triton web help

564 Pages


Web Security Help

Websense® TRITON™ Web Security Solutions

v7.8

©1996–2014, Websense Inc.

All rights reserved.

10240 Sorrento Valley Rd., San Diego, CA 92121, USA

Published 2014

Printed in the United States and Ireland

The products and/or methods of use described in this document are covered by U.S. Patent Numbers 5,983,270; 6,606,659; 6,947,985; 7,185,015; 7,194,464 and RE40,187 and other patents pending.

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Websense Inc.

Every effort has been made to ensure the accuracy of this manual. However, Websense Inc., makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Websense Inc., shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

Trademarks

Websense is a registered trademark and TRITON is a trademark of Websense, Inc., in the United States and certain international markets.

Websense has numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.

Microsoft, Windows, Windows NT, Windows Server, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Mozilla and Firefox are registered trademarks of the Mozilla Foundation in the United States and/or other countries.

eDirectory and Novell Directory Services are registered trademarks of Novell, Inc., in the U.S. and other countries.

Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Red Hat is a registered trademark of Red Hat, Inc., in the United States and other countries. Linux is a trademark of Linus Torvalds, in the United States and other countries.

This product includes software distributed by the Apache Software Foundation (http://www.apache.org).

Copyright (c) 2000. The Apache Software Foundation. All rights reserved.

Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

Contents

Topic 1: Getting Started

Overview

Working in the TRITON console

Reviewing, saving, and discarding changes

Your subscription

Managing your account through the MyWebsense Portal

Configuring your account information

The Websense Master Database

Configuring database downloads

What is WebCatcher?

Websense Technical Support

Topic 2: The Web Security Dashboard

Threats dashboard

Investigate threat event details

How severity is assigned to suspicious activity

Reviewing threat incident details

Reviewing threat-related forensic data

Risks dashboard

Usage dashboard

System dashboard

Adding elements to a dashboard tab

Time and bandwidth saved

Web Security Status Monitor mode

Topic 3: Internet Usage Filters

Managing access to categories and protocols

When a category or protocol is blocked

New Master Database categories and protocols

Special categories

Risk classes

Security protocol groups

Actions

Using quota time to limit Internet access

Search filtering

Working with filters

Creating a category filter

Editing a category filter

Creating a protocol filter

Editing a protocol filter

Websense-defined category and protocol filters

Category and protocol filter templates

Configuring filtering settings

Topic 4: Clients

Working with clients

Working with computers and networks

Working with users and groups

Directory services

Windows Active Directory (Mixed Mode)

Windows Active Directory (Native Mode)

Novell eDirectory and Oracle (Sun Java) Directory Server

Advanced directory settings

Working with custom LDAP groups

Adding or editing a custom LDAP group

Adding a client

Searching the directory service

Changing client settings

Password override

Account override

Moving clients to roles

Working with hybrid service clients

Topic 5: Internet Access Policies

The Default policy

Working with policies

Creating a policy

Editing a policy

Assigning a policy to clients

Enforcement order

Prioritizing group and domain policies

Responding to a URL request

Topic 6: Exceptions to Policies

Managing exceptions

How are exceptions organized?

Adding or editing an exception

Overriding an exception

If multiple exceptions could apply, which takes precedence?

Editing multiple exceptions at the same time

Exception shortcuts

How do I block or permit a URL for everyone?

How do I block or permit a URL for one person?

How do I block or permit a URL for my entire role?

How do I block or permit a URL for one of my managed clients?

How do I create an unfiltered URL?

Topic 7: Block Pages

Blocking graphical advertisements

Blocking embedded pages

Working with block pages

Customizing the block message

Changing the size of the message frame

Changing the logo that displays on the block page

Using block page content variables

Reverting to the default block pages

Creating alternate block messages

Using an alternate block page on another machine

Determining why a request was blocked

Request blocked by Filtering Service

Request blocked by the hybrid service

Topic 8: Use Reports to Evaluate Internet Activity

What is Internet browse time?

Presentation reports

Creating a new presentation report

Defining the report filter

Selecting clients for a report

Selecting categories for a report

Selecting protocols for a report

Selecting actions for a report

Setting report options

Customizing the report logo

Confirming report filter definition

Working with Favorites

Running a presentation report

Scheduling presentation reports

Setting the schedule

Selecting reports to schedule

Setting the date range

Selecting output options

Viewing the scheduled jobs list

Viewing job history

Reviewing scheduled presentation reports

Investigative reports

Summary reports

Using search to generate a summary report

Anonymizing investigative reports

The Anonymous option

Multi-level summary reports

Flexible detail reports

Columns for flexible detail reports

User Activity Detail reports

User activity detail by day

User activity detail by month

Standard reports

Favorite investigative reports

Scheduling investigative reports

Managing scheduled investigative reports jobs

Outliers reports

Output options for investigative reports

Accessing self-reporting

Application reporting

How is user agent data collected?

Browser use details

Platform use details

Real-Time Monitor

Real-Time Monitor in Multiple Policy Server Deployments

Topic 9: Content Gateway Analysis

Scanning options

Content categorization

Tunneled protocol detection

Security threats: Content security

Security threats: File analysis

Outbound security

Advanced options

Scanning exceptions

Data files used with scanning

Reporting on advanced analysis activity

How analysis activity is logged

SSL decryption bypass

Topic 10: Configure the Hybrid Service

Activate your hybrid service account

Define filtered locations

Adding or editing filtered locations

Managing explicit proxies

Adding or editing an explicit proxy

Configuring failover to the hybrid service

Specify sites not managed by the hybrid service

Adding or editing unfiltered destinations

Configure user access to the hybrid service

Adding domains

Editing domains

Customizing hybrid block pages

Enabling HTTPS notification pages

What is a PAC file?

Send user and group data to the hybrid service

Configure Directory Agent settings for the hybrid service

Configure how data is gathered for the hybrid service

Oracle (Sun Java) Directory Server and the hybrid service

Novell eDirectory and the hybrid service

Adding and editing directory contexts

Optimizing search results

Schedule communication with the hybrid service

Define custom authentication settings

Adding custom authentication rules

Editing custom authentication rules

Monitor communication with the hybrid service

View hybrid service authentication reports

View User Agent Volume report

Topic 11: Manage Off-site Users

Using remote filtering software

Configuring Remote Filtering settings

Configure remote filtering to ignore FTP or HTTPS traffic

Configure the Remote Filtering Client heartbeat interval

Hybrid service management of off-site users

Configuring hybrid filtering for off-site users

Off-site user self-registration

Topic 12: Protect Vital Information

Protecting against data loss

Protecting end users’ devices

Mobile Integration

Topic 13: Refine Web Security Policies

Restricting users to a defined list of URLs

Limited access filters and enforcement order

Creating a limited access filter

Editing a limited access filter

Adding sites from the Edit Policy page

Copying filters and policies to roles

Building filter components

Working with categories

Editing categories and their attributes

Reviewing all customized category attributes

Making global category changes

Renaming a custom category

Creating a custom category

Keyword-based policy enforcement

Defining keywords

Reclassifying specific URLs

Prioritizing Security Risk categorization

Blocking posts to sites in some categories

Working with protocols

Protocol-based policy enforcement

Editing custom protocols

Adding or editing protocol identifiers

Renaming a custom protocol

Making global protocol changes

Creating a custom protocol

Adding to a Websense-defined protocol

Using Bandwidth Optimizer to manage bandwidth

Configuring the default Bandwidth Optimizer limits

Managing traffic based on file type

Enforcement based on file extension

Enforcement based on file analysis

Enabling file type blocking in a category filter

Working with file type definitions

Adding custom file types

Adding file extensions to a file type

Using regular expressions

Using the Toolbox to verify policy enforcement behavior

URL Category

Check Policy

Test Filtering

URL Access

Investigate User

Identifying a user to check policy or test filtering

Topic 14: User Identification

Topic 15

Contents

Transparent identification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

Transparent identification of remote users . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Manual authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Configuring user identification methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

Setting authentication rules for specific machines . . . . . . . . . . . . . . . . . . . . 306

Defining exceptions to user identification settings . . . . . . . . . . . . . . . . . 306

Revising exceptions to user identification settings . . . . . . . . . . . . . . . . . 307

Secure manual authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

Generating keys and certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

Activating secure manual authentication . . . . . . . . . . . . . . . . . . . . . . . . . 310

Accepting the certificate within the client browser . . . . . . . . . . . . . . . . . 311

DC Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Configuring DC Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

Reviewing DC Agent polled domains and domain controllers. . . . . . . . . . . 315

The dc_config.txt file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

Logon Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Configuring Logon Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318

RADIUS Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

Configuring RADIUS Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

eDirectory Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

Configuring eDirectory Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Adding an eDirectory server replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

Configuring eDirectory Agent to use LDAP . . . . . . . . . . . . . . . . . . . . . . 324

Enabling full eDirectory Server queries . . . . . . . . . . . . . . . . . . . . . . . . . 325

Configuring an agent to ignore certain user names . . . . . . . . . . . . . . . . . . . . . . 326

Identification of hybrid users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

Authentication priority and overrides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330

Web Endpoint deployment overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

Manually deploying Web Endpoint for Windows . . . . . . . . . . . . . . . . . . . . 333

Manually deploying Web Endpoint for Mac OS X. . . . . . . . . . . . . . . . . . . . 335

Integrating a single sign-on identity provider . . . . . . . . . . . . . . . . . . . . . . . . 335

Websense Directory Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

Directory Agent and User Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

When users are not identified . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

Delegated Administration and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

The fundamentals of delegated administration. . . . . . . . . . . . . . . . . . . . . . . . . . 340

Delegated administration roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340

Delegated administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

Delegated administration and reporting permissions . . . . . . . . . . . . . . . . . . 342

Administrators in multiple roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345

Multiple administrators accessing the TRITON console . . . . . . . . . . . . . . . 346

Preparing for delegated administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347


Topic 16

Creating a Filter Lock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Locking categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349

Locking protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350

Preparing delegated administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

Managing delegated administration roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352

Adding roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Editing roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

Adding Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

Adding managed clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Managing role conflicts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

Updating delegated administration roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361

Delete roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362

Delete managed clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362

Managing Super Administrator clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

Performing delegated administrator tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

View your user account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

Add clients to the Clients page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Create policies and filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

Reviewing administrator accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

Enabling network accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

Web Security Server Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

Websense Web Security components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

Policy enforcement and management components . . . . . . . . . . . . . . . . . . . . 371

Reporting components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

User identification components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

Interoperability components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

Reviewing your Web Security deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

Using the Policy Server map. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Using the component list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

Evaluating directory performance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379

Review directory server details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380

Understanding Policy Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380

Reviewing Policy Broker connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

Working with Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382

Reviewing Policy Server connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Adding or editing Policy Server instances . . . . . . . . . . . . . . . . . . . . . . . . . . 384

Working in a multiple Policy Server environment . . . . . . . . . . . . . . . . . . . . 385

Changing the Policy Server IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386

Working with Filtering Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

Review Filtering Service details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Review Master Database download status . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Resuming Master Database downloads. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390

Topic 17

Filtering Service support for YouTube in Schools . . . . . . . . . . . . . . . . . . . . 390

Policy Server, Filtering Service, and State Server . . . . . . . . . . . . . . . . . . . . . . . 391

Integrating with a third-party SIEM solution . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

Working with Content Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395

Managing Content Gateway connections . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

Viewing and exporting the audit log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

Stopping and starting Websense services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Websense Web Security installation directories . . . . . . . . . . . . . . . . . . . . . . . . 401

Alerting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Flood control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402

Configuring general alert options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402

Configuring system alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

Configuring category usage alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

Adding or editing category usage alerts. . . . . . . . . . . . . . . . . . . . . . . . . . 405

Configuring protocol usage alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

Adding or editing protocol usage alerts . . . . . . . . . . . . . . . . . . . . . . . . . . 407

Configuring suspicious activity alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

Reviewing current system status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

Backing up and restoring your Websense data. . . . . . . . . . . . . . . . . . . . . . . . . . 410

Scheduling backups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Running immediate backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

Maintaining the backup files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

Restoring your Websense data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Discontinuing scheduled backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

Command reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

Reporting Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

Assigning categories to risk classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420

Configuring reporting preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

Configuring how requests are logged. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422

Configuring Log Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424

Testing the Log Database connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429

Introducing the Log Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430

Database jobs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

Log Database administration settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432

Configuring database partition options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433

Configuring Log Database maintenance options . . . . . . . . . . . . . . . . . . . . . 436

Configuring how URLs are logged . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438

Configuring Internet browse time options . . . . . . . . . . . . . . . . . . . . . . . . . . 439

Configuring trend and application data retention . . . . . . . . . . . . . . . . . . . . . 440

Log Database sizing guidance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

Configuring Dashboard reporting data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443


Topic 18

Topic 19

Configuring investigative reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

Database connection and report defaults. . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

Display and output options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448

Self-reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450

Network Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451

Network Agent configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452

Configuring global settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

Configuring local settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454

Configuring NIC settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456

Configuring monitoring settings for a NIC . . . . . . . . . . . . . . . . . . . . . . . 457

Adding or editing IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

Verifying Network Agent configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

Installation and subscription issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

There is a subscription problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462

Unable to verify the subscription key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462

After upgrade, users are missing from the Web Security manager. . . . . . . . 463

Master Database issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463

The initial filtering database is being used . . . . . . . . . . . . . . . . . . . . . . . . . . 463

The Master Database is more than 1 week old . . . . . . . . . . . . . . . . . . . . . . . 464

The Master Database does not download . . . . . . . . . . . . . . . . . . . . . . . . . . . 464

Subscription key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

Internet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

Verify firewall or proxy server settings . . . . . . . . . . . . . . . . . . . . . . . . . . 466

Insufficient disk space on the Filtering Service machine . . . . . . . . . . . . 467

Insufficient memory on the Filtering Service machine . . . . . . . . . . . . . . 468

Restriction applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468

Master Database download does not occur at the correct time . . . . . . . . . . . 469

Contacting Technical Support for database download issues . . . . . . . . . . . . 469

Policy enforcement issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470

Filtering Service is not running. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470

User Service is not available . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

High CPU usage on the Filtering Service machine. . . . . . . . . . . . . . . . . . . . 471

Sites are incorrectly categorized as Information Technology. . . . . . . . . . . . 472

Keywords are not being blocked. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472

Custom or limited access filter URLs are not handled as expected . . . . . . . 473

Websense software is not applying user or group policies . . . . . . . . . . . . . . 473

Remote users do not receive the correct policy. . . . . . . . . . . . . . . . . . . . . . . 473

Network Agent issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Network Agent is not installed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Network Agent is not running. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Network Agent is not monitoring any NICs . . . . . . . . . . . . . . . . . . . . . . . . . 475


Network Agent can’t communicate with Filtering Service. . . . . . . . . . . . . . 475

Update Filtering Service IP address or UID information . . . . . . . . . . . . 476

Insufficient memory on the Network Agent machine. . . . . . . . . . . . . . . . . . 476

High CPU usage on the Network Agent machine. . . . . . . . . . . . . . . . . . . . . 477

User configuration and identification issues . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

User and group-based policies are not applied . . . . . . . . . . . . . . . . . . . . . . . 477

Unusually high directory server connection latency . . . . . . . . . . . . . . . . . . . 478

Filtering Service can’t communicate with transparent ID agent. . . . . . . . . . 479

DC Agent has insufficient permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480

DC Agent unable to access required file. . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

DC Agent Domains and Controllers page is blank . . . . . . . . . . . . . . . . . . . . 482

I cannot add users and groups to the Web Security manager . . . . . . . . . . . . 482

Directory service connectivity and configuration . . . . . . . . . . . . . . . . . . 483

Directory service configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

User identification and Windows Server . . . . . . . . . . . . . . . . . . . . . . . . . 484

Turning on the Computer Browser service . . . . . . . . . . . . . . . . . . . . . . . 484

Changing DC Agent, Logon Agent, and User Service permissions . . . . . . . 485

User Service on a Websense appliance or Linux server . . . . . . . . . . . . . . . . 486

Remote users are not prompted for manual authentication. . . . . . . . . . . . . . 487

Remote users are not being filtered correctly . . . . . . . . . . . . . . . . . . . . . . . . 487

Block message issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

No block page appears for a blocked file type . . . . . . . . . . . . . . . . . . . . . . . 488

Users receive a browser error instead of a block page . . . . . . . . . . . . . . . . . 488

A blank white page appears instead of a block page. . . . . . . . . . . . . . . . . . . 489

Log, status message, and alert issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489

Where do I find error messages for Websense components? . . . . . . . . . . . . 490

Websense Health alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490

Two log records are generated for a single request. . . . . . . . . . . . . . . . . . . . 492

Usage Monitor is not available . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492

Usage Monitor is not running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493

Policy Server and Policy Broker issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493

I forgot my password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493

The Websense Policy Database service fails to start . . . . . . . . . . . . . . . . . . 494

Policy Server stops unexpectedly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494

A Policy Broker replica cannot synchronize data . . . . . . . . . . . . . . . . . . . . . 495

Delegated administration issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

Managed clients cannot be deleted from role . . . . . . . . . . . . . . . . . . . . . . . . 495

Logon error says someone else is logged on at my machine . . . . . . . . . . . . 496

Recategorized sites are filtered according to the wrong category. . . . . . . . . 496

I cannot create a custom protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496

Log Server and Log Database issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497

Log Server is not running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497

Log Server has not received log files from Filtering Service . . . . . . . . . . . . 498


Low disk space on the Log Server machine . . . . . . . . . . . . . . . . . . . . . . . . . 500

No Log Server is installed for a Policy Server . . . . . . . . . . . . . . . . . . . . . . . 501

More than one Log Server is installed for a Policy Server . . . . . . . . . . . . . . 502

Log Database was not created. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

Log Database is not available . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

Log Database size causes reporting delays . . . . . . . . . . . . . . . . . . . . . . . . . . 504

More than 100 files in the Log Server cache directory . . . . . . . . . . . . . . . . . 505

Last successful ETL job ran more than 4 hours ago . . . . . . . . . . . . . . . . . . . 506

Configure Log Server to use a database account . . . . . . . . . . . . . . . . . . . . . 507

Log Server is not recording data in the Log Database . . . . . . . . . . . . . . . . . 508

Updating the Log Server connection account or password. . . . . . . . . . . . . . 508

Configuring user permissions for Microsoft SQL Server . . . . . . . . . . . . . . . 509

Log Server cannot connect to the directory service . . . . . . . . . . . . . . . . . . . 509

Wrong reporting page displayed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510

Investigative report and presentation report issues . . . . . . . . . . . . . . . . . . . . . . 510

Presentation Reports Scheduler not connected to Log Database . . . . . . . . . 511

Inadequate disk space to generate presentation reports . . . . . . . . . . . . . . . . 511

Scheduled jobs in presentation reports failed . . . . . . . . . . . . . . . . . . . . . . . . 512

Data on Internet browse time reports is skewed . . . . . . . . . . . . . . . . . . . . . . 512

Bandwidth is larger than expected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512

Trend data is missing from the Log Database. . . . . . . . . . . . . . . . . . . . . . . . 513

Trend reports are not displaying data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513

Some protocol requests are not being logged . . . . . . . . . . . . . . . . . . . . . . . . 514

All reports are empty. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514

Database partitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514

SQL Server Agent job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

Log Server configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

Microsoft Excel output is missing some report data . . . . . . . . . . . . . . . . . . . 516

Saving presentation reports output to HTML . . . . . . . . . . . . . . . . . . . . . . . . 516

Error generating presentation report, or report does not display. . . . . . . . . . 517

Investigative reports search issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517

General investigative reports issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518

Other reporting issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518

Low memory on the Real-Time Monitor machine . . . . . . . . . . . . . . . . . . . . 518

Real-Time Monitor is not running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519

Real-Time Monitor is not responding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519

Cannot access certain reporting features. . . . . . . . . . . . . . . . . . . . . . . . . . . . 520

No charts appear on the Status > Dashboard page . . . . . . . . . . . . . . . . . . . . 520

There is a forensics data configuration problem . . . . . . . . . . . . . . . . . . . . . . 520

The forensics repository location could not be reached . . . . . . . . . . . . . . . . 521

Forensics data will soon exceed a size or age limit. . . . . . . . . . . . . . . . . . . . 521

Websense Multiplexer is not running or not available . . . . . . . . . . . . . . . . . 522

Interoperability issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522


Content Gateway is not running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523

Content Gateway is not available . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523

Content Gateway non-critical alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524

Administrator unable to access other TRITON modules . . . . . . . . . . . . . . . 526

Sync Service is not available. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527

Sync Service has been unable to download log files . . . . . . . . . . . . . . . . . . 528

Sync Service has been unable to send data to Log Server . . . . . . . . . . . . . . 528

Hybrid policy enforcement data does not appear in reports . . . . . . . . . . . . . 528

Disk space is low on the Sync Service machine . . . . . . . . . . . . . . . . . . . . . . 529

The Sync Service configuration file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

Directory Agent is not running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530

Directory Agent cannot connect to the domain controller . . . . . . . . . . . . . . 531

Directory Agent communication issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532

Directory Agent does not support this directory service. . . . . . . . . . . . . . . . 533

The Directory Agent configuration file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533

Directory Agent command-line parameters . . . . . . . . . . . . . . . . . . . . . . . . . 535

Alerts were received from the hybrid service . . . . . . . . . . . . . . . . . . . . . . . . 535

Unable to connect to the hybrid service . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536

Hybrid service unable to authenticate connection. . . . . . . . . . . . . . . . . . . . . 536

Missing key hybrid configuration information . . . . . . . . . . . . . . . . . . . . . . . 537

Hybrid failover proxy removed from explicit proxies list . . . . . . . . . . . . . . 538

Troubleshooting tips and tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538

Where is the Websense “bin” directory?. . . . . . . . . . . . . . . . . . . . . . . . . . . . 538

The Windows Services tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538

The Windows Event Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539

The Websense log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539


1

Getting Started

Web Security Help | Web Security Solutions | Version 7.8.x

To learn to use Websense® Web Security solutions and find answers to your questions, browse this guide or use one of the following topics as a launch point.

First steps

Working in the TRITON console

Your subscription

The Web Security Dashboard

Create policies

Managing access to categories and protocols

Adding a client

Working with policies

Assigning a policy to clients

Using reports

Presentation reports

Investigative reports

Real-Time Monitor

Using the Toolbox to verify policy enforcement behavior

Advanced tools

Exceptions to Policies

Reclassifying specific URLs

Delegated Administration and Reporting

Initial solutions

Installation and subscription issues

Master Database issues

Troubleshooting tips and tools

Filtering solutions

Policy enforcement issues

User configuration and identification issues

Block message issues

Reporting solutions

Log, status message, and alert issues

Log Server and Log Database issues

Investigative report and presentation report issues

Other solutions

Delegated administration issues

Interoperability issues

Troubleshooting tips and tools

Overview


Use Websense Web Security solutions to develop, enforce, and report on Internet access policies. Together, a series of Websense components (described in Websense Web Security components, page 370) provide Internet security and management, user identification, alerting, reporting, and troubleshooting capabilities.

An overview of the new features included in this version can be found in the Release Notes, available from the Websense Technical Library.

After installation, Websense Web Security uses the Default policy to monitor Internet usage without blocking requests.

The Default policy governs Internet access for all clients in the network until you define your own policies and assign them to clients.

You can edit the Default policy so that it can be used for enforcement, rather than just monitoring.

After you have created custom policies, the Default policy is applied to any request not governed by another policy.

See The Default policy, page 92, for more information.

To get started with policy enforcement, see:

1. Internet Usage Filters, page 49

2. Clients, page 73

3. Internet Access Policies, page 91

A single, browser-based tool—the TRITON® Unified Security Center—provides a central, graphical interface to the general configuration, policy management, and reporting functions of your Websense Web Security, Data Security, and Email Security solutions. See Working in the TRITON console, page 18, for more information.

You can define levels of access to the TRITON Unified Security Center to allow certain administrators to manage one or more TRITON modules. Within the Web Security module, you can further refine access permissions to allow administrators to manage policies, perform reporting tasks, and more. See Delegated Administration and Reporting, page 339, for more information.

Working in the TRITON console


Related topics:

Navigating the Web Security manager, page 20

The Web Security Dashboard, page 33

The TRITON Unified Security Center is the central configuration interface used to manage Websense Web Security, Email Security, and Data Security solutions. It includes a Web Security module (the Web Security manager) used to customize Internet activity policies, monitor Internet usage, generate Internet usage reports, and manage configuration and settings for Websense Web Security.

Important

Do not use Internet Explorer Compatibility View with the TRITON console. If you experience odd behavior or page layouts in Internet Explorer, make sure that the Compatibility View button (between the URL and the Refresh button in the browser address bar) is not selected.

At installation, the TRITON Unified Security Center is set up to give full access to all modules to a single administrator account: admin. The password for this account is set during installation.

Until a subscription key has been entered, when the admin user (or any other Super Administrators that you create) logs on and connects to the Web Security manager, an Initial Setup Checklist is displayed. Use the checklist to enter your subscription key and perform basic initial configuration tasks.

Once a key has been entered and validated, administrators logging on to the Web Security manager are taken to the Status > Dashboard page.

A quick tutorial is available for administrators using the Web Security manager, or this version, for the first time. Just click Help, then Getting Started, and select one of the following:

New Admin Tutorial

Upgrading Admin Tutorial

On first logon, when an administrator navigates away from the dashboard, the Save and Deploy button activates. This allows initial default dashboard settings to be saved for that administrator account. (Once the initial defaults are saved, navigating away from the dashboard activates the Save and Deploy button only when charts are added, removed, or edited.)

If you are using an account with permissions to access multiple TRITON modules, use the TRITON toolbar to switch between modules. See Navigating the Web Security manager, page 20.

If you are using delegated administration, and have created administrative roles, you may be prompted to select a role to manage. See Delegated Administration and Reporting, page 339.

When you log on to the TRITON console, the Web Security module connects to the default (base) Policy Server specified during installation. To manage another Policy Server, select its IP address from the Policy Server drop-down list in the Web Security toolbar.

A TRITON console session ends 30 minutes after the last action taken in the user interface (clicking from page to page, entering information, caching changes, or saving changes). A warning message is displayed 5 minutes before the session ends.


If there are uncached changes on the page or cached changes pending, the changes are lost when the session ends. Remember to click OK to cache changes, and Save and Deploy to record and implement those changes.

If the TRITON console is open in multiple tabs of the same browser window, all instances share the same session. If the session times out in one tab, it times out in all tabs.

If the TRITON console is open in multiple browser windows on the same computer, the instances share the same session unless you:

Launch multiple Internet Explorer windows independently of one another.

Use the File > New Session command to open a new Internet Explorer window.

Use Internet Explorer to open one connection to the TRITON console, and then use Firefox or Chrome to open another connection.

If you close the browser without logging off of the TRITON Unified Security Center, or if the remote machine from which you are accessing a TRITON module shuts down unexpectedly, you may be temporarily locked out of the TRITON console. The management components typically detect this issue within about 2 minutes and end the interrupted session, allowing you to log on again.

Navigating the Web Security manager

Web Security Help | Web Security Solutions | Version 7.8.x

The Web Security module of the TRITON console can be divided into 6 main areas:

1. Banner

2. TRITON toolbar

3. Web Security toolbar

4. Left navigation pane

5. Right shortcut pane

6. Content pane

This guide describes the options available to the admin account. Delegated administrators may see a subset of the features described. See Delegated Administration and Reporting, page 339, for more information.

The banner

The banner, located at the top of the browser page, shows:

The user name associated with your administrative logon account

A Log Off button, for when you’re ready to end your administrative session

The TRITON toolbar

The TRITON toolbar, located under the banner, allows you to:

Move between modules of the TRITON Unified Security Center.

Connect to Appliance Manager for any V-Series Appliances deployed in your network.

Configure global TRITON Settings that affect all installed modules.

Access Help, tutorials, product information, and Websense Technical Support resources.

The Web Security toolbar

The Web Security toolbar, located under the TRITON toolbar, is used to:

Switch between the Main and Settings tabs of the left navigation pane.

See which Policy Server you are currently connected to, and switch between Policy Server instances, if applicable (see Working with Policy Server, page 382).

View your administrative Role, switch between roles, or release policy permissions for the current role.

Tip

If you have policy management and reporting permissions, but only reporting features are displayed, another administrator may be logged on to the role. Only one administrator at a time can access policy management features for each role.

View Pending Changes (via the small magnifying glass icon) and Save and Deploy pending changes. If there are no cached changes waiting to be saved, these buttons are disabled.

See Reviewing, saving, and discarding changes, page 23, for more information.

The left and right navigation panes

The left navigation pane has two tabs: Main and Settings. Use the Main tab to access status, reporting, and policy management features and functions. Use the Settings tab to manage your Websense account and perform global system administration tasks.

(Note that the Settings tab displays different options depending on your subscription level.)

The right shortcut pane contains links to useful tools and information.

Find Answers provides links to articles, webinars, videos, worksheets, and tutorials to help you complete your tasks. Use the Search box to find more information in the Websense eSupport Knowledge Base.

The Toolbox contains quick lookup tools that you can use to verify your configuration. See Using the Toolbox to verify policy enforcement behavior, page 296, for more information.

Both the left and right navigation panes can be minimized by clicking the double arrow (<< or >>) icon at the top of the pane. Click the reverse icon (>> or <<) to view the pane.

Mouse over a shortcut icon on the minimized left navigation pane to see a menu of related features without maximizing the pane.

Reviewing, saving, and discarding changes

When you make a change in Web Security manager, you must typically click OK at the bottom of the page to cache the change, then click Save and Deploy to save the change to the Policy Database, which causes the change to take effect.

Some fields or sections in Web Security manager have their own Save or Save Now buttons. Changes to these features are saved and implemented immediately, rather than first being cached and later saved.

Some types of changes require you to click OK on both a subordinate page and a main page to cache changes.

Important

Avoid double- or triple-clicking the OK button. Multiple, rapid clicks to the same button can cause display problems that can be solved only by exiting and reopening the browser.

Use the View Pending Changes page to review cached changes. Changes to a single area of functionality are typically grouped into a single entry in the cache list. For example, if you add 6 clients and delete 2 clients, the cache list indicates only that changes were made to Clients. Changes to a single Settings page, on the other hand, may result in multiple entries in the cache list. This occurs when a single Settings page is used to configure multiple functions.

To save all of the cached changes, click Save All Changes.

To abandon all of the cached changes, click Cancel All Changes.

After choosing Save All Changes or Cancel All Changes, you are returned to the last page you selected. There is no undo for either option.

Use the Audit Log to review the details of changes made in the Web Security manager.

See Viewing and exporting the audit log, page 396, for more information.

Your subscription

Websense subscriptions are issued on a per-client (IP address) basis.

To activate your software, enter a valid subscription key (see Configuring your account information, page 25). This lets you download the Master Database (see The Websense Master Database, page 27), which enables policy enforcement.

After the first successful database download, the Web Security manager displays the number of clients your subscription includes and your subscription type (Web Filter, Web Security, Web Security Gateway, or Web Security Gateway Anywhere).

A component called Websense Filtering Service maintains a subscription table of clients generating Internet requests each day. The subscription table is cleared nightly.

The first time a client makes an Internet request after the table has been cleared, its IP address is entered in the table.

When the number of clients listed in the table reaches the subscribed maximum, any previously-unlisted client that requests Internet access exceeds the subscription. In Web Security Gateway or Gateway Anywhere deployments, there is no change in policy enforcement. Full security protection capabilities are maintained even after the licensed IP levels are exceeded. In Web Filter and Web Security deployments, when the number of subscribed users is exceeded, requests from users who exceed the subscription count are permitted or blocked based on the setting Block users when subscription expires, found on the Settings > General > Account page in the Web Security Manager.

For all Web Security solutions, if your subscription expires, all requests are permitted or blocked, depending on the same configurable setting. Note that expiration notices are provided in advance of a possible subscription expiration.

To configure how Internet requests are handled when a subscription expires, see Configuring your account information, page 25.

To have an alert message sent when the subscription approaches or exceeds its limit, see Configuring system alerts, page 403.

Managing your account through the MyWebsense Portal

Websense, Inc., maintains a customer portal at mywebsense.com that you can use to access product updates, patches and hotfixes, product news, evaluations, and technical support resources.

When you create an account, the account is associated with your Websense subscription key or keys. This helps to ensure your access to information, alerts, and patches relevant to your Websense product and version.

Multiple members of your organization can create MyWebsense accounts associated with the same subscription key.

Configuring your account information

Related topics:

Your subscription, page 24

Configuring database downloads, page 29

Working with protocols, page 278

Use the Settings > General > Account page to enter or review subscription information, and to determine how your Websense Web Security solution responds when the subscription expires or the subscription count is exceeded.

Also use the page to direct web security components to send category and protocol usage data to Websense, Inc., anonymously. This information may be used to help optimize the Websense Master Database (see The Websense Master Database, page 27) and contribute to the Websense ThreatSeeker® Intelligence Cloud (see websense.com/content/Threatseeker.aspx).

After installation, or any time you receive a new subscription key, you can use the Subscription key field to enter the key, and then click Apply. A check is done to verify the key syntax, and then Filtering Service attempts to download the Master Database.

If a key is displayed, but the Subscription key field is disabled, you are connected to a secondary Policy Server. This means that the Policy Server instance gets its key information from the primary Policy Server whose IP address appears below the number of subscribed users.

Use the Settings > General > Policy Servers page to manage subscription keys in multiple Policy Server environments (see Working in a multiple Policy Server environment, page 385).

If the key syntax is correct, but the Master Database download fails because the key is invalid or expired, a health alert message is displayed on the Status > Alerts page. By default, the message also appears on the System tab of the Status > Dashboard page.

After the first successful Master Database download, the Account page displays the following information:

Key expires: End date for your current subscription. After this date, you must renew the subscription to continue downloading the Master Database and applying Internet policies.

Subscribed users: (Web Security Gateway Anywhere) Sum of users managed by on-premises components, the hybrid service, and remote filtering software.

Subscribed network users: Number of in-network users whose Internet requests may be managed.

Subscribed remote users: Number of users whose requests may be handled when they are outside the network (requires optional remote filtering components).

Primary Policy Server: IP address of the Policy Server instance from which this Policy Server receives subscription key information. Appears only when viewing information for a secondary Policy Server.

1. Select Block users when subscription expires to block all Internet access for all users when the subscription expires. In Web Filter and Web Security deployments, selecting this option will also block all requests from users who exceed the subscription count.

Leave the option unselected to give users unrestricted Internet access in these situations.

2. Mark Send category and protocol data to Websense, Inc., to have web security components collect usage data about Websense-defined categories and protocols, and submit it anonymously to Websense, Inc.

This usage data helps Websense, Inc., to continually enhance web security capabilities.

3. Under WebCatcher, mark Send URL information to Websense to help Websense, Inc., improve URL categorization and security effectiveness. See What is WebCatcher?, page 30, for more information about this tool.

To submit uncategorized URLs to be evaluated for categorization, mark Send uncategorized URLs to improve URL categorization.

To send in security-related URLs to help track malicious website activity, mark Send security URLs to improve security effectiveness.

To keep a local copy of the information sent to Websense, Inc., for your review, mark Save a copy of the data being sent to Websense.

When this option is enabled, WebCatcher saves the data as unencrypted XML files in the Websense\Web Security\bin\ directory on the Log Server machine. These files are date and time stamped.

Select the Country of origin for your organization. This should be the country where the majority of Internet activity is being logged.

Specify a Maximum upload file size. When the maximum size is reached, collected WebCatcher data is sent automatically and a new file is started.

Use the Daily start time field to indicate a time each day when WebCatcher should send the data it has collected if the maximum file size has not been reached.

4. (Websense Web Security Gateway Anywhere) To activate or update the connection between the on-premises and hybrid portions of your software:

Enter the Contact email address for your web security administrators. This is typically a group email alias that is monitored frequently. Alerts about hybrid service issues are sent to this address. Failing to respond appropriately to an alert could lead to temporary disconnection of your hybrid service.

Enter the Country and Time zone in which the administrators are located.

User requests are not managed by the hybrid service until this information has been provided and validated. For more information, see Configure the Hybrid Service, page 215.

5. When you are finished making changes, click OK. Changes are not implemented until you click Save and Deploy.

The Websense Master Database

Related topics:

Real-time database updates, page 28

Real-Time Security Updates™, page 28

Configuring database downloads, page 29

Review Master Database download status, page 389

Resuming Master Database downloads, page 390

The Websense Master Database houses the category and protocol definitions that provide the basis for managing Internet content (see Managing access to categories and protocols, page 50).

Categories are used to group websites (identified by URL and IP address) with similar content.

Protocol definitions group Internet communications protocols used for similar purposes, like transferring files, or sending instant messages.

A limited version of the URL database is installed with Websense Filtering Service, but it is a good idea to download the full Master Database as soon as possible to enable comprehensive Internet management capabilities. To download the Master Database for the first time:

Enter your subscription key in the Web Security manager Initial Setup Checklist.

If Filtering Service must go through a proxy to perform the download, also configure proxy settings in the checklist.

The process of downloading the full database may take a few minutes or more than 60 minutes, depending on factors such as Internet connection speed, bandwidth, available memory, and free disk space.

After the initial download, Filtering Service downloads database changes on a schedule that you establish (see Configuring database downloads, page 29). Because the Master Database is updated frequently, by default, database downloads are scheduled to happen daily.

If the Master Database is more than 14 days old, your Websense Web Security solution stops policy enforcement.

To initiate a database download at any time, or to view the status of the last database download, the date of the last download, or the current database version number, go to the System tab of the Web Security Dashboard and click Database Download in the toolbar at the top of the content pane.

Real-time database updates

In addition to scheduled downloads of the full database, smaller, partial updates occur when needed. A real-time update might be used, for example, to recategorize a site that was temporarily miscategorized. These updates ensure that sites and protocols are managed appropriately.

Websense Filtering Service checks for database updates every hour.

The most recent updates are listed on the Status > Alerts page (see Reviewing current system status, page 409).

Real-Time Security Updates™

In addition to receiving the standard real-time database updates, organizations with a Websense Web Security, Web Security Gateway, or Web Security Gateway Anywhere subscription can enable Real-Time Security Updates to receive security-related updates to the Master Database as soon as they are published by Websense, Inc.

Real-Time Security Updates provide an added layer of protection against Internet-based security threats. Installing these updates as soon as they are published reduces vulnerability to new phishing (identity fraud) scams, rogue applications, and malicious code infecting mainstream websites or applications.

Filtering Service checks for security updates every 5 minutes. Because the updates tend to be small, they do not disrupt normal network activity.

Use the Settings > General > Database Download page to enable Real-Time Security Updates (see Configuring database downloads, page 29).

Configuring database downloads

Related topics:

Configuring your account information, page 25

The Websense Master Database, page 27

Review Master Database download status, page 389

Use the Settings > General > Database Download page to establish the schedule for automatic Master Database downloads. If you did not already enter the information in the Initial Setup Checklist, you can use this page to configure any proxy server or firewall settings that Websense Filtering Service must use to download the database.

1. (Websense Web Security, Web Security Gateway, and Web Security Gateway Anywhere) Select Enable real-time security updates (default) to have Websense Filtering Service check for security updates to the Master Database every 5 minutes. When a security update is detected, it is downloaded immediately.

Real-time security updates rapidly protect your network from vulnerability to threats like new phishing (identity fraud) scams, rogue applications, and malicious code infecting a mainstream website or application.

2. Select the Download days for automatic downloads.

All download days are selected when Real-Time Security Updates are enabled. Downloads are automatically performed every day to assure that the most up-to-date standard database is available for the security updates.

You must download the Master Database at least once every 14 days for policy enforcement to continue without interruption.

If you deselect all download days, Filtering Service automatically attempts a download when the database is 7 days old.

3. Next to Download between, select a start time and end time between which Filtering Service attempts to download Master Database updates. By default, download occurs between 21:00 (9 p.m.) and 06:00 (6 a.m.), according to the time on the Filtering Service machine.

Filtering Service selects a random time during this period to contact the Master Database server. To configure alerts for download failures, see Configuring system alerts, page 403.

Any time Filtering Service is restarted, it checks for available Master Database updates. The update may begin immediately, rather than waiting for the defined period.

Note

After downloading the Master Database, or updates to it, CPU usage can reach 90% while the database is loaded into local memory.

4. Select Use proxy server or firewall if Filtering Service must access the Internet through a proxy server or a proxying firewall to download the Master Database. Then provide:

The IPv4 address or hostname of the proxy server or firewall.

The Port through which the database download must pass (8080, by default).

5. If the proxy server or firewall configured above requires authentication to reach the Internet, select Use authentication, and then enter the User name and Password that Filtering Service should use to gain Internet access.

Note

If Use authentication is selected, the proxy server or firewall must be configured to accept clear text or basic authentication to enable Master Database downloads.

By default, the user name and password are encoded to match the character set for the Policy Server machine’s locale. This encoding can be configured manually via the Settings > General > Directory Services page (see Advanced directory settings, page 81).

What is WebCatcher?

WebCatcher is an optional feature that collects unrecognized and security-related URLs, and submits them to Websense Security Labs. Uncategorized URLs are reviewed for categorization, and security-related URLs are analyzed for what they can reveal about active Internet threats. (Full URL logging is not required for WebCatcher processing.) The results of the analysis are used to update the Master Database, resulting in improved performance.

Note

In an environment with multiple Web Security Log Server instances, WebCatcher is enabled only once, on the Settings > General > Accounts page in Web Security manager.

The information sent to Websense Security Labs contains only URLs and does not include user information. For example:

<URL HREF="http://www.ack.com/uncategorized/" CATEGORY="153"

IP_ADDR="200.102.53.105" NUM_HITS="1" />

The IP address in the example reflects the address of the machine hosting the URL, not the requestor’s IP address.

Beginning with 7.8.4, information sent by WebCatcher will include IPv6 addresses.

Note

Intranet sites are not sent by WebCatcher. This includes all sites with IP addresses in the 10.xxx.xxx.xxx, 172.16.xxx.xxx, and 192.168.xxx.xxx ranges.

WebCatcher data is sent to Websense, Inc., via HTTP post. You may need to create roles or make other changes on your proxy server or firewall to permit the outgoing HTTP traffic.
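The following is an added example, not part of the Websense manual or product: a Python review of the locally saved WebCatcher copies that checks each record against the statements above (intranet ranges are not sent; records contain only URLs). It assumes the saved files contain `<URL ... />` records with the attribute names shown in the manual's sample; the sample data, the finding labels, and the extra internal ranges are constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Ranges the manual says WebCatcher never sends (10.x, 172.16.x, 192.168.x).
LISTED_INTRANET = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/16")]
# Internal address space the manual does not list (assumption: a reviewer
# still wants to see it): rest of RFC 1918 172.16/12, loopback, link-local,
# and IPv6 unique-local, since 7.8.4 records may carry IPv6 addresses.
OTHER_INTERNAL = [ipaddress.ip_network(n) for n in
                  ("172.16.0.0/12", "127.0.0.0/8", "169.254.0.0/16",
                   "fc00::/7", "fe80::/10", "::1/128")]

# Match individual records so no assumption is made about the file's root element.
RECORD_RE = re.compile(r"<URL\b[^>]*/>")

# Constructed sample. Only the first record is the manual's own example.
SAMPLE = """\
<URL HREF="http://www.ack.com/uncategorized/" CATEGORY="153" IP_ADDR="200.102.53.105" NUM_HITS="1" />
<URL HREF="http://wiki.corp.example/reviews?user=jdoe" CATEGORY="153" IP_ADDR="172.20.4.9" NUM_HITS="3" />
<URL HREF="http://build.corp.example/" CATEGORY="153" IP_ADDR="10.1.2.3" NUM_HITS="1" />
<URL HREF="http://svc.example/" CATEGORY="153" IP_ADDR="fd12:3456::5" NUM_HITS="2" />
<URL HREF="http://bob:pw@files.example/" CATEGORY="153" IP_ADDR="not-an-ip" NUM_HITS="1" />
<URL HREF="http://shop.example/?a=1&b=2" CATEGORY="153" IP_ADDR="198.51.100.7" NUM_HITS="1" />
"""


def classify_ip(value):
    """Return a finding label for the hosting IP, or None if it looks public."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "unparsable-ip"
    if any(ip in net for net in LISTED_INTRANET):
        return "listed-intranet-range"
    if any(ip in net for net in OTHER_INTERNAL):
        return "internal-unlisted-range"
    return None


def audit(text):
    """Return (href_or_raw_record, [findings]) for every record worth a look."""
    results = []
    for match in RECORD_RE.finditer(text):
        raw = match.group(0)
        try:
            elem = ET.fromstring(raw)
        except ET.ParseError:
            # For example, an unescaped '&' in the URL: flag it, do not skip it.
            results.append((raw, ["malformed-record"]))
            continue
        href = elem.get("HREF", "")
        findings = []
        ip_finding = classify_ip(elem.get("IP_ADDR", ""))
        if ip_finding:
            findings.append(ip_finding)
        parts = urlsplit(href)
        if parts.username or parts.password:
            findings.append("url-credentials")
        if parts.query:
            # Query strings can carry user identifiers even in a URL-only record.
            findings.append("url-query-string")
        if findings:
            results.append((href, findings))
    return results


if __name__ == "__main__":
    for item, findings in audit(SAMPLE):
        print(", ".join(findings), "->", item)
```
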

Websense Technical Support

Technical information about Websense software and services is available 24 hours a day at support.websense.com, including:

the searchable Websense Knowledge Base (made up of a Solution Center, Technical Library, and customer forums)

Webinars and show-me videos

product documents and in-depth technical papers

answers to frequently asked questions

For additional questions, click the Contact Support tab at the top of the page.

The contact page includes information for finding solutions, opening an online support case, and calling Websense Technical Support.

For faster phone response, please use your Support Account ID, which you can find in the Profile section at MyWebsense.

For telephone requests, please have ready:

Websense subscription key

Access to the management console for your solutions (for example, the TRITON console, Appliance manager, Content Gateway manager)

Access to the machine running reporting tools and the database server (Microsoft SQL Server or SQL Server Express)

Familiarity with your network’s architecture, or access to a specialist

2 The Web Security Dashboard

The Threats tab of the Status > Dashboard page appears first when you log on to the TRITON console and connect to the Web Security manager. It shows information about suspicious activity that may be related to malware threats in your network.

The type of information and level of detail shown depends on your subscription level. Web Security Gateway or Web Security Gateway Anywhere is required, for example, to display information about outbound threats and to provide detailed forensic data about the threats. See Threats dashboard, page 35.

Dashboard elements are visible to Super Administrators and those delegated administrators with permission to view reports on the Web Security Dashboard (see Editing roles, page 354).

Delegated administrator access to the Risks, Usage, and System dashboards is configured separately from Threats dashboard access.

Delegated administrators with Threats dashboard access can also be granted permission to view forensics details associated with advanced malware threats.

See Reviewing threat-related forensic data, page 41.

The first time an administrator logs on to the Web Security manager, then navigates away from the dashboard, the Save and Deploy button activates. This happens regardless of whether any changes were made, in order to save default dashboard settings for each administrator account.

After the initial defaults are saved, navigating away from the dashboard activates the Save and Deploy button only when charts are added, removed, or edited.

The dashboard includes 3 additional tabs:

Risks shows information about blocked and permitted requests for URLs that fall into the Security Risk class. The amount of information depends on your subscription level. See Risks dashboard, page 42.

Usage shows information about traffic patterns in your network, including bandwidth information and summaries of blocked and permitted requests. See Usage dashboard, page 43.

System shows alert messages, status information, and graphical charts that show the current state of your deployment, focusing on Internet activity in your network. See System dashboard, page 43.

The Risks, Usage, and System dashboards can each display up to 12 elements (charts, status summaries, or counters) at a time. Most dashboard charts can be customized to change their time period (today, last 7 days, last 30 days, and so on) and their display format (stacked column, stacked area, multi-series line, and so on). You can include multiple versions of the same chart on a tab (for example, showing different time periods).

Dashboard elements are updated every 2 minutes.

All elements on a tab are also updated when any element on the tab is modified.

For example, if the time period for one chart is changed, data is refreshed in all of the elements on the page.

The available set of dashboard elements depends on your subscription type.

Charts related to the hybrid service, for example, are available only for Web Security Gateway Anywhere.

To add an element to the tab, click Add Charts, then see Adding elements to a dashboard tab, page 44, for instructions.

To remove an element from the tab, click the Options icon in the element title bar, then select Remove.

To access all editing options for an element, click the Options icon in the element title bar, then select Edit.

Clicking a pie, bar, or line chart typically opens an investigative report with more details. Some security-related charts link instead to the Threats dashboard.

Up to 4 buttons appear in the dashboard toolbar:

Database Download, available to Super Administrators only, shows Master Database download status and provides the option to initiate or interrupt a download. See Review Master Database download status, page 389.

Status Monitor releases the current administrator’s policy permissions and enters a monitoring mode that allows access to the following pages without timing out:

Status > Dashboard

Status > Alerts

Reporting > Real-Time Monitor

See Web Security Status Monitor mode, page 47.

Add Charts allows administrators to customize their view of the selected dashboard tab by adding elements to the page. See Adding elements to a dashboard tab, page 44.

Print opens a secondary window with a printer-friendly version of the charts displayed on the page. Use browser options to print the page.

Beginning with 7.8.4, IPv6 addresses are included on dashboard charts.

Threats dashboard

Related topics:

The Web Security Dashboard, page 33

Investigate threat event details, page 37

How severity is assigned to suspicious activity, page 39

Reviewing threat incident details, page 39

Reviewing threat-related forensic data, page 41

Use the Threats tab of the Web Security Dashboard to monitor and investigate suspicious activity in your network.

Web Security Gateway or Web Security Gateway Anywhere is required to display information about outbound threats and to provide detailed forensic data about the threats.

You cannot add elements to, nor remove elements from, the Threats dashboard.

The initial view of the Threats dashboard shows:

Top Security Destinations shows the top countries to which suspicious traffic is being sent, or in which sites associated with suspicious activity are hosted.

Security Events by Type shows the number of blocked requests, permitted requests, or both for sites (destinations) in the top security categories associated with malware threats.

Suspicious Event Summary lists information about threat-related events in your network.

A Status control in the top, right corner of the tab indicates whether Threats data is being updated automatically.

If the status is Running, click Pause to prevent data from being updated while you examine current results.

If the status is Paused, click Start to update the dashboard with any new data collected while updates were halted.

Additional controls at the top of the tab let you restrict the information in the charts and summary table to the specified:

Time period (Today, 7 days, 30 days, and so on)

Date details under the drop-down list shows the start date and time used to calculate the selected period.

Configure the maximum time period available on the Settings > Reporting > Dashboard page (see Configuring Dashboard reporting data, page 443).

With Microsoft SQL Server Express, the maximum time period is 30 days, and cannot be changed.

Severities (Critical, High, Medium, or Low)

Click the Severity Mapping link for more information about the categories associated with each severity level.

Action (All, Permitted, or Blocked)

Direction (All, Inbound, or Outbound)

You can also use the Top Event Destinations map and Security Events by Category chart to further refine the information that appears in the summary table at the bottom of the page.

Click a dot on the map to display only traffic associated with that country in the Suspicious Event Summary table.

The size of the dot reflects the number of incidents associated with that country.

Hover over a dot to see a tooltip showing the country name. (Hovering over a blue area without a dot displays the name of the continent.)

Click a category in the chart to display only traffic associated with that category in the table.

Each category is represented by a different color in the chart; hover over a bar or segment in the chart to see a tooltip showing the category name.

By default:

The Top Event Destinations map shows the top 20 countries from which suspicious activity originates, or to which suspicious traffic is being sent.

The Security Events By Category chart shows the top 5 categories associated with suspicious activity in the network, displayed in stacked column format.

To modify the information in the map or the chart:

Click the Options icon, then select Edit.

Use the Top list (both elements) or Chart type list (Security Events by Category chart) to update the display.

Changing the “top” value or chart type does not affect the information displayed in the summary table.

The Suspicious Event Summary table offers a variety of options to help you identify specific events to investigate.

Use the Search box to find events for a user name, IP address, or hostname (if available; requires Content Gateway).

To stop filtering the table based on the term in the Search box, click Clear.

Each of the filters (time, severity, action, direction, country, category) currently applied to the summary table is listed. Clear the check box next to a filter to remove it and expand the information shown in the table.

Click a user name, IP address or hostname (if available) to see a detailed report. See Investigate threat event details, page 37.

The Suspicious Event Summary can be customized to show or hide any of the following columns. The columns displayed by default are marked with an asterisk (*).

Column: Description

Severity*: Indicated by an “S” icon with a blue background. Shows the severity (Critical, High, Medium, or Low) assigned to the event.

Forensics*: Indicated by a magnifying glass icon. Indicates whether the event included an attempt to send files. Web Security Gateway or Gateway Anywhere only.

User*: The user name (if any) associated with the activity.

IP address: The IP address of the machine on which the activity occurred.

Device*: The name of the machine on which the activity occurred. Web Security Gateway or Gateway Anywhere only.

Category*: The Master Database category assigned to the activity.

Last Attempt*: The timestamp of the most recent event sharing all of the characteristics displayed in the row.

Country*: Indicated by the abbreviation “CC” (for country code). Shows the 2-letter country code for the event destination (target). If more than one destination is associated with an event, “Multiple” is displayed.

Direction: Whether the suspicious activity involved inbound or outbound traffic. Outbound threat detection requires Web Security Gateway or Gateway Anywhere.

Incidents*: The number of incidents sharing all of the characteristics displayed in the row except for “Last Attempt.”

To add columns to the chart, or to remove columns, click the Customize link above the table. Mark or clear the check box next to a column name to add or remove the column from the table.

To export the contents of the table to a CSV file, click Export to CSV. Select the time period for which to export event data, then click Export.
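The Incidents and Last Attempt descriptions above define each summary row as an aggregate over events that share the displayed characteristics. The following Python is an added example, not Websense code: it applies the dashboard's severity, action and direction filters and then that aggregation to a few constructed events. The field names, sample values and row ordering are assumptions, and reading "characteristics displayed" as "currently visible columns" is this example's interpretation of the column descriptions.

```python
from datetime import datetime

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low")
# Subset of the columns the page marks (*) as displayed by default.
DEFAULT_COLUMNS = ("severity", "user", "device", "category", "country")

# Constructed sample events. Field names and values are assumptions made for
# this example; they are not the product's log or CSV export schema.
EVENTS = [
    {"time": "2014-03-01 09:15:00", "severity": "Critical", "user": "jdoe",
     "ip": "10.0.0.12", "device": "WS-012", "category": "Spyware",
     "countries": ["DE"], "direction": "Outbound", "action": "Blocked"},
    {"time": "2014-03-01 09:47:00", "severity": "Critical", "user": "jdoe",
     "ip": "10.0.0.12", "device": "WS-012", "category": "Spyware",
     "countries": ["DE"], "direction": "Outbound", "action": "Blocked"},
    {"time": "2014-03-01 10:02:00", "severity": "Critical", "user": "jdoe",
     "ip": "10.0.0.12", "device": "WS-012", "category": "Spyware",
     "countries": ["DE", "BR"], "direction": "Outbound", "action": "Blocked"},
    {"time": "2014-03-01 08:30:00", "severity": "High", "user": "asmith",
     "ip": "10.0.0.44", "device": "WS-044", "category": "Malicious",
     "countries": ["US"], "direction": "Inbound", "action": "Permitted"},
    {"time": "2014-03-01 11:20:00", "severity": "High", "user": "asmith",
     "ip": "10.0.0.45", "device": "WS-045", "category": "Malicious",
     "countries": ["US"], "direction": "Inbound", "action": "Permitted"},
]


def country_label(countries):
    """Return the single country code, or "Multiple" for several destinations."""
    unique = set(countries)
    if len(unique) > 1:
        return "Multiple"
    return next(iter(unique), "")


def apply_filters(events, severities=None, action="All", direction="All"):
    """Mirror the dashboard's Severities, Action and Direction controls."""
    kept = []
    for ev in events:
        if severities is not None and ev["severity"] not in severities:
            continue
        if action != "All" and ev["action"] != action:
            continue
        if direction != "All" and ev["direction"] != direction:
            continue
        kept.append(ev)
    return kept


def summarize(events, columns=DEFAULT_COLUMNS):
    """Group events on the visible columns; count them and keep the latest time."""
    groups = {}
    for ev in events:
        shown = dict(ev, country=country_label(ev["countries"]))
        key = tuple(shown[c] for c in columns)
        when = datetime.strptime(ev["time"], TIME_FORMAT)
        count, last = groups.get(key, (0, when))
        groups[key] = (count + 1, max(last, when))

    rows = []
    for key, (count, last) in groups.items():
        row = dict(zip(columns, key))
        row["incidents"] = count                           # "Incidents" column
        row["last_attempt"] = last.strftime(TIME_FORMAT)   # "Last Attempt" column
        rows.append(row)

    # Ordering is this example's choice: most severe first, then most recent.
    rows.sort(key=lambda r: r["last_attempt"], reverse=True)
    rows.sort(key=lambda r: SEVERITY_ORDER.index(r.get("severity", "Critical")))
    return rows


if __name__ == "__main__":
    for row in summarize(apply_filters(EVENTS, action="Blocked")):
        print(row)
```

With the sample data, hiding the Device and Country columns collapses four rows into two, which is why incident counts change when the table is customized under this reading.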

Investigate threat event details

Web Security Help | Web Security Solutions | Version 7.8.x

Use the Dashboard > Threats > Event Details page to research suspicious activity incidents. The page can show incidents related to:

A specific user name, IP address, or device, selected from the Suspicious Event Summary table on the Threats dashboard. (Device name information is provided by Content Gateway, and is not available when other integrations are used.)

A specific severity level, selected by clicking the link in a suspicious activity alert email notification (see Configuring suspicious activity alerts, page 408).

At the top of the page, a table lists each incident associated with the selected user, IP address, hostname, or severity level. The table shows 10 rows of data per page.

Use the Search field to narrow results to a specific incident or group of related incidents. Click Clear to remove the search filter.

Refer to the information on the top, right portion of the page to see the time period covered in the table, and when the table was last updated.

Click Customize in the toolbar at the top of the content pane to change the columns shown in the table. The detail table has the same column options as the summary table on the Threats dashboard.

Click a row in the table to update the bottom portion of the page with additional details about the selected incident, its associated threats, and the detection methods used (see Reviewing threat incident details, page 39).

The incident details section includes a link to Websense ACEInsight. Use this link to view current information about the URL and threats associated with the incident.

If there are more than 10 incidents, use the paging controls at the bottom of the table to navigate through the data.

In Web Security Gateway and Gateway Anywhere environments, files associated with attempts to either infect your network or send sensitive data out of your network may be captured. File-related data is referred to collectively as forensic data, and it is stored in a special database, called the forensics repository.

Forensics capture and storage is enabled by default.

Configure forensics capture and storage on the Settings > Reporting > Dashboard page (see Configuring Dashboard reporting data, page 443).

When forensics capture is enabled and there are files (like spreadsheets, documents, or compressed files) associated with an incident, an icon appears in the Forensics column of the Event Details table. When you select an incident that includes forensics data, information about the file or files associated with the incident is displayed in the Forensic Data section of the page (see Reviewing threat-related forensic data, page 41).

Warning

Use caution when opening a file associated with a threat incident. If the file is infected with malware, it could infect the machine you use to investigate the incident.

Note also that captured files could contain highly sensitive data.

If a user agent header was captured for the incident, the User Agent String field includes a link that you can use to Search for other instances of the user agent. Click the link to see results on the Search tab of the Reporting > Applications page. See Application reporting, page 178, for more information about application reports and user agents.

To export event information to a CSV file, click Export in the toolbar at the top of the content pane. All threat-related events logged in the selected time period are exported, not just those for the user, IP address, hostname, or severity level currently displayed on the page.

How severity is assigned to suspicious activity

The Websense Master Database assigns a severity level to threat-related events based on the category assigned to the request.

Severity levels are mapped to categories in the Websense Master Database, and may change when the Master Database is updated.

Websense Web Filter and Websense Web Security subscriptions do not include some or all categories with High and Critical severity levels. These categories may appear on the Threats dashboard, but cannot be managed in category filters.

Click the Severity Mapping link near the top of the Threats dashboard for a current list of the categories that have an associated severity ranking. The list indicates any categories that are not available for filtering with your subscription.

Reviewing threat incident details

When an administrator selects an incident in the table at the top of the Threats > Event Details page, the area below the table is populated with all available details about the incident. The available details may vary based on:

What type of incident occurred. For example:

An outbound request for a URL that is assigned to a blocked category by the Master Database is unlikely to include a threat name, intent, or type, because the request is blocked before Content Gateway analysis occurs.

A request that does not include an attempted file transfer does not include forensic data.

The integration providing Internet request information to Filtering Service. For example:

Only Content Gateway passes hostname, threat name, threat intent, threat type, and scanning category information.

Not all integrations pass protocol, method, or content type information.

Whether any file transfer attempts were associated with the incident. (Only Content Gateway provides this type of forensic data.) See Reviewing threat-related forensic data, page 41.

The following incident details may be displayed on the page:

Field: Description

Severity: Critical, High, Medium, or Low. See How severity is assigned to suspicious activity, page 39.

Category: The Master Database or custom category assigned to the destination URL.

Threat Name: The name associated with the malicious software, bot traffic, or other threat activity (if applicable).

Threat Intent: What the threat would attempt to do (log keystrokes, open a back door into the network, and so on).

Platform: The operating system targeted by the threat (Windows, Android, and so on).

Threat Type: The classification of the malicious software (Trojan, worm, advanced persistent threat, and so on).

Action: The action assigned to the request (Permit or Block).

Reason: The reason the permit or block action was applied (for example, the category assigned to the URL).

Incident Time: The date and time the incident occurred.

ACEInsight Link: A link to ACEInsight.com to enable further research on the URL or threat.

User: The user requesting the URL (if a user is identified).

Source IP Address: The IP address from which the request originated.

Device: The name of the machine from which the request originated (requires Content Gateway; when a hostname is not available, the source IP address is repeated).

Destination IP Address: The IP address of the requested URL.

Port: The port used to communicate with the requested URL.

Protocol: The protocol used to request the URL.

Direction: Whether the incident involved an inbound or outbound connection.

Method: Whether the request was a GET or a POST.

Content Type: The value reported in the “Content-Type” field of the HTTP header associated with the request (for example, text/html, image/gif, or application/javascript).

Bytes Sent: The number of bytes sent out from the source machine.

Bytes Received: The number of bytes returned by the target (destination) URL. If the request was blocked, this is 0.

Country: The country hosting the destination URL.

Full URL: The full URL (domain, path, CGI string, and file) of the target site.

Active Policy: The policy used to manage the request.

Database Category: The category assigned to the request by the Websense Master Database.

Scanning Category: The category assigned to the request by Content Gateway analysis (may match the Master Database category).

Role: The delegated administration role responsible for the policy used to manage the request.

Reviewing threat-related forensic data

When an administrator selects an incident on the Threats > Event Details page that includes forensic data, the Forensic Data area below the table is populated with details about the attempted file transfer. Forensic details include:

Field: Description

Source: The user or IP address making the request.

Destination: The IP address of the target machine.

Data Security Incident ID: The Websense Data Security ID number associated with the incident. Can be used to further investigate the incident in the Data Security manager (requires Web Security Gateway Anywhere or a Websense Data Security solution).

Files: The name and size of the file or files associated with the incident. The file name is a link that can be used to open the actual file. WARNING: Use caution when opening a captured file. The file might contain malware that could infect the machine used for investigation. The file could also contain sensitive data.

Parameters and Body: Shows CGI parameters and HTML body details for the request used to send or retrieve the file. The number of parameters and the details included in the body of the request may vary widely from incident to incident.

Risks dashboard

Related topics:

System dashboard, page 43

Threats dashboard, page 35

Usage dashboard, page 43

Adding elements to a dashboard tab, page 44

Use the Risks tab of the Web Security Dashboard to monitor permitted and blocked requests for URLs in the Security Risk class. By default, the following charts are displayed:

30-Day Risk Trends shows blocked request trends for specific security and legal liability categories over a 30-day period that includes today. When you click a spark line:

For security-related categories (like Malicious), the Threats dashboard is displayed to allow further investigation.

For other categories (like Adult), an investigative report with more detailed information is displayed.

Clients with Security Risks shows which computers have accessed Security Risk sites. You may want to check these machines to make sure they are not infected with any viruses or spyware.

Top Security Risk Categories shows which Security Risk categories have received the most requests to help you determine whether your current policies are providing the right protection for your network.

Risk Classes shows how many requests to each risk class have been permitted and blocked (see Risk classes, page 55) to help you evaluate whether the current policies are effective.

Top Uncategorized shows which URLs not categorized by the Websense Master Database have been accessed most. Go to Filter Components > Edit Categories to assign a URL to a category.

(Web Security Gateway and Gateway Anywhere) Analytics: Security Risks shows how many requests were assigned to new categories by Content Gateway analysis because the content had been changed or the site was compromised.

Click any chart on the page to open an investigative report with more detailed information.

Usage dashboard

Related topics:

System dashboard, page 43

Risks dashboard, page 42

Threats dashboard, page 35

Adding elements to a dashboard tab, page 44

Use the Usage tab of the Web Security dashboard to monitor general Internet activity trends for your organization. By default, the following charts are displayed:

Top Blocked Users shows which users have requested the most blocked sites.

Top Requested Categories shows the categories that are being accessed most to provide a high-level overview of potential security, bandwidth, or productivity concerns. Click the chart to see an investigative report with more detailed information.

Enforcement Summary provides an overview of recently permitted requests, blocked requests for sites in the Security Risk class, and other blocked requests.

(Web Security Gateway and Gateway Anywhere) Web 2.0 Categories shows the top categories assigned to requested Web 2.0 URLs, measured by requests.

(Web Security Gateway and Gateway Anywhere) Web 2.0 URL Bandwidth shows the Web 2.0 URLs using the most bandwidth.

(Web Security Gateway and Gateway Anywhere) Analytics: Top Categories shows the top categories to which requested URLs were assigned after scanning determined that they no longer fit their original category.

Click any chart or element except the 30-Day Activity Summary to open an investigative report with more detailed information.

System dashboard

Related topics:

Threats dashboard, page 35

Risks dashboard, page 42

Usage dashboard, page 43

Adding elements to a dashboard tab, page 44

Use the System tab of the Web Security Dashboard to monitor the status of your deployment. By default, the following dashboard elements are displayed:

Health Alert Summary shows component alert and status messages. If an error or warning appears in the summary, click the alert message to open the Alerts page, where more detailed information is available (see Reviewing current system status, page 409).

Information in the Health Alert Summary is updated every 30 seconds.

User Activity: Zoom Trend shows the volume of Internet requests processed into the Log Database in the selected time period.

Click and drag the cursor to select a section of the chart for closer examination. This can be done multiple times to select increasingly narrower time periods for review.

At maximum zoom, a data point is shown for each 10 minute period (for example, 12:00:00, 12:10:00, 12:20:00).

When the chart's default (macro) view is shown, each data point may be based on sampling of multiple 10-minute interval data points within the selected area of the chart. As a result, the numbers shown in the macro view may not correlate exactly to the numbers shown when the chart is zoomed in.

Click Zoom Out to return to the previous level of focus.

Click Reset Chart to return to the default level of detail.

Protocol Bandwidth Use shows which protocols are using the most bandwidth in your network.

Filtering Service Status shows the status of each Filtering Service associated with the current Policy Server.

Click the Filtering Service IP address to see more information about that Filtering Service instance, including its Network Agent and Content Gateway connections. See Review Filtering Service details, page 389.

(Web Security Gateway Anywhere) Hybrid Bandwidth Summary shows the bandwidth consumed by Internet requests managed by the hybrid service.

(Web Security Gateway Anywhere) Hybrid Requests shows how many requests by users from your organization were permitted and blocked by the hybrid service.

Adding elements to a dashboard tab

Use the Status > Dashboard > Add Chart page to add elements to the Risk, Usage, or System dashboard.

Note that you can neither add elements to nor remove elements from the Threats dashboard.

To start, use the Add elements to tab drop-down list to select a tab, then select the element that you want to add from the Dashboard Elements list.

You can add an element to any tab.

Each tab can show a maximum of 12 elements.

Elements currently displayed on the selected tab are marked by a blue circle icon.

You can add multiple copies of the same element to a tab (for example, each might show a different time period).

When you select an element in the list, a sample is displayed in the Preview pane. You can use the preview pane to make changes to the chart Name and, if applicable, Chart type, Time period, and Top value (for example, top 1-5 categories, or top 16-20 users).

Chart type: Many charts can be displayed as a multi-series bar, column, or line chart, or as a stacked area or column chart. Some can be displayed as bar, line, or pie charts. Which types are available depends on the data being displayed.

Time period: Most charts can display a variable time period: Today (the period since midnight of the current day), the last 7 days, or last 30 days. If the maximum time period for dashboard charts is extended, charts may also be able to show the last 180 or 365 days.

With Microsoft SQL Server Express, the maximum time period for dashboard charts is 30 days, and cannot be changed.

Using the default maximum time period (30 days) may improve dashboard performance.

See Configuring Dashboard reporting data, page 443, for information about extending the time period for dashboard charts.

Top: Charts displaying information about the top users, categories, URLs, and so on can display up to 5 values. Select whether to show the top 5 values, 6-10 values, 11-15 values, or 16-20 values.

When you are finished making changes, click Add. The dashboard tab is updated immediately.

If you have been editing a chart and would like to start over, click Restore Defaults to reset the chart to its default time period, type, and top value (if any).

Two dashboard elements do not appear on any tab by default, but are available to be added:

30-Day Value Estimates provide a way to estimate time and bandwidth savings afforded by your web security software over a 30-day period that includes today.

Mouse over the Time or Bandwidth item (under Saved) for an explanation of how the estimate was calculated (see Time and bandwidth saved, page 46). The calculation can be customized on the Add Charts page.

Activity Today provides examples of how your web security software has protected your network today. Depending on your subscription type, this may show information about Malicious, Adult, and Spyware sites blocked, and about sites scanned or scanned and recategorized by Content Gateway.

This element also shows the total number of Internet requests handled so far today, the total number of requests blocked, and the number of real-time database updates processed.

Time and bandwidth saved

Websense web security solutions can help minimize the time and bandwidth lost to unproductive Internet activity.

Value Estimates are not displayed by default, but can be added to the Web Security Dashboard to present an estimate of these time and bandwidth savings. These values are calculated as follows:

Time saved: multiply the typical time taken per visit by the sites blocked.

Initially, a default value is used for the average number of seconds that a user spends viewing a requested website. The sites blocked value represents the total number of requests blocked during the available time period (up to the maximum time period configured on the Settings > Reporting > Dashboard page).

Bandwidth saved: multiply the typical bandwidth per visit by the number of sites blocked. Initially, a default value is used for the average number of bytes consumed by the average website. The sites blocked value represents the total number of requests blocked during the available time period (up to the maximum time period configured on the Settings > Reporting > Dashboard page).

After adding the chart to a dashboard, hover the mouse over a counter to see how the value is currently being calculated.

To change the numbers used in the calculation, mouse over the Options icon in the chart’s toolbar and select Edit. On the Edit page, you can enter new average time and bandwidth measurements to use as the basis for the calculation:

Option: Description

Average seconds saved per blocked page: Enter the average number of seconds that your organization estimates a user spends viewing individual pages. This value is multiplied by the number of pages blocked to determine the time savings shown.

Average bandwidth [KB] saved per blocked page: Enter an average size, in kilobytes (KB), for pages viewed. This value is multiplied by the number of pages blocked to determine the bandwidth savings shown.

When you are finished making changes, click OK to return to the dashboard.

Web Security Status Monitor mode

For security purposes, a TRITON console session ends after 30 minutes of inactivity.

You can, however, enter a Status Monitor mode that lets you monitor Internet activity and alerting data without timing out.

You must log off of other TRITON management modules to enter Status Monitor mode in the Web Security manager.

In Status Monitor mode, information on the Status > Dashboard, Status > Alerts, Status > Deployment, and Reporting > Real-Time Monitor pages continues to update normally until you close the browser or log off.

To initiate Status Monitor mode, first save or discard any pending changes, then:

Select Status Monitor mode from the Role drop-down list in the Web Security toolbar.

Click the Status Monitor button in the toolbar at the top of the Status > Dashboard or Status > Alerts page.

To stop monitoring Web Security status, log off of the TRITON console or close the browser.

3

Internet Usage Filters

Related topics:

Managing access to categories and protocols, page 50

Working with filters, page 61

Configuring filtering settings, page 69

Internet Access Policies, page 91

Refine Web Security Policies, page 261

Policies govern user Internet access. A policy is a schedule that determines how and when clients are able to access websites and Internet applications. At their simplest, policies consist of:

Category filters, used to apply actions (permit, block) to website categories

Protocol filters, used to apply actions to Internet applications and non-HTTP protocols

Note

In Websense Web Security Gateway Anywhere environments, the hybrid service does not enforce protocol filters.

A schedule that determines when each filter is enforced

Policies let you assign varying levels of Internet access to clients (for example, users, groups, or IP addresses in your network). First, create filters to define precise Internet access restrictions, and then use the filters to construct a policy.

In a first-time installation, the Default policy is used to monitor Internet requests as soon as a subscription key is entered (see The Default policy, page 92). Initially, the Default policy permits all requests.

Note

When you upgrade from an earlier Websense Web Security version, existing policy settings are preserved. After upgrading, review your policies to ensure that they are still appropriate.

To apply different levels of access to different clients, start by defining category filters. You might define:

One category filter that blocks access to all websites except those in the Business and Economy, Education, and News and Media categories

A second category filter that permits all websites except those that represent a security risk and those containing adult material

A third category filter that monitors access to websites without blocking them (see Creating a category filter, page 62)

To accompany these category filters, you might define:

One protocol filter that blocks access to Instant Messaging and Chat, P2P File Sharing, Proxy Avoidance, and Streaming Media protocol groups.

A second protocol filter that permits all non-HTTP protocols except those associated with security risks and proxy avoidance

A third protocol filter that permits all non-HTTP protocols (see Creating a protocol filter, page 65)

Once you have defined a set of filters that correspond to your organization’s Internet access regulations, you can add them to policies and apply them to clients (see Internet Access Policies, page 91).

Managing access to categories and protocols

Related topics:

When a category or protocol is blocked, page 52

New Master Database categories and protocols, page 52

Special categories, page 53

Risk classes, page 55

Security protocol groups, page 58

The Websense Master Database organizes similar websites (identified by URLs and IP addresses) into categories. Each category has a descriptive name, like Adult Material, Gambling, or Peer-to-Peer File Sharing. You can also create your own, custom categories to group sites of particular interest to your organization (see Creating a custom category, page 271). Together, the Master Database categories and user-defined categories form the basis for Internet access management.

Websense, Inc., does not make value judgments about categories or sites in the Master Database. Categories are designed to create useful groupings of the sites of concern to subscribing customers. They are not intended to characterize any site or group of sites or the persons or interests who publish them, and they should not be construed as such. Likewise, the labels attached to Websense categories are convenient shorthand and are not intended to convey, nor should they be construed as conveying, any opinion or attitude, approving or otherwise, toward the subject matter or the sites so classified.

The up-to-date list of Master Database categories is available at: websense.com/global/en/ProductsServices/MasterDatabase/URLCategories.php

To suggest that a site be added to the Master Database, or that a site be moved from one category to another, go to support.websense.com and click Site Lookup Tool.

You are prompted to log on to MyWebsense, then given access to the tool, which allows you to verify the current category assigned to a site and request a new category.

When you create a category filter, you choose which categories to block and which to permit.

In addition to housing URL categories, the Websense Master Database includes protocol groups used to manage non-HTTP Internet traffic. Each protocol group defines similar types of Internet protocols (like FTP or IRC) and applications (like MSN Messenger or BitTorrent). The definitions are verified and updated as frequently as nightly.

As with categories, you can define custom protocols for use in policies.

The up-to-date list of Master Database protocols is available at: websense.com/global/en/ProductsServices/MasterDatabase/ProtocolCategories.php

When you create a protocol filter, you choose which protocols to block and which to permit.

Note

In Websense Web Filter and Web Security deployments, Network Agent must be installed to enable protocol-based policy enforcement.

With Websense Web Security Gateway and Gateway Anywhere, it is possible to filter non-HTTP protocols that tunnel over HTTP ports without using Network Agent. See Tunneled protocol detection, page 194, for more information.

The Websense Web Security Gateway Anywhere hybrid service does not enforce protocol filters.

Some Websense-defined protocols allow blocking of outbound Internet traffic destined for an external server—for example, a specific instant messaging server.

Only Websense-defined protocols with dynamically-assigned port numbers can be blocked as outbound traffic.

When a category or protocol is blocked

When a user requests a URL in a blocked category, the browser displays a block page, rather than displaying the requested site. The block page is a customizable HTML page with a brief explanation of why the requested URL has been blocked.

See Block Pages, page 117, for a detailed description of the block page, along with information about customizing block pages.

When a user attempts to use an application that relies on a blocked protocol (for example, a chat or torrent program), no blocking message is displayed. The application may display an error message, or it may simply appear to hang.

To minimize error reports from users who are attempting to access blocked protocols, make sure that users understand which applications they are and are not allowed to use on your organization’s equipment.

New Master Database categories and protocols

When new categories and protocols are added to the Master Database, each is assigned a default action, like Permit or Block (see Actions, page 58).

The default action is applied in all active category and protocol filters (see Working with filters, page 61). To change the way the category or protocol is filtered, you can:

Edit each active filter individually. Use this option if you want to give different groups of clients different levels of access to the category or protocol.

Edit the attributes of the category or protocol to apply the same action in all filters. See Making global category changes, page 270, and Making global protocol changes, page 282.

The default action is based on feedback regarding whether or not the sites or protocols in question are generally considered business-appropriate.

You can have a system alert generated whenever new categories or protocols are added to the Master Database. See Alerting, page 401, for more information.

Special categories

The Master Database contains special categories to help you manage specific types of Internet usage. The following categories are available in all Websense Web Security solutions:

The Special Events category is used to classify bandwidth-oriented content related to hot topics to help you manage event-related surges in Internet traffic.

For example, the video pages offering a live stream of the World Cup might generally appear in the Internet Radio and TV category, but be moved to the Special Events category during the World Cup Finals.

Updates to the Special Events category are added to the Master Database during scheduled downloads. Sites are added to this category for a short period of time, after which they are either moved to another category or deleted from the Master Database.

The Productivity category focuses on preventing time-wasting behavior.

Advertisements

Application and Software Download

Instant Messaging

Message Boards and Forums

Online Brokerage and Trading

Pay-to-Surf

The Bandwidth category focuses on saving network bandwidth.

Educational Video

Entertainment Video

Internet Radio and TV

Internet Telephony

Peer-to-Peer File Sharing

Personal Network Storage and Backup

Streaming Media

Surveillance

Viral Video

Websense Web Security, Web Security Gateway, and Web Security Gateway Anywhere include additional security categories:

Security focuses on Internet sites containing malicious code, which can bypass virus-detection software programs.

Advanced Malware Command and Control (requires Content Gateway)

Advanced Malware Payloads (requires Content Gateway)

Bot Networks

Compromised Websites

Custom-Encrypted Uploads (requires Content Gateway)

Files Containing Passwords (requires Content Gateway)

Keyloggers

Malicious Embedded iFrame

Malicious Embedded Link

Malicious Websites

Mobile Malware

Phishing and Other Frauds

Potentially Exploited Documents (requires Content Gateway)

Potentially Unwanted Software

Spyware

Suspicious Embedded Link

Unauthorized Mobile Marketplaces

Extended Protection focuses on potentially malicious websites.

Dynamic DNS includes sites that mask their identity using Dynamic DNS services, often associated with advanced persistent threats.

Elevated Exposure contains sites that camouflage their true nature or identity, or that include elements suggesting latent malign intent.

Emerging Exploits holds sites found to be hosting known and potential exploit code.

Newly Registered Websites

Suspicious Content includes sites likely to contain little or no useful content.

The Extended Protection group filters potentially malicious websites based on reputation. Site reputation is based on early signs of potential malicious activity. An attacker might, for example, target a URL that contains a common misspelling or is otherwise similar to a legitimate URL. Such a site could be used to distribute malware to users before traditional filters can be updated to reflect these sites as malicious.

When Websense security researchers detect that a site includes a potential threat, the site is added to the Extended Protection category until researchers are 100% confident of the site’s final categorization.

Risk classes

Related topics:

Assigning categories to risk classes, page 420

Presentation reports, page 133

Investigative reports, page 155

The Websense Master Database groups categories into risk classes. Risk classes suggest possible types or levels of vulnerability posed by sites in the group of categories.

Risk classes are used primarily in reporting. The Web Security Dashboard includes graphs where Internet activity is displayed by risk class, and you can generate presentation or investigative reports organized by risk class.

Risk classes may also be helpful in creating category filters. Initially, for example, the Basic Security category filter blocks all of the default categories in the Security Risk class. You might use the risk class groupings as a guideline when you create your own category filters, to help decide whether a category should be permitted, blocked, or restricted in some way.

There are 5 risk classes. By default, each risk class contains the categories listed below.

A category can appear in multiple risk classes, or not be assigned to any risk class.

The groupings may be changed periodically in the Master Database. When you receive notice that a new category has been added to the Master Database, it is a good idea to check its default risk class assignment.

Legal Liability

Adult Material (includes Adult Content, Lingerie and Swimsuit, Nudity, Sex)

Bandwidth > Peer-to-Peer File Sharing

Gambling

Illegal or Questionable

Information Technology > Hacking and Proxy Avoidance

Intolerance

Militancy and Extremist

Tasteless

Violence

Weapons

Network Bandwidth Loss

Bandwidth (includes Educational Video, Entertainment Video, Internet Radio and TV, Internet Telephony, Peer-to-Peer File Sharing, Personal Network Storage and Backup, Streaming Media, Surveillance, Viral Video)

Entertainment > Media File Download Services

Productivity > Advertisements, Application and Software Download

Social Web Controls - Facebook > Facebook Video Upload

Social Web Controls - YouTube > YouTube Video Upload

Business Usage

Bandwidth > Educational Video

Business and Economy (includes Financial Data and Services, Hosted Business Applications)

Collaboration - Office (includes Office - Mail, Office - Drive, Office - Documents, and Office - Apps)

Education > Educational Materials, Reference Materials

Government (includes Military)

Social Web Controls - LinkedIn (includes LinkedIn Connections, LinkedIn Jobs, LinkedIn Mail, LinkedIn Updates)

Information Technology (includes Computer Security, Search Engines and Portals, Web Collaboration, Web Translation, Web Analytics, and Web and Email Marketing)

Travel

Vehicles

Security Risk

Bandwidth > Peer-to-Peer File Sharing

Extended Protection (includes Dynamic DNS, Elevated Exposure, Emerging Exploits, Newly Registered Websites, Suspicious Content) [Websense Web Security]

Information Technology > Hacking, Proxy Avoidance, Web and Email Spam

Parked Domain

Productivity > Application and Software Download

Security (includes Bot Networks, Compromised Websites, Keyloggers, Malicious Embedded iFrame, Malicious Embedded Link, Malicious Web Sites, Phishing and Other Frauds, Potentially Unwanted Software, Spyware, Suspicious Embedded Link) [Websense Web Security]

With Web Security Gateway and Gateway Anywhere, Advanced Malware Command and Control, Advanced Malware Payloads, Custom-Encrypted Uploads, Files Containing Passwords, and Potentially Exploited Documents are also included.

Productivity Loss

Abortion (includes Pro-Choice, Pro-Life)

Adult Material > Sex Education

Advocacy Groups

Bandwidth > Entertainment Video, Internet Radio and TV, Peer-to-Peer File Sharing, Streaming Media, Surveillance, Viral Video

Collaboration - Office (includes Office - Mail, Office - Drive, Office - Documents, and Office - Apps)

Drugs (includes Abused Drugs, Marijuana, Prescribed Medications, Nutrition)

Education (includes Cultural Institutions, Educational Institutions)

Entertainment (includes Media File Download Services)

Gambling

Games

Government > Political Organizations

Health

Information Technology > Web and Email Spam, Web Hosting, and Web and Email Marketing

Internet Communication (includes General Email, Organizational Email, Text and Media Messaging, Web Chat)

Job Search

News and Media (includes Alternative Journals)

Parked Domain

Productivity (includes Application and Software Download, Instant Messaging, Message Boards and Forums, Online Brokerage and Trading, Pay-to-Surf)

Religion (includes Non-Traditional Religions, Traditional Religions)

Shopping (includes Internet Auctions, Real Estate)

Social Organizations (includes Professional and Worker Organizations, Service and Philanthropic Organizations, Social and Affiliation Organizations)

Social Web Controls - Facebook (includes Facebook Apps, Facebook Chat, Facebook Commenting, Facebook Events, Facebook Friends, Facebook Games, Facebook Groups, Facebook Mail, Facebook Photo Upload, Facebook Posting, Facebook Questions, Facebook Video Upload)

Social Web Controls - LinkedIn (includes LinkedIn Connections, LinkedIn Jobs, LinkedIn Mail, LinkedIn Updates)

Social Web Controls - Twitter (includes Twitter Follow, Twitter Mail, Twitter Posting)

Social Web Controls - Various (includes Blog Commenting, Blog Posting, Classifieds Posting)

Social Web Controls - YouTube (includes YouTube Commenting, YouTube Sharing, YouTube Video Upload)

Society and Lifestyles (includes Alcohol and Tobacco, Blogs and Personal Sites, Gay or Lesbian or Bisexual Interest, Hobbies, Personals and Dating, Restaurants and Dining, Social Networking)

Special Events

Sports (includes Sport Hunting and Gun Clubs)

Travel

Vehicles

Super Administrators can change the categories assigned to each risk class on the Settings > General > Risk Class page (see Assigning categories to risk classes, page 420).

Security protocol groups

In addition to the Security and Extended Protection categories, Websense Web Security includes two protocol groups intended to help detect and protect against spyware and malicious code or content transmitted over the Internet.

The Malicious Traffic protocol group includes the Bot Networks protocol, aimed at blocking command-and-control traffic generated by a bot attempting to connect with a botnet for malicious purposes.

The Malicious Traffic (Cannot block) protocol group is used to identify traffic that may be associated with malicious software.

Email-Borne Worms tracks outbound SMTP traffic that may be generated by an email-based worm attack.

Other tracks inbound and outbound traffic suspected of connection with malicious applications.

The Malicious Traffic protocol group is blocked by default, and can be configured within your protocol filters (see Editing a protocol filter, page 65). The Malicious Traffic (Cannot block) protocols can be logged for reporting, but no other action can be applied.

Actions

Category and protocol filters assign an action to each category or protocol. This is the action that Websense Web Security solutions take in response to a client’s Internet request. The actions that apply to both categories and protocols are:

Block the request. Users receive a block page or block message, and are not able to view the site or use the Internet application.

Permit the request. Users can view the site or use the Internet application.

Evaluate current Bandwidth usage before blocking or permitting the request. When this action is enabled, and bandwidth usage reaches a specified threshold, further Internet requests for a specific category or protocol are blocked. See Using Bandwidth Optimizer to manage bandwidth, page 284.

Additional actions can be applied only to categories.

Confirm—Users receive a block page, asking them to confirm that the site is being accessed for business purposes. If a user clicks Continue, she can view the site.

Clicking Continue starts a timer. During the configured time period (60 seconds by default), the user can visit other sites in Confirm categories without receiving another block page. Once the time period ends, browsing to any other Confirm site results in another block page.

The default time can be changed on the Settings > General > Filtering page.

Quota—Users receive a block page, asking them whether to use quota time to view the site. If a user clicks Use Quota Time, he can view the site.

Clicking Use Quota Time starts two timers: a quota session timer and a total quota allocation timer.

If the user requests additional quota sites during a default session period (10 minutes by default), he can visit those sites without receiving another block page.

Total quota time is allocated on a daily basis. Once it is used up, each client must wait until the next day to access sites in quota categories. The default daily quota allocation (60 minutes by default) is set on the Settings > General > Filtering page. Daily quota allocations can also be granted to clients on an individual basis. See Using quota time to limit Internet access, page 59, for more information.

Important

In multiple Filtering Service deployments, Websense State Server is required for correct application of the Confirm and Quota actions. See Policy Server, Filtering Service, and State Server, page 391, for more information.

Block Keywords: When you define keywords and enable keyword blocking, users requesting a site whose URL contains a blocked keyword are not allowed to access the site. See Keyword-based policy enforcement, page 272.

Block File Types: When file type blocking is enabled, users attempting to download a file whose type is blocked receive a block page, and the file is not downloaded. See Managing traffic based on file type, page 287.

Using quota time to limit Internet access

When a user clicks Use Quota Time, she can view sites in any quota category until the quota session ends. The default quota session time (configured via the Settings > General > Filtering page) is 10 minutes.

Once the quota session ends, a request for a quota site results in another quota block message. Users who have not depleted their daily quota allocation can start a new quota session.

Once quota time is configured, Filtering Service uses a priority list to determine how to respond when a user requests a site in a quota category. It looks for quota time configured for:

1. The user

2. The computer or network client

3. Groups to which the user belongs

If a user is a member of multiple groups, quota time is allotted according to the Use more restrictive blocking setting on the Settings > General > Filtering page (see Configuring filtering settings, page 69).

4. Default quota time

Internet applets, such as Java or Flash applets, may not respond as expected to quota time restrictions. Even if it is accessed from a quota-restricted site, an applet that runs within the browser can continue running beyond the configured quota session time.

This is because such applets are downloaded completely to a client machine and run just like applications, without communicating back to the original host server. If the user clicks the browser’s Refresh button, however, Filtering Service sees the communication, then blocks the request according to applicable quota restrictions.
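
The quota lookup order and the two quota timers described in this section, sketched as an added Python example (not Websense code). All class and function names are hypothetical, and two behaviors are assumptions the text above does not spell out: the Use more restrictive blocking setting is modeled as choosing the smallest group allocation, and each quota session is charged in full against the daily allocation when it starts.

```python
from dataclasses import dataclass, field

DEFAULT_SESSION_MIN = 10  # default quota session length stated in this section
DEFAULT_DAILY_MIN = 60    # default daily quota allocation stated in this section


@dataclass
class QuotaConfig:
    """Hypothetical container for configured daily quota minutes."""
    users: dict = field(default_factory=dict)    # user name -> minutes
    clients: dict = field(default_factory=dict)  # computer/network client -> minutes
    groups: dict = field(default_factory=dict)   # group name -> minutes
    use_more_restrictive: bool = False
    default_daily: int = DEFAULT_DAILY_MIN


def resolve_daily_quota(cfg, user, client, groups):
    """Walk the priority list: user, computer/network client, groups, default."""
    if user in cfg.users:
        return cfg.users[user], "user"
    if client in cfg.clients:
        return cfg.clients[client], "client"
    configured = [cfg.groups[g] for g in groups if g in cfg.groups]
    if configured:
        # Assumption: "more restrictive" means the smallest allocation wins,
        # otherwise the largest one does.
        pick = min if cfg.use_more_restrictive else max
        return pick(configured), "group"
    return cfg.default_daily, "default"


class QuotaTracker:
    """Per-client state: remaining daily allocation and the current session."""

    def __init__(self, daily_minutes, session_minutes=DEFAULT_SESSION_MIN):
        self.remaining = daily_minutes
        self.session_minutes = session_minutes
        self.session_end = None  # minutes since midnight, None if no session yet

    def request(self, now):
        """Classify a request for a quota-category site at time `now`."""
        if self.session_end is not None and now < self.session_end:
            return "permit"            # inside an active quota session
        if self.remaining <= 0:
            return "quota exhausted"   # must wait until the next day
        return "quota block page"      # user may click Use Quota Time

    def use_quota_time(self, now):
        """Start a session; returns False when no daily allocation is left."""
        if self.remaining <= 0:
            return False
        # Assumption: the whole session is charged up front.
        granted = min(self.session_minutes, self.remaining)
        self.remaining -= granted
        self.session_end = now + granted
        return True


def simulate():
    """Constructed scenario: a user in two groups with different allocations."""
    cfg = QuotaConfig(groups={"Sales": 30, "Contractors": 90},
                      use_more_restrictive=True)
    minutes, source = resolve_daily_quota(
        cfg, "jdoe", "10.0.0.5", ["Sales", "Contractors"])
    tracker = QuotaTracker(minutes)
    trace = []
    for now in (0, 5, 10, 20, 25, 30):  # minutes since midnight
        outcome = tracker.request(now)
        if outcome == "quota block page":
            tracker.use_quota_time(now)  # the user accepts the quota prompt
        trace.append((now, outcome))
    return source, minutes, trace


if __name__ == "__main__":
    print(simulate())
```

With a 30-minute allocation and 10-minute sessions, the simulated user sees three quota block pages and is refused at the fourth, which is the behavior to expect when a restrictive group allocation overrides a more generous one.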

Search filtering

Search filtering is a feature offered by some search engines that helps to limit the number of inappropriate search results displayed to users.

Ordinarily, Internet search engine results may include thumbnail images associated with sites matching the search criteria. If those thumbnails are associated with blocked sites, Websense Web Security solutions prevent users from accessing the full site, but do not prevent the search engine from displaying the image.

When you enable search filtering, a search engine feature stops thumbnail images associated with blocked sites from being displayed in search results. Enabling search filtering affects both local and remote filtering clients.

Websense, Inc., maintains a database of search engines with search filtering capabilities. When a search engine is added to or removed from the database, an alert is generated (see Alerting, page 401).

Search filtering is activated via the Settings > General > Filtering page. See Configuring filtering settings, page 69, for more information.

Working with filters

Related topics:

Managing access to categories and protocols, page 50

Internet Access Policies, page 91

Creating a category filter, page 62

Creating a protocol filter, page 65

Creating a limited access filter, page 263

Use the Policy Management > Filters page to view, create, and modify category, protocol, and limited access filters.

The Filters page is divided into 3 main sections:

Category Filters determine which categories to block and permit.

Protocol Filters determine which non-HTTP protocols to block and permit.

Network Agent must be installed to enable full protocol-based policy enforcement.

With Websense Web Security Gateway, it is possible to filter non-HTTP protocols that tunnel over HTTP ports without using Network Agent. See Tunneled protocol detection, page 194, for more information.

In Websense Web Security Gateway Anywhere environments, the hybrid service does not provide protocol-based policy enforcement.

Limited Access Filters define a restrictive list of permitted websites (see Restricting users to a defined list of URLs, page 261).

Category, protocol, and limited access filters form the building blocks of policies.

Each policy is made up of at least one category or limited access filter, and one protocol filter, applied to selected clients on a specific schedule.

To review or edit an existing category, protocol, or limited access filter, click the filter name. For more information, see:

Editing a category filter, page 63

Editing a protocol filter, page 65

Editing a limited access filter, page 264

To create a new category, protocol, or limited access filter, click Add. For more information, see:

Creating a category filter, page 62

Creating a protocol filter, page 65

Creating a limited access filter, page 263

To duplicate an existing filter, mark the check box next to the filter name, and then click Copy. The copy is given the name of the original filter with a number appended for uniqueness, and then added to the list of filters. Edit the copy just as you would any other filter.

If you have created delegated administration roles (see Delegated Administration and Reporting, page 339), Super Administrators can copy filters that they have created to other roles for use by delegated administrators.

To copy filters to another role, first mark the check box next to the filter name, and then click Copy to Role. See Copying filters and policies to roles, page 266, for more information.

Creating a category filter

Related topics:

Working with filters, page 61

Editing a category filter, page 63

When a category or protocol is blocked, page 52

Use the Policy Management > Filters > Add Category Filter page to create a new category filter. You can work from a predefined template, or make a copy of an existing category filter to use as the basis for the new filter.

1. Enter a unique Filter name. The name must be between 1 and 50 characters long, and cannot include any of the following characters:

* < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

Filter names can include spaces, dashes, and apostrophes.

2. Enter a short Description of the filter. This description appears next to the filter name in the Category Filters section of the Filters page, and should explain the filter’s purpose.

The character restrictions that apply to filter names also apply to descriptions, with 2 exceptions: descriptions can include periods (.) and commas (,).

3. Select an entry from the drop-down list to determine whether to use a template or make a copy of an existing filter. For more information about templates, see Category and protocol filter templates, page 68.

4. To see and edit the new filter, click OK. The filter is added to the Category Filters list on the Filters page.

To customize the filter, click the filter name, and then continue with Editing a category filter.

Editing a category filter

Related topics:

Managing access to categories and protocols, page 50

Actions, page 58

Using quota time to limit Internet access, page 59

Working with filters, page 61

Working with categories, page 268

Use the Policy Management > Filters > Edit Category Filter page to make changes to existing category filters.

Important

When you edit a category filter, the changes affect every policy that enforces the filter.

Policies that enforce a category filter with the same name in another delegated administration role are not affected.

The filter name and description appear at the top of the page.

Click Rename to change the filter name.

Simply type in the Description field to change the filter description.

The number next to Policies using this filter shows how many policies currently use the selected filter. If the category filter is active, click View Policies for a list of policies that enforce the filter.

The bottom portion of the page shows a list of categories and the actions currently applied to each.

1. Select an entry in the Categories list to view category information or to change the action associated with the selected category.

2. Before making changes to the action applied to a category, use the details section (to the right of the Categories list) to review any special attributes associated with the category.

To list recategorized URLs assigned to the category, if any, click See custom URLs in this category. See Reclassifying specific URLs, page 274.

To list keywords assigned to the category, click See keywords in this category. See Keyword-based policy enforcement, page 272.

To list regular expressions used to define custom URLs or keywords for the category, click See regular expressions in this category.

3. Use the buttons to the right of the category list to change the action applied to the selected category. For more information about the available actions, see Actions, page 58.

Delegated administrators cannot change the action assigned to categories that have been locked by a Super Administrator.

4. Use the check boxes to the right of the Categories list to apply advanced actions to the selected category:

To change the way that keywords are used for assigning requests to the selected category, mark or clear Block keywords. See Keyword-based policy enforcement, page 272.

To determine whether users can access certain types of files from sites in the selected category, mark or clear Block file types. See Managing traffic based on file type, page 287.

If you have chosen to block file types, select one or more file types to block.

To apply the selected file type settings to all permitted categories in the filter, click Apply to All Categories.

Warning

With Websense Web Security Gateway and Gateway Anywhere, applying file type blocking to all categories may have a serious performance impact.

All files with an extension that does not match the blocked type are scanned to find their true file type, including text files, like HTML and CSS files.

To specify whether access to sites in the category is limited based on certain bandwidth thresholds, mark or clear Block with Bandwidth Optimizer. See Using Bandwidth Optimizer to manage bandwidth, page 284.

If you have chosen to block based on bandwidth, specify which threshold limits to use.

To apply the selected bandwidth settings to all permitted categories in the filter, click Apply to All Categories.

5. Repeat steps 1 through 3 to make changes to the actions applied to other categories.

6. After editing the filter, click OK to cache your changes and return to the Filters page. Changes are not implemented until you click Save and Deploy.

To activate a new category filter, add it to a policy and assign the policy to clients. See Internet Access Policies, page 91.

Creating a protocol filter

Related topics:

Managing access to categories and protocols, page 50

Actions, page 58

Editing a protocol filter, page 65

Working with protocols, page 278

When a category or protocol is blocked, page 52

Use the Policy Management > Filters > Add Protocol Filter page to define a new protocol filter. You can work from a predefined template or make a copy of an existing protocol filter to use as the basis for the new filter.

1. Enter a unique Filter name. The name must be between 1 and 50 characters long, and cannot include any of the following characters:

* < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

Filter names can include spaces, dashes, and apostrophes.

2. Enter a short Description of the filter. This description appears next to the filter name in the Protocol Filters section of the Filters page, and should explain the filter’s purpose.

The character restrictions that apply to filter names also apply to descriptions, with 2 exceptions: descriptions can include periods (.) and commas (,).

3. Select an entry from the drop-down list to determine whether to use a template (see Category and protocol filter templates, page 68) or make a copy of an existing filter as a basis for the new filter.

4. To see and edit the new filter, click OK. The filter is added to the Protocol Filters list on the Filters page.

To finish customizing the new filter, continue with Editing a protocol filter.

Editing a protocol filter

Related topics:

Managing access to categories and protocols, page 50

Creating a protocol filter, page 65

Actions, page 58

Working with protocols, page 278

Using Bandwidth Optimizer to manage bandwidth, page 284

Use the Policy Management > Filters > Edit Protocol Filter page to make changes to existing protocol filters.

Important

Changes that you make here affect all policies that enforce this filter.

Policies that enforce a protocol filter with the same name in another delegated administration role are not affected.

The filter name and description appear at the top of the page.

Click Rename to change the filter name.

Simply type in the Description field to change the filter description.

The number next to Policies using this filter shows how many policies currently use the selected filter. If the protocol filter is active, click View Policies for a list of policies that enforce the filter.

The bottom portion of the page shows a list of protocols and the actions currently applied to each.

To change the way that protocols are filtered and logged:

1. Select a protocol in the Protocols list. Advanced actions for the selected protocol appear to the right of the list.

2. Use the Permit and Block buttons at the bottom of the Protocols list to change the action applied to the selected protocol.

Note

Websense software can block TCP-based protocol requests, but not UDP-based protocol requests.

Some applications use both TCP- and UDP-based messages. If an application’s original network request is made via TCP, and then subsequent data is sent using UDP, Websense software blocks the initial TCP request and thus blocks subsequent UDP traffic.

UDP requests may be logged as blocked, even when they are permitted.

To apply the same action to the other protocols in the selected protocol group, click Apply to Group.

3. If you want information about use of the selected protocol available for alerting or reporting, mark the Log protocol data check box.

4. To impose bandwidth limits on the use of this protocol, click Block with Bandwidth Optimizer, and then supply the bandwidth thresholds to use. See Using Bandwidth Optimizer to manage bandwidth, page 284, for more information.

5. After editing the filter, click OK to cache your changes and return to the Filters page. Changes are not implemented until you click Save and Deploy.

To activate a new protocol filter, add it to a policy and apply the policy to clients (see Internet Access Policies, page 91).

Note

You can create policies that start enforcing a protocol filter at a specific time. If users initiate a protocol session before that filter goes into effect, they can continue to access the protocol, even if the filter blocks it, for as long as the session continues. Once a user terminates the session, additional requests for the protocol are blocked.

Websense-defined category and protocol filters

Websense Web Security solutions include several sample category and protocol filters.

You can use these filters as they are, or modify them. If you do not need the predefined filters, many of them can also be deleted.

The predefined category filters are:

Basic

Basic Security

Block All

Default

Monitor Only

Permit All

Strict Security

The Block All and Permit All category filters are not listed on the Filters page, though they can be added to policies. These filters are handled differently than the others, and cannot be deleted or edited. When Filtering Service receives an Internet request, it first checks to see if the Block All or Permit All filter applies, before performing any additional checks (see Responding to a URL request, page 100).

The predefined protocol filters are:

Basic Security

Default

Monitor Only

Permit All

The Permit All protocol filter, like its equivalent category filter, is not listed on the Filters page and cannot be edited or deleted. It is also prioritized during the policy enforcement process.

The Default category and protocol filters can be edited, but cannot be deleted. In upgrade environments, if there are gaps in the Default policy, the Default filters are used to filter requests during periods when no other filter applies.

Category and protocol filter templates

When you create a new category or protocol filter, you can begin by making a copy of an existing filter on the Filters page, selecting an existing filter as a model on the Add Filter page, or using a filter template.

Websense Web Security solutions include 5 category filter templates:

Monitor Only and Permit All permit all categories.

Block All blocks all categories.

Basic blocks the most frequently blocked categories and permits the rest.

Default applies the Block, Permit, Continue, and Quota actions to categories.

Strict Security extends the Default template by blocking 2 additional security categories, and adding file-type blocking for executables to a third category.

Basic Security blocks only the default categories in the Security Risk class (see Risk classes, page 55).

Websense Web Security solutions also include 3 protocol filter templates:

Monitor Only and Permit All permit all protocols.

Basic Security blocks the P2P File Sharing and Proxy Avoidance protocols, as well as Instant Messaging File Attachments (if subscribed) and Malicious Traffic (Websense Web Security).

Default blocks the Instant Messaging / Chat protocols, as well as the P2P File Sharing, Proxy Avoidance, Instant Messaging File Attachments (if subscribed), and Malicious Traffic (Websense Web Security).

Although you can modify or delete most Websense-defined category and protocol filters, you cannot edit or remove templates. Likewise, although you can create as many custom filters as necessary, you cannot create new templates.

Because templates cannot be modified, they provide a constant method of referring back to the original actions applied by Websense-defined filters. For example, the Default category and protocol filter templates apply the same actions as the original Default category and protocol filters. This means that you can always restore the original Websense policy configuration by creating filters that use the template defaults.

For instructions on using a template to create a new filter, see Creating a category filter, page 62, or Creating a protocol filter, page 65.

Configuring filtering settings

Related Topics:

Managing access to categories and protocols, page 50

Block Pages, page 117

Password override, page 87

Account override, page 88

Using Bandwidth Optimizer to manage bandwidth, page 284

Keyword-based policy enforcement, page 272

Use the Settings > General > Filtering page to establish basic settings for how Internet requests are handled.

Use the General Filtering section to determine how policies are applied to users when multiple group policies could apply; specify keyword search options; and set password override, account override, continue, and quota session behavior.

1. To determine how user requests are handled when multiple group policies apply, mark or clear Use most restrictive group policy (see Enforcement order, page 97).

When the option is selected, the policy that applies the most restrictive action is used. In other words, if one applicable group policy blocks access to a category and another permits access, the user’s request for a site in that category is blocked.

When the option is not selected, the most permissive setting is used.

2. Select one of the following Keyword search options (see Keyword-based policy enforcement, page 272).

CGI only: Blocks sites when keywords appear in CGI query strings (after the “?” in a Web address). Filtering Service does not search for keywords before the “?” when this is selected.
Example: search.yahoo.com/search?p=test

URL only: Blocks sites when keywords appear in the URL. If the requested address contains a CGI query string, Filtering Service searches for keywords up to the “?”.

URL and CGI: Blocks sites when keywords appear anywhere in the address. If a CGI query string is present, Filtering Service searches for keywords both before and after the “?”.

Disable keyword blocking: Use with caution. Disable keyword blocking turns off all keyword blocking, even if Block keywords is selected in a category filter.

3. In the Password override timeout field, enter the maximum number of seconds (up to 3600, default 60) that a user can access sites in all categories after selecting password override (see Password override, page 87).

4. In the Continue timeout field, enter the maximum time in seconds (up to 3600, default 60) that a user who clicks Continue can access sites in categories governed by the Confirm action (see Actions, page 58).

5. In the Account override timeout field, enter the maximum time in minutes (up to 3600, default 5) that a user is filtered by the policy assigned to the override account (see Account override, page 88).

6. In the Quota session length field, enter the interval (up to 60 minutes, default 10) during which users can visit sites in quota-limited categories (see Using quota time to limit Internet access, page 59).

A session begins when the user clicks the Use Quota Time button.

7. Enter the Default quota time per day (up to 240 minutes, default 60) for all users.

To change the quota time for individual users, go to the Policies > Clients page.

As you make changes to the quota session length and the default quota time per day, the Default quota sessions per day is calculated and displayed.
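
The Keyword search options in step 2 differ only in which side of the “?” is searched, so the same keyword list blocks different requests under each option. The model below is an added example, not Websense code: the function names, the case-insensitive substring match with no URL decoding, and every address except the manual's search.yahoo.com example are assumptions or constructed samples.

```python
"""Model of the Keyword search options (added example, not Websense code).

Assumptions: keyword matching is a case-insensitive substring test on the
address exactly as requested (no URL decoding), and an address is blocked
when at least one keyword is found in the searched part.
"""

MODES = ("CGI only", "URL only", "URL and CGI", "Disable keyword blocking")


def searched_parts(address, mode):
    """Return the parts of the address that the given option searches."""
    # Everything after the first "?" is the CGI query string.
    before, _, query = address.partition("?")
    if mode == "CGI only":
        return [query]
    if mode == "URL only":
        return [before]
    if mode == "URL and CGI":
        return [before, query]
    if mode == "Disable keyword blocking":
        return []
    raise ValueError(f"unknown keyword search option: {mode!r}")


def matched_keywords(address, keywords, mode):
    """Return the keywords found in the parts searched under this option."""
    parts = [p.lower() for p in searched_parts(address, mode)]
    return sorted(k for k in keywords if any(k.lower() in p for p in parts))


def blocked_by_mode(addresses, keywords):
    """Map each option to the addresses it would block for these keywords."""
    return {
        mode: [a for a in addresses if matched_keywords(a, keywords, mode)]
        for mode in MODES
    }


# Sample input: the first address is the manual's example; the other two
# addresses and the keyword list are constructed for illustration.
ADDRESSES = [
    "search.yahoo.com/search?p=test",
    "example.com/test/index.html",
    "example.com/login?next=/home",
]
KEYWORDS = ["test"]

if __name__ == "__main__":
    for mode, hits in blocked_by_mode(ADDRESSES, KEYWORDS).items():
        print(f"{mode:26} {hits}")
```

Run against your own keyword list and a sample of logged addresses, this shows which requests stop being blocked when the option is narrowed from URL and CGI to one side of the “?”.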

Under State Server, provide IPv4 address or hostname and Port information if:

Your environment includes multiple Websense Filtering Service instances, and

You use the Quota or Confirm actions, password override, or account override.

State Server tracks clients’ quota, confirm, password override, and account override sessions to ensure that session time is allocated correctly across multiple Filtering Service instances (see Policy Server, Filtering Service, and State Server, page 391).

After entering State Server connection details, click Check Status to verify the connection. Configure State Server connection information for each Policy Server instance in your deployment.

Under Bandwidth Optimizer, enter the information needed to filter Internet usage based on available bandwidth. For more information about enforcing bandwidth-based Internet access, see Using Bandwidth Optimizer to manage bandwidth, page 284.

Note

In Websense Web Security Gateway Anywhere environments, no bandwidth-based restrictions are enforced on requests passing through the hybrid service.

1. To specify an Internet connection speed, do one of the following:

Select a standard speed from the drop-down list.

Enter the network speed in kilobits per second in the text field.

2. Enter the default thresholds to use when bandwidth-based actions are enforced. Note that when the thresholds are set, but no category or protocol filters include bandwidth-based actions, no bandwidth usage restriction occurs.

Network: When total network traffic reaches this percentage of total available bandwidth, start limiting access based on bandwidth, as configured in active filters.

Protocol: When traffic for a specific protocol (like HTTP or MSN Messenger) reaches this percentage of total available bandwidth, start restricting access to that protocol, as configured in active filters.

3. (Websense Web Security Gateway) Content Gateway can collect information about bandwidth consumed by HTTP traffic and protocols that tunnel over HTTP for use in reporting. To enable this option, mark Include bandwidth data collected by Websense Content Gateway.

Use the Block Messages section to enter the URL or path to the alternative HTML block page you created for the top frame of browser-based block messages (see Creating alternate block messages, page 126), or to configure Websense Web Security Gateway Anywhere to include a link to ACEInsight on block pages.

Separate pages can be used for the different protocols: FTP, HTTP (including HTTPS), and Gopher.

Leave these fields blank to use the default block message.

If you have created custom block pages, and want to use those block pages for all protocols, you can also leave the fields in this section blank (see Customizing the block message, page 122).

In Websense Web Security Gateway Anywhere environments:

Custom block messages specified in the fields above are not applied to requests handled by the hybrid service.

Instead, use the Settings > Hybrid Configuration > User Access page to customize the hybrid block page (see Customizing hybrid block pages, page 227).

When a user clicks the ACEInsight link, the URL the user attempted to access is sent to ACEInsight and a web page is displayed showing ACEInsight analysis.

The URL sent to ACEInsight is truncated, to omit the CGI string (which could include a user name or password). As a result, ACEInsight does not analyze password-protected content, and may return different results than Content Gateway.

The ACEInsight link does not appear on hybrid block pages.

Under Search Filtering, select Enable search filtering to activate a setting built into certain search engines so thumbnail images and other explicit content associated with blocked sites are not displayed in search results (see Search filtering, page 60).

The search engines for which this feature is supported are displayed below the check box.

When you have finished configuring settings on this page, click OK to cache the changes. Changes are not implemented until you click Save and Deploy.

4

Clients

You can customize how your Websense Web Security solution manages requests from specific users or machines by adding them as clients in the Web Security manager.

Clients can be:

Computers: Individual machines in your network, defined by IP address.

Networks: Groups of machines, defined collectively as an IP address range.

Directory clients: User, group, or domain (OU) accounts in a supported directory service.

Note

In Websense Web Security Gateway Anywhere deployments, the hybrid service can apply policies to users or groups, and to filtered locations, but not to individual clients or networks. See Working with hybrid service clients, page 90.

Initially, all client requests are managed by the Default policy (see The Default policy, page 92). Once you add a client to the Clients page in the Web Security manager, you can assign that client a specific policy.

When multiple policies could apply, such as when one policy is assigned to the user and another is assigned to the machine, by default, Websense Filtering Service uses the following enforcement order:

1. Apply the policy assigned to the user making the request. If that policy has no filters scheduled at the time of the request, use the next applicable policy.

2. If there is no user-specific policy, or the policy has no active filters at the time of the request, look for a policy assigned to the computer (first) or network (second) from which the request was made.

3. If there is no computer or network-specific policy, or the policy has no active filters at the time of the request, look for a policy assigned to any group to which the user belongs. If the user belongs to multiple groups, Websense Filtering Service considers all group policies that apply (see Enforcement order, page 97).

4. If there is no group policy, look for a policy assigned to the user’s domain (OU).

5. If no applicable policy is found, or the policy does not enforce a category filter at the time of the request, enforce the Default policy for the role to which the client has been assigned.

For more detailed information about how Filtering Service processes requests, see Responding to a URL request, page 100.

For information about configuring Filtering Service to prioritize group and domain policies over IP address-based (computer and network) policies, see Prioritizing group and domain policies, page 98.

For information about how the hybrid service applies policies to clients, see Enforcement order, page 97.
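
The default enforcement order listed above, together with the Use most restrictive group policy setting, modelled as an added example (not Websense code). Policy, CLIENTS, resolve() and applied() are hypothetical names, each policy is reduced to a single block or permit action for the requested category, and the sample clients are constructed around the manual's example addresses.

```python
"""Model of the default on-premises enforcement order (added example).

Assumptions (not Websense code): the Policy class, the layout of CLIENTS, and
reducing each policy to a single action, "block" or "permit", for the
requested category. active=False means the policy has no filter scheduled at
the time of the request.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Policy:
    name: str
    action: str          # "block" or "permit" for the requested category
    active: bool = True  # False: no filter scheduled at request time


def _usable(policy):
    return policy is not None and policy.active


def _in_range(ip, first, last):
    lo, hi = ip_address(first), ip_address(last)
    # IPv4 and IPv6 addresses cannot be ordered against each other.
    return ip.version == lo.version == hi.version and lo <= ip <= hi


def resolve(user, groups, domain, source_ip, clients, default,
            most_restrictive=True):
    """Return the Policy applied to one request."""
    ip = ip_address(source_ip)

    # 1. Policy assigned to the user making the request.
    policy = clients["users"].get(user)
    if _usable(policy):
        return policy

    # 2. Policy assigned to the computer (first) or network (second).
    for addr, policy in clients["computers"].items():
        if ip_address(addr) == ip and _usable(policy):
            return policy
    for (first, last), policy in clients["networks"].items():
        if _in_range(ip, first, last) and _usable(policy):
            return policy

    # 3. Group policies: all that apply are considered, and the
    #    "Use most restrictive group policy" setting decides between a
    #    blocking and a permitting policy.
    candidates = [clients["groups"][g] for g in groups if g in clients["groups"]]
    candidates = [p for p in candidates if _usable(p)]
    if candidates:
        preferred = "block" if most_restrictive else "permit"
        return next((p for p in candidates if p.action == preferred),
                    candidates[0])

    # 4. Policy assigned to the user's domain (OU).
    policy = clients["domains"].get(domain)
    if _usable(policy):
        return policy

    # 5. Nothing applicable: enforce the Default policy.
    return default


# Constructed sample clients; the addresses reuse the manual's examples.
CLIENTS = {
    "users": {"jdoe": Policy("Engineering", "permit"),
              "nightop": Policy("Night Shift", "permit", active=False)},
    "computers": {"10.201.3.1": Policy("Kiosk", "block"),
                  "fd3a:918a:71a1:bcaa::0011": Policy("Kiosk v6", "block")},
    "networks": {("10.201.3.2", "10.201.3.44"): Policy("Lab", "permit")},
    "groups": {"Staff": Policy("Staff", "permit"),
               "Interns": Policy("Interns", "block")},
    "domains": {"ou=Sales": Policy("Sales OU", "block")},
}
DEFAULT = Policy("Default", "permit")


def applied(user, groups, domain, source_ip, most_restrictive=True):
    """Name of the policy that governs a request from the sample clients."""
    return resolve(user, groups, domain, source_ip, CLIENTS, DEFAULT,
                   most_restrictive).name


if __name__ == "__main__":
    print(applied("guest", ["Staff", "Interns"], "ou=Sales", "10.9.9.9"))
```

The model makes one consequence of the order easy to see: a computer or network policy is reached before any group policy, so group membership has no effect on a request from an address that has its own active policy.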

Working with clients

Related topics:

Clients, page 73

Working with computers and networks, page 75

Working with users and groups, page 76

Adding a client, page 84

Changing client settings, page 86

Use the Policy Management > Clients page to view information about existing clients, add, edit, or delete clients, or move clients to a delegated administration role.

If you are a delegated administrator, add clients to the Clients page from your managed clients list. This allows you to apply policies to the clients. See Adding a client, page 84, for instructions.

Clients are divided into 3 groups:

Directory, which includes users, groups, and domains (OUs) from your directory service (see Working with users and groups, page 76).

Networks, IPv4 or IPv6 address ranges within the filtered network that can be governed by a single policy (see Working with computers and networks, page 75).

Computers, individual machines in the filtered network, identified by IPv4 or IPv6 address (see Working with computers and networks, page 75).

Click the plus sign (+) next to the client type to see a list of existing clients of the selected type. Each client listing includes:

The client name, IP address, or IP address range.

The policy currently assigned to the client. The Default policy is used until you assign another policy (see Internet Access Policies, page 91).

Whether or not the client can use a password override (see Password override, page 87) or account override (see Account override, page 88) option to view or attempt to view blocked sites.

Whether the client has a custom amount of quota time allotted (see Using quota time to limit Internet access, page 59).

To find a specific client, browse the appropriate node in the tree.

To edit client policy, password override, quota time, and authentication settings, select one or more clients in the list, and then click Edit. See Changing client settings, page 86, for more information.

To add a client, or to apply a policy to a managed client who does not currently appear on the Clients page, click Add, and then go to Adding a client, page 84, for more information.

If you have created delegated administration roles (see Delegated Administration and Reporting, page 339), Super Administrators can move their clients to other roles. First mark the check box next to the client entry, and then click Move to Role. When a client is moved to a delegated administration role, the policy and filters applied to the client are copied to the role. See Moving clients to roles, page 89, for more information.

If you have configured Websense User Service to communicate with an LDAP-based directory service, the Manage Custom LDAP Groups button appears in the toolbar at the top of the page. Click this button to add or edit groups based on an LDAP attribute (see Working with custom LDAP groups, page 83).

To remove a client from the Clients page, select the client and click Delete.

Working with computers and networks

Related topics:

Working with clients, page 74

Working with users and groups, page 76

Adding a client, page 84

Assigning a policy to clients, page 97

In the Web Security manager, a computer is the IP address (for example, 10.201.3.1 or fd3a:918a:71a1:bcaa::0011) associated with a filtered machine. A network is the IP address range (for example, 10.201.3.2 - 10.201.3.44 or fd3a:918a:71a1:bcaa::1111 - fd3a:918a:71a1:bcaa::1211) that corresponds to a group of filtered machines.

In Websense Web Security Gateway Anywhere deployments, the hybrid service does not apply policies to individual computer and network clients. See Working with hybrid service clients, page 90, for information about applying policies to filtered locations.

Before applying policies to IPv6 computer and network clients, disable temporary IPv6 addresses on the affected machines. See support.websense.com for details.

You can assign policies to computer and network clients just as you would to user, group, or domain clients.

Assign a policy to a computer, for example, that does not require users to log on, or that can be accessed by users with guest accounts.

Assign a policy to a network to apply the same policy to several machines at once.

When you assign a policy to a computer or network, that policy is enforced regardless of who is logged on to the filtered machine, unless you have assigned a policy to the logged-on user. When on-premises Web Security components are used, the computer or network policy takes precedence over any group policies that may apply to the user.

(In Websense Web Security Gateway Anywhere deployments, the hybrid service applies the group policy before applying a computer or network policy. See Working with hybrid service clients, page 90.)

Working with users and groups

Related topics:

Working with clients, page 74

Directory services, page 77

Working with custom LDAP groups, page 83

Working with computers and networks, page 75

Adding a client, page 84

Assigning a policy to clients, page 97

In order to apply policies to individual users and groups in your network, configure Websense User Service to access your directory service to obtain directory object (user, group, and domain [OU]) information.

User Service can communicate with Windows Active Directory in mixed or native mode, and with Novell eDirectory or Oracle (formerly Sun Java) Directory Server Enterprise Edition accessed via Lightweight Directory Access Protocol (LDAP).

When you use an LDAP-based directory service, duplicate user names are not supported. Ensure that the same user name does not appear in multiple domains.

If you are using Active Directory or Oracle Directory Server, user names with blank passwords are not supported. Assign passwords to all users.

User Service conveys information from the directory service to Filtering Service for use in applying policies. As a best practice, install User Service on a Windows machine (though it can reside on Linux).

To configure directory service communication, see Directory services.

Directory services

A directory service is a tool that stores information about a network’s users and resources. Before you can add user clients (users, groups, domains, or organizational units) in the Web Security manager, you must configure Websense User Service to retrieve information from your directory service.

Use the Settings > General > Directory Services page to identify the directory service used in your network. You can configure settings for only one type of directory service per Policy Server.

Note

In Websense Web Security Gateway Anywhere deployments, information from the Directory Services page is also used to populate the Hybrid Configuration > Shared User Data page. This allows the hybrid service to apply user and group-based policies. See Send user and group data to the hybrid service, page 231.

First select a directory service from the Directories list. The selection that you make determines which settings appear on the page.

See the appropriate section for configuration instructions:

Windows Active Directory (Mixed Mode), page 78

Windows Active Directory (Native Mode), page 79

Novell eDirectory and Oracle (Sun Java) Directory Server, page 80

Warning

In Websense Web Security Gateway Anywhere deployments, the hybrid service supports Windows Active Directory (Native Mode), Oracle Directory Server, and Novell eDirectory.

Once configuration is complete, User Service communicates with the directory service to enable user and group-based policy enforcement. User Service caches the user and group information that it collects for up to 3 hours. If you make changes to user, group, or OU entries in the directory service, use the Clear Cache button under User Service Cache to force User Service to refresh its user and group mappings immediately. Note that user-based policy enforcement may slow down for a brief period while the cache is being recreated.

If you plan to allow administrators to use their network accounts to log on to the TRITON console, you must also configure directory service communication on the TRITON Settings > User Directory page. The same directory must be used to authenticate all administrative users. See the TRITON Settings Help for details.

Windows Active Directory (Mixed Mode)

If your directory service is Active Directory in mixed mode, typically no further configuration is necessary.

Supply additional information on this screen if Websense User Service resides on a Websense appliance or a Linux server, and either of the following is true:

DC Agent is being used for transparent identification (see DC Agent, page 312)

Logon Agent is being used for transparent identification with Active Directory in native mode.

If this matches your configuration, User Service and DC Agent or Logon Agent must communicate with a Windows Internet Name Server (WINS) to resolve domain names to domain controller IP addresses (see User Service on a Websense appliance or Linux server, page 486).

To enable that communication, use the fields under Windows Active Directory (Mixed Mode) to provide:

1. The account name of an Administrative user that can access the directory service.

2. The Password for the account.

3. Domain information for the account.

4. The IP address or hostname of a WINS server in your network.

Note that:

If you are using DC Agent, you can also perform these steps on the Settings > User Identification > DC Agent page when you are configuring a DC Agent instance. You do not need to perform the configuration in both places.

If you are using Logon Agent, even though you are connecting to the directory in native mode, you must perform these steps on the Windows Active Directory (Mixed Mode) page (including caching and saving your changes). Then, once the WINS connection is configured, you can complete your directory service setup on the Windows Active Directory (Native Mode) page.

If your installation does not use this configuration, the administrative credential fields are disabled.

Windows Active Directory (Native Mode)

Important

If User Service resides on a Websense appliance or Linux server, and you are using Logon Agent to identify users, set up a WINS server connection on the Active Directory (Mixed Mode) page first (and save your changes). Then return to the Windows Active Directory (Native Mode) page and configure your directory service connection.

Windows Active Directory stores user information in one or more global catalogs. The global catalog lets individuals and applications find objects (users, groups, and so on) in an Active Directory domain.

In order for Websense User Service to communicate with Active Directory in Native Mode, you must provide information about the global catalog servers in your network.

1. Click Add, next to the Global catalog servers list. The Add Global Catalog Server page appears.

2. Provide the IPv4 address or hostname of the global catalog server:

If you have multiple global catalog servers configured for failover, enter the DNS domain name.

If your global catalog servers are not configured for failover, enter the IPv4 address or hostname (if name resolution is enabled in your network) of the server to add.

3. Enter the Port that User Service should use to communicate with the global catalog (by default, 3268).

4. Optionally, enter the Root context for User Service to use when associating user and group information with Internet requests. Note that this context is used for policy management, but not for adding clients in the Web Security manager.

If you supply a value, it must be a valid context in your domain.

If you have specified a communications port of 3268 or 3269, you do not need to supply a root context. If there is no root context, User Service begins searching at the top level of the directory service.

If the specified port is 389 or 636, you must provide a root context.

Note

Avoid having the same user name in multiple domains. If User Service finds duplicate account names for a user, the user cannot be identified transparently.

5. Specify which administrative account User Service should use to retrieve user name and path information from the directory service. This account must be able to query and read from the directory service, but does not need to be able to make changes to the directory service, or be a domain administrator.

Select Distinguished name by components or Full distinguished name to specify how you prefer to enter the account information.

If you selected Distinguished name by components, enter the Display name, account Password, Account folder, and DNS domain name for the administrative account. Use the common name (cn) form of the administrative user name, and not the user ID (uid) form.

Note

The Account folder field does not support values with the organizational unit (ou) tag (for example, ou=Finance). If your administrative account name contains an ou tag, enter the full distinguished name for the administrative account.

If you selected Full distinguished name, enter the distinguished name as a single string in the User distinguished name field (for example, cn=Admin, cn=Users, ou=InfoSystems, dc=company, dc=net), and then supply the Password for that account.

6. Click Test Connection to verify that User Service can connect to the directory using the account information provided.

7. Click OK to return to the Directory Services page.

8. Repeat the process above for each global catalog server.

9. Click Advanced Directory Settings, and then go to Advanced directory settings, page 81.

Novell eDirectory and Oracle (Sun Java) Directory Server

To retrieve information from the directory, User Service needs the distinguished name, root context, and password for a user account with administrative privileges.

1. Enter the IPv4 address or hostname of the directory server.

2. Enter the Port number that User Service will use to communicate with the directory. The default is 389.

3. If your directory requires administrator privileges for read-only access, enter the Administrator distinguished name.

4. Enter the Root Context that User Service should use when searching for user information. For example, o=domain.com.

Providing a root context is mandatory for Oracle Directory Server, but optional for Novell eDirectory.

Narrowing the context increases speed and efficiency in retrieving user information.

User Service uses the context when searching for user and group information to aid in policy enforcement. It is not used when clients are added to the Web Security manager.

Note

Avoid having the same user name in multiple domains. If User Service finds duplicate account names for a user, the user cannot be identified transparently.

5. Provide a Password for the administrator account entered above.

6. Click Test Connection to verify that User Service can connect to the directory server using the information provided.

7. Click Advanced Directory Settings, and then go to Advanced directory settings, page 81.

Advanced directory settings

Related topics:

Windows Active Directory (Native Mode), page 79

Novell eDirectory and Oracle (Sun Java) Directory Server, page 80

These settings can be used to define:

How Websense User Service searches the directory service to find user, group, and domain information

Whether User Service uses an encrypted connection to communicate with the directory service

Which character set User Service uses to encode LDAP information

Configure these settings as needed for any LDAP-based directory service.

1. If you use custom object class types (attribute names) in your directory service, mark Use custom filters. The default filter strings are listed below the check box.

2. Edit the existing filter strings, substituting object class types specific to your directory. For example, if your directory uses an object class type such as dept instead of ou, insert a new value in the Domain search filter field.

Attributes are always strings used in searching the directory service contents.

Custom filters provide the functionality described here.

Attribute: Description

User logon ID attribute: Identifies user logon names

First name attribute: Identifies the user’s given name

Last name attribute: Identifies the user’s surname

Group attribute: Identifies the group’s name

MemberOf attribute: Specifies that the user or group is a member of another group. If you are using Novell eDirectory, this corresponds to the groupMembership attribute.

User search filter: Determines how User Service searches for users

Group search filter: Determines how User Service searches for groups

Domain search filter: Determines how User Service searches for domains and organizational units

User’s group search filter: Determines how User Service associates users with groups

3. To secure communications between User Service and your directory service, check Use SSL.

4. To determine which character set User Service uses to encode LDAP information, select UTF-8 or MBCS.

MBCS, or multibyte character set, is commonly used for encoding East Asian languages such as Chinese, Japanese, and Korean.

5. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Working with custom LDAP groups

Related topics:

Working with users and groups, page 76

Directory services, page 77

Adding or editing a custom LDAP group, page 84

Use the Manage Custom LDAP Groups page to manage custom groups based on attributes defined in your directory service. This option is available only if you have configured User Service to communicate with an LDAP-based directory service.

Important

When you add custom LDAP groups, the group definitions are stored by the active Policy Server, and do not affect other Policy Server instances. To add custom LDAP groups to multiple Policy Servers, connect to each Policy Server in turn and enter the information.

If you add custom LDAP groups, and then either change directory services or change the location of the directory server, the existing groups become invalid. You must add the groups again, and then define each as a client.

To add a group, click Add (see Adding or editing a custom LDAP group, page 84).

To change an entry in the list, click on its group name (see Adding or editing a custom LDAP group).

To remove an entry, first select it, and then click Delete.

When you are finished making changes to custom LDAP groups, click OK to cache the changes and return to the previous page. Changes are not implemented until you click Save and Deploy.

Adding or editing a custom LDAP group

Web Security Help | Web Security Solutions | Version 7.8.x

Use the Add Custom LDAP Group page to define a group based on any attribute you have defined in your directory service. Use the Edit Custom LDAP Group page to make changes to an existing definition.

Important

If you add custom LDAP groups, and then either change directory services or change the location of the directory server, the existing groups become invalid. You must add the groups again, and then define each as a client.

1. Enter or change the Group name. Use a descriptive name that clearly indicates the purpose of the LDAP group.

Group names are case-insensitive, and must be unique.

2. Enter or change the description that defines this group in your directory service.

For example:

(WorkStatus=parttime)

In this example, WorkStatus is a user attribute that indicates employment status, and parttime is a value indicating that the user is a part-time employee.

3. Click OK to return to the Manage Custom LDAP Groups page. The new or revised entry appears in the list.

4. Add or edit another entry, or click OK to cache changes and return to the previous page. Changes are not implemented until you click Save and Deploy.

Adding a client

Related topics:

Working with clients, page 74

Working with computers and networks, page 75

Working with users and groups, page 76

Searching the directory service, page 85

Changing client settings, page 86

Use this page to add user, group, computer, and network clients to:

Your Clients page, so that you can assign them a policy (Clients > Add Clients)

A policy exception that blocks or permits specific URLs (Exceptions > Add Other Clients to Exception)

If you are logged on to a delegated administration role, you can only add clients that appear in your managed clients list to the Clients page or exception.

In policy management and reporting roles, the process of adding managed clients to the Clients page requires assigning them a policy. (Investigative reporting roles do not have this requirement.)

1. Identify one or more clients:

To add a user, group, or domain (OU) client, browse the Directory tree to find entries in your directory service. If you are using an LDAP-based directory service, you can also click Search to enable a directory search tool (see Searching the directory service, page 85).

To add a computer or network client, enter an IP address or IP address range in either IPv4 or IPv6 format.

No two network definitions can overlap, but a network client can include an IP address identified separately as a computer client. In the case of such an overlap, the policy assigned to the computer takes precedence over the policy assigned to the network.

2. Click an arrow button (>) to add each client to the Selected Clients list.

To remove an entry from the Selected Clients list, select the client, and then click Remove.

3. If you are adding clients to the Clients page, select a Policy to assign to all clients in the Selected Clients list.

4. When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

The clients you selected are displayed either on the Clients page or in your exception.

After adding clients to the Clients page, you can select one or more client entries and click Edit to change policy assignments and other client configuration settings. See Changing client settings, page 86, for more information.

Searching the directory service


If you have configured Websense User Service to communicate with an LDAP-based directory service, you can use a search function to find the directory clients you want to identify for policy or exception assignment.

To search a directory service to retrieve user, group, and OU information:

1. Click Search.

2. Enter all or part of the user, group, or OU Name.

3. Use the Type list to indicate the type of directory entry (user, group, OU, or all) that you want to find.

In a large directory service, selecting All may cause the search to take a very long time.

4. Use the Search for list to specify how to perform the search:

Select Entries containing search string to find all directory entries that contain the search term you entered.

Select Exact search string only to find only the directory entry that precisely matches the search term.

5. Browse the Search Context tree to specify which portion of the directory to search. A more precise context helps to speed the search.

6. Click Go.

A list of search results is displayed.

7. Select one or more entries in the search results, and then click the right arrow (>) to add each selection as a client or administrator.

Click New Search to enter another set of search criteria.

Click Browse to stop using search and instead navigate through the directory tree to identify users.

8. When you are finished making changes, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Changing client settings


Use the Policy Management > Clients > Edit Client page to change policy and authentication settings for one or more clients. If you select multiple clients before clicking Edit, the configuration changes that you make on the Edit Client page are applied to all of the selected clients.

1. Select a Policy to apply to the selected clients. The Default policy governs clients until another policy is assigned.

2. Under Block Page Override Options, indicate whether this client has the option to override (or attempt to override) a block page to view a requested site.

(Super Administrators only) Mark Enable password override to enable the selected clients to enter a password that you specify to access any blocked site for the time period configured on the Settings > General > Filtering page (60 seconds, by default). See Password override, page 87.

Also enter and confirm the password.

You might enable this option for specific users who sometimes need access to sites not generally permitted by your organization’s acceptable use policy.

To remove a client’s password override privileges, click Off.

Mark Enable account override to enable the selected clients to enter a network logon name and password to attempt to access a blocked site by having a different policy applied to the request. If the request is permitted by the new policy, the user can access the site for the time period configured on the Settings > General > Filtering page (5 minutes, by default). See Account override, page 88.

You might enable this option for shared machines (like kiosk machines) typically governed by an IP-address-based policy that allows users to log on via a guest account. Users then have the option to enter their network credentials on the block page to see if their usual policy permits access to a site blocked on the shared machine.

If the user’s policy also blocks the site, the user receives a second block page.

3. To allocate a custom amount of Quota Time to the selected clients, click Custom, and then enter the number of minutes of quota time to assign.

To revert to the default quota settings, click Default.

4. Click OK to cache your changes and return to the Clients page. Changes are not implemented until you click Save and Deploy.

The new client settings appear as part of the client listing on the Policy Management > Clients page.

Password override


Password override lets clients in the Super Administrator role that have valid passwords access sites in blocked categories. Password override can be granted to individual users, groups, computers, or networks, but not domains [OUs].

When a Super Administrator enables the password override option, he or she also creates a password. When clients with password override privileges request a blocked site, the Websense block page includes a password field. The clients can then enter the password to access blocked sites for a limited amount of time.

This option is not available to delegated administrators, because it would effectively provide a method for overriding the Filter Lock (see Creating a Filter Lock, page 348).

Important

In multiple Filtering Service deployments, Websense State Server is required for correct allocation of password override time. See Policy Server, Filtering Service, and State Server, page 391, for more information.

Configure how long clients with password override privileges can access blocked sites per password entry on the Settings > General > Filtering page (see Configuring filtering settings, page 69).

Grant password override privileges to specific clients via the Policy Management > Clients page (see Adding a client, page 84, or Changing client settings, page 86).

Account override

Account override allows users to change the credentials used to apply a policy to a request.

If, for example, users access the Internet from a kiosk machine, or from a machine where they log on using a local account, rather than a network account, administrators can associate account override permissions with the computer or network (IP-address-based) client.

Account override permissions can also be given to directory clients (users, groups, and domains [OUs]).

When user requests are blocked by the current policy, and account override permissions are assigned to the client being filtered (whether that is an IP address or a directory client), the block page includes an Enter New Credentials button. The user can then provide a user name and password.

Once the user clicks Switch Credentials, Websense Filtering Service identifies the policy assigned to the new account, then applies that policy to the request.

If the new policy permits the request, the user can access the site.

If the new policy blocks the request, the user sees another block page.

In other words, unlike password override, using the account override option does not guarantee access to a blocked site. Instead, it changes the policy used to filter the request.

The new policy is applied to additional requests on that machine for the time period specified on the Settings > General > Filtering page (5 minutes, by default). See Configuring filtering settings, page 69.

Important

In multiple Filtering Service deployments, Websense State Server is required for correct allocation of account override time. See Policy Server, Filtering Service, and State Server, page 391, for more information.


If, after successfully switching credentials, the user wants to leave the machine before the account override period has ended, the override session can be ended manually by entering the following URL:

http://<Filtering_Service_IP_address>:15871/cgi-bin/cancel_useraccount_overrider.cgi

You may want to configure this URL as a browser bookmark on machines where the account override option is used.

Moving clients to roles


Super Administrators can use the Move Client To Role page to move one or more clients to a delegated administration role. Once a client has been moved, that client appears in the Managed Clients list and on the Clients page in the target role.

The policy applied to the client in the Super Administrators role and the filters that it enforces are copied to the delegated administration role.

Delegated administrators can change the policies applied to their managed clients.

Filter Lock restrictions do not affect clients managed by Super Administrators, but do affect managed clients in delegated administration roles.

If a group, domain, or organizational unit is added to a role as a managed client, delegated administrators in that role can assign policies to individual users in the group, domain, or organizational unit.

If a network (IP address range) is added to a role as a managed client, delegated administrators in that role can assign policies to individual computers in that network.

The same client cannot be moved to multiple roles.

To move the selected clients to a delegated administration role:

1. Use the Select role drop-down list to select a destination role.

2. Click OK.

A popup message indicates that the selected clients are being moved. The move process may take a while.

3. Changes are not implemented until you click Save and Deploy.

If delegated administrators in the selected role are logged on with policy access during the move process, they will have to log out of the TRITON console and log on again to see the new clients in their Managed Clients list.

Working with hybrid service clients

In Websense Web Security Gateway Anywhere deployments, the hybrid service can manage Internet requests originating from external IP addresses (locations) that you configure, and for requests from users in unrecognized locations (off-site users, for example) that log on to the hybrid service.

The hybrid service can apply policies (created in the Web Security manager) to:

Users, groups, and domains (OUs) defined in a supported, LDAP-based directory service

This requires that Websense Directory Agent be installed and configured (see Identification of hybrid users, page 328).

Filtered locations, identified on the Hybrid Configuration > Filtered Locations page. A location is identified by the external IP address, IP address range, or subnet of one or more firewall or gateway machines.

The hybrid service does not apply policies to individual client machines in your network.

Directory clients (users, groups, and OUs) managed by the hybrid service are identified on the Policy Management > Clients page, just like those whose requests are managed by on-premises components.

Applying a policy to a filtered location is similar to applying a policy to a computer or network client:

1. Add the location to the Settings > Hybrid Configuration > Filtered Locations page (see Define filtered locations, page 217).

2. Add the IP address or range that appears on the Filtered Locations page as a computer or network client on the Policy Management > Clients page (see Working with computers and networks, page 75).

3. Apply a policy to the IP address or range.

Any time no user, group, or location policy applies, the Default policy is used.

5

Internet Access Policies

Related topics:

Internet Usage Filters, page 49

Clients, page 73

The Default policy, page 92

Working with policies, page 93

Enforcement order, page 97

Policies govern user Internet access. A policy is made up of:

Category filters, used to apply actions (permit, block) to URL categories (see Managing access to categories and protocols, page 50)

Limited access filters, used to permit access to only a restricted list of URLs (see Restricting users to a defined list of URLs, page 261)

Protocol filters, used to apply actions to Internet protocols (see Managing access to categories and protocols, page 50)

A schedule that determines when each category or limited access filter and protocol filter is enforced

A new Websense Web Security installation includes 3 predefined policies:

Default filters Internet access for all clients not governed by another policy. This policy becomes active as soon as you enter a subscription key (see The Default policy, page 92).

Unrestricted provides unlimited access to the Internet. This policy is not applied to any clients by default.

Example - Standard User shows how multiple category and protocol filters can be applied in a policy to provide different degrees of Internet access at different times. This policy is used in the New Admin Quick Start tutorial to demonstrate the process of editing a policy and applying it to clients.

Use any of these policies as is, edit them to suit your organization, or create your own policies.

The Default policy

Related topics:

Internet Access Policies, page 91

Working with policies, page 93

Enforcement order, page 97

After installation, when you enter a valid subscription key, the Default policy begins monitoring Internet activity. Initially, the Default policy permits all requests.

Note

When you upgrade from an earlier Websense software version, existing policy settings are preserved. After upgrading, review your policies to ensure that they are still appropriate.

As you create and apply additional policies, the Default policy continues to govern Internet access for any clients not assigned another policy.

The Default policy must provide coverage (enforce a combination of category or limited access filters and protocol filters) 24 hours a day, 7 days a week.

Important

Those upgrading from an earlier version of Websense software may have a Default policy that does not cover all time periods. You are not required to change your Default policy. If, however, you do edit the policy, you cannot save the changes until all time periods are covered.

Edit the Default policy as needed to suit the needs of your organization. The Default policy cannot be deleted.

Working with policies

Related topics:

Internet Access Policies, page 91

Creating a policy, page 94

Editing a policy, page 95

Internet Usage Filters, page 49

Refine Web Security Policies, page 261

Use the Policy Management > Policies page to review existing policy information.

This page also serves as a launch point for adding, editing, and deleting policies, copying policies to delegated administration roles (Super Administrators only), and printing detailed information about your policy configuration.

The Policies page includes a list of existing policies. The list includes a name and description for each policy, as well as the number of user, network, and computer clients to whom that policy has been assigned.

To add a policy, click Add, and then see Creating a policy, page 94, for more information.

To edit a policy, click the policy name in the list, and then see Editing a policy, page 95, for more information.

To delete a policy, mark the check box next to the policy name, and then click Delete.

To see which clients are filtered by the policy, click a number in the Users, Networks, or Computers column. The client information appears in a popup window.

To print a list of all of your policies and their components, including filters, custom categories and protocols, keywords, custom URLs, and regular expressions, click Print Policies To File. This feature creates a detailed spreadsheet of policy information in Microsoft Excel format. It is intended to provide a convenient way for human resources specialists, managers, and others with supervisory authority to review policy information.

If you have created delegated administration roles (see Delegated Administration and Reporting, page 339), Super Administrators can copy policies that they have created to other roles for use by delegated administrators. The filters enforced by the policy are also copied.

Note

Because delegated administrators are governed by the Filter Lock, when the Permit All filters are copied, the copy is given a new name, and Filter Lock restrictions are applied. Unlike the original filter, the copied filter can be edited.

To copy policies to another role, first mark the check box next to the policy name, and then click Copy to Role. This process may take up to several minutes. See Copying filters and policies to roles, page 266, for more information.

Creating a policy

Related topics:

Internet Access Policies, page 91

Working with policies, page 93

Editing a policy, page 95

Working with filters, page 61

Restricting users to a defined list of URLs, page 261

Use the Policy Management > Policies > Add Policy page to create a new, custom policy.

1. Enter a unique Policy name. The policy name must be between 1 and 50 characters long, and cannot include any of the following characters:

* < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

Policy names can include spaces, dashes, and apostrophes.

2. Enter a Description for the policy. The description should be clear and detailed to help with policy management in the long term.

The character restrictions that apply to policy names also apply to descriptions, with 2 exceptions: descriptions can include periods (.) and commas (,).

3. To use an existing policy as the foundation for the new policy, mark the Base on existing policy check box, and then select a policy from the drop-down list.

To start with an empty policy, leave the check box unmarked.

4. Click OK to cache your changes and go to the Edit Policy page.

Use the Edit Policy page to finish defining the new policy. See Editing a policy, page 95.

Editing a policy

Related topics:

Internet Access Policies, page 91

Working with policies, page 93

Creating a policy, page 94

Working with filters, page 61

Restricting users to a defined list of URLs, page 261

Use the Policy Management > Policies > Edit Policy page to make changes to an existing policy, or to finish defining a new policy.

Use the top portion of the page to edit the policy name and description:

Click Rename to change the policy name.

Simply type in the Description field to change the filter description.

Under the policy description, the Clients field lists how many clients of each type (directory, computer, and network) are currently filtered by this policy. To see which clients are governed by the policy, click the link corresponding to the appropriate client type.

To assign this policy to additional clients, click Apply to Clients in the toolbar at the top of the page, and then see Assigning a policy to clients, page 97.

Use the Policy Definition area to define which filters this policy applies at different times:

1. To add a time block to the schedule, click Add.

2. Use the Start and End columns in the Schedule table to define the time period that this time block covers.

To define filters for a period that spans midnight (for example, 5 p.m. to 8 a.m.), add two time blocks to the schedule: one that covers the period from the start time until midnight, and one that covers the period from midnight to the end time.

The Example - Standard User policy demonstrates how to define a time period that spans midnight.

3. Use the Days column to define which days of the week are included in this time block. To select days from a list, click the down arrow in the right portion of the column. When you are finished selecting days, click the up arrow.

4. Use the Category / Limited Access Filter column to select a filter to enforce during this time block.

To add a new filter to enforce in this policy, select Create category filter or Create limited access filter. See Creating a category filter, page 62, or Creating a limited access filter, page 263, for instructions.

5. Use the Protocol Filter column to select a protocol filter to enforce during this time block.

To add a new filter to enforce in this policy, select Create protocol filter. See Creating a protocol filter, page 65, for instructions.

6. Repeat steps 1 through 5 to add additional time blocks to the schedule.
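The midnight split from step 2, together with the Default policy's requirement of coverage 24 hours a day, 7 days a week, as an added example that is not part of the Websense documentation or product: it turns a period such as 5 p.m. to 8 a.m. into the two schedule rows and lists any time that no row covers. The function names, the 24-hour HH:MM strings and the day abbreviations are assumptions made for the illustration.

```python
"""Schedule coverage check for a policy's time blocks (illustrative model only)."""

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
WEEKDAYS = DAYS[:5]
MINUTES_PER_DAY = 24 * 60


def to_minutes(hhmm):
    """Convert 'HH:MM' (24-hour; '24:00' is allowed as an end time) to minutes."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    total = hours * 60 + minutes
    if not (0 <= minutes < 60 and 0 <= total <= MINUTES_PER_DAY):
        raise ValueError(f"bad time: {hhmm!r}")
    return total


def to_hhmm(total):
    return f"{total // 60:02d}:{total % 60:02d}"


def time_blocks(start, end, days):
    """Return schedule rows (start_min, end_min, days) for one period.

    A period whose end is not later than its start crosses midnight, so it
    is returned as two rows: start-to-midnight on the chosen days, and
    midnight-to-end on the days that follow them.
    """
    begin, finish = to_minutes(start), to_minutes(end)
    if begin == MINUTES_PER_DAY:
        raise ValueError("a block cannot start at 24:00; use 00:00")
    days = tuple(days)
    if begin < finish:
        return [(begin, finish, days)]
    following = tuple(DAYS[(DAYS.index(d) + 1) % 7] for d in days)
    rows = [(begin, MINUTES_PER_DAY, days)]
    if finish > 0:
        rows.append((0, finish, following))
    return rows


def coverage_gaps(rows):
    """List (day, start, end) for every stretch of the week no row covers."""
    gaps = []
    for day in DAYS:
        cursor = 0  # first minute of this day not yet known to be covered
        for begin, finish in sorted((b, f) for b, f, days in rows if day in days):
            if begin > cursor:
                gaps.append((day, to_hhmm(cursor), to_hhmm(begin)))
            cursor = max(cursor, finish)
        if cursor < MINUTES_PER_DAY:
            gaps.append((day, to_hhmm(cursor), to_hhmm(MINUTES_PER_DAY)))
    return gaps


def example_schedule(include_weekend):
    """Constructed sample schedule, not taken from any shipped policy."""
    rows = time_blocks("08:00", "17:00", WEEKDAYS)   # working hours
    rows += time_blocks("17:00", "08:00", WEEKDAYS)  # overnight: becomes two rows
    if include_weekend:
        # Saturday and Sunday from 8 a.m. round to 8 a.m. the next morning
        rows += time_blocks("08:00", "08:00", ("Sat", "Sun"))
    return rows


if __name__ == "__main__":
    for day, start, end in coverage_gaps(example_schedule(include_weekend=False)):
        print(f"uncovered: {day} {start}-{end}")
```

The after-midnight row lands on the following day, so an overnight period selected for Monday through Friday needs Tuesday through Saturday in the Days column of its second time block.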

When any time block in the schedule is selected, the bottom portion of the Edit Policies page shows the filters enforced during that time block. Each filter listing includes:

The filter type (category filter, limited access filter, or protocol filter)

The filter name and description

The filter contents (categories or protocols with actions applied, or a list of sites permitted)

The number of policies that enforce the selected filter

Buttons that can be used to edit the filter

When you edit a filter on this page, the changes affect every policy that enforces the filter. Before editing a filter that is enforced by multiple policies, click the Number of policies using this filter link to see exactly which policies will be affected.

The buttons that appear at the bottom of the filter listing depend on the filter type:

Filter Type: category filter

Buttons: Use the Permit, Block, Confirm, or Quota button to change the action applied to the selected categories (see Actions, page 58).

To change the action applied to a parent category and all of its subcategories, first change the action applied to the parent category, and then click Apply to Subcategories.

To enable keyword blocking, file type blocking, or blocking based on bandwidth, click Advanced.

Filter Type: limited access filter

Buttons: Use the Add Sites and Add Expressions buttons to add permitted URLs, IP addresses, or regular expressions to the filter (see Restricting users to a defined list of URLs, page 261).

To remove a site from the filter, mark the check box next to the URL, IP address, or expression, and then click Delete.

Filter Type: protocol filter

Buttons: Use the Permit or Block button to change the action applied to the selected protocols (see Actions, page 58).

To change the action applied to all protocols in a protocol group, change the action applied to any protocol in the group, and then click Apply to Group.

To log data for the selected protocol, or to enable blocking based on bandwidth, click Advanced.

When you finish editing a policy, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Assigning a policy to clients

Related topics:

Internet Access Policies, page 91

Creating a policy, page 94

Editing a policy, page 95

Clients, page 73

Adding a client, page 84

Use the Policies > Edit Policy > Apply Policy to Clients page to assign the selected policy to clients.

The Clients list shows all of the available directory, computer, and network clients, as well as the policy currently assigned to each client.

1. Mark the check box next to each client that you want to assign to the selected policy.

2. Click OK to return to the Edit Policy page.

3. Click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.

Enforcement order


Multiple criteria, applied in a specific order, are used to determine whether to permit, block, or limit requested Internet data.

For each request it receives, Websense Web Security solutions:

1. Verify subscription compliance, making sure that the subscription is current.

2. Determine which exception or policy applies, searching in this order:

On-premises software (Websense Filtering Service):

a. Policy or exceptions assigned to the user

b. Policy or exceptions assigned to the IP address (computer or network) of the machine being used

c. Policies or exceptions assigned to groups the user belongs to

d. Policies or exceptions assigned to the user’s domain (OU)

e. The Default policy

Note

You can configure Filtering Service to prioritize group and domain-based policies over IP address-based policies, if needed. See Prioritizing group and domain policies, page 98.

(Websense Web Security Gateway Anywhere) For users whose requests are managed by the hybrid service:

a. Policy or exceptions assigned to the user

b. Policy or exceptions assigned to groups the user belongs to

c. Policy or exceptions assigned to the user’s domain (OU)

d. Policy or exceptions assigned to the external IP address (filtered location) from which the request originates

e. The Default policy

The first applicable exception or policy found is used.

3. Filter the request according to the exception or policy’s restrictions.

In some cases, a user belongs to more than one group or domain, and no higher-priority policy applies. In these cases, the Websense Web Security solution checks the policies assigned to each of the user’s groups.

If all the groups have the same policy, Websense software enforces that policy.

If one of the groups has a different policy, Websense software uses the Use more restrictive blocking selection on the Settings > General > Filtering page to determine which policy to enforce.

If Use more restrictive blocking is checked, and any of the applicable policies blocks access to the requested category, the site is blocked.

If the option is not checked, and any of the applicable policies permits access to the requested category, the site is permitted.

If one of the applicable policies enforces a limited access filter, the Use more restrictive blocking option can have different effects than expected. See Limited access filters and enforcement order, page 262.

If one of the groups has a different policy, and any of the potentially applicable policies enforces file type blocking, the file type blocking settings are ignored.

Prioritizing group and domain policies


In some cases, organizations may prefer that directory policies (applied to users, groups, and domains) take precedence over policies applied to IP addresses (computers and networks).

This might occur, for example, if group-based policies are used widely in the organization, and the Account Override option (see Account override, page 88) is applied to IP addresses in the network. When the default enforcement order is used, the IP address-based policy overrides any group-based policies, which could cause account override to fail frequently. When group and domain policies take precedence, the problem is avoided.

You can configure Websense Filtering Service to prioritize directory policies (in other words, use the search order User > Group > Domain > Computer > Network to identify the policy to apply to a request).
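The two on-premises search orders and the multiple-group rule from Enforcement order, as an added example that is not Websense code: a small model that resolves which policy applies to a request under the default order and under the directory-first order, using the account override case on a kiosk. All user, group and policy names, the addresses, the category label and the CIDR notation for networks are constructed for the illustration; exceptions, limited access filters and file type blocking are left out.

```python
"""Toy model of the on-premises policy search order (not Websense code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Search orders from the text. "computer" precedes "network" because a computer
# client takes precedence over a network client that contains its address.
DEFAULT_ORDER = ("user", "computer", "network", "group", "domain")
DIRECTORY_FIRST = ("user", "group", "domain", "computer", "network")


@dataclass
class Request:
    ip: str
    user: Optional[str] = None
    groups: Tuple[str, ...] = ()
    domain: Optional[str] = None


@dataclass
class Assignments:
    """Client -> policy name, one mapping per client type."""
    user: dict = field(default_factory=dict)
    computer: dict = field(default_factory=dict)  # single IP address
    network: dict = field(default_factory=dict)   # CIDR range (assumed notation)
    group: dict = field(default_factory=dict)
    domain: dict = field(default_factory=dict)


def policies_at(level, req, assigned):
    """Distinct policy names assigned at one level of the search order."""
    if level == "network":
        addr = ipaddress.ip_address(req.ip)
        return [policy for net, policy in assigned.network.items()
                if addr in ipaddress.ip_network(net)]
    keys = {"user": (req.user,), "computer": (req.ip,),
            "group": req.groups, "domain": (req.domain,)}[level]
    table = getattr(assigned, level)
    return list(dict.fromkeys(table[k] for k in keys if k in table))


def resolve(req, assigned, directory_first=False):
    """Return (level, policy names) for the first level with an assignment."""
    for level in (DIRECTORY_FIRST if directory_first else DEFAULT_ORDER):
        found = policies_at(level, req, assigned)
        if found:
            return level, found
    return "default", ["Default"]


def decide(category, names, policies, more_restrictive):
    """Apply the 'Use more restrictive blocking' rule when policies disagree."""
    actions = {policies[name][category] for name in names}
    if len(actions) == 1:
        return actions.pop()
    return "block" if more_restrictive else "permit"


# Constructed sample data: policy name -> action for one made-up category.
POLICIES = {
    "Default": {"social": "permit"},
    "Kiosk": {"social": "block"},
    "Lab": {"social": "permit"},
    "Engineering": {"social": "permit"},
    "Contractors": {"social": "block"},
}
ASSIGNED = Assignments(
    computer={"10.0.5.7": "Lab"},
    network={"10.0.5.0/24": "Kiosk"},
    group={"Engineering": "Engineering", "Contractors": "Contractors"},
)
# A user who has entered network credentials on a kiosk (account override).
KIOSK_USER = Request(ip="10.0.5.20", user="jdoe",
                     groups=("Engineering", "Contractors"))

if __name__ == "__main__":
    for directory_first in (False, True):
        level, names = resolve(KIOSK_USER, ASSIGNED, directory_first)
        for strict in (True, False):
            print(directory_first, level, names, strict,
                  decide("social", names, POLICIES, strict))
```

Under the default order the kiosk's network policy still wins after the credentials are switched, which is the account override failure described above; with the directory-first order the user's two group policies apply, and the outcome then depends on the Use more restrictive blocking setting.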

When Filtering Service is installed on a Windows or Linux server:

1. Navigate to the Websense bin directory on the Filtering Service machine (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default).

2. Open the eimserver.ini file in a text editor.

3. Locate the [FilteringManager] section of the file, and add the following parameter:

UserGroupIpPrecedence=true

4. Save and close the file.

5. Restart Filtering Service.

Windows: Use the Windows Services tool to restart Websense Filtering Service.

Linux: Use the /opt/Websense/WebsenseDaemonControl command to restart Filtering Service.

When Filtering Service is on a Websense appliance:

1. Log on to the Appliance manager.

2. Navigate to the Administration > Toolbox page.

3. In the Appliance Command Line section, under Command Line Utility, click Launch Utility.

4. Select Websense Web Security from the Module drop-down list.

5. Enter user-group-ip-precedence in the Command field.

6. Enter enable in the Action field, then click Run.

Filtering Service is stopped and restarted automatically to implement the change.

Responding to a URL request

Websense Filtering Service evaluates policy restrictions as follows to determine whether the requested site should be permitted or blocked. (For Websense Web Security Gateway Anywhere deployments, note that the logic shown here applies to the on-premises software, but not the hybrid service.)

1. Checks to see whether the site is listed in an exception.

   • If there is a block exception, block the site.
   • If there is a permit exception, permit the site.
   • If there is no exception for the site, continue to Step 2.

2. Determines which category filter or limited access filter the policy enforces for the current day and time.

   • If the active category filter is Permit All, permit the site.
   • If the active category filter is Block All, block the site.
   • If the filter is a limited access filter, check whether the filter contains the URL or IP address. If so, permit the site. If not, block the site.
   • If any other category filter applies, continue to Step 3.

Note

Filtering Service handles URLs accessed from a search engine’s cache like any other URL. They are blocked or permitted according to the applicable policies. Log records for cached URLs show the entire cached URL, including any search engine parameters.

3. Checks the active protocol filter and determines whether any non-HTTP protocols are associated with the request.

   • If so, apply the appropriate action, as defined in the protocol filter.
   • If not, continue to Step 4.

4. Tries to match the site to an entry in the Recategorized URLs list.

   • If a match is made, identify the category for the site and go to Step 6.
   • If a match is not made, continue to Step 5.

5. Tries to match the site to an entry in the Master Database.

   • If the URL appears in the Master Database, identify the category for the site and continue to Step 6.
   • If a match is not made, categorize the site as Miscellaneous/Uncategorized and continue to Step 6.

6. Checks the active category filter and identifies the action applied to the category containing the requested site.

   • If the action is Block, block the site.
   • If any other action is applied, continue to Step 7.

7. Checks for Bandwidth Optimizer settings in the active category filter (see Using Bandwidth Optimizer to manage bandwidth, page 284).

   • If current bandwidth usage exceeds any configured limits, block the site.
   • If current bandwidth usage does not exceed the specified limits, or no bandwidth-based action applies, proceed to Step 8.

8. Checks for file type restrictions applied to the active category (see Managing traffic based on file type, page 287).

   • If the site contains files whose extensions are blocked, block access to those files. If the site itself is comprised of a blocked file type, block access to the site.
   • If the site does not contain files whose extensions are blocked, go to Step 9.

9. Checks for blocked keywords in the URL and CGI path, if keyword blocking is enabled (see Keyword-based policy enforcement, page 272).

   • If a blocked keyword is found, block the site.
   • If a blocked keyword is not found, continue to Step 10.

10. Handles the site according to the action applied to the category.

   • Permit: Permit the site.
   • Limit by Quota: Display the block message with an option to view the site using quota time or go back to the previous page.
   • Confirm: Display the block message with the option to view the site for work purposes.

Filtering Service proceeds until the requested site is either blocked or explicitly permitted. At that point, no further investigation is attempted. For example, if a requested site belongs to a blocked category and contains a blocked keyword, Filtering Service blocks the site at the category level without checking the keyword. Log Server then logs the request as blocked because of a blocked category, not because of a keyword.

Note

Users with password override privileges can access websites regardless of why the site was blocked.
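The evaluation order above, modelled as a short Python function (an added example, not Websense code), shows which step ends the evaluation and therefore which reason would be logged. The Policy fields, the sample hosts, and the simplifications (exact host matching for exceptions, a boolean for bandwidth limits, a file-extension check on the requested URL only, and Permit as the action for categories the filter does not list) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Policy:
    """Hypothetical, simplified stand-in for the settings consulted per request."""
    block_exceptions: set = field(default_factory=set)     # hosts (exact match here)
    permit_exceptions: set = field(default_factory=set)
    filter_kind: str = "category"  # "permit_all", "block_all", "limited" or "category"
    limited_access_sites: set = field(default_factory=set)
    protocol_actions: dict = field(default_factory=dict)   # non-HTTP protocol -> action
    recategorized: dict = field(default_factory=dict)      # host -> category
    master_db: dict = field(default_factory=dict)          # host -> category
    category_actions: dict = field(default_factory=dict)   # category -> action
    bandwidth_exceeded: bool = False                       # assumption: precomputed
    blocked_extensions: set = field(default_factory=set)
    keyword_blocking: bool = False
    blocked_keywords: set = field(default_factory=set)


OUTCOMES = {"Permit": "permit", "Limit by Quota": "quota", "Confirm": "confirm"}


def evaluate(policy, url, protocol=None):
    """Return (outcome, step, reason), stopping at the first block or explicit permit."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # Step 1: exceptions are checked before any filter.
    if host in policy.block_exceptions:
        return ("block", 1, "block exception")
    if host in policy.permit_exceptions:
        return ("permit", 1, "permit exception")

    # Step 2: Permit All, Block All and limited access filters decide immediately.
    if policy.filter_kind == "permit_all":
        return ("permit", 2, "Permit All")
    if policy.filter_kind == "block_all":
        return ("block", 2, "Block All")
    if policy.filter_kind == "limited":
        listed = host in policy.limited_access_sites
        return ("permit" if listed else "block", 2, "limited access filter")

    # Step 3: a non-HTTP protocol is handled by the protocol filter.
    if protocol in policy.protocol_actions:
        return (policy.protocol_actions[protocol].lower(), 3, "protocol " + protocol)

    # Steps 4-5: Recategorized URLs first, then the Master Database.
    category = (policy.recategorized.get(host)
                or policy.master_db.get(host)
                or "Miscellaneous/Uncategorized")

    # Step 6: a Block action ends evaluation before any later check runs.
    action = policy.category_actions.get(category, "Permit")  # default is an assumption
    if action not in OUTCOMES and action != "Block":
        raise ValueError("unknown category action: " + action)
    if action == "Block":
        return ("block", 6, "category " + category)

    # Step 7: Bandwidth Optimizer limits.
    if policy.bandwidth_exceeded:
        return ("block", 7, "bandwidth limit")

    # Step 8: file type, reduced here to the extension of the requested URL.
    filename = parts.path.rsplit("/", 1)[-1].lower()
    extension = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if extension in policy.blocked_extensions:
        return ("block", 8, "file type " + extension)

    # Step 9: keywords in the URL and CGI path, only if keyword blocking is on.
    if policy.keyword_blocking:
        for keyword in sorted(policy.blocked_keywords):
            if keyword in url.lower():
                return ("block", 9, "keyword " + keyword)

    # Step 10: apply the category action (Permit, Limit by Quota or Confirm).
    return (OUTCOMES[action], 10, "category action " + action)


# Constructed sample policy and hosts, for illustration only.
SAMPLE = Policy(
    permit_exceptions={"vendor.example"},
    master_db={"cards.example": "Gambling", "vendor.example": "Shopping",
               "video.example": "Entertainment", "news.example": "News and Media"},
    category_actions={"Gambling": "Block", "Shopping": "Block",
                      "Entertainment": "Limit by Quota"},
    blocked_extensions={"exe"},
    keyword_blocking=True,
    blocked_keywords={"poker"},
)

if __name__ == "__main__":
    for u in ("http://cards.example/poker/", "http://unknown.example/poker-night",
              "http://vendor.example/catalog", "http://news.example/tool.exe",
              "http://video.example/clip"):
        print(u, "->", evaluate(SAMPLE, u))
```

The first sample URL is in a blocked category and also contains a blocked keyword, and the result names Step 6, which matches the logging behavior described above.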

6 Exceptions to Policies

Exceptions give administrators a way to quickly permit URLs and IP addresses in blocked categories, or block URLs and IP addresses in permitted categories.

Creating an exception does not require changing the category of a URL, nor does it change the policy assigned to affected clients. It simply allows a flexible and rapid response to user requests, changes in company policies, spikes in Internet activity, or other changes in circumstance.

For example:

• Permit access to an approved vendor’s website for all employees, even though the Default policy blocks access to the Shopping category.
• Block all clients in the Students role from accessing an uncategorized URL that is experiencing a suspicious spike in traffic while the website is investigated.
• Permit access to a design blog for 3 members of the Web Marketing team, while continuing to block general access to the Blogs and Personal Sites category.
• Block a specific user from accessing a list of URLs at the request of the Human Resources department.

For streamlined instructions for common tasks, see Exception shortcuts, page 112.

For detailed information about what information you can include in an exception, see Managing exceptions, page 105.

Managing exceptions

Related topics:

• Adding or editing an exception, page 108
• Editing multiple exceptions at the same time, page 111

Use the Policy Management > Exceptions page to review, edit, or delete existing exceptions, or to add new exceptions.

Super Administrators see all exceptions, regardless of the role in which they were created. Delegated administrators see all exceptions that affect their current role. For more information about how exceptions are ordered in the list, see How are exceptions organized?, page 107.

If a single URL or regular expression is blocked or permitted by the exception, the URL or expression is listed. Otherwise, click the link in the URLs column to see a complete list of affected URLs.

If the exception affects:

• A single client, the client’s IP address, address range, or display name is listed.
• A single role, the role name is displayed in the format “Role [Role_Name]”.
• All clients in all roles, the word “Global” is shown.
  Global exceptions that can be overridden by delegated administrators are marked with an icon in the Clients column (see Overriding an exception, page 110).
• Multiple, specific clients, the number of clients is shown. Click the link to see a complete list of affected clients.

The exceptions list also shows:

Column | Description
Type | Displays an icon to indicate whether URLs in the exception are Blocked, Permitted, or Permitted with security override disabled.
Last Modified | Shows the date that the exception was last edited.
Expires | Indicates whether or not the exception has an expiration date, and if so, displays the date.
Active | Shows whether the exception is currently being enforced (Active) or not (Inactive).

Use the Filter drop-down list to display only exceptions with specified characteristics. The following filters are available:

Filter | Description
Permitted | Exceptions that permit URLs.
Blocked | Exceptions that block URLs.
Active | Exceptions currently being enforced.
Inactive | Exceptions not currently used.
Will Expire | Exceptions for which an expiration date is specified.
Expired | Exceptions that are inactive because their expiration date has passed.
Never Expires | Exceptions set to remain active indefinitely.
Global | Exceptions that apply to all clients in all roles.
All Clients in a Role | Exceptions that apply to all clients in a specific delegated administration role (including the Super Administrator role).
Specific Clients | Exceptions that apply to one or more specific clients.

You can also use the Search fields to limit which exceptions are displayed:

1. Use the drop-down list to indicate which table columns you want to search.
2. Enter all or part of the string you want to identify.
3. Click Search.
4. To return to your previous view, click Clear Search Results.

To create a new exception, click Add. See Adding or editing an exception, page 108, for instructions.

To edit an existing exception, click the exception name, or mark the check box next to one or more exceptions, and then click Edit. See Adding or editing an exception, page 108, or Editing multiple exceptions at the same time, page 111, for instructions.

To remove an exception, mark the check box next to the exception name, and then click Delete.

How are exceptions organized?

The order in which exceptions are displayed on the Policy Management > Exceptions page depends on the administrator’s role.

For Super Administrators, exceptions are grouped as follows:

1. Global exceptions (affecting all clients in all roles)
2. Exceptions that affect specific clients from the Clients page in the Super Administrator role
3. Exceptions that include one or more clients that are not explicitly assigned to a role (do not appear on any Clients page or in any Managed Clients list)
4. Exceptions applied to the entire Super Administrator role
5. Exceptions applied to specific clients in another delegated administration role
6. Exceptions applied to an entire delegated administration role

For delegated administrators in other roles, exceptions are grouped as follows:

1. Exceptions that affect specific clients in the role
2. Exceptions that affect the entire role (including global exceptions)

Within each grouping, exceptions are shown in alphanumeric order.

Adding or editing an exception

Use the Policy Management > Exceptions > Add Exception or Edit Exception page to create or update an exception that overrides standard policy enforcement to block or permit specific websites for specific clients.

1. Enter or update the unique, descriptive Name for the exception. The name must be between 1 and 50 characters long, and cannot include any of the following characters:

   * < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

2. In the URLs field, list the URLs or IP addresses to be permitted or blocked by the exception.

   If you enter a URL in the format domain.com, both the domain and its subdomains (www.domain.com, subdomain.domain.com) are matched.

   If you enter a URL in the format www.domain.com:

   • http://www.domain.com is matched
   • http://domain.com is not matched
   • http://subdomain.domain.com is not matched

   Enter one URL or IP address per line.

3. Specify which Clients are affected by this exception.

   Super Administrators can create:

   • Global exceptions that apply to all clients in all roles.

     If you select this option, also specify whether or not to Allow delegated administrators to create exceptions that override this exception (see Overriding an exception, page 110).

   • Exceptions that apply to All clients in a role.

     After selecting this option, select a role from the drop-down list.

   • Exceptions that apply to Specific clients in any role.

     After selecting this option, you are offered 2 lists. One (on the left) shows all clients that have been Defined: added as managed clients in a delegated administration role, added to the Clients page in any role, or added to an exception. The other (on the right) shows clients Selected for this exception.

     Search boxes appear above each list to help you quickly find clients to add or remove.

     To add a client to the exception that does not appear in the list on the left, click Add Other Clients, then add user, group, computer (IPv4 or v6 address), or network (IPv4 or v6 address range) clients.

     Important

     If you select specific clients that belong to multiple roles, when the exception is created, it is automatically split so that a new exception is created for each affected role.

     For example, if you define an exception called “Permit Craigslist” that applies to clients in the Super Administrator, HR, and Facilities roles, when you click OK, 3 exceptions are created.

     The exceptions for the HR role and Facilities role are marked with an icon. Move the mouse over the icon to see which role is affected by the exception.

     The exception for the Super Administrator role is not annotated.

   Delegated administrators can create exceptions that apply to All managed clients in this role or Specific clients in this role.

   If you select the latter option, you are offered 2 lists. One (on the left) shows all clients Defined in your Managed Clients list and Clients page. The other (on the right) shows the clients Selected for this exception.

   • Search boxes appear above each list to help you quickly find the clients that you want to add.
   • If a client does not appear in the Defined clients list, that individual is likely a member of a group, OU, or network (IP address range) defined as a managed client in your role. To add such a client, click Add Other Clients, then specify the user, group, or IPv4 or v6 address that you want to add.

4. Specify the exception Type. This determines whether to Block or Permit the listed URLs for the specified clients.

5. Indicate when the exception Expires.

   • If you select Never, the exception is used until you delete it, or edit it to add an expiration date.
   • If you select After, enter an expiration date in the format mm/dd/yyyy, or click the calendar icon to select a date. The exception expires at midnight (based on the time set on the Filtering Service machine), when the selected day ends.

6. Determine the exception State. By default, the exception is Active, and is immediately enforced after you cache and save your changes. If you do not want the exception to be used at this time, clear the check box.

7. By default, if a URL is associated with a Security Risk category (like Malicious Web Sites or Spyware), any permitted exception is ignored, and the URL is filtered based on the active policy (see Prioritizing Security Risk categorization, page 276):

   • If a category filter blocks the category, the request is blocked.
   • If a category filter permits the category, the request is permitted.
   • If a limited access filter is being used, the request is blocked.

   To override this security feature, click Advanced, then clear the Block URLs that become a security risk, even if they are permitted by exception check box.

   Making this change is not recommended.

8. To use regular expressions to define URLs that are permitted or blocked by exception, click Advanced, then enter one expression per line in the Regular expressions box.

   To validate the expressions that you create, click Test Regular Expression.

   Note that using large numbers of regular expressions, or using poorly-formed or overly-broad expressions, can lead to a significant decrease in performance.

9. When you are finished making changes, click OK to cache your changes and return to the Exceptions page. Changes are not implemented until you click Save and Deploy.

Overriding an exception

Related topics:

• Adding or editing an exception, page 108
• If multiple exceptions could apply, which takes precedence?, page 111

By default, when a Super Administrator creates an exception, the exception takes precedence over any exceptions that a delegated administrator might create.

For example:

• A Super Administrator global exception blocks mysite.com and a delegated administrator exception for some managed clients permits mysite.com.
  The URL is blocked by default.
• A Super Administrator global exception permits anothersite.com and a delegated administrator exception blocks the same site.
  The URL is permitted by default.

When creating an exception, however, Super Administrators have the option to Allow delegated administrators to create exceptions that override this exception. If this option is selected, delegated administrator exceptions take precedence over the Super Administrator exception.

For example:

• A Super Administrator global exception permits samplesite.com, and a delegated administrator exception blocks samplesite.com for the delegated administration role.
  The URL is blocked for clients in the delegated administration role.
• A Super Administrator global exception blocks example.com, and a delegated administrator exception permits example.com for a managed client.
  The URL is permitted for the specified managed client.

Super Administrator exceptions that can be overridden are marked by an icon in the Clients column on the Policy Management > Exceptions page.

If multiple exceptions could apply, which takes precedence?

By default, Super Administrator exceptions take precedence over exceptions created by delegated administrators. So if a Super Administrator exception blocks a URL, and a delegated administrator exception permits the same URL, the request is blocked.

If, however, the Super Administrator configures an exception to allow delegated administrator overrides (see Overriding an exception, page 110), then the delegated administrator exception takes precedence. So if a Super Administrator exception blocks a URL, and a delegated administrator exception permits the same URL, the request is permitted.

If multiple equivalent exceptions could apply to a request (for example, if multiple Super Administrator exceptions include the same URL):

• Filtering Service checks for blocked exceptions first, so if there is a blocked exception and a permitted exception, the request is blocked.
• If there are multiple blocked exceptions, the first one found is applied.
• If there are no blocked exceptions and multiple permitted exceptions, the first permitted exception is applied.

After creating an exception, use the Test Filtering tool (see Test Filtering, page 298) to verify that client requests are filtered as expected.
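The URL-matching rules from Adding or editing an exception and the precedence rules above, modelled in Python as an added example (not Websense code) that can be used to reason about which exception should win before confirming with Test Filtering. The ExceptionRule fields, the rule that only entries beginning with www. are matched exactly, and the placement of overridable Super Administrator exceptions below delegated ones are assumptions drawn from the page's examples; client scope is left out.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class ExceptionRule:
    """Hypothetical model of one exception; client scope is not modelled."""
    name: str
    urls: tuple                      # one host entry per line of the URLs field
    kind: str                        # "Block" or "Permit"
    owner: str                       # "super" or "delegated"
    allow_override: bool = False     # Super Administrator option to allow overrides
    active: bool = True              # the exception State
    expires: Optional[date] = None   # None models Expires: Never


def entry_matches(entry, host):
    """domain.com also covers subdomains; www.domain.com covers only itself."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("www."):     # assumption: only www. entries are exact
        return host == entry
    return host == entry or host.endswith("." + entry)


def in_force(rule, today):
    """An exception expires at midnight when the selected day ends."""
    return rule.active and (rule.expires is None or today <= rule.expires)


def resolve(rules, host, today):
    """Return (outcome, rule name) for the exception that wins, or (None, None)."""
    hits = [r for r in rules
            if in_force(r, today) and any(entry_matches(u, host) for u in r.urls)]
    tiers = (
        [r for r in hits if r.owner == "super" and not r.allow_override],
        [r for r in hits if r.owner == "delegated"],
        [r for r in hits if r.owner == "super" and r.allow_override],
    )
    for tier in tiers:
        blocked = [r for r in tier if r.kind == "Block"]
        if blocked:                  # blocked exceptions are checked first
            return ("block", blocked[0].name)
        if tier:                     # otherwise the first permitted exception
            return ("permit", tier[0].name)
    return (None, None)


# Constructed rules that reuse the example domains from the text.
TODAY = date(2014, 6, 1)
RULES = [
    ExceptionRule("SA block mysite", ("mysite.com",), "Block", "super"),
    ExceptionRule("DA permit mysite", ("mysite.com",), "Permit", "delegated"),
    ExceptionRule("SA permit samplesite", ("samplesite.com",), "Permit", "super",
                  allow_override=True),
    ExceptionRule("DA block samplesite", ("samplesite.com",), "Block", "delegated"),
    ExceptionRule("SA block example", ("example.com",), "Block", "super",
                  allow_override=True),
    ExceptionRule("DA permit example", ("example.com",), "Permit", "delegated"),
    ExceptionRule("SA permit www only", ("www.domain.com",), "Permit", "super"),
    ExceptionRule("SA expired block", ("oldsite.com",), "Block", "super",
                  expires=date(2014, 5, 31)),
]

if __name__ == "__main__":
    for h in ("mysite.com", "samplesite.com", "example.com", "shop.example.com",
              "www.domain.com", "domain.com", "oldsite.com"):
        print(h, "->", resolve(RULES, h, TODAY))
```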

Editing multiple exceptions at the same time

Use the Policy Management > Exceptions > Edit Exceptions page to edit multiple exceptions at the same time.

When you edit multiple exceptions, you can edit only the exception type (permitted or blocked), expiration setting (never expires or expiration date), state (active or inactive), or security override setting (whether URLs in a permitted exception are permitted or blocked if Websense software finds a security risk).

Click the View details of each selected exception link near the top of the page for more information about the exceptions you are editing.

1. Verify the exception Type (Block or Permit). To make a change, click Change, then make a new selection.

2. To update the Expires setting for the exception, click Change, then:

   • If you select Never, the exception is used until you delete it, or edit it to add an expiration date.
   • If you select After, enter an expiration date in the format mm/dd/yyyy, or click the calendar icon to select a date.

3. To update the exception State, click Change, then mark or clear the Active check box. Inactive exceptions are not used.

4. By default, if Websense Web Security determines that a URL is a security risk (hosts malicious software or spyware, for example), the URL is blocked, even if it has been permitted by exception.

   To update the current security settings for a permitted exception, click Advanced, then click Change. Mark or clear the Block URLs that become a security risk, even if they are permitted by exception check box.

   Disabling the default security override protection is not recommended.

5. When you are finished making changes, click OK to cache your changes and return to the Exceptions page. Changes are not implemented until you click Save and Deploy.

Exception shortcuts

Use these shortcuts to find the fastest way to perform common tasks.

For Super Administrators:

• How do I block or permit a URL for everyone?, page 112
• How do I block or permit a URL for one person?, page 113

For delegated administrators:

• How do I block or permit a URL for my entire role?, page 113
• How do I block or permit a URL for one of my managed clients?, page 114

For all administrators:

• How do I create an unfiltered URL?, page 115

How do I block or permit a URL for everyone?

Super Administrators can use the following steps to block or permit a URL for everyone in the network:

1. Go to the Policy Management > Exceptions page and click Add.
2. Enter a unique Name for the exception.
3. Enter the URL that you want to permit or block.
4. By default, the exception is set to apply to all clients (Global is selected).
5. By default, the exception is set to Block the URL. To change this, set the Type to Permit.
6. Set an expiration date, if applicable.
7. Click OK to cache the change, then click Save and Deploy to implement it.

How do I block or permit a URL for one person?


Super Administrators can use the following steps to block or permit a URL for a single client in the network, regardless of the client’s role.

1. Go to the Policy Management > Exceptions page and click Add.

2. Enter a unique Name for the exception.

3. Enter the URL that you want to permit or block.

4. To specify the client affected by this exception, select Specific clients in any role.

5. Enter all or part of the user name or IP address in the search box above the Defined clients list, then press Enter.

   If the client appears in the search results, select the client and click the right arrow (>) button to place the client in the Selected list.

   If the client does not appear in the search results, click Add Other Clients, then:

   • Select a user or group name from the list, or click Search to find a user or group in your user directory.
   • Enter an IP address or range in either IPv4 or IPv6 format.

   When you have identified the client that you want to add, use the appropriate right arrow (>) button to move the client to the Selected list, then click OK.

6. By default, the exception is set to Block the URL. To change this, set the Type to Permit.

7. Set an expiration date, if applicable.

8. Click OK to cache the change, then click Save and Deploy to implement it.

How do I block or permit a URL for my entire role?


Delegated administrators can use the following steps to block or permit a URL for all managed clients in the role they manage:

Important

Exceptions created by a Super Administrator may take precedence over exceptions created by a delegated administrator.

If you create an exception that does not seem to be applied to your managed clients, use the Test Filtering tool to see if another exception is overriding the one that you created (see Test Filtering, page 298).

1. Go to the Policy Management > Exceptions page and click Add.
2. Enter a unique Name for the exception.
3. Enter the URL that you want to permit or block.
4. By default, the exception is set to apply to All managed clients in this role.
5. By default, the exception is set to Block the URL. To change this, set the Type to Permit.
6. Set an expiration date, if applicable.
7. Click OK to cache the change, then click Save and Deploy to implement it.

How do I block or permit a URL for one of my managed clients?


Delegated administrators can use the following steps to block or permit a URL for one of their managed clients.

Important

Exceptions created by a Super Administrator may take precedence over exceptions created by a delegated administrator.

If you create an exception that does not seem to be applied to your managed clients, use the Test Filtering tool to see if another exception is overriding the one that you created (see Test Filtering, page 298).

1. Go to the Policy Management > Exceptions page and click Add.

2. Enter a unique Name for the exception.

3. Enter the URL that you want to permit or block.

4. To specify the client affected by this exception, select Specific clients in this role.

5. Enter all or part of the user name or IP address in the search box above the Defined clients list, then press Enter.

   If the client appears in the search results, select the client and click the right arrow (>) button to place the client in the Selected list.

   If the client is a member of a group, OU, or network (IP address range) defined as a managed client in your role, but does not explicitly appear in your Managed Clients list or on your Clients page, that client will not appear in your search results.

   In this case, cancel creation of the exception, add the client to your Clients page, then create the exception. This time, the client will appear in your search results on the Add Exceptions page.

6. By default, the exception is set to Block the URL. To change this, set the Type to Permit.

7. Set an expiration date, if applicable.

8. Click OK to cache the change, then click Save and Deploy to implement it.

How do I create an unfiltered URL?

When you upgrade from version 7.6 or earlier, your existing unfiltered URLs are changed into permitted exceptions. Unfiltered URLs created by:

• Super Administrators become global exceptions that permit the URL or regular expression for all clients in all roles.
• Delegated administrators become role-scoped permitted exceptions that permit the URL or regular expression for all clients in a role.

To permit a URL for everyone (Super Administrators only), or for everyone in the role you manage, see:

• How do I block or permit a URL for everyone?, page 112
• How do I block or permit a URL for my entire role?, page 113

7 Block Pages

Related topics:

• Blocking graphical advertisements, page 119
• Blocking embedded pages, page 119
• Working with block pages, page 120
• Creating alternate block messages, page 126
• Using an alternate block page on another machine, page 127
• Determining why a request was blocked, page 128

When Websense Web Security blocks a website, it displays a block page in the client’s browser.

Block pages are constructed from HTML files and, by default, are made up of 3 main sections.

• The header explains that the site is blocked.
• The top frame contains a block message showing the requested URL and the reason the URL was blocked.
• The bottom frame presents any options available to the user, such as the option to go back to the previous page, or to click a Continue or Use Quota Time button to view the site.

If the site is blocked because it belongs to a category in the Security Risk class (see Risk classes, page 55), a security block page is displayed.

In Websense Web Security Gateway and Gateway Anywhere deployments, Super Administrators can enable an enhanced version of the block page that includes a link to Websense ACEInsight.

• Enable the link on the Settings > General > Filtering page.
• Users can click the link to find more information about URLs blocked for security reasons.

Note

IPv6 only clients do not display a block page correctly. The user is blocked from the site as expected but will receive a browser error rather than a block page. Dualstack IPv6 clients receive the normal block page.

Default block page files are included with your Websense software. You can use these default files or create your own custom versions.

• Customize the default files to change the block message (see Working with block pages, page 120).
• Configure Websense software to use block messages (default or custom) hosted on a remote web server (see Using an alternate block page on another machine, page 127).

Note

In Websense Web Security Gateway Anywhere deployments, changes to the on-premises block pages do not affect hybrid block pages. See Customizing hybrid block pages, page 227.

Blocking graphical advertisements

In some cases, Websense software displays a very small, blank image file (BlockImage.gif) instead of a standard or security block page. This occurs when:

• The Advertisements category is blocked, and
• A site tries to display an image (like a GIF or JPG file) hosted at a URL in the Advertisements category.

Advertisements are often displayed in frames or iframes on a page that also displays non-advertisement information. In this case, graphical advertisements typically appear as white (empty) boxes on the page. The rest of the site content displays normally.

In some cases, an entire site may be made up of advertisement images. In this case, the user will see a blank web page in the browser instead of a standard block message.

Users can tell that the site has been blocked because of the URL, which is something like this:

http://<Filtering Service IP address>:15871/cgi-bin/blockpage.cgi?ws-session=<session number>

If you would prefer to show an image other than the default, 1-pixel block image, simply replace the default file:

1. Navigate to the block page directory on the Filtering Service machine (C:\Program Files or Program Files (x86)\Websense\Web Security\BlockPages\Images or /opt/Websense/BlockPages/Images, by default).
2. Make a backup copy of the original blockImage.gif file.
3. Name your image blockImage.gif and copy it to the Images directory (overwriting the original file).

Blocking embedded pages

Web Security Help | Web Security Solutions | Version 7.8.x

Most web pages contain content from multiple sources (ad servers, streaming video sites, social networking applications, image hosting services, and so on). Some sites aggregate content, pulling pieces from multiple sites into a single presentation.

Web Security Help

119

Block Pages

In these instances, users may request sites that contain a mix of permitted and blocked content.

When a frame or iframe within a larger page contains blocked content, Websense software displays a standard or security block page within that frame. When the frame is small, however, the end user might be able to see only a tiny portion of the page

(perhaps not even the full block icon), and not understand why the content is blocked.

To address this issue, users can mouse over whatever portion of the block page is visible to see a tooltip-style popup with a brief block message. Clicking the message causes the full block page to appear in a separate window.

To return to browsing the permitted content of the original page, users should close the window showing the block page. Due to browser restrictions, clicking the Back button on a block page opened from within a frame does not have any effect.

If, when the block page is displayed in a new window, it offers a Use Quota Time or Continue option, clicking the button:

1. Closes the new (popup) window.

2. Displays the previously blocked content (and only that content) in the original browser window.

To see the original page, including the previously blocked content, do either of the following:

Re-enter the site URL.

Use the browser Back button to return to the site, then refresh the page.

Working with block pages

Related topics:

Customizing the block message, page 122

Creating alternate block messages, page 126

Using an alternate block page on another machine, page 127

The files used to create Websense block pages are stored in the following directory:

Windows:

C:\Program Files\Websense\Web Security\BlockPages\<language_code>\Default or

C:\Program Files (x86)\Websense\Web Security\BlockPages\<language_code>\Default

Linux:

/opt/Websense/BlockPages/<language_code>/Default

Note

In Websense Web Security Gateway Anywhere deployments, these block pages are applied only to users filtered by the on-premises software. To customize the pages provided by the hybrid service, see Customizing hybrid block pages, page 227.

There are 2 primary HTML files used to construct block pages:

master.html constructs the information frame for the block page, and uses one of the following files to display appropriate options in the bottom frame:

File Name | Contents
blockFrame.html | Text and button (Go Back option) for sites in blocked categories.
continueFrame.html | Text and buttons for sites in categories to which the Confirm action is applied.
quotaFrame.html | Text and buttons for sites in categories to which the Quota action is applied.
moreInfo.html | Content for the page that appears when a user clicks the More information link on the block page.

block.html contains the text for the top frame of the block message, which explains that access is restricted, lists the requested site, and describes why the site is restricted.

In addition, several supporting files are used to supply the text content, styles, and button functionality used in block pages:

File Name | Description
blockStyle.css | Cascading style sheet containing most block page styles
master.css | Cascading style sheet containing styles for block page popups (like the account override popup)
popup.html | When an embedded page is blocked (see Blocking embedded pages, page 119), this file is used to display the full-sized block page popup.
block.inl | Provides tools used in constructing the block frame of the block page
blockframe.inl | Provides additional information for standard block pages
continueframe.inl | Provides additional information for the block frame when users have a “Continue” option
quotaframe.inl | Provides additional information for the block frame when users have a “Use Quota Time” option
base64.js | JavaScript file used to support credential encryption when users have an “Account Override” option. This file should not be changed or removed.
master.js | JavaScript file used in construction of a standard block page
security.js | JavaScript file used in construction of a security block page
messagefile.txt | Contains text strings used in block pages
WebsenseCopyright.txt | Copyright information for Websense block pages
master.wml | WML file with basic blocking information

In deployments that include Web DLP components, an additional file, policyViolationDefaultPage.html, provides block page content when Websense Data Security components block content from being posted to or downloaded from the Web.

Customizing the block message

Related topics:

Changing the size of the message frame, page 123

Changing the logo that displays on the block page, page 124

Using block page content variables, page 124

Reverting to the default block pages, page 126

You can make a copy of the default block page files, and then use the copy to customize the top frame of the block page that users receive.

Change the appearance of the block page to use your organization’s logo, colors, and style.

Add information about your organization’s Internet use policies.

Provide a method for contacting an administrator about Internet use policies.

To create your own, custom block pages:

1. Navigate to the Websense block page directory. For English:

Websense/Web Security/BlockPages/en/Default

2. Copy the block page files to the custom block page directory. For English:

Websense/Web Security/BlockPages/en/Custom

Note

Do not modify the original block message files in the BlockPages/en/Default directory. Copy them to the BlockPages/en/Custom directory and then modify the copies.

3. Open the file in a text editor, such as Notepad or vi.

Warning

Use a plain text editor to edit block message files. Some HTML editors modify HTML code, which could corrupt the files and cause problems displaying the block messages.

4. Modify the text. The files contain comments that guide you in making changes.

Do not modify the tokens (enclosed by $* and *$ symbols), or the structure of the HTML code. These enable Websense software to display specific information in the block message.

5. Some block page HTML files use hard-coded paths to reference the support files used to construct the page. If you have modified the stylesheet used to format the block pages (blockStyle.css) or the JavaScript file used to construct security block pages (security.js), make sure that you also update the path to those files in your custom HTML files. For example:

<link rel="stylesheet" href="/en/Custom/blockStyle.css" type="text/css">

6. Save the file.

7. Restart Websense Filtering Service (see Stopping and starting Websense services, page 398, for instructions).
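An added example (not Websense code): one way to check customized copies before restarting Filtering Service is to compare the $*...*$ tokens in each Custom file with its Default counterpart, and to flag pages that still load a default support file after the copy in Custom was changed. The sample files, the /en/Default/ path form, and the reading of two tokens sharing one $ are assumptions.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# A token is a name between $* and *$. The lookarounds let two adjacent tokens
# share a '$', as in the iframe line: $*WS_BLOCKMESSAGE_PAGE*$*WS_SESSIONID*$
# (assumption: that line holds two tokens).
TOKEN_RE = re.compile(r"(?<=\$)\*([A-Za-z0-9_-]+)\*(?=\$)")
# Hard-coded references to the two support files named in step 5.
# Assumption: default pages use /en/Default/... where custom ones use /en/Custom/...
PATH_RE = re.compile(r"/en/(Default|Custom)/(blockStyle\.css|security\.js)")
TEXT_SUFFIXES = {".html", ".inl", ".js", ".css", ".txt", ".wml"}


def tokens(text):
    """Count the token names that appear in one file's text."""
    return Counter(TOKEN_RE.findall(text))


def read(path):
    return path.read_text(encoding="utf-8", errors="replace")


def audit_custom(default_dir, custom_dir):
    """Return (file, kind, detail) findings for the edited copies in custom_dir."""
    default_dir, custom_dir = Path(default_dir), Path(custom_dir)
    defaults = {p.name: read(p) for p in default_dir.iterdir()
                if p.is_file() and p.suffix.lower() in TEXT_SUFFIXES}
    known = set()
    for text in defaults.values():
        known.update(tokens(text))

    findings = []
    for name in sorted(defaults):
        custom_path = custom_dir / name
        if not custom_path.is_file():
            continue  # file was not copied, so there is no edit to audit
        custom_text = read(custom_path)
        before, after = tokens(defaults[name]), tokens(custom_text)
        # Tokens deleted or mangled by an edit (or by an HTML editor).
        for tok in sorted(before):
            if after[tok] < before[tok]:
                findings.append((name, "missing-token", tok))
        # Token-shaped strings that no default file contains, usually a typo.
        for tok in sorted(set(after) - known):
            findings.append((name, "unknown-token", tok))
        # Page still loads the default support file although the copy in
        # Custom was changed, so the change would never be displayed.
        for where, support in sorted(set(PATH_RE.findall(custom_text))):
            copy = custom_dir / support
            changed = (support in defaults and copy.is_file()
                       and read(copy) != defaults[support])
            if where == "Default" and changed:
                findings.append((name, "stale-path", support))
    return findings


def build_sample(root):
    """Write small CONSTRUCTED Default and Custom trees (not the shipped files)."""
    default_dir, custom_dir = Path(root, "Default"), Path(root, "Custom")
    default_files = {
        "master.html":
            '<link rel="stylesheet" href="/en/Default/blockStyle.css" type="text/css">\n'
            '<iframe src="$*WS_BLOCKMESSAGE_PAGE*$*WS_SESSIONID*$" scrolling="no"></iframe>\n',
        "block.html": '<p id="UserName">$*WS_USERNAME*$</p>\n<p>$*WS_URL*$</p>\n',
        "blockStyle.css": "body { color: #000; }\n",
    }
    custom_files = {
        # Session token lost during editing; stylesheet path left at Default.
        "master.html": default_files["master.html"].replace("*WS_SESSIONID*$", ""),
        # Token name misspelled.
        "block.html": default_files["block.html"].replace("WS_USERNAME", "WS_USERNAM"),
        # Stylesheet modified, so pages must point at the Custom copy.
        "blockStyle.css": "body { color: #285EA6; }\n",
    }
    for directory, files in ((default_dir, default_files), (custom_dir, custom_files)):
        directory.mkdir(parents=True)
        for name, text in files.items():
            (directory / name).write_text(text, encoding="utf-8")
    return default_dir, custom_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_custom(*build_sample(tmp)):
            print(*finding, sep=": ")
```

Run against the real Default and Custom directories, an empty result means every token in the default files is still present in the edited copies.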

Changing the size of the message frame


Depending on what information you want to provide in the block message, the default width of the block message and height of the top frame may not be appropriate. To change these size parameters in the master.html file:

1. Copy master.html from the Websense/BlockPages/en/Default directory to Websense/BlockPages/en/Custom.

2. Open the file in a text editor, such as Notepad or vi (not an HTML editor).

3. To change the width of the message frame, edit the following line:

<div style="border: 1px solid #285EA6;width: 600px...">

Change the value of the width parameter as required.

4. To cause the top frame of the message to scroll, in order to show additional information, edit the following line:

<iframe src="$*WS_BLOCKMESSAGE_PAGE*$*WS_SESSIONID*$" ... scrolling="no" style="width:100%; height: 6em;">

Change the value of the scrolling parameter to auto to display a scroll bar when message text exceeds the height of the frame.

You can also change the value of the height parameter to change the frame height.

5. Save and close the file.

6. Restart Filtering Service to implement the change (see Stopping and starting Websense services, page 398).

Changing the logo that displays on the block page

The master.html file also includes the HTML code used to display a Websense logo on the block page. To display your organization’s logo instead:

1. Copy the block page files from the Websense/BlockPages/en/Default directory to Websense/BlockPages/en/Custom, if they have not already been copied.

2. Copy an image file containing your organization’s logo to the same location.

3. Open master.html in a text editor, such as Notepad or vi (not an HTML editor), and edit the following line to replace the Websense logo with your organization’s logo:

<img title="Websense" src="/en/Custom/wslogo_block_page.png" ...>

Replace wslogo_block_page.png with the name of the image file containing your organization’s logo.

Replace the value of the title parameter to reflect the name of your organization.

4. Save and close the file.

5. Restart Filtering Service to implement the change (see Stopping and starting Websense services, page 398).

Using block page content variables


Content variables control the information displayed on HTML block pages. The following variables are included with the default block message code.

Variable Name | Content Displayed
WS_DATE | Current date
WS_USERNAME | Current user name (excluding domain name)
WS_USERDOMAIN | Domain name for the current user
WS_IPADDR | IP address of the requesting source machine
WS_WORKSTATION | Machine name of the blocked computer (if no name is available, IP address is displayed)

To use a variable, insert the variable name between the $* *$ symbols in the appropriate HTML tag:

<p id="UserName">$*WS_USERNAME*$</p>

Here, WS_USERNAME is the variable.

The block message code includes additional variables, described below. You may find some of these variables useful in constructing your own, custom block messages.

When you see these variables in Websense-defined block message files, however, please do not modify them. Because Filtering Service uses these variables when processing blocked requests, they must remain in place.

Variable Name | Purpose
WS_URL | Displays the requested URL
WS_BLOCKREASON | Displays why the site was blocked (i.e., which action was applied)
WS_ISSECURITY | Indicates whether the requested site belongs to any of the categories in the Security Risk class. When TRUE, the security block page is displayed.
WS_PWOVERRIDECGIDATA | Populates an input field in the block page HTML code with information about use of the Password Override button
WS_QUOTACGIDATA | Populates an input field in the block page HTML code with information about use of the Use Quota Time button
WS_PASSWORDOVERRIDE-BEGIN, WS_PASSWORDOVERRIDE-END | Involved in activating password override functionality
WS_MOREINFO | Displays detailed information (shown after the More information link is clicked) about why the requested site was blocked
WS_POLICYINFO | Indicates which policy governs the requesting client
WS_MOREINFOCGIDATA | Sends data to Filtering Service about use of the More information link
WS_QUOTATIME | Displays the amount of quota time remaining for the requesting client
WS_QUOTAINTERVALTIME | Displays quota session length configured for the requesting client
WS_QUOTABUTTONSTATE | Indicates whether the Use Quota Time button is enabled or disabled for a particular request
WS_SESSIONID | Acts as an internal identifier associated with a request
WS_TOPFRAMESIZE | Indicates the size (as a percentage) of the top portion of a block page sent by a custom block server, if one is configured
WS_BLOCKMESSAGE_PAGE | Indicates the source to be used for a block page’s top frame
WS_CATEGORY | Displays the category of the blocked URL
WS_CATEGORYID | The unique identifier for the requested URL category

Reverting to the default block pages


If users experience errors after you implement customized block messages, you can restore the default block messages as follows:

1. Delete all the files from the Websense/BlockPages/en/Custom directory. By default, Websense software will return to using the files in the Default directory.

2. Restart Filtering Service (see Stopping and starting Websense services, page 398).

Creating alternate block messages

Related topics:

Working with block pages, page 120

Customizing the block message, page 122

You can create your own HTML files to supply the text that appears in the top frame of the block page. Use existing HTML files, create alternate files from scratch, or make copies of block.html to use as a template.

Create different block messages for each of 3 protocols: HTTP, FTP, and Gopher.

Host the files on the Websense machine, or on your internal Web server (see Using an alternate block page on another machine, page 127).

After creating alternate block message files, you must configure Websense software to display the new messages (see Configuring filtering settings, page 69). During this process, you can specify which message is used for each of the configurable protocols.

Using an alternate block page on another machine

Related topics:

Working with block pages, page 120

Customizing the block message, page 122

Creating alternate block messages, page 126

Instead of using Websense block pages and customizing just the message in the top frame, you can create your own HTML block pages and host them on an internal Web server.

Note

It is possible to store block pages on an external Web server. If, however, that server hosts a site listed in the Master Database, and that site is in a blocked category, the block page itself is blocked.

Some organizations use alternate, remote block pages to hide the identity of the Websense server machine.

The remote block page can be any HTML file; it does not need to follow the format of the default Websense block pages. Using this method to create block pages, however, does prevent you from using the Continue, Use Quota Time, and Password Override functions available with Websense-defined block pages (default or custom).

When the files are in place, edit the eimserver.ini file to point to the new block page.

1. Stop the Websense Filtering Service and Policy Server services, in that order (see Stopping and starting Websense services, page 398).

2. On the Filtering Service machine, navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default).

3. Create a backup copy of the eimserver.ini file and store it in another directory.

4. Open the eimserver.ini file in a text editor, and locate the [WebsenseServer] section (at the top of the file).

5. Enter either the hostname or the IP address of the server hosting the block page in the following format:

UserDefinedBlockPage=http://<hostname or IP address>

The protocol portion of the URL (http://) is required.

6. Save the file and close the text editor.

7. Restart the Websense Policy Server and Filtering Service, in that order.

When the services have started, users receive the block page hosted on the alternate machine.

Determining why a request was blocked


If you want to investigate why a request was blocked, information is available in the block page source code.

If the block page was sent by Filtering Service (for users filtered by the appliance or on-premises software), click More information. Next, right-click anywhere in the message text and select View Source. See Request blocked by Filtering Service, page 128.

Note

With Internet Explorer 10, the View Source option is not always available. If the View Source option does not appear, click Page Tools and select View on the desktop.

If the block page was sent by the hybrid service (in Websense Web Security Gateway Anywhere environments), right-click anywhere in the block message and select View Source. See Request blocked by the hybrid service, page 129.

Request blocked by Filtering Service


The HTML source for the more information block page shows information about who requested the site, and what criteria were used to filter the request. Specifically, it shows:

The user name and source IP address of the request (if available), and the time (in the format HH:MM) that the request was made.

Which policy is being applied to the request, and whether the policy is assigned to the user, group, domain, computer (individual IP address), or network (IP address range).

If more than one group policy could apply, the message also states whether the Use more restrictive blocking setting is in use. See Configuring filtering settings, page 69.

What aspect of the policy caused the request to be blocked (for example, category or limited access filter, file type, keyword, bandwidth usage).

The name of the role in which the policy was assigned.

What resource was used to categorize the site (Websense Master Database, real-time database update, a regular expression included in a real-time database update, custom URL, keyword, Websense Web Security Gateway scanning, and so on).

For example:

User Name: WinNT://Test/tester1 Source IP Address: 10.12.132.17 Current Time: 15:30

This network (10.12.132.0 to 10.12.132.255) is filtered by policy: role-8**Default. The policy includes a category or limited access filter for the current time.

This policy is associated with role: Super Administrator.

The request was categorized by: Master database.

Here, the request is filtered by a policy (Default) applied to the network (IP address range) in which the user’s machine is located. The policy assignment was performed in the Super Administrator role, and the requested site was categorized by the Master Database.

Request blocked by the hybrid service


The HTML source for the block page sent by the hybrid service shows information about how the requested site was categorized, and how a policy was applied to the request. Specifically, it shows:

The name of the role in which the policy was assigned. See Delegated administration roles, page 340.

The category assigned to the site.

The policy or policies assigned to the request.

If file type blocking was used, which file type applies.

The protocol (HTTP, HTTPS, or FTP over HTTP) used to make the request.

What resource was used to categorize the site (Websense Master Database, real-time database update, a regular expression included in a real-time database update, custom URL, keyword, Websense Web Security Gateway scanning, and so on).

If a problem occurred that prevented the hybrid service from reporting why a request was blocked, or if the hybrid service experienced an error when the block page was being displayed, the Exception reason field displays an explanation and numeric error code. If the problem recurs, Websense Technical Support can use the error code in troubleshooting the issue.


For example:

Role: Super Administrator

Category: Peer-to-Peer File Sharing

Policy: Default

Domain:

Group:

FileType:

Network:

Protocol: http

Category Reason String: Master database

Exception reason:

Here, the request is filtered by a policy (Default) in the Super Administrator role that blocks the Peer-to-Peer File Sharing category. The requested HTTP site was categorized by the Master Database.

8 Use Reports to Evaluate Internet Activity

Related topics:

Presentation reports, page 133

Investigative reports, page 155

Accessing self-reporting, page 178

Application reporting, page 178

Real-Time Monitor, page 184

The Web Security manager provides several reporting tools that can help you evaluate the effectiveness of your Internet access policies. (Log Server, a Windows-only component, must be installed to enable all reporting features except Real-Time Monitor.)

Note

In organizations that use delegated administration, reporting features may not be available to all administrators. See Delegated Administration and Reporting, page 339.

Web Security Dashboard charts provide threat, risk, usage, and system information to help you review Internet activity in your network at a glance. For most charts, the time period, chart style, and set of results shown can be customized. See The Web Security Dashboard, page 33.

Presentation reports offer a list of predefined reports, custom reports, and report templates. Reports are available in bar chart, trend chart, and tabular formats. Copy any predefined report to apply your own filters to create a custom report, or use a report template to create your report from scratch. See Presentation reports, page 133, for complete details.

Investigative reports let you browse through log data interactively. The main page shows a summary-level bar chart of activity by risk class. Click the different elements on the page to update the chart or get a different view of the data. See Investigative reports, page 155, for details on the many ways you can view Internet use data.

Application reports provide information about the browsers and platforms from which Internet requests are originating, with a search item that lets you investigate activity associated with a specific user agent string. See Application reporting, page 178, for more information.

Real-Time Monitor shows current Internet activity in your network, including the URLs being requested and the action applied to each request. In Websense Web Security Gateway and Web Security Gateway Anywhere deployments, the monitor also shows which sites were scanned by Content Gateway. If a site is dynamically recategorized based on scanning results, both the original category and current category are shown. See Real-Time Monitor, page 184, for more information.

Important

Do not use Internet Explorer Compatibility View with the TRITON console. If you experience odd reporting behavior or page layouts in Internet Explorer, make sure that the Compatibility View button (between the URL and the Refresh button in the browser address bar) is not selected.

What is Internet browse time?

Related topics:

Database jobs, page 431

Configuring Internet browse time options, page 439

You can generate both presentation and investigative reports showing Internet browse time, the estimated amount of time a user spent accessing websites. No software program can tell the exact amount of time that someone spends viewing a site once it is open. One person might open a site, view it for a few seconds, and then take a business call before requesting another site. Someone else might spend several minutes reading a site in detail before moving to the next one.

A Log Database job (see Database jobs, page 431) calculates browse time based on configurable parameters. This job runs once a day, so browse time information can lag the actual log data.

For browse time calculations:

An Internet session begins when a user opens a browser and continues as long as that user requests additional websites at least every 3 minutes (by default).

If you want to change the read time threshold, see Configuring Internet browse time options, page 439.

The Internet session ends when more than 3 minutes pass before the user requests another site.

A new session begins if the user makes additional requests after more than 3 minutes. Commonly, a user’s browse time consists of multiple sessions each day.

The database job calculates the total time of each session, starting with the time of the first request and ending 3 minutes after the last request.
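The session rules above, worked through as an added example (not the Log Database job itself): requests are grouped into sessions with the 3-minute default threshold, and each session is counted from its first request to 3 minutes after its last. The log line layout, user names, and URLs are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CONSTRUCTED sample records: "<date> <time> <user> <url>". This layout is an
# assumption for the example, not the Log Database schema.
SAMPLE_LOG = """\
2014-03-04 09:00:00 alice http://example.com/
2014-03-04 09:04:30 alice http://example.com/c
2014-03-04 09:01:30 alice http://example.com/b
2014-03-04 09:10:00 alice http://example.org/
2014-03-04 14:00:00 bob http://example.net/
2014-03-04 09:11:00 alice http://example.org/next
"""

READ_TIME_THRESHOLD = timedelta(minutes=3)  # the default stated in the manual


def parse_log(text):
    """Return {user: [datetime, ...]} from the constructed log format."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, _url = line.split(maxsplit=3)
        stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        per_user[user].append(stamp)
    return dict(per_user)


def browse_sessions(request_times, threshold=READ_TIME_THRESHOLD):
    """Split one user's requests into sessions, returned as (start, end) pairs."""
    sessions = []  # each entry is [first_request, last_request]
    for moment in sorted(request_times):  # records may arrive out of order
        if sessions and moment - sessions[-1][1] <= threshold:
            sessions[-1][1] = moment  # next request came in time: same session
        else:
            sessions.append([moment, moment])  # gap exceeded: new session
    # A session runs from its first request to one threshold after its last.
    return [(first, last + threshold) for first, last in sessions]


def browse_time_by_user(log_text, threshold=READ_TIME_THRESHOLD):
    """Return {user: total browse time} summed over that user's sessions."""
    totals = {}
    for user, times in parse_log(log_text).items():
        sessions = browse_sessions(times, threshold)
        totals[user] = sum((end - start for start, end in sessions), timedelta())
    return totals


if __name__ == "__main__":
    for user, total in sorted(browse_time_by_user(SAMPLE_LOG).items()):
        print(user, total)
```

A single request still counts as one full threshold of browse time, which is one reason the figure is an estimate.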

Presentation reports

Related topics:

Creating a new presentation report, page 136

Working with Favorites, page 144

Running a presentation report, page 145

Scheduling presentation reports, page 146

Viewing the scheduled jobs list, page 151

Use the Reporting > Presentation Reports page to generate bar charts, trend charts, and tabular reports in HTML, PDF, or Microsoft Excel (XLS) format.

Available reports and templates are found in the Report Catalog, which organizes them into related report categories. Your subscription determines which report categories and predefined reports appear in the catalog. For example, report categories like Real Time Security Threats and Scanning Activity require a Websense Web Security Gateway or Gateway Anywhere subscription.

Expand a category to see the reports or templates that it includes.

Click a report title to see a brief description of the information included in the report.

Beginning with 7.8.4, presentation reports support IPv6 for source and destination IP addresses. Also, anywhere an IP address can be entered in a presentation reports feature, both IPv4 and IPv6 formats are accepted.

To run a presentation report:

1. Select the report in the catalog, and then click Run. The Run Report page appears.

2. Specify report details as explained in Running a presentation report, page 145.

If you run the report in the foreground (do not schedule the report to run), the report is not automatically saved when you close the application used to view the report (a Web browser, Adobe Reader, or Microsoft Excel, for example). You must save the report manually.

If you run the report in the background (schedule the report to run immediately), when the report completes, a copy is saved, and a link to the report appears on the Review Reports page.

To use any template, predefined report, or custom report in the Report Catalog as the basis for a new report:

1. Select a report or template name in the catalog.

If you select a report template:

A New Trend Report shows Internet activity trends over time.

A New Top N Report shows top levels of Internet activity with the characteristics you specify.

2. Click Save As.

3. Provide a name, title, and report category for the new file.

If you are using a report template, also define the report dimensions (i.e., what is measured and the unit of measurement).

For instructions, see Creating a new presentation report, page 136.

4. To refine the report, edit the report filter. The report filter controls elements such as which users, categories, protocols, and actions are to be included in your report.

For instructions, see Defining the report filter, page 137.

To make changes to the report filter for any custom report, select the report, and then click Edit. You cannot modify or delete predefined reports or report templates.

To delete a custom report, select the report, and then click Delete. If a deleted report appears in any scheduled jobs, it will continue to be generated with that job. See Viewing the scheduled jobs list, page 151, for information on editing and deleting scheduled jobs.

Reports that are used frequently can be marked as Favorites to help you find them more quickly. Just select the report, and then click Favorite (see Working with Favorites, page 144).

Mark Show Favorites only to display only templates that you have marked as favorites in the Report Catalog.

Use the buttons at the top of the page to schedule reports to run later, view scheduled report jobs, and view and manage reports created by the scheduler.

Click Scheduler to define a job containing one or more reports to be run at a specific time or on a repeating schedule. See Scheduling presentation reports, page 146.

Click Job Queue to see and manage a list of existing scheduled jobs, along with the status of each job. See Viewing the scheduled jobs list, page 151.

Click Review Reports to see and manage a list of reports that were successfully scheduled and run. See Reviewing scheduled presentation reports, page 153.

Creating a new presentation report

Related topics:

Presentation reports, page 133

Defining the report filter, page 137

Running a presentation report, page 145

Use the Save As New Report page to create:

An editable version of any predefined report.

A copy of an existing custom report, in order to apply different report filters.

A new report, based on a report template.

The options available on the page depend on which option you have selected.

If you are making a copy of a predefined or custom report:

1. Replace the Report name with a name that will make it easy to identify the new report. (The default name is the name of the original report template, with a number appended to indicate that this is a copy.)

The name must be from 1 to 85 characters, and cannot duplicate another report name.

2. Enter a Report title. This is the title that will appear at the top of the page when the report is generated.

3. Select a Report category. This determines how the report is grouped in the Report Catalog. The default is User-Defined Reports.

4. Do one of the following:

Click Save to save the new version of the report and return to the Report Catalog.

Click Save and Edit to edit the report filter for the new report (see Defining the report filter, page 137).

Click Cancel to abandon your changes and return to the Report Catalog.

If you are using a report template to create a new report:

1. Enter a unique Report name. This is the name that will appear in the Report Catalog.

The name must be from 1 to 85 characters, and cannot duplicate another report name.

2. Enter a Report title. This is the title that will appear at the top of the page when the report is generated.

3. Select a Report category. This determines how the report is grouped in the Report Catalog. The default is User-Defined Reports.

4. If you are creating a top N report, continue with step 5.

If you are creating a trend report, indicate the Time unit for the trend report’s X-axis. You can create a report showing trends by day (default), week, month, or year.

To ensure that the data you want appears in a trend report, make sure the first day of the first week, month, or year that you want to include is set as the first date in the range. (By default, the first day of the week is Sunday, but this may vary based on your Microsoft SQL Server configuration and locale.)

When user information is updated in the directory service, user group information may also change. This can affect weekly, monthly, and yearly group trend reports, because to be included in a group report, the user must be in the group at least one day before the start of the selected period.

For example, for a user’s activity to be included in a monthly group trend report for August 2012, the user must be in the group as of July 31, 2012. A user joining the group on August 23, 2012 (a Wednesday) would be included in daily trend reports starting on the following day, in weekly trend reports starting the following Saturday, Sunday, or Monday (depending on your Microsoft SQL Server configuration), and in monthly trend reports starting September 01, 2012.

5. Use the Internet activity per drop-down list to select the focal area of the report. You can show Internet activity per category (default), protocol, risk class, action (like permit or block), user, or group.

6. Use the Measure by drop-down list to select how the focal area is measured. You can measure by requests (default), bandwidth, or browse time.

7. Do one of the following:

Click Save to save the report and return to the Report Catalog. The new report is now listed in the report category that you selected in step 5.

Click Save and Edit to edit the report filter for the new report. The process of editing the report filter is the same as for any custom report (see Defining the report filter, page 137).

Click Cancel to abandon your changes and return to the Report Catalog.

Defining the report filter

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

- Creating a new presentation report
- Running a presentation report

Report filters let you control what information is included in a presentation report. For example, you might choose to limit a report to selected clients, categories, risk classes, or protocols, or even selected actions (like permit or block). You also can give the report a new name and description, change the report title, select a custom logo, and set other general options through the report filter.

Note

To use a custom logo, you must create the image in a supported format and place the file in the appropriate location before updating the report filter. See Customizing the report logo.

The options available in the filter vary:

- If you are editing a predefined report or a custom report based on a predefined report, the options available in the filter depend on the report selected.

  For instance, if you selected a report of group information, such as Top Blocked Groups by Requests, you can control which groups appear in the report but you cannot choose individual users.

- If you are editing a report created using the New Top N Report or New Trend Report template, all options are shown in the filter, even if they are not applicable in the custom report.

  Be careful to select only options relevant to your report.

The filter for predefined reports cannot be changed. You can edit the filter for a custom report when you create it by choosing Save and Edit on the Save As New Report page, or select the report in the Report Catalog at any time and click Edit.

The Edit Report Filter page opens, with separate tabs for managing different elements of the report. Select the items you want on each tab, then click Next to move to the next tab. For detailed instructions, see:

- Selecting clients for a report
- Selecting categories for a report
- Selecting protocols for a report
- Selecting actions for a report
- Setting report options

On the Confirm tab, choose whether to run or schedule the report, and save the report filter. See Confirming report filter definition.

Selecting clients for a report

Related topics:

- Selecting categories for a report
- Selecting protocols for a report
- Selecting actions for a report
- Setting report options
- Confirming report filter definition

The Clients tab of the Presentation Reports > Edit Report Filter page lets you control which clients are included in the report. You can select only one type of client for each report. For example, you cannot select a combination of users and groups for the same report.

When the report definition specifies a particular client type, you can choose clients of that type or clients that represent a larger grouping. For example, if you are defining a filter for a report based on Top Blocked Groups by Requests, you can select groups or domains (OUs) for the report, but you cannot select individual users.

No selections are required on this tab if you want to report on all relevant clients.

1. Select a client type from the drop-down list.

2. Set the maximum number of search results from the Limit search list.

   Depending on the traffic in your organization, there may be large numbers of users, groups, or domains (OUs) in the Log Database. This option manages the length of the results list, and the time required to display the search results.

3. Enter one or more characters for searching, and then click Search.

   Use asterisk (*) as a wildcard to signify missing characters. For example, J*n might return Jackson, Jan, Jason, Jon, John, and so forth.

   Define your search string carefully, to assure that all desired results are included within the number selected for limiting the search.

4. Highlight one or more entries in the results list, and click the right arrow button (>) to move them to the Selected list.

5. Repeat steps 2-4 as needed to conduct additional searches and add more clients to the Selected list.

6. After you are finished making selections, click Next to open the Categories tab. See Selecting categories for a report.

Selecting categories for a report

Related topics:

- Selecting clients for a report
- Selecting protocols for a report
- Selecting actions for a report
- Setting report options
- Confirming report filter definition

The Categories tab of the Presentation Reports > Edit Report Filter page lets you control the information included in the report on the basis of categories or risk classes. See Risk classes.

No selections are required on this tab if you want to report on all relevant categories or risk classes.

1. Select a classification: Category or Risk Class.

   Expand a parent category to display its subcategories. Expand a risk class to see a list of the categories currently assigned to that risk class.

   If the associated report is for a specific risk class, only the relevant risk class and the categories it represents are available for selection.

   Note

   If you select a subset of categories for the risk class named in the report, consider modifying the report title to reflect your selections.

2. Mark the check box for each category or risk class to be reported.

   Use the Select All and Clear All buttons below the list to minimize the number of individual selections required.

3. Click the right arrow button (>) to move your selections to the Selected list.

   When you mark a risk class, clicking the right arrow places all the associated categories into the Selected list.

4. After all selections are complete, click Next to open the Protocols tab. See Selecting protocols for a report.

Selecting protocols for a report

Related topics:

- Selecting clients for a report
- Selecting categories for a report
- Selecting actions for a report
- Setting report options
- Confirming report filter definition

The Protocols tab of the Presentation Reports > Report Filter lets you control which protocols are included in the report.

No selections are required on this tab if you want to report on all relevant protocols.

1. Expand and collapse the protocol groups with the icon beside the group name.

2. Mark the check box for each protocol to be reported.

   Use the Select All and Clear All buttons below the list to minimize the number of individual selections required.

3. Click the right arrow button (>) to move your selections to the Selected list.

4. After all selections are complete, click Next to open the Actions tab. See Selecting actions for a report.

Selecting actions for a report

Related topics:

- Selecting clients for a report
- Selecting categories for a report
- Selecting protocols for a report
- Setting report options
- Confirming report filter definition

The Actions tab of the Presentation Reports > Edit Report Filter page lets you control which precise actions (for example, permitted by limited access filter or blocked by quota) are included in the report. If the report specifies that it applies only to blocked requests, you can select only block-related actions (blocked by file type, blocked by keyword, and so on).

No selections are required on this tab if you want to report on all relevant actions.

1. Expand and collapse the action groups with the icon beside the group name.

2. Mark the check box for each action to be reported.

   Use the Select All and Clear All buttons below the list to minimize the number of individual selections required.

3. Click the right arrow button (>) to move your selections to the Selected list.

4. After all selections are complete, click Next to open the Options tab. See Setting report options.

Setting report options

Related topics:

- Customizing the report logo
- Selecting clients for a report
- Selecting categories for a report
- Selecting protocols for a report
- Selecting actions for a report
- Setting report options
- Confirming report filter definition

Use the Options tab of the Presentation Reports > Edit Report Filter page to configure several aspects of the report.

1. Optionally modify the Report catalog name. The name must contain from 1 to 85 characters.

   This name does not appear on the report itself; it is used only for identifying the unique combination of report format and filter in the Report Catalog.

2. Modify the Report title that appears on the report. The title can have up to 85 characters.

3. Modify the Description to appear in the Report Catalog. The description can have up to 336 characters.

   The description should help you identify this unique combination of report format and filter in the Report Catalog.

4. Select a logo to appear on the report.

   All supported image files in the appropriate directory are listed. See Customizing the report logo.

5. Mark the Save as Favorite check box to have the report listed as a Favorite.

   The Report Catalog shows a star symbol beside Favorite reports. You can select Show only Favorites on the Report Catalog page to reduce the number of reports listed, which enables you to move more quickly to a particular report.

6. Mark the Show only top check box and then enter a number from 1 to 20 to limit the number of items reported.

   This option appears only if the selected report is formatted as a Top N report, designed to show a limited number of items. The item that is limited depends on the report. For example, for a Top Categories Visited report, this entry determines how many categories are reported.

7. After all entries and selections are complete, click Next to open the Confirm tab. See Confirming report filter definition.

Customizing the report logo

By default, presentation reports display the Websense logo in the upper left corner. When you create a custom report and edit its report filter, you can choose a different logo.

1. Create an image file in one of the following formats:

   - .bmp
   - .gif
   - .jfif
   - .jpe
   - .jpg
   - .jpeg
   - .png
   - .ttf

2. Use a maximum of 25 characters for the image file name, including extension.

3. Copy the image file to the ReportTemplates\images\ directory. The default path is:

   C:\Program Files (x86)\Websense\Web Security\Manager\ReportTemplates\images

All supported image files in this directory automatically appear in the drop-down list on the Options tab of the Edit Report Filter page. The image is automatically scaled to fit within the space allocated for the logo. (See Setting report options.)

Note

Do not delete or move images that are active in report filters. If a logo file is missing, the report cannot be generated.

Confirming report filter definition

Related topics:

- Selecting clients for a report
- Selecting categories for a report
- Selecting protocols for a report
- Selecting actions for a report
- Setting report options

The Confirm tab of the Presentation Reports > Edit Report Filter page displays the name and description that will appear in the Report Catalog, and lets you choose how to proceed.

1. Review the Name and Description.

   If any changes are needed, click Back to return to the Options tab, where you can make those changes. (See Setting report options.)

2. Indicate how you want to proceed:

   | Option | Description |
   |---|---|
   | Save | Saves the report filter and returns to the Report Catalog. See Presentation reports. |
   | Save and Run | Saves the report filter and opens the Run Report page. See Running a presentation report. |
   | Save and Schedule | Saves the report filter and opens the Schedule Report page. See Scheduling presentation reports. |

3. Click Finish to implement the selection made in step 2.

Working with Favorites

Related topics:

- Presentation reports
- Running a presentation report
- Scheduling presentation reports

You can mark presentation reports as Favorites to identify the reports you generate most frequently and want to be able to locate quickly.

1. On the Presentation Reports page, highlight a report that you generate frequently, or want to be able to locate quickly.

2. Click Favorite.

   A star symbol appears beside Favorite report names in the list, letting you quickly identify them when all reports are shown.

3. Mark the Show only Favorites check box above the Report Catalog to limit the list to those marked as Favorites. Clear this check box to restore the full list of reports.

If your needs change and a Favorite report is no longer being used as frequently, simply select the report again and click Favorite to remove the star symbol.

Running a presentation report

Related topics:

- Presentation reports
- Scheduling presentation reports

Use the Presentation Reports > Run Report page to generate a single report immediately. You can also create jobs with one or more reports and schedule them to run once or on a repeating cycle (see Scheduling presentation reports).

To run a report:

1. Select the Start date and End date to define the time period covered in the report.

2. Select an Output format for the report.

   | Format | Description |
   |---|---|
   | PDF | Portable Document Format. PDF files are formatted for viewing, and can be opened in Adobe Reader. Viewing requires Adobe Reader 7.0 or later. |
   | HTML | HyperText Markup Language. HTML files are formatted for viewing, and can be opened in a browser. |
   | XLS | Excel spreadsheet. XLS files are formatted for reuse, and can be opened in Microsoft Excel. Viewing requires Microsoft Excel 2003 or later. |

3. If you selected a Top N report, choose the number of items to be reported.

4. Specify how you want the report to be generated:

   - Select Schedule the report to run in the background (default) to have the report run immediately as a scheduled job. Optionally provide an email address to be notified when the report is complete. You can also provide an email address to be notified if the report cannot be generated. (You can also monitor the job queue to see the status of the report.)

   - Deselect Schedule the report to run in the background to have the report run in the foreground. In this case, the report is not scheduled, and does not appear on the Review Reports page.

5. Click Run.

   - If you scheduled the report to run immediately, the completed report is saved automatically and added to the Review Reports list. To view, save, or delete the report, click Review Reports at the top of the Presentation Reports page.

   - If you ran the report in the foreground, the report will be displayed. HTML reports appear in the browser window when complete; with PDF or XLS formats, you have a choice of whether to open the report or save it to disk.

     If you selected HTML, click Presentation Reports to return to the Report Catalog. If you selected PDF or XLS, you can use the Run Reports window again to generate the same report.

     With this option, presentation reports does not automatically store a copy of the report. Use the save functionality built into the application used to open the report if you want to save a copy to view later.

6. To print a report, use the print option offered by the application used to display the report.

   For best results, generate PDF output and use the print options in Adobe Reader.

Scheduling presentation reports

Related topics:

- Presentation reports
- Running a presentation report
- Viewing the scheduled jobs list

You can run presentation reports as they are needed, or you can use the Presentation Reports > Scheduler page to create jobs that define a schedule for running one or more reports.

Reports generated by scheduled jobs are distributed to one or more recipients via email. As you create scheduled jobs, consider whether your email server will be able to handle the size and quantity of the attached report files.

The completed reports are also added to the Presentation Reports > Review Reports page (see Reviewing scheduled presentation reports).

To access the Scheduler:

- Click the Scheduler button at the top of the Presentation Reports page (above the Report Catalog).

- When editing a report filter, choose Save and schedule in the Confirm tab, and then click Finish (see Defining the report filter).

- Click the job name link on the Job Queue page to edit a job.

- Click Add on the Job Queue page to create a new job.

The Scheduler page contains several tabs for selecting the reports to run and the schedule for running them. For detailed instructions, see:

- Setting the schedule
- Selecting reports to schedule
- Setting the date range
- Selecting output options

After creating jobs, use the Job Queue to review job status and find other helpful information (see Viewing the scheduled jobs list).

When a scheduled presentation report has run, the report file is sent to recipients as an email attachment called presentationreport_0. The number increments, according to the number of reports attached.

Scheduled reports are also automatically saved to the ReportingOutput directory on the TRITON management server machine (C:\Program Files (x86)\Websense\Web Security\ReportingOutput, by default). Note that the name of the attachment sent via email does not match the name of the file stored in the ReportingOutput directory. The best way to find a specific report is to use the Review Reports page, which can be searched by date or job name, as well as report name.

Reports are automatically deleted from the Review Reports page and the ReportingOutput directory after the period specified on the Settings > Reporting > Preferences page (5 days, by default). If you want to retain the reports for a longer time, include them in your backup routine or save them in a location that permits long term storage.

An alert is displayed on the Review Reports page for a period of time before the report is deleted (3 days, by default). Use the Settings > Reporting > Preferences page to change this warning period.

Depending on the number of reports you generate daily, report files can occupy considerable amounts of disk space. Be sure there is adequate disk space available on the TRITON management server machine. If the ReportingOutput directory grows too large before the files are automatically deleted, you can delete the files manually.

The report is generated in the format you choose: PDF (Adobe Reader 7.0 or later), XLS (Microsoft Excel 2003 or later), or HTML. If you choose HTML format, the report may display in the Web Security manager content pane. Reports displayed in the content pane cannot be printed or saved to a file. To print or save a report to file, choose the PDF or XLS output format.

Setting the schedule

Related topics:

- Scheduling presentation reports
- Selecting reports to schedule
- Selecting output options
- Setting the date range

Define a reporting job to occur once or on a repeating cycle on the Schedule tab of the Presentation Reports > Scheduler page.

Note

It is advisable to schedule report jobs on different days or at different times, to avoid overloading the Log Database and slowing performance for logging and interactive reporting.

1. Enter a Job name that uniquely identifies this scheduled job.

2. Select a Recurrence Pattern and Recurrence Options for the job. The specific options available depend on the pattern selected.

   | Pattern | Options |
   |---|---|
   | Once | Enter the exact date on which to run the job, or click the icon to select from a calendar. |
   | Daily | No additional recurrence options are available. |
   | Weekly | Mark the check box for each day of the week the job is to run. |
   | Monthly | Enter the dates during the month for running the job. Dates must be a number between 1 and 31, and must be separated by commas (1,10,20). To run the job on consecutive dates each month, enter a start and end date separated by a hyphen (3-5). |

3. Under Schedule Time, set the start time for running the job.

   The job begins according to the time on the TRITON management server.

   Note

   To start generating the scheduled reports today, select a time late enough that you can complete the job definition before the start time.

4. Under Schedule Period, select a date for starting the job, and an option for ending the job.

   | Option | Description |
   |---|---|
   | No end date | The job continues to run according to the established schedule, indefinitely. To discontinue the job at some time in the future, either edit or delete the job. See Viewing the scheduled jobs list. |
   | End after | Select the number of times to run the job. After that number of occurrences, the job does not run again, but it stays in the Job Queue until you delete it. See Viewing the scheduled jobs list. |
   | End by | Set the date when the job stops running. It does not run on or after this date. |

5. Click Next to open the Reports tab. See Selecting reports to schedule.

Selecting reports to schedule

Related topics:

- Scheduling presentation reports
- Setting the schedule
- Selecting output options
- Setting the date range

Use the Select Report tab of the Presentation Reports > Scheduler page to choose reports for the job.

1. Highlight a report for this job in the Report Catalog tree.

2. Click the right arrow (>) button to move that report to the Selected list.

3. Repeat steps 1 and 2 until all reports for this job appear in the Selected list.

4. Click Next to open the Date Range tab. See Setting the date range.

Setting the date range

Related topics:

- Scheduling presentation reports
- Setting the schedule
- Selecting reports to schedule
- Selecting output options

Use the Date Range tab of the Presentation Reports > Scheduler page to set the date range for the job. The options available depend on your selection for Date range.

| Date range | Description |
|---|---|
| All Dates | Reports include all dates available in the Log Database. No additional entries are required. When this option is used for repeating jobs, there may be duplicate information on reports in separate runs. |
| Specific Dates | Choose the exact start (From) and end (To) dates for the reports in this job. This option is ideal for jobs that run only one time. Choosing this option for a repeating schedule results in duplicate reports. |
| Relative Dates | Use the drop-down lists to choose the number of periods to report (This, Last, Last 2, and so forth), and the type of period (Days, Weeks, or Months). For example, the job might cover the Last 2 Weeks or This Month. Week represents a calendar week, Sunday through Saturday. Month represents a calendar month. For example, This Week produces a report from Sunday through today; This Month produces a report from the first of the month through today; Last Week produces a report for the preceding Sunday through Saturday; and so forth. This option is ideal for jobs that run on a repeating schedule. It lets you manage how much data appears on each report, and minimize duplication of data on reports in separate runs. |

After setting the date range for the job, click Next to display the Output tab. See Selecting output options.
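The Relative Dates windows described above, worked through as an added Python example (not part of the Websense documentation or product code). The This Week, This Month and Last Week boundaries follow the table; treating "Last N" as the N complete periods before the current one, the handling of Days, and the sample run dates are assumptions made for illustration. The second function counts days that consecutive runs of a recurring job would report twice or not at all.

```python
from datetime import date, timedelta


def week_start(d):
    """Sunday that opens the calendar week (Sunday through Saturday) containing d."""
    # date.weekday() is Monday=0 ... Sunday=6, so days since Sunday is (weekday + 1) % 7.
    return d - timedelta(days=(d.weekday() + 1) % 7)


def month_start(d, back=0):
    """First day of the calendar month `back` months before the month containing d."""
    idx = d.year * 12 + (d.month - 1) - back
    return date(idx // 12, idx % 12 + 1, 1)


def relative_range(count, period, today):
    """Return the inclusive (first_day, last_day) window for a relative date range.

    count  -- 0 for "This", n >= 1 for "Last n" (assumed: the n complete periods
              that precede the current one)
    period -- "Days", "Weeks" or "Months"
    today  -- the date on which the job runs
    """
    if count < 0:
        raise ValueError("count must be 0 (This) or a positive number (Last n)")
    if period == "Days":
        if count == 0:
            return today, today
        return today - timedelta(days=count), today - timedelta(days=1)
    if period == "Weeks":
        current = week_start(today)
        if count == 0:
            return current, today
        return current - timedelta(weeks=count), current - timedelta(days=1)
    if period == "Months":
        current = month_start(today)
        if count == 0:
            return current, today
        return month_start(today, count), current - timedelta(days=1)
    raise ValueError("period must be Days, Weeks or Months")


def overlap_and_gap(run_dates, count, period):
    """Compare the windows of consecutive runs of one recurring job.

    Returns (duplicated_days, missing_days): days that appear in two successive
    reports, and days that fall between two successive reports and appear in neither.
    """
    windows = [relative_range(count, period, d) for d in sorted(run_dates)]
    duplicated = missing = 0
    for (_, end1), (start2, end2) in zip(windows, windows[1:]):
        between = (start2 - end1).days - 1
        if between > 0:
            missing += between
        elif between < 0:
            duplicated += (min(end1, end2) - start2).days + 1
    return duplicated, missing


# Constructed sample data: a job run on Wednesday 2014-03-12, and a weekly
# job that runs on three consecutive Mondays.
SAMPLE_TODAY = date(2014, 3, 12)
MONDAY_RUNS = [date(2014, 3, 3), date(2014, 3, 10), date(2014, 3, 17)]

if __name__ == "__main__":
    for label, count in (("This Week", 0), ("Last Week", 1), ("Last 2 Weeks", 2)):
        first, last = relative_range(count, "Weeks", SAMPLE_TODAY)
        duplicated, missing = overlap_and_gap(MONDAY_RUNS, count, "Weeks")
        print(f"{label:13} {first} to {last}  "
              f"weekly Monday job: {duplicated} duplicated, {missing} missing days")
```

For a weekly job, only a range whose length matches the recurrence (Last Week) gives reports that neither repeat nor skip days; This Week on a Monday run covers only Sunday and Monday.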


Selecting output options

Related topics:

- Scheduling presentation reports
- Setting the schedule
- Selecting reports to schedule
- Setting the date range

After you select the reports for a job, use the Output tab to select the output format and distribution options.

1. Select the file format for the finished report.

   | Format | Description |
   |---|---|
   | PDF | Portable Document Format. Recipients must have Adobe Reader v7.0 or later to view the PDF reports. |
   | XLS | Excel Spreadsheet. Recipients must have Microsoft Excel 2003 or later to view the XLS reports. |

2. Enter email addresses for distributing the report.

   Enter each address on a separate line.

3. Mark the Customize subject and body of email check box, if desired. Then, enter the custom Subject and Body text for this job’s distribution email.

4. Click Save Job to save and implement the job definition, and display the Job Queue page.

5. Review this job and any other scheduled jobs. See Viewing the scheduled jobs list.

Viewing the scheduled jobs list

Related topics:

- Presentation reports
- Scheduling presentation reports
- Selecting output options
- Scheduling investigative reports

The Presentation Reports > Job Queue page lists the scheduled jobs created for presentation reports. The list gives status for each job, as well as basic information about the job, such as how frequently it runs. From this page, you can add and delete scheduled jobs, temporarily suspend a job, and more.

(To review scheduled jobs for investigative reports, see Managing scheduled investigative reports jobs.)

The list provides the following information for each job.

| Column | Description |
|---|---|
| Job Name | The name assigned when the job was created. |
| Status | Indicates whether the job is: running; scheduled (waiting for the next scheduled run time); completed successfully; failed; misfired (did not run at the last scheduled time due to a problem such as low memory or server shutdown). |
| State | One of the following: ENABLED indicates a job that runs according to the established recurrence pattern. DISABLED indicates a job that is inactive, and does not run. |
| Recurrence | The recurrence pattern (Once, Daily, Weekly, Monthly) set for this job. |
| History | Click the Details link to open the Job History page for the selected job. See Viewing job history. |
| Next Scheduled | Date and time for the next run. |
| Owner | The user name of the administrator who scheduled the job. |

Use the options on the page to manage the jobs. Some of the buttons require that you first mark the check box beside the name of each job to be included.

| Option | Description |
|---|---|
| Job name link | Opens the Scheduler page, where you can edit the job definition. See Scheduling presentation reports. |
| Add Job | Opens the Scheduler page where you can define a new job. See Scheduling presentation reports. |
| Delete | Deletes from the Job Queue all jobs that have been checked in the list. After a job has been deleted, it cannot be restored. To temporarily stop running a particular job, use the Disable button. |
| Run Now | Starts running the jobs that have been checked in the list immediately. This is in addition to the regularly scheduled runs. |
| Enable | Reactivates disabled jobs that have been checked in the list. The job begins running according to the established schedule. |
| Disable | Discontinues running of enabled jobs that are checked in the list. Use this to temporarily suspend the job that you may want to restore in the future. |

Viewing job history

Related topics:

- Scheduling presentation reports
- Viewing the scheduled jobs list

Use the Presentation Reports > Job Queue > Job History page to view information about recent attempts to run the selected job. The page lists each report separately, providing the following information.

| Column | Description |
|---|---|
| Report Name | Title printed on the report. |
| Start Date | Date and time the report started running. |
| End Date | Date and time the report was complete. |
| Status | Indicator of whether the report succeeded or failed. |
| Message | Relevant information about the job, such as whether the report was emailed successfully. |

Reviewing scheduled presentation reports

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Presentation reports

, page 133

Running a presentation report

, page 145

Scheduling presentation reports

, page 146

Use the Presentation Reports > Review Reports page to find, access, and delete scheduled reports. By default, reports are listed from oldest to newest.

To view any report in the list, click the report name.

Web Security Help

153

Use Reports to Evaluate Internet Activity

If the report is a single PDF or XLS file, you may be given the option to save or open the report. This depends on your browser security settings and the plug-ins installed on your machine.

If the report is very large, it may have been saved as multiple PDF or XLS files and stored in a ZIP file. The file is compressed using ZIP format regardless of whether the report was created on a Windows or Linux machine. Save the ZIP file, then extract the PDF or XLS files it contains to view the report content.

Hover the mouse pointer over the report icon next to the report name to see if the report is one or multiple files.

To limit the list to reports that will be deleted soon, mark the Show only reports due to be purged check box. The length of time that reports are stored is configured on the Settings > Reporting > Preferences page (see Configuring reporting preferences, page 421).

To search the report list, first select an entry from the Filter by drop-down list, and then enter all or part of a name or date. You can search by:

The report or job name

The name of the administrator that scheduled the report (Requestor)

The date the report was created (Creation Date)

The date the report is due to be deleted (Purge Date)

Enter your search term, and then click Go. The search is case-sensitive.

Click Clear to remove the current search term, and then either perform a different search or click Refresh to display the complete list of reports.

If a recently completed report does not appear on the Review Reports page, you can also click Refresh to update the page with the latest data.

To delete a report, click the X to the right of the report file size.

To see the status of a scheduled report job, click Job Queue at the top of the page. See Viewing the scheduled jobs list, page 151, for more information about using the job queue.

To schedule a new report job, click Scheduler (see Scheduling presentation reports, page 146).

Investigative reports

Related topics:

Summary reports, page 157

Multi-level summary reports, page 162

Flexible detail reports, page 163

User Activity Detail reports, page 167

Standard reports, page 170

Favorite investigative reports, page 171

Scheduling investigative reports, page 172

Outliers reports, page 175

Output options for investigative reports, page 176

Database connection and report defaults, page 446

Use the Reporting > Investigative Reports page to analyze Internet activity in an interactive way.

Initially, the main Investigative Reports page shows a summary report of activity by risk class (see Risk classes, page 55).

Work in the summary report view by clicking the available links and elements to explore areas of interest and gain general insight into your organization’s Internet usage (see Summary reports, page 157).

Multi-level summary reports (see Multi-level summary reports, page 162) and flexible detail reports (see Flexible detail reports, page 163) let you analyze the information from different perspectives.

Other report views and investigative reports features can be accessed from links at the top of the page. See the table below for a list of links and the features they access. (Not all links are available on all pages.)

Option: Action
User by Day/Month: Displays a dialog box that lets you define a report of a specific user’s activity, covering either a day or a month. For more information, see User Activity Detail reports, page 167.
Standard Reports: Displays a list of predefined reports so you can quickly see a specific combination of data. See Standard reports, page 170.
Favorite Reports: Lets you save the current report as a Favorite, and displays a list of existing Favorites that you can generate or schedule. See Favorite investigative reports, page 171.
Job Queue: Displays the list of scheduled investigative reports jobs. See Scheduling investigative reports, page 172.
Outliers: Displays reports showing Internet usage that is significantly different from average. See Outliers reports, page 175.
Options: Displays the page for selecting a different Log Database for reporting. The Options page also lets you customize certain reporting features, such as the time period initially shown on summary reports and the default columns for detail reports. See Database connection and report defaults, page 446.

Click this button, at the right of the Search fields, to export the current report to a spreadsheet file compatible with Microsoft Excel 2003 or later. You are prompted to either open or save the file. See Output options for investigative reports, page 176.

Click this button, at the right of the Search fields, to export the current report to a PDF file compatible with Adobe Reader v7.0 or later. You are prompted to either open or save the file. See Output options for investigative reports, page 176.

Beginning with 7.8.4, investigative reports support IPv6 for source and destination IP addresses. Also, anywhere an IP address can be entered in an investigative reports feature, both IPv4 and IPv6 formats are accepted.

Keep in mind that reporting is limited to the information that has been recorded in the Log Database.

If you disable logging for user names, IP addresses, or selected categories (see Configuring how requests are logged, page 422), that information cannot be included.

Similarly, if you disable logging for certain protocols (see Editing a protocol filter, page 65), requests for those protocols are not available.

If you want reports to show both the domain name (www.domain.com) and the path to a particular page in the domain (/products/productA) you must log full URLs (see Configuring how URLs are logged, page 438).

If your directory service does not include the first and last name of the user, reports cannot display user name information.

Investigative reports are limited by the processor and available memory of the TRITON management server, as well as some network resources. Some large reports may take a very long time to generate. The progress message includes an option to save the report as a Favorite so you can schedule it to run at another time. See Scheduling investigative reports, page 172.

Summary reports

Related topics:

Multi-level summary reports, page 162

Flexible detail reports, page 163

User Activity Detail reports, page 167

Standard reports, page 170

Favorite investigative reports, page 171

Scheduling investigative reports, page 172

Outliers reports, page 175

Output options for investigative reports, page 176

Initially, the investigative reports page gives a summary report of usage for all users by risk class, showing the current day’s activity from the Log Database. The measurement for this initial bar chart is Hits (number of times the site was requested).

To configure the time period for this initial summary report, see Database connection and report defaults, page 446.

Use the links and options on the page to quickly change the information reported, or drill down into the report details.

1. Customize the way that results are quantified by selecting one of the following options from the Measure list.

Option: Description
Hits: The number of times the URL was requested. Depending on how Log Server is configured, this may be true hits, which logs a separate record for each separate element of a requested site, or it may be visits, which combines the different elements of the site into a single log record.
Bandwidth [KB]: The amount of data, in kilobytes, contained in both the initial request from the user and the response from the website. This is the combined total of the Sent and Received values. Keep in mind that some integration products do not send bandwidth data to Filtering Service. If your integration does not send this information, and Network Agent is installed, enable Log HTTP requests to enable bandwidth-based reporting. See Configuring NIC settings, page 456.
Sent [KB]: The number of kilobytes sent as the Internet request. This represents the amount of data transmitted, which may be a simple request for a URL, or may be more significant (for example, if the user is registering for a website).
Received [KB]: The number of kilobytes of data received in response to the request, including all text, graphics, and scripts on the page. For sites that are blocked, the number of kilobytes varies according to the software creating the log record. When Network Agent logs the records, the number of bytes received for a blocked site represents the size of the Websense block page. If the log record is created by Websense Security Gateway, as a result of scanning, the kilobytes received represents the size of the page scanned. See Content Gateway Analysis, page 189, for more information on scanning. If another integration product creates the log records, the kilobytes received for a blocked site may be zero (0), may represent the size of the block page, or may be a value obtained from the requested site.
Browse Time: An estimate of the amount of time spent viewing the site. See What is Internet browse time?, page 132.

2. Change the primary grouping of the report by selecting an option from the Internet Use by list above the report.

Options vary according to the contents of the Log Database and certain network considerations. For example, if there is only one group or domain in the Log Database, Groups and Domains do not appear in this list. Similarly, if there are too many users (more than 5,000) or groups (more than 3,000), those options do not appear. (Some of these limits can be configured. See Display and output options, page 448.)

3. Click a name in the left column (or the arrow beside the name) to display a list of options, such as by user, by domain, or by action.

The options listed are similar to those listed under Internet Use by, customized to be a meaningful subset of the content currently displayed.

Note

Sometimes an option, such as User or Group, appears in red lettering. In this case, selecting that option may produce a very large report that may be slow to generate. Consider drilling down further into the details before selecting that option.

4. Select one of those options to generate a new summary report showing the selected information for the associated entry.

For example, on a Risk Class summary report, clicking by User under the Legal Liability risk class generates a report of each user’s activity in the Legal Liability risk class.

5. Click a new entry in the left column, and then select an option to see more detail about that particular item.

6. Use the arrows beside a column heading to change the report’s sort order.

7. Control the summary report with the following options above the chart. Then, delve into related details by clicking the elements of the new report.

Option: Action
Report path (User > Day): Beside the Internet use by list is a path showing the selections that created the current report. Click any link in the path to return to that view of the data.
View: Select a period for the report: One Day, One Week, One Month, or All. The report updates to show data for the selected period. Use the adjacent arrow buttons to move through the available data, one period (day, week, month) at a time. As you change this selection, the View from fields update to reflect the time period being viewed. The View field displays Custom, instead of a time period, if you choose a specific date in the View from fields or through the Favorites dialog box.
View from... to...: The dates in these fields update automatically to reflect the time period being viewed when you make changes in the View field. Alternatively, enter exact start and end dates for the reports, or click the calendar icon to select the desired dates. Click the adjacent right arrow button to update the report after selecting dates.
Pie Chart / Bar Chart: When the bar chart is active, click Pie Chart to display the current summary report as a pie chart. Click the slice label to display the same options that are available when you click an entry in the left column of the bar chart. When the pie chart is active, click Bar Chart to display the current summary report as a bar chart.
Full Screen: Select this option to display the current investigative report in a separate window, without the left and right navigation panes.
Anonymous / Names: Click Anonymous to have reports display an internally-assigned user identification number wherever a user name would have appeared. When names are hidden, click Names to return to showing user names. Under some circumstances, user names cannot be displayed. For more information, see Configuring how requests are logged, page 422. For more information about hiding user-identifying information, see Anonymizing investigative reports, page 161.
Search for: Select a report element from the list, then enter all or part of a value for the search in the adjacent text box. Click the adjacent arrow button to start the search and display results. Entering a partial IP address, such as 10.5., searches for all subnets, 10.5.0.0 through 10.5.255.255 in this example. See Using search to generate a summary report, page 160, for more details.

8. Add a subset of information for all or selected entries in the left column by creating a multi-level summary report. See Multi-level summary reports, page 162.

9. Create a tabular report for a specific item in the left column by clicking the adjacent number or measurement bar. This detailed report can be modified to meet your specific needs. See Flexible detail reports, page 163.

Using search to generate a summary report

Use the Search for box on the main Investigative Reports page to quickly find information about Internet traffic or client activity of interest.

First, select a report element from the list, then enter all or part of the string that you want to report on.

The elements available for search are:

The URL Hostname of the requested website

A Group defined in your directory service

A User defined in your directory service

If you select User, but enter an IP address, you will get results only for requests from the selected IP address for which no user was identified.

The Source IP address of the computer from which a request originated

The Destination IP address of the requested website

The Port used for the request

A Source IP Range from which requests originated

Multiple Source IP Ranges from which requests originated, in a comma-separated list

When you enter multiple IP address ranges, you can also specify individual IP addresses or sub-ranges to exclude from the search, by preceding the IP address or range with an exclamation point (bang) character. For example:

10.21.1.1-10.21.1.10,10.22.55.1-10.22.55.50,!10.22.55.5
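The range list above and the partial-address search described earlier (10.5.) can be reproduced offline to pre-filter exported log rows before building a report. The following is an added example, not Websense code: the function names and sample rows are constructed, range endpoints are assumed to be inclusive, and IPv6 is handled because the page says both formats are accepted from 7.8.4.

```python
import ipaddress


def _parse_span(text):
    """Parse 'first-last' or a single address into an inclusive (first, last) pair."""
    first_text, dash, last_text = text.partition("-")
    first = ipaddress.ip_address(first_text.strip())
    last = ipaddress.ip_address(last_text.strip()) if dash else first
    if first.version != last.version:
        raise ValueError(f"mixed IPv4/IPv6 range: {text!r}")
    if first > last:
        raise ValueError(f"range start is above range end: {text!r}")
    return first, last


def parse_range_expression(expression):
    """Split a comma-separated list into included spans and '!'-prefixed exclusions."""
    include, exclude = [], []
    for item in expression.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("!"):
            exclude.append(_parse_span(item[1:]))
        else:
            include.append(_parse_span(item))
    if not include:
        raise ValueError("expression contains no range to include")
    return include, exclude


def _covered(address, spans):
    # Compare only within one IP version; IPv4 and IPv6 objects cannot be ordered.
    return any(lo.version == address.version and lo <= address <= hi
               for lo, hi in spans)


def matches(expression, source_ip):
    """True when source_ip is inside an included span and not excluded."""
    include, exclude = parse_range_expression(expression)
    address = ipaddress.ip_address(source_ip)
    return _covered(address, include) and not _covered(address, exclude)


def partial_ipv4_bounds(prefix):
    """Bounds for a partial IPv4 address written with a trailing dot, e.g. '10.5.'."""
    if not prefix.endswith("."):
        raise ValueError("only the trailing-dot form shown on the page is handled")
    octets = prefix[:-1].split(".")
    if not 1 <= len(octets) <= 3:
        raise ValueError("expected one to three leading octets")
    if any(not octet.isdigit() or int(octet) > 255 for octet in octets):
        raise ValueError(f"invalid octet in {prefix!r}")
    pad = 4 - len(octets)
    low = ipaddress.IPv4Address(".".join(octets + ["0"] * pad))
    high = ipaddress.IPv4Address(".".join(octets + ["255"] * pad))
    return low, high


def filter_rows(rows, expression):
    """Keep the log rows whose 'source_ip' field matches the expression."""
    include, exclude = parse_range_expression(expression)
    kept = []
    for row in rows:
        address = ipaddress.ip_address(row["source_ip"])
        if _covered(address, include) and not _covered(address, exclude):
            kept.append(row)
    return kept


# Constructed sample rows (not product output).
SAMPLE_ROWS = [
    {"source_ip": "10.21.1.4", "hostname": "example.com"},
    {"source_ip": "10.22.55.5", "hostname": "example.org"},
    {"source_ip": "10.22.55.6", "hostname": "example.net"},
    {"source_ip": "10.30.0.1", "hostname": "example.com"},
]
# The expression given on this page.
PAGE_EXPRESSION = "10.21.1.1-10.21.1.10,10.22.55.1-10.22.55.50,!10.22.55.5"

if __name__ == "__main__":
    for row in filter_rows(SAMPLE_ROWS, PAGE_EXPRESSION):
        print(row["source_ip"], row["hostname"])
    print(partial_ipv4_bounds("10.5."))
```
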

Anonymizing investigative reports

If you want to prevent identifying information from appearing in investigative reports, you have several options.

The most absolute method is to prevent the logging of user names, source IP addresses, and hostnames. In this case, no user-identifying information is recorded in the Log Database, making it impossible for investigative or presentation reports to include the information. See Configuring how requests are logged, page 422, for instructions.

If some administrators need access to reports that include user information, but other administrators should never see user information, use delegated administration roles to control reporting access. You can configure roles to grant access to investigative reports, but hide user names in reports. See Delegated Administration and Reporting, page 339, for details.

If you sometimes need to generate reports that contain user information, but sometimes need to generate anonymous reports, use the Anonymous option at the top of the Investigative Reports page to hide user names and, optionally, source IP addresses temporarily. See The Anonymous option, page 161, for details.

The Anonymous option

By default, clicking Anonymous hides only user names, continuing to show source IP addresses in reports. You can configure investigative reports to instead hide both user names and source IP addresses when Anonymous is selected:

1. On the TRITON management server, open the wse.ini file in a text editor. (By default, this file is located in C:\Program Files (x86)\Websense\Web Security\webroot\Explorer.)

2. Add the following line under the [explorer] heading:

encryptIP=1

3. Save and close the file.

Now, any time you click Anonymous, all user-identifying information is hidden.
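The edit in steps 1 through 3 can be verified or applied to the file text with a short script, shown here as an added example rather than vendor tooling. The function names and the sample file content are constructed, the placeholder keys are not real wse.ini settings, and matching the heading and key exactly as the page spells them is an assumption.

```python
SECTION = "[explorer]"  # heading named on the page
KEY = "encryptIP"       # setting named on the page


def _explorer_bounds(lines):
    """Return (heading_index, end_index) of the [explorer] section, or None."""
    start = None
    for index, line in enumerate(lines):
        text = line.strip()
        if text.startswith("[") and text.endswith("]"):
            if start is not None:
                return start, index  # next heading closes the section
            if text == SECTION:
                start = index
    return (start, len(lines)) if start is not None else None


def _is_key_line(line):
    # A commented-out or differently named line does not count as the setting.
    name, equals, _ = line.partition("=")
    return bool(equals) and name.strip() == KEY


def anonymous_hides_ip(ini_text):
    """True when encryptIP=1 is set inside the [explorer] section."""
    lines = ini_text.splitlines()
    bounds = _explorer_bounds(lines)
    if bounds is None:
        return False
    start, end = bounds
    values = [line.partition("=")[2].strip()
              for line in lines[start + 1:end] if _is_key_line(line)]
    return bool(values) and all(value == "1" for value in values)


def enable_encrypt_ip(ini_text):
    """Return the file text with encryptIP=1 under [explorer], other lines untouched."""
    newline = "\r\n" if "\r\n" in ini_text else "\n"
    lines = ini_text.splitlines()
    bounds = _explorer_bounds(lines)
    if bounds is None:
        raise ValueError("no [explorer] heading found; the procedure expects one")
    start, end = bounds
    found = False
    for index in range(start + 1, end):
        if _is_key_line(lines[index]):
            lines[index] = f"{KEY}=1"
            found = True
    if not found:
        # Step 2: add the line directly under the heading.
        lines.insert(start + 1, f"{KEY}=1")
    trailing = newline if ini_text.endswith(("\n", "\r")) else ""
    return newline.join(lines) + trailing


# Constructed sample content; the placeholder keys are not real settings.
SAMPLE_WSE_INI = (
    "[placeholderSection]\r\n"
    "placeholderKey=abc\r\n"
    "[explorer]\r\n"
    "anotherPlaceholder=xyz\r\n"
    "[laterSection]\r\n"
    "encryptIP=0\r\n"
)

if __name__ == "__main__":
    print("before:", anonymous_hides_ip(SAMPLE_WSE_INI))
    print("after: ", anonymous_hides_ip(enable_encrypt_ip(SAMPLE_WSE_INI)))
```
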

When you click Anonymous, and then move to a different view of the data, such as detail view or outliers, user names remain hidden in the new report. However, to return to the summary view with the names hidden, you must use the links at the top of the report, not the breadcrumbs in the banner.

Multi-level summary reports

Related topics:

Investigative reports, page 155

Summary reports, page 157

Flexible detail reports, page 163

User Activity Detail reports, page 167

Standard reports, page 170

Favorite investigative reports, page 171

Scheduling investigative reports, page 172

Outliers reports, page 175

Output options for investigative reports, page 176

Multi-level summary reports show a second level of information to supplement the primary information displayed. For example, if the primary display shows risk classes, you can define a second level to learn which categories have been requested most within each risk class. As another example, if the primary report shows requests for each category, you might show the top 5 categories and the 10 users who made the most requests to each.

Use the settings immediately above the summary report to create a multi-level summary report.

1. In the Select top list, choose a number to designate how many primary entries (left column) to report. The resulting report includes the primary entries with the largest values. (This shows the earliest dates if Day is the primary entry.)

Alternatively, mark the check box beside the desired individual entries in the left column to report only those entries. The Select top field displays Custom.

2. From the by list, choose the secondary information to report.

3. In the Display field, choose the number of secondary results to report for each primary entry.

4. Click Display Results to generate the multi-level summary report.

The summary report updates to show only the selected number of primary entries. Below the bar for each primary entry, a list of secondary entries appears.

5. Use the arrows beside a column heading to change the report’s sort order.

To return to a single-level summary report, select a different option under Internet Use by. Alternatively, click one of the primary or secondary entries, and select an option to generate a new investigative report of that information.

Flexible detail reports

Related topics:

Investigative reports, page 155

Summary reports, page 157

Multi-level summary reports, page 162

Favorite investigative reports, page 171

Scheduling investigative reports, page 172

Outliers reports, page 175

Output options for investigative reports, page 176

Database connection and report defaults, page 446

Columns for flexible detail reports, page 165

Detail reports give you a tabular view of the information in the Log Database. Access the detail report view from the main page after viewing a summary report for which you want more detail.

You can request a detail view from any row. However, when requesting a detail report based on hits, it is best to start from a row that shows fewer than 100,000 hits. If there are more than 100,000 hits for a particular row, the hits value displays in red to alert you that a detail report may be slow to generate.

Detail report view is considered flexible because it lets you design your own report. You can add or delete columns of information, and change the order of the columns displayed. The information is sorted according to the order of the columns. You can even reverse the sort order within any column from ascending to descending, or vice versa.

Websense investigative reports are limited by the processor and available memory of the TRITON management server, as well as some network resources. Requests for large reports may time out. When you request a large report, you are given options for generating the report without timeouts.

Important

In any drop-down or values list, some options may appear in red. The red lettering indicates that selecting this option may result in a very large report. It is generally more effective to drill down further into the details before selecting that option.

1. Generate a summary report or multi-level report on the investigative reports main page. (See Summary reports, page 157, or Multi-level summary reports, page 162.)

2. Drill down into the results to focus on the information of immediate interest.

When generating a report on hits, it is best to drill down to an entry that shows fewer than 100,000 hits before opening the detail report view.

3. Click the number or the bar on the row that you want to explore in more detail. To include multiple rows in one report, mark the check box for each row before clicking the number or bar on one row.

A popup message shows progress while the detail report loads.

Note

If the report takes a long time to generate, consider saving it as a Favorite report by clicking the link in the Loading message, and scheduling it to run later. See Favorite investigative reports, page 171.

4. Review the information in the initial report.

The default columns vary, depending on whether you are reporting on hits, bandwidth, or browse time, and on the selections made on the Options page. (See Database connection and report defaults, page 446.)

5. Click Modify Report at the top of the page.

The Current Report list in the Modify Report dialog box shows which columns appear in the current detail report.

6. Select a column name in the Available Columns or Current Report list, and click the right arrow (>) or left arrow (<) buttons to move that column to the other list.

Choose a maximum of 7 columns for the report. The column showing the measure (hits, bandwidth, browse time) from the initial summary report always appears as the right-most column. It does not appear as a choice when modifying the report.

See Columns for flexible detail reports, page 165, for a list of the columns available, and a description of each.

7. Select a column name in the Current Report list and use the up and down arrow buttons to change the order of the columns.

The column at the top of the Current Report list becomes the left column in the report.

8. Click the Summary or Detail link above the report to toggle between the two displays.

Option: Description
Summary: You must remove the Time column to display a summary report. Summary reports group into a single entry all records that share a common element. The specific element varies, according to the information reported. Typically, the rightmost column before the measure shows the summarized element.
Detail: The Detail option displays every record as a separate row. The Time column can be displayed.

9. Click Submit to generate the report you defined.

10. Use the following options to modify the displayed report.

Use the View options above the report to change the time period reported.

Click the up or down arrow in a column heading to reverse the sort order for that column, and the associated data.

Use the Next and Prev links above and below the report to display additional pages of the report, if any. By default, each page contains 100 rows, which can be adjusted to fit your needs. See Display and output options, page 448.

Click the URL to open the requested website in a new window.

11. Click Favorite Reports if you want to save the report so that you can generate it again quickly or on a recurring basis (see Working with Favorites, page 144).

Columns for flexible detail reports

Related topics:

Flexible detail reports, page 163

Favorite investigative reports, page 171

Scheduling investigative reports, page 172

The table below describes the columns available for detail reports (see Flexible detail reports, page 163).

Not all columns are available at all times. For example, if the User column is displayed, Group is not available; if Category is displayed, Risk Class is not available.

Column Name: Description
User: Name of the user who made the request. User information must be available in the Log Database to include it on reports. Group information is not available in user-based reports.
Day: Date the Internet request was made.
URL Hostname: Domain name (also called hostname) of the requested site.
Domain: Directory service domain for the directory-based client (user or group, domain, or organizational unit) that made the request.
Group: Name of the group to which the requestor belongs. Individual user names are not given on group-based reports. If the user who requested the site belongs to more than one group in the directory service, the report lists multiple groups in this column.
Risk Class: Risk class associated with the category to which the requested site belongs. If the category is in multiple risk classes, all relevant risk classes are listed. See Assigning categories to risk classes, page 420.
Directory Object: Directory path for the user who made the request, excluding the user name. Typically, this results in multiple rows for the same traffic, because each user belongs in multiple paths. If you are using a non-LDAP directory service, this column is not available.
Disposition: Action taken as a result of the request (for example, category permitted or category blocked).
Source Server: IP address of the machine sending requests to Filtering Service. In standalone deployments, this is the Network Agent IP address. In integrated deployments, this is the gateway, firewall, or cache IP address. With Websense Web Security Gateway Anywhere, use this option to identify requests filtered by the hybrid service from both on-site (filtered location) and off-site users.
Protocol: Protocol of the request (for example, HTTP or FTP).
Protocol Group: Master Database group in which the requested protocol falls (for example, Remote Access or Streaming Media).
Source IP: IP address of the machine from which the request was made. With Websense Web Security Gateway Anywhere, you can use this option to review requests coming from a specific hybrid filtered location. See Define filtered locations, page 217.
Destination IP: IP address of the requested site.
Full URL: Domain name and path for the requested site (example: http://www.mydomain.com/products/itemone/). If you are not logging full URLs, this column is blank. See Configuring how URLs are logged, page 438.
Month: Calendar month the request was made.
Port: TCP/IP port over which the user communicated with the site.
Bandwidth: The amount of data, in kilobytes, contained in both the initial request from the user and the response from the website. This is the combined total of the Sent and Received values. Keep in mind that some integration products do not send bandwidth data to Filtering Service. If your integration does not send this information, and Websense Network Agent is installed, activate the Log HTTP requests option for the appropriate NIC to enable reporting on bandwidth information. See Configuring NIC settings, page 456.
Bytes Sent: Number of bytes sent as the Internet request. This represents the amount of data transmitted, which may be a simple request for a URL, or may be a more significant submission if the user is registering for a website, for example.
Bytes Received: Number of bytes received from the Internet in response to the request. This includes all text, graphics, and scripts that make up the site. For sites that are blocked, the number of bytes varies according to the software creating the log record. When Websense Network Agent logs the records, the number of bytes received for a blocked site represents the size of the block page. If the log record is created by Websense Security Gateway, as a result of scanning, the bytes received represents the size of the page scanned. See Content Gateway Analysis, page 189, for more information on scanning. If another integration product creates the log records, the bytes received for a blocked site may be zero (0), may represent the size of the block page, or may be a value obtained from the requested site.
Time: Time of day the site was requested, shown in the HH:MM:SS format, using a 24-hour clock.
Category: Category to which the request was assigned. This may be a category from the Master Database or a custom category.

User Activity Detail reports

Related topics:

Investigative reports, page 155

Click the User by Day/Month link to generate a User Activity Detail report for one user. This report gives a graphical interpretation of the user’s Internet activity for a single day or a full month.

First, generate a report for a specific user for a selected day. From that report, you can generate a report of the same user’s activity for a full month. For detailed instructions, see:

User activity detail by day, page 168

User activity detail by month, page 169

User activity detail by day

Related topics:

Investigative reports, page 155

User Activity Detail reports, page 167

User activity detail by month, page 169

The User Activity Detail by Day report gives a more in-depth view of a specific user’s activity on one day.

1. Select User by Day/Month at the top of the main page. The User Detail by Day dialog box appears.

2. Enter a user’s name, or a portion of the name, in the Search for user field, and then click Search.

The search displays a scrolling list of up to 100 matching user names from the Log Database.

3. Make a selection from the Select user list.

4. In the Select day field, either accept the last activity date that appears by default, or choose a different date.

You can type the new date or click the calendar icon to select a date. The calendar selection box indicates the date range covered by the active Log Database.

5. Click Go to User by Day to see a detailed report of activity for that user on the requested date.

The initial report shows a timeline of the user’s activity in 5-minute increments.

Each request appears as an icon, which corresponds to a Websense Master Database category. A single icon represents all custom categories. (The color of the icons corresponds to the risk grouping shown on the User Activity by Month reports.)

Rest the mouse over an icon to show the exact time, category, and action for the associated request.

Use the controls listed below to modify the report display or to see a legend.

Option: Description

Previous Day / Next Day: Display this user’s Internet activity for the previous or next calendar day.

Table View: Displays a list of each requested URL, giving the date and time of the request, the category, and the action taken (blocked, permitted, or other).

Detail View: Displays the initial, graphical view of the report.

Group Similar Hits / View All Hits: Combines into a single row all requests that occurred within 10 seconds of each other and have the same domain, category, and action. This results in a shorter, summarized view of information. The standard time threshold is 10 seconds. If you need to change this value, see Display and output options, page 448. After you click the link, it becomes View All Hits, which restores the original list of each request.

Category View Control: Displays a list of each category in the current report, showing both the category name and the icon representing that category. Control which categories appear in the report by marking the check boxes for the categories to be included. Then, click Accept to update the report according to your selections.

6. Click User Activity Detail by Month, above the report, to view the same user’s activity for the full month. See User activity detail by month, page 169, for more information.

User activity detail by month

Related topics:

Investigative reports, page 155

User Activity Detail reports, page 167

User activity detail by day, page 168

While the User Activity Detail by Day report is open, you can switch to see the monthly activity for that user.

1. Open a User Activity Detail by Day report. See User activity detail by day, page 168.

2. Click User Activity Detail by Month at the top.

The new report displays a calendar image, with each day’s area showing small colored blocks representing the user’s Internet activity for that day. Requests to sites in custom categories are shown as gray blocks.

3. Click Database Category Legend at the top left to see how the colors represent low to high potential risk for the requested site.

The category assignments are fixed, and cannot be changed.

4. Click Prev or Next to display this user’s Internet activity for the previous or the next month.

Standard reports

Related topics:

Investigative reports, page 155

Favorite investigative reports, page 171

Scheduling investigative reports, page 172

Standard reports let you display a particular set of information quickly without using the drill-down process.

1. Click the Standard Reports link on the main Investigative Reports page.

2. Choose the report containing the desired information. The following reports are available.

Highest Activity Levels

Which users have the most hits?

Top 10 users for top 10 visited URLs

Top 5 users activity in Shopping, Entertainment, and Sports

Top 5 URLs for the top 5 visited categories

Highest Bandwidth Consumption

Which groups are consuming the most bandwidth

Groups consuming most bandwidth in Streaming Media

Detail URL report on users by Network Bandwidth Loss

Top 10 groups for Bandwidth categories

Most Time Online

Which users spent the most time online

Which users spent the most time on sites in Productivity categories

Most Blocked

Which users were blocked most?

Which sites were blocked most?

Detail URL report on users who were blocked

Top 10 blocked categories

Highest Security Risk

Top categories posing a security risk

Top users of P2P protocol

Top users of sites in Security categories

URLs for top 10 machines with spyware activity

Legal Liability

Legal Liability Risk by Category

Top users in Adult categories

3. View the report that appears.

4. Save the report as a Favorite if you want to run it on a recurring basis. See Favorite investigative reports, page 171.

Favorite investigative reports

Related topics:

Investigative reports, page 155

Scheduling investigative reports, page 172

You can save most investigative reports as Favorites. This includes reports you generate by drilling down to specific information, standard reports, and detail reports that you have modified to meet your specific needs. Then, run the Favorite report at any time, or schedule it to run on specific days and times.

In organizations that use delegated administration, permission to save and schedule Favorites is set by the Super Administrator. Administrators who are granted this permission can run and schedule only the Favorites they saved; they do not have access to Favorites saved by other administrators.

To save a report as a Favorite:

1. Generate an investigative report with the desired format and information.

2. Click Favorite Reports.

3. Accept or modify the default name.

The name may contain letters, numbers, and underscore characters (_). No blanks or other special characters can be used.

4. Click Add.

The report name is added to the Favorite Reports list.

From the Favorite Reports list, you can generate a Favorite report at any time, or delete one that has become obsolete:

1. Click Favorite Reports to display a list of reports saved as favorites.

2. Select a report from the list.

3. Do one of the following:

Click Run Now to generate and display the selected report immediately.

Click Schedule to schedule a report to run later or on a recurring basis. See Scheduling investigative reports, page 172, for more information.

Click Delete to remove the report from the Favorites list.

From the Favorite Reports page, you can also create a new Favorite report that is similar to an existing one:

1. Click Favorite Reports to display a list of reports saved as favorites.

2. Select and run the existing Favorite report that most closely resembles the new report you want to create.

3. Modify the displayed report as desired.

4. Click Favorite Reports to save the revised display as a Favorite report with a new name.

Scheduling investigative reports

Related topics:

Favorite investigative reports, page 171

Managing scheduled investigative reports jobs, page 175

You must save an investigative report as a Favorite before it can be scheduled to run at a later time or on a repeating cycle. When the scheduled report job runs, the resulting reports are sent via email to the recipients you designate. As you create scheduled jobs, consider whether your email server will be able to handle the size and quantity of the attached report files.

Scheduled report files are stored in the following directory:

<install_path>\webroot\Explorer\<name>\

The default installation path is C:\Program Files (x86)\Websense\Web Security. If the scheduled job has only one recipient, <name> is the first portion of the email address (before the @). In the case of multiple recipients, the reports are saved in a directory called Other.

Note

The reports saved from a repeating job use the same file name each time. If you want to save files for longer than a single cycle, be sure to change the file name or copy the file to another location.

Depending on the size and number of reports scheduled, this directory could become very large. Be sure to clear the directory periodically, eliminating unneeded report files.

1. Save one or more reports as Favorites. (See Favorite investigative reports, page 171.)

2. Click Favorite Reports to display a list of reports saved as favorites.

Note

If your organization uses delegated administration roles, this list does not include favorite reports saved by other administrators.

3. Highlight up to 5 reports to run as part of the job.

4. Click Schedule to create a scheduled report job, and then provide the information requested on the Schedule Report page.

It is advisable to schedule report jobs on different days or at different times, to avoid overloading the Log Database and slowing performance for logging and interactive reporting.

Field: Description

Recurrence: Select the frequency (Once, Daily, Weekly, Monthly) for running the report job.

Start Date: Choose the day of the week or calendar date for running the job the first (or only) time.

Run Time: Set the time of day for running the job.

Email to: Use the Additional Email Addresses field to add the appropriate addresses to this list. Highlight one or more email addresses to receive the reports in the job. (Be sure to deselect any that should not receive the reports.)

Additional Email Addresses: Enter an email address, and then click Add to put it on the Email to list. The new email address is automatically highlighted with the other selected email addresses.

Customize email subject and body text: Mark this check box to customize your email notification subject line and body text. If this box is not checked, the default subject and body text are used.

Email Subject: Enter the text to appear as the email subject line when scheduled reports are distributed. The default email subject reads:

Investigative Reports scheduled job

Email Text: Enter text to be added to the email message for distributing scheduled reports. The email reads as shown below, with your text in place of <CUSTOM TEXT>.

Report scheduler generated the attached file or files on <date time>.

<CUSTOM TEXT>

To view the generated report(s), click on the following link(s).

Note: The link will not work if the recipient does not have access to the web server from which the job was sent.

Schedule Job Name: Assign a unique name for the scheduled job. The name identifies this job in the Job Queue. See Managing scheduled investigative reports jobs, page 175.

Output Format: Choose the file format for the scheduled reports:

PDF: Portable Document Format files are viewed in Adobe Reader.

Excel: Excel spreadsheet files are viewed in Microsoft Excel.

Date Range: Set the date range to be covered by reports in this job.

All Dates: all available dates in the Log Database.

Relative: Choose a time period (Days, Weeks, or Months) and the specific period to include (This, Last, Last 2, and so on).

Specific: set specific dates or a date range for the reports in this job.

5. Click Next to display the Schedule Confirmation page.

6. Click Save to save your selections and go to the Job Queue page (see Managing scheduled investigative reports jobs, page 175).

Managing scheduled investigative reports jobs

Related topics:

Investigative reports, page 155

Scheduling presentation reports, page 146

When you create a scheduled job for investigative reports, the Job Queue page appears, showing the new job and a list of existing scheduled jobs. You can also access the page by clicking the Job Queue link on the main investigative reports page.

Note

If your organization uses delegated administration, this page does not show jobs scheduled by other administrators.

The Schedule Report Detail section lists each scheduled job in the order it was created, showing an overview of the defined schedule and the job status. In addition, the following options are available.

Option: Description

Edit: Displays the schedule defined for this job, and allows you to modify it, as needed.

Delete: Deletes the job and adds an entry to the Status Log section showing the job as Deleted.

The Status Log section lists each job that has changed in some way, showing the scheduled start time for the job, the actual end time, and the status.

Click Clear Status Log to remove all entries in the Status Log section.

Outliers reports

Related topics:

Investigative reports, page 155

Summary reports, page 157

An Outliers report shows which users have the most unusual Internet activity in the database. A report query calculates the average activity for all users per category, per day, per action (disposition), and per protocol. It then displays the user activity that has the most statistically significant variance from the average. Variance is calculated as the standard deviation from the mean.

1. On the main Investigative Reports page, generate a summary report that displays the information for which you want to see outliers. The report selections underlined and shown in blue beside the Internet Use by field are reflected in the Outliers report.

For example, to view outliers by hits for a particular category, select Category in the Internet Use by list, and select Hits as the Measure.

Note

Outliers reports cannot be generated for browse time. If you start from a summary report showing browse time, the Outliers report is based on hits.

2. Click Outliers.

The rows are sorted in descending order with the highest variance shown first.

Each row shows:

Total (hits or bandwidth) for the user, category, protocol, day, and action.

Average (hits or bandwidth) for all users, for that category, protocol, day, and action.

Variance from the average for the user.

3. To see an individual user’s activity in this category over time, click the user name.

For example, if one user’s activity is noticeably high for a certain day, click that user’s name to see a report that gives a more in-depth understanding of the user’s overall activity.
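The calculation described for the Outliers report can be reproduced on exported log data to check a result by hand. The following Python sketch is an added example, not Websense code or the product's actual query: the record layout, the function name outlier_rows, the min_users cutoff, and the choice to rank by signed deviation are all assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample rows: (user, category, day, action, protocol, hits).
SAMPLE_LOG = [
    ("alice", "Shopping", "2014-03-03", "permitted", "http", 10),
    ("bob",   "Shopping", "2014-03-03", "permitted", "http", 12),
    ("carol", "Shopping", "2014-03-03", "permitted", "http", 8),
    ("dave",  "Shopping", "2014-03-03", "permitted", "http", 11),
    ("erin",  "Shopping", "2014-03-03", "permitted", "http", 9),
    # Two rows for the same user and group are summed into one total (400).
    ("frank", "Shopping", "2014-03-03", "permitted", "http", 150),
    ("frank", "Shopping", "2014-03-03", "permitted", "http", 250),
    ("alice", "Security", "2014-03-03", "blocked", "http", 1),
    ("bob",   "Security", "2014-03-03", "blocked", "http", 1),
    ("carol", "Security", "2014-03-03", "blocked", "http", 2),
    ("dave",  "Security", "2014-03-03", "blocked", "http", 1),
    ("erin",  "Security", "2014-03-03", "blocked", "http", 30),
    # Only two users in this group: too few for a meaningful average.
    ("alice", "Streaming Media", "2014-03-04", "permitted", "http", 5),
    ("bob",   "Streaming Media", "2014-03-04", "permitted", "http", 500),
]


def outlier_rows(records, min_users=3):
    """Rank user activity by distance from the group average.

    A group is one (category, day, action, protocol) combination. For each
    group the per-user totals are averaged, and each user's distance from
    that average is expressed in standard deviations.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for user, category, day, action, protocol, hits in records:
        totals[(category, day, action, protocol)][user] += hits

    rows = []
    for group, per_user in totals.items():
        values = list(per_user.values())
        if len(values) < min_users:
            continue  # assumption: skip groups with too few users
        average = mean(values)
        spread = pstdev(values)  # population standard deviation
        if spread == 0:
            continue  # every user identical, so nobody stands out
        for user, total in per_user.items():
            rows.append({
                "user": user,
                "group": group,
                "total": total,
                "average": average,
                "deviation": (total - average) / spread,
            })
    # Assumption: rank by signed deviation, highest above average first.
    rows.sort(key=lambda row: row["deviation"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in outlier_rows(SAMPLE_LOG)[:3]:
        print(row["user"], row["group"], row["total"],
              round(row["average"], 1), round(row["deviation"], 2))
```

With only a handful of users in a group, the deviation has a hard ceiling (the square root of the user count minus one), so a small value in a small group can still mark the largest possible outlier.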

Output options for investigative reports

Related topics:

Investigative reports, page 155

After generating an investigative report, you can use the buttons above the report to save it to a file. The button you click determines the format of the file.

Option Description

Saves the report in XLS format.

If Microsoft Excel 2003 or later is installed on the machine from which you are accessing the TRITON console, you are prompted to view or save the report. Otherwise, you are prompted to select a directory and file name for the saved report.

Use the options in Microsoft Excel to print, save, or email the report.

Generates a report in PDF format.

If Adobe Reader v7.0 or later is installed on the machine from which you are accessing the TRITON console, you are prompted to view or save the report. Otherwise, you are prompted to select a directory and file name for the saved report.

Use the options in Adobe Reader to print, save, or email the report.

You can also print investigative reports, as follows:

Use the browser print function while the report is displayed.

Create a PDF or XLS file, as described above, and then use the print function in Adobe Reader or Microsoft Excel.

Although reports have been set up to print successfully from the browser, you may want to test printing to check the result.

User Activity Detail by Month reports are configured to print in landscape mode. All other reports are configured for portrait mode.

When you design your own report (see Flexible detail reports, page 163), the column widths differ according to the information included. The page orientation changes to landscape if the report is wider than 8 1/2 inches.

The content of the page is either 7 1/2 inches or 10 inches wide. In the case of A4, the margins are slightly narrower but still within the print range. (The default paper size is Letter, or 8.5 x 11 inches. If you are working with A4 paper, be sure to change this setting in the wse.ini file. See Display and output options, page 448.)

Accessing self-reporting

Related topics:

Investigative reports, page 155

Configuring reporting preferences, page 421

Self-reporting, page 450

Websense self-reporting allows you to evaluate your own Internet browsing activities and adjust them, as needed, to meet organizational guidelines. It also accommodates government regulations that require organizations to let users see the type of information being collected.

If self-reporting is enabled in your organization, access it from your browser:

1. Enter the URL supplied by your Web Security administrator, or click the Self-Reporting link on the TRITON console logon page to access the self-reporting logon page.

2. If Policy Server shows a drop-down list, choose the IP address for the Policy Server that logs information on your Internet activity.

Contact your Web Security administrator for assistance.

3. Enter the User name and Password you use to log on to the network.

4. Click Log On.

The Web Security manager displays an investigative report showing your Internet activity by risk class. Click the various links and elements on the page to access other options for alternative views of the information stored on your activity. Use the Help system for assistance when working with the reports.

Application reporting

Related topics:

How is user agent data collected?, page 181

Browser use details, page 182

Platform use details, page 183

In Web Security Gateway and Gateway Anywhere deployments, and standalone Web Security and Web Filter deployments, use the Reporting > Applications page to review the browsers and operating systems used to make web requests in your network. You can also use the Search tab to investigate activity based on user agent strings. (The user agent string is an HTTP header that identifies the client software from which a request originates.)

Find instances of older browsers that may present a security vulnerability.

Identify which machines in your network may be vulnerable when a zero-day exploit is discovered.

Track adoption of new browsers and operating systems.

Use the user agent string associated with an application to identify the machines in your network on which that application is running.

Search for user agent strings associated with malware or suspicious activity to identify machines that may be at risk.

Beginning with 7.8.4, application reports support IPv6 addresses.

In Web Security and Web Filter deployments that are integrated with a third-party proxy, cache, firewall, or other device, the integration product does not send application data to Websense Filtering Service. As a result, no data is available on the Applications page.

Important

After a new installation or upgrade, the Applications page will not show data on the Browser or Source Platform tab until a nightly database job runs. As users connect to the Internet, new user agent strings appear on the Search tab, but the strings are not parsed into recognized browsers and platforms until the job runs.

See How is user agent data collected?, page 181, for more information about how user agent data is logged, processed, and made available for use in reports.

The Applications page is made up of 3 tabs:

Reports on the Browser tab show which supported browser families (including desktop and mobile versions of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera) and versions are being used to access the Internet from your network.

The Browser tab is selected by default when you navigate to the Applications page.

Reports on the Source Platform tab show which supported operating systems (including Windows, Linux, UNIX, OS X, iOS, Android, BlackBerry, Symbian, and Java ME) the browsers accessing the Internet are running on.

The Search tab lets you search for specific strings in user agent headers detected in your network. The search results show the top qualifying user agents by requests or bandwidth.

On any tab, you can select an alternate Time period from the drop-down list at the top of the tab. By default, 30 days worth of information (if available) is shown in the charts and tables.

Different time periods are available depending on whether you use a standard or enterprise version of Microsoft SQL Server, or Microsoft SQL Server Express.

On the Browser and Source Platform tabs, you can also select a Device type (desktop or mobile) to limit the information that appears on the page. By default, information for both desktop and mobile browsers or platforms is shown.

Both the Browser and Source Platform tabs include a table that lists browsers or platforms and versions.

An icon in the Type column indicates whether the browser or platform is for desktop machines or mobile devices.

The next column gives the name of the browser family or operating system platform.

The Lowest Version and Highest Version values give the range of versions being used in your network during the selected period.

Number of browsers of the specified type actively being used to make requests, or of source platforms from which requests are originating. The count is made based on the number of unique client IP addresses associated with the browser or operating system.

Click a link in the table to open a detail report with more information about the selected browser family, platform, or version number. See Browser use details, page 182, or Platform use details, page 183, for more information.

Use the Browser Family or Platform Comparison chart to view the top browser families or operating systems used in your network, and the Browser or Platform Use Trend chart to track use of the different browsers or operating systems over time.

For any chart, select a different Chart type to change the way the information is displayed.

The Search tab initially displays the top 10 user agents, based on number of requests.

To search the database for specific user agents, enter a string in the User agent field and click Search. The string can be all or part of a user agent header, up to a maximum of 128 characters.

The top (up to 200) results that match your search string are displayed in the User Agent Search Results table, which includes:

The actual User Agent that matches the search criteria. If the string is truncated, mouse over it to see the full string.

The last column header shows whether results are sorted by Requests or Bandwidth. (Use the Sort by list to choose a measurement.)

After performing a search, click Clear to return to showing the default Top 10 User Agents table.

Click a user agent in the Top 10 or Results table to display a User Agent Detail table at the bottom of the page. The details table shows:

The User whose browsing included the user agent.

The Client IP Address from which the request originated.

The Source Server IP Address for the integration component (Content Gateway or Network Agent) processing the requests.

The number of Requests that included the selected user agent.

The volume of Bandwidth for all requests that include the user agent from the specified user and client machine.

Click Export to CSV to export the report detail information to a CSV file that can be manipulated using spreadsheet software like Microsoft Excel.

Note

If there are more records than your system can handle, the output file will not contain actual CSV-format data. If this occurs, select a shorter timeframe to reduce the data set and export the data again.

How is user agent data collected?

Related topics:

Application reporting, page 178

Browser use details, page 182

Platform use details, page 183

The user agent is an HTTP header that web browsers and other web applications use to identify themselves and their capabilities. Your web security software captures and logs user agent data when users browse the Internet. If the user agent data includes browser and platform information, that information is parsed and displayed in application reports.

If a browser or platform is installed in your network, but is not used for Internet access, it does not appear in application reports.

Because there are no widely-adopted standards for user agent headers, your web security software is not able to identify all Internet-accessing applications.

Some applications, in fact, deliberately disguise their identity in the user agent header in an attempt to avoid detection.

The application browsing data that Websense Log Server receives includes the user agent header, user name, and source IP address. All requests that share the identical user agent, user, and source IP address during a 60-second period are combined into a single record that provides the total number of requests and the volume of bandwidth associated with those requests. That record is then forwarded to the Log Database.
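The 60-second combining step described above, together with a substring search like the one on the Search tab, is shown below as an added Python example; it is not Websense code. The Request layout, the function names, the rule that a window opens at the first request for a given user agent, user, and source IP, and the case-insensitive match are assumptions, and the sample requests are constructed.

```python
from collections import namedtuple

# ts is seconds since an arbitrary start; size is bytes transferred.
Request = namedtuple("Request", "ts user_agent user source_ip size")

WINDOW_SECONDS = 60    # combining period stated in the text
MAX_SEARCH_LEN = 128   # maximum search string length stated in the text
MAX_RESULTS = 200      # maximum number of search results stated in the text

OLD_IE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
CURL = "curl/7.30.0"

# Constructed sample requests (documentation address ranges).
SAMPLE_REQUESTS = [
    Request(0, OLD_IE, "jdoe", "192.0.2.5", 1000),
    Request(20, OLD_IE, "jdoe", "192.0.2.5", 2000),
    Request(59, OLD_IE, "jdoe", "192.0.2.5", 500),
    Request(60, OLD_IE, "jdoe", "192.0.2.5", 700),   # starts a new window
    Request(10, OLD_IE, "asmith", "2001:db8::9", 300),
    Request(30, CURL, "jdoe", "192.0.2.5", 50),
]


def combine_requests(requests, window=WINDOW_SECONDS):
    """Combine requests with identical user agent, user, and source IP
    that fall in the same window into one record with totals."""
    open_records = {}
    combined = []
    for req in sorted(requests, key=lambda r: r.ts):
        key = (req.user_agent, req.user, req.source_ip)
        record = open_records.get(key)
        if record is None or req.ts - record["start"] >= window:
            record = {"start": req.ts, "user_agent": req.user_agent,
                      "user": req.user, "source_ip": req.source_ip,
                      "requests": 0, "bandwidth": 0}
            open_records[key] = record
            combined.append(record)
        record["requests"] += 1
        record["bandwidth"] += req.size
    return combined


def search_user_agents(records, text, sort_by="requests"):
    """Return per-user-agent totals for agents containing `text`,
    highest first by requests or bandwidth, capped at MAX_RESULTS."""
    if len(text) > MAX_SEARCH_LEN:
        raise ValueError("search string longer than 128 characters")
    if sort_by not in ("requests", "bandwidth"):
        raise ValueError("sort_by must be 'requests' or 'bandwidth'")
    needle = text.lower()  # assumption: case-insensitive match
    totals = {}
    for rec in records:
        if needle in rec["user_agent"].lower():
            entry = totals.setdefault(
                rec["user_agent"],
                {"user_agent": rec["user_agent"],
                 "requests": 0, "bandwidth": 0})
            entry["requests"] += rec["requests"]
            entry["bandwidth"] += rec["bandwidth"]
    ranked = sorted(totals.values(), key=lambda e: e[sort_by], reverse=True)
    return ranked[:MAX_RESULTS]


if __name__ == "__main__":
    records = combine_requests(SAMPLE_REQUESTS)
    for rec in records:
        print(rec)
    print(search_user_agents(records, "MSIE 6.0"))
```

Because each combined record keeps the user and source IP, a match on an outdated browser string can be traced back to the machines that sent it.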

How soon browser and platform reports are updated with data about current Internet activity depends on whether a user agent has previously been seen and analyzed:

If the user agent corresponds to a browser, browser version, or platform that has not previously been parsed and identified, information about requests from that browser and platform does not appear in application reports until after the nightly Trend job (see Database jobs, page 431).

In other words, there is a delay of up to 24 hours before information about new browsers, browser versions, and platforms appears in browser and platform reports.

As a result, the Browser and Source Platform tabs do not initially show any reports after a new installation or upgrade to v7.8.

If the user agent corresponds to a browser, browser version, and platform that have previously been parsed and identified, information about requests from that browser and platform appears in browser and platform reports as soon as they are recorded in the Log Database.

Data on the Search tab is not subject to the same delays as the browser and platform reports. User agent strings are available for search as soon as they are recorded in the Log Database. This includes both the strings associated with browsers and platforms, and strings used by other types of web apps.

Browser use details

Related topics:

Application reporting, page 178

How is user agent data collected?, page 181

Platform use details, page 183

When you click a browser family or version on the Browser tab of the Applications page, a Browser Detail Report is displayed.

The Browser Inventory gives a visual overview of:

For a selected browser family, the top versions in use, and usage trends for those versions.

For a selected browser version, the top users of the version, and usage trends for the version.

You can position your mouse over different chart elements to see additional details, and use the Chart type options under each chart to change the way the data is displayed.

Below the charts, a Users Sending Requests table lists up to the top 200 active users of the selected browser family or version. The table includes:

The name of the User making the Internet requests.

The Client Hostname, if available, and Client IP Address of the machine used to browse the Internet.

The Source Server IP Address corresponding to the integration component (Content Gateway or Network Agent) that processes HTTP requests.

The Browser name and version.

The Type (mobile or desktop) of browser used.

The volume of requests made through the browser by Count and Bandwidth.

The User Agent associated with this browser and version. Click the icon to see the full user agent.

Click Export to CSV to export the available data to a CSV file for manipulation in a spreadsheet program like Microsoft Excel.

Note

If there are more records than your system can handle, the output file will not contain actual CSV-format data. If this occurs, select a shorter timeframe to reduce the data set and export the data again.

Use the paging options at the bottom of the table to navigate through the data. Each page can display up to 20 lines of information.

Click Close to return to the summary data on the Browser tab of the Applications page.

Platform use details

Related topics:

Application reporting, page 178

How is user agent data collected?, page 181

Browser use details, page 182

When you click a platform family or version on the Source Platform tab of the Applications page, a Platform Detail Report is displayed.

The Platform Inventory gives a visual overview of:

For a selected operating system, the top versions in use, and usage trends for those versions.

For a selected operating system version, the top users of the version, and usage trends for the version.

You can position your mouse over different chart elements to see additional details, and use the Chart type options under each chart to change the way the data is displayed.

Below the charts, a Users Sending Requests table lists up to the top 200 active users of the selected operating system or version. The table includes:

The name of the User making the Internet requests.

The Client Hostname, if available, and Client IP Address of the machine used to browse the Internet.

The Source Server IP Address corresponding to the integration component (Content Gateway or Network Agent) that processes HTTP requests.

The operating system Platform name and version.

The Type (mobile or desktop) of operating system used.

The volume of requests made through the browser by Count and Bandwidth.

The User Agent associated with this operating system and version. Click the icon to see the full user agent.

Click Export to CSV to export the available data to a CSV file for manipulation in a spreadsheet program like Microsoft Excel.

Note

If there are more records than your system can handle, the output file will not contain actual CSV-format data. If this occurs, select a shorter timeframe to reduce the data set and export the data again.

Use the paging options at the bottom of the table to navigate through the data. Each page can display up to 20 lines of information.

Click Close to return to the summary data on the Source Platform tab of the Applications page.

Real-Time Monitor

Related topics:

Use Reports to Evaluate Internet Activity, page 131

Real-Time Monitor in Multiple Policy Server Deployments, page 187

Use the Reporting > Real-Time Monitor page to review current Internet activity in your network.

Important

If Real-Time Monitor does not display correctly in Internet Explorer, make sure that the Compatibility View button (between the URL and the Refresh button in the browser address bar) is not selected.

Click Start to populate the page with data. The page shows recent Internet requests, including:

The IP address or name of the user who made the request.

If user-based policies are used in your network, and the user name is shown, mouse over an entry to see the IP address.

If a user name is longer than 30 characters, a hyphen (“-”) and the last 30 characters of the name are displayed. If you right-click to add a long user name to the search filter, delete the hyphen character from the filter field and click Show Results to display matching entries.

The URL requested.

By default, if the URL is too long to display in the space provided, the field shows the first 30 characters of the URL, a space, a hyphen (“-”), and a space, and then the last 20 characters of the URL. Right-click the truncated URL to see the entire string.

Click Customize in the toolbar at the top of the page, then select Show the full URL to change this behavior.

Whether or not the requested site was recategorized as a result of Content Gateway scanning.

The presence of an icon indicates that the site was dynamically recategorized based on the results of scanning. Mouse over the icon to see the original category.

No icon indicates that the Master Database category or custom URL category was used. (This includes sites that were scanned by Content Gateway, but not recategorized.)

The Category assigned to the site.

The actual category used to filter the request is shown, whether that is the Master Database category, the custom URL category, or the category dynamically assigned as a result of scanning.

The Action (permitted or blocked) applied to the request.

Hover the mouse over an entry to see the policy or policies used to determine the action. Multiple policies may be listed if, for example:

Multiple group policies could be applied to the same user.

A policy is assigned to both the IP address and the user or group.


When multiple policies are listed, you can use the Test Filtering tool (in the Web Security manager Toolbox) to see which policy takes precedence for a request from the user or IP address shown in Real-Time Monitor.

The Time the request was passed to Real-Time Monitor.

Because Real-Time Monitor receives request information from Usage Monitor in real time, rather than reading the request from the Log Database, the request time shown here may not match the request time that appears in investigative and presentation reports.
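When a value copied from Real-Time Monitor has to be matched against full user names or URLs from log exports, the truncation rules described above can be inverted. The following is an added example, not part of the product; the function names and sample values are constructed, and it assumes a truncated URL display is always shorter than the full URL.

```python
import re

URL_HEAD, URL_TAIL, NAME_TAIL = 30, 20, 30
# Truncated URL display: first 30 characters, " - ", last 20 characters.
_TRUNCATED_URL = re.compile(r"(.{%d}) - (.{%d})" % (URL_HEAD, URL_TAIL), re.S)


def shown_user(name):
    """User column: names longer than 30 characters show '-' plus the last 30."""
    return name if len(name) <= NAME_TAIL else "-" + name[-NAME_TAIL:]


def shown_url_truncated(url):
    """URL column when the URL does not fit: first 30, ' - ', last 20."""
    return url[:URL_HEAD] + " - " + url[-URL_TAIL:]


def user_filter_term(shown):
    """Text for the User filter field: the leading hyphen of a truncated name is deleted."""
    # Untruncated names are at most 30 characters, so a 31-character display
    # starting with '-' can only be the truncated form.
    truncated = len(shown) == NAME_TAIL + 1 and shown.startswith("-")
    return shown[1:] if truncated else shown


def match_users(shown, full_names):
    """Full user names that would be displayed as `shown`."""
    term = user_filter_term(shown)
    if term == shown:
        return [n for n in full_names if n == shown]
    return [n for n in full_names if len(n) > NAME_TAIL and n.endswith(term)]


def match_urls(shown, full_urls):
    """Full URLs that would be displayed as `shown` (several may qualify)."""
    hits = [u for u in full_urls if u == shown]
    m = _TRUNCATED_URL.fullmatch(shown)
    if m:
        head, tail = m.groups()
        hits += [u for u in full_urls
                 if len(u) > len(shown) and u.startswith(head) and u.endswith(tail)]
    return hits


if __name__ == "__main__":
    # Constructed sample values.
    names = ["EXAMPLE\\alexandria.montgomery-fitzgerald",
             "OTHER\\alexandria.montgomery-fitzgerald",
             "EXAMPLE\\jdoe"]
    urls = ["http://intranet.example.com/reports/2014/q2/summary/web-activity.html",
            "http://intranet.example.com/resources/library/web-activity.html"]
    print(match_users(shown_user(names[0]), names))
    print(match_urls(shown_url_truncated(urls[0]), urls))
```

Because only the last 30 characters of a long name and the two ends of a long URL are shown, more than one full value can match; confirm the exact record in the Log Database before acting on it.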

To review current data, click Pause to prevent the page from continuing to refresh.

When you are ready to start monitoring new information, click Start again.

By default, data is refreshed every 15 seconds. To change the update rate, click Customize in the toolbar at the top of the page, then select a new Data refresh rate value.

Depending on your current settings, Real-Time Monitor holds a set number of records (250, 500, or 1000), and always displays the latest set of available records. When you pause display of new records to review current data, this can mean that the hundreds or thousands of requests that occur while the display is paused are not available for display in the monitor. (The requests are, however, stored in the Log Database, and appear in investigative and presentation reports.)

To change how many records are displayed, click Customize in the toolbar at the top of the page, then select a new Number of records shown value.

Beginning with 7.8.4, IPv6 information is displayed in Real-Time Monitor.

Using filters to show specific Real-Time Monitor data


To filter the data displayed on the screen:

1. Enter all or part of a user name or IP address, URL, category, or action in the Filter results by fields. You can also select a time filter to show the past 5, 10, or 15 minutes worth of applicable results.

2. Click Show Results.

3. To return to viewing all results, click Clear Search Filters.

You can also right-click any entry in the User, URL, Category, or Action fields and select the Filter by or Add...to search filter option to immediately filter results based on the selected string.

Understanding timeout behavior


By default, TRITON Unified Security Center sessions time out after 30 minutes. To run Real-Time Monitor without timing out, click Full Screen to open the monitor in a new window. The IP address of the monitored Policy Server appears in the Real-Time Monitor title bar. If you want to monitor multiple Policy Server instances, see Real-Time Monitor in Multiple Policy Server Deployments, page 187, for considerations and instructions.

Real-Time Monitor in Multiple Policy Server Deployments


When you go to the Reporting > Real-Time Monitor page, Real-Time Monitor shows information for the Policy Server instance to which the management console is currently connected. This means that if you have multiple Policy Servers, when you connect the management console to a new Policy Server instance, Real-Time Monitor starts to display information for a different set of clients.

If you want Real-Time Monitor to continue monitoring traffic for a specific Policy Server, regardless of which Policy Server instance the Web Security manager is connected to, click Full Screen to open the monitor in a new window. The IP address of the monitored Policy Server is displayed at the top of the screen.

Real-Time Monitor receives Internet activity information from Usage Monitor. Each Policy Server must have a Usage Monitor instance associated with it for Real-Time Monitor to show its Internet activity.

You can have multiple Real-Time Monitor instances running in full-screen mode, each showing data for a different Policy Server:

1. Log on to the TRITON console and select the Web Security manager. It connects to the central (default) Policy Server.

2. Go to the Reporting > Real-Time Monitor page and click Full Screen.

The IP address of the central Policy Server appears in the title bar.

3. Return to the Web Security manager and use the Policy Server Connection button in the toolbar to connect to a different Policy Server instance.

4. Repeat step 2.

5. Repeat for each additional Policy Server instance in your network.

In full screen mode, Real-Time Monitor does not time out.


9 Content Gateway Analysis


Related topics:

Scanning options, page 191

Content categorization, page 193

Tunneled protocol detection, page 194

Security threats: Content security, page 195

Security threats: File analysis, page 196

Outbound security, page 202

Advanced options, page 203

Scanning exceptions, page 205

Data files used with scanning, page 207

Reporting on advanced analysis activity, page 208

SSL decryption bypass, page 211

Advanced analysis and SSL decryption bypass features are available with Websense Web Security Gateway and Web Security Gateway Anywhere.

Websense Content Gateway performs advanced analysis of web traffic as it flows through the on-premises proxy. Only sites that are not already blocked, based on the active policy, are analyzed.

Content categorization, page 193, categorizes content from URLs that are not in the Websense Master Database and from sites with dynamic content, as identified by Websense Security Labs. Analysis returns a category for use in policy enforcement.

Tunneled protocol detection, page 194, analyzes traffic to discover protocols tunneled over HTTP and HTTPS. Such traffic is reported to Filtering Service for protocol policy enforcement. Analysis is performed on both inbound and outbound traffic.

Security threats: Content security, page 195, analyzes inbound content to find security threats such as malware, viruses, phishing, URL redirection, web exploits, proxy avoidance, and others.


Security threats: File analysis, page 196, can apply as many as 3 methods of inspection to detect security threats.

Websense Advanced Detection to discover malicious content, such as viruses, Trojan horses, and worms, returning a threat category for policy enforcement.

Traditional antivirus (AV) definition files to find virus-infected files.

Websense ThreatScope Analysis uploads suspicious files to a cloud-hosted sandbox for analysis and emails an alert to the administrator when a file is found to contain malicious content.

When either Advanced Detection or Antivirus Scanning is enabled, you can also optionally analyze:

Rich Internet applications, such as Flash files, to detect and block malicious content.

FTP files to detect and block malicious content.

The File Type Options settings determine which types of files are analyzed for malicious content, including executable and unrecognized files. Individual file extensions may also be specified. This setting does not apply to ThreatScope analysis.

Outbound security, page 202, provides 2 types of outbound analysis. The first performs outbound content analysis that mirrors your inbound Security Threats content analysis and file analysis configuration. The second performs data theft analysis, looking for and blocking outbound custom encrypted files, password files, and other sensitive data.

The Content Categorization and Scanning Sensitivity control allows you to tune the Content Categorization and Content Analysis sensitivity thresholds (Advanced options, page 203).

For large, streaming, or slow transactions, the Content Delay Handling option provides some control over how long to wait before releasing a portion of buffered content to the client (Advanced options, page 203).

The Scanning Timeout, File Size Limit and Content Stripping Advanced Options apply to all traffic transiting the proxy (Advanced options, page 203).

Several presentation reports can provide details about how advanced analysis features protect your network from attempts to access sites containing threats. See Reporting on advanced analysis activity, page 208.

SSL decryption bypass options support the specification of clients, websites, and website categories that are not subject to decryption and analysis as they flow through the proxy. These options apply only if SSL support is enabled in Content Gateway. See SSL decryption bypass, page 211.

Scanning exceptions are lists of hostnames or URLs that are always analyzed or never analyzed. The type of analysis to always or never perform is specified per hostname/URL or group of hostnames/URLs. A list of client IP addresses whose content is never analyzed can also be specified. See Scanning exceptions, page 205.


Enabling scanning and SSL decryption bypass features


To enable the advanced analysis and SSL decryption bypass features that are available with Websense Web Security Gateway and Gateway Anywhere, an appropriate subscription key must be entered in the Web Security manager. You can enter the key:

When prompted after logging on

On the Settings > General > Account page

On the Settings > General > Policy Servers page, after selecting a Policy Server instance to edit.

Review current key information on the Account or Policy Servers page.

The key is automatically passed to all Content Gateway instances associated with the current Policy Server. See Reviewing Policy Server connections, page 383, and Managing Content Gateway connections, page 396, for more information.

For information about configuring advanced analysis options, see Scanning options, page 191. For information about SSL decryption bypass options, see SSL decryption bypass, page 211.

Scanning options


Related topics:

Content categorization, page 193

Tunneled protocol detection, page 194

Security threats: Content security, page 195

Security threats: File analysis, page 196

Outbound security, page 202

Advanced options, page 203

Scanning exceptions, page 205

Reporting on advanced analysis activity, page 208

The analysis options available with Websense Web Security Gateway and Websense Web Security Gateway Anywhere control the types of advanced analysis performed on web traffic as it transits the Content Gateway module (the Websense on-premises proxy).

For an introduction to advanced analysis options and other options related to Content Gateway, see Content Gateway Analysis, page 189.

Use the Settings > Scanning > Scanning Options page to configure the following:


Content categorization, page 193

Tunneled protocol detection, page 194

Security threats: Content security, page 195

Security threats: File analysis, page 196

Outbound security, page 202

Scanning sensitivity, scanning timeout, scan size limit, content delay handling, and content stripping (Advanced options, page 203)

Basic settings are:

Off – No analysis.

On (default) – Analyze content or files with elevated risk profiles, as determined by Websense Security Labs.

Aggressive analysis – Analyze content and files with elevated risk profiles and content and files with lower risk profiles. Aggressive analysis consumes more resources. For best results, monitor system performance and scale system resources to meet demand.

In addition to the On/Off/Aggressive analysis settings, analysis is performed or not performed, based on the Always Scan, Never Scan, and client IP exception lists. These lists are maintained on the Settings > Scanning > Scanning Exceptions page. See Scanning exceptions, page 205.

Warning

Sites on the Never Scan list are not analyzed under any circumstances. If a site on the Never Scan list is compromised, the malicious code is not analyzed and detected.

When you have completed configuration on the current page, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.


Content categorization


Related topics:

Scanning options, page 191

Tunneled protocol detection, page 194

Security threats: Content security, page 195

Security threats: File analysis, page 196

Outbound security, page 202

Advanced options, page 203

Scanning exceptions, page 205

Reporting on advanced analysis activity, page 208

When a web page is requested, content categorization is performed if:

The URL has not already been blocked by the active policy

The URL is not in the Websense Master Database

The URL has an elevated risk profile, as identified by Websense Security Labs

The category that is determined by content categorization is forwarded to Filtering Service for policy enforcement.

Content categorization can, optionally, include analysis of URL links embedded in the content. Such analysis can provide more accurate categorization of certain types of content. For example, a page that otherwise has little or no undesirable content, but that links to sites known to have undesirable content, can itself be more accurately categorized. Link analysis is particularly good at finding malicious links embedded in hidden parts of a page, and in detecting pages returned by image servers that link thumbnails to undesirable sites. For more information about how analysis of link neighborhoods can improve coverage, read the Websense Security Labs blog post In Bad Company.

The effectiveness of content categorization and link analysis is quantified in several presentation reports. See Presentation reports, page 133, for more information.

Important

If you plan to generate reports of advanced analysis activity, enable full URL logging (see Configuring how URLs are logged, page 438). Otherwise, log records include only the domain (www.domain.com) of the site categorized, and individual pages within a site may fit into different categories.


If your site uses WebCatcher to report uncategorized URLs to Websense, Inc. (see What is WebCatcher?, page 30), URLs categorized through content categorization are forwarded for inclusion in the Master Database.

To configure content categorization:

1. Go to the Settings > Scanning > Scanning Options page.

2. Select Off to disable content categorization.

3. Select On (default) to enable content categorization.

4. Select Analyze links embedded in Web content to include embedded link analysis in content analysis. Requests that are blocked as a result of link analysis are logged and can be viewed in Scanning Activity presentation reports.

5. When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

The algorithms used to perform content categorization are tuned by Websense Security Labs to provide the best results for most organizations. However, if the Optimized setting does not produce the results you expect, you can adjust the sensitivity level to influence more restrictive or more permissive results. See the Advanced options section of this screen.

Tunneled protocol detection


Related topics:

Scanning options, page 191

Content categorization, page 193

Security threats: Content security, page 195

Security threats: File analysis, page 196

Outbound security, page 202

Advanced options, page 203

Scanning exceptions, page 205

Reporting on advanced analysis activity, page 208

Tunneled protocol detection analyzes traffic to discover protocols that are tunneled over HTTP and HTTPS. Traffic that is allowed to tunnel over specific ports is also analyzed. Such traffic is reported to Filtering Service for protocol-based policy enforcement. When tunneled protocol detection is enabled, analysis is performed on both inbound and outbound traffic, regardless of other scanning settings.

HTTP tunneling occurs when applications that use custom protocols for communication are wrapped in HTTP (meaning that standard HTTP request/response formatting is present) in order to use the ports designated for HTTP/HTTPS traffic. These ports are open to allow traffic to and from the Web. HTTP tunneling allows these applications to bypass firewalls and proxies, leaving a system vulnerable.


The tunneled protocol detection feature analyzes HTTP and HTTPS traffic and, when it detects a protocol, forwards it to Filtering Service for policy enforcement. At this point, a protocol is blocked or allowed based on policy definitions. This feature can be used to block protocols used for instant messaging, peer-to-peer applications, and proxy avoidance. Note that some applications running over HTTP (for example, Google Video) may not display the protocol block page. See Managing access to categories and protocols, page 50, for information about protocol-based policy enforcement.

Note

Tunneled protocol detection is performed before content categorization. As a result, when a tunneled protocol is identified, protocol policy is enforced and content categorization is not performed.

Use the Settings > Scanning > Scanning Options page to enable and configure tunneled protocol detection:

1. Select Off to disable tunneled protocol detection.

2. Select On (default) to analyze all traffic to detect protocols tunneling over HTTP or HTTPS. Such traffic is reported to Filtering Service for policy enforcement.

3. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Use the Settings > Scanning > Scanning Exceptions page to specify trusted sites that are never analyzed (Scanning exceptions, page 205).

Security threats: Content security


Related topics:

Scanning options, page 191

Content categorization, page 193

Tunneled protocol detection, page 194

Security threats: File analysis, page 196

Outbound security, page 202

Advanced options, page 203

Scanning exceptions, page 205

Reporting on advanced analysis activity, page 208

Content Security performs web page content analysis to discover security threats and malicious code in HTTP and HTTPS content (HTTPS when Content Gateway SSL support is enabled).


Use the Settings > Scanning > Scanning Options page to enable and configure content security.

1. Select Off to disable content analysis.

2. Select On (default) to enable content analysis for uncategorized sites and sites with elevated risk profiles, as identified by Websense Security Labs.

3. Select Aggressive analysis to analyze content from sites with elevated risk profiles and also sites with lower risk profiles. This option consumes additional system resources.

4. When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Use the Settings > Scanning > Scanning Exceptions page to specify untrusted or trusted sites that are always analyzed or never analyzed (Scanning exceptions, page 205).

Content analysis sensitivity is tuned by Websense Security Labs to provide the best results for most organizations. However, if the Optimized setting does not produce the results you expect, you can adjust the sensitivity in the Advanced options section.

Security threats: File analysis


Related topics:

Scanning options, page 191

Content categorization, page 193

Security threats: Content security, page 195

Outbound security, page 202

Advanced options, page 203

Scanning exceptions, page 205

Reporting on advanced analysis activity, page 208

File analysis inspects files that users attempt to download or open remotely for viruses and other malicious content. File analysis returns a category to Filtering Service for policy enforcement.

There are 5 types of file analysis. They can be used together.

Advanced Detection applies techniques developed by Websense to discover known and emerging threats, including viruses, Trojan horses, worms, and other malicious content.

Antivirus Scanning uses antivirus definition files to identify virus-infected files.

ThreatScope™ Analysis sends files that fit a profile defined by Websense Security Labs to a cloud-hosted sandbox for activation and observation. If a file is found to be malicious, an email alert is sent to the Web Security alert recipient that contains a description of the threat, a link to a detailed ThreatScope report, and a link to an Investigative Report built from your log database.

ThreatScope is a premium feature available to Web Security Gateway Anywhere subscribers. A full description is included in the step-by-step configuration section, below.

Rich Internet application scanning examines Flash files for malicious content.

FTP file scanning examines inbound FTP files for malicious content.

You can configure the specific types of files to analyze by clicking File Type Options. (Settings do not apply to ThreatScope.)

Note

If file analysis is configured to include multimedia files, sometimes when the streaming media is buffered and analyzed, the connection to the server times out. In such cases, the best remedy is to create an exception for that site. See Scanning exceptions.

Use the Settings > Scanning > Scanning Exceptions page to specify untrusted or trusted sites that are always analyzed or never analyzed (Scanning exceptions, page 205).

Use the Settings > Scanning > Scanning Options page to enable and configure file analysis.

Advanced Detection

1. Select Off to disable file analysis.

2. Select On (default) to enable file analysis on files from uncategorized sites and files from sites with elevated risk profiles, as identified by Websense Security Labs.

3. Select Aggressive analysis to analyze inbound files from sites with elevated risk profiles and from sites with lower risk profiles. This option consumes additional system resources.

Antivirus Scanning

1. Select Off to disable antivirus analysis.

2. Select On (default) to enable antivirus analysis of files from uncategorized sites and files from sites with elevated risk profiles, as identified by Websense Security Labs.

3. Select Aggressive analysis to apply antivirus analysis to inbound files from sites with elevated risk profiles and from sites with lower risk profiles. This option consumes additional system resources.


ThreatScope™ Analysis

This option is available to ThreatScope Cloud Services subscribers only.

1. Select Off (default) to disable ThreatScope analysis.

2. Select On to send qualified executable files to the cloud-hosted sandbox for analysis.

3. Select Submit additional documents to send additional supported file types to ThreatScope for analysis.

A file that qualifies for ThreatScope sandboxing:

Is not classified as “malicious” in the Websense Master Database

Passes all Security Threats: File Analysis analytics

Fits the Websense Security Labs profile for suspicious files

Is a supported file type. Executable files are always supported. See the knowledge base article titled: ThreatScope Supported File Types .

Note

Because the file was not detected as malicious, it was not blocked and has been delivered to the requester.

Important

To receive ThreatScope email messages, which is the only mechanism used by ThreatScope to report malicious files, you must enable and configure email alerts.

Go to Settings > Alerts > Enable Alerts, select Enable email alerts and specify an Administrator email address. Also confirm that your SMTP settings are correct.


Important

The Content Gateway web proxy manages on-premises ThreatScope traffic.

Traffic is sent to:

*.websense.net

*.blackspider.com

The User-Agent is ssbc.

ThreatScope traffic must not be subject to man-in-the-middle decryption.

ThreatScope traffic cannot be challenged for authentication by any device in the network.

Filter.config rules are configured, by default, in Content Gateway. If Content Gateway is in a proxy chain or behind a firewall, those devices may have to be configured to meet the requirements described above.

You can test your configuration to ensure that ThreatScope Analysis is properly configured in your deployment using the link ThreatScope: Malicious App found in the Real-time Analysis Test Pages section of http://testdatabasewebsense.com/
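The network requirements listed for ThreatScope traffic can be checked against the access log of an upstream device in the proxy chain. The following is an added example, not Websense code: the tab-separated log layout, the `tunnel`/`bump` TLS action labels, and the host names under the two domains are constructed for illustration.

```python
import fnmatch
from typing import NamedTuple

# Destinations and User-Agent stated on this help page for ThreatScope traffic.
THREATSCOPE_DOMAINS = ("*.websense.net", "*.blackspider.com")
THREATSCOPE_USER_AGENT = "ssbc"

# Assumed log layout (constructed): one tab-separated record per line.
FIELDS = ("time", "client", "method", "host", "status", "tls_action", "user_agent")

# Constructed sample log from a hypothetical upstream proxy.
SAMPLE_LOG = "\n".join([
    "2014-06-02T10:00:01Z\t10.1.1.5\tCONNECT\tupload.example.websense.net:443\t200\ttunnel\tssbc",
    "2014-06-02T10:00:07Z\t10.1.1.5\tCONNECT\tupload.example.websense.net:443\t407\ttunnel\tssbc",
    "2014-06-02T10:01:12Z\t10.1.1.6\tCONNECT\tReport.Example.BlackSpider.com:443\t200\tbump\tssbc",
    "2014-06-02T10:02:30Z\t10.1.1.9\tCONNECT\twww.example.org:443\t407\tbump\tMozilla/5.0",
    "2014-06-02T10:03:44Z\t10.1.1.9\tCONNECT\tnotwebsense.net:443\t407\tbump\tssbc",
    "malformed line without enough fields",
])


class Finding(NamedTuple):
    line_no: int
    host: str
    problem: str


def normalize_host(host):
    """Lower-case the host and drop a trailing :port and trailing dot."""
    host = host.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host.rstrip(".")


def is_threatscope(host, user_agent):
    """True when both the destination and the User-Agent match the page's description."""
    host = normalize_host(host)
    on_domain = any(fnmatch.fnmatchcase(host, p) for p in THREATSCOPE_DOMAINS)
    return on_domain and user_agent.strip() == THREATSCOPE_USER_AGENT


def audit(log_text):
    """Return (findings, skipped_line_numbers) for ThreatScope requests that
    were challenged for authentication or decrypted by the upstream device."""
    findings, skipped = [], []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            skipped.append(line_no)  # report unparsed lines instead of hiding them
            continue
        rec = dict(zip(FIELDS, parts))
        if not is_threatscope(rec["host"], rec["user_agent"]):
            continue
        host = normalize_host(rec["host"])
        if rec["status"] == "407":  # HTTP 407 Proxy Authentication Required
            findings.append(Finding(line_no, host, "authentication challenge"))
        if rec["tls_action"] == "bump":  # assumed label for man-in-the-middle decryption
            findings.append(Finding(line_no, host, "TLS decrypted"))
    return findings, skipped


if __name__ == "__main__":
    found, unparsed = audit(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.host}: {f.problem}")
    print("unparsed lines:", unparsed)
```

Adapt `FIELDS` and the two checks to the log format of the actual firewall or chained proxy; each finding points at a device rule that needs an exception for this traffic.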

What does a ThreatScope transaction look like?

1. An end user browses to a website and explicitly or implicitly downloads a file.

2. The URL is not categorized as “malicious” and Security Threats: File Analysis does not find the file to be malicious.

3. The file is delivered to the requester.

4. However, the file fits the Websense Security Labs profile for suspicious files and is sent to ThreatScope in the cloud for analysis.

5. ThreatScope analyzes the file, which may take as long as 5 to 10 minutes, but is typically much quicker.

6. If the file is found to be malicious, Content Gateway sends a ThreatScope malicious file detection message to the configured alert recipient. The alert email includes links to the ThreatScope report and an investigative report created from your log records (examples below).

7. Upon receipt of the message, administrators should:

a. Access and evaluate the ThreatScope report for the file

b. Examine the investigative report for the incident

c. Assess the impact of the intrusion in their network

d. Plan and begin remediation

8. Separately, ThreatScope updates the ThreatSeeker® Intelligence Cloud with information about the file, the source URL, and the command and control targets.

9. ThreatSeeker updates the Websense Master Database, ACE analytic databases, and other security components, which are then pulled by Websense deployments.

10. The next time someone tries to browse the site, they and the organization are protected by their Websense Web Security deployment.

ThreatScope alert messages and reports

When Content Gateway learns that ThreatScope has detected a malicious file, it sends a ThreatScope alert email to the configured administrator. The message is plain text. An example is shown below.

In the body, the User field includes the user name only if Content Gateway user authentication was used to identify the client. Otherwise, the client IP address appears in the field.

Two links are included. The first links to a detailed ThreatScope report on the file and its malicious contents. The second launches an investigative report, using your log records, for the time period in which the file download occurred. Depending on your browser, you may have to enable popups to allow the report to be displayed. Also note that you may receive the ThreatScope alert message before Web Security Gateway Anywhere has written all of the transaction records in the Log Database. Periodically refresh the report to include pending records.

A typical alert message looks like:


Here is an example of a portion of a ThreatScope report:


Rich Internet application scanning

Select Scan rich Internet applications to analyze Flash files for malicious content.

FTP file scanning

Select Scan FTP files to analyze files that are downloaded with the FTP protocol. (FTP over HTTP file downloads and uploads are subject to the HTTP/HTTPS file scanning settings.) To be meaningful, this option requires that Content Gateway be configured to proxy FTP traffic. See the Content Gateway Manager Help.

Note

The Scan rich Internet applications and Scan FTP files options are available only when Advanced Detection is enabled. When the Advanced Detection file analysis feature is turned off, the rich Internet application scanning feature is disabled and the check box is cleared.

File Type Options

1. To specify the types of files to analyze, click File Type Options. As a best practice, analyze all suspicious files, as identified by Websense Security Labs, and all executable and unrecognized files.

2. To always analyze files having a specific extension, select Files with the following extensions, enter the extension in the entry field and click Add.

To remove an extension from the list, click on the extension to select it, and click Delete.

When you are done configuring file analysis options, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Several presentation reports provide details about attempts to download files containing security risks. These reports are listed in the Report Catalog only after analysis activity has detected sites whose activity has changed since it was assigned a Master Database category. See Presentation reports, page 133, for more information.

See Managing traffic based on file type, page 287, for information about blocking files based on type and URL category.

Outbound security

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Scanning options, page 191
Content categorization, page 193
Security threats: Content security, page 195
Security threats: File analysis, page 196
Scanning exceptions, page 205
Reporting on advanced analysis activity, page 208
Advanced options, page 203

Outbound security:

Provides outbound analysis that mirrors your inbound Security Threats configuration. This option also supports Web Security social web controls.

Performs specialized data theft protection, analyzing for and blocking outbound custom encrypted files, password files, and other forms of sensitive data (see number 2, below).

1. Enable Analyze for and block outbound security threats (default) to analyze outbound content for threats like bot and spyware phone home traffic. This option performs outbound analysis that mirrors your inbound Security Threats configuration.

Important

This option must be enabled to support social web controls.

2. Enable Data theft protection (default) to analyze and block:

a. Outbound custom encrypted files that are posted to uncategorized sites and suspicious destinations, as defined by Websense Security Labs.

b. Password files and files containing sensitive or suspicious data, regardless of the destination.

The results of analysis are reported to the Threats dashboard, and are included in transaction logs and reports.

Advanced options

Related topics:

Scanning options, page 191
Content categorization, page 193
Security threats: Content security, page 195
Security threats: File analysis, page 196
Outbound security, page 202
Scanning exceptions, page 205
Reporting on advanced analysis activity, page 208

Use these options to:

Set the sensitivity level of Content Categorization and Content Security analysis

Set the analysis time limit*

Set the analysis size limit*

Enable stripping of specific types of code from HTML content*

*These settings apply to all incoming traffic.

Content categorization and scanning sensitivity level

The algorithms used to perform content categorization and content analysis are tuned by Websense Security Labs to provide optimal results for most organizations. However, if the Optimized setting does not produce the results you expect, you can adjust the sensitivity level to produce more restrictive or more permissive results.

There are 5 sensitivity levels.

Optimized is the sensitivity level tuned by Websense Security Labs.

More Stringent and Most Stringent raise analytic sensitivity.

Less Stringent and Least Stringent reduce analytic sensitivity.

When you are finished, click OK to cache your changes.

Changes are not implemented until you click Save and Deploy.

Scanning timeout

Each content or file analysis consumes a variable amount of time that cannot be determined before analysis begins. By default, to ensure a good user experience, analysis is limited to 1.5 seconds (1500 milliseconds). To adjust the timeout, select Custom and enter a value within the range 500 - 10000 (milliseconds).

Scan size limit

The scan size limit is the threshold up to which analysis is performed. Analysis stops when the threshold is reached. The default is 10 MB. To change the value, select Custom and enter a size in megabytes.

Content delay handling

Depending on the Content Gateway configuration and load conditions, very large files, streamed transactions, and slow origin servers can leave clients waiting for content.

The options in this section provide a tool for delivering a portion of buffered content to the client before analysis is performed. Analysis begins when all data is received or the scan size limit is exceeded.

Use Begin returning data to the client after to specify a time period after which a percentage of buffered data is released to the client. The default is 30 seconds. Select Custom to enter another value.

Use Specify how much data to return to the client to specify the percentage of buffered data to release to the client. The default is 80 percent. Select Custom to enter a different value, up to 90 percent.

Content stripping

Threats to your system can be hiding in active content sent via web pages. Active content is content that is embedded in the HTML page that performs actions, such as running an animation or a program.

The content stripping options make it possible to specify that content in particular scripting languages (ActiveX, JavaScript, or VB Script) be stripped from incoming web pages. If content stripping is enabled, all content in the specified scripting languages is removed from sites flagged as containing dynamic content or appearing on the Always Scan list (see Scanning options, page 191).

Content is removed only after the advanced analysis options have categorized the site and Filtering Service has determined which policy applies.

Warning

Web pages that rely on active content that has been stripped do not function as expected. To permit full access to sites that require active content, disable content stripping or add the sites to the Never Scan list.

The user requesting a page with active content does not receive any notification that content has been removed.

Use the Settings > Scanning > Scanning Options > Advanced Options area to set content stripping options.

1. In the Advanced Options > Content Stripping area, select the types of scripting languages to be removed from incoming web pages.

To disable content stripping for a selected language, clear the associated check box.

2. When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Warning

Content stripping can result in some content being garbled and unreadable. You can reduce the number of such occurrences by making a small change to the Content Gateway configuration.

1) Open the Content Gateway manager and go to the Configure > Protocols > HTTP > Privacy tab.

2) In the Remove Headers > Remove Others field, add: Accept-Encoding

3) Click Apply and restart Content Gateway.

Scanning exceptions

Related topics:

Scanning options, page 191
Content categorization, page 193
Security threats: Content security, page 195
Security threats: File analysis, page 196
Outbound security, page 202
Advanced options, page 203

Scanning exceptions are lists of trusted or untrusted sites (hostnames and URLs) that are never analyzed or always analyzed. The type of analysis to never or always perform is specified per hostname or URL, or group of hostnames and URLs.

You can also create a list of trusted client IP addresses whose content is never analyzed.

For an introduction to scanning options, see Content Gateway Analysis, page 189.

Use the Always Scan and Never Scan lists to refine the behavior of content categorization, tunneled protocol detection, security threats (content analysis and file analysis), and content stripping.

When Content Categorization, Content Security, or File Analysis options are On, sites on the Always Scan list are always analyzed, and sites on the Never Scan list are never analyzed (see Scanning options, page 191).

When the Tunneled Protocol Detection option is On or Aggressive analysis is selected, sites on the Never Scan list are never analyzed.

Use the Never Scan list with caution. If a site on the list is compromised, Websense Web Security Gateway does not analyze the site and cannot detect the security problem.

Hostname/URL Exceptions

To add sites to the Always Scan or Never Scan lists:

1. Click the Add Hostname/URL button.

You can specify a site in several ways, and you can specify more than one hostname or URL at a time.

You can enter a simple hostname, for example, thissite.com. Be sure to enter both the hostname and the extension (thissite.com and thissite.net are distinct hosts).

Sites with multiple labels are supported. For example: www.bbc.co.uk

You can use the wild card “*” to match leading subdomains only. For example: *.yahoo.com.

You can enter a complete or partial hostname or URL. The leading scheme “HTTPS://” is not required. An exact match is performed on the specified string. For example: www.example.com/media/ Or: www.youtube.com/watch?v=

2. After entering a single hostname/URL or a group of them, select the scanning options that apply to all of the sites you have entered. You can select one or more options.

To apply different options to different sites, enter the names separately.

A site can appear in only 1 of the 2 lists. You cannot, for example, specify that the same site should never be analyzed for tunneled protocols and always analyzed for content categorization.

Click OK to add the entry.

3. To delete a site from a list, select the site and click Delete.

4. When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

To change the scanning options associated with a site:

1. Select the site in the list and adjust the options.

2. When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Client Exceptions

Use the Client Exceptions list to identify trusted users (client IP addresses) whose content is never analyzed.

To add an IP address to the list:

Click in the Enter clients box and enter an IP address or IP address range. For example, 10.201.67.245, or 10.201.67.245 - 10.201.67.250.

Click the right arrow (>) to move the address to the list.

To edit an entry:

Select the entry in the list and click Edit.

Make the desired changes and click OK.

To delete an entry:

Select the entry from the list and click Delete.

When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Data files used with scanning

Analysis uses a set of data files to support its work. These files are updated regularly by Websense Security Labs and made available on the Websense download server.

Websense Content Gateway checks for updated analytic data files at regular intervals.

The name and version of each file are displayed in the Content Gateway manager on the Monitor > MyProxy > Summary page.

Data file updates occur independently of Websense Master Database updates (including real-time database updates and Real-Time Security Updates).

Every time the ./WCGAdmin start command is run, a data file check and download is performed. If the download fails, a new download is attempted every 15 minutes until a successful download results.

The default interval for database update checks is 15 minutes. This is the recommended setting. Longer intervals increase the window of vulnerability to emerging, zero-day exploits.

You can change the polling interval by editing the PollInterval value in the /opt/bin/downloadservice.ini file on the Content Gateway machine. After editing the downloadservice.ini file, you must stop and restart Content Gateway from the command line:

/opt/WCG/WCGAdmin restart

Reporting on advanced analysis activity

Related topics:

Scanning options, page 191
Content categorization, page 193
Security threats: File analysis, page 196
Content stripping, page 204

After you install Websense Content Gateway and enter a key that enables the advanced analysis features, you can see and analyze the effects of these features on the dashboard, and with presentation and investigative reports.

On the Usage dashboard, by default, 2 charts tally requests to Web 2.0 sites over the past 30 days:

Web 2.0 Categories

Web 2.0 URL Bandwidth

See The Web Security Dashboard, page 33, for information about customizing the charts or moving them to a different dashboard tab.

On the Presentation Reports page, the Scanning Activity group contains reports that focus on Web 2.0 browsing and analysis activity, including recategorization that results from content categorization. There is also a report that tracks page blocks that result from link analysis.

Important

Enable full URL logging (see Configuring how URLs are logged, page 438) to ensure that reports of analysis activity are meaningful. Otherwise, reports can display only the domain (www.domain.com) of the site categorized, even though individual pages within the site may fall into different categories, or be recategorized for different reasons.

You can copy a security or analysis report template to create a custom report. You can then edit the report filter to refine the information included when you generate that custom report.

Some security threat reports include a Threat ID column. You can click the individual threat ID to open a Websense Security Labs web page that describes the type of threat identified.

Other presentation reports can contain information on analysis activities, as well as general policy enforcement. For example, the Detail of Full URLs by Category report, found in the Internet Activity group of the Report Catalog, provides a detailed listing of each URL accessed within each category. To make a report that is specific to advanced analysis, copy the Detail of Full URLs by Category report, and edit the report filter for the new custom report. On the Actions tab, select only permitted and blocked actions that relate to analysis. On the Options tab, change the report catalog name and report title to identify this as an advanced analysis report. For example, you might change the name and title to Advanced Analysis: Detail of Full URLs by Category.

Investigative reports can also be used to gain insight into advanced analysis activities.

1. In the Internet use by drop-down list, select Action.

2. In the resulting report, click an action, such as Category blocked real time, to show a list of drill-down options.

3. Click the desired drill-down option, such as Category or User.

4. Click the Hits value or the bar on any row to see related detail.

5. Click Modify Report, at the top of the page, to add the Full URL column to the report.

See Investigative reports, page 155, for details on using all the investigative reports features.

How analysis activity is logged

There are important differences in the way that general Internet activity and advanced analysis activity are logged.

For general Internet activity, you have several options to reduce the size of the Log Database.

Enable visits to log only one record for each website requested. See Configuring Log Server, page 424.

Enable consolidation to combine into a single log record multiple requests with certain common elements. See Configuring Log Server, page 424.

Disable full URL logging to log only the domain name (www.domain.com) for each request, and not the path to the specific page in the domain (/products/productA). See Configuring how URLs are logged, page 438.

Note

If your organization needs reports that include the full URL of each site visited, you should leave full URL logging enabled. Otherwise, reports will include only the domain (www.domain.com) of the site categorized, even though individual pages within the site may fall into different categories, or be recategorized for different reasons.

Configure selective category logging to limit logging to only those categories that are required for your organization. See Configuring how requests are logged, page 422.

Note

Enabling visits, consolidation, or selective category logging will impact the accuracy of Internet Browse Time.

Advanced analysis features, however, are bound only partially by these settings. When a site is analyzed, 2 separate log records are created.

Standard log records take advantage of any size reduction settings that have been implemented, and are available for all reporting tools.

Advanced analysis records ignore most size reduction settings. Every separate hit is logged, requests to all categories are logged, and no records are consolidated. These records are generated regardless of whether the site is blocked or permitted as a result of analysis. Only the setting for full URL logging is honored for advanced analysis records. Advanced analysis records are used to populate the Threats dashboard and presentation reports that focus on the results of Content Gateway analysis (like those described in Reporting on advanced analysis activity, page 208).

If you have enabled any Log Database size reduction options, the numbers that appear on the Threats dashboard and in presentation reports on Content Gateway analysis may not match those that appear in standard investigative and presentation reports, even when the reports are configured for the same users, time periods, and categories.

For example, if you have chosen to log visits, and a user requests a site analyzed by scanning features, that user request appears as one visit in standard reports, but may show as multiple hits in advanced analysis reports.

To see comparable data for standard activity and advanced analysis, disable the Log Database size reduction settings. Because this may result in a very large and fast-growing database, make sure that the Log Database machine has adequate hard disk, processing, and memory capacity.

See Reporting Administration, page 419, for more information on configuring size reduction settings. See Presentation reports, page 133, and Investigative reports, page 155, for information on generating reports.

SSL decryption bypass

When SSL support is enabled in Content Gateway to manage encrypted traffic:

Category settings can be used to specify categories of websites for which decryption and inspection are bypassed.

A list of client IP addresses and IP address ranges can be created to specify trusted clients for which decryption and inspection are bypassed.

A list of destination hostnames, IP addresses, and IP address ranges can be created to specify trusted destination servers for which decryption and inspection are bypassed.

Note

There is a known limitation with Internet Explorer version 8 (IE8) that prevents some sites from being bypassed as expected. IE8 does not send a Server Name Indicator (SNI), and when the hostname in the origin server certificate includes a wildcard (*), the common name and the hostname don’t match. As a result, the category lookup is performed on the destination IP address.

Category settings

For Category settings, a predefined Privacy Category group includes categories that may be subject to regulatory requirements.

Default privacy categories include:

Education

Financial Data and Services

Government

Health

Online Brokerage and Trading

Prescribed Medications

Traffic that involves websites in these categories may include personal identification information that should not be decrypted. In order to avoid liability for inspecting this type of information, you may want to specify some or all of these categories for decryption bypass. End users can determine that the website they are viewing is not decrypted by verifying that the certificate is the original for that site.

Use the Settings > Scanning > SSL Decryption Bypass page to select the default privacy categories for SSL decryption bypass:

1. Click the Select Privacy Categories button. Check boxes for the website categories that constitute the default group are selected in the Category Bypass box.

2. Click the arrow to the right of the category tree to add the privacy categories to the Categories selected for SSL decryption bypass box.

You can create your own set of categories for SSL decryption bypass. On the SSL Decryption Bypass page, specify individual website categories for which decryption is not performed:

1. Click a check box to select a category or subcategory for bypass.

2. Click the arrow to the right of the category tree to enter the selected category into the Categories selected for SSL decryption bypass box.

To clear your selections from the category tree, click the Clear All button.

To remove a category or subcategory from the list, select the category and click the Remove button.

Client list

To identify a client IP address or IP address range for SSL decryption bypass:

1. Click Add and enter the client IP address or IP address range in the Add Client Entry box, one entry per line.

When specifying an IP address range, use a “-” (hyphen) to separate the first address from the last.

Prior to 7.8.4, IPv6 addresses are valid with explicit proxy traffic only.

2. To facilitate maintenance of the list, add a description that identifies the entry.

3. Click OK to add the entries to the list.

To modify an entry, click on the IP address and modify the entry in the Edit Client Entry box. Click OK to save your changes or Cancel to close the dialog box without saving your changes.

To remove an entry from the list, select the check box adjacent to the entry and click Delete. Confirm the action.

When you are finished, click OK to cache your changes.

Changes are not implemented until you click Save and Deploy.

Destination list

To specify a destination hostname, IP address, or IP address range for SSL decryption bypass:

1. Click Add and enter the hostname, IP address, or IP address range in the Add Destination Entry box, one entry per line. For example: thissite.com.

Be sure to enter both the hostname and the TLD (top level domain). For example, thissite.com and thissite.net are distinct hosts.

Hosts with subdomains are supported. For example: media.example.com.

Include the wild card “*” to match leading subdomains. For example: *.example.com.

The protocol (HTTPS://) is not needed.

Use a “-” (hyphen) to separate the first and last address in an IP address range.

Prior to 7.8.4, IPv6 addresses are valid with explicit proxy traffic only.

2. To facilitate maintenance of the list, add a description that clearly identifies the entry.

3. Click OK to add the entries to the list.

To modify an entry, click on the hostname or IP address and modify the entry in the Edit Destination Entry dialog box. Click OK to save your changes or Cancel to close the dialog box without saving your changes.

To remove an entry, select the check box adjacent to the entry and click Delete. Confirm the action.

When you are finished, click OK to cache your changes.

Changes are not implemented until you click Save and Deploy.
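An added example, not part of the Websense documentation or product: a Python review aid that parses client and destination bypass entries in the formats described above (hostname with TLD, leading "*." wildcard, single address, hyphen-separated range) and flags entries that deserve a second look before they are exempted from decryption. The (entry, description) input pairs, the sample data and the MAX_SPAN threshold are assumptions made for the example; the console's own storage format is not described on this page.

```python
import ipaddress

MAX_SPAN = 256  # assumed review threshold for one range, not a product limit


def _ip(text):
    """Parse one IPv4 or IPv6 address, or return None."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def classify(entry):
    """Return (kind, detail) for one bypass list entry.

    kind is 'ip', 'range', 'host', 'wildcard' or 'invalid'. detail is the
    number of addresses covered (ip, range), the normalized hostname
    (host, wildcard) or the reason the entry was rejected (invalid).
    """
    text = entry.strip()
    lowered = text.lower()
    for scheme in ("https://", "http://"):
        if lowered.startswith(scheme):      # the protocol is not needed
            text = text[len(scheme):]
    if _ip(text) is not None:
        return "ip", 1
    if "-" in text:                          # hyphen separates first and last
        first, _, last = text.partition("-")
        lo, hi = _ip(first), _ip(last)
        if lo is not None and hi is not None:
            if lo.version != hi.version:
                return "invalid", "range mixes IPv4 and IPv6"
            if int(lo) > int(hi):
                return "invalid", "range start is above range end"
            return "range", int(hi) - int(lo) + 1
    host = text.rstrip(".").lower()
    wildcard = host.startswith("*.")         # only a leading wildcard is described
    labels = (host[2:] if wildcard else host).split(".")
    valid = len(labels) >= 2 and all(
        l.replace("-", "").isalnum() and l.isascii() and len(l) <= 63
        and l[0] != "-" and l[-1] != "-" for l in labels)
    if not valid:
        return "invalid", "not an address, range or hostname with TLD"
    return ("wildcard" if wildcard else "host"), host


def audit(entries):
    """entries: (entry, description) pairs. Returns (entry, severity, message)."""
    parsed = [(e, d, *classify(e)) for e, d in entries]
    wildcards = sorted(det[2:] for _, _, kind, det in parsed if kind == "wildcard")
    findings = []
    for entry, description, kind, detail in parsed:
        if kind == "invalid":
            findings.append((entry, "error", detail))
            continue
        if kind == "range" and detail > MAX_SPAN:
            findings.append((entry, "warn", f"{detail} addresses bypass decryption"))
        if kind == "wildcard":
            findings.append(
                (entry, "review", f"all subdomains of {detail[2:]} bypass decryption"))
        if kind == "host":
            for base in wildcards:
                if detail.endswith("." + base):
                    findings.append((entry, "info", f"already covered by *.{base}"))
        if not description.strip():
            findings.append((entry, "warn", "no description recorded"))
    return findings


# Constructed sample list (not taken from any real deployment).
SAMPLE = [
    ("thissite.com", "Payroll provider"),
    ("HTTPS://media.example.com", "Video CDN"),
    ("*.example.com", ""),
    ("10.201.67.245 - 10.201.67.250", "Finance workstations"),
    ("10.0.0.0 - 10.0.255.255", "Temporary, ticket pending"),
    ("thissite", "Missing TLD"),
    ("10.201.67.250 - 10.201.67.245", "Reversed range"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Whether a wildcard entry also covers the bare domain is not stated on this page, so the check reports only hostnames that sit below an existing wildcard.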

10

Configure the Hybrid Service

Websense Web Security Gateway Anywhere is a flexible, comprehensive security solution that lets you combine on-premises and hybrid (in-the-cloud) policy enforcement as needed. You decide which method to use for which clients.

An organization might use the robust on-premises software to provide web security for the main office or campus, while smaller regional offices or satellite locations send their Internet requests through the hybrid service. The hybrid service is also useful for users who are off-network, such as telecommuters, those who travel for business, and so on (see Hybrid service management of off-site users, page 253).

With Web Security Gateway Anywhere, you define clients and create policies for on-premises and hybrid Internet access management in the same user interface, the TRITON console, which also offers centralized configuration and reporting.

To use the hybrid service:

1. Activate your hybrid service account, page 216

2. Define filtered locations, page 217

3. Specify sites not managed by the hybrid service, page 222 (if any)

4. Configure user access to the hybrid service, page 224

5. Identification of hybrid users, page 328

6. Send user and group data to the hybrid service, page 231

In order to ensure that the hybrid service has current policy, user, and group information, and that the on-premises reporting software has reporting data from users managed by the hybrid service, see Schedule communication with the hybrid service, page 239.

Activate your hybrid service account

Related topics:

Define filtered locations, page 217
Specify sites not managed by the hybrid service, page 222
Configure user access to the hybrid service, page 224
Send user and group data to the hybrid service, page 231
Schedule communication with the hybrid service, page 239

Before you can configure the hybrid service to start managing Internet requests for your organization, you must activate your hybrid account by submitting a contact email address. This creates a connection between the on-premises and hybrid portions of Websense Web Security Gateway Anywhere.

Use the Hybrid Filtering section of the Settings > General > Account page to provide the contact email address and country for your Web Security administrators (see Configuring your account information, page 25).

The email address is typically an alias monitored by the group responsible for managing web security for your organization. It is very important that email sent to this account be received and acted upon promptly.

Websense Technical Support uses this address to send out notifications about urgent issues affecting the hybrid service.

If there is a configuration problem with your account, failure to respond to an email message from Technical Support in a timely fashion could lead to service interruptions.

Should certain rare problems occur, the email address is used to send the information needed to allow Sync Service to resume contact with the hybrid service.

This email address is not used to send marketing, sales, or other general information.

The country you enter provides the system with time zone information.

Once you have activated the hybrid service for your account, you can specify which locations (identified by IP address, IP address range, or subnet) are managed by the hybrid service, how information is exchanged between the on-premises and hybrid portions of your Web security software, how users managed by the hybrid service are authenticated, and more.

Define filtered locations

Related topics:

Specify sites not managed by the hybrid service, page 222
Configure user access to the hybrid service, page 224
Schedule communication with the hybrid service, page 239

Use the Settings > Hybrid Configuration > Filtered Locations page to review, add, or edit information about the locations whose user requests are sent to the hybrid service.

A filtered location is the external IP address, IP address range, or subnet from which Internet requests appear to originate when seen by the hybrid service. In Web Security Gateway Anywhere deployments, hybrid policy enforcement can be applied to off-site users, regardless of how requests from those users are managed when they are in-network.

For users managed by the hybrid service both in and outside the network, enter their in-network location details and specify that the location is managed by the hybrid service. When off-site users make an Internet request, they are prompted to log on to the hybrid service so that the appropriate user or group-based policy can be applied.

Because the hybrid service is hosted outside your network, any locations managed by the hybrid service must be external addresses, visible from the Internet.

Locations managed by the hybrid service:

Are public-facing IP addresses for offices using Web Security Gateway Anywhere

Are often the external address of your Network Address Translation (NAT) firewall

Could include branch offices, remote sites, or satellite campuses

These locations are NOT:

IP addresses of individual client machines

The IP address of any Content Gateway machine used by the on-premises components of Websense Web Security Gateway Anywhere

For users whose requests are managed by on-premises components (Filtering Service) when they are inside the network, you can configure the browser PAC file to determine whether the user is in-network or off-site before forwarding an Internet request.

If you are using the PAC file generated by the hybrid service, this configuration occurs automatically based on the settings that you provide on the Filtered Locations page. Specify that these users are managed by local Websense software and define whether their on-premises policy enforcement is through a firewall-integrated or transparent proxy (for example, Content Gateway in transparent mode), or an explicit proxy. If Internet requests from in-network machines at a specified location pass through an explicit proxy, you provide the proxy location (hostname or IP address) and port to ensure requests are routed properly for users at that location.

Each location that you define appears in a table that combines a name and description with technical configuration details, including the selected proxy mode, the type of location (single IP address, IP address range, or subnet), and the actual external IP address or addresses from which requests originate.

To edit an existing entry, click the location Name, and then see Adding or editing filtered locations, page 218.

To define a new location, click Add, and then see Adding or editing filtered locations, page 218.

To remove a location, mark the check box next to the location name, and then click Delete.

To add and edit on-premises explicit proxies for use with filtered locations, click Manage Explicit Proxies, then see Managing explicit proxies, page 220.

If you have added or edited a location entry, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Adding or editing filtered locations

Use the Filtered Locations > Add Filtered Location or Edit Filtered Locations page to:

Define a location that is either managed by the hybrid service (like a branch office, remote site, or satellite campus), or that contains users managed by the hybrid service when off site.

Change the way a location managed by the hybrid service is defined.

To define a filtered location, or update an existing entry:

1.

Enter, review, or update the location Name. The name must be unique, and have between 1 and 50 characters. It cannot include any of the following characters:

* < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

Names can include spaces, dashes, and apostrophes.

2.

Enter, review, or update the short Description of the location (up to 255 characters). This appears next to the location name on the Filtered Locations page, and should clearly identify the location to any administrator.

The character restrictions that apply to names also apply to descriptions, with 2 exceptions: descriptions can include periods (.) and commas (,).

3. Select or verify the Time zone of the filtered location. Time zone information is used in applying policies, to ensure that the correct filters are applied at the appropriate time.

Each location whose requests go through the hybrid service can have a different time zone setting. Locations with transparent or explicit proxies use the time zone of the machine on which Filtering Service is running as the time zone for policy enforcement.

4. In the Type field, indicate or verify the method used to define this location: IP address, IP address Range, or Subnet.

If you are providing a subnet, specify whether you are identifying it By bit range (CIDR) or By subnet mask, and then select a bit range or mask.

5. Enter, verify, or update the external IP address, range, or subnet of the firewall or firewalls through which filtered clients at this location access the Internet.

For locations managed by the hybrid service, these are external IP addresses, visible from outside your network, and not internal (LAN) addresses.

Important

Do not enter private IP addresses (in the ranges 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255) to identify locations managed by the hybrid service. Because these addresses are not visible from outside your network, and are used within multiple local area networks, the hybrid service does not accept private IP addresses as valid entries.

Do not include the IP address of any Content Gateway machine used by the on-premises components of Websense Web Security Gateway Anywhere.

External IP addresses must be unique to your organization, not shared with any other entity, so that the hybrid service is able to associate requests originating from these locations with the policies belonging to your organization.

6. Specify, verify, or update how the requests from the location are managed: using the hybrid service, or by local Websense software.

7. If the site is managed by local Websense software, select, verify, or update the proxy mode for this location: using a Transparent proxy, or an Explicit on-premises proxy.

If you select Explicit, there must be at least one proxy defined in the Explicit proxy configuration table. To add a new explicit proxy to the table, click Add, select a proxy location and preference order from the popup window, then click OK. See Managing explicit proxies, page 220, for more information on the available explicit proxies.

The filtered location uses the first proxy on the list. If that proxy is not available, web requests from the filtered location are redirected to the next proxy on the list.

To change the order, select any proxy on the list and then click Move Up or Move Down to change its position in the list.

To remove a proxy from the table, mark the check box next to the proxy name, and then click Delete. The deleted proxy is no longer available for this filtered location, but can still be selected for other filtered locations.

8. Click OK to return to the Filtered Locations page, and then click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.

Managing explicit proxies

Use the Filtered Locations > Manage Explicit Proxies page to review, add, and edit the on-premises explicit proxies available for use with filtered locations.

Each explicit proxy that you define appears in a table that displays a proxy name, its IP address or hostname, the port number or numbers used for HTTP, SSL, or FTP access, and the filtered locations (if any) that currently reference the proxy.

To edit an existing entry, click the proxy Name, and then see Adding or editing an explicit proxy, page 220.

To define a new explicit proxy, click Add, and then see Adding or editing an explicit proxy, page 220.

To remove a proxy, mark the check box next to the proxy name, and then click Delete.

Note

You cannot delete a proxy that is being used by one or more filtered locations. If you wish to delete a proxy, first edit each filtered location to remove the proxy from the Explicit Proxy Configuration table.

Adding or editing an explicit proxy

When managing explicit proxies, use the Add Explicit Proxy or Edit Explicit Proxy page to define or update information about an on-premises explicit proxy to be used for your filtered locations.

1. Enter, verify, or update the proxy Name. The name must be unique, and have between 1 and 50 characters. It cannot include any of the following characters:

* < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

Names can include spaces, dashes, and apostrophes.

2. Enter, verify, or update the IP address or name of the explicit proxy. This must be in one of the following forms:

An IP address (for example 123.45.67.89)

A hostname (for example my.example.com)

The IP address or name can include a port number, for example 123.45.67.89:443.

3. Enter or update the proxy port or ports. There must be at least one port number for the proxy. This can be an HTTP port, an SSL port, or an FTP port.

4. Click OK to return to the Manage Explicit Proxies page.

Configuring failover to the hybrid service

For filtered locations that use explicit proxies, you can configure failover to the hybrid service. This ensures that users are able to access the Internet and policy enforcement always occurs in the event that your other proxies are unavailable.

Failover to the hybrid service for a filtered location must be approved, to ensure that Websense services can provision the correct number of users at the data center nearest to your location. Once failover for a filtered location has been approved, it does not need to be re-approved if you change the failover details or later disable and then re-enable failover.

To configure failover to the hybrid service:

1. On the Hybrid Configuration > Filtered Locations page, select a filtered location name to edit it. This must be a location managed by local Websense software with the proxy mode set to Explicit.

2. Click Advanced.

3. Mark Enable failover to hybrid service.

4. Enter the Number of users filtered by this filtered location.

5. Select the Nearest data center to the filtered location.

6. Click OK to return to the Filtered Locations page, and then click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.

When failover for a filtered location is approved, an alert appears on the System dashboard and on the Status > Alerts page. You can view the approval status of all failover requests on the Status > Hybrid Service page.

Note

If automatic proxy caching is disabled in Internet Explorer, end users may notice a delay on every page they visit as the browser checks the list of proxies. When automatic proxy caching is enabled, the browser checks the proxy list only on startup. For more information, see the Microsoft article at http://support.microsoft.com/kb/271361 .

Specify sites not managed by the hybrid service

Related topics:

Define filtered locations, page 217

Send user and group data to the hybrid service, page 231

Schedule communication with the hybrid service, page 239

Use the Settings > Hybrid Configuration > Unfiltered Destinations page to review, add, or edit information about target sites to which you want to grant clients unrestricted access. Clients can access these sites directly, without sending the request to either the hybrid service or an on-premises explicit proxy in a filtered location, if used. Typical unfiltered destinations include organizational webmail sites, internal IP addresses, and Microsoft update sites.

Tip

As a best practice, add your organization’s webmail address as an unfiltered destination. This ensures that:

You can access messages from Technical Support in situations that cause your proxy or the hybrid service to block all requests.

Off-site users who have forgotten (or not created) their hybrid service password can retrieve it via email.

Destinations listed here are added to the Proxy Auto-Configuration (PAC) file that defines how users’ browsers connect to the hybrid service (see Configure user access to the hybrid service, page 224). By default, the PAC file excludes all non-routable and multicast IP address ranges from policy enforcement. Therefore, if you are using private IP address ranges defined in RFC 1918 or RFC 3330, you need not enter them here.

Each unfiltered destination that you define appears in a table that combines a name and description with technical configuration details, including how the destination is defined (as an IP address, domain, or subnet), and the actual IP address, domain, or subnet that users can access directly.

To edit an existing entry, click the location Name, and then see Adding or editing unfiltered destinations, page 223.

To define a new location, click Add, and then see Adding or editing unfiltered destinations, page 223.

To remove an unfiltered destination, mark the check box next to the destination name, and then click Delete.

If you have added or edited an unfiltered destination entry, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Adding or editing unfiltered destinations

Use the Unfiltered Destinations > Add Unfiltered Destination or Edit Unfiltered Destination page to define or change the URL or URLs that users can access directly, without sending a request to the hybrid service or an on-premises explicit proxy.

1. Enter, verify, or update the destination Name. The name must be unique, and have between 1 and 50 characters. It cannot include any of the following characters:

* < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

Names can include spaces, dashes, and apostrophes.

2. Enter, verify, or update the short Description of the destination. This appears next to the unfiltered destination name on the Unfiltered Destinations page, and should clearly identify the target site or sites to any administrator.

The character restrictions that apply to names also apply to descriptions, with 2 exceptions: descriptions can include periods (.) and commas (,).

3. In the Type field, indicate, verify, or update how you want to define this destination: as an IP address, Domain, or Subnet.

If you are providing a subnet, specify whether you are identifying it By bit range (CIDR) or By subnet mask, and then select a bit range or mask.

4. Enter, verify, or update the IP address, domain, or subnet that you want users to be able to access without sending the request to the hybrid service or an on-premises explicit proxy.

5. Select or verify the Proxy type that this unfiltered destination applies to.

Select Hybrid to enable all hybrid users to access the destination directly without sending a request to the hybrid service.

Select Explicit to enable all users in filtered locations using an on-premises explicit proxy to access the destination directly.

Select Hybrid and Explicit to enable all users managed by the hybrid service and an on-premises explicit proxy from a filtered location to access the destination directly.

6. Click OK to return to the Unfiltered Destinations page, and then click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.

Configure user access to the hybrid service

To use the hybrid service for policy enforcement, you must configure how users connect to and are managed by the hybrid service. To do so, select Settings > Hybrid Configuration > User Access.

The Proxy Auto-Configuration (PAC) File section shows the URL from which users’ browsers retrieve the PAC file (see What is a PAC file?, page 229).

The PAC file defines which requests the browsers send to the hybrid service, and which are sent directly to the target site (see Specify sites not managed by the hybrid service, page 222). The PAC file also contains information about filtered locations, and the proxy configuration for any locations that manage Internet access for their users through an explicit or transparent proxy when on-premises, so that traffic can be routed properly at all locations.

Note

The exact mechanism for configuring a user’s browser to use the PAC file depends on the browser and your network environment. For example, if you are using Microsoft Active Directory and Internet Explorer or Mozilla Firefox, you might want to automate the process by using group policies.

The default PAC file is retrieved over port 8082. If users request this PAC file from a location where port 8082 is locked down, they cannot access it. In this case, use the second PAC file address in this section, which enables the user to access the PAC file and hybrid service over port 80. Remote users should also use the PAC file address for port 80 if requesting access from a network that has port 8081 locked down. Even if they can access the PAC file on port 8082, port 8081 is the standard port required to be able to use the hybrid service.

Note

If you are using PingFederate as the identity provider for single sign-on, available beginning with 7.8.4, the PAC file defined for port 8082 is the only PAC file that can be used.

Note

PAC files for older versions of Web Security Gateway Anywhere use a different URL than the one displayed on the User Access page. If you have deployed a PAC file for an older version, there is no need to change the URL unless you wish to. PAC file URLs provided with earlier versions of Web Security Gateway Anywhere continue to work.

Use the Availability section to specify whether all Internet requests should be permitted or blocked when the hybrid service is unable to access policy information for your organization.

Under Time Zone, use the drop-down list to select a default time zone to use when applying policies in the following situations:

For users connecting to the hybrid service from an IP address that is not part of an existing filtered location (see Define filtered locations, page 217)

The default time zone is used, for example, by off-site users, or for other users that self-register with the hybrid service.

Whenever time zone information is not available for a filtered location

Use the Custom End User Block Page section to define a customized logo and text for block pages displayed by the hybrid service (see Customizing hybrid block pages, page 227).

Use the HTTPS Notification Pages section to enable users making HTTPS requests to view the appropriate Websense notification pages (see Enabling HTTPS notification pages, page 228).

If the hybrid service uses directory data collected by Websense Directory Agent to identify users, you can configure hybrid passwords for user accounts on the Hybrid Configuration > Shared User Data page (see Send user and group data to the hybrid service, page 231). If your organization does not use directory data collected by Directory Agent to identify users connecting to the hybrid service from outside filtered locations, you can let users self-register for the service. This allows users with email accounts associated with domains that you specify under Registered Domains to identify themselves to the hybrid service.

Users requesting Internet access from an unrecognized IP address are prompted to self-register. The domain portion of the user’s email address is used to associate the user with your organization so that the proper Default policy is applied.

Users who cannot be associated with an organization receive the hybrid service Default policy.

Click Add to add a domain (see Adding domains, page 226).

Click a domain entry to edit the domain or its attributes (see Editing domains, page 227).

You can also apply hybrid policy enforcement to off-site users connecting from unknown IP addresses, regardless of how those users are filtered when they are in-network or connecting from a filtered location. Under Off-site Users, mark Enable hybrid filtering of off-site users.

If you clear this check box, any user connecting from an unknown IP address will not be filtered.

See Hybrid service management of off-site users, page 253 for more information.

Adding domains

Use the User Access > Add Domain page to identify the domains and subdomains (if any) belonging to your organization. This makes it possible for users with email addresses in the specified domains to self-register (authenticate themselves) to the hybrid service. This is typically enabled only in organizations that do not use Directory Agent to send user information to the hybrid service.

The hybrid service is unable to provide user name information about self-registered users to the on-premises components for use in reporting. Only the IP address from which the request originated is logged.

1. Enter a Domain name (in the format sampledomain.org) belonging to your organization.

2. Enter a clear Description of the domain as a point of reference to simplify hybrid service administration.

3. If you want users with email addresses in both the domain and its subdomains (like university.edu and humanities.university.edu) to be able to self-register, mark Include subdomains.

4. Click OK to return to the User Access page.

5. Click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.

Editing domains

Use the User Access > Edit Domain page to make changes to the domain entries that allow users to self-register for the hybrid service.

1. Verify the domain Name and make changes, if necessary.

2. Update the Description as needed.

3. To change whether or not email addresses in subdomains are considered valid, mark or clear Include subdomains.

4. Click OK to return to the User Access page.

5. Click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.

Customizing hybrid block pages

When the hybrid service denies access to a resource, it serves a default block page.

You can either use the default page, or modify the page text to suit your needs. For example, you could:

Add information about your organization’s Internet use policies.

Provide a method for contacting Human Resources or a Websense administrator about Internet use policies.

Add your organization’s logo.

Customizing the logo

If you want to customize the logo that appears on a hybrid block page, create a directory named logo in the Websense ssdata directory (by default, C:\Program Files or Program Files (x86)\Websense\Web Security\bin\ssdata\ on Windows, or /opt/websense/bin/ssdata/ on Linux). Then place your logo file in that directory.

The logo must be a JPEG, GIF, or PNG file. If a file with one of these extensions exists in the logo directory, Sync Service detects it and sends the data to the hybrid service.

The file must be greater than 0 KB and smaller than 50 KB for Sync Service to send it.

Sync Service also detects when there is a newer version of the file and updates the version on the hybrid service. If there are multiple valid files in this directory, Sync Service uses the most recent file.

The Hybrid Service page displays the date and time that Sync Service sent a customized block page logo to the hybrid service (see Monitor communication with the hybrid service, page 245).

To stop using a customized logo file, delete the file from the logo directory.

Note

Clearing Use a custom block page title and message on the Hybrid Configuration > User Access page does not automatically remove the customized logo from your block pages. The logo file must be deleted from the logo directory for Sync Service to stop pushing the file to the hybrid service.

Customizing the text

1. On the Hybrid Configuration > User Access page, mark Use a custom block page title and message.

2. Enter the page Title and Message. This must be in plain text, with no HTML tags.

3. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Enabling HTTPS notification pages

SSL (Secure Sockets Layer) is the industry standard for transmitting secure data over the Internet. It is based on a system of trusted certificates issued by certificate authorities and recognized by servers.

If you install the Websense SSL certificate for the hybrid service, the hybrid proxy can establish SSL channels with newer browsers (Internet Explorer 8 or later, and Firefox 3.5 or later) in order to serve notification pages to the user – for example, a block page if the SSL site is in a category that requires a notification, or the appropriate page if authentication is required.

To preserve performance, only HTTPS traffic is diverted in this manner; HTTP traffic goes through the proxy to the requested site.

To ensure hybrid users can see the notification pages when browsing with HTTPS, you need a root certificate on each client machine that can act as a Certificate Authority for SSL requests to the hybrid proxy.

Note

End users using single sign-on, available beginning with 7.8.4, require this root certificate to ensure seamless authentication to HTTPS sites. If the certificate is not installed for single sign-on users, they must authenticate using NTLM identification or manual authentication, depending on the settings on the Hybrid User Identification page. See Integrating a single sign-on identity provider.

To install the hybrid root certificate on all clients using the hybrid service:

1. On the Hybrid Configuration > User Access page, click View Hybrid SSL Certificate.

2. Save the certificate file to a location of your choice.

3. Deploy the SSL certificate to your hybrid users with your preferred administration or deployment method, for example Microsoft Group Policy Object (GPO) or a third-party deployment tool.

Once you have distributed the certificate, mark Use the hybrid SSL certificate to display a notification page for HTTPS requests when required, then click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

What is a PAC file?

A Proxy Auto-Configuration file is a JavaScript function definition that a browser calls to determine how to handle requests. The PAC file used to enable hybrid policy enforcement contains a number of global settings and allows you to configure sites (for example, intranet sites or organizational webmail) that users can access directly, without sending the request to the hybrid service (see Specify sites not managed by the hybrid service, page 222).

If you want to use the hybrid service on client machines, you must configure browser settings on each of the clients to point to the URL hosting the PAC file. This URL is displayed on the Hybrid Configuration > User Access page (see Configure user access to the hybrid service, page 224).

The exact mechanism for configuring a browser to use the PAC file depends on the browser and network environment. For example, if you are using Microsoft Active Directory and Internet Explorer or Mozilla Firefox, you have the option to automate the process via group policies. Users can also be instructed to set up their browsers manually.

For Microsoft Internet Explorer, go to Tools > Internet Options and click the Connections tab. Click LAN Settings, and then mark Use automatic configuration script. Enter the PAC file URL in the Address field.

For Mozilla Firefox, go to Tools > Options, click the Advanced icon, and then select the Network tab. Under Connection, click Settings, and then select Automatic proxy configuration URL. Enter the PAC file URL in the blank field.

The default PAC file is supplied by Websense, and comprises default settings from the hybrid service and any changes you make on the Hybrid Configuration pages. If you want to customize the PAC file, create a directory named pac in the Websense ssdata directory (by default, \Program Files or Program Files (x86)\Websense\Web Security\bin\ssdata\pac on Windows, or /opt/websense/bin/ssdata/pac on Linux). Then you have the following options:

To use your own PAC file, create a file named websense.pac and place it in the Websense pac directory.

To add a customized fragment to the default PAC file, place the JavaScript fragment in a file named customfinal.pac, and put it in the Websense pac directory. This fragment is appended to the default PAC file, replacing the token _CUSTOMFINALPAC_.

Note

The customized websense.pac file must contain the following function:

function FindProxyForURL(url, host) {}

If this function is not in the file, it will be rejected by the hybrid service.

If either of these files exists in the pac directory, Sync Service detects it and sends the data to the hybrid service. The file must be greater than 0KB and smaller than 50KB for Sync Service to send it. Sync Service also detects when there is a newer version of the PAC file or fragment and updates the version on the hybrid service.

The recommended state for custom PAC files is to set up a custom file or a custom fragment, not both. If both files exist in the pac directory, we recommend you decide whether a full customized PAC file or a customized fragment suits your needs better, and delete the other file from the directory.

To stop using a customized PAC file or fragment, delete the file or fragment from the pac directory.

The Hybrid Service page displays the type of PAC file you are using, and lists the date and time that Sync Service last sent a customized file or fragment to the hybrid service (see Monitor communication with the hybrid service, page 245).

If you are unfamiliar with PAC files, it is useful to search the Internet for basic information. Wikipedia has a good introductory article, and a good website for more information and several example PAC files is http://www.findproxyforurl.com/ .
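A pre-deployment check for a custom websense.pac, added here as an example and not Websense code: it enforces the size limit and the required FindProxyForURL function described above, then evaluates the file against the routes you expect for unfiltered destinations and proxied traffic. The helper shims, hostnames, addresses, and ports are assumptions made for the example.

```javascript
// Added example: check a custom websense.pac before placing it in the pac
// directory. Run it only on PAC files you wrote yourself: the source is evaluated.

const MAX_BYTES = 50 * 1024; // the page's limit: smaller than 50 KB

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const p = ip.split(".").map(Number);
  if (p.some((n) => n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// Simplified stand-ins for the browser's built-in PAC helpers (assumption:
// no DNS lookups, so isInNet only matches hosts given as IPv4 literals).
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  isInNet: (host, net, mask) => {
    const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
    if (h === null || n === null || m === null) return false;
    return ((h & m) >>> 0) === ((n & m) >>> 0);
  },
};

// Evaluate the PAC source and return its FindProxyForURL, or null if absent.
function loadPac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(
    ...names,
    source + "\n;return typeof FindProxyForURL === 'function' ? FindProxyForURL : null;"
  );
  return factory(...names.map((n) => pacHelpers[n]));
}

// Returns a list of problems; an empty list means the file passed every check.
function validatePac(source, cases) {
  const problems = [];
  const bytes = new TextEncoder().encode(source).length;
  if (bytes === 0 || bytes >= MAX_BYTES) {
    problems.push(`size ${bytes} bytes is outside the accepted range (0 < size < ${MAX_BYTES})`);
  }
  let find = null;
  try {
    find = loadPac(source);
  } catch (err) {
    problems.push(`does not parse as JavaScript: ${err.message}`);
    return problems;
  }
  if (find === null) {
    problems.push("missing function FindProxyForURL(url, host)");
    return problems;
  }
  for (const { url, expect } of cases) {
    let got;
    try {
      got = find(url, new URL(url).hostname);
    } catch (err) {
      got = `error: ${err.message}`; // e.g. a helper this shim does not provide
    }
    if (got !== expect) problems.push(`${url}: expected "${expect}", got "${got}"`);
  }
  return problems;
}

// Constructed sample PAC: hostnames, addresses and ports are placeholders.
const samplePac = `
function FindProxyForURL(url, host) {
  // Unfiltered destinations go direct, bypassing any proxy.
  if (isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, "webmail.example.com")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  // Everything else: first explicit proxy, then the next one if it is down.
  return "PROXY proxy1.example.com:8080; PROXY proxy2.example.com:8080";
}`;

const PROXIES = "PROXY proxy1.example.com:8080; PROXY proxy2.example.com:8080";
const sampleCases = [
  { url: "http://webmail.example.com/inbox", expect: "DIRECT" },
  { url: "http://intranet/", expect: "DIRECT" },
  { url: "http://10.1.2.3/status", expect: "DIRECT" },
  { url: "http://www.example.org/", expect: PROXIES },
];

console.log(validatePac(samplePac, sampleCases));
```

A case that expects DIRECT for a site that must be filtered is reported as a mismatch, which makes the case list a useful regression check whenever the PAC file changes.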

Send user and group data to the hybrid service

If your organization uses a supported, LDAP-based directory service—Windows Active Directory (Native Mode), Oracle (Sun Java) Directory Server, or Novell eDirectory—you can collect user and group data and send it to the hybrid service. This is accomplished using 2 Websense components:

Websense Directory Agent collects user and group information from Directory Server and collates it for the hybrid service.

Websense Sync Service transports policy, reporting, custom PAC file information, and user/group data between the on-premises and hybrid systems.

When the hybrid service is configured properly, the information from Directory Agent can be used to apply user- and group-based policies.

If your organization uses Windows Active Directory in mixed mode, user and group data cannot be collected and sent to the hybrid service.

If the hybrid service uses directory data collected by Directory Agent to identify users, you have 2 options:

Configure the hybrid service to automatically create a hybrid logon password for all user accounts sent by Directory Agent. Passwords are sent to each user’s email address in staggered intervals to avoid a sudden influx of email messages.

Have users request their own password the first time they connect to the hybrid service from outside a filtered location. In order for the process to succeed, users must provide an email address that matches an account sent by Directory Agent.

The password is then sent to that email address.

For this reason, be sure that your organization’s webmail address has been added as an unfiltered destination. See Specify sites not managed by the hybrid service, page 222.

Configure Directory Agent settings for the hybrid service

Select Settings > Hybrid Configuration > Shared User Data to review and edit your current Directory Agent configuration, and to configure Directory Agent to communicate with Sync Service.

The table near the top of the page lists the Active Directory global catalogs identified on the Settings > General > Directory Services page. Add or remove global catalog servers, or change the directory service used by Websense software, on that page.

Note

If you remove an Active Directory server from the Directory Services page, also do the following manual step to ensure that the server is fully removed from Directory Agent settings:

Software deployments: Delete all files in the Websense/Web Security/bin/snapshots directory. Then go to Settings > Hybrid Configuration > Scheduling, and click Send under Send Update Now.

Appliance deployments: Contact Websense Technical Support for assistance.

To refine the way that Directory Agent searches the directory and packages results for the hybrid service, click an IP address or hostname in the table. See Configure how data is gathered for the hybrid service, page 233.

To view the global catalog directory contexts defined for identifying hybrid users, click View Context under Contexts in the table. See Adding and editing directory contexts, page 236.

To have the hybrid service generate passwords for all user accounts that it sees, scroll down to the Generate User Passwords section and mark Automatically generate and email passwords.

In order for Directory Agent data to be sent to the hybrid service:

1. Scroll to the Synchronize User Data section.

2. Verify the Name or IP address of the Sync Service machine and the Port used for Sync Service communication (by default, 55832).

In most configurations, these fields are populated automatically, but can be updated manually, if needed.

3. Click Test Connection to verify that Directory Agent can send data to Sync Service. The test may take a minute or more.

If the connection is made, a success message is displayed.

If the connection cannot be made, verify the IP address or hostname of the Sync Service machine and the communication port. Also verify that the Sync Service machine is on, that Sync Service is running, and that your network firewall permits connections on the Sync Service port.

4. When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Configure how data is gathered for the hybrid service

Web Security Help | Web Security Solutions | Version 7.8.x

Use the Shared User Data > Active Directory (Native Mode) page to refine the way that Directory Agent searches the selected directory server and packages user and group information for the hybrid service.

Under Root Context for Hybrid Filtering Users, click Add to provide a Root Context to use when gathering user and group data from the directory. Narrow the context to increase speed and efficiency. See Adding and editing directory contexts, page 236.

Warning

There is a limit to how many groups the hybrid service can support. The limit is affected by a number of factors, but if it is exceeded, user requests are not filtered properly (the service fails open).

If your organization has a large directory forest with thousands of groups, be sure to configure Directory Agent to upload only the information required to manage the users whose requests are sent to the hybrid service. You might select only specific groups to upload, or set a specific and narrowed root context.

It is best to provide contexts that include only users managed by the hybrid service.

If you are using Active Directory and have multiple Directory Agent instances, make sure that each has a unique, non-overlapping root context. Especially watch out for this if:

Multiple Directory Agent instances are configured to connect to domain controllers that all manage the same Active Directory server.

One Directory Agent instance is configured to communicate with an Active Directory parent domain and another instance is configured to communicate with an Active Directory child domain (a separate global catalog server).
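The non-overlap requirement above can be checked before deployment by comparing the root contexts as distinguished names. The following Python code is an added example, not part of the Websense documentation or product; the agent names and DNs are constructed, and it assumes root contexts are written as comma-separated DNs that compare case-insensitively.

```python
from itertools import combinations


def split_dn(dn):
    """Split a DN into normalized (attribute, value) RDN pairs.

    Commas escaped with a backslash stay inside the value. Attribute names
    and values are lowercased (assumption: case-insensitive DN matching).
    """
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))

    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def relation(dn_a, dn_b):
    """Return 'same', 'a_contains_b', 'b_contains_a' or 'disjoint'.

    Comparison is RDN by RDN, so DC=myexample,DC=com is not mistaken for a
    child of DC=example,DC=com the way a plain string-suffix test would.
    """
    a, b = split_dn(dn_a), split_dn(dn_b)
    if a == b:
        return "same"
    if len(a) < len(b) and b[-len(a):] == a:
        return "a_contains_b"
    if len(b) < len(a) and a[-len(b):] == b:
        return "b_contains_a"
    return "disjoint"


def find_overlaps(instances):
    """instances maps a Directory Agent name to its list of root context DNs.

    Returns (agent_a, dn_a, agent_b, dn_b, relation) for every pair of
    contexts on different agents that are equal or nested.
    """
    flat = [(agent, dn) for agent, dns in instances.items() for dn in dns]
    findings = []
    for (agent_a, dn_a), (agent_b, dn_b) in combinations(flat, 2):
        if agent_a == agent_b:
            continue
        rel = relation(dn_a, dn_b)
        if rel != "disjoint":
            findings.append((agent_a, dn_a, agent_b, dn_b, rel))
    return findings


# Constructed sample: hypothetical agent names and directory layout.
SAMPLE_INSTANCES = {
    "agent-hq": ["OU=Hybrid Users,DC=example,DC=com"],
    "agent-branch": [
        "ou=hybrid users, dc=example, dc=com",       # same context, different spelling
        "OU=Sales,DC=branch,DC=example,DC=com",      # child domain of agent-parent's context
    ],
    "agent-parent": ["DC=example,DC=com"],
    "agent-lab": ["OU=Lab,DC=test,DC=example,DC=net"],
}

if __name__ == "__main__":
    for agent_a, dn_a, agent_b, dn_b, rel in find_overlaps(SAMPLE_INSTANCES):
        print(f"{rel}: {agent_a} [{dn_a}]  <->  {agent_b} [{dn_b}]")
```

A parent-domain context is reported as containing a child-domain context; treat that finding as a prompt to review the two instances rather than as proof that the same entries are uploaded twice.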

You can further refine the data that is sent to the hybrid service by defining patterns, or search filters, used to remove duplicate or otherwise unwanted entries from the directory search results. See Optimizing search results, page 238, for more information.


Oracle (Sun Java) Directory Server and the hybrid service


If your organization uses Oracle (Sun Java) Directory Server, select Settings > Hybrid Configuration > Shared User Data to refine the way that Directory Agent searches the directory and packages user and group information for the hybrid service.

Important

To use any version of Sun Java System Directory or Oracle Directory Server to send user and group information to the hybrid service, a Directory Agent configuration change is required.

Open the das.ini file (located in the Websense bin directory on the Directory Agent machine) and locate the following section:

# Enable next two parameters if your DS is Sun Java
# GroupMembershipAttribute=uniqueMember
# MemberOfAttribute=memberOf

Enable the GroupMembershipAttribute and MemberOfAttribute parameters by removing the # symbol from the beginning of those lines, then save the file and restart Directory Agent.

1. Under Root Context for Hybrid Filtering Users, click Add to provide a Root Context to use when gathering user and group data from the directory. Narrow the context to increase speed and efficiency. See Adding and editing directory contexts, page 236.

Provide a context that includes only users managed by the hybrid service.

2. Under Synchronize User Data, verify the Name or IP address of the Sync Service machine and the Port used for Sync Service communication (by default, 55832).

These fields are populated automatically, but can be updated manually, if needed.

3. Click Test Connection to verify that Directory Agent can send data to Sync Service. The test may take a minute or more.

If the connection is made, a success message is displayed.

If the connection cannot be made, verify the IPv4 address or hostname of the Sync Service machine and the communication port. Also verify that the Sync Service machine is on, that Sync Service is running, and that your network firewall permits connections on the Sync Service port.

You can further refine the data that is sent to the hybrid service by defining patterns, or search filters, used to remove duplicate or otherwise unwanted entries from the directory search results. See Optimizing search results, page 238, for more information.

Novell eDirectory and the hybrid service


If your organization uses Novell eDirectory, select Settings > Hybrid Configuration > Shared User Data to refine the way that Directory Agent searches the directory and packages user and group information for the hybrid service.

1. Under Root Context for Hybrid Filtering Users, click Add to provide a Root Context to use when gathering user and group data from the directory. Narrow the context to increase speed and efficiency. See Adding and editing directory contexts, page 236.

Provide a context that includes only users managed by the hybrid service.

2. Under Synchronize User Data, verify the Name or IP address of the Sync Service machine and the Port used for Sync Service communication (by default, 55832).

These fields are populated automatically, but can be updated manually, if needed.

3. Click Test Connection to verify that Directory Agent can send data to Sync Service. The test may take a minute or more.

If the connection is made, a success message is displayed.

If the connection cannot be made, verify the IPv4 address or hostname of the Sync Service machine and the communication port. Also verify that the Sync Service machine is on, that Sync Service is running, and that your network firewall permits connections on the Sync Service port.

You can further refine the data that is sent to the hybrid service by defining patterns, or search filters, used to remove duplicate or otherwise unwanted entries from the directory search results. See Optimizing search results, page 238, for more information.


Adding and editing directory contexts


Use the Settings > Hybrid Configuration > Shared User Data > Add Context page to refine the way that Directory Agent searches your user directory and packages user and group information for the hybrid service.

Warning

There is a limit to how many groups the hybrid service can support. The limit is affected by a number of factors, but if it is exceeded, user requests are not filtered properly (the service fails open).

If your organization has a large directory forest with thousands of groups, be sure to configure Directory Agent to upload only the information required to filter the users whose requests are sent to the hybrid service. You might select only specific groups to upload, or set a specific and narrowed root context.

You can select multiple contexts within the directory. It is best to include contexts that include only users managed by the hybrid service: for example, you might have hybrid users in multiple OUs. Alternatively, if you want to synchronize all users in a number of specific groups, then you can select a context for each group where each context is the fully qualified group name.

By default, Directory Agent uses the user and group filters defined under Advanced directory settings on the Settings > General > Directory Services page. If required, you can customize these filters for each hybrid service context, for example to include only users that are members of a group managed by the hybrid service.

You can also choose to exclude certain contexts from the Directory Agent search. You might want to do this if you have a particular context that is not required or could cause problems with the hybrid service, such as an administrator group with multiple email addresses in a record. You can only set a context as an exclude context if it is within an included directory context.

1. Expand the Directory Entries tree to locate the context you want to use when gathering user and group data from the directory. Narrow the context to increase speed and efficiency.

Use the search field to locate the context name if required. You can search on OUs, groups, users, or all directory entries. If multiple contexts appear in the search results, select a context and click Show in Tree to see the context’s location in the Directory Entries tree.

2. Mark the context, then click Specify Include Context.

3. In the popup window that appears, indicate how far below the root context Directory Agent looks for users and groups.

Select Context Only to limit searches to the root context only.

Select One Level to limit searches to the root context and one level below.

Select All Levels to expand searches to the root context and all levels below.

4. If you selected groups or OUs for which to Specify Include Context, and then selected One Level or All Levels for group searches, the Include all users in selected groups, regardless of context option is enabled. Check the box if you want to ensure that all users are included from the groups found in the directory search, even if some of those users are in a different context.

5. To fine-tune the search filters that Directory Agent uses for this context, click Customize Search Filters.

6. Mark Customize search filters, and edit the user and group search filters as required.

7. Click OK to save the directory context.

8. When you specify that a context is included, by default any contexts below that context in the tree are also included. To exclude a context within an included context, mark the context that should not be sent to the hybrid service, and click Specify Exclude Context. You can select multiple contexts if required.

9. In the popup window that appears, note that Set as exclude context is selected.

The Remove exclude context option is available only when you select an existing excluded context and click Specify Exclude Context to edit it.

10. Indicate how far below the excluded context Directory Agent looks for users and groups.

Select Context Only to limit searches to the specified context only.

Select One Level to limit searches to the specified context and one level below.

Select All Levels to expand searches to the specified context and all levels below.

Note that the user and group levels for an excluded context cannot be greater than the defined levels for its root context. For example, if the root context’s Directory Search level for either users or groups is set to Context Only, the corresponding users or groups search level for the excluded context is also set to Context Only and cannot be changed.

If you select All Levels for both users and groups, everything below the selected context is excluded and you cannot browse further levels of the Directory Entries tree.

11. In versions 7.8.2 and later, if only groups are specified as exclude contexts, and One or All levels have been selected for exclusion, use the Exclude all users in selected groups, regardless of context option to determine whether:

(Check box marked) Users in exclude contexts are always excluded, regardless of whether they are also defined in other (included) contexts.

(Check box cleared) Users in exclude contexts are not excluded when they are also defined in other (included) contexts.

12. Click OK to save the excluded context.


When you are finished, click OK to close the Add Context page and update the Root Context for Hybrid Filtering Users table. You must also click OK on the Shared User Data page to cache the change.

Optimizing search results


Optimizing search results further refines the data that is sent to the hybrid service by defining patterns, or search filters, used to remove duplicate or otherwise unwanted entries from the directory search results. It also provides a way to modify the mail attribute for directory entries collected by Directory Agent before they are sent to the hybrid service.

If, for example, the mail attribute in your directory service has a partial or internal email address reference, you could use a search filter to replace that partial or internal information with external information, usable by the hybrid service. This would be useful for those who configure the hybrid service to automatically create passwords for users so that they can connect to the hybrid service when they are off site (see Configuring hybrid filtering for off-site users, page 254).

Any search filters that you create in the Web Security manager are applied to the directory data collected by Directory Agent before that data is sent to the hybrid service.

Click Optimize Search Results to see the current search filters, or to create new search filters using wildcards or regular expressions. There are 2 types of search filters: one to filter user entries and one to filter group entries.

To create a new search filter, click Add under the appropriate table.

To edit an existing search filter, click the associated Find String.

A popup dialog box prompts you to edit or enter:

Find string: The text to search for in the original directory data collected by Directory Agent.

Replace string: The new text that you want to substitute for the original text in data sent to the hybrid service.

When you are finished, click OK to close the dialog box and update the Filter User Results or Filter Group Results table. You must also click OK on the Shared User Data page to cache the change.

At this time, Directory Agent applies the search filters that you create only to the mail attribute.
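Since the hybrid service can generate and email passwords to users, it is worth previewing what a find/replace pair does to the mail attribute before the filter is deployed. This added Python example is not Websense code: Python's re syntax stands in for the product's filter syntax, which this page does not specify, and the directory entries, filters and internal suffixes are constructed.

```python
import re

# Loose shape check for an address that can be reached from outside the network.
EXTERNAL_MAIL = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def apply_filters(mail, filters):
    """Apply ordered (find_regex, replace_string) pairs to one mail value."""
    for find, replace in filters:
        mail = re.sub(find, replace, mail, flags=re.IGNORECASE)
    return mail


def dry_run(entries, filters, internal_suffixes=(".local", ".internal")):
    """Preview the filters against directory entries without sending anything.

    entries: list of {"dn": ..., "mail": ...} dictionaries.
    Returns a report with three lists:
      rewritten  - (dn, original, result) for every value a filter changed
      unusable   - (dn, result) still partial, empty or internal after filtering
      collisions - (first_dn, second_dn, result) where two entries end up with
                   the same address, so mail for one user reaches the other
    """
    report = {"rewritten": [], "unusable": [], "collisions": []}
    seen = {}
    for entry in entries:
        original = entry.get("mail", "")
        result = apply_filters(original, filters)
        if result != original:
            report["rewritten"].append((entry["dn"], original, result))
        key = result.lower()
        if not EXTERNAL_MAIL.match(result) or key.endswith(tuple(internal_suffixes)):
            report["unusable"].append((entry["dn"], result))
            continue
        if key in seen:
            report["collisions"].append((seen[key], entry["dn"], result))
        else:
            seen[key] = entry["dn"]
    return report


# Constructed sample filters: map an internal mail domain to the external one,
# then complete values that hold only the local part of the address.
SAMPLE_FILTERS = [
    (r"@corp\.example\.local$", "@example.com"),
    (r"^([^@\s]+)$", r"\1@example.com"),
]

# Constructed sample directory entries.
SAMPLE_ENTRIES = [
    {"dn": "CN=Ana Diaz,OU=Hybrid,DC=example,DC=com", "mail": "adiaz@corp.example.local"},
    {"dn": "CN=Bo Chen,OU=Hybrid,DC=example,DC=com", "mail": "bchen"},
    {"dn": "CN=Ana Diaz (admin),OU=Admins,DC=example,DC=com", "mail": "ADiaz@example.com"},
    {"dn": "CN=Svc Backup,OU=Hybrid,DC=example,DC=com", "mail": "backup@hq.internal"},
]

if __name__ == "__main__":
    for section, rows in dry_run(SAMPLE_ENTRIES, SAMPLE_FILTERS).items():
        print(section)
        for row in rows:
            print("   ", row)
```

Entries reported under collisions or unusable are candidates for an exclude context or a corrected filter before user data is sent.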


Schedule communication with the hybrid service


Select Settings > Hybrid Configuration > Scheduling to specify how frequently directory data collected by Directory Agent is sent to the hybrid service, and how often reporting data is retrieved.

Note

Policy data is collected whenever you click Save and Deploy in the Web Security manager, and sent to the hybrid service at 15 minute intervals by default. If you have made an important update to your policy data, and want to send user and group information right away, click Send under Send Policy Data Now.

To configure how often directory information is sent to the hybrid service:

1. Under Send User Data, select one or more days of the week to send user and group information to the hybrid service. If you are using directory information to identify users, you must send Directory Agent data at least once a week.

2. Enter start and end times to define the time period during which Sync Service attempts to send directory data to the hybrid service. Typically, directory data is sent at a period of low traffic in your network.

3. If you have made an important update to your directory service data, and want to send user and group information right away, click Send under Send Update Now.

If the Web Security manager receives confirmation from Sync Service, a success message is displayed. This means that Sync Service will send the data, not that the data has been received by the hybrid service.


To configure whether the hybrid service collects reporting data, and how often Sync Service retrieves the data:

Important

In order for Sync Service to pass hybrid reporting data to Log Server, a hybrid communication port must be configured on the Settings > General > Logging page. See Configuring how requests are logged, page 422, for details.

If you are using distributed logging with version 7.8.1, Sync Service must be configured to communicate with the central Log Server. Hybrid logging data cannot be passed from remote Log Server instances to the central Log Server in version 7.8.1.

Threat data from the hybrid service is not available.

1. Under Collect and Retrieve Reporting Data, mark Have the hybrid service collect reporting data for the clients it filters.

If you clear this check box, log data is not saved for hybrid users. No information about these users’ Internet activity will appear in reports.

2. Select one or more days of the week for Sync Service to request reporting data from the hybrid service. You must retrieve data at least once a week.

3. Enter start and end times to define the time period during which Sync Service retrieves data from the hybrid service. You may want to retrieve data at a period of low traffic in your network.

4. Select how often you want Sync Service to request reporting data from the hybrid service within the specified start and end times.

Sync Service cannot download reporting data any more frequently than every 15 minutes. This means that there is a time delay between when the hybrid service makes Internet requests and when those requests appear in reports.

If you need to route Sync Service traffic to and from the hybrid service through a proxy server or firewall:

1. Under Route Sync Service Traffic, mark Route Sync Service traffic through a proxy server or firewall.

2. Enter the IP address or hostname of the proxy server or firewall, and specify the port that is to be used.

3. If the specified server requires authentication, enter the user name and password for Sync Service to access it.

When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.


Define custom authentication settings


Use the Settings > Hybrid Configuration > Custom Authentication page to add and edit custom rules to change the default authentication behavior for specific applications or sites.

Occasionally, some Internet applications and websites cannot authenticate with the hybrid service. This might occur with, for example, instant messaging programs, antivirus updates, or software update services.

To allow particular applications that do not properly handle authentication challenges to bypass authentication, you can specify user agents, domains, or URLs, or a combination of these options.

A user agent is a string sent from your browser or Internet application to the server hosting the site that you are visiting. This string indicates which browser or application you are using, its version number, and details about your system, such as the operating system and version. The destination server then uses this information to provide content suitable for your specific browser or application.

For example, this is a user agent for Firefox:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6)

In this example, Windows NT 5.1 indicates that the operating system is Windows XP, and the language it uses is US English.

To get the user agent string for your browser, enter the following in the browser’s address bar: javascript:alert(navigator.userAgent)

You can view the user agents that have made authentication requests via the hybrid service in the User Agents by Volume report, available from the Custom Authentication page and also on the Main > Status > Hybrid Service page. If a user agent in this report has a high number of authentication requests, it may be experiencing authentication problems. You can select a user agent in the report and click Create Rule to add a new custom authentication rule for that agent. See View User Agent Volume report, page 247.

To define a custom authentication rule, click Add, and then see Adding custom authentication rules, page 242.

To edit an existing rule, click the rule Name, and then see Editing custom authentication rules, page 243.

To remove a custom authentication rule, mark the check box next to the rule name, and then click Delete.

If you have added or edited a custom authentication rule, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.


Adding custom authentication rules


Use the Custom Authentication > Add Custom Authentication Rule page to define one or more user agents, domains, or URLs that are failing to authenticate with the hybrid service.

1. Enter a Name for the rule. The name must be between 1 and 50 characters long, and cannot include any of the following characters:

* < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

Names can include spaces, dashes, and apostrophes.

2. Define the User agents, if any, for the rule:

To match against all user agent strings, select All user agents. You might do this to set up a custom rule that applies to all browsers on all operating systems in your organization.

If the application does not send a user agent string to the Internet, select No user agent header sent.

This option matches against all applications that do not send a user agent. In this case, refine the rule by entering one or more URLs or domains in the Destinations field.

To apply the custom authentication to one or more user agents, select Custom user agents. Enter each user agent on a separate line. Use the asterisk wildcard to match one line to multiple user agent strings, for example Mozilla/5.0*.

Note

If you are creating a new rule directly from the User Agents by Volume report, the user agents you selected in the report are already entered in this field.

3. Define the URLs or domains (if any) for the rule in the Destinations field:

To match against all URLs and domains, select All destinations. You might want to do this if you are setting up a custom rule that applies to a specific user agent that accesses multiple sites.

To apply the custom authentication to one or more specific domains or URLs, select Custom destinations. Enter each URL or domain on a separate line.

URLs must include the protocol portion (http://) at the beginning and a forward slash (/) at the end (for example, http://www.google.com/). If these elements are not present, the string is treated as a domain. Domains cannot include a forward slash at the end (for example, mydomain.com).

Use the asterisk wildcard to match one line to multiple destinations: for example, entering *.mydomain.com would match against all domains ending in “mydomain.com.”

4. Select the Authentication method for the custom rule.


Default: Uses your default authentication method.

NTLM: Uses NTLM identification for the specified user agents and destinations. If an application is not NTLM-capable, basic authentication is used instead.

Note

You must have NTLM identification enabled for your account to use this option.

Secure form authentication: Uses secure form authentication to display a secure logon form to the end user. For more information, see Identification of hybrid users, page 328.

Basic authentication: Uses the basic authentication mechanism supported by many Web browsers. No welcome page is displayed. For more information on basic authentication, see Identification of hybrid users, page 328.

Welcome page: Displays a welcome page to users before they use basic authentication to proceed.

None: Bypasses all authentication and identification methods in the hybrid service. Select this option for Internet applications that are incapable of authentication.

5. Optionally, select Bypass content scanning to bypass all filtering for the specified user agents and destinations.

Important

Select this option only for applications and sites that for some reason do not work well with the hybrid service, and that you trust implicitly. Selecting this option could allow viruses and other malware into your network.

6. Click OK to return to the Custom Authentication page, and then click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.

Editing custom authentication rules


Use the Custom Authentication > Edit Custom Authentication Rule page to edit user agents, domains, or URLs that are failing to authenticate with the hybrid service.

1. If you make changes to the rule Name, ensure it is between 1 and 50 characters long, and does not include any of the following characters:

* < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

Names can include spaces, dashes, and apostrophes.

2. Define or update the User agents, if any, for the rule:


To match against all user agent strings, select All user agents. You might want to do this if you are setting up a custom rule that applies to all browsers on all operating systems in your organization.

If the application does not send a user agent string to the Internet, select No user agent header sent.

This option will match against all applications that do not send a user agent. In this case, we recommend you refine the rule by entering one or more URLs or domains in the Destinations field.

To apply the custom authentication to one or more user agents, select Custom user agents. Enter each user agent on a separate line. Use the asterisk wildcard to match one line to multiple user agent strings, for example Mozilla/5.0*.

3. Define or update the URLs or domains (if any) for the rule in the Destinations field:

To match against all URLs and domains, select All destinations. You might want to do this if you are setting up a custom rule that applies to a specific user agent that accesses multiple sites.

To apply the custom authentication to one or more specific domains or URLs, select Custom destinations. Enter each URL or domain on a separate line.

URLs must include the protocol portion (http://) at the beginning and a forward slash (/) at the end (for example, http://www.google.com/). If these elements are not present, the string is treated as a domain. Domains cannot include a forward slash at the end (for example, mydomain.com).

Use the asterisk wildcard to match one line to multiple destinations: for example, entering *.mydomain.com would match against all domains ending in ‘mydomain.com.’

4. Verify or update the Authentication Method for the custom rule.

Default: Uses your default authentication method.

NTLM: Uses NTLM identification for the specified user agents and destinations. If an application is not NTLM-capable, basic authentication is used instead.

Note

You must have NTLM identification enabled for your account to use this option.

Form Authentication: Uses secure form authentication to display a secure logon form to the end user. For more information, see Identification of hybrid users, page 328.

Basic Authentication: Uses the basic authentication mechanism supported by many Web browsers. No welcome page is displayed. For more information on basic authentication, see Identification of hybrid users, page 328.

Welcome Page: Displays a welcome page to users before they use basic authentication to proceed.


None: Bypasses all authentication and identification methods in the hybrid service. Select this option for Internet applications that are incapable of authentication.

5. Optionally, select Bypass content scanning to bypass all filtering for the specified user agents and destinations.

Important

Select this option only for applications and sites that for some reason do not work well with the hybrid service, and that you trust implicitly. Selecting this option could allow viruses and other malware into your network.

6. Click OK to return to the Custom Authentication page, and then click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.
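The naming and destination rules in the Adding and Editing procedures above can be checked mechanically, together with a review of rules that switch off authentication or content scanning for everything. This added Python example is not part of the product; the rule dictionary layout, the severity labels and the case-insensitive reading of the asterisk wildcard are assumptions, and the sample rules are constructed.

```python
import re

# Characters the page lists as not allowed in a rule name.
FORBIDDEN_NAME_CHARS = set('*<>{}~!$%&@#."|\\+=?/;:,')


def name_problems(name):
    """Check the 1-50 character length and forbidden-character rules."""
    problems = []
    if not 1 <= len(name) <= 50:
        problems.append("name must be between 1 and 50 characters long")
    bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    if bad:
        problems.append("name contains forbidden characters: " + " ".join(bad))
    return problems


def classify_destination(entry):
    """A URL needs http:// at the start and / at the end; any other string is
    treated as a domain, and a domain may not end in a forward slash."""
    if entry.startswith("http://") and entry.endswith("/"):
        return "url"
    if entry.endswith("/"):
        return "invalid"
    return "domain"


def wildcard_match(pattern, value):
    """Asterisk matches any run of characters; everything else is literal.
    Case-insensitive comparison is an assumption of this example."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def lint_rule(rule):
    """rule keys (hypothetical layout): name, user_agents ('all', 'none_sent'
    or a list of patterns), destinations ('all' or a list), auth_method,
    bypass_content_scanning. Returns a list of (severity, message)."""
    findings = [("error", p) for p in name_problems(rule["name"])]
    agents, dests = rule["user_agents"], rule["destinations"]
    if isinstance(dests, list):
        for entry in dests:
            kind = classify_destination(entry)
            if kind == "invalid":
                findings.append(("error", f"{entry!r} ends in '/' but is not an http:// URL"))
            elif kind == "domain" and "://" in entry:
                findings.append(("warning", f"{entry!r} has no trailing '/', so it is treated as a domain"))
    if agents == "none_sent" and dests == "all":
        findings.append(("warning", "matches every client that sends no user agent; add destinations"))
    weakened = rule["auth_method"] == "None" or rule["bypass_content_scanning"]
    broad_agents = agents in ("all", "none_sent") or (isinstance(agents, list) and "*" in agents)
    broad_dests = dests == "all" or (isinstance(dests, list) and any(d.strip("*.") == "" for d in dests))
    if weakened and broad_dests:
        severity = "high" if broad_agents else "medium"
        findings.append((severity, "authentication or scanning is bypassed for all destinations"))
    if rule["bypass_content_scanning"]:
        findings.append(("review", "content scanning bypassed: confirm every destination is implicitly trusted"))
    return findings


# Constructed sample rules.
SAMPLE_RULES = [
    {"name": "AV updates", "user_agents": ["ExampleAV-Updater/*"],
     "destinations": ["*.updates.example.com"], "auth_method": "None",
     "bypass_content_scanning": False},
    {"name": "IM fix v1.2", "user_agents": ["ExampleIM/*"],
     "destinations": ["http://im.example.com", "im.example.com/"],
     "auth_method": "Basic authentication", "bypass_content_scanning": False},
    {"name": "Temporary bypass", "user_agents": "all", "destinations": "all",
     "auth_method": "None", "bypass_content_scanning": True},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule["name"])
        for severity, message in lint_rule(rule) or [("ok", "no findings")]:
            print(f"    [{severity}] {message}")
```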

Monitor communication with the hybrid service


You can view the status of the hybrid service on the Status > Dashboard > Hybrid Service page in the Web Security manager. This page displays when data was most recently sent to or received from the hybrid service. If an attempt to send or receive data failed, find out when the failure occurred, and which components were involved.

The page lists the date and time that Sync Service last:

Connected or attempted to connect to the hybrid service for any reason

Sent or attempted to send directory information to the hybrid service

Retrieved or attempted to retrieve log (reporting) data from the hybrid service

Sent or attempted to send log data to Log Server

Sent or attempted to send account information to the hybrid service

Sent or attempted to send policy information to the hybrid service

If you have not yet set up the connection between the on-premises and hybrid portions of Websense Web Security Gateway Anywhere, a message explains that “No communication has occurred.”

Under Last Directory Agent Sync Results, the page lists:

The date and time that Directory Agent last sent data to the hybrid service

The total number of users and groups processed by Directory Agent

The number of users and groups that were updated in the hybrid service

The number of groups filtered out because they contained invalid values

The number of users filtered out because they included invalid email addresses


The number of new users and groups synchronized with the hybrid service

The number of obsolete users and groups removed from the hybrid service

This page also allows you to access authentication method and user agent reports from the hybrid service (see View hybrid service authentication reports, page 246, and View User Agent Volume report, page 247), and displays the type of PAC file you are using:

The default PAC file from the hybrid service

A customized PAC file uploaded from the Websense pac directory (see What is a PAC file?, page 229)

The default PAC file with an uploaded customized fragment

If you are using a custom file or fragment, the page shows how long the file or fragment has been in use.

If a Secondary date stamp is shown for the PAC file, this means that Sync Service has uploaded both a custom PAC file and a custom fragment from the pac directory.

The recommended state for custom PAC files is to set up a custom file or a custom fragment, not both. To rectify this, go to the pac directory (by default, \Program Files or Program Files (x86)\Websense\Web Security\bin\data\pac on Windows, or /opt/websense/bin/data/pac on Linux) and delete either websense.pac or customfinal.pac.

If you are using a customized block page logo, this page displays the date and time the logo file was uploaded to the hybrid service.

View hybrid service authentication reports


Select View Report under Authentication Report on the Main > Status > Hybrid Service page to download reporting data from the hybrid service and see a breakdown of how hybrid users are identified or authenticated with the service.

The report output consists of a pie chart and a table, showing the number of clients using each available authentication method over the last 7 days. Web Endpoint, Single sign-on (available beginning with 7.8.4), NTLM identification, Form authentication, and Manual authentication are all set up for clients on the Settings > Hybrid Configuration > Hybrid User Identification page (see Identification of hybrid users, page 328).

X-Authenticated-User authentication is available if you have deployed one of the following as a downstream chained proxy server:

Microsoft® Internet Security and Acceleration (ISA) Server or Forefront™ Threat Management Gateway (TMG) server

BlueCoat Proxy SG

The downstream proxy server performs user authentication and forwards requests to the hybrid proxy using the X-Authenticated-User header.


Click an authentication method in the table to see a list of users who have most recently authenticated with that method. You cannot click an authentication method that you have not deployed or that is currently not in use.

Each authentication method report can contain up to 1000 users. The users are listed by user name, email address, and last logon time. Click the arrow buttons at the bottom of the report to view previous or subsequent pages.

Reports displayed in the content pane cannot be printed or saved to a file. To print or save a report to file, click Export to PDF or Export to XLS to view the report in the appropriate output format.

Important

To display authentication reports in PDF format, Adobe Reader v7.0 or later must be installed on the machine from which you are accessing the TRITON console.

To display authentication reports in XLS format, Microsoft Excel 2003 or later must be installed on the machine from which you are accessing the TRITON console.

Each report includes the date and time it was last updated. Updates are not automatic: to download the latest report data from the hybrid service, click Update.

View User Agent Volume report


Select View Report under User Agent Volume Report on the Main > Status > Hybrid Service page to view user agents that have made authentication requests via the hybrid service.

The report output consists of a table, showing the number of authentication requests and total requests made by each user agent. If a user agent already has a custom authentication rule associated with it, you can hover over the Rule column to see details of the custom rule.

You can filter the report results as follows:

Enter a search term and click Search

Select a Time range from the drop-down list. If you select Custom date range, select a time period between 1 and 14 days.

Mark View only user agents with rules to see only the user agents that have custom authentication rules associated with them.

If there is more than one page of results, click the arrow buttons at the bottom of the report to view previous or subsequent pages.

If a user agent in this report has a high number of authentication requests, it may be experiencing authentication problems. To add a new custom authentication rule for one or more user agents in the report, mark the check box for each agent and click Create Rule. The user agents you select are automatically entered in the Custom user agents field on the Add Custom Authentication Rule page. See Adding custom authentication rules, page 242.

Reports displayed in the content pane cannot be printed or saved to a file. To print or save a report to file, click Export to PDF or Export to XLS to view the report in the appropriate output format.

Important

To display authentication reports in PDF format, Adobe Reader v7.0 or later must be installed on the machine from which you are accessing the TRITON console.

To display authentication reports in XLS format, Microsoft Excel 2003 or later must be installed on the machine from which you are accessing the TRITON console.

Each report includes the date and time it was last updated. Updates are not automatic: to download the latest report data from the hybrid service, click Update.


11

Manage Off-site Users


Related topics:

Using remote filtering software, page 250

Hybrid service management of off-site users, page 253

In addition to enforcing policy for users inside your organization’s network, Websense Web Security solutions provide options for responding to Internet requests when users are outside the network.

Install remote filtering software to monitor Internet activity for users outside the network. See Using remote filtering software, page 250.

Remote filtering software is included with Websense Web Security Gateway Anywhere subscriptions, and is available as an option for Websense Web Filter, Websense Web Security, and Websense Web Security Gateway customers.

Use the hybrid service to monitor Internet activity for users outside the network, regardless of how their requests are handled when they are in the network. See Hybrid service management of off-site users, page 253.

The hybrid service is available only with Websense Web Security Gateway Anywhere.

These methods can be used, for example, to provide policy enforcement for users who work from home, users who travel using company laptops, or students who use institutional laptops on and off campus.

Important

With Websense Web Security Gateway Anywhere, you can use remote filtering software for some off-site users and the hybrid service for others. The hybrid service cannot, however, be used to monitor Internet activity for machines that also have Remote Filtering Client installed.


Using remote filtering software


Related topics:

Configuring Remote Filtering settings, page 251

By default, remote filtering software components monitor HTTP, SSL, and FTP traffic and apply a user-based policy or the Default policy. Remote filtering software does not apply policies to IP addresses (computers or network ranges).

Bandwidth restrictions are not applied to remote filtering clients, and bandwidth generated by remote filtering traffic is not included in bandwidth measurements and reports.

Remote filtering software can only block or permit FTP and SSL (HTTPS) requests. FTP and HTTPS sites in categories assigned the quota or confirm action are blocked when the user is outside the network.

While remote filtering software always monitors HTTP traffic, you can configure it to ignore FTP traffic, HTTPS traffic, or both. See Configure remote filtering to ignore FTP or HTTPS traffic, page 252.

Remote filtering software includes the following components:

Remote Filtering Server is installed inside your network’s outermost firewall, and configured so that filtered machines outside the network can communicate with it.

Remote Filtering Client is installed on Microsoft Windows machines that are used outside the network.

Note

Follow the recommendations in the Deployment and Installation Center carefully to deploy these components. See the Remote Filtering Software technical paper for instructions on installing them.

All communication between Remote Filtering Client and Remote Filtering Server is authenticated and encrypted.

By default, when an HTTP, SSL, or FTP request is made from a machine with Remote Filtering Client installed:

1. The client first determines whether or not it is inside the network by sending a heartbeat to the Remote Filtering Server in the DMZ.

2. If the machine is inside the network, Remote Filtering Client takes no action. The request is passed to Network Agent or an integration product, and filtered like other in-network Internet activity.

3. If the machine is outside the network, Remote Filtering Client communicates with Remote Filtering Server over the configured port (80, by default).

4. Remote Filtering Server then contacts Filtering Service (installed inside the network) to ask what action to apply to the request.

5. Filtering Service evaluates the request and sends a response to Remote Filtering Server.

6. Finally, Remote Filtering Server responds to Remote Filtering Client, either permitting the site or sending the appropriate block message.

Complete information about planning for, deploying, and configuring remote filtering software is available in the Remote Filtering Software technical paper, available from support.websense.com.

Configuring Remote Filtering settings


Related topics:

Configure remote filtering to ignore FTP or HTTPS traffic, page 252

Configure the Remote Filtering Client heartbeat interval, page 253

Use the Settings > General > Remote Filtering page to configure what happens if any Remote Filtering Client instance cannot communicate with Remote Filtering Server.

By default, Remote Filtering Client permits all HTTP, SSL, and FTP requests while it continues attempting to contact Remote Filtering Server (fails open).

When the communication is successful, the appropriate filtering policy is enforced.

Select the Block all requests... check box to prevent users from accessing the Internet when Remote Filtering Client cannot communicate with Remote Filtering Server (fail closed).

When Remote Filtering Client is configured to fail closed, a timeout value is applied (default 15 minutes). The clock begins running when the remote computer is started. Remote Filtering Client attempts to connect to Remote Filtering Server immediately and continues cycling through available Remote Filtering Servers until it is successful.

If the user has Internet access at startup, during the timeout period, all requests are permitted until Remote Filtering Client connects to the Remote Filtering Server.


If Remote Filtering Client cannot connect within the configured timeout period, all Internet access is blocked (fail closed) until connection to Remote Filtering Server can be established.

Note

If Remote Filtering Server cannot connect to Filtering Service for any reason, an error is returned to the Remote Filtering Client, and all requests are permitted (fail open).

This timeout period allows users who pay for Internet access when travelling to start the computer and arrange for connection without being locked out. If the user does not establish Web access before the 15 minute timeout period expires, the user must restart the computer to begin the timeout interval again.

For detailed information about how remote filtering works, which components are involved, and how to deploy components, see the Remote Filtering Software technical paper.

Configure remote filtering to ignore FTP or HTTPS traffic


You can configure remote filtering software to ignore FTP traffic, HTTPS traffic, or both. HTTP traffic is always monitored.

If you have multiple Remote Filtering Servers, repeat these steps for each instance.

1. Navigate to the Websense bin directory (C:\Program Files\Websense\Web Security\bin or /opt/Websense/bin/, by default) on the Remote Filtering Server machine.

2. Open the securewispproxy.ini file in a text editor.

3. To have this Remote Filtering Server instance ignore FTP traffic, add the following line to the file:

FilterFTP=0

If you want to later turn FTP management back on, change the parameter value from “0” to “1”.

4. To have this Remote Filtering Server instance ignore HTTPS traffic, add the following line to the file:

FilterHTTPS=0

If you want to later turn HTTPS management back on, change the parameter value from “0” to “1”.

5. Save and close the file.

6. Restart the Remote Filtering Server service or daemon.


Configure the Remote Filtering Client heartbeat interval


In order to determine whether it is inside or outside of the network, Remote Filtering Client sends a heartbeat to Remote Filtering Server. If the heartbeat connection succeeds, Remote Filtering Client knows that it is inside the network. By default, Remote Filtering Client continues to send the heartbeat every 15 minutes to ensure that its status has not changed.

If you would prefer that Remote Filtering Client send the heartbeat less frequently once it has determined that it is inside the network, you can increase the heartbeat interval. In this case, Remote Filtering Client will only send a more frequent heartbeat if it registers a change in network.

To change the heartbeat interval:

1. Navigate to the Websense bin directory (C:\Program Files\Websense\Web Security\bin or /opt/Websense/bin/, by default) on the Remote Filtering Server machine.

2. Open the securewispproxy.ini file in a text editor.

3. Find the HeartbeatRetryInterval parameter and change its value. For example:

HeartbeatRetryInterval=360

In this example, the heartbeat will be sent every 360 minutes, or 6 hours.

The value can be any number of minutes between 0 and 1440 (24 hours).

The default is 15 minutes.

4. Save and close the file.

5. Restart the Remote Filtering Server service or daemon.
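The two securewispproxy.ini procedures above (ignoring FTP or HTTPS traffic, and changing the heartbeat interval) both alter what a Remote Filtering Server instance does for off-site clients. The following added example, which is not Websense code, reads the text of a securewispproxy.ini file and reports which protocols that instance ignores and whether HeartbeatRetryInterval is a valid value. The function names, the sample contents, and the treatment of lines beginning with #, ; or [ as non-settings are assumptions.

```python
"""Audit Remote Filtering Server settings in securewispproxy.ini (added example)."""
import sys

DEFAULT_HEARTBEAT_MIN = 15   # default stated in the help text
MAX_HEARTBEAT_MIN = 1440     # upper bound stated in the help text (24 hours)

# Constructed sample contents, not taken from a real installation.
SAMPLE_INI = """\
; constructed sample
FilterFTP=0
FilterHTTPS=1
HeartbeatRetryInterval=2000
"""


def parse_ini(text):
    """Return {key: value} for key=value lines; a later line overrides an earlier one.

    Assumption: blank lines, [section] headers and lines starting with # or ;
    carry no settings and are skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(text):
    """Return a list of (level, message) findings for one securewispproxy.ini."""
    settings = parse_ini(text)
    findings = []

    # A missing parameter or a value of 1 means the protocol is monitored.
    for key, proto in (("FilterFTP", "FTP"), ("FilterHTTPS", "HTTPS")):
        value = settings.get(key)
        if value in (None, "1"):
            continue
        if value == "0":
            findings.append(
                ("WARN", f"{key}=0: this server ignores {proto} traffic from remote clients"))
        else:
            findings.append(("ERROR", f"{key}={value}: expected 0 or 1"))

    raw = settings.get("HeartbeatRetryInterval")
    if raw is not None:
        try:
            minutes = int(raw)
        except ValueError:
            findings.append(
                ("ERROR", f"HeartbeatRetryInterval={raw}: not a whole number of minutes"))
        else:
            if not 0 <= minutes <= MAX_HEARTBEAT_MIN:
                findings.append(
                    ("ERROR", f"HeartbeatRetryInterval={minutes}: must be between 0 and "
                              f"{MAX_HEARTBEAT_MIN} minutes"))
            elif minutes != DEFAULT_HEARTBEAT_MIN:
                findings.append(
                    ("INFO", f"HeartbeatRetryInterval={minutes}: heartbeat sent every "
                             f"{minutes} minutes instead of the default {DEFAULT_HEARTBEAT_MIN}"))
    return findings


if __name__ == "__main__":
    # Pass the path to securewispproxy.ini, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            contents = handle.read()
    else:
        contents = SAMPLE_INI
    for level, message in audit(contents):
        print(f"{level}: {message}")
```

Run it against the file on each Remote Filtering Server machine, because the settings are per instance.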

Hybrid service management of off-site users


Related topics:

Configuring hybrid filtering for off-site users, page 254

Off-site user self-registration, page 254

In Websense Web Security Gateway Anywhere deployments, the hybrid service can be configured to manage off-site users, regardless of how those users’ requests are handled when they are in-network.

For users whose requests are handled by on-premises components (Filtering Service) when they are inside the network, you can configure the browser PAC file to determine whether the user is in-network or off-site before forwarding an Internet request.

If you are using the PAC file generated by the hybrid service, this configuration occurs automatically based on the settings that you provide in the Web Security manager.

For users managed by the hybrid service both in and outside the network, no PAC file changes are required. When off-site users make an Internet request, they are prompted to log on to the hybrid service so that the appropriate user or group-based policy can be applied.

Important

While you can use remote filtering software for some off-site users and the hybrid service for others, the hybrid service cannot be used to monitor Internet activity for machines that also have Remote Filtering Client installed.

Configuring hybrid filtering for off-site users


To configure the hybrid service to manage users outside a filtered location:

If the hybrid service uses directory data collected by Websense Directory Agent to identify users, you can either configure the hybrid service to automatically create a hybrid logon password for all user accounts sent by Directory Agent (see Send user and group data to the hybrid service, page 231), or you can have users request their own password the first time they connect to the hybrid service from outside a filtered location (see Off-site user self-registration, page 254).

If your organization does not use directory data collected by Directory Agent to identify users connecting to the hybrid service, you can let users self-register for the service. See Configure user access to the hybrid service, page 224.

Once you have established an identification policy for off-site users, mark Enable off-site users on the Settings > Hybrid Configuration > User Access page in the Web Security manager. See Configure user access to the hybrid service, page 224.

Off-site user self-registration


If you are not sending directory service data to the hybrid service (in other words, if you have not enabled Directory Agent), users must self-register in order to be filtered properly when they are off site (outside a filtered location).

In order for users to be allowed to self-register, you must first identify the domains associated with your organization on the Settings > Hybrid Configuration > User Access page in the Web Security manager (see Configure user access to the hybrid service, page 224).


Users connecting to the hybrid service from outside a filtered location are prompted to enter a user name and password, or to register. To register with the hybrid service:

1. The user provides a name and email address.

2. The hybrid service then sends a password to the user via email, along with a link that can be used to change the password.

3. The user clicks the link, and is prompted to enter the password.

4. Registration is complete.

When registered users connect to the hybrid service from outside a filtered location, they enter their email address and password. The hybrid service then applies your organization’s Default policy to their Internet requests.


12

Protect Vital Information


Websense Web Security secures your enterprise from web-based threats, liability issues, and productivity loss. But what if you want—or are required—to protect sensitive data, such as social security numbers or credit card numbers, from leakage over the Web? To protect against such data loss, deploy Websense Web Security Gateway Anywhere. You can also help protect your end users’ mobile devices from potential data loss, the possible theft of intellectual property, and from mobile malware and other threats by deploying Web Security Gateway Anywhere with Websense TRITON Mobile Security.

Protecting against data loss

With Websense Web Security Gateway Anywhere, not only can you protect sensitive data from leakage over the Web, but you can also monitor removable media devices, printers, instant messages, copy/paste operations, or email for such data. To protect against data loss over other channels, in addition to the Web, you can purchase Websense Data Protect, Data Monitor, Data Discover, Data Endpoint, or the full Data Security Suite as add-ons to your web security software.

Websense web and data security solutions interoperate in fundamental ways, giving the data security software access to user information (collected by User Service) and URL categorization information (from the Master Database).

By combining web and data security, you can create data loss prevention (DLP) policies that base rules on URL categories. For example, you can define a rule that credit card numbers cannot be posted to known fraud sites. You can also define rules based on users and computers rather than IP addresses. For example, Jane Doe cannot post financial information to FTP sites.

For an end-to-end description of setting up data loss protection over the Web, see the Deployment and Installation Center. This covers installation, deployment, and configuration of the various components, including Websense Content Gateway.

For instructions on creating data security policies, see the Data Security Help.


Protecting end users’ devices

Websense TRITON Mobile Security protects your end users’ devices from potential data loss and the possible theft of intellectual property, plus from mobile malware, web threats, phishing attacks, spoofing, and more—all of which helps them safely access corporate resources.

When integrated with AirWatch® Mobile Device Management (MDM), you can provision iOS and Android mobile devices to send traffic to Websense Cloud Web Security for analysis and policy enforcement. You can also enroll devices in your enterprise environment quickly, configure and update device settings over the air, create different policies for corporate versus personal devices, and secure mobile devices through actions such as locking and wiping them.

Mobile Integration

If you have Web Security Gateway Anywhere and TRITON Mobile Security, set up this account to integrate with AirWatch Mobile Device Management (MDM) in the Web Security manager of the TRITON console. Go to Settings > Hybrid Configuration > Mobile Integration > Mobile Device Management Account Setup.

TRITON Mobile Security with AirWatch Mobile Device Management is currently a limited-availability feature for a select group of early adopters only. For additional information about this feature, contact your support representative.

1. Select the checkbox Integrate with MDM provider.

Note that unchecking this box and clicking Save Now disables integration between the Websense solution and AirWatch MDM.

2. Enter the API URL and API key. You need to obtain these from the AirWatch Console. See Step 4, Log on to the AirWatch Console in the Getting Started Guide.

For the API URL, remove the “/API” from the end of the URL, so for example, change https://orgname.airwlab.com/API to https://orgname.airwlab.com.

3. Enter the user name and password that you use to log on to your AirWatch administrator account.

Important

If the password for the AirWatch administrator account changes or expires, you must enter the new password on the Mobile Device Management Account Setup page to maintain the integration of AirWatch MDM with the cloud service.

An alternative to using the administrator account is to create a service account in Active Directory with the password set to never expire. Use the logon name and password for this account instead of the AirWatch administrator account logon credentials.

4. Click Save Now.

5. After you click Save Now and the settings are confirmed and saved successfully, this page displays a user name and password that have been automatically generated for your hybrid account, along with a connection URL.

Copy and paste these three items into the VPN connection information section of the AirWatch Console.

Should you need to change the credentials for your hybrid account, for example, if they’ve been compromised, you can generate a new user name and password by clicking Advanced Options and then Generate New User Name and Password.

Important

After clicking Generate New User Name and Password but before clicking Save Now, you must re-enter the password that you use to log on to the AirWatch Console.

You must also enter the new user name and password generated for your hybrid account into the VPN connection information section of the AirWatch Console to maintain the integration of AirWatch MDM with the hybrid solution.

For an overview of the mobile integration process, see the Getting Started Guide.


13

Refine Web Security Policies


At its simplest, Internet access enforcement requires a single policy that applies one category filter and one protocol filter 24 hours a day, 7 days a week. Websense Web Security solutions offer tools, however, for going far beyond this basic safety net, to achieve precisely the level of granularity you need to manage Internet usage. You can:

Create limited access filters to block access to all but a specified list of sites for certain users (see Restricting users to a defined list of URLs, page 261).

Create custom categories to redefine how selected sites are treated (see Working with categories, page 268).

Recategorize URLs to move specific sites from their default, Master Database category to another Websense-defined or custom category (see Reclassifying specific URLs, page 274).

Implement bandwidth restrictions, blocking users from accessing otherwise permitted categories and protocols when bandwidth usage reaches a specified threshold (see Using Bandwidth Optimizer to manage bandwidth, page 284).

In Websense Web Security Gateway Anywhere environments, bandwidth-based restrictions are not enforced for requests managed by the hybrid service.

Define keywords used to block sites in otherwise permitted categories when keyword blocking is enabled and activated (see Keyword-based policy enforcement, page 272).

Define file types used to block the download of selected types of files from otherwise permitted categories when file type blocking is activated (see Managing traffic based on file type, page 287).

Restricting users to a defined list of URLs


Related topics:

Limited access filters and enforcement order, page 262

Creating a limited access filter, page 263

Editing a limited access filter, page 264


Limited access filters provide a very precise method of granting Internet access. Each limited access filter is a list of individual URLs, IP addresses, or regular expressions.

Like category filters, limited access filters are added to policies and enforced during a specified time period. When a limited access filter is active in a policy, users assigned that policy can visit only websites in the list. All other sites are blocked.

For example, if the First Grade policy enforces a limited access filter that includes only certain educational and reference sites, students governed by the First Grade policy can visit only those sites, and no others.

When a limited access filter is active, a block page is returned for any requested URL not included in that filter.

Websense software can support up to 2,500 limited access filters containing 25,000 URLs in total.

Limited access filters and enforcement order


In some cases, more than one policy could apply to a single user. This happens when a user belongs to more than one group, and the groups are governed by different policies.

When multiple group policies apply to a user, the Use more restrictive blocking setting (see Enforcement order, page 97) determines which one is used to respond to the user’s requests. By default, this setting is off.

Filtering Service determines which setting is less restrictive at the filter level. In cases where a user might be assigned to multiple policies, one of which is enforcing a limited access filter, “less restrictive” may sometimes seem counterintuitive.

When Use more restrictive blocking is OFF:

If the Block All category filter and a limited access filter could apply, the limited access filter is always considered less restrictive.

If any other category filter and a limited access filter could apply, the category filter is considered less restrictive.

This means that even when the limited access filter permits the site and the category filter blocks the site, the site is blocked.

When Use more restrictive blocking is ON, a limited access filter is considered more restrictive than any category filter except Block All.


The table below summarizes how the Use more restrictive blocking setting affects policy enforcement when multiple policies could apply:

| | Use more restrictive blocking OFF | Use more restrictive blocking ON |
|---|---|---|
| limited access filter + Block All category filter | limited access filter (request permitted) | Block All (request blocked) |
| limited access filter + permitted category | category filter (request permitted) | limited access filter (request permitted) |
| limited access filter + blocked category | category filter (request blocked) | limited access filter (request permitted) |
| limited access filter + Quota/Confirm category | category filter (request limited by quota/confirm) | limited access filter (request permitted) |

Creating a limited access filter


Related topics:

Working with filters, page 61

Restricting users to a defined list of URLs, page 261

Editing a limited access filter, page 264

Use the Add Limited Access Filter page (accessed via the Filters or Edit Policy page) to give your new filter a unique name and a description. After creating the filter, enter a list of permitted URLs, assign the filter to a policy, and apply the policy to clients.

1. Enter a unique Filter name. The name must be between 1 and 50 characters long, and cannot include any of the following characters:

* < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

Filter names can include spaces, dashes, and apostrophes.

2. Enter a short Description of the filter. This description appears next to the filter name in the Limited Access Filters section of the Filters page, and should explain the filter’s purpose to help administrators manage policies over time.

The character restrictions that apply to filter names also apply to descriptions, with 2 exceptions: descriptions can include periods (.) and commas (,).

3. To see and edit the new filter, click OK. To abandon your changes and return to the Filters page, click Cancel.

When you create a new limited access filter, it is added to the Policy Management > Filters > Limited Access Filters list. Click a filter name to edit the filter.

To finish customizing your new filter, continue with Editing a limited access filter.


Editing a limited access filter


Related topics:

Restricting users to a defined list of URLs, page 261

Limited access filters and enforcement order, page 262

Creating a limited access filter, page 263

Editing a policy, page 95

A limited access filter is a list of URLs, IP addresses, and regular expressions, used to identify specific websites that users can access. When the filter is applied to clients, those clients cannot visit any site that is not in the list.

Important

If a URL permitted by a limited access filter becomes infected with malicious code, as long as Security categories are blocked, user requests for that site are blocked.

For instructions to change this behavior, see Prioritizing Security Risk categorization, page 276.

Use the Policy Management > Filters > Edit Limited Access Filter page to make changes to an existing limited access filter. You can change the filter name and description, see a list of policies that enforce the filter, and manage which URLs, IP addresses, and regular expressions are included in the filter.

When you edit a limited access filter, the changes affect every policy that enforces the filter.

1. Verify the filter name and description. To change the filter name, click Rename, and then enter the new name. The name is updated in all policies that enforce the selected limited access filter.

2. Use the Policies using this filter field to see how many policies currently enforce this filter. If 1 or more policies enforce the filter, click View policies to list them.

3. Under Add or Remove Sites, enter the URLs and IP addresses that you want to add to the limited access filter. IP addresses may use IPv4 or IPv6 format.

Enter one URL or IP address per line.

For HTTP sites, it is not necessary to include the http:// prefix.

When an HTTP site is managed according to its Master Database category, Websense software matches the URL with its equivalent IP address. This is not the case for limited access filters. To permit a website’s URL and IP address, add both to the filter.

For FTP and HTTPS sites, include the prefix and provide the site’s IP address, rather than host (domain) name.

4. Click the right arrow (>) to move the URLs and IP addresses to the Permitted sites list.

5. In addition to adding individual sites to the limited access filter, you can add regular expressions that match multiple sites. To create regular expressions, click Advanced.

Enter one regular expression per line, and then click the right arrow to move the expressions to the Permitted sites list.

To verify that a regular expression matches the intended sites, click Test.

See Using regular expressions, page 296, for detailed information about using regular expressions for policy enforcement.

6. Review the URLs, IP addresses, and regular expressions in the Permitted sites list.

To make changes to a site or expression, select it and click Edit.

To remove a site or expression from the list, select it and click Delete.

7. After editing the filter, click OK to cache your changes and return to the Filters page. Changes are not implemented until you click Save and Deploy.

Adding sites from the Edit Policy page

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Restricting users to a defined list of URLs, page 261

Limited access filters and enforcement order, page 262

Creating a limited access filter, page 263

Editing a policy, page 95

Use the Policies > Edit Policy > Add Sites page to add URLs and IP addresses to a limited access filter.

Enter one URL or IP address per line. If you do not specify a protocol, Websense software automatically adds the http:// prefix.

When you are finished making changes, click OK to return to the Edit Policy page.

You must also click OK on the Edit Policy page to cache the changes. Changes are not implemented until you click Save and Deploy.

Changes made to a limited access filter affect all policies that enforce the filter.


Copying filters and policies to roles

Related topics:

Creating a category filter, page 62

Creating a protocol filter, page 65

Creating a limited access filter, page 263

Creating a policy, page 94

Super Administrators can use the Filters > Copy Filters To Role and Policies > Copy Policies To Role pages to copy one or more filters or policies to a delegated administration role. Once the filter or policy has been copied, delegated administrators can apply the filters or policies to their managed clients.

In the target role, the tag “(Copied)” is added to the end of the filter or policy name. A number is added if the same filter or policy is copied multiple times. For example, “(Copied 2).”

Delegated administrators can rename or edit filters or policies that have been copied to their role.

Category filters copied to a delegated administration role set the action to Permit for custom categories created in the role. Delegated administrators should update the copied category filters to set the desired action for their role-specific custom categories.

Changes made by a delegated administrator to a filter or policy copied to their role by a Super Administrator do not affect the Super Administrator’s original filter or policy, or any other role that received a copy of the filter or policy.

Filter Lock restrictions do not affect the Super Administrator’s original filter or policy, but they do affect the delegated administrator’s copy of the filter or policy.

Because delegated administrators are affected by Filter Lock restrictions, the Permit All category and protocol filters cannot be copied to a delegated administration role.

To copy a filter or policy:

1. On the Copy Filters to Role or Copy Policies to Role page, verify that the correct policies or filters appear in the list at the top of the page.

2. Use the Select a role drop-down list to select a destination role.

3. Click OK.

A popup dialog box indicates that the selected filters or policies are being copied.

The copy process may take a while.

The changes are not implemented until you click Save and Deploy.

After the copy process is complete, the copied filters or policies will be available to delegated administrators in the selected role the next time they log on to the TRITON console. If a delegated administrator is logged on to the role with policy access when the filters or policies are copied, they will not see the new filters or policies until they log off and log on again.

Building filter components


Use the Policy Management > Filter Components page to access tools used to refine and customize the way that Websense software enforces your organization’s Internet access policies. The 3 buttons on the screen are associated with the following tasks:

Edit Categories:

Recategorize a URL (see Reclassifying specific URLs, page 274). For example, if the Shopping category is blocked by your policies, but you want to permit access to specific supplier or partner sites, you could move those sites to a permitted category, like Business and Economy.

Define or edit custom categories (see Creating a custom category, page 271). Create additional subcategories within Websense-defined parent categories, or within the User-Defined parent category, and then assign URLs to the new categories.

Assign keywords to a category (see Keyword-based policy enforcement, page 272). To recategorize and block access to sites whose URLs contain a specific string, first define keywords, and then enable keyword blocking in a category filter.

Create regular expressions (see Using regular expressions, page 296), patterns or templates that can be used to match multiple URLs and assign them to a category.

Edit Protocols:

Create or edit custom protocol definitions (see Creating a custom protocol, page 282, and Editing custom protocols, page 280). For example, if members of your organization use a custom messaging tool, you could create a custom protocol definition to permit use of that tool while blocking other Instant Messaging / Chat protocols.

File Types:

Create or edit file type definitions, used to block files with specific extensions within otherwise permitted categories (see Managing traffic based on file type, page 287).


Working with categories

Related topics:

Editing categories and their attributes, page 268

Creating a custom category, page 271

Keyword-based policy enforcement, page 272

Reclassifying specific URLs, page 274

Websense software provides multiple methods for managing sites that are not in the Master Database, and for changing the way that individual URLs in the Master Database are handled.

Create custom categories for more precise policy enforcement and reporting.

Use recategorized URLs to define categories for uncategorized sites, or to change the category for sites that appear in the Master Database.

Define keywords to recategorize all sites whose URL contains a certain string.

If you want to configure whether or not attempts to access a category are recorded in the Log Database, see Configuring how requests are logged, page 422. If a category is not logged, client requests for that category do not appear in reports.

Editing categories and their attributes

Related topics:

Creating a custom category, page 271

Reviewing all customized category attributes, page 269

Making global category changes, page 270

Keyword-based policy enforcement, page 272

Reclassifying specific URLs, page 274

Use the Policy Management > Filter Components > Edit Categories page to create and modify custom categories, recategorized URLs, and keywords.

The existing categories, both Websense-defined and custom, are listed in the left portion of the content pane. To see current custom settings associated with a category, or to create new custom definitions, first select a category from the list.

To see a list of all custom URLs, keywords, and regular expressions associated with all categories, click View All Custom URLs / Keywords in the toolbar at the top of the page. See Reviewing all customized category attributes, page 269, for more information.

To create a new category, click Add, and then go to Creating a custom category, page 271, for further instructions.

To remove an existing custom category, select the category, and then click Delete.

You cannot delete Websense-defined categories.

To change the name or description of a custom category, select the category and click Rename (see Renaming a custom category, page 270).

To change the action associated with a category in all category filters, click Override Action (see Making global category changes, page 270).

The Recategorized URLs list shows which recategorized sites (URLs and IP addresses) have been assigned to this category.

To add a site to the list, click Add URLs. See Reclassifying specific URLs, page 274, for further instructions.

To change an existing recategorized site, select the URL or IP address, and then click Edit.

The Keywords list shows which keywords have been associated with this category.

To define a keyword associated with the selected category, click Add Keywords. See Keyword-based policy enforcement, page 272, for further instructions.

To change an existing keyword definition, select the keyword, and then click Edit.

In addition to URLs and keywords, you can define Regular Expressions for the category. Each regular expression is a pattern or template used to associate multiple sites with the category.

To see or create regular expressions for the category, click Advanced.

To define a regular expression, click Add Expressions (see Using regular expressions, page 296).

To change an existing regular expression, select the expression, and then click Edit.

To delete a recategorized URL, keyword, or regular expression, select the item to remove, and then click Delete.

When you are finished making changes on the Edit Categories page, click OK to cache the changes and return to the Filter Components page. Changes are not implemented until you click Save and Deploy.

Reviewing all customized category attributes

Use the Filter Components > Edit Categories > View All Custom URLs and Keywords page to review custom URL, keyword, and regular expression definitions.

You can also delete definitions that are no longer needed.


The page contains 3 similar tables, one for each category attribute: custom URLs, keywords, or regular expressions. In each table, the attribute is listed next to the name of the category with which it is associated.

To delete a category attribute, mark the appropriate check box, and then click Delete.

To return to the Edit Categories page, click Close. If you deleted any items on the View All Custom URLs and Keywords page, click OK on the Edit Categories page to cache the changes. Changes are not implemented until you click Save and Deploy.

Making global category changes


Use the Filter Components > Edit Categories > Override Action page to change the action applied to a category in all existing category filters. This also determines the default action applied to the category in new filters.

Although this change overrides the action applied to the category in all existing filters, administrators can later edit those filters to apply a different action.

Before changing the settings applied to a category, first verify that the correct category name appears next to Selected Category. Next, you can:

1. Choose a new Action (Permit, Block, Confirm, or Quota). See Actions, page 58, for more information.

By default, Do not change current settings is selected for all options on the page.

2. Specify whether or not to Block Keywords. See Keyword-based policy enforcement, page 272, for more information.

3. Specify whether or not to Block File Types, and customize blocking settings. See Managing traffic based on file type, page 287, for more information.

4. Specify whether or not to Block with Bandwidth Optimizer to manage access to HTTP sites, and customize blocking settings. See Using Bandwidth Optimizer to manage bandwidth, page 284, for more information.

Important

Changes made here affect every existing category filter, except Block All and Permit All.

5. Click OK to return to the Edit Categories page (see Editing categories and their attributes, page 268). The changes are not cached until you click OK on the Edit Categories page.

Renaming a custom category


Use the Filter Components > Edit Categories > Rename Category page to change the name or description associated with a custom category.


Use the Filter name field to edit the category name. The new name must be unique, and cannot exceed 50 characters.

The name cannot include any of the following characters:

* < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

Use the Description field to edit the category description. The description cannot exceed 255 characters.

The character restrictions that apply to filter names also apply to descriptions, with 2 exceptions: descriptions can include periods (.) and commas (,).

When you are finished making changes, click OK to return to the Edit Categories page. The changes are not cached until you click OK on the Edit Categories page.

Creating a custom category

Related topics:

Editing categories and their attributes, page 268

Keyword-based policy enforcement, page 272

Reclassifying specific URLs, page 274

In addition to using the more than 90 Websense-defined categories in the Master Database, you can define your own custom categories to provide more precise policy enforcement and reporting. For example, create custom categories like:

Business Travel, to group sites from approved vendors that employees can use to buy airplane tickets and make rental car and hotel reservations

Reference Materials, to group online dictionary and encyclopedia sites deemed appropriate for elementary school students

Professional Development, to group training sites and other resources that employees are encouraged to use to build their skills

Use the Policy Management > Filter Components > Edit Categories > Add Category page to add custom categories to any parent category. You can create up to 100 custom categories.

1. Enter a unique, descriptive Category name. The name cannot include any of the following characters:

* < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

2. Enter a Description for the new category.

The character restrictions that apply to filter names also apply to descriptions, with 2 exceptions: descriptions can include periods (.) and commas (,).

3. Select a parent category from the Add to list. By default, All Categories is selected.

4. Enter the sites (URLs or IP addresses) that you want to add to this category. See Reclassifying specific URLs, page 274, for more information.

You can also edit this list after creating the category.

5. Enter the keywords that you want to associate with this category. See Keyword-based policy enforcement, page 272, for more information.

You can also edit this list after creating the category.

6. Define a default Action to apply to this category in all existing category filters.

You can edit this action in individual filters later.

Note

Category filters copied to a delegated administration role set the action to Permit for custom categories created in the role. Delegated administrators should update the copied category filters to set the desired action for their role-specific custom categories.

7. Enable any Advanced Filtering actions (keyword blocking, file type blocking, or bandwidth blocking) that should be applied to this category in all existing category filters.

8. When you are finished defining the new category, click OK to cache changes and return to the Edit Categories page. Changes are not implemented until you click Save and Deploy.

The new category is added to the Categories list and custom URL and keyword information for the category is displayed.

Keyword-based policy enforcement

Related topics:

Reclassifying specific URLs, page 274

Configuring filtering settings, page 69

Creating a category filter, page 62

Editing a category filter, page 63

Working with categories, page 268

Keywords are associated with categories, and then used to offer protection against URLs that have not explicitly been added to the Master Database or defined as a custom URL. Three steps are necessary to enable keyword blocking:

1. Enable keyword blocking at a global level (see Configuring filtering settings, page 69).

2. Define keywords associated with a category (see Defining keywords, page 273).

3. Enable keyword blocking for the category in an active category filter (see Editing a category filter, page 63).

When keywords have been defined and keyword blocking is enabled for a specific category, Websense software tries to match the keyword against each requested URL as follows:

If the keyword contains only ASCII characters, the keyword is matched against the domain, path, and query portions of a URL.

For example, if you associated the keyword “nba” with the permitted Sports category, the following URLs are blocked:

sports.espn.go.com/nba/

modernbakery.com

fashionbar.com

If the keyword contains characters outside the ASCII character set, the keyword is matched against only the path and query portions of the string.

For example, if you associated the keyword “fútbol” with the permitted Sports category:

“www.fútbol.com” is permitted (the domain portion of the URL is not matched)

“es.wikipedia.org/wiki/Fútbol” is blocked (the path portion of the URL is matched)

When a site is blocked by keyword, the site is recategorized according to the keyword match. Reports show the keyword category, rather than the Master Database category, for the site.

Be cautious when defining keywords to avoid unintended overblocking.

Important

Avoid associating keywords with any of the Extended Protection subcategories. Keyword blocking is not enforced for these categories.

When a request is blocked based on a keyword, this is indicated on the Websense block page that the user receives.

Defining keywords

Related topics:

Editing a category filter, page 63

Working with categories, page 268

Keyword-based policy enforcement, page 272

Using regular expressions, page 296

A keyword is a string of characters (like a word, phrase, or acronym) that might be found in a URL. Assign keywords to a category, and then enable keyword blocking in a category filter.

Use the Policy Management > Filter Components > Edit Categories > Add Keywords page to associate keywords with categories. If you need to make changes to a keyword definition, use the Edit Keywords page.

When you define keywords, be cautious to avoid unintended overblocking. You might, for example, intend to use the keyword “sex” to block access to adult sites, but end up blocking search engine requests for words like sextuplets or City of Essex, and sites like msexchange.org (Information Technology), vegasexperience.com (Travel), and sci.esa.int/marsexpress (Educational Institutions).

Enter one keyword per line.

Do not include spaces in keywords. URL and CGI strings do not include spaces between words.

Include a backslash (\) before special characters such as:

. , # ? * +

If you do not include the backslash, Websense software ignores the special character.

Avoid associating keywords with any of the Extended Protection subcategories. Keyword blocking is not enforced for these categories.
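The matching rules under "Keyword-based policy enforcement" and the entry rules above can be checked against a list of known-good URLs before a keyword is deployed. The following is an added example, not Websense code: it approximates the documented behavior, and the case-insensitive substring comparison, the handling of unescaped special characters, and the function names are assumptions of this example.

```python
"""Pre-screen candidate keywords for overblocking before deploying them.

Added example, not Websense code. It approximates the matching rules this
section describes; case-insensitive substring matching is an assumption.
"""
import unicodedata
from urllib.parse import urlsplit

SPECIALS = set(".,#?*+")  # special characters named in "Defining keywords"


def fold(text):
    """Normalize to NFC and lower-case so composed/decomposed forms compare equal."""
    return unicodedata.normalize("NFC", text).lower()


def normalize_keyword(raw):
    """Apply the entry rules: no spaces; a backslash makes a special char literal.

    Assumption: an unescaped special character is dropped, which is how this
    example models "Websense software ignores the special character".
    """
    if any(ch.isspace() for ch in raw):
        raise ValueError(f"keywords must not contain spaces: {raw!r}")
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])  # escaped: keep the next character as-is
            i += 2
            continue
        if ch not in SPECIALS:
            out.append(ch)
        i += 1
    return fold("".join(out))


def split_url(url):
    """Return (domain, path_and_query); http:// is assumed when no scheme is given."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    rest = parts.path + ("?" + parts.query if parts.query else "")
    return fold(parts.hostname or ""), fold(rest)


def keyword_matches(keyword, url):
    """ASCII keywords: domain, path and query. Non-ASCII: path and query only."""
    kw = normalize_keyword(keyword)
    if not kw:
        return False
    domain, rest = split_url(url)
    if kw.isascii():
        return kw in domain or kw in rest
    return kw in rest


def overblock_report(keyword, intended, sample_urls):
    """Split sample URLs hit by the keyword into intended and collateral matches."""
    hits = [u for u in sample_urls if keyword_matches(keyword, u)]
    return {
        "intended": [u for u in hits if u in intended],
        "collateral": [u for u in hits if u not in intended],
    }


# URLs quoted in this section, plus one constructed search request.
SAMPLE_URLS = [
    "sports.espn.go.com/nba/",
    "modernbakery.com",
    "fashionbar.com",
    "www.fútbol.com",
    "es.wikipedia.org/wiki/Fútbol",
    "msexchange.org",
    "vegasexperience.com",
    "sci.esa.int/marsexpress",
    "search.example/results?q=sextuplets",  # constructed
]

if __name__ == "__main__":
    for kw, wanted in (("nba", {"sports.espn.go.com/nba/"}),
                       ("fútbol", set()), ("sex", set())):
        print(kw, overblock_report(kw, wanted, SAMPLE_URLS))
```

Run it with the sites your users legitimately need as the sample list; any URL reported as collateral would be recategorized and blocked by that keyword.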

When you are finished adding or editing keywords, click OK to cache your changes and return to the Edit Categories page. Changes are not implemented until you click Save and Deploy.

In order for keyword blocking to be enforced, you must also:

1. Enable keyword blocking via the Settings > General > Filtering page (see Configuring filtering settings, page 69).

2. Enable keyword blocking in one or more active category filters (see Editing a category filter, page 63).

Reclassifying specific URLs

Related topics:

Exceptions to Policies, page 105

Creating a custom category, page 271

Keyword-based policy enforcement, page 272

You can use the Web Security manager to change the category assigned to a URL.

URLs that have been added to a new category are called custom URLs or recategorized URLs.

Use the Policy Management > Filter Components > Edit Categories > Recategorize URLs page to add sites to a new category.

Make changes to existing recategorized sites on the Edit URLs page.

To change the category of a URL, you can add it to:

A different Websense-defined category

Any custom category (see Creating a custom category, page 271)

A recategorized URL is not blocked by default. It is filtered according to the action applied to its new category in each active category filter.

Important

If a site is recategorized into a permitted category, and later becomes infected with malicious code, as long as Security categories are blocked, user requests for that site are blocked.

For instructions to change this behavior, see Prioritizing Security Risk categorization, page 276.

When you recategorize sites:

Enter each URL or IP address on a separate line.

If a site can be accessed via multiple URLs, define each URL that can be used to access the site as a custom URL to ensure that the site is permitted or blocked as intended.

With recategorized URLs, the URL is not automatically matched to its equivalent IP address. To ensure that a request for a site is handled properly, specify both its URL and IP address.

Include the protocol for any non-HTTP site. If the protocol is omitted, Websense software filters the site as an HTTP site.

For HTTPS sites, also include the port number (https://63.212.171.196:443/, https://www.onlinebanking.com:443/).

Websense software recognizes custom URLs exactly as they are entered. If the Search Engines and Portals category is blocked, but you recategorize www.yahoo.com in a permitted category, the site is permitted only if users type the full address. If a user types images.search.yahoo.com, or just yahoo.com, the site is still blocked. If you recategorize yahoo.com, however, all sites with yahoo.com in the address are permitted.

When you are finished adding or editing recategorized sites, click OK to return to the Edit Categories page. You must also click OK on the Edit Categories page to cache your changes. Changes are not implemented until you click Save and Deploy.

Websense software looks for custom URL definitions for a site before consulting the Master Database, and therefore filters the site according to the category assigned to the recategorized URL.

After saving recategorized URLs, use the URL Category tool in the right shortcut pane to verify that the site is assigned to the correct category. See Using the Toolbox to verify policy enforcement behavior, page 296.

Prioritizing Security Risk categorization


By default, when a site is categorized in a Security Risk category, the site is filtered based on its Security Risk classification, even when the site:

Is added as a recategorized URL in a permitted category

Appears in a limited access filter

Note

Although the Extended Protection categories are default members of the Security Risk class, because they group sites that are still being analyzed, they receive lower prioritization than other categories. As a result, custom categorization always takes precedence over Extended Protection categorization.

When Filtering Service or the hybrid service assigns a site to a Security Risk class category (based on Master Database category or Content Gateway analysis):

If a category filter is in effect, and the security-related category is blocked, the site is blocked.

If a limited access filter is in effect, the site is blocked.

Configure which categories are part of the Security Risk class on the Settings > General > Risk Classes page in the Web Security manager.

If you want to always filter based on custom categorization, regardless of whether a site appears in a Security Risk category (like Malicious Web Sites or Spyware):

1. Navigate to the Websense bin directory on the Filtering Service machine (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default) and open the eimserver.ini file in a text editor.

2. Navigate to the [FilteringManager] section and add the following line:

SecurityCategoryOverride=OFF

3. Save and close the file.

4. Restart Filtering Service.

Windows: Use the Services tool to restart Websense Filtering Service.

Linux: Use the /opt/Websense/WebsenseDaemonControl command to stop and then start Filtering Service.

In Websense Web Security Gateway Anywhere environments, you can also disable this feature for the hybrid service:

1. Navigate to the Websense bin directory on the Sync Service machine (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default) and open the syncservice.ini file in a text editor.

2. If it does not already exist, add a section called [hybrid], and then add the SecurityCategoryOverride parameter, as shown here:

[hybrid]

SecurityCategoryOverride=false

3. Save and close the file.

4. Restart Sync Service.

Windows: Use the Services tool to restart Websense Sync Service.

Linux: Use the /opt/Websense/WebsenseDaemonControl command to stop and then start Sync Service.

Blocking posts to sites in some categories

By default, if users are permitted access to a category, like Message Boards and Forums, they can both view and post to sites in the category.

You can configure Websense software to block posting to sites in specific categories using the BlockMessageBoardPosts configuration parameter.

If the parameter is set to ON, users are blocked from posting only to sites in the Message Boards and Forums category.

The parameter can also take a comma-separated list of category identifiers (in the form 112,122,151). In this case, users are blocked from posting to sites in any of the listed categories.

To enable this feature for on-premises components:

1. Navigate to the Websense bin directory on the Filtering Service machine (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default) and open the eimserver.ini file in a text editor.

2. Navigate to the [WebsenseServer] section and add the following line:

BlockMessageBoardPosts=<value>

Here, <value> can be either ON or a comma-separated list of category identifiers.

3. Save and close the file.

4. Restart Filtering Service.

Windows: Use the Services tool to restart Websense Filtering Service.

Linux: Use the /opt/Websense/WebsenseDaemonControl command to stop and then start Filtering Service.

In Websense Web Security Gateway Anywhere environments, to enable this feature for the hybrid service:

1. Navigate to the Websense bin directory on the Sync Service machine (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default) and open the syncservice.ini file in a text editor.

2. If it does not already exist, add a section called [hybrid], and then add the BlockMessageBoardPosts parameter, as shown here:

[hybrid]

BlockMessageBoardPosts=<value>

Here, <value> is a comma-separated list of category identifiers.

3. Save and close the file.

4. Restart Sync Service.

Windows: Use the Services tool to restart Websense Sync Service.

Linux: Use the /opt/Websense/WebsenseDaemonControl command to stop and then start Sync Service.
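Because SecurityCategoryOverride (under "Prioritizing Security Risk categorization") and BlockMessageBoardPosts are set by hand in .ini files, a periodic check helps confirm that each file still holds only the values documented above. The following is an added example, not Websense code: the sample file contents are constructed, and the function names and the lenient parsing options are assumptions of this example.

```python
"""Audit the two hand-edited parameters this section adds to Websense .ini files.

Added example, not Websense code. The file contents below are constructed
samples; on a real machine read eimserver.ini / syncservice.ini from the
Websense bin directory instead.
"""
import configparser

EIMSERVER_INI = """\
[WebsenseServer]
BlockMessageBoardPosts=112,122,151

[FilteringManager]
SecurityCategoryOverride=OFF
"""

SYNCSERVICE_INI = """\
[hybrid]
SecurityCategoryOverride=false
BlockMessageBoardPosts=ON
"""

# override: (section, value that turns Security Risk prioritization off)
# posts:    (section, whether the page documents "ON" for this file)
FILE_RULES = {
    "eimserver.ini": {"override": ("FilteringManager", "OFF"),
                      "posts": ("WebsenseServer", True)},
    "syncservice.ini": {"override": ("hybrid", "false"),
                        "posts": ("hybrid", False)},
}


def load_ini(text):
    # Lenient parsing is an assumption: real files may hold duplicate or bare keys.
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    allow_no_value=True)
    cfg.read_string(text)
    return cfg


def override_state(cfg, section, disable_value):
    """'default' (Security Risk wins), 'disabled', or 'unrecognized' for review."""
    if not cfg.has_option(section, "SecurityCategoryOverride"):
        return "default"
    value = (cfg.get(section, "SecurityCategoryOverride") or "").strip()
    return "disabled" if value == disable_value else "unrecognized"


def post_blocking(cfg, section, on_documented):
    """Return (mode, category_ids) for BlockMessageBoardPosts."""
    if not cfg.has_option(section, "BlockMessageBoardPosts"):
        return ("not set", [])
    value = (cfg.get(section, "BlockMessageBoardPosts") or "").strip()
    if value == "ON":
        return ("message boards only" if on_documented else "undocumented", [])
    ids = [p.strip() for p in value.split(",")]
    if all(p.isascii() and p.isdigit() for p in ids):
        return ("category list", [int(p) for p in ids])
    return ("invalid", [])


def audit(filename, text):
    """Return the findings a reviewer should see for one file."""
    rules = FILE_RULES[filename]
    cfg = load_ini(text)
    findings = []
    state = override_state(cfg, *rules["override"])
    if state == "disabled":
        findings.append(f"{filename}: custom categorization overrides "
                        "Security Risk categories")
    elif state == "unrecognized":
        findings.append(f"{filename}: SecurityCategoryOverride has a value "
                        "this page does not document")
    mode, ids = post_blocking(cfg, *rules["posts"])
    if mode in ("undocumented", "invalid"):
        findings.append(f"{filename}: BlockMessageBoardPosts value is {mode} "
                        "for this file")
    elif mode != "not set":
        detail = f" {ids}" if ids else ""
        findings.append(f"{filename}: posting blocked ({mode}){detail}")
    return findings


if __name__ == "__main__":
    for name, text in (("eimserver.ini", EIMSERVER_INI),
                       ("syncservice.ini", SYNCSERVICE_INI)):
        for line in audit(name, text):
            print(line)
```

A "disabled" finding means sites in Security Risk categories are filtered by their custom categorization in that component, so it is worth confirming that the change was intended.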

Working with protocols


The Websense Master database includes protocol definitions used to filter Internet protocols other than HTTP, HTTPS and FTP. These definitions include Internet applications and data transfer methods such as those used for instant messaging, streaming media, file sharing, file transfer, Internet mail, and other network and database operations.

These protocol definitions can even be used to filter protocols or applications that bypass a firewall by tunneling through ports normally used by HTTP traffic. Instant messaging data, for example, can enter a network whose firewall blocks instant messaging protocols by tunneling through HTTP ports. Websense software accurately identifies these protocols, and filters them according to policies you configure.

Note

In Websense Web Filter and Websense Web Security deployments, Network Agent must be installed to enable protocol-based policy enforcement.

With Websense Web Security Gateway, it is possible to filter non-HTTP protocols that tunnel over HTTP ports without using Network Agent. See Tunneled protocol detection, page 194, for more information.

In addition to using Websense-defined protocol definitions, you can define custom protocols. Custom protocol definitions can be based on IP addresses or port numbers, and can be edited.

To block traffic over a specific port, associate that port number with a custom protocol, and then assign that protocol a default action of Block.

To work with custom protocol definitions, go to Policy Management > Filter Components, and then click Protocols. See Editing custom protocols, page 280, and Creating a custom protocol, page 282, for details.

Protocol-based policy enforcement

Related topics:

Working with protocols, page 278

Editing custom protocols, page 280

Creating a custom protocol, page 282

Adding or editing protocol identifiers, page 280

Adding to a Websense-defined protocol, page 284

When Network Agent is installed or with a Websense Web Security Gateway deployment, Websense software can block Internet content transmitted over particular ports, or using specific IP addresses, or marked by certain signatures, regardless of the nature of the data. By default, blocking a port intercepts all Internet content entering your network over that port, regardless of source.

Note

Occasionally, internal network traffic sent over a particular port may not be blocked, even though the protocol using that port is blocked. The protocol may send data via an internal server more quickly than Network Agent can capture and process the data. This does not occur with data originating outside the network.

When a protocol request is made, Web Security solutions use the following steps to determine whether to block or permit the request:

1. Determine the protocol (or Internet application) name.

2. Identify the protocol based on the request destination address.

3. Search for related port numbers or IP addresses in custom protocol definitions.

4. Search for related port numbers, IP addresses, or signatures in Websense-defined protocol definitions.

If any of this information cannot be determined, all content associated with the protocol is permitted.

If the protocol is FTP, HTTPS, or gopher, a check is first performed to see if the protocol is blocked. If the protocol is permitted, Filtering Service performs a URL lookup to see if the requested site is permitted or blocked.

Editing custom protocols

Related topics:

Working with protocols, page 278

Creating a custom protocol, page 282

Creating a protocol filter

Editing a protocol filter

Working with categories

Use the Policy Management > Filter Components > Edit Protocols page to create and edit custom protocol definitions, and to review Websense-defined protocol definitions. Websense-defined protocols cannot be edited.

The Protocols list includes all custom and Websense-defined protocols. Click on a protocol or protocol group to get information about the selected item in the right-hand portion of the content pane.

To add a new, custom protocol, click Add Protocol, and then continue with Creating a custom protocol, page 282.

To edit a protocol definition:

1. Select the protocol in the Protocols list. The protocol definition appears to the right of the list.

2. Click Override Action to change the action applied to this protocol in all protocol filters (see Making global protocol changes, page 282).

3. Click Add Identifier to define additional protocol identifiers for this protocol (see Adding or editing protocol identifiers, page 280).

4. Select an identifier in the list, and then click Edit to make changes to the Port, IP Address Range, or Transport Method defined by that identifier.

5. When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

To delete a protocol definition, select an item in the Protocols list, and then click Delete.

Adding or editing protocol identifiers

Use the Filter Components > Edit Protocols > Add Protocol Identifier page to define additional protocol identifiers for an existing custom protocol. Use the Edit Protocol Identifier page to make changes to a previously-defined identifier.

Before creating or changing an identifier, verify that the correct protocol name appears next to Selected Protocol.

When working with protocol identifiers, remember that at least one criterion (port, IP address or transport type) must be unique for each protocol.

1. Specify which Ports are included in this identifier.

• If you select All Ports, that criterion overlaps with other ports or IP addresses entered in other protocol definitions.

• Port ranges are not considered unique if they overlap. For example, the port range 80-6000 overlaps with the range 4000-9000.

• Use caution when defining a protocol on port 80 or 8080. Network Agent listens for Internet requests over these ports.

You can configure Network Agent to ignore these ports in conjunction with a Websense Web Security Gateway deployment.

Since custom protocols take precedence over Websense protocols, if you define a custom protocol using port 80, all other protocols that use port 80 are filtered and logged like the custom protocol.

2. Specify which IP Addresses are included in this identifier.

• If you select All external IP addresses, that criterion overlaps with any other IP addresses entered in other protocol definitions.

• IP address ranges are not considered unique if they overlap.

3. Specify which Protocol Transport method is included in this identifier.

4. Click OK to cache your changes and return to the Edit Protocols page. Changes are not implemented until you click Save and Deploy.

Renaming a custom protocol


Use the Filter Components > Edit Protocols > Rename Protocol page to change the name of a custom protocol, or move it to a different protocol group.

Use the Name field to edit the protocol name. The new name cannot exceed 50 characters.

The name cannot include any of the following characters:

* < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

To move the protocol to a different protocol group, select the new group from the In group field.

When you are finished making changes, click OK to return to the Edit Protocols page.

You must also click OK on the Edit Protocols page to cache the changes.

Making global protocol changes


Use the Filter Components > Edit Protocols > Override Action page to change the way a protocol is filtered in all existing protocol filters. This also determines the default action applied to the protocol in new filters.

Although this change overrides the action applied in all existing protocol filters, administrators can later edit those filters to apply a different action.

1. Verify that the correct protocol name appears next to Selected Protocol.

2. Select a new Action (Permit or Block) to apply to this protocol. By default, No change is selected. See Actions, page 58, for more information.

3. Specify new Logging options. Protocol traffic must be logged to appear in reports and enable protocol usage alerts.

4. Specify whether or not Bandwidth Optimizer is used to manage access to this protocol. See Using Bandwidth Optimizer to manage bandwidth, page 284, for more information.

Important

Changes made here affect every existing protocol filter, except Block All and Permit All.

5. When you are finished, click OK to return to the Edit Protocols page (see Editing custom protocols, page 280). You must also click OK on the Edit Protocols page to cache the changes.

Creating a custom protocol

Related topics:

Working with protocols, page 278

Protocol-based policy enforcement, page 279

Editing custom protocols, page 280

Adding to a Websense-defined protocol, page 284

Use the Filter Components > Protocols > Add Protocol page to define a new, custom protocol.

1. Enter a Name for the protocol.

The name cannot include any of the following characters:

* < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

A custom protocol can be assigned the same name as a Websense-defined protocol, in order to extend the number of IP addresses or ports associated with the original protocol. See Adding to a Websense-defined protocol, page 284, for more information.

2. Expand the Add protocol to this group drop-down list, and then select a protocol group. The new protocol appears in this group in all protocol lists and filters.

3. Define a unique Protocol Identifier (set of ports, IP addresses, and transport methods) for this group. You can add additional identifiers later, from the Edit Protocols page.

Follow these guidelines for creating protocol identifiers:

• At least one criterion (port, IP address or transport type) must be unique for each protocol definition.

• If you select All Ports or All external IP addresses, that criterion overlaps with any other ports or IP addresses entered in other protocol definitions.

• Port ranges or IP address ranges are not considered unique if they overlap. For example, the port range 80-6000 overlaps with the range 4000-9000.

Note

Use caution when defining a protocol on port 80 or 8080. Network Agent listens for Internet requests over these ports. (In Websense Web Security Gateway deployments, you can configure Network Agent to ignore these ports.)

Since custom protocols take precedence over Websense protocols, if you define a custom protocol using port 80, all other protocols that use port 80 are filtered and logged like the custom protocol.

The following tables provide examples of valid and invalid protocol definitions:

Port    IP Address    Transport Method
70      ANY           TCP
90      ANY           TCP
Accepted combination? Yes - the port number makes each protocol identifier unique.

Port    IP Address    Transport Method
70      ANY           TCP
70      10.2.1.201    TCP
Accepted combination? No - the IP addresses are not unique. 10.2.1.201 is included in the “ANY” set.

Port    IP Address    Transport Method
70      10.2.3.212    TCP
70      10.2.1.201    TCP
Accepted combination? Yes - the IP addresses are unique.

4. Under Default Filtering Action, specify the default action (Permit or Block) that should be applied to this protocol in all active protocol filters:

• Indicate whether traffic using this protocol should be Logged. Protocol traffic must be logged to appear in reports and enable protocol usage alerts.

• Indicate whether access to this protocol should be regulated by Bandwidth Optimizer (see Using Bandwidth Optimizer to manage bandwidth, page 284).

5. When you are finished, click OK to return to the Edit Protocols page. The new protocol definition appears in the Protocols list.

6. Click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.
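The uniqueness rule from step 3 can be checked on paper before identifiers are entered in the manager. The following is an added example, not Websense code: the Identifier class, the ANY encoding, and the protocol names are assumptions made for illustration, and the sample data reproduces the three tables above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from itertools import combinations
from typing import List, Optional, Tuple

ANY = None  # assumed encoding of "All Ports" / "All external IP addresses"


@dataclass(frozen=True)
class Identifier:
    """One protocol identifier: ports, IP addresses, transport method."""
    protocol: str                        # custom protocol name (hypothetical)
    ports: Optional[Tuple[int, int]]     # inclusive (low, high), or ANY
    ips: Optional[Tuple[str, str]]       # inclusive (first, last), or ANY
    transport: str                       # "TCP" or "UDP"


def port(n: int) -> Tuple[int, int]:
    """A single port expressed as a one-element range."""
    return (n, n)


def host(ip: str) -> Tuple[str, str]:
    """A single IP address expressed as a one-element range."""
    return (ip, ip)


def ports_overlap(a, b) -> bool:
    # "All Ports" overlaps with every other port entry.
    if a is ANY or b is ANY:
        return True
    return a[0] <= b[1] and b[0] <= a[1]


def ips_overlap(a, b) -> bool:
    # "All external IP addresses" overlaps with every other IP entry.
    if a is ANY or b is ANY:
        return True
    a_lo, a_hi = (int(IPv4Address(x)) for x in a)
    b_lo, b_hi = (int(IPv4Address(x)) for x in b)
    return a_lo <= b_hi and b_lo <= a_hi


def unique_criteria(x: Identifier, y: Identifier) -> List[str]:
    """Criteria that distinguish x from y; an empty list means a conflict."""
    unique = []
    if not ports_overlap(x.ports, y.ports):
        unique.append("port")
    if not ips_overlap(x.ips, y.ips):
        unique.append("ip")
    if x.transport != y.transport:
        unique.append("transport")
    return unique


def find_conflicts(identifiers) -> List[Tuple[str, str]]:
    """Pairs of identifiers with no unique criterion between them."""
    return [(x.protocol, y.protocol)
            for x, y in combinations(identifiers, 2)
            if not unique_criteria(x, y)]


def touches_http_ports(ident: Identifier) -> bool:
    """True if the identifier covers port 80 or 8080 (see the Note above)."""
    return any(ports_overlap(ident.ports, port(p)) for p in (80, 8080))


# The three example tables from this page.
TABLE_1 = [Identifier("custom_a", port(70), ANY, "TCP"),
           Identifier("custom_b", port(90), ANY, "TCP")]
TABLE_2 = [Identifier("custom_a", port(70), ANY, "TCP"),
           Identifier("custom_b", port(70), host("10.2.1.201"), "TCP")]
TABLE_3 = [Identifier("custom_a", port(70), host("10.2.3.212"), "TCP"),
           Identifier("custom_b", port(70), host("10.2.1.201"), "TCP")]

if __name__ == "__main__":
    for name, table in (("1", TABLE_1), ("2", TABLE_2), ("3", TABLE_3)):
        conflicts = find_conflicts(table)
        print("Table", name, "accepted" if not conflicts else conflicts)
```

An identifier for which touches_http_ports returns True deserves a second look, because a custom protocol on port 80 takes precedence over every Websense-defined protocol on that port.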

Adding to a Websense-defined protocol

You cannot add a port number or IP address directly to a Websense-defined protocol.

You can, however, create a custom protocol with the same name as the Websense-defined protocol, and then add ports or IP addresses to its definition.

When a custom protocol and a Websense-defined protocol have the same name, Websense software looks for protocol traffic at the ports and IP addresses specified in both definitions.

In reports, custom protocol names have a “C_” prefix. For example, if you created a custom protocol for SQL_NET and specified additional port numbers, reports display C_SQL_NET when the protocol uses the port numbers in the custom protocol.

Using Bandwidth Optimizer to manage bandwidth

Related topics:

Working with categories, page 268

Working with protocols, page 278

Configuring the default Bandwidth Optimizer limits, page 286

When you create a category or protocol filter, you can elect to limit access to a category or protocol based on bandwidth usage.

• Block access to categories or protocols based on total network bandwidth usage.

• Block access to categories based on total bandwidth usage by HTTP traffic.

• Block access to a specific protocol based on bandwidth usage by that protocol.

Note

If you have Websense Web Security Gateway Anywhere, be aware that the hybrid service does not enforce bandwidth-based restrictions.

For example:

Block the AOL Instant Messaging protocol if total network bandwidth usage exceeds 50% of available bandwidth, or if current bandwidth usage for AIM exceeds 10% of the total network bandwidth.

Block the Sports category when total network bandwidth usage reaches 75%, or when bandwidth usage by all HTTP traffic reaches 60% of available network bandwidth.

Protocol bandwidth usage includes traffic over all ports, IP addresses, or signatures defined for the protocol. This means that if a protocol or Internet application uses multiple ports for data transfer, traffic across all of the ports included in the protocol definition is counted toward that protocol’s bandwidth usage total. If an Internet application uses a port not included in the protocol definition, however, traffic over that port is not included in bandwidth usage measurements.

Websense software records bandwidth used by filtered TCP- and UDP-based protocols.

Websense, Inc., updates Websense protocol definitions regularly to ensure bandwidth measurement accuracy.

Network Agent sends network bandwidth data to Filtering Service at a predetermined interval. This ensures that Websense software accurately monitors bandwidth usage, and receives measurements that are closest to an average.

In a Websense Web Security Gateway deployment, Content Gateway collects bandwidth data for FTP, HTTP, and, when enabled, the individual protocols that tunnel over HTTP (see Tunneled protocol detection, page 194). Measurement and reporting parallel that used by Network Agent. You can specify that this data be used to determine bandwidth-based policy enforcement for protocols in the Bandwidth Optimizer settings.

1. In the Web Security manager, go to Settings > General > Filtering.

2. Select the Bandwidth Monitoring check box.

3. When you are finished, click OK to cache your change. Changes are not implemented until you click Save and Deploy.

When bandwidth options are active, enforcement starts 10 minutes after initial configuration, and 10 minutes after each Websense Policy Server restart. This delay ensures accurate measurement of bandwidth data.

When a request is blocked based on bandwidth limitations, the Websense block page displays this information in the Reason field. For more information, see Block Pages, page 117.

Configuring the default Bandwidth Optimizer limits

Related topics:

Editing a category filter, page 63

Editing a protocol filter, page 65

Using Bandwidth Optimizer to manage bandwidth, page 284

Before specifying bandwidth settings in policies, verify the default bandwidth thresholds that trigger bandwidth-based enforcement:

Default bandwidth for network: 50%

Default bandwidth per protocol: 20%

Default bandwidth values are stored by Policy Server, and enforced by all associated instances of Network Agent.

To change the default bandwidth values:

1. In the Web Security manager, go to Settings > General > Filtering.

2. Enter the bandwidth usage thresholds that will trigger bandwidth-based enforcement, when enabled.

• When a category or protocol is blocked based on traffic for the entire network, Default bandwidth for network defines the default threshold.

• When a category or protocol is blocked based on traffic for the protocol, the Default bandwidth per protocol defines the default threshold.

You can override the default threshold values for each category or protocol in any category or protocol filter.

3. When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Any changes to the defaults have the potential to affect any category and protocol filters that enforce Bandwidth Optimizer restrictions.

To manage bandwidth usage associated with a particular protocol, edit the active protocol filter or filters.

To manage bandwidth usage associated with a particular URL category, edit the appropriate category filter or filters.

When you filter categories based on HTTP bandwidth usage, Websense software measures total HTTP bandwidth usage over all ports specified as HTTP ports for Websense software.

Managing traffic based on file type

Related topics:

Enforcement based on file extension, page 288

Enforcement based on file analysis, page 291

Working with file type definitions, page 293

Adding custom file types, page 294

Adding file extensions to a file type, page 294

When you create or edit a category filter, you can configure file type blocking for permitted categories. This allows your organization to restrict access to particular file types from websites in some or all permitted categories. For example, you could permit the category Sports, but block multimedia (audio and video) files from sites in the Sports category.

How file type blocking is implemented depends on your Websense Web security solution.

Websense Web Filter and Websense Web Security (no Content Gateway or hybrid service proxy) allow you to block file types based solely on file extension (see Enforcement based on file extension, page 288).

For example:

1. The General Email category is permitted in the active category filter, but file type blocking is enabled for Compressed Files in the category.

2. An end user attempts to download a file with a .zip extension (like “myfile.zip”).

3. The user receives a block page indicating that the download was blocked by file type, because the “.zip” file extension is associated with the Compressed Files file type.

Websense Web Security Gateway and Gateway Anywhere (which include Content Gateway and the hybrid service) enable 2-part file type blocking, based on a combination of file extension (see Enforcement based on file extension, page 288) and analysis of requested files (see Enforcement based on file analysis, page 291).

For example:

1. The General Email category is permitted in the active category filter, but file type blocking is enabled for Compressed Files in the category.

2. An end user attempts to download a file with a .zip extension (like “myfile.zip”).

3. The user receives a block page indicating that the download was blocked by file type, because the “.zip” file extension is associated with the Compressed Files file type.

4. The user attempts to download another file from email. This file does not have a known file extension (for example, “myfile.111”).

5. The file is scanned to find its file type.

• If analysis determines that the file is in a compressed format, the user receives a block page indicating that the download is blocked by file type.

• If analysis determines that the file is not compressed, the download request is permitted.

Combine protocol-based policy enforcement with file type enforcement to better manage Internet audio and video media. Protocol filters handle streaming media, while file type enforcement handles files that can be downloaded and then played.

Enforcement based on file extension

Related topics:

Enabling file type blocking in a category filter, page 292

Working with file type definitions, page 293

Adding custom file types, page 294

Adding file extensions to a file type, page 294

When a user requests a URL in a permitted category for which file type blocking is enabled, Filtering Service checks the files associated with the URL to see if any of them has a file extension that is assigned to a blocked file type. If so, the request is blocked, and the user receives a block page that indicates that the request was blocked by file type.

If the file extension is not associated with a blocked file type, what happens next depends on your Web security solution:

• Websense Web Security and Web Filter: The file is permitted.

• Websense Web Security Gateway and Gateway Anywhere: The file is analyzed to determine its true file type, and permitted or blocked based on that analysis (see Enforcement based on file analysis, page 291).

Several predefined file types (groups of file extensions) are included with the product.

These file type definitions are maintained in the Master Database, and may be changed as part of the Master Database update process.

You can filter using predefined file types, modify the existing file type definitions, or create new file types. You cannot, however, delete Websense-defined file types, or delete the file extensions associated with them.

Any of the file extensions associated with a Websense-defined file type can be added to a custom file type. The file extension is then filtered and logged according to the settings associated with the custom file type.

File type definitions may contain as many or as few file extensions as are useful for enforcement purposes. Pre-defined file types, for example, include the following file extensions:

File Type: Associated Extensions

Compressed files: .ace, .arc, .arj, .b64, .bhx, .cab, .gz, .gzip, .hqx, .iso, .jar, .lzh, .mim, .rar, tar, taz, .tgz, .tz, .uu, .uue, .xxe, .z, .zip

Documents: .ade, .adp, .asd, .cwk, .doc, .docx, .dot, .dotm, .dotx, .grv, .iaf, .lit, .lwp, .maf, .mam, .maq, .mar, .mat, .mda, .mdb, .mde, .mdt, .mdw, .mpd, .mpp, .mpt, .msg, .oab, .obi, .oft, .olm, .one, .ops, .ost, .pa, .pdf, .pip, .pot, .potm, .potx, .ppa, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .pst, .pub, .puz, .sldm, .sldx, .snp, .svd, .thmx, .vdx, .vsd, .vss, .vst, .vsx, .vtx, .wbk, .wks, .wll, .wri, .xar, .xl, .xla, .xlb, .xlc, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xsf, .xsn

Executables: .bat, .exe

Images: .bmp, .cmu, .djvu, .emf, .fbm, .fits, .gif, .icb, .ico, .jpeg, .jpg, .mgr, .miff, .pbf, .pbm, .pcx, .pdd, .pds, .pix, .png, .psb, .psd, .psp, .rle, .sgi, .sir, .targa, .tga, .tif, .tiff, .tpic, .vda, .vst, .zif

Multimedia: .aif, .aifc, .aiff, .asf, .asx, .avi, .ivf, .m1v, .m3u, .mid, .midi, .mov, .mp2, .mp2v, .mp3, .mpa, .mpe, .mpg, .mpv2, .ogg, .qt, .ra, .ram, .rmi, .snd, .wav, .wax, .wm, .wma, .wmp, .wmv, .wmx, .wxv

Rich Internet Applications: .swf

Text: .htm, .html, .txt, .xht, .xhtml, .xml

Threats: .vbs, .wmf

When a user requests a site, Websense software:

1. Determines the URL category.

2. Checks the file extension.

3. (Websense Web Security Gateway and Gateway Anywhere) If not blocked by extension, the file is analyzed to find its true file type.

Note

When multiple group policies could apply to a user request, file type blocking is not performed.

When a user tries to access a blocked file type, the Reason field on the Websense block page indicates that the file type was blocked (see Block Pages, page 117).

The standard block page is not displayed if a blocked image comprises just a portion of a permitted page. Instead, the image region appears blank. This avoids the possibility of displaying a small portion of a block page in multiple locations on an otherwise permitted page.

To view existing file type definitions, edit file types, or create custom file types for enforcement by extension, go to Policy Management > Filter Components, and then click File Types. See Working with file type definitions, page 293, for more information.

To enable file type blocking, see Enabling file type blocking in a category filter, page 292.

Enforcement based on file analysis

Related topics:

Enabling file type blocking in a category filter, page 292

Security threats: File analysis, page 196

If user traffic passes through Websense Content Gateway or the hybrid service, requested files are analyzed to define their type when all of the following are true:

1. A user requests a URL in a permitted category.

2. File type blocking is enabled for the category in the active category filter.

3. There is no file extension match in a blocked file type (see Enforcement based on file extension, page 288).

In this case, the file type returned for policy enforcement describes the purpose or behavior of similar files, independent of extension. So attempts to disguise an executable by giving it a “.txt” or other innocuous file extension are prevented by file type analysis.

File type definitions are maintained in the analytics databases, and may be changed as part of the Content Gateway database or hybrid service update process.

The file types identified by file analysis are:

File Type: Description

Compressed files: Files that have been packaged to take up less space, like ZIP, RAR, or JAR archives.

Documents: Binary document formats, like DOCX or PDF.

Executables: Programs that can be run on your machine, like EXE or BAT files.

Images: Picture formats, like JPG, BMP, and GIF.

Multimedia: Audiovisual formats, like MP3, WMV, and MOV.

Rich Internet Applications: Web applications that run in a browser, like Flash.

Text: Unformatted textual material, like HTML and TXT files.

Threats: Malicious applications that could harm your machine or network, like spyware, worms, or viruses.

When a user requests a site, Websense Web Security Gateway solutions first determine the site category, and then check for filtered file types (first by extension, then by analysis).

Note

When multiple group policies could apply to a user request, file type blocking is not performed.

Starting in v7.8.3, if compressed files are permitted, when a compressed file is selected for download, its contents are analyzed. Policy enforcement is then based on the file type assigned to the content of the compressed archive. For example, if compressed files are permitted, but executable files are blocked, when a user attempts to download a compressed file, the contained files are analyzed. If the compressed file contains an executable file, the download is blocked based on the executable file type.

Or if the compressed file contains a file that is determined to be malicious, the download is blocked.

Note

The .xz file format is not supported for compressed file analysis.
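The decision order described in this section (extension first, then analysis, then the contents of a permitted archive) can be sketched as follows. This is an added example, not Websense code: the signature table is a constructed stand-in for the product's file analysis, the function names are hypothetical, and only ZIP archives are opened.

```python
import io
import os
import zipfile

# Extension groups: a subset of the predefined file types listed in this help.
EXTENSION_TYPES = {
    "Compressed files": {".gz", ".jar", ".rar", ".tgz", ".zip"},
    "Executables": {".bat", ".exe"},
    "Text": {".htm", ".html", ".txt", ".xml"},
}

# Constructed stand-in for content analysis: a few well-known leading bytes.
SIGNATURES = [
    (b"PK\x03\x04", "Compressed files"),   # ZIP / JAR local file header
    (b"\x1f\x8b", "Compressed files"),     # gzip
    (b"Rar!", "Compressed files"),         # RAR
    (b"MZ", "Executables"),                # DOS / PE executable
]
HEADER_LEN = max(len(sig) for sig, _ in SIGNATURES)


def type_by_extension(filename):
    """File type assigned by extension alone, or None if unknown."""
    ext = os.path.splitext(filename)[1].lower()
    for file_type, extensions in EXTENSION_TYPES.items():
        if ext in extensions:
            return file_type
    return None


def type_by_analysis(data):
    """File type assigned by content, independent of the file name."""
    for signature, file_type in SIGNATURES:
        if data.startswith(signature):
            return file_type
    return None


def blocked_member(data, blocked):
    """Return (name, type) of the first ZIP member whose content is blocked."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            with archive.open(info) as member:
                # Read only the header bytes, never the whole member.
                file_type = type_by_analysis(member.read(HEADER_LEN))
            if file_type in blocked:
                return info.filename, file_type
    return None


def decide(filename, data, blocked, file_analysis=True):
    """Return (action, reason) for one download in a permitted category.

    file_analysis=False models extension-only enforcement; True models the
    2-part enforcement available with Content Gateway or the hybrid service.
    """
    ext_type = type_by_extension(filename)
    if ext_type in blocked:
        return ("block", "extension: " + ext_type)
    if not file_analysis:
        return ("permit", "extension not blocked")
    true_type = type_by_analysis(data)
    if true_type in blocked:
        return ("block", "analysis: " + true_type)
    if true_type == "Compressed files":
        hit = blocked_member(data, blocked)
        if hit:
            return ("block", "archive content: " + hit[1])
    return ("permit", "no blocked type found")


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buffer.getvalue()


FAKE_EXE = b"MZ" + b"\x00" * 62            # constructed: only the header matters
PLAIN_ZIP = make_zip({"notes.txt": b"meeting notes"})
ZIP_WITH_EXE = make_zip({"notes.txt": FAKE_EXE})

if __name__ == "__main__":
    print(decide("myfile.zip", PLAIN_ZIP, {"Compressed files"}))
    print(decide("myfile.111", PLAIN_ZIP, {"Compressed files"}))
    print(decide("bundle.zip", ZIP_WITH_EXE, {"Executables"}))
```

The myfile.111 case shows the gap in extension-only enforcement: with file_analysis=False the same bytes are permitted.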

When a user tries to access a blocked file type, the Reason field on the Websense block page indicates that the file type was blocked (see Block Pages, page 117).

The standard block page is not displayed if a blocked image comprises just a portion of a permitted page. Instead, the image region appears blank. This avoids the possibility of displaying a small portion of a block page in multiple locations on an otherwise permitted page.

To view existing file extensions in a file type, edit file types, or create custom file types for enforcement by extension, go to Policy Management > Filter Components, and then click File Types. See Working with file type definitions, page 293, for more information.

To enable file type blocking, see Enabling file type blocking in a category filter, page 292.

Enabling file type blocking in a category filter


To prevent users from accessing some file types in otherwise permitted categories:

1. Go to the Policy Management > Filters page and click on a category filter name.

Note that you can also edit category filters from within a policy.

2. Select a category in the Categories list.

3. Mark the Block file types check box under Advanced Filtering on the right-hand side of the page.

A list of file types is displayed.

4. Use the check boxes to select one or more file types to block.

5. If you want to block the selected file types in all categories permitted by this category filter, click Apply to All Categories.

6. Click OK, then Save and Deploy to implement your changes.

Working with file type definitions

Related topics:

Managing traffic based on file type, page 287

Editing a category filter, page 63

Responding to a URL request, page 100

Use the Policy Management > Filter Components > Edit File Types page to create and manage up to 32 file types (groups of file extensions) that can be explicitly blocked in category filters (see Managing traffic based on file type, page 287).

Important

Custom file types and custom additions to predefined types are used in extension-based enforcement, but not Websense Web Security Gateway or Gateway Anywhere true file type analysis. See Enforcement based on file extension, page 288, and Enforcement based on file analysis, page 291, for more information.

Click on a file type to see the file extensions associated with that type.

To add extensions to the selected file type, click Add Extension, and then see Adding file extensions to a file type, page 294, for further instructions.

To create a new file type, click Add File Type, and then see Adding custom file types, page 294, for further instructions.

To delete a custom file type or extension, select an item, and then click Delete.

You cannot delete Websense-defined file types, or delete the file extensions associated with them.

You can, however, add file extensions associated with a Websense-defined file type to a custom file type. The file extension is then filtered and logged according to the settings associated with the custom file type. You cannot add the same extension to multiple custom file types.


When you are finished making changes to file type definitions, click OK. Changes are not implemented until you click Save and Deploy.

Adding custom file types


Use the Filter Components > Edit File Types > Add File Type page to define custom file types.

Important

Custom file types and custom additions to predefined types are used in extension-based enforcement, but not Websense Web Security Gateway or Gateway Anywhere true file type analysis. See Enforcement based on file extension, page 288, and Enforcement based on file analysis, page 291, for more information.

1. Enter a unique File type name.

You can create a custom file type with the same name as a Websense-defined file type in order to add additional file extensions to the existing file type.

2. Enter file extensions, one per line, in the File extensions list. You do not need to include the dot (“.”) before each extension.

3. Click OK to return to the Edit File Types screen. The new file type appears in the File Types list.

4. When you are finished working with file type definitions, click OK on the Edit File Types page. Changes are not implemented until you click Save and Deploy.

Adding file extensions to a file type


Use the Filter Components > Edit File Types > Add File Extensions page to add file extensions to the selected file type.

Important

Custom file types and custom additions to predefined types are used in extension-based enforcement, but not Websense Web Security Gateway or Gateway Anywhere true file type analysis. See Enforcement based on file extension, page 288, and Enforcement based on file analysis, page 291, for more information.

1. Verify that the expected file type name appears next to Selected file type.

2. Enter file extensions, one per line, in the File extensions list. You do not need to include the dot (“.”) before each extension.

3. Click OK to return to the Edit File Types screen. The new file extensions appear in the Custom file extensions list.

4. When you are finished working with file type definitions, click OK on the Edit File Types page. Changes are not implemented until you click Save and Deploy.

Using regular expressions


A regular expression is a template or pattern used to match multiple strings, or groups of characters. You can use regular expressions in limited access filters, or to define custom URLs or keywords. Filtering Service then tries to match the general pattern, rather than a specific, single URL or keyword.

Consider this simple regular expression: domain.(com|org|net)

This expression pattern matches the URLs:

 domain.com

domain.org

domain.net

Use regular expressions with care. They provide a powerful tool, but they need to be constructed well. Poorly constructed regular expressions can result in excessive overhead, over-blocking, or under-blocking. Using regular expressions as policy enforcement criteria may increase CPU usage.

As with keywords, when non-ASCII characters appear in a regular expression, the expression is matched against only the path and query strings in a URL, and not the domain (“www.domain.com/path?query”).

Websense software supports most Perl regular expression syntax, with 2 exceptions. The unsupported syntax is unlikely to be useful for matching strings that could be found in a URL.

Unsupported regular expression syntax includes:

(?{code})

(??{code})

For further help with regular expressions, see:

en.wikipedia.org/wiki/Regular_expression

www.regular-expressions.info/
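The over-blocking and under-blocking risk described above can be checked before a pattern is deployed. The following is an added example, not Websense code: it uses Python's re module as a stand-in for Perl-style matching, assumes an unanchored, case-insensitive search over URLs written as host/path?query, and uses constructed URL lists. TIGHT is a hypothetical tightened pattern, and match_target models the non-ASCII rule stated above.

```python
import re

# Pattern from the page and a hypothetical tightened variant (not from the page).
LOOSE = r"domain.(com|org|net)"
TIGHT = r"^(?:[a-z0-9-]+\.)*domain\.(?:com|org|net)(?:[:/?]|$)"

# Constructed sample URLs, written as host/path?query without a scheme.
SHOULD_MATCH = [
    "domain.com",
    "domain.org/index.html",
    "www.domain.net/path?query",
]
SHOULD_NOT_MATCH = [
    "mydomain.com/",                      # longer host label ending in "domain"
    "domain.com.other.example/login",     # pattern text used as a subdomain
    "domainxcom.example/",                # unescaped dot matches any character
    "example.net/redirect?u=domain.org",  # pattern text inside the query string
    "domain.community/",                  # "com" is only a prefix of the label
]


def match_target(pattern, url):
    """Return the part of the URL a pattern is tested against.

    Models the rule stated on the page: a pattern containing non-ASCII
    characters is compared with the path and query only, never the domain.
    """
    if pattern.isascii():
        return url
    sep = re.search(r"[/?]", url)
    return url[sep.start():] if sep else ""


def matches(pattern, url):
    """Unanchored, case-insensitive search (an assumption about matching)."""
    return re.search(pattern, match_target(pattern, url), re.IGNORECASE) is not None


def audit(pattern, should_match, should_not_match):
    """List URLs the pattern misses (under-blocking) or wrongly hits (over-blocking)."""
    return {
        "under_blocked": [u for u in should_match if not matches(pattern, u)],
        "over_blocked": [u for u in should_not_match if matches(pattern, u)],
    }


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("tight", TIGHT)):
        report = audit(pattern, SHOULD_MATCH, SHOULD_NOT_MATCH)
        print(f"{name}: {pattern}")
        for kind, urls in report.items():
            print(f"  {kind}: {urls}")
    # A pattern with a non-ASCII character is never compared with the domain.
    accented = "caf\u00e9"
    print(matches(accented, accented + ".example/menu"))
    print(matches(accented, "www.example.com/" + accented))
```

Keeping the two URL lists next to each custom expression and re-running the audit after every change shows whether an edit widened or narrowed what the pattern catches.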

Using the Toolbox to verify policy enforcement behavior

The right shortcut pane in the Web Security manager includes a Toolbox that allows you to perform quick checks of your policy setup.

Click a tool name to access the tool. Click the name again to see the list of tools. For more information about using a tool, see:

URL Category, page 297
Check Policy, page 297
Test Filtering, page 298
URL Access, page 298
Investigate User, page 298

You can also click Support Portal to access the Websense Technical Support website in a new browser tab or window. From the Support Portal, you can search the knowledge base to find articles, tips, tutorials, videos, and product documentation.

URL Category

To find out how a site is currently categorized:

1. Click URL Category in the Toolbox.

2. Enter a URL or IP address.

3. Click Go.

The site’s current category is displayed in a popup window. If your organization has recategorized the URL, the new category is shown.

The site’s categorization may depend on which version of the Master Database (including real-time updates) you are using.

Check Policy

Use this tool to determine which policies apply to a specific client. The results are specific to the current day and time.

1. Click Check Policy in the Toolbox.

2. To identify a directory or computer client, enter either:

   A fully qualified user name

   To browse or search the directory to identify the user, click Find User (see Identifying a user to check policy or test filtering, page 299).

   An IP address

3. Click Go.

The name of one or more policies is displayed in a popup window. Multiple policies are displayed only when no policy has been assigned to the user, but policies have been assigned to multiple groups, domains, or organizational units to which the user belongs.

Even if multiple policies are shown, only one policy is enforced for a user at any given time (see Enforcement order, page 97).

Test Filtering

To find out what happens when a specific client requests a particular site:

1. Click Test Filtering in the Toolbox.

2. To identify a directory or computer client, enter either:

   A fully qualified user name

   To browse or search the directory to identify the user, click Find User (see Identifying a user to check policy or test filtering, page 299).

   An IP address

3. Enter the URL or IP address of the site you want to check.

4. Click Go.

The site category, the action applied to the category, and the reason for the action are displayed in a popup window.

URL Access

To see whether users have attempted to access a site in the past 2 weeks, including today:

1. Click URL Access in the Toolbox.

2. Enter all or part of the URL or IP address of the site you want to check.

3. Click Go.

An investigative report shows whether the site has been accessed, and if so, when.

You might use this tool after receiving a security alert to find out if your organization has been exposed to phishing or virus-infected sites.

Investigate User

To review a client’s Internet usage history for the last 2 weeks, excluding today:

1. Click Investigate User in the Toolbox.

2. Enter all or part of a user name (if user identification has been configured) or IP address (for machines on which users are not identified).

   The IP address search shows only results for which no user name has been logged.

3. Click Go.

An investigative report shows the client’s usage history.

Identifying a user to check policy or test filtering

Use the Find User page to identify a user (directory) client for the Check Policy or Test Filtering tool.

The page opens with the User option selected. Expand the Directory Entries folder to browse the directory, or click Search. The search feature is available only if you are using an LDAP-based directory service.

To search the directory to find a user:

1. Enter all or part of the user Name.

2. Expand the Directory Entries tree and browse to identify a search context.

   You must click a folder (DC, OU, or CN) in the tree to specify the context. This populates the field below the tree.

3. Click Search. Entries matching your search term are listed under Search Results.

4. Click a user name to select a user, or click Search Again to enter a new search term or context.

   To return to browsing the directory, click Cancel Search.

5. When the correct fully qualified user name appears in the User field, click Go.

If you are using the Test Filtering tool, make sure that a URL or IP address appears in the URL field before you click Go.

To identify a computer client instead of a user, click IP address.


14

User Identification

To apply policies to users and groups, Websense software must be able to identify the user making a request, given the originating IP address. Various identification methods are available:

An integration device or application identifies and authenticates users, and then passes user information to Websense software. For more information, see the Deployment and Installation Center.

A Websense transparent identification agent works in the background to communicate with a directory service and identify users (see Transparent identification).

Websense software prompts users for their network credentials, requiring them to log on when they open a Web browser (see Manual authentication, page 303).

In Websense Web Security Gateway Anywhere environments, the hybrid service must likewise be able to identify users to apply user- and group-based policies. It does not use information provided by User Service or transparent identification agents. Instead, the following methods are available:

A component called Websense Directory Agent collects the information used to identify users (see Identification of hybrid users, page 328).

Websense Web Endpoint is installed on client machines to provide transparent authentication, enforce use of the hybrid service, and pass authentication details to the hybrid service.

Single sign-on, available beginning with 7.8.4, provides authentication using an identity provider that communicates with your directory service.

For 7.8.4, Ping Federate is the only supported identity provider.

Transparent identification

Related topics:

Manual authentication, page 303
Configuring user identification methods, page 304

In general, transparent identification describes any method that Websense software uses to identify users in your directory service without prompting them for logon information. This includes integrating your Web Security solution with a device or application that provides user information, or using optional Websense transparent identification agents.

Websense DC Agent, page 312, is used with a Windows-based directory service. The agent periodically queries domain controllers for user logon sessions and polls client machines to verify logon status. It runs on a Windows server and can be installed in any domain in the network.

Websense Logon Agent, page 317, identifies users as they log on to Windows domains. The agent runs on a Linux or Windows server, and its associated logon application runs on Windows or Mac clients.

Websense RADIUS Agent, page 319, can be used in conjunction with either Windows- or LDAP-based directory services. The agent works with a RADIUS server and client to identify users logging on from remote locations.

Websense eDirectory Agent, page 321, is used with Novell eDirectory. The agent uses Novell eDirectory authentication to map users to IP addresses.

For instructions on installing each agent, see the Deployment and Installation Center.

Agents can be used alone, or in certain combinations.

Both general user identification settings and specific transparent identification agents are configured in the Web Security manager. Go to the Settings > General > User Identification page. See Configuring user identification methods, page 304, for detailed configuration instructions.

In some instances, transparent identification agents may not be able to provide correct user information to other components. This can occur if more than one user is assigned to the same machine, or if a user is an anonymous user or guest, or for other reasons. In these cases, you can prompt the user to log on via the browser (see Manual authentication, page 303).

Transparent identification of remote users

In certain configurations, Websense software can transparently identify users logging on to your network from remote locations:

If you have deployed the Websense Remote Filtering Server and Remote Filtering Client, Websense software can identify any off-site user logging on to a cached domain using a domain account. For more information, see Manage Off-site Users, page 249.

If you have deployed DC Agent, and remote users directly log on to named Windows domains in your network, DC Agent can identify these users (see DC Agent, page 312).

If you are using a RADIUS server to authenticate users logging on from remote locations, RADIUS Agent can transparently identify these users so you can apply policies based on users or groups (see RADIUS Agent, page 319).

Manual authentication

Related topics:

Transparent identification, page 302
Setting authentication rules for specific machines, page 306
Secure manual authentication, page 308
Configuring user identification methods, page 304

Transparent identification is not always available or desirable in all environments. For organizations that do not use transparent identification, or in situations when transparent identification is not available, you can still filter based on user and group-based policies using manual authentication.

Manual authentication prompts users for a user name and password the first time they access the Internet through a browser. Websense software confirms the password with a supported directory service, and then retrieves policy information for that user.

You can configure Websense software to enable manual authentication any time transparent identification is not available (see Configuring user identification methods, page 304 and Configure user access to the hybrid service, page 224).

You can also create a list of specific machines with custom authentication settings on which users are prompted to log on when they open a browser (see Setting authentication rules for specific machines, page 306).

When manual authentication is enabled, users may receive HTTP errors and be unable to access the Internet if:

They make 3 failed attempts to enter a password. This occurs when the user name or password is invalid.

They click Cancel to bypass the authentication prompt.

When manual authentication is enabled, users who cannot be identified are prevented from browsing the Internet.

Configuring user identification methods

Related topics:

Transparent identification, page 302
Manual authentication, page 303
Working with users and groups, page 76

Use the Settings > General > User Identification page to manage when and how Websense software attempts to identify users in the network in order to apply user- and group-based policies.

Configure Policy Server to communicate with transparent identification agents.

Review and update transparent identification agent settings.

Set a global rule to determine how Websense software responds when users cannot be identified by a transparent identification agent or integration device.

Identify machines in your network to which global user identification rules do not apply, and specify whether and how users of those machines should be authenticated.

If you are using Websense transparent identification agents, the agents are listed under Transparent Identification Agents:

Server shows the IP address or name of the machine hosting the transparent identification agent.

Port lists the port that Websense software uses to communicate with the agent.

Type indicates whether the specified instance is a DC Agent, Logon Agent, RADIUS Agent, or eDirectory Agent. (See Transparent identification, page 302, for an introduction to each type of agent.)

To add an agent to the list, select the agent type from the Add Agent drop-down list. Click one of the following links for configuration instructions:

Configuring DC Agent, page 313
Configuring Logon Agent, page 318
Configuring RADIUS Agent, page 320
Configuring eDirectory Agent, page 322

To remove an agent instance from the list, mark the checkbox next to the agent information in the list, and then click Delete.

If you have one or more DC Agent instances, under DC Agent Domains and Controllers, click View Domain List for information about which domain controllers the agents are currently polling. See Reviewing DC Agent polled domains and domain controllers, page 315, for more information.

Under User Identification Exceptions, list the IP addresses of machines that should use different user identification settings than the rest of your network.

For example, if you use a transparent identification agent or integration product to identify users, and have enabled manual authentication to prompt users for their credentials when they cannot be identified transparently, you can identify specific machines on which:

Users who cannot be identified are never prompted for their credentials. In other words, when transparent identification fails, manual authentication is not attempted, and the computer or network policy, or the Default policy, is applied.

User information is always ignored, even when it is available, and users are always prompted for their credentials.

User information is always ignored, even when it is available, and users are never prompted for their credentials (the computer or network policy, or the Default policy, is always applied).

To create an exception, click Add, and then see Setting authentication rules for specific machines, page 306. To remove an exception, mark the check box next to an IP address or range, then click Delete.

Under Additional Authentication Options, specify the default response of Websense software when users are not identified transparently (by an agent or integration):

Click Apply computer or network policy to ignore user and group-based policies in favor of computer and network-based policies, or the Default policy.

Click Prompt user for logon information to require users to provide logon credentials when they open a browser. User and group-based policies can then be applied (see Manual authentication, page 303).

Specify the Default domain context that Websense software should use any time a user is prompted for logon credentials. This is the domain in which users’ credentials are valid.

If you use the Exceptions list to specify any machines on which users are prompted for logon information, you must provide a default domain context, even if the global rule is to apply a computer or network-based policy.

When you are finished making changes on this page, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Setting authentication rules for specific machines

Related topics:

Configuring user identification methods, page 304
Manual authentication, page 303
Secure manual authentication, page 308

Selective authentication lets you determine whether users requesting Internet access from a specific client machine (identified by IPv4 or IPv6 address) are prompted to provide their logon credentials via the browser. This can be used to:

Establish different authentication rules for a machine in a public kiosk than for employees of the organization supplying the kiosk.

Ensure that users of an exam-room computer in a medical office are always identified before getting Internet access.

Machines with special user identification settings applied are listed on the Settings > General > User Identification page. Click Exceptions to establish specific user identification settings for some machines in your network, or see if special settings have been defined for a specific machine.

To add a machine to the list, click Add, and then see Defining exceptions to user identification settings, page 306, for further instructions.

When you are finished adding machines or network ranges to the list, click OK. Changes are not implemented until you click Save and Deploy.

Defining exceptions to user identification settings

Related topics:

Transparent identification, page 302
Manual authentication, page 303
Configuring user identification methods, page 304

Use the User Identification > Add IP Addresses page to identify machines to which specific user identification rules should be applied.

1. Enter an IP address or network Range in IPv4 or IPv6 format to identify clients to which to apply a specific authentication method, and then click the right-arrow button to add them to the Selected list.

   If the same rules should be applied to multiple machines, add them all to the list.

2. Select an entry in the User identification drop-down list to indicate whether Websense software should attempt to identify users of these machines transparently.

   Select Try to identify user transparently to request user information from a transparent identification agent or integration device.

   Select Ignore user information to avoid using any transparent method to identify users.

3. Indicate whether users should be prompted to provide logon credentials via the browser. This setting applies when user information is not available, either because other identification failed, or because user information was ignored.

   Select Apply computer or network policy to ensure that users are never required to provide logon credentials.

   If “Try to identify user transparently” is also selected, users whose credentials can be verified transparently are filtered by the appropriate user-based policy.

   Select Prompt user for logon information to require users to provide logon credentials, then specify the Default domain context to use (if applicable).

   If “Try to identify user transparently” is also selected, users receive a browser prompt only if they are not identified transparently.

4. Click OK to return to the User Identification page.

5. When you are finished updating the Exceptions list, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Revising exceptions to user identification settings

Related topics:

Transparent identification, page 302
Manual authentication, page 303
Configuring user identification methods, page 304

Use the Settings > User Identification > Edit IP Addresses page to make changes to entries in the Exceptions list. Changes made on this page affect all machines (identified by IP address or range) that appear in the Selected list.

1. Select an entry in the User identification drop-down list to indicate whether Websense software should attempt to identify users of these machines transparently.

   Select Try to identify user transparently to request user information from a transparent identification agent or integration device.

   Select Ignore user information to avoid using any transparent method to identify users.

2. Indicate whether users should be prompted to provide logon credentials via the browser. This setting applies when user information is not available, either because transparent identification failed, or because transparent identification was ignored.

   Select Apply computer or network policy to ensure that users are never prompted to provide logon credentials.

   If “Try to identify user transparently” is also selected, users whose credentials can be verified transparently are filtered by the appropriate user-based policy.

   Select Prompt user for logon information to require users to provide logon credentials, then specify the Default domain context to use (if applicable).

   If “Try to identify user transparently” is also selected, users receive a browser prompt only if they are not identified transparently.

3. Click OK to return to the User Identification page.

4. When you are finished updating the Exceptions list, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Secure manual authentication

Related topics:

Configuring user identification methods, page 304
Manual authentication, page 303
Setting authentication rules for specific machines, page 306
Activating secure manual authentication, page 310

Websense secure manual authentication uses Secure Sockets Layer (SSL) encryption to protect authentication data being transmitted between client machines and Websense software. An SSL server built into Filtering Service provides encryption of user names and passwords transmitted between client machines and Filtering Service.

By default, secure manual authentication is disabled.

Note

Secure manual authentication cannot be used with remote filtering software. The Remote Filtering Server cannot serve block pages to clients if it is associated with a Filtering Service instance that has secure manual authentication enabled.

To enable this functionality, you must perform the following steps:

1. Generate SSL certificates and keys, and place them in a location accessible by Websense software and readable by Filtering Service (see Generating keys and certificates, page 309).

2. Enable secure manual authentication (see Activating secure manual authentication, page 310) and secure communication with the directory service.

3. Import certificates into the browser (see Accepting the certificate within the client browser, page 311).

Generating keys and certificates

Related topics:

Manual authentication, page 303
Setting authentication rules for specific machines, page 306
Secure manual authentication, page 308
Activating secure manual authentication, page 310
Accepting the certificate within the client browser, page 311

A certificate consists of a public key, used to encrypt data, and a private key, used to decipher data. Certificates are issued by a Certificate Authority (CA). You can generate a certificate from an internal certificate server, or obtain a client certificate from any third-party CA, such as VeriSign.

The CA issuing the client certificate must be trusted by Websense software. Typically, this is determined by a browser setting.

For answers to common questions about private keys, CSRs, and certificates, see httpd.apache.org/docs/2.2/ssl/ssl_faq.html#aboutcerts.

To learn more about generating your own private key, CSR, and certificate, see www.akadia.com/services/ssh_test_certificate.html.

There are many tools that you can use to generate a self-signed certificate, including the OpenSSL toolkit (available from openssl.org).

Regardless of the method you choose for generating the certificate, use the following general steps.

1. Generate a private key (server.key).

2. Generate a Certificate Signing Request (CSR) with the private key.

   Important

   When prompted for the CommonName, enter the IP address of the Filtering Service machine. If you skip this step, client browsers will display a security certificate error.

3. Use the CSR to create a self-signed certificate (server.crt).

4. Save the server.crt and server.key files in a location that Websense software can access, and where they can be read by Filtering Service.

Activating secure manual authentication

Related topics:

Manual authentication, page 303
Setting authentication rules for specific machines, page 306
Secure manual authentication, page 308
Generating keys and certificates, page 309
Accepting the certificate within the client browser, page 311

1. Stop Websense Filtering Service (see Stopping and starting Websense services, page 398).

2. Navigate to the Websense installation directory on the Filtering Service machine (by default, C:\Program Files or Program Files (x86)\Websense\bin or /opt/Websense/bin/).

3. Locate eimserver.ini and make a backup copy of the file in another directory.

4. Open the original INI file in a text editor.

5. Find the [WebsenseServer] section, and then add the line:

   SSLManualAuth=on

6. Below the previous line, add the following:

   SSLCertFileLoc=[path]

   Replace [path] with the full path to the SSL certificate, including the certificate file name (for example, C:\secmanauth\server.crt).

7. Also add:

   SSLKeyFileLoc=[path]

   Replace [path] with the full path to the SSL key, including the key file name (for example, C:\secmanauth\server.key).

8. Save and close eimserver.ini.

9. Start Websense Filtering Service.

After starting, Filtering Service listens for requests on the default secure HTTP port (15872).

The preceding steps ensure secure communication between the client machine and Websense software. To also secure communication between Websense software and the directory service, make sure that Use SSL is selected on the Settings > Directory Services page. See Advanced directory settings, page 81, for details.
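Steps 3 through 8 of the procedure above can be scripted so that the backup, the file checks and the three settings are applied together. This is an added example, not Websense tooling: the function names, the backup file naming and the sample INI content are assumptions, and the only settings written are the three given in the procedure.

```python
import os
import shutil
import tempfile

SECTION = "[WebsenseServer]"


def enable_secure_manual_auth(ini_path, cert_path, key_path, backup_dir):
    """Back up eimserver.ini, then set the three SSL lines in [WebsenseServer].

    Returns the path of the backup copy. Run it only while Filtering Service
    is stopped, as the procedure requires.
    """
    # Readability is checked for the account running this script; confirm it
    # separately for the account that Filtering Service runs under.
    for path in (cert_path, key_path):
        if not (os.path.isfile(path) and os.access(path, os.R_OK)):
            raise FileNotFoundError("not a readable file: " + path)
    settings = {
        "SSLManualAuth": "on",
        "SSLCertFileLoc": cert_path,
        "SSLKeyFileLoc": key_path,
    }

    os.makedirs(backup_dir, exist_ok=True)
    backup = os.path.join(backup_dir, os.path.basename(ini_path) + ".bak")
    shutil.copy2(ini_path, backup)

    # latin-1 with newline="" round-trips every byte and keeps line endings.
    with open(ini_path, encoding="latin-1", newline="") as fh:
        lines = fh.read().splitlines(keepends=True)

    starts = [i for i, line in enumerate(lines) if line.strip() == SECTION]
    if len(starts) != 1:
        raise ValueError("expected exactly one " + SECTION + " section")
    start = starts[0]
    end = next((i for i in range(start + 1, len(lines))
                if lines[i].lstrip().startswith("[")), len(lines))

    eol = "\r\n" if lines[start].endswith("\r\n") else "\n"
    header = lines[start].rstrip("\r\n") + eol
    # Drop stale copies of the three keys, then add them below the header.
    kept = [line for line in lines[start + 1:end]
            if line.split("=", 1)[0].strip() not in settings]
    added = [key + "=" + value + eol for key, value in settings.items()]
    lines[start:end] = [header] + added + kept

    with open(ini_path, "w", encoding="latin-1", newline="") as fh:
        fh.writelines(lines)
    return backup


def read_section(ini_path):
    """Return the key/value pairs currently in [WebsenseServer]."""
    values, inside = {}, False
    with open(ini_path, encoding="latin-1") as fh:
        for line in fh:
            text = line.strip()
            if text.startswith("["):
                inside = text == SECTION
            elif inside and "=" in text:
                key, value = text.split("=", 1)
                values[key.strip()] = value.strip()
    return values


def demo():
    """Run the edit against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        ini = os.path.join(tmp, "eimserver.ini")
        cert = os.path.join(tmp, "server.crt")
        key = os.path.join(tmp, "server.key")
        for path in (cert, key):  # empty stand-ins for the real files
            open(path, "w").close()
        # Constructed INI content: ExampleSetting and [OtherSection] are made
        # up, and the old SSLCertFileLoc line stands for a stale entry.
        with open(ini, "w", newline="") as fh:
            fh.write("[WebsenseServer]\r\nSSLCertFileLoc=old.crt\r\n"
                     "ExampleSetting=1\r\n[OtherSection]\r\nKey=value\r\n")
        backup = enable_secure_manual_auth(
            ini, cert, key, os.path.join(tmp, "backup"))
        with open(backup, newline="") as fh:
            before = fh.read()
        with open(ini, newline="") as fh:
            after = fh.read()
        return read_section(ini), before, after, cert, key


if __name__ == "__main__":
    print(demo()[2])
```

Because the function refuses to write when the certificate or key file is missing, a wrong path is caught before Filtering Service is restarted.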


Accepting the certificate within the client browser

Related topics:

Manual authentication, page 303
Setting authentication rules for specific machines, page 306
Secure manual authentication, page 308
Generating keys and certificates, page 309
Activating secure manual authentication, page 310

The first time you try to browse to a website, the browser will display a warning about the security certificate. To avoid seeing this message in the future, install the certificate in the certificate store.

Microsoft Internet Explorer

1. Open the browser and go to a website.

   A warning appears, stating that there is a problem with the site’s security certificate.

2. Click Continue to this website (not recommended).

   If you receive an authentication prompt, click Cancel.

3. Click the Certificate Error box to the right of the address bar (at the top of the browser window), and then click View certificates.

4. On the General tab of the Certificate dialog box, click Install Certificate.

5. Select Automatically select the certificate store based on the type of certificate, and then click Next.

6. Click Finish.

7. When asked whether to install the certificate, click Yes.

Users will no longer receive certificate security warnings related to Filtering Service on this machine.

Mozilla Firefox

1. Open the browser and go to a website.

   A warning message appears.

2. Click Or you can add an exception.

3. Click Add Exception.

4. Make sure that Permanently store this exception is selected, and then click Confirm Security Exception.

Users will no longer receive certificate security warnings related to Filtering Service on this machine.

DC Agent

Related topics:

Transparent identification, page 302
Configuring DC Agent, page 313

Websense DC Agent runs on Windows and detects users in a Windows network running NetBIOS, WINS, or DNS networking services.

DC Agent and User Service gather network user data and send it to Websense Filtering Service. Several variables determine the speed of data transmission, including the size of your network and the amount of existing network traffic.

To enable transparent identification with DC Agent:

1. Install DC Agent. For more information, see the Deployment and Installation Center.

   In order to perform domain discovery (automatic domain and domain controller detection) and computer polling (to verify the logged-on user), DC Agent must run with domain admin or enterprise admin permissions. If you do not plan to use either of these features, DC Agent can run as any network user with read privileges on the domain controller. Note that when domain discovery is disabled, you must maintain the domain and domain controller list for each DC Agent instance manually (see The dc_config.txt file, page 316).

2. Configure DC Agent to communicate with other Web Security components and with domain controllers in your network (see Configuring DC Agent).

3. Use the Web Security manager to assign policies to users, groups, and OUs (see Adding a client, page 84).

Web Security solutions can prompt users for identification if DC Agent is unable to identify users transparently. For more information, see Manual authentication, page 303.

Configuring DC Agent

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Transparent identification

Manual authentication

Configuring user identification methods

DC Agent

Use the User Identification > DC Agent page to configure a new instance of DC

Agent, as well as to configure the global settings that apply to all instances of DC

Agent.

To add a new instance of DC Agent, first provide basic information about where the agent is installed, and how Filtering Service should communicate with it. These settings may be unique to each agent instance.

1. Under Basic Agent Configuration, enter the IPv4 address or hostname of the machine on which the agent is installed.

Note

Hostnames must start with an alphabetical character (a-z), not a numeric or special character.

Hostnames containing certain extended ASCII characters may not resolve properly. If you are using a non-English version of Websense software, enter an IP address instead of a machine name.

2. Enter the Port that DC Agent should use to communicate with other Websense components. The default is 30600.

3. To establish an authenticated connection between Filtering Service and DC Agent, select Enable authentication, and then enter a Password for the connection.

Next, customize global DC Agent communication and troubleshooting, domain controller polling, and computer polling settings. By default, changes that you make here affect all DC Agent instances.

Some of these settings can, however, be overridden in a configuration file (see the Using DC Agent for Transparent User Identification technical paper).

1. Under Domain Discovery, mark or clear Enable automatic domain discovery to determine whether DC Agent automatically finds domains and domain controllers in your network.

2. If domain discovery is enabled, also specify:

How often to Discover domains. Domain discovery occurs at 24-hour intervals, by default.

Whether DC Agent or User Service is responsible for performing domain discovery.

In many environments, it is preferable to use User Service for domain discovery.

If DC Agent is used for domain discovery, the service must run with domain or enterprise admin privileges.

3. When User Service is installed on a Websense appliance or Linux server, the page includes a Linux WINS Server Information section. A WINS server is required to resolve domain names to domain controller IP addresses.

If you have not already provided WINS information on the Settings > Directory Services page, enter:

a. The account name of an Administrative user that can access the directory service.

b. The Password for the account.

c. Domain information for the account.

d. The IP address or hostname of a WINS server in your network.

4. In the Domain Controller Polling section of the DC Agent Communication box, mark Enable domain controller polling to enable DC Agent to query domain controllers for user logon sessions.

To perform domain controller polling, the DC Agent service needs only read privileges on the domain controller. Automatic domain discovery (steps 1 and 2) and computer polling (step 7) require that the service run with elevated permissions.

You can specify which domain controllers each instance of DC Agent polls in a configuration file (see The dc_config.txt file, page 316).

5. Use the Query interval field to specify how often (in seconds) DC Agent queries domain controllers.

Decreasing the query interval may provide greater accuracy in capturing logon sessions, but also increases overall network traffic. Increasing the query interval decreases network traffic, but may also delay or prevent the capture of some logon sessions. The default is 10 seconds.

6. Use the User entry timeout field to specify how frequently (in hours) DC Agent refreshes the user entries in its map. The default is 24 hours.

7. Under Computer Polling, check Enable computer polling to enable DC Agent to query computers for user logon sessions. This may include computers that are outside the domains that the agent already queries.

DC Agent uses WMI (Windows Management Instrumentation) for computer polling. If you enable computer polling, configure the Windows Firewall on client machines to allow communication on port 135.

If DC Agent performs computer polling, the service must run with domain or enterprise admin privileges.

8. Enter a User map verification interval to specify how often DC Agent contacts client machines to verify which users are logged on. The default is 15 minutes.

DC Agent compares the query results with the user name/IP address pairs in the user map it sends to Filtering Service. Decreasing this interval may provide greater user map accuracy, but increases network traffic. Increasing the interval decreases network traffic, but also may decrease accuracy.

9. Enter a User entry timeout period to specify how often DC Agent refreshes entries obtained through computer polling in its user map. The default is 1 hour.

DC Agent removes any user name/IP address entries that are older than this timeout period, and that DC Agent cannot verify as currently logged on.

Increasing this interval may lessen user map accuracy, because the map potentially retains old user names for a longer time.

Note

Do not make the user entry timeout interval shorter than the user map verification interval. This could cause user names to be removed from the user map before they can be verified.

10. Click OK to return to the User Identification page, then click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.

Reviewing DC Agent polled domains and domain controllers

Web Security Help | Web Security Solutions | Version 7.8.x

Use the User Identification > DC Agent Domains and Controllers page to review which domain controllers each DC Agent instance in your network is currently polling.

Important

If the DC Agent Domains and Controllers page displays text explaining that DC Agent is not “polling any domain controllers at this time,” see DC Agent Domains and Controllers page is blank, page 482.

Typically, the page shows the Domains and Domain Controllers detected by each of the DC Agent Instances in your network.

By default, DC Agent performs its domain discovery process (identifying domains and domain controllers) at startup, and at 24-hour intervals thereafter. Domain and controller information is stored in a file called dc_config.txt (see The dc_config.txt file, page 316).

Information displayed on the DC Agent Domains and Controllers page is compiled from each dc_config.txt file in your deployment.


The list includes only domains and controllers that are actively being queried.

If you have disabled queries to a domain controller in the dc_config.txt file, that domain controller is not shown.

Likewise, if you have disabled queries to all domain controllers within a domain, neither the domain nor its controllers are listed.

Information is shown for all of the DC Agent instances in your network.

If the same domain controller is polled by multiple DC Agent instances, each is listed.

To configure different DC Agent instances to poll different domains, update the dc_config.txt file for each instance. See The dc_config.txt file, page 316.

The Web Security manager checks for the latest domain and controller information each time you navigate to the DC Agent Domains and Controllers page. This means that if domain discovery is underway while you are viewing the page, you must navigate away, then return to the page to see updates.

The dc_config.txt file

Web Security Help | Web Security Solutions | Version 7.8.x

DC Agent works by identifying domain controllers in the network, and then querying those domain controllers for user logon sessions. By default, the agent automatically verifies existing domain controllers and detects new domains or domain controllers added to the network.

By default, DC Agent performs domain discovery (identifying domains and domain controllers) at startup, and every 24 hours thereafter.

Either DC Agent or User Service can be used to perform domain discovery.

For information about enabling domain discovery and setting the discovery interval, see Configuring DC Agent, page 313.

DC Agent stores domain and domain controller information in a file called dc_config.txt (located, by default, in the C:\Program Files or Program Files (x86)\Websense\Web Security\bin\ directory on each DC Agent machine).

Edit the dc_config.txt file to change which domain controllers DC Agent polls:

1. Go to the Websense bin directory (by default, C:\Program Files or Program Files (x86)\Websense\Web Security\bin) on the DC Agent machine.

2. Make a backup copy of the dc_config.txt file in another location.

3. Open the original dc_config.txt file in a text editor (like Notepad).

4. Confirm that all of your domains and domain controllers are listed. For example:

[WEST_DOMAIN]
dcWEST1=on
dcWEST2=on

[EAST_DOMAIN]
dcEAST1=on
dcEAST2=on

5. If there are domain controllers in the list that DC Agent should not poll, change the entry value from on to off. For example:

dcEAST2=off

If you configure DC Agent to avoid polling an active domain controller, the agent cannot transparently identify users logging on to that domain controller.

If DC Agent’s automatic domain discovery has detected a domain controller that should not be used to identify users, set the entry to off, rather than removing it. Otherwise, the next discovery process will re-add the controller.

6. If there are domain or domain controller entries missing from the list, you can add them manually. Before adding entries, run the net view /domain command on the DC Agent machine to make sure that the agent can see the new domain.

7. Save your changes and close the file.

8. Restart the Websense DC Agent service.
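The review below is an added example, not part of the Websense documentation. It parses dc_config.txt in the format shown in step 4 and compares an edited file with its backup copy, flagging entries that were deleted instead of set to off, controllers that are no longer polled, and domains with every controller off. The finding labels and the sample file contents are constructed for illustration.

```python
import re

# One token is either a [DOMAIN] header or a controller=state pair.
# Entries may sit on one line or on separate lines.
TOKEN = re.compile(
    r"\[(?P<domain>[^\]]+)\]|(?P<dc>[^\s=\[\]]+)\s*=\s*(?P<state>[^\s\[\]]+)"
)


def parse_dc_config(text):
    """Parse dc_config.txt text into {domain: {controller: polled?}}."""
    domains, current = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in TOKEN.finditer(line):
            if match.group("domain") is not None:
                current = match.group("domain").strip()
                domains.setdefault(current, {})
                continue
            state = match.group("state").lower()
            if current is None:
                raise ValueError(f"line {lineno}: entry before any [DOMAIN] header")
            if state not in ("on", "off"):
                raise ValueError(f"line {lineno}: value must be on or off, got {state!r}")
            domains[current][match.group("dc")] = state == "on"
    return domains


def review_edit(backup_text, edited_text):
    """Compare the backup with the edited file and return sorted findings."""
    before, after = parse_dc_config(backup_text), parse_dc_config(edited_text)
    findings = []
    for domain, controllers in before.items():
        for dc in controllers:
            if dc not in after.get(domain, {}):
                # Deleted entries are re-added by the next domain discovery;
                # the documented way to stop polling is to set them to off.
                findings.append(("removed", domain, dc))
    for domain, controllers in after.items():
        for dc, polled in controllers.items():
            if dc not in before.get(domain, {}):
                # Manually added: confirm with "net view /domain" first.
                findings.append(("added", domain, dc))
            if not polled:
                # Users logging on to this controller are not identified
                # transparently.
                findings.append(("off", domain, dc))
        if controllers and not any(controllers.values()):
            # Neither the domain nor its controllers are listed on the
            # DC Agent Domains and Controllers page.
            findings.append(("domain-not-polled", domain, "*"))
    return sorted(findings)


# Constructed sample data (not taken from a real deployment).
BACKUP = """\
[WEST_DOMAIN]
dcWEST1=on
dcWEST2=on
[EAST_DOMAIN]
dcEAST1=on
dcEAST2=on
"""

EDITED = """\
[WEST_DOMAIN]
dcWEST1=on
[EAST_DOMAIN]
dcEAST1=off
dcEAST2=off
[NORTH_DOMAIN]
dcNORTH1=on
"""

if __name__ == "__main__":
    for kind, domain, dc in review_edit(BACKUP, EDITED):
        print(f"{kind:18} {domain:14} {dc}")
```

Run it against the backup made in step 2 and the edited file before restarting the DC Agent service in step 8.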

Logon Agent

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Transparent identification, page 302

Configuring Logon Agent, page 318

Websense Logon Agent identifies users in real time, as they log on to domains. This eliminates the possibility of missing a user logon due to a query timing issue.

Logon Agent (also called Authentication Server) can reside on a Windows or Linux machine. The agent works with the Websense logon application (LogonApp) on Windows and Mac client machines to identify users as they log on to Windows domains.

In most cases, using either DC Agent or Logon Agent is sufficient, but you can use both agents together. In this case, Logon Agent takes precedence over DC Agent. DC Agent only communicates a logon session to Filtering Service in the unlikely event that Logon Agent has missed one.

Install Logon Agent, and then deploy the logon application to client machines from a central location. For more information, see the Using Logon Agent for Transparent User Identification technical paper.


After installation, configure the agent to communicate with client machines and with the Websense Filtering Service (see Configuring Logon Agent).

Note

If you are using Windows Active Directory (Native Mode) and User Service is installed on a Linux machine, see User Service on a Websense appliance or Linux server, page 486, for additional configuration steps.

Configuring Logon Agent

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Transparent identification, page 302

Manual authentication, page 303

Configuring user identification methods, page 304

Logon Agent, page 317

Use the User Identification > Logon Agent page to configure a new instance of Logon Agent, as well as to configure the global settings that apply to all instances of Logon Agent.

To add a new instance of Logon Agent:

1. Under Basic Agent Configuration, enter the IPv4 address or hostname of the Logon Agent machine.

Note

Machine names must start with an alphabetical character (a-z), not a numeric or special character.

Machine names containing certain extended ASCII characters may not resolve properly. If you are using a non-English version of Websense software, enter an IP address instead of a machine name.

2. Enter the Port that Logon Agent should use to communicate with other Websense components (30602, by default).

3. To establish an authenticated connection between Filtering Service and Logon Agent, mark Enable authentication, and then enter a Password for the connection.

Next, customize global Logon Agent communications settings. By default, changes that you make here affect all Logon Agent instances.


1. Under Logon Application Communication, specify the Connection port that the logon application uses to communicate with Logon Agent (15880, by default).

2. Enter the Maximum number of connections that each Logon Agent instance allows (200, by default).

If your network is large, you may need to increase this number. Increasing the number does increase network traffic.

To configure the default settings that determine user entry validity, first determine whether Logon Agent and the client logon application operate in persistent mode or nonpersistent mode (default). (More information is available in the Using Logon Agent for Transparent User Identification technical paper.)

In persistent mode, the logon application contacts Logon Agent periodically to communicate user logon information.

If you are using persistent mode, specify a Query interval to determine how frequently the logon application communicates logon information.

Note

If you change this value, the change does not take effect until the previous interval period has elapsed. For example, if you change the interval from 15 minutes to 5 minutes, the current 15-minute interval must end before the query starts occurring every 5 minutes.

In nonpersistent mode, the logon application sends user logon information to Logon Agent only once for each logon.

If you are using nonpersistent mode, specify a User entry expiration time period.

When this timeout period is reached, the user entry is removed from the user map.

When you are finished making configuration changes, click OK to return to the Settings > User Identification page, then click OK again to cache your changes.

Changes are not saved until you click Save and Deploy.

RADIUS Agent

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Transparent identification, page 302

Configuring RADIUS Agent, page 320

Websense RADIUS Agent lets you apply user and group-based policies using authentication provided by a RADIUS server. RADIUS Agent enables transparent identification of users who access your network using a dial-up, Virtual Private Network (VPN), Digital Subscriber Line (DSL), or other remote connection (depending on your configuration).

RADIUS Agent works together with the RADIUS server and RADIUS client in your network to process and track Remote Authentication Dial-In User Service (RADIUS) protocol traffic. This enables you to assign particular policies to users or groups that access your network remotely, as well as to local users.

When you install RADIUS Agent, the agent integrates with existing Websense components. However, RADIUS Agent, your RADIUS server, and your RADIUS client must be configured appropriately (see Configuring RADIUS Agent, page 320).

Configuring RADIUS Agent

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Transparent identification, page 302

Manual authentication, page 303

Configuring user identification methods, page 304

RADIUS Agent, page 319

Use the User Identification > RADIUS Agent page to configure a new instance of RADIUS Agent, as well as to configure the global settings that apply to all instances of RADIUS Agent.

To add a new instance of RADIUS Agent:

1. Under Basic Agent Configuration, enter the IPv4 address or hostname of the RADIUS Agent machine.

Note

Machine names must start with an alphabetical character (a-z), not a numeric or special character.

Machine names containing certain extended ASCII characters may not resolve properly. In non-English environments, enter an IP address instead of a name.

2. Enter the Port that RADIUS Agent should use to communicate with other Websense components (30800, by default).

3. To establish an authenticated connection between Filtering Service and RADIUS Agent, mark Enable authentication, and then enter a Password for the connection.


Next, customize global RADIUS Agent settings. By default, changes that you make here affect all RADIUS Agent instances. Settings marked with an asterisk (*), however, can be overridden in an agent’s configuration file to customize the behavior of that agent instance (see the Using RADIUS Agent for Transparent User Identification technical paper).

1. Under RADIUS Server, enter the RADIUS server address or name. If you provide the IP address, use IPv4 address format.

RADIUS Agent forwards authentication requests to the RADIUS server, and must know the identity of this machine.

2. If your network includes a RADIUS client, enter the RADIUS client address or name. If you provide the IP address, use IPv4 address format.

Websense software queries this machine for user logon sessions.

3. Enter the User entry timeout interval, used to determine how often RADIUS Agent refreshes its user map. Typically, the default query value (24 hours) is best.

4. Use the Authentication Ports and Accounting Ports settings to specify which ports RADIUS Agent uses to send and receive authentication and accounting requests. For each type of communication, you can specify which port is used for communication between:

RADIUS Agent and the RADIUS server (authentication default 1645; accounting default 1646)

RADIUS Agent and the RADIUS client (authentication default 12345; accounting default 12346)

5. When you are finished making configuration changes, click OK to return to the Settings > User Identification page, then click OK again to cache your changes.

Changes are not saved until you click Save and Deploy.

For information about configuring your RADIUS client and RADIUS server to communicate with Websense RADIUS Agent, see the Using RADIUS Agent for Transparent User Identification technical paper.

eDirectory Agent

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Transparent identification, page 302

Configuring eDirectory Agent, page 322

Websense eDirectory Agent works together with Novell eDirectory to transparently identify users so Websense software can filter them according to policies assigned to users, groups, domains, or organizational units.

eDirectory Agent gathers user logon session information from Novell eDirectory, which authenticates users logging on to the network. The agent then associates each authenticated user with an IP address, and records user name-to-IP-address pairings to a local user map. eDirectory Agent then communicates this information to Filtering Service.

Note

From a Novell client running Windows, multiple users can log on to a single Novell eDirectory server. This associates one IP address with multiple users. In this scenario, eDirectory Agent’s user map only retains the user name/IP address pairing for the last user logged on from a given IP address.

One instance of Websense eDirectory Agent can support one Novell eDirectory master, plus any number of Novell eDirectory replicas.

Configuring eDirectory Agent

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Transparent identification, page 302

Manual authentication, page 303

Configuring user identification methods, page 304

eDirectory Agent, page 321

Configuring eDirectory Agent to use LDAP, page 324

Use the User Identification > eDirectory Agent page to configure a new instance of eDirectory Agent, as well as to configure the global settings that apply to all instances of eDirectory Agent.

To add a new instance of eDirectory Agent:

1. Under Basic Agent Configuration, enter the IPv4 address or hostname of the eDirectory Agent machine.

Note

Machine names must start with an alphabetical character (a-z), not a numeric or special character.

Machine names containing certain extended ASCII characters may not resolve properly. In non-English environments, enter an IP address instead of a name.

2. Enter the Port that eDirectory Agent should use to communicate with other Websense components (30700, by default).

3. To establish an authenticated connection between Filtering Service and eDirectory Agent, select Enable authentication, and then enter a Password for the connection.

Next, customize global eDirectory Agent communication settings:

1. Under eDirectory Server, specify a Search base (root context) for eDirectory Agent to use as a starting point when searching for user information in the directory.

2. Provide the administrative user account information that eDirectory Agent should use to communicate with the directory:

a. Enter the Administrator distinguished name for a Novell eDirectory administrative user account.

b. Enter the Password used by that account.

c. Specify a User entry timeout interval to indicate how long entries remain in the agent’s user map.

This interval should be approximately 30% longer than a typical user logon session. This helps prevent user entries from being removed from the map before the users are done browsing.

Typically, the default value (24 hours) is recommended.

Note

In some environments, instead of using the User entry timeout interval to determine how frequently eDirectory Agent updates its user map, it may be appropriate to query the eDirectory Server at regular intervals for user logon updates. See Enabling full eDirectory Server queries, page 325.

3. Add the eDirectory Server master, as well as any replicas, to the eDirectory Replicas list. To add an eDirectory Server master or replica to the list, click Add, and then follow the instructions in Adding an eDirectory server replica, page 323.

When you are finished making configuration changes, click OK to return to the Settings > User Identification page, then click OK again to cache your changes.

Changes are not saved until you click Save and Deploy.

Adding an eDirectory server replica

Web Security Help | Web Security Solutions | Version 7.8.x

One instance of the Websense eDirectory Agent can support one Novell eDirectory master, plus any number of Novell eDirectory replicas running on separate machines.

eDirectory Agent must be able to communicate with each machine running a replica of the directory service. This ensures that the agent gets the latest logon information as quickly as possible, and does not wait for eDirectory replication to occur.


Novell eDirectory replicates the attribute that uniquely identifies logged-on users only every 5 minutes. Despite this replication time lag, eDirectory Agent picks up new logon sessions as soon as a user logs on to any eDirectory replica.

To configure eDirectory Agent installation to communicate with eDirectory:

1. Enter the eDirectory master or replica Server IP address.

2. Enter the Port that eDirectory Agent uses to communicate with the eDirectory machine. The valid values are 389 (default) and 636 (SSL port).

3. Click OK to return to the eDirectory Agent page. The new entry appears in the eDirectory Replicas list.

4. Repeat the process for any additional eDirectory server machines.

5. Click OK to return to the Settings > User Identification page, then click OK again to cache your changes.

6. Click Save and Deploy to implement the changes.

7. Stop and start eDirectory Agent so that the agent can begin communicating with the new replica. See Stopping and starting Websense services, page 398, for instructions.

Configuring eDirectory Agent to use LDAP

Web Security Help | Web Security Solutions | Version 7.8.x

Websense eDirectory Agent can use Netware Core Protocol (NCP) or Lightweight Directory Access Protocol (LDAP) to get user logon information from Novell eDirectory. By default, eDirectory Agent on Windows uses NCP. On Linux, eDirectory Agent must use LDAP.

If you are running eDirectory Agent on Windows, but want the agent to use LDAP to query Novell eDirectory, set the agent to use LDAP instead of NCP. Generally, NCP provides a more efficient query mechanism.

To set eDirectory Agent on Windows to use LDAP:

1. Ensure that you have at least one Novell eDirectory replica containing all directory objects to monitor and filter in your network.

2. Stop the Websense eDirectory Agent service (see Stopping and starting Websense services, page 398).

3. Navigate to the eDirectory Agent installation directory (by default, \Program Files or Program Files (x86)\Websense\bin), and then open the wsedir.ini file in a text editor.

4. Modify the QueryMethod entry as follows:

QueryMethod=0

This sets the Agent to use LDAP to query Novell eDirectory. (The default value is 1, for NCP.)

5. Save and close the file.

6. Restart the Websense eDirectory Agent service.

Enabling full eDirectory Server queries

Web Security Help | Web Security Solutions | Version 7.8.x

In small networks, you can configure Websense eDirectory Agent to query the eDirectory Server for all logged-on users at regular intervals. This allows the agent to detect both newly logged-on users and users who have logged off since the last query, and to update its local user map accordingly.

Important

Configuring eDirectory Agent to use full queries is not recommended for larger networks, because the length of time required to return query results depends on the number of logged on users. The more logged-on users there are, the higher the performance impact.

When you enable full queries for eDirectory Agent, the User entry timeout interval is not used, because users who have logged off are identified by the query. By default, the query is performed every 30 seconds.

Enabling this feature increases eDirectory Agent processing time in 2 ways:

Time needed to retrieve the names of logged-on users each time a query is performed

Time required to process user name information, remove obsolete entries from the local user map, and add new entries based on the most recent query

eDirectory Agent examines the entire local user map after each query, rather than identifying only new logons. The time required for this process depends on the number of users returned by each query. The query process can therefore affect both eDirectory Agent and Novell eDirectory Server response times.

To enable full queries:

1. On the eDirectory Agent machine, navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default).

2. Locate the file wsedir.ini and make a backup copy in another directory.

3. Open wsedir.ini in a text editor (like Notepad or vi).

4. Go to the [eDirAgent] section of the file and find the following entry:

QueryMethod=<N>

Make a note of the QueryMethod value, in case you want to revert to the default setting later.

5. Update the QueryMethod value as follows:

If the current value is 0 (communicate with the directory via LDAP), change the value to 2.

If the current value is 1 (communicate with the directory via NCP), change the value to 3.

Note

If changing this query value slows system performance, return the QueryMethod entry to its previous value.

6. If the default query interval (30 seconds) is not appropriate for your environment, edit the PollInterval value appropriately.

Note that the interval time is set in milliseconds.

7. Save and close the file.

8. Restart the Websense eDirectory Agent service (see Stopping and starting Websense services, page 398).
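As an added example (not Websense code), the script below applies steps 4 through 6 to the text of wsedir.ini: it edits only the [eDirAgent] section, returns the previous QueryMethod value so it can be restored later, and converts the polling interval from seconds to milliseconds. The sample file, including its [Other] section, is constructed, and the function names are hypothetical.

```python
import re

# QueryMethod values from the steps above: 0 = LDAP, 1 = NCP,
# 2 = LDAP with full queries, 3 = NCP with full queries.
FULL_QUERY = {"0": "2", "1": "3"}

SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")
KEY = re.compile(r"^(\s*)(QueryMethod|PollInterval)(\s*=\s*)(\S*)(.*)$")


def _rewrite(ini_text, edit):
    """Apply edit(key, value) to matching keys inside [eDirAgent] only.

    Every other line (comments, other sections) is kept byte for byte.
    Returns the new text and the values that were found.
    """
    lines, in_section, seen = ini_text.splitlines(), False, {}
    for i, line in enumerate(lines):
        header = SECTION.match(line)
        if header:
            in_section = header.group(1).strip() == "eDirAgent"
            continue
        match = KEY.match(line) if in_section else None
        if match:
            indent, key, equals, value, rest = match.groups()
            seen[key] = value
            lines[i] = f"{indent}{key}{equals}{edit(key, value)}{rest}"
    return "\n".join(lines) + "\n", seen


def enable_full_queries(ini_text, poll_seconds=None):
    """Switch to full queries; return (new_text, previous QueryMethod)."""
    def edit(key, value):
        if key == "QueryMethod":
            if value not in ("0", "1", "2", "3"):
                raise ValueError(f"unexpected QueryMethod value {value!r}")
            # Already 2 or 3: leave the value as it is.
            return FULL_QUERY.get(value, value)
        # PollInterval is stored in milliseconds.
        return value if poll_seconds is None else str(int(poll_seconds * 1000))

    new_text, seen = _rewrite(ini_text, edit)
    if "QueryMethod" not in seen:
        raise ValueError("no QueryMethod entry in [eDirAgent]")
    if poll_seconds is not None and "PollInterval" not in seen:
        raise ValueError("no PollInterval entry in [eDirAgent]")
    return new_text, seen["QueryMethod"]


def revert_query_method(ini_text, noted_value):
    """Put back the QueryMethod value noted in step 4."""
    new_text, _ = _rewrite(
        ini_text, lambda key, value: noted_value if key == "QueryMethod" else value
    )
    return new_text


# Constructed sample, not a real wsedir.ini. The [Other] section is
# hypothetical and shows that keys outside [eDirAgent] are not touched.
SAMPLE_INI = """\
[Other]
QueryMethod=1
[eDirAgent]
; constructed sample, not a real wsedir.ini
QueryMethod=1
PollInterval=30000
"""

if __name__ == "__main__":
    updated, previous = enable_full_queries(SAMPLE_INI, poll_seconds=60)
    print(f"previous QueryMethod: {previous}")
    print(updated)
```

The same revert_query_method call restores the value if full queries slow the system, as the Note in step 5 advises.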

Configuring an agent to ignore certain user names

Web Security Help | Web Security Solutions | Version 7.8.x

You can configure a transparent identification agent to ignore logon names that are not associated with actual users. This feature is often used to deal with the way that some Windows 200x and XP services contact domain controllers in the network.

For example, user1 logs on to the network, and is identified by the domain controller as computerA/user1. That user is filtered by a Websense policy assigned to user1. If a service starts up on the user’s machine that assumes the identity computerA/ServiceName to contact the domain controller, this can cause policy enforcement problems. Websense software treats computerA/ServiceName as a new user with no policy assigned, and applies the computer policy, or the Default policy.

To address this issue:

1. Stop the agent service (see Stopping and starting Websense services, page 398).

2. Navigate to the \Websense\bin\ directory, and open the ignore.txt file in a text editor.

3. Enter each user name on a separate line. Do not include wildcard characters, such as “*”:

maran01
WindowsServiceName

Websense software ignores these user names, regardless of which machine they are associated with.

To prompt Websense software to ignore a user name within a specific domain, use the format username, domain.

aperez, engineering1

4. When you are finished, save and close the file.

5. Restart the agent service.

The agent ignores the specified user names, and Filtering Service does not consider these names in policy enforcement.
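The following added example (not part of the product) checks an ignore.txt file against the rules in step 3 and previews which observed logon names would be dropped from policy enforcement. It is a simplified model of those rules: case-insensitive matching is an assumption, and the extra file entries and logon sessions are constructed sample data.

```python
WILDCARDS = set("*?")


def parse_ignore_file(text):
    """Return (rules, problems) for the contents of ignore.txt.

    rules    -- set of (username, domain or None), lowercased
    problems -- list of (line number, message) for entries to fix
    """
    rules, problems = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if WILDCARDS & set(line):
            problems.append((lineno, "wildcard characters are not supported"))
            continue
        parts = [part.strip() for part in line.split(",")]
        if len(parts) > 2 or not all(parts):
            problems.append((lineno, "expected 'username' or 'username, domain'"))
            continue
        rule = (parts[0].lower(), parts[1].lower() if len(parts) == 2 else None)
        if rule in rules:
            problems.append((lineno, "duplicate entry"))
        rules.add(rule)
    return rules, problems


def is_ignored(rules, username, scope):
    """True if a name-only rule or a rule for this domain matches."""
    user = username.lower()
    return (user, None) in rules or (user, scope.lower()) in rules


def preview(rules, sessions):
    """Split observed (scope, username) logons into (kept, ignored)."""
    kept, ignored = [], []
    for scope, username in sessions:
        target = ignored if is_ignored(rules, username, scope) else kept
        target.append(f"{scope}/{username}")
    return kept, ignored


# The first three entries are the ones shown in step 3; the last two are
# constructed to show entries the check rejects.
SAMPLE_IGNORE = """\
maran01
WindowsServiceName
aperez, engineering1
svc_*
backup, corp, extra
"""

# Constructed logon sessions: (machine or domain, user name).
SAMPLE_SESSIONS = [
    ("computerA", "user1"),
    ("computerA", "WindowsServiceName"),
    ("engineering1", "aperez"),
    ("sales", "aperez"),
    ("sales", "maran01"),
]

if __name__ == "__main__":
    rules, problems = parse_ignore_file(SAMPLE_IGNORE)
    for lineno, message in problems:
        print(f"ignore.txt line {lineno}: {message}")
    kept, ignored = preview(rules, SAMPLE_SESSIONS)
    print("still identified:", kept)
    print("ignored:", ignored)
```

A name-only entry matches that user name everywhere, so the preview is a quick way to confirm that a real user account is not being excluded by mistake.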


Identification of hybrid users

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Websense Directory Agent, page 336

When users are not identified, page 338

Authentication priority and overrides, page 330

Working with hybrid service clients, page 90

Select Settings > Hybrid Configuration > Hybrid User Identification to configure how users are identified by the hybrid service, and to test and configure users’ connections to the service. You can configure multiple authentication or identification options for your hybrid users if required.

To ensure that the appropriate per-user or per-group policy is applied to hybrid users, whether from a filtered location or when off-site, Websense Web Security Gateway Anywhere provides an option for identifying hybrid users transparently:

Websense Web Endpoint is installed on client machines to provide transparent authentication, enforce use of the hybrid service, and pass authentication details to the hybrid service. See Web Endpoint deployment overview, page 331.

Single sign-on, available beginning with 7.8.4, provides clientless transparent authentication via a gateway hosted on your network. See Integrating a single sign-on identity provider, page 335.

If you do not deploy either Web Endpoint or single sign-on, the hybrid service can identify users transparently or manually when they connect to the hybrid service.

Users can only be identified transparently via NTLM if they are logging on from a known IP address, defined as a filtered location (see Define filtered locations, page 217). Note that NTLM identification is not available for off site users.

The hybrid service can be configured to automatically generate passwords for all users whose information is collected by Directory Agent (see Configure user access to the hybrid service, page 224).

If you do not enable any form of transparent authentication:

Off site users without Web Endpoint or single sign-on (available beginning with 7.8.4) are prompted for an email address and password when they open a browser and connect to the Internet.

Other hybrid users are assigned policies based on their IP address if Web Endpoint, single sign-on, or NTLM identification are not available.

Indicate how the hybrid service should identify users requesting Internet access. These options are also used as a fallback if either the endpoint or single sign-on (available beginning with 7.8.4) fails.


Mark Always authenticate users on first access to enable transparent NTLM identification, secure form authentication, or manual authentication when users first connect to the hybrid service.

If you do not select this option and you have not enabled any other authentication methods for users in filtered locations, those users receive an IP address-based policy, and their identity does not appear in reports.

Internet Explorer and Firefox can be used for transparent user identification. Other browsers will prompt users for logon information.

If Directory Agent is sending data to the hybrid service, using NTLM to identify users is recommended.

Mark Use NTLM to identify users when possible to use directory information gathered by Directory Agent to identify users transparently, if possible.

When this option is selected, the hybrid service uses NTLM to identify the user if the client supports it, and otherwise provides a logon prompt.

Note

When NTLM is used to identify users, do not use self-registration (configured on the User Access page under Registered Domains).

Mark Use secured form authentication to identify users to display a secure logon form to the end user. When the user enters their email address and hybrid service password, the credentials are sent over a secure connection for authentication.

Note

If PingFederate is used as the identity provider, single sign-on cannot fall back to secured form authentication.

If you select this option, define how often users’ credentials are revalidated for security reasons under Session Timeout. The default options are 1, 7, 14, or 30 days. Beginning with 7.8.4, the same session timeout applies to single sign-on, if enabled.

Note

It is possible to extend the Session Timeout options to 3 months, 6 months, and 12 months. To enable this extended feature, contact Support.

If the users have not previously registered to use the service, they can do so by clicking Register on the logon form. To use this option, enable self-registration (configured on the User Access page under Registered Domains). Advise end users not to use the same password for hybrid service access that they use to log on to the network.


If you do not select either the NTLM or the secured form authentication option, but Always authenticate users on first access is selected, users who could not be identified via another means see a logon prompt every time they access the Internet. Basic authentication is used to identify users who receive a logon prompt.

Specify whether or not a Welcome page is displayed when users who have not been identified via NTLM or who are not using secured form authentication open a browser to connect to the Internet. The Welcome page:

• Provides a simple selection of common search engines to get the user started

• Is used mainly by those who connect to the hybrid service from outside a filtered location (while working from home or traveling, for example)

When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Once you have set up the hybrid service and configured user browsers to access the PAC file, you can use the links provided under Verify End User Configuration to make sure that end user machines have Internet access and are correctly configured to connect to the hybrid service.

If your hybrid service account has not been verified (which may mean that no email address has been entered on the Settings > General > Account page), the URLs are not displayed.

Authentication priority and overrides


You can select multiple authentication options for your end users on the Settings > Hybrid Configuration > Hybrid User Identification page. The options are prioritized as follows:

• Web Endpoint is always used if installed on a client machine.

• If Web Endpoint is not installed or fails, single sign-on, available beginning with 7.8.4, is used if both of the following are true:

  a. It has been deployed in your network.

  b. It has been selected on the Hybrid User Identification page for an end user whose requests are managed by the hybrid service.

• If neither Web Endpoint nor single sign-on is available, the end user is authenticated via secure form-based authentication, if both of the following are true:

  a. It has been selected on the Hybrid User Identification page.

  b. The user agent or application requesting authentication supports form-based authentication via an HTML page.

• Applications that do not support form-based authentication use either NTLM identification or basic authentication. Basic authentication is always used if Always authenticate users on first access is selected and none of the other options are either selected or available.


You can also enforce a specific authentication option for certain end users, for example all users in a branch office, by deploying a PAC file URL in the following format:

http://hybrid-web.global.blackspider.com:8082/proxy.pac?a=X

The a= parameter controls the authentication option, and X can be one of the following:

Parameter    Description

a=n          NTLM identification or basic authentication is used, depending on the policy settings and the browser or application capability.

a=f          Authentication is performed using secure form-based authentication.
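The priority order and the a= override described above, modelled as an added Python example (not Websense code) that shows which client classes end up on basic authentication. The Client and Settings field names and the sample fleet are hypothetical; reading Always authenticate users on first access as the gate for NTLM, secure form and basic authentication, and applying the a= override ahead of single sign-on, are assumptions the page does not state.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Values the page documents for the PAC URL a= parameter.
PAC_OVERRIDES = {"n", "f"}


@dataclass(frozen=True)
class Settings:
    """Options marked on the Hybrid User Identification page."""
    always_authenticate: bool = False   # Always authenticate users on first access
    use_ntlm: bool = False              # Use NTLM to identify users when possible
    use_secure_form: bool = False       # Use secured form authentication
    sso_selected: bool = False          # single sign-on selected on the page
    sso_deployed: bool = False          # identity provider deployed in the network


@dataclass(frozen=True)
class Client:
    """One requesting client (hypothetical field names)."""
    endpoint_working: bool = False      # Web Endpoint installed and not failed
    in_filtered_location: bool = True   # request comes from a known IP address
    supports_html_form: bool = True     # user agent can render the logon form
    supports_ntlm: bool = True          # browser or application can do NTLM


def pac_override(pac_url: str) -> Optional[str]:
    """Return 'n', 'f' or None for a PAC URL; reject undocumented a= values."""
    values = parse_qs(urlsplit(pac_url).query, keep_blank_values=True).get("a")
    if values is None:
        return None
    if len(values) != 1 or values[0] not in PAC_OVERRIDES:
        raise ValueError(f"undocumented a= value in PAC URL: {values!r}")
    return values[0]


def _ntlm_or_basic(client: Client, settings: Settings) -> str:
    # NTLM needs the option marked, a capable client and a filtered location;
    # otherwise the user gets a logon prompt, which uses basic authentication.
    if settings.use_ntlm and client.supports_ntlm and client.in_filtered_location:
        return "ntlm"
    return "basic"


def resolve(client: Client, settings: Settings, pac_url: str) -> str:
    """Return the identification method this client ends up with."""
    override = pac_override(pac_url)
    if client.endpoint_working:          # Web Endpoint is always used if present
        return "web-endpoint"
    # Assumption: the a= override pins the method before single sign-on is tried.
    if override == "f":
        return "secure-form"
    if override == "n":
        return _ntlm_or_basic(client, settings)
    if settings.sso_deployed and settings.sso_selected:
        return "single-sign-on"
    if settings.always_authenticate:
        if settings.use_secure_form and client.supports_html_form:
            return "secure-form"
        return _ntlm_or_basic(client, settings)
    # No authentication enabled: filtered locations get an IP address-based
    # policy, off-site users are prompted for email address and password.
    return "ip-based-policy" if client.in_filtered_location else "manual-logon"


def clients_reaching(method: str, fleet: Dict[str, Client],
                     settings: Settings, pac_url: str) -> List[str]:
    """Names of the client classes that resolve to the given method."""
    return sorted(name for name, client in fleet.items()
                  if resolve(client, settings, pac_url) == method)


# Constructed sample fleet, for illustration only.
FLEET = {
    "office-browser": Client(),
    "office-cli-tool": Client(supports_html_form=False),
    "roaming-cli-tool": Client(supports_html_form=False, in_filtered_location=False),
    "roaming-laptop-endpoint": Client(endpoint_working=True, in_filtered_location=False),
}
PAC_URL = "http://hybrid-web.global.blackspider.com:8082/proxy.pac"
ALL_OPTIONS = Settings(always_authenticate=True, use_ntlm=True, use_secure_form=True)

if __name__ == "__main__":
    print("basic auth:", clients_reaching("basic", FLEET, ALL_OPTIONS, PAC_URL))
```

Running `clients_reaching("basic", ...)` over your own client classes shows where credentials are still collected through a basic authentication prompt, which is the case to review first.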

Web Endpoint deployment overview


Related topics:

• Manually deploying Web Endpoint for Windows, page 333

• Manually deploying Web Endpoint for Mac OS X, page 335

Websense Web Endpoint is a piece of software that gets installed on a client machine. It enforces the use of the hybrid service for Web Security, and passes authentication information to the hybrid proxies, enabling secure transparent authentication.

For an up-to-date list of supported operating systems, see the System requirements topic in the Web Endpoints paper.

To deploy Web Endpoint to Windows clients, you can:

• Download the installation files, then use a Microsoft Group Policy Object or similar distribution tool to deploy the files to selected client machines.

• Download or copy the installation files onto a client machine, then manually install the Web Endpoint software.

• Deploy the endpoint to some or all of your hybrid users directly from the hybrid service. Each user is prompted to install the endpoint software on their machine.

  This deployment method is not supported with Google Chrome browsers.

  On Internet Explorer 10, this deployment method is supported only when the browser is in desktop mode.

  If a user does not install the endpoint, he or she is authenticated according to the options you have selected on the User Identification page. Single sign-on, available beginning with 7.8.4, is used if configured; otherwise the hybrid service will use the other identification or authentication options you have selected, or finally basic authentication. The user is again asked to install the endpoint next time they start a browsing session.

See Manually deploying Web Endpoint for Windows, page 333.

To deploy Web Endpoint to Mac OS X clients, you can:

• Download or copy the files onto individual client machines, then launch the installer by double-clicking the package.

• Download or copy the files onto a Mac machine, then use Apple Remote Desktop software to distribute the installation package.

See Manually deploying Web Endpoint for Mac OS X, page 335.

If you also have a Data Security solution and want to deploy both the Web Endpoint and the Data Endpoint to client machines, you must use the Websense Endpoint Package Builder to create a deployment package for both endpoints. See Installing and Deploying Websense Endpoints in the Deployment and Installation Center.

The endpoint has a number of key protections against tampering, which should prevent the majority of end users from uninstalling or deleting the endpoint even if they have local administrator rights.

• Endpoint files and folders are protected from being deleted or renamed.

• The endpoint process will automatically restart if it is stopped or killed.

• A password is required to uninstall the endpoint or stop the endpoint service.

• Endpoint registry settings cannot be modified or deleted.

• The Service Control command to delete the endpoint service is blocked.

You must define an anti-tampering password to be used to stop the endpoint service or uninstall the endpoint before you can download the installation file or enable deployment from the hybrid service. The password is automatically linked to any deployments of the endpoint.

Important

For security reasons, Websense does not retain a copy of your anti-tampering password. If you forget your password, you can reset it on the Hybrid User Identification page by entering and confirming a new password. All installed endpoints will be updated to use the new password next time they connect to the Internet.

To enable Web Endpoint deployment:

1. On the Settings > Hybrid Configuration > Hybrid User Identification page, mark Enable installation and update of Web Endpoint on client machines.

   Selecting this option allows you to configure Web Endpoint deployment and automatic update settings. If you later deselect this option, any installed endpoint clients continue to work until they are uninstalled, though they no longer receive automatic updates.

2. Enter and confirm your anti-tampering password. The password must be between 4 and 25 characters.

3. Select a deployment method:

   • Click Deploy Web Endpoint Manually if you want to install Web Endpoint by hand on individual machines or via your preferred distribution method. (This is the only option available for the Mac version of the Web Endpoint.)

     Note the WSCONTEXT value displayed on screen. If you plan to use GPO to distribute the endpoint, you will use this value in your deployment script to ensure that Web Endpoint users are correctly associated with your organization. See Manually deploying Web Endpoint for Windows, page 333.

     Click View Web Endpoint Files to view the endpoint versions suitable for your client machines. Select a client operating system, then click on a version of the endpoint to download. You can also view a PDF of the release notes for each version by clicking a release notes link. Click Close when done.

   • To deploy the endpoint directly to Windows clients from the hybrid service, mark Deploy Web Endpoint from hybrid service proxies.

     Choose whether the endpoint is deployed to all users that are filtered through the hybrid service, or only to off-site users.

     You can provide a customized message that appears to end users at the beginning of the endpoint download and installation process. The message can be used to reassure the user that the download is company-approved, and to provide any further information they may need. To customize the message, click Advanced Settings, then enter your organization name and the message you want to display. Click View Sample Page to see what will appear to the end user.

     The sample page also contains the default text that is always displayed to the end user at the beginning of the download.

4. Mark Automatically update endpoint installations when a new version is released if you want to ensure that all endpoints on your client machines always have the latest version when it is available from the hybrid service.

5. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Manually deploying Web Endpoint for Windows


Deploy via GPO

To deploy Web Endpoint via Group Policy Object (GPO):

1. Create a shared folder on the domain controller and set its permissions to read-only.

2. Use a text editor to create a batch file (.bat) in the shared folder (for example installwebep.bat).

3. Type the following msiexec command into the batch file, on a single line:

   msiexec /package "\\<path>\Websense Endpoint.msi" /quiet /norestart WSCONTEXT=<value>

   In your file, replace:

   • <path> with the actual path to the Websense Endpoint.msi file

   • <value> with the WSCONTEXT string shown on the Settings > Hybrid Configuration > Hybrid User Identification page

4. Save and close the file.

5. Open the Group Policy Management Console (GPMC) and create a new (or open an existing) GPO for the OU in which your computer accounts reside. To create a new GPO:

   a. In the console tree, right-click Group Policy Objects in the forest and domain in which you want to create a Group Policy object (GPO).

   b. Click New.

   c. In the New GPO dialog box, specify a name for the new GPO, then click OK.

6. Navigate to Computer Configuration > Windows Settings > Scripts, then double-click Startup in the right pane.

7. Click Add.

8. In the Script Name field, type the full network path and file name of the batch file you created in step 2, then click OK and close the GPMC.

9. Run the gpupdate /force command from a command prompt to refresh the group policy.

The application is installed on startup. The client may not be fully functional until a reboot occurs.

Deploy to a single machine

1. Copy the endpoint client installation file to a temporary folder on the client machine, then unzip the file.

2. Open a command prompt, then navigate to the location of the unzipped endpoint client files.

3. Enter the following command:

   msiexec /package "Websense Endpoint.msi" /norestart WSCONTEXT=xxxx

   Replace “xxxx” with the unique configuration code shown on the Settings > Hybrid Configuration > Hybrid User Identification page in the Web Security manager. The code is shown as part of the GPO command string.


Manually deploying Web Endpoint for Mac OS X


1. Download the installation package via the Web Security manager (as described in Web Endpoint deployment overview, page 331), and copy the files to the machine:

   • On which you want to install Web Endpoint

   • From which you want to deploy Web Endpoint to other Mac clients

2. Use either of the following methods to install the client software:

   • Use Apple Remote Desktop to deploy the file to other Mac clients.

   • Double-click the downloaded endpoint package to launch the installer.

   Administrator permissions are required to install the endpoint client software.

Integrating a single sign-on identity provider


Beginning with 7.8.4, single sign-on uses an identity provider to authenticate user identity, attributes, and roles with enterprise directories. All communications between components are secured.

When single sign-on is installed on your network, clients connecting to the hybrid proxy are redirected to an identity provider. The identity provider proxy must be configured if off-site users are to be authenticated. Once single sign-on has authenticated a user against your directory service, they are directed back to the proxy and the appropriate policy is applied. Clients who have authenticated once do not then have to authenticate again for subsequent Web browsing sessions.

For 7.8.4, only PingFederate is supported as a single sign-on identity provider. For information on how to deploy PingFederate, please visit their web site.

To integrate a single sign-on identity provider:

1. On the Settings > Hybrid Configuration > User Access page, download and install the hybrid SSL certificate to ensure seamless authentication to HTTPS sites. If the certificate is not installed for single sign-on users, they receive a certificate error when they browse to an HTTPS site. If they then select the “Continue to this website (not recommended)” link, they must authenticate using NTLM identification or manual authentication, depending on the settings on the Hybrid User Identification page. See Enabling HTTPS notification pages, page 228.

2. Mark Use PingFederate as the identity provider for single sign-on to activate single sign-on for all client machines.

3. Once single sign-on is configured and the SSL certificate is installed on clients, copy the metadata URL from the identity provider’s metadata and enter it in the Metadata URL field on the Hybrid User Identification page.

4. Under Session Timeout, define how often users’ credentials are revalidated for security reasons. The default options are 1, 7, 14, or 30 days.

   Note

   It is possible to extend the Session Timeout options to 3 months, 6 months, and 12 months. To enable this extended feature, contact Support.

5. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Websense Directory Agent


In Websense Web Security Gateway Anywhere environments, an interoperability component called Websense Directory Agent is required if you want to enable user, group, and domain (OU) based policy enforcement through the hybrid service.

Directory Agent must be installed on a machine from which it can communicate with:

• Your supported LDAP-based directory service (Windows Active Directory [Native Mode], Oracle Directory Server, or Novell eDirectory)

  If your organization uses Windows Active Directory in mixed mode, user and group data cannot be collected and sent to the hybrid service.

• Websense Sync Service

Directory Agent can be installed on the same machine as other Websense components, including Sync Service and User Service.

After deployment, use the Web Security manager to configure Directory Agent to collect data from your directory service (see Send user and group data to the hybrid service, page 231). Once configured, Directory Agent collects user and group data from your directory service and sends it to Sync Service in LDIF format.

At scheduled intervals (see Schedule communication with the hybrid service, page 239), Sync Service sends the user and group information collected by Directory Agent to the hybrid service. Sync Service compresses large files before sending them.


Directory Agent and User Service


Related topics:

• Identification of hybrid users, page 328

• Working with users and groups, page 76

• Directory services, page 77

• Send user and group data to the hybrid service, page 231

Although Directory Agent collects directory information independently, it has one important dependency on User Service. At installation, Directory Agent must connect to a Policy Server instance that has a User Service associated with it. Directory Agent can be configured to communicate only with the directory that this User Service instance is configured to use.

In other words, in a distributed deployment, if you have multiple Policy Servers, each with an associated User Service, and the User Service instances connect to different directory servers, you must associate Directory Agent with the Policy Server whose User Service connects to the directory that you want to use for hybrid user identification.

• You can have multiple Directory Agent instances.

• Each Directory Agent instance must be associated with a different Policy Server.

• All Directory Agent instances must connect to a single Sync Service. (A deployment can have only one Sync Service instance.)

• You must configure the Sync Service connection manually for all supplemental Directory Agent instances. (Communication is configured automatically for the Directory Agent instance that connects to the same Policy Server as Sync Service.) To do this:

  1. When you log on to the TRITON console, select the appropriate Policy Server instance for the Directory Agent that you want to configure.

  2. Go to the Settings > Hybrid Configuration > Shared User Data page.

  3. Under Synchronize User Data, verify the Name or IP address of the Sync Service machine and the Port used for Sync Service communication (by default, 55832).

  4. Click Test Connection to verify that Directory Agent can send data to Sync Service. The test may take a minute or more.

     • If the connection is made, a success message is displayed.

     • If the connection cannot be made, verify the IP address or hostname of the Sync Service machine and the communication port. Also verify that the Sync Service machine is on, that Sync Service is running, and that your network firewall permits connections on the Sync Service port.

  5. Click OK to cache your changes, and then click Save and Deploy to implement them.


Directory Agent configuration cannot be performed until there is a supported User Service configuration. Changes to User Service configuration may also require you to update your Directory Agent configuration.

• User Service configuration is performed on the Settings > General > Directory Services page (see Working with users and groups, page 76).

• Directory Agent configuration is performed on the Settings > Hybrid Configuration > Shared User Data page (see Send user and group data to the hybrid service, page 231).

You can configure Directory Agent to use a different root context than User Service, and to process its directory data differently than User Service. Also, with Windows Active Directory, if User Service is configured to communicate with multiple global catalog servers, Directory Agent can communicate with all of them.

Note that if you have multiple Directory Agent instances, each instance must use a unique, non-overlapping root context.

When users are not identified


Related topics:

• Identification of hybrid users, page 328

• Working with hybrid service clients, page 90

If you do not choose to deploy Directory Agent, Web Endpoint, or single sign-on (available with 7.8.4), or disable user identification, only 3 types of policies can be applied to users:

• The policy applied to the external IP address from which the user connects.

  This IP address must be defined as a filtered location.

• Your organization’s Default policy, if the request originates from outside a filtered location, or if no computer or network policy has been applied to the filtered location.

• The hybrid service Default policy, if the user’s connection cannot be associated with your organization.

  This is a rare case that should occur only if there is a configuration problem with your hybrid service account.

User and group policies cannot be applied to self-registered users. Self-registered users are always filtered by the Default policy (see Off-site user self-registration, page 254).


15 Delegated Administration and Reporting


Delegated administration provides an effective way to distribute responsibility for Web Security configuration, policy management, reporting, and compliance auditing to multiple individuals. For example:

• Allow individual managers to set policies and run reports on users in their teams.

• Give local administrators for regional offices or campuses policy management permissions, as well as some access to local configuration options, but limit reporting access to protect end-user privacy.

• Ensure that Human Resources can run Internet activity reports on some or all clients, identified by user name or IP address.

• Grant auditors access to view all configuration and policy management screens in the Web Security manager without the ability to save changes.

The sections that follow detail the main concepts of delegated administration, and then provide specific configuration and implementation instructions.

• The fundamentals of delegated administration, page 340

• Preparing for delegated administration, page 347

• Managing delegated administration roles, page 352

• Updating delegated administration roles, page 361

• Performing delegated administrator tasks, page 363

• Enabling network accounts, page 367


The fundamentals of delegated administration


Related topics:

• Delegated administration roles, page 340

• Delegated administrators, page 341

• Delegated administration and reporting permissions, page 342

• Administrators in multiple roles, page 345

• Multiple administrators accessing the TRITON console, page 346

Before setting up delegated administration for your organization, there are 3 main concepts to understand:

• Roles are containers used to group administrators and clients. There are 3 types of roles. See Delegated administration roles, page 340.

• Administrators are individuals or groups given responsibility for configuring Web Security manager settings, managing policies for clients, running Internet activity reports, or auditing the system. An administrator’s set of responsibilities is determined by the role and permissions that the administrator is assigned. See Delegated administrators, page 341.

• Permissions determine what responsibilities (like creating policies or running reports) an administrator has within a role. The available permissions change based on which type of role an administrator is assigned to. See Delegated administration and reporting permissions, page 342.

Delegated administration roles


A role groups clients—users, groups, domains (OUs), computers, and networks—with one or more administrators.

Clients in a delegated administration role are referred to as managed clients.

Administrators can perform different tasks (like managing policies or running reports) for managed clients in their role, based on their permissions.

The Web Security manager includes one predefined role: Super Administrator.

Although it is not shown, admin, the Global Security Administrator account, is a member of this role. The admin account cannot be deleted, nor can its permissions be changed.

Important

You cannot delete the Super Administrator role or the admin account.


Administrators assigned to the Super Administrator role have the ability to create roles, assign administrators and managed clients to roles, and determine the permissions for administrators in the role. Global Security Administrators can add administrators to the Super Administrator role.

Super Administrators can create 2 types of delegated administration and reporting roles:

• Policy management and reporting: User policies are managed by administrators in the role. Administrators in the role can optionally also run reports.

• Investigative reporting: Administrators can run investigative reports showing Internet activity for only managed clients in the role. Client policies are managed in one or more other roles.

Define as many additional roles as are appropriate for the organization. For example:

• Create a role for each department, with the department manager as administrator and the department members as managed clients.

• In a geographically distributed organization, create a role for each location and assign all the users at the location as managed clients of that role. Then, assign one or more individuals at the location as administrators.

Delegated administrators


Administrators are the individuals who can access the TRITON console. Depending on their permissions, in the Web Security manager they may be able to:

• Log on and view some elements of the Web Security Dashboard, but take no other actions.

• Access all configuration and management features of the Web Security manager, but save no changes.

• Run reports on specific groups of clients, or on all clients.

• Manage policies for specific groups of clients.

• Have full configuration access to all features of the Web Security manager.

The specific permissions available depend on the administrator’s role type (Super Administrator, policy management and reporting, or investigative reporting). See Delegated administration roles, page 340.

Global Security Administrators (like admin) define administrator accounts in TRITON Settings. These accounts may either be network logon accounts (defined in a supported directory service) or local accounts, used only to access TRITON. Once an account has been defined, the Global Security Administrator assigns each one a level of logon access to one or more TRITON modules.

The levels of Web Security access that can be granted to administrators are:

• Access and account management, which grants unconditional Super Administrator permissions (see Delegated administration and reporting permissions, page 342).

• Access, which allows the administrator to log on and view limited portions of the Status > Dashboard and Alerts pages only. Super Administrators can add those administrators to roles to allow them some level of additional policy management access, reporting access, or both.

Any administrator account that has been granted access to the Web Security module appears on the Delegated Administration > View Administrator Accounts page. These accounts are also listed on the Delegated Administration > Edit Role > Add Administrators page.

Only administrators that have already been granted Web Security access via TRITON Settings can be added to roles.

Delegated administration and reporting permissions


The permissions available to an administrator depend on whether the administrator is assigned to the Super Administrator role, a policy management and reporting role, or an investigative reporting role.

Super Administrator permissions

The Super Administrator role can contain 2 types of administrators: unconditional Super Administrators and conditional Super Administrators.

When you create a Global Security Administrator account on the TRITON Settings > Administrators page, or select the Web Security > Grant access and the ability to modify access permissions for other accounts option, the account is automatically added to the Super Administrator role in the Web Security manager with unconditional permissions.

Unconditional Super Administrators can:

• Access all system configuration settings for Websense Web security solutions (managed via the Settings tab).

• Add or remove administrators in the Super Administrator role.

• Create or edit the Filter Lock that blocks certain categories and protocols for all users managed by delegated administration roles. See Creating a Filter Lock, page 348.

• Manage policies for clients in the Super Administrator role, including the Default policy that applies to all clients not assigned another policy in any role.

• Create and run reports on all clients, regardless of which role they are assigned to.

• Access Real-Time Monitor.

• Review component status and stop or start components from the Status > Deployment page.

• Review the audit log, which records administrator access to and actions within the Web Security manager.

• (Web Security Gateway and Gateway Anywhere) Open the Content Gateway manager via a button on the Settings > General > Content Gateway Access page and be logged on automatically, without having to provide credentials.

When an unconditional Super Administrator adds additional administrators to the

Super Administrator role (via the Policy Management > Delegated Administration page in the Web Security manager), the new administrators are granted conditional permissions.

Unlike unconditional Super Administrators, whose permissions cannot be changed, conditional Super Administrators can be granted a combination of policy management, reporting, and access permissions.

• Full policy permissions allow conditional Super Administrators to:

  • Create and edit delegated administration roles, filter components, filters, policies, and exceptions, and to apply policies to clients that are not managed by any other role.

  • Access database download, directory service, user identification, and Network Agent configuration settings. Conditional Super Administrators with reporting permissions can also access configuration settings for the reporting tools.

  • Create and edit delegated administration roles, but not to delete roles or remove the administrators or managed clients assigned to them.

• Exceptions only permissions allow conditional Super Administrators to create and edit exceptions. (Exceptions permit or block URLs for specified users, regardless of which policy normally governs their Internet access.)

  Policies, filters, filter components, the Filter Lock, and all Settings pages are hidden for Super Administrators with exceptions only permissions.

• Reporting permissions allow conditional Super Administrators to:

  • Access Web Security Dashboard charts.

  • Run investigative and presentation reports on all users.

  If an administrator is granted reporting permissions only, the Check Policy tool does not appear in the Toolbox.

• Real-Time Monitor permissions allow Super Administrators to monitor all Internet activity for each Policy Server associated with the Web Security manager.

• Content Gateway direct access permissions allow Super Administrators to be logged on to the Content Gateway manager automatically via a button on the Settings > General > Content Gateway Access page in the Web Security manager.

Only one administrator at a time can log on to a role with full policy or exceptions only permissions. Therefore, if an administrator is logged on to the Super Administrator role to perform policy or configuration tasks, other Super Administrators can log on with only reporting, auditor, or status monitor permissions in the role. Super Administrators also have the option to select a different role to manage.

To switch to another role after logon, go to the Role drop-down list in the Web Security toolbar and select a role.

Policy Management and Reporting permissions

Delegated administrators in policy management and reporting roles can be given any combination of the following permissions:

• Full policy permissions allow delegated administrators to create and manage filter components (including custom categories and recategorized URLs), filters (category, protocol, and limited access), policies, and exceptions (black and white lists) for their managed clients.

  Filters created by delegated administrators are restricted by the Filter Lock, which may designate some categories and protocols as blocked and locked. These categories and protocols cannot be permitted by delegated administrators. (As part of enforcing the Filter Lock, delegated administrators cannot give their managed clients password override permissions.)

  Only one administrator at a time can log on to a role with policy permissions. Therefore, if an administrator is logged on to a role to perform policy tasks, other administrators in the role can log on with auditing (read-only), reporting, or Real-Time Monitor permissions only. Administrators who have been assigned to multiple roles also have the option to select a different role to manage.

  To switch to another role after logon, go to the Role drop-down list in the banner and select a role.

• Exceptions only permissions allow delegated administrators to create and manage exceptions for managed clients in their role. (Exceptions permit or block URLs for specified users, regardless of which policy normally governs their Internet access.)

  Policies, filters, and filter components are hidden for delegated administrators with exceptions only permissions.

• Deployment status permissions allow delegated administrators to review component status on the Status > Deployment page. Delegated administrators with deployment status permissions can also be granted permission to start components, stop components, or both.

• Reporting permissions can be granted in either of 2 general categories: report on all clients, or report on only managed clients in the role.

  Any delegated administrator with reporting permissions can be given access to the Web Security Dashboard, investigative reports, and the Settings pages used to manage Log Server and the Log Database.

  Delegated administrators with the option to report on all clients can also be given access to presentation reports.

• Real-Time Monitor permissions allow administrators to monitor all Internet activity for each Policy Server associated with the Web Security manager.

Investigative reporting permissions

Administrators in investigative reporting roles can create investigative reports for managed clients in their role. (Clients’ policies are managed in other roles.) They can also use the URL Category, URL Access, and Investigate User tools.

These administrators do not have access to presentation reports or Real-Time Monitor, but can optionally be allowed to view charts on the Web Security Dashboard.

Auditors

Any conditional Super Administrator or delegated administrator account can be granted Auditor permissions. An auditor can see most Web Security manager features and functions, but cannot save any changes.

Instead of the OK and Cancel buttons that allow other administrators to cache or discard changes, Auditors are given a single Back button. The Save and Deploy button is disabled.

Administrators in multiple roles

Related topics:

• Delegated administration roles, page 340
• Delegated administrators, page 341
• Delegated administration and reporting permissions, page 342

Depending on the needs of your organization, the same administrator may be assigned to multiple roles. Administrators assigned to multiple roles must choose a single role to manage at logon.

After logon, your permissions are as follows:

• Policy management:

  • Full policy: You can add and edit filters and policies for the role selected during logon, and apply policies to that role’s managed clients.

  • Exceptions only: You can create and manage exceptions for the role selected during logon, and apply exceptions to that role’s managed clients.

• Reporting: you have the combined reporting permissions of all your roles. For example, suppose you are assigned to 3 roles, with reporting permissions as follows:

  • Role 1: no reporting

  • Role 2: investigative reporting only

  • Role 3: report on all clients, full access to all reporting features

  In this situation, regardless of which role you choose during logon, you are permitted to view charts on the Web Security Dashboard, and report on all clients, using all reporting features.

  If you are logged on for reporting only, the Role field in the banner bar indicates whether you have Full Reporting (report on all clients) or Limited Reporting (report on managed clients only) permissions.

Multiple administrators accessing the TRITON console

Administrators in different roles can access the Web Security manager simultaneously to perform whatever activities their role permissions allow. Since they manage different clients, they can create and apply policies without conflict.

The situation is different if administrators with policy permissions in the same role try to connect at the same time. Only one administrator at a time can log on with full policy or exceptions-only permissions in the shared role. If a second administrator tries to log on with full policy or exceptions-only permissions while another administrator is logged on, the second administrator is given a choice:

• Log on with read-only access (similar to temporary auditor permissions).

  When this option is selected, the Role drop-down box shows “Role Name - [Read-Only]” as the current role, and offers the option of switching to “Role Name” (without any modifiers). This makes it possible to access the role with policy permissions when the role is no longer locked.

• Log on for reporting only, if the administrator has reporting permissions.

• Log on to a different role, if the administrator is assigned to any other roles.

• Log on to view only the Status pages until the role becomes available (Limited Status access).

• Try again later, after the first administrator logs off.

Administrators who are not using their policy permissions can do one of the following to unlock the role and allow another administrator to log on to manage policies:

• If generating reports, select Release Policy Permissions from the Role drop-down list.

  When this option is selected, policy management features are hidden from the logged-on administrator, but reporting features remain active.

• If monitoring system performance, select Status Monitor from the Role drop-down list.

  Administrators in Status Monitor mode can access the Status > Dashboard and Alerts pages, as well as Real-Time Monitor (if applicable). Their session does not time out.

  If administrators in Status Monitor mode try to go to a page other than Dashboard, Alerts, or Real-Time Monitor, they are prompted to log on again.
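The logon rules in this topic and in Administrators in multiple roles (one policy session per role, reporting permissions combined across roles) can be modeled as follows. This Python model is an added example, not Websense code: the class and function names, the feature labels, and the sample administrators are constructed, and Role 1 is assumed to carry full policy permissions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    """One administrator's permissions in one role (constructed model)."""
    role: str
    policy: Optional[str] = None        # "full", "exceptions", or None
    report_scope: Optional[str] = None  # "all", "managed", or None
    report_features: frozenset = frozenset()


def combined_reporting(assignments):
    """Reporting is cumulative across roles: features are unioned and the
    broadest scope wins, whichever role is chosen at logon."""
    scope, features = None, set()
    for a in assignments:
        features |= a.report_features
        if a.report_scope == "all" or (a.report_scope == "managed" and scope is None):
            scope = a.report_scope
    return scope, features


def banner_label(scope):
    """Text shown in the Role field for a reporting-only session."""
    return {"all": "Full Reporting", "managed": "Limited Reporting"}.get(scope)


class Console:
    """Tracks which administrator holds the policy permissions of each role."""

    def __init__(self):
        self.policy_holder = {}  # role name -> administrator name

    def logon(self, admin, assignments, role):
        chosen = next(a for a in assignments if a.role == role)
        scope, features = combined_reporting(assignments)
        session = {"policy": None, "reporting": (scope, features), "choices": []}
        if chosen.policy is None:
            return session                    # no policy permissions to lock
        holder = self.policy_holder.get(role)
        if holder in (None, admin):
            self.policy_holder[role] = admin  # single policy session per role
            session["policy"] = chosen.policy
            return session
        # Role is locked by another administrator: offer the listed choices.
        choices = [f"{role} - [Read-Only]"]
        if scope is not None:
            choices.append("reporting only")
        if any(a.role != role for a in assignments):
            choices.append("different role")
        choices += ["Limited Status access", "try again later"]
        session["choices"] = choices
        return session

    def release_policy_permissions(self, admin, role):
        """Release Policy Permissions or Status Monitor unlocks the role."""
        if self.policy_holder.get(role) == admin:
            del self.policy_holder[role]


# Constructed sample: the three-role example from the text, plus a second
# administrator who has policy permissions in Role 1 only.
ALICE = [
    Assignment("Role 1", policy="full"),
    Assignment("Role 2", report_scope="managed",
               report_features=frozenset({"investigative reports"})),
    Assignment("Role 3", report_scope="all",
               report_features=frozenset({"dashboard", "presentation reports",
                                          "investigative reports"})),
]
BOB = [Assignment("Role 1", policy="full")]

if __name__ == "__main__":
    console = Console()
    print(console.logon("alice", ALICE, "Role 1"))
    print(console.logon("bob", BOB, "Role 1")["choices"])
    console.release_policy_permissions("alice", "Role 1")
    print(console.logon("bob", BOB, "Role 1")["policy"])
```

When reviewing role assignments, the combined result is the one to audit: an administrator placed in a narrow policy role still reports on all clients if any other role grants that scope.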

Preparing for delegated administration

Related topics:

• The fundamentals of delegated administration, page 340
• Creating a Filter Lock, page 348
• Preparing delegated administrators, page 351
• Managing delegated administration roles, page 352

Before creating delegated administration roles, there are 2 key planning and setup tasks for the Super Administrator to perform:

• Review and edit the Filter Lock, which blocks specified categories and protocols for managed clients in all delegated administration roles. By default, the Filter Lock blocks and locks several categories, so it is important to check the default settings against the requirements of your organization. (See Creating a Filter Lock, page 348.)

  Filter Lock restrictions are automatically enforced for all filters created in or copied to a delegated administration role, and cannot be modified by the delegated administrator.

  Delegated administrators can apply any action to categories and protocols not blocked and locked in the Filter Lock.

  Changes to the Filter Lock are implemented for all managed clients as soon as the changes are saved. Delegated administrators who are working in the Web Security manager when the changes take effect will not see the changes in their filters until the next time they log on.

  Filter Lock restrictions do not apply to clients managed by the Super Administrator role.

• Determine which Super Administrator policies and filters will be copied to each new role that you plan to create, and make adjustments to existing policies as needed.

  By default, each role is created with a single Default policy, created from the Default category and protocol filter (not the Default policy) currently configured for the Super Administrator role.

  Optionally, you can instead copy all policy objects (policies, filters, custom categories, and custom URLs) from the Super Administrator role to the new role. The delegated administrator then starts with a complete set of policies and policy components.

  • Copies of policies and filters in a delegated administration role are subject to the Filter Lock, and are therefore not identical to the same policies and filters in the Super Administrator role.

  • When the Unrestricted policy is copied, the policy and filter names are changed to reflect the fact that they are subject to the Filter Lock, and no longer permit all requests.

  Copying Super Administrator policy objects to a new role can take a very long time, depending on how much information must be copied.

Once these planning steps are completed, each of the following delegated administration components must be put into place:

1. A Global Security Administrator creates administrator accounts on the TRITON Settings > Administrators page, and grants the accounts the appropriate level of Web Security access.

2. A Super Administrator creates delegated administration roles on the Policy Management > Delegated Administration page, then adds administrators and managed clients to the roles. See Managing delegated administration roles, page 352.

3. The Super Administrator notifies the delegated administrators that they have been granted administrative access to the Web Security manager, and explains their level of permissions. See Preparing delegated administrators, page 351.

Creating a Filter Lock

Related topics:

• Locking categories, page 349
• Locking protocols, page 350

The Policy Management > Filter Lock page lets you specify categories and protocols that are blocked for all managed clients in delegated administration roles.

Any category or protocol that is blocked in the Filter Lock is considered blocked and locked.

• Click the Categories button to block and lock specific categories or category elements (keywords and file types). See Locking categories, page 349.

• Click the Protocols button to block and lock protocols, or to specify protocols that are always logged. See Locking protocols, page 350.

Locking categories

Related topics:

• Creating a Filter Lock, page 348
• Locking protocols, page 350

Use the Policy Management > Filter Lock > Categories page to select the categories to be blocked and locked for all members of delegated administration roles.

You also can block and lock keywords and file types for a category.

1. Select a category in the tree.

   Delegated administration roles do not have access to custom categories created by the Super Administrators. Therefore, custom categories do not appear in this tree.

2. Set the restrictions for this category in the box that appears beside the category tree.

Option | Description
Lock category | Blocks and locks access to sites in this category.
Lock keywords | Blocks and locks access based on keywords defined for this category in each role.
Lock file types | Blocks and locks the selected file types for sites in this category. Be sure to mark the check box for each file type to be blocked and locked. Custom file types created by the Super Administrator are included on this list because they are available to delegated administration roles.
Apply to Subcategories | Applies the same settings to all subcategories of this category.

   You can block and lock selected elements for all categories at once, if appropriate. Select All Categories in the tree, and then select the elements to be blocked for all categories. Then, click Apply to Subcategories.

3. When you are finished making changes, click OK to cache the changes and return to the Filter Lock page. Changes are not implemented until you click Save and Deploy.

Locking protocols

Related topics:

• Creating a Filter Lock, page 348
• Locking categories, page 349

Use the Policy Management > Filter Lock > Protocols page to block and lock access to or lock logging of selected protocols for all clients managed by delegated administration roles.

Note: Protocol logging is associated with protocol usage alerts. You cannot generate usage alerts for a protocol unless it is set for logging in at least one protocol filter. Enabling the Lock protocol logging option through the Filter Lock assures that usage alerts can be generated for the protocol. See Configuring protocol usage alerts, page 406.

1. Select a protocol in the tree.

   Delegated administration roles do have access to custom protocols created by the Super Administrator. Therefore, custom protocols do appear in this tree.

2. Set the restrictions for this protocol in the box that appears beside the protocol tree.

Option | Description
Lock protocol | Blocks and locks access to applications and websites using this protocol.
Lock protocol logging | Logs information about access to this protocol, and prevents delegated administrators from disabling logging.
Apply to Group | Applies the same settings to all protocols in the group.

When you are finished making changes, click OK to cache the changes and return to the Filter Lock page. Changes are not implemented until you click Save and Deploy.
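Because Filter Lock changes apply to all managed clients as soon as they are saved, it helps to know in advance which delegated filter settings a lock will override. The following Python model of the rules in Preparing for delegated administration, Locking categories, and Locking protocols is an added example, not Websense code; the function names, category and protocol names, and filter data are all constructed.

```python
from dataclasses import dataclass, field

SUPER_ADMIN_ROLE = "Super Administrator"  # its clients are exempt from the lock


@dataclass
class FilterLock:
    categories: set = field(default_factory=set)        # blocked and locked
    protocols: set = field(default_factory=set)         # blocked and locked
    logged_protocols: set = field(default_factory=set)  # logging locked on

    def lock_category(self, name, tree, apply_to_subcategories=False):
        """Lock one category; optionally push the lock down the tree."""
        self.categories.add(name)
        if apply_to_subcategories:
            for child in tree.get(name, ()):
                self.lock_category(child, tree, True)


def enforce(role, category_filter, protocol_filter, lock):
    """Return the filters as enforced for `role`, plus every setting the
    Filter Lock overrode. The input filters are not modified."""
    categories = dict(category_filter)
    protocols = {p: dict(s) for p, s in protocol_filter.items()}
    overridden = []
    if role == SUPER_ADMIN_ROLE:
        return categories, protocols, overridden
    for name in sorted(lock.categories):
        if categories.get(name) != "Block":
            overridden.append(("category", name, categories.get(name), "Block"))
        categories[name] = "Block"
    for name in sorted(lock.protocols):
        setting = protocols.setdefault(name, {"action": None, "log": False})
        if setting["action"] != "Block":
            overridden.append(("protocol", name, setting["action"], "Block"))
        setting["action"] = "Block"
    for name in sorted(lock.logged_protocols):
        setting = protocols.setdefault(name, {"action": None, "log": False})
        if not setting["log"]:
            overridden.append(("protocol logging", name, False, True))
        setting["log"] = True
    return categories, protocols, overridden


# Constructed sample data: a category tree, a lock, and one delegated filter.
TREE = {"Category A": ["Category A1", "Category A2"]}
LOCK = FilterLock(protocols={"Protocol X"}, logged_protocols={"Protocol Y"})
LOCK.lock_category("Category A", TREE, apply_to_subcategories=True)

DELEGATED_CATEGORIES = {"Category A": "Block", "Category A1": "Permit",
                        "Category A2": "Permit", "Category B": "Permit"}
DELEGATED_PROTOCOLS = {"Protocol X": {"action": "Permit", "log": True},
                       "Protocol Y": {"action": "Permit", "log": False}}

if __name__ == "__main__":
    cats, protos, changes = enforce("Role 1", DELEGATED_CATEGORIES,
                                    DELEGATED_PROTOCOLS, LOCK)
    for kind, name, requested, enforced in changes:
        print(f"{kind}: {name}: {requested} -> {enforced}")
```

The list of overrides is also what a delegated administrator needs to be told, since the text notes they will not see Filter Lock changes in their filters until their next logon.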

Preparing delegated administrators

Related topics:

• The fundamentals of delegated administration, page 340
• Preparing for delegated administration, page 347
• Performing delegated administrator tasks, page 363

After assigning individuals as administrators in any administrative role, make sure to give them the following information:

• The URL for logging on to the TRITON console. By default: https://<TRITON_location>:9443/triton/

  Substitute the IP address or hostname of the TRITON management server.

• What Policy Server to select after logon, if applicable. In an environment with multiple Policy Server instances, administrators can select the Policy Server to use from the Web Security toolbar. They must select the Policy Server that is configured to communicate with the directory service that authenticates their managed clients.

• Whether to use their network logon account or a local Websense account when logging on to the TRITON console. If administrators log on with local accounts, provide the user name and password.

• Their permissions: to create and apply policies to clients in the role, generate reports, create policies and generate reports, or audit administrator tasks without implementing changes.

  Advise administrators who have both policy and reporting permissions to consider what activities they plan to perform during the session. If they only plan to generate reports, recommend that they go to the Role field in the banner, and choose Release Policy Permissions. This frees the policy permissions for the role, enabling another administrator to access the Web Security manager and manage policy for that role.

• How to find the list of clients managed by their role. Administrators can go to Policy Management > Delegated Administration, and then click their role name to display the Edit Role page, which includes a list of managed clients.

• Limitations imposed by the Filter Lock, if any categories or protocols have been blocked and locked.

• The tasks that are generally performed by administrators. See Performing delegated administrator tasks, page 363.

Be sure to notify delegated administrators when you add or change custom file types and protocols. These components automatically appear in filters and policies for all roles, so it is important for those administrators to know when changes have been made.

Managing delegated administration roles

Related topics:

• The fundamentals of delegated administration, page 340
• Preparing for delegated administration, page 347
• Managing role conflicts, page 360

The Policy Management > Delegated Administration page offers different options, depending on whether it is viewed by a Super Administrator or a delegated administrator.

Super Administrators see a list of all the roles currently defined, and have the following options available.

Option | Description
Add | Click to add a new role. See Adding roles, page 353.
Role | Click a role name to view or configure the role. See Editing roles, page 354.
Delete | Mark the check box next to a role name, then click the button to delete the selected roles. Available to unconditional Super Administrators only. See Delete roles, page 362, for information about how a role’s clients are managed after the role is deleted.
Advanced | Click to access the Manage Role Priority function.
Manage Role Priority | Click to specify which role’s policy settings are used when the same client exists in multiple groups that are managed by different roles. See Managing role conflicts, page 360.
View Administrator Accounts | Click to see the local and network administrator accounts with Web Security manager access, and review their permission level and role assignments. See Reviewing administrator accounts, page 367.

Delegated administrators see only the roles in which they are administrators, and have access to more limited options.

Option | Description
Role | Click to view the clients assigned to the role, and the specific reporting permissions granted. See Editing roles, page 354.

Adding roles

Related topics:

• Preparing for delegated administration, page 347
• Managing delegated administration roles, page 352
• Editing roles, page 354

Use the Delegated Administration > Add Role page to provide a name and description for the new role.

1. Enter a Name for the new role.

   The name must be between 1 and 50 characters long, and cannot include any of the following characters:

   * < > ' { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

   Role names can include spaces and dashes.

2. Enter a Description for the new role.

   The description may be up to 255 characters. The character restrictions that apply to role names also apply to descriptions, with 2 exceptions: descriptions can include periods (.) and commas (,).

3. Specify the Role Type:

   • A Policy management and reporting role allows administrators the ability to create filters and policies and apply them to manage clients. Administrators in these roles may also be given permission to report on managed clients or all clients.

     If you select this role type, also indicate whether or not to Copy all Super Administrator policies, filters, and filter components to the new role. If you select this option, the process of creating the role may take several minutes.

     If you do not copy all Super Administrator policies to the role, a Default policy is created for the role that enforces the Super Administrator Default category and protocol filters.

   • An Investigative reporting role allows administrators to report on their managed clients only, using the investigative reports tool. Managed clients in an investigative reporting role may also be added to a policy management and reporting role.

4. Click OK to display the Edit Role page and define the characteristics of this role. See Editing roles, page 354.

If you created a policy management and reporting role, the new role is added to the Role drop-down list in the Web Security toolbar the next time you log on.

If you created an investigative reporting role, the name does not appear in the role drop-down. This reflects the fact that reporting permissions are cumulative (see Administrators in multiple roles, page 345).

Editing roles

Related topics:

• Managing delegated administration roles, page 352
• Adding roles, page 353
• Managing role conflicts, page 360

Delegated administrators can use the Delegated Administration > Edit Role page to view the list of clients managed by their role, and the specific reporting permissions granted.

Super Administrators can use this page to select the administrators and clients for a role, and to set administrator permissions, as described below. Only unconditional Super Administrators can delete administrators and clients from a role.

1. Change the role Name and Description, as needed.

   The name of the Super Administrator role cannot be changed.

2. Add or remove administrators for this role (Super Administrators only).

Item | Description
User Name | Administrator’s user name.
Account Type | Indicates whether the user is defined in the network directory service (Directory) or unique to the TRITON console (Local).
Reporting | Give the administrator permission to use reporting tools.
Real-Time Monitor | Give the administrator permission to monitor all Internet activity for any Policy Server.
Policy | Give the administrator permission to create filters and policies, and apply policies to the role’s managed clients. In the Super Administrator role, administrators with policy permission can also manage certain Websense configuration settings. See Super Administrator permissions, page 342.
Auditor | Give the administrator permissions to see all of the features and functions available to other administrators in the role, but without the ability to save changes. The check boxes for other permissions are disabled when Auditor permissions are selected.

Add | Open the Add Administrators page. See Adding Administrators, page 357.
Delete | Remove the selected administrators from the role. Available to unconditional Super Administrators only.

   Unconditional Super Administrator accounts can only be removed from the TRITON Settings > Administrators page.

3. Add and delete Managed Clients for the role.

   Changes can be made by Super Administrators only. Delegated administrators can view the clients assigned to their role.

Item | Description
<Name> | Displays the name of each client explicitly assigned to the role. Administrators in the role must add the clients to the Clients page before policies can be applied. See Performing delegated administrator tasks, page 363.
Add | Opens the Add Managed Clients page. See Adding managed clients, page 359.
Delete | Available to unconditional Super Administrators only, this button removes from the role any clients marked in the managed clients list. Some clients cannot be deleted directly from the managed clients list. See Delete managed clients, page 362, for more information.

4. Use the Deployment Status Permissions area to indicate whether administrators in this role can Access the Status > Deployment page to see information about the status of the Web Security components in your deployment.

   If you grant delegated administrators access to the page, also select whether they can Start components or Stop components.

5. Use the Reporting Permissions area to select the features available to administrators in this role who have reporting access.

   a. Choose the general level of reporting permissions:

Option | Description
Report on all clients | Select this option to give administrators permission to generate reports on all network users. Use the remaining options in the Reporting Permissions area to set the specific permissions for administrators in this role.
Report on managed clients only | Select this option to limit administrators to reporting on the managed clients assigned to this role. Then, select the investigative reports features these administrators can access. Administrators limited to reporting on managed clients only cannot access presentation reports or user-based reports on the Web Security Dashboard.

   b. Mark the check box for each reporting feature that appropriate administrators in the role are permitted to use.

Option | Description
Access presentation reports | Enables access to presentation reports features. This option is available only when administrators can report on all clients. See Presentation reports, page 133.
Access the Web Security Dashboard | Enables display of charts showing Internet activity on the Risks, Usage, and System dashboards. See The Web Security Dashboard, page 33. If this option is deselected, administrators can view only the Health Alert and Value Estimates (if displayed) sections of the System dashboard.
Access the Threats dashboard | Allows administrators to access charts, summary tables, and event details related to advanced malware threat activity in your network. See Threats dashboard, page 35.
Access forensics data in the Threats dashboard | With Websense Web Security Gateway or Gateway Anywhere, allows administrators to view files associated with threat activity, and review information about attempts to send the files. See Configuring forensics data storage, page 445.
Access investigative reports | Enables access to basic investigative reports features. When this option is selected, additional investigative reports features can be selected, also. See Investigative reports, page 155.
View user names in investigative reports | Allows administrators in this role to view user names, if they are logged. See Configuring how requests are logged, page 422. Deselect this option to show only system-generated identification codes, instead of names. This option is available only when administrators are granted access to investigative reports.

Save investigative reports as favorites | Allows administrators in this role to create favorite investigative reports. See Favorite investigative reports, page 171. This option is available only when administrators are granted access to investigative reports.
Schedule investigative reports | Allows administrators in this role to schedule investigative reports to run at a future time or on a repeating cycle. See Scheduling investigative reports, page 172. This option is available only when administrators are granted permissions to save investigative reports as favorites.
Manage the Log Database | Allows administrators to access the Settings > Reporting > Log Database page. See Log Database administration settings, page 432.
Access application reports | Allows administrators to see browser, platform, and user agent data on the Reporting > Applications page. See Application reporting, page 178.

6. When you are finished making changes, click OK to cache the changes and return to the Delegated Administration page. Changes are not implemented until you click Save and Deploy.

Adding Administrators

Related topics:

• Delegated administrators, page 341
• Editing roles, page 354

Super Administrators can use the Delegated Administration > Edit Role > Add Administrators page to specify which individuals are administrators for a role.

Note: Administrators can be added to multiple roles. These administrators must choose a role during logon. In this situation, the administrator receives the combined reporting permissions for all roles.

Delegated administrators have significant control over the Internet activities of their managed clients. To ensure that this control is handled responsibly and in accordance with your organization’s acceptable use policies, Super Administrators should use the Audit Log page to monitor changes made by administrators. See Viewing and exporting the audit log, page 396.

1. If you plan to assign network accounts as delegated administrators, make sure you are logged on to the Policy Server whose Settings > General > Directory Service configuration (see Directory services, page 77) matches the TRITON Settings > User Directory configuration.

If you are adding only local accounts as administrators, you can be logged on to any Policy Server.

2. Under Local Accounts, mark the check box for one or more users, and then click the right arrow button to move the highlighted users to the Selected list.

3. Under Network Accounts, mark the check box for one or more users, and then click the right arrow (>) button to move them to the Selected list.

Note

Custom LDAP groups cannot be added as administrators.

4. Set the Permissions for administrators in this role.

Option: Administrator: Policy Management

Description: Let administrators in this role apply policies to their managed clients. This also grants access to certain Websense configuration settings.

Option: Administrator: Reporting

Description: Grant administrators access to reporting tools. Use the Edit Role page to set the specific reporting features permitted.

Option: Administrator: Real-Time Monitor

Description: Allow administrators to monitor Internet traffic in real time. See Real-Time Monitor, page 184.

Option: Auditor

Description: Give the administrator access to view all features available to other administrators in the role, without the ability to save changes.

5. When you are finished making changes, click OK to return to the Edit Role page.

6. Click OK on the Edit Role page to cache your changes. Changes are not implemented until you click Save and Deploy.


Adding managed clients

Related topics:

Managing delegated administration roles, page 352

Editing roles, page 354

Managed clients are the users and computers assigned to a role, whose policies are set by the role’s administrators. Directory clients (users, groups, and domains [OUs]), computers (individual IPv4 or v6 addresses), and networks (IPv4 or v6 address ranges) can all be defined as managed clients.

Super Administrators can use the Delegated Administration > Edit Role > Add Managed Clients page to add as many clients to a role as needed. Each client can be assigned to only one policy management and reporting role.

If you assign a network range as a managed client in one role, you cannot assign individual IP addresses within that range to any other role. Additionally, you cannot specifically assign a user, group, or domain (OU) to 2 different roles. However, you can assign a user to one role, and then assign to a different role a group or domain (OU) of which the user is a member.

Note

If a group is a managed client in one role, and that role’s administrator applies a policy to each member of the group, individual users in that group cannot later be assigned to another role.

When adding managed clients, consider which client types to include.

If you add IP addresses to a role, administrators for that role can report on all activity for the specified machines, regardless of who is logged on.

If you add users to a role, administrators can report on all activity for those users, regardless of the machine where the activity occurred.

Administrators are not automatically included as managed clients in the roles they administer, since that would enable them to set their own policy. To allow administrators to view their own Internet usage, enable self-reporting (see Self-reporting, page 450).

If your organization has deployed multiple Policy Servers, and the Policy Servers communicate with different directories, be sure to select the Policy Server connected to the directory containing the clients you want to add.

Note

Best practices indicate that all directory clients in the same role be defined in the same directory.


1. Select clients for the role:

Under Directory, mark the check box for one or more users.

If your environment uses Active Directory (Native Mode) or another LDAP-based directory service, you can search the directory to find specific user, group, or domain (OU) names. See Searching the directory service, page 85.

Under Computer, enter the IP address to be added to this role in IPv4 or IPv6 format.

Under Network, enter the first and last IP addresses in a range in IPv4 or IPv6 format.

2. Click the right arrow (>) button adjacent to the client type to move the clients to the Selected list.

3. When you are finished making changes, click OK to return to the Edit Role page.

4. Click OK on the Edit Role page to cache your changes. Changes are not implemented until you click Save and Deploy.

Managing role conflicts

Related topics:

Managing delegated administration roles, page 352

Adding managed clients, page 359

Directory services allow the same user to belong to multiple groups. As a result, a single user may exist in groups that are managed by different delegated administration roles. The same situation exists with domains (OUs).

Additionally, it is possible for a user to be managed by one role, and belong to a group or domain (OU) that is managed by a different role. If the administrators for both of these roles are logged on simultaneously, the administrator responsible for the user could apply policy to that user at the same time as the administrator responsible for the group applies policy to the individual members of the group.

Use the Delegated Administration > Manage Role Priority page to tell Websense software what to do if different policies apply to the same user because of an overlap.

When a conflict occurs, Websense software applies the policy from the role that appears highest on this list.

1. Select any role on the list, except Super Administrator.

Note

The Super Administrator role is always first on this list. It cannot be moved.

2. Click Move Up or Move Down to change its position in the list.

3. Repeat steps 1 and 2 until all roles have the desired priority.

4. When you are finished making changes, click OK to cache the changes and return to the Delegated Administration page. Changes are not implemented until you click Save and Deploy.
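The assignment rules in Adding managed clients and the priority rule in Managing role conflicts can be checked against a planned role layout before it is entered in the console. The following Python is an added example, not Websense code: the plan layout, role names, client names, and function names are constructed for illustration, and every role is assumed to be a policy management and reporting role.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan (assumption: not a Websense export format).
# role name -> managed clients; networks are (first, last) address pairs.
PLAN = {
    "Engineering": {
        "directory": {"OU=Eng", "user:alice"},
        "computers": {"10.3.0.9"},
        "networks": [("10.1.0.0", "10.1.0.255")],
    },
    "Helpdesk": {
        "directory": {"group:Helpdesk", "user:alice", "user:carol"},
        "computers": {"10.1.0.42", "10.2.0.7"},
        "networks": [("2001:db8::1", "2001:db8::ff")],
    },
}
# Constructed Manage Role Priority list, highest priority first.
PRIORITY = ["Super Administrator", "Helpdesk", "Engineering"]
# Constructed directory data: user -> groups and domains (OUs) containing them.
MEMBERSHIP = {
    "user:bob": {"OU=Eng", "group:Helpdesk"},
    "user:carol": {"OU=Eng"},
    "user:dave": {"OU=Eng"},
}


def in_range(addr, first, last):
    """True if addr lies in the inclusive range first..last (same IP version)."""
    a, lo, hi = (ipaddress.ip_address(x) for x in (addr, first, last))
    return a.version == lo.version == hi.version and lo <= a <= hi


def assignment_violations(plan):
    """List assignments that break the one-role-per-client rules."""
    problems = []
    for role_a, role_b in combinations(sorted(plan), 2):
        a, b = plan[role_a], plan[role_b]
        # A user, group, or domain (OU) cannot be assigned to 2 roles.
        for client in sorted(a["directory"] & b["directory"]):
            problems.append(("directory-client-in-two-roles", client, role_a, role_b))
        # Each computer can be assigned to only one role.
        for addr in sorted(a["computers"] & b["computers"]):
            problems.append(("computer-in-two-roles", addr, role_a, role_b))
        # An address inside one role's network range cannot go to another role.
        for net_role, ip_role in ((role_a, role_b), (role_b, role_a)):
            for first, last in plan[net_role]["networks"]:
                for addr in sorted(plan[ip_role]["computers"]):
                    if in_range(addr, first, last):
                        problems.append(
                            ("address-inside-other-role-range", addr, ip_role, net_role))
    return problems


def overlapping_roles(user, plan, membership):
    """Roles that manage the user directly or through a group or domain (OU)."""
    reach = {user} | membership.get(user, set())
    return sorted(role for role, c in plan.items() if c["directory"] & reach)


def winning_role(user, plan, membership, priority):
    """Role whose policy applies if every overlapping role set one for the user."""
    roles = overlapping_roles(user, plan, membership)
    if not roles:
        # Clients not assigned to a delegated role are managed by Super Administrators.
        return "Super Administrator"
    return min(roles, key=priority.index)


if __name__ == "__main__":
    for problem in assignment_violations(PLAN):
        print("violation:", problem)
    for user in ("user:bob", "user:carol", "user:dave", "user:erin"):
        print(user, overlapping_roles(user, PLAN, MEMBERSHIP),
              "->", winning_role(user, PLAN, MEMBERSHIP, PRIORITY))
```

Users reached by more than one role are the ones whose effective policy depends on the Manage Role Priority order, so they are the entries worth reviewing in the audit log after each Save and Deploy.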

Updating delegated administration roles

Related topics:

Delete roles, page 362

Delete managed clients, page 362

Policies and managed clients are typically added to a role when the role is created.

Delegated administrators with policy permissions can edit existing policies and create new policies within the role that they manage.

As new members join the organization, a Super Administrator can add them to existing roles (see Editing roles, page 354).

Super Administrators can also move clients (see Moving clients to roles, page 89) and policies (Copying filters and policies to roles, page 266) from the Super Administrator role to an existing delegated administration role at any time.

When a client is moved to a delegated administration role, the policy applied in the Super Administrator role is also copied. During this copy process, the filters are updated to enforce the restrictions of the Filter Lock, if any.

In the target role, the tag “(Copied)” is added to the end of the filter or policy name. Administrators for that role can readily identify the new item and update it appropriately.

Encourage administrators in the role to rename the filters and policies, and to edit them as needed, to clarify their settings and to minimize duplicates. These changes can simplify future maintenance efforts.

After the client is moved to the new role, only an administrator in that role can modify the client’s policy or the filters it enforces. Changes in the original policy or filters in the Super Administrator role do not affect copies of the policy or filters in delegated administration roles.

When policies and filters are copied to a delegated administration role directly, the same constraints are enforced that apply when filters and policies are copied as part of moving a client.

Filter Lock restrictions are implemented during the copy.

Permit All category and protocol filters are renamed, and become editable filters subject to the Filter Lock.

Copied filters and policies are identified in the role by the (Copied) tag in the name.


Consider editing policy descriptions before starting the copy, to assure that they are meaningful to the administrators in the target roles.

Delete roles


On the Delegated Administration page, unconditional Super Administrators can delete any roles that have become obsolete.

Deleting a role also removes all clients that the role’s administrators have added to the Clients page. After the role is deleted, if those clients belong to any networks, groups, or domains managed by other roles, they are governed by the appropriate policy applied in those roles (see Enforcement order, page 97). Otherwise, they are governed by the Super Administrator’s Default policy.

1. On the Delegated Administration page, mark the check box beside each role to be deleted.

Note

You cannot delete the Super Administrator role.

2. Click Delete.

3. Confirm the delete request to remove the selected roles from the Delegated Administration page. Changes are not permanent until you click Save and Deploy.

The deleted role is cleared from the Role drop-down list in the banner the next time you log on to the TRITON console.

Delete managed clients

Clients cannot be deleted directly from the managed clients list (Delegated Administration > Edit Role) if:

the administrator has applied a policy to the client

the administrator has applied a policy to one or more members of a network, group, or domain (OU)

There may also be problems if the Super Administrator is connected to a different Policy Server than the one that communicates with the directory service containing the clients to be deleted. In this situation, the current Policy Server and directory service do not recognize the clients.

An unconditional Super Administrator can assure that the appropriate clients can be deleted, as follows.

1. Open the Policy Server list in the Web Security toolbar and make sure that you are connected to the Policy Server that communicates with the appropriate directory. You must be logged on with unconditional Super Administrator permissions.

2. Open the Role list in the Web Security toolbar, and select the role from which managed clients are to be deleted.

3. Go to Policy Management > Clients to see a list of all the clients to which the delegated administrator has explicitly assigned a policy.

This may include both clients that are specifically identified on the role’s managed clients list, and clients who are members of networks, groups, domains, or organizational units on the managed clients list.

4. Delete the appropriate clients.

5. Click OK to cache the changes.

6. Open the Role list in the banner, and select the Super Administrator role.

7. Go to Policy Management > Delegated Administration > Edit Role.

8. Delete the appropriate clients from the managed clients list, and then click OK to confirm the delete request.

9. Click OK on the Edit Role page to cache the changes. Changes are not implemented until you click Save and Deploy.

Managing Super Administrator clients

Clients who are not specifically assigned to a delegated administration role are managed by Super Administrators. There is no Managed Clients list for the Super Administrator role.

To apply policies to these clients, add them to the Policy Management > Clients page. See Adding a client, page 84. Clients who have not been assigned a specific policy are governed by the Super Administrator Default policy.

There may be times when you cannot add clients to the Clients page. This can occur when the client is a member of a network, group, or domain (OU) that is assigned to another role. If the administrator of the other role has applied a policy to individual members of the network or group, those clients cannot be added to the Super Administrator role.

Performing delegated administrator tasks

Any delegated administrator who uses a Websense account (not their network credentials) to log on to the TRITON console can review their account information and change their password. See View your user account, page 364.

Delegated administrators who have policy permissions can perform the following tasks.

View their role definition.

Navigate to the Policy Management > Delegated Administration page and click the role name. This brings up the Edit Role page, which lists the role’s managed clients and shows the reporting features available to administrators who have reporting permissions in the role.

Add clients to the Clients page, page 365.

Create policies and filters, page 366.

Apply policies to clients on the Clients page (see Assigning a policy to clients, page 97).

Reporting permissions can be granted at a granular level. The specific reporting permissions granted to your role determine which of the following tasks are available to administrators with reporting permissions.

To learn which features you can use, go to the Delegated Administration page and click the role name. The Edit Role page shows the reporting features for which you have permissions. For information about using any of those features, see:

The Web Security Dashboard, page 33

Presentation reports, page 133

Investigative reports, page 155

Application reporting, page 178

Real-Time Monitor, page 184

View your user account

Related topics:

Performing delegated administrator tasks, page 363

Add clients to the Clients page, page 365

Create policies and filters, page 366

If you log on to the TRITON console with network credentials, password changes are handled through your network directory service. Contact your system administrator for assistance.

If you have been assigned a local user name and password, view information about your account and change your password within the TRITON console.

1. Click TRITON Settings in the TRITON toolbar, just under the banner.

The My Account page opens.

2. To change your password, first enter your current password, then enter and confirm a new password.

The password must be between 4 and 255 characters.

Strong passwords are recommended: 8 characters or longer, including at least one uppercase letter, lowercase letter, number, and special character (such as hyphen, underscore, or blank).

Click OK to save and implement the change.

3. To see a list of roles that you can administer, go to the Web Security manager Policy Management > Delegated Administration > View Administrator Accounts page.

If you are assigned to manage only one role, its name appears in the list.

If you are assigned to manage multiple roles, click View next to your user name to see them listed.

4. When you are finished, click Close to return to the Delegated Administration page.

Add clients to the Clients page

Related topics:

Performing delegated administrator tasks, page 363

View your user account, page 364

Create policies and filters, page 366

After Super Administrators assign managed clients to a role, delegated administrators can add them to the Clients page and assign them policies. See Adding a client, page 84, for instructions.

When clients are added to a managed clients list, their Internet requests are immediately subject to a policy in the role.

Clients previously assigned a policy within the Super Administrator role are governed by a copy of that policy in the new role. The Move to Role process automatically copies the applicable policy.

Clients not previously assigned a policy receive the new role’s Default policy.

Initially, this Default policy enforces a Default category and protocol filter copied from the Super Administrator role.

Any client that appears in the Managed Clients list on the Delegated Administration > Edit Role page for your role can be added to the Clients page and assigned a policy.

For groups, domains (OUs), and networks assigned to the role, you can also add:

Individual users who are members of the group or OU

Individual computers that are members of the network

Because a user may be part of multiple groups or OUs, adding individuals from a larger client grouping has the potential to create conflicts when different roles manage groups or OUs with common members. If administrators in different roles access the Web Security manager at the same time, they might add the same client (individual member of a group, for instance) to their Clients page. In that situation, policy enforcement for that client is governed by the priority established for each role. See Managing role conflicts, page 360.

Create policies and filters

Related topics:

Performing delegated administrator tasks, page 363

View your user account, page 364

Add clients to the Clients page, page 365

When your role was created, it automatically inherited the current Default category filter and protocol filter from the Super Administrator role. A role-specific Default policy was created that enforces the inherited Default category and protocol filters. (This role-specific Default policy is automatically applied to any client added to the role until another policy is assigned.)

The Super Administrator may have copied other policies and filters to your role, as well.

In addition to policies and filters, you also inherit any custom file types and protocols created by the Super Administrator.

You can edit inherited policies and filters. Changes you make affect your role only.

Any changes the Super Administrator later makes to the original policies and filters do not affect your role.

Note

Changes the Super Administrator makes to file types and protocols automatically affect the filters and policies in your role.

When a Super Administrator informs you of changes to these components, review your filters and policies to be sure they are handled appropriately.

You can also create as many new filters and policies as you need. Filters and policies created by a delegated administrator are available only to administrators logged on to your role. For instructions on creating policies, see Working with policies, page 93. For instructions on creating filters, see Working with filters, page 61.


You can edit filter components for your role, with some limitations.

Categories: Add or edit custom categories; assign custom URLs and keywords to custom or Master Database categories; change the action applied by default in category filters. (Changes to a category’s default action are implemented only if the category is not locked by the Filter Lock.)

Protocols: Change the action applied by default in protocol filters in your role. (Changes to a protocol’s default action are implemented only if the protocol is not locked by the Filter Lock.) Delegated administrators cannot add or delete protocol definitions.

File types: View the file extensions assigned to each file type. Delegated administrators cannot add file types or change the extensions assigned to a file type.

For more information, see Building filter components, page 267.

If a Super Administrator has implemented Filter Lock restrictions, there may be categories or protocols that are automatically blocked, and cannot be changed in the filters you create and edit.

Reviewing administrator accounts


Use the Delegated Administration > View Administrator Accounts page to:

See a list of local and network accounts that have been given Web Security access by a Global Security administrator.

Check the level of permissions assigned to each account.

See a list of roles associated with each account.

If an account has been added to a single role as an administrator, that role is listed to the right of the account name. If the account can be used to manage multiple roles, click View to see the roles listed.

Delegated administrators see account information for only their own account, and not for all accounts.

When you are finished reviewing administrator accounts, click Close to return to the Delegated Administration page.

Enabling network accounts

Global Security Administrators can use the TRITON Settings > User Directory page to enter the directory service information needed to allow administrators to log on to the TRITON console with their network credentials.

This task is done in addition to the configuration done by Web Security Super Administrators to define the directory service used to identify user and group clients.

Note

Client directory service information is configured on the Settings > Directory Services page (see Directory services, page 77).

TRITON administrators’ network credentials must be authenticated against a single directory service. If your network includes multiple directories, a trusted relationship must exist between the directory specified in TRITON Settings and the others.

If it is not possible to define a single directory service for use with the TRITON Unified Security Center, consider creating local accounts for administrators.

Specific instructions for defining the directory used to authenticate administrator logons can be found in the TRITON Settings Help.

16 Web Security Server Administration

Related topics:

Websense Web Security components, page 370

Understanding Policy Broker, page 380

Working with Policy Server, page 382

Working with Filtering Service, page 388

Integrating with a third-party SIEM solution, page 394

Working with Content Gateway, page 395

Viewing and exporting the audit log, page 396

Stopping and starting Websense services, page 398

Alerting, page 401

Backing up and restoring your Websense data, page 410

Internet policy enforcement requires interaction between several Websense Web Security components:

User requests for Internet access are received by Network Agent, Content Gateway, or an integrated third-party product or device (integration).

The requests are sent to Filtering Service for processing.

Filtering Service communicates with Policy Server and Policy Broker to respond appropriately to requests.

The central Policy Broker gives other components access to client, filter, policy, and general configuration information. (It is possible to deploy additional, replica Policy Broker instances with read-only copies of this information, but only the central, or primary, instance is used to make updates to policy or configuration data.)

The TRITON console is associated with the central Policy Broker, and can be used to configure any Policy Server in the deployment.


Websense Web Security components

Related topics:

Understanding Policy Broker, page 380

Working with Policy Server, page 382

Working with Filtering Service, page 388

Policy Server, Filtering Service, and State Server, page 391

Stopping and starting Websense services, page 398

Reviewing current system status, page 409

Websense Web Security solutions are made up of several components that work together to provide Internet security, user identification, and reporting capabilities.

This section provides an overview of each component to help you understand and manage your environment.

For a list of components with a description of each, see:

Policy enforcement and management components, page 371

Reporting components, page 374

User identification components, page 375

Interoperability components, page 376

When Websense software is integrated with Citrix, Microsoft Forefront TMG, or a proxy or proxy-cache that uses ICAP, an additional integration component (integration service, plugin, or ICAP server) is also installed.


Policy enforcement and management components

Component: Policy Database

Description: Stores Websense software settings and policy information.

Installed automatically with Policy Broker.

Component: Policy Broker

Description: Manages requests from Websense components for policy and general configuration information.

Component: Policy Server

Description: Identifies and tracks the location and status of other Websense components.

Stores configuration information specific to a single Policy Server instance.

Configure Policy Server settings in the Web Security manager (see Working with Policy Server, page 382).

Policy and most configuration settings are shared between Policy Servers that share a Policy Database (see Working in a multiple Policy Server environment, page 385).

Component: Filtering Service

Description: Provides Internet policy enforcement in conjunction with Network Agent, Content Gateway, or a third-party integration product. When a user requests a site, Filtering Service receives the request and determines which policy applies.

Filtering Service must be running for Internet requests to be managed and logged.

Each Filtering Service instance downloads its own copy of the Websense Master Database.

Configure Filtering Service behavior in the Web Security manager (see Internet Usage Filters, page 49, and Configuring filtering settings, page 69).

Component: Network Agent

Description: Enhances policy enforcement and logging functions

Enables protocol management

Enables policy enforcement in a standalone environment

For more information, see Network Configuration, page 451.

Component: Master Database

Description: Includes millions of websites, sorted into more than 90 categories and subcategories

Contains more than 100 protocol definitions for use in managing non-HTTP protocols

Download the Websense Master Database to activate Internet policy enforcement, and make sure that the database is kept up to date. If the Master Database is more than 2 weeks old, no policy enforcement can occur. See The Websense Master Database, page 27, for more information.

Component: TRITON Infrastructure

Description: The platform that supports and unites the Web Security, Data Security, and Email Security modules of the TRITON console.

Maintains an internal database of global settings that apply to all TRITON modules.

Component: Web Security manager (part of the TRITON console)

Description: Serves as the configuration, management, and reporting interface for your web security software.

Use the Web Security manager to define and customize Internet access policies, configure components, report on Internet activity, and more.

The Web Security manager is made up of the following services:

Websense - TRITON Web Security

Websense Web Reporting Tools

Websense Explorer Report Scheduler

Websense Information Service for Explorer

Websense Reporter Scheduler

See Working in the TRITON console, page 18, for more information.

Component: Usage Monitor

Description: Enables alerting based on Internet usage.

Provides Internet usage information to Real-Time Monitor.

Usage Monitor tracks URL category access (shown in Real-Time Monitor) and protocol access, and generates alert messages according to the alerting behavior you have configured. See Alerting, page 401, and Real-Time Monitor, page 184, for more information.

Component: Content Gateway

Description: Provides a robust proxy and cache platform.

Can analyze the content of websites and files in real time to categorize previously uncategorized sites.

Enables protocol management.

Analyzes HTML code to find security threats (for example, phishing, URL redirection, Web exploits, and proxy avoidance).

Inspects file content to assign a threat category (for example, viruses, Trojan horses, or worms).

Strips active content from certain web pages.

See Content Gateway Analysis, page 189.

Component: Remote Filtering Client

Description: Resides on client machines outside the network firewall.

Identifies the machines as clients to be filtered, and communicates with Remote Filtering Server.

See Manage Off-site Users, page 249, for more information.

Component: Remote Filtering Server

Description: Allows policy enforcement for clients outside a network firewall.

Communicates with Filtering Service to provide Internet access management of remote machines.

See Manage Off-site Users, page 249, for more information.

Component: State Server

Description: In multiple Filtering Service environments, tracks client quota, confirm, password override, and account override sessions to ensure that access time is allocated correctly.

To enable this functionality, deploy one State Server per Policy Server.

For information about other components, see:

Reporting components, page 374

User identification components, page 375

Interoperability components, page 376

Reporting components

Component: Log Server

Description: Logs Internet request data, including:

The request source

The category or protocol associated with the request

Whether the request was permitted or blocked

Whether keyword blocking, file type blocking, quota allocations, bandwidth levels, or password protection were applied

Beginning with 7.8.4, supports IPv6 addresses.

With Network Agent and some integration products, Log Server also stores information about the amount of bandwidth used.

Log Server is a Windows-only component that must be installed to enable most Web Security reporting features.

After installing Log Server, configure Filtering Service to pass logging data to the correct location (see Configuring how requests are logged, page 422).

Component: Log Database

Description: Stores Internet request data collected by Log Server for use by Websense reporting tools.

Component: Real-Time Monitor

Description: Displays current Internet activity, including:

Request source (user name or IP address)

URL (full or domain only)

Category (Master Database, custom URL, or dynamic, based on Content Gateway scanning)

Whether the request was permitted or blocked

Time of the request

Real-Time Monitor is made up of 3 services:

Websense RTM Client

Websense RTM Server

Websense RTM Database

See Real-Time Monitor, page 184.

Component: Multiplexer

Description: When enabled, passes logging data from Filtering Service to:

A specified SIEM solution

Log Server

Used only when Websense software is integrated with a supported SIEM product. To enable SIEM integration, install one Multiplexer instance per Policy Server.

For information about other components, see:

Policy enforcement and management components, page 371

User identification components, page 375

Interoperability components, page 376


User identification components

Web Security Help | Web Security Solutions | Version 7.8.x

Component: User Service

Description:

Communicates with your directory service.

Conveys user-to-group and user-to-domain relationships to Filtering Service, for use in applying policies.

Enables display of directory client information in the Web Security manager.

For information about configuring directory service access, see Directory services, page 77.

Component: DC Agent

Description:

Offers transparent identification of users defined in a Windows-based directory service.

Communicates with User Service to provide up-to-date user logon session information for use in policy enforcement.

For more information, see DC Agent, page 312.

Component: Logon Agent

Description:

Provides unsurpassed accuracy in transparent user identification in Linux and Windows networks.

Does not rely on a directory service or other intermediary when capturing user logon sessions.

Detects user logon sessions as they occur.

Logon Agent communicates with the logon application on client machines to ensure that individual user logon sessions are captured and processed.

For more information, see Logon Agent, page 317.

Component: eDirectory Agent

Description:

Works with Novell eDirectory to transparently identify users.

Gathers user logon session information from Novell eDirectory, which authenticates users logging on to the network.

Associates each authenticated user with an IP address, and then works with User Service to supply the information to Filtering Service.

For more information, see eDirectory Agent, page 321.

Component: RADIUS Agent

Description:

Enables transparent identification of users who use a dial-up, Virtual Private Network (VPN), Digital Subscriber Line (DSL), or other remote connection to access the network.

For more information, see RADIUS Agent, page 319.

For information about other components, see:

Policy enforcement and management components, page 371

Reporting components, page 374

Interoperability components, page 376


Interoperability components

Web Security Help | Web Security Solutions | Version 7.8.x

Component: Directory Agent

Description:

In Websense Web Security Gateway Anywhere deployments, collects user and group information from a supported directory service for use by the hybrid service.

Component: Filtering Plug-In

Description:

When Websense software is integrated with certain firewall, proxy, cache, or similar products, a plug-in may be installed to enable communication between Filtering Service and the integration.

Component: Linking Service

Description:

In Websense Web Security Gateway Anywhere deployments, or in environments that combine Websense web and data security components, gives data security software access to Master Database categorization information and user and group information collected by User Service.

Component: Sync Service

Description:

In Websense Web Security Gateway Anywhere deployments:

Sends policy updates and user and group information to the hybrid service.

Receives reporting data from the hybrid service.

For information about other components, see:

Policy enforcement and management components, page 371

Reporting components, page 374

User identification components, page 375

Reviewing your Web Security deployment

Web Security Help | Web Security Solutions | Version 7.8.x

Use the Status > Deployment page to review status information for each Policy Server in your deployment, and for the components that connect to each Policy Server.

Also investigate User Service directory connection and lookup speeds.

The Deployment page includes up to 3 tabs:

Policy Server Map gives a quick graphical and tabular overview of the Policy Server instances in your network. Click a Policy Server icon or IP address to see the status of components associated with the selected Policy Server. See Using the Policy Server map, page 377.

If your deployment only has one Policy Server, this tab is not displayed.

Component List provides a table listing the Web Security components in your network, and allows administrators with appropriate permissions to stop or start components. See Using the component list, page 378.


Directory Performance provides information about connection and lookup speeds for each LDAP-based directory server that User Service queries for user and group information. See Evaluating directory performance, page 379.

If User Service is not installed, or if your organization uses Windows Active Directory in mixed mode, this tab is not displayed.

Using the Policy Server map

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Websense Web Security components, page 370

Understanding Policy Broker, page 380

Working with Policy Server, page 382

Websense Health alerts, page 490

In multiple Policy Server deployments, the Policy Server Map tab of the Status > Deployment page gives a graphical representation of all of your Policy Server instances.

All additional Policy Server instances are shown connected to the central or base Policy Server for your deployment.

Each Policy Server is represented by a server tower or appliance icon with markers that describe its Policy Broker connection.

A legend underneath the map explains the icons.

Position the mouse over a Policy Server instance to see its full IP address and description, the IP address of the Policy Broker that it is currently connected to, and the Policy Broker mode (standalone, primary, or replica).

Configuration changes can be written to a standalone or primary Policy Broker, but replica Policy Broker instances are read-only.

Under the map, a table lists the IP address, description, Policy Broker IP address, key type, and current status of each Policy Server instance.

Click a Policy Server icon in the map or IP address in the table to see a list of the components (like Filtering Service, Log Server, and User Service) associated with the selected Policy Server instance. Note that in some cases, a single component name (like Real-Time Monitor) is used to represent multiple, interdependent services (like RTM Client, RTM Server, and RTM Database).

For each component, the list displays its name, IP address or hostname, version, and status.

The status column displays one of the following icons:

A green icon with a check mark indicates that the Policy Server and its associated components are all running.


A red icon with an “x” indicates that the Policy Server or at least one of its associated components is stopped.

A yellow icon with an exclamation mark indicates that the Websense Control Service instance on the Policy Server machine is not available, so status information is not available for that Policy Server and its associated components.

For administrators with permissions to start and stop component services or daemons, the table also includes a start or stop link.

In some cases, a single entry in the list may represent multiple services. In these cases, all of the services that make up the component are started or stopped when the link is clicked.

An additional link offers the option to show all health alerts associated with the selected Policy Server within the Components pop-up window.

Using the component list

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Websense Web Security components, page 370

Troubleshooting tips and tools, page 538

The Component List tab of the Status > Deployment page displays a table showing the Web Security components deployed in your network. For each component, the table shows its:

Name

IP address or hostname

Policy Broker IP address or hostname

Version

Status:

A green icon with a check mark indicates that the component is running.

A red icon with an “x” indicates that the component is stopped.

A yellow icon with an exclamation mark indicates that the Websense Control Service is not running, so status information is not available.

For administrators with permissions to start and stop component services or daemons, the table also includes a start or stop link.

To export the component data for manipulation in a third-party spreadsheet or reporting tool, click the Export to CSV link above the table.


Evaluating directory performance

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

User configuration and identification issues, page 477

Working with users and groups, page 76

User Identification, page 301

When User Service is installed and configured to connect to an LDAP-based directory service, the Directory Performance tab of the Status > Deployment page displays a table showing directory server performance statistics during the selected period (the last hour, by default).

Select a different Time period to see longer-term or more recent data. (The available time periods are last 24 hours, last hour, or last 5 minutes.)

The table contains a separate row for each directory server that User Service has attempted to connect to during the selected period. Each row shows:

The IP address of the Directory Host machine

The Operation type (bind or lookup)

The Average, Most Recent, and Maximum times for each type of operation during the selected period. The time is shown in milliseconds.

The number of attempts User Service made to perform each operation for the specified directory

The number of times the operation failed

Click a Directory Host entry for more information about the performance of that directory since midnight, over the last hour, and during the most recent 5-minute period (see Review directory server details, page 380).

If users in your organization are experiencing browsing delays or sometimes receiving the incorrect policy (especially applied to the first web request of the day, or after a long period without browsing), use the directory performance statistics to identify underperforming directories. If there are persistent problems with specific directory hosts, you may need to take steps to improve:

Network connections between User Service and the directory

Memory, disk, or CPU speed on the directory server machine

Problems affecting multiple directories may indicate network, DNS, or other configuration issues.


Review directory server details

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Evaluating directory performance, page 379

User configuration and identification issues, page 477

Use the Status > Deployment > Directory Server Details page to review performance data for the specified directory since midnight, over the last hour, and during the most recent 5-minute period.

For each time period, a table displays the following information for bind (connection) and lookup operations:

The Average, Most Recent, and Maximum times in milliseconds

The number of attempts to perform the operation

How many failures occurred

To return to the Directory Performance tab, click Close.

Understanding Policy Broker

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Working with Policy Server, page 382

Working with Filtering Service, page 388

Policy Server, Filtering Service, and State Server, page 391

Websense Policy Broker is responsible for managing access to both policy data (including clients, filters, filter components, and delegated administration settings) and to certain global settings that apply to the entire deployment. Settings specific to a single Policy Server instance (like its Filtering Service and Network Agent connections) are stored separately.

Even in multiple Policy Server environments, the same set of policy and general configuration data is shared throughout the deployment, thanks to Policy Broker.

1. At startup, each Websense component requests applicable configuration information from Policy Broker.

2. Running components frequently check for changes to configuration information.

3. The primary or standalone Policy Broker updates its database each time administrators make changes in the Web Security manager and click Save and Deploy.

4. After a configuration change, each component requests and receives the changes that affect its functioning via Policy Broker.

It is possible to install one or more Policy Broker replicas in addition to the primary Policy Broker. In a replicated environment, changes made in the Web Security manager are saved to the primary Policy Broker. After the change, each replica synchronizes its copy of the data to receive the latest updates.

The Policy Broker mode (standalone, primary, or replica) is set during installation, but can be changed later (for example, to change from a standalone environment to a replicated environment) using a command-line utility. See the Websense Policy Broker white paper for more information.

In a replicated environment, you can configure a Policy Broker connection order for each Policy Server instance in your deployment. This determines where components attached to a Policy Server (like Filtering Service) look first for updates to configuration information. See Reviewing Policy Broker connections, page 381.

Whether you have a single (standalone) Policy Broker or a primary Policy Broker with replicas, be sure to back up your policy and configuration data on a regular basis.

See Backing up and restoring your Websense data, page 410, for more information.

Reviewing Policy Broker connections

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Understanding Policy Broker, page 380

Working with Policy Server, page 382

If you have a multiple Policy Broker environment (with a primary Policy Broker and one or more replicas), use the Settings > General > Policy Brokers page to find a list of the Policy Broker instances in your deployment. You can also configure which instance each Policy Server in your network attempts to connect to first.

The Installed Policy Broker Instances table includes the following information:

The Host column shows the IP address or hostname of the Policy Broker machine.

The Type column indicates whether the instance is the primary or a replica. The primary instance always appears first in the list.

A Description of the instance. Click the pencil icon next to the existing description to update it.

When the Last Policy Sync occurred for each Policy Broker replica. This is the most recent time the replica received updated policy and configuration information from the primary Policy Broker.

Use the Policy Server Connections table to customize how the Policy Server instances in your deployment connect to Policy Broker. The table shows:


The IP address or hostname of each Policy Server Host

A Description of the Policy Server instance

The Connection Order the Policy Server instance uses when it connects to Policy Broker (a list of IP addresses)

To change the connection order, click the Policy Server IP address or hostname. This opens the Policy Broker Connection Order window, with the current connection order listed. To move an instance up or down in the list:

1. Click on a row in the table to select the Policy Broker entry.

2. Click the Up or Down button to move the entry in the list.

3. Repeat for each entry that you want to move.

4. When you are finished making changes, click OK to return to the Policy Brokers page.

5. Click OK again on the Policy Brokers page to cache your changes. The changes are not implemented until you click Save and Deploy.

Working with Policy Server

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Reviewing Policy Server connections, page 383

Adding or editing Policy Server instances, page 384

Working in a multiple Policy Server environment, page 385

Changing the Policy Server IP address, page 386

Working with Filtering Service, page 388

Policy Server, Filtering Service, and State Server, page 391

Policy Server is responsible for identifying other Websense software components and tracking their status.

When you log on to the Web Security manager, you are logging onto a graphical interface to Policy Server.

You cannot log on to the Web Security manager until it is configured to communicate with Policy Server.

If your Websense software installation includes multiple Policy Servers, you can switch between Policy Server instances after logging on to the Web Security manager.

You can add and remove Policy Server instances within the Web Security manager.


Communication between the Web Security manager and one Policy Server instance is established during installation.

Many environments require only one Policy Server. A single Policy Server can communicate with multiple Filtering Service and Network Agent instances for load balancing. In very large organizations (10,000+ users), however, it may help to install multiple instances of Policy Server. If you install additional Policy Servers, add each instance to the Web Security manager (see Reviewing Policy Server connections, page 383).

Reviewing Policy Server connections

Web Security Help | Web Security Solutions | Version 7.8.x

Use the Settings > General > Policy Servers page to review Policy Server information for all Policy Server instances associated with the Web Security manager.

If you have multiple Policy Server instances that share a subscription key, you can create one instance as the primary Policy Server. When you add the others as secondary instances, they receive their key information from the primary. This may help to speed up your configuration process and simplify key maintenance (in case you receive a new subscription key in the future).

The Web Security manager is associated with a primary Policy Server instance at installation time. This becomes the base Policy Server for the Web Security manager, and its IP address and description cannot be changed.

To see the secondary Policy Server instances associated with a primary Policy Server in the list, click the “+” symbol next to the Policy Server name or IP address.

To update the information that appears on the page (for example, to see the latest subscription key information or Policy Broker connections, and to see any Policy Server instances that might have recently been automatically added to the Web Security manager), click the Refresh button in the toolbar at the top of the content pane.

Policy Server instances that connect to a different Policy Broker than the base Policy Server are flagged with an icon indicating that they are not currently configurable.

Each Policy Server entry includes a short description. Primary Policy Server entries also include:

Subscription information, including the key associated with the instance and its secondaries and the subscription level (for example, Web Security or Web Security Gateway)

The IP address of the Policy Broker that Policy Server is using

In multiple Policy Broker deployments, configure how Policy Server connects to Policy Broker on the Settings > General > Policy Brokers page.

Click Add to associate an additional Policy Server with the Web Security manager, or click a Policy Server IP address or name to edit configuration information for the selected instance (see Adding or editing Policy Server instances, page 384).

Note that in some cases, Policy Server instances are added to the Web Security manager automatically. For example, when a Policy Server instance is installed on the same machine as a Policy Broker replica, that Policy Server instance appears on the Policy Servers page automatically. You can still edit these instances as needed (for example, to change their description).

Mark one or more Policy Server entries and click Delete to remove the connection between the Web Security manager and the selected Policy Server.

This removes the Policy Server instance from the Web Security manager, but does not uninstall or stop the Websense Policy Server service. You cannot delete the base Policy Server instance.

Any time you remove a Policy Server instance from your deployment, be sure to also remove the instance from the Policy Servers page in the Web Security manager.

Even if you take down one Policy Server machine, then bring up a new machine and assign it the old IP address, a Policy Server instance installed on the new machine does not automatically inherit the subscription key information from the old instance. You must still delete the old instance from the Web Security manager, then add the new instance.

After adding or editing a Policy Server connection, click OK on the Policy Servers page to cache your changes. Changes are not implemented until you click Save and Deploy.

Adding or editing Policy Server instances

Web Security Help | Web Security Solutions | Version 7.8.x

Use the Settings > General > Add Policy Server or Edit Policy Server page to associate a new Policy Server instance with the Web Security manager, or to update configuration information for an existing Policy Server.

1. Enter or edit the IP address or name and communication Port for the Policy Server instance. The default port is 55806.

2. Enter or update the Description of the selected Policy Server instance.

You cannot change the description for the base Policy Server.

3. Indicate whether this is a Primary or Secondary Policy Server.

A primary Policy Server has a different subscription key than other Policy Server instances associated with the Web Security manager.

A secondary Policy Server uses the same subscription key as another Policy Server that has already been associated with the Web Security manager.

4. If this is a secondary Policy Server:

a. Select the IP address of the primary Policy Server from which the secondary should get its key.

b. Indicate whether this secondary should inherit its Directory Services settings from the primary Policy Server.

These are the settings (configured on the Settings > General > Directory Services page) that User Service uses to connect to a directory and retrieve user and group information.

c. Click OK to return to the Policy Servers page, then click OK again on the Policy Servers page to cache your changes. Changes are not implemented until you click Save and Deploy.

Note that after adding a secondary Policy Server, you may have to log off of the TRITON console and log on again before you can use the Policy Server Switch button to connect to the new Policy Server instance.

5. If this is a primary Policy Server, indicate whether to Use the current subscription key registered to the new instance or Enter a subscription key.

If you are editing an existing entry, the current subscription key and subscription type are displayed below the radio buttons.

Click Verify Policy Server to make sure that the Web Security manager can communicate with the new Policy Server. If you have selected “Use the current subscription key,” and the connection is successful, the subscription key is displayed.

If you are not sure whether the new Policy Server instance already has a key registered, you can either select the option to enter the key manually, or click Verify Policy Server to see if the Web Security manager finds an existing key for the instance.

6. Click OK to return to the Policy Servers page. You must click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.

Working in a multiple Policy Server environment

Web Security Help | Web Security Solutions | Version 7.8.x

In distributed environments, or deployments with a large number of users, it may be appropriate to install multiple Policy Server instances. This entails some special considerations.

Because policy information is managed by Policy Broker, policy changes are made available to all Policy Server instances when you click Save and Deploy.

Many global configuration settings (like risk class definitions and alerting options) are also shared between Policy Server instances.

Configuration settings that are specific to a single Policy Server (like its Filtering Service and Network Agent connections) are stored locally by each Policy Server and not distributed.

In order to apply time-based actions (Confirm, Quota, Password Override, or Account Override) correctly, one or more instances of Websense State Server is required. State Server allows the timing information associated with these features to be shared, so that clients are granted exactly the Internet access that you intend (see Policy Server, Filtering Service, and State Server, page 391).


To switch between Policy Server instances in the Web Security manager:

1. In the Web Security toolbar, next to the IP address of the current Policy Server, click Switch.

If there are unsaved changes to the current Policy Server instance, a warning prompt appears. To remain connected to the current Policy Server so that you can save your changes, click Cancel.

2. Select a Policy Server IP address or hostname from the Connect to list.

3. Click OK.

You are logged onto the selected Policy Server automatically, and the Web Security manager interface is updated.

Changing the Policy Server IP address

Web Security Help | Web Security Solutions | Version 7.8.x

Before changing the IP address of the Policy Server machine, stop all Websense services on the machine.

After changing the IP address, you must manually update Websense configuration files used by the Web Security manager, Policy Server, and other Websense services before policy enforcement resumes.

Step 1: Update Web Security manager configuration

Update the Web Security manager to use the new IP address to connect to Policy Server.

1. On the TRITON management server, stop the Websense Web Reporting Tools and Websense TRITON - Web Security services (if necessary).

If the TRITON console and Policy Server are installed on this same machine, these services should already be stopped.

2. Navigate to the following directory:

Websense\Web Security\tomcat\conf\Catalina\localhost\

3. Locate the mng.xml file, and then make a backup copy of the file in another directory.

4. Open mng.xml in a text editor (like Notepad or vi) and replace each instance of the old Policy Server IP address with the new one.

The Policy Server IP address appears twice: as the ps/default/host value and the psHosts value.

5. When you are finished, save and close the file.

Do not restart any services until you have completed the remaining configuration updates in this section.


Step 2: Update Policy Server configuration

Update the Policy Server configuration file, and the initialization file used to configure communication between Websense components.

1. If you have not already done so, stop all Websense services on the Policy Server machine (see Stopping and starting Websense services, page 398).

2. Navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default).

3. Locate the config.xml file, and then make a backup copy of the file in another directory.

4. Open config.xml in a text editor and replace each instance of the old Policy Server IP address with the new one.

5. When you are finished, save and close the file.

6. In the bin directory, locate the websense.ini file, and then make a backup copy in another directory.

7. Open websense.ini in a text editor and replace each instance of the old Policy Server IP address with the new one.

8. When you are finished, save and close the file.
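
The file edits in Step 1 and Step 2 can be scripted. The following is an added example, not Websense code: it copies each file to a separate backup directory and replaces the old address only where it appears as a complete IPv4 address, so that changing 10.0.0.1 does not also rewrite 10.0.0.10. The function names, the addresses, and the sample file content are assumptions made for illustration.

```python
import ipaddress
import re
import shutil
import tempfile
from pathlib import Path


def ip_pattern(ip: str) -> "re.Pattern[bytes]":
    """Compile a pattern that matches `ip` only as a whole IPv4 address.

    A plain search-and-replace of 10.0.0.1 would also rewrite 10.0.0.10 and
    210.0.0.1. The guards reject a match that is preceded by a digit or dot,
    or that continues into another digit or octet.
    """
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return re.compile(
        rb"(?<![\d.])" + re.escape(ip.encode("ascii")) + rb"(?!\d|\.\d)"
    )


def count_ip(path, ip: str) -> int:
    """Count whole-address occurrences of `ip` in the file at `path`."""
    return len(ip_pattern(ip).findall(Path(path).read_bytes()))


def replace_ip(path, old_ip: str, new_ip: str, backup_dir) -> int:
    """Back up `path` into `backup_dir`, then replace old_ip with new_ip.

    Works on raw bytes so line endings and the file's encoding are left
    untouched (assumes an ASCII-compatible encoding such as UTF-8).
    Returns the number of replacements made.
    """
    path, backup_dir = Path(path), Path(backup_dir)
    ipaddress.IPv4Address(new_ip)
    pattern = ip_pattern(old_ip)

    # The procedure asks for a backup copy "in another directory".
    if backup_dir.resolve() == path.parent.resolve():
        raise ValueError("backup directory must differ from the file's directory")
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup = backup_dir / path.name
    if backup.exists():
        # Never overwrite an earlier backup with an already-edited file.
        raise FileExistsError(f"refusing to overwrite existing backup {backup}")
    shutil.copy2(path, backup)

    data = path.read_bytes()
    new_data, count = pattern.subn(new_ip.encode("ascii"), data)
    if count:
        path.write_bytes(new_data)
    return count


# Constructed sample content. The real mng.xml layout may differ; only the
# two value names (ps/default/host and psHosts) come from the procedure.
SAMPLE_MNG_XML = (
    b'<settings>\r\n'
    b'  <entry key="ps/default/host" value="10.0.0.1"/>\r\n'
    b'  <entry key="psHosts" value="10.0.0.1"/>\r\n'
    b'  <entry key="unrelated" value="10.0.0.10"/>\r\n'
    b'</settings>\r\n'
)


def demo() -> dict:
    """Run the replacement on the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp, "conf")
        conf.mkdir()
        target = conf / "mng.xml"
        target.write_bytes(SAMPLE_MNG_XML)

        replaced = replace_ip(target, "10.0.0.1", "10.0.0.25", Path(tmp, "backup"))
        return {
            "replaced": replaced,
            "old_left": count_ip(target, "10.0.0.1"),
            "new_found": count_ip(target, "10.0.0.25"),
            "neighbour_intact": b"10.0.0.10" in target.read_bytes(),
            "backup_is_original": Path(tmp, "backup", "mng.xml").read_bytes()
            == SAMPLE_MNG_XML,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it once per file (mng.xml, config.xml, websense.ini) while the Websense services are stopped, then confirm that count_ip returns 0 for the old address before continuing.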

Step 3: Verify the Log Database connection

Use the Windows ODBC Data Source Administrator on the Policy Server machine to verify the ODBC connection to the Log Database.

1. Open the Data Sources tool:

Windows Server 2012: Go to Server Manager > Tools > ODBC Data Sources 64-bit.

Windows Server 2008: Go to Start > Administrative Tools > Data Sources (ODBC).

2. On the System DSN tab, select the appropriate data source name (by default, wslogdb70), and then click Configure.

3. Verify that the correct database server machine is selected, and then click Next.

4. Enter the credentials used to connect to the database, and then click Next.

5. Accept the defaults on the next 2 screens, and then click Test Data Source.

Note

If the test fails, check the database server machine name and try again.

If the machine name is correct, but the test continues to fail, verify that the correct connection port is being used, and that the firewall allows communication on the selected port.


Step 4: Restart Websense services

1. Reboot the Policy Server machine. Make sure that all Websense services on the machine restart normally.

2. If the Web Security manager used to configure this Policy Server is installed on another machine, restart the Websense Web Reporting Tools and Websense TRITON - Web Security services on that machine.

Note

If the TRITON console is installed on the same machine as Policy Server, administrators must use the new IP address to log on.

Working with Filtering Service

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:

Review Filtering Service details, page 389

Resuming Master Database downloads, page 390

Policy Server, Filtering Service, and State Server, page 391

Working with Content Gateway, page 395

Filtering Service is the Websense software component that works with Network Agent, Content Gateway, or a third-party integration product to manage Internet activity. When a user requests a site, Filtering Service receives the request, determines which policy applies, and uses the applicable policy to determine whether the site is permitted or blocked.

Each Filtering Service instance downloads its own copy of the Websense Master Database to use in determining how to handle Internet requests.

If you have multiple Filtering Service instances, an additional component, Websense State Server, is required to enable correct application of time-based actions (Confirm, Quota, Password Override, or Account Override). State Server allows the timing information associated with these features to be shared, so that clients are granted exactly the Internet access that you intend (see Policy Server, Filtering Service, and State Server, page 391).

Filtering Service also sends information about Internet activity to Log Server, so that it can be recorded and used for reporting.

In the Web Security manager, a Filtering Service Summary on the System dashboard lists the IP address and current status of each Filtering Service instance associated with the current Policy Server. Click a Filtering Service IP address for more detailed information about the selected Filtering Service.


Review Filtering Service details

Use the Status > Dashboard > Filtering Service Details page to review the status of an individual Filtering Service instance. The page lists:

The Filtering Service IP address

Whether or not the selected instance is running

The Filtering Service version

This should match your Websense software version, including any hotfixes that have been applied.

The operating system of the Filtering Service machine

The Websense software platform

This indicates whether your Web Security solution is running in standalone mode or integrated with Content Gateway or a third-party product.

The IP address and status of any Network Agent instances with which the selected Filtering Service communicates

The IP address and status of any Content Gateway instances with which the selected Filtering Service communicates

Click Close to return to the Web Security Dashboard.

Review Master Database download status

Each Filtering Service instance in your network downloads its own copy of the Master Database. When you are working in the Web Security manager, the Status > Alerts page displays a status message when a Master Database download is in progress, or an alert if a download attempt fails.

For detailed information about recent or ongoing database downloads, click Database Download on the Web Security Dashboard toolbar. The Database Download page includes an entry for each Filtering Service instance associated with the current Policy Server.

Initially, the Database Download page displays a quick download summary, showing where the database was downloaded, which database version was downloaded, and whether the download was successful. From this summary view, you can:

Initiate a database download for a single Filtering Service (click Update).

Initiate database downloads for all listed Filtering Service instances (click Update All).

Cancel one or all ongoing updates.

Click an IP address in the list on the right to review more detailed database download status for the selected Filtering Service.

If the selected Filtering Service has encountered download problems, a recommendation for addressing the problem may be displayed.

To manually initiate a database download for the selected Filtering Service, click Update.

During database download, the status screen shows detailed progress information for each stage of the download process. Click Close to hide progress information and continue working in the Web Security manager.

Resuming Master Database downloads

If a Master Database download is interrupted, Websense software attempts to resume the download automatically. If Filtering Service is able to reconnect to the download server, the download resumes from where it was interrupted.

You can manually restart a failed or interrupted download. This does not resume the download from the point of interruption, but instead restarts the process from the beginning.

1. In the Web Security manager, go to Status > Dashboard and click Database Download.

2. Click Stop All Updates to stop the interrupted process.

3. Select a Filtering Service instance and click Update, or click Update All, to restart the download process from the beginning.

Filtering Service support for YouTube in Schools

Educational institutions with a software deployment of Websense Web Security or Web Filter can use a Filtering Service configuration parameter to enable YouTube for Schools. This YouTube service provides access to educational videos from inside the school network, even when other YouTube content is blocked.

Note

In Web Security Gateway and Gateway Anywhere software or appliance deployments, you can enable YouTube for Schools via Content Gateway, rather than via Filtering Service.

Once you have enrolled in the program and received a school account code or ID, first:

In the Web Security manager, navigate to the Settings > General > Filtering page, and verify that Enable search filtering is selected at the bottom of the page.

You must enable search filtering to use the YouTube in Schools feature.

If search filtering was not previously enabled, click OK and Save and Deploy to cache and implement the change.

Make sure that YouTube is permitted for the clients that will be granted YouTube in Schools access.

When that configuration is complete, perform the following steps for each Filtering Service instance in your deployment:

1. Navigate to the Websense bin directory on the Filtering Service machine (C:\Program Files or Program Files (x86)\Websense\Web Security\bin\ or /opt/Websense/bin/, by default).

2. Make a backup copy of the eimserver.ini file in another location.

3. Open the original eimserver.ini file and add the following lines:

[SafeSearchCustomValues]
YouTubeEDUFilter=<school_account_code>

Replace <school_account_code> with the actual code or ID received from YouTube.

4. Save and close the file.

5. Restart Filtering Service:

Windows: Use the Windows Services tool to restart Websense Filtering Service.

Linux: Use the /opt/Websense/WebsenseDaemonControl command to restart Filtering Service.

Policy Server, Filtering Service, and State Server

Related topics:

Working with Policy Server, page 382

Working with Filtering Service, page 388

Actions, page 58

Password override, page 87

Account override, page 88

If your deployment includes multiple instances of Filtering Service that might handle a request from the same user, an optional component, Websense State Server, can be installed to enable proper application of time-based actions (Quota, Confirm) or overrides (Password Override, Account Override).

When State Server is installed, it allows its associated Filtering Service instances to share timing information, so users receive the correct allotment of quota, confirm, or override session time.

State Server is typically installed on a Policy Server machine, and only one State Server instance is required per logical deployment. A logical deployment is any group of Policy Server and Filtering Service instances that might handle requests from the same set of users.

All Filtering Service instances that communicate with the same State Server instance must share the same time zone, and the time on all machines must be in synch.

Each Filtering Service instance can communicate with only one State Server.

All Filtering Service instances associated with the same Policy Server must communicate with the same State Server.

Multiple Policy Server instances can share a single State Server.

Configure which State Server instance a Policy Server communicates with on the Settings > General > Filtering page in the Web Security manager (see Configuring filtering settings, page 69).

In a geographically dispersed organization, where each location has its own Policy Server and Filtering Service instances, deploy one State Server instance (on the Policy Server machine or V-Series appliance) at each location. For example:

In an organization where all requests are managed through a central location, only one State Server instance is needed.

Integrating with a third-party SIEM solution

Use the Settings > General > SIEM Integration page to configure Websense software to send log data from Filtering Service to a supported Security Information and Event Management (SIEM) solution.

Before using this page to enable SIEM integration, make sure an instance of Websense Multiplexer is installed for each Policy Server in your deployment.

Perform these steps for each Policy Server instance in your deployment.

1. Select Enable SIEM integration for this Policy Server to turn on the SIEM integration feature.

2. Provide the IP address or hostname of the machine hosting the SIEM product, as well as the communication Port to use for sending SIEM data.

3. Specify the Transport protocol (UDP or TCP) to use when sending data to the SIEM product.

4. Select the SIEM format to use. This determines the syntax of the string used to pass log data to the integration.

The available formats are syslog/CEF (ArcSight), syslog/key-value pairs (Splunk and others), syslog/LEEF (QRadar), and Custom.

If you select Custom, a text box is displayed. Enter or paste the string that you want to use. Click View SIEM format strings for a set of sample strings to use as a reference or template.

If you select a non-custom option, a sample Format string showing fields and value keys is displayed.

5. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

When you save your changes, Websense Multiplexer connects to Filtering Service and takes over the job of distributing log data to both Log Server and the selected SIEM integration.

Note that although the same data is passed from Filtering Service to both Log Server and the SIEM product, Log Server may be configured to perform data reduction processing tasks (like recording visits instead of hits, or consolidating log records).

Because the SIEM product does not perform these data reduction tasks, there may be more SIEM entries than records in the Log Database.

IPv6 support is available for SIEM and the Websense Multiplexer beginning with 7.8.4.

For more detailed information about the data passed to the SIEM integration, see Integrating Web Security with third-party SIEM products. Subsections of the linked document provide mapping information for category numbers, disposition codes, reason strings, and other information included in the SIEM output.
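A check that can be run on the receiving side of the syslog/CEF option, as an added example (not Websense code and not part of the original manual): a parser for the standard CEF header-and-extension layout that counts records per action and rejects malformed lines. The sample lines, the vendor and product strings, and the extension keys (act, src, dst, request, cat) are constructed assumptions; the real fields are whatever the sample Format string on the SIEM Integration page shows.

```python
import re
from collections import Counter

# Constructed syslog/CEF lines (not captured from a real deployment). Vendor,
# product and extension keys are assumptions, not the Websense format string.
SAMPLE_LINES = [
    "<134>Jan 10 09:15:02 fs01 CEF:0|ExampleVendor|Web Filter|7.8|9|blocked request|7|"
    "act=blocked src=10.0.0.5 dst=203.0.113.7 request=http://example.test/a?x\\=1 cat=Entertainment",
    "<134>Jan 10 09:15:03 fs01 CEF:0|ExampleVendor|Web Filter|7.8|2|permitted \\| logged|1|"
    "act=permitted src=10.0.0.6 dst=198.51.100.9 request=http://example.test/ cat=News and Media",
    "<134>Jan 10 09:15:04 fs01 truncated CEF:0|ExampleVendor|Web Filter",
    "<134>Jan 10 09:15:05 fs01 plain syslog text, no CEF payload",
]

HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")   # key= at a token boundary; an escaped '=' never matches
_ESCAPE = re.compile(r"\\(.)")


def _unescape(value):
    """Undo CEF backslash escaping in a header field or extension value."""
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(body):
    """Return the 7 header fields and the raw extension, splitting on unescaped '|'."""
    parts, start, i = [], 0, 0
    while i < len(body) and len(parts) < len(HEADER_FIELDS):
        if body[i] == "\\":
            i += 2                          # skip the escaped character
            continue
        if body[i] == "|":
            parts.append(body[start:i])
            start = i + 1
        i += 1
    if len(parts) < len(HEADER_FIELDS):
        parts.append(body[start:])          # header without extension or trailing '|'
        start = len(body)
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError("incomplete CEF header")
    return [_unescape(p) for p in parts], body[start:]


def parse_cef(line):
    """Parse one syslog line; return a dict, or None if it holds no valid CEF record."""
    pos = line.find("CEF:")
    if pos < 0:
        return None
    try:
        header, ext = _split_header(line[pos + 4:])
    except ValueError:
        return None
    record = dict(zip(HEADER_FIELDS, header))
    keys = list(_EXT_KEY.finditer(ext))
    record["ext"] = {}
    for n, match in enumerate(keys):
        # A value runs until the next key= token, so it may contain spaces.
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        record["ext"][match.group(1)] = _unescape(ext[match.end():end].strip())
    return record


def summarize(lines):
    """Count parsed records per 'act' value and the number of rejected lines."""
    actions, rejected = Counter(), 0
    for line in lines:
        record = parse_cef(line)
        if record is None:
            rejected += 1
        else:
            actions[record["ext"].get("act", "<missing>")] += 1
    return dict(actions), rejected


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Because Log Server may consolidate records and the SIEM feed does not, per-action counts from a check like this are expected to be equal to or higher than the matching Log Database counts.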

Working with Content Gateway

Related topics:

Working with Filtering Service, page 388

Working with Policy Server, page 382

Managing Content Gateway connections, page 396

Content Gateway is a Linux-only Websense software component that provides high-performance Web proxy services in Websense Web Security Gateway and Gateway Anywhere deployments. Content Gateway is also used as a proxy by Websense Data Security and Email Security Gateway solutions.

In Websense Web Security Gateway and Gateway Anywhere deployments, Content Gateway provides:

Real-time content scanning and website classification to protect the network from malicious web content. This is especially valuable for Web 2.0 sites, whose multiple sources and dynamic nature limit the usefulness of static categorization.

Advanced file scanning to discover and block infected and malicious files from being uploaded or downloaded

Detection of inbound and outbound protocols tunneled over HTTP and HTTPS, and application of protocol-based policy enforcement

Content Gateway works with Filtering Service to manage Internet requests based on both:

Static categorization by the Master Database or custom URL definitions

Dynamic recategorization resulting from content scanning and analysis

At installation, Content Gateway establishes communication with a Policy Server instance. This connection:

Allows Policy Server to pass subscription key information to Content Gateway, mitigating the need to maintain keys in 2 management consoles

Provides the Web Security manager with information about Filtering Service connections to Content Gateway

Is used to populate the Settings > General > Content Gateway Access page in the Web Security manager, and makes it possible to launch the Content Gateway manager from within the TRITON console

Managing Content Gateway connections

Use the Settings > General > Content Gateway Access page to review configuration and status information for Content Gateway instances associated with the current Policy Server, or to launch the Content Gateway manager for a selected instance.

When a Content Gateway instance is registered with a Policy Server, the Content Gateway Access page is automatically updated with IP address, hostname, and status information for that Content Gateway. This information appears in one of 3 tables:

If the Content Gateway is part of a cluster, a table is displayed with the cluster name as its title. All Content Gateway instances in the cluster are listed. If there are multiple clusters, multiple tables will appear.

If the Content Gateway is not clustered, it is shown in the Unclustered Content Gateway instances table.

If Policy Server cannot communicate with a Content Gateway instance, it appears in the Not Responding table. This table is only displayed when Policy Server cannot communicate with a registered Content Gateway instance.

To launch the Content Gateway manager for any listed instance, click the corresponding link in the IP Address column of the table.

To update the description of an instance, to make it easier to manage Content Gateway connections, mark the radio button next to an instance IP address and click Edit Description.

If a Content Gateway instance appears in the Not Responding table because the instance has been uninstalled or relocated, mark the radio button next to the instance name and click Delete.

After editing Content Gateway descriptions or deleting obsolete entries, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Viewing and exporting the audit log

Websense software provides an audit trail showing which administrators have accessed the Web Security manager, as well as any changes made to policies and settings. This information is available only to Super Administrators who are granted policy permissions (see Super Administrator permissions, page 342).

Delegated administrators have significant control over the Internet activities of their managed clients. Monitoring their changes through the audit log enables you to ensure that this control is handled responsibly and in accordance with your organization’s acceptable use policies.

Use the Status > Audit Log page to view the audit log, and to export selected portions of it to an Excel spreadsheet (XLS) file, if desired.

Audit records are saved for 60 days. To preserve audit records longer than 60 days, use the export option to export the log on a regular basis. Exporting does not remove records from the audit log.

When the Audit Log page opens, the most recent records are shown. Use the scroll bar and the paging buttons above the log to view older records.

The log displays the following information. If an item is truncated, click the partial entry to display the full record in a popup window.

Column: Description

Date: Date and time of the change, adjusted for time zones. To assure consistent data in the audit log, be sure all machines running Websense components have their date and time settings synchronized.

User: User name of the administrator who made the change.

Server: IP address or name of machine running the Policy Server affected by the change. This appears only for changes that affect the Policy Server, such as changes made on the Settings tab.

Role: Delegated administration role affected by the change. When a change affects a client explicitly assigned as a managed client in the delegated administrator's role, that change shows as affecting the Super Administrator role. If the change affects a client that is a member of a network range, group, domain or organizational unit assigned to the role, the change shows as affecting the delegated administrator's role.

Type: Configuration element that was changed, such as policy, category filter, or logon/logoff.

Element: Identifier for the specific object changed, such as the category filter name or role name.

Action: Type of change made, such as add, delete, change, log on, and so on.

Previous: Value before the change.

Current: New value after the change.

Not all items are shown for all records. For example, the role is not displayed for logon and logoff records.

To export audit log records:

1. Select a time period from the Export range list.

Choose Last 60 days to export the entire audit log file.

2. Click Go.

If Microsoft Excel is installed on the machine, the exported file opens. Use options in Excel to save or print the file.

If Microsoft Excel is not installed, follow the on-screen instructions to either locate the software or save the file.

Stopping and starting Websense services

Websense services are configured to start each time the machine restarts. However, in some cases you need to stop or start one or more product components separately from a machine restart.

Note

If Filtering Service is in the process of downloading the Master Database, it does not stop running until the download is complete.

When you stop all Websense services, always end with the policy services, in the order shown:

1. Websense Policy Server

2. Websense Policy Broker

3. Websense Policy Database

Note that unless a problem specifically pertains to Policy Broker or the Policy Database, it is rarely necessary to restart these services. Avoid restarting these services when possible.

When you start all Websense services, always start with the policy services, in the reverse of the shutdown order (starting with Policy Database and ending with Policy Server).

When you stop the services associated with Real-Time Monitor:

Also stop the Websense TRITON - Web Security and Websense Web Reporting Tools services.

Stop the Real-Time Monitor services in the order shown:

1. Websense RTM Client

2. Websense RTM Server

3. Websense RTM Database

Start the Real-Time Monitor services in the reverse of shutdown order (starting with RTM Database and ending with RTM Client).

From the management console

Unconditional Super Administrators (including admin) and delegated administrators with appropriate permissions can stop and start services from the Status > Deployment page in the Web Security manager.

Services can be started and stopped from either the Policy Server Map or the Component List tabs.

On the Policy Server Map tab, click a Policy Server icon or IP address, then click the Start or Stop link for an associated component.

On the Component List tab, find the appropriate component in the list, then click its Start or Stop link.

Windows

On Windows machines, use the following steps to stop or start individual services.

1. Open the Windows Services tool:

Windows Server 2012: Server Manager > Tools > Services

Windows Server 2008: Start > Administrative Tools > Services

2. Right-click the Websense service name, and then select Stop or Start.

To start, stop, or restart all services on the machine:

1. Navigate to the Websense Web Security folder (C:\Program Files or Program Files (x86)\Websense\Web Security\).

2. Stop, start, or restart the services with one of the following commands:

WebsenseAdmin start

WebsenseAdmin stop

WebsenseAdmin restart

Linux

On Linux machines, there are 2 tools that can be used to stop and start daemons:

The WebsenseAdmin script starts, stops, and restarts all daemons on the machine.

The WebsenseDaemonControl script starts and stops individual daemons.

Warning

Do not use the kill command to stop a Websense service, as it may corrupt the service.

To use the WebsenseAdmin script to start or stop all daemons:

1. Go to the /opt/Websense directory.

2. Check the status of the Websense services with the following command:

./WebsenseAdmin status

3. Stop, start, or restart all Websense services with the commands:

./WebsenseAdmin stop

./WebsenseAdmin start

./WebsenseAdmin restart

To use the WebsenseDaemonControl script to start or stop a daemon:

1. Go to the /opt/Websense directory.

2. Enter the following command:

./WebsenseDaemonControl

A list of installed components is displayed, showing whether each process is running or stopped.

3. Enter the letter associated with a component to start or stop the associated process.

To refresh the list, enter R.

4. When you are finished, enter Q or X to exit the tool.

Websense appliance

On Websense appliances, use the Appliance manager to stop, start, and restart Websense services.

To restart services:

1. Go to the Status > General page. This page is displayed by default when you log on to Appliance Manager.

2. Scroll to the Network Agent section and click Restart Module.

3. When the Network Agent module has restarted, go to the Web Security section and click Restart Module.

To stop the services (perhaps while performing a maintenance task):

1. Scroll to the Network Agent section of the Status > General page and click Stop Services.

2. In the Websense Web Security section, also click Stop Services.

3. When you are ready to start the services again:

a. Go to the Websense Web Security section and click Start Services.

b. Go to the Network Agent section and click Start Services.

Websense Web Security installation directories

The Websense Web Security installation directory depends on the machine operating system.

On Windows machines, the default installation directory is:

C:\Program Files or Program Files (x86)\Websense\Web Security\

On Linux machines, the default installation directory is:

/opt/Websense/

Alerting

Related topics:

Flood control, page 402

Configuring general alert options, page 402

Configuring system alerts, page 403

Configuring category usage alerts, page 405

Configuring protocol usage alerts, page 406

To facilitate tracking and management of both Websense software and client Internet activity, Super Administrators can configure alerts to be sent when selected events occur.

System alerts notify administrators of Web Security events relating to subscription status and Master Database activity, as well as Content Gateway events, including loss of contact to a domain controller, log space issues, and more.

Usage alerts notify administrators when Internet activity for selected categories or protocols reaches configured thresholds.

Usage alerts can be generated for both Websense-defined and custom categories or protocols.

Suspicious activity alerts notify administrators when threat-related events of a selected severity level reach a configured threshold.

All alerts can be sent to selected recipients via email or SNMP.

Flood control

Related topics:

Alerting, page 401

Configuring general alert options, page 402

There are built-in controls for usage alerts to avoid generating excessive numbers of alert messages. Use the Maximum daily alerts per usage type setting to specify a limit for how many alerts are sent in response to user requests for particular categories and protocols. See Configuring general alert options, page 402, for more information.

You can also set threshold limits for each category and protocol usage alert, and for each suspicious activity alert. For example, if you set a threshold limit of 10 for a certain category, an alert is generated after 10 requests for that category (by any combination of clients). See Configuring category usage alerts, page 405, and Configuring protocol usage alerts, page 406, for more information.

Suppose that the maximum daily alerts setting is 20, and the category alert threshold is 10. Administrators are only alerted the first 20 times category requests exceed the threshold. That means that only the first 200 occurrences result in alert messages (threshold of 10 multiplied by alert limit of 20).

Configuring general alert options

Related topics:

Alerting, page 401

Configuring system alerts, page 403

Configuring category usage alerts, page 405

Configuring protocol usage alerts, page 406

Configuring suspicious activity alerts, page 408

Websense software can notify administrators of various kinds of system events, as well as Internet usage or suspicious activity that exceeds defined thresholds.

Use the Settings > Alerts > Enable Alerts page to specify flood control settings, and to enable and configure one or more alerting notification methods. After enabling alerting on this page, use the other pages in the Settings > Alerts section to specify which alerts you want to receive.

1. Under Alert Limits per 24 Hours, enter a number to specify the Maximum daily alerts per type to be generated for each category usage, protocol usage, and suspicious activity alert.

For example, you might configure a category usage alert to be sent every 5 times (threshold) someone requests a site in the Sports category. Depending on the number of users and their Internet use patterns, that could generate hundreds of alerts each day.

If the maximum daily alerts per type is 10, administrators would receive alerts about the first 50 requests for Sports sites on a specific day (5 requests per alert multiplied by 10 alerts), but no alerts for subsequent requests for the category on the same day.

2. Mark Enable email alerts to deliver alerts and notifications by email. Then, configure these email settings.

SMTP server IPv4 address or name: IPv4 address or hostname for the SMTP server through which email alerts should be routed.

From email address: Email address to use as the sender for email alerts.

Administrator email address (To): Email address of the primary recipient of email alerts.

Recipient email addresses (Cc): Email address for up to 50 additional recipients. Each address must be on a separate line.

3. Mark Enable SNMP alerts to deliver alert messages through an SNMP Trap system installed in your network. Then, provide information about your SNMP Trap system.

Community name: Name of the trap community on your SNMP Trap server.

IPv4 address or hostname: The IPv4 address or hostname of the SNMP Trap server.

Port: Port number SNMP messages use. The default is 162.

4. When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
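The flood-control arithmetic from the Flood control topic and from step 1 above, modeled as an added example (not Websense code): it replays a request stream and reports, per day and category, how many alerts were sent and how many requests arrived after the last alert. It assumes the daily cap is tracked per category and resets when the calendar day changes; the class, the function names and the request stream are constructed.

```python
from collections import defaultdict


class UsageAlertModel:
    """Model of usage alerting with a threshold and a daily alert cap.

    Assumptions (not stated in the manual): the cap is counted per category,
    and all counters start again when the calendar day changes.
    """

    def __init__(self, threshold, max_daily_alerts):
        if threshold < 1 or max_daily_alerts < 0:
            raise ValueError("threshold must be >= 1 and max_daily_alerts >= 0")
        self.threshold = threshold
        self.max_daily_alerts = max_daily_alerts
        # Keyed by (day, category), so a new day starts from zero.
        self.stats = defaultdict(lambda: {"requests": 0, "alerts": 0,
                                          "suppressed": 0, "last_alerted_request": 0})

    def record(self, day, category):
        """Count one request; return True if it produces an alert message."""
        s = self.stats[(day, category)]
        s["requests"] += 1
        if s["requests"] % self.threshold:
            return False                    # threshold not reached yet
        if s["alerts"] >= self.max_daily_alerts:
            s["suppressed"] += 1            # threshold reached, daily cap already spent
            return False
        s["alerts"] += 1
        s["last_alerted_request"] = s["requests"]
        return True


def coverage(events, threshold, max_daily_alerts):
    """Replay (day, category) request events and report alert coverage."""
    model = UsageAlertModel(threshold, max_daily_alerts)
    for day, category in events:
        model.record(day, category)
    report = {}
    for key, s in model.stats.items():
        # unalerted_tail: requests seen after the last alert message of the day
        report[key] = dict(s, unalerted_tail=s["requests"] - s["last_alerted_request"])
    return report


# Constructed request stream (not real log data).
EVENTS = ([("2014-01-10", "Sports")] * 500
          + [("2014-01-10", "Shopping")] * 30
          + [("2014-01-11", "Sports")] * 25)

if __name__ == "__main__":
    for key, row in sorted(coverage(EVENTS, threshold=10, max_daily_alerts=20).items()):
        print(key, row)
```

With a threshold of 10 and a cap of 20, the 500 Sports requests on the first day produce 20 alerts, the last at request 200, and the remaining 300 requests generate none; reporting is the place to look for that activity.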

Configuring system alerts

Related topics:

Alerting, page 401

Configuring general alert options, page 402

Reviewing current system status, page 409

The Web Security manager displays detailed system health and status information via the Status > Alerts page, described in Reviewing current system status, page 409.

To assure that administrators are notified of significant system events, configure Websense system alerts to be distributed by email or via SNMP trap.

Websense Web Security Gateway and Gateway Anywhere administrators have the option to enable system alerts for both Web Security events (related to subscription and database download issues) and Content Gateway events for a variety of issues.

Use the Settings > Alerts > System page to specify which alerts to send, and select the methods used to send each notification.

To enable an alert, mark one or more check boxes to the right of the message summary to indicate how to notify administrators. Depending on what methods are enabled on the Enable Alerts page, you may be able to choose Email, SNMP, or a combination.

To disable an alert, clear all check boxes to the right of the message summary.

All alerts are enabled, by default. If you have provided SMTP information for email notifications, 4 Web Security events cannot be disabled:

A Websense Master Database download failed.

The number of current users exceeds your subscription level.

Your subscription expires in one month.

Your subscription expires in one week.

There are also 3 optional alerts:

The number of current users has reached 90% of your subscription level.

The search engines supported by Search Filtering have been changed.

The Websense Master Database has been updated.

In Websense Web Security Gateway and Gateway Anywhere environments, you have the option to enable the following additional system alerts:

A domain controller is down.

Decryption and inspection of secure content has been disabled.

Log space is critically low.

Subscription information could not be retrieved.

Non-critical alerts have been received. (See Content Gateway non-critical alerts, page 524, for information about conditions that can trigger this alert.)

When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Configuring category usage alerts

Related topics:

Alerting, page 401

Flood control, page 402

Configuring general alert options, page 402

Adding or editing category usage alerts, page 405

Websense software can notify you when Internet activity for particular URL categories reaches a defined threshold. You can define alerts for permitted requests or for blocked requests to the category.

For example, you might want to be alerted each time 50 requests for sites in the Shopping category have been permitted to help decide whether to place restrictions on that category. Or, you might want to receive an alert each time 100 requests for sites in the Entertainment category have been blocked, to see whether users are adapting to a new Internet use policy.

Use the Settings > Alerts > Category Usage page to view the alerts that have already been established, and to add or delete usage alert categories.

1. View the Permitted Category Usage Alerts and Blocked Category Usage Alerts lists to learn which categories are configured for alerts, the threshold for each, and the selected alert methods.

2. Click Add below the appropriate list to open the Add Category Usage Alerts page (see Adding or editing category usage alerts, page 405) and configure additional URL categories for alerting.

3. Mark the check box for any categories you want to delete from its list, and then click Delete below the appropriate list.

4. When you are finished, click OK to cache your changes and return to the Category Usage page. Changes are not implemented until you click Save and Deploy.

Adding or editing category usage alerts

Related topics:

Alerting, page 401

Configuring general alert options, page 402

Configuring category usage alerts, page 405

Use the Category Usage > Add Category Usage Alerts or Edit Category Usage Alerts page to:

(Add page only) Select new categories for usage alerts

Establish or change the threshold for usage alerts

Select or update alerting methods (email, SNMP)

If you are creating one or more new alerts, start by marking the check box next to each category that you want to add with the same threshold and alert methods.

Note

You cannot add usage alerts for any category that is excluded from logging. See Configuring how requests are logged, page 422.

The remaining steps are available both for adding and for editing usage alerts:

1. Set or update the Threshold by selecting the number of requests that cause an alert to be generated.

2. Mark the check box for each desired alert method (Email, SNMP) for these categories.

Only the alert methods that have been enabled on the Alerts page (see Configuring general alert options, page 402) are available for selection.

3. Click OK to cache your changes and return to the Category Usage page (see Configuring category usage alerts, page 405). Changes are not implemented until you click Save and Deploy.

Configuring protocol usage alerts

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:
Alerting, page 401
Flood control, page 402
Configuring general alert options, page 402
Adding or editing protocol usage alerts, page 407

Websense software can notify you when Internet activity for a particular protocol reaches a defined threshold. You can define alerts for permitted or blocked requests for the selected protocol.

For example, you might want to be alerted each time 50 requests for a particular instant messaging protocol are permitted to help decide whether to place restrictions on that protocol. Or, you might want to receive an alert each time 100 requests for a particular peer-to-peer file sharing protocol have been blocked, to see whether users are adapting to a new Internet use policy.


On the Settings tab, use the Alerts > Protocol Usage page to view the alerts that have already been established, and to add or delete protocols for usage alerts.

1. View the Permitted Protocol Usage Alerts and Blocked Protocol Usage Alerts lists to learn which protocols are configured for alerts, the threshold for each, and the selected alert methods.

2. Click Add below the appropriate list to open the Add Protocol Usage Alerts page (see Adding or editing protocol usage alerts, page 407) and configure additional protocols for alerting.

3. Select the check box for any protocols you want to delete, and then click Delete under the appropriate list.

4. When you are finished, click OK to cache your changes and return to the Protocol Usage page. Changes are not implemented until you click Save and Deploy.

Adding or editing protocol usage alerts

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:
Alerting, page 401
Configuring general alert options, page 402
Configuring protocol usage alerts, page 406

Use the Protocol Usage > Add Protocol Usage Alerts or Edit Protocol Usage Alerts page to:

(Add page) Select new protocols for usage alerts

Establish or update the threshold for usage alerts

Select or update alert methods (email, SNMP) for the alerts

If you are creating new protocol usage alerts, start by marking the check box next to each protocol to be added with the same threshold and alert methods.

Note

You cannot select a protocol for alerting unless it is configured for logging in one or more protocol filters.

Protocol alerts only reflect usage by clients governed by a protocol filter that logs the protocol.

The remaining steps are available both for adding and for editing usage alerts:

1. Set or change the Threshold by selecting the number of requests that cause an alert to be generated.

2. Select each desired alert method (Email, SNMP) for these protocols.

Only the alert methods that have been enabled on the Alerts page (see Configuring general alert options, page 402) are available for selection.

3. Click OK to cache changes and return to the Protocol Usage page (see Configuring protocol usage alerts, page 406). Changes are not implemented until you click Save and Deploy.

Configuring suspicious activity alerts

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:
Alerting, page 401
Flood control, page 402
Configuring general alert options, page 402

Websense Web Security solutions can notify you when suspicious activity of a specified severity level reaches a defined threshold. You can define alerts for permitted requests and blocked requests of each severity level.

Because Content Gateway is required to detect critical and high severity alerts, it is not possible to configure alerting for those severity levels in Websense Web Security and Websense Web Filter deployments.

Use the Settings > Alerts > Suspicious Activity page to enable, disable, or change alerting configuration for alerts associated with suspicious events in your network.

Detailed information about these events is displayed on the Threats dashboard.

The page displays 2 tables: Permitted Suspicious Activity Alerts and Blocked Suspicious Activity Alerts. Each table shows:

The Severity level to be configured. The 4 severity levels are critical, high, medium, and low. Severity level is determined by the threat category associated with the alert. See How severity is assigned to suspicious activity, page 39, for more information.

The alerting Threshold. By default, the threshold for critical and high severity alerts, both permitted and blocked, is 1.

One or more notification methods. Suspicious activity alerts can be sent via Email, SNMP, or both.

Whether or not the alert is Enabled. A green check mark indicates that alerts are being generated for suspicious activity of the selected severity. A red “X” indicates that alerting is disabled for the selected severity.

To update suspicious activity alert settings, you can:

1. Mark the check box to the left of a severity level, then click Enable or Disable to activate or stop alerts of the selected type.

2. For enabled alerts, enter a number in the Threshold field to specify the number of suspicious events that cause an alert to be generated.

3. Select each notification method (Email, SNMP) to use to deliver suspicious activity alerts.

Only alert methods that have been enabled on the Enable Alerts page (see Configuring general alert options, page 402) are available for selection.

4. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Reviewing current system status

Web Security Help | Web Security Solutions | Version 7.8.x

Use the Status > Alerts page to find information about problems affecting the health of your Websense software, get troubleshooting help, and review the details of recent real-time updates to the Websense Master Database.

The Active Alerts list shows the status of monitored Websense software components.

For detailed information about which components are monitored, click What is monitored? above the list of alert messages.

To troubleshoot a problem, click the Solutions button next to the error or warning message.

To hide an alert message, click Hide Persistent Alerts. If your organization does not use Log Server, Network Agent, or User Service, or if you do not plan to enable WebCatcher, mark the appropriate check box in the Hide Alert column of the table. Alerts associated with the selected service are no longer displayed.

The Real-Time Database Updates list provides information about emergency updates to the Websense Master Database, showing:

When the update occurred

The update type

The new database version number

The reason for the update

The IP address of the Filtering Service instance that received the update

These supplemental updates occur in addition to regular, scheduled Master Database updates, and can be used, for example, to recategorize a site that has been temporarily miscategorized. Websense software checks for database updates every hour.

For Websense Web Security users, the Alerts page includes a third list: Real-Time Security Updates. This list has the same format as the Real-Time Database Updates list, but specifically shows security-related database updates.

Installing security updates as soon as they are created eliminates vulnerability to threats such as new phishing (identity fraud) scams, rogue applications, or malicious code infecting a mainstream website or application.

For more information about Real-Time Security Updates, see Real-Time Security Updates™, page 28.

Use the Print button, above the page, to open a secondary window with a printable version of the Alerts area. Use browser options to print this page.

Backing up and restoring your Websense data

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:
Scheduling backups, page 412
Running immediate backups, page 414
Maintaining the backup files, page 415
Restoring your Websense data, page 416
Discontinuing scheduled backups, page 417
Command reference, page 417

The Websense Backup Utility makes it easy to back up your Websense software settings and policy data, and to revert to a previous configuration. Data saved by the utility can also be used to import Websense configuration information after an upgrade.

Important

Make sure that all administrators log off of the TRITON console before you back up or restore your configuration.

The Backup Utility saves:

Global configuration information, including client and policy data, stored in the Policy Database.

Local configuration information, such as Filtering Service and Log Server settings, stored by each Policy Server.

Websense component initialization and configuration files.

The backup process works as follows:

1. You initiate an immediate backup (see Running immediate backups, page 414) or define a backup schedule (see Scheduling backups, page 412).

Manually launch a backup at any time.

Backup files are stored in a directory you specify when you run or schedule the backup.

2. The Backup Utility checks all Websense components on the machine, collects the data eligible for backup, and creates an archive file. The file name is given the format:

wsbackup_<yyyy-mm-dd_hhmmss>.tar.gz

Here, <yyyy-mm-dd_hhmmss> represents the date and time of the backup. tar.gz is a portable compressed file format.

Only root (Linux) and members of the Administrators group (Windows) can access the backup files.

Run the Websense Backup Utility on each machine that includes Websense components. The tool identifies and saves any of the following files that it finds on the current machine:

Path: \Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin
File names: authserver.ini, BrokerService.cfg, config.xml, eimserver.ini, icap.conf, ignore.txt, LogServer.ini, securewispproxy.ini, transid.ini, upf.conf, websense.ini, WebUI.ini, wsauthserver.ini, wscitrix.ini, WSE.ini, wsedir.ini, wsradius.ini, wsufpserver.ini

Path: bin/i18n
File name: i18n.ini

Path: bin/postgres/data
File names: postgresql.conf, pg_hba.conf

Path: BlockPages/*/Custom
File names: (all files)

Path: tomcat/conf/Catalina/Localhost
File name: mng.xml

Store Websense backup files in a safe and secure location. These files should be part of your organization’s regular backup procedures.

To revert to an earlier configuration:

1. Retrieve the backup files from their storage site.

2. Copy each backup file to the Websense machine on which it was created.

Important

Do not attempt to use a backup file created on one operating system platform to restore configuration to an installation on another platform.

For example, do not attempt to restore a backup file created on Linux to a Windows machine.

3. Run the Backup Utility in restore mode.

Important

Always use the Backup Utility to restore a Websense software configuration. Do not extract the files from the archive using other extraction utilities.

If the backup file is corrupted, you will not be able to restore your settings.

During the restore process, any error messages or warnings are displayed on the machine where the restore is being run.
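Because a corrupted archive cannot be restored, it helps to record a digest of each archive when it is created and to check it before running the restore. The following is an added example, not part of the Websense tooling: the function names and the separate digest file are assumptions, and the script only reads the archive (it never extracts it).

```python
import hashlib
import os
import re
import stat

# Archive naming format given in the manual: wsbackup_<yyyy-mm-dd_hhmmss>.tar.gz
NAME_RE = re.compile(r"^wsbackup_\d{4}-\d{2}-\d{2}_\d{6}\.tar\.gz$")


def sha256_of(path):
    """Hash the archive in chunks without unpacking it."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_digest(archive, digest_file):
    """Append '<sha256>  <file name>' to digest_file right after a backup.

    Keep digest_file somewhere other than the backup directory, so that
    damage to the backups does not also damage the reference values.
    """
    value = sha256_of(archive)
    with open(digest_file, "a") as handle:
        handle.write("%s  %s\n" % (value, os.path.basename(archive)))
    return value


def recorded_digest(archive, digest_file):
    """Return the most recent digest recorded for this archive, or None."""
    name = os.path.basename(archive)
    found = None
    try:
        with open(digest_file) as handle:
            for line in handle:
                parts = line.split()
                if len(parts) == 2 and parts[1] == name:
                    found = parts[0]
    except OSError:
        return None
    return found


def check_before_restore(archive, digest_file):
    """Return a list of problems; an empty list means no problem was found."""
    problems = []
    if not NAME_RE.match(os.path.basename(archive)):
        problems.append("unexpected file name")
    expected = recorded_digest(archive, digest_file)
    if expected is None:
        problems.append("no recorded digest")
    elif sha256_of(archive) != expected:
        problems.append("digest mismatch")
    # The manual states that only root (Linux) can access the backup files,
    # so any group or other permission bit on the copy is worth flagging.
    if os.name == "posix":
        mode = os.stat(archive).st_mode
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("archive is accessible to group or others")
    return problems
```
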

Scheduling backups

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:
Running immediate backups, page 414
Maintaining the backup files, page 415
Restoring your Websense data, page 416
Discontinuing scheduled backups, page 417
Command reference, page 417

Notify Websense administrators of the backup schedule, so that they can be sure to log off of the TRITON console during the backup process.

To schedule backups:

Windows:

1. Open a command prompt and navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin, by default).

2. Enter the following command.

wsbackup -s -t "<m> <h> <day_of_month> <month> <day_of_week>" -d <directory>

Note that the time information uses crontab format, and the straight quotation marks and spaces are required.

Linux:

1. Open a command shell and navigate to the Websense directory (/opt/Websense/, by default).

2. Enter the following command:

./WebsenseTools -b -s -t \"<m> <h> <day_of_month> <month> <day_of_week>\" -d <directory>

In addition to the \" characters at the beginning and end of the entire time and date string, if the string includes any asterisk characters (*), those must also be set off by a \" pair. For example:

./WebsenseTools -b -s -t \"45 1 \"*\" \"*\" 5\"

Here, the backup is scheduled to run at 1:45 a.m. on Fridays (regardless of the month or date).

In place of the variables shown in the example, provide the following information:

Variable: Information
<m>: 0 - 59. Specify the precise minute to start the backup.
<h>: 0 - 23. Specify the general hour of the day to start the backup.
<day_of_month>: 1 - 31. Specify the date to perform the backup. If you schedule a backup for days 29 - 31, the utility uses the standard substitution procedure for the operating system in months that do not include that date.
<month>: 1 - 12. Specify the month to perform the backup.
<day_of_week>: 0 - 6. Specify a day of the week. 0 represents Sunday.

Each field can take a number, an asterisk, or a list of parameters. Refer to any crontab reference for details.
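The quoting differences between the Windows and Linux forms are easy to get wrong, so the added example below (not part of the Websense tooling) validates a five-field schedule against the ranges in the table and builds both command lines. The function names are assumptions; only numbers, asterisks and comma-separated lists are accepted, and destination directories containing whitespace are rejected because the manual does not show how to quote them.

```python
import re

# Field names and ranges as listed in the variable table above.
FIELDS = [
    ("m", 0, 59),
    ("h", 0, 23),
    ("day_of_month", 1, 31),
    ("month", 1, 12),
    ("day_of_week", 0, 6),  # 0 represents Sunday
]

# Default Websense bin directories named in the manual (normalised form).
# Backups must not be stored there: the directory is deleted on uninstall.
BIN_DIRS = [
    "c:/program files/websense/web security/bin",
    "c:/program files (x86)/websense/web security/bin",
    "/opt/websense/bin",
]


def validate_schedule(spec):
    """Return the five fields of a crontab-style schedule or raise ValueError."""
    parts = spec.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected 5 fields, got %d" % len(parts))
    for value, (name, low, high) in zip(parts, FIELDS):
        if value == "*":
            continue
        for item in value.split(","):
            if not re.fullmatch(r"\d{1,2}", item):
                raise ValueError("%s: %r is not a number, list or *" % (name, item))
            if not low <= int(item) <= high:
                raise ValueError("%s: %s is outside %d - %d" % (name, item, low, high))
    return parts


def check_destination(directory):
    """Reject the Websense bin directory and paths this helper cannot quote."""
    norm = directory.replace("\\", "/").rstrip("/").lower()
    for bin_dir in BIN_DIRS:
        if norm == bin_dir or norm.startswith(bin_dir + "/"):
            raise ValueError("do not store backups in the Websense bin directory")
    if re.search(r"\s", directory):
        raise ValueError("directory contains whitespace; quoting is not covered here")
    return directory


def windows_command(spec, directory):
    """Windows form: the whole schedule inside straight double quotes."""
    fields = validate_schedule(spec)
    return 'wsbackup -s -t "%s" -d %s' % (" ".join(fields), check_destination(directory))


def linux_command(spec, directory):
    """Linux form: \\" around the schedule and around every asterisk."""
    fields = validate_schedule(spec)
    quoted = [r'\"*\"' if field == "*" else field for field in fields]
    return r'./WebsenseTools -b -s -t \"%s\" -d %s' % (
        " ".join(quoted), check_destination(directory))


if __name__ == "__main__":
    # The manual's example schedule: 1:45 a.m. on Fridays.
    print(windows_command("45 1 * * 5", r"D:\wsbackup"))
    print(linux_command("45 1 * * 5", "/var/backups/websense"))
```
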


Running immediate backups

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:
Scheduling backups, page 412
Maintaining the backup files, page 415
Restoring your Websense data, page 416
Discontinuing scheduled backups, page 417
Command reference, page 417

Before running the Backup Utility, make sure that all administrators are logged off of the TRITON console.

To launch an immediate backup:

Windows:

1. Open a command prompt and navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin, by default).

2. Enter the following command.

wsbackup -b -d <directory>

Linux:

1. Open a command shell and navigate to the Websense directory (/opt/Websense/, by default).

2. Enter the following command:

./WebsenseTools -b -b -d <directory>

Here, <directory> indicates the destination directory for the backup archive.

Warning

Do not store backup files in the Websense bin directory.

This directory is deleted if you uninstall your Websense software.

When you initiate an immediate backup, any error messages and notifications are displayed on the console of the machine running the backup.


Maintaining the backup files

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:
Scheduling backups, page 412
Running immediate backups, page 414
Restoring your Websense data, page 416
Discontinuing scheduled backups, page 417
Command reference, page 417

When you perform a backup, a configuration file (WebsenseBackup.cfg) is created and stored with the backup archive. This configuration file specifies:

How long to keep the backup archive in the backup directory

The maximum amount of disk space that may be consumed by all backup files in the directory

Edit the WebsenseBackup.cfg file in any text editor to change either of these parameters:

Parameter: Value

KeepDays: Number of days archive files should remain in the backup directory. The default is 365.

Any files older than the KeepDays value are deleted from the backup directory. If the amount of allotted disk space is exceeded, the oldest files are deleted from the backup directory to make room for newer files.

KeepSize: Number of bytes allotted for backup files. The default is 10857600.

The KeepSize parameter is not applied until there are multiple backup files in the directory. The size of the last (most recent) backup file is not affected by this setting. (In other words, if the most recent backup file is larger than the KeepSize limit, it will be the only file in the directory, but it will not be truncated.)

Note that by default, one or both of these parameters may be commented out when the default configuration file is created. If you customize the value of either parameter, and there is a “#” character at the start of the line, delete the “#” to enable your changes.
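To see which archives the retention settings would remove before they are gone, the added example below models the two rules described above on a directory listing. It is not the Backup Utility's own code: the function names are assumptions, as is the order of application (age rule first, then size rule), and the listing in the demonstration is constructed.

```python
import re
from datetime import datetime, timedelta

# Archive naming format given in the manual: wsbackup_<yyyy-mm-dd_hhmmss>.tar.gz
NAME_RE = re.compile(r"^wsbackup_(\d{4}-\d{2}-\d{2}_\d{6})\.tar\.gz$")


def backup_time(name):
    """Return the timestamp encoded in an archive name, or None."""
    match = NAME_RE.match(name)
    if not match:
        return None
    try:
        return datetime.strptime(match.group(1), "%Y-%m-%d_%H%M%S")
    except ValueError:  # digits present but not a real date or time
        return None


def plan_pruning(files, now, keep_days=365, keep_size=10857600):
    """Predict retention for a list of (file name, size in bytes) pairs.

    Returns (kept, deleted), each a list of archive names, oldest first.
    Files that do not match the archive naming format are ignored.
    """
    archives = sorted(
        (backup_time(name), name, size)
        for name, size in files
        if backup_time(name) is not None
    )
    cutoff = now - timedelta(days=keep_days)
    kept, deleted = [], []
    # KeepDays: any file older than the limit is deleted.
    for stamp, name, size in archives:
        if stamp < cutoff:
            deleted.append(name)
        else:
            kept.append((stamp, name, size))
    # KeepSize: oldest files go first, but the rule is not applied to a
    # single remaining file, so the most recent archive is never removed.
    while len(kept) > 1 and sum(size for _, _, size in kept) > keep_size:
        deleted.append(kept.pop(0)[1])
    return [name for _, name, _ in kept], deleted


if __name__ == "__main__":
    # Constructed listing for illustration.
    listing = [
        ("wsbackup_2013-01-15_014500.tar.gz", 4000000),
        ("wsbackup_2014-03-07_014500.tar.gz", 5000000),
        ("wsbackup_2014-04-04_014500.tar.gz", 5000000),
        ("wsbackup_2014-05-30_014500.tar.gz", 6000000),
        ("WebsenseBackup.cfg", 120),
    ]
    kept, deleted = plan_pruning(listing, datetime(2014, 6, 1))
    print("kept:", kept)
    print("would be deleted:", deleted)
```

With the default KeepSize of 10857600 bytes, the constructed listing keeps only the newest archive, which shows how quickly the default size limit displaces older backups that have not been copied elsewhere.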


Restoring your Websense data

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:
Scheduling backups, page 412
Running immediate backups, page 414
Maintaining the backup files, page 415
Discontinuing scheduled backups, page 417
Command reference, page 417

When you restore Websense configuration data, make sure that you are restoring data for the components that exist on the current machine. Also make sure that all administrators are logged off of the TRITON console.

If you run the restore process on the Policy Broker machine, once the restore is complete, restart all Websense services in your deployment. This includes the services on and off the Policy Broker machine.

To initiate the restore process:

Windows:

1. Open a command prompt and navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin, by default).

2. Enter the following command:

wsbackup -r -f archive_file.tar.gz

Linux:

1. Open a command shell and navigate to the Websense directory (/opt/Websense/, by default).

2. Enter the following command:

./WebsenseTools -b -r -f archive_file.tar.gz

Important

The restore process may take several minutes. Do not stop the process while restoration is underway.

During the restore process, the Backup Utility stops all Websense services. If the utility is unable to stop the services, it sends a message asking the user to manually stop them. Services must be stopped in the order described in Stopping and starting Websense services, page 398.

The Backup Utility saves some files used for communication with third-party integration products. Because these files reside outside the Websense directory structure, you must restore them manually, by copying each file to the correct directory.

Files that must be restored manually include:

File name: Restore to
isa_ignore.txt: Windows\system32
ignore.txt: Windows\system32\bin

Discontinuing scheduled backups

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:
Scheduling backups, page 412
Running immediate backups, page 414
Maintaining the backup files, page 415
Restoring your Websense data, page 416
Command reference, page 417

To clear the backup schedule and stop running currently scheduled backups, open a command shell and navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin, by default). Enter the following command:

wsbackup -u

Command reference

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:
Scheduling backups, page 412
Running immediate backups, page 414
Maintaining the backup files, page 415
Restoring your Websense data, page 416
Discontinuing scheduled backups, page 417

Only root (Linux) or a member of the Administrators group (Windows) can run the Backup Utility.

The wsbackup and WebsenseTools -b commands take the following options:

-b (or --backup)


-d directory_path (or --dir directory_path)

-f full_file_name (or --file full_file_name)

-h (or --help, or -?)

-r (or --restore)

-s (or --schedule)

-t (or --time)

-u (or --unschedule)

-v (or --verbose [0 - 3])


17

Reporting Administration

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:
Configuring how requests are logged, page 422
Assigning categories to risk classes, page 420
Configuring reporting preferences, page 421
Configuring Log Server, page 424
Log Database administration settings, page 432
Configuring investigative reports, page 446
Self-reporting, page 450

In organizations that use only the default administrator account (admin), everyone who uses the Web Security manager has access to all reporting settings and tools. In organizations that use delegated administration, access to reporting settings and tools is controlled by members of the Super Administrator role (see Editing roles, page 354).

Administrators with access to reporting settings have many options for customizing reporting in their environment.

The Websense Master Database organizes categories into risk classes. Risk classes suggest possible types or levels of vulnerability posed by sites in those categories. Use the Settings > General > Risk Classes page to customize risk classes for your organization. See Assigning categories to risk classes, page 420.

Use the Settings > Reporting > Preferences page to configure the email server used to distribute reports, activate self-reporting, and configure how long scheduled reports are stored on the TRITON management server. Also configure whether Real-Time Monitor collects data all the time, or only when Real-Time Monitor is open. See Configuring reporting preferences, page 421.

Logging is the process of storing information about Internet activity in a Log Database so that you can generate reports.

Use the Settings > General > Logging page to enable logging, select the categories to be logged, and determine what user information is logged. See Configuring how requests are logged, page 422, for more information.

Use the Settings > Reporting > Log Server page to manage the way the log records are processed and connections to the Log Database. See Configuring Log Server, page 424.

Use the Settings > Reporting > Log Database page to administer the Log Database, including database partition, URL logging, browse time, and trend data options. See Log Database administration settings, page 432.

An end user who uses the Filtering Service has no direct or indirect influence over the database. Thus, although the log entry is stored in the MSSQL database, the user did not direct its storage and cannot retrieve it.

The only interface to the database itself is from the Log Server, the Reporting services, and the Manager. Filtering Service and Websense Content Gateway do not access the database, but instead send information via the Log Server.

Assigning categories to risk classes

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:
Risk classes, page 55
Block Pages, page 117
Use Reports to Evaluate Internet Activity, page 131

The Websense Master Database organizes categories into risk classes. Risk classes suggest possible types or levels of vulnerability posed by sites in those categories.

Risk classes are used primarily in reporting. The Web Security Dashboard includes charts that track Internet activity by risk class, and you can generate presentation or investigative reports organized by risk class.

Use the Settings > General > Risk Classes page to review or change which categories comprise each risk class.

1. Select an entry in the Risk Classes list.

2. Review the Categories list to see which categories are currently included in that risk class.

A check mark shows that the category is currently assigned to the selected risk class. The blue “W” icon indicates categories that are included in the risk class by default.

3. Mark or clear entries in the category tree to include or exclude a category from the selected risk class. Categories can belong to more than one risk class.

Other choices include:

Option: Description
Select All: Selects all categories in the tree.
Clear All: Deselects all categories in the tree.
Restore Defaults: Resets the category choices for the selected risk class to those provided by the Websense software. A blue W icon indicates a default category.

4. Repeat this process for each risk class.

5. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Configuring reporting preferences

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:
Self-reporting, page 450
Scheduling presentation reports, page 146
Scheduling investigative reports, page 172

Use the Settings > Reporting > Preferences page to provide information used to send completed scheduled reports to selected recipients via email, activate self-reporting, determine how long scheduled presentation reports are stored, and configure when Real-Time Monitor collects data.

1. Under Email Reports, enter the Email address to display in the “From” field when scheduled reports are distributed via email.

2. Enter the SMTP server IPv4 address or name for the email server to use for distributing scheduled reports.

3. Mark the Allow self-reporting check box to let end users in your organization access the Web Security manager to run investigative reports on their personal Internet activity.

When this option is selected, the URL used to access self-reporting features is displayed. See Self-reporting, page 450.

4. Under Scheduled Presentation Reports, use the Store reports for drop-down list to indicate how long reports are stored on the TRITON management server machine (5 days, by default).

As you increase the length of time that reports are stored, you affect the amount of disk space required on the TRITON management server. The management server is not an appropriate location for a long-term reporting archive.

5. Use the Warn administrators... drop-down list to indicate how long a warning is displayed on the Review Reports page before a scheduled presentation report is deleted (3 days, by default).

The warning is intended to give administrators time to archive important reports in an appropriate location before they are deleted from the management server.

6. Under Real-Time Monitor, select a radio button to determine when Real-Time Monitor starts to capture user data:

Select Capture data only when Real-Time Monitor is active (default) to improve system performance. With this option selected, data collection begins when you launch Real-Time Monitor. There may be a slight delay (of a few seconds) before records start appearing on the screen.

Select Always capture data to have the Real-Time Monitor client continually process data into the RTM database, even when no one is viewing the data. This may have a noticeable effect on system performance.

7. Click Save Now to implement your changes.

Configuring how requests are logged

Web Security Help | Web Security Solutions | Version 7.8.x

Related topics:
Introducing the Log Database, page 430
Configuring Log Server, page 424

Use the Settings > General > Logging page to:

Provide the IP address and port that Filtering Service uses to send log records to Log Server.

(Websense Web Security Gateway Anywhere) Provide the port that Sync Service uses to send hybrid log records to Log Server.

Specify what client-identifying information, if any, Filtering Service sends to Log Server for use in reporting.

Determine which URL categories are logged for use in reporting and category usage alerting (see Configuring category usage alerts, page 405).

In an environment with multiple Policy Servers, configure the Logging page separately for each Policy Server instance. All Filtering Service instances associated with the active Policy Server send their log records to the Log Server identified on this page.

When working with multiple Policy Servers, note that:

Each Policy Server can communicate with a single Log Server instance.

For reporting data to display properly in the Web Security manager, there must be a Log Server associated with the base Policy Server (the Policy Server instance specified during installation, noted on the Settings > General > Policy Server page).

This is typically the Policy Server installed with Policy Broker (for example, the Policy Server on the full policy source appliance).

If the Log Server IP address and port are blank for any Policy Server, the Filtering Service instances associated with that Policy Server cannot log any traffic for reporting or alerts.

Information about whether or not user names and IP addresses are logged is stored centrally, so the same settings are used throughout your deployment.

Likewise, any changes you make to how categories are logged are shared by all Filtering Service and Log Server instances.

If your environment includes both multiple Policy Servers and multiple Log Servers, make sure you log on to each Policy Server separately, and verify that it is communicating with the correct Log Server.

1.

Enter the Log Server IPv4 address or hostname.

2.

Enter the Port that Filtering Service uses to send log records to Log Server

(55805, by default).

3.

(Websense Web Security Gateway Anywhere) Enter the port that Sync Service uses to send log records from the hybrid service to Log Server.

4.

Click Check Status to determine whether the Web Security manager is able to communicate with Log Server using the specified location and port.

A message indicates whether the connection test passed. Update the IP address or hostname and port, if needed, until the test is successful.

5.

Specify how much user data is stored in log records and displayed in reports:

To log identifying information for machines accessing the Internet, mark Log

IP addresses.

To log identifying information for users accessing the Internet, mark Log user

names.

Note

If you do not log IP addresses or user names, there can be no user data in your reports. This is sometimes called

anonymous logging.

If you are using Web Security Gateway or Gateway Anywhere, and want

Threats dashboard tables to include source device name information, when available, click Log hostnames.

Name information is available in threat-related logs only. It is not available for Internet activity to which no severity is assigned.

Web Security Help

423

Reporting Administration

6.

Use the Selective Category Logging list to indicate any URL categories that should not be logged. Changes made here apply to all category filters in all active policies.

Note

If you disable logging for categories that have usage alerts set up (see Configuring category usage alerts, page 405), no usage alerts can be sent.

Reports cannot include information about categories that are not logged.

Use the Find category search box to quickly jump to a specific category.

Expand parent categories as needed to change logging for subcategories.

Clear the check box next to a category name to stop logging the category.

You must select or deselect each category separately. Selecting a parent category does not automatically select its subcategories. Use Select All and Clear All to assist with selections.

7. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Configuring Log Server


During installation, you configure certain aspects of Log Server operation, including how Log Server interacts with policy enforcement components. Use the Settings > Reporting > Log Server page to update these settings, or to configure other details about Log Server operation.

When you finish your configuration updates, click OK to cache your changes. Changes are not saved until you click Save and Deploy.

If you make changes to the database connection, after saving and deploying the changes, also restart the Websense TRITON - Web Security service on the management server machine to update the database connection for all reporting tools.

In multiple Log Server environments, the settings configured on this page apply to the Log Server instance assigned to the Policy Server whose IP address appears on the Web Security toolbar.

Note

The Settings > Reporting > Log Server page replaces the Log Server Configuration Utility, which was used to perform these tasks in previous versions.


Verify basic Log Server details

Under Location, verify the Log Server IP address. If necessary, use the Port field to update the port over which Log Server communicates with Filtering Service (55805, by default).

This port must match the logging port displayed on the Settings > General > Logging page.

Configure the Log Database connection

Under Log Database Connection, configure the ODBC connection that Log Server uses to connect to the Log Database.

1. Specify the ODBC Data source name (DSN) and enter a unique Description for the database connection.

2. Provide the SQL Server location (IP address or hostname and instance name, if applicable) for the Microsoft SQL Server installation that hosts the Log Database, as well as the Connection port for sending data to the Log Database (1433, by default).

3. If your environment uses SQL Server clustering, enter the virtual IP address for the cluster.

4. Enter the name of the Default database (wslogdb70, by default).

5. Indicate whether or not to Use SSL to connect to the Log Database. When SSL encryption is enabled:

BCP cannot be used to add records to the Log Database.

Log Database connections are slower, affecting reporting performance.

Important

When Microsoft SQL Server components are configured so that “Trust Server Certificate” is set to No (the default), self-signed SSL certificates are not accepted for encryption of database connections.

In this case, SSL certificates signed by a Certificate Authority must be properly deployed to the SQL Server, TRITON management server, and Log Server machines before you enable the “Use SSL” option in the Web Security manager.

See your SQL Server documentation for information about database encryption.

6. Specify a Log Server connection method:

By default, SQL Server authentication is selected. To use SQL Server authentication, provide the SQL Server Account and Password to use.


Alternatively, you can use a Windows trusted connect (network logon account). The Websense Log Server service must be configured to run as this account.

7. Click Test Connection to verify that it is possible to connect to the Log Database using the credentials provided.

For information about the tests performed when you click the button, see Testing the Log Database connection, page 429.

If you make changes to the database connection, after saving and deploying the changes, also restart the Websense TRITON - Web Security service on the management server machine to update the database connection for all reporting tools.

Specify how log records are processed into the database

Click Log Record Creation to specify how Log Server adds records to the Log Database.

ODBC (Open Database Connectivity) inserts records into the database individually, using a database driver to manage data between Log Server and Log Database.

If you select this option, also set the Maximum number of connections to specify how many internal connections can be made between Log Server and the database engine.

Select a value between 4 and 50, as appropriate for your SQL Server license.

Note

Increasing the number of connections can increase processing speed for log records, but could impact other processes in the network that use the same SQL Server. In most cases, you should set the number of connections to fewer than 20. Contact your Database Administrator for assistance.

BCP (Bulk Copy Program) (recommended) inserts records into the Log Database in batches. This option offers better efficiency than ODBC insertion, and is selected by default if the bcp.exe file is found on the machine.

The BCP option is available only if you install the SQL Server Native Client and Command Line Utilities on the Log Server machine.

BCP cannot be used when SQL Server SSL encryption is used.


If you select the BCP option, also specify:

Option: BCP file location

Description: Directory path for storing BCP files. Log Server must have read and write access to the location. (The default folder is C:\Program Files or Program Files (x86)\Websense\Web Security\bin\Cache\BCP\.) After entering the path, click Test Location to verify that the location is accessible.

Option: File creation rate

Description: Maximum number of minutes Log Server spends placing records into a batch file before closing that batch file and creating a new one. This setting works in combination with the batch size setting: Log Server creates a new batch file as soon as either limit is reached.

Option: Maximum batch size

Description: Maximum number of log records before a new batch file is created. This setting works in combination with the creation rate setting: Log Server creates a new batch file as soon as either limit is reached.

After selecting a log record insertion method, click Log Cache Files to specify where and how log cache files are created. These provide temporary storage for log records that have not yet been processed into the Log Database or moved to BCP files.

1. For Cache location, indicate where on the Log Server machine logging cache files are stored (C:\Program Files or Program Files (x86)\Websense\Web Security\bin\Cache\, by default).

2. Click Test Location to verify that the path is accessible.

3. For Cache file creation rate, indicate the maximum number of minutes (1, by default) Log Server should spend sending Internet access information to a log cache file before closing it and creating a new file.

4. For Maximum cache file size, specify how large a log cache file should be before Log Server closes it and creates a new one.

The file creation rate and maximum file size settings work in combination: Log Server creates a new log cache file as soon as either limit is reached.

Adjust database sizing settings

Configure Database Size Management settings to meet your organization’s needs.

The higher the level of detail recorded, the larger the Log Database.

1. To minimize the size of the Log Database, mark Enable log record consolidation. This combines multiple, similar Internet requests into a single log record, reducing the granularity of reporting data.


If you have enabled SIEM integration, note that Log Server applies consolidation to the log records that it processes into the Log Database. Consolidation does not occur for records passed to the SIEM product.

When consolidation is enabled, requests that share all of the following elements are combined into a single log record:

Domain name (for example: www.websense.com)

Category

Keyword

Action (for example: Category Blocked)

User/IP address

The log record includes the number of requests combined into the consolidated record, as well as the total bandwidth for all of the consolidated requests.

Reports run faster when the Log Database is smaller. However, consolidation may decrease the accuracy of some detail reports, as separate records for the same domain name may be lost.

Important

To assure consistent reports, create a new database partition whenever you enable or disable consolidation.

Also, be sure to generate reports from partitions with the same consolidation setting.

With Websense Web Security Gateway (Anywhere), when consolidation is enabled, numbers shown in reports that include traffic blocked by scanning are lower than the numbers shown on scanning-specific reports. This is a side-effect of the way that scanning activity is recorded.

2. If you enable consolidation, also specify the Consolidation time interval. This represents the greatest allowable time difference between the earliest and latest records combined to make one consolidation record.

Decrease the interval to increase granularity for reporting. Increase the interval to maximize consolidation. Be aware that a larger interval can also increase usage of system resources, such as memory, CPU, and disk space.

If you enable full URL logging on the Settings > Reporting > Log Database page, consolidated log records contain the full path (up to 255 characters) of the first matching site Log Server encounters.

For example, suppose a user visited the following sites and all were categorized in the shopping category.

www.domain.com/shoeshopping

www.domain.com/purseshopping

www.domain.com/jewelryshopping

With full URL logging enabled, consolidation creates a single log entry showing 3 requests for the URL www.domain.com/shoeshopping.


3. Under Hits and Visits, use the Enable visits check box to indicate the level of granularity recorded for each user Internet request.

Note

It is best to create a new database partition prior to changing the method of logging between visits and hits.

See the Settings > Reporting > Log Database page to create a new database partition.

When this option is not selected, a separate log record is created for each HTTP request generated to display different page elements, including graphics, advertisements, embedded videos, and so on. Also known as logging hits, this creates a much larger Log Database that grows rapidly.

When this option is selected, Log Server combines the individual elements that create the web page (such as graphics and advertisements) into a single log record that includes bandwidth information for all elements of the visit.

With Websense Web Security Gateway (Anywhere), when visits are enabled, numbers shown in reports that include traffic blocked by scanning are lower than the numbers shown on scanning-specific reports. This is a side-effect of the way that scanning activity is recorded.
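The consolidation rule described in steps 1 and 2 above, modeled as an added example (it is not Websense code and not part of the original manual). The Request and Record types, the function names, and the sample values are assumptions made for illustration; the example shows which requested URLs can no longer be recovered from the Log Database once consolidation is enabled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Request:
    """One logged Internet request (hypothetical shape, for illustration)."""
    ts: datetime
    user: str       # user name or source IP address
    url: str        # host plus path, as stored when full URL logging is on
    category: str
    keyword: str
    action: str
    size: int       # bytes transferred


@dataclass
class Record:
    """One row as it would land in the Log Database after consolidation."""
    first_ts: datetime
    last_ts: datetime
    user: str
    url: str
    category: str
    keyword: str
    action: str
    hits: int
    size: int


def domain_of(url):
    return url.split("/", 1)[0].lower()


def consolidate(requests, interval, full_url=True):
    """Merge requests that share domain, category, keyword, action and user/IP,
    as long as they fall within `interval` of the earliest merged request."""
    open_records = {}   # key -> record currently accepting merges
    out = []
    for r in sorted(requests, key=lambda r: r.ts):
        key = (domain_of(r.url), r.category, r.keyword, r.action, r.user)
        rec = open_records.get(key)
        if rec is not None and r.ts - rec.first_ts <= interval:
            rec.last_ts = r.ts
            rec.hits += 1
            rec.size += r.size      # total bandwidth of the merged requests
            continue
        # First request of a new group: its URL (up to 255 characters) is the
        # only one the consolidated record keeps.
        logged = r.url[:255] if full_url else domain_of(r.url)
        rec = Record(r.ts, r.ts, r.user, logged, r.category, r.keyword,
                     r.action, 1, r.size)
        open_records[key] = rec
        out.append(rec)
    return out


def unrecoverable_urls(requests, records):
    """URLs that were requested but appear in no stored record."""
    kept = {rec.url for rec in records}
    return sorted({r.url for r in requests} - kept)


# Constructed sample data: the three shopping URLs from the manual's example,
# plus one request with a different action and one outside the interval.
T0 = datetime(2014, 3, 1, 9, 0, 0)
SAMPLE = [
    Request(T0, "jdoe", "www.domain.com/shoeshopping", "Shopping", "", "Permitted", 1200),
    Request(T0 + timedelta(seconds=20), "jdoe", "www.domain.com/purseshopping", "Shopping", "", "Permitted", 800),
    Request(T0 + timedelta(seconds=40), "jdoe", "www.domain.com/jewelryshopping", "Shopping", "", "Permitted", 500),
    Request(T0 + timedelta(seconds=50), "jdoe", "www.domain.com/checkout", "Shopping", "", "Category Blocked", 0),
    Request(T0 + timedelta(minutes=5), "jdoe", "www.domain.com/returns", "Shopping", "", "Permitted", 300),
]

if __name__ == "__main__":
    records = consolidate(SAMPLE, timedelta(seconds=60))
    for rec in records:
        print(rec.first_ts.time(), rec.action, rec.url, "hits:", rec.hits, "bytes:", rec.size)
    print("not recoverable from the database:", unrecoverable_urls(SAMPLE, records))
```

Because consolidation is not applied to records passed to a SIEM product, the SIEM copy is the place to look for the individual URLs that the consolidated Log Database no longer holds.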

Configure User Service communication

Click the User Service Connection button, then use the User and group update interval field to indicate how often Log Server connects to User Service to retrieve full user name and group assignment information (every 12 hours, by default).

Activity for a user whose user name or group information has changed continues to be reported with the original user name or group assignment until the next update occurs.

Organizations that update their directory service frequently or have a large number of users should consider updating the user/group information more frequently.

Testing the Log Database connection


The database connection information used by Log Server and other reporting tools can be updated on the Settings > Reporting > Log Server page in the Web Security manager.

The Log Database Connection section of the page includes a Test Connection button.

When you click the button, Log Server performs the following tests:

1. Log Server retrieves the updated database connection information from the Web Security manager.

If Log Server is stopped, or the network is down between the TRITON management server and the Log Server machine, this test fails. If the connection to Log Server fails, an IO exception error is likely to display.


2. Log Server uses ODBC to create a data source name (DSN) for testing purposes.

3. Log Server uses the DSN to establish a connection to the Log Database. Log Server checks to see that:

A Websense database exists.

The database version is correct.

4. Log Server verifies its database permissions.

See Configuring user permissions for Microsoft SQL Server, page 509, for information about the required database roles and permissions.

5. Log Server deletes the DSN it created for testing.

6. Log Server notifies the Web Security manager that its tests succeeded.

If this return notification fails, an IO exception error is likely to display.

In addition, the Web Security manager verifies that it can create a JDBC connection to the database. The Web Security manager test may pass even when a Log Server test fails.

The new database connection information is not used until you cache and save your changes. At that point:

The new database connection information is saved to the Policy Server configuration file.

Log Server creates a permanent DSN (reproducing the temporary DSN created during the connection test).

Restart the Websense TRITON - Web Security service to update reporting tools (like presentation reports) to use the new database connection.

Introducing the Log Database


Related topics:

Database jobs, page 431

Log Database administration settings, page 432

The Log Database stores the records of Internet activity handled by your Websense Web Security solution. Installation creates the Log Database with a catalog database and one database partition.

The catalog database (wslogdb70, by default) provides a single connection point for the various Websense components that need to access the Log Database: dashboards, Log Server, presentation reports, and investigative reports. It contains supporting information for the database partitions, including the list of category names, risk class definitions, trend data, the mapping of users to groups, database jobs, and so forth. The catalog database also maintains a list of all the available database partitions.

Database partitions store the individual log records of Internet activity. There are 2 partition types:

The standard logging partition (wslogdb70_1, wslogdb70_2, etc.) stores information about all logged Internet requests. Information from the standard logging partition is used to populate investigative and presentation reports, as well as dashboard charts.

The threats partition (wslogdb70_amt_1) stores information about requests that have been assigned a severity level (see How severity is assigned to suspicious activity, page 39). Information from the threats partition is used to populate the Threats dashboard.

New standard logging partitions are created based on size or date interval. See Configuring database partition options, page 433, for more information.

When partitions are based on size, all incoming log records are inserted into the most recent active partition that satisfies the size rule. When the partition reaches the designated maximum size, a new partition is created for inserting new log records.

When the partitions are based on date, new partitions are created according to the established cycle. For example, if the rollover option is monthly, a new partition is created as soon as any records are received for the new month. Incoming log records are inserted into the appropriate partition based on date.

Database standard logging partitions provide flexibility and performance advantages. For example, you can generate reports from a single partition to limit the scope of data that must be analyzed to locate the requested information.

Database jobs


The following database jobs are installed along with the Log Database.

Important

If you are using a full version of Microsoft SQL Server (not Express), the SQL Server Agent service must be running on the database engine machine. Make sure that this service is configured to start automatically when SQL Server or the machine is restarted.

The Extract, Transform, and Load (ETL) job runs continuously, receiving data from Log Server, processing it, and then inserting it into the standard logging partition database. When trend data retention is enabled, the ETL job is also responsible for inserting trend data into the catalog database.

The ETL job must be running to process log records into the Log Database.


The database maintenance job performs database maintenance tasks and preserves optimal performance. This job runs nightly, by default.

The Internet browse time (IBT) job analyzes the data received and calculates browse time for each client. The IBT database job is resource intensive, affecting most database resources. This job runs nightly, by default.

When trend data retention is enabled, the trend job uses daily trend data created by the ETL job to update weekly, monthly, and yearly trend records for use in presentation reports.

Even when trend data retention is disabled, the trend job processes data from the threats (AMT) partition to provide trend data on the Threats dashboard.

The trend job also parses user agent strings to populate the Browser and Source Platform tabs of the Reporting > Applications page (see Application reporting, page 178).

This job runs nightly.

The Advanced Malware Threat (AMT) ETL job receives, processes, and inserts data into the threats partition database. Only log records that include a severity ranking (see How severity is assigned to suspicious activity, page 39) are recorded in the threats partition. Data from this partition is used to populate the Threats dashboard (see Threats dashboard, page 35).

Certain aspects of these database jobs can be configured on the Settings > Reporting > Log Database page. See Log Database administration settings, page 432, for more information.

When configuring the start time for the maintenance job and the Internet browse time job, consider system resources and network traffic. These jobs are resource intensive, and can slow logging and reporting performance. When trend data retention is enabled, the trend job is run, by default, at 4:30 a.m. Try to avoid starting other jobs at times that might overlap with the trend job.

Log Database administration settings


Use the Settings > Reporting > Log Database page to manage:

When, where, and how the Log Database creates new standard logging partitions, and which partitions are used in creating reports (Configuring database partition options, page 433)

When and how maintenance jobs are run (see Configuring Log Database maintenance options, page 436)

Whether log records include the full URL, including both the domain and the full path to the page or item (see Configuring how URLs are logged, page 438)

How Internet browse time is calculated (see Configuring Internet browse time options, page 439)

Whether and how long trend and application data should be stored (see Configuring trend and application data retention, page 440).

The name of the active Log Database instance is displayed at the top of the page.

Configuring database partition options


Related topics:

Log Database administration settings, page 432

Log Database sizing guidance, page 442

Configuring Internet browse time options, page 439

Configuring how URLs are logged, page 438

Configuring Log Database maintenance options, page 436

Configuring trend and application data retention, page 440

Use the Database Rollover Configuration section of the Settings > Reporting > Log Database page to specify when you want the Log Database to create a new database partition (roll over), where database partitions are stored, and how large partitions are.

You can also create new partitions manually, rather than waiting for the planned rollover, and review all database partitions available for reporting.

Refer to the Growth Rates and Sizing chart at the bottom of the Database Rollover Configuration section for average daily database partition size over time. This may be helpful in planning for future growth, determining how frequently to create new partitions, and in setting partition size and growth options.

Use the drop-down list under the chart to configure the Time period displayed. (The time period is based on the partition creation date; not the dates that the partition spans.) You can display partitions created in the last 1 week, 1 month, 3 months, 6 months, or show all available partitions.

Note that when a longer time period is selected, each partition may appear as a small dot on the chart.

Indicate whether or not to Show chart legend. When displayed, the legend indicates which partitions (by name) are mapped in the chart.

The legend is only available when the chart includes 20 or fewer partitions for the selected time period.

Select a section of the chart to view it more closely. Click Zoom Out or Reset Chart to reduce the level of detail shown.

For more help with database sizing, see Log Database sizing guidance, page 442.

To manage database rollover and growth:

1. Next to Roll over every, indicate how often you want a new partition to be created.


For all supported database engines, you can enter a size limit for each partition. When the size limit is reached, a new partition is created.

The size limit can be set as follows:

SQL Server Standard or Enterprise: 100-1,000,000 MB, default 5000

Microsoft SQL Server Express: 100-8000 MB, default 5000

If you are using Microsoft SQL Server Standard or Enterprise, you can alternatively specify a partition rollover time interval (every 1-52 weeks, or every 1-12 months).

Note

If the rollover begins during a busy part of the day, performance may slow during the rollover process.

To avoid this, some organizations set the automatic rollover to a long time period or large maximum size.

Then, they perform manual rollovers to prevent the automatic rollover from occurring. See Configuring Log Database maintenance options, page 436, for information on manual rollovers.

Keep in mind that extremely large individual partitions are not recommended. Reporting performance can slow if data is not divided into multiple, smaller partitions.

When a new partition database is created, the partition is automatically enabled for use in reporting.

2. Under Partition Management, provide the following information:

a. Specify the File Path for creating both the Data and Log files for new database partitions.

b. Under Init Size set the initial file size for both the Data and Log files that make up new database partitions.

SQL Server Standard or Enterprise: Data file initial size 50-500,000 MB, default 2000; Log file initial size 50-250,000 MB, default 100


SQL Server Express: Data file initial size 50-5000 MB, default 100; Log file initial size 50-4000 MB, default 100

Note

As a best practice, calculate the average partition size over a period of time, then update the initial size to approximate that value. You might, for example, set the initial size to 80% of the average size. This minimizes the number of times the partition must be expanded, and frees resources to process data into the partitions.

Use the information in the Growth Rates and Sizing list (below the list of available partitions) for help in making this calculation.

c. Under Growth, set the increment by which to increase the size of a partition’s Data and Log files when additional space is required.

SQL Server Standard or Enterprise: Data file growth 100-500,000 MB, default 500; Log file size 1-250,000 MB, default 100

SQL Server Express: Data file growth 1-1000 MB, default 100; Log file size 1-1000 MB, default 100

3. If you want to create a partition the next time the ETL job runs (see Database jobs, page 431), rather than waiting for the next automatic rollover, click Manually Create Partition. This process usually takes a few minutes.

To have the new partition use changes made on the Log Database page, click OK and Save and Deploy before clicking Manually Create Partition.

Click the Refresh link under the Available Partitions list periodically. The new partition is added to the list when the creation process is complete.

4. Use the Available Partitions list to review the partitions available for reporting.

The list shows the dates covered, as well as the size and name of each partition.

Mark the check box next to a partition name, and use the buttons below the list to determine whether the partition’s data is used in or excluded from reports, or to delete the partition.

Click Enable to include a selected partition’s data in reports. You must enable at least one partition for reporting.

Click Disable to exclude a selected partition’s data from reports.

Together, the Enable and Disable options allow you to manage how much data is analyzed during report generation and speed report processing.

Click Delete to remove a partition that is no longer needed. The partition is actually deleted the next time the nightly database maintenance job runs.


Only enabled partitions can be deleted. To delete a disabled partition, first enable it, then delete it.

Warning

Use this option with care. You cannot recover deleted partitions.

Deleting obsolete partitions minimizes the number of partitions in the Log Database, which improves database and reporting performance. Use this Delete option to delete individual partitions as needed. See Configuring Log Database maintenance options, page 436, if you prefer to delete older partitions according to a schedule.

5. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Configuring Log Database maintenance options


Related topics:

Log Database administration settings, page 432

Configuring database partition options, page 433

Configuring Internet browse time options, page 439

Configuring how URLs are logged, page 438

Configuring trend and application data retention, page 440

Use the Database Maintenance section of the Settings > Reporting > Log Database page to control when the database maintenance job runs, whether and how often database partitions are automatically deleted, and how often tasks like reindexing partitions and deleting error log messages occur.

1. For Maintenance start time, select the time of day for running the database maintenance job (01:00 hours, by default).

The time and system resources required by this job vary depending on the tasks you select in this area. To minimize any impact on other activities and systems, it is best to run this job during a slow time on the network, different from the time set for the IBT job (see Configuring Internet browse time options, page 439).


2. To permanently delete partitions based on age, select Automatically delete partitions when data is older than, and then specify the number of days (from 1 to 1825) after which to delete the partitions.

Warning

After a partition has been deleted, the data cannot be recovered. See Configuring database partition options, page 433, for an alternative way to delete partitions.

3. Select Enable automatic reindexing of partitions, and then select a day of the week to have this processing performed automatically each week (Saturday, by default).

Reindexing the database is important to maintain database integrity and to optimize reporting speed.

Important

It is best to perform this processing during a quiet time on the network. Reindexing database partitions is resource intensive and time-consuming. Reports should not be run during the process.

4. Select Process failed batches during the database maintenance job to have the nightly database maintenance job reprocess any failed batches.

Failed batches occur when there is insufficient disk space or inadequate database permissions to insert log records into the database. Typically, these batches are successfully reprocessed and inserted into the database during the nightly database maintenance job. Reprocessing, however, cannot be successful if the disk space or permission problem has not been resolved.

If this option is unchecked, failed batches are never reprocessed. Instead, they are deleted after the time specified (below), if any.

5. Select Delete failed batches after and then enter a number of days (from 0 to 90; 20, by default) after which to delete any failed batches.

If this option is not selected, failed batches are retained indefinitely for future processing.

6. Select Delete the error log after, and then enter a number of days (0 to 90; 60, by default) after which to delete database error records from the catalog database.

If this option is not checked, error logs are retained indefinitely.

7. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.


Configuring how URLs are logged


Related topics:

Log Database administration settings, page 432

Configuring database partition options, page 433

Configuring Internet browse time options, page 439

Configuring Log Database maintenance options, page 436

Configuring trend and application data retention, page 440

Use the Full URL Logging section of the Settings > Reporting > Log Database page to determine how much of each requested URL is logged.

Note

Managing Log Database size is an important concern in high-volume networks. Disabling the Full URL Logging option is one way to control database size and growth.

1. Select Record domain and full URL of each site requested to log the entire URL, including the domain (www.domain.com) and the path to the particular page (/products/productA.html).

Important

Enable full URL logging if you plan to generate reports of scanning activity (see Reporting on advanced analysis activity, page 208). Otherwise, reports can display only the domain (www.domain.com) of the site categorized, even though individual pages within the site may fall into different categories, or contain different threats.

If this option is not checked, only domain names are logged. This choice results in a smaller database, but provides less detail.

If you activate full URL logging when consolidation is active, the consolidated record contains the full URL from the first record in the consolidation group. See

Configuring Log Server

, page 424,

for more information.

2.

Click OK to cache your changes. Changes are not implemented until you click

Save and Deploy.


Configuring Internet browse time options


Related topics:

Log Database administration settings, page 432

Configuring database partition options, page 433

Configuring how URLs are logged, page 438

Configuring Log Database maintenance options, page 436

Configuring trend and application data retention, page 440

Internet browse time (IBT) reports give a view into the amount of time users spend on the Internet. A nightly database job calculates browse time for each client based on the new log records received that day. Set browse time options in the Internet Browse Time section of the Settings > Reporting > Log Database page.

1. Select an IBT job start time for the IBT database job.

The time and system resources required by this job vary depending on the volume of data logged each day. It is best to run this job at a different time than the nightly maintenance job (see Configuring Log Database maintenance options, page 436), and to select a slow time on the network to minimize any impact on generating reports.

The IBT database job can be resource intensive, affecting most database resources. If you enable this job, set the start time so that it does not interfere with the database system’s ability to process scheduled reports and other important operations. Also, monitor the job to determine whether more robust hardware is needed to accommodate all processing needs.

2. For Average browse time per site, set an average number of minutes for reading the contents of a web page.

This number defines browsing sessions for the purpose of Internet browse time reports. Opening a browser generates HTTP traffic. This represents the beginning of a browse session. The session is open as long as HTTP traffic is continually generated within the time set here. The browse session is considered closed once this amount of time passes with no HTTP traffic. A new browse session begins as soon as HTTP traffic is generated again.

Note

It is best to change the average browse time per site setting as seldom as possible, and to start a new database partition whenever you do make a change.

To avoid inconsistent data on the reports, generate IBT reports from database partitions that use the same average browse time per site value.


Be aware that some websites use an automatic refresh technique to update information frequently. One example is a news site that rotates a display of the latest news stories. This refresh generates new HTTP traffic. Therefore, when this kind of site is left open, new log records are generated each time the site refreshes.

There is no gap in HTTP traffic, so the browser session is not closed.

3. Set a Browse time for last site read value to account for time spent reading the last website before the end of a browse session.

When the time gap of HTTP traffic is longer than the average “per site” browse time threshold, the session is ended and the “last site read” browse time value is added to the session time.

4. To enable detail reports that include browse time using investigative reports, mark Calculate detailed browse time for use in investigative detail reports.

If you enable detailed browse time calculations, be sure to create a new database partition. (Create a new partition any time you enable or disable detailed browse time calculations.)

Important

Enabling detailed browse time calculations increases Log Database size, and may also affect database performance.

If you use this option, monitor Log Database growth and overall reporting performance carefully.

When detailed browse time is disabled, the IBT job still runs to perform the calculations used to include browse time in summary reports.

5. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
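The session rule in steps 2 and 3 can be modeled directly to see how the two settings shape reported browse time. The following Python is an added example, not Websense code or the IBT job itself: the function names, the sample timestamps, and the values used for the two settings are constructed for illustration.

```python
from datetime import datetime, timedelta


def browse_sessions(request_times, avg_per_site_min, last_site_read_min):
    """Group one client's request times into browse sessions.

    A session stays open while consecutive requests are no more than
    avg_per_site_min apart. When a longer gap appears, the session ends and
    last_site_read_min is added to its duration.
    Returns a list of (start, last_request, duration) tuples.
    """
    gap_limit = timedelta(minutes=avg_per_site_min)
    last_read = timedelta(minutes=last_site_read_min)
    sessions = []
    start = prev = None
    for ts in sorted(request_times):
        if start is None:
            start = prev = ts
            continue
        if ts - prev > gap_limit:
            # Gap exceeded the threshold: close the current session.
            sessions.append((start, prev, (prev - start) + last_read))
            start = ts
        prev = ts
    if start is not None:
        sessions.append((start, prev, (prev - start) + last_read))
    return sessions


def total_minutes(sessions):
    """Total browse time, in minutes, over a list of sessions."""
    return sum(d.total_seconds() for _, _, d in sessions) / 60


def _t(hhmmss):
    # Constructed sample date; only the time of day matters here.
    return datetime.strptime("2014-01-06 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed sample 1: a user reads a few pages, goes idle, then returns.
ACTIVE_USER = [_t(x) for x in
               ("09:00:00", "09:01:30", "09:03:00", "09:20:00", "09:21:00")]

# Constructed sample 2: a news page left open that refreshes every
# 2 minutes for an hour while nobody is reading it.
AUTO_REFRESH = [_t("12:00:00") + timedelta(minutes=2 * i) for i in range(31)]


if __name__ == "__main__":
    for label, times in (("active user", ACTIVE_USER),
                         ("auto-refresh page", AUTO_REFRESH)):
        for avg in (3, 1):  # two candidate "average browse time per site" values
            s = browse_sessions(times, avg_per_site_min=avg, last_site_read_min=1)
            print(f"{label}: avg={avg} min -> {len(s)} session(s), "
                  f"{total_minutes(s):.1f} min")
```

With a 3-minute threshold the unattended auto-refresh page is reported as one 61-minute session, and the same records yield 31 minutes with a 1-minute threshold, which is why reports drawn from partitions that used different values are not comparable.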

Configuring trend and application data retention


Related topics:

Log Database administration settings, page 432

Configuring database partition options, page 433

Configuring how URLs are logged, page 438

Configuring Log Database maintenance options, page 436

Configuring Internet browse time options, page 439

Optionally, the Log Database can store trend data to enable presentation reporting on Internet activity trends. When trend reporting is enabled, the ETL database job (see Database jobs, page 431) adds daily trend data to the catalog database, and the trend job runs nightly to store weekly, monthly, and yearly trend information.


The Log Database also stores statistical data (like bandwidth and count) for browsers, operating system platforms, and user agent strings to enable application reporting.

Configuring trend data

Use the Trend Data Retention section of the Settings > Reporting > Log Database page to specify how long trend data should be retained in the Log Database.

1. Mark Store trend data to prompt the ETL job to store trend data, and to activate the nightly trend job.

Trend data is calculated only for data collected while this option is enabled.

Data stored in the database before trend data retention is enabled, or data collected after the option is disabled, cannot be included in trend reports.

When this option is disabled, the Trend database job runs only to process threat-related data in the AMT partition.

2. Indicate how long to store weekly, monthly, and yearly trend data. Note that increasing the length of time trend data is stored increases the size of the Log Database (see Log Database sizing guidance, page 442).

Note

Because trend data is stored in the catalog database, rather than the partition database, trend data storage periods are not dependent on how long database partitions are retained.

The default storage periods for trend data are:

                      Daily      Weekly      Monthly      Yearly
SQL Server            90 days    26 weeks    18 months    5 years
SQL Server Express    60 days    13 weeks    6 months     3 years

The nightly trend job purges data when it is older than the specified retention period.

3. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Configuring application data

Use the Application Data section of the Settings > Reporting > Log Database page to determine how long to keep the statistical data used to populate applications reports (on the Browser, Source Platform, and Search tabs of the Applications page).


The time period you select does not affect how long the actual user agent strings are stored. Those are preserved indefinitely. It only affects statistical information, like bandwidth, number of requests, and number of machines.

By default, statistical data for applications reports is stored for 30 days. To select another value:

1. Select a new time period from the Keep data for drop-down list. Depending on your database engine, data may be kept for up to 90 days.

2. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Log Database sizing guidance


Related topics:

Configuring database partition options, page 433

Configuring how requests are logged, page 422

Configuring how URLs are logged, page 438

It is difficult to make precise sizing predictions for the Log Database, because database size is affected by a number of variables, including the number of filtered users and average requests per second. In addition, size is affected by whether the database is configured to:

Record hits or visits for each Web request (see Configuring Log Server, page 424).

Recording hits provides a high level of detail, but recording visits can reduce the size of the database by roughly 40%.

Consolidate log records (see Configuring Log Server, page 424).

By default, all requests are logged as separate hits or visits. When you turn on consolidation, similar requests (by the same user, for sites in the same domain, that have the same action applied) in a defined time period are recorded as a single log record. This can reduce the size of the Log Database by roughly 60%.

Store the full URL for each logged request (see Configuring how URLs are logged, page 438).

Recording full URLs provides precise information about which sites a user has visited, but more than doubles Log Database size.

Log requests for all categories (see Configuring how requests are logged, page 422).

By default, requests for sites in all categories are logged. To reduce the size of the Log Database, you can stop logging requests for sites in categories that, for example, present no security risk or legal liability to your organization.

The impact of this change depends on the number of categories that are not logged, and how often users request sites in those categories.


Perform detailed browse time calculations (see Configuring Internet browse time options, page 439).

In order to create investigative detail reports that include browse time, the IBT job must calculate detailed browse time. Storing detailed browse time data, however, increases the size of the database, and may also affect database performance.

Store trend data (see Configuring trend and application data retention, page 440).

Storing trend data makes it possible to report on trends in users’ Internet activity throughout the course of a day, week, or longer period, but storing trend data increases the size of the Log Database. The longer the data is stored, the greater its effect on database size.

Use the Growth Rates and Sizing chart on the Settings > Reporting > Log Database page to monitor the average daily size of your active and inactive standard logging partitions. This information may help you identify trends in traffic volume over time, and make it easier to plan for future growth.

As you collect average sizing information, adjust your rollover Initial Size and Growth settings (in the Partition Management section of the Settings > Reporting > Log Database page).

As a best practice, set the Initial Size value to approximately 80% of the average partition size over the rollover period (week, month, etc.). The idea is to:

Minimize the number of times the partition must be expanded.

Free resources to process data into the partitions.

Prevent unneeded disk space from being allocated when the partition is created.

Unused portions of the initial space allocated to a partition cannot be recovered until the partition is deleted.

Configuring Dashboard reporting data


Use the Settings > Reporting > Dashboard page to configure the maximum time period that can be shown in elements of the Threats, Risks, Usage, and System dashboards.

If you have Websense Web Security Gateway or Gateway Anywhere, also configure whether to create a forensics repository for storing data about files associated with suspicious threat activity in your network.

Configuring the maximum time period for dashboard charts

By default, charts, counters, and tables on all tabs of the Status > Dashboard page show a maximum of 30 days of data. This limit was chosen to minimize the amount of time it takes to load the Dashboard, optimize Web Security manager overall performance, and reduce load on the Log Database.


With Standard and Enterprise versions of Microsoft SQL Server, you can configure dashboard charts to show a longer time period. Extending the maximum time period, however, may have serious performance impacts for both the Web Security manager and the Log Database.

To change the maximum time period that can be displayed in Risks, Usage, and System dashboard charts, under General Dashboard Data, select a value from the Show a maximum of drop-down list.

Increasing the time period does not affect the size of the Log Database, but does increase the time needed to query the database, retrieve information, and update dashboard charts.

If you are using Microsoft SQL Server Express, the maximum time period is 30 days, and cannot be changed.

To change the maximum time period that can be displayed on the Threats dashboard and Event Details page, under Threats Data, select a value from the Keep Threats data for drop-down list.

Because detailed Threats data is stored in a separate partition from standard logging data, increasing the time period also increases the size of the Log Database.

If threat-related forensic data storage is enabled (see below), the forensics repository attempts to store data for the time period selected here. If, however, the maximum repository size is reached, older records are automatically deleted to make room for newer records.

If you are using Microsoft SQL Server Express, the maximum time period is 30 days, and cannot be changed.

Note that data may not always be available for the full period selected. If your Websense Web Security solution has only been installed for 7 days, for example, 30-day reports show data for only the 7 days that policy enforcement has occurred.

Threats dashboard sample data

If you would like to see examples of the types of data that can appear on the Threats dashboard without generating potentially dangerous network traffic, you can import sample data.

Because the sample data is loaded into the Log Database, where it is mixed with any real data generated in your network, it is best to load the sample data only in a test or evaluation environment.

To clearly flag the sample data, each of the users in the sample database is assigned the middle name Demo (for example, Sam Demo Smith and Lisa Demo Brady). In addition, the timestamp on the user activity predates the creation of the Log Database partition holding the data.

To load sample data into the database, click Sample Data, then click Import Sample Data. When you click OK and Save and Deploy, the data is loaded into the Log Database. After a few seconds, the Threats dashboard is updated to show the new data.


Configuring forensics data storage

In Websense Web Security Gateway and Gateway Anywhere deployments, threat-related forensic data can include:

Information about the source (IP address, device name, and user) attempting to send the data.

Information about the target (IP address, URL, and geographic location) to which the data is being sent.

Header information associated with the attempt to send the data.

A copy of the actual data being sent (such as a text file, spreadsheet, ZIP file).

If you enable storage of forensics data, also specify where the forensics repository (a specialized database) is stored, the maximum size to which the database can grow, and how long to store forensics data.

1. Under Incident Data for Forensic Investigation, mark Store forensic data about Threats incidents for further investigation to create the forensics repository.

If your deployment includes a Websense Data Security solution, this new forensics repository is similar to the Data Security repository. The smaller Web Security repository stores information about only those incidents displayed on the Threats dashboard.

2. Indicate whether to store forensics details for Blocked requests only, or for All requests (both blocked and permitted).

3. Specify the Path to the location that will host the forensics repository.

The specified directory must already exist.

The path can be either local (on the TRITON management server) or remote.

Make sure that there is enough free space in the selected location for the repository to grow to the maximum size that you specify (below).

4. Provide credentials for an account with read, write, and delete permissions for the forensics repository directory.

Select Use Local System account if neither network access nor special permissions are required to access the directory.

Select Use this account to use a domain account, then enter User name, Password, and Domain for the account.

Click Test Connection to verify that the selected account can access the forensics repository location.

5. To specify how large the forensics repository can grow, enter a Maximum size in GB (default 20) for the forensics repository.

If you are using SQL Server Express, this value cannot be changed.

When the maximum size is reached, or records reach the age limit specified for Threats data, records are automatically purged from the repository.

6. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.


Configuring investigative reports


Related topics:

Database connection and report defaults, page 446

Display and output options, page 448

Investigative reports let you interactively delve into the information about your organization’s Internet usage. See Investigative reports, page 155.

The Options link on the main investigative reports page gives you the opportunity to modify which Log Database is used for reporting. It also lets you modify the default view of detail reports. See Database connection and report defaults, page 446.

The wse.ini file lets you configure certain defaults for viewing summary and multilevel reports. It also gives you control over the default page size used when a report is output to PDF. See Display and output options, page 448.

Database connection and report defaults


Related topics:

Configuring investigative reports, page 446

Display and output options, page 448

Summary reports, page 157

Multi-level summary reports, page 162

Use the Investigative Reports > Options page to connect to the desired Log Database, and to control defaults for investigative reports detail view.

Changes made to this page affect your reports. Other administrators, or even users logging on for self-reporting, can change these values for their own reporting activities.

1. Choose the Log Database to use for investigative reports.

Mark View the catalog database to connect to the Log Database to which Log Server is currently logging. Proceed to step 2.


To access a different Log Database, deselect View the catalog database, then enter the following information:

Field: Server

Description: Enter the machine name or IP address where the Log Database is located.

If your environment uses SQL Server clustering, enter the virtual IP address for the cluster.

Field: Database

Description: Enter the name of the Log Database.

Field: User ID

Description: Enter the user ID for an account that has permission to access the database.

Leave this blank if Log Server is configured to use a trusted connection to access the Log Database.

Field: Password

Description: Enter the password for the specified account. Leave this blank for a trusted connection.

2. Select the following defaults for detail reports.

Field: Select default Investigative Reports date range

Description: Choose the date range for the initial summary report display.

Field: Select the default detail report format

Description: Choose Smart columns selection to display detail reports with the default columns set for the information being reported.

Choose Custom columns selection to specify the exact columns for initial display on all detail reports. Use the Available Columns list to make your selections.

Users can modify the columns displayed after generating the report.

Field: Select report type

Description: Choose whether to open detail reports initially showing:

Detail: each record appears on a separate row; time can be displayed.

Summary: combines into a single entry all records that share a common element. The specific element varies, according to the information reported. Typically, the right-most column before the measure shows the summarized element. Time cannot be displayed.

Field: Available Columns / Current Report

Description: Select a column name in the Available Columns list and click the appropriate arrow to move it to the Current Report list. Up to 7 columns can be on the Current Report list.

After the Current Report list contains all the columns for initial detail reports, set the order of the columns. Select an entry in the list, and use the up and down arrow buttons to change its position.


3. Click Save Options to immediately save all changes.

Display and output options


Related topics:

Configuring investigative reports, page 446

Database connection and report defaults, page 446

Output options for investigative reports, page 176

You can make adjustments to the way certain report choices and report results are displayed in summary and multi-level investigative reports, and specify the default page size when reports are output to PDF format.

These investigative reports configuration options are set in the wse.ini file (located by default in the C:\Program Files (x86)\Websense\Web Security\webroot\Explorer\ directory).

The following table lists the parameters that affect display and output of investigative reports, what each controls, and its default value. (Do NOT modify any other settings in the wse.ini file.)

Parameter: maxUsersMenu

Description: The database must have fewer users than this value (by default, 5000) to show User as a report choice in the Internet Use by list.

Parameter: maxGroupsMenu

Description: The database must have fewer groups than this value (by default, 3000) to show Group as a report choice in the Internet Use by list.

Note: There must be 2 or more groups for Group to appear in the Internet Use by list.

There also must be 2 or more domains for Domain to appear in the Internet Use by list. There is no maximum value for domains.

Parameter: maxUsersDrilldown

Description: This works with the warnTooManyHits parameter to control when the User option displays in red. The red lettering indicates that selecting User will produce a very large report, which could be slow to generate.

If there are more users than this value (by default, 5000), and more hits than the warnTooManyHits value, the User option displays red in various drop-down lists and values lists.

If there are more users than this value, but fewer hits than the warnTooManyHits value, the User option displays in normal color, as the resulting report will be a more reasonable size.

Parameter: maxGroupsDrilldown

Description: The Group option displays in red during drill down if the proposed report includes more groups than this number (by default, 2000). The red lettering indicates that selecting Group will produce a very large report, which could be slow to generate.

Parameter: warnTooManyHits

Description: This works with the maxUsersDrilldown parameter to control when the User option displays in red.

If there are more users than the maxUsersDrilldown value, but fewer hits than this value (by default, 10000), the User option does not display in red.

If there are more users than the maxUsersDrilldown value, and more hits than this value, the User option does display in red. The red lettering indicates that selecting User will produce a very large report, which could be slow to generate.

Parameter: hitsPerPage

Description: This determines the maximum number of items (by default, 100) displayed per page. (This does not affect printed reports.)

Parameter: maxOutputBufferSize

Description: This is the maximum amount of data (in bytes) that can be displayed on the main investigative reports page. If the requested data exceeds this limit (by default, 4000000, or 4 million bytes), a message stating that some results are not shown appears in red at the end of the report.

Larger values enable you to display larger amounts of data in one report, if this is an issue. However, if you encounter memory errors, consider decreasing this value.

Parameter: sendMulti

Description: This option is disabled (0) by default. Set it to 1 (enabled) to divide very large, scheduled detail reports into multiple files of 10,000 rows each. The files that represent one report are zipped and sent to the email recipients. The report files can be extracted with most common file compression utilities.

Note: A change to this value will not take effect until Explorer Report Scheduler service is restarted.

Parameter: maxSlices

Description: This is the maximum number of distinct slices (by default, 6) in a pie chart, including an Other slice, which combines all values that do not have individual slices.

Parameter: timelineCompressionThreshold

Description: This option is used only for User Activity by Day or Month, when the Group Similar Hits/View All Hits option is available. The report collapses all hits with the same category that occur within the number of seconds set here (by default, 10).

Parameter: PageSize

Description: Investigative report results can be output to Portable Document Format (PDF) for easy distribution or printing. The page size (by default, Letter) can be:

A4 (8.27 X 11.69 inches)

Letter (8.5 X 11 inches)


Self-reporting


Related topics:

Configuring reporting preferences, page 421

Accessing self-reporting, page 178

Investigative reports, page 155

Self-reporting is a feature you can enable to allow users to view investigative reports on their personal Internet activity. This allows them to see what kind of information is being gathered and monitored about them, which accommodates government regulations in many countries. In addition, viewing their own activity may encourage some users to alter their browsing habits so they meet the organization’s Internet policy.

To enable self-reporting:

1. Go to Settings > General > Directory Services, and configure the directory service used to authenticate users who access investigative reports with their network credentials. This may have been done previously to enable policy application by user and group names. See Directory services, page 77.

2. Go to Settings > Reporting > Preferences, and mark the Allow self-reporting check box. See Configuring reporting preferences, page 421.

After enabling the option, be sure to give users the information they need to run the reports:

The URL for accessing the self-reporting interface: https://<IP_address>:9443/mng/login/pages/selfReportingLogin.jsf

Replace <IP_address> with the IP address of the TRITON management server.

Remind users that they can save the URL as a favorite or bookmark for future use.

Administrators and users can also access the self-reporting logon page by opening the TRITON console logon page and clicking the Self-Reporting link.

What user name and password to use during logon.

Self-reporting users must enter their network user name and password during logon.


18

Network Configuration


Related topics:

Network Agent configuration, page 452

Verifying Network Agent configuration, page 459

When you run Websense Web Security or Websense Web Filter in standalone mode (not integrated with a proxy or firewall product), Websense Network Agent enables:

Internet policy enforcement

Network protocol and Internet application management

Bandwidth management

Logging of bytes transferred

With Websense Web Security Gateway or Gateway Anywhere, or when Web Security or Web Filter is integrated with a third-party gateway, firewall, or caching product, Content Gateway or the third-party product routes user requests to Filtering Service for policy enforcement, and routes block pages back to the client. In this environment, Network Agent may still be used to manage non-HTTP requests, log Internet activity, or both.

In addition, Websense Web Security Gateway and Gateway Anywhere can detect protocols that tunnel over HTTP (see Tunneled protocol detection, page 194) and provide some bandwidth management capabilities (Using Bandwidth Optimizer to manage bandwidth, page 284), independent of Network Agent.

Network Agent works by continually monitoring overall network usage, including bytes transferred over the network. The agent logs usage summaries at predefined intervals. Each summary includes start time and end time, overall bytes used, and bytes used per protocol.

By default, Network Agent also provides bandwidth usage data to Policy Server, and Internet activity log data to Filtering Service.

Network Agent is typically configured to see all traffic in your network. The agent distinguishes between:


Requests sent from internal machines to internal machines (hits to an intranet server, for example)

Requests sent from internal machines to external machines such as web servers (user Internet requests, for example)

The latter is the primary concern in monitoring employee Internet usage.

Network Agent configuration


Related topics:

Configuring global settings, page 453

Configuring local settings, page 454

Configuring NIC settings, page 456

Adding or editing IP addresses, page 458

After installing Network Agent, use the Web Security manager to configure its network monitoring behavior. Network Agent settings are divided into two main areas:

Global settings affect all Network Agent instances associated with a Policy Server instance. Use these settings to:

Identify the machines in your network.

List machines in your network that Network Agent should monitor for incoming requests (for example, internal Web servers).

Specify bandwidth calculation and protocol logging behavior.

Local settings apply only to the selected Network Agent instance. Use these settings to:

Identify which Filtering Service instance is associated with each Network Agent.

Note proxies and caches used by the machines that this Network Agent monitors.

Configure how each network card (NIC) in the Network Agent machine is used (to monitor requests, send block pages, or both).

Network card settings also determine which segment of the network each Network Agent instance monitors.


Configuring global settings


Related topics:

Configuring local settings, page 454

Configuring NIC settings, page 456

Adding or editing IP addresses, page 458

Use the Settings > Network Agent > Global page to define basic monitoring and logging behavior for all instances of Network Agent connected to the current Policy Server (the Policy Server whose IP address appears in the Web Security toolbar).

The Describe Your Network list identifies the IP addresses that are part of your network in IPv4 or IPv6 format. By default, Network Agent does not monitor the traffic sent between these IP addresses (internal network communications).

Network Agent does not use this list to determine which IP addresses to monitor for

Internet requests. That behavior is configured separately for each Network Agent NIC

(see

Configuring NIC settings

, page 456 ). This list is used only to exclude internal

traffic (like LAN and intranet connections) from monitoring.

An initial set of entries is provided by default. You can add more entries, or edit or delete existing entries.

The Internal Traffic to Monitor list includes any internal IPv4 or IPv6 addresses (encompassed by the “Describe Your Network” list) for which you do want Network Agent to monitor traffic. This might include internal Web servers, for example, to help you to track internal connections.

Any request sent from anywhere in the network to the specified internal machines is monitored. By default, this list is blank.

Click Add to add an IP address or range to the appropriate list. Both IPv4 and IPv6 formats are supported. See Adding or editing IP addresses, page 458, for more information.

To edit an entry in the list, click the IP address or range. See Adding or editing IP addresses, page 458, for more information.

To remove an entry from the list, mark the check box next to an IP address or range, and then click Delete.


The Additional Settings options allow you to determine how often Network Agent calculates bandwidth usage, and whether and how often protocol traffic is logged:

Field | What to do
Bandwidth calculation interval | Enter a number between 1 and 300 to specify how frequently, in seconds, Network Agent should calculate bandwidth usage. An entry of 300, for example, indicates that Network Agent will calculate bandwidth every 5 minutes. The default is 10 seconds.
Log protocol traffic periodically | Mark this option to enable the Logging interval field.
Logging interval | Enter a number between 1 and 300 to specify how frequently, in minutes, Network Agent logs protocols. An entry of 60, for example, indicates that Network Agent will write to the log file every hour. The default is 1 minute.

When you are finished making changes, click OK to cache the changes. Changes are not implemented until you click Save and Deploy.

Configuring local settings

Related topics:

Configuring global settings, page 453

Configuring NIC settings, page 456

Use the Settings > Network Agent > Local Settings page to configure Internet traffic management, proxy information, and other settings for the selected instance of Network Agent.

To get to the Local Settings page for a Network Agent instance, navigate to Settings > Network Agent and position the mouse over the Global option. A list of IP addresses appears. Select the IP address of the instance you want to configure.

The IP address of the selected Network Agent instance appears in the title bar of the content pane.


Use the Filtering Service Definition settings to specify which Filtering Service is associated with the selected Network Agent instance, and how to respond to Internet requests if Filtering Service is not available.

Field | What to do
Filtering Service IP address | Select the Filtering Service that is associated with this Network Agent.
If Filtering Service is unavailable | Select Permit to permit all requests or select Block to block all requests until Filtering Service is available again. The default is Permit.

To ensure that user requests are monitored, managed, and logged correctly, use the Proxies and Caches list to specify the IP address of any proxy or cache server that communicates with Network Agent.

Click Add to add an IPv4 or IPv6 address or range to the list (see Adding or editing IP addresses, page 458).

To edit an entry in the list, click the IP address or range.

To remove an entry from the list, mark the check box next to an IP address or range, and then click Delete.

Use the Network Interface Cards list to configure individual NICs. Click on a NIC in the Name column, and then see Configuring NIC settings, page 456, for further instructions.

The Advanced Network Agent Settings options are used when:

HTTP requests in your network are passed through a non-standard port.

By default the Ports used for HTTP traffic are 8080, 80 (when Websense software is integrated with a firewall, proxy, or cache) or All (in a standalone deployment).

You want Network Agent to ignore traffic on specific ports.

Mark Configure this Network Agent instance to ignore traffic on the following ports, and then enter one or more ports.

If you have deployed Websense Content Gateway, this may be used to prevent double logging of HTTPS traffic.

Websense Technical Support instructs you to change debugging options for troubleshooting purposes.

Debug Settings options should not be changed without direction from Technical Support.

Field | Description
Mode | None (default), General, Error, Detail, Bandwidth
Output | File (default), Window
Port | 55870 (default)

When you are finished making changes to your Network Agent settings, click OK to cache the changes. Changes are not implemented until you click Save and Deploy.

Configuring NIC settings

Related topics:

Network Agent configuration, page 452

Configuring monitoring settings for a NIC, page 457

Adding or editing IP addresses, page 458

Use the Network Agent > Local Settings > NIC Configuration page to specify how Network Agent uses each available network interface card (NIC) to monitor and manage network usage.

The NIC Information area provides the context for the changes that you make, showing the IP address, brief NIC Description, and card Name. Use this information to ensure that you are configuring the correct NIC.

Monitoring

In a multiple-NIC configuration, you can identify one NIC to monitor network traffic, and another NIC to serve block pages. At least one NIC must be used for monitoring, and more than one NIC can monitor traffic.

Use the Monitoring section to indicate whether or not to Use this NIC to monitor traffic.

If this NIC is not used for monitoring, deselect the check box and then continue with the next section.

If the NIC is used for monitoring, select the check box, and then click Configure. You are taken to the Configure Monitoring Behavior page. See Configuring monitoring settings for a NIC, page 457, for instructions.

Other NIC options

In addition to configuring monitoring options, you can also determine other NIC behaviors:

1. Under Blocking, make sure that the appropriate NIC is listed in the Blocking NIC field. If you are configuring multiple NICs, the settings for each NIC should show the same value in this field. In other words, only one NIC is used for blocking.

2. If you are running Websense software in Stand-Alone mode, Filter and log HTTP requests is selected, and cannot be changed.

3. If you have integrated Websense software with a third-party device or application, use the Integrations options to indicate how this Network Agent should filter and log HTTP requests. Options that do not apply to your environment are disabled.

Select Log HTTP requests to make Network Agent responsible for generating all Internet activity log records.

When this option is selected, log records generated by the integration product are discarded by Filtering Service. Only the log records that Network Agent creates are forwarded to Log Server for inclusion in the Log Database.

Select Filter all requests not sent over HTTP ports to use Network Agent to filter only those requests not sent through the integration product.

4. Under Protocol Management, indicate whether Network Agent should use this NIC to filter non-HTTP protocols:

Check Filter non-HTTP protocol requests to activate the protocol management feature. This allows Websense software to filter Internet applications and data transfer methods, such as those used for instant messaging, streaming media, file sharing, Internet mail, and so on. See Managing access to categories and protocols, page 50, and Working with protocols, page 278, for more information.

Check Measure bandwidth usage by protocol to activate the Bandwidth Optimizer feature. Network Agent uses this NIC to track network bandwidth usage by each protocol or application. See Using Bandwidth Optimizer to manage bandwidth, page 284, for more information.

Configuring monitoring settings for a NIC

Use the Local Settings > NIC Configuration > Monitor List page to specify which IP addresses Network Agent monitors via the selected network interface card (NIC).

1. Under Monitor List, specify which requests Network Agent monitors:

All: Network Agent monitors requests from all IP addresses it sees using the selected NIC. Typically, this includes all machines in the same network segment as the current Network Agent machine or NIC.

None: Network Agent does not monitor any requests.

Specific: Network Agent monitors only the network segments included in the Monitor List.

2. If you selected Specific, click Add, and then specify the IP addresses that Network Agent should monitor in IPv4 or IPv6 format. See Adding or editing IP addresses, page 458, for more information.

Note

You cannot enter overlapping IP address ranges. If ranges overlap, network bandwidth measurements may not be accurate, and bandwidth-based restrictions may be applied incorrectly.

To remove an IP address or network range from the list, check the appropriate list item, and then click Delete.

3. Under Monitor List Exceptions, identify any internal machines Network Agent should exclude from monitoring.

For example, Network Agent could ignore requests made by CPM Server. This way, CPM Server requests will not clutter Websense log data or any of the status monitors output.

a. To identify a machine, click Add, and then enter its IP address in IPv4 or IPv6 format.

b. Repeat the process to identify additional machines.

4. Click OK to cache your changes and return to the NIC Configuration page. Changes are not implemented until you click Save and Deploy.

Adding or editing IP addresses

Related topics:

Configuring global settings, page 453

Configuring local settings, page 454

Configuring NIC settings, page 456

Use the Add IP Addresses or Edit IP Addresses page to make changes to any of the following Network Agent lists: Internal Network Definition, Internal Traffic to Monitor, Proxies and Caches, Monitor List, or Monitor List Exceptions.

Both IPv4 and IPv6 addresses and ranges are supported.

When you add or edit an IP address range, make sure that it does not overlap any existing entry (single IP address or range) in the list.

When you add or edit a single IP address, make sure that it does not fall into a range that already appears in the list.
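The overlap rule above, which also applies to the Monitor List note about overlapping ranges, can be checked before entries are typed into the manager. The following Python is an added example, not Websense code; the start-end range notation, the sample list and the function names are assumptions of the example.

```python
import ipaddress

# Constructed sample list (not taken from any real deployment).
SAMPLE_LIST = [
    "10.0.0.0-10.255.255.255",
    "172.16.0.0-172.31.255.255",
    "192.168.0.0-192.168.255.255",
    "fd00::-fd00::ffff",
]


def parse_entry(text):
    """Parse a single address or a 'start-end' range (IPv4 or IPv6).

    Returns (version, first, last) with the bounds as integers.
    The 'start-end' notation is an assumption of this example.
    """
    parts = [p.strip() for p in text.split("-")]
    if len(parts) > 2:
        raise ValueError(f"not an address or range: {text!r}")
    start = ipaddress.ip_address(parts[0])
    end = ipaddress.ip_address(parts[-1])
    if start.version != end.version:
        raise ValueError(f"range mixes IPv4 and IPv6: {text!r}")
    if int(start) > int(end):
        raise ValueError(f"range start is above range end: {text!r}")
    return start.version, int(start), int(end)


def overlaps(a, b):
    """True when two parsed entries of the same family share an address."""
    return a[0] == b[0] and a[1] <= b[2] and b[1] <= a[2]


def find_conflicts(existing, candidate):
    """Entries already in the list that the candidate would overlap."""
    new = parse_entry(candidate)
    return [e for e in existing if overlaps(parse_entry(e), new)]


def audit_list(entries):
    """Find overlaps inside an existing list.

    Returns (entry, earlier_entry) for every entry that overlaps an
    entry sorted before it (same address family, lower start address).
    """
    parsed = sorted((parse_entry(e), e) for e in entries)
    findings = []
    widest = None  # entry reaching furthest so far in the current family
    for item in parsed:
        (version, first, last), text = item
        if widest is not None and widest[0][0] == version and first <= widest[0][2]:
            findings.append((text, widest[1]))
        if widest is None or widest[0][0] != version or last > widest[0][2]:
            widest = item
    return findings


if __name__ == "__main__":
    for candidate in ("10.1.2.3", "192.167.255.0-192.168.0.5", "11.0.0.0-11.0.0.255"):
        hits = find_conflicts(SAMPLE_LIST, candidate)
        print(candidate, "->", "overlaps " + ", ".join(hits) if hits else "ok to add")
```

IPv4 and IPv6 entries are compared only within their own family, so an IPv6 address whose numeric value happens to fall inside an IPv4 range is not reported as a conflict.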


To add a new IP address or range:

1. Select the IP address or IP address range radio button.

2. Enter a valid IP address or range.

3. Click OK to return to the previous Network Agent Settings page. The new IP address or range appears in the appropriate table.

To return to the previous page without caching your changes, click Cancel.

4. Repeat this process for additional IP addresses, as needed.

When you edit an existing IP address or range, the Edit IP Addresses page displays the selected item with the correct radio button already selected. Make any necessary changes, and then click OK to return to the previous page.

When you are finished adding or editing IP addresses, click OK on the Network Agent Settings page. Changes are not implemented until you click Save and Deploy.

Verifying Network Agent configuration

After configuring Network Agent in the Web Security manager, you can use any third-party packet analyzer to ensure that computers on your network are visible to your Web Security solution.

Make sure that the network card that you have configured as the Network Agent monitoring NIC can see traffic from IP addresses in all network segments that the Network Agent instance has been configured to monitor. (This configuration is done on the Local Settings > NIC Configuration > Monitor List page. See Configuring monitoring settings for a NIC, page 457.)

If packets from some IP addresses are not visible to the monitoring NIC:

Review the network configuration and NIC placement requirements (see the Deployment and Installation Center or Network Agent Quick Start).

Verify that you have properly configured the monitoring NIC (Configuring NIC settings, page 456).


19

Troubleshooting

Use this section to find solutions to common issues before contacting Technical Support.

The Websense Support website features an extensive Knowledge Base and customer forums, available at support.websense.com. Search for topics by keyword or phrase, or browse content by product and version.

Troubleshooting instructions are grouped into the following sections:

Installation and subscription issues

Master Database issues, page 463

Policy enforcement issues, page 470

Network Agent issues, page 474

User configuration and identification issues, page 477

Block message issues, page 488

Log, status message, and alert issues, page 489

Policy Server and Policy Broker issues, page 493

Delegated administration issues, page 495

Log Server and Log Database issues, page 497

Investigative report and presentation report issues, page 510

Other reporting issues, page 518

Interoperability issues, page 522

Troubleshooting tips and tools, page 538

Installation and subscription issues

There is a subscription problem, page 462

Unable to verify the subscription key, page 462

After upgrade, users are missing from the Web Security manager, page 463

There is a subscription problem


A valid subscription key is needed to download the Websense Master Database and perform Internet policy enforcement. When your subscription expires or is invalid, and when the Master Database has not been downloaded for more than 2 weeks, a warning appears on the Status > Alerts page.

Verify that you have entered your subscription key exactly as you received it. The key is case sensitive.

Make sure that your subscription has not expired. See Subscription key, page 465.

Ensure that the Master Database has been downloaded successfully within the last 2 weeks. You can check download status in the Web Security manager: click Database Download on the Status > Dashboard page.

See The Master Database does not download, page 464, for help troubleshooting database download problems.

If you have entered the key correctly, but continue to receive a status error, or if your subscription has expired, contact Websense, Inc., or your authorized reseller.

When your subscription expires, Web Security manager settings determine whether users are given unrestricted Internet access or all Internet requests are blocked. See Your subscription, page 24, for more information.

Unable to verify the subscription key

After you enter your subscription key, Filtering Service attempts to connect to the Websense database download server to both verify the key and download the Master Database.

If Filtering Service is unable to connect to the database download server, both subscription errors and database download errors will appear in the Web Security manager.

If the database download server is down, the problem should resolve itself within a short period of time.

If Filtering Service is unable to connect to the download server, see Internet access, page 465, and Verify firewall or proxy server settings, page 466, to make sure that Filtering Service and the network environment are properly configured to enable the connection.

After upgrade, users are missing from the Web Security manager

If you defined Active Directory as your directory service after upgrading your Web Security solution, user names that include non-UTF-8 characters may not appear in the Web Security manager.

To support LDAP 3.0, the Websense installer changes the character set from MBCS to UTF-8 during upgrade. As a result, user names that include non-UTF-8 characters are not properly recognized.

To fix this problem, manually change the character set to MBCS:

1. Go to Settings > General > Directory Services.

2. Make sure that Active Directory (Native Mode) is selected under Directories, near the top of the page.

3. Click Advanced Directory Settings.

4. Under Character Set, click MBCS. You may have to scroll down to see this option.

5. Click OK to cache the change. Changes are not implemented until you click Save and Deploy.

Master Database issues

The initial filtering database is being used, page 463

The Master Database is more than 1 week old, page 464

The Master Database does not download, page 464

Master Database download does not occur at the correct time, page 469

Contacting Technical Support for database download issues, page 469

The initial filtering database is being used


The Websense Master Database houses the category and protocol definitions that provide the basis for managing Internet content.

A partial version of the Master Database is installed with your Websense software on each Filtering Service machine. This partial database is used to enable basic functionality from the time you enter your subscription key.

You must download the full database for full policy enforcement to occur. See The Websense Master Database, page 27, for more information.

The process of downloading the full database may take a few minutes or more than 60 minutes, depending on factors such as Internet connection speed, bandwidth, available memory, and free disk space.

The Master Database is more than 1 week old


The Websense Master Database houses the category and protocol definitions that provide the basis for managing Internet content. Websense software downloads changes to the Master Database according to the schedule defined in the Web Security manager. By default, download is scheduled to occur once a day.

To manually initiate a database download:

1. Go to the Status > Dashboard page, and then click Database Download.

2. Click Update next to the appropriate Filtering Service instance to start the database download, or click Update All to start the download on all Filtering Service machines.

Note

After downloading updates to the Master Database, CPU usage can be 90% or more for a short time while the database is loaded into local memory. It is a good idea to perform the download at off-peak times.

3. To continue working while the database is downloaded, click Close.

Click the Database Download button at any time to view download status.

If a new version of the Master Database adds or removes categories or protocols, administrators performing category- or protocol-related policy management tasks (like editing a category set) at the time of the download may receive errors. Although such updates are somewhat rare, as a best practice, try to avoid making changes to categories, protocols, and filters while a database is being updated.

The Master Database does not download

If you are unable to download the Websense Master Database successfully:

Make sure that you have entered your subscription key correctly in the Web Security manager, and that the key has not expired (Subscription key, page 465).

Verify that the Filtering Service machine is able to access the Internet (Internet access, page 465).

Check firewall or proxy server settings to make sure that Filtering Service can connect to the Websense download server (Verify firewall or proxy server settings, page 466).

Make sure that there is enough disk space (Insufficient disk space on the Filtering Service machine, page 467) and memory (Insufficient memory on the Filtering Service machine, page 468) on the download machine.

Look for any application or appliance in the network, such as anti-virus software, that might prevent the download connection (Restriction applications, page 468).

Subscription key

To verify that the subscription key is entered correctly and has not expired:

1. Go to the Settings > General > Account page.

2. Compare the key that you received from Websense, Inc., or your reseller to the Subscription key field.

3. Check the date next to Key expires. If the date has passed, contact your reseller or Websense, Inc., to renew your subscription.

4. If you have made changes to the key in the Settings dialog box, click OK to activate the key and enable database download.

To manually initiate a database download, or to check the status of the most recent database download, click Database Download in the toolbar at the top of the Status > Dashboard page.

Internet access

To download the Master Database, the Filtering Service machine sends an HTTP post command to the download servers at the following URLs:

download.websense.com

ddsdom.websense.com

ddsint.websense.com

portal.websense.com

my.websense.com

To make sure the Filtering Service machine has the Internet access necessary to communicate with the download server, you can:

For non-appliance installations, open a browser on the Filtering Service machine and enter the following URL: http://download.websense.com/

If the machine is able to open an HTTP connection to the site, a redirect page is displayed, and then the browser displays the Websense home page.

From the command prompt or shell, enter the following command: ping download.websense.com

Verify that the ping receives a reply from the download server.

Use telnet to connect to download.websense.com 80. If you see a cursor and no error message, you can connect to the download server.

If the Filtering Service machine cannot connect to the download server:

Enable communication on port 80, or the port designated in your network for HTTP traffic, for the network interface used by Filtering Service. On Websense Appliances, this is usually the C interface.

Verify that the Filtering Service network interface is using the correct DNS settings.

Make sure that Filtering Service is configured to use any necessary proxy servers to connect to the Internet (see Verify firewall or proxy server settings, page 466).

Also make sure that your gateway or firewall does not include any rules that block HTTP traffic from the Filtering Service machine.
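The name resolution and port 80 checks described above can be run for every listed download host in one pass, with each failure tied to the stage where it occurred. This Python is an added example, not part of the Websense software or documentation; the Result type, the function names and the hint wording (a paraphrase of the remediation steps above) are the example's own.

```python
import socket
from collections import namedtuple

# Download hosts named in this section.
DOWNLOAD_HOSTS = (
    "download.websense.com",
    "ddsdom.websense.com",
    "ddsint.websense.com",
    "portal.websense.com",
    "my.websense.com",
)

Result = namedtuple("Result", "host stage detail addresses")

# Failure stage -> remediation step from this section (wording paraphrased).
HINTS = {
    "ok": "TCP connection opened; the download server is reachable.",
    "dns": "Check the DNS settings of the Filtering Service network interface.",
    "refused": "The port was actively rejected; check gateway or firewall rules and proxy settings.",
    "timeout": "No answer; enable the HTTP port on the Filtering Service interface and check firewall rules.",
    "unreachable": "No route to the server; check the interface, gateway and proxy configuration.",
}


def check_endpoint(host, port=80, timeout=5.0, resolve=socket.getaddrinfo):
    """Resolve host, then try a TCP connection to each returned address.

    Mirrors the manual telnet test: 'ok' means a connection opened.
    `resolve` is injectable so the DNS failure path can be exercised offline.
    """
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return Result(host, "dns", str(exc), [])
    addresses = sorted({info[4][0] for info in infos})
    failure = ("unreachable", "resolver returned no addresses")
    for family, socktype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            return Result(host, "ok", f"connected to {sockaddr[0]}:{port}", addresses)
        except socket.timeout:
            failure = ("timeout", f"no answer from {sockaddr[0]} within {timeout}s")
        except ConnectionRefusedError:
            failure = ("refused", f"{sockaddr[0]}:{port} refused the connection")
        except OSError as exc:
            failure = ("unreachable", f"{sockaddr[0]}: {exc}")
    return Result(host, failure[0], failure[1], addresses)


def triage(results):
    """Return (host, stage, hint) for every host that did not connect."""
    return [(r.host, r.stage, HINTS[r.stage]) for r in results if r.stage != "ok"]


if __name__ == "__main__":
    results = [check_endpoint(h) for h in DOWNLOAD_HOSTS]
    for r in results:
        print(f"{r.host:24} {r.stage:12} {r.detail}")
    for host, stage, hint in triage(results):
        print(f"{host}: {hint}")
```

A direct connection that fails here does not rule out a working download through a proxy, so compare the result with the proxy settings configured for Filtering Service.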

Verify firewall or proxy server settings

If the Master Database is downloaded through a firewall or proxy that requires authentication, use the following steps to check your proxy authentication settings:

1. Go to Settings > General > Database Download.

2. Verify that Use proxy server or firewall is selected, and that the correct server and port are listed.

3. Make sure that the Authentication settings are correct. Verify the user name and password, checking spelling and capitalization.

If Websense software must provide authentication information, the firewall or proxy server must be configured to accept clear text or basic authentication.

Information about enabling basic authentication is available from support.websense.com.

If a firewall restricts Internet access at the time Websense software normally downloads the database, or restricts the size of a file that can be transferred via HTTP, Websense software cannot download the database. To determine if the firewall is causing the download failure, search for a rule on the firewall that might be blocking the download, and change the download times in the Web Security manager (Configuring database downloads, page 29), if necessary.

If Filtering Service is not running on a Websense appliance, you can check your Filtering Service proxy settings against browser proxy settings on the machine. First verify that a browser on the Filtering Service machine can load web pages properly. If pages open normally, but the Master Database does not download, check the proxy server settings in the browser.

Microsoft Internet Explorer:

1. Display the Menu bar, then navigate to Tools > Internet Options and select the Connections tab.

2. Click LAN Settings, then make a note of the settings that appear under Proxy server.

Mozilla Firefox:

1. Navigate to Tools > Options, then select the Advanced tab.

2. On the Network tab (usually selected by default), click Settings.

The Connection Settings dialog box shows whether the browser is configured to connect to a proxy server. Make a note of the proxy settings.

Insufficient disk space on the Filtering Service machine

Filtering Service needs adequate space to download compressed Master Database updates to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default). It also needs space to decompress and load the database. As a general rule, Websense, Inc., recommends at least 4 GB of free disk space on the download drive.

A disk space warning indicates that free disk space on the Filtering Service machine has dipped below 4 GB.

On Windows systems, use Windows Explorer to check disk space:

1. Open My Computer in Windows Explorer (not Internet Explorer).

2. Select the drive on which Websense software is installed. By default, Websense software is located on the C drive.

3. Right-click the drive and select Properties.

4. On the General tab, verify that at least 4 GB of free space is available. If there is insufficient free space on the drive, delete any unnecessary files to free up the required space.

On Linux systems, use the df command to verify the amount of available space in the file system in which Websense software is installed:

1. Open a terminal session.

2. At the prompt, enter: df -h /opt

Websense software is usually installed in the /opt/Websense/bin/ directory. If it is installed elsewhere, use that path.

3. Make sure that at least 4 GB of free space is available. If there is insufficient free space on the drive, delete any unnecessary files to free up the required space.

If, after addressing any disk space issues, you are unable to download the Master Database:

1. Stop all Websense services on the Filtering Service machine (see Stopping and starting Websense services, page 398).

2. Delete the Websense.xfr and Websense (no extension) files from the Websense bin directory.

3. Restart the Websense services.

4. Manually initiate a database download (go to the Status > Dashboard page in the Web Security manager, and then click Database Download).

Insufficient memory on the Filtering Service machine

The memory required to run Websense software, download the Master Database, and apply Master Database updates varies, depending on the size of the network.

In a small network, at least 2 GB of memory is recommended (Windows and Linux).

Refer to the Deployment and Installation Center for complete system recommendations.

When free memory drops below 512 MB on the Filtering Service machine, a Health Alert message is generated. Buffer and cache space are not included in this calculation.

If the machine meets or exceeds the requirements in the Deployment and Installation Center, and Filtering Service is able to load the Master Database, the low memory condition is unlikely to cause problems.

If Filtering Service is unable to load the Master Database, however, you will need to free up memory on the machine, or add additional RAM.

To check the memory in a Windows system:

1. Open the Task Manager.

2. Select the Performance tab.

3. Check the total Physical Memory available.

You can also use the Windows Performance monitor (Start > Administrative Tools > Performance) to capture information.

To check the memory in a Linux system:

1. Open a terminal session.

2. At the prompt, enter: top

3. Compute the total memory available by adding Mem: av and Swap: av.

To address problems with insufficient memory, you can either upgrade the machine’s RAM or move applications with high memory usage to another machine.

Restriction applications

Some restriction applications or appliances, such as virus scanners, size-limiting applications, or intrusion detection systems can interfere with database downloads.

Ideally, configure Websense software to go straight to the last gateway so that it does not connect to these applications or appliances. Alternatively:

1. Disable the restrictions relating to the Filtering Service machine and to the Master Database download location.

See the appliance or software documentation for instructions on changing the device’s configuration.

2. Attempt to download the Master Database.

If this change has no effect, reconfigure the application or appliance to include the machine running Filtering Service.

Master Database download does not occur at the correct time

The system date and time may not be set correctly on the Filtering Service machine.

Filtering Service uses the system clock to determine the proper time for downloading the Master Database.

If the download is not occurring at all, see The Master Database does not download, page 464.

Contacting Technical Support for database download issues

If you are still experiencing Master Database download problems after completing the troubleshooting steps in this Help section, send the following information to Websense Technical Support:

1. The exact error message that appears in the Database Download dialog box

2. External IP addresses of the machines attempting to download the database

3. Your Websense subscription key

4. Date and time of the last attempt

5. Number of bytes transferred, if any

6. Open a command prompt and perform an nslookup on download.websense.com. If connection to the download server is made, send the IP addresses returned to Technical Support.

7. Open a command prompt and perform a tracert to download.websense.com. If connection to the download server is made, send the route trace to Technical Support.

8. A packet trace or packet capture performed on the Filtering Service machine during an attempted download.

9. A packet trace or packet capture performed on the network gateway during the same attempted download.

10. The following files from the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default): websense.ini, eimserver.ini, and config.xml.

Go to support.websense.com/ for Technical Support contact information.

Policy enforcement issues


Filtering Service is not running, page 470

User Service is not available, page 471

Sites are incorrectly categorized as Information Technology, page 472

Keywords are not being blocked, page 472

Custom or limited access filter URLs are not handled as expected, page 473

Websense software is not applying user or group policies, page 473

Remote users do not receive the correct policy, page 473

Filtering Service is not running


When Filtering Service is not running, policy enforcement and logging cannot occur.

Filtering Service may stop running if:

There is insufficient disk space on the Filtering Service machine (see Insufficient disk space on the Filtering Service machine, page 467).

A Master Database download failed due to lack of disk space (see The Master Database does not download, page 464).

The websense.ini file is missing or corrupted.

You stop the service (after creating custom block pages, for example) and do not restart it.

Filtering Service may also appear to have stopped if you restarted multiple Websense services, and they were not started in the correct order. When you restart multiple services, remember to start the Policy Database, Policy Broker, and Policy Server before starting other Websense services.

To troubleshoot these problems:

Verify that there is at least 3 GB of free disk space on the Filtering Service machine. You may need to remove unused files or add additional capacity.

Navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default), and confirm that you can open websense.ini in a text editor. If this file has been corrupted, replace it with a backup file.


Check the Windows Event Viewer or websense.log file for error messages from Filtering Service (see Troubleshooting tips and tools, page 538).

Log off of the TRITON console, restart Policy Server, and then restart Filtering Service (see Stopping and starting Websense services, page 398).

Wait 1 minute before logging on to the TRITON console again.

User Service is not available


User Service must be running, and Policy Server must be able to communicate with User Service, in order for user-based policies to be applied correctly.

User Service may appear to have stopped if you restarted Policy Server after restarting other Websense services. To correct this issue:

1. Close the TRITON console.

2. Restart the Websense Policy Server service (see Stopping and starting Websense services, page 398).

3. Start or restart Websense User Service.

4. Wait 1 minute before logging on to the TRITON console again.

If the previous steps do not fix the problem:

Check the Windows Event Viewer or websense.log file for error messages from User Service (see Troubleshooting tips and tools, page 538).

Navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default), and make sure that you can open websense.ini in a text editor. If this file has been corrupted, replace it with a backup file.

High CPU usage on the Filtering Service machine


When the CPU on the Filtering Service machine is overloaded (whether by the volume of processing being performed by Filtering Service, or by demands from other software running on the Filtering Service machine), users may experience slow browsing, as requests for sites take longer to process.

During times of peak CPU usage (exceeding 95%), Filtering Service may be unable to process requests at all, leading to incorrect policy enforcement.

To address this issue, start by using the Task Manager (Windows) or top command (Linux) to determine which processes on the machine are causing CPU usage to peak.

Are there applications that could be run from another machine?

Can you move Filtering Service to a dedicated machine?

If Filtering Service is using a high amount of processing time:


Evaluate the amount of traffic being processed by Filtering Service. DNS lookups can require a fair amount of processing time; you may want to install an additional Filtering Service instance for load balancing.

Evaluate your use of keywords and regular expressions. Are you using a large number of regular expressions or keywords, or using very complex regular expressions?

Reducing the number of keywords and regular expressions, or removing or simplifying complex regular expressions can improve Filtering Service performance.

Sites are incorrectly categorized as Information Technology


Internet Explorer has the ability to accept searches from the Address bar. When this option is enabled, if a user enters only a domain name in the Address bar (websense instead of http://www.websense.com, for example), Internet Explorer considers the entry a search request, not a site request. It displays the most likely site the user is looking for, along with a list of closely matching sites.

As a result, Filtering Service permits, blocks, or limits the request based on the status of the Information Technology/Search Engines and Portals category in the active policy—not on the category of the requested site. To ensure that correct policy enforcement occurs, turn off searching from the Address bar:

1. Go to Tools > Internet Options.

2. Go to the Advanced tab.

3. Under Search from the Address bar, select Do not submit unknown addresses to your auto-search provider.

4. Click OK.

Keywords are not being blocked


There are 2 possible reasons for this problem: Disable keyword blocking is selected, or the site whose URL contains the keyword uses post to send data to your web server.

To ensure that keyword blocking is enabled:

1. Go to Settings > General > Filtering.

2. Under General Filtering, check the Keyword search options list. If Disable keyword blocking is shown, select another option from the list. See Configuring filtering settings, page 69, for more information about the available options.

3. Click OK to cache the change. Changes are not implemented until you click Save and Deploy.


If a site uses post to send data to your web server, Filtering Service does not enforce keyword settings for that URL. Unless your integration product recognizes data sent via post, users can still access URLs containing blocked keywords.

To see whether a URL uses a post command, view the URL source from within your browser. If the source code contains a string like “<method=post>”, then post is used to load that URL.

Custom or limited access filter URLs are not handled as expected


If an HTTPS URL in a limited access filter or custom URL list (recategorized or unfiltered) is not blocked or permitted as expected, an integration product may be transforming the URL into a format that Filtering Service cannot recognize.

Non-proxy integration products translate URLs from domain format into IP format. For example, the URL https://<domain.com> is read as https://<IP_address>:443.

When this occurs, Filtering Service cannot match the URL received from the integration product with a custom URL or limited access filter, and does not manage the site appropriately.

To work around this problem, add both the IP addresses and URLs for sites you want to define as custom URLs or use in limited access filters.

Websense software is not applying user or group policies


User requests may not be managed according to the user or group policy you assigned for a variety of reasons. Check the following topics, and search the Knowledge Base for additional information.

User Service is not available, page 471

Remote users do not receive the correct policy, page 473

Directory service connectivity and configuration, page 483

Directory service configuration, page 483

User identification and Windows Server, page 484

User Service on a Websense appliance or Linux server, page 486

Remote users are not being filtered correctly, page 487

Remote users do not receive the correct policy


If a remote user accesses the network by logging on using cached domain credentials (network logon information), Filtering Service applies the policy assigned to that user, or to the user’s group or domain, if appropriate. If there is no policy assigned to the user, group, or domain, or if the user logs on to the computer with a local user account, the Default policy is applied.

Occasionally, a user does not receive a user or group policy or the Default policy. This occurs when the user logs on to the remote computer with a local user account, and the last portion of the remote computer’s Media Access Control (MAC) address overlaps with an in-network IP address to which a policy has been assigned. In this case, the policy assigned to that particular IP address is applied to the remote user.

Network Agent issues


Network Agent is not installed, page 474

Network Agent is not running, page 474

Network Agent is not monitoring any NICs, page 475

Network Agent can’t communicate with Filtering Service, page 475

Network Agent is not installed


Network Agent is required to enable policy enforcement for Internet protocols other than HTTP, HTTPS, and FTP. With some integrations, Network Agent is also used to provide more accurate logging.

If you are running with an integration product, and do not require Network Agent protocol management or logging, you can hide the “No Network Agent is installed” status message. See Reviewing current system status, page 409, for instructions.

For standalone installations, Network Agent must be installed for network monitoring and policy enforcement to occur. See the Deployment and Installation Center for installation instructions, and then see Network Agent configuration, page 452.

Network Agent is not running


Network Agent is required to enable full management of protocols other than HTTP, HTTPS, and FTP. With some integrations, Network Agent is also used to provide more accurate logging.

For standalone installations, Network Agent must be running to monitor and manage network traffic.

To troubleshoot this problem:

1. Look for low memory problems on the Network Agent machine that may be preventing the service or daemon from starting.

2. Check the status of the Network Agent service or daemon:

Windows: Use the Windows Services tool to see if the Websense Network Agent service has started.

Linux: Use the /opt/Websense/WebsenseDaemonControl command to check the status of Network Agent.

Appliance: Use the Appliance Manager to check the status of the Network Agent module.

3. Make sure all administrators are logged off of the TRITON console, then restart the Websense Policy Broker and Websense Policy Server services (see Stopping and starting Websense services, page 398).

4. Start or restart the Websense Network Agent service.

5. Wait 1 minute, and then log on to the TRITON console again.

If that does not fix the problem:

Check the Windows Event Viewer for error messages from Network Agent (see The Windows Event Viewer, page 539).

Check the Websense.log file for error messages from Network Agent (see The Websense log file, page 539).

Network Agent is not monitoring any NICs


Network Agent must be associated with at least one network interface card (NIC) to monitor network traffic.

If you add or remove network cards from the Network Agent machine, you must update your Network Agent configuration.

1. In the Web Security manager, go to Settings.

2. In the left navigation pane, under Network Agent, select the IP address of the Network Agent machine.

3. Verify that all NICs for the selected machine are listed.

4. Verify that at least one NIC is set to monitor network traffic.

See Network Agent configuration, page 452, for more information.

Network Agent can’t communicate with Filtering Service


Network Agent must be able to communicate with Filtering Service to enforce your Internet usage policies.

Did you change the IP address of the Filtering Service machine or reinstall Filtering Service?

If so, see Update Filtering Service IP address or UID information, page 476.

Do you have more than 2 network interface cards (NICs) on the Network Agent machine?

If so, see Network Configuration, page 451, to verify your Websense software settings.

Have you reconfigured the switch connected to the Network Agent?

If so, refer to the Network Agent Quick Start to verify your hardware setup, and see Network Agent configuration, page 452, to verify your Websense settings.

If none of these apply, see Configuring local settings, page 454, for information about associating Network Agent and Filtering Service.

Update Filtering Service IP address or UID information


When Filtering Service has been uninstalled and reinstalled, Network Agent does not automatically update the internal identifier (UID) for the Filtering Service. The Web Security manager attempts to query Filtering Service using the old UID, which no longer exists.

Likewise, when you change the IP address of the Filtering Service machine, this change is not automatically registered.

To re-establish connection to the Filtering Service:

1. Log on to the TRITON console and open the Web Security manager.

A status alert indicates that a Network Agent instance is unable to connect to Filtering Service.

2. Click Settings at the top of the left navigation pane.

3. In the left navigation pane, under Network Agent, select the IP address of the Network Agent machine.

4. At the top of the page, under Filtering Service Definition, expand the Server IP address list, and then select the IP address of the Filtering Service machine.

5. Click OK at the bottom of the page to cache the update. Changes are not implemented until you click Save and Deploy.

Insufficient memory on the Network Agent machine


Network Agent allocates the operation memory that it needs at startup. If there are severe memory constraints on the Network Agent machine, the agent will either:

Fail to start

Be unable to monitor traffic

In either case, policy enforcement and logging based on information from Network Agent does not occur. As a result, users may be given access to sites or applications that would typically be blocked.


Use the Task Manager (Windows) or top command (Linux) to evaluate memory usage on the Network Agent machine. To solve the problem, you can:

Upgrade the RAM on the machine.

Move applications or components with high memory requirements to another machine.

Simplify your Network Agent configuration to reduce memory needs.

High CPU usage on the Network Agent machine


When the CPU on the Network Agent machine is overloaded by demands from other software running on the machine, the agent may be unable to detect and log traffic. In a standalone environment, this can mean that all user requests for websites and Internet applications are permitted, even those that would typically be blocked.

To address this issue, start by using the Task Manager (Windows) or top command (Linux) to determine which processes on the machine are causing CPU usage to peak.

Are there applications that could be run from another machine?

Can you move Network Agent to a dedicated machine?

User configuration and identification issues


User and group-based policies are not applied, page 477

Unusually high directory server connection latency, page 478

Filtering Service can’t communicate with transparent ID agent, page 479

DC Agent has insufficient permissions, page 480

DC Agent unable to access required file, page 481

I cannot add users and groups to the Web Security manager, page 482

User Service on a Websense appliance or Linux server, page 486

User and group-based policies are not applied


If Filtering Service is applying computer or network policies, or the Default policy, to Internet requests, even after you have assigned user or group-based policies, or if the wrong user or group-based policy is being applied, use the following steps to pinpoint the problem:

If you are using nested groups in Windows Active Directory, policies assigned to a parent group are applied to users belonging to a sub-group, and not directly to the parent group. For information on user and group hierarchies, see your directory service documentation.

The User Service cache may be outdated. User Service caches user name to IP address mappings for 3 hours. To clear and recreate the cache, go to the User Service Cache section of the Settings > General > Directory Services page in the Web Security manager, and then click Clear Cache.

User Service may have been installed using the Guest account, equivalent to an anonymous user to the domain controller. If the domain controller has been set not to give the list of users and groups to an anonymous user, User Service is not allowed to download the list. See Changing DC Agent, Logon Agent, and User Service permissions, page 485.

If User Service resides on a Websense appliance or Linux server, and you are using DC Agent (with Active Directory in any mode) or Logon Agent (with Active Directory in native mode) to identify users, verify your WINS server configuration. See User Service on a Websense appliance or Linux server, page 486.

If a user on a machine running Windows XP SP2 is receiving the wrong policy, the problem could be due to the Windows Internet Connection Firewall (ICF), included and enabled by default in Windows XP SP2. For more information about the Windows ICF, see Microsoft Knowledge Base Article #320855.

For DC Agent or Logon Agent to get user logon information from a machine running Windows XP SP2:

1. On the Client machine, go to Start > Settings > Control Panel > Security Center > Windows Firewall.

2. Go to the Exceptions tab.

3. Check File and Printer Sharing.

4. Click OK to close the ICF dialog box, and then close any other open windows.

If none of these steps addresses your issue, check the following topics, or search support.websense.com for additional information.

Directory service connectivity and configuration, page 483

Directory service configuration, page 483

User identification and Windows Server, page 484

Unusually high directory server connection latency


Websense User Service communicates with user directories in your network to:

Populate the Clients page and other Web Security manager pages with user, group, and OU information.

Find group information for users so that Websense Filtering Service can enforce the correct policy.


Provide user and group information to other Websense components to ensure consistency in policy enforcement, reporting, and alerting.

Offer manual authentication via browser-based logon prompts.

When User Service experiences unusually high connection latency to the directories that it queries, users may:

Experience slow browsing

Receive an IP address-based policy or the Default policy instead of the appropriate user or group policy

Administrators may experience delays when trying to work with clients to the Web Security manager.

To address this issue, look for:

Network problems between the specified User Service machine and each of the directory server machines noted in the health alert message

Problems on the domain controller that might slow down directory connections or searches

Filtering Service can’t communicate with transparent ID agent


When you use DC Agent, Logon Agent, eDirectory Agent, or RADIUS Agent for transparent user identification, Filtering Service must be able to communicate with the agent to correctly apply user-based policies. If this communication fails, the user may be filtered by an IP-address-based policy or the Default policy.

To address this problem:

1. Verify that the agent service or daemon is running.

Windows: Use the Windows Services tool to make sure that Websense DC Agent, Websense Logon Agent, Websense eDirectory Agent, or Websense RADIUS Agent is running.

Linux: Navigate to the /opt/Websense/ directory and use the following command to verify that Logon Agent, eDirectory Agent, or RADIUS Agent is running:

./WebsenseAdmin -status

2. You can ping the transparent identification agent machine from the Filtering Service machine. Try both the IP address and the hostname of the transparent identification agent machine, to make sure that DNS is properly configured. For example:

ping 10.55.127.22

ping transid-host

3. The transparent identification agent communication port is open between the Filtering Service machine and the agent machine. The default ports are:

DC Agent: 30600

Logon Agent: 30602

eDirectory Agent: 30700

RADIUS Agent: 30800

4. The correct agent IP address or hostname and port appear on the Settings > General > User Identification page in the Web Security manager.

If the service appears to be running normally, and there does not appear to be a network communication problem between the Filtering Service and agent machines:

Use the Windows Services tool or the /opt/Websense/WebsenseDaemonControl command to restart the agent.

Check the Windows Event Viewer (see The Windows Event Viewer, page 539) or websense.log file (see The Websense log file, page 539) on the agent machine for error messages from the transparent identification agent.

DC Agent has insufficient permissions


DC Agent may have been installed as a service using the Guest account, equivalent to an anonymous user to the domain controller.

In order to perform domain discovery (required for DC Agent to create and maintain the dc_config.txt file), or to perform computer polling, the Websense DC Agent service requires domain admin permissions. In some environments (typically very large enterprise networks), DC Agent requires enterprise admin permissions.

If you have disabled domain discovery and computer polling, and are just using domain controller polling while maintaining the dc_config.txt file manually, DC Agent can run as any network user with read access to the domain controller.

To grant DC Agent domain admin privileges:

1. On the DC Agent machine, create a user account with a descriptive name, like WsUserID. This account exists only to provide a security context for DC Agent when it requests information from the directory service.

Assign the new account domain admin privileges in all domains.

Assign the same password to this account in all domains.

Set the password to never expire.

Make a note of the user name and password.

2. Open the Windows Services tool:

Windows Server 2012: Server Manager > Tools > Services

Windows Server 2008 R2: Start > Administrative Tools > Services

3. Scroll to the Websense DC Agent service, right-click the service name, and then select Stop.

4. Right-click the service name again, select Properties, and then click the Log On tab.

5. Select This account, and then enter the account name and password that you created for DC Agent. Some domains require that the account name be entered in the format domain\username.

6. Click OK to return to the Services tool.

7. Right-click the service name again, and then select Start.

8. Close the Services tool.

You may also need to assign User Service the same administrative privileges as DC Agent.

DC Agent unable to access required file


DC Agent works by identifying domain controllers in the network, then querying them for user logon sessions. By default, the agent automatically verifies existing domain controllers and detects new domains or domain controllers added to the network. It stores this information in a file called dc_config.txt, located in the Websense bin directory on the DC Agent machine.

An alert stating that DC Agent is unable to access this file can occur if:

DC Agent is unable to open the file with read or write permissions.

Make sure that the domain account used to run DC Agent has read and write permissions to the file and directory.

If the file is present, and not write protected, make sure that the file can be opened manually, and has not been corrupted.

DC Agent is unable to create the file, because it cannot find any domain controller information.

If User Service is installed on a Websense appliance or Linux server, make sure that you have performed required WINS setup steps. For complete instructions, see User Service on a Websense appliance or Linux server, page 486.

If User Service is installed on a Windows Server 2008 machine, make sure that the service is running with domain admin credentials. See Changing DC Agent, Logon Agent, and User Service permissions, page 485.

Make sure that NetBIOS for TCP/IP is enabled, and that the NetBIOS ports (137, 138, 139, and 445) are open between the DC Agent machine and the domain controller.

If User Service is running on Windows, make sure that the NetBIOS ports are also open between the User Service machine and the domain controller.

Make sure that the Computer Browser Service is running on any Windows 2008 Server machine that hosts DC Agent, User Service, or Active Directory. See Turning on the Computer Browser service, page 484.

DC Agent does not find any valid entries in the file.


Make sure that at least one domain controller entry in the file is enabled. If all entries are disabled, DC Agent has effectively been instructed to stop working.

Make sure that all entries in the file are in a valid format. For example:

[WEST_DOMAIN]
dcWEST1=on
dcWEST2=on

[EAST_DOMAIN]
dcEAST1=on
dcEAST2=off
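Both checks above (at least one enabled entry, every entry in a valid format) can be run against a copy of dc_config.txt before DC Agent is restarted. The following Python script is an added example, not Websense code: check_dc_config and the sample data are constructed here, and it assumes one [DOMAIN] header or name=on|off entry per line with no other line types.

```python
import re

SECTION_RE = re.compile(r"^\[([^\[\]]+)\]$")       # e.g. [WEST_DOMAIN]
ENTRY_RE = re.compile(r"^([^=\s]+)\s*=\s*(\S+)$")   # e.g. dcWEST1=on


def check_dc_config(text):
    """Parse dc_config.txt content (assumed format, see lead-in).

    Returns (enabled, disabled, problems):
      enabled / disabled -- lists of (domain, controller) tuples
      problems           -- list of (line_number, message); line 0 = whole file
    """
    enabled, disabled, problems = [], [], []
    domain = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            domain = header.group(1).strip()
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            problems.append((lineno, "unrecognized line: %r" % line))
            continue
        controller, state = entry.group(1), entry.group(2).lower()
        if domain is None:
            problems.append(
                (lineno, "%s appears before any [DOMAIN] header" % controller))
        elif state == "on":
            enabled.append((domain, controller))
        elif state == "off":
            disabled.append((domain, controller))
        else:
            problems.append(
                (lineno, "%s has state %r, expected on or off" % (controller, state)))
    if not enabled:
        # With every entry disabled, DC Agent has no domain controller to poll.
        problems.append((0, "no domain controller entry is enabled"))
    return enabled, disabled, problems


# Constructed samples. VALID mirrors the example in this section.
VALID = """[WEST_DOMAIN]
dcWEST1=on
dcWEST2=on
[EAST_DOMAIN]
dcEAST1=on
dcEAST2=off
"""
ALL_OFF = "[WEST_DOMAIN]\ndcWEST1=off\ndcWEST2=off\n"
# Bad state value, missing "=", and a header without its closing bracket.
DAMAGED = "[WEST_DOMAIN]\ndcWEST1=yes\ndcWEST2 on\n[EAST_DOMAIN\ndcEAST1=on\n"

if __name__ == "__main__":
    for name, sample in (("valid", VALID), ("all off", ALL_OFF), ("damaged", DAMAGED)):
        enabled, disabled, problems = check_dc_config(sample)
        print("%s: %d enabled, %d disabled" % (name, len(enabled), len(disabled)))
        for lineno, message in problems:
            print("  line %d: %s" % (lineno, message))
```

In the damaged sample the broken [EAST_DOMAIN header means dcEAST1 is counted under WEST_DOMAIN, which is why a reported header problem should be fixed before trusting the enabled list.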

DC Agent Domains and Controllers page is blank


By default, DC Agent performs automatic domain discovery, identifying domain controllers in the network. Domain and controller information is stored in a file called dc_config.txt. The information from the dc_config.txt file is collected and displayed in the Web Security manager on the Settings > User Identification > DC Agent Domains and Controllers page.

This page may display only error text if:

DC Agent was recently installed, and domain discovery is still underway.

An administrator has modified the dc_config.txt file to turn off polling for all domain controllers in the network.

Something is preventing DC Agent from performing domain discovery.

Make sure that:

DC Agent domain discovery is enabled on the Settings > User Identification > DC Agent page for each DC Agent instance in your network.

DC Agent has had enough time to complete its domain discovery process.

No DC Agent alerts appear on the Status > Alerts page.

If a DC Agent alert appears, see DC Agent has insufficient permissions, page 480, and DC Agent unable to access required file, page 481. These articles provide instructions for ensuring that DC Agent has the required permissions and network access to complete the domain discovery process and create the dc_config.txt file.

I cannot add users and groups to the Web Security manager


A number of problems can prevent the list of users and groups from appearing when you attempt to add clients in the Web Security manager. Check the following topics, and check the Knowledge Base for additional information.

Directory service connectivity and configuration, page 483

Directory service configuration, page 483

User identification and Windows Server, page 484

Directory service connectivity and configuration


Make sure that the Websense User Service machine and your directory server are running, and able to communicate over the network. The default ports used for directory service communication are:

139    NetBIOS communication: Active Directory

389    LDAP communication: Active Directory, Novell eDirectory, Oracle (formerly Sun Java) Directory Server

636    SSL port: Novell eDirectory, Oracle (formerly Sun Java) Directory Server

3268   Active Directory

3269   SSL port: Active Directory

In addition, consider the following:

If you are using Windows Active Directory in mixed mode, and User Service runs on a Windows Server machine, the account used to run User Service may require administrative privileges on the directory.

To check or change the User Service account, see Changing DC Agent, Logon Agent, and User Service permissions, page 485.

If you are running Active Directory in native mode, set the User Service to run as the Local System account. No account should be assigned to the actual service.

User Service connects to the directory with the administrator user name and password configured on the Settings > General > Directory Services > Add Global Catalog Server page in the Web Security manager.

If you are running User Service on a Linux machine and communicating with a Windows-based directory service, make sure that you have set up a WINS server and performed all necessary configuration steps (see User Service on a Websense appliance or Linux server, page 486).

Determine whether a firewall is blocking communication between the Web Security manager and User Service on port 55815. If so, open the blocked port.
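The port checks in this section, and the hostname, IP address and port checks in "Filtering Service can’t communicate with transparent ID agent", can be run in one pass from the machine that originates the connection. This Python script is an added example, not Websense code: the function names are constructed here, the port numbers are the defaults listed in this Help, and only TCP reachability is tested.

```python
import socket

# Default ports as listed in this Help.
AGENT_PORTS = {
    "DC Agent": 30600,
    "Logon Agent": 30602,
    "eDirectory Agent": 30700,
    "RADIUS Agent": 30800,
}
DIRECTORY_PORTS = {
    139: "NetBIOS communication (Active Directory)",
    389: "LDAP communication",
    636: "SSL port (Novell eDirectory, Oracle Directory Server)",
    3268: "Active Directory",
    3269: "SSL port (Active Directory)",
}
USER_SERVICE_PORT = 55815  # Web Security manager to User Service


def resolve_ipv4(hostname, resolver=socket.getaddrinfo):
    """Return the sorted IPv4 addresses for hostname, or [] if lookup fails."""
    try:
        infos = resolver(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except OSError:  # socket.gaierror is a subclass of OSError
        return []
    return sorted({info[4][0] for info in infos})


def port_open(ip, port, timeout=3.0, connector=socket.create_connection):
    """True if a TCP connection to ip:port completes within timeout seconds."""
    try:
        conn = connector((ip, port), timeout)
    except OSError:  # refused, unreachable, or timed out
        return False
    conn.close()
    return True


def diagnose(hostname, expected_ip, ports, timeout=3.0,
             resolver=socket.getaddrinfo, connector=socket.create_connection):
    """Check name resolution and TCP reachability for one remote machine.

    Returns a list of findings; an empty list means every check passed.
      ("dns_unresolved", hostname)
      ("dns_mismatch", hostname, [addresses actually returned])
      ("port_closed", expected_ip, port)
    """
    findings = []
    addresses = resolve_ipv4(hostname, resolver)
    if not addresses:
        findings.append(("dns_unresolved", hostname))
    elif expected_ip not in addresses:
        findings.append(("dns_mismatch", hostname, addresses))
    # Probe by IP address so that a DNS fault does not hide the port result.
    for port in ports:
        if not port_open(expected_ip, port, timeout, connector):
            findings.append(("port_closed", expected_ip, port))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 4:
        host, ip = sys.argv[1], sys.argv[2]
        ports = [int(p) for p in sys.argv[3:]]
        for finding in diagnose(host, ip, ports) or [("ok", host)]:
            print(finding)
    else:
        print("usage: <hostname> <expected-ip> <port> [<port> ...]")
```

A dns_mismatch finding with all ports open points at the name service rather than a firewall, which is the distinction the ping-by-name and ping-by-address step is meant to draw.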

Directory service configuration


If you encounter problems adding users and groups in the Web Security manager, make sure that you have provided complete and accurate configuration for your directory service.

1. Go to the Settings > General > Directory Services page.

2. Select the directory service used by your organization.

3. Verify the configuration. See Directory services, page 77, and its sub-topics for details.

If Websense User Service is installed on a Linux machine, and is configured to communicate with Active Directory, see

User Service on a Websense appliance or

Linux server

, page 486, for additional configuration requirements.

User identification and Windows Server

You may encounter problems adding users and groups in the Web Security manager if you install one or more of the following components on a supported Windows Server version:

Websense User Service

Windows Active Directory

If your network uses Active Directory in mixed mode, the Windows Computer Browser service must be running on the machine where User Service is installed, and also on the machine running Active Directory. This service was turned on by default in earlier versions of Windows, but it is disabled by default on Windows Server 2008 and 2012.

In addition, when User Service is installed on Windows Server, and you are using Active Directory in mixed mode, you must configure User Service with domain rights to access information from Active Directory.

If you are running User Service on Linux and using Active Directory, additional configuration is required. See User Service on a Websense appliance or Linux server, page 486.

To enable the Computer Browser service on a relevant machine, see Turning on the Computer Browser service, page 484.

To configure User Service with rights to access directory information, see Changing DC Agent, Logon Agent, and User Service permissions, page 485.

Turning on the Computer Browser service

Websense Setup offers the option to turn on the Computer Browser service during installation of the following components on Windows Server.

Websense User Service

Websense DC Agent

Websense Logon Agent

If you chose not to have it started, or the installer was not successful, you must turn on the service manually.

Perform the following procedure on each machine running an affected component:

1. Make sure that Windows Network File Sharing is enabled.

Windows Server 2012:

a. On the desktop, point the mouse to the top, right corner of the screen, then go to Settings > Control Panel.

b. In the Control Panel, click Network and Internet, then Network and Sharing Center.

c. Click Change advanced sharing settings in the left navigation pane, then select Turn on file and printer sharing.

d. Click Save Changes to save and exit.

Windows Server 2008 R2:

a. Go to Start > Network and click Network and Sharing Center.

b. Click Advanced Sharing Settings, then select Turn on file and print sharing.

2. Open the Windows Services tool:

Windows Server 2012: Server Manager > Tools > Services

Windows Server 2008 R2: Start > Administrative Tools > Services

3. Double-click Computer Browser to open the Properties dialog box.

4. Set the Startup type to Manual.

5. Click Start.

6. Change the Startup type to Automatic. This ensures that the service is started automatically every time the machine is restarted.

7. Click OK to save your changes and close the Services tool.

8. Repeat these steps on each Windows Server machine that hosts an affected component.

Changing DC Agent, Logon Agent, and User Service permissions

Sometimes, DC Agent, Logon Agent, or User Service needs to run as an account that has permission to access the directory service.

1. On the machine running the domain controller, create a user account such as Websense. You can use an existing account, but a Websense account is preferable so the password can be set not to expire. No special privileges are required.

Set the password never to expire. This account only provides a security context for accessing directory objects.

Make note of the user name and password you establish for this account, as they must be entered in steps 6 and 7.

2. On the machine running an affected component, go to Start > Programs > Administrative Tools > Services.

3. Select the appropriate Websense service entry, listed below, and then click Stop.

Websense DC Agent

Websense Logon Agent

Websense User Service

4. Double-click the Websense service entry.

5. On the Log On tab, select the This account option.

6. Enter the user name of the Websense account created in step 1. For example: DomainName\websense.

7. Enter and confirm the Windows password for this account.

8. Click OK to close the dialog box.

9. Select the Websense service entry in the Services tool, and then click Start.

10. Repeat this procedure for each instance of Websense DC Agent, Logon Agent, and User Service in the network.

User Service on a Websense appliance or Linux server

If you plan to apply policies to individual users and groups in your network, and User Service runs on a Websense appliance or Linux server, special configuration steps are required when you:

Use Active Directory in mixed mode

Want to use Websense Logon Agent to transparently identify users via Active Directory in native mode

Want to use DC Agent to transparently identify users

In these environments, Websense software must be configured to communicate with a Windows Internet Name Server (WINS) to resolve domain names to domain controller IP addresses. The precise steps vary, depending on your environment.

If your network uses Windows Active Directory in mixed mode:

1. In the Web Security manager, go to the Settings > General > Directory Services page.

2. Select Windows Active Directory (Mixed Mode). This is the default option.

3. Enter the name and password for the administrative user.

4. Enter the Domain name.

If your organization uses multiple domains, enter the name of a domain that is trusted by all domains that authenticate your users.

5. Enter the IP address of a Windows Internet Name Server (WINS) that can resolve the domain name entered above to a domain controller IP address.

6. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

If your network uses Active Directory (Native Mode), and you need to configure WINS settings:

1. Go to the Settings > General > Directory Services page.

2. Provide administrative credentials and identify the Windows Internet Name Server (WINS), as follows.

a. Select Windows Active Directory (Mixed Mode), which is the default.

b. Enter the name and password for the administrative user.

c. Enter the Domain name.

If your organization uses multiple domains, enter the name of a domain that is trusted by all domains that authenticate your users.

d. Enter the IP address of a Windows Internet Name Server (WINS) that can resolve the domain name entered above to a domain controller IP address.

e. Click OK to cache your changes.

f. Click Save and Deploy to implement these changes.

3. On the Directory Service page, select Active Directory (Native Mode).

4. Configure the global catalog servers and other settings for your directory service.

See Windows Active Directory (Native Mode), page 79, for assistance.

5. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Remote users are not prompted for manual authentication

If you have configured remote users to manually authenticate when accessing the Internet, there may be some occasions when individual users are not prompted for the authentication. This can occur in situations where some in-network IP addresses have been configured to bypass manual authentication.

When a remote user accesses the network, Websense software reads the last portion of the computer’s Media Access Control (MAC) address. If this matches an in-network IP address that has been configured to bypass manual authentication, the remote user will not be prompted to authenticate manually when accessing the Internet.

One solution is to reconfigure the in-network IP address to use manual authentication.

An alternative solution is to disable the manual authentication requirement for the affected remote user.

Remote users are not being filtered correctly

If remote users are not receiving the correct policies, check the RADIUS Agent logs for the message Error receiving from server: 10060 (Windows) or Error receiving from server: 0 (Linux).

This usually occurs when the RADIUS server does not recognize RADIUS Agent as a client (source of RADIUS requests). Ensure that your RADIUS server is configured properly (see the Using RADIUS Agent for Transparent User Identification technical paper).

If you have installed remote filtering software (see Manage Off-site Users, page 249), off-site users cannot be filtered if the Remote Filtering Client cannot communicate with the Remote Filtering Server within the network.

For instructions on configuring remote filtering software, see the Remote Filtering Software technical paper.

Block message issues

No block page appears for a blocked file type, page 488

Users receive a browser error instead of a block page, page 488

A blank white page appears instead of a block page, page 489

No block page appears for a blocked file type

When file type blocking is used, the block message may not always be visible to the user. For example, when a downloadable file is contained within an internal frame (iframe) on a permitted site, the block message sent to that frame is not visible because the frame size is zero.

This is only a display problem; users cannot access or download the blocked file.

Users receive a browser error instead of a block page

If users receive an error message instead of a block page, the 2 most likely causes are:

The user’s browser is configured to use an external proxy. In most browsers, there is a setting that enables use of an external proxy. Verify that the browser is not set to use an external proxy.

There is a problem identifying or communicating with the Filtering Service machine.

If the user’s browser settings are correct, make sure that the IP address of the Filtering Service machine is listed correctly in the eimserver.ini file.

1. Stop Websense Filtering Service (see Stopping and starting Websense services, page 398).

2. Navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default).

3. Open the eimserver.ini file in a text editor.

4. Under [WebsenseServer], add a blank line, and enter the following:

BlockMsgServerName = <Filtering Service IP address>

For example, if the Filtering Service IP address is 10.201.72.15, enter:

BlockMsgServerName = 10.201.72.15

5. Save and close the file.

6. Restart Filtering Service.

If the Filtering Service machine has more than one NIC, and the block page still does not display correctly after editing the eimserver.ini file, try the IP addresses of the other NICs in the BlockMsgServerName parameter.

If the block page still does not appear, make sure that users have read access to the files in the Websense block page directories:

Websense\BlockPages\en\Default

Websense\BlockPages\en\Custom

If the block page problem persists, search support.websense.com for additional troubleshooting hints.
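The check in steps 3 and 4 above can be scripted. The following is an added example, not Websense code: it assumes eimserver.ini parses as ordinary INI text, and the function name, the nic_addresses parameter, the ExampleSetting key and the sample file contents are all constructed for illustration.

```python
import configparser
import ipaddress

SECTION = "WebsenseServer"
KEY = "BlockMsgServerName"

# Constructed sample contents (not taken from a real installation).
GOOD_INI = "[WebsenseServer]\nExampleSetting = 1\n\nBlockMsgServerName = 10.201.72.15\n"
PLACEHOLDER_INI = "[WebsenseServer]\nBlockMsgServerName = <Filtering Service IP address>\n"
WRONG_SECTION_INI = ("[WebsenseServer]\nExampleSetting = 1\n"
                     "[ExampleOther]\nBlockMsgServerName = 10.201.72.15\n")
LOOPBACK_INI = "[WebsenseServer]\nBlockMsgServerName = 127.0.0.1\n"


def audit_block_msg_server(ini_text, nic_addresses):
    """Return a list of findings for the BlockMsgServerName entry.

    ini_text      -- contents of eimserver.ini as a string
    nic_addresses -- IP addresses of the Filtering Service machine's NICs,
                     supplied by the caller (hypothetical parameter)
    An empty list means the entry matches what the procedure asks for.
    """
    # Assumption: the file is ordinary INI. strict=False tolerates repeated
    # keys; interpolation=None keeps any '%' characters literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(ini_text)
    except configparser.Error as exc:
        return ["file is not parseable as INI: " + type(exc).__name__]

    if not parser.has_section(SECTION):
        return ["[%s] section not found" % SECTION]

    # configparser lower-cases option names, so this lookup ignores case.
    if not parser.has_option(SECTION, KEY):
        elsewhere = [s for s in parser.sections() if parser.has_option(s, KEY)]
        if elsewhere:
            return ["%s is set under [%s], not [%s]" % (KEY, elsewhere[0], SECTION)]
        return ["%s is not set under [%s]" % (KEY, SECTION)]

    value = parser.get(SECTION, KEY).strip()
    if not value:
        return ["%s has no value" % KEY]
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # Catches the template text being pasted in without substitution.
        return ["%s = %r is not an IP address" % (KEY, value)]

    findings = []
    # Assumption of this example: browsers on other machines must reach this
    # address, so a loopback or unspecified address is reported.
    if addr.is_loopback or addr.is_unspecified:
        findings.append("%s is %s, which other machines cannot reach" % (KEY, addr))
    # The page suggests trying each NIC address on a multi-NIC machine, so an
    # address that belongs to none of them is reported as well.
    if addr not in {ipaddress.ip_address(a) for a in nic_addresses}:
        findings.append("%s is not one of this machine's NIC addresses" % addr)
    return findings


if __name__ == "__main__":
    nics = ["10.201.72.15", "192.168.50.4"]  # constructed NIC list
    for name, text in [("good", GOOD_INI), ("placeholder", PLACEHOLDER_INI),
                       ("wrong section", WRONG_SECTION_INI), ("loopback", LOOPBACK_INI)]:
        print(name, "->", audit_block_msg_server(text, nics) or "OK")
```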

A blank white page appears instead of a block page

When advertisements are blocked, or when a browser does not correctly detect the encoding associated with a block page, users may receive a blank white page instead of a block page. The reasons for this behavior are as follows:

When the Advertisements category is blocked, Websense software sometimes interprets a request for a graphic file as an advertisement request, and displays a blank image instead of a block message (the normal method for blocking advertisements). If the requested URL ends in .gif or similar, have the user reenter the URL, leaving off the *.gif portion. See Blocking graphical advertisements, page 119.

Some older browsers may not detect the encoding of block pages. To enable proper character detection, configure your browser to display the appropriate character set (UTF-8 for French, German, Italian, Spanish, Brazilian Portuguese, Simplified Chinese, Traditional Chinese, or Korean; and Shift_JIS for Japanese). See your browser’s documentation for instructions, or upgrade the browser to a newer version.

Log, status message, and alert issues

Where do I find error messages for Websense components?, page 490

Websense Health alerts, page 490

Two log records are generated for a single request, page 492

Usage Monitor is not available, page 492

Usage Monitor is not running, page 493

Where do I find error messages for Websense components?

When there are errors or warnings related to core Websense components, alert messages are listed on the Status > Alerts page in the Web Security manager. In addition, by default, short alert messages are displayed in the Health Alert Summary list at the top of the System tab of the Status > Dashboard page (see Websense Health alerts, page 490).

Click an alert summary in the dashboard to see more detailed information on the Status > Alerts page.

Click Solutions next to a message on the Status > Alerts page for troubleshooting assistance.

Errors, warnings, and messages from Websense software components, as well as database download status messages, are recorded in the websense.log file in the Websense bin directory (see The Websense log file, page 539).

For Websense software components installed on Windows machines, you can also check the Windows Event viewer. See The Windows Event Viewer, page 539.

Websense Health alerts

By default, the System tab of the Web Security Dashboard includes a Health Alert Summary that lists potential concerns encountered by monitored components of your Websense software. These include:

The initial filtering database is in use

The Master Database is downloading for the first time

The Master Database is more than 1 week old

WebCatcher is not available

Log Server is not running

Presentation reports scheduler is not connected to the Log Database

The Log Database ETL job has not completed successfully after 4 hours

Log Server is not running

Low disk space on the Log Server machine

Log Server has not received data from Filtering Service for over an hour

The Master Database is being updated

The Master Database did not download successfully

Low disk space on the TRITON management server machine

The primary Policy Broker is now available

The Log Database is not available

One or more presentation report jobs failed

There is no Log Server configured for a Policy Server

The Log Database is not available

A Log Server cache directory contains more than 100 cache files

No Filtering Service has been configured for a Network Agent

No monitoring NIC has been configured for a Network Agent

Low memory on the Network Agent machine

Filtering Service is not running

Low disk space on the Filtering Service machine

High CPU usage on the Filtering Service machine

High CPU usage on the Network Agent machine

There is no Network Agent configured for a Policy Server

Network Agent is not running

Low memory on the Filtering Service machine

A DC Agent instance is unable to access a required file

DC Agent has insufficient permissions

Filtering Service is unable to communicate with DC Agent

Filtering Service is unable to communicate with Logon Agent

Filtering Service is unable to communicate with RADIUS Agent

Filtering Service is unable to communicate with eDirectory Agent

Usage Monitor is not running

The forensics repository location could not be reached

A configuration problem is interfering with Threats forensics data collection

A Policy Broker replica has not synchronized with the primary in more than 24 hours

Usage Monitor is not available

The forensics repository has reached 90% of its maximum size

Some records in the forensics repository are scheduled to be deleted within 1 week

If you have subscribed to Websense Web Security Gateway or Gateway Anywhere, Websense software monitors Content Gateway to provide alerts about the following conditions:

Content Gateway is not running

Content Gateway is not available

If you have subscribed to Websense Web Security Gateway Anywhere, or if your subscription includes both Web and data security components, Websense software monitors interoperability components to provide alerts about the following conditions:

A Sync Service is not running.

There is no Sync Service associated with a Policy Server instance.

On-premises components are unable to connect to the hybrid service.

Disk space is low on the partition hosting Sync Service.

24 hours since Sync Service downloaded log files from the hybrid service.

Missing information required to activate hybrid filtering.

A Directory Agent is not running.

There is no Directory Agent associated with a Policy Server instance.

Alerts were received from the hybrid service.

24 hours since Sync Service sent log files to Log Server.

The icon next to the alert message indicates the potential impact of the related condition.

The message is informational, and does not reflect a problem with your installation (for example, WebCatcher is not enabled, or Filtering Service is downloading a Master Database update).

The alert condition has the potential to cause a problem, but will not immediately prevent policy enforcement or reporting (for example, the Master Database is more than 1 week old, or the subscription key is about to expire).

A Websense software component is not functioning (has not been configured or is not running), which may impair policy enforcement or reporting, or your subscription has expired.

Click an alert message in the Health Alerts Summary to go to the Status > Alerts page, which provides additional information about current alert conditions. Click Learn More (for informational alerts) or Solutions (for errors or warnings) for details and troubleshooting tips.

If a Health Alert indicates that messages were received from the hybrid service, check the Hybrid Filtering Alerts table for details.

In some cases, if you are receiving error or status messages about a component that you are not using, or that you have disabled, you can choose to hide the alert messages. See Reviewing current system status, page 409, for more information.

Two log records are generated for a single request

When Windows QoS Packet Scheduler is installed on the same machine as Network Agent, 2 requests are logged for each single HTTP or protocol request made from the Network Agent machine. (This duplication does not occur with requests made by client machines within your network.)

To fix the problem, disable Windows QoS Packet Scheduler on the Network Agent machine.

This problem does not occur if you use Network Agent for all logging. See Configuring NIC settings, page 456, for details.

Usage Monitor is not available

In order to enable category and protocol usage alerting and Real-Time Monitor, Websense Usage Monitor must be installed. Typically, one Usage Monitor instance is installed for each Policy Server in your network. Usage Monitor may be installed on the Policy Server machine.

When installing Usage Monitor, make sure that it can communicate with:

Policy Server on ports 55806 and 40000

Policy Broker on port 55880

Filtering Service and Real-Time Monitor on port 55809

Usage Monitor should also be able to receive information from Policy Server and Filtering Service on its listening port: 55813.

Usage Monitor is not running

When Websense Usage Monitor is stopped:

Category and protocol access information cannot be collected for alerting purposes.

Category and protocol usage alerts cannot be generated.

Real-Time Monitor does not receive Internet activity data.

To start Usage Monitor:

Windows: Open the Windows Services tool, scroll to Websense Usage Monitor, right-click the service, and select Start.

Linux: Use the /opt/Websense/WebsenseDaemonControl command.

If Usage Monitor will not start, check the Windows Event Viewer or websense.log file for error information from the service.

Policy Server and Policy Broker issues

I forgot my password, page 493

The Websense Policy Database service fails to start, page 494

Policy Server stops unexpectedly, page 494

A Policy Broker replica cannot synchronize data, page 495

I forgot my password

If you are a Super Administrator or delegated administrator using a local account to log on to the TRITON Unified Security Center, any Global Security Administrator can reset the password. Global Super Administrators can manage accounts and passwords on the TRITON Settings > Administrators page.

If a Global Super Administrator is not available, administrators using local accounts can request a new password via the Forgot my password link on the TRITON logon page.

A temporary password is sent to the email address associated with your administrator account.

The temporary password is valid for only 30 minutes. If more than 30 minutes elapse before you attempt to log on with the temporary password, you must request a new password again.

You are prompted to enter a new password after you have logged on using the temporary password.

The Websense Policy Database service fails to start

The Websense Policy Database runs as a special account: WebsenseDBUser. If this account experiences logon problems, the Policy Database is unable to start.

To address this issue, change the WebsenseDBUser password.

1. Log on to the Policy Database machine as a local administrator.

2. Go to Start > Programs > Administrative Tools > Computer Management.

3. In the navigation pane, under System Tools, expand Local Users and Groups, and then select Users. User information is displayed in the content pane.

4. Right-click WebsenseDBUser and select Set Password.

5. Enter and confirm the new password for this user account, and then click OK.

6. Close the Computer Management dialog box.

7. Open the Windows Services tool:

Windows Server 2012: Server Manager > Tools > Services

Windows Server 2008 R2: Start > Administrative Tools > Services

8. Right-click Websense Policy Database and select Properties.

9. On the Log On tab of the Properties dialog box, enter the new WebsenseDBUser password information, and then click OK.

10. Right-click Websense Policy Database again, and then select Start.

When the service has started, close the Services tool.

Policy Server stops unexpectedly

If the hard disk on the Policy Server machine runs out of free space, the Websense Policy Server service or daemon stops. Even if the lack of disk space is the result of a transient condition (another application creates large temporary files, for example, and then removes them), Policy Server does not restart automatically.

If Filtering Service or Network Agent is installed on the Policy Server machine, a Health Alert message in the Web Security manager will provide a warning that disk space is getting low.

When Policy Server stops, a Health Alert message is displayed in the Web Security manager.

Manually restart Policy Server to address the immediate issue. Then, determine which application is sometimes filling up all available disk space on the machine. You can then decide whether the best solution is to move the application to another machine or to add disk space to the Policy Server machine.

A Policy Broker replica cannot synchronize data

In a replicated Policy Broker deployment, each replica synchronizes its policy and configuration data with the primary Policy Broker on a regular basis to ensure that current information is available to all components in the deployment.

If a replica is unable to connect to the primary Policy Broker for more than 24 hours, a health alert is displayed. To resolve this issue:

Make sure that 2-way network communication is possible between the primary and replica host machines on port 6432. (The firewall must allow both inbound and outbound connections on this port.)

Make sure that the primary Policy Broker machine is up, and the Policy Broker service or daemon is running.

Make sure that the Policy Broker replica machine is up, and the Policy Broker service or daemon is running.

The replica Policy Broker must use the synchronization password configured during primary Policy Broker configuration. If you have recently replaced the primary Policy Broker, make sure that the correct synchronization password was used.
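The port checks called for in this chapter (directory service ports, User Service on 55815, the Usage Monitor ports, and Policy Broker synchronization on 6432) can be run with a short script that separates "nothing is listening" from "traffic is being dropped". This is an added example, not a Websense tool; the group labels, function names and advice strings are made up for illustration, and only the port numbers come from the text above.

```python
import socket
import sys

# Default TCP ports named in this chapter. The keys are labels chosen for
# this example; the port numbers are the ones listed in the help text.
PAGE_PORTS = {
    "directory service": [139, 389, 636, 3268, 3269],
    "User Service (from the Web Security manager)": [55815],
    "Policy Server (from Usage Monitor)": [55806, 40000],
    "Policy Broker (from Usage Monitor)": [55880],
    "Filtering Service and Real-Time Monitor (from Usage Monitor)": [55809],
    "Usage Monitor listening port": [55813],
    "Policy Broker primary/replica synchronization": [6432],
}

ADVICE = {
    "open": "a service accepted the connection",
    "refused": "host is reachable but the port is not listening: "
               "check that the service or daemon is running",
    "timeout": "no reply: a firewall is probably dropping traffic to this "
               "port, or the host is down",
    "unresolved": "the host name did not resolve: check name resolution",
    "error": "the connection failed for another reason (for example, no route)",
}


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # an active reset came back from the host
    except socket.timeout:
        return "timeout"      # packets silently dropped somewhere on the path
    except socket.gaierror:
        return "unresolved"
    except OSError:
        return "error"


def check_ports(host, ports, timeout=3.0):
    """Probe every port in `ports`; return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def explain(state):
    """Map a probe state to the troubleshooting hint for it."""
    return ADVICE[state]


if __name__ == "__main__":
    # Usage: script.py [host]; defaults to the local machine so it runs offline.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for group, ports in PAGE_PORTS.items():
        print(group)
        for port, state in check_ports(target, ports, timeout=2.0).items():
            print("  %5d  %-10s %s" % (port, state, explain(state)))
```

Run it from the machine that initiates each connection. For the Policy Broker check on port 6432, run it on both the primary and the replica host, each pointed at the other, because the text requires 2-way communication.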

Delegated administration issues

Managed clients cannot be deleted from role, page 495

Logon error says someone else is logged on at my machine, page 496

Recategorized sites are filtered according to the wrong category, page 496

I cannot create a custom protocol, page 496

Managed clients cannot be deleted from role

Clients cannot be deleted directly from the managed clients list on the Delegated Administration > Edit Role page if:

the administrator has applied a policy to the client

the administrator has applied a policy to one or more members of a network, group, domain, or organizational unit

There may also be problems if the Super Administrator is connected to a different Policy Server than the one that communicates with the directory service containing the clients to be deleted. In this situation, the current Policy Server and directory service do not recognize the clients.

For assistance deleting managed clients, see Delete managed clients, page 362.

Logon error says someone else is logged on at my machine

When you attempt to log on to the TRITON console you may sometimes receive the error “Logon failed. The role role_name has been in use by user_name, since date, time, on computer 127.0.0.1.” The IP address 127.0.0.1 is also called the loopback address, and typically indicates the local machine.

This message means that someone is logged on to the Web Security manager from the TRITON management server machine, in the same role you are requesting. You can select a different role (if you administer multiple roles), log on for reporting only, or wait until the other administrator logs off.

Recategorized sites are filtered according to the wrong category

Recategorized URLs affect only the clients managed by a role in which the URLs are added. For example, when a Super Administrator recategorizes URLs, clients managed by delegated administration roles continue to be filtered according to the Master Database category for those sites.

To apply the recategorization to clients in other roles, the Super Administrator can switch to each role and recategorize the sites for that role.

I cannot create a custom protocol

Only Super Administrators are able to create custom protocols. However, delegated administrators can set actions for custom protocols.

When Super Administrators create custom protocols, they should set the appropriate default action for most clients. Then, inform delegated administrators of the new protocol so they can update the filters for their role, as appropriate.

Log Server and Log Database issues

Log Server is not running, page 497

Log Server has not received log files from Filtering Service, page 498

Low disk space on the Log Server machine, page 500

No Log Server is installed for a Policy Server, page 501

Log Database was not created, page 503

Log Database is not available, page 503

Log Database size causes reporting delays, page 504

More than 100 files in the Log Server cache directory, page 505

Last successful ETL job ran more than 4 hours ago, page 506

Configure Log Server to use a database account, page 507

Log Server is not recording data in the Log Database, page 508

Updating the Log Server connection account or password, page 508

Configuring user permissions for Microsoft SQL Server, page 509

Log Server cannot connect to the directory service, page 509

Wrong reporting page displayed, page 510

Log Server is not running

If Log Server is not running, or if other Websense components are unable to communicate with Log Server, Internet usage information is not stored. Charts on the Status > Dashboard page stop updating, and you may not be able to generate reports.

Log Server may be unavailable if:

It is unable to contact the Log Database after 20 attempts.

Make sure that the Log Database machine is running, that Microsoft SQL Server is operating properly, and that network communication has not been interrupted between the Log Server and Log Database machines.

There is insufficient disk space on the Log Server machine.

Verify the amount of free disk space on the Log Server machine, and remove extraneous files, as needed.

You changed the Microsoft SQL Server password without updating the ODBC or Log Server connection.

See Updating the Log Server connection account or password, page 508, for information about addressing this issue.

It has been more than 14 days since the Master Database was downloaded successfully.

See The Master Database is more than 1 week old, page 464, and The Master Database does not download, page 464, for information about addressing this issue.

The logserver.ini file is missing or corrupted.

Navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin, by default) and make sure that you can open logserver.ini in a text editor. If this file has been corrupted, replace it with a backup file.

You stopped Log Server to avoid logging Internet usage information.

Check the Windows Services tool to verify that Log Server has started, and restart the service if necessary (see Stopping and starting Websense services, page 398).

If none of these address the issue, check the Windows Event Viewer and websense.log file for error messages from Log Server (see Troubleshooting tips and tools, page 538) in order to better understand the problem.

Log Server has not received log files from Filtering Service


Log Server receives Internet usage information from Filtering Service and stores it in the Log Database. If Log Server is not receiving files from Filtering Service, no data is being logged, recent data is not displayed on the Status > Dashboard page, and you cannot generate Internet usage reports that include recent data.

Log Server may not be receiving files from Filtering Service if:

Filtering Service is not running.

See Filtering Service is not running, page 470, for information about addressing this issue.

The two services are not able to communicate across the network.

Verify that there have been no recent changes to firewall rules that might affect traffic between the machines on port 55805 (default), or the custom port your organization uses.

Use a utility like telnet or ping to verify that the machines can communicate.

Verify that the Log Server IP address and port (55805, by default) are correct on the Settings > General > Logging page in the Web Security manager.

If the loopback address (127.0.0.1) or “localhost” is shown, enter the actual IP address of the Log Server machine.

Use the Check Status button on the Settings > General > Logging page to verify that it is possible to connect to Log Server.

If the status check fails:

a. Verify there is no firewall blocking the port.

b. Run the following command on the Log Server machine to verify that Log Server is listening on the port:

netstat -ban > port.txt

Network Agent, Content Gateway, or a third-party integration product is not configured properly and not receiving Internet traffic.

See Network Agent issues, page 474, and Network Configuration, page 451, for information about addressing Network Agent configuration issues.

See the Deployment and Installation Center and Content Gateway Help for information about addressing Content Gateway configuration issues.

See the Deployment and Installation Center and your vendor’s documentation for information about other supported integrations.

There is not sufficient disk space for Log Server to create new cache files.

See Low disk space on the Log Server machine, page 500, for more information about addressing this issue.

Filtering Service is associated with a Policy Server that is not configured for logging or is sending logs to TestLogServer.

See No Log Server is installed for a Policy Server, page 501, and Configuring how requests are logged, page 422, for more information about addressing this issue.

Files cannot be written to the cache or BCP folders.

Verify that the path defined for ODBC cache files or BCP files on the Settings > Reporting > Log Server page is correct, and that the account used to run Log Server has permissions to write to the path.

Log Server did not install properly.

Use the following steps to verify that the Log Server service is registered properly with the Windows operating system:

1. Use the Windows Services tool to stop the Websense Log Server service.

2. Open a command prompt (Run > cmd) and navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin, by default).

3. Enter the following command.

LogServer.exe -c

• If no errors display, the service is registered correctly.

• If errors display, continue with the next step.

4. To remove the Log Server service, enter:

LogServer.exe -u

5. To register the executable, enter:

LogServer.exe -i

6. Once again, enter the following command. Verify that no errors appear.

LogServer.exe -c

If none of the items above addresses your issue:

Verify that the Log Server executable version matches the installed product version. To find the Log Server version:

1. Open a Windows command prompt on the Log Server machine.

2. Navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin, by default).

3. Enter the command: logserver -v

This should match the version shown next to Web Security build on the Help > About the TRITON Console page in the TRITON Unified Security Center.

Occasionally, the Filtering Service on a Websense Appliance does not restart as expected after a settings change. If the Filtering Service on an appliance stops running, go to Status > Modules and restart the entire Websense Web Security module.

If Log Server stops running immediately after restarting and the runtime error “C error (Visual C Runtime Error)” displays, delete the LogServer.state file located in the Log Server Cache folder (C:\Program Files or Program Files (x86)\Websense\Web Security\bin\Cache, by default) and restart the Websense Log Server service.

If you are using TestLogServer, verify that the tool is set up to forward log data to Log Server.

See support.websense.com for detailed information about TestLogServer.
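The netstat -ban check in the status-check steps above leaves its result in port.txt. As an added example (not part of the Websense documentation), this Python script parses that file and reports whether LogServer.exe is the process listening on TCP port 55805. The sample output is constructed, and flagging a loopback-only listener is an assumption that goes slightly beyond the page's text.

```python
import re
import sys

# Constructed sample of `netstat -ban` output, not captured from a real host.
SAMPLE_PORT_TXT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:55805          0.0.0.0:0              LISTENING
 [LogServer.exe]
  TCP    10.0.0.5:49210         10.0.0.9:1433          ESTABLISHED
 [LogServer.exe]
  TCP    [::]:445               [::]:0                 LISTENING
 Can not obtain ownership information
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER = re.compile(r"^\s*\[([^\]]+)\]\s*$")   # the "[image.exe]" line printed by -b
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_netstat(text):
    """Return one dict per connection row, with the owning executable if shown."""
    rows = []
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            proto, local, _foreign, state = row.groups()
            addr, _, port = local.rpartition(":")   # keeps "[::]" intact for IPv6
            if port.isdigit():
                rows.append({"proto": proto, "addr": addr, "port": int(port),
                             "state": state or "", "owner": None})
            continue
        owner = OWNER.match(line)
        # The owner line follows the row it belongs to; component names
        # (for example "RpcSs") and "Can not obtain ownership" lines are skipped.
        if owner and rows and rows[-1]["owner"] is None:
            rows[-1]["owner"] = owner.group(1)
    return rows


def check_listener(text, port=55805, expected_exe="LogServer.exe"):
    """Classify the listener state for the Log Server port."""
    hits = [r for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["port"] == port
            and r["state"] == "LISTENING"]
    if not hits:
        return "not-listening"      # service down or configured for another port
    owners = {r["owner"].lower() for r in hits if r["owner"]}
    if not owners:
        return "owner-unknown"      # netstat could not resolve the owning process
    if owners != {expected_exe.lower()}:
        return "wrong-owner"        # another program holds the port
    if all(r["addr"] in LOOPBACK for r in hits):
        return "loopback-only"      # assumption: unreachable from other machines
    return "ok"


if __name__ == "__main__":
    # Usage: python check_port.py port.txt [port]
    path = sys.argv[1] if len(sys.argv) > 1 else "port.txt"
    wanted = int(sys.argv[2]) if len(sys.argv) > 2 else 55805
    with open(path, errors="replace") as handle:
        print(check_listener(handle.read(), port=wanted))
```

netstat prints the owning executable only when -b is run from an elevated command prompt, so an "owner-unknown" result usually means the command needs to be repeated as an administrator.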

Low disk space on the Log Server machine

Websense Log Server stores Internet activity records in temporary log cache files or BCP (bulk copy program) files on the Log Server machine until they can be processed into the Log Database.

Websense software watches the space available for both log cache files and BCP files.

By default:

Log cache files are stored in the C:\Program Files or Program Files (x86)\Websense\Web Security\bin\Cache directory.

BCP files are stored in the C:\Program Files or Program Files (x86)\Websense\Web Security\bin\Cache\BCP directory.

The log cache file and BCP file location can be changed on the Settings > Reporting > Log Server page in the Web Security manager. See Configuring Log Server, page 424.

Note

If you have multiple Log Servers that forward their data to a primary Log Server, disk space is tracked for the primary Log Server only.

A Health Alert message is displayed on the System tab of the Status > Dashboard page if the space available at either of these locations drops too low. If there is insufficient disk space, logging stops.

A warning message appears when the free disk space falls below 10% on the drive where log cache files and BCP files are stored. Although logging continues, you should clear disk space on the machine as soon as possible to avoid loss of log data.

An error message appears when there is less than 4 MB of free disk space on the drive where log cache files and BCP files are stored.

When disk space dips below 4 MB, logging may become intermittent or stop completely. To minimize loss of log data, clear disk space on the Log Server machine as soon as possible after the error message appears.

No Log Server is installed for a Policy Server

Websense Log Server collects Internet usage information and stores it in the Log Database for use in investigative reports, presentation reports, and the charts and summaries on the Dashboard page in the Web Security manager.

Log Server must be installed for reporting to occur.

You may see this message if:

Log Server is installed on a different machine than Policy Server, and the Log Server IP address is incorrectly set to localhost in the Web Security manager.

You are not using Websense reporting tools.

Log Server is associated with a different Policy Server instance.

To verify that the correct Log Server IP address is set in the Web Security manager:

1. Select the Settings tab of the left navigation pane, and then go to General > Logging.

2. Enter the IP address of the Log Server machine in the Log Server IP address or name field.

3. Click OK to cache your change, and then click Save and Deploy.

If you are not using Websense reporting tools, or if Log Server is associated with a different Policy Server instance, you can hide the alert message in the Web Security manager.

1. On the Main tab of the left navigation pane, go to Status > Alerts.

2. Under Active Alerts, click Advanced.

3. Mark Hide this alert for the “No Log Server installed” message.

4. Click Save Now. The change is implemented immediately.

More than one Log Server is installed for a Policy Server

Each Policy Server instance can connect to only one instance of Web Security Log Server. When multiple instances of Log Server attempt to connect to the same Policy Server, log data is not recorded properly, causing problems with multiple reporting tools.

To resolve this issue:

If multiple, active Log Server instances are running, uninstall all but one of the Log Server instances connecting to the Policy Server that is reporting the error.

If you would like to configure multiple Log Server instances to communicate with a central Log Server that is responsible for recording data in the Log Database, see Extending your Web Security deployment in the Deployment and Installation Center.

If this error appears, but only one instance of Log Server is active, it is likely that:

Policy Server was not running when a Log Server instance was uninstalled.

The Policy Server IP address was changed after Log Server was installed.

During installation, Log Server connected to a Policy Server instance on another machine. Later, a Policy Server instance was installed on the Log Server machine.

In all of these cases, the safest way to address the problem is:

1. Uninstall the Log Server instance or instances currently connected to the Policy Server instance displaying the error.

2. Stop Websense Policy Server (via the Windows Services tool or the /opt/Websense/WebsenseDaemonControl command).

3. Navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin) and make a backup copy of config.xml in another location. Do not skip this step.

4. Open the original config.xml file in a basic text editor (not an XML or HTML editor).

5. Near the top of the file, locate the WebsenseLogServer container. This contains the ID for the “ghost” Log Server instance.

<container name="WebsenseLogServer">

6. Delete the entire container, including the close tag. For example:

<container name="WebsenseLogServer">

<data name="0c65012f-93af-11e1-8616f215ee9c7d9d">10.201.136.34</data>

</container>

7. Save and close the config.xml file.

8. Delete the config.xml.bak file from the Websense bin directory.

9. Use the Windows Services tool or /opt/Websense/WebsenseDaemonControl command to start Websense Policy Server.
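Steps 3 through 8 above, as an added Python example that is not Websense code: it copies config.xml to a separate backup directory, removes the WebsenseLogServer container at the text level (the procedure asks for a basic text editor rather than an XML tool), and deletes config.xml.bak. It assumes Policy Server is already stopped, that the file is UTF-8, and that exactly one such container exists; the function names and the elements around the page's container in the sample are constructed.

```python
import re
import shutil
from pathlib import Path

# Constructed sample: only the WebsenseLogServer container comes from the page;
# the surrounding elements are invented for the demonstration.
SAMPLE_CONFIG = (
    '<root>\r\n'
    '  <container name="WebsenseLogServer">\r\n'
    '    <data name="0c65012f-93af-11e1-8616f215ee9c7d9d">10.201.136.34</data>\r\n'
    '  </container>\r\n'
    '  <container name="Other">\r\n'
    '    <container name="Nested"/>\r\n'
    '  </container>\r\n'
    '</root>\r\n'
)

TARGET_OPEN = re.compile(r'<container\s+name="WebsenseLogServer"\s*>')
# Any container open tag (group 1 is "/" when self-closing) or close tag.
CONTAINER_TAG = re.compile(r'<container\b[^>]*?(/?)>|</container\s*>')


def remove_logserver_container(xml_text):
    """Return (new_text, removed_block); refuse unless exactly one target exists."""
    opens = list(TARGET_OPEN.finditer(xml_text))
    if len(opens) != 1:
        raise ValueError("expected 1 WebsenseLogServer container, found %d" % len(opens))
    start = opens[0].start()
    depth = 0
    # Count nesting so a container inside the target does not end the cut early.
    for tag in CONTAINER_TAG.finditer(xml_text, start):
        if tag.group(0).startswith("</"):
            depth -= 1
        elif tag.group(1) != "/":
            depth += 1
        if depth == 0:
            end = tag.end()
            break
    else:
        raise ValueError("no matching </container> for WebsenseLogServer")
    # Drop the block's own indentation and line ending so no blank line remains.
    while start > 0 and xml_text[start - 1] in " \t":
        start -= 1
    tail = re.match(r"[ \t]*\r?\n", xml_text[end:])
    if tail:
        end += tail.end()
    return xml_text[:start] + xml_text[end:], xml_text[start:end]


def clean_config(config_path, backup_dir):
    """Back up config.xml elsewhere, remove the container, delete config.xml.bak."""
    config_path = Path(config_path)
    backup_dir = Path(backup_dir)
    if backup_dir.resolve() == config_path.parent.resolve():
        raise ValueError("backup must be kept in another location (step 3)")
    original = config_path.read_bytes()            # bytes keep CRLF line endings
    new_text, removed = remove_logserver_container(original.decode("utf-8"))
    backup = backup_dir / (config_path.name + ".before-logserver-fix")
    shutil.copy2(config_path, backup)              # step 3
    config_path.write_bytes(new_text.encode("utf-8"))   # steps 6 and 7
    stale = config_path.with_name("config.xml.bak")
    if stale.exists():
        stale.unlink()                             # step 8
    return backup, removed
```

The returned block contains the ID and IP address of the removed Log Server entry, which is worth recording alongside the backup before Policy Server is started again.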


Log Database was not created


If the installer cannot create the Log Database, the cause may be one of the following:

The account used to log on for installation has inadequate SQL Server permissions to create a database. The required permissions depend on the version of Microsoft SQL Server:

SQL Server Standard or Enterprise requires dbcreator server role membership, db_datareader role membership, and membership in one of the following roles:

• SQLAgentUserRole

• SQLAgentReaderRole

• SQLAgentOperatorRole

SQL Server Express: sysadmin permissions required

Update the logon account or log on with an account that already has the required permissions (see Configuring user permissions for Microsoft SQL Server, page 509), then run the installer again.

A file or files exist with the default Log Database names (wslogdb70 and wslogdb70_1), but the files are not properly connected to the database engine and cannot be used by the Websense installer.

To address this issue:

If you don’t want to upgrade the existing database files, remove or rename them, and then run the installer again.

If the existing database files are from a version that can be upgraded, and you want to continue using them, use the SQL Server Management Studio to attach the files to the database engine, then run the installer again.

The account used to run the installer has inadequate permissions on the drive where the database is being installed.

Update the logon account to have read and write permissions for the installation location, or log on with a different account that already has these permissions. Then, run the installer again.

There is insufficient disk space available to create and maintain the Log Database at the specified location.

Clear enough space on the selected disk to install and maintain the Log Database. Then, run the installer again. Alternatively, choose another location.

Log Database is not available


The Websense Log Database stores Internet usage information for use in presentation reports, investigative reports, and the charts and summaries on the Dashboard page in the Web Security manager.


If Websense software is unable to connect to the Log Database, first verify that the database engine (Microsoft SQL Server or Microsoft SQL Server Express) is running on the Log Database machine.

1. Open the Windows Services tool (see The Windows Services tool, page 538) and verify that the MSSQLSERVER service is running.

If you are running Microsoft SQL Server Standard or Enterprise (not Express), also make sure that the SQLSERVERAGENT service is running.

2. If a service has stopped, right-click the service name and click Start.

If the service does not restart, check the Windows Event Viewer (see The Windows Event Viewer, page 539) for Microsoft SQL Server errors and warnings.

3. If you are running Microsoft SQL Server Standard or Enterprise (not Express), double-click the SQLSERVERAGENT service to open a Properties dialog box, and verify that the Startup type is set to Automatic. This ensures that SQL Server Agent restarts each time Microsoft SQL Server, or the database engine machine, is restarted.

If the Startup type is Manual or Disabled, change it to Automatic, and then click OK.

If the database engine and (if applicable) SQL Server Agent services are running:

Use the Windows Services tool to make sure that the Websense Log Server service is running.

If Log Server and the Log Database are on different machines, make sure that both machines are running, and that the network connection between the machines is not impaired.

Make sure that there is enough disk space on the Log Database machine, and that the Log Database has a sufficient quantity of allocated disk space (see Log Server is not recording data in the Log Database, page 508).

Make sure that the SQL Server password has not been changed. If the password changes, you must update the password information Log Server uses to connect to the database. See Updating the Log Server connection account or password, page 508.

Make sure that there are no network interruptions that are preventing the Web Security manager from communicating with the Log Database.

After making sure that the database engine and related services are running, and that any network problems have been resolved, use the Windows Services tool to restart the Websense TRITON - Web Security service. This ensures that the presentation reports scheduler can save job definitions (see No Log Server is installed for a Policy Server, page 501).

Log Database size causes reporting delays

Log Database size is always a concern. If you have been successfully generating Websense reports and notice the reports are now taking much longer to display, or you begin receiving timeout messages from your Web browser, consider disabling some database partitions.

1. In the Web Security manager, go to Settings > Reporting > Log Database.

2. Locate the Available Partitions section of the page.

3. Mark the check box next to any partitions that are not required for current reporting operations, then click Disable.

4. Click OK, then Save and Deploy to implement the change.

See Log Database sizing guidance, page 442, for more information about estimating database size.

More than 100 files in the Log Server cache directory


Normally, Log Server ODBC cache files or BCP files are moved to the Log Database at a steady rate. If temporary files are accumulating on the Log Server machine, current Internet usage information is not being sent to the Log Database.

Log Server may be unable to process temporary files if:

The Log Database is not running, the connection to the Microsoft SQL Server machine is down, or the database is busy. See Log Database is not available, page 503.

The Log Database is not installed properly or is the wrong version. See Log Database was not created, page 503.

The ETL job has stopped running and the incoming buffer is full.

The Log Database is out of allocated disk space. See Log Server is not recording data in the Log Database, page 508.

The database creation path is invalid.

There is no current active partition.

There is a problem with BCP insertion.

There is a problem with the size of tempdb.

To troubleshoot the problem:

Make sure Microsoft SQL Server is running (see Log Database is not available, page 503), and that no other processes that use significant resources, such as a full backup or antivirus scan, are running.

Also check the disk IO to verify that the machine is able to handle a fast insertion rate into the database.

Verify that you are using a certified version of Microsoft SQL Server:

SQL Server 2008 SP3 (or the latest service pack from Microsoft)

SQL Server 2008 R2 SP2 (or the latest service pack from Microsoft)

SQL Server 2012 SP1 (or the latest service pack from Microsoft)

For very small networks and evaluation environments, SQL Server 2008 R2 Express SP 2 (packaged in the TRITON Unified Installer).

Use SQL Server Management Studio to verify that the ETL job is running.

If you are using SQL Server Enterprise or Standard, and the ETL job is not running, make sure the SQL Server Agent service is running on the machine.

If SQL Server Agent is running:

Expand the catalog database (wslogdb70) and verify that there are records in the INCOMINGBUFFER. If the INCOMINGBUFFER is full, Log Server cannot add additional records.

If records exist in the INCOMINGBUFFER table:

a. Locate the wse_etl_config table.

b. Right-click, then select Open Table.

c. Change the value for max_buffer_size to 40000.

Use SQL Server Management Studio to verify that the Auto Growth option is enabled for the catalog database.

Go to the Settings > Reporting > Log Database page in the Web Security manager and verify that:

The File Path entries under Partition Management are valid.

There is at least one active partition listed under Available Partitions.

If Log Server has been configured to use BCP insertion, but BCP files are not being processed, change the insertion method to ODBC and see if new cache files are processed:

1. Go to the Settings > Reporting > Log Server page in the Web Security manager.

2. Expand the Log Record Creation section.

3. Select the ODBC (Open Database Connectivity) radio button.

4. Click OK to cache your changes, then click Save and Deploy to implement them.

By default, ODBC cache files are created in the C:\Program Files or Program Files (x86)\Websense\Web Security\bin\Cache directory.

The log (ldf) file for the database tempdb may be full. Restart the Microsoft SQL Server (MSSQLSERVER) services to clear the tempdb database.

Last successful ETL job ran more than 4 hours ago


The ETL (Extract, Transform, and Load) job is responsible for processing data into the partition database. If the job does not run regularly, data is delayed in being written to the Log Database, resulting in reports and Dashboard charts that are out of date.

Typically, the ETL job runs quickly and is scheduled to start again 10 seconds after it completed its last process. If no records are being passed to the database, however (for example, because there’s no traffic due to a network problem, or because Filtering Service or Log Server is not running), the job does not run until it starts receiving data again.

If the job has not run recently:

Make sure Microsoft SQL Server is running (see Log Database is not available, page 503), and that no other processes that use significant resources, such as a full backup or antivirus scan, are running.

Also check the disk IO to verify that the machine is able to handle a fast insertion rate into the database.

Use the linked procedure to check for Log Database problems.

Verify that you are using one of the following certified versions of Microsoft SQL Server:

SQL Server 2008 SP3 (or the latest service pack from Microsoft)

SQL Server 2008 R2 SP2 (or the latest service pack from Microsoft)

SQL Server 2012 SP1 (or the latest service pack from Microsoft)

For very small networks and evaluation environments, SQL Server 2008 R2 Express SP 2 (packaged in the TRITON Unified Installer).

(Microsoft SQL Server Standard and Enterprise) Use the Windows Services tool on the SQL Server machine to verify that the SQL Server Agent service is running.

Use SQL Server Management Studio to make sure the ETL job is running. If it isn’t, check for errors in the job history and restart or manually run the job.

Use the following procedures:

Make sure Filtering Service is sending data

Look for problems on the Log Server machine

You can also use the TestLogServer utility to verify logging behavior. See Using TestLogServer for Web Security Troubleshooting.

Configure Log Server to use a database account

To configure Log Server to use a database account (like sa) to connect to the Log Database:

1. In the Web Security manager, go to the Settings > Reporting > Log Server page.

2. Under Log Database Connection, select the SQL Server authentication radio button.

3. Enter the Account name (like sa) and Password for a SQL Server account with create, read, and write permissions. See Configuring user permissions for Microsoft SQL Server, page 509, for more information.

4. Click Test Connection to verify that Log Server can connect to the Log Database using the selected account, and that the account has the correct permissions.

5. Click OK to cache your changes, then click Save and Deploy to implement them.

6. Use the Windows Services tool to restart the Websense TRITON - Web Security service.

Log Server is not recording data in the Log Database


Usually, when Log Server is unable to write data to the Log Database, the database has run out of allocated disk space. This can occur either when the disk drive is full, or in the case of Microsoft SQL Server, if there is a maximum size set for how large the database can grow.

If the disk drive that houses the Log Database is full, you must add disk space to the machine to restore logging.

If your SQL Server Database Administrator has set a maximum size for how large an individual database within Microsoft SQL Server can grow, do one of the following:

Contact your SQL Server Database Administrator to increase the maximum.

Find out the maximum size, and go to Settings > Reporting > Log Database to configure the Log Database to roll over when it reaches approximately 90% of the maximum size. See Configuring database partition options, page 433.

If your IT department has established a maximum amount of disk space for SQL Server operations, contact them for assistance.

Updating the Log Server connection account or password

To change the account or password that Log Server uses to connect to the Log Database:

1. In the Web Security manager, go to the Settings > Reporting > Log Server page.

2. Under Log Database Connection, verify that the correct database (by default, wslogdb70) appears in the Data source name (DSN) field.

3. Make sure that SQL server authentication is selected as the connection method, and that a valid account name (like sa) appears in the Account field.

4. Enter the current password for the connection account.

5. Click Test Connection to verify that Log Server can use the account.

6. Click OK to cache your changes, then click Save and Deploy to implement them.

7. Use the Windows Services tool to restart the Websense TRITON - Web Security service.

Configuring user permissions for Microsoft SQL Server


Microsoft SQL Server Standard and Enterprise editions define SQL Server Agent roles that govern accessibility of the job framework. The SQL Server Agent jobs are stored in the SQL Server msdb database.

To install Websense Log Server successfully, the user account that owns the Websense database must:

1. Be a member of the dbcreator fixed server role.

2. In the msdb database:

Have membership in the db_datareader role.

Have membership in one of the following roles:

• SQLAgentUserRole

• SQLAgentReaderRole

• SQLAgentOperatorRole

Use Microsoft SQL Server Management Studio to grant the database user account the necessary permissions to successfully install Log Server.

1. On the SQL Server machine, go to Start > Programs > Microsoft SQL Server 2008 or 2012 > Microsoft SQL Server Management Studio.

2. Select the Object Explorer tree, and then go to Security > Logins.

3. Select the login account to be used during the installation.

4. Right-click the login account and select Properties for this user.

5. Select User Mapping and do the following:

a. Select msdb in database mapping.

b. Grant membership to one of these roles:

• SQLAgentUserRole

• SQLAgentReaderRole

• SQLAgentOperatorRole

c. Grant membership to the db_datareader role.

d. Click OK to save your changes.

6. Select Server Roles, and then select dbcreator. The dbcreator role is created.

7. Click OK to save your changes.
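The same grants can be scripted instead of clicked through. This added Python example (not part of the Websense documentation) emits the equivalent T-SQL with the login name safely quoted, using sp_addsrvrolemember and sp_addrolemember so the script runs on SQL Server 2008 as well as 2012, and then evaluates the roles reported by the verification queries against the requirements listed above. The login name in the usage is hypothetical, and the msdb user is assumed to have the same name as the login.

```python
AGENT_ROLES = ("SQLAgentUserRole", "SQLAgentReaderRole", "SQLAgentOperatorRole")


def quote_ident(name):
    """Bracket-quote an identifier the way QUOTENAME does (']' is doubled)."""
    if not name or len(name) > 128:
        raise ValueError("invalid SQL Server identifier")
    return "[" + name.replace("]", "]]") + "]"


def quote_literal(value):
    """Unicode string literal with embedded single quotes doubled."""
    return "N'" + value.replace("'", "''") + "'"


def grant_script(login, agent_role="SQLAgentUserRole"):
    """T-SQL for the page's requirements: dbcreator, msdb db_datareader, one Agent role."""
    if agent_role not in AGENT_ROLES:
        raise ValueError("agent_role must be one of: " + ", ".join(AGENT_ROLES))
    ident, lit = quote_ident(login), quote_literal(login)
    return "\n".join([
        "-- Server level: dbcreator fixed server role",
        f"EXEC sp_addsrvrolemember @loginame = {lit}, @rolename = N'dbcreator';",
        "-- msdb: map the login to a user, then add the two role memberships",
        "USE msdb;",
        f"IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = {lit})",
        f"    CREATE USER {ident} FOR LOGIN {ident};",
        f"EXEC sp_addrolemember @rolename = N'db_datareader', @membername = {lit};",
        f"EXEC sp_addrolemember @rolename = N'{agent_role}', @membername = {lit};",
    ])


def verify_queries(login):
    """Two queries whose result rows are the role names held by the login."""
    lit = quote_literal(login)
    server = (
        "SELECT r.name FROM sys.server_role_members m "
        "JOIN sys.server_principals r ON r.principal_id = m.role_principal_id "
        "JOIN sys.server_principals l ON l.principal_id = m.member_principal_id "
        f"WHERE l.name = {lit};"
    )
    msdb = (
        "SELECT r.name FROM msdb.sys.database_role_members m "
        "JOIN msdb.sys.database_principals r ON r.principal_id = m.role_principal_id "
        "JOIN msdb.sys.database_principals u ON u.principal_id = m.member_principal_id "
        f"WHERE u.name = {lit};"
    )
    return server, msdb


def missing_permissions(server_roles, msdb_roles):
    """Compare role names returned by verify_queries with the page's requirements."""
    server = {r.lower() for r in server_roles}
    msdb = {r.lower() for r in msdb_roles}
    if "sysadmin" in server:
        return []                       # sysadmin bypasses all permission checks
    missing = []
    if "dbcreator" not in server:
        missing.append("dbcreator (server role)")
    if "db_datareader" not in msdb:
        missing.append("db_datareader (msdb)")
    if not msdb & {r.lower() for r in AGENT_ROLES}:
        missing.append("one of " + ", ".join(AGENT_ROLES) + " (msdb)")
    return missing


if __name__ == "__main__":
    # Hypothetical login name, used only to show the generated script.
    print(grant_script("EXAMPLE\\svc_websense_log"))
```

An empty list from missing_permissions means the account meets the stated requirements without needing sysadmin, which keeps the Log Server database account at the minimum the installer asks for.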

Log Server cannot connect to the directory service

If either of the errors below occurs, Log Server is unable to access the directory service, which is necessary for updating user-to-group mappings for reports. These errors appear in the Windows Event Viewer (see The Windows Event Viewer, page 539).

EVENT ID:4096 - Unable to initialize the Directory Service. Websense Server may be down or unreachable.

EVENT ID:4096 - Could not connect to the directory service. The groups for this user will not be resolved at this time. Please verify that this process can access the directory service.

The most common cause is that Log Server and User Service are on different sides of a firewall that is limiting access. To resolve this problem, configure the firewall to permit access over port 55815.

The default ports used for directory service communication are:

139     NetBIOS communication: Active Directory

389     LDAP communication: Active Directory, Novell eDirectory, Oracle (formerly Sun Java) Directory Server

636     SSL port: Novell eDirectory, Oracle (formerly Sun Java) Directory Server

3268    Active Directory

3269    SSL port: Active Directory

Wrong reporting page displayed


If you have deployed a V-Series appliance, the time zone settings on the TRITON management server and Log Server machines must match the time zone on the appliance.

When the time zone settings are out of sync, the wrong page is displayed when administrators attempt to open the Reporting > Investigative Reports page or the Settings > Reporting > Log Database page in the Web Security manager. A logon page or a “logon failed” message is displayed instead of the expected functionality.

To resolve this issue, update the time zone on the TRITON management server and Log Server machines to match the time zone on the appliance, then restart the off-box services.

Investigative report and presentation report issues

Presentation Reports Scheduler not connected to Log Database, page 511

Inadequate disk space to generate presentation reports, page 511

Scheduled jobs in presentation reports failed, page 512

Wrong reporting page displayed, page 510

Bandwidth is larger than expected, page 512

Some protocol requests are not being logged, page 514

All reports are empty, page 514

Microsoft Excel output is missing some report data, page 516

Saving presentation reports output to HTML, page 516

Error generating presentation report, or report does not display, page 517

Investigative reports search issues, page 517

General investigative reports issues, page 518

Presentation Reports Scheduler not connected to Log Database


When a health alert warns that Presentation Reports Scheduler is disconnected from the Log Database, do not create any scheduled jobs in presentation reports until you resolve the problem.

Any scheduled jobs that you create in presentation reports while this connection is broken are only stored temporarily; they cannot be written to the Log Database and saved permanently. As a result, the job definitions are lost when the TRITON machine has to be restarted, or any other time the Websense TRITON - Web Security service is restarted.

Make sure that the database engine is running and any network problems have been resolved. Then, restart the Websense TRITON - Web Security service.

1. On the TRITON machine, open the Windows Services tool.

2. Select Websense TRITON - Web Security in the services list.

3. Click the Restart button in the toolbar.

4. Close the Services tool after the service has started.

Inadequate disk space to generate presentation reports


By default, to generate presentation reports, Websense software uses space in the following folder on the TRITON machine:

C:\Program Files (x86)\Websense\Web Security\ReportingOutput

If the space available at this location falls below 1 GB, a warning message appears in the Health Alert Summary on the System tab of the Status > Dashboard page.

When this message appears, clear disk space on the appropriate disk of the TRITON machine to avoid problems generating presentation reports or other system performance problems.


Scheduled jobs in presentation reports failed

If one or more scheduled jobs cannot run successfully in presentation reports, the Health Alert Summary on the System tab of the Status > Dashboard page displays a warning message.

Scheduled jobs may fail for a variety of reasons, such as:

Email server information has not been configured on the Settings > Reporting > Preferences page. See Configuring reporting preferences, page 421, for instructions.

There is insufficient disk space on the TRITON machine to generate presentation reports. See Inadequate disk space to generate presentation reports, page 511, for more information.

Connectivity with the Log Database has been lost. See No Log Server is installed for a Policy Server, page 501, for more information.

The configured email server is not running. Work with your system administrator to resolve the problem.

To find out which job has failed, go to the Presentation Reports > Job Queue page.

If known problems have been resolved, mark the check box for the failed job, and then click Run Now to try the job again.

Click the Details link for the failed job to display the Job History page, which gives information about recent attempts to run the selected job.

Data on Internet browse time reports is skewed

Be aware that consolidation may skew the data for Internet browse time reports. These reports show the time users spend accessing the Internet and can include details about the time spent at each site. Internet browse time is calculated using a special algorithm, and enabling consolidation may skew the accuracy of the calculations for these reports.

Bandwidth is larger than expected

Many, but not all, Websense integrations provide bandwidth information. If your integration does not provide bandwidth information, you can configure Network Agent to perform logging so that bandwidth data is included.

When a user requests a permitted file download, the integration product or Network Agent sends the full file size, which Websense software logs as bytes received.

If the user subsequently cancels the actual download, or the file does not download completely, the bytes received value in the Log Database still represents the full file size. In these circumstances, the reported bytes received will be larger than the actual number of bytes received.

This also affects reported bandwidth values, which represent a combination of bytes received and bytes sent.

Trend data is missing from the Log Database

Trend data is inserted into the Log Database first by the ETL job (which generates daily trend data) and then by the trend job (which generates weekly, monthly, and yearly tables). This data is then used in presentation trend reports.

If there is no trend data in your database, or some trend data is missing:

Verify that you have enabled trend data retention on the Settings > Reporting > Log Database page in the Web Security manager. The Store trend data check box (under Trend Data Retention) must be marked in order for any trend data to be generated and stored.

If you are using Microsoft SQL Server Standard or Enterprise, verify that the SQL Server Agent service is running, and that it is running as the correct user. See Configuring user permissions for Microsoft SQL Server, page 509, and SQL Server Agent job, page 515.

Use the Windows Services tool to verify that the SQL Server Agent service is running.

Verify that the ETL and trend database jobs are running.

The ETL job generates daily trend data, and the trend job runs on a nightly basis to generate weekly, monthly and yearly trend values. Use SQL Server Management Studio to verify that both jobs are running. If they’re not, check for errors in the job history and restart or manually run the jobs. See Last successful ETL job ran more than 4 hours ago, page 506, for additional information.

Trend reports are not displaying data

When you use presentation reports, you can generate trend reports to provide trend information by day, week, month or year. There are separate tables in the Log Database that maintain trend data for each of these time periods.

If the trend reports you generate contain no data, first see:

All reports are empty, page 514

Error generating presentation report, or report does not display, page 517

Trend data is missing from the Log Database, page 513

If these topics don’t help to determine the problem, verify that:

The report you are running is defined for a trend period that has valid data.

There are 4 different time periods for which trend data can be stored, and for which reports can be defined: daily, weekly, monthly, or yearly. Make sure there is trend data for the time option selected for the trend report you are running.

Presentation reports is connected to the Log Database.

If the connection to the Log Database has been lost, the presentation reports tool cannot create the reports. See Log Database is not available, page 503.

There is disk space available for the report to be created and stored.

The presentation reports tool writes to the disk when it generates a report. See Inadequate disk space to generate presentation reports, page 511.

Some protocol requests are not being logged

A few protocols, such as those used by ICQ and AOL, prompt users to log into a server using one IP address, and then send a different identifying IP address and port number to the client for messaging purposes. In this case, all messages sent and received may not be monitored and logged by the Websense Network Agent, because the messaging server is not known at the time messages are exchanged.

As a result, the number of requests logged may not match the number of requests actually sent. This affects the accuracy of reports produced by Websense reporting tools.

All reports are empty

If there is no data for any of your reports, make sure that:

The active database partitions include information for the dates included in the reports. See Database partitions, page 514.

The SQL Server Agent job is active on the Microsoft SQL Server machine. (This service is not used with SQL Server Express.) See SQL Server Agent job, page 515.

Log Server is correctly set up to receive log information from Filtering Service. See Log Server configuration, page 515.

Database partitions

Websense log records are stored in partitions within the database. New partitions may be created based on size or date, depending on your database engine and configuration.

You can activate or deactivate individual partitions in the Web Security manager. If you attempt to generate a report based on information stored in deactivated partitions, no information is found and the report is empty.

To make sure the appropriate database partitions are active:

1. Go to Settings > Reporting > Log Database.

2. Scroll down to the Available Partitions section.

3. Mark the Enable check box for each partition that contains data to be included on the reports.

4. Click Save Now to implement the change.

SQL Server Agent job

If you are using a Standard or Enterprise edition of Microsoft SQL Server, it is possible that the SQL Server Agent database job has been disabled. This job must be running for the log records to be processed into the database by the ETL database job.

1. Go to Start > Administrative Tools > Services.

2. Make sure that both the MSSQLSERVER and SQLSERVERAGENT services are started.

3. Make sure that the SQLSERVERAGENT service is configured for Automatic startup. (Double-click the service name in the Services list to open a Properties dialog box that includes Startup type information.)

This ensures that SQL Server Agent restarts automatically any time SQL Server or the host machine is restarted.

If you do not have access to the SQL Server machine, ask your Database Administrator to make sure the SQL Server Agent job is running, and configured for automatic startup.
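
A scripted version of the service checks in the steps above, as an added example that is not part of the Websense documentation. It assumes PowerShell 3.0 or later, a default SQL Server instance, and that it is run on the SQL Server machine; the function name Test-SqlReportingServices is hypothetical.

```powershell
# Added example (not from the Websense documentation).
# Service names are the default-instance names used in the steps above.
# Assumption: a named instance uses MSSQL$<name> and SQLAgent$<name> instead.
$serviceSpecs = @(
    @{ Name = 'MSSQLSERVER';    RequireAutomatic = $false },
    @{ Name = 'SQLSERVERAGENT'; RequireAutomatic = $true  }
)

function Test-SqlReportingServices {
    param([Parameter(Mandatory = $true)][object[]]$Specs)

    foreach ($spec in $Specs) {
        # Win32_Service exposes State, StartMode and the logon account (StartName).
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($spec.Name)'"

        if (-not $svc) {
            [pscustomobject]@{
                Service   = $spec.Name
                State     = 'NotInstalled'
                StartMode = $null
                LogOnAs   = $null
                Problem   = 'service not found on this machine'
            }
            continue
        }

        $problems = @()
        if ($svc.State -ne 'Running') {
            $problems += "state is $($svc.State), expected Running"
        }
        # WMI reports the Automatic startup type as 'Auto'.
        if ($spec.RequireAutomatic -and $svc.StartMode -ne 'Auto') {
            $problems += "startup type is $($svc.StartMode), expected Automatic"
        }

        [pscustomobject]@{
            Service   = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            LogOnAs   = $svc.StartName   # compare with the account your deployment expects
            Problem   = ($problems -join '; ')
        }
    }
}

Test-SqlReportingServices -Specs $serviceSpecs | Format-Table -AutoSize
```

An empty Problem column for both rows means the services are started and SQL Server Agent is set to Automatic startup. The LogOnAs column shows the account each service runs as.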

Log Server configuration

Configuration settings must be correct in both the Web Security manager and Log Server to make sure that Log Server receives log information from Filtering Service. Otherwise, log data is never processed into the Log Database.

First, verify that the Web Security manager is connecting to the Log Server successfully.

1. Log on to the TRITON console with unconditional Super Administrator permissions.

2. Go to the Settings > General > Logging page.

3. Enter the IP address or hostname for the Log Server machine.

4. Enter the port that Log Server is listening on (the default is 55805).

5. Click Check Status to determine whether the Web Security manager is able to communicate with the specified Log Server.

A message indicates whether the connection test passed. Update the IP address or machine name and port, if needed, until the test is successful.

6. When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Next, verify your Log Server settings.

1. Go to the Settings > Reporting > Log Server page.

2. Under Location, verify that the Port matches the value on the Settings > General > Logging page.

3. Click OK to validate and cache any change, then click Save and Deploy to implement it.

4. If you changed the Log Server port setting, use the Windows Services tool to restart the Websense Log Server and Websense TRITON - Web Security services.

Microsoft Excel output is missing some report data

The largest number of rows that can be opened in a Microsoft Excel worksheet is 65,536. If you export a report with more than 65,536 records to Microsoft Excel format, the 65,537th and all following records are not available in the worksheet.

To assure access to all information in the exported report, do one of the following:

For presentation reports, edit the report filter to define a smaller report, perhaps by setting a shorter date range, selecting fewer users and groups, or selecting fewer actions.

For investigative reports, drill down into the data to define a smaller report.

Select a different export format.

Saving presentation reports output to HTML

If you generate a report directly from the Reporting > Presentation Reports page, you can choose from 3 display formats: HTML, PDF, and XLS. If you choose the HTML display format, you can view the report within the Web Security manager.

Printing and saving presentation reports from the browser are not recommended. The printed output includes the entire browser window, and opening a saved file launches the TRITON console.

To print or save reports more effectively, choose PDF or XLS as the output format.

You can open these file types immediately if the viewing software (Adobe Reader or Microsoft Excel) is installed on the local machine. You also can save the file to disk (the only option if the proper viewing software is not available).

After you open a report in Adobe Reader or Microsoft Excel, use that program’s print and save options to produce the desired final output.

Error generating presentation report, or report does not display

Presentation reports offers 2 options for running a report immediately: schedule the report to run in the background (default) or run the report without scheduling (if you deselect the default option).

If you run the report without scheduling (in the foreground) and select HTML format, the report is displayed in the content pane. If you select PDF or XLS format, you are given the option to open the report or save it. In some cases, instead of displaying a completed report:

The message “error generating report” is displayed.

A “report complete” message is displayed, but no report is shown.

If you encounter this issue, navigate away from the Presentation Reports page in the Web Security manager, and then run the report again. If that does not work, log off of the TRITON console and log back on before running the report again.

If the problem persists, you can:

Use the Schedule the report to run in the background option and open reports from the Review Reports page.

Use Firefox or Chrome, rather than Internet Explorer, when generating reports.

Investigative reports search issues

The Search fields above the bar chart on the main Investigative Reports page allow searches for a specific term or text string in the selected chart element. There are two potential concerns related to searching investigative reports: extended ASCII characters and search pattern matching.

If you are using Mozilla Firefox on a Linux machine to access the Web Security manager, you cannot enter extended ASCII characters in the Search fields. This is a known limitation of Firefox on Linux.

If you need to search an investigative report for a text string that includes extended ASCII characters, access the Web Security manager from a Windows machine, using any supported browser.

Sometimes, investigative reports is unable to find URLs associated with a pattern entered in the Search fields on the main investigative reports page. If this occurs, and you are reasonably certain that the pattern exists within the URLs reported, try entering a different pattern that would also find the URLs of interest.

General investigative reports issues

Some queries take a very long time. You may see a blank screen or get a message saying that your query has timed out. This can happen for the following reasons:

Web server times out

Microsoft SQL Server times out

Proxy or caching server times out

You may need to manually increase the timeout limit for these components.

If users are not in any group, they will not show up in a domain either. Both Group and Domain choices will be inactive.

Even if the Log Server is logging visits instead of hits, investigative reports label this information as Hits.

Other reporting issues

Low memory on the Real-Time Monitor machine, page 518

Real-Time Monitor is not running, page 519

Real-Time Monitor is not responding, page 519

Cannot access certain reporting features, page 520

No charts appear on the Status > Dashboard page, page 520

There is a forensics data configuration problem, page 520

The forensics repository location could not be reached, page 521

Forensics data will soon exceed a size or age limit, page 521

Websense Multiplexer is not running or not available, page 522

Low memory on the Real-Time Monitor machine

This alert is displayed when available memory on the Real-Time Monitor machine is at 15% or less of total memory. Low memory can prevent Real-Time Monitor from receiving, displaying, and storing some or all records.

This can result in gaps in the data displayed in the monitor, or prevent the monitor’s server and database components from running at all.

Use the Windows Task Manager to evaluate memory usage on the Real-Time Monitor machine. To solve the problem, you can:

Upgrade the RAM on the machine.

Move applications or components with high memory requirements to another machine.

Move Real-Time Monitor to a machine with more available memory.

Real-Time Monitor is not running

This alert is displayed when the Websense RTM Server service is stopped.

Use the Windows Services tool to verify that all 3 Real-Time Monitor services are started, and to start any of the following services that have stopped:

Websense RTM Database

Websense RTM Server

Websense RTM Client

If any service will not start:

Check the Windows Event Viewer for any errors or warnings from Websense RTM Server.

Check the WebsenseRTMMemoryOutput0.log file (located, by default, in the C:\Program Files or Program Files (x86)\Websense\Web Security\rtm\logs directory) for information about Real-Time Monitor memory usage.

Make sure that there are sufficient resources (memory, hard disk, and CPU) available for the services to run.

If the service is running, but the alert continues to appear, this may indicate that Real-Time Monitor was unable to register with Policy Server. Verify that the Policy Server associated with this Real-Time Monitor instance is running, and that the Real-Time Monitor machine can communicate with the Policy Server machine on port 55836 (encrypted communication) or 55856 (non-encrypted communication).

If the services do start, make sure that they are configured for Automatic (not Manual) startup.

Real-Time Monitor is not responding

If Real-Time Monitor is installed on a different machine from the TRITON Unified Security Center, use the ping command to make sure that the 2 machines can communicate across the network. Also verify that the TRITON machine can communicate with Real-Time Monitor on port 9445 (for user interface display).

In addition, Real-Time Monitor must be able to communicate with:

Usage Monitor on port 55835

Policy Server on port 55836 (encrypted communication) or 55856 (non-encrypted communication)
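
The port checks described above, as an added PowerShell example that is not part of the Websense documentation. The host addresses are placeholders from the 192.0.2.0/24 documentation range, the function names are hypothetical, and PowerShell 3.0 or later is assumed; the port numbers are the ones listed above.

```powershell
# Added example (not from the Websense documentation).
# Replace the placeholder addresses with your own machines.
$RtmHost          = '192.0.2.10'   # placeholder: Real-Time Monitor machine
$UsageMonitorHost = '192.0.2.20'   # placeholder: Usage Monitor machine
$PolicyServerHost = '192.0.2.30'   # placeholder: Policy Server machine

# Returns $true if a TCP connection to HostName:Port completes within the timeout.
function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return $false              # filtered or unreachable: no answer in time
        }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

# Runs the checks that apply to the machine the script is started on.
function Test-RtmConnectivity {
    param([Parameter(Mandatory = $true)][ValidateSet('TRITON', 'RTM')][string]$RunningOn)

    if ($RunningOn -eq 'TRITON') {
        $checks = @(
            @{ Target = 'Real-Time Monitor (user interface)'; Address = $RtmHost; Ports = @(9445) }
        )
    }
    else {
        $checks = @(
            @{ Target = 'Usage Monitor'; Address = $UsageMonitorHost; Ports = @(55835) },
            # Policy Server listens on one port or the other, so either one passing is enough.
            @{ Target = 'Policy Server'; Address = $PolicyServerHost; Ports = @(55836, 55856) }
        )
    }

    foreach ($check in $checks) {
        $open = @($check.Ports | Where-Object { Test-TcpPort -HostName $check.Address -Port $_ })
        $result = 'UNREACHABLE'
        if ($open.Count -gt 0) { $result = 'OK' }
        [pscustomobject]@{
            Target    = $check.Target
            Address   = $check.Address
            Tried     = ($check.Ports -join ', ')
            Reachable = ($open -join ', ')
            Result    = $result
        }
    }
}

# On the Real-Time Monitor machine:
Test-RtmConnectivity -RunningOn RTM | Format-Table -AutoSize
# On the TRITON machine, use: Test-RtmConnectivity -RunningOn TRITON
```

For Policy Server, the Reachable column shows which of the two ports answered, which also tells you whether the encrypted (55836) or non-encrypted (55856) channel is the one in use.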

If there is not a network communication problem, Real-Time Monitor may be experiencing resource constraints.

Check memory, CPU usage, and available disk space on the Real-Time Monitor machine.

Note that the RTM Database can hold a maximum of 10,000 records, which should help to limit its impact on available disk space.

The database may be receiving too many requests, or be unable to accept additional connections.

If the Windows Event Viewer shows Websense RTM Database errors, you can restart the service to address the problem.

Note that when the database is restarted, all records are cleared, so older data is lost. Data that is not available for display in Real-Time Monitor is still stored in the Log Database, and can be seen in investigative and presentation reports.

Cannot access certain reporting features

If your Web browser has popup blocking at a very strict setting, it may block certain reporting features. To use those features, you must decrease the blocking level or disable popup blocking entirely.

No charts appear on the Status > Dashboard page

Typically, the Status > Dashboard page displays charts and other elements showing the status of your Web Security deployment.

If you have just deployed a Websense Web Security solution, there may not be any reporting data to display. You can use a tool like TestLogServer to see whether traffic is currently being logged. See the Using TestLogServer for Web Security Troubleshooting technical article for instructions.

In organizations that use delegated administration, review the reporting permissions for the delegated administrator’s role. If View dashboard charts is not selected, these charts do not appear for delegated administrators in that role.

If the TRITON console loses its connection to the Log Database (for example, because of a network problem, or because the Microsoft SQL Server instance hosting the database is down), no data can be displayed. Check the Status > Alerts page for alerts relating to the Log Database.

There is a forensics data configuration problem

When forensics data collection is enabled on the Settings > Reporting > Dashboard page in the Web Security manager, transaction details related to attempts to send data out of your network, as well as the actual data files involved, are recorded in a forensics repository.

In rare circumstances, files used to enable collection and storage of this forensic data may be damaged or corrupted. Assistance from Websense Technical Support is required to resolve such issues.

The forensics repository location could not be reached

When forensics data collection is enabled on the Settings > Reporting > Dashboard page in the Web Security manager, the administrator provides a location (local directory or UNC path) for storing the file, and credentials for an account with read, write, and delete permissions to the specified directory.

If a health alert indicates problems reaching the forensics repository location, verify that:

The path and credential information on the Settings > Reporting > Dashboard page is correct.

The specified account does have read, write, and delete permissions to the directory.

No network problem impedes communication between the TRITON Management Server and the remote machine.

Forensics data will soon exceed a size or age limit

When forensics data collection is enabled on the Settings > Reporting > Dashboard page in the Web Security manager, the administrator sets both a maximum size (in GB) for the repository, and a maximum length of time (in days) for storing forensic data.

When the size of the forensics repository approaches the limit, a health alert is displayed. When the limit is reached, the oldest records are deleted, one day’s worth at a time, until there is room for new, incoming records to be stored.

If the size limit has not been reached, but records are approaching the maximum record age, the health alert is also displayed. When the age limit is reached, records exceeding that limit are deleted.

There is no mechanism available for retrieving deleted forensic data.

Websense Multiplexer is not running or not available

When SIEM integration is enabled for Websense Web Security solutions, Websense Multiplexer passes Internet activity data (logs) from Filtering Service to both Log Server and the configured SIEM product.

If Multiplexer is not running or not available, a failover feature ensures that Filtering Service passes log data to Log Server. No data, however, is sent to the SIEM product.

To resolve this issue in a Websense appliance-based deployment:

1. If you have not enabled the Multiplexer service, go to the Administration > Toolbox > Command Line Utility in Appliance Manager.

Select multiplexer, then use the enable command.

2. If Multiplexer has already been enabled, but is not running, go to the Status > General page in Appliance Manager and restart the Websense Web Security module.

To resolve this issue in a software-only deployment:

1. Start or restart the Multiplexer service or daemon:

Windows: Use the Services tool to start (or restart) the Websense Multiplexer service.

Linux: Use the /opt/Websense/WebsenseDaemonControl command to start (or restart) Multiplexer.

2. If the service is unable to restart, the Multiplexer Controller executable may have become unresponsive.

Windows: Use Task Manager to stop the MuxCtrl.exe process, then use the Services tool to start Websense Multiplexer.

Linux: Kill the MuxCtrl process, then use the /opt/Websense/WebsenseDaemonControl command to start Multiplexer.

Interoperability issues

Content Gateway is not running, page 523

Content Gateway is not available, page 523

Content Gateway non-critical alerts, page 524

Administrator unable to access other TRITON modules, page 526

Sync Service is not available, page 527

Sync Service has been unable to download log files, page 528

Sync Service has been unable to send data to Log Server, page 528

Hybrid policy enforcement data does not appear in reports, page 528

Disk space is low on the Sync Service machine, page 529

The Sync Service configuration file, page 529

Directory Agent is not running, page 530

Directory Agent cannot connect to the domain controller, page 531

Directory Agent does not support this directory service, page 533

The Directory Agent configuration file, page 533

Directory Agent command-line parameters, page 535

Alerts were received from the hybrid service, page 535

Unable to connect to the hybrid service, page 536

Hybrid service unable to authenticate connection, page 536

Missing key hybrid configuration information, page 537

Hybrid failover proxy removed from explicit proxies list, page 538

Content Gateway is not running

When a Content Gateway instance registers with Policy Server, that connection is tracked in the Web Security manager. Information about the Content Gateway instance appears on the Settings > General > Content Gateway Access page, and in the Filtering Service Summary on the System tab of the Status > Dashboard page.

If the registered instance stops, or is removed, a health alert message is displayed in the Web Security manager.

If the instance has stopped unexpectedly, check the syslog file on the Content Gateway machine for information about what caused the failure.

If you have relocated Content Gateway to another IP address or physical machine, or if you have removed an instance that was not needed, you can manually remove the instance from the Settings > General > Content Gateway Access page to stop the health alert from being displayed.

Content Gateway is not available

When a Content Gateway instance registers with Policy Server, that connection is tracked in the Web Security manager. Information about the Content Gateway instance appears on the Settings > General > Content Gateway Access page, and in the Filtering Service Summary on the System tab of the Status > Dashboard page.

If Web Security components can no longer communicate with the registered instance, a health alert message is displayed in the Web Security manager.

Make sure that the Content Gateway machine is up, and that Content Gateway is running.

This alert may indicate a network problem. Verify that Content Gateway can communicate with the Policy Server (ports 55806 and 55880) and Filtering Service (port 15868) machines.

Content Gateway non-critical alerts

When you receive notification that non-critical alerts have been received from a Content Gateway instance, any of the following errors or conditions may have occurred. To determine which error occurred, check the Content Gateway manager associated with the affected Content Gateway instance.

Use the table below to get an overview of the error condition. More detailed information can be found in the system, error, and event log files on the Content Gateway machine.

Alert: Content Gateway process reset
Description: A problem that caused Content Gateway to restart. See the Content Gateway syslog file for information about what caused the reset.

Alert: Cache configuration issue
Description: Content Gateway was unable to configure a cache. See “Configuring the Cache” in the Content Gateway Manager Help for more information.

Alert: Unable to create cache partition
Description: An error occurred during cache configuration. See “Configuring the Cache” in the Content Gateway Manager Help.

Alert: Unable to initialize cache
Description: A cache failure occurred. Content Gateway tolerates disk failure on any cache disk. If the disk fails completely, Content Gateway marks the disk as corrupt and continues using the remaining disks. See “Configuring the Cache” in the Content Gateway Manager Help.

Alert: Unable to open configuration file
Description: There is a problem in a configuration file. Check the system log for information about which file is affected. Permissions to the file or directory may have changed. If the file was edited outside the Content Gateway manager, there may be invalid syntax or other problems preventing the file from being read.

Alert: Invalid fields in configuration file
Description: One or more parameters or parameter values in a configuration file is incorrect. Check the system log for information about which file is affected.

Alert: Unable to update configuration file
Description: There is a problem preventing a configuration file from being saved. Check the system log for information about which file is affected.

Alert: Clustering peer operating system mismatch
Description: The nodes in a cluster must be homogeneous, with the same hardware platform and operating system version.

Alert: Could not enable virtual IP addressing
Description: Content Gateway attempted to enable virtual IP address failover, but failed. This often occurs when the designated virtual IP address is already in use in the network. Like all IP addresses, virtual IP addresses must be pre-reserved before they can be assigned to Content Gateway.

Alert: Connection throttle too high
Description: A connection throttle event occurs when client or origin server connections reach 90% of half the configured connection limit (45000 by default). When you raise the connection throttle limit, the system must have adequate memory to handle the client connections required. A system with limited RAM might need a throttle limit lower than the default value.

Alert: Host database disabled
Description: The host database stores the Domain Name Server (DNS) entries of origin servers to which the proxy connects. It tracks DNS information (for fast conversion of hostnames to IP addresses), the HTTP version of each host (so advanced protocol features can be used with hosts running modern servers), and host reliability and availability information (to avoid waits for nonfunctional servers).

Alert: Logging configuration error
Description: Content Gateway can be configured to log transactions, errors, or both to a location that you specify. See “Working with Log Files” in the Content Gateway Manager Help for information about logging.

Alert: Unable to open Content Gateway Manager
Description: Content Gateway is unable to set up a socket to handle management API calls to start the Web interface.

Alert: ICMP echo failed for a default gateway
Description: A Content Gateway node failed to contact its default gateway while assigning virtual IP addresses for a cluster. The node will shut down.

Alert: HTTP origin server is congested
Description: When Content Gateway is deployed as a Web proxy cache, user requests for Web content pass through Content Gateway on the way to the destination Web server (origin server). When a client requests an HTTP object that is stale in the cache, Content Gateway revalidates the object, querying the origin server to check if the object is unchanged. If the origin server is congested (unable to accept additional connections), and does not respond to the revalidation query, the proxy does not perform any validation; it serves the stale object from the cache.

Alert: Congestion alleviated on the HTTP origin server
Description: An origin server that previously denied connection attempts is now accepting requests again.

Alert: Content scanning skipped
Description: Content Gateway did not scan content for a requested site that would have ordinarily been scanned. This may occur when Content Gateway is experiencing too many connections, or inadequate system resources (CPU and memory).

Alert: WCCP configuration error
Description: See the “WCCP Configuration” section of the Content Gateway Manager Help for configuration parameter details.

Administrator unable to access other TRITON modules

If you receive an error when you click Data Security or Email Security in the TRITON console, the local or network account that you use to log on to the TRITON console may not have been granted Data Security or Email Security access permissions.

A Global Security Administrator must give an administrator access to each module on the TRITON Settings > Administrators page before an administrator can switch between TRITON modules.

The default TRITON Unified Security Center administrator account, admin, has full access to all installed modules.

See the TRITON Console Help (which can be opened from the Help menu on any TRITON Settings page) for more information.

Sync Service is not available

In Websense Web Security Gateway Anywhere deployments, Websense Sync Service is responsible for communication between the on-premises and hybrid services. Sync Service:

Sends policy configuration data to the hybrid service

Sends user information collected by Directory Agent to the hybrid service

Receives reporting log records from the hybrid service

If you have not yet activated your hybrid service account, or if you have attempted to activate the hybrid service, but have not been able to do so, note that your local Websense software components must be able to communicate with Sync Service before the connection to the hybrid service can be created.

To troubleshoot this issue, make sure that:

Sync Service is running.

Sync Service is successfully binding to the correct IP address and port.

The IP address and port that Sync Service is attempting to use are listed in the syncservice.ini file, located in the Websense bin directory on the Sync Service machine.

The IP address and port shown on the Settings > Hybrid Configuration > Shared User Data page in the Web Security manager must match those listed in the syncservice.ini file. If you update the configuration file, also manually update the Settings page.

The IP address and port in the syncservice.ini file must match the Sync Service IP address and port values in the das.ini file (located in the Websense bin directory on the Directory Agent machine).

Verify that no other service on the Sync Service machine is binding to the IP address and port that Sync Service is attempting to use. If you suspect that Sync Service is unable to bind to the correct IP address and port, stop the service, open a command prompt, and try to start the service in console mode:

syncservice -c

In console mode, Sync Service displays the IP address and port that it is using, or displays an error, if it is unable to bind to the IP address and port.

The Sync Service machine can communicate with the Policy Broker machine on port 55880.

The Sync Service machine can connect to the Policy Server machine on ports 55806 and 40000, and receive data from Policy Server on ports 55830 and 55831.

The TRITON management server machine can create an HTTP connection to the Sync Service machine on port 55832.

Also check the Windows Event Viewer or websense.log file for errors from Sync Service.

Sync Service has been unable to download log files

Sync Service attempts to connect to the hybrid service to download reporting log files at an interval that you configure (see Schedule communication with the hybrid service). If Sync Service is unable to make the connection, or if Sync Service is unable to retrieve the log files after connecting, the following problems may occur:

The hybrid service stores log files for only 14 days. After that period, the files are deleted, and cannot be recovered. When this occurs, your organization is no longer able to report on hybrid policy enforcement activity recorded in those logs.

Depending on the volume of Internet activity that your organization sends through the hybrid service, reporting log files may grow quickly. If Sync Service is unable to download log files for a day or more, the bandwidth required to download the files and the disk space required to temporarily store them may be substantial.

To address this issue, check the Status > Hybrid Service page to verify that Sync Service is able to connect to the hybrid service. See Unable to connect to the hybrid service for more troubleshooting steps.

If Sync Service is connecting to the hybrid service, but cannot retrieve log records, check the Status > Alerts page for information from the hybrid service. Also check the administrative email address associated with your hybrid service account.

Sync Service has been unable to send data to Log Server

After Sync Service downloads reporting log files from the hybrid service, it passes the files to Log Server so that they can be processed into the Log Database and included in reports. If Sync Service cannot pass the data to Log Server, log files may accumulate on the Sync Service machine, consuming potentially large amounts of disk space.

Use the telnet command to verify that it is possible for the Sync Service machine to connect to the Log Server machine on port 55885.

Make sure that Log Server is running, and that no Log Server errors appear on the Status > Alerts page.

Hybrid policy enforcement data does not appear in reports

If Internet activity information for users managed by the hybrid service does not appear in reports, first make sure that:

A hybrid logging port is configured on the Settings > General > Logging page. See Configuring how requests are logged.

The Have the hybrid service collect reporting data for the clients it filters check box is selected on the Settings > Hybrid Configuration > Scheduling page. See Schedule communication with the hybrid service.

The Status > Hybrid Service page shows that Sync Service has successfully connected to the hybrid service, and retrieved log records. See Monitor communication with the hybrid service.

No health alerts appear on the System tab of the Status > Dashboard page indicating Sync Service communication problems or Log Server errors. See Sync Service has been unable to send data to Log Server.

If you are running version 7.8.1 and your deployment uses distributed logging, in which multiple, remote Log Servers send data to a centralized Log Server instance, also make sure that Sync Service is configured to communicate with the central Log Server. Hybrid logging data cannot be passed to the central Log Server by remote Log Server instances in version 7.8.1.

Disk space is low on the Sync Service machine

If Sync Service is unable to pass reporting log files collected by the hybrid service to Log Server in a timely manner, log files may accumulate on the Sync Service machine, consuming large amounts of disk space. To avoid this issue:

Make sure that Sync Service is collecting reporting log data from the hybrid service at appropriate intervals. The more Internet activity your organization sends through the hybrid service, the more frequently log files should be downloaded to avoid large backlogs.

Make sure that the Sync Service machine is able to connect to the Log Server machine on port 55885.

Allocate sufficient resources on the Sync Service machine for the volume of reporting data being processed.

The Sync Service configuration file

Use the syncservice.ini file to configure aspects of Sync Service behavior that cannot be configured in the Web Security manager.

The syncservice.ini file is located in the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin, by default).

Use a text editor to edit the file.

When you are finished making changes, save and close the file, and then restart Sync Service. Changes do not take effect until the service has restarted.

The file contains the following information:

SyncServiceHTTPAddress: The IP address that Sync Service binds to for communication with Directory Agent and the Web Security manager. It must match the Sync Service IP address on the Settings > Hybrid Configuration > Shared User Data page.

SyncServiceHTTPPort: The port that Sync Service listens on for communication from Directory Agent and the Web Security manager (default 55832). It must match the Sync Service port displayed on the Settings > Hybrid Configuration > Shared User Data page.

UseSyncServiceProxy: Indicates whether Sync Service goes through a proxy to connect to the hybrid service. Values are true or false.

SyncServiceProxyAddress: The IP address of the proxy through which Sync Service connects to the hybrid service.

SyncServiceProxyPort: The port of the proxy through which Sync Service connects to the hosted service.

SyncServiceProxyUsername: The user name (if required) that Sync Service uses to connect to the proxy in order to contact the hybrid service.

SyncServiceProxyPassword: The password (if required) that Sync Service uses to connect to the proxy in order to contact the hybrid service.

Directory Agent is not running

In Websense Web Security Gateway Anywhere deployments, Websense Directory Agent gathers user information from your directory service and sends it to the hybrid service for use in applying policies.

When Directory Agent is not available, the hybrid service’s user data may become outdated.

Make sure that Directory Agent is installed (software) or enabled (appliance), and that the service or daemon is running.

Appliance: Go to the Status > General page in Appliance Manager and verify that Websense Directory Agent appears as a running service.

If Directory Agent is listed as a disabled service (in pale gray), go to the Administration > Toolbox > Command Line Utility page and select directory-agent-service, then enable.

If Directory Agent is enabled but not running, restart the Websense Web Security module.

Windows: Use the Windows Services tool to start the service or verify that it is running.

Linux: Use the /opt/Websense/WebsenseDaemonControl command to start the daemon or verify that it is running.

If Directory Agent is running, but the alert message continues to appear, verify that:

The Directory Agent machine can communicate with the Policy Server machine (ports 40000 and 55806).

The Directory Agent machine can communicate with the Sync Service machine (port 55832).

The firewall permits communication on the Directory Agent port (55900).
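The port checks listed for the Sync Service and Directory Agent machines can be run as one script instead of one telnet session per port. The following Python script is an added example, not part of the Websense documentation: the role names, the `probe` and `check_role` helpers and the placeholder hostnames are assumptions of this example, and only the port numbers come from this chapter.

```python
import socket

# Outbound TCP connections named in this chapter, keyed by the machine the
# check runs on. Role names are labels invented for this example.
# Not covered: ports 55830/55831 (inbound to Sync Service from Policy Server)
# and port 443 to the hybrid service (its hostname is not given here).
PORT_MATRIX = {
    "sync_service": [("policy_broker", 55880), ("policy_server", 55806),
                     ("policy_server", 40000), ("log_server", 55885)],
    "directory_agent": [("policy_server", 40000), ("policy_server", 55806),
                        ("sync_service", 55832)],
    "triton_management_server": [("sync_service", 55832)],
}

# What each result usually points to, in terms of the checks in the manual.
NEXT_STEP = {
    "open": "port reachable",
    "refused": "host answered but nothing is listening: confirm the service "
               "is running and bound to this IP address and port",
    "filtered": "no answer before the timeout: look for a firewall or "
                "routing problem between the two machines",
}


def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:  # name resolution failure, no route, and so on
        return f"error: {exc}"


def check_role(role, hosts, timeout=3.0):
    """Probe every port that the machine in `role` must be able to reach.

    `hosts` maps a target role name to its hostname or IP address.
    Returns a list of (target_role, port, status) tuples.
    """
    results = []
    for target, port in PORT_MATRIX[role]:
        host = hosts.get(target)
        status = probe(host, port, timeout) if host else "no host configured"
        results.append((target, port, status))
    return results


def report(role, hosts):
    """Format the results for `role` as printable lines."""
    lines = []
    for target, port, status in check_role(role, hosts):
        hint = NEXT_STEP.get(status, "see the error text")
        lines.append(f"{role} -> {target}:{port}  {status}  ({hint})")
    return lines


if __name__ == "__main__":
    # Placeholder hostnames; replace them with the machines in your deployment.
    example_hosts = {
        "policy_broker": "policy-broker.example",
        "policy_server": "policy-server.example",
        "log_server": "log-server.example",
        "sync_service": "sync-service.example",
    }
    for line in report("sync_service", example_hosts):
        print(line)
```

A "refused" result from the Directory Agent machine to port 55832 matches the Sync Service binding problem described earlier, while "filtered" points to the firewall checks.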

If the service starts, but does not continue to run:

Check the Administration > Logs page (Appliance), Event Viewer (Windows), or websense.log file (Linux) for errors.

For software installations, navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default) and verify that the das.ini file exists, and that it has not been corrupted or truncated.

Make sure that there is enough disk space on the Directory Agent machine to store a full snapshot of your directory. For example, a snapshot of a 200,000 user directory requires about 100 MB of disk space.

Make sure that there is enough available memory for Directory Agent to compare its current snapshot with the previous one. For example, comparing snapshots of a 200,000 user directory requires about 100 MB of memory.

Directory Agent cannot connect to the domain controller

Directory Agent must be able to connect to the domain controller to gather user information from the directory service. If there are communication problems between the Directory Agent machine and the domain controller, the hybrid service’s user data may become outdated, leading to incorrect policy enforcement.

To troubleshoot this problem:

Make sure that the Directory Agent machine is bound to the domain, and that the firewall permits communication on the directory service port.

Port    Used for:
139     NetBIOS communication: Active Directory
389     LDAP communication: Active Directory, Novell eDirectory, Oracle (formerly Sun Java) Directory Server
636     SSL port: Novell eDirectory, Oracle (formerly Sun Java) Directory Server
3268    Active Directory
3269    SSL port: Active Directory

Go to the Settings > General > Directory Services page in the Web Security manager and verify that your directory service configuration has not changed since you last updated your Directory Agent settings.

Go to the Settings > Hybrid Configuration > Shared User Data page and verify that Directory Agent is attempting to search a valid context (path) for user and group information. To do this:

If you are using Windows Active Directory, click a directory server name or IP address, and then click Test Context. Repeat this process for each global catalog server.

If you are using Oracle (formerly Sun Java) Directory Server or Novell eDirectory, click Test Context.

On the Shared User Data page, also make sure that the context is not only valid, but appropriate. The context should be limited to include only those users and groups filtered by the hybrid service.

Still on the Shared User Data page, make sure that the Directory Search option is set correctly, so that Directory Agent is searching only the relevant portion of your directory service.

Verify that it is possible to connect to the directory service IP address and port from the Directory Agent machine.

Directory Agent communication issues

If Directory Agent is prevented from communicating with the directory service to gather user information, or if Directory Agent cannot connect to Sync Service, updated user and group information cannot be sent to the hybrid service.

Communication problems can occur if:

There is a problem in the network.

The ports used for directory service (see table) or Sync Service (55832) communication are blocked between the Directory Agent machine and the target machine.

Port    Used for:
139     NetBIOS communication: Active Directory
389     LDAP communication: Active Directory, Novell eDirectory, Oracle (formerly Sun Java) Directory Server
636     SSL port: Novell eDirectory, Oracle (formerly Sun Java) Directory Server
3268    Active Directory
3269    SSL port: Active Directory

Directory Agent is using incorrect credentials, or the target service is unable to authenticate the connection.

A service is not available, because of a service restart or a machine reboot, for example.

To determine what is causing the communication problem, consult the Windows Event Viewer or websense.log file for detailed information.

Directory Agent does not support this directory service

Directory Agent is only able to retrieve user and group information from LDAP-based directory services. Windows Active Directory (Mixed Mode) is not supported. The supported directory services include:

Windows Active Directory (Native Mode)

Oracle (formerly Sun Java System) Directory

Novell eDirectory

If you are not using a supported directory service, the hybrid service can still manage filtered locations. User and group-based policy enforcement, however, cannot be performed.

The Directory Agent configuration file

Use the das.ini file to configure aspects of Directory Agent behavior that cannot be configured in the Web Security manager. These include the maximum memory the agent can use, the maximum threads it can create, the directory where it should store user information snapshots, and more.

The das.ini file is located in the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default).

Use a text editor to edit the file.

For parameters that can take multiple values, use the pipe symbol (“|”) to separate entries.

For parameters that are either enabled or disabled, the only valid values are 0 (for disable) and 1 (for enable). In this file, the values “on” and “off” cannot be used.

When you are finished making changes, save and close the file, and then restart the Directory Agent service or daemon. Changes do not take effect until the service has restarted.

Key values that can be configured in the file include:

The maximum amount of memory that Directory Agent can use, in megabytes (MB). If Directory Agent is configured to collect a very large number of directory entries (more than 200,000 user or group definitions), you may need to increase this number.

MaxMemory=100

The full directory path showing where Directory Agent stores directory service snapshots (complete views of the directory, used to determine what has changed between one query and the next).

SnapshotDir=./snapshots/

This relative path translates to C:\Program Files or Program Files (x86)\Websense\bin\snapshots (Windows) or /opt/Websense/bin/snapshots/ (Linux).

The full directory path showing where Directory Agent stores the LDIF files that Sync Service sends to the hybrid service.

DiffDir=./diffs/

The regular expression Directory Agent uses to validate email addresses in LDAP records. Records whose email addresses do not match the pattern are dropped. For example:

[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?

Leave the parameter blank (default) if you do not want Directory Agent to perform email address validation.

EmailValidateRegex=

The number of times Directory Agent retries after a failed attempt to connect to Sync Service. Takes an integer value between 1 and 65535.

SyncServiceRetryCount=5

The number of seconds Directory Agent waits between retry attempts when establishing a connection to Sync Service. Takes an integer value between 1 and 65535.

SyncServiceRetryDelay=60

The number of times Directory Agent retries after a failed attempt to connect to the directory service. Takes an integer value between 1 and 65535.

DirServiceRetryCount=5

The number of seconds Directory Agent waits between retry attempts when establishing a connection to the directory service. Takes an integer value between 1 and 65535.

DirServiceRetryDelay=60

The number of seconds the Directory Agent backup subsystem waits between attempts to reconnect to Sync Service. The backup subsystem is responsible for verifying that user data is successfully received by Sync Service and sent to the hybrid service. In the event of a failure, the backup subsystem makes sure that the LDIF file that could not be sent is preserved for a later retry attempt.

Takes an integer value between 1 and 65535.

BackupPollPeriod=60

The number of times the Directory Agent backup subsystem attempts to reconnect to Sync Service to determine the status of the last transaction. Takes an integer value between 1 and 65535.

BackupRetryCount=60

Configuration settings if you are using Sun Java System Directory or Oracle Directory Server to send user and group information to the hybrid service. Enable these parameters by removing the # symbol from the beginning of the lines.

# GroupMembershipAttribute=uniqueMember

# MemberOfAttribute=memberOf

Whether or not Directory Agent follows LDAP referrals. Takes a value of 1 (enabled) or 0 (disabled).

EnableLDAPReferrals=1
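The value rules above (0 or 1 for enable/disable settings, integers from 1 to 65535 for the retry settings) and the effect of EmailValidateRegex can be checked before Directory Agent is restarted. The following Python script is an added example, not Websense code: it assumes das.ini is plain key=value text, and it assumes a whole-value, case-sensitive match using Python's re module, because the manual does not state which regex engine or matching mode Directory Agent uses. The sample file and the mail values are constructed.

```python
import re

# Constructed sample das.ini (not from a real deployment). Three values break
# the rules stated in the manual; the regex is the manual's example pattern.
SAMPLE_DAS_INI = r"""
MaxMemory=100
SnapshotDir=./snapshots/
DiffDir=./diffs/
EmailValidateRegex=[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?
SyncServiceRetryCount=0
SyncServiceRetryDelay=60
DirServiceRetryCount=5
DirServiceRetryDelay=70000
BackupPollPeriod=60
BackupRetryCount=60
# GroupMembershipAttribute=uniqueMember
EnableLDAPReferrals=on
"""

# Constructed mail attribute values, as they might appear in LDAP records.
SAMPLE_MAIL_VALUES = ["alice@example.com", "Bob.Smith@Example.com",
                      "carol@localhost", "dave.o'neil@mail.example.org"]

INT_RANGE_KEYS = {"SyncServiceRetryCount", "SyncServiceRetryDelay",
                  "DirServiceRetryCount", "DirServiceRetryDelay",
                  "BackupPollPeriod", "BackupRetryCount"}  # 1 to 65535
FLAG_KEYS = {"EnableLDAPReferrals"}  # 0 or 1 only; "on"/"off" are invalid


def parse_ini(text):
    """Return {key: value} for active lines; '#' lines are disabled settings.

    Assumption: plain key=value lines; any [section] headers are skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")  # split at the first '=' only
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def _as_int(value):
    """Return the value as an int, or None if it is not plain ASCII digits."""
    return int(value) if re.fullmatch(r"[0-9]+", value) else None


def validate(settings):
    """Return (key, problem) tuples for values the manual rules out."""
    problems = []
    for key in sorted(INT_RANGE_KEYS.intersection(settings)):
        number = _as_int(settings[key])
        if number is None or not 1 <= number <= 65535:
            problems.append((key, "must be an integer from 1 to 65535"))
    for key in sorted(FLAG_KEYS.intersection(settings)):
        if settings[key] not in ("0", "1"):
            problems.append((key, "must be 0 or 1"))
    pattern = settings.get("EmailValidateRegex", "")
    if pattern:
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append(("EmailValidateRegex", f"does not compile: {exc}"))
    return problems


def dropped_addresses(pattern, addresses):
    """Addresses that fail the pattern; their records would be dropped.

    Assumption: whole-value, case-sensitive match (Python re as stand-in).
    """
    if not pattern:  # blank (the default) disables validation
        return []
    compiled = re.compile(pattern)
    return [addr for addr in addresses if not compiled.fullmatch(addr)]


if __name__ == "__main__":
    parsed = parse_ini(SAMPLE_DAS_INI)
    for key, problem in validate(parsed):
        print(f"{key}={parsed[key]!r}: {problem}")
    for addr in dropped_addresses(parsed["EmailValidateRegex"], SAMPLE_MAIL_VALUES):
        print(f"would be dropped: {addr}")
```

Under those assumptions the manual's example pattern rejects any address that contains uppercase letters, so run a candidate pattern against an export of your directory's mail values before setting it.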

Directory Agent command-line parameters

Directory Agent has a command-line interface that you can use to install, uninstall, start, and stop the agent if necessary. You can also print version and usage information about the agent.

To start Directory Agent in console mode (as an application), open a command prompt and navigate to the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default) and enter the following:

DAS.exe -c

Directory Agent accepts the following command-line parameters. Note that some parameters can only be used in Microsoft Windows environments.

Parameter    Description
-i    Installs Directory Agent service. Registers itself with the operating system (Windows only).
-u    Uninstalls Directory Agent service. (Windows only).
-c    Runs Directory Agent in console mode.
-r    Runs Directory Agent as daemon or service.
-s    Stops the Directory Agent service. (Windows only).
-v    Prints version information about the Directory Agent service.
-h, -?, -help, <no option>    Prints usage information about the Directory Agent service.

Alerts were received from the hybrid service

When the hybrid service encounters a problem that could affect your organization, it sends an alert to your installation of Sync Service. Alerts are sent for issues that affect either the hybrid service as a whole, or that are specific to your account. When the alert is received:

A general alert is displayed under Health Alerts on the System tab of the Status > Dashboard page in the Web Security manager.

A more specific alert is shown on the Status > Alerts page under Hybrid Filtering Alerts.

If there are steps that you can take to correct the problem (for example, prompting Directory Agent to re-send user information, or clicking Save and Deploy to prompt Sync Service to re-send policy information), that information is included in the detailed alert message on the Status > Alerts page.

In many cases, alerts from the hybrid service are informational, making sure that you are aware that a temporary issue may be preventing user or policy information from being received, or reporting data from being sent. No action on your part is required to address such issues.

When the condition causing the problem has been resolved, both the System dashboard summary alert and the alerts on the Status > Alerts page are cleared.

Unable to connect to the hybrid service

The on-premises and hybrid portions of your Websense Web Security Gateway Anywhere solution must communicate regularly to ensure consistent policy enforcement and accurate reporting.

Sync Service may be prevented from accessing the hybrid service due to network problems affecting either Internet or internal network connections.

Use a browser or the ping utility to verify that the Sync Service machine can connect to the Internet.

Make sure that an HTTPS connection to the Internet can be established from the Sync Service machine. Sync Service uses port 443 to connect to the hybrid service.

Make sure that Sync Service can communicate with other on-premises components in the network via ports 55830 and 55831.

Also verify that there is not a problem preventing the hybrid service from accepting the Sync Service connection.

Check the Hybrid Filtering Alerts table on the Status > Alerts page for information from the hybrid service.

Make sure that administrators have been monitoring the email account provided as a contact address on the Settings > General > Account page for messages from Websense Technical Support.

Hybrid service unable to authenticate connection

In environments that use the hybrid service, Sync Service provides an account identifier each time it connects to the hybrid service to send or retrieve information.

This identifier is unique to your organization, and updated each time the admin password changes.

Under rare circumstances, possibly involving a serious problem with the Policy Database, the connection between your on-premises software and the hybrid service may be lost. In these cases, you must request a security token, used to generate a new identifier for your hybrid service account. The security token is sent to the contact email address specified on the Settings > General > Account page in the Web Security manager.

To request a new token:

1. Click the Get Token button that appears next to the “unable to authenticate connection” alert on the Status > Alerts page in the Web Security manager.

2. Verify that you receive a success message stating that the request has been sent to the hybrid service.

3. Monitor the administrative email account associated with your hybrid service account. It may take some time for the request for a new security token to be processed.

4. When you receive an email message from the hybrid service, go to the Settings > General > Account page in the Web Security manager.

5. Scroll down to the Hybrid Filtering section of the page and enter the Security token provided in the email message.

6. Click Connect.

The temporary token is verified and used to resume communication between Sync Service and the hybrid service.

Missing key hybrid configuration information

In environments that use the hybrid service, Sync Service provides an account identifier each time it connects to the hybrid service to send or retrieve information.

This identifier is unique to your organization, and updated each time the admin password changes.

Under rare circumstances, possibly involving a serious problem with the Policy Database, the connection between your on-premises software and the hybrid service may be lost. In these cases, you must request a security token, used to generate a new identifier for your hybrid service account. The security token is sent to the contact email address specified on the Settings > General > Account page.

If you receive the alert message, “Missing configuration information; connection to hybrid filtering lost,” either no contact email address has been provided, or the contact email address is no longer valid.

In this case, in order to maximize the security of your organization’s private data, you must contact Websense Technical Support directly to update your hybrid service account.

Hybrid failover proxy removed from explicit proxies list

In Websense Web Security Gateway Anywhere version 7.6, failover to the hybrid service was configured by manually adding the hybrid proxy address to the list of explicit proxies, then including that proxy as the last explicit proxy in the list for a filtered location. Failover is configured differently in versions 7.7 and 7.8, which means the hybrid proxy is removed from the explicit proxy list on upgrade from v7.6.

Failover to the hybrid proxy must now be enabled for each filtered location and then approved by the hybrid service. See Configuring failover to the hybrid service.

Troubleshooting tips and tools

The Windows Services tool

The Windows Event Viewer

The Websense log file

Where is the Websense “bin” directory?

Many Websense Web Security executable and configuration files are installed in the Websense bin directory. When a troubleshooting step prompts you to navigate to this directory, the location depends on the operating system and installed components.

Linux platforms: /opt/Websense/bin/

Windows platforms: C:\Program Files or Program Files (x86)\Websense\Web Security\bin

The Windows Services tool

On Microsoft Windows machines, Filtering Service, Network Agent, Policy Server, User Service, and other Web Security components run as services. You can use the Windows Services tool to check the status of these services.

1. To launch the tool:

Windows Server 2012: Go to Server Manager > Tools > Services.

Windows Server 2008 R2: Go to Start > Administrative Tools > Services.

2. Scroll through the list of services to find the service you are troubleshooting.

The service entry includes the service name, a brief service description, the service status (started or stopped), how the service starts, and what account the service uses to perform its tasks.

3. Double-click a service name to open a properties dialog box with more detailed information about the service.

The Windows Event Viewer

The Windows Event Viewer records error messages about Windows events, including service activities. These messages can help you identify network or service errors that may be causing Internet policy enforcement or user identification problems.

1. Do one of the following:

Windows Server 2012: Go to Server Manager > Tools > Event Viewer.

Windows Server 2008 R2: Go to Start > Administrative Tools > Event Viewer.

2. In the Event Viewer:

Windows Server 2012: Expand the Windows Logs tree, then select Application.

Windows Server 2008 R2: Click Application for a list of error messages, warnings, and informational messages.

3. Scroll through the list to identify errors or warnings from Websense services.

The Websense log file

Websense software writes error messages to the websense.log file, located in the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin/, by default).

The information in this file is comparable to that found in the Windows Event Viewer.

In Windows environments, the Event Viewer presents messages in a more user-friendly format. The websense.log file, however, is available on Linux systems, and can be sent to Websense Technical Support if you need help troubleshooting a problem.


332

application reports

182

browser detail report , dependencies ,

179

overview ,

132

platform detail report , populating ,

181

183

542



Websense Web Security Solutions search ,

179

Trend job ,

182

application scanning ,

196

Apply Policy to Clients ,

97

Apply to Clients ,

95

ASCII characters, extended searching investigative reports , audit log ,

396

auditor permissions ,

345

authentication

Internet applications , selective ,

306

241

306

authentication exceptions , authentication requests report ,

241

average browse time ,

439

517

B

backing up Websense data , backup files naming ,

410

storing ,

415

backup utility ,

410

command reference , configuration file ,

417

415

running ,

414

scheduling backups ,

412

410

stopping scheduled backups ,

417

bandwidth larger than expected , managed by Network Agent , managing ,

284

512

logged for blocked requests ,

158

managed by Content Gateway ,

285

285

setting limits ,

286

used by categories , used by protocols ,

Bandwidth category ,

284

284

,

285

53

bandwidth logged, blocked requests ,

167

bandwidth savings dashboard ,

45

,

46

banner , bar chart ,

21

159

BCP for log record insertion ,

426

bin directory , blacklists ,

538

105

managing ,

105

blank block page ,

119

blank page instead of block page ,

Block ,

58

based on bandwidth ,

File Types ,

59

58

Keywords ,

59

Block All filter ,

67

and filtering precedence ,

101

block messages changing frame size , creating alternate ,

123

126

creating custom , customizing ,

120

122

for file types , block pages ,

117

290

,

292

account override , advertisements ,

88

119

,

489

blank white page , changing logo ,

489

124

content variables ,

Continue button ,

124

59

customizing for hybrid service , error message appears ,

488

hybrid filtering ,

225

489

227

not displayed for file type block , partial ,

119

password override , reverting to default , source files ,

120

87

126

Use Quota Time button , blocked advertisements ,

59

119

blocked and locked , categories ,

349

348

file types , keywords , protocols ,

349

349

350

blocked requests bandwidth logged ,

158

blocked requests, bandwidth logged , blocking based on keyword ,

274

488

167

embedded content , file types ,

287

119

posts to some sites , protocols ,

279

blocking NIC ,

457

277

BlockMessageBoardPosts , browse session ,

439

browse time detailed ,

440

Internet (IBT) ,

132

,

439

browser detail report ,

182

browser reports , detail ,

182

179

populating ,

181

bypassing decryption ,

211

277

C

cached changes ,

22

calculating bandwidth saved , calculating time saved ,

46

catalog database , report ,

430

134

46

categories added to Master Database , adding custom ,

271

Bandwidth ,

53

bandwidth usage , custom ,

268

284

defined ,

27

,

51

editing custom ,

268

Extended Protection , list of all ,

51

54

52

locking for all roles , logging ,

422

Productivity ,

53

renaming custom ,

Security ,

54

348

270

,

349

selecting for presentation reports ,

Special Events ,

53

categorizing content ,

193

211

Category Bypass settings , category filters ,

61

adding ,

95

140

Index

Web Security Help



543

Index creating , defined ,

62

49

duplicating , editing ,

63

renaming , templates ,

62

63

62

,

68

category management , category usage alerts adding ,

405

and logging , configuring , deleting ,

405

422

405

editing ,

405

267

changes caching , reviewing ,

23

23

saving ,

23

changing roles ,

343

changing URL category , character set

MBCS ,

463

character sets used with LDAP , charts

82

30-Day Risk Trends , adding to dashboard ,

275

42

44

Filtering Service Status ,

User Activity ,

44

44

Check Policy

Find User ,

299

Check Policy tool ,

297

checklist initial setup ,

19

CLI, Directory Agent , clients ,

73

adding ,

84

535

applying policies , assigning policies , computers ,

73

,

75

73

95

,

97

custom LDAP groups ,

Directory ,

73

75

editing , groups ,

86

76

managing ,

74

544



Websense Web Security Solutions move to role , networks ,

89

73

,

75

selecting for presentation reports , users ,

76

clients, managed , adding in roles ,

340

363

applying policies , assigning to roles ,

364

355

,

359

,

365

deleting from roles , in multiple roles ,

355

,

362

359

,

366

moving to role ,

89

overlapping roles ,

360

139

columns for detail investigative reports , combining

165

hybrid and on-premises filtering ,

215

commands

WebsenseAdmin (Linux) ,

WebsenseAdmin (Win) ,

399

399

WebsenseDaemonControl ,

Component List ,

376

,

378

399

component status , components ,

370

376

Content Gateway ,

DC Agent ,

375

395

Directory Agent , eDirectory Agent ,

376

375

Filtering Plug-In ,

Filtering Service ,

376

371

Linking Service ,

Log Database ,

376

374

Log Server ,

Logon Agent ,

374

375

Master Database ,

Multiplexer ,

374

371

Network Agent ,

Policy Broker ,

371

371

Policy Database ,

Policy Server ,

371

371

RADIUS Agent ,

375

Real-Time Monitor ,

374

Remote Filtering Client ,

Remote Filtering Server , starting and stopping ,

250

,

372

250

,

372

377

,

378

State Server , status ,

377

372

,

status monitor ,

Sync Service ,

376

376

391

Usage Monitor ,

User Service ,

372

375

Web Security manager ,

372

Websense Content Gateway ,

Computer Browser service enabling ,

484

computers clients ,

73

372

conditional Super Administrators permissions ,

343

configuration

Log Server ,

424

configuring DC Agent ,

Confirm ,

59

313

in multiple Policy Server environment , multiple Filtering Service instances ,

385

388

consolidation and full URL logging ,

438

and Internet browse time ,

512

contacting technical support ,

24

content blocking embedded , categorization ,

193

threat scanning ,

195

119

content delay handling ,

Content Gateway ,

204

372

,

395

Access page ,

396

396

accessing from TRITON console , non-critical alerts ,

524

not available , not running ,

523

523

subscription key , system alerts ,

404

191

343

Content Gateway direct access permissions , content stripping ,

204

Continue button ,

59

copy

135

presentation reports ,

Copy to Role ,

266

filters ,

62

policies , copying

93

category filters ,

62

limited access filters , presentation reports , protocol filters ,

62

62

135

creating category filters ,

95

limited access filters , policies ,

94

protocol filters ,

96

95

custom authentication adding rules ,

242

editing rules ,

243

custom block messages , custom categories ,

268

adding , creating ,

271

267

editing ,

268

renaming ,

270

122

83

custom LDAP groups , adding ,

84

editing ,

84

custom logo block pages ,

124

hybrid block pages , presentation reports , custom protocols ,

278

227

138

,

143

creating , editing ,

282

280

identifiers , renaming ,

281

281

unable to create ,

496

custom URLs defined ,

275

filtering precedence , not filtered correctly , customer support ,

31

customize block messages ,

120

276

473

hybrid filtering block pages ,

227

proxy auto-configuration (PAC) file ,

230

Index

Web Security Help



545

Index

D

das.ini

,

533

dashboard ,

33

Add Chart ,

34

adding elements , customizing tabs ,

44

bandwidth saved calculations , calculating value estimates ,

46

46

44

Database Download , monitoring ,

47

no charts appear , printing ,

34

520

34

Risks ,

33

,

42

Status Monitor ,

System ,

33

,

44

Threats ,

35

34

time saved calculations ,

Usage ,

33

,

43

46

dashboard charts

443

maximum time period , overview ,

131

Dashboard settings , data aggregation ,

443

394

data security ,

257

data sent by WebCatcher , data source name (DSN) configuring ,

425

30

database catalog ,

430

for scanning ,

Log Database ,

207

430

Log Database jobs ,

431

Log Database partitions , maintenance job ,

436

Master Database ,

Policy Database ,

27

380

431

real-time database updates ,

Real-Time Security Updates ,

28

28

Database Download , database download , configuring ,

29

34

27

disk space requirements , memory requirements ,

467

468

Real-Time Security Updates ,

28

546



Websense Web Security Solutions real-time updates ,

28

restriction application problems , resuming ,

390

scanning , status ,

207

389

subscription problems , troubleshooting ,

464

465

verify Internet access , via proxy ,

30

465

database jobs

AMT ,

432

ETL ,

431

432

Internet browse time (IBT) , maintenance ,

432

SQL Server Agent , trend ,

432

515

468

database partitions creating ,

434

deleting ,

435

,

437

enabling or disabling , rollover options ,

433

selecting for reports , database updates ,

28

514

435

real-time ,

28

,

409

Real-Time Security , scanning ,

207

28

,

409

date range investigative reports scheduled job ,

174

150

presentation reports scheduled job ,

DC Agent ,

312

,

375

configuring ,

313

dc_config.txt file ,

481

,

482

insufficient permissions ,

480

missing required file , permissions ,

485

481

Default policy , default user ,

92

340

deleting ,

340

delegated administration adding administrators , adding roles ,

352

,

353

357

applying policies , auditors ,

345

363

Content Gateway direct access permissions ,

343

deleting clients from roles , deleting roles ,

352

deleting roles, effects of , editing roles ,

354

362

362

exceptions only permissions , full policy permissions ,

343

notifying administrators , overview ,

339

351

343

permissions ,

342

policy permissions , preparation ,

347

343

343

Real-Time Monitor permissions , reporting access ,

419

reporting permissions , role conflicts ,

360

343

using ,

352

delegated administrators deployment status permissions ,

344

deleting entries from the Always Scan or Never

Scan lists ,

208

deleting managed clients ,

495

Deployment page access permissions , deployment status ,

355

376

deployment status permissions ,

344

detail view columns ,

165

configuring defaults , investigative reports , modifying ,

164

detailed browse time ,

447

163

440

database sizing impacts ,

Directory Agent ,

231

,

376

443

adding contexts , and off-site users ,

236

231

,

254

communication issues , configuration file ,

533

532

533

directory service not supported , exclude contexts ,

237

not running ,

530

status information ,

245

unable to connect to domain controller ,

Directory Agent command-line interface , directory clients ,

73

531

535

Index

Directory Performance ,

377

,

379

directory service configuration problems , performance details ,

380

482

status ,

379

directory service settings troubleshooting ,

482

directory services configuring ,

77

configuring for TRITON console logon ,

Log Server connecting to ,

509

searching ,

85

supported for hybrid filtering ,

231

368

Windows Active Directory (Mixed Mode) , directory settings advanced ,

81

disk space database download requirements , presentation reports usage ,

147

467

display options investigative reports ,

448

drill down, investigative reports , dynamic content categorizing ,

193

157

78

E

eDirectory ,

80

eDirectory Agent , configuring ,

321

,

375

322

eDirectory server replicas configuring ,

323

Edit category filter ,

63

custom LDAP group ,

Edit Categories button ,

Edit Protocols button ,

84

267

267

editing category filters , client settings ,

63

86

email domains (hybrid) , explicit proxy ,

220

policies ,

227

filtered locations ,

218

limited access filters ,

264

95

protocol filters ,

66

Web Security Help



547

Index root contexts for hybrid service , unfiltered destinations ,

223

eimserver.ini

236

BlockMessageBoardPosts parameter ,

SecurityCategoryOverride parameter , email report distribution ,

421

email address

216

hybrid filtering contact , email alerts ,

403

email message customizing for investigative reports ,

277

276

174

151

customizing for presentation reports , empty block page ,

119

endpoint anti-tampering password , error log

332

437

deleting for Log Database ,

Event Viewer ,

539

Websense.log

,

539

error messages finding ,

490

health alerts ,

ETL job ,

431

490

evaluating filtering policies ,

Event Details ,

37

customizing , forensic data ,

Event Viewer ,

38

38

539

131

Example - Standard User policy , examples category and protocol filters , policies ,

91

91

67

Excel format audit log ,

396

247

,

248

hybrid service authentication reports , investigative reports ,

156

,

174

presentation reports , reports incomplete ,

145

,

147

,

151

516

exceptions defined ,

105

managing ,

105

searching for ,

107

exceptions only permissions ,

343

exceptions to user identification ,

305

explicit proxies adding ,

220

editing ,

220

hybrid filtering ,

220

extended ASCII characters in DC Agent machine name ,

313

searching investigative reports ,

517

Extended Protection ,

54

Extract, Transform, and Load (ETL) job ,

431

F

fail closed remote filtering software , timeout ,

251

fail open

251

remote filtering software , failed batches ,

437

Favorites investigative reports , presentation reports , file analysis file extensions ,

202

251

156

,

171

,

172

135

,

142

,

144

file extensions adding to file type ,

294

293

adding to predefined file type , filtering by ,

287

for scanning ,

202

in predefined file types ,

290

file name

147

scheduled presentation report , file scanning scanning timeout ,

204

setting maximum size ,

204

file signatures filtering by , file types ,

267

287

adding , blocking ,

293

59

editing ,

293

locking for roles , files blocking access , filter components ,

349

287

267

Filter Lock configuring ,

347

548



Websense Web Security Solutions

creating ,

342

,

348

effect on roles ,

367

locking categories , locking file types ,

349

349

locking keywords , locking protocols , logging protocols , filter templates ,

68

349

350

350

filtered locations adding ,

218

defined , editing ,

217

218

explicit proxies ,

220

filtering actions ,

58

combining solutions , component overview , diagram ,

100

file types , order ,

97

287

precedence ,

100

215

369

precedence, custom URLs , process ,

100

protocols ,

279

276

249

remote or roaming users , search images ,

60

toolbox ,

296

with keywords ,

272

filtering methods combining ,

217

,

253

Filtering Plug-In ,

Filtering Service ,

376

371

,

388

Content Gateway connections , database downloads ,

389

Details page ,

389

389

389

finding version information , high CPU alert ,

471

IP address change , multiple instances , not running ,

470

475

391

status chart ,

44

updating UID ,

476

filtering settings configuring ,

69

Index filters ,

61

category ,

49

,

61

copy to role ,

266

creating for role ,

366

determining usage ,

96

editing active , editing for role ,

96

366

limited access ,

61

,

262

presentation reports ,

135

protocol ,

49

,

61

restoring defaults ,

68

firewall settings database download , flood control, alerts ,

466

402

forensic data for threat incidents , forensics repository ,

38

445

configuring size , data expiration ,

445

521

errors , location ,

520

521

full policy permissions , full URL logging ,

343

428

,

438

database sizing impacts ,

442

G

getting started tutorials , launching ,

19

global catalog ,

79

group search filters , groups ,

76

custom LDAP ,

75

238

19

H

handling encrypted traffic ,

Health Alert Summary ,

44

211

health alerts , described , solutions , summary ,

409

490

492

44

heartbeat changing interval ,

253

remote filtering software , hiding user names

250

Web Security Help



549

Index investigative reports ,

160

hits defined ,

429

hits and visits ,

429

database sizing impacts ,

HTML format presentation reports ,

147

442

saving presentation reports ,

516

HTML format, presentation reports ,

HTTP tunneling ,

194

exceptions ,

195

HTTPS sites custom filtering , hybrid authentication

473

adding custom rules , editing custom rules ,

242

243

145

hybrid block pages customizing ,

227

logo , text ,

227

228

hybrid filtering , account ,

216

alerts ,

215

Active Directory configuration ,

Active Directory root context ,

231

,

233

233

535

connection lost ,

536

contact email address , custom authentication , custom block pages ,

216

241

225

,

227

exclude contexts , filtered locations ,

237

217

missing configuration information , missing from reports ,

528

537

Novell eDirectory configuration ,

Novell eDirectory root context ,

235

235

NTLM identification , off-site user passwords ,

329

231

off-site users ,

217

,

226

,

253

Oracle Directory Server configuration ,

Oracle Directory Server root context ,

234

234

PAC file ,

224

registering domains ,

226

scheduling policy, user, and log record sychronization ,

239

secured form authentication , self-registration ,

225

,

254

SSL certificate , status ,

245

228

329

supported directory services , transparent identification ,

231

328

unable to authenticate , unfiltered destinations , user access ,

224

536

222

user and group search filters , user identification ,

328

,

330

238

Web Endpoint ,

331

hybrid log records collecting ,

240

not downloaded ,

528

not sent to Log Server , hybrid user identification

Active Directory ,

231

Novell eDirectory ,

235

528

Oracle Directory Server ,

234

I

identifiers protocol ,

281

Information Technology sites miscategorized ,

472

initial database ,

27

initial filtering database , initial setup checklist ,

19

463

installation directories ,

401

Internet browse time (IBT) and consolidation ,

512

configuration , database job , explained ,

132

439

132

last site , reports ,

440

439

time per site ,

439

Investigate User tool ,

298

investigative reporting permissions ,

344

role type ,

341

investigative reports , anonymous ,

160

155

550



Websense Web Security Solutions

bar chart ,

159

choosing a Log Database , configuring ,

446

custom email , default settings ,

174

447

446

detail view ,

163

,

164

,

165

detailed browse time ,

440

display options ,

Excel format ,

448

156

,

174

,

177

Favorites ,

156

,

171

,

172

general issues ,

518

hiding user names , job queue ,

160

156

,

175

multi-level summary , options ,

156

162

outliers ,

156

,

175

output options ,

448

overview ,

131

PDF format ,

156

,

174

,

177

pie chart , printing ,

159

177

red lettering ,

159

saving Favorites ,

171

scheduled jobs , search patterns , searching ,

156

,

172

517

160

,

517

self-reporting ,

178

,

450

setting schedule for ,

173

standard , summary ,

156

,

170

157

User Activity ,

156

User Activity Detail by Day ,

168

User Activity Detail by Month ,

169

XLS format ,

177

IP address change

Policy Server ,

386

IP addresses filtering by ,

75

J

JavaScript content removing ,

204

job queue investigative reports ,

156

,

175

presentation reports , jobs

ETL ,

IBT ,

431

432

Log Database ,

431

135

Log Database AMT ,

432

Log Database maintenance ,

Log Database trend ,

432

432

scheduled investigative reports , scheduled presentation reports ,

SQL Server Agent ,

515

172

,

175

146

,

151

K

key ,

24

keyword blocking troubleshooting , keywords ,

472

267

,

272

blocking , defining ,

59

274

locking for roles , not being blocked ,

349

472

L

last site browse time ,

440

LDAP character sets , custom groups ,

82

83

limited access filters , adding ,

95

creating ,

263

61

,

262

filtering precedence , regular expressions , renaming ,

264

262

265

URLs not permitted , limiting access time ,

59

473

Linking Service ,

376

locating product information ,

24

log audit , log data

396

394

sending to SIEM integration ,

Log Database ,

374

,

419

active ,

433

administering ,

420

,

432

Index

Web Security Help



551

Index

AMT job ,

432

catalog database ,

430

connect for investigative reports , creating partitions ,

433

database partitions , deleting errors ,

437

431

443

growth rates and sizing ,

IBT job ,

132

,

432

introducing , jobs ,

431

430

log record consolidation , maintenance ,

436

not created ,

427

maintenance job , not available ,

503

432

,

436

503

not recording data , reindexing ,

437

508

446

435

selecting partitions for reports , settings ,

432

size ,

442

,

504

trend job ,

432

Log Database connection

DSN ,

425

log file ,

539

log record consolidation , database sizing impacts ,

427

442

log records ,

208

for scanning activity ,

ODBC or BCP ,

426

210

Sync Service unable to download ,

Log Server ,

374

configuration , configuring ,

515

420

,

424

528

509

connecting to directory service , low disk space ,

500

not installed , not running ,

501

497

updating connection ,

508

user and group updates ,

429

logging anonymous , categories ,

423

422

configuring ,

422

multiple Policy Servers ,

422

552



Websense Web Security Solutions defined ,

419

full URLs ,

428

,

438

hits ,

429

scanning options ,

208

scanning options compare with filtering , selective category ,

424

user information , logging on ,

19

422

logging protocols for all roles ,

350

logo changing on block page ,

124

changing on hybrid filtering block page , presentation reports ,

138

logo, presentation reports ,

Logon Agent ,

317

,

375

143

configuring , permissions , logon error ,

496

318

485

209

227

M

Main tab ,

22

maintenance job configuring ,

436

Log Database , managed clients ,

432

,

436

340

adding in roles , assigning to role ,

363

355

,

359

deleting from roles , moving to roles ,

89

355

,

362

management console , manual authentication , enabling ,

305

Master Database , categories ,

51

18

303

27

,

371

download problems , download schedule , download servers ,

464

29

465

download status , downloading ,

27

389

enhancing , initial ,

463

30

more than 1 week old , protocols ,

51

464

Real-Time Security Updates , real-time updates ,

28

resuming download , updating ,

464

390

maximum size for file scanning , memory requirements database download ,

468

Microsoft Excel incomplete reports , missing users after upgrade ,

463

516

Mixed Mode

Active Directory ,

Mobile Security

78

mobile integration , mobile users filtering ,

249

modes

Policy Broker ,

381

258

185

monitor Internet activity , monitoring NIC ,

456

move to role , clients ,

89

89

moving sites to another category , multiple group policies ,

98

multiple policies filtering precedence , multiple Policy Servers , multiple roles, permissions ,

Multiplexer ,

374

73

385

345

MyWebsense portal ,

24

28

204

275

N

Native Mode

Active Directory ,

79

navigating Web Security manager ,

NetBIOS enabling ,

481

Network Agent ,

371

,

451

blocking NIC ,

457

20

communication with Filtering Service , global settings ,

453

high CPU use ,

477

insufficient memory , local settings ,

454

476

475

monitoring NIC , more than 2 NICs ,

456

476

NIC configuration , not installed ,

474

456

not monitoring , not running ,

475

474

protocol management ,

457

network credentials accessing Web Security manager , networks clients ,

73

Never Scan list , adding sites ,

192

206

deleting entries ,

206

NIC configuration blocking ,

457

monitoring , settings ,

456

456

Novell eDirectory ,

80

hybrid configuration ,

NTLM identification hybrid filtering ,

329

235

367

O

ODBC for log record insertion , off-site users

426

configuring remote filtering software , enable hybrid filtering for ,

226

filtering options ,

249

identifying (hybrid) ,

231

,

254

self-registration (hybrid) , optimizing search results ,

254

238

options, investigative reports ,

156

Oracle Directory Server hybrid configuration ,

234

order filtering ,

100

outliers reports ,

156

,

175

output options investigative reports ,

448

override action categories ,

270

protocols ,

282

250

Index

Web Security Help



553

Index

P

PAC file. See proxy auto-configuration (PAC) file.

partitions creating ,

434

deleting ,

435

Log Database , rollover options ,

431

433

selecting for reports ,

435

password anti-tampering , resetting ,

493

332

password override , patches ,

87

in multiple Policy Server environment , multiple Filtering Service instances ,

385

388

24

PDF format hybrid service authentication reports , investigative reports ,

156

,

174

,

177

presentation reports ,

145

,

147

,

151

247

,

248

performance directory details , directory service , permissions administrator , auditor ,

345

380

377

,

379

342

343

Content Gateway direct access ,

DC Agent ,

480

,

485

Deployment page access , deployment status ,

344

355

full policy ,

343

installation drive ,

503

344

investigative reporting ,

Logon Agent ,

485

multiple roles ,

345

344

policy management and reporting ,

Real-Time Monitor ,

343

releasing policy , reporting ,

351

343

,

364

setting ,

354

,

356

,

358

SQL Server ,

503

,

509

start components , stop components , unconditional policy ,

User Service ,

485

355

355

342

Permit ,

58

Permit All filter and filtering precedence ,

Permit All filters ,

67

101

permitting URLs for all users (hybrid) , pie chart ,

159

platform detail report , platform reports ,

179

183

detail ,

183

populating ,

181

223

policies adding ,

93

,

94

applying to clients ,

95

,

97

applying to managed clients , applying to users and groups , copy to role ,

266

copying to roles , creating for role ,

Default ,

92

93

,

361

366

defined ,

49

,

91

descriptions ,

94

97

determining applicable , editing ,

93

,

95

editing for role , enforcing ,

97

366

363

,

364

76

Example - Standard User , filtering precedence ,

100

multiple group , printing to file , renaming ,

95

98

93

91

troubleshooting for directory clients , troubleshooting for remote clients ,

473

473

Unrestricted , viewing ,

93

91

305

when user not identified ,

Policy Broker ,

371

,

380

configuration data , list ,

381

380

replica sync fails ,

Policy Broker modes ,

495

381

Policy Broker replication ,

381

policy configuration restoring defaults ,

Policy Database ,

68

371

,

380

554



Websense Web Security Solutions

Index does not start , policy definition schedule ,

95

494

policy exceptions , managing ,

105

105

policy management and reporting permissions ,

344

role type ,

341

policy permissions releasing ,

351

unconditional ,

Policy Server ,

342

371

,

382

and Policy Broker ,

380

and the Web Security manager , changing IP address ,

386

connections ,

377

multiple instances ,

385

382

multiple instances, configuring logging ,

Policy Broker connection ,

381

422

removing from Web Security manager , status monitor ,

376

stops unexpectedly ,

494

Web Security manager connections ,

Policy Server Map ,

376

,

377

384

384

popup blocking reporting access , precedence

520

360

delegated administration role , filtering ,

100

filtering policy ,

73

preferences, reporting ,

421

presentation reports confirming report filter , copying ,

135

custom ,

135

custom logo ,

138

,

143

disk space usage ,

147

do not display , errors ,

517

517

144

Excel format ,

Favorites ,

145

,

151

135

,

142

,

144

file name ,

147

HTML format , job history ,

153

145

,

147

job queue ,

135

,

151

low disk space ,

511

output format , overview ,

131

151

PDF format , printing ,

146

145

,

147

,

151

report catalog ,

134

report catalog name , report filter ,

142

135

,

137

retaining ,

147

Review Reports ,

135

Review Reports page , running ,

145

saving ,

145

XLS format ,

153

scheduled job fails , scheduling ,

512

135

,

146

,

148

setting date range for job , viewing scheduled ,

153

150

145

,

147

Presentation Reports Scheduler not connected ,

511

Print Policies To File ,

93

printing dashboard ,

34

dashboard charts ,

410

investigative reports ,

177

presentation reports , priority, role ,

352

,

360

146

Privacy Category ,

211

private IP addresses and hybrid filtering ,

Productivity category ,

217

53

protocol definitions , management ,

278

267

protocol detection , protocol filters ,

61

194

adding , creating ,

96

65

defined , editing ,

49

66

renaming , templates ,

66

65

,

68

protocol identifiers ,

281

Web Security Help



555

Index

IP addresses , ports ,

281

281

protocol management

Network Agent ,

457

protocol usage alerts adding ,

407

configuring , editing ,

407

406

protocols added to master database , bandwidth usage ,

284

selecting for presentation reports ,

TCP and UDP support ,

66

52

collecting usage information , creating new ,

280

defined ,

27

,

51

defining custom , definitions ,

278

filtering , list of all ,

66

,

279

51

267

Security Protocol Groups ,

26

locking for all roles , logging for all roles , modifying Websense-defined , not logged ,

514

348

,

350

350

284

renaming custom ,

281

58

selecting for investigative reports ,

166

141

224

proxy auto-configuration (PAC) file , browser configuration ,

229

customized fragment , customizing ,

230

230

default , defined ,

230

229

status information ,

245

unfiltered destinations ,

222

proxy server

30

database download configuration , proxy settings database download , verifying ,

467

466

Q

Quota ,

59

quota time ,

59

556



Websense Web Security Solutions applets ,

60

applying to clients , sessions ,

60

in multiple Policy Server environment , multiple Filtering Service instances ,

385

388

60

R

RADIUS Agent , configuring ,

319

,

375

320

real-time database updates ,

Real-Time Monitor ,

28

,

409

185

,

374

filtering results , low memory ,

186

518

multiple Policy Servers , no data ,

492

,

493

not responding , not running ,

519

519

overview ,

132

starting and stopping , timeouts ,

186

187

398

Real-Time Monitor permissions ,

343

real-time options file analysis ,

196

real-time scanning, see scanning ,

Real-Time Security Updates ,

189

28

,

409

enabling ,

29

275

recategorized URLs , adding ,

275

editing ,

275

explained ,

267

not applied ,

496

red lettering, investigative reports , regular expressions ,

267

,

296

in a limited access filter , recategorizing URLs ,

265

269

reindexing the Log Database , release policy permissions ,

437

351

Remote Filtering Client ,

Remote Filtering Server ,

Remote Filtering settings ,

Block all requests ,

250

,

372

250

,

372

251

251

159

remote filtering software ,

250

bandwidth-based filtering ,

250

changing heartbeat interval ,

253

communication , fail closed ,

251

fail open , heartbeat ,

251

250

251

ignoring FTP traffic ,

252

ignoring HTTPS traffic ,

252

inside the network , outside the network ,

250

251

supported protocols , timeout interval ,

251

250

remote users filtered incorrectly , filtering ,

249

487

manual authentication issues , removing active content ,

204

487

Always Scan or Never Scan list entries ,

206

Policy Server instances from Web Security manager ,

384

VB Script content ,

204

rename category ,

270

category filters , custom protocol , limited access filters , policies ,

95

63

281

264

protocol filters ,

66

replica

Policy Broker , report catalog ,

381

134

name ,

142

report filter, presentation reports , confirming ,

144

selecting actions ,

141

selecting categories ,

140

selecting clients ,

139

selecting protocols ,

141

selecting risk classes ,

140

135

report title, presentation reports ,

142

reporting access ,

419

configuring email server , configuring self-reporting ,

421

450

missing hybrid filtering data ,

528

,

137

overview ,

131

permissions ,

343

,

356

,

364

popup blocking , preferences ,

421

520

Real-Time Monitor , retrieve hybrid data , scanning information , scanning options ,

208

209

self-reporting ,

359

132

,

185

240

setting permissions , timeout ,

505

356

reports application , browser ,

132

,

178

179

configuring investigative , dashboard charts ,

131

editing ,

135

446

email distribution , empty ,

514

421

hybrid service authentication ,

246

hybrid user agent authentication ,

247

incomplete , investigative ,

516

131

platform ,

179

presentation ,

131

retaining ,

147

Review Reports page , using ,

153

User Activity Detail by Day ,

168

User Activity Detail by Month ,

169

131

153

viewing scheduled presentation , reputation filtering ,

54

restore utility ,

410

command reference , running ,

416

417

restoring Websense data ,

Review Reports ,

153

assigning categories ,

Business Usage ,

56

410

presentation reports , risk classes ,

135

55

,

419

,

420

420

,

416

in reporting ,

420

Legal Liability ,

55

Network Bandwidth Loss ,

55

,

56


Productivity Loss ,

Security Risk ,

56

55

,

57

selecting for investigative reports , selecting for presentation reports ,

Risks dashboard ,

42

roaming users filtering ,

249

166

140

roles adding ,

352

,

353

adding administrators , adding managed clients ,

354

,

357

355

,

359

,

363

,

365

administrative ,

340

administrators in multiple , applying policies ,

357

363

,

364

clients in multiple , creating filters ,

366

360

creating policies , deleting ,

352

366

deleting administrators , deleting clients ,

355

354

340

,

362

deleting Super Administrator , deleting, effects of ,

362

editing ,

354

editing filters , editing policies ,

366

366

Filter Lock, effects of , investigative reporting , locking categories ,

349

347

341

locking protocols , names ,

352

350

overlapping clients ,

366

341

policy management and reporting , priority ,

352

,

360

Super Administrator , switching ,

343

340

viewing definition ,

364

rollover options, database partitions , running Web Security manager ,

18

433

S

samples category and protocol filters , policies ,

91

Save and Deploy ,

22

67

saving presentation reports , scanning database updates , exceptions ,

190

207

how to enable , log records ,

191

209

overview , settings ,

189

191

subscription key , scanning files ,

196

reporting ,

191

scanning options ,

195

,

208

categorizing content ,

193

208

saving changes , stripping content ,

207

204

schedule

145

policy definition ,

95

scheduled jobs activating ,

153

customizing email , date range ,

151

,

174

150

,

174

deactivating , deleting ,

152

153

failed for presentation reports , investigative reports ,

156

,

172

512

job history , lost ,

511

153

output format , schedule ,

151

presentation reports , report file name ,

147

146

,

149

,

151

148

,

173

scheduled jobs list investigative reports , presentation reports ,

175

135

Scheduler, presentation reports ,

146

scheduling backups ,

412

hybrid directory synchronization , hybrid log record synchronization ,

239

240

hybrid policy synchronization ,

239

routing traffic through proxy or firewall , stopping scheduled backups ,

417

scheduling hybrid communication ,

239

search

240


for user agents , search filtering ,

60

179

search filters hybrid filtering ,

238

Real-Time Monitor ,

186

search pattern investigative reports ,

517

searching directory clients , from address bar ,

85

472

investigative reports ,

160

,

517

secured form authentication hybrid filtering ,

329

securewispproxy.ini file ,

Security category ,

54

252

,

253

Security Events by Type ,

Security Protocol Groups ,

35

58

Security Risk filtering sites , security threats

276

scanning for ,

195

security URLs tracking ,

26

SecurityCategoryOverride , selective authentication ,

276

306

selective category logging , and database size ,

442

424

self-registration ,

254

adding domains ,

226

editing domains , self-reporting ,

227

178

,

359

configuring , enabling ,

450

421

notifying users ,

450

services

398

stopping and starting ,

Services tool ,

538

session browse , timeout ,

439

47

session timeout ,

19

191

setting scanning options , settings

Account ,

Alerts ,

25

402

Content Gateway Access ,

Custom Authentication ,

396

241

Dashboard ,

443

Database Download ,

Directory Services ,

29

77

Filtered Locations ,

Filtering ,

69

217

Hybrid User Identification ,

Log Database ,

432

Network Agent ,

Policy Brokers ,

Policy Server ,

453

381

383

Remote Filtering ,

Scheduling ,

239

251

328

,

330

Shared User Data ,

SIEM Integration ,

User Identification ,

Settings tab ,

22

231

,

234

,

235

,

236

394

304

severity alerts ,

401

SIEM integration ,

394

sizing, Log Database ,

SNMP alerts ,

403

442

Special Events ,

53

SQL Server permissions ,

503

,

509

SQL Server Agent job ,

515

SQL Server Agent job ,

509

SSL certificate hybrid filtering ,

228

SSL decryption bypass , overview ,

190

Privacy Category ,

211

211

156

,

170

standard reports, investigative , starting

Linux daemons ,

399

Websense services ,

398

Windows services ,

State Server ,

399

372

,

391

Status

Alerts ,

409

Audit Log ,

396

Dashboard ,

Deployment ,

33

376


Hybrid Service ,

Status Monitor ,

34

245

Status Monitor mode ,

47

stopping

Linux daemons ,

399

Websense services ,

398

Windows services , storing backup files ,

399

415

storing forensic data ,

445

stripping active content ,

204

subscription key , entering ,

25

24

462

invalid or expired , not verified ,

462

verifying , subscriptions ,

465

24

exceeded , expired ,

24

24

MyWebsense portal ,

24

summary reports investigative reports , multi-level ,

162

157

Sun Java System Directory ,

80

Super Administrator adding clients to role , admin ,

19

361

conditional permissions , deleting role ,

340

,

362

permissions , role ,

340

343

Filter Lock, effects of ,

347

moving clients from role ,

89

342

switching roles , unconditional ,

343

343

suspicious activity alerts ,

401

,

408

Suspicious Event Summary ,

35

columns , filters ,

36

37

switching roles ,

Sync Service ,

343

231

,

376

configuration file , configuring ,

239

529

low disk space , not available ,

529

527

status information , unable to download log records , syncservice.ini

,

529

245

unable to connect to hybrid service , unable to connect to Log Server ,

536

528

528

BlockMessageBoardPosts parameter ,

278

277

SecurityCategoryOverride parameter , system alerts ,

401

configuring ,

404

Content Gateway ,

Web Security ,

404

404

System dashboard ,

44

system status monitoring ,

47

T

TCP and UDP support , technical support ,

31

templates ,

68

category filter , protocol filter ,

66

62

,

68

65

,

68

Test Filtering

Find User ,

299

Test Filtering tool ,

298

threat incident details ,

37

threat scanning ,

195

Threats

Event Details ,

37

threats alerting ,

408

identifying ,

35

in files ,

196

in web pages ,

195

Threats dashboard ,

35

filters ,

35

time period dashboard charts , time savings dashboard ,

45

,

46

443

time-based Internet access , timeout

59

disable for Web Security manager , reporting ,

505

title, presentation reports ,

Toolbox ,

296

142

47

tools

Check Policy ,

297

Find User option ,

299

Investigate User ,

Test Filtering ,

298

298

URL Access ,

URL Category ,

298

297

Top Security Destinations , tracking

Internet activity , system changes ,

401

396

transparent identification hybrid filtering ,

328

35

transparent user identification , agents ,

302

configuring ,

DC Agent ,

304

312

eDirectory Agent , exceptions ,

305

users not identified ,

321

Logon Agent ,

317

RADIUS Agent ,

319

305

302

Trap server

SNMP alert configuration , trend data

403

443

database sizing impacts , not available ,

513

storing ,

440

Trend job and application reports , trend job

Log Database ,

432

182

trend reports empty ,

513

enabling ,

440

TRITON banner ,

TRITON console ,

21

18

session timeouts ,

19

526

unable to switch modules , troubleshooting tools

Event Viewer ,

539

Services tool , websense.log

,

538

539

tunneled protocol detection , tutorial

194

initial setup , tutorials

19

getting started ,

19

U

unable to add user and groups ,

482

unblocking URLs (hybrid) ,

223

uncategorized URLs reporting ,

26

unconditional Super Administrator , unfiltered destinations adding ,

223

defined , editing ,

222

223

PAC file , syntax ,

222

223

webmail ,

222

unfiltered URLs for hybrid filtering , replacement ,

105

Unrestricted policy ,

91

223

updates

Master Database ,

464

updating the scanning database ,

207

upgrade missing users ,

URL Access tool ,

463

298

URL Category tool , usage alerts ,

401

297

category, adding ,

405

category, configuring , category, editing ,

405

protocol, adding ,

405

logging categories , not generated ,

422

492

,

493

407

406

protocol, configuring , protocol, editing ,

407

Usage dashboard ,

Usage Monitor ,

43

372

not available , not running ,

492

493

Use custom filters ,

81

Use more restrictive blocking , with limited access filters ,

262

262

342

use quota time ,

59

block page button ,

59

user access to hybrid filtering ,

224

user accounts admin ,

340

User Activity Detail by Day report ,

168

User Activity Detail by Month report ,

169

User Activity zoom trend chart ,

User Agent Volume Report ,

247

44

user agents ,

241

identifying ,

181

in reports , searching ,

178

179

User Agents by Volume report ,

User by Day/Month reports ,

241

156

,

168

user identification hybrid filtering ,

328

hybrid user reports ,

246

manual ,

303

remote users , transparent ,

303

302

troubleshooting ,

Web Endpoint ,

477

331

User Identification page , user information, logging ,

304

422

user search ,

85

user search filters ,

User Service ,

238

77

,

375

not available , on Linux ,

486

471

performance , permissions ,

379

485

483

ports for directory communication ,

WINS settings ,

486

users ,

76

identifying ,

301

manual authentication ,

303

transparent identification ,

302

users not identified ,

305

utilities

Log Server Configuration ,

424

V

Value Estimates

calculations ,

46

View Pending Changes ,

23

W

Web Endpoint defined ,

331

deploying ,

331

Web Security installation directories , system alerts ,

404

401

Web Security Dashboard no charts appear ,

520

Web Security management console ,

Web Security manager ,

372

disable timeout , logging on ,

19

18

accessing with network account ,

367

concurrent access by administrators ,

346

47

navigation ,

20

382

,

384

Policy Server connections ,

Web Security status ,

377

WebCatcher ,

26

,

30

how data is sent ,

31

what is sent ,

30

Websense bin directory ,

538

380

Websense configuration information ,

Websense Master Database ,

27

Websense proxy ,

395

Websense software components ,

370

Websense status ,

Alerts ,

409

409

Audit Log ,

396

Websense Web Security Gateway subscription key ,

191

websense.log

,

539

WebsenseAdmin command

Linux ,

399

Windows ,

399

399

WebsenseDaemonControl command , whitelists ,

105

managing ,

105

Windows

Event Viewer ,

Services tool ,

539

538

Windows Active Directory (Mixed Mode) ,

Windows Active Directory (Native Mode) ,

WINS configuring User Service settings , enabling ,

486

486

78

79

X

XLS format audit log ,

396

investigative reports , presentation reports ,

156

,

177

145

,

147
