15 Delegated Administration and Reporting
Web Security Help | Web Security Solutions | Version 7.8.x
Delegated administration provides an effective way to distribute responsibility for Web Security configuration, policy management, reporting, and compliance auditing to multiple individuals. For example:
Allow individual managers to set policies and run reports on users in their teams.
Give local administrators for regional offices or campuses policy management permissions, as well as some access to local configuration options, but limit reporting access to protect end-user privacy.
Ensure that Human Resources can run Internet activity reports on some or all clients, identified by user name or IP address.
Grant auditors access to view all configuration and policy management screens in the Web Security manager without the ability to save changes.
The sections that follow detail the main concepts of delegated administration, and then provide specific configuration and implementation instructions.
The fundamentals of delegated administration
Preparing for delegated administration
Managing delegated administration roles
Updating delegated administration roles
Performing delegated administrator tasks
The fundamentals of delegated administration
Related topics:
Delegated administration roles
Delegated administration and reporting permissions
Administrators in multiple roles
Multiple administrators accessing the TRITON console
Before setting up delegated administration for your organization, there are 3 main concepts to understand:
Roles are containers used to group administrators and clients. There are 3 types. See Delegated administration roles.
Administrators are individuals or groups given responsibility for configuring Web Security manager settings, managing policies for clients, running Internet activity reports, or auditing the system. An administrator’s set of responsibilities is determined by the role and permissions that the administrator is assigned.
Permissions determine what responsibilities (like creating policies or running reports) an administrator has within a role. The available permissions change based on which type of role an administrator is assigned to. See Delegated administration and reporting permissions.
Delegated administration roles
A role groups clients—users, groups, domains (OUs), computers, and networks—with one or more administrators.
Clients in a delegated administration role are referred to as managed clients.
Administrators can perform different tasks (like managing policies or running reports) for managed clients in their role, based on their permissions.
The Web Security manager includes one predefined role: Super Administrator.
Although it is not shown, admin, the Global Security Administrator account, is a member of this role. The admin account cannot be deleted, nor can its permissions be changed.
Important
You cannot delete the Super Administrator role or the admin account.
Administrators assigned to the Super Administrator role have the ability to create roles, assign administrators and managed clients to roles, and determine the permissions for administrators in the role. Global Security Administrators can add administrators to the Super Administrator role.
Super Administrators can create 2 types of delegated administration and reporting roles:
Policy management and reporting: User policies are managed by administrators in the role. Administrators in the role can optionally also run reports.
Investigative reporting: Administrators can run investigative reports showing Internet activity for only managed clients in the role. Client policies are managed in one or more other roles.
Define as many additional roles as are appropriate for the organization. For example:
Create a role for each department, with the department manager as administrator and the department members as managed clients.
In a geographically distributed organization, create a role for each location and assign all the users at the location as managed clients of that role. Then, assign one or more individuals at the location as administrators.
Delegated administrators
Administrators are the individuals who can access the TRITON console. Depending on their permissions, in the Web Security manager they may be able to:
Log on and view some elements of the Web Security Dashboard, but take no other actions.
Access all configuration and management features of the Web Security manager, but save no changes.
Run reports on specific groups of clients, or on all clients.
Manage policies for specific groups of clients.
Have full configuration access to all features of the Web Security manager.
The specific permissions available depend on the administrator’s role type (Super Administrator, policy management and reporting, or investigative reporting). See Delegated administration roles.
Global Security Administrators (like admin) define administrator accounts in TRITON Settings. These accounts may either be network logon accounts (defined in a supported directory service) or local accounts, used only to access TRITON. Once an account has been defined, the Global Security Administrator assigns each one a level of logon access to one or more TRITON modules.
The levels of Web Security access that can be granted to administrators are:
Access and account management, which grants unconditional Super Administrator permissions (see Delegated administration and reporting permissions).
Access, which allows the administrator to log on and view limited portions of the Status > Dashboard and Alerts pages only. Super Administrators can add those administrators to roles to allow them some level of additional policy management access, reporting access, or both.
Any administrator account that has been granted access to the Web Security module appears on the Delegated Administration > View Administrator Accounts page. These accounts are also listed on the Delegated Administration > Edit Role > Add Administrators page.
Only administrators that have already been granted Web Security access via TRITON Settings can be added to roles.
Delegated administration and reporting permissions
The permissions available to an administrator depend on whether the administrator is assigned to the Super Administrator role, a policy management and reporting role, or an investigative reporting role.
Super Administrator permissions
The Super Administrator role can contain 2 types of administrators: unconditional Super Administrators and conditional Super Administrators.
When you create a Global Security Administrator account on the TRITON Settings > Administrators page, or select the Web Security > Grant access and the ability to modify access permissions for other accounts option, the account is automatically added to the Super Administrator role in the Web Security manager with unconditional permissions.
Unconditional Super Administrators can:
Access all system configuration settings for Websense Web security solutions (managed via the Settings tab).
Add or remove administrators in the Super Administrator role.
Create or edit the Filter Lock that blocks certain categories and protocols for all users managed by delegated administration roles.
Manage policies for clients in the Super Administrator role, including the Default policy that applies to all clients not assigned another policy in any role.
Create and run reports on all clients, regardless of which role they are assigned to.
Access Real-Time Monitor.
Review component status and stop or start components from the Status > Deployment page.
Review the audit log, which records administrator access to and actions within the Web Security manager.
(Web Security Gateway and Gateway Anywhere) Open the Content Gateway manager via a button on the Settings > General > Content Gateway Access page and be logged on automatically, without having to provide credentials.
When an unconditional Super Administrator adds additional administrators to the Super Administrator role (via the Policy Management > Delegated Administration page in the Web Security manager), the new administrators are granted conditional permissions.
Unlike unconditional Super Administrators, whose permissions cannot be changed, conditional Super Administrators can be granted a combination of policy management, reporting, and access permissions.
Full policy permissions allow conditional Super Administrators to:
Create and edit delegated administration roles, filter components, filters, policies, and exceptions, and to apply policies to clients that are not managed by any other role.
Access database download, directory service, user identification, and Network Agent configuration settings. Conditional Super Administrators with reporting permissions can also access configuration settings for the reporting tools.
Create and edit delegated administration roles, but not to delete roles or remove the administrators or managed clients assigned to them.
Exceptions only permissions allow conditional Super Administrators to create and edit exceptions. (Exceptions permit or block URLs for specified users, regardless of which policy normally governs their Internet access.)
Policies, filters, filter components, the Filter Lock, and all Settings pages are hidden for Super Administrators with exceptions only permissions.
Reporting permissions allow conditional Super Administrators to:
Access Web Security Dashboard charts.
Run investigative and presentation reports on all users.
If an administrator is granted reporting permissions only, the Check Policy tool does not appear in the Toolbox.
Real-Time Monitor permissions allow Super Administrators to monitor all Internet activity for each Policy Server associated with the Web Security manager.
Content Gateway direct access permissions allow Super Administrators to be logged on to the Content Gateway manager automatically via a button on the Settings > General > Content Gateway Access page in the Web Security manager.
Only one administrator at a time can log on to a role with full policy or exceptions only permissions. Therefore, if an administrator is logged on to the Super Administrator role to perform policy or configuration tasks, other Super Administrators can log on with only reporting, auditor, or status monitor permissions in the role. Super Administrators also have the option to select a different role to manage.
To switch to another role after logon, go to the Role drop-down list in the Web Security toolbar and select a role.
Policy Management and Reporting permissions
Delegated administrators in policy management and reporting roles can be given any combination of the following permissions:
Full policy permissions allow delegated administrators to create and manage filter components (including custom categories and recategorized URLs), filters (category, protocol, and limited access), policies, and exceptions (black and white lists) for their managed clients.
Filters created by delegated administrators are restricted by the Filter Lock, which may designate some categories and protocols as blocked and locked. These categories and protocols cannot be permitted by delegated administrators. (As part of enforcing the Filter Lock, delegated administrators cannot give their managed clients password override permissions.)
Only one administrator at a time can log on to a role with policy permissions. Therefore, if an administrator is logged on to a role to perform policy tasks, other administrators in the role can log on with auditing (read-only), reporting, or Real-Time Monitor permissions only. Administrators who have been assigned to multiple roles also have the option to select a different role to manage.
To switch to another role after logon, go to the Role drop-down list in the banner and select a role.
Exceptions only permissions allow delegated administrators to create and manage exceptions for managed clients in their role. (Exceptions permit or block URLs for specified users, regardless of which policy normally governs their Internet access.)
Policies, filters, and filter components are hidden for delegated administrators with exceptions only permissions.
Deployment status permissions allow delegated administrators to review component status on the Status > Deployment page. Delegated administrators with deployment status permissions can also be granted permission to start components, stop components, or both.
Reporting permissions can be granted in either of 2 general categories: report on all clients, or report on only managed clients in the role.
Any delegated administrator with reporting permissions can be given access to the Web Security Dashboard, investigative reports, and the Settings pages used to manage Log Server and the Log Database.
Delegated administrators with the option to report on all clients can also be given access to presentation reports.
Real-Time Monitor permissions allow administrators to monitor all Internet activity for each Policy Server associated with the Web Security manager.
Investigative reporting permissions
Administrators in investigative reporting roles can create investigative reports for managed clients in their role. (Clients’ policies are managed in other roles.) They can also use the URL Category, URL Access, and Investigate User tools.
These administrators do not have access to presentation reports or Real-Time Monitor, but can optionally be allowed to view charts on the Web Security Dashboard.
Auditors
Any conditional Super Administrator or delegated administrator account can be granted Auditor permissions. An auditor can see most Web Security manager features and functions, but cannot save any changes.
Instead of the OK and Cancel buttons that allow other administrators to cache or discard changes, Auditors are given a single Back button. The Save and Deploy button is disabled.
Administrators in multiple roles
Related topics:
Delegated administration roles
Delegated administration and reporting permissions
Depending on the needs of your organization, the same administrator may be assigned to multiple roles. Administrators assigned to multiple roles must choose a single role to manage at logon.
After logon, your permissions are as follows:
Policy management:
Full policy: You can add and edit filters and policies for the role selected during logon, and apply policies to that role’s managed clients.
Exceptions only: You can create and manage exceptions for the role selected during logon, and apply exceptions to that role’s managed clients.
Reporting: You have the combined reporting permissions of all your roles. For example, suppose you are assigned to 3 roles, with reporting permissions as follows:
Role 1: no reporting
Role 2: investigative reporting only
Role 3: report on all clients, full access to all reporting features
In this situation, regardless of which role you choose during logon, you are permitted to view charts on the Web Security Dashboard, and report on all clients, using all reporting features.
If you are logged on for reporting only, the Role field in the banner bar indicates whether you have Full Reporting (report on all clients) or Limited Reporting (report on managed clients only) permissions.
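The rule above (policy permissions come from the role selected at logon, reporting permissions accumulate across every assigned role) matters when reviewing role assignments for least privilege. The following is an added example, not part of the original help text or the product; the Grant model, feature names, account names and client names are constructed, and the handling of limited reporting scope is an assumption noted in the code.

```python
from dataclasses import dataclass
from enum import IntEnum


class Policy(IntEnum):
    NONE = 0
    EXCEPTIONS_ONLY = 1
    FULL = 2


class Scope(IntEnum):
    NONE = 0
    MANAGED_CLIENTS = 1  # shown in the banner as "Limited Reporting"
    ALL_CLIENTS = 2      # shown in the banner as "Full Reporting"


@dataclass(frozen=True)
class Grant:
    """One administrator's permissions inside one role (hypothetical model)."""
    role: str
    policy: Policy = Policy.NONE
    report_scope: Scope = Scope.NONE
    report_features: frozenset = frozenset()
    managed_clients: frozenset = frozenset()


def effective_permissions(grants, selected_role):
    """Session permissions: policy from the selected role, reporting from all roles."""
    by_role = {g.role: g for g in grants}
    if selected_role not in by_role:
        raise ValueError(f"administrator is not assigned to {selected_role!r}")
    chosen = by_role[selected_role]
    scope = max(g.report_scope for g in grants)
    features = frozenset().union(*(g.report_features for g in grants))
    if scope is Scope.ALL_CLIENTS:
        reportable = "ALL"
    else:
        # Assumption: limited reporting covers the managed clients of every
        # role that grants this administrator some reporting permission.
        reportable = frozenset().union(
            *(g.managed_clients for g in grants if g.report_scope is not Scope.NONE))
    return {
        "policy": chosen.policy,
        "policy_clients": chosen.managed_clients if chosen.policy else frozenset(),
        "report_scope": scope,
        "report_features": features,
        "reportable_clients": reportable,
    }


def reporting_widened_by_other_roles(assignments):
    """List (admin, role, role's own scope, effective scope) where another role widens reporting."""
    findings = []
    for admin in sorted(assignments):
        grants = assignments[admin]
        effective = max(g.report_scope for g in grants)
        for g in grants:
            if g.report_scope < effective:
                findings.append((admin, g.role, g.report_scope.name, effective.name))
    return findings


# Constructed sample data mirroring the 3-role example in the text.
ALL_FEATURES = frozenset({"dashboard", "investigative", "presentation"})
ASSIGNMENTS = {
    "jdoe": [
        Grant("Role 1", policy=Policy.FULL,
              managed_clients=frozenset({"sales-group"})),
        Grant("Role 2", report_scope=Scope.MANAGED_CLIENTS,
              report_features=frozenset({"investigative"}),
              managed_clients=frozenset({"10.1.0.0/16"})),
        Grant("Role 3", policy=Policy.EXCEPTIONS_ONLY,
              report_scope=Scope.ALL_CLIENTS, report_features=ALL_FEATURES,
              managed_clients=frozenset({"hr-group"})),
    ],
    "asmith": [
        Grant("Role 1", policy=Policy.FULL,
              managed_clients=frozenset({"sales-group"})),
    ],
}

if __name__ == "__main__":
    print(effective_permissions(ASSIGNMENTS["jdoe"], "Role 1"))
    for finding in reporting_widened_by_other_roles(ASSIGNMENTS):
        print(finding)
```

Each finding names a role whose own reporting grant is narrower than what the administrator can actually report on, which is the assignment to revisit if reporting access is meant to be limited to protect end-user privacy.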
Multiple administrators accessing the TRITON console
Administrators in different roles can access the Web Security manager simultaneously to perform whatever activities their role permissions allow. Since they manage different clients, they can create and apply policies without conflict.
The situation is different if administrators with policy permissions in the same role try to connect at the same time. Only one administrator at a time can log on with full policy or exceptions-only permissions in the shared role. If a second administrator tries to log on with full policy or exceptions-only permissions while another administrator is logged on, the second administrator is given a choice:
Log on with read-only access (similar to temporary auditor permissions).
When this option is selected, the Role drop-down box shows “Role Name - [Read-Only]” as the current role, and offers the option of switching to “Role Name” (without any modifiers). This makes it possible to access the role with policy permissions when the role is no longer locked.
Log on for reporting only, if the administrator has reporting permissions.
Log on to a different role, if the administrator is assigned to any other roles.
Log on to view only the Status pages until the role becomes available (Limited Status access).
Try again later, after the first administrator logs off.
Administrators who are not using their policy permissions can do one of the following to unlock the role and allow another administrator to log on to manage policies:
If generating reports, select Release Policy Permissions from the Role drop-down list.
When this option is selected, policy management features are hidden from the logged-on administrator, but reporting features remain active.
If monitoring system performance, select Status Monitor from the Role drop-down list.
Administrators in Status Monitor mode can access the Status > Dashboard and Alerts pages, as well as Real-Time Monitor (if applicable). Their session does not time out.
If administrators in Status Monitor mode try to go to a page other than Dashboard, Alerts, or Real-Time Monitor, they are prompted to log on again.
Preparing for delegated administration
Related topics:
The fundamentals of delegated administration
Preparing delegated administrators
Managing delegated administration roles
Before creating delegated administration roles, there are 2 key planning and setup tasks for the Super Administrator to perform:
Review and edit the Filter Lock, which blocks specified categories and protocols for managed clients in all delegated administration roles. By default, the Filter Lock blocks and locks several categories, so it is important to check the default settings against the requirements of your organization.
Filter Lock restrictions are automatically enforced for all filters created in or copied to a delegated administration role, and cannot be modified by the delegated administrator.
Delegated administrators can apply any action to categories and protocols not blocked and locked in the Filter Lock.
Changes to the Filter Lock are implemented for all managed clients as soon as the changes are saved. Delegated administrators who are working in the Web Security manager when the changes take effect will not see the changes in their filters until the next time they log on.
Filter Lock restrictions do not apply to clients managed by the Super Administrator role.
Determine which Super Administrator policies and filters will be copied to each new role that you plan to create, and make adjustments to existing policies as needed.
By default, each role is created with a single Default policy, created from the Default category and protocol filter (not the Default policy) currently configured for the Super Administrator role.
Optionally, you can instead copy all policy objects (policies, filters, custom categories, and custom URLs) from the Super Administrator role to the new role. The delegated administrator then starts with a complete set of policies and policy components.
• Copies of policies and filters in a delegated administration role are subject to the Filter Lock, and are therefore not identical to the same policies and filters in the Super Administrator role.
• When the Unrestricted policy is copied, the policy and filter names are changed to reflect the fact that they are subject to the Filter Lock, and no longer permit all requests.
Copying Super Administrator policy objects to a new role can take a very long time, depending on how much information must be copied.
Once these planning steps are completed, each of the following delegated administration components must be put into place:
1. A Global Security Administrator creates administrator accounts on the TRITON Settings > Administrators page, and grants the accounts the appropriate level of Web Security access.
2. A Super Administrator creates delegated administration roles on the Policy Management > Delegated Administration page, then adds administrators and managed clients to the roles. See Managing delegated administration roles.
3. The Super Administrator notifies the delegated administrators that they have been granted administrative access to the Web Security manager, and explains their
Preparing delegated administrators
Creating a Filter Lock
The Policy Management > Filter Lock page lets you specify categories and protocols that are blocked for all managed clients in delegated administration roles.
Any category or protocol that is blocked in the Filter Lock is considered blocked and locked.
Click the Categories button to block and lock specific categories or category elements (keywords and file types).
Click the Protocols button to block and lock protocols, or to specify protocols that are always logged.
Locking categories
Use the Policy Management > Filter Lock > Categories page to select the categories to be blocked and locked for all members of delegated administration roles.
You also can block and lock keywords and file types for a category.
1. Select a category in the tree.
Delegated administration roles do not have access to custom categories created by the Super Administrators. Therefore, custom categories do not appear in this tree.
2. Set the restrictions for this category in the box that appears beside the category tree.
Option | Description
Lock category | Blocks and locks access to sites in this category.
Lock keywords | Blocks and locks access based on keywords defined for this category in each role.
Lock file types | Blocks and locks the selected file types for sites in this category. Be sure to mark the check box for each file type to be blocked and locked. Custom file types created by the Super Administrator are included on this list because they are available to delegated administration roles.
Apply to Subcategories | Applies the same settings to all subcategories of this category. You can block and lock selected elements for all categories at once, if appropriate. Select All Categories in the tree, and then select the elements to be blocked for all categories. Then, click Apply to Subcategories.
3. When you are finished making changes, click OK to cache the changes and return to the Filter Lock page. Changes are not implemented until you click Save and Deploy.
Locking protocols
Use the Policy Management > Filter Lock > Protocols page to block and lock access to, or lock logging of, selected protocols for all clients managed by delegated administration roles.
Note
Protocol logging is associated with protocol usage alerts. You cannot generate usage alerts for a protocol unless it is set for logging in at least one protocol filter. Enabling the Lock protocol logging option through the Filter Lock assures that usage alerts can be generated for the protocol. See Configuring protocol usage alerts.
1. Select a protocol in the tree.
Delegated administration roles do have access to custom protocols created by the Super Administrator. Therefore, custom protocols do appear in this tree.
2. Set the restrictions for this protocol in the box that appears beside the protocol tree.
Option | Description
Lock protocol | Blocks and locks access to applications and websites using this protocol.
Lock protocol logging | Logs information about access to this protocol, and prevents delegated administrators from disabling logging.
Apply to Group | Applies the same settings to all protocols in the group.
3. When you are finished making changes, click OK to cache the changes and return to the Filter Lock page. Changes are not implemented until you click Save and Deploy.
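The Filter Lock behavior described in this chapter (locked categories and protocols are forced to blocked in any filter copied to a delegated role, locked protocol logging cannot be disabled, and anything not locked stays under the delegated administrator's control) can be modelled as below. This is an added example, not code from the product or its documentation; the FilterLock class, the filter dictionary layout, and all category and protocol names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed category tree (parent -> subcategories); names are illustrative.
CATEGORY_TREE = {
    "Gambling": [],
    "Adult Material": ["Adult Content", "Nudity"],
    "News and Media": [],
}


@dataclass
class FilterLock:
    """Hypothetical model of the Filter Lock's category and protocol settings."""
    locked_categories: set = field(default_factory=set)
    locked_protocols: set = field(default_factory=set)
    locked_protocol_logging: set = field(default_factory=set)

    def lock_category(self, name, apply_to_subcategories=False):
        """Block and lock a category, optionally with all its subcategories."""
        self.locked_categories.add(name)
        if apply_to_subcategories:
            self.locked_categories.update(CATEGORY_TREE.get(name, []))


def copy_filter_to_role(sa_filter, lock):
    """Return the delegated-role copy of a Super Administrator filter.

    The copy is subject to the Filter Lock, so it can differ from the
    original; the Super Administrator's own filter is left untouched.
    """
    categories = {
        name: "block" if name in lock.locked_categories else action
        for name, action in sa_filter["categories"].items()
    }
    protocols = {}
    for name, setting in sa_filter["protocols"].items():
        protocols[name] = {
            "action": "block" if name in lock.locked_protocols else setting["action"],
            "log": True if name in lock.locked_protocol_logging else setting["log"],
        }
    return {"categories": categories, "protocols": protocols}


def check_delegated_edit(lock, edited_filter):
    """List the ways a delegated administrator's filter conflicts with the Filter Lock."""
    violations = []
    for name, action in edited_filter["categories"].items():
        if name in lock.locked_categories and action != "block":
            violations.append(f"category {name!r} is blocked and locked")
    for name, setting in edited_filter["protocols"].items():
        if name in lock.locked_protocols and setting["action"] != "block":
            violations.append(f"protocol {name!r} is blocked and locked")
        if name in lock.locked_protocol_logging and not setting["log"]:
            violations.append(f"protocol {name!r} logging is locked on")
    return violations


def build_sample_lock():
    """Constructed Filter Lock: one category subtree, one protocol, one logging lock."""
    lock = FilterLock()
    lock.lock_category("Adult Material", apply_to_subcategories=True)
    lock.locked_protocols.add("P2P-Example")
    lock.locked_protocol_logging.add("FTP")
    return lock


# Constructed stand-in for an unrestricted filter: everything permitted, nothing logged.
UNRESTRICTED = {
    "categories": {name: "permit" for parent, subs in CATEGORY_TREE.items()
                   for name in [parent, *subs]},
    "protocols": {
        "FTP": {"action": "permit", "log": False},
        "P2P-Example": {"action": "permit", "log": False},
    },
}

if __name__ == "__main__":
    lock = build_sample_lock()
    role_copy = copy_filter_to_role(UNRESTRICTED, lock)
    print(role_copy)
    role_copy["categories"]["Nudity"] = "permit"   # attempt to permit a locked category
    print(check_delegated_edit(lock, role_copy))
```

The copied filter no longer permits all requests, which is why a copied Unrestricted policy is renamed in the delegated role.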
Preparing delegated administrators
Related topics:
The fundamentals of delegated administration
Preparing for delegated administration
Performing delegated administrator tasks
After assigning individuals as administrators in any administrative role, make sure to give them the following information:
The URL for logging on to the TRITON console. By default: https://<TRITON_location>:9443/triton/
Substitute the IP address or hostname of the TRITON management server.
What Policy Server to select after logon, if applicable. In an environment with multiple Policy Server instances, administrators can select the Policy Server to use from the Web Security toolbar. They must select the Policy Server that is configured to communicate with the directory service that authenticates their managed clients.
Whether to use their network logon account or a local Websense account when logging on to the TRITON console. If administrators log on with local accounts, provide the user name and password.
Their permissions: to create and apply policies to clients in the role, generate reports, create policies and generate reports, or audit administrator tasks without implementing changes.
Advise administrators who have both policy and reporting permissions to consider what activities they plan to perform during the session. If they only plan to generate reports, recommend that they go to the Role field in the banner, and choose Release Policy Permissions. This frees the policy permissions for the role, enabling another administrator to access the Web Security manager and manage policy for that role.
How to find the list of clients managed by their role. Administrators can go to Policy Management > Delegated Administration, and then click their role name to display the Edit Role page, which includes a list of managed clients.
Limitations imposed by the Filter Lock, if any categories or protocols have been blocked and locked.
The tasks that are generally performed by administrators. See Performing delegated administrator tasks.
Be sure to notify delegated administrators when you add or change custom file types and protocols. These components automatically appear in filters and policies for all roles, so it is important for those administrators to know when changes have been made.
Managing delegated administration roles
Related topics:
The fundamentals of delegated administration
Preparing for delegated administration
The Policy Management > Delegated Administration page offers different options, depending on whether it is viewed by a Super Administrator or a delegated administrator.
Super Administrators see a list of all the roles currently defined, and have the following options available.
Option | Description
Add |
Role | Click a role name to view or configure the role.
Delete | Mark the check box next to a role name, then click the button to delete the selected roles. Available to unconditional Super Administrators only. , page 362, for information about how a role’s clients are managed after the role is deleted.
Advanced | Click to access the Manage Role Priority function.
Manage Role Priority | Click to specify which role’s policy settings are used when the same client exists in multiple groups that are managed by .
View Administrator Accounts | Click to see the local and network administrator accounts with Web Security manager access, and review their permission level and role assignments. See Reviewing administrator accounts.
Delegated administrators see only the roles in which they are administrators, and have access to more limited options.
Option | Description
Role | Click to view the clients assigned to the role, and the specific reporting permissions granted.
Adding roles
Related topics:
Preparing for delegated administration
Managing delegated administration roles
Use the Delegated Administration > Add Role page to provide a name and description for the new role.
1. Enter a Name for the new role.
The name must be between 1 and 50 characters long, and cannot include any of the following characters:
* < > ' { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,
Role names can include spaces and dashes.
2. Enter a Description for the new role.
The description may be up to 255 characters. The character restrictions that apply to role names also apply to descriptions, with 2 exceptions: descriptions can include periods (.) and commas (,).
3. Specify the Role Type:
A Policy management and reporting role gives administrators the ability to create filters and policies and apply them to managed clients. Administrators in these roles may also be given permission to report on managed clients or all clients.
If you select this role type, also indicate whether or not to Copy all Super Administrator policies, filters, and filter components to the new role. If you select this option, the process of creating the role may take several minutes.
If you do not copy all Super Administrator policies to the role, a Default policy is created for the role that enforces the Super Administrator Default category and protocol filters.
An Investigative reporting role allows administrators to report on their managed clients only, using the investigative reports tool. Managed clients in an investigative reporting role may also be added to a policy management and reporting role.
4. Click OK to display the Edit Role page and define the characteristics of this role.
If you created a policy management and reporting role, the new role is added to the Role drop-down list in the Web Security toolbar the next time you log on.
If you created an investigative reporting role, the name does not appear in the role drop-down. This reflects the fact that reporting permissions are cumulative (see Administrators in multiple roles).
Editing roles
Related topics:
Managing delegated administration roles
Delegated administrators can use the Delegated Administration > Edit Role page to view the list of clients managed by their role, and the specific reporting permissions granted.
Super Administrators can use this page to select the administrators and clients for a role, and to set administrator permissions, as described below. Only unconditional Super Administrators can delete administrators and clients from a role.
1. Change the role Name and Description, as needed.
The name of the Super Administrator role cannot be changed.
2. Add or remove administrators for this role (Super Administrators only).
Item | Description
User Name | Administrator’s user name.
Account Type | Indicates whether the user is defined in the network directory service (Directory) or unique to the TRITON console (Local).
Reporting | Give the administrator permission to use reporting tools.
Real-Time Monitor | Give the administrator permission to monitor all Internet activity for any Policy Server.
Policy | Give the administrator permission to create filters and policies, and apply policies to the role’s managed clients. In the Super Administrator role, administrators with policy permission can also manage certain Websense configuration settings. See Super Administrator permissions.
Auditor | Give the administrator permissions to see all of the features and functions available to other administrators in the role, but without the ability to save changes. The check boxes for other permissions are disabled when Auditor permissions are selected.
354
Websense Web Security Solutions
Delegated Administration and Reporting
Item
Add
Delete
Description
Open the Add Administrators page. See
.
Remove the selected administrators from the role.
Available to unconditional Super Administrators only.
Unconditional Super Administrator accounts can only be removed from the TRITON Settings > Administrators page.
3. Add and delete Managed Clients for the role.
Changes can be made by Super Administrators only. Delegated administrators can view the clients assigned to their role.
Item | Description
<Name> | Displays the name of each client explicitly assigned to the role. Administrators in the role must add the clients to the Clients page before policies can be applied. See Performing delegated administrator tasks.
Add | Opens the Add Managed Clients page.
Delete | Available to unconditional Super Administrators only, this button removes from the role any clients marked in the managed clients list.
Some clients cannot be deleted directly from the managed
information.
4. Use the Deployment Status Permissions area to indicate whether administrators in this role can Access the Status > Deployment page to see information about the status of the Web Security components in your deployment.
If you grant delegated administrators access to the page, also select whether they can Start components or Stop components.
5. Use the Reporting Permissions area to select the features available to administrators in this role who have reporting access.
a. Choose the general level of reporting permissions:
Option | Description
Report on all clients | Select this option to give administrators permission to generate reports on all network users. Use the remaining options in the Reporting Permissions area to set the specific permissions for administrators in this role.
Report on managed clients only | Select this option to limit administrators to reporting on the managed clients assigned to this role. Then, select the investigative reports features these administrators can access. Administrators limited to reporting on managed clients only cannot access presentation reports or user-based reports on the Web Security Dashboard.
b. Mark the check box for each reporting feature that appropriate administrators in the role are permitted to use.
Option | Description
Access presentation reports | Enables access to presentation reports features. This option is available only when administrators can report on all clients.
Access the Web Security Dashboard | Enables display of charts showing Internet activity on the Risks, Usage, and System dashboards. If this option is deselected, administrators can view only the Health Alert and Value Estimates (if displayed) sections of the System dashboard.
Access the Threats dashboard | Allows administrators to access charts, summary tables, and event details related to advanced malware threat activity in your network.
Access forensics data in the Threats dashboard | With Websense Web Security Gateway or Gateway Anywhere, allows administrators to view files associated with threat activity, and review information about attempts to send the files. See Configuring forensics data storage.
Access investigative reports | Enables access to basic investigative reports features. When this option is selected, additional investigative reports features can be selected, also.
View user names in investigative reports | Allows administrators in this role to view user names, if they are logged. See Configuring how requests are logged. Deselect this option to show only system-generated identification codes, instead of names. This option is available only when administrators are granted access to investigative reports.
Save investigative reports as favorites | Allows administrators in this role to create favorite investigative reports. See Favorite investigative reports. This option is available only when administrators are granted access to investigative reports.
Schedule investigative reports | Allows administrators in this role to schedule investigative reports to run at a future time or on a repeating cycle. See Scheduling investigative reports. This option is available only when administrators are granted permissions to save investigative reports as favorites.
Manage the Log Database | Allows administrators to access the Settings > Reporting > Log Database page. See Log Database administration settings.
Access application reports | Allows administrators to see browser, platform, and user agent data on the Reporting > Applications page.
6. When you are finished making changes, click OK to cache the changes and return to the Delegated Administration page. Changes are not implemented until you click Save and Deploy.
Adding Administrators
Web Security Help | Web Security Solutions | Version 7.8.x
Super Administrators can use the Delegated Administration > Edit Role > Add Administrators page to specify which individuals are administrators for a role.
Note
Administrators can be added to multiple roles. These administrators must choose a role during logon. In this situation, the administrator receives the combined reporting permissions for all roles.
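Because reporting permissions from every role are combined, a role that hides user names does not limit an administrator who also belongs to a role that shows them. The Python below is an added example, not part of the product or this Help: the option labels, roles, and accounts are constructed, and "combined" is modeled as a set union. It checks the option prerequisites listed in the Editing roles tables and lists administrators who gain a wider reporting scope through a second role.

```python
# Prerequisites stated in the Reporting Permissions tables on this page:
# option -> option that must also be selected. Names are shortened labels
# chosen for this example, not product identifiers.
REQUIRES = {
    "presentation_reports": "report_on_all_clients",
    "view_user_names": "investigative_reports",
    "save_favorites": "investigative_reports",
    "schedule_investigative": "save_favorites",
}

# Options that widen whose activity, or whose identity, an administrator sees.
SENSITIVE = ("report_on_all_clients", "view_user_names")

# Constructed sample roles and accounts.
ROLE_REPORTING = {
    "Regional Managers": {"investigative_reports", "save_favorites"},
    "HR Reporting": {"report_on_all_clients", "presentation_reports",
                     "investigative_reports", "view_user_names"},
    "Campus IT": {"investigative_reports", "schedule_investigative"},
}
ADMIN_ROLES = {
    "kchan": ["Regional Managers", "HR Reporting"],
    "bortiz": ["Regional Managers", "Campus IT"],
    "dnguyen": ["HR Reporting"],
}


def unmet_prerequisites(selected):
    """Return {option: missing prerequisite} for one role's selected options."""
    return {opt: REQUIRES[opt] for opt in sorted(selected)
            if opt in REQUIRES and REQUIRES[opt] not in selected}


def effective_reporting(admin, admin_roles, role_reporting):
    """Union of the reporting options of every role the administrator holds."""
    combined = set()
    for role in admin_roles[admin]:
        combined |= role_reporting[role]
    return combined


def accumulated_grants(admin_roles, role_reporting, sensitive=SENSITIVE):
    """List sensitive options an administrator holds through some roles while
    another of their roles withholds them: {admin: {option: [granting roles]}}."""
    findings = {}
    for admin, roles in sorted(admin_roles.items()):
        for opt in sensitive:
            granting = [r for r in roles if opt in role_reporting[r]]
            if granting and len(granting) < len(roles):
                findings.setdefault(admin, {})[opt] = granting
    return findings


if __name__ == "__main__":
    for role, options in ROLE_REPORTING.items():
        for opt, missing in unmet_prerequisites(options).items():
            print(f"{role}: {opt} needs {missing}")
    for admin, grants in accumulated_grants(ADMIN_ROLES, ROLE_REPORTING).items():
        for opt, roles in grants.items():
            print(f"{admin}: gains {opt} through {', '.join(roles)}")
```

Run against an inventory of roles, the findings identify which accounts to watch in the audit log and which role memberships to reconsider.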
Delegated administrators have significant control over the Internet activities of their managed clients. To ensure that this control is handled responsibly and in accordance with your organization’s acceptable use policies, Super Administrators should use the Audit Log page to monitor changes made by administrators. See Viewing and exporting the audit log.
1. If you plan to assign network accounts as delegated administrators, make sure you are logged on to the Policy Server whose Settings > General > Directory Service configuration matches the TRITON Settings > User Directory configuration.
If you are adding only local accounts as administrators, you can be logged on to any Policy Server.
2. Under Local Accounts, mark the check box for one or more users, and then click the right arrow button to move the highlighted users to the Selected list.
3. Under Network Accounts, mark the check box for one or more users, and then click the right arrow (>) button to move them to the Selected list.
Note
Custom LDAP groups cannot be added as administrators.
4. Set the Permissions for administrators in this role.
Option | Description
Administrator: Policy Management | Let administrators in this role apply policies to their managed clients. This also grants access to certain Websense configuration settings.
Administrator: Reporting | Grant administrators access to reporting tools. Use the Edit Role page to set the specific reporting features permitted.
Administrator: Real-Time Monitor | Allow administrators to monitor Internet traffic in real time.
Auditor | Give the administrator access to view all features available to other administrators in the role, without the ability to save changes.
5. When you are finished making changes, click OK to return to the Edit Role page.
6. Click OK on the Edit Role page to cache your changes. Changes are not implemented until you click Save and Deploy.
Adding managed clients
Web Security Help | Web Security Solutions | Version 7.8.x
Related topics:
Managing delegated administration roles
Managed clients are the users and computers assigned to a role, whose policies are set by the role’s administrators. Directory clients (users, groups, and domains [OUs]), computers (individual IPv4 or v6 addresses), and networks (IPv4 or v6 address ranges) can all be defined as managed clients.
Super Administrators can use the Delegated Administration > Edit Role > Add Managed Clients page to add as many clients to a role as needed. Each client can be assigned to only one policy management and reporting role.
If you assign a network range as a managed client in one role, you cannot assign individual IP addresses within that range to any other role. Additionally, you cannot specifically assign a user, group, or domain (OU) to 2 different roles. However, you can assign a user to one role, and then assign to a different role a group or domain (OU) of which the user is a member.
Note
If a group is a managed client in one role, and that role’s administrator applies a policy to each member of the group, individual users in that group cannot later be assigned to another role.
When adding managed clients, consider which client types to include.
If you add IP addresses to a role, administrators for that role can report on all activity for the specified machines, regardless of who is logged on.
If you add users to a role, administrators can report on all activity for those users, regardless of the machine where the activity occurred.
Administrators are not automatically included as managed clients in the roles they administer, since that would enable them to set their own policy. To allow administrators to view their own Internet usage, enable self-reporting (see
If your organization has deployed multiple Policy Servers, and the Policy Servers communicate with different directories, be sure to select the Policy Server connected to the directory containing the clients you want to add.
Note
Best practices indicate that all directory clients in the same role be defined in the same directory.
1. Select clients for the role:
Under Directory, mark the check box for one or more users.
If your environment uses Active Directory (Native Mode) or another LDAP-based directory service, you can search the directory to find specific user, group, or domain (OU) names. See Searching the directory service.
Under Computer, enter the IP address to be added to this role in IPv4 or IPv6 format.
Under Network, enter the first and last IP addresses in a range in IPv4 or IPv6 format.
2. Click the right arrow (>) button adjacent to the client type to move the clients to the Selected list.
3. When you are finished making changes, click OK to return to the Edit Role page.
4. Click OK on the Edit Role page to cache your changes. Changes are not implemented until you click Save and Deploy.
Managing role conflicts
Web Security Help | Web Security Solutions | Version 7.8.x
Related topics:
Managing delegated administration roles
Directory services allow the same user to belong to multiple groups. As a result, a single user may exist in groups that are managed by different delegated administration roles. The same situation exists with domains (OUs).
Additionally, it is possible for a user to be managed by one role, and belong to a group or domain (OU) that is managed by a different role. If the administrators for both of these roles are logged on simultaneously, the administrator responsible for the user could apply policy to that user at the same time as the administrator responsible for the group applies policy to the individual members of the group.
Use the Delegated Administration > Manage Role Priority page to tell Websense software what to do if different policies apply to the same user because of an overlap.
When a conflict occurs, Websense software applies the policy from the role that appears highest on this list.
1. Select any role on the list, except Super Administrator.
Note
The Super Administrator role is always first on this list. It cannot be moved.
2. Click Move Up or Move Down to change its position in the list.
3. Repeat steps 1 and 2 until all roles have the desired priority.
4. When you are finished making changes, click OK to cache the changes and return to the Delegated Administration page. Changes are not implemented until you click Save and Deploy.
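The assignment rules under Adding managed clients and the priority rule above can be checked against a planned role layout before it is entered in the console. The Python below is an added example, not Websense code: the role names, clients, group membership, and function names are constructed for illustration, and every role is assumed to be a policy management and reporting role.

```python
import ipaddress

# Constructed planning data, not exported from any product. Client tuples:
# ("user", name), ("group", name), ("domain", name), ("computer", ip),
# ("network", first_ip, last_ip).
ROLES = {
    "EMEA Office": [("network", "10.20.0.0", "10.20.255.255"), ("group", "Sales")],
    "HR Reporting": [("computer", "10.20.4.17"), ("user", "jdoe")],
    "Engineering": [("group", "Developers"), ("user", "jdoe")],
}
# Directory membership for groups and domains (OUs), also constructed.
GROUP_MEMBERS = {"Sales": {"jdoe", "mlee"}, "Developers": {"mlee", "asmith"}}
# Manage Role Priority order, highest first.
PRIORITY = ["Super Administrator", "HR Reporting", "EMEA Office", "Engineering"]


def in_range(ip, first, last):
    """True if ip lies in [first, last]; mixed IPv4/IPv6 never matches."""
    ip, first, last = (ipaddress.ip_address(x) for x in (ip, first, last))
    return ip.version == first.version == last.version and first <= ip <= last


def disallowed_assignments(roles):
    """Return (client, role_a, role_b) for assignments the page rules out."""
    problems = []
    names = sorted(roles)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for ca in roles[a]:
                for cb in roles[b]:
                    # The same client explicitly assigned to two roles.
                    if ca == cb:
                        problems.append((ca, a, b))
                        continue
                    # An individual IP address in one role that falls inside
                    # a network range assigned to another role.
                    for net, host, net_role, host_role in ((ca, cb, a, b), (cb, ca, b, a)):
                        if (net[0], host[0]) == ("network", "computer") \
                                and in_range(host[1], net[1], net[2]):
                            problems.append((host, net_role, host_role))
    return problems


def priority_winners(roles, group_members, priority):
    """Map each user reachable through more than one role to the role whose
    policy applies if administrators in those roles each assign one."""
    if priority[0] != "Super Administrator":
        raise ValueError("Super Administrator is always first in the list")
    reach = {}  # user -> roles that can apply policy to that user
    for role, clients in roles.items():
        for kind, name, *_ in clients:
            if kind == "user":
                users = {name}
            elif kind in ("group", "domain"):
                users = group_members.get(name, set())
            else:
                users = set()
            for user in users:
                reach.setdefault(user, set()).add(role)
    return {user: min(rs, key=priority.index)
            for user, rs in sorted(reach.items()) if len(rs) > 1}


if __name__ == "__main__":
    for client, a, b in disallowed_assignments(ROLES):
        print(f"not allowed: {client} conflicts between {a!r} and {b!r}")
    for user, role in priority_winners(ROLES, GROUP_MEMBERS, PRIORITY).items():
        print(f"{user}: policy from {role!r} wins")
```

The second function covers only overlaps that the page permits, such as a user in one role who belongs to a group managed by another; reviewing its output shows which role's policy governs each shared user under the current priority order.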
Updating delegated administration roles
Web Security Help | Web Security Solutions | Version 7.8.x
Policies and managed clients are typically added to a role when the role is created.
Delegated administrators with policy permissions can edit existing policies and create new policies within the role that they manage.
As new members join the organization, a Super Administrator can add them to
).
Super Administrators can also move clients (see
Copying filters and policies to roles
, page 266 ) from the Super Administrator
role to an existing delegated administration role at any time.
When a client is moved to a delegated administration role, the policy applied in the Super Administrator role is also copied. During this copy process, the filters are updated to enforce the restrictions of the Filter Lock, if any.
In the target role, the tag “(Copied)” is added to the end of the filter or policy name. Administrators for that role can readily identify the new item and update it appropriately.
Encourage administrators in the role to rename the filters and policies, and to edit them as needed, to clarify their settings and to minimize duplicates. These changes can simplify future maintenance efforts.
After the client is moved to the new role, only an administrator in that role can modify the client’s policy or the filters it enforces. Changes in the original policy or filters in the Super Administrator role do not affect copies of the policy or filters in delegated administration roles.
When policies and filters are copied to a delegated administration role directly, the same constraints are enforced that apply when filters and policies are copied as part of moving a client.
Filter Lock restrictions are implemented during the copy.
Permit All category and protocol filters are renamed, and become editable filters subject to the Filter Lock.
Copied filters and policies are identified in the role by the (Copied) tag in the name.
Consider editing policy descriptions before starting the copy, to assure that they are meaningful to the administrators in the target roles.
Delete roles
Web Security Help | Web Security Solutions | Version 7.8.x
On the Delegated Administration page, unconditional Super Administrators can delete any roles that have become obsolete.
Deleting a role also removes all clients that the role’s administrators have added to the Clients page. After the role is deleted, if those clients belong to any networks, groups, or domains managed by other roles, they are governed by the appropriate policy
). Otherwise, they are governed by the Super Administrator’s Default policy.
1. On the Delegated Administration page, mark the check box beside each role to be deleted.
Note
You cannot delete the Super Administrator role.
2. Click Delete.
3. Confirm the delete request to remove the selected roles from the Delegated Administration page. Changes are not permanent until you click Save and Deploy.
The deleted role is cleared from the Role drop-down list in the banner the next time you log on to the TRITON console.
Delete managed clients
Web Security Help | Web Security Solutions | Version 7.8.x
Clients cannot be deleted directly from the managed clients list (Delegated Administration > Edit Role) if:
the administrator has applied a policy to the client
the administrator has applied a policy to one or more members of a network, group, or domain (OU)
There may also be problems if the Super Administrator is connected to a different Policy Server than the one that communicates with the directory service containing the clients to be deleted. In this situation, the current Policy Server and directory service do not recognize the clients.
An unconditional Super Administrator can assure that the appropriate clients can be deleted, as follows.
1. Open the Policy Server list in the Web Security toolbar and make sure that you are connected to the Policy Server that communicates with the appropriate directory. You must be logged on with unconditional Super Administrator permissions.
2. Open the Role list in the Web Security toolbar, and select the role from which managed clients are to be deleted.
3. Go to Policy Management > Clients to see a list of all the clients to which the delegated administrator has explicitly assigned a policy.
This may include both clients that are specifically identified on the role’s managed clients list, and clients who are members of networks, groups, domains, or organizational units on the managed clients list.
4. Delete the appropriate clients.
5. Click OK to cache the changes.
6. Open the Role list in the banner, and select the Super Administrator role.
7. Go to Policy Management > Delegated Administration > Edit Role.
8. Delete the appropriate clients from the managed clients list, and then click OK to confirm the delete request.
9. Click OK on the Edit Role page to cache the changes. Changes are not implemented until you click Save and Deploy.
Managing Super Administrator clients
Web Security Help | Web Security Solutions | Version 7.8.x
Clients who are not specifically assigned to a delegated administration role are managed by Super Administrators. There is no Managed Clients list for the Super Administrator role.
To apply policies to these clients, add them to the Policy Management > Clients page. See , page 84 . Clients who have not been assigned a specific policy are governed by the Super Administrator Default policy.
There may be times when you cannot add clients to the Clients page. This can occur when the client is a member of a network, group, or domain (OU) that is assigned to another role. If the administrator of the other role has applied a policy to individual members of the network or group, those clients cannot be added to the Super Administrator role.
Performing delegated administrator tasks
Web Security Help | Web Security Solutions | Version 7.8.x
Any delegated administrator who uses a Websense account (not their network credentials) to log onto the TRITON console can review their account information and change their password.
Delegated administrators who have policy permissions can perform the following tasks.
View their role definition.
Navigate to the Policy Management > Delegated Administration page and click the role name. This brings up the Edit Role page, which lists the role’s managed clients and shows the reporting features available to administrators who have reporting permissions in the role.
Add clients to the Clients page.
Apply policies to clients on the Clients page (see
Reporting permissions can be granted at a granular level. The specific reporting permissions granted to your role determine which of the following tasks are available to administrators with reporting permissions.
To learn which features you can use, go to the Delegated Administration page and click the role name. The Edit Role page shows the reporting features for which you have permissions. For information about using any of those features, see:
View your user account
Web Security Help | Web Security Solutions | Version 7.8.x
Related topics:
Performing delegated administrator tasks
Add clients to the Clients page
If you log on to the TRITON console with network credentials, password changes are handled through your network directory service. Contact your system administrator for assistance.
If you have been assigned a local user name and password, view information about your account and change your password within the TRITON console.
1. Click TRITON Settings in the TRITON toolbar, just under the banner.
The My Account page opens.
2. To change your password, first enter your current password, then enter and confirm a new password.
The password must be between 4 and 255 characters.
Strong passwords are recommended: 8 characters or longer, including at least one uppercase letter, lowercase letter, number, and special character (such as hyphen, underscore, or blank).
Click OK to save and implement the change.
3. To see a list of roles that you can administer, go to the Web Security manager Policy Management > Delegated Administration > View Administrator Accounts page.
If you are assigned to manage only one role, its name appears in the list.
If you are assigned to manage multiple roles, click View next to your user name to see them listed.
4. When you are finished, click Close to return to the Delegated Administration page.
Add clients to the Clients page
Web Security Help | Web Security Solutions | Version 7.8.x
Related topics:
Performing delegated administrator tasks
After Super Administrators assign managed clients to a role, delegated administrators can add them to the Clients page and assign them policies.
When clients are added to a managed clients list, their Internet requests are immediately subject to a policy in the role.
Clients previously assigned a policy within the Super Administrator role are governed by a copy of that policy in the new role. The Move to Role process automatically copies the applicable policy.
Clients not previously assigned a policy receive the new role’s Default policy.
Initially, this Default policy enforces a Default category and protocol filter copied from the Super Administrator role.
Any client that appears in the Managed Clients list on the Delegated Administration > Edit Role page for your role can be added to the Clients page and assigned a policy.
For groups, domains (OUs), and networks assigned to the role, you can also add:
Individual users who are members of the group or OU
Individual computers that are members of the network
Because a user may be part of multiple groups or OUs, adding individuals from a larger client grouping has the potential to create conflicts when different roles manage groups or OUs with common members. If administrators in different roles access the Web Security manager at the same time, they might add the same client (individual member of a group, for instance) to their Clients page. In that situation, policy enforcement for that client is governed by the priority established for each role.
Create policies and filters
Web Security Help | Web Security Solutions | Version 7.8.x
Related topics:
Performing delegated administrator tasks
Add clients to the Clients page
When your role was created, it automatically inherited the current Default category filter and protocol filter from the Super Administrator role. A role-specific Default policy was created that enforces the inherited Default category and protocol filters.
(This role-specific Default policy is automatically applied to any client added to the role until another policy is assigned.)
The Super Administrator may have copied other policies and filters to your role, as well.
In addition to policies and filters, you also inherit any custom file types and protocols created by the Super Administrator.
You can edit inherited policies and filters. Changes you make affect your role only.
Any changes the Super Administrator later makes to the original policies and filters do not affect your role.
Note
Changes the Super Administrator makes to file types and protocols automatically affect the filters and policies in your role.
When a Super Administrator informs you of changes to these components, review your filters and policies to be sure they are handled appropriately.
You can also create as many new filters and policies as you need. Filters and policies created by a delegated administrator are available only to administrators logged on to your role. For instructions on creating policies, see
For instructions on creating filters, see
.
You can edit filter components for your role, with some limitations.
Categories: Add or edit custom categories; assign custom URLs and keywords to custom or Master Database categories; change the action applied by default in category filters. (Changes to a category’s default action are implemented only if the category is not locked by the Filter Lock.)
Protocols: Change the action applied by default in protocol filters in your role. (Changes to a protocol’s default action are implemented only if the protocol is not locked by the Filter Lock.) Delegated administrators cannot add or delete protocol definitions.
File types: View the file extensions assigned to each file type. Delegated administrators cannot add file types or change the extensions assigned to a file type.
If a Super Administrator has implemented Filter Lock restrictions, there may be categories or protocols that are automatically blocked, and cannot be changed in the filters you create and edit.
Reviewing administrator accounts
Web Security Help | Web Security Solutions | Version 7.8.x
Use the Delegated Administration > View Administrator Accounts page to:
See a list of local and network accounts that have been given Web Security access by a Global Security administrator.
Check the level of permissions assigned to each account.
See a list of roles associated with each account.
If an account has been added to a single role as an administrator, that role is listed to the right of the account name. If the account can be used to manage multiple roles, click View to see the roles listed.
Delegated administrators see account information for only their own account, and not for all accounts.
When you are finished reviewing administrator accounts, click Close to return to the Delegated Administration page.
Enabling network accounts
Web Security Help | Web Security Solutions | Version 7.8.x
Global Security Administrators can use the TRITON Settings > User Directory page to enter the directory service information needed to allow administrators to log on to the TRITON console with their network credentials.
This task is done in addition to the configuration done by Web Security Super Administrators to define the directory service used to identify user and group clients.
Note
Client directory service information is configured on the Settings > Directory Services page.
TRITON administrators’ network credentials must be authenticated against a single directory service. If your network includes multiple directories, a trusted relationship must exist between the directory specified in TRITON Settings and the others.
If it is not possible to define a single directory service for use with the TRITON Unified Security Center, consider creating local accounts for administrators.
Specific instructions for defining the directory used to authenticate administrator logons can be found in the TRITON Settings Help.
- 224 Configure user access to the hybrid service
- 226 Adding domains
- 227 Editing domains
- 227 Customizing hybrid block pages
- 228 Enabling HTTPS notification pages
- 229 What is a PAC file?
- 231 Send user and group data to the hybrid service
- 231 Configure Directory Agent settings for the hybrid service
- 233 Configure how data is gathered for the hybrid service
- 234 Oracle (Sun Java) Directory Server and the hybrid service
- 235 Novell eDirectory and the hybrid service
- 236 Adding and editing directory contexts
- 238 Optimizing search results
- 239 Schedule communication with the hybrid service
- 241 Define custom authentication settings
- 242 Adding custom authentication rules
- 243 Editing custom authentication rules
- 245 Monitor communication with the hybrid service
- 246 View hybrid service authentication reports
- 247 View User Agent Volume report
- 249 Manage Off-site Users
- 250 Using remote filtering software
- 251 Configuring Remote Filtering settings
- 252 Configure remote filtering to ignore FTP or HTTPS traffic
- 253 Configure the Remote Filtering Client heartbeat interval
- 253 Hybrid service management of off-site users
- 254 Configuring hybrid filtering for off-site users
- 254 Off-site user self-registration
- 257 Protect Vital Information
- 257 Protecting against data loss
- 258 Protecting end users’ devices
- 258 Mobile Integration
- 261 Refine Web Security Policies
- 261 Restricting users to a defined list of URLs
- 262 Limited access filters and enforcement order
- 263 Creating a limited access filter
- 264 Editing a limited access filter
- 265 Adding sites from the Edit Policy page
- 266 Copying filters and policies to roles
- 267 Building filter components
- 268 Working with categories
- 268 Editing categories and their attributes
- 269 Reviewing all customized category attributes
- 270 Making global category changes
- 270 Renaming a custom category
- 271 Creating a custom category
- 272 Keyword-based policy enforcement
- 273 Defining keywords
- 274 Reclassifying specific URLs
- 276 Prioritizing Security Risk categorization
- 277 Blocking posts to sites in some categories
- 278 Working with protocols
- 279 Protocol-based policy enforcement
- 280 Editing custom protocols
- 280 Adding or editing protocol identifiers
- 281 Renaming a custom protocol
- 282 Making global protocol changes
- 282 Creating a custom protocol
- 284 Adding to a Websense-defined protocol
- 284 Using Bandwidth Optimizer to manage bandwidth
- 286 Configuring the default Bandwidth Optimizer limits
- 287 Managing traffic based on file type
- 288 Enforcement based on file extension
- 291 Enforcement based on file analysis
- 292 Enabling file type blocking in a category filter
- 293 Working with file type definitions
- 294 Adding custom file types
- 294 Adding file extensions to a file type
- 296 Using regular expressions
- 296 Using the Toolbox to verify policy enforcement behavior
- 297 URL Category
- 297 Check Policy
- 298 Test Filtering
- 298 URL Access
- 298 Investigate User
- 299 Identifying a user to check policy or test filtering
- 301 User Identification
- 302 Transparent identification
- 303 Transparent identification of remote users
- 303 Manual authentication
- 304 Configuring user identification methods
- 306 Setting authentication rules for specific machines
- 306 Defining exceptions to user identification settings
- 307 Revising exceptions to user identification settings
- 308 Secure manual authentication
- 309 Generating keys and certificates
- 310 Activating secure manual authentication
- 311 Accepting the certificate within the client browser
- 312 DC Agent
- 313 Configuring DC Agent
- 315 Reviewing DC Agent polled domains and domain controllers
- 316 The dc_config.txt file
- 317 Logon Agent
- 318 Configuring Logon Agent
- 319 RADIUS Agent
- 320 Configuring RADIUS Agent
- 321 eDirectory Agent
- 322 Configuring eDirectory Agent
- 323 Adding an eDirectory server replica
- 324 Configuring eDirectory Agent to use LDAP
- 325 Enabling full eDirectory Server queries
- 326 Configuring an agent to ignore certain user names
- 328 Identification of hybrid users
- 330 Authentication priority and overrides
- 331 Web Endpoint deployment overview
- 333 Manually deploying Web Endpoint for Windows
- 335 Manually deploying Web Endpoint for Mac OS X
- 335 Integrating a single sign-on identity provider
- 336 Websense Directory Agent
- 337 Directory Agent and User Service
- 338 When users are not identified
- 339 Delegated Administration and Reporting
- 340 The fundamentals of delegated administration
- 340 Delegated administration roles
- 341 Delegated administrators
- 342 Delegated administration and reporting permissions
- 345 Administrators in multiple roles
- 346 Multiple administrators accessing the TRITON console
- 347 Preparing for delegated administration
- 348 Creating a Filter Lock
- 349 Locking categories
- 350 Locking protocols
- 351 Preparing delegated administrators
- 352 Managing delegated administration roles
- 353 Adding roles
- 354 Editing roles
- 357 Adding Administrators
- 359 Adding managed clients
- 360 Managing role conflicts
- 361 Updating delegated administration roles
- 362 Delete roles
- 362 Delete managed clients
- 363 Managing Super Administrator clients
- 363 Performing delegated administrator tasks
- 364 View your user account
- 365 Add clients to the Clients page
- 366 Create policies and filters
- 367 Reviewing administrator accounts
- 367 Enabling network accounts
- 369 Web Security Server Administration
- 370 Websense Web Security components
- 371 Policy enforcement and management components
- 374 Reporting components
- 375 User identification components
- 376 Interoperability components
- 376 Reviewing your Web Security deployment
- 377 Using the Policy Server map
- 378 Using the component list
- 379 Evaluating directory performance
- 380 Review directory server details
- 380 Understanding Policy Broker
- 381 Reviewing Policy Broker connections
- 382 Working with Policy Server
- 383 Reviewing Policy Server connections
- 384 Adding or editing Policy Server instances
- 385 Working in a multiple Policy Server environment
- 386 Changing the Policy Server IP address
- 388 Working with Filtering Service
- 389 Review Filtering Service details
- 389 Review Master Database download status
- 390 Resuming Master Database downloads
- 390 Filtering Service support for YouTube in Schools
- 391 Policy Server, Filtering Service, and State Server
- 394 Integrating with a third-party SIEM solution
- 395 Working with Content Gateway
- 396 Managing Content Gateway connections
- 396 Viewing and exporting the audit log
- 398 Stopping and starting Websense services
- 401 Websense Web Security installation directories
- 401 Alerting
- 402 Flood control
- 402 Configuring general alert options
- 403 Configuring system alerts
- 405 Configuring category usage alerts
- 405 Adding or editing category usage alerts
- 406 Configuring protocol usage alerts
- 407 Adding or editing protocol usage alerts
- 408 Configuring suspicious activity alerts
- 409 Reviewing current system status
- 410 Backing up and restoring your Websense data
- 412 Scheduling backups
- 414 Running immediate backups
- 415 Maintaining the backup files
- 416 Restoring your Websense data
- 417 Discontinuing scheduled backups
- 417 Command reference
- 419 Reporting Administration
- 420 Assigning categories to risk classes
- 421 Configuring reporting preferences
- 422 Configuring how requests are logged
- 424 Configuring Log Server
- 429 Testing the Log Database connection
- 430 Introducing the Log Database
- 431 Database jobs
- 432 Log Database administration settings
- 433 Configuring database partition options
- 436 Configuring Log Database maintenance options
- 438 Configuring how URLs are logged
- 439 Configuring Internet browse time options
- 440 Configuring trend and application data retention
- 442 Log Database sizing guidance
- 443 Configuring Dashboard reporting data
- 446 Configuring investigative reports
- 446 Database connection and report defaults
- 448 Display and output options
- 450 Self-reporting
- 451 Network Configuration
- 452 Network Agent configuration
- 453 Configuring global settings
- 454 Configuring local settings
- 456 Configuring NIC settings
- 457 Configuring monitoring settings for a NIC
- 458 Adding or editing IP addresses
- 459 Verifying Network Agent configuration
- 461 Troubleshooting
- 461 Installation and subscription issues
- 462 There is a subscription problem
- 462 Unable to verify the subscription key
- 463 After upgrade, users are missing from the Web Security manager
- 463 Master Database issues
- 463 The initial filtering database is being used
- 464 The Master Database is more than 1 week old
- 464 The Master Database does not download
- 465 Subscription key
- 465 Internet access
- 466 Verify firewall or proxy server settings
- 467 Insufficient disk space on the Filtering Service machine
- 468 Insufficient memory on the Filtering Service machine
- 468 Restriction applications
- 469 Master Database download does not occur at the correct time
- 469 Contacting Technical Support for database download issues
- 470 Policy enforcement issues
- 470 Filtering Service is not running
- 471 User Service is not available
- 471 High CPU usage on the Filtering Service machine
- 472 Sites are incorrectly categorized as Information Technology
- 472 Keywords are not being blocked
- 473 Custom or limited access filter URLs are not handled as expected
- 473 Websense software is not applying user or group policies
- 473 Remote users do not receive the correct policy
- 474 Network Agent issues
- 474 Network Agent is not installed
- 474 Network Agent is not running
- 475 Network Agent is not monitoring any NICs
- 475 Network Agent can’t communicate with Filtering Service
- 476 Update Filtering Service IP address or UID information
- 476 Insufficient memory on the Network Agent machine
- 477 High CPU usage on the Network Agent machine
- 477 User configuration and identification issues
- 477 User and group-based policies are not applied
- 478 Unusually high directory server connection latency
- 479 Filtering Service can’t communicate with transparent ID agent
- 480 DC Agent has insufficient permissions
- 481 DC Agent unable to access required file
- 482 DC Agent Domains and Controllers page is blank
- 482 I cannot add users and groups to the Web Security manager
- 483 Directory service connectivity and configuration
- 483 Directory service configuration
- 484 User identification and Windows Server
- 484 Turning on the Computer Browser service
- 485 Changing DC Agent, Logon Agent, and User Service permissions
- 486 User Service on a Websense appliance or Linux server
- 487 Remote users are not prompted for manual authentication
- 487 Remote users are not being filtered correctly
- 488 Block message issues
- 488 No block page appears for a blocked file type
- 488 Users receive a browser error instead of a block page
- 489 A blank white page appears instead of a block page
- 489 Log, status message, and alert issues
- 490 Where do I find error messages for Websense components?
- 490 Websense Health alerts
- 492 Two log records are generated for a single request
- 492 Usage Monitor is not available
- 493 Usage Monitor is not running
- 493 Policy Server and Policy Broker issues
- 493 I forgot my password
- 494 The Websense Policy Database service fails to start
- 494 Policy Server stops unexpectedly
- 495 A Policy Broker replica cannot synchronize data
- 495 Delegated administration issues
- 495 Managed clients cannot be deleted from role
- 496 Logon error says someone else is logged on at my machine
- 496 Recategorized sites are filtered according to the wrong category
- 496 I cannot create a custom protocol
- 497 Log Server and Log Database issues
- 497 Log Server is not running
- 498 Log Server has not received log files from Filtering Service
- 500 Low disk space on the Log Server machine
- 501 No Log Server is installed for a Policy Server
- 502 More than one Log Server is installed for a Policy Server
- 503 Log Database was not created
- 503 Log Database is not available
- 504 Log Database size causes reporting delays
- 505 More than 100 files in the Log Server cache directory
- 506 Last successful ETL job ran more than 4 hours ago
- 507 Configure Log Server to use a database account
- 508 Log Server is not recording data in the Log Database
- 508 Updating the Log Server connection account or password
- 509 Configuring user permissions for Microsoft SQL Server
- 509 Log Server cannot connect to the directory service
- 510 Wrong reporting page displayed
- 510 Investigative report and presentation report issues
- 511 Presentation Reports Scheduler not connected to Log Database
- 511 Inadequate disk space to generate presentation reports
- 512 Scheduled jobs in presentation reports failed
- 512 Data on Internet browse time reports is skewed
- 512 Bandwidth is larger than expected
- 513 Trend data is missing from the Log Database
- 513 Trend reports are not displaying data
- 514 Some protocol requests are not being logged
- 514 All reports are empty
- 514 Database partitions
- 515 SQL Server Agent job
- 515 Log Server configuration
- 516 Microsoft Excel output is missing some report data
- 516 Saving presentation reports output to HTML
- 517 Error generating presentation report, or report does not display
- 517 Investigative reports search issues
- 518 General investigative reports issues
- 518 Other reporting issues
- 518 Low memory on the Real-Time Monitor machine
- 519 Real-Time Monitor is not running
- 519 Real-Time Monitor is not responding
- 520 Cannot access certain reporting features
- 520 No charts appear on the Status > Dashboard page
- 520 There is a forensics data configuration problem
- 521 The forensics repository location could not be reached
- 521 Forensics data will soon exceed a size or age limit
- 522 Websense Multiplexer is not running or not available
- 522 Interoperability issues
- 523 Content Gateway is not running
- 523 Content Gateway is not available
- 524 Content Gateway non-critical alerts
- 526 Administrator unable to access other TRITON modules
- 527 Sync Service is not available
- 528 Sync Service has been unable to download log files
- 528 Sync Service has been unable to send data to Log Server
- 528 Hybrid policy enforcement data does not appear in reports
- 529 Disk space is low on the Sync Service machine
- 529 The Sync Service configuration file
- 530 Directory Agent is not running
- 531 Directory Agent cannot connect to the domain controller
- 532 Directory Agent communication issues
- 533 Directory Agent does not support this directory service
- 533 The Directory Agent configuration file
- 535 Directory Agent command-line parameters
- 535 Alerts were received from the hybrid service
- 536 Unable to connect to the hybrid service
- 536 Hybrid service unable to authenticate connection
- 537 Missing key hybrid configuration information
- 538 Hybrid failover proxy removed from explicit proxies list
- 538 Troubleshooting tips and tools
- 538 Where is the Websense “bin” directory?
- 538 The Windows Services tool
- 539 The Windows Event Viewer
- 539 The Websense log file
- 541 Index