Websense

Websense Cloud Security – Users stopped appearing in reports

Posted by on 24 Feb, 2015 in Security, Websense | 1 comment

Setup:

  • Websense Cloud Security Installed and Configured
  • Websense endpoint installed on users' machines.
  • Users and groups synced up from Active Directory using DirSyncClient (DSC)

 

Problem:

Users stopped appearing in the Websense reports catalogue, and if you run any reports from the reports builder they do not appear in the results.

 

Solution:

Log into the Triton portal. Select Account > End Users and search for all users ending with nosuchdomain.autoregistration.proxy. Delete all users ending with nosuchdomain and run another DSC sync to make sure no more nosuchdomain users appear. Wait about 10-15 minutes and the users should start appearing in the reports.


Websense – Cloud Security Configuration and Deployment

Posted by on 14 Jan, 2015 in Security, Websense | 0 comments

Websense Cloud Security is a cloud-based proxy server which filters HTTP/HTTPS traffic and protects networks against malware, inappropriate content, torrenting, etc. It also allows you to set up quotas for browsing sites such as Facebook/YouTube and has a reporting feature to see who is looking at what. With the endpoint installed I have found that you can have more accurate reporting than the on-premise server.

I will go through how I set up the Triton cloud portal and deployed the endpoint.

 

Step 1 – Rollout the Websense Root certificate

The root certificate is required to decrypt HTTPS traffic. The certificate can be found when you log into the portal then select:

Web > Policies > (Select a policy) > SSL Decryption Tab > Select Websense root certificate

Once the certificate (.crt file) is downloaded, copy it to a domain controller and open up group policy manager.

I rolled this out using group policy. I won’t be going through the group policy itself as there is a lot of information on the internet for deploying certificates such as:

 

http://technet.microsoft.com/en-us/library/cc772491.aspx
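
A check worth running around this step, given as an added example (not part of the original post): inspect the downloaded .crt before publishing it through Group Policy, then confirm on a client that the same certificate landed in the machine's Trusted Root store. The file path is a placeholder assumption.

```powershell
# Added example. ASSUMPTION: placeholder path to the .crt downloaded from the portal.
$CrtPath = 'C:\Temp\websense-root.crt'

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CrtPath)

# SHA-256 fingerprint over the DER encoding, so the file deployed by Group
# Policy can be matched against the one downloaded from the portal.
$sha = [System.Security.Cryptography.SHA256]::Create()
try {
    $sha256 = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
} finally {
    $sha.Dispose()
}

# A root used for HTTPS decryption should be a CA certificate.
$basic = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
$now = Get-Date

[pscustomobject]@{
    Subject        = $cert.Subject
    Issuer         = $cert.Issuer
    SelfSigned     = ($cert.Subject -eq $cert.Issuer)
    IsCA           = [bool]($basic -and $basic.CertificateAuthority)
    NotBefore      = $cert.NotBefore
    NotAfter       = $cert.NotAfter
    CurrentlyValid = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    SHA1Thumbprint = $cert.Thumbprint
    SHA256         = $sha256
} | Format-List

# On a client, after Group Policy has refreshed: is this exact certificate
# present in the machine's Trusted Root store?
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($installed) {
    Write-Output "Root certificate is trusted on $env:COMPUTERNAME"
} else {
    Write-Warning "Root certificate NOT found in LocalMachine\Root on $env:COMPUTERNAME"
}
```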

 

Step 2 – Directory Synchronisation

 

The directory synchronisation tool allows you to sync the on-premise Active Directory users and groups.

Download and install the relevant sync client for your operating system from account > directory synchronisation > download directory synchronisation client.

You need to create a contact that has access to the Websense directory for the synchronisation. I recommend you create a new account that only has access to the directory and is not a Websense admin. To create a contact select Account > Contacts > Add. Enter the relevant information about the contact account (the username should be an email address).

Once the account has been created select the username to assign permissions. Enter a password for the account and select directory synchronisation.

 

 

websense1

 

Next create the required Active Directory groups for each office/department and assign the relevant users to each group. You will be able to assign different Websense filtering options for each group you create.

Once the group has been created you will need to use the directory sync client (DSC) to sync the users and groups up to Websense.

Run the directory sync client and select File > New. Assign a name and select group for the configuration.

 

websense2

 

Select Next > Microsoft Active directory > Next

Enter the host name for your domain, the LDAP port number and a user that has access to read the local AD.

 

websense3

 

Select Next. In the drop-down box drill down to the OU that holds the Websense groups and click Next.

 

websense4

 

Select Next. This will bring up all the groups in the OU selected on the previous screen. Select Next. If you did not put the Websense groups in a separate OU you can use the group select to select just the groups you want to sync up.

Select the repository type as portal. Click Next. Enter the details of the contact you created in Websense.

 

websense5

 

Click Next. If you want to add any AD filters you can add them here. I just clicked Next. For the threshold limits I left them all un-ticked and clicked Next. Enter your SMTP details. You can select the email notifications you want to receive. I selected summary and log (info). This will send you an email every time the sync completes.

Click Next and select Save. Once saved you need to modify the settings and select the configuration type as users and run through the wizard again entering the same details as before but selecting the users OU in AD. Once complete you select verify to make sure it works. You can also schedule the sync to run automatically.
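
To review what the chosen OU would expose before the first sync, the following added example (not from the original post) lists the groups in that OU and the users they reach, then flags users who sit in more than one group and disabled accounts that are still members. It only reads from AD; the OU distinguished name is a placeholder assumption.

```powershell
# Added example; read-only. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# ASSUMPTION: placeholder DN of the OU that holds the Websense groups.
$GroupOu = 'OU=Websense Groups,DC=example,DC=local'

$rows = foreach ($group in Get-ADGroup -SearchBase $GroupOu -Filter *) {
    # Include nested members so the review shows everyone the group reaches.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties mail |
        ForEach-Object {
            [pscustomobject]@{
                GroupName = $group.Name
                User      = $_.SamAccountName
                Mail      = $_.mail
                Enabled   = $_.Enabled
            }
        }
}

# Full scope: one row per group membership.
$rows | Sort-Object GroupName, User | Format-Table -AutoSize

# Users in more than one group: decide which group's filtering options should apply.
$rows | Group-Object User | Where-Object { $_.Count -gt 1 } |
    Select-Object Name, @{ n = 'Groups'; e = { ($_.Group.GroupName | Sort-Object -Unique) -join ', ' } }

# Disabled accounts that are still group members.
$rows | Where-Object { -not $_.Enabled } | Select-Object -Property User, GroupName -Unique
```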

 

Step 3 – Create a policy

 

Log into the Triton web portal and select Web > Policies > Add. Give the policy a name and provide an email address for the policy.

 

websense6

If you have offices across time zones then you can leave the setting as the default which is to use the connection time zone. If you want to block explicit thumbnails and images in the search results for search engines (recommended) then you need to enable the setting enable search filtering at the bottom of the page.

You can also set the quota limits here. By default it is set to an hour so if you want to create a policy for staff to be able to access certain sites such as Facebook only during the lunch hour then you can leave the default of 60 minutes or change to your preference.

 

Step 4 – Configure Policy

 

Once the policy is created you need to configure the policy to meet your needs. If you have multiple sites then you need to decide whether you want a different policy per site. I don’t recommend this, as maintaining multiple policies will become a pain: if you have to make a change, you have to duplicate the change for each policy. Instead the best practice is to create a standard policy for everyone, then create exceptions for the different sites using Active Directory groups. That way if you have to make changes to exceptions (non-proxied locations) you just need to make the change once.

 

Step 4.1 – Connections Tab

 

Under Proxied locations add the IP addresses or address ranges for all the offices that will be filtered. You can also set the time zones if the offices are in various locations. By adding the IPs here you can set different policies for when users are in the office and out of the corporate network (i.e. laptop users).

The next section under the Connections tab is non-proxied locations. This is for domains/IPs that will not be filtered. I recommend adding the following domains to the non-proxied locations as I have found issues when using applications such as Office 365, WebEx, GoToMeeting etc. through Websense.

 

Office 365:

  • com
  • com
  • net
  • com
  • com

Remote Access/Meeting:

  • com
  • com
  • com
  • com
  • com
  • com

Adobe Creative cloud suite (required to login and download creative cloud applications)

  • com
  • com

Mimecast (required to get the MSO working in outlook)

  • com
  • co.uk

Microsoft (required to make purchases from Windows 8 app store)

  • com

Company Domain

  • co.uk

 

Step 4.2 – Access Control Tab

I strongly recommend rolling out the endpoint (discussed later on) to all machines that will be filtered, as it allows more accurate reporting, and even if users have local admin rights they can’t uninstall the endpoint without the password you set in the portal. If you are using the endpoint I recommend the settings below, as they won’t require users to enter their credentials to connect to the proxy server. Instead it will use their Windows credentials.

 

websense7

Step 4.3 – End Users Tab

 

Under the directory synchronisation you need to assign the groups that will be assigned to this default policy. I assigned all the groups that were synched up to Websense and then you can customise each AD group on the next tab.

 

Step 4.4 – Web Categories Tab

 

Create a standard set of rules that will apply to everyone then create exceptions for any AD group that is different from the standard set of rules. This will vary greatly from company to company so I won’t go into much detail here but will look at creating a separate blog for the web categories tab.

 

Step 4.5 – SSL Decryption Tab

 

If you want to decrypt SSL traffic and you have rolled out the root certificate then you can select which categories to decrypt here.

 

Step 5 – Bypass Settings

 

Under Account > Bypass settings you can enter domains/URLs to bypass authentication settings. I recommend the following if you use these applications.

 

websense8

Step 6 – Endpoint rollout

 

Once everything is set up you can deploy the endpoint. You can deploy manually, with Group Policy or with SCCM. I will show you the manual deployment and SCCM 2012 as that is what I used.

In the portal go to Web > Endpoint. Here you can select the default policy the endpoint uses, the password to uninstall the endpoint and the download of the 32/64bit endpoint client. There is also the GPO code. Make a note of this as you need this to install the endpoint and register it to your Websense account. It will be in the format of:

WSCONTEXT=a67df7abc9ed6gf7abc6ed6gdf7abc9-0

 

Step 6.1 – Endpoint rollout – Manual

 

Once the endpoint has been downloaded extract the contents of the Zip into a folder on the machine.

Open up command prompt as administrator and enter the following command:

D:\websense\setup.exe /v" /quiet /norestart WSCONTEXT=a67df7abc9ed6gf7abc6ed6gdf7abc9-0"

 

D:\websense\setup.exe = Location of the endpoint setup.exe

/v /quiet /norestart = Switches to install in the background and without restarting

WSCONTEXT=a67df7abc9ed6gf7abc6ed6gdf7abc9-0 = GPO code taken from your Websense account above.

 

Once installed you will see the Websense icon in the system tray and you can test your policy.

 

Step 6.2 – Endpoint rollout – SCCM 2012

 

Once you have tested the manual deployment and it works as you expected you can deploy to the company. You can use System Center Configuration Manager 2012 to deploy the endpoint to the relevant machines.

Create a share on the SCCM server and place the extracted files for the endpoint in the shared location.

In SCCM select Software Library > right click packages > Create Package > enter the endpoint details and browse to the shared location where the setup.exe is located.

 

websense9

 

Click Next > select Standard program > Next > Select the options below and place your GPO code in the command window.

 

websense10

 

Click Next and select the operating systems you want to deploy to. Then select Next > Next > Close.

Wait for the package to be distributed to the distribution points, then right click the created package.

Select Deploy > select the collection you wish to deploy to > click Next > set the purpose as required > Select the settings below to deploy Websense straight away or select the options you require.

 

websense11

 

Click Next > select the options below

 

websense12

 

Click Next

 

websense13

 

Click Next > Next > Next > Close

 

Websense will now be installed for the relevant collection and will install automatically during the next sync of the SCCM client with the server or when new devices are added to the collection.
