Recently, I was tasked with implementing Websense to help monitor the activities of our user base in LA and NY.  After a few discussions with the Websense sales engineers, I came up with a design to utilize the ASA firewalls in both my locations.

The Websense components were installed as follows:

For the filters:

User Service - This service identifies the users, groups, and domains within Windows Active Directory.

Filtering Service - This is the service that will monitor or block content.

Network Agent - This component is how the server will communicate with the Policy Server.

DC Agent - This service integrates AD authentication for end users who don’t want to be filtered.

Usage Monitor - This service collects usage information based on categories, protocols, etc.

For the manager:

Policy Database - Microsoft SQL is required to store your database.

Policy Broker - This service updates the filter servers whenever a change is made to the policy.

Policy Server - This service provides policy management.

Websense Manager - This service allows you to manage your filters.

Log Server - This service collects the logs off the filters for reporting.

The Websense engineers recommended that I install the Policy Broker, Server, and Database on one of the filter server.  I felt it didn’t make sense to add the bulk of the processing power to a dedicated filter box.  Plus, I’d rather have all the management components reside on a central server.

During my initial install of each of the filters, I only had one network card enabled.  Also, for some odd reason I was unable to set up ‘integrated’ mode and was forced to install each filter as ’stand-alone’ devices.  Integrated mode allows you tie in with your ASA firewall, but can only filter http, https, or ftp.  Here are the commands I used:

url-server (inside) vendor websense host 11.27.194.44 timeout 30 protocol TCP version 4 connections 5
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
url-block url-mempool 1500 –> Recommended configuration from Websense.
url-block url-size 4 –> Recommended configuration from Websense.

Even though I was running in stand-alone mode, I was still able to run the ASA firewall commands and the filter started working.  This particular setup ran for about a week until we had to move a new group who seem to have had stringent requirements for their web surfing activities.  What it boiled down to was they weren’t very pleased with the fact that our Internet connection was monitored and filtered.

Our LA filter was performing just fine, but our NY filter where the new group resided was extremely slow.  There were complaints that simple websites would take anywhere between 10-60+ seconds to load.  To troubleshoot the performance problem, I verified performance to/from the intermediate switches, core routers, and firewalls which all checked out fine.  The design I had built took into account that there were 150 end-users combined from both locations and the Websense engineers validated that the integration with our firewalls was sufficient.  After verifying the network, I had contacted the sales engineer to engage their support.

Websense support noticed I wasn’t running integrated mode properly and walked me through updating each filter.  Once we were fully integrated, the performance for NY suffered even more to the point that web pages were taking minutes to load.  So now I started questioning whether or not the integrated mode could support a handful of users.  Websense’s documentation clearly states that the integrated mode with an ASA firewall can easily support up 250+ users which was obviously not the case.

I had to engage support yet again and was told to run each filter in stand-alone mode, activate the second network card on the filters, and SPAN the data to the second NIC.  Websense support clearly stated that RSPAN doesn’t work with their product and that it was unsupported.  To the set the record straight, RSPAN does work with Websense.  You just have to figure out the IOS configuration because most of Cisco’s documentation still refers to the ‘reflector-port’ option which doesn’t run on 3560s or 3750s.

My ASA inside interface in LA was configured as a trunk on port Gi1/0/3 on SW11; nothing special needed to be configured on the trunk port where the firewall was connected.  Here’s my configuration on SW11:

vlan 888 –> This vlan number should be lower than 1000.  I tried 1888, but that didn’t seem to work.
name RSPAN-ASA-INSIDE
remote-span

interface vlan 888 –> A ’show interface’ will reveal that the line protocol is down, which is fine.
no shutdown

monitor session 1 source vlan 8 –> Using ’source interface gi 1/0/3′ didn’t work for me.
monitor session 1 destination remote vlan 888

interface GigabitEthernet1/0/25
description CONNECTED-TO-SW13-G0/24
switchport trunk allowed vlan add 888 –> I do this because I specifically allow certain VLANs across the trunk.

Here’s my configuration on SW13:

vlan 888
name RSPAN-ASA-INSIDE
remote-span

interface vlan 888
no shutdown

interface GigabitEthernet0/24
description CONNECTED-TO-SW11-G1/0/25
switchport trunk allowed vlan add 888

monitor session 1 source remote vlan 888
monitor session 1 destination interface Gi0/22 encapsulation dot1q ingress untagged vlan 8

Once I entered the destination interface, my stand-alone LA filter started seeing all the protocols.  The performance appeared to be much better and can supposedly handle up to 1200+ users.  I’ve excluded the new groups from being filtered for the time being and have activated it for the rest of my group to validate the performance.  I’ll probably monitor the behavior over the long weekend before implementing entirely, but hopefully my performance problems are now behind me.

I wonder if it would’ve been easier to implement Cisco’s Ironport web filter??

Since my last posting I’ve been quite busy with various projects at work and took on a few weekend contracts to familiarize myself with some of the SP technologies.  My time for studying was split between working and enjoying whatever free time I had to spare.  Aside from keeping up with all my TV shows (i.e Stargate Universe, Sanctuary, V, Dexter, Californication, Heroes, Trauma, Vampire Diaries, How I Met Your Mother, The Big Bang Theory, Fringe, Cake Boss, Crash, etc.), I did manage to squeeze in some reading of a few technologies (i.e. MPLS, QoS, and IS-IS).  I know what you are thinking, does he really watch all those shows?  The answer is ‘yes’ and then some.  Aside from playing basketball once a week and going to the gym 3-4 times a week, it was the only way of keeping my brain from melting with a 7-day work schedule.

Another outlet for me has been Twitter; I don’t really tweet as much and mainly use it as a means of aggregating information on potential IE candidates, IEs, and sports.  Most of the bloggers who were diligently updating their sites before have now turned to tweeting.  In fact, many of their sites have gone unattended, so I finally decided to clean up my blogroll.  Can’t you tell the list is shorter? 

My game plan from this point forward is to finish off my projects and contracts before the Christmas holidays.  I’ve already reserved some ‘me’ time with the family, so they know I’ll be concentrating on studying the last week of the year.  I have a little over 100 days from now until my scheduled lab, 03/04/2010, so hopefully the exam doesn’t change by then.

Ahmed passed his R&S lab last week.  My apologies for announcing this so late, but I’ve been preoccupied with my own studies.  He only passed his written in April and manage to stick to his studies to pass the lab in 6 months.  Send him your congrats.

Chris aka ipv6freely on twitter passed his R&S lab yesterday.  He used INE’s material and rated his version of the lab a 4 regardless of the new OEQs.  Send him your congrats.