12-29-2004 02:00 PM - edited 03-09-2019 09:52 AM
I am upgrading from Websense 4.X to Websense 5.5.
I am also converting branch offices from Novell to Microsoft AD 2003.
The old Websense server is configured to integrate with the Novell sites to filter web traffic and I want to set the new Websense server to filter the new AD sites, which are also being re-subnetted to a 10.0.0.0 network from the 172.16.0.0 network which is our Novell sites. Once the migration from Novell is done, I would like to sunset the old Websense server.
Can the PIX be configured with some policy so that HTTP traffic from the 172.16.0.0 network uses the URL-SERVER for my old Websense and the traffic from the 10.0.0.0 network uses the URL-SERVER of my new Websense server?
I know the PIX supports multiple URL-SERVER commands but it does not seem to be able to choose which URL server to forward requests to based on source network.
Thanks for any help and feedback.
- Rob
12-29-2004 04:42 PM
I don't think it is possible. The only option you have is defining exceptions in your filter commands, but still the request will go to one server first or the other.
12-30-2004 08:05 AM
Thanks for the response.
That actually surprises me, in that I have for the most part found Cisco equipment to be so modular and configurable that almost anything is possible in the manipulation of IP packets.
I have spoken with Websense, and they suggested I use their network agent in non-integrated mode to monitor my new subnets, and use the old 4.4 Websense server to monitor my old subnets.
- Rob
01-03-2005 12:07 PM
Are these remote sites?
Just thinking out of the box here....
If they are remote sites, couldn't you just write an ACL to deny one network access to the Websense server you don't want it to hit, and just set your Websense timeouts real low in the PIX?
Example:
172.16.1.254=Old Websense Server
10.1.1.254=New Websense Server
Remote PIX:
access-list inside deny
access-list inside deny
access-list inside permit ip any any
url-server websense 10.1.1.254 timeout 5....
url-server websense 172.16.1.254 timeout 5....
Like I said, just thinking out of the box. I have no idea if that would work, or what your topology is. But I figured I'd throw that out there.
01-03-2005 12:20 PM
Thanks for the response, yes that sounds like a really good idea.
I wish I would have heard it last week, as I have already set up my new Websense server stand-alone and have implemented it.
It seems to work. I think after my original Websense server is sunsetted I will rebuild it to 5.5 and use it as the HTTP filter server, and use my new Websense 5.5 server as a Real Time Analyzer \ other protocols filter server.