Multiple Websense Servers

robert.dobson
Level 1

I am upgrading from Websense 4.X to Websense 5.5.

I am also converting branch offices from Novell to Microsoft AD 2003.

The old Websense server is configured to integrate with the Novell sites to filter web traffic, and I want to set the new Websense server to filter the new AD sites, which are also being re-subnetted to a 10.0.0.0 network from the 172.16.0.0 network, which is our Novell sites. Once the migration from Novell is done, I would like to sunset the old Websense server.

Can the PIX be configured with some policy so that HTTP traffic from the 172.16.0.0 network uses the URL-SERVER for my old Websense server and the traffic from the 10.0.0.0 network uses the URL-SERVER of my new Websense server?

I know the PIX supports multiple URL-SERVER commands, but it does not seem to be able to choose which URL server to forward requests to based on source network.

Thanks for any help and feedback.

- Rob

4 Replies

nkhawaja
Cisco Employee

I don't think it is possible. The only option you have is defining exceptions in your filter commands, but still the request will go to one server first or the other.

Thanks for the response.

That actually surprises me, in that I have for the most part found Cisco equipment to be so modular and configurable that almost anything is possible in the manipulation of IP packets.

I have spoken with Websense, and they suggested I use their network agent in non-integrated mode to monitor my new subnets, and use the old 4.4 Websense server to monitor my old subnets.

- Rob

cscott
Level 1

Are these remote sites?

Just thinking out of the box here....

If they are remote sites, couldn't you just write an ACL to deny one network access to the Websense server you don't want it to hit, and just set your Websense timeouts real low in the PIX?

Example:

172.16.1.254=Old Websense Server

10.1.1.254=New Websense Server

Remote PIX:

access-list inside deny ip 10.1.10.0 255.255.255.0 host 172.16.1.254
access-list inside deny ip 172.16.10.0 255.255.255.0 host 10.1.1.254
access-list inside permit ip any any
url-server websense 10.1.1.254 timeout 5....
url-server websense 172.16.1.254 timeout 5....

Like I said, just thinking out of the box. I have no idea if that would work, or what your topology is. But I figured I'd throw that out there.

Thanks for the response. Yes, that sounds like a really good idea.

I wish I had heard it last week, as I have already set up my new Websense server standalone and have implemented it.

It seems to work. I think after my original Websense server is sunsetted, I will rebuild it to 5.5 and use it as the HTTP filter server, and use my new Websense 5.5 server as a Real Time Analyzer / other protocols filter server.