brianfrazer
Level 7

Websense, Smartfilter, or Something Like it

Greetings,

I have a remote location that is creating a VPN tunnel between their ASA5505 and my ASA5520.  On the old Webwasher (Secure Computing), I could send an http query to the Secure Computing Smartfilter thru the ASA5520.  If the response from the Smartfilter was an ok, then they were allowed access to the URL via a split tunnel (direct access) to the net instead of accessing the net thru their VPN tunnel.  This worked extremely well when Secure Computing owned Webwasher.   Under McAfee ownership, this option is no longer available from what I can see.  Additionally, it does not look like Websense is supported either. 

Can anyone tell me if either of these options or something similar are available in MWG 7.0.2 or will be on a newer release.  I really really do not want to flood my VPN tunnel with Internet traffic.

Thanks,

Brian

8 Replies
McAfee Employee

Re: Websense, Smartfilter, or Something Like it

Hi Brian,

What I imagine you are speaking of is called IFP. It is implemented in McAfee Web Gateway version 6.x, but not currently in 7.x.

If you open up a SR, we can add you on to the feature request for that for tracking purposes.

~Jon

brianfrazer
Level 7

Re: Websense, Smartfilter, or Something Like it

Hey Jon,

Thanks muchly for the response.  I am familiar with IFP, had just forgotten about it.  This was such a great feature to have that I can't believe they took it out.

Thanks again,

Brian

McAfee Employee

Re: Websense, Smartfilter, or Something Like it

Hello Brian,

Thanks for bringing this up. We are counting votes to bring this back to the product. Can you elaborate a little on your infrastructure, so we can maybe find a way for you to survive until we add it back?

thanks,

Michael

brianfrazer
Level 7

Re: Websense, Smartfilter, or Something Like it

I am in the Seattle area, I have an office in North Carolina.  My data center is on the West coast with me.  In my data center I have an ASA 5520 which handles my firewall and VPN.  In the data center is also my MWG 7.0.2 which is used strictly for handling our web access.  In my East coast office I have an ASA 5505 which creates an IPSEC VPN tunnel to my data center.  This is how they utilize network resources, email, accounting, etc. 

When Secure Computing owned Web Washer, there was a supported option in the ASA 5520 to use Secure Computing Smartfilter on port 4005.  My end user in NC would open their browser and request access to any given site.  That request would be sent from the EU PC to their ASA 5505, which in turn would send that request to my ASA 5520.  My ASA 5520 would send the request on port 4005 to the Web Washer.  If the Web Washer returned an allowed response, that response would be sent back to the remote 5505 in NC and the user would be allowed access to the site via a split tunnel (direct access).  On the surface, this looks slow, but it is not.  This process is very quick and very reliable and I would love to have this back.

As of now I have two options for this location.  First, full unfiltered, direct access to the net, which is not going to happen.  Second, set up my remote users as proxy clients (done), send all traffic to the data center and just deal with the speed issues.  The speed issues are significant in this setup as local sites to this location have now become a 12,000 mile round trip in their browser.

Anyway, I don't know if this answered your question or not.

Thanks,

Brian

clausonna
Level 9

Re: Websense, Smartfilter, or Something Like it

Sorry for posting to an old thread.  I have a similar issue and have discovered a free/open-source program that can act as either an n2h2 or websense IFP server.  In other words, I -think- you can run this program, which opens up a port on 4005 for IFP, and will then redirect incoming requests to ANY proxy server, and then reply back to the requesting system if it was kosher or not.

I am still testing it but will reply again to let everyone know how it goes.  I know this will not be an optimal solution for many companies, but at least (I think) it would allow you to use MWG 7.x as an IFP-like server.

Here's the URL to the program at SourceForge:

http://sourceforge.net/projects/openufp/

Here's the help file after you install it on a linux box:

Usage: openufp [OPTIONS] <-n|-w> <BACKEND>

Example: openufp -n -p '192.168.1.10:3128:Access Denied.'

Example: openufp -n -f blacklist -p '192.168.1.10:3128:Access Denied.'

Example: openufp -C http://www.test.com

OPTIONS:

   -l PORT   on which port openufp will listen for incoming requests

   -r URL    when url is denied the client will be redirected to this url; n2h2 only

   -c SECS   cache expire time in seconds; default 3600; 0 disables caching

   -C URL    remove specified URL from cache

   -d LEVEL  debug level 1-3

FRONTEND:

   -n        act as n2h2 server

   -w        act as websense server

BACKEND:

   -p IP:PORT:DENY_PATTERN   use the proxy backend

             IP is the ipnumber of the proxy server

             PORT is the portnumber where the proxy server is listening on

             DENY_PATTERN is a piece of text that should match the deny page

   -f FILE   use the blacklist file backend

             FILE is a file which contains blacklisted urls

   -g        use the squidGuard backend

NOTE:

   The default location of the cache db is /var/cache/openufp/cache.db.

   When squidguard backend is used be sure that this program has rw permissions

   to the squidguard db files.

Version: 1.06

Report bugs to: jeroen@nijhofnet.nl

eelsasser
Level 15

Re: Websense, Smartfilter, or Something Like it

Interesting project. I tried it out.

It does accept an IFP packet, create a proxy request, get a response, and send an IFP response back to the router.

There are some fundamental issues that will not make it a viable method for use with MWG7.

1) Authentication is one of them.

You won't be able to get any kind of username into the session in a manner that MWG will recognize.

IFP on MWG6 uses a redirect to a dynamic URL that did AuthServer authentication and used that for its tracking of users.

openufp does not return the redirection URL back to the client to facilitate that process.

2) You're making a proxy request to the MWG. MWG will actually get the page and process it and send the whole page back to openufp.

In essence here's what happens:

  • A client goes through a Cisco firewall/router using IFP.
  • A packet is sent to openufp.
  • openufp creates a GET request to MWG and sends it to the proxy port.
  • MWG actually gets the entire request from the site.
  • MWG sends the entire content back to openufp.
  • openufp looks for the first line of the response and throws the rest of the content away.
  • Tells the router/firewall it's ok to proceed.
  • The router/firewall allows the client to access the site and download all that content again from the web server.

So you are actually getting the page twice from the web server, and the MWG is sending the page back to openufp, which actually doubles the bandwidth usage since each request goes to the site twice.

A better method would be to send an ICAP request to MWG instead of a proxy request. I would even offer to help get that working with the openufp developer except that IFP is going to be in MWG7 eventually and I don't know that I have the time to do it.

Nice try, though.

brianfrazer
Level 7

Re: Websense, Smartfilter, or Something Like it

Greetings All

WOW, I can't believe there are new posts to this very old post of mine.  Anyway, I did finally settle on using the proxy setting and sending all web traffic down the VPN tunnel.  After some research and "playing" around, this turned out to be a very effective and efficient way of handling my users.

What I ended up doing (simplified explanation):

Under Settings

     Authentication

          Method NTLM

          AD Server

          AD Groups

Under Lists

     String

          Create AD User Groups-Add your AD Groups

          Allowed User Groups-Add your AD User Groups

I have a number of users that are allowed very limited internet access to a specified list of sites.

Under Wildcard Expression

     Renamed Global Whitelist with -OLD.  Wanted to preserve the original

     Created a new Global Whitelist-Contains list of sites for restricted users

Under Rule Sets

     Create the restrictive user rule


Name:
Restricted Web Access

Comment:

Rule Criteria:
Authentication.UserGroups contains "Restricted AD Group Name" AND
URL does not match Global Whitelist

Action:
Block

Remaining Users for standard filtering

     Create standard content filtering rule

Name:
Company Allowed Categories

Comment:

Rule Criteria:
Authentication.UserGroups contains "AD Group Name" AND
URL.Categories<Default> at least one in list Company Category AllowedList

Action:
Stop Rule Set

Events:

The standard filtering rule does not always stop access to unwanted categories.  I think I need to add a block to the rule above.

When I first posted my question, I was not as familiar with the changes on the MWG as I would normally be.  I have become very pleased with this box.  I am able to get very granular in how I deal with caching, allowed content, blocked content, users and groups, etc.

If anyone has a suggestion in streamlining what I am doing......please send.  Otherwise, I am quite happy with this solution and am moving on.

Thanks to everyone for your replies,

Brian
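The rule set above can be modelled as a short first-match evaluation, which makes the gap the post mentions visible: a "Stop Rule Set" rule only allows what it matches, so a standard-group user requesting an uncategorised or non-allowed site falls off the end of the rule set and is never blocked until a fallback Block rule is appended. This is an added illustration, not MWG's own engine; the group names, whitelist patterns and URL category table are constructed sample data.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, Set

# Constructed stand-ins for the lists and the URL.Categories<Default> lookup.
GLOBAL_WHITELIST = ["*.example-payroll.test/*", "intranet.example.test/*"]
COMPANY_ALLOWED_CATEGORIES = {"Business", "Technical Information", "Finance"}
URL_CATEGORIES = {
    "intranet.example.test/home": {"Business"},
    "news.example.test/": {"General News"},
    "games.example.test/": {"Games"},
    "unknown.example.test/": set(),          # uncategorised site
}

@dataclass
class Request:
    user_groups: Set[str]   # Authentication.UserGroups
    url: str

@dataclass
class Rule:
    name: str
    criteria: Callable[[Request], bool]
    action: str             # "Block" or "Stop Rule Set"

def url_in_list(url: str, patterns) -> bool:
    """Wildcard-expression list match, as the Global Whitelist is used in the post."""
    return any(fnmatch(url, p) for p in patterns)

def restricted_rule(req: Request) -> bool:
    # Authentication.UserGroups contains "Restricted" AND URL does not match Global Whitelist
    return "Restricted" in req.user_groups and not url_in_list(req.url, GLOBAL_WHITELIST)

def standard_rule(req: Request) -> bool:
    # Authentication.UserGroups contains "Staff" AND URL.Categories at least one in allowed list
    cats = URL_CATEGORIES.get(req.url, set())
    return "Staff" in req.user_groups and bool(cats & COMPANY_ALLOWED_CATEGORIES)

RULES_AS_POSTED = [
    Rule("Restricted Web Access", restricted_rule, "Block"),
    Rule("Company Allowed Categories", standard_rule, "Stop Rule Set"),
]
# The fix the post hints at: an unconditional Block after the allow rule.
RULES_WITH_FALLBACK = RULES_AS_POSTED + [Rule("Block everything else", lambda r: True, "Block")]

def evaluate(rules, req: Request) -> str:
    """First matching rule decides; falling off the end is modelled as Allow."""
    for rule in rules:
        if rule.criteria(req):
            return "Block" if rule.action == "Block" else "Allow"
    return "Allow"
```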

genemoore
Level 9

Re: Websense, Smartfilter, or Something Like it

IFP has been added back into MWG version 7.3, just in case anyone comes across this old thread again.
