8 Replies Latest reply on Nov 7, 2012 2:36 PM by genemoore

    Websense, Smartfilter, or Something Like it

      Greetings,

      I have a remote location that is creating a VPN tunnel between their ASA5505 and my ASA5520.  On the old Webwasher (Secure Computing), I could send an HTTP query to the Secure Computing Smartfilter through the ASA5520.  If the response from the Smartfilter was an OK, then they were allowed access to the URL via a split tunnel (direct access) to the net instead of accessing the net through their VPN tunnel.  This worked extremely well when Secure Computing owned Webwasher.  Under McAfee ownership, this option is no longer available from what I can see.  Additionally, it does not look like Websense is supported either.

      Can anyone tell me if either of these options or something similar is available in MWG 7.0.2 or will be in a newer release.  I really really do not want to flood my VPN tunnel with Internet traffic.

      Thanks,

      Brian

        • 1. Re: Websense, Smartfilter, or Something Like it
          Jon Scholten

          Hi Brian,

          What I imagine you are speaking of is called IFP; it is implemented in McAfee Web Gateway version 6.x, but not currently in 7.x.

          If you open up an SR, we can add you on to that feature request for tracking purposes.

          ~Jon
          • 2. Re: Websense, Smartfilter, or Something Like it

            Hey Jon,

            Thanks muchly for the response.  I am familiar with IFP, had just forgotten about it.  This was such a great feature to have that I can't believe they took it out.

            Thanks again,

            Brian

            • 3. Re: Websense, Smartfilter, or Something Like it
              michael_schneider

              Hello Brian,

              Thanks for bringing this up. We are counting votes to bring this back to the product. Can you elaborate a little on your infrastructure, so we can maybe find a way for you to survive until we add it back?

              Thanks,

              Michael

              • 4. Re: Websense, Smartfilter, or Something Like it

                I am in the Seattle area; I have an office in North Carolina.  My data center is on the West coast with me.  In my data center I have an ASA 5520 which handles my firewall and VPN.  In the data center is also my MWG 7.0.2 which is used strictly for handling our web access.  In my East coast office I have an ASA 5505 which creates an IPSEC VPN tunnel to my data center.  This is how they utilize network resources, email, accounting, etc.

                When Secure Computing owned Web Washer, there was a supported option in the ASA 5520 to use Secure Computing Smartfilter on port 4005.  My end user in NC would open their browser and request access to any given site.  That request would be sent from the EU PC to their ASA 5505, which in turn would send that request to my ASA 5520.  My ASA 5520 would send the request on port 4005 to the Web Washer.  If the Web Washer returned an allowed response, that response would be sent back to the remote 5505 in NC and the user would be allowed access to the site via a split tunnel (direct access).  On the surface, this looks slow, but it is not.  This process is very quick and very reliable and I would love to have this back.

                As of now I have two options for this location.  First, full unfiltered, direct access to the net, which is not going to happen.  Second, set up my remote users as proxy clients (done), send all traffic to the data center and just deal with the speed issues.  The speed issues are significant in this setup as local sites to this location have now become a 12,000 mile round trip in their browser.

                Anyway, I don't know if this answered your question or not.

                Thanks,

                Brian

                • 5. Re: Websense, Smartfilter, or Something Like it
                  clausonna

                  Sorry for posting to an old thread.  I have a similar issue and have discovered a free/open-source program that can act as either an n2h2 or Websense IFP server.  In other words, I -think- you can run this program, which opens up a port on 4005 for IFP, and will then redirect incoming requests to ANY proxy server, and then reply back to the requesting system if it was kosher or not.

                  I am still testing it but will reply again to let everyone know how it goes.  I know this will not be an optimal solution for many companies, but at least (I think) it would allow you to use MWG 7.x as an IFP-like server.

                  Here's the URL to the program at SourceForge:
                  http://sourceforge.net/projects/openufp/

                  Here's the help file after you install it on a Linux box:

                  Usage: openufp [OPTIONS] <-n|-w> <BACKEND>
                  Example: openufp -n -p '192.168.1.10:3128:Access Denied.'
                  Example: openufp -n -f blacklist -p '192.168.1.10:3128:Access Denied.'
                  Example: openufp -C http://www.test.com

                  OPTIONS:
                     -l PORT   on which port openufp will listen for incoming requests
                     -r URL    when url is denied the client will be redirected to this url; n2h2 only
                     -c SECS   cache expire time in seconds; default 3600; 0 disables caching
                     -C URL    remove specified URL from cache
                     -d LEVEL  debug level 1-3

                  FRONTEND:
                     -n        act as n2h2 server
                     -w        act as websense server
                  BACKEND:
                     -p IP:PORT:DENY_PATTERN   use the proxy backend
                               IP is the ipnumber of the proxy server
                               PORT is the portnumber where the proxy server is listening on
                               DENY_PATTERN is a piece of text that should match the deny page
                     -f FILE   use the blacklist file backend
                               FILE is a file which contains blacklisted urls
                     -g        use the squidGuard backend

                  NOTE:
                     The default location of the cache db is /var/cache/openufp/cache.db.
                     When squidguard backend is used be sure that this program has rw permissions
                     to the squidguard db files.

                  Version: 1.06
                  Report bugs to: jeroen@nijhofnet.nl

                  • 6. Re: Websense, Smartfilter, or Something Like it

                    Interesting project. I tried it out.

                    It does accept an IFP packet, create a proxy request, get a response, and send an IFP response back to the router.

                    There are some fundamental issues that will not make it a viable method for use with MWG7.

                    1) Authentication is one of them.
                    You won't be able to get any kind of username into the session in a manner that MWG will recognize.
                    IFP on MWG6 uses a redirect to a dynamic URL that did AuthServer authentication and used that for its tracking of users.
                    openufp does not return the redirection URL back to the client to facilitate that process.

                    2) You're making a proxy request to the MWG. MWG will actually get the page and process it and send the whole page back to openufp.

                    In essence here's what happens:

                    • A client goes through a Cisco firewall/router using IFP.
                    • A packet is sent to openufp.
                    • openufp creates a GET request to MWG and sends it to the proxy port.
                    • MWG actually gets the entire request from the site.
                    • MWG sends the entire content back to openufp.
                    • openufp looks for the first line of the response and throws the rest of the content away.
                    • Tells the router/firewall it's ok to proceed.
                    • The router/firewall allows the client to access the site and download all that content again from the web server.

                    So you are actually getting the page twice from the web server, and the MWG is sending the page back to openufp, which actually doubles the bandwidth usage since each request goes to the site twice.

                    A better method would be to send an ICAP request to MWG instead of a proxy request. I would even offer to help get that working with the openufp developer except that IFP is going to be in MWG7 eventually and I don't know that I have the time to do it.

                    Nice try, though.
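The double-fetch flow described in the reply above, as an added example that is not openufp's or McAfee's code: a small filter-side check that asks a proxy for the URL and decides from the proxy's answer, run against a constructed stand-in proxy on loopback. `check_url` with `max_read=None` drains the whole reply, which is what the reply says openufp does; with a small `max_read` it stops after the status line and the first window of the body, so the checker no longer pulls the whole page across the proxy-to-checker link (the proxy still fetches the page from the origin either way, which is why the reply points at ICAP instead). The deny pattern, hostnames and page size are constructed for the example.

```python
"""Simplified model of an IFP-style "is this URL allowed?" check made via a proxy
request (added example; not openufp's or McAfee's code).  The proxy below is a
constructed stand-in for the gateway's proxy port."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

DENY_PATTERN = b"Access Denied."               # text expected on the proxy's block page
BLOCKED_HOSTS = {"blocked.example"}            # constructed: hosts the fake proxy denies
PAGE = b"<html>" + b"A" * 60_000 + b"</html>"  # constructed 60 KB "page" for allowed hosts


class FakeProxy(BaseHTTPRequestHandler):
    """Stand-in for the gateway: block page for denied hosts, otherwise the full page."""
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        if urlsplit(self.path).hostname in BLOCKED_HOSTS:
            status, body = 403, b"<html><body>Access Denied.</body></html>"
        else:
            status, body = 200, PAGE
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        try:
            self.wfile.write(body)
        except OSError:
            pass  # the checker may hang up early; the proxy must tolerate that

    def log_message(self, *args):
        pass  # keep the example quiet


def start_fake_proxy():
    """Run the fake proxy on a random loopback port and return the server object."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_url(url, proxy_addr, max_read=None):
    """Fetch URL through the proxy and decide.  Returns (decision, bytes_received).

    max_read=None drains the whole reply (the behaviour the reply above describes);
    a small max_read stops once the status line and a first body window, enough to
    spot DENY_PATTERN, have arrived.
    """
    host = urlsplit(url).hostname
    request = (b"GET " + url.encode() + b" HTTP/1.0\r\n"
               b"Host: " + host.encode() + b"\r\nConnection: close\r\n\r\n")
    buf = b""
    with socket.create_connection(proxy_addr, timeout=5) as sock:
        sock.sendall(request)
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            if max_read is not None and len(buf) >= max_read:
                break
    if b"\r\n" not in buf:
        return ("deny", len(buf))  # no status line at all: fail closed, not open
    status_code = int(buf.split(b"\r\n", 1)[0].split()[1])
    denied = status_code >= 400 or DENY_PATTERN in buf
    return ("deny" if denied else "allow", len(buf))


def demo():
    """Compare a full drain with a bounded read against the fake proxy."""
    server = start_fake_proxy()
    addr = server.server_address
    try:
        return {
            "allowed_full": check_url("http://allowed.example/", addr),
            "allowed_bounded": check_url("http://allowed.example/", addr, max_read=2048),
            "blocked": check_url("http://blocked.example/", addr, max_read=2048),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (decision, nbytes) in demo().items():
        print(f"{name}: {decision} after reading {nbytes} bytes")
```

The bounded read is the checker-side mitigation a practitioner can apply today; the fail-closed branch matters because a checker that treats an empty or truncated proxy reply as "allow" turns any proxy outage into an open split tunnel.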

                    • 7. Re: Websense, Smartfilter, or Something Like it

                      Greetings All

                      WOW, I can't believe there are new posts to this very old post of mine.  Anyway, I did finally settle on using the proxy setting and sending all web traffic down the VPN tunnel.  After some research and "playing" around, this turned out to be a very effective and efficient way of handling my users.

                      What I ended up doing (simplified explanation):

                      Under Settings
                           Authentication
                                Method NTLM
                                AD Server
                                AD Groups

                      Under Lists
                           String
                                Create AD User Groups - Add your AD Groups
                                Allowed User Groups - Add your AD User Groups

                      I have a number of users that are allowed very limited internet access to a specified list of sites.

                      Under Wildcard Expression
                           Renamed Global Whitelist with -OLD.  Wanted to preserve the original
                           Created a new Global Whitelist - Contains list of sites for restricted users

                      Under Rule Sets
                           Create the restrictive user rule

                      Name:
                      Restricted Web Access

                      Comment:

                      Rule Criteria:
                      Authentication.UserGroups contains "Restricted AD Group Name" AND
                      URL does not match Global Whitelist

                      Action:
                      Block

                      Remaining Users for standard filtering
                           Create standard content filtering rule

                      Name:
                      Company Allowed Categories

                      Comment:

                      Rule Criteria:
                      Authentication.UserGroups contains "AD Group Name" AND
                      URL.Categories<Default> at least one in list Company Category AllowedList

                      Action:
                      Stop Rule Set

                      Events:

                      The standard filtering rule does not always stop access to unwanted categories.  I think I need to add a block to the rule above.

                      When I first posted my question, I was not as familiar with the changes on the MWG as I would normally be.  I have become very pleased with this box.  I am able to get very granular in how I deal with caching, allowed content, blocked content, users and groups, etc.

                      If anyone has a suggestion on streamlining what I am doing......please send.  Otherwise, I am quite happy with this solution and am moving on.

                      Thanks to everyone for your replies,

                      Brian
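A toy model of the two rules in the post above, added here as an example and not McAfee Web Gateway's rule engine. It assumes simplified semantics: rules in a rule set are tried top-down, "Block" ends processing with a block, "Stop Rule Set" leaves the rule set (and, since no later rule set is modelled, the request passes), and a request that matches no rule also passes. The group names, whitelist hosts and category lists are constructed. Evaluating a standard user's request to a non-allowed category shows why the rule set as posted lets it through, and what appending the block the post mentions changes.

```python
"""Toy top-down rule-set evaluator modelling the post's two rules (added example;
assumed semantics, not McAfee Web Gateway's engine).  Categories are supplied on
the request directly instead of being looked up."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class Request:
    user_groups: Set[str]   # stands in for Authentication.UserGroups
    url: str
    categories: Set[str]    # stands in for URL.Categories<Default>


@dataclass
class Rule:
    name: str
    criteria: Callable[[Request], bool]
    action: str             # "Block" or "Stop Rule Set"


# Constructed lists standing in for the post's String / Wildcard Expression lists
GLOBAL_WHITELIST = {"intranet.example.com", "payroll.example.com"}
COMPANY_CATEGORY_ALLOWED_LIST = {"Business", "Technology", "News"}
RESTRICTED_GROUP = "Restricted AD Group Name"   # constructed group names
STANDARD_GROUP = "AD Group Name"


def url_matches_whitelist(req: Request) -> bool:
    return urlsplit(req.url).hostname in GLOBAL_WHITELIST


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, Optional[str]]:
    """Return (decision, name of the deciding rule); the name is None on fall-through."""
    for rule in rules:
        if rule.criteria(req):
            if rule.action == "Block":
                return ("block", rule.name)
            if rule.action == "Stop Rule Set":
                return ("allow", rule.name)   # leaves the set; nothing later blocks it here
    return ("allow", None)                     # fell off the end: nothing blocked it


def rules_as_posted() -> List[Rule]:
    return [
        Rule("Restricted Web Access",
             lambda r: RESTRICTED_GROUP in r.user_groups and not url_matches_whitelist(r),
             "Block"),
        Rule("Company Allowed Categories",
             lambda r: STANDARD_GROUP in r.user_groups
             and bool(r.categories & COMPANY_CATEGORY_ALLOWED_LIST),
             "Stop Rule Set"),
    ]


def rules_with_block() -> List[Rule]:
    """The posted rules plus a trailing block for standard users outside the allowed list."""
    return rules_as_posted() + [
        Rule("Company Blocked Categories",
             lambda r: STANDARD_GROUP in r.user_groups
             and not (r.categories & COMPANY_CATEGORY_ALLOWED_LIST),
             "Block"),
    ]


def demo():
    # Constructed requests covering each branch of the rule set
    restricted_off_list = Request({RESTRICTED_GROUP}, "http://news.example.org/", {"News"})
    restricted_on_list = Request({RESTRICTED_GROUP}, "http://payroll.example.com/", {"Business"})
    staff_business = Request({STANDARD_GROUP}, "http://supplier.example.org/", {"Business"})
    staff_gambling = Request({STANDARD_GROUP}, "http://bets.example.org/", {"Gambling"})
    return {
        "restricted_off_list": evaluate(rules_as_posted(), restricted_off_list),
        "restricted_whitelisted": evaluate(rules_as_posted(), restricted_on_list),
        "staff_allowed_category": evaluate(rules_as_posted(), staff_business),
        "staff_gambling_as_posted": evaluate(rules_as_posted(), staff_gambling),
        "staff_gambling_with_block": evaluate(rules_with_block(), staff_gambling),
    }


if __name__ == "__main__":
    for case, (decision, rule) in demo().items():
        print(f"{case}: {decision} ({rule or 'no rule matched'})")
```

The fall-through case is the one to watch: a rule set whose only actions are "Stop Rule Set" for the good cases never produces a block for the bad ones, so a request the rules do not explicitly allow is not thereby denied.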

                      • 8. Re: Websense, Smartfilter, or Something Like it
                        genemoore

                        IFP has been added back into MWG version 7.3, just in case anyone comes across this old thread again.