TRITON - Web Security Help
183
Filter Users Off Site
Filtering occurs when Remote Filtering Client, outside the network, successfully
communicates with Remote Filtering Server.
You can configure what action Remote Filtering Client takes if it cannot contact
Remote Filtering Server.
By default, Remote Filtering Client fails open, permitting all HTTP, SSL, and
FTP requests while it continues attempting to contact Remote Filtering Server.
When the communication is successful, the appropriate filtering policy is
enforced.
When Remote Filtering Client is configured to fail closed, or block all requests, a
timeout value is applied (default 15 minutes). The clock begins running when the
remote computer is started. Remote Filtering Client attempts to connect to
Remote Filtering Server immediately and continues cycling through available
Remote Filtering Servers until it is successful.
If the user has Web access at startup, no filtering occurs (all requests are
permitted) until Remote Filtering Client connects to the Remote Filtering Server.
When this occurs, the appropriate filtering policy is enforced.
If Remote Filtering Client cannot connect within the configured timeout period,
all Internet access is blocked (fail closed) until connection to Remote Filtering
Server can be established.
This timeout period allows users who pay for Internet access when travelling to
start the computer and arrange for a connection without being locked out. If the user
does not establish Web access before the 15-minute timeout period expires, Web
access cannot be established during that session. When this occurs, the user must
restart the computer to begin the timeout interval again.
To change the fail open/fail closed setting, and change the timeout value, see
Configuring Remote Filtering settings, page 184.
Note
If Remote Filtering Server cannot connect to Filtering
Service for any reason, an error is returned to the Remote
Filtering Client, and filtering always fails open.
Related topics:
Using remote filtering software, page 180
Identifying remote users, page 182
When server communication fails, page 182
Configuring Remote Filtering settings, page 184
Websense Web Security and Websense Web Filter
Virtual Private Network (VPN)
Remote filtering software supports VPN connections, including split-tunneled VPN.
When an off-site machine connects to the internal network via VPN (non
split-tunneled), Remote Filtering Client is able to send a heartbeat to Remote Filtering
Server. As a result, Remote Filtering Client becomes passive and all HTTP, SSL, and
FTP requests from the remote computer are filtered by the internal integration product
or Network Agent, like other in-network computers.
If the remote computer connects to the internal network via a split-tunneled VPN
client, Remote Filtering Client detects this and does not send a heartbeat to Remote
Filtering Server. Remote Filtering Client assumes that it is operating externally and
submits requests to Remote Filtering Server for filtering.
Websense software supports split-tunneling for the following VPN clients:
Checkpoint SecureClient
Cisco
Juniper/Netscreen
Microsoft PPTP
Nokia
Nortel
SonicWALL
Configuring Remote Filtering settings
Related topics:
Identifying remote users, page 182
When server communication fails, page 182
Virtual Private Network (VPN), page 183
Configure remote filtering to ignore FTP or HTTPS traffic, page 185
Configure the Remote Filtering Client heartbeat interval, page 186
Use the Settings > General > Remote Filtering page to configure options that affect
all Remote Filtering Clients associated with this installation.
For more information about remote filtering software, see Using remote filtering
software, page 180.
1. Select the Block all requests... check box to prevent users from accessing the
Internet when Remote Filtering Client cannot communicate with Remote Filtering
Server.
By default, users have unfiltered access to the Internet when Remote Filtering
Client cannot communicate with the Remote Filtering Server.
2. If you selected the block all requests option, specify a Timeout interval (by
default, 15 minutes). During the timeout period, all HTTP, SSL, and FTP requests
are permitted.
If the Remote Filtering Client cannot communicate with Remote Filtering Server
during the timeout interval, all Internet access will be blocked until
communication is reestablished.
Selecting No timeout may lock out a remote computer before the user can
establish an Internet connection from a hotel or other pay-for-use provider.
Warning
Websense, Inc., does not recommend choosing No timeout
or setting the timeout period to a very low number.
3. Select a Maximum size for the Remote Filtering Client log file (in
megabytes), up to 10. Select No log to disable logging.
This controls the size and existence of the log file the remote computer creates
when it is initially disconnected from the Remote Filtering Server. This log file
tracks the following events:
The computer leaves the network
The computer rejoins the network
The Remote Filtering Client is restarted
Fail open condition occurs
Fail closed condition occurs
Remote Filtering Client receives a policy update
The computer retains the 2 most recent logs. These logs can be used to
troubleshoot connection issues or other problems with remote filtering software.
Configure remote filtering to ignore FTP or HTTPS traffic
You can configure remote filtering software to ignore FTP traffic, HTTPS traffic, or
both. HTTP traffic is always monitored.
If you have multiple Remote Filtering Servers, repeat these steps for each instance.
1. Navigate to the Websense bin directory (C:\Program Files\Websense\bin or
/opt/Websense/bin, by default) on the Remote Filtering Server machine.
2. Open the securewispproxy.ini file in a text editor.
3. To disable FTP filtering for this Remote Filtering Server instance, add the
following line to the file:
FilterFTP=0
If you want to later turn FTP filtering back on, change the parameter value from
“0” to “1”.
4. To disable HTTPS filtering for this Remote Filtering Server instance, add the
following line to the file:
FilterHTTPS=0
If you want to later turn HTTPS filtering back on, change the parameter value
from “0” to “1”.
5. Save and close the file.
6. Restart the Remote Filtering Server service or daemon.
Configure the Remote Filtering Client heartbeat interval
In order to determine whether it is inside or outside of the network, Remote Filtering
Client sends a heartbeat to Remote Filtering Server. If the heartbeat connection
succeeds, Remote Filtering Client knows that it is inside the network. By default,
Remote Filtering Client continues to send the heartbeat every 15 minutes to ensure
that its status has not changed.
If you would prefer that Remote Filtering Client send the heartbeat less frequently
once it has determined that it is inside the network, you can increase the heartbeat
interval. In this case, Remote Filtering Client will only send a more frequent heartbeat
if it registers a change in network.
To change the heartbeat interval:
1. Navigate to the Websense bin directory (C:\Program Files\Websense\bin or
/opt/Websense/bin, by default) on the Remote Filtering Server machine.
2. Open the securewispproxy.ini file in a text editor.
3. Find the HeartbeatRetryInterval parameter and change its value. For example:
HeartbeatRetryInterval=360
In this example, the heartbeat will be sent every 360 minutes, or 6 hours.
The value can be any number of minutes between 0 and 1440 (24 hours).
The default is 15 minutes.
4. Save and close the file.
5. Restart the Remote Filtering Server service or daemon.
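The FTP/HTTPS procedure and the heartbeat procedure above both edit securewispproxy.ini by hand. The following Node.js helper is an added example, not part of the Websense product: it applies those edits with the value ranges the text states (FilterFTP and FilterHTTPS are 0 or 1, HeartbeatRetryInterval is 0 to 1440 minutes). The section name in the sample content is constructed, and the default path assumes the Windows install location.

```javascript
// Added helper, not part of the Websense product: applies the securewispproxy.ini
// edits from the FTP/HTTPS and heartbeat procedures, with the documented value checks.

// Allowed values per the documentation: FilterFTP/FilterHTTPS are "0" or "1";
// HeartbeatRetryInterval is 0..1440 minutes.
const RULES = {
  FilterFTP: (v) => v === "0" || v === "1",
  FilterHTTPS: (v) => v === "0" || v === "1",
  HeartbeatRetryInterval: (v) => /^\d+$/.test(v) && Number(v) <= 1440,
};

// Returns the updated ini text. An existing "Key=value" line is replaced in place
// (key matched case-insensitively); a missing key is appended, as the procedures
// say to "add the following line". Unknown keys or out-of-range values throw.
function setIniValues(iniText, updates) {
  const pending = new Map();
  for (const [key, value] of Object.entries(updates)) {
    if (!Object.prototype.hasOwnProperty.call(RULES, key)) throw new Error("unknown parameter: " + key);
    if (!RULES[key](String(value))) throw new Error("invalid value for " + key + ": " + value);
    pending.set(key.toLowerCase(), key + "=" + String(value));
  }
  const out = iniText.split(/\r?\n/).map((line) => {
    const m = /^\s*([^=;#\s]+)\s*=/.exec(line); // "Key=..." lines; comments and sections untouched
    const k = m && m[1].toLowerCase();
    if (k && pending.has(k)) {
      const replaced = pending.get(k);
      pending.delete(k);
      return replaced;
    }
    return line;
  });
  while (out.length && out[out.length - 1] === "") out.pop(); // trim trailing blank lines
  for (const line of pending.values()) out.push(line);
  return out.join("\n") + "\n";
}

// Rewrites the file after keeping a backup copy. Restart the Remote Filtering Server
// service or daemon afterwards, as both procedures require; this helper does not.
function updateIniFile(path, updates) {
  const fs = require("fs");
  const text = fs.readFileSync(path, "utf8");
  fs.writeFileSync(path + ".bak", text);
  fs.writeFileSync(path, setIniValues(text, updates));
}

// Constructed sample content; the section name is invented, not taken from a real file.
const SAMPLE_INI = "[RemoteFilteringServer]\nHeartbeatRetryInterval=15\nFilterFTP=1\n";
const DEFAULT_INI_PATH = "C:\\Program Files\\Websense\\bin\\securewispproxy.ini"; // assumed default
```

Example call: updateIniFile(DEFAULT_INI_PATH, { FilterHTTPS: 0, HeartbeatRetryInterval: 360 }) disables HTTPS filtering and sets a 6-hour heartbeat in one pass.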
Applying hybrid filtering to off-site users
In Websense Web Security Gateway Anywhere deployments, hybrid filtering can be
applied to off-site users, regardless of how those users are filtered when they are
in-network.
Related topics:
Configuring hybrid filtering for off-site users, page 187
Off-site user self-registration, page 189
For users filtered by on-premises components (Filtering Service) when they are
inside the network, you can configure the browser PAC file to determine whether
the user is in-network or off-site before sending an Internet request for filtering.
If you are using the PAC file generated by the hybrid service, this configuration
occurs automatically based on the settings that you provide in TRITON - Web
Security.
For users filtered by hybrid filtering both in and outside the network, no PAC file
changes are required. When off-site users make an Internet request, they are
prompted to log on to hybrid filtering so that the appropriate user or group-based
policy can be applied.
Configuring hybrid filtering for off-site users
Important
While you can use remote filtering software for some off-site users and hybrid
filtering for others, the hybrid service cannot be used to monitor Internet activity
for machines that also have Remote Filtering Client installed.
Use the Off-Site Users tab of the Settings > User Access page to configure hybrid
filtering for users outside a filtered location.
1. If hybrid filtering uses directory data collected by Directory Agent to identify
users, you have 2 options:
Configure the hybrid service to automatically create a hybrid logon password
for all user accounts sent by Directory Agent. Passwords are sent to each
user’s email address in staggered intervals to avoid a sudden influx of email
messages.
Have users request their own password the first time they connect to the
hybrid service from outside a filtered location. In order for the process to
succeed, users must provide an email address that matches an account sent by
Directory Agent. The password is then sent to that email address.
To have the hybrid service generate passwords for all user accounts that it sees,
mark Automatically generate and email passwords.
Note
For this reason, be sure that your organization’s webmail
address has been added as an unfiltered destination. See
Specify sites not filtered by the hybrid service, page 167.
2. If on-premises filtering is applied to users when they are inside the network, but
hybrid filtering is applied to users when they are outside the network, enter a Host
name that can only be resolved outside the network.
When the user initiates an Internet request, hybrid filtering checks to see if the
host name resolves.
If the name does not resolve, the request is passed to on-premises components
for filtering.
If the name resolves, hybrid filtering processes the request.
3. If Internet requests from in-network machines pass through an explicit proxy,
provide the proxy location (Host name or IP address) and Port to ensure
requests are routed properly when the user is on-site.
4. If your organization does not use directory data collected by Websense Directory
Agent to identify users connecting to the hybrid service, you can let users
self-register for the service. This allows users with email accounts associated with
domains that you specify to identify themselves to the hybrid service.
Users requesting Internet access from an unrecognized IP address are prompted to
self-register. The domain portion of the user’s email address is used to associate
the user with your organization so that the proper Default policy is applied.
Users who cannot be associated with an organization are filtered by the hybrid
service Default policy.
Click Add to add a domain (see Adding domains, page 188).
Click a domain entry to edit the domain or its attributes (see Editing domains,
page 189).
5. When you are finished, click OK to cache your changes. Changes are not
implemented until you click Save All.
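The following PAC snippet is an added illustration of the in-network/off-site decision from steps 2 and 3 above; it is not the PAC file the hybrid service generates, and every host name and port in it is a placeholder. The decision is kept in a plain function so the routing logic can be checked without a browser.

```javascript
// Added illustration of the off-site check in steps 2 and 3 above. It is NOT the
// PAC file the hybrid service generates; all host names and ports are placeholders.
var OFFSITE_CHECK_HOST = "offsite-check.example.com"; // step 2: a name that resolves only outside the network (assumed)
var HYBRID_PROXY = "PROXY hybrid-proxy.example.net:8080"; // placeholder for the hybrid service proxy
var ONPREM_PROXY = "PROXY proxy.corp.example.com:8080";   // step 3: explicit in-network proxy (assumed)

// Pure decision logic, kept separate from the PAC runtime so it can be tested offline.
// checkHostResolves is the result of isResolvable(OFFSITE_CHECK_HOST).
function chooseRoute(checkHostResolves, host) {
  // Loopback and unqualified intranet names never need a filtering proxy.
  if (host === "localhost" || host === "127.0.0.1" || host.indexOf(".") === -1) {
    return "DIRECT";
  }
  if (checkHostResolves) {
    // The name resolves only off-site, so the user is outside the network:
    // hybrid filtering processes the request.
    return HYBRID_PROXY;
  }
  // The name does not resolve, so the user is in-network: pass the request to
  // the on-premises components through the explicit proxy.
  return ONPREM_PROXY;
}

// PAC entry point. The browser's PAC runtime supplies isResolvable().
function FindProxyForURL(url, host) {
  return chooseRoute(isResolvable(OFFSITE_CHECK_HOST), host);
}
```

A DNS-based check classifies any network that resolves every name (a captive portal with wildcard DNS, for example) as off-site, so test the PAC from such a network as well as from inside the filtered location.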
Adding domains
Use the User Access > Add Domain page to identify the domains and subdomains (if
any) belonging to your organization. This makes it possible for users with email
addresses in the specified domains to self-register (authenticate themselves) for hybrid
filtering. This is typically enabled only in organizations that do not use Directory
Agent to send user information to hybrid filtering.
The hybrid service is unable to provide user name information about self-registered
users to the on-premises components for use in reporting. Only the IP address from
which the request originated is logged.
1. Enter a Domain name (in the format sampledomain.org) belonging to your
organization.
2. Enter a clear Description of the domain as a point of reference to simplify hybrid
filtering administration.
3. If you want users with email addresses in both the domain and its subdomains
(like university.edu and humanities.university.edu) to be able to self-register,
mark Include subdomains.
4. Click OK to return to the Off-Site Users tab of the User Access page.
5. Click OK again to cache your changes. Changes are not implemented until you
click Save All.
Editing domains
Use the User Access > Edit Domain page to make changes to the domain entries that
allow users to self-register for hybrid filtering.
1. Verify the domain Name and make changes, if necessary.
2. Update the Description as needed.
3. To change whether or not email addresses in subdomains are considered valid,
mark or clear Include subdomains.
4. Click OK to return to the User Access page.
5. Click OK again to cache your changes. Changes are not implemented until you
click Save All.
Off-site user self-registration
If you are not sending directory service data to the hybrid service (in other words, if
you have not enabled Directory Agent), users must self-register in order to be filtered
properly when they are off site (outside a filtered location).
In order for users to be allowed to self-register, you must first identify the domains
associated with your organization on the Off-Site Users tab of the Settings > User
Access page in TRITON - Web Security (see Configuring hybrid filtering for off-site
users, page 187).
Users connecting to hybrid filtering from outside a filtered location are prompted to
enter a user name and password, or to register. To register with the hybrid service:
1. The user provides a name and email address.
2. Hybrid filtering then sends a password to the user via email, along with a link that
can be used to change the password.
3. The user clicks the link, and is prompted to enter the password.
4. Registration is complete.
When registered users connect to the hybrid service from outside a filtered location,
they enter their email address and password. Hybrid filtering then applies your
organization’s Default policy to their Internet requests.