
RE: [FW1] Websense/Web Filtering



While talking about new versions ...
I'm glad the latest version of WebSense for FW1 introduces user and group
authentication. But I'd like to know if we will finally get rid of this
annoying 10-minute authentication latency.
Up to 4.2.2, a user would launch a browser, type in a URL, get the
authentication pop-up, enter a login/pw, surf and close the browser when
finished. But as far as I saw, he's still authenticated for 10 minutes.
So if he starts a browser again during this period, he doesn't have to
reauthenticate before these 10 minutes are over.
The support team at our supplier told me it's hard-coded in WebSense and
there is nothing to be done about that.
So what is the status of this 'feature' in 4.2.4?
 
Emmanuel Bailleul

ASCOM Adilan

FRANCE 

-----Original Message-----
From: Hubbard, Dan [mailto:[email protected]]
Date: Friday, 16 February 2001 21:53
To: 'Chris F'; Brian Mulford; Check Point FW List (E-mail)
Subject: RE: [FW1] Websense/Web Filtering



Chris; 

I am sorry to hear you are having problems with WS and CKP. Below I am going
to explain technically the difference between WS 3.X with CKP and WS 4.X
with CKP. I also understand your frustrations as to having to deal with two
separate companies pointing the fingers at each other.

Although I am not familiar with the *exact* problem you are having (I am
getting a status report from our technical support dept.), the information
below should clear things up for you as far as the differences between 3.x
and 4.x and between different UFP versions.

Websense V3.X was our original version that talked to FW-1 with the UFP
(note not CVP). This version talked directly to the UFP code in FW-1 over a
socket. We wrote all the code for the "communication" from the UFP server
side.

Due to some additional features that we have added to our product (including
defer/continue, redirect of sites, user-authentication w/LDAP, NT, and an
expanded category base) we used the "new UFP V2" in our 4.X version of
Websense. Checkpoint mandates that with this version of the UFP they handle
all socket-based communications from the UFP server to the Firewall, unlike
previously, where we handled them. We use libraries from Checkpoint on the
UFP server side in order for the socket communication to work.

Thus, all TCP traffic between the Firewall and the UFP server is handled by
Checkpoint, not us. We simply get messages from the libraries that we
compiled with. The standard UFP port is 18182. By "snooping" the traffic
between the UFP server (i.e., Websense) and the Firewall you are looking at
packets that are all handled by Checkpoint code. As I mentioned above, in the
original UFP we had control of this communication. However, in the new UFP we
have no control of this communication.

The "new UFP" socket communication does appear to have some bugs in it. If
you hear of any other problem with the joint solution, let me know offline
what the trouble ticket is and I will look into it.

Thanks 



-----Original Message----- 
From: Chris F [mailto:[email protected]]
Sent: Friday, February 16, 2001 8:40 AM 
To: Brian Mulford; Check Point FW List (E-mail) 
Subject: Re: [FW1] Websense/Web Filtering 



Hi Brian, 

I've used Websense for a few years in the Unix/NT 
environment. 

Back in the days of Solaris 2.5.1, Websense v3.11, and 
CP FW1 v3.0b Build 3064 -- EVERYTHING WORKED! 

When working -- Websense is easy to implement and 
configure. Once you set your filters, there is little 
(or no) administration. Websense will update its 
database automatically for you -- I have it auto 
update every night. 
There is no noticeable network lag from using Websense 
and only a few sites will give you problems (easily 
fixed in your security policy). I have used Websense 
on the firewall, and as a stand alone CVP/URI server. 

Since the introduction of FW v4.x and Websense v4.x.x 
- I've had some problems with the communication 
between CP http security server and Websense. 

I'm now on Solaris 2.6 5/98 HW version (patched with 
patches as of Jan 26, 2001), FW1 v4.1 SP3 -- built 
from scratch, and I'm having the same issues 
(unfortunately). 

What's most frustrating is getting the vendor pointing 
when things don't go as planned: Websense will blame 
CP's http security server for any problems you have, 
and CP will blame Websense. Yet, you pay for support 
from both -- and no one wants to help you. Nice 
partnership, eh? 

Because of this, I'm getting better at using "snoop" 
and call their bluff when they try and tell me 
otherwise :) 

Telemate.Net makes a similar product -- a hardware 
solution for filtering. I'm still investigating this 
product. 

www.telemate.net if you're interested. 

Please feel free to contact me if you have any 
details/questions. Sorry for this book reply. 

HTH -- Chris 



--- Brian Mulford <[email protected]> wrote: 
> 
> I am evaluating websense as a content management 
> filter that integrates 
> with FW1. Anyone have any comments good or bad, or 
> possible other 
> software that may be better? Thanks 
>  
> Brian 
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
> ================================================================================


   All contents © 2004 Network Presence, LLC. All rights reserved.