
Re: [FW-1] Websense and FW1 Nokia

It sounds to me like we should integrate Websense with the ISA server and allow the ISA server straight through the Firewall (not pointing any traffic to the Websense Server).  That way we are not invoking the security server on FireWall-1.  With the configuration you currently have set up, the source IP for all HTTP traffic will be the same (the IP address of the ISA server); therefore, you will not be able to see the correct IP addresses in Websense Reports and you will not be able to take advantage of ISA's authentication and reporting benefits.  Since the ISA is already installed behind the Firewall, you should be able to back up your ws.cfg and do a modify install on the Websense Server.  Once Websense is set up to integrate with ISA, we can remove the rule from Checkpoint's FireWall-1 rule base, which will allow you to have Internet access and reporting ability (as ISA sends duration and bytes-transferred information to Websense).

Sincerely,
Cosmo 

 -----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, October 07, 2002 11:27 AM
To: [email protected]
Subject: Re: [FW-1] Websense and FW1 Nokia

Let me try and understand exactly what you are attempting to do.  First, do you have the FireWall set to pass its traffic through an ISA Server, or is the ISA Server on a DMZ and you are expecting the users to proxy to that device for Web access?  Is the FireWall set to pass the Web traffic using a proxied connection or using the SecureNAT option on the ISA Server?  I suspect, based on the error that you are reporting, that the FireWall is set to proxy to the ISA Server for Web traffic.

That being said, the error really has nothing to do with Websense, but more with how the FireWall is configured.  When you enable the rule on the FireWall to filter traffic through Websense, the Web traffic then passes through the HTTP Security Server.  The error that you are receiving is from the HTTP Security Server.  If you have configured your browsers to proxy to a server outside of the FireWall using port 80, the FireWall will try and intercept the request, and fail because it is not the destination proxy server.

So, there are two immediate options that I can see to solve this issue, and it will depend on how you want your traffic to flow, as well as what reporting options you want to have occur.  One option is to not use proxied traffic at all for your internal browsers, setting the FireWall to send the Web requests to Websense for evaluation, and then have the FireWall point to the ISA Server (either by proxy or by SecureNAT) for the outbound Web traffic.  If you are planning on using Websense Reporter and trying to identify specific user names, you would have to rely on the Websense Server components to identify the users.  I have not tested the forwarding proxy option in NG, so I don't know how well it will work, but it wasn't all that great in v4.1 for Web traffic.  Another option is to use Websense filtering on the ISA Server and then set the client browsers to proxy to the ISA Server.  The FireWall would then be set to pass Web traffic on through to only the ISA server from your internal clients.  In this case, if you wished to use Websense Reporter to report on specific users, and if the ISA Server has access to the internal user database, either it or the Websense Server components can be used to track your users' Web access.

I'm sure that there are a number of other options that can be accomplished as well, if we understand what specifically you are attempting to do.

Thank you.

-----Original Message-----
From: Denni Ugolotti [mailto:[email protected]]
Sent: Monday, October 07, 2002 12:55 AM
To: [email protected]
Subject: [FW-1] Websense and FW1 Nokia


Hello all!
We have a problem with Websense version 4.4 and Checkpoint FW1 NG FP1, on a Nokia IP530 IPSO ver. 3.4.2. The problem is the following:
We have this topology:

Internal LAN (websense +hosts)---FW1-----(Proxy ISA Server)--->Internet
Router--->

We have configured the FW1 as the manual said, and the configuration seems to be ok, but when we try to get out (to the WEB) with the web browser (proxy configured) we get a strange message from FW1; the message from the log is:

Rejected:  reasonRequest to proxy other than the next proxy resource
http://www.xyz.xx

We have tried to bypass the proxy, using the web browser only to get on the WEB, and it works! Why, if we use the proxy (ISA Server), do things get worse????
Thanks to all who respond!

  Andrea & Denni
