TRITON - AP WEB v80 Professional Lab Guide BF033
4 | Initial Configuration
5 | Customizing Filters
7 | Designing Policies
10 | SSL Configuration
Lab Objective
Websense TRITON AP-WEB protects your network by detecting and blocking web-based
security threats, and by detecting and enforcing network policies for user
requests to non-work-related or otherwise prohibited sites and content.
To enable access to its management consoles and to enable/disable certain services on
the V10000 appliance, you must pre-configure several basic parameters that the
appliance’s “firstboot” script will prompt you to provide.
To successfully complete the firstboot preconfiguration of a V-Series appliance, you
must specify the ‘security mode’ (TRITON AP-WEB, TRITON AP-EMAIL, or dual
mode) and then the host name, IP address, network mask, default gateway, and
DNS server for the ‘C’ interface, along with a few other basic networking parameters.
Important
In all v8.x Websense-certification lab environments, Firstboot has already
been run. This enables the appliances to be preconfigured to optimize
available hardware resources, provides a way to validate the basic health of
the appliance, and enables TCP/IP-based (SSH) console access to the
appliance for environments in which virtual serial-line console connections
are not available.
For classroom events, your instructor may choose to demonstrate the
firstboot process using a live lab environment or simply show the interface
and information prompts of firstboot using the presentation slides.
In special cases, or as prompted by your instructor, you can run the Firstboot
configuration wizard at any time from the CLI of the serial-line console by
executing the command “firstboot”. Except for being able to specify (or
change) the configuration mode of the appliance, all other aspects of the
experience will be the same as if running it for the very first time.
Warning
Attempting to abort the firstboot configuration at the wrong time (that is, too
late in the process) can result in the corruption of your system. Please give
careful attention to the sequence of steps and the exact point at which you
are advised to press Ctrl-C.
Tip
See the appendix Using the ReadyTech Environment for instructions
for logging onto and using ReadyTech-hosted lab environments.
Note
Configuring the network interface parameters for the C interface and
setting/resetting the console password takes several minutes, even if no
new changes are made.
You can exit the Firstboot configuration wizard at anytime by pressing
Ctrl-C, in which case you will be returned immediately to the CLI
command prompt.
Tip
If you are using a vSphere terminal session (or other VMware-based
direct terminal session) press Ctrl+Alt to release the mouse.
Upon completion of the very first use of the Firstboot configuration wizard, a
“Welcome to the Websense V10000” banner of text is displayed at the top of the
Subsequent completions of the Firstboot wizard will simply return you to the CLI
prompt.
Lab Objective
Appliance Manager runs in the privileged “domain zero” (Dom0) of the virtualization
architecture that Websense® V-Series™ appliances use for system partitioning and
resource allocation. Dom0 also hosts the hypervisor that provides hardware
virtualization for the other domains within the system (which may also be called
“modules,” “partitions,” or “virtual machines” depending on the discussion). Dom0 is
the only domain with direct access to the hardware layer of the appliance.
Appliance Manager provides a graphical web-based console and a text-based
command-line interface to configure, monitor, and manage the basic operational
parameters of the appliance. Appliance Manager binds to the ‘C’ network interface.
The IP address of the C interface is the address you use to make browser-based
(HTTP/S) and terminal-based (SSH) connections to the Appliance Manager module.
In this lab you will complete the configuration of the Appliance Manager. To do so,
you will configure the IP address of the P1 network interface and the system time
settings.
Important
Most of the steps in this lab have already been completed for you.
Review each step to confirm that the correct information has been entered
and to follow the typical configuration steps required for a new installation.
Steps
4. On the Configuration > System page in the Time and Date section, make the
following changes:
Important
This step has NOT been preconfigured for you.
a. For the time zone setting, select Pacific Time (all the other servers in
your virtual environment are in this time zone as well).
b. In Time and Date: Select Automatically synchronize with an NTP
server and then enter 172.31.0.150 for the value of the “Primary NTP
server” setting. Accept the default settings for secondary and tertiary
server settings.
c. Optional: Add an Appliance Description of your choice, perhaps
something like “[YourName]’s Test Lab Appliance V10K-1”.
d. At the bottom of the page, click OK.
e. A notice appears to inform you that changing the system time may
automatically log you off of the Appliance Manager; consequently, you
may need to log on again after the change is complete. Click OK on the
confirmation window.
If you do not need to log on again, a confirmation that the time has been
set will appear at the top of the page after the system completes the
change.
5. On the Configuration > Network Interfaces page:
a. Verify that the settings in Appliance Controller Interface (C) resemble the
screenshot below:
c. For the Network Agent Interface, verify that Interface C is selected and
accept the rest of the configuration parameters as they are (unconfigured).
d. At the bottom of the page, click OK.
e. When asked if you want to continue, click OK.
A confirmation that interface settings have been updated or that “Your
configuration did not change” will appear at the top of the page after the
system processes your request.
f. Log off the Appliance Manager web console and close the browser
window.
Lab Objective
TRITON Unified Security Center, also referred to as the TRITON Manager, provides
a unified management interface for:
• Full system administration and policy management
• Comprehensive reporting
• Role-based access controls
In this lab, you will verify that the TRITON Infrastructure, TRITON AP-WEB, and
Data Security modules have been installed.
Steps
Important
The core TRITON management components required for TRITON AP-
WEB labs have been pre-installed on the TRITON-APX server for you. The
steps below ask you to confirm that the installation has been completed and
that all the services associated with the installation are running.
2. Verify that the Modify Installation page of the Websense TRITON Setup
program shows green check (or tick) marks for these major components.
• TRITON Infrastructure
• TRITON AP-WEB or Web Filter & Security
• TRITON AP-DATA
4. Use the “Remove” function to see which sub-components have been installed.
Click Remove to the right of “TRITON AP-WEB or Web Filter & Security”.
On the Remove Components page:
DO NOT CLICK ‘NEXT’ TO ACTUALLY REMOVE ANY
COMPONENTS.
5. By reviewing the components that are possible to remove, you can see which
components the TRITON Unified Installer has logged as currently installed.
a. Verify that these services are listed:
• Policy Broker
• Policy Server
• Filtering Service
• TRITON - Web Security
• Log Server
• Real-Time Monitor
• Linking Service
Leave this option selected, otherwise the local copy of the Websense installer files
in the C:\Windows\Installer\{E54} folder will be deleted.
Tip
Filtering Service, for example, often fails to start due to competition
for limited resources on the relatively crowded ESXi host.
If the Websense TRITON Settings Database (pgsqlEIP) service is
in a “stopped” state, and it will not start, usually the required
process actually is running. Unless the global “TRITON Settings”
pages will not display, you do not need to troubleshoot this.
d. If any services do not start, please consult with your instructor for the
appropriate remedy.
3. Revisit the Task Manager in 10-20 minutes and verify again that all services are
running and (re-)start those that are not running.
Lab Objective
In this lab you will configure the initial settings for TRITON AP-WEB and explore
the TRITON Web Filter & Security manager interface.
Steps
d. Click the IP address of the policy server listed in the navigation column of the
content page (172.31.0.155, in this case).
g. The main, summary Database Download page should report the current
database version, along with a status that includes a specific date and time.
3. When the process is complete, click Save and Deploy in the top-right corner of
the web console.
4. Go to the Settings > General > Account page and verify that the “product level”
listed for the subscription key is “TRITON AP-WEB, With Web Hybrid
Module, With Web DLP Module, With Web Sandbox Module” and that the
expiration date has not been passed.
c. Click OK.
d. In response to the popup notification that warns about the potential
consequences of the change, click Continue.
e. Wait for the process to complete. This takes from 5 to 15 minutes,
depending on the state of the environment.
3. Upon receiving the confirmation that “The policy source has been set”, log off
Appliance Manager.
3. Verify that the appliance is added to the list of Registered Appliances in the
content-display area of the Manage Appliances page.
a. Click to expand the entry you just created and review the information that is
displayed.
b. Verify that the Single Sign-On (SSO) button appears on the right of the top
row of the list item.
4. Test SSO access to the Appliance Manager for V10K-1.
Notice the textual detail in parentheses that follows the user name, “logged in via
TRITON”.
NOTE: In Internet Explorer, at the very bottom of the page, you may have to
select to “Always allow” pop-ups and then repeat the SSO logon attempt.
b. Click OK.
3. On the Policy Servers page, verify that the policy server on the appliance is added
to the tree and then, at the bottom of the page, click OK.
NOTE: In Internet Explorer, at the very bottom of the page, you may have to
select to “Always allow” pop-ups and then repeat the SSO logon attempt.
4. In Content Gateway Manager, verify the Subscription Details on the Monitor
[tab] > My Proxy > Summary page.
Take some time to explore both the TRITON Web interface and the Content
Gateway interface.
Go ahead and clear any alerts in the Content Gateway interface that appear to be
no longer relevant (such as licensing alerts that may have been triggered prior to
changing the policy mode of the appliance).
5. Finish by logging off and closing the Content Gateway session and then switching
the Web manager back to managing the 172.31.0.155 instance of Policy Server.
Lab Objective
Web Filter & Security includes four pre-configured category filters, named Default,
Basic, Basic Security, and Monitor Only, along with three pre-configured protocol
filters, named Default, Basic Security, and Monitor Only.
You can edit the parameters of the default filters to suit your needs. You can also
create new filters. New filters can be based on either an existing configuration or a
template filter, and can then be further modified.
In this lab, you will configure one of the default filters in Web Filter & Security with
customized parameters.
Steps
Modifying a Policy
After installation, the Default policy is applied to all clients. The default settings for
the default policy use the Monitor Only category filter and the Monitor Only protocol
filter.
1. Navigate to Main [tab] > Policy Management > Policies.
2. Read the descriptions of the available pre-configured policies.
5. Click OK.
Important
Note that changes are cached. To implement changes, you must commit
them using the Save and Deploy button.
6. You can click the magnifying glass button next to Save and Deploy to view any
pending changes.
c. Enter the IP address of the P1 interface on V10K-1 and port 8080 for “HTTP”
and “secure” types of servers. (Leave FTP and Socks types blank.) Enter
172.31.*.* as a proxy exception.
Lab Objective
In this lab, you will create a PAC file on the instance of Websense Content Gateway
that is running on the V10K-1 appliance and, then, configure the Client-W7 browser
to download and use your PAC file.
Steps
3. Click Apply.
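As an added example that is not part of the lab guide, this PAC file expresses in JavaScript the same proxy settings the browser was given manually in the previous lab: HTTP and HTTPS go to Content Gateway on the V10K-1 P1 interface, port 8080; FTP is not proxied; 172.31.*.* is the exception. The P1 address is not on this page, so it is a placeholder, and isLabAddress is a helper assumed here.

```javascript
// Added example (not from the lab guide): PAC equivalent of the lab's manual
// proxy settings. Replace the placeholder with the P1 interface address of
// V10K-1 before publishing the file from Content Gateway.
var WCG_PROXY = "PROXY P1-INTERFACE-IP:8080"; // placeholder, see lead-in

// Strict match for a dotted-quad address in 172.31.0.0/16. The browser dialog's
// "172.31.*.*" exception is a glob on the host string, so a hostname such as
// "172.31.9.9.example.com" would also satisfy it; anchoring on four numeric
// octets keeps the bypass limited to literal lab addresses.
function isLabAddress(host) {
  var octet = "(25[0-5]|2[0-4]\\d|1?\\d?\\d)";
  return new RegExp("^172\\.31\\." + octet + "\\." + octet + "$").test(host);
}

// Entry point that every PAC-capable browser calls once per request.
function FindProxyForURL(url, host) {
  var scheme = url.split(":")[0].toLowerCase();

  // Only the "HTTP" and "secure" proxy types were filled in; FTP was left blank.
  if (scheme === "ftp") {
    return "DIRECT";
  }
  // Proxy exception from the lab: local 172.31.*.* addresses bypass the proxy.
  if (isLabAddress(host)) {
    return "DIRECT";
  }
  // Everything else (http and https) goes through Content Gateway. No
  // "; DIRECT" fallback is appended on purpose: with one the browser would
  // fail open and reach the site unfiltered whenever the proxy is down.
  return WCG_PROXY;
}
```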
Lab Objective
In this lab, you will configure Integrated Windows Authentication (IWA) and test
whether a user attempt to override content filtering by entering an alternate set of user
credentials is successful. You will also configure DC Agent to identify users
transparently in cases where IWA does not work.
Steps
c. Click Test Connection to confirm that the connection to the global catalog
server is configured properly. If it is not, double-check your settings, verify
that the domain controller is running and retry.
d. Click OK at the bottom of the page, and verify that the entry you just made is added to
the list of global catalog servers.
c. Click the check box for user Tim Muller, then click the right arrow to move
the user to the Selected Users column.
d. Confirm that the Default policy is applied to this user and click OK.
3. Follow the same procedure to add the user Administrator, but apply the
Unrestricted policy to this user.
4. Click Save and Deploy.
5. In the Domain Discovery section, select User Service and click WINS Server
Information.
Fill in the WINS Server Information:
a. Administrative user: Administrator
b. Password: Websense1
c. Domain: WSCERT
This will take you to the Configure > Security > Access Control > Integrated
Windows Authentication page.
a. Enter the information as listed below.
Domain Name: wscert.com
NOTE: The IP address for the P1 interface has been pre-configured in the lab’s
DNS service as the name-resolution for v10k-1-wcg.wscert.com.
Note
To test or verify the functionality of DC Agent, you can also disable
authentication on WCG and then inspect the block page to show that users
are still identified.
Clicking More Information and then viewing the source code of the page
should show NetBIOS://[user] style identification instead of
LDAP://[user] style.
Lab Objective
In this lab, you will design policies to apply category and protocol filtering.
Steps
Creating Policies
A policy is composed of three main components: category filter(s), protocol filter(s),
and a filter schedule. Once created, policies can be assigned to users, groups,
individual computers, host IP ranges, and organizational units (OUs).
1. On the TRITON-APX server, launch the TRITON - Unified Security Center if
it is not already open.
a. Log on with the user name admin and the password Websense1
b. Confirm that you are configuring the 172.31.0.155 Policy Server.
2. Create a new policy by navigating to Main > Policy Management > Policies and
click the Add button.
3. Create a policy named Engineering, based on the Default existing policy and
click OK.
Note
To assign a block to all of the sub-nodes of a category,
highlight the category, click Block and then click Apply to
Subcategories.
3. Click Add.
4. Add the 0000-0900 weekday schedule to the policy.
5. Click Add.
6. Add the 0900-1730 weekday working hours schedule to the policy.
5. Click Close.
Note
In some cases, more than one policy may be applicable to a user based
on IP address or group memberships. When determining which policy
to apply to a user, this order is used by default:
user
IP address
network
groups
domain
You can change the order to the following by editing the eimserver.ini
file (see the Websense Knowledge Base for more information):
user
groups
domain
IP address
network
Note
In instances where a user is a member of multiple groups, the Filtering
Service applies the most permissive group policy by default. This
setting can be changed to apply the most restrictive group policy by
checking the appropriate box in the TRITON Manager > Web >
Settings > General > Filtering page.
4. Click More Information to view more information about why this site is blocked.
5. Right-click in the shaded area shown above and choose View Source. Scroll
down to see the information shown below. You should be able to see the user that
was blocked and how the user was identified by Websense Web Filter & Security.
Lab Objective
In this lab, you will configure and test Network Agent to monitor protocols and block
FTP traffic to selected sites.
Warning
Network Agent requires promiscuous mode on the switch port
attached to the N interface. However, your lab environment should
be already correctly configured with these settings.
Steps
IP Address 172.31.0.154
Subnet Mask 255.255.0.0
Default Gateway 172.31.0.1
Primary DNS 172.31.0.150
Secondary DNS [none]
3. Click the first packet, which contains the SYN request from the client to the server.
In the bottom pane, note the MAC address for the client (labeled Src:). It should
match the one displayed when you used the ipconfig command.
4. Now click the packet from the client to the server that contains the RST flag.
In the bottom pane, note the MAC address for the client (labeled Src:). It should
match the one displayed in the Appliance Manager for the N Interface.
Conclusions
The Network Agent is sending the TCP RST packets from the N interface as expected.
Lab Objective
In this lab, you will configure WCCP on the Cisco router (emulator) and on Websense
Content Gateway running on the V10000 appliance. Once configured, the router will
redirect all HTTP and HTTPS traffic to the Websense appliance.
Steps
Configuring WCCP
1. On Client-W7 (not Bastion7), change the default gateway to 172.31.0.254.
Tip
Run “ncpa.cpl” from the Start menu as a shortcut to the Network
Connections window.
Alternatively, use the “route” command from a command prompt.
route change 0.0.0.0 mask 0.0.0.0 172.31.0.254
route print
Verify the default gateway setting from a Windows command prompt using the
command ipconfig.
Tip
See the short troubleshooting section at the end of this lab to help
resolve any issues with the WCCP router.
Interface Value
FastEthernet0/0 172.31.0.254
8. Configure the router to use WCCP version 2. Type the following command to
load the configuration terminal prompt, and press Enter:
R1#configure terminal
You should see the following text displayed:
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
b. Configure the router to identify the Security Gateway service group. You will
create group 10 to be used for both HTTP and HTTPS protocols. Type the
following command and press Enter:
R1(config)#ip wccp 10
c. Enable the WCCP service on the interface where client traffic will be
intercepted and redirected. The interface is FastEthernet0/0. Type the
following commands and press Enter after you type each line:
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip wccp 10 redirect in
R1(config-if)#exit
R1(config)#exit
9. Perform some basic validation that your configuration changes are running.
a. Use the command show ip route to display the routing table. Verify that
you see the following—especially the underlined portion:
C 172.31.0.0/16 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 172.31.0.1
[1/0] via 172.31.0.1, FastEthernet0/0
b. Use the command show ip wccp to display global WCCP information.
Verify that you see information about “Service Identifier: 10” in the output.
After initial testing (below), you can return to the WCCP router console and
use this command to see the value of the “Total Packets s/w Redirected”
increase as you browse various sites.
2. Click Configure [tab] > My Proxy > Basic > General [tab].
a. Scroll down the page until you reach the Features > Networking section.
b. Select On for the WCCP setting, as shown in the picture below.
5. Having already created the service group 10 on the router, you must now assign
HTTP and HTTPS traffic to that service group.
WCCP redirection works on TCP ports, so for HTTP and HTTPS we need to
assign ports 80 and 443 to service group 10. Use the values specified in the table
below to edit the form fields.
Parameter Value
Service Group Status Enabled
Service Group Name HTTP
Service Group ID 10
Protocol TCP
Ports 80,443
Network Interface eth0
Special Device Profile ASA_Firewall
Packet Forwarding Method GRE
Packet Return Method GRE
Security Disabled
Multicast Disabled
WCCP Routers 172.31.0.254
c. After configuring all the necessary parameters, click Add in the bottom-left of
the form. The list-display area at the top of the page will show a plain-text
configuration string. You should be able to see some of the parameters you
just entered reflected in this string.
d. Click Apply in the top (or bottom) right of the page.
NOTE: No action is required in response to the warning message about the
requirement for “a corresponding ARM rule for every port specified in an
enabled WCCP service group.” The ports specified in our rules (80 and 443)
are already configured to be handled by the proxy. This warning is typically
useful only for helping to troubleshoot more complex configurations. Often
the required rules are created without needing to be explicitly configured.
e. Click Close.
6. You must now restart WCG to implement the change(s) you just made.
On the My Proxy > Basic page, click Restart.
In this case, note the difference in “MASK” and “HASH” for the assignment
method for the service group. Hash is the default configuration option for
WCG, but in this case the mask method is the default for the router. The
assignment method is a means of distributing traffic across multiple proxy
servers (not relevant to this particular lab configuration).
In other cases, the negotiated parameters for even the packet forward and
return methods may be different than what is specified as preferred in the
WCG configuration. For example, you may specify L2, but GRE could end up
being the negotiated method, based on the configuration of the router.
5. Telnet to the WCCP router at 172.31.0.254, log on, and use the following
command to display WCCP statistics:
R1>show ip wccp
Troubleshooting Tips
Restart the WCCP Router–Related Services
If you cannot connect to the router via Telnet, it may be malfunctioning because of
startup failures caused by resource contention during the initial deployment/boot of
the system. You should take the following action:
1. On the DC server, launch the Windows Task Manager and check the
Performance tab. If CPU usage is at 100% and stays there without returning to an
idle rate of 0 to 10% within several seconds, this indicates that the Dynamips
emulator is not emulating idle CPU cycles properly and needs to be restarted.
Even if the CPU profile of the DC machine looks right, the services that provide
WCCP router functionality may not have started originally in the correct order.
2. Restart the router-related services.
a. On the DC server, in Windows Task Manager, go to the Services tab.
b. Find and stop the WCCP_Lab and dynagen services in that order.
c. Restart the services in reverse order, dynagen, then WCCP_Lab.
d. Windows Task Manager on the Services tab, find the
3. Check the Performance tab and verify that CPU usage returns to an idle value of
0 to 10%.
4. From Client-W7, verify that you can ping 172.31.0.254, and then attempt to
make a Telnet connection.
Using the GNS3 Interface for Control over the Router Configuration
On rare occasions, it may be useful to launch the WCCP router using the graphical
interface, GNS3, for the Dynamips emulator, instead of the light-weight command-
line interface (Dynagen—which is launched by the WCCP_Lab service).
Note
In prior editions of this lab manual, using GNS3 was the recommended
first-option for troubleshooting the Dynamips-based WCCP router.
Using GNS3, however, is NOT currently the recommended method for
restoring router functionality. It is generally better to simply restart the
services.
b. Double-click the WCCP folder (C:\websense\WCCP) and then select the file
topology.net.
c. When GNS3 loads the configuration, click the play button.
If you still cannot complete the lab, ask your instructor for assistance.
Lab Objective
Websense Content Gateway can decrypt and inspect secure HTTPS traffic for threat
scanning and category filtering just as it does for standard HTTP. The WCG proxy can
also re-encrypt traffic before it is forwarded back to the origin server.
Steps
b. Click Apply at the top (or bottom) of the page. A notice will appear that a
restart of the WCG module is required.
c. Click Restart.
If Internet Explorer blocks the display of secured content on any of these pages,
click Display or whatever other methods the IE interface presents to you to enable
the content to be shown.
Lab Objective
In the Websense Content Gateway, you can add specific HTTPS sites to be allowed,
blacklisted, or tunneled. In this lab, you will set a banking site to be tunneled By
Certificate. The option to use By Certificate provides greater security. If you add a
Web site By Certificate, clients cannot bypass the policy by using the IP address rather
than the URL.
Steps
a. Go to Configure > SSL > Incidents > Incident List in the Content Gateway
manager.
b. Next to the NATWEST rule, select Delete from the Action dropdown list and
click OK.
By enabling tunneling for web sites, you can bypass the certificate proxy process
for sites or applications that may require this configuration.
Lab Objective
Some organizations do not want to or, by law, are not allowed to decrypt HTTPS
connections between employees and their personal banks, health providers, and other
destinations that contain or are likely to contain private information. To keep such user
data private, you can specify website categories that will bypass SSL decryption.
To enable the speedy configuration of the system to allow users to communicate
directly with such sites, Websense identifies certain categories as “Privacy
Categories” that you can select individually or all at once, as a group.
In this section, you will configure and test SSL category-bypass functionality.
Steps
Lab Objective
In this lab you will configure and test the advanced scanning features of Websense
TRITON AP-WEB v8.x
Steps
Warning
You must start the Websense Log Server for logging to
resume writing to the database. This is important for
subsequent activities, including various validation steps
and running reports.
Scanning Exceptions
In this section, you will configure and test scanning exceptions.
Note
All scanning exceptions will work for outbound as well as
inbound web traffic.
2. On the Client-W7 web browser, click the link that hosts the .swf file at
testdatabasewebsense.com:
http://testdatabasewebsense.com/realtime/maliciouswebsites/maliciousRIAtest.swf
and verify that the request to the file is blocked as 'malicious' content.
3. Disable Scanning of Rich Internet Applications under Settings > Scanning >
Scanning Options > Security Threats: File Analysis.
4. Click the link that hosts the .swf file at testdatabasewebsense.com and verify
that the request to access the file is permitted.
As of writing, the SWF file is a white object with no text. The browser window, if
not blocked, will appear as a blank, white page. Right-click the page and choose
Settings to demonstrate that you are interacting with a real Flash object.
Remember also to clear the web cache/delete your temporary Internet files before
retesting access to the file.
Lab Objective
The Content Categorization scanning option can include the analysis of URL links
embedded in a page. Such analysis can provide more accurate categorization of
certain types of pages. For example, a page that otherwise has little or no undesirable
content but has links to sites known to be undesirable, can itself be more accurately
categorized.
URL link analysis can find malicious links embedded in hidden parts of a page, and
can detect pages returned by image servers that link thumbnails to undesirable sites. In
this lab, you will enable and test content link analysis.
Steps
Parameter Value
Command content-line -s
Variable Name proxy.config.diags.debug.enabled
Value 1
a. Click Run.
3. Optional: Next, configure and run a second “content-line” command based
on these parameters:
Parameter Value
Command content-line -s
Variable Name proxy.config.diags.debug.tags
Value wtg_txn.*|src.*|catz.*
a. Click Run.
b. Next, select content-line -x from the Command menu and click
Run.
Warning
Please be aware that the following activity tests the filtering capability of
the system to address images of an explicitly sexual nature.
Completing this activity may not be appropriate in some situations. Please
use caution and good judgement.
1. Verify that search filtering is turned off in TRITON - Web [tab]> Settings >
General > Filtering > Search Filtering.
Parameter Value
Command content-line -s
Variable Name proxy.config.diags.debug.enabled
Value 0
2. Next, select content-line -x from the Command menu and click Run.
2. Modify the sensitivity level and re-run some of the earlier tests and see if the
results differ.
Lab Objective
In this lab, you will explore TRITON AP-WEB’s ability to detect and manage
HTTP/HTTPS-tunneled protocols. Tunneled-protocol detection extends application-protocol
management features like protocol selection, Network Agent–like monitoring, and
bandwidth management to the HTTP/S proxy.
Steps
2. Click to ‘drill down’ on the available details about the incident(s) you generated.
Lab Objective
Configure and test Web DLP to inspect the content of web-based email messages and
stop those with confidential information.
Warning
Web DLP only controls data sent using the POST method. If your
webmail provider uses non-standard protocols, the lab may not
operate as expected.
Steps
Tip
In production environments using a Microsoft Domain Controller for
LDAP, you may want to use the domain name in the IP address or host
name field and Port number 3268, as shown here, rather than the
standard LDAP port 389.
Using those settings will connect to the Global Catalog Server for
LDAP queries. When using the Global Catalog Server, LDAP queries
will go to any available domain controller rather than being directed to a
specific IP hostname. This will provide greater fault tolerance in the
event of a single domain controller failure.
4. Select Test Connection and confirm that the Active Directory connection is
configured correctly.
5. Scroll down the User Directory Server screen until you see the Directory Usage
section.
6. Enter: tmuller@wscert.com in the Sample email address field, and then select
the Test Attributes button.
7. Click View Results and review the default set of user attributes that were
retrieved.
8. When incidents occur, TRITON AP-DATA will use this information from the
directory server and make it available for the incident report. Additional attributes
can be specified in the Attributes to retrieve field. Any attributes that have not
been defined for a user will not be displayed.
9. Select OK.
10. Select the checkbox by the newly created server, and then select the Import Now
button and select OK.
11. Select the Refresh icon to verify that the users have been imported. After the
import has been verified, select the Close button.
12. To see the imported users, go to: Main > Policy Management > Resources >
User Directory Entries.
14. Additionally, the module must be set to Block by going to the HTTP/HTTPS tab
and enabling the settings as shown below. Click OK.
15. Repeat this process for both v10k appliances and then Deploy these settings.
Tip
You need to have HTTPS enabled in the WCG as well.
Verify that this is the case before proceeding further.
Note
The message above contains data that could be a US Social Security
Number (SSN), which has the pattern XXX-YY-ZZZZ
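To make concrete what the Web DLP module is doing when it flags the webmail message above, here is an added example (not Websense or TRITON code) of the two ideas this lab relies on: only POST bodies are inspected, and a value matching the XXX-YY-ZZZZ pattern is treated as a possible US Social Security Number. The function names, the form-encoded sample body and the email field names are constructed for illustration; the plausibility check applies the publicly documented SSA structural rules (area not 000, 666 or 900-999; group not 00; serial not 0000) to reduce false positives on phone numbers and account IDs.

```python
"""Added example: a minimal Web-DLP-style check for US SSN patterns in request data.

Constructed for illustration; not Websense/TRITON code. It shows why the lab's
webmail message (containing XXX-YY-ZZZZ data) raises an incident, and why the
POST-only scope of Web DLP matters.
"""
import re
from urllib.parse import parse_qs

# Candidate SSN: three digits, separator, two digits, separator, four digits.
# The digit look-arounds stop longer digit runs (phone numbers, account IDs)
# from matching a sub-string.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

# Constructed sample: a form-encoded webmail "send" request body.
SAMPLE_POST_BODY = (
    "to=friend%40example.com&subject=hello"
    "&body=My+SSN+is+123-45-6789+and+phone+555-123-4567"
)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> list:
    """Return every plausible SSN-looking string found in text, in order."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def inspect_request(method: str, body: str) -> dict:
    """Mimic the lab's scope: only POST bodies are inspected.

    Returns whether inspection happened and a list of (field, match) pairs.
    A GET carrying the same data in its query string is never looked at.
    """
    if method.upper() != "POST":
        return {"inspected": False, "matches": []}
    fields = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+'
    matches = []
    for name, values in fields.items():
        for value in values:
            for ssn in find_ssns(value):
                matches.append((name, ssn))
    return {"inspected": True, "matches": matches}


if __name__ == "__main__":
    print(inspect_request("POST", SAMPLE_POST_BODY))
    print(inspect_request("GET", SAMPLE_POST_BODY))
```

Run stand-alone, the POST call reports one match in the `body` field while the GET call is not inspected at all, which is the behaviour the note at the start of this lab describes for webmail providers that do not submit messages with POST.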
Note
This lab has been validated using:
www.mail.com
www.hotmail.com
mail.yahoo.com
www.gmail.com
Outlook Webmail (Websense Internal).
4. From the window above you can select further actions, which are grouped in three
categories:
Workflow
Remediate - Options shown in the screenshot below
Escalate
5. Attempt to release the incident. You are unable to do so, as this type of incident
cannot be released. You should receive an error like the one shown below.
Lab Objective
Reports are based on report templates, and are grouped into three categories:
Presentation, Investigative, and Real-Time Monitor. You can run and edit existing
report templates, save custom reports, and save reports as Favorites for faster access.
You can also enable self-reporting to allow users to control their own reporting needs
without administrator access.
In this lab, you will create reports to examine user activity and Web traffic network
behavior. You will also use these reports to investigate site activity and display real-
time Web traffic blocking for your site.
Steps
Note
You usually cannot distribute reports via email in the lab environment,
but this is an excellent way to distribute reports in a production
environment.
f. Change the Job name from the default value to a name similar to Top-Sites-
Visited-test1 so you can recognize the report once it is complete.
4. Click the Run Now option at the bottom of the Run report options page to display
the Job Queue page. Your report should be the most recent entry in this list with
the name you provided: Top Sites Visited-test1.
If a warning message displays that the SMTP server has not been configured yet,
ignore it and close the message box.
5. Click the check box next to your Top Sites Visited report to select it, and then
click the Run Now option to run this report.
6. Navigate back to the Main > Reporting > Presentation Reports area, but now
click the Review Reports option to view your new report.
7. Locate your Top Sites Visited-test1 report in the list, and click the report name
link to display the PDF report.
a. If the security warning page appears, click Continue to this website.
8. Click Open when the Internet Explorer browser window prompts if you want to
open or save Top Sites Visited.pdf. This displays the finished report in a PDF
viewer so that you can review your Top Sites Visited details.
Configuring Self-Reporting
You will change the default settings and enable self-reporting, then log on as a
different user to view the self-reporting options.
1. Click Settings > Reporting > Preferences to change the default Report settings.
2. Click the Email Reports section, and enter admin@wscert.com as the default
Email address for all reports sent via email.
3. Click the SMTP server IPv4 address or name field, and enter 172.31.0.150 as the
SMTP server.
4. Click the Allow self-reporting check-box to enable this feature. This action adds
a new custom URL that you can share with your distributed Reporting users. The
URL will look similar to this:
https://172.31.0.155:9443/mng/pages/login/pages/selfReportLogin.jsf
5. Click Save Now, and then, if prompted, click Save and Deploy to activate these
changes.
a. If the security warning page appears, click Continue to this website.
6. Click the User Activity Detail by Month option to display even more results for
user Tim Muller.
7. In this case, the days with recorded activity for Tim Muller include [Month]
[Day], [Year], and [Month] [Day], [Year].
8. Click the link on the day of the month to expand the results for that day.
7. Click the Favorite Reports link at the top of the page to save this report to your
Favorites list.
8. Enter a report name similar to Category_blocked_test3 so you can locate the
report in your Favorites list.
9. Click Add to add this report, and you can see the new report name display in the
Favorites list.
10. Click back on the Reporting > Investigative Reports panel to see the new stored
report.
11. Click Favorite Reports to display the list.
12. Click the Category_blocked_test3 report to select it, and then click Run Now to
display the report options. You can also change the Specific Date Range if you
want to revise the report parameters.
13. Click Display Report to see the report with updated results.
3. Minimize the TRITON-APX server remote desktop window, and switch to the
Client-W7 remote desktop window with IP address 172.31.0.157. You should still
be logged into this workstation with the Tim Muller account.
4. On the Client W7 computer, click Start > All Programs > Internet Explorer to
open a new browser window.
a. Browse to this URL: http://testdatabasewebsense.com
Note
This is a site for testing Web pages and categories maintained by
Websense. You can use this to test traffic category and blocking
within your own organization.
b. Hold down the CTRL key while you click 8 to 10 of these test page links.
This CTRL + click action opens each link in a separate browser tab, which is
a rapid way to generate incidents.
c. Close the Internet Explorer browser window.
5. Minimize the Client-W7 remote desktop window, and return to the TRITON-
APX server.
a. Click Main > Reporting > Real-Time Monitor to return to the main monitor
window.
The basic lab topology is shown below to give you a visual representation of the
virtual machines you will be working with as you progress through the lab exercises in
this guide.
110 TRITON AP-WEB v8.0 Professional Lab Guide
Appendix B - Using the ReadyTech Environment
Lab Objective
This document provides some general usage guidelines for accessing and using the
Websense virtual labs hosted by ReadyTech.
Steps
Logging On
1. You log on to the virtual labs by using the Access Code provided by Websense
and ReadyTech.
2. The first time an Access Code is used, the user will be prompted to enter their first
and last name before proceeding. First time users will also have to check the
disclaimer check box and click the Activate link.
4. This will open an RDP session with the bastion host. Log on with the user name
Administrator and the password Websense1.
3. To open a console session with the V10000, right-click the V10000 virtual
machine in vSphere and select Open Console.
6. From the Security tab, change the Promiscuous Mode to Accept. Click OK.
In Snapshot Manager, you can revert the virtual machine by selecting BASE, then
clicking the Go to button.