TRITON - AP WEB v80 Professional Lab Guide BF033


Table of Contents

1 | Websense® V10000 Appliance Firstboot (Optional)
2 | Configuring Appliance Manager
3 | TRITON® Unified Security Center Installation
4 | Initial Configuration
5 | Customizing Filters
6 | Integrated Windows Authentication
7 | Designing Policies
8 | Using Network Agent
9 | Transparent Proxy with WCCP
10 | SSL Configuration
11 | Tunneling HTTPS Websites
12 | SSL Category Bypass
13 | Configuring Advanced Scanning Features
14 | Content Categorization Link Analysis
15 | Tunneled Protocol Detection
16 | Controlling Webmail via Web DLP

TRITON AP-WEB v8.0 Professional Lab Guide  1


17 | Creating Reports
| Appendix A - Lab Topology
| Appendix B - Using the ReadyTech Environment



1 Websense® V10000 Appliance Firstboot (Optional)

Lab Objective
Websense TRITON AP-WEB protects your network by detecting and blocking
web-based security threats and also detecting and enforcing network policies for
user requests to non-work-related or otherwise prohibited sites and content.
To enable access to its management consoles and to enable/disable certain services on
the V10000 appliance, you must pre-configure several basic parameters that the
appliance’s “firstboot” script will prompt you to provide.
To successfully complete the firstboot preconfiguration of a V-Series appliance, you
must specify the ‘security mode’ (TRITON AP-WEB, TRITON AP-EMAIL, or dual
mode) and then the host name, IP address, network mask, default gateway, and
DNS server for the ‘C’ interface, along with a few other basic networking parameters.

Important
In all v8.x Websense-certification lab environments, Firstboot has already
been run. This enables the appliances to be preconfigured to optimize
available hardware resources, provides a way to validate the basic health of
the appliance, and enables TCP/IP-based (SSH) console access to the
appliance for environments in which virtual serial-line console connections
are not available.
For classroom events, your instructor may choose to demonstrate the
firstboot process using a live lab environment or simply show the interface
and information prompts of firstboot using the presentation slides.
In special cases, or as prompted by your instructor, you can run the Firstboot
configuration wizard at any time from the CLI of the serial-line console by
executing the command “firstboot”. Except for being able to specify (or
change) the configuration mode of the appliance, all other aspects of the
experience will be the same as if running it for the very first time.

Warning
Attempting to abort the firstboot configuration at the wrong time (that is, too
late in the process) can result in the corruption of your system. Please give
careful attention to the sequence of steps and the exact point at which you
are advised to press Ctrl-C.



Steps

Mock Configuration of Firstboot Settings (Optional)


1. Open a console connection to the V10K-1 appliance.
a. In ReadyTech-hosted environments and other similar environments where the
VMware vSphere Client is available, use the Virtual Machine Console feature
to create the virtual serial-line console connection.
To do so, right-click the V10K-1 appliance in the inventory tree and select
Open Console. This launches the pop-out version of the Virtual Machine
Console.
Alternatively, select the V10K-1 in the inventory tree and click the Launch
Virtual Machine Console icon on the vSphere Client toolbar.
You may also click the Console tab in the content-display area when the
V10K-1 appliance is selected in the inventory tree.

Tip
See the appendix Using the ReadyTech Environment for instructions
for logging onto and using ReadyTech-hosted lab environments.

b. In other environments, use the PuTTY application on the TRITON APX
server to make a TCP/IP-based (SSH) connection.
2. If you are prompted for login credentials for V10K-1, enter the user name admin
and the password Websense1.
3. Enter firstboot to start the firstboot configuration process.
4. Enter yes to continue.
5. Enter the following details. Many of the values will be pre-populated since
firstboot has already run on this machine. Confirm all values before continuing.
Hostname: v10k-1.wscert.com
C interface IP: 172.31.0.151
Subnet mask: 255.255.0.0
Default Gateway: 172.31.0.1
DNS: 172.31.0.150
Secondary DNS: [leave blank]
Password: Websense1
6. Enter either yes or no to allow or prevent communication of statistics and other
data between the appliance and Websense, Inc.
For lab activities, “no” is generally the preferred setting for conserving hardware
resources and network bandwidth and to avoid sending non-real-world data back
to Websense Labs.
In production, the best practice is to choose “yes.”



Warning
Attempting to abort the firstboot configuration after entering “yes” for
the final prompt can result in the corruption of your system.
Please give careful attention below to the point at which you are advised
to press Ctrl-C.
If you do mistakenly enter “yes” and press Enter, allow the firstboot
process to complete. As long as the system parameters are correct, the
only impact to your lab experience will be the extra time it takes.

7. Verify that your configuration resembles the screen capture below.

8. Press Ctrl-C to cancel the job.


A message will display that “This job has been canceled,” and you are returned to
the command prompt. No changes to the system will have been made.
9. Type the command quit and press Enter to return to the logon prompt and close
the window (PuTTY windows will close automatically.)

Note
Configuring the network interface parameters for the C interface and
setting/resetting the console password takes several minutes, even if no
new changes are made.
You can exit the Firstboot configuration wizard at any time by pressing
Ctrl-C, in which case you will be returned immediately to the CLI
command prompt.

Tip
If you are using a vSphere terminal session (or other VMware-based
direct terminal session) press Ctrl+Alt to release the mouse.

Upon completion of the very first use of the Firstboot configuration wizard, a
“Welcome to the Websense V10000” banner of text is displayed at the top of the
console window, followed by the IP address and hostname of the C interface, the
security mode, and then a prompt to enter a user name.

Subsequent completions of the Firstboot wizard will simply return you to the CLI
prompt.



2 Configuring Appliance Manager

Lab Objective
Appliance Manager runs in the privileged “domain zero” (Dom0) of the virtualization
architecture that Websense® V-Series™ appliances use for system partitioning and
resource allocation. Dom0 also hosts the hypervisor that provides hardware
virtualization for the other domains within the system (which may also be called
“modules,” “partitions,” or “virtual machines” depending on the discussion). Dom0 is
the only domain with direct access to the hardware layer of the appliance.
Appliance Manager provides a graphical web-based console and a text-based
command-line interface to configure, monitor, and manage the basic operational
parameters of the appliance. Appliance Manager binds to the ‘C’ network interface.
The IP address of the C interface is the address you use to make browser-based
(HTTP/S) and terminal-based (SSH) connections to the Appliance Manager module.
In this lab you will complete the configuration of the Appliance Manager. To do so,
you will configure the IP address of the P1 network interface and the system time
settings.

Important
Most of the steps in this lab have already been completed for you.
Review each step to confirm that the correct information has been entered
and to follow the typical configuration steps required for a new installation.

Steps

Configuring the Appliance


1. From the TRITON-APX server, open a web browser and go to
http://172.31.0.151 to launch the appliance Logon Portal.
(You will be automatically redirected to https://172.31.0.151:9447.)
On the warning page about the status of the website’s security certificate, click
Continue to this website (not recommended).
2. Click Appliance Manager.
On the warning page about the status of the website’s security certificate, click
Continue to this website (not recommended).



3. Enter the following user name and password and click Log On to launch the
Appliance Manager web console.
a. User name: admin
b. Password: Websense1
Note
Some of the steps below have already been completed for you.
Follow each step to confirm that the correct information has been
entered and to follow the typical configuration steps required for a
new installation.

4. On the Configuration > System page in the Time and Date section, make the
following changes:
Important
This step has NOT been preconfigured for you.

a. For the time zone setting, select Pacific Time (all the other servers in
your virtual environment are in this time zone as well).
b. In Time and Date: Select Automatically synchronize with an NTP
server and then enter 172.31.0.150 for the value of the “Primary NTP
server” setting. Accept the default settings for secondary and tertiary
server settings.
c. Optional: Add an Appliance Description of your choice, perhaps
something like “[YourName]’s Test Lab Appliance V10K-1”.
d. At the bottom of the page, click OK.
e. A notice appears to inform you that changing the system time may
automatically log you off of the Appliance Manager. Consequently, you
may need to log on again after the change is complete. Click OK on the
confirmation window.
If you do not need to log on again, a confirmation that the time has been
set will appear at the top of the page after the system completes the
change.
5. On the Configuration > Network Interfaces page:
a. Verify that the settings in Appliance Controller Interface (C) resemble the
screenshot below:



b. Under Websense Content Gateway Interfaces (P1 and P2), verify that the
following configuration parameters are correctly entered:
• Select the option: P1 only
• P1 IP Address: 172.31.0.152
• Subnet Mask: 255.255.0.0
• Default Gateway: 172.31.0.1
• Primary DNS: 172.31.0.150
• Secondary DNS: [leave blank]

c. For the Network Agent Interface, verify that Interface C is selected and
accept the rest of the configuration parameters as they are (unconfigured).
d. At the bottom of the page, click OK.
e. When asked if you want to continue, click OK.
A confirmation that interface settings have been updated or that “Your
configuration did not change” will appear at the top of the page after the
system processes your request.
f. Log off the Appliance Manager web console and close the browser
window.

3 TRITON® Unified Security Center Installation

Lab Objective
TRITON Unified Security Center, also referred to as the TRITON Manager, provides
a unified management interface for:
• Full system administration and policy management
• Comprehensive reporting
• Role-based access controls
In this lab, you will verify that the TRITON Infrastructure, TRITON AP-WEB, and
Data Security modules have been installed.

Steps
Important
The core TRITON management components required for TRITON AP-
WEB labs have been pre-installed on the TRITON-APX server for you. The
steps below ask you to confirm that the installation has been completed and
that all the services associated with the installation are running.

Verify the Installation of the TRITON Unified Security Center


Verify the Version and the Specific Components Installed
1. From the Windows desktop of the TRITON-APX Server, click Start > All
Programs > Websense > Websense TRITON Setup.

2. Verify that the Modify Installation page of the Websense TRITON Setup
program shows green check (or tick) marks for these major components.
• TRITON Infrastructure
• TRITON AP-WEB or Web Filter & Security
• TRITON AP-DATA



3. Verify that the version numbers displayed show v7.8.x.

4. Use the “Remove” function to see which sub-components have been installed.
Click Remove to the right of “TRITON AP-WEB or Web Filter & Security”.
On the Remove Components page:
DO NOT CLICK ‘NEXT’ TO ACTUALLY REMOVE ANY
COMPONENTS.

5. By reviewing the components that are possible to remove, you can see which
components the TRITON Unified Installer has logged as currently installed.
a. Verify that these services are listed:
• Policy Broker
• Policy Server
• Filtering Service
• TRITON - Web Security
• Log Server
• Real-Time Monitor
• Linking Service



b. Read the short description that is provided for each component, and validate
your basic understanding of the role that each of these components plays in
Websense solutions by engaging your lab partner(s) and/or your instructor in
conversation about anything that is unclear or about which you have
questions.
c. Click Cancel and then Quit to close the Remove Components window.
6. Click Close to close the setup program and click Yes to exit the installation. When
exiting the installation the “Keep installation files” option is selected by default.

Leave this option selected, otherwise the local copy of the Websense installer files
in the C:\Windows\Installer\{E54} folder will be deleted.

Verify that All Websense Services Are Running as Expected


1. Open the Windows Task Manager.
2. Go to the Services tab and sort the list by “Description” (in current lab
environments, this will be the default view).
a. Verify that the service SQL Server (MSSQLSERVER) is running, and if it is
not, (re-)start it.
b. On the Services tab, scroll down to the Websense-named services.



c. Start the services that are stopped. Start with database-related services and
then web-server–based services, and then start the others.

Tip
Filtering Service, for example, often fails to start due to competition
for limited resources on the relatively crowded ESXi host.
If the Websense TRITON Settings Database (pgsqlEIP) service is
in a “stopped” state, and it will not start, usually the required
process actually is running. Unless the global “TRITON Settings”
pages will not display, you do not need to troubleshoot this.

d. If any services do not start, please consult with your instructor for the
appropriate remedy.
3. Revisit the Task Manager in 10-20 minutes and verify again that all services are
running and (re-)start those that are not running.

Verify the Basic Functions of the TRITON Manager


1. On the desktop of the TRITON-APX server, double click the TRITON Unified
Security Center icon.
a. If a security warning about the website’s security certificate appears,
click Continue to this website.
b. Log on with the user name admin and the password Websense1
2. The Web manager should display by default. The Initial Setup Checklist page
should display in the middle content area of the page. The prompt to enter a
subscription key will reflect a status of “NOT COMPLETED.”
3. Test access to the TRITON AP-DATA manager.
• Click Data (button) at the top of the TRITON Manager.
• The TRITON AP-DATA manager should display the Today page by default
and show that “Your subscription is valid” in the Health Alert Summary
section of the page.
• If the Web and Data managers and their dependent services do not start,
please consult with your instructor on the appropriate remedy.
4. Click the Appliances button in the toolbar area and verify that the page displays.
The Registered Appliances list will be empty.
5. Click the TRITON Settings button in the toolbar area and verify that the page
displays.



Optional: Configure Directory Services and Add a Directory User to
the TRITON Web Console
1. Click the TRITON Settings > User Directory and configure the following
parameters:
User Directory Server: Active Directory
IP address or hostname: 172.31.0.150
User distinguished name: WSCERT\Administrator
Password: Websense1
Root naming context: [blank]
2. Click Test Connection.
The connection attempt should succeed. If it does not, verify the parameters you
entered and test again.
3. If the test-connection attempt succeeds, click OK.
A status notification of “Your changes were saved,” along with a green check
(tick) mark icon, should appear at the top of the page.
4. Go to the TRITON Settings > Administrators page.
a. Without additional step-by-step guidance, use the controls on this page to add
network-directory user Tim Muller (tmuller) as a Global Security
Administrator.
b. Click the added user account and review the options available.
c. Cancel the user-permission-settings configuration without making any
changes.
5. Log off the TRITON Manager and log back on as “tmuller” using the password
“Websense1”.

4 Initial Configuration

Lab Objective
In this lab you will configure the initial settings for TRITON AP-WEB and explore
the TRITON Web Filter & Security manager interface.

Steps

Enter Your Subscription Key for TRITON AP-WEB


1. In the TRITON Manager > Web manager, locate the “1. Enter Subscription
Key (Required)” task on the Initial Setup Checklist page.
a. Enter the subscription key - TST9N6AG8T22G2P2
b. Click Apply.



c. After the preliminary validation of the syntax of the key is completed, you
should receive a “COMPLETED!” indication (see above) and a message that
says that “Your key is a valid format but the product will not be fully
functional until a database download has completed.”
2. Start and/or monitor and then wait for the downloading and complete processing
of the Websense Master Database.
a. Click Main [tab] > Status > Dashboard and wait for the TRITON AP-WEB
Dashboard page to display (showing the blue global map of suspicious
network activity).

b. In the toolbar area of the content-display area, click Database Download.


c. If the database update status does not indicate “Download in progress” or “A
database update is being processed,” click Update to start the process.

d. Click the IP address of the policy server listed in the navigation column of the
content page (172.31.0.155, in this case).



e. Allow time (up to 10 to 40 minutes) for the process to complete entirely.

f. Completion is indicated by a new page that reports status as “Checked for
updates” on a specific date and time, along with an indication of “No update
required”.

g. The main, summary Database Download page should report the current
database version, along with a status that includes a specific date and time.

3. When the process is complete, click Save and Deploy in the top-right corner of
the web console.
4. Go to the Settings > General > Account page and verify that the “product level”
listed for the subscription key is “TRITON AP-WEB, With Web Hybrid
Module, With Web DLP Module, With Web Sandbox Module” and that the
expiration date has not been passed.

Connect V10K-1 to the Policy Broker on the TRITON-APX server


By design, we have installed Policy Broker (and with that, the Policy Database) on the
TRITON-APX application server. This can be called an “off-box deployment of the
full policy source.”
By default V-Series appliances run their own instances of Policy Broker (and Policy
Server) and point to themselves as the “full policy source.”
You need to change the configuration of V10K-1 to point to the TRITON-APX server
as the full policy source. To illustrate the ability of the TRITON AP-WEB manager to
manage multiple Policy Servers, we will retain the default instance of Policy Server
that runs on the appliance by selecting “User Directory and Filtering” (instead of
Filtering Only) for the policy-mode configuration of the appliance.



1. Open a new browser tab (or window) and launch the Appliance Manager for
V10K-1 (via http://172.31.0.151 or https://172.31.0.155:9447/appmng) and log
on (admin/Websense1).
2. In the navigation column, click Configuration > Web Components.
a. Select “User directory and filtering”.
b. Enter the IP address of the off-box instance of Policy Broker, in this case
172.31.0.155.

c. Click OK.
d. In response to the popup notification that warns about the potential
consequences of the change, click Continue.

e. Wait for the process to complete. This takes from 5 to 15 minutes,
depending on the state of the environment.
3. Upon receiving the confirmation that “The policy source has been set”, log off
Appliance Manager.

Register the Appliance with TRITON Unified Security Center


1. In the TRITON Manager, click the Appliances button in the top, product-
manager–selection area.
a. On the Manage Appliances page, click Register Appliance in the top-left of
the toolbar area of the page.



b. In the Register Appliance form, enter the following parameters:
IP address: 172.31.0.151
Enable single-sign on... : Enabled (selected)
Administrator password: Websense1

c. Click OK at the bottom of the form.


2. Verify the information in the Appliance Details summary; then click Done.

3. Verify that the appliance is added to the list of Registered Appliances in the
content-display area of the Manage Appliances page.
a. Click to expand the entry you just created and review the information that is
displayed.

b. Verify that the Single Sign-On (SSO) button appears on the right of the top
row of the list item.
4. Test SSO access to the Appliance Manager for V10K-1.
Notice the textual detail in parentheses that follows the user name, “logged in via
TRITON”.

NOTE: In Internet Explorer, at the very bottom of the page, you may have to
select to “Always allow” pop-ups and then repeat the SSO logon attempt.



a. Verify that all the services on the appliance that are expected to be running are
still running (have green check/tick marks displayed for their status).
b. Log off / close the Appliance Manager.
c. Click to return to the TRITON AP-WEB manager.

Add the Appliance to the Policy Servers Tree


1. In the TRITON Manager, in the Web manager, click Settings [tab] > General
> Policy Servers.
2. On the Policy Servers page, click Add.
a. Configure the following parameters:
IP address or hostname: 172.31.0.151
Port: 55806
Description: V10K-1 Appliance
Key sync type: Secondary
Select primary: 172.31.0.155
Directory Services: Select “Inherit from the primary Policy Server”

b. Click OK.
3. On the Policy Servers page, verify that the policy server on the appliance is added
to the tree and, at the bottom of the page, click OK.



4. Click Save and Deploy in the upper-right of the main Web manager display area
to apply the change.

Monitor and Confirm Master Database Download on V10K-1


1. Log off and log back on to the TRITON Manager and open the Web manager.
Doing so, after adding a second policy server to the policy-server-tree
configuration, enables the Switch button to be displayed in the top, middle toolbar
area of the Web manager.
2. Use the Switch button in the tool bar area of the Web manager to manage the
instance of Policy Server running on the appliance.
Click Switch.

a. Select 172.31.0.151 using the dropdown menu.


b. Click OK.
c. Confirm that the IP address of the Policy Server listed to the left of the Switch
button is “172.31.0.151.”
3. Click Database Download and use the same procedure for the appliance that you
used on the TRITON-APX server to monitor and confirm the completion of the
download and processing of the Master Database.

Add/Verify the Log Server Connection on V10K-1 to the Instance of
Log Server Running on the TRITON-APX Server
The Filtering Service on the secondary Policy Server (172.31.0.151) must be
configured to communicate with the Log Server running on the TRITON-APX server.
Depending on the sequence in which the environment is configured, sometimes this
setting is not picked up automatically from the primary policy server.
1. Confirm that you are still working on the 172.31.0.151 Policy Server.
2. Navigate to Settings [tab] > General > Logging.
3. In the Reporting Log Records section, verify (or enter, if necessary) the IP
address for the Log Server (172.31.0.155) and accept the default port number
55805. Also accept the default port number 55885 for logging hybrid activity.



Click Check Status for the 55805 port to confirm that a connection to the Log
Server can be established.

4. Click OK and then Save and Deploy.

Verify Content Gateway Access from TRITON Manager


Always keep in mind that you have two instances of Policy Server running: one on the
TRITON-APX server (which is designated as primary) and one on the V10000
Appliance (which is a secondary policy server, meaning that it gets its subscription
information from an associated primary server).
1. Verify that you are still managing the Policy Server running on 172.31.0.151
2. Click Web > Settings [tab] > General > Content Gateway Access.

3. Click the Log On button. A new browser tab/window will open.

NOTE: In Internet Explorer, at the very bottom of the page, you may have to
select to “Always allow” pop-ups and then repeat the SSO logon attempt.
4. In Content Gateway Manager, verify the Subscription Details on the Monitor
[tab] > My Proxy > Summary page.



All the features should be listed as purchased. The subscription key is
automatically sent to the Content Gateway after it is entered in TRITON AP-WEB.

Take some time to explore both the TRITON Web interface and the Content
Gateway interface.
Go ahead and clear any alerts in the Content Gateway interface that appear to be
no longer relevant (such as licensing alerts that may have been triggered prior to
changing the policy mode of the appliance).
5. Finish by logging off and closing the Content Gateway session and then switching
the Web manager back to managing the 172.31.0.155 instance of Policy Server.

5 Customizing Filters

Lab Objective
Web Filter & Security includes four pre-configured category filters, named Default,
Basic, Basic Security, and Monitor Only, along with three pre-configured protocol
filters, named Default, Basic Security, and Monitor Only.
You can edit the parameters of the default filters to suit your needs. You can also
create new filters. New filters can be based on either an existing configuration or a
template filter, and can then be further modified.
In this lab, you will configure one of the default filters in Web Filter & Security with
customized parameters.

Steps

The Default Category Filters


1. On the TRITON-APX server, log on to the TRITON Manager and in the Web
manager, click Main [tab] > Policy Management > Filters.

2. Read the descriptions of the available pre-configured filters.


Note
The “Default” category and protocol filters can be modified but not
deleted. All other filters can be edited and can be deleted.



3. Click the link for the Default category filter.
4. Take a moment to inspect the different categories and their associated actions
(Block, Permit, Quota, etc.).
5. Verify that the Weapons category (at the bottom of the list) is set to Block.

Modifying a Policy
After installation, the Default policy is applied to all clients. The default settings for
the default policy use the Monitor Only category filter and the Monitor Only protocol
filter.
1. Navigate to Main [tab] > Policy Management > Policies.
2. Read the descriptions of the available pre-configured policies.

3. Click the Default policy.


4. For the Category/Limited Access Filter parameter, select the Default filter from
the drop-down menu. This is the filter that you inspected in the previous section of
this lab.

5. Click OK.

Important
Note that changes are cached. To implement changes, you must commit
them using the Save and Deploy button.

6. You can click the magnifying glass button next to Save and Deploy to view any
pending changes.

7. Click Save and Deploy to commit your changes.



Verifying Filtering
You will now verify that clients are being filtered by the Default policy and the
Default filter.
1. From the Bastion7 host, log on to the Client-W7 machine (via RDP) as
WSCERT\tmuller, using the password Websense1.
2. Verify the default gateway on Client-W7 is set to 172.31.0.1. (Change if needed.)
3. Go to Internet Explorer > Tools > Internet Options > Connections [tab] >
LAN settings [button].
a. Deselect Automatically detect settings.
b. Select Use a proxy server for your LAN and then click Advanced.

c. Enter the IP address of the P1 interface on V10K-1 and port 8080 for “HTTP”
and “secure” types of servers. (Leave FTP and Socks types blank.) Enter
172.31.*.* as a proxy exception.



d. Click OK three times to finish configuring the proxy settings.
4. In Internet Explorer, navigate to http://www.guns.com. You should receive a
block page.



6 Configuring Browser PAC Files

Lab Objective
In this lab, you will create a PAC file on the instance of Websense Content Gateway
that is running on the V10K-1 appliance and, then, configure the Client-W7 browser
to download and use your PAC file.

Steps

Create a PAC File that Sends HTTP Requests by Proxy and
Sends HTTPS Requests Directly to the Target Server

Create the PAC File


1. On the TRITON-APX server, open Internet Explorer and go to:
http://172.31.0.151
2. Click the Content Gateway Manager link and then log on to Content Gateway
Manager with user name admin and password Websense1.
a. Click Configure [tab] > Content Routing > Browser Auto-Config >
PAC [tab].
b. In the PAC Settings window, enter the following script:
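    function FindProxyForURL(url, host)
    {
        // Normalize case so the scheme comparison below is case-insensitive.
        url = url.toLowerCase();
        host = host.toLowerCase();
        // Plain HTTP goes to the Content Gateway proxy (P1 interface, port 8080).
        if (url.substring(0, 5) == "http:") {
            return "PROXY 172.31.0.152:8080";
        }
        // Everything else, including HTTPS, connects directly.
        else {
            return "DIRECT";
        }
    }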



Tip
This file instructs the browser to send all HTTP traffic to
the proxy IP address 172.31.0.152 on port 8080, and to
send all other traffic directly outbound.

3. Click Apply.

Configure the Browser and Test the PAC File


1. Go to the Client-W7 machine and log on as tmuller (password: Websense1).
2. Launch Internet Explorer and click Tools > Internet options > Connections
[tab] > LAN settings.
a. Make the following changes to the “Automatic configuration” settings.
b. Click to enable the Use automatic configuration script option.
c. In the Address text box, type the following URL:
http://172.31.0.152:8083/proxy.pac
d. In the bottom section of the window, deselect/clear any existing explicit proxy
server settings.
e. Click OK, and then click OK again to close the configuration windows.
3. Attempt to go to http://www.guns.com
4. You should receive a block page from the V10K-1 C interface.
If you do not receive the block page, return to the WCG console and review
carefully all aspects of the PAC file you entered.
Make any necessary corrections, apply them, and then retest by simply returning
to Client-W7, closing Internet Explorer, relaunching it, and navigating to a URL
that should be blocked.

(Optional) Create a PAC File with Exceptions and Failover


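1. Use a text editor to create a PAC file with the following content. It sends
requests for Google hosts directly, bypassing the proxy, and it allows failover
to a direct connection for one IP address (172.31.0.155) if the proxy is
unavailable.
function FindProxyForURL(url, host) {
    // Google hosts bypass the proxy for every client.
    if (shExpMatch(host, "*.google.com")) {
        return "DIRECT";
    }
    // Only the client at 172.31.0.155 may fall back to DIRECT if the proxy is down.
    else if (isInNet(myIpAddress(), "172.31.0.155", "255.255.255.255")) {
        return "PROXY 172.31.0.152:8080; DIRECT";
    }
    // All other clients must use the proxy and have no failover.
    else {
        return "PROXY 172.31.0.152:8080";
    }
}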



2. Deploy the PAC file on WCG.
a. Open Internet Explorer and go to the URL: http://172.31.0.151
b. Click the Content Gateway Manager link and log on using the account:
User: admin
Password: Websense1
c. Click Configure [tab] > Content Routing > PAC File.
d. Paste the content of the PAC file you created in the previous section in the text
area. Leave the default port set to 8083.
e. Click Apply.
3. On the TRITON-APX server, open Internet Explorer and choose Tools >
Internet Options > Connections.
a. Click LAN Settings. Select Use a proxy server. Enter the address
http://172.31.0.152:8083/proxy.pac. Restart the browser.
b. In the same way, configure proxy for Client-W7 Internet Explorer.

Test PAC File


1. Create a policy that blocks Search Engines and apply it to all users:
a. In TRITON Web open Main > Filters.
b. Under Category Filters click Add.
c. Filter name is No Search, base it on the category filter template Basic. Click
OK and Save changes.
d. In the customization page enter “Search Engines” into Find Category text
field.
e. Block the “Search Engines and Portals” category for the new filter. Click OK
and save changes.
f. In TRITON Web open Main > Policies > Default, select category filter No
Search.
2. From the TRITON-APX server visit http://www.google.com and
http://www.baidu.com. Verify the first address is NOT blocked and the second is
blocked.
3. From Client-W7 access http://www.google.com and http://www.baidu.com.
Make sure that the PAC file is downloaded on this machine as well.
4. Open http://172.31.0.151, and log on to Appliance Manager. Change the P1
address from its current value 172.31.0.152 to a different value, e.g. 172.31.0.252.
This makes the proxy temporarily unavailable.
5. From the TRITON-APX server visit http://www.cnn.com. The browser should
bypass the proxy, and you should see the page.
6. From Client-W7 visit http://www.cnn.com. Your Web client no longer has
access to the Internet, because the proxy address has changed and failover is not
enabled.
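
The routing decisions that the two PAC scripts in this lab produce, and what the failover entry changes when the proxy is unreachable, can be checked offline before deployment. This is an added example, not part of the original lab guide: the helper implementations (shExpMatch, isInNet, a fixed myIpAddress), the function names loadPac, effectiveRoute, decide and labMatrix, and the proxy-down simulation are assumptions that approximate browser behaviour; the PAC sources, addresses and URLs are the lab's.

```javascript
// The lab's two PAC scripts, embedded as strings so they can be evaluated offline.
const PAC_HTTP_ONLY = `
function FindProxyForURL (url, host)
{
  url = url.toLowerCase();
  host = host.toLowerCase();
  if (url.substring(0,5) == "http:") {
    return "PROXY 172.31.0.152:8080";
  }
  else {
    return "DIRECT";
  }
}`;

const PAC_FAILOVER = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.google.com")) {
    return "DIRECT";
  }
  else if (isInNet(myIpAddress(), "172.31.0.155", "255.255.255.255")) {
    return "PROXY 172.31.0.152:8080; DIRECT";
  }
  else {
    return "PROXY 172.31.0.152:8080";
  }
}`;

// Simplified stand-ins for the browser's PAC helpers (assumption: real
// browsers also resolve host names in isInNet; this one takes IP literals only).
function shExpMatch(str, pattern) {
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")  // escape regex metacharacters
    .replace(/\*/g, ".*")                   // shell "*" = any run of characters
    .replace(/\?/g, ".");                   // shell "?" = any single character
  return new RegExp("^" + body + "$").test(str);
}

function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4 || !parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    return null;
  }
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// Evaluate a PAC source with the helpers injected and myIpAddress() fixed.
function loadPac(source, clientIp) {
  const factory = new Function("shExpMatch", "isInNet", "myIpAddress",
    source + "\nreturn FindProxyForURL;");
  return factory(shExpMatch, isInNet, () => clientIp);
}

// Walk the semicolon-separated fallback list the way a browser does: use the
// first entry that is reachable. Returns null when nothing is left to try.
function effectiveRoute(pacResult, unreachableProxies) {
  for (const entry of pacResult.split(";").map(s => s.trim()).filter(Boolean)) {
    if (entry === "DIRECT") return "DIRECT";
    const [kind, address] = entry.split(/\s+/);
    if (kind === "PROXY" && !unreachableProxies.includes(address)) return entry;
  }
  return null;
}

function decide(pacSource, clientIp, url, unreachableProxies = []) {
  const host = new URL(url).hostname;
  const raw = loadPac(pacSource, clientIp)(url, host);
  const route = effectiveRoute(raw, unreachableProxies);
  // "filtered" is true only when the request actually traverses the proxy.
  return { raw, route, filtered: route !== null && route !== "DIRECT" };
}

// The lab's test matrix for the failover PAC: both clients, proxy up and down.
function labMatrix() {
  const down = ["172.31.0.152:8080"];
  const rows = [];
  for (const ip of ["172.31.0.155", "172.31.0.157"]) {
    for (const url of ["http://www.google.com/", "http://www.baidu.com/", "http://www.cnn.com/"]) {
      rows.push({ ip, url, up: decide(PAC_FAILOVER, ip, url).route,
                  down: decide(PAC_FAILOVER, ip, url, down).route });
    }
  }
  return rows;
}

for (const r of labMatrix()) {
  console.log(`${r.ip} ${r.url} proxy up: ${r.up} | proxy down: ${r.down || "no connectivity"}`);
}
```

Any route of DIRECT is traffic that Content Gateway never sees, so the HTTPS branch of the first script, the *.google.com exception and the failover entry are all unfiltered paths. Note also that the pattern "*.google.com" does not match the bare host google.com, which therefore still goes to the proxy.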



Reset the Configuration
1. Disable the no-search-engine policy that you created.
2. Restore the WCG address to its original value — 172.31.0.152.
3. On the TRITON-APX server, remove the PAC file setting in Internet Explorer.



7 Integrated Windows
Authentication

Lab Objective
In this lab, you will configure Integrated Windows Authentication (IWA) and test
whether a user's attempt to override content filtering by entering an alternate set of
user credentials is successful. You will also configure DC Agent to identify users
transparently in cases where IWA does not work.

Steps

Install the User Service and DC Agent Components


To implement transparent user identification for Windows users, you must install the
DC Agent service. DC Agent is not required for IWA, but if IWA fails, DC Agent
allows the system to fall back to NTLM authentication.
1. Launch the TRITON installer. On the TRITON-APX server, click Start > All
Programs > Websense > Websense TRITON Setup.
2. Add the User Service and DC Agent to your Web Filter & Security installation.
a. Click Modify on the status line for Web Filter & Security.

b. Select Install additional components on this machine and click Next.


c. Select the User Service and the DC Agent components and click Next.
d. When asked if you use Active Directory to authenticate users, select Yes and
click Next.
e. When asked “Do you want to start the Computer Browser service now?”
select No and click Next. (In many cases when selecting ‘yes,’ the installer
does not have sufficient rights to start the service. In which case, a notice
appears that asks you to start the service manually using the Windows
Services console. You then click Next to continue as if you had selected No.)



f. On the Directory Service Access page, select Configure directory access
later (not recommended) and click Next. (If you select “Use this account” in
the lab environment you may receive an error indicating that the installer
cannot verify the domain settings, but that you will be able to configure any
required parameters after the installation is complete.)
g. Verify that both User Service and DC Agent are listed on the pre-installation
summary page and then click Next.
h. The installation process usually takes less than two minutes. On the
Installation Complete page, click Next.
i. On returning to the main setup page, click Close then Yes to exit the installer.
3. Manually enable/start the Computer Browser service.
a. Launch the Windows Services console (services.msc). Use your own
preferred method, or click Start > Administrative Tools > Services.
b. Start the Computer Browser service. (If the service is already started,
simply continue to the next step.)
To start this service the first time, you must generally open the Properties
window and change the startup type to Manual, then try to start the service.
In some cases, you may need to re-start the server.
4. Manually configure enterprise admin permissions for the DC Agent service.
If in step 2f above the installer could not verify the domain settings, add manual
permissions to the DC Server using the Windows Services console.
a. Launch the Windows Services console, locate the Websense DC Agent
service, right-click it and choose Properties.
b. On the Log On tab, select This account and enter admin credentials for
Administrator@wscert (password Websense1).

c. Click Apply. Read the popup notification and click OK.


d. On the General tab, click to Stop and then click to Start the service.
e. After the service is restarted, click OK to close the Properties window, and
then click to close the Services console.
5. Verify that options associated with DC Agent are listed in the TRITON Manager.
a. On the TRITON-APX server, log on to the TRITON Manager.
b. In the Web manager, verify that you are managing Policy Server
172.31.0.155, and if not Switch to it.



c. Click Web > Settings [tab] > General > User Identification.
d. Verify that DC Agent is listed in the table of transparent-identification agents.

Configure Directory Services Access


To apply policies to individual users and groups, Web Filter & Security must be able
to obtain user, group, domain, and organizational-unit information from your directory
service.
To configure access to Active Directory:
1. Click Web > Settings [tab] > General > Directory Services.
2. Select Active Directory (Native Mode) from the list of supported directories.
3. In the section Active Directory (Native Mode), click Add.
a. Enter the IP address of the wscert domain controller - 172.31.0.150

b. In the Administrative Access section, enter the password (Websense1) and
the DNS domain name (wscert.com).

c. Click Test Connection to confirm that the connection to the global catalog
server is configured properly. If it is not, double-check your settings, verify
that the domain controller is running and retry.

d. Click OK at the bottom of the page, verify the entry you just made is added to
the list of global catalog servers.



e. Click OK again and then click Save and Deploy.

Add Clients to Web-Security Policies


1. Click Web > Main [tab] > Policy Management > Clients.
2. Click Add.
a. Click the folder icon next to Directory Entries.
b. Drill down to the DC=com, DC=wscert, CN=Users folder.

c. Click the check box for user Tim Muller, then click the right arrow to move
the user to the Selected Users column.
d. Confirm that the Default policy is applied to this user and click OK.
3. Follow the same procedure to add the user Administrator, but apply the
Unrestricted policy to this user.
4. Click Save and Deploy.

Configuring Account Override


1. From the Main > Policy Management > Clients page, click the name of the Tim
Muller user.

a. In the Account Override section, select Enable account override.


b. Click OK.
c. Click Save and Deploy.



Configure DC Agent on the Secondary Policy Server
You will now configure the Policy Server running on the appliance to point to the
instance of DC Agent that you installed on the TRITON-APX server.
1. To configure the Policy Server running at 172.31.0.151, you must switch to that
Policy Server from within the TRITON Manager.
a. Click Switch in the TRITON Manager.

b. Select the 172.31.0.151 Policy Server and click OK.


2. Click Settings [tab] > General > User Identification.
3. Click Add Agent... and select DC Agent.
4. Under Basic Agent Authentication, enter the IP address of the TRITON-APX
server.

5. In the Domain Discovery section, select User Service and click WINS Server
Information.
Fill in the WINS Server Information:
a. Administrative user: Administrator
b. Password: Websense1
c. Domain: WSCERT



d. WINS server: 172.31.0.150

6. Click OK twice and then click Save and Deploy.

Verify Active Directory Settings on V10K Have Been Inherited from the Primary Policy Server on the TRITON-APX Server
Recall that when we added the secondary Policy Server on 172.31.0.151 to the policy
tree on the Settings > Policy Servers page, we chose to inherit directory-services
settings from the primary Policy Server. Let’s make sure the inheritance has happened.
1. Click Web > Settings [tab] > General > Directory Services.
2. Under Directories, verify Active Directory (Native Mode) is selected and that IP
address 172.31.0.150 appears in the list of global catalog servers.
a. Select global-catalog server 172.31.0.150 and click Edit.



b. Verify that the required configuration parameters are populated with
information that looks correct and then click Test Connection.

c. Verify that the connection-test result is “Connection succeeded”.


3. Click Cancel twice to return to the Directory Services page.

Configure Content Gateway for Windows Authentication.


1. To access the Websense Content Gateway Manager from the TRITON Manager,
verify that you are still viewing the 172.31.0.151 Policy Server configuration.
If you are not, click Switch in the TRITON Manager, select the 172.31.0.151
Policy Server and click OK.
2. Click Web [tab] > Settings > General > Content Gateway Access and then
click Log On. A new browser window will open.
3. Click Configure [tab] > My Proxy > Basic > General.
a. Scroll down to the Authentication section.
b. Select the radio button for Integrated Windows Authentication.
c. Click Apply at the top (or bottom) of the page.
d. Click Restart to apply the new configuration.
4. After the Websense Content Gateway is restarted, scroll down and click the
Configure link next to Integrated Windows Authentication.

This will take you to the Configure > Security > Access Control > Integrated
Windows Authentication page.
a. Enter the information as listed below.
Domain Name: wscert.com

Administrator Name: Administrator
Administrator Password: Websense1
DC name or IP address: dc.wscert.com
Content Gateway Hostname: v10k-1-wcg.wscert.com

b. Click Join Domain.


c. On success, a notification that you have successfully joined the domain
appears.

5. Click to Restart the Websense Content Gateway
(go to the My Proxy > Basic page).

Confirm dc_config.txt File


Occasionally, the system will not create the required text file to enable communication
with the domain controller. To confirm the existence of this file and create it if needed,
take these steps.
1. On the TRITON-APX server, go to the folder:
C:\Program Files (x86)\Websense\Web Security\bin
2. Locate the dc_config.txt file. If you can locate it, open it and confirm that the
following lines are in the file:
[wscert]
DC=on



3. If the file is not present, open Notepad and create the file and save it to the proper
target directory.

Testing Account Override


1. Log on to Client-W7 as WSCERT\tmuller with the password Websense1.
2. Change the default gateway for the client from 172.31.0.254 to 172.31.0.1 since
we are no longer going to be testing WCCP.
3. Open Internet Explorer.
a. Open the Tools > Internet Options menu.
b. Click the Connections tab.
c. Click the LAN Settings button.
d. Check the box for Use a proxy server for your LAN and click Advanced.
e. Enter the IP address of the P1 interface on your V10000 appliance for both
HTTP and Secure traffic with the port of 8080. Enter 172.31.*.* as a proxy
exception.
f. Click OK three times to finish configuring the proxy settings.
4. In Internet Explorer, go to http://www.guns.com. You should receive the block
page with the override option (“Enter New Credentials”).

5. On the TRITON-APX server, return to the Content Gateway Manager.


a. Navigate to Monitor > Security > Integrated Windows Authentication.
b. Notice that the client session was authenticated using NTLM rather than
Kerberos. In order for Kerberos to work, the client must resolve the name of
the proxy rather than using the IP address.

NOTE: The IP address for the P1 interface has been pre-configured in the lab’s
DNS service as the name-resolution for v10k-1-wcg.wscert.com.



6. Return to Client-W7 and change the proxy address to v10k-1-wcg.wscert.com on
port 8080.

a. Close Internet Explorer.


b. Log off Client-W7. Click Start [button] > Log off.
c. After the RDP connection terminates, log back on to Client-W7 as tmuller.
7. On Client-W7, open Internet Explorer and go to http://www.guns.com.
You should receive the block page with the account override option.
a. Click Enter New Credentials.

b. Enter the user name of Administrator and the password Websense1.


c. Click Switch Credentials.
You should be redirected to www.guns.com.
8. Return to Content Gateway Manager and notice that the Kerberos
authentication values have increased.

(Optional) Use ConsoleClient to Validate DC Agent Functionality


To verify that the DC Agent is working, you can use the ConsoleClient.exe utility in
the Web Security\bin directory to try to export the XID Map that DC Agent generates.



1. On the TRITON-APX server, open a Command Prompt and make the working
directory C:\Program Files (x86)\Websense\Web Security\bin.
2. Run the following command:
ConsoleClient 172.31.0.155 30601
a. Choose PrintSelf
b. Choose Dump to Local File
c. Specify level 3.
d. Specify a filename. Use dc-agent-xid-map.txt.
e. Choose XID User Map.
f. The screen will refresh. Choose quit.
3. Use the command prompt to type the contents of dc-agent-xid-map.txt to the
screen or open the file in Notepad, and examine your results.

Note
To test/verify the functionality of DC Agent, you could also disable
authentication on WCG. Then reveal how users still get identified by
inspecting the block page.
Clicking More Information and then selecting to view the source code
of the page should show NetBIOS://[user] type identification, instead
of LDAP://[user] type.

8 Designing Policies

Lab Objective
In this lab, you will design policies to apply category and protocol filtering.

Steps

Creating Policies
A policy is composed of three main components: category filter(s), protocol filter(s),
and a filter schedule. Once created, policies can be assigned to users, groups,
individual computers, host IP ranges, and organizational units (OUs).
1. On the TRITON-APX server, launch the TRITON - Unified Security Center if
it is not already open.
a. Log on with the user name admin and the password Websense1
b. Confirm that you are configuring the 172.31.0.155 Policy Server.

2. Create a new policy by navigating to Main > Policy Management > Policies and
click the Add button.
3. Create a policy named Engineering, based on the Default existing policy and
click OK.



4. Click OK.
Note
Basing a new policy on an existing policy to then modify
can help make policy creation quicker.

Creating New Category Filters


You will now create a new category filter to apply to the policy you just created.
1. Navigate to Main > Policy Management > Filters.
2. Click the Add button under Category Filters.
3. Assign the filter name as Engineering Categories and base the filter on the Basic
category filter and click OK.

4. Update the new category filter to block the following categories:


• Bandwidth (all subcategories)
• Drugs (all subcategories)
• Job Search

Note
To assign a block to all of the sub-nodes of category,
highlight the category, click Block and then click Apply to
Subcategories.

5. Click OK and then click Save and Deploy.



Define the Policy Schedule
You will now define the Engineering policy to use the following schedule:
• Saturday and Sunday
  • Basic Security Category Filter and Monitor Only Protocol Filters
• Monday to Friday
  • Working hours 0900-1730
    • The Engineering Categories Category Filter and the Default Protocol Filter
  • Outside working hours 1730-2400 and 0000-0900
    • The Basic Category Filter and Default Protocol Filter
1. Navigate to the Engineering Policy by going to Main > Policy Management >
Policies and click the Engineering policy.
2. Create the first schedule for the weekend filtering described above.

3. Click Add.
4. Add the 0000-0900 weekday schedule to the policy.

5. Click Add.
6. Add the 0900-1730 weekday working hours schedule to the policy.



7. Click Add to add the weekday after work schedule.

8. Click OK and then click Save and Deploy.

Assigning Policies to Clients


You will now assign the Engineering policy to a client.
1. Navigate to Main > Policy Management > Clients and click the Add button.
a. Click Directory Entries.
b. Drill down to the DC=com, DC=wscert, DC=Users folder.
c. Click the box next to the user Mark Dean, then click the right arrow to move
the user to the Selected Users column.
d. Select the Engineering policy for this user and click OK and then click Save
and Deploy.
2. In the right hand column of the TRITON Manager, go to the Toolbox and click
Check Policy.
3. Enter the user name mdean and click Go.



4. You should see the following pop-up that confirms that mdean is being filtered by
the Engineering policy.

5. Click Close.

Note
In some cases, more than one policy may be applicable to a user based
on IP address or group memberships. When determining which policy
to apply to a user, this order is used by default:
• user
• IP address
• network
• groups
• domain
You can change the order to the following by editing the eimserver.ini
file (see the Websense Knowledge Base for more information):
• user
• groups
• domain
• IP address
• network

Note
In instances where a user is a member of multiple groups, the Filtering
Service applies the most permissive group policy by default. This
setting can be changed to apply the most restrictive group policy by
checking the appropriate box in the TRITON Manager > Web >
Settings > General > Filtering page.

Testing the Policy


You will now test the Engineering policy by logging on to Client-W7 as user mdean
and navigating to a blocked category.
1. Log on to Client-W7 as WSCERT\mdean with the password Websense1.



2. Open Internet Explorer and configure it for explicit proxy.

3. In Internet Explorer, navigate to testdatabasewebsense.com and click the test
link for the category Gambling or Drugs.

4. Click More Information to view more information about why this site is blocked.

5. Right-click in the shaded area shown above and choose View Source. Scroll
down to see the information shown below. You should be able to see the user that
was blocked and how the user was identified by Websense Web Filter & Security.

6. Log off Client-W7.



9 Using Network Agent

Lab Objective
In this lab, you will configure and test Network Agent to monitor protocols and block
FTP traffic to selected sites.

Warning
Network Agent requires promiscuous mode on the switch port
attached to the N interface. However, your lab environment should
be already correctly configured with these settings.

Steps

Network Agent Configuration


You need to configure the Network Agent interface (N) in the Appliance Manager.
You can use the N interface to both monitor and block; this requires the span port to be
set in bi-directional mode. In production, however, it is recommended that you use the
N interface to monitor and the C interface to block.
1. On the TRITON-APX server, open the Appliance Manager, and go to
Configuration > Network Interfaces.
2. In the content-display area, scroll down to the Network Agent section. Select the
Interface N radio button.
3. Configure the Network Agent Interface parameters with these values:

IP Address        172.31.0.154
Subnet Mask       255.255.0.0
Default Gateway   172.31.0.1
Primary DNS       172.31.0.150
Secondary DNS     [none]

The final setting looks similar to the screen capture below:



4. Write down the MAC Address of the N interface. You will need this to verify that
the lab is working as designed.
5. Click OK and click OK again to confirm the changes.

Global Network Agent Configuration


1. Log on to the TRITON Manager and use the Switch button to load the
management interface for the Policy Server running on the appliance at
172.31.0.151.
2. Go to Web [tab] > Settings [tab] > Network Agent > Global.
3. Navigate to Ignore Internal Traffic and confirm that the IP address for your
subnet is already listed (172.16.0.0-172.31.255.255). By default, Network Agent
will monitor traffic that is destined for an address outside of this range.

Create an FTP Policy


1. Go to Web [tab] > Main [tab] > Policy Management > Policies.
2. Click the Default policy.
The configuration page for the default policy appears.
a. In the Policy Definition section, verify the Protocol Filter is set to Default.
b. Locate the Protocol Filter: Default section. Scroll down the protocol list and
verify that the File Transfer > FTP is configured to be blocked.
(The previous lab, “Tunneled Protocol Detection,” asked you to set FTP to be
blocked. Verify that FTP is still set to be blocked.)
If FTP is not set to be blocked, change the configuration so that it is.

3. Click OK, then click Save and Deploy.



Verifying Blocked Traffic
1. On the TRITON-APX server, in the Web manager, verify that the manager has
the interface to Policy Server 172.31.0.151 loaded.
2. Click Main [tab] > Reporting > Real-Time Monitor to start the RTM process.
3. On Client-W7, open a Windows command prompt and enter the command:
ftp ftp.mozilla.org
or
ftp ftp.websense.com
You should receive an almost immediate failure to connect and the notification
“Connection closed by remote host.”
Promiscuous mode traffic monitoring in the lab can, however, be slow and the
FTP session will not get terminated on the first connection attempt, but should
after additional traffic is sent, for example by attempting to log on to the FTP
site.
4. On the TRITON-APX server, return your focus to the Web Filter & Security
manager for Policy Server 172.31.0.151, and in a few seconds you should see
that the FTP request was blocked as shown below.

Testing the Policy


1. On Client-W7, start Wireshark.
2. In Wireshark, click Capture > Interfaces > Start (on the 172.31.0.157 interface).
3. In the Filter: field, at the top of the Wireshark interface, type:
tcp.port == 21
This setting displays only the FTP traffic that the software is sniffing. Click Apply.
4. Return to the Windows command prompt.
5. From the prompt type the command:
ipconfig /all
and note the MAC address of the interface, as shown in the image below.



6. From the prompt type the command:
ftp ftp.mozilla.org

Verifying Packet Capture Details


1. Return to Wireshark and observe the packets captured. Locate the beginning of
the FTP transaction, from IP address 172.31.0.157 to 63.245.209.137.
NOTE: This IP address can change. You can resolve ftp.mozilla.org in DNS before
starting the lab to verify the current IP address.
2. The screen will appear somewhat similar to the image below.

3. Click the first packet, which contains the SYN request from the client to the server.
In the bottom pane, note the MAC address for the client (labeled Src:). It should
match the one displayed when you used the ipconfig command.

4. Now click the packet from the client to the server that contains the RST flag.
In the bottom pane, note the MAC address for the client (labeled Src:). It should
match the one displayed in the Appliance Manager for the N Interface.



5. Now click the packet from the server to the client, which contains the RST flag.
In the bottom pane, note the MAC address for the client (labeled Src:), and the
server (labeled Dst:). The source MAC address should match the one displayed in
the Appliance Manager for the N Interface, while the destination MAC address
should match that of the machine from which you started the FTP session.

Conclusions
The Network Agent is sending the TCP RST packets from the N interface as expected.
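
The MAC comparison performed by hand in the steps above can be automated over a capture export: learn which source MAC each IP address uses on ordinary packets, then flag RST packets whose source MAC differs. This is an added example, not part of the original lab guide; the rows, the placeholder MAC addresses, the column order and the function names are constructed for illustration, while the two IP addresses are the lab's.

```javascript
// Constructed sample in the column order
//   frame.number, eth.src, eth.dst, ip.src, ip.dst, tcp.flags.syn, tcp.flags.reset
// (tab-separated, as a tshark "-T fields" export of those fields would be).
// MAC addresses are placeholders from the documentation range, not lab values.
const CLIENT_MAC = "00:00:5e:00:53:57";   // Client-W7 NIC (placeholder)
const GATEWAY_MAC = "00:00:5e:00:53:01";  // default gateway (placeholder)
const N_IFACE_MAC = "00:00:5e:00:53:54";  // appliance N interface (placeholder)
const CLIENT_IP = "172.31.0.157";
const SERVER_IP = "63.245.209.137";

const SAMPLE_ROWS = [
  [1, CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, SERVER_IP, "1", "0"],         // SYN
  [2, GATEWAY_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, "1", "0"],         // SYN/ACK
  [3, CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, SERVER_IP, "0", "0"],         // ACK
  [4, N_IFACE_MAC, GATEWAY_MAC, CLIENT_IP, SERVER_IP, "0", "1"],        // RST with client IP
  [5, N_IFACE_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, "False", "True"],  // RST with server IP
  [6, CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, SERVER_IP, "0", "1"],         // genuine client RST
  [7, GATEWAY_MAC, CLIENT_MAC, "192.0.2.10", CLIENT_IP, "0", "1"],      // RST, sender not seen before
].map(cols => cols.join("\t")).join("\n");

// Boolean columns may be exported as 1/0 or True/False; accept both spellings.
function parseFlag(text) {
  const t = String(text).trim().toLowerCase();
  return t === "1" || t === "true";
}

function parseRows(text) {
  return text.split(/\r?\n/).filter(line => line.trim() !== "").map(line => {
    const cols = line.split("\t");
    if (cols.length !== 7) throw new Error("expected 7 columns: " + line);
    const [frame, ethSrc, ethDst, ipSrc, ipDst, syn, rst] = cols;
    return { frame: Number(frame), ethSrc: ethSrc.toLowerCase(), ethDst: ethDst.toLowerCase(),
             ipSrc, ipDst, syn: parseFlag(syn), rst: parseFlag(rst) };
  });
}

// Pass 1: record the source MAC(s) each IP uses on non-RST packets.
// Pass 2: sort every RST into injected / consistent / unclassified.
function classifyResets(rows) {
  const baseline = new Map();
  for (const r of rows) {
    if (r.rst) continue;
    if (!baseline.has(r.ipSrc)) baseline.set(r.ipSrc, new Set());
    baseline.get(r.ipSrc).add(r.ethSrc);
  }
  const result = { injected: [], consistent: [], unclassified: [] };
  for (const r of rows) {
    if (!r.rst) continue;
    const known = baseline.get(r.ipSrc);
    if (!known) result.unclassified.push(r);            // no baseline for this IP
    else if (known.has(r.ethSrc)) result.consistent.push(r);
    else result.injected.push({ ...r, expectedMacs: [...known] });
  }
  return result;
}

// True when at least one RST was flagged and all flagged RSTs share the given MAC.
function allInjectedFrom(result, mac) {
  return result.injected.length > 0 &&
         result.injected.every(r => r.ethSrc === mac.toLowerCase());
}

const verdict = classifyResets(parseRows(SAMPLE_ROWS));
console.log("injected RST frames:", verdict.injected.map(r => r.frame));
console.log("all from N interface:", allInjectedFrom(verdict, N_IFACE_MAC));
```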

10 Transparent Proxy with WCCP

Lab Objective
In this lab, you will configure WCCP on the Cisco router (emulator) and on Websense
Content Gateway running on the V10000 appliance. Once configured, the router will
redirect all HTTP and HTTPS traffic to the Websense appliance.

Steps

Configuring WCCP
1. On Client-W7 (not Bastion7), change the default gateway to 172.31.0.254.

Tip
Run “ncpa.cpl” from the Start menu as a shortcut to the Network
Connections window.
Alternatively, use the “route” command from a command prompt.
route change 0.0.0.0 mask 0.0.0.0 172.31.0.254
route print

Verify the default gateway setting from a Windows command prompt using the
command ipconfig.



2. Open PuTTY, which is located on the machine’s desktop and Telnet (not SSH) to
the IP address of the router:
IP Address: 172.31.0.254
Connection Type: Telnet

Tip
See the short troubleshooting section at the end of this lab to help
resolve any issues with the WCCP router.

3. Log on with the password Websense1.


4. At the “R1>” router prompt, enter the enabled mode. To do so, type the command
shown below and press Enter.
R1>enable
5. Enter the password for the router and press Enter:
Password: Websense1
6. At the “R1#” prompt, type the following command and press Enter:
R1#show ip interface brief
7. Verify that the settings displayed by the command match the values in the table.

Interface          Value
FastEthernet0/0    172.31.0.254

8. Configure the router to use WCCP version 2. Type the following command to
load the configuration terminal prompt, and press Enter:
R1#configure terminal
You should see the following text displayed:
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#



a. Configure a default route for the router. Type the following command and
press Enter:
R1(config)#ip route 0.0.0.0 0.0.0.0 FastEthernet 0/0 172.31.0.1

b. Configure the router to identify the Security Gateway service group. You will
create group 10 to be used for both HTTP and HTTPS protocols. Type the
following command and press Enter:
R1(config)#ip wccp 10

c. Enable the WCCP service on the interface where client traffic will be
intercepted and redirected. The interface is FastEthernet0/0. Type the
following commands and press Enter after you type each line:
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip wccp 10 redirect in
R1(config-if)#exit
R1(config)#exit

9. Perform some basic validation that your configuration changes are running.
a. Use the command show ip route to display the routing table. Verify that
you see the following—especially the underlined portion:
C 172.31.0.0/16 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 172.31.0.1
[1/0] via 172.31.0.1, FastEthernet0/0
b. Use the command show ip wccp to display global WCCP information.
Verify that you see information about “Service Identifier: 10” in the output.
After initial testing (below), you can return to the WCCP router console and
use this command to see the value of the “Total Packets s/w Redirected”
increase as you browse various sites.

Configure the Websense Appliance for WCCP


1. On the TRITON-APX server, open the Content Gateway Manager. However,
instead of using the Logon Portal, let’s demonstrate single-sign-on access to
Content Gateway Manager by way of the Web manager view of the instance of
Policy Server running on the V10K appliance.
a. In the TRITON Manager > Web Security manager, click Switch and choose
policy server 172.31.0.151.



b. Navigate to Settings > General > Content Gateway Access.

c. Click Log On. A new browser window will open.

2. Click Configure [tab] > My Proxy > Basic > General [tab].
a. Scroll down the page until you reach the Features > Networking section.
b. Select On for the WCCP setting, as shown in the picture below.

c. Click Apply at the top (or bottom) of the page.


d. Click Restart.
3. After the restart completes, click Configure [tab] > Networking > WCCP.



4. You need to create WCCP service groups on the Web Content Gateway that
correspond to the configuration on the router. To configure the WCCP settings,
click Edit File, as shown below.

5. Having already created the service group 10 on the router, you must now assign
HTTP and HTTPS traffic to that service group.
WCCP redirection works on TCP ports, so for HTTP and HTTPS we need to
assign ports 80 and 443 to service group 10. Use the values specified in the table
below to edit the form fields.

Parameter                  Value
Service Group Status       Enabled
Service Group Name         HTTP
Service Group ID           10
Protocol                   TCP
Ports                      80,443
Network Interface          eth0
Special Device Profile     ASA_Firewall
Packet Forwarding Method   GRE
Packet Return Method       GRE
Security                   Disabled
Multicast                  Disabled
WCCP Routers               172.31.0.254

a. The image below depicts the entry of the parameters specified in the table above.

b. Scroll down to the Router Information > WCCP Routers section.


Enter the IP address of the WCCP router: 172.31.0.254. Since you are using
the ASA_Firewall profile, you do not need to add GRE tunnel endpoints or
next-hop router specifications.

c. After configuring all the necessary parameters, click Add in the bottom-left of
the form. The list-display area at the top of the page will show a plain-text
configuration string. You should be able to see some of the parameters you
just entered reflected in this string.
d. Click Apply in the top (or bottom) right of the page.
NOTE: No action is required in response to the warning message about the
requirement for “a corresponding ARM rule for every port specified in an
enabled WCCP service group.” The ports specified in our rules (80 and 443)
are already configured to be handled by the proxy. This warning is typically
useful only for helping to troubleshoot more complex configurations. Often
the required rules are created without needing to be explicitly configured.
e. Click Close.
6. You must now restart WCG to implement the change(s) you just made.
On the My Proxy > Basic page, click Restart.

7. After the restart completes, go to the Monitor [tab] > Networking > WCCP
page.
a. Verify the router IP address.
b. Verify that a router ID has been received.
c. Verify that a negotiated mode is listed. Note that negotiation may result in a
configuration that is different than the “configured mode”.

In this case, note the difference in “MASK” and “HASH” for the assignment
method for the service group. Hash is the default configuration option for
WCG, but in this case the mask method is the default for the router. The
assignment method is a means of distributing traffic across multiple proxy
servers (not relevant to this particular lab configuration).
In other cases, the negotiated parameters for even the packet forward and
return methods may be different than what is specified as preferred in the
WCG configuration. For example, you may specify L2, but GRE could end up
being the negotiated method, based on the configuration of the router.

Testing Transparent Proxy Configuration


1. Perform testing from Client-W7.
2. Close all windows on your desktop.
3. Remove any existing explicit proxy settings.
Warning
On Client-W7, you must remove the explicit proxy setting in the
Internet Explorer settings.
Firefox will normally pick up any existing proxy setting that you may
have configured via Internet Explorer.
So, whether you test using Internet Explorer or Firefox, you must
remove any existing explicit proxy settings.

4. Use Internet Explorer or Firefox to attempt to connect to these URLs, along
with five or so others of your choosing:

URL                      Expected Result
http://www.google.com    Permitted
http://www.chase.com     Quota Time Page
http://www.espn.com      Quota Time Page

5. Telnet to the WCCP router at 172.31.0.254, log on, and use the following
command to display WCCP statistics:
R1>show ip wccp

Notice in particular the following section:


Service Identifier: 10
[ . . . ]
Total Packets s/w Redirected: 2139
Process: 284
Fast: 0
CEF: 1855

The total packets redirected should be a non-zero number. Browse a few
additional sites that produce block pages, and then re-run the command and verify
that the number reported increases.
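
The counter check in step 5 can be scripted when you want to confirm that redirection is really happening, since a counter that stays flat means client traffic is leaving the network without passing through the proxy. The following is an added example, not part of the original lab guide; the second capture is constructed sample data and the function names are hypothetical.

```python
import re

# Constructed captures of "show ip wccp" output. BEFORE mirrors the excerpt in
# step 5; AFTER uses made-up numbers standing in for a second run of the command.
BEFORE = """\
    Service Identifier: 10
        Total Packets s/w Redirected:    2139
          Process:                       284
          Fast:                          0
          CEF:                           1855
"""
AFTER = """\
    Service Identifier: 10
        Total Packets s/w Redirected:    2602
          Process:                       291
          Fast:                          0
          CEF:                           2311
"""

TOTAL = "Total Packets s/w Redirected"
LINE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<value>.*?)\s*$")


def parse_show_ip_wccp(text):
    """Return {service_id: {counter_name: int}} for each service group found."""
    services, current = {}, None
    for raw in text.splitlines():
        match = LINE.match(raw)
        if not match:
            continue
        key, value = match.group("key"), match.group("value")
        if key == "Service Identifier":
            current = services.setdefault(value, {})
        elif current is not None and value.isdigit():
            current[key] = int(value)
    return services


def check_redirection(before_text, after_text, service_id="10"):
    """Compare two captures; return (ok, delta, detail) for one service group."""
    before = parse_show_ip_wccp(before_text).get(service_id, {})
    after = parse_show_ip_wccp(after_text).get(service_id, {})
    if TOTAL not in before or TOTAL not in after:
        return False, 0, f"service group {service_id} counters not found"
    delta = after[TOTAL] - before[TOTAL]
    if delta < 0:
        return False, delta, "counter went backwards; router or WCCP was reset"
    if delta == 0:
        return False, 0, "nothing redirected; client traffic is not reaching the proxy"
    paths = {p: after.get(p, 0) - before.get(p, 0) for p in ("Process", "Fast", "CEF")}
    return True, delta, f"{delta} packets redirected, by switching path: {paths}"


if __name__ == "__main__":
    print(check_redirection(BEFORE, AFTER))
```
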

Troubleshooting Tips
Restart the WCCP Router–Related Services
If you cannot connect to the router via Telnet, it may be malfunctioning because of
startup failures caused by resource contention during the initial deployment/boot of
the system.
You should take the following action:
1. On the DC server, launch the Windows Task Manager and check the
Performance tab. If CPU usage is at 100% and stays there without returning to an
idle rate of 0 to 10% within several seconds, this indicates that the Dynamips
emulator is not emulating idle CPU cycles properly and needs to be restarted.
Even if the CPU profile of the DC machine looks right, the services that provide
WCCP router functionality may not have started originally in the correct order.
2. Restart the router-related services.
a. On the DC server, in Windows Task Manager, go to the Services tab.
b. Find and stop the WCCP_Lab and dynagen services in that order.
c. Restart the services in reverse order, dynagen, then WCCP_Lab.
d. Windows Task Manager on the Services tab, find the
3. Check the Performance tab and verify that CPU usage returns to an idle value of
0 to 10%.
4. From Client-W7, verify that you can ping 172.31.0.254, and then attempt to
make a Telnet connection.

Verify Promiscuous Mode Is Enabled
This should not be a problem in Websense-hosted environments, but there may be
instances where promiscuous mode on the vSwitch to which the DC machine is
attached is not enabled.
The security policy exception for the acceptance of promiscuous mode MUST be set
to “accept” for the WCCP router to work in VMware-hosted environments.
See the section “Enabling Promiscuous Mode” in Appendix B - Using the ReadyTech
Environment for information on the click-path to this setting in vSphere Client.

Using the GNS3 Interface for Control over the Router Configuration
On rare occasions, it may be useful to launch the WCCP router using the graphical
interface, GNS3, for the Dynamips emulator, instead of the light-weight command-
line interface (Dynagen—which is launched by the WCCP_Lab service).

Note
In prior editions of this lab manual, using GNS3 was the recommended
first-option for troubleshooting the Dynamips-based WCCP router.
Using GNS3, however, is NOT currently the recommended method for
restoring router functionality. It is generally better to simply restart the
services.

1. Stop the WCCP_Lab and dynagen services if they are running.


2. Click Start > Programs > GNS3 > GNS3.
a. When the GNS3 application loads, select Open a project on the default
getting-started form, or click File > Open.

b. Double-click the WCCP folder (C:\websense\WCCP) and then select the file
topology.net.
c. When GNS3 loads the configuration, click the play button.

3. After the link light on the link for the router R1 turns green, from Client-W7,
verify that you can ping 172.31.0.254, and then attempt to make a Telnet
connection.

If you still cannot complete the lab, ask your instructor for assistance.

11 SSL Configuration

Lab Objective
Websense Content Gateway can decrypt and inspect secure HTTPS traffic for threat
scanning and category filtering just as it does for standard HTTP. The WCG proxy can
also re-encrypt traffic before it is forwarded back to the origin server.

Steps

Enable HTTPS on the WCG


1. From the TRITON-APX server, log onto the Content Gateway Manager
(accessible from the Appliance Manager at http://172.31.0.151) with user name
admin and password Websense1.
a. Click Configure [tab] > My Proxy > Basic and scroll down to the Features
section and under the Protocols heading, click to turn On the HTTPS option.

b. Click Apply at the top (or bottom) of the page. A notice will appear that a
restart of the WCG module is required.
c. Click Restart.

2. After the restart completes, click Configuration [tab] > SSL [navigation-
menu heading] and explore the menu options.

If Internet Explorer blocks the display of secured content on any of these pages,
click Display or whatever other methods the IE interface presents to you to enable
the content to be shown.

Create a Self-signed Certificate


1. In the Content Gateway Manager, click Configure > SSL > Internal Root CA.
2. Click the tab Create Root CA.
a. Fill in the three required fields (marked by asterisks) with this information:
Common name: Websense Test CA
Passphrase: Websense1
b. Click Generate and Deploy Certificate.
c. Wait for the notification that the certificate was created successfully.

3. Click the tab Backup Root CA.


a. Click Save Public CA Key.
b. Save the certificate using the default name to C:\My_Share on the local
machine (that is the TRITON-APX server).
4. On the Configuration [tab] > My Proxy > Basic page, click Restart to ensure
that the changes take effect.

Test Your SSL Configuration


1. On the Client-W7 machine, verify that Internet Explorer is configured with an
explicit proxy setting that points to 172.31.0.152 or v10K-1-wcg.wscert.com on
port 8080 for both HTTP and Secure traffic. Configure it if it is not.
2. Go to https://www.wikipedia.org. You should receive a certificate error for this,
or any, HTTPS site through the proxy since Internet Explorer does not trust the
self-signed certificate on the proxy. Click Continue to this website.

3. Click Certificate Error to the right of the address bar in Internet Explorer.

a. Click View certificates.


Notice the certificate is issued by “Websense Test CA.” The certificate is the
one you just created.
For the browser to trust the certificate, you must install it in the Root
Certificate Authority store on the client.
b. Close the web browser.
4. Launch Windows Explorer and go to Z:\ (\\EIP\My_Share), or to wherever you
saved the Public CA key if you used another location.
a. Double click the PCAcert.cer file and then click Open.
Notice that in this view, the certificate shows that it is “Issued to: Websense
Test CA,” whereas from within the browser, the certificate showed as being
issued to the website to which you had connected.
b. Click Install Certificate and then Next.
c. Select Place all the certificates in the following store and click Browse.
d. Select Trusted Root Certification Authorities store and click OK.

e. Click Next and then Finish.


f. Click Yes to confirm the installation. You should receive a notification that the
import was successful. Click OK to dismiss it.
g. Click OK again to close the Certificate window.

5. Re-test HTTPS connection and certificate validation.
a. Close and re-open your browser.
b. Connect to one or more HTTPS sites to test your results.
• https://www.wikipedia.org
• https://www.google.com
• https://www.facebook.com
The certificate you created will continue to be used to proxy HTTPS
connections. You should now be able to browse to any secure site without
receiving the certificate-error warning.
c. Click the lock icon to the right of the address bar in Internet Explorer to verify
that “Websense Test CA” is the identifier of the site visited.

12 Tunneling HTTPS Websites

Lab Objective
In the Websense Content Gateway, you can add specific HTTPS sites to be allowed,
blacklisted, or tunneled. In this lab, you will set a banking site to be tunneled By
Certificate. The option to use By Certificate provides greater security. If you add a
Web site By Certificate, clients cannot bypass the policy by using the IP address rather
than the URL.

Steps

Tunneling HTTPS Websites

Configuring and Testing HTTPS Tunneling


1. On the TRITON-APX server, open Internet Explorer and go to the URL:
http://172.31.0.151
2. Click the Content Gateway Manager link.
a. In the Content Gateway Manager window, log on using the account:
User: admin
Password: Websense1
b. Navigate to Configure > SSL > Incidents > Add Website. You may need to
click “display blocked content” in your browser.
c. Enter the following parameters:
URL: https://www.nwolb.com
Select By URL
Select the Tunnel action

d. Click Apply.
3. On Client-W7, try navigating to https://www.nwolb.com in another browser tab.
Can you get to the site? Click the padlock and click the View Certificates link.
Who issued the certificate?

a. Go to Configure > SSL > Incidents > Incident List in the Content Gateway
manager.
b. Next to the NATWEST rule, select Delete from the Action dropdown list and
click OK.

c. Try navigating to https://www.nwolb.com again. Who is the certificate issued
by now?

By enabling tunneling for web sites, you can bypass the certificate proxy process
for sites or applications that may require this configuration.

13 SSL Category Bypass

Lab Objective
Some organizations do not want to or, by law, are not allowed to decrypt HTTPS
connections between employees and their personal banks, health providers, and other
destinations that may, or are likely to, contain private information. To keep such
user data private, you can specify website categories that will bypass SSL decryption.
To enable the speedy configuration of the system to allow users to communicate
directly with such sites, Websense identifies certain categories as “Privacy
Categories” that you can select individually or all at once, as a group.
In this section, you will configure and test SSL category-bypass functionality.

Steps

Enable the Privacy Categories


1. On the TRITON-APX server, log on to the Web manager and go to the Settings
[tab] > Scanning > SSL Decryption Bypass page.
2. Click the Select Privacy Categories button then click the right arrow to move
them into the right column.

3. Click OK and then Save and Deploy.

Test SSL Category Bypass
1. On Client-W7, open Internet Explorer.
a. Open this website:
https://www.nwolb.com
b. Verify that the certificate was issued by the original root CA and not
Websense.
This site is included in the privacy categories, so it should not be decrypted
and analyzed by the WCG and should use the certificate from the actual web site
and not the self-signed certificate you created in an earlier lab.
c. Open a new browser tab and go to a site that should not be bypassed like
https://www.google.com
https://www.wikipedia.org
https://www.redhat.com
Verify that the certificate is from the proxy and not from Redhat.
2. On the TRITON-APX server, expand the Web > Tool Box > URL Category
widget.
a. Determine the category for redhat.com.
b. Add this category to the list of categories bypassed.
3. On Client-W7, test again to verify that the site is bypassed for decryption.
Verify the certificate is signed by original root CA.
NOTE: After changing the bypass categories, it may take a few minutes for the
change to take effect.
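
The issuer checks done by hand in "Test Your SSL Configuration", "Configuring and Testing HTTPS Tunneling" and "Test SSL Category Bypass" can be turned into a repeatable audit of which sites the proxy decrypts and which it passes through untouched. The following is an added example, not part of the original lab guide; the sample observations and public issuer names are constructed, the function names are hypothetical, and the proxy address and CA name are the ones used in these labs.

```python
import socket
import ssl

PROXY_CA_CN = "Websense Test CA"  # common name entered on the Create Root CA tab


def issuer_cn(cert):
    """Issuer common name from a dict in ssl.SSLSocket.getpeercert() form."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def classify(cert, proxy_ca_cn=PROXY_CA_CN):
    """'decrypted' if the proxy CA issued the leaf, 'passthrough' otherwise."""
    cn = issuer_cn(cert)
    if cn is None:
        return "unknown"
    return "decrypted" if cn == proxy_ca_cn else "passthrough"


def audit(observed, expected):
    """Return [(host, expected_state, actual_state)] for every mismatch."""
    findings = []
    for host, want in sorted(expected.items()):
        got = classify(observed[host]) if host in observed else "unknown"
        if got != want:
            findings.append((host, want, got))
    return findings


def fetch_cert(host, proxy_host="172.31.0.152", proxy_port=8080,
               proxy_ca_file=None, timeout=10):
    """CONNECT through the explicit proxy and return the validated leaf cert.

    The context trusts the system roots plus the exported proxy CA, so the
    issuer name is only read from a chain that actually verified.
    """
    ctx = ssl.create_default_context()
    if proxy_ca_file:
        with open(proxy_ca_file, "rb") as fh:
            data = fh.read()
        # cadata takes PEM as str and DER as bytes; the export may be either.
        ctx.load_verify_locations(
            cadata=data.decode("ascii") if b"-----BEGIN" in data else data)
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        request = f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
        status = reply.split(b"\r\n", 1)[0].split()
        if len(status) < 2 or status[1] != b"200":
            raise ConnectionError(f"proxy refused CONNECT: {status!r}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
    finally:
        sock.close()


# Constructed observations in getpeercert() form; issuer names other than the
# lab's "Websense Test CA" are invented for the example.
PUBLIC = {"issuer": ((("organizationName", "Example Public CA"),),
                     (("commonName", "Example Public Issuing CA 1"),))}
PROXY = {"issuer": ((("commonName", PROXY_CA_CN),),)}
OBSERVED = {"www.wikipedia.org": PROXY, "www.nwolb.com": PUBLIC,
            "www.redhat.com": PROXY}
# Expected state once the redhat.com category has been added to the bypass list.
EXPECTED = {"www.wikipedia.org": "decrypted", "www.nwolb.com": "passthrough",
            "www.redhat.com": "passthrough"}

if __name__ == "__main__":
    print(audit(OBSERVED, EXPECTED))
```

A mismatch in either direction matters: a privacy-category site reported as decrypted means private data is being inspected, and a site reported as passthrough that should be decrypted is a gap in threat scanning. Without proxy_ca_file, fetch_cert raises a certificate verification error for decrypted sites, which is the scripted equivalent of the browser warning seen before the CA is installed.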

14 Configuring Advanced Scanning
Features

Lab Objective
In this lab you will configure and test the advanced scanning features of Websense
TRITON AP-WEB v8.x.

Steps

Configuring Advanced Scanning Features

Run TestLogServer on the TRITON-APX Server


In this task, you will set up TestLogServer on the TRITON-APX server. You will then
use it to verify the category/protocol classifications that Content Gateway makes.
1. Log on to the TRITON-APX server and open a Command Prompt.
a. Change working directory to:
C:\Program Files (x86)\Websense\Web Security\bin
b. Stop the Websense Log Server service so that we can bind TestLogServer to
the default log-server port. Use the following command:
logserver -s
(Note: The -s switch stops the service. The -r switch runs the service.)
c. Execute the command testlogserver -help and briefly review the
accepted syntax of the command and the options available.
d. Start TestLogServer using the -file switch to send output to the text file that
you name and the -onlyip switch to filter based on source IP.
testlogserver -file Filename.txt -onlyip 172.31.0.157
The output to screen should say “Accepting connections on port 55805...”
e. Leave the Command Prompt window open and the TestLogServer application
running.
2. Log onto Client-W7 as tmuller with password Websense1.
a. Launch Internet Explorer.
b. Go to http://www.google.com.

3. Return to the TRITON-APX server and verify that the instance of TestLogServer
you left running in the Command Prompt window has received and printed to
screen the log activity generated by visiting the Google home page.
You should see output similar to the figure below for each object retrieved.

4. Restore your environment to its original settings.


a. Press Ctrl-C to stop TestLogServer.
b. Start the Websense Log Server service:
logserver -r
c. Close the Command Prompt window.

Warning
You must start the Websense Log Server for logging to
resume writing to the database. This is important for
subsequent activities, including various validation steps
and running reports.

Scanning Exceptions
In this section, you will configure and test scanning exceptions.

Client Exceptions - Real-time Scanning


Clients may be excluded from all real-time scanning by adding their IP address (or
network range) to Scanning Exceptions.
1. Log onto the TRITON Manager and click Web [tab] > Settings > Scanning >
Scanning Exceptions.
a. Scroll down to the Client Exceptions section.

b. Enter the IP address of Client-W7 (172.31.0.157) in the Enter clients box and
click the arrow (‘>’) to move it to the Client exceptions list.

c. Click OK and Save and Deploy.


2. Log onto Client-W7.
a. Open Internet Explorer and clear the browser cache.
b. Go to http://testdatabasewebsense.com.
c. Scroll down to the list of Real-time Analysis Test Pages.
d. Click some of the links to confirm that real-time analysis is not being applied
to this client.
In doing so, be mindful that the Default policy is being applied to user tmuller,
and that not all test links in the list would be filtered by the policy even if the
client were not excepted from scanning by IP address.
3. Return to the TRITON console on the TRITON-APX server and delete the
client exception.
a. Click OK and then Save and Deploy.
b. Re-test connections from Client-W7 to various real-time-analysis test pages
to confirm that real-time analysis is now taking place. (Note: clear the web
cache/delete your temporary Internet files before doing so.)

Always Scan/Never Scan List


In this section, you will configure the Never Scan option to test exceptions of
destination URLs.

Note
All scanning exceptions will work for outbound as well as
inbound web traffic.

1. On the TRITON-APX server, in the TRITON Manager, click Web [tab] >
Policy Server 172.31.0.151 [switch if necessary] > Settings > Scanning >
Scanning Exceptions.
2. In the Hostname/URL Exceptions section, at the bottom of the Never Scan list,
click Add Hostname/URL.

a. Enter http://testdatabasewebsense.com and check all the available options.
Then click OK.

b. Click OK and then Save and Deploy.


3. On Client-W7, launch Internet Explorer and clear the browser cache.
a. Go to http://testdatabasewebsense.com.
b. Scroll down to the list of Real-time Analysis Test Pages.
c. Click some of the links to confirm that real-time analysis is not being applied
to this client.
Again, be mindful that the Default policy is being applied and that not all test
links in the list would be filtered by the policy even if the ‘never-scan’
exception were not in place.
4. Return to the TRITON console on the TRITON-APX server and delete the
never-scan exception.
a. Click OK and then Save and Deploy.
b. Re-test connections from Client-W7 to various real-time-analysis test pages
to confirm that real-time analysis is now taking place. (Note: clear the web
cache/delete your temporary Internet files before doing so.)

Rich Internet Applications


By scanning for security threats (enabled by default) you can detect and block
instances in which “rich internet applications,” such as Flash, contain malicious code.
You can enable and disable this option in the “Security Threats: File Analysis” section
of the Settings > Scanning > Scanning Options page.
In this section, you will enable and test the scanning of traffic that contains instances
of rich Internet applications.

1. Ensure that Scanning of Rich Internet Applications is enabled. This is located
under TRITON APX- Web [tab] > Scanning > Scanning Options > Security
Threats: File Analysis.

2. On the Client-W7 web browser, click the link that hosts the .swf file at
testdatabasewebsense.com:
http://testdatabasewebsense.com/realtime/maliciouswebsites/maliciousRIAtest.swf
and verify that the request to the file is blocked as 'malicious' content.
3. Disable Scanning of Rich Internet Applications under Settings > Scanning >
Scanning Options > Security Threats: File Analysis.
4. Click the link that hosts the .swf file at testdatabasewebsense.com and verify
that the request to access the file is permitted.
As of writing, the SWF file is a white object with no text. The browser window, if
not blocked, will appear as a blank, white page. Right-click the page and choose
Settings to demonstrate that you are interacting with a real Flash object.
Remember also to clear the web cache/delete your temporary Internet files before
retesting access to the file.

15 Content Categorization Link
Analysis

Lab Objective
The Content Categorization scanning option can include the analysis of URL links
embedded in a page. Such analysis can provide more accurate categorization of
certain types of pages. For example, a page that otherwise has little or no undesirable
content but has links to sites known to be undesirable, can itself be more accurately
categorized.
URL link analysis can find malicious links embedded in hidden parts of a page, and
can detect pages returned by image servers that link thumbnails to undesirable sites. In
this lab, you will enable and test content link analysis.
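
To make the idea concrete, the sketch below categorizes a page from the hosts it links to, including links inside hidden elements and thumbnails that link out to other sites. It is an added illustration, not part of the original lab guide and not Websense's algorithm; the category table, the 0.5 threshold, the sample pages and all names are hypothetical.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical category data; a real deployment would query its URL database.
HOST_CATEGORIES = {
    "casino.example": "Gambling",
    "bets.example": "Gambling",
    "news.example": "News and Media",
    "malware.example": "Malicious Web Sites",
}
UNDESIRABLE = {"Gambling", "Malicious Web Sites"}
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
        "meta", "source", "track", "wbr"}


class LinkCollector(HTMLParser):
    """Collect (absolute_url, hidden) for every href/src/action in a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.stack = []   # (tag, hidden) for each open non-void element
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = ("hidden" in attrs or "display:none" in style
                  or "visibility:hidden" in style
                  or any(h for _, h in self.stack))
        for name in ("href", "src", "action"):
            if attrs.get(name):
                self.links.append((urljoin(self.base_url, attrs[name]), hidden))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unbalanced markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def analyze_links(html, page_url, threshold=0.5):
    """Categorize a page from the categories of the hosts it links to."""
    collector = LinkCollector(page_url)
    collector.feed(html)
    collector.close()
    page_host = urlparse(page_url).hostname
    external, hits, hidden_hits = 0, Counter(), []
    for url, hidden in collector.links:
        host = urlparse(url).hostname
        if not host or host == page_host:
            continue
        external += 1
        category = HOST_CATEGORIES.get(host, "Uncategorized")
        if category in UNDESIRABLE:
            hits[category] += 1
            if hidden:
                hidden_hits.append((url, category))
    verdict = HOST_CATEGORIES.get(page_host, "Uncategorized")
    if hidden_hits:                       # a concealed bad link decides alone
        verdict = hidden_hits[0][1]
    elif hits:
        top, count = hits.most_common(1)[0]
        if count / external >= threshold:
            verdict = top
    return {"category": verdict, "external_links": external,
            "undesirable": dict(hits), "hidden": hidden_hits}


# Constructed pages. PAGE_HIDDEN hides one bad link; PAGE_THUMBS is a gallery
# whose locally hosted thumbnails mostly link out to gambling sites.
PAGE_HIDDEN = """<html><body><h1>Holiday photos</h1>
<a href="/album2.html">More</a> <a href="http://news.example/story">News</a>
<div style="display: none"><a href="http://malware.example/kit">x</a></div>
</body></html>"""
PAGE_THUMBS = """<html><body>
<a href="http://casino.example/play"><img src="/t/1.jpg"></a>
<a href="http://bets.example/odds"><img src="/t/2.jpg"></a>
<a href="http://news.example/"><img src="/t/3.jpg"></a>
</body></html>"""

if __name__ == "__main__":
    print(analyze_links(PAGE_HIDDEN, "http://photos.example/index.html"))
    print(analyze_links(PAGE_THUMBS, "http://images.example/gallery"))
```
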

Steps

Content Categorization Case 1


In this section, you will verify that link analysis is properly scanning web content.
1. Enable Link Analysis (Analyze links embedded in Websense Content) in
TRITON - Web [tab] > Settings > Scanning > Scanning Options.

2. Ensure the testlogserver tool is still running on the TRITON-APX server
(this was turned on in the Configuring Advanced Scanning Features lab).

Optional for Detailed Debugging Only: Configure Debug on the WCG


In this task, you will configure debug functionality on the WCG. During the labs
you will view content_gateway.out to determine the analytic process
applied to the web requests. The selected debug tags are:

• wtg.* - includes the interaction of processes within WCG; for example,
tag wtg_txn shows memory available, wtg_txn_type shows the file type
detected by WCG, wtg_txn_size shows content size, etc.
• src.* - debugs all WCG management communications, both internally
between the components (e.g. database download) and externally back to
the PS / PB (e.g. information of interaction with filtering)
• catz.* - scrapes the links during the link analysis process
1. Optional: Log onto the Appliance Manager for V10K-1.
a. In the navigation column, click Administration > Toolbox.
b. In the Appliance Command Line > Command Line Utility section,
click Launch Utility.
2. Optional: Click Module [drop-down list] > Websense Content Gateway.
a. Use the parameters below to configure a “content-line” command:

Parameter        Value
Command          content-line -s
Variable Name    proxy.config.diags.debug.enabled
Value            1

b. Click Run.
3. Optional: Next, configure and run a second “content-line” command based
on these parameters:

Parameter        Value
Command          content-line -s
Variable Name    proxy.config.diags.debug.tags
Value            wtg_txn.*|src.*|catz.*

a. Click Run.
b. Next, select content-line -x from the Command menu and click
Run.

Required: Content Categorization Case 1 Continued
3. From Client-W7, navigate to the following URLs at testdatabase.websense.com
and verify that the page is categorized correctly.
a. http://testdatabasewebsense.com/realtime/SexAndAdultLA.html
b. http://testdatabasewebsense.com/realtime/MWSLA.html
c. http://testdatabasewebsense.com/realtime/GamblingLA.html
4. View the output from testlogserver and verify that the disposition is logged as
Link Analysis (permitted or blocked depending on filtering policy configured).

Content Categorization Case 2


In this section, you will verify that Link Analysis can properly identify and prevent the
display of linked thumbnail images that violate policies.

Warning
Please be aware that the following activity tests the filtering capability of
the system to address images of an explicitly sexual nature.
Completing this activity may not be appropriate in some situations. Please
use caution and good judgement.

1. Verify that search filtering is turned off in TRITON - Web [tab]> Settings >
General > Filtering > Search Filtering.

2. From the client machine, go to http://www.bing.com. Click Images and enter a
search word of your choice that will trigger the adult content policy.
3. Verify that the request is categorized by Link Analysis as Sex using testlogserver
on the TRITON-APX server.

Optional for Detailed Debugging Only: Test and Check Debug Output
1. From the Client-W7, navigate to the following URLs at
testdatabase.websense.com and verify that the page is categorized correctly.
a. http://testdatabasewebsense.com/realtime/SexAndAdultLA.html
b. http://testdatabasewebsense.com/realtime/MWSLA.html
c. http://testdatabasewebsense.com/realtime/GamblingLA.html
2. View the log output.
a. Open Appliance Manager.
b. Navigate to Administration > Logs.
c. Select Websense Content Gateway and View last 100 lines.
d. View the links that have been scraped in the content_gateway.out
log.

Optional for Detailed Debugging Only: TURN OFF Debugging


1. Use the Content Gateway Manager > Administration > Toolbox >
Appliance Command Line > Command Line Utility and the parameters
below to configure a “content-line” command:

Parameter        Value
Command          content-line -s
Variable Name    proxy.config.diags.debug.enabled
Value            0

2. Next, select content-line -x from the Command menu and click Run.

Outbound Scanning (Web Content)


Outbound scanning detects and blocks bot and spyware phone-home traffic as well as
other malicious content. It also checks for malicious content attached to web
applications such as web mail. In this section, you will enable and test the scanning of
outbound web content.
1. On the TRITON-APX server, ensure Security Threats: Content Scanning is
enabled under the TRITON - Web [tab] > Settings > Scanning > Scanning
Options menu.
2. In the Security Threats: Content Security section, check the On box and the
Aggressive analysis - Perform advanced security analysis for sites... box.

3. Click OK and Save and Deploy.
4. Test from Client-W7 by browsing to
http://testdatabasewebsense.com/realtime/mwos.html. Click Submit Query. You
should see a block page.
5. Check the testlogserver and the source code of the block page to see which
category was used to block the POST attempt.

Content Scanning Sensitivity Control


The Content categorization Sensitivity Level control allows administrators to adjust
the sensitivity of the thresholds that determine Content categorization. Note that
sensitivity is Optimized (tuned) by Websense Security Labs to provide best results for
typical use.
1. The Sensitivity Level control is located under TRITON - Web [tab] Manager >
Settings > Scanning > Scanning Options > Advanced Options menu.

2. Modify the sensitivity level and re-run some of the earlier tests and see if the
results differ.

16 Tunneled Protocol Detection

Lab Objective
In this lab, you will explore TRITON AP-WEB’s ability to detect and manage
HTTP/HTTPS-tunneled protocols. Tunneled-protocol detection extends application-protocol
management features like protocol selection, Network Agent–like monitoring, and
bandwidth management to the HTTP/S proxy.

Steps

Configure and Test Tunneled Protocol Inspection


1. On the TRITON-APX server, launch the TRITON Manager and use the Web
[tab] manager to configure the Default policy. Set the Protocol Filter to Default.
a. Additionally configure the default protocol-filter policy to block the
following protocol:
File Transfer > FTP

b. Click OK and then Save and Deploy.

2. Go to the Web [tab] > Settings [tab] > Scanning > Scanning Options page and
verify that Tunneled Protocol Detection is enabled.

3. On the Client-W7 machine, log on as tmuller.


a. Verify that the browser is configured explicitly to use v10k-1-wcg.wscert.com
as a proxy.
b. Verify that FTP is included in the explicit proxy configuration. (This is the
setting that causes the browser to tunnel FTP requests entered in the address
bar over HTTP.) On the Local Area Network (LAN) Settings configuration
page, in the “Proxy server” configuration section, click the Advanced button.

c. Enter ftp://ftp.websense.com in the address bar and press Enter.


4. Verify that the connection attempt is blocked.

Protocol Reporting
In addition to the ability to detect and block protocols tunneled over HTTP/S you can
get reports that provide details about connection attempts that use protocols that are
blocked.
1. Verify the protocols detected by tunneled-protocol detection are present in
TRITON Manager > Web [tab] > Investigative Reports.

2. Click to ‘drill down’ on the available details about the incident(s) you generated.

17 Controlling Webmail via Web
DLP

Lab Objective
Configure and test Web DLP to inspect the content of web-based email messages and
stop those with confidential information.

Warning
Web DLP only controls data sent using the POST method. If your
webmail provider uses non-standard protocols, the lab may not
operate as expected.

Steps

Web DLP configuration


You need to configure the Web DLP component in the TRITON interface to ensure it
communicates properly with the Web Content Gateway (WCG). You also need to
verify that the WCG can successfully communicate with the Web DLP component.

Register Websense Content Gateway


1. On the TRITON-APX server, go to http://172.31.0.151
2. Click Content Gateway Manager and log on with the credentials
admin/Websense1.
3. Go to: Configure > My Proxy > Basic > General.
4. Under Features > Networking locate Web DLP. Select the On radio button on
the far right, then select Integrated on-box.

5. Click Apply and Restart the proxy.


6. On restart, a registration status link appears: Not registered
7. Click the Not registered link to open the Configure > Security > Web DLP
registration screen.

8. Enter the IP address of the TRITON AP-DATA Management Server:
172.31.0.155
9. Enter the user name (admin) and password (Websense1) for a TRITON
AP-DATA administrator with Deploy Settings privileges.
10. Click Register. You are reminded to synchronize the system time between the
proxy machine and the TRITON AP-DATA Management Server.
11. If registration succeeds, a Web DLP Configuration page displays. Verify that the
following configuration options are set correctly:
a. Analyze FTP Uploads: Enable this option to send FTP uploads to
TRITON AP-DATA for analysis and policy enforcement.
b. Analyze HTTPS Content: Enable this option to send decrypted HTTPS
posts to TRITON AP-DATA for analysis and policy enforcement.
12. These options can be accessed whenever TRITON AP-DATA is registered by
going to the Configure > Security > Web DLP > General page.
13. Click Apply.
14. Restart the Content Gateway.

Deploy TRITON AP-DATA


1. In TRITON - Unified Security Center, click the Security tab.
2. Verify that Settings > Deployment > System Modules includes Content
Gateway.

3. Click the Deploy button and OK.

Import Users and Groups


1. In TRITON AP-DATA Manager, go to Settings > System > User Directories
2. Select the New button.
3. Create the Active Directory connection using the following parameters:
Name: WSCERT
Type: Active Directory
IP Address or Hostname: 172.31.0.150
Port Number: 3268
User distinguished name: wscert\administrator
Password: Websense1

Tip
In production environments using a Microsoft Domain Controller for
LDAP, you may want to use the domain name in the IP address or host
name field and Port number 3268, as shown here, rather than the
standard LDAP port 389.
Using those settings will connect to the Global Catalog Server for
LDAP queries. When using the Global Catalog Server, LDAP queries
will go to any available domain controller rather than being directed to a
specific IP hostname. This will provide greater fault tolerance in the
event of a single domain controller failure.

4. Select Test Connection and confirm that the Active Directory connection is
configured correctly.
5. Scroll down the User Directory Server screen until you see the Directory Usage
section.
6. Enter: tmuller@wscert.com in the Sample email address field, and then select
the Test Attributes button.
7. Click View Results and review the default set of user attributes that were
retrieved.
8. When incidents occur, TRITON AP-DATA will use this information from the
directory server and make it available for the incident report. Additional attributes
can be specified in the Attributes to retrieve field. Any attributes that have not
been defined for a user will not be displayed.
9. Select OK.
10. Select the checkbox by the newly created server, and then select the Import Now
button and select OK.

11. Select the Refresh icon to verify that the users have been imported. After the
import has been verified, select the Close button.
12. To see the imported users, go to: Main > Policy Management > Resources >
User Directory Entries.

13. For blocking to occur you must first confirm that the WCG Module is enabled by
going to the Settings > System Modules > Content Gateway Details > General
tab by clicking on the Content Gateway you wish to view.

14. Additionally, the module must be set to Block by going to the HTTP/HTTPS tab
and enabling the settings as shown below. Click OK.

15. Repeat this process for both v10k appliances and then Deploy these settings.

Tip
You need to have HTTPS enabled in the WCG as well.
Verify that this is the case before proceeding further.

Web DLP Policy Configuration


1. Return to the TRITON Manager and go to Data > Main > Policy Management >
DLP Policies > Web DLP.
2. Click Attributes > Regulatory & Compliance.
3. Check the box for Enable attribute.
4. Click the link for No regions selected.
5. Select USA and click OK.
6. Check the box next to Personally Identifiable Information (PII) and click the
text that has now become a hyperlink to select the policy.
7. Check the box next to Social Security Numbers and click OK.
8. Click OK and Deploy the newly created policy.

Web DLP testing
1. Confirm that your browser is set to use the FQDN of the proxy
(v10k-1-wcg.wscert.com) as an explicit proxy (this should be configured already
from earlier labs). From Client-W7, log on as tmuller with the password
Websense1. Open Internet Explorer and go to Tools > Internet Options >
Connections > LAN Settings.
2. You can test the configuration in one of two ways:
a. Use your own web-based email account (a personal account, for example) to
send an email to your instructor, to yourself, or to someone else.
b. Go to dlpse.com and use the Home > Demo > Send Mail tool.
3. Anywhere in the body of the email, write:
“My new number is 345-12-6789. Please keep it for yourself”

Note
The message above contains data that could be a US Social Security
Number (SSN), which has the pattern XXX-YY-ZZZZ

4. You should receive an error which depends on your webmail provider.

Note
This lab has been validated using:
www.mail.com
www.hotmail.com
mail.yahoo.com
www.gmail.com
Outlook Webmail (Websense Internal).
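
The test message in step 3 trips the policy because a POST body carries text shaped like XXX-YY-ZZZZ. The following is an added example, not Websense code and not part of the original lab: a simplified content check of that kind, in which the function names, the sample requests (all constructed) and the use of the SSA's never-assigned ranges as a plausibility filter are assumptions of this example.

```python
import json
import re
from urllib.parse import parse_qsl

# Shape from the lab note: XXX-YY-ZZZZ, not embedded in a longer digit run.
SSN_SHAPE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def plausible_ssn(area, group, serial):
    # The SSA never assigns area 000, 666 or 900-999, group 00, or serial 0000.
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def find_ssns(text):
    """Return every SSN-shaped, plausibly valid string found in text."""
    return [m.group(0) for m in SSN_SHAPE.finditer(text)
            if plausible_ssn(*m.groups())]


def body_strings(content_type, body):
    """Yield the decoded text fields of a request body (form, JSON or raw)."""
    text = body.decode("utf-8", errors="replace")
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        # Decode %XX and '+' first, so an encoded hyphen is still seen.
        for _name, value in parse_qsl(text, keep_blank_values=True):
            yield value
    elif ctype == "application/json":
        try:
            stack = [json.loads(text)]
        except ValueError:
            yield text          # malformed JSON: scan it as plain text
            return
        while stack:            # walk nested objects and arrays
            item = stack.pop()
            if isinstance(item, str):
                yield item
            elif isinstance(item, dict):
                stack.extend(item.values())
            elif isinstance(item, list):
                stack.extend(item)
    else:
        yield text


def inspect_request(method, content_type, body):
    """Return (action, matches) for one request."""
    # Per the lab's warning, only data sent with POST is analysed.
    if method.upper() != "POST":
        return ("not-inspected", [])
    hits = []
    for field in body_strings(content_type, body):
        hits.extend(find_ssns(field))
    return ("block" if hits else "permit", hits)


# Constructed sample bodies; the first carries the lab's test sentence.
FORM = "application/x-www-form-urlencoded"
LAB_FORM = (b"to=instructor%40example.com&body=My+new+number+is+345-12-6789."
            b"+Please+keep+it+for+yourself")
ENCODED_FORM = b"body=My+new+number+is+345%2D12%2D6789"
LAB_JSON = b'{"to": ["instructor@example.com"], "msg": {"text": "My new number is 345-12-6789."}}'
NOT_AN_SSN = b"body=Order+000-12-6789+shipped"

if __name__ == "__main__":
    for label, ctype, body in [("form", FORM, LAB_FORM), ("encoded", FORM, ENCODED_FORM),
                               ("json", "application/json", LAB_JSON),
                               ("area 000", FORM, NOT_AN_SSN)]:
        print(label, inspect_request("POST", ctype, body))
```

Scanning the raw bytes of `ENCODED_FORM` finds nothing, because the hyphens arrive as `%2D`; the match only appears once the form fields are decoded, which is why the check works on decoded fields rather than on the wire bytes.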

Reviewing DLP Incidents


1. On the TRITON-APX server, launch the TRITON Manager, click Data.
2. Go to Main > Reporting > Data Loss Prevention and click
1. Incidents (last 3 days) as shown in the screen capture below.

3. You can review the list of incidents from the last 3 days. Double-click one
incident. A new browser window opens up; you can review the details of the
incident.

4. From the window above you can select further actions, which are grouped in three
categories:
• Workflow
• Remediate - Options shown in the screenshot below
• Escalate

5. Attempt to release the incident. You are unable to do so, as this type of incident
cannot be released. You should receive an error like the one shown below.

18 Creating Reports

Lab Objective
Reports are based on report templates, and are grouped into three categories:
Presentation, Investigative, and Real-Time Monitor. You can run and edit existing
report templates, save custom reports, and save reports as Favorites for faster access.
You can also enable self-reporting to allow users to control their own reporting needs
without administrator access.
In this lab, you will create reports to examine user activity and Web traffic network
behavior. You will also use these reports to investigate site activity and display
real-time Web traffic blocking for your site.

Steps

Creating and Customizing Reports

Creating a Presentation Report


Presentation reports are designed for collecting higher-level data and details. You will
create an Internet traffic presentation report that displays all the Top Sites Visited.
1. On the TRITON-APX server, launch the TRITON - Unified Security Center
and log on.
2. Confirm that you are configuring the 172.31.0.155 Policy Server.

3. Create a new report job.


a. Click Main [tab] > Reporting > Presentation Reports.
b. Expand the Internet Activity group of report templates in the Report
Catalog.
c. Click the Top Sites Visited report template to select it, and then click Run to
display the Run Report options page.
d. Change the Start date and End date so that they include the entire current
month. This includes all recent test traffic monitored by the Security Center.

e. Change the Output format type to PDF, and then add the
tmuller@wscert.com email address to the Recipient email addresses field.

Note
You often cannot distribute reports via email in the lab environment,
but this is an excellent method to distribute reports in a production
environment.

f. Change the Job name from the default value to a name similar to
Top-Sites-Visited-test1 so you can recognize the report once it is complete.
4. Click the Run Now option at the bottom of the Run report options page to display
the Job Queue page. Your report should be the most recent entry in this list with
the name you provided: Top Sites Visited-test1.
If a warning message displays that the SMTP server has not been configured yet,
ignore it and close the message box.
5. Click the check box next to your Top Sites Visited report to select it, and then
click the Run Now option to run this report.
6. Navigate back to the Main > Reporting > Presentation Reports area, but now
click the Review Reports option to view your new report.

7. Locate your Top Sites Visited-test1 report in the list, and click the report name
link to display the PDF report.
a. If the security warning page appears, click Continue to this website.
8. Click Open when the Internet Explorer browser window prompts if you want to
open or save Top Sites Visited.pdf. This displays the finished report in a PDF
viewer so that you can review your Top Sites Visited details.

Saving A Report as a Favorite


You will create a Top Sites by Bandwidth presentation report and save it as a Favorite.
1. Create a new report job by navigating to Main > Reporting > Presentation
Reports.
2. Expand the Network Activity group of report templates in the Report Catalog.
3. Click the Top Sites by Bandwidth report to select it, and click the Favorite
option to save this report to your Favorites list. The selected report also displays a
star symbol to show that it is a favorite.

4. Click Run to display the Run Report options page.
5. Change the Start date and End date so that they include the entire current month,
and change the Output format type to PDF.
6. Change the Job name from the default value to a name similar to Top Sites
Bandwidth-test2.
7. Click the Run Now option at the bottom of the Run report options page to display
the Job Queue page. Your report should be the most recent entry in this list with
the name you provided: Top Sites Bandwidth-test2.
a. If a warning message displays that the SMTP server has not been configured
yet, ignore it and close the message box.
8. Locate your Top Sites Bandwidth-test2 report in the list, and click the report
name link to display the PDF report.
a. If the security warning page appears, click Continue to this website.
9. Click Open when the Internet Explorer browser window prompts if you want to
open or save Top Sites Bandwidth-test2.pdf. This will display the report in a
PDF viewer so that you can review your results.

Configuring Self-Reporting
You will change the default settings and enable self-reporting, then log on as a
different user to view the self-reporting options.
1. Click Settings > Reporting > Preferences to change the default Report settings.
2. Click the Email Reports section, and enter admin@wscert.com as the default
Email address for all reports sent via email.
3. Click the SMTP server IPv4 address or name field, and enter 172.31.0.150 as the
SMTP server.
4. Click the Allow self-reporting check-box to enable this feature. This action adds
a new custom URL that you can share with your distributed Reporting users. The
URL will look similar to this:
https://172.31.0.155:9443/mng/pages/login/pages/selfReportLogin.jsf

5. Click Save Now, and then, if prompted, click Save and Deploy to activate these
changes.
a. If the security warning page appears, click Continue to this website.

6. Click back on the Settings > Reporting > Preferences link to refresh the page
with the new changes.
7. In the Email Reports section, click the custom URL used to access self-reporting
to open it in a new tab.
8. Click the new tab that displays the Self-Reporting logon page.
9. Log on with the user name administrator and the password Websense1.
10. This displays the self-reporting dashboard, which allows this user to
independently create Investigative Reports.

Creating an Investigative Report


Investigative reports are designed for digging deeper into individual user behavior, or
tracking Internet traffic to a particular site or traffic category. You will create an
Investigative Report to determine Top Sites Visited.
1. Create a new report job by navigating to Main > Reporting > Investigative
Reports.
2. Click the User by Day/Month link at the top of the Investigative Reports section
to display the report options for User Detail by Day.
3. Enter tmuller in the Search for user field, and then click Search to display
matching users.
4. Click Muller, Tim [tmuller] to select the user, then change the date to [Month]
[Day], [Year].
5. Click the Go to User by Day option to display the collected results for Tim
Muller for [Month] [Day], [Year]. The results for this investigative report are
grouped by categories such as Religion, and Pay To Surf websites.

6. Click the User Activity Detail by Month option to display even more results for
user Tim Muller.
7. In this case, the days with recorded activity for Tim Muller include [Month]
[Day], [Year], and [Month] [Day], [Year].
8. Click the link on the day of the month to expand the results for that day.

Saving An Investigative Report as a Favorite
You will create a new Investigative Report to review blocked sites and add it as a
Favorite.
1. Create a new report by navigating to Main > Reporting > Investigative Reports.
2. Click the Standard Reports link at the top of the Investigative Reports section to
display the most popular types of investigative reports.
3. Click the Which sites were blocked most? report in the Most Blocked report
category to display the report options and filters.
4. Click the View pull-down option and change it from One Day to All to display all
available results.
5. You can now see all the available results for blocked sites, sorted by category.
6. Click the orange bar chart listed for the URL Hostname to display additional
details about that category.
Note
This report includes sites blocked for all users, not just
sites blocked for the Tim Muller user account.

7. Click the Favorite Reports link at the top of the page to save this report to your
Favorites list.
8. Enter a report name similar to Category_blocked_test3 so you can locate the
report in your Favorites list.
9. Click Add to add this report, and you can see the new report name display in the
Favorites list.
10. Click back on the Reporting > Investigative Reports panel to see the new stored
report.
11. Click Favorite Reports to display the list.
12. Click the Category_blocked_test3 report to select it, and then click Run Now to
display the report options. You can also change the Specific Date Range if you
want to revise the report parameters.
13. Click Display Report to see the report with updated results.

Using the Real Time Monitor

Displaying Real-Time Monitor Results


The Real-Time Monitor displays all current monitored site traffic and activity, almost
like a more customized version of the main Dashboard. You will generate some
blocked traffic and display those results in the Real-Time Monitor.
1. Navigate to Main > Reporting > Real-Time Monitor.
2. Click the Show Results option to refresh the display. The Real-Time monitor will
display all recently monitored traffic.

3. Minimize the TRITON-APX server remote desktop window, and switch to the
Client-W7 remote desktop window with IP address 172.31.0.157. You should still
be logged into this workstation with the Tim Muller account.
4. On the Client W7 computer, click Start > All Programs > Internet Explorer to
open a new browser window.
a. Browse to this URL: http://testdatabasewebsense.com

Note
This is a site for testing Web pages and categories maintained by
Websense. You can use this to test traffic category and blocking
within your own organization.

b. Hold down the CTRL key while you click 8 to 10 of these test page links.
This CTRL + click action opens each link in a separate browser tab, which is
a rapid way to generate incidents.
c. Close the Internet Explorer browser window.
5. Minimize the Client-W7 remote desktop window, and return to the
TRITON-APX server.
a. Click Main > Reporting > Real-Time Monitor to return to the main monitor
window.

b. Click Show Results to refresh the display. You will see all the recently
blocked traffic display in the monitor.
c. Click Customize to review the monitor options.
d. Click the Number of records shown pull-down option, change this option to
250, and then click OK to close the Customize dialog.

Appendix A - Lab Topology

The basic lab topology is shown below to give you a visual representation of the
virtual machines you will be working with as you progress through the lab exercises in
this guide.
Appendix B - Using the ReadyTech Environment

Lab Objective
This document provides some general usage guidelines for accessing and using the
Websense virtual labs hosted by ReadyTech.

Steps

First Time Configuration


1. The first time you connect to the environment from your computer, you will need
to configure your system with the correct plug-ins.
After navigating to http://websense.hostedtraining.com, click the link to
Configure Automatically.

2. The system will automatically check your browser to make sure it is compatible
with the hosted lab environment and will make configuration suggestions if any
changes are necessary.

Depending on your browser configuration, you may need to download Java or
other plugins in order to access the hosted training environment.
3. After the installation is complete, click Save Settings to complete the
configuration.

Logging On
1. You log on to the virtual labs by using the Access Code provided by Websense
and ReadyTech.
Using your web browser, go to http://websense.hostedtraining.com, enter the
Access Code and click Submit.

2. The first time an Access Code is used, the user will be prompted to enter their first
and last name before proceeding. First time users will also have to check the
disclaimer check box and click the Activate link.

3. Click Connect to initiate access to the environment.

4. This will open an RDP session with the bastion host. Log on with the user name
Administrator and the password Websense1.

Accessing the Virtual Machines
1. On the bastion host, there are desktop shortcuts to initiate RDP sessions with the
Windows machines you need to access in order to execute the lab exercises. You also
have a desktop shortcut to the VMware vSphere client.
The vSphere client provides console access to all the virtual machines including
the V10000 appliance. Double click the vSphere desktop icon to start a session.
You can log on with the user name of root and the password training.

2. Click Ignore in the Security Warning.

3. To open a console session with the V10000, right-click the V10000 virtual
machine in vSphere and select Open Console.

Tip
When working in a VM console, you can return mouse and keyboard
control to the host Windows machine by pressing the key combination
Ctrl+Alt.

Enabling Promiscuous Mode


In order for network traffic to flow as expected in the virtual environment, you must
enable promiscuous mode on the virtual switch within the ESX server.
1. In the vSphere client, click the esxhost.

2. Click the Configuration tab.

3. Under the Hardware section, click Networking.

4. In the Virtual Switch section, click Properties.

5. With the vSwitch selected, click the Edit button.

6. From the Security tab, change the Promiscuous Mode to Accept. Click OK.

7. Click OK to confirm that you want to make this change.

8. Click Close to exit the vSwitch Properties window.

Reverting Virtual Machines


In the event that a virtual machine has become unresponsive or misconfigured, you
can revert it back to its original state at the beginning of the labs.
First, shut down the VM(s) you want to revert (if a VM is non-responsive, then shut
off the [virtual] power).
Then, in vSphere, right-click the machine and go to Snapshot > Snapshot Manager.

In Snapshot Manager, you can revert the virtual machine by selecting BASE, then
clicking the Go to button.
