Josh,
 
If you have a terminal server environment at all, it is recommended that you stay with the Microsoft Proxy Servers.  Using the NT Challenge/Response authentication method and an IE browser, it is possible to identify the individual user sessions on the terminal server correctly.
 
Also, as Robert Fowler mentioned, FireWall-1 does not have any caching ability as far as actual content.  Your bandwidth use will increase due to the increased traffic being fetched from every site.  And we are not a standalone proxy that has any caching capabilities either.
 
Personally, based on some of the potential problems you may encounter optimizing the HTTP Security Server on the FireWall to be able to handle your current traffic loads, and the fact that you have terminal servers in your network, I would recommend that you either stay with the Microsoft Proxy Servers, or upgrade them to ISA servers rather than go with a FireWall-1 integration.  It is a solution that currently works (I'm assuming), and offers the benefit of a cache and unique user identification.
-----Original Message-----
From: Perrymon, Josh L. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 8:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Using WebSense instead of proxy servers

Thanks for the input.
 
I believe we will be doing the second option -- having WebSense query the DC for user authentication. We will have some IP issues because we are using DHCP and some users are dialed into Term Servs, so that IP would be reflected.
 
So basically I would like for WebSense to be integrated with FW-1. And also query the DC to determine if the user can be authenticated and has HTTP access.
 
Another problem, even though some users can be authenticated they shouldn't have http access. So I have to address that issue also.
 
Thanks,
 
JP
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 14, 2002 5:56 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Using WebSense instead of proxy servers

Josh,
 
There are two ways that we have to identify users beyond the integration partner (in your case currently the Microsoft Proxy Server and soon to be the FireWall-1 system), and we have numerous successful installations using either or both methods.  The first, as you mentioned, is what we call the DC Agent.  It is an application that can monitor the logons to your Windows-based domain controllers (either NT or Windows 2000) and associate the user name with the workstation IP address.  So, when the FireWall sends the workstation IP address through the UFP request, we can then associate a name with that request.   The other method is to manually challenge the user to provide a user name and password to the Websense Server.  This only works with FireWall-1 v4.1 SP3 and later.  With this method we can authenticate users against either an LDAP server or a Windows-based domain controller, and if successful, associate the user with that workstation IP address.
 
There are several other things to consider on this type of configuration change.  You may want to contact our Technical Support department to talk to them about the advantages and disadvantages of the changes you are considering.  They can be reached either by calling 858-458-2940 or by this web site http://www.websense.com/support/form/index.cfm
 
Thank you.
-----Original Message-----
From: Perrymon, Josh L. [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 14, 2002 12:32 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Using WebSense instead of proxy servers

Hello,
 
I want to set up Websense with my FW-1 installation and phase out the MS proxy servers. Currently we use proxies because they authenticate our users. (Some users aren't allowed WWW access and others are.)
 
We use DHCP and have 300-700 users so DENY rules wouldn't be efficient. Is anyone using Websense/FW-1 to authenticate users for WWW?
And what problems have you run into? I hear there is an agent you install on your domain controllers to query the user DB.
 
 
 
Thanks

Josh Perrymon
Network Security Consultant
BE&K , INC
(205) 972-6745
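
Added example, not part of the original thread and not Websense or Check Point code: a minimal Python model of the logon-to-IP association the DC Agent reply describes, showing why shared terminal-server addresses and DHCP lease changes make a source IP an unreliable identity. The class and method names, the addresses, the 8-hour freshness window and the block-on-ambiguity policy are all assumptions, and the events are constructed.

```python
from dataclasses import dataclass, field

MAX_AGE = 8 * 3600  # assumed freshness window (seconds) for a logon record


@dataclass
class LogonMap:
    """Hypothetical IP -> user table built from domain-controller logon events."""
    http_allowed: set                           # users permitted to browse
    by_ip: dict = field(default_factory=dict)   # ip -> {user: last_logon_ts}

    def logon(self, ts, user, ip):
        self.by_ip.setdefault(ip, {})[user] = ts

    def lease_changed(self, ip):
        # DHCP gave the address to another machine: earlier logons no longer apply.
        self.by_ip.pop(ip, None)

    def decide(self, ts, ip):
        """Return (verdict, reason) for a filter request arriving from source ip."""
        fresh = {u for u, t in self.by_ip.get(ip, {}).items() if ts - t <= MAX_AGE}
        if not fresh:
            return ("block", "no fresh logon for this address")
        if len(fresh) > 1:
            # Terminal server: several user sessions share one address, so the
            # IP alone cannot say whose request this is. Fail closed (assumed policy).
            return ("block", "ambiguous: " + ",".join(sorted(fresh)))
        user = next(iter(fresh))
        if user in self.http_allowed:
            return ("allow", user)
        return ("block", user + " authenticated but not permitted HTTP")


def demo():
    # Constructed events: (timestamp, user, source address)
    m = LogonMap(http_allowed={"alice", "carol"})
    m.logon(0, "alice", "10.0.0.21")    # single-user workstation
    m.logon(10, "bob", "10.0.0.22")     # valid domain user without HTTP rights
    m.logon(20, "carol", "10.0.0.5")    # terminal server, session 1
    m.logon(30, "bob", "10.0.0.5")      # terminal server, session 2
    results = [m.decide(60, ip) for ip in ("10.0.0.21", "10.0.0.22", "10.0.0.5")]
    m.lease_changed("10.0.0.21")        # DHCP reassigns alice's old address
    results.append(m.decide(90, "10.0.0.21"))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```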

 
