Redirect Web Filtering in ScreenOS Using NSM Overview
Redirect Web Filtering enables you to block or permit access to different websites based on their URLs, domain names, and IP addresses. NSM supports redirect Web filtering using either the Websense Enterprise Engine or SurfControl Web Filter.
For Websense, ScreenOS supports up to eight Web-filtering servers. On vsys devices, one server is reserved for the root, leaving seven servers available for vsys (one server per vsys; all remaining vsys must use the root server). For vsys-capable devices running ScreenOS 5.2, you can assign the same server to multiple vsys devices, and then configure a profile name for each vsys to enable the filtering server to distinguish between vsys devices.
Select the redirect Web filtering method you want to use, enable Web filtering for that method, and then configure the settings.
Table 1 describes the options available for configuring Web filtering settings.
Table 1: Web Filtering Options
The source from which the security device initiates Web filter requests to a Web-filtering server.
The IP address or fully qualified domain name (FQDN) of the Websense or SurfControl server.
The port number on the filtering server that handles filtering requests. The default port for Websense is 15868; the default port for SurfControl is 15868.
The profile name uniquely identifies the device when connecting to the filtering server. When configuring Websense (Redirect) Web-Filtering for multiple vsys devices using the same root device, you can assign the same Web-filtering server and port to multiple vsys devices as long as you use a unique profile name for each device.
Note: This option is applicable for vsys-capable devices running ScreenOS 5.2 only.
The time interval, in seconds, that the security device waits for a response from the Web-filtering server. If the server does not respond within the time interval, the security device either blocks the request or permits it. For the time interval, you can enter a number between 10 and 240.
The fail mode (Block or Permit) determines how the security device handles HTTP requests if the device loses contact with the Web-filtering server.
The source of the message the user receives when Websense or SurfControl blocks a site.
Message Sent to Blocked Client
The message the security device returns to the user after blocking a website. You can use the message sent from the Websense or SurfControl server, or create a message (up to 500 characters).
If you change the default port on the server, you must also change the port on the security device.
All vsys devices assigned to the same Websense Web-filtering server use the same Server Timeout, Fail Mode, and Message Type. Although you can configure different values for these fields for different vsys devices in the NSM UI, the Websense server uses only the values defined for the vsys device that most recently contacted the Web-filtering server.
If you select NSM, some of the functionality that Websense provides, such as redirection, is suppressed.
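The constraints above can be checked against a planned configuration before it is entered in NSM. The following is an added example, not Juniper code: the field names, the sample entries, and the placeholder address 192.0.2.10 are assumptions made for illustration. It flags out-of-range timeouts, over-length custom messages, duplicate profile names on a shared server, and shared fields whose values differ between vsys devices (where only the most recent contact's values take effect).

```python
from collections import defaultdict

# Constructed sample of intended per-vsys settings. Field names are
# hypothetical (not NSM or ScreenOS identifiers); 192.0.2.10 is a placeholder.
SAMPLE = [
    {"vsys": "root", "server": "192.0.2.10", "port": 15868, "profile": "root",
     "timeout": 10, "fail_mode": "Block", "message_type": "NSM", "message": "Blocked"},
    {"vsys": "vsys1", "server": "192.0.2.10", "port": 15868, "profile": "cust-a",
     "timeout": 10, "fail_mode": "Permit", "message_type": "NSM", "message": "Blocked"},
    {"vsys": "vsys2", "server": "192.0.2.10", "port": 15868, "profile": "cust-a",
     "timeout": 300, "fail_mode": "Block", "message_type": "NSM", "message": "x" * 501},
]

# Fields the page says are shared by all vsys devices on one Websense server.
SHARED_FIELDS = ("timeout", "fail_mode", "message_type")

def audit(entries):
    """Return a list of (vsys or server:port, finding) tuples."""
    findings = []
    by_server = defaultdict(list)
    for e in entries:
        by_server[(e["server"], e["port"])].append(e)
        if not 10 <= e["timeout"] <= 240:
            findings.append((e["vsys"], "timeout outside 10-240 seconds"))
        if e["fail_mode"] not in ("Block", "Permit"):
            findings.append((e["vsys"], "fail mode must be Block or Permit"))
        if len(e.get("message", "")) > 500:
            findings.append((e["vsys"], "custom message longer than 500 characters"))
    for (server, port), group in by_server.items():
        if len(group) < 2:
            continue  # sharing rules apply only when several vsys use one server
        where = f"{server}:{port}"
        seen = set()
        for e in group:
            if e["profile"] in seen:
                findings.append((where, f"profile name {e['profile']!r} is not unique"))
            seen.add(e["profile"])
        for field in SHARED_FIELDS:
            if len({e[field] for e in group}) > 1:
                findings.append((where, f"{field} differs; only the most recent contact's value applies"))
    return findings

if __name__ == "__main__":
    for where, finding in audit(SAMPLE):
        print(f"{where}: {finding}")
```

A differing `fail_mode` is the finding to resolve first, since it leaves open whether requests are blocked or permitted when the filtering server is unreachable.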