Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Redirect Web Filtering in ScreenOS Using NSM Overview

 

Redirect Web Filtering enables you to block or permit access to different websites based on their URLs, domain names, and IP addresses. NSM supports redirect Web filtering using either the Websense Enterprise Engine or SurfControl Web Filter.

Note

For Websense licensing information, go to www.websense.com. For SurfControl licensing information, go to www.surfcontrol.com.

For Websense, ScreenOS supports up to eight Web-filtering servers. On vsys devices, one server is reserved for the root, leaving seven servers available for vsys (one server per vsys, all remaining vsys must use the root server). For vsys-capable devices running ScreenOS 5.2, you can assign the same server to multiple vsys devices, and then configure a profile name for each vsys to enable the filtering server to distinguish between vsys devices.

Select the redirect Web filtering method you want to use, enable Web filtering for that method, and then configure the settings.

Table 1 describes the options available for configuring Web filtering settings.

Table 1: Web Filtering Options

Web Filtering Options

Description

Source Interface

The source from which the security device initiates Web filter requests to a Web-filtering server.

Server Name

The IP address or fully qualified domain name (FQDN) of the Websense or SurfControl server.

Server Port

The port number on the filtering server that handles filtering requests. The default port for Websense is 15868; the default port for SurfControl is 15868.

Profile Name

The profile name uniquely identifies the device when connecting to the filtering server. When configuring Websense (Redirect) Web-Filtering for multiple vsys devices using the same root device, you can assign the same Web-filtering server and port to multiple vsys devices as long as you use a unique profile name for each device.

Note: This option is applicable for vsys capable devices running ScreenOS 5.2 only.

Server Timeout

The time interval, in seconds, that the security device waits for a response from the Web-filtering server. If the server does not respond within the time interval, the security device either blocks the request or permits it. For the time interval, you can enter a number between 10 and 240.

Fail Mode

The fail mode (Block or Permit) determines how the security device handles HTTP requests if the device loses contact with the Web-filtering server.

Message Type

The source of the message the user receives when Websense or SurfControl blocks a site.

  • If you select NetPartners Websense/SurfControl, the security device forwards the message it receives from the Websense or SurfControl server.

  • If you select NetScreen, the security device sends the message that you entered in the Message Sent to Blocked Client box.

Message Sent to Blocked Client

The message the security device returns to the user after blocking a website. You can use the message sent from the Websense or SurfControl server, or create a message (up to 500 characters).

If you change the default port on the server you must also change the port on the security device.

All vsys devices assigned to the same WebSense Web-Filtering server use the same Server Timeout, Fail Mode, and Message Type. Although you can configure different values for these fields for different vsys devices in the NSM UI, the WebSense server uses only the values defined for the vsys device that most recently contacted the Web-Filtering server.

If you select NSM, some of the functionality that Websense provides, such as redirection, is suppressed.