Installation guide

Websense Content Gateway is downstream
A simple deployment has Websense Content Gateway as the downstream proxy,
closest to the client. In this scenario, Websense Content Gateway security features are
well positioned for maximum protection and network performance.
In this scenario, use of Websense Content Gateway authentication to validate client
credentials is preferred. You must disable authentication on the third-party proxy.
However, if the upstream third-party proxy requires authentication, you must disable
authentication on Websense Content Gateway and enable the pass-through
authentication feature via an entry in the records.config file (in the /WCG/config/
directory by default). An example records.config entry is as follows:
CONFIG proxy.config.http.forward.proxy_auth_to_parent INT 1
You can then use an XID agent (for example, Logon Agent) to facilitate client
identification. Websense Content Gateway can additionally send the client IP address
to the upstream third-party proxy using the X-Forwarded-For HTTP header via an
entry in records.config. To enable this function, the following entry would be made:
CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
The X-Forwarded-For HTTP header is the de facto standard for identifying the
originating IP address of a client connecting through an HTTP proxy. Some proxies do
not utilize the X-Forwarded-For header.
For information about installing and deploying XID agents, see the Websense Web
Security/Websense Web Filter installation and deployment guides.
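The two records.config entries above can be checked with a short script before the proxy chain goes live. This is an added example, not part of the Websense guide or product: it parses records.config text and reports where the two entries disagree with the intended chaining. The function names, the two intent flags and the sample file contents are assumptions made for the illustration.

```python
# Added example: audits records.config text for the two chaining entries named
# in this section. The intent flags and SAMPLE are assumptions, not gateway data.

PASS_AUTH = "proxy.config.http.forward.proxy_auth_to_parent"
INSERT_XFF = "proxy.config.http.insert_squid_x_forwarded_for"


def parse_records(text):
    """Map each CONFIG name to its list of (type, value, line_no) entries."""
    records = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        # Blank lines and '#' comment lines never have "CONFIG" as first token.
        if len(fields) == 4 and fields[0] == "CONFIG":
            records.setdefault(fields[1], []).append((fields[2], fields[3], line_no))
    return records


def audit_downstream(text, upstream_requires_auth, upstream_needs_client_ip):
    """Return findings where the file disagrees with the intended chaining."""
    records = parse_records(text)
    expected = {PASS_AUTH: upstream_requires_auth, INSERT_XFF: upstream_needs_client_ip}
    findings = []
    for name, want_on in expected.items():
        entries = records.get(name, [])
        settings = {(rtype, value) for rtype, value, _ in entries}
        if len(settings) > 1:
            lines = ", ".join(str(n) for _, _, n in entries)
            findings.append(f"{name}: conflicting entries on lines {lines}")
            continue  # effective value is ambiguous; resolve the conflict first
        is_on = settings == {("INT", "1")}
        if want_on and not is_on:
            findings.append(f"{name}: expected INT 1, not enabled")
        elif is_on and not want_on:
            findings.append(f"{name}: enabled but not expected")
    return findings


# Constructed sample file contents (not taken from a real gateway).
SAMPLE = """\
# pass-through authentication left off, X-Forwarded-For entry duplicated
CONFIG proxy.config.http.forward.proxy_auth_to_parent INT 0
CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 0
"""

if __name__ == "__main__":
    print("\n".join(audit_downstream(SAMPLE, True, True)))
```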
Websense Content Gateway is upstream
When Websense Content Gateway is the upstream proxy, the downstream third-party
proxy can perform authentication and send client IP and username information in the
HTTP request headers. Websense Content Gateway authentication must be disabled.
In this scenario, caching must be disabled on the third-party proxy. Allowing the
third-party proxy to cache Web content effectively bypasses Websense Content Gateway’s
filtering and inspection capabilities for any Web site that was successfully accessed
previously from the third-party proxy.
For an upstream Websense Content Gateway to identify users:
1. Enable authentication on the third-party proxy.
2. Designate Websense Content Gateway as the parent proxy in the third-party
   proxy’s configuration.
3. Set the Read authentication from child proxy option in the Websense Content
   Gateway Configure pane (Configure > My Proxy > Basic > Authentication).
   This option allows Websense Content Gateway to read the X-Forwarded-For and
   X-Authenticated-User HTTP headers. The downstream third-party proxy passes
   the client IP address via the X-Forwarded-For header and the user domain and
   username in the X-Authenticated-User header.