
Configuring Redirect Web Filtering

To configure a security device to perform redirect web filtering, follow these steps:

1. Set Up a Domain Name System (DNS) Server

The Juniper Networks security device incorporates Domain Name System (DNS) support, allowing you to use domain names as well as IP addresses for identifying locations. If you identify the web-filtering server by name rather than by IP address, you must configure at least one DNS server so that the security device can resolve that name to an address. For more information about DNS, refer to “Domain Name System Support” on page 2-217.

2. Set Up Communication with the Web-Filtering Servers

Configure the security device to communicate with one of the following servers:

• Websense server

• SurfControl server using the SurfControl Content Filtering Protocol (SCFP)

You can set up communication with up to eight web-filtering servers.

WebUI

Security > Web Filtering > Protocol > Select Redirect (Websense) or Redirect (SurfControl), then click Apply.

CLI

Enter the web-filtering context for SurfControl (scfp) or Websense (websense) redirect filtering. For more information, see “Using the CLI to Initiate Web-Filtering Modes” on page 97.

device-> set url protocol type { websense | scfp }
device-> set url protocol { websense | scfp }

device(url:scfp)-> set server { ip_addr | dom_name } port_num timeout_num

Configure the following web-filtering settings at the system level for web-filtering server communication:

• Source Interface: The interface from which the device initiates web-filter requests to a web-filtering server.

• Server Name: The IP address or Fully Qualified Domain Name (FQDN) of the computer running the Websense or SurfControl server.

• Server Port: If you have changed the default port on the server, you must also change it on the security device. (The default port for Websense is 15868, and the default port for SurfControl is 62252.) Refer to your Websense or SurfControl documentation for full details.

• Communication Timeout: The time interval, in seconds, that the device waits for a response from the web-filtering server. If the server does not respond within the time interval, the device either blocks or permits the request, according to the fail-mode setting described in step 4. For the time interval, enter a value from 10 through 240.

If a device with multiple virtual systems connects to a Websense server, the virtual systems can share the server. To configure multiple virtual systems to share a Websense server, use the following CLI commands to create an account name for each vsys:

device-> set url protocol type websense
device-> set url protocol websense
device(url:websense)-> set account name

Once you have configured the vsys names, you define the settings for the web-filtering server and the parameters for the behavior that you want the security device to take when applying web filtering. If you configure these settings in the root system, they also apply to any vsys that shares the web-filtering configuration with the root system. For a vsys, the root and vsys administrators must configure the settings separately. Virtual systems that share the same Websense web-filtering server must have the same web-filtering settings.

3. Enable Web Filtering at the Root and Vsys Levels

You must enable web filtering at the system level. For a device that is hosting virtual systems, enable web filtering for each system that you want to apply it. For example, if you want the root system and a vsys to apply web filtering, enable web filtering in both the root system and that vsys.

To enable web filtering, do either of the following:

WebUI

Security > Web Filtering > Protocol > Select Redirect (Websense) or Redirect (SurfControl), then click Apply. Select the Enable Web Filtering checkbox.

CLI

device-> set url protocol type { websense | scfp }
device-> set url protocol { websense | scfp }

When web filtering is enabled at the system level, HTTP requests are redirected to a Websense or SurfControl server. This allows the device to check all HTTP traffic against policies (defined in that system) that require web filtering. If you disable web filtering at the system level, the device ignores the web-filtering component in policies and treats those policies as plain “permit” policies, so HTTP traffic that they match passes without being checked against the server.

4. Define the System-Level Behavioral Parameters

Define the parameters that you want the system—root or vsys—to use when applying web filtering. One set of parameters can apply to the root system and any vsys that shares the web-filtering configuration with the root system. Other sets can apply to virtual systems that have a dedicated web-filtering server.

The options are as follows:

• If connectivity to the server is lost: If the security device loses contact with the web-filtering server, you can specify whether to Block or Permit all HTTP requests. Permit keeps HTTP flowing during an outage but also removes the filter entirely for its duration; Block is the safer choice where web filtering is relied on as a security control rather than a convenience.

• Blocked URL Message Type: If you select NetPartners Websense/SurfControl, the security device forwards the message it receives in the “block” response from the Websense or SurfControl server. When you select Juniper Networks, the device sends the message that you have previously entered in the Juniper Networks Blocked URL Message field.

• Juniper Networks Blocked URL Message: This is the message the security device returns to the user after blocking a site. You can use the message sent from the Websense or SurfControl server, or you can create a message (up to 500 characters) to be sent from the device.

To configure these settings, use either of the following:

WebUI

Security > Web Filtering > Protocol > Select Redirect (Websense) or Redirect (SurfControl), then click Apply.

CLI

device-> set url protocol type { websense | scfp }
device-> set url protocol { websense | scfp }
device(url:scfp)-> set fail-mode permit
device(url:scfp)-> set deny-message use-server

NOTE: If you select Juniper Networks, some of the functions that Websense provides, such as redirection, are suppressed.

5. Enable Web Filtering in Individual Policies

Configure the device to contact the web-filtering server based on the policy.

To enable web filtering in a policy, use either of the following:

WebUI

Policy > Policies > Click Edit (edit the policy that you want web filtering to apply), then select the Web Filter checkbox.

Select the web-filtering profile from the dropdown box.

CLI

device-> set policy from zone to zone src_addr dst_addr service permit url-filter

The url-filter keyword only has an effect while web filtering is enabled at the system level (step 3); otherwise the policy behaves as an ordinary permit policy.
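The five steps above, run end to end as a single CLI session for the Websense redirect case, with the root system and one vsys that shares the root system's server. This is an added worked example, not configuration from the original page. The DNS server address 10.1.1.53, the Websense server address 10.1.1.20, the interface and zone names, and the vsys name vsys1 are placeholders chosen for illustration. The `set dns host`, `set src-interface`, `set enable`, `exit`, `set vsys` and `save` commands, and the exact prompt text inside the vsys, are assumed from general ScreenOS CLI conventions rather than taken from this page.

```text
# Step 1: a DNS server, needed only if the web-filtering server is given by FQDN
device-> set dns host dns1 10.1.1.53

# Step 2: select Websense redirect mode and enter its context
device-> set url protocol type websense
device-> set url protocol websense
device(url:websense)-> set src-interface ethernet1
# server address, port (Websense default 15868), timeout in seconds (10 through 240)
device(url:websense)-> set server 10.1.1.20 15868 10

# Step 4: behavior when the server is unreachable or does not answer in time.
# "permit" fails open: every HTTP request is allowed unfiltered until the server
# returns. Use "block" where the filtering decision must not be bypassable.
device(url:websense)-> set fail-mode block
# Forward the server's own block page instead of the device's local message
device(url:websense)-> set deny-message use-server

# Step 3: enable web filtering in the root system, then leave the context
device(url:websense)-> set enable
device(url:websense)-> exit

# Step 5: reference web filtering from the policy that carries the HTTP traffic.
# Without url-filter (or with web filtering disabled above) this is a plain permit.
device-> set policy from trust to untrust any any http permit url-filter

# A vsys that shares the root system's Websense server inherits the server and
# behavior settings from root but needs its own account name and its own enable.
device-> set vsys vsys1
device(vsys1)-> set url protocol type websense
device(vsys1)-> set url protocol websense
device(vsys1:url:websense)-> set account vsys1
device(vsys1:url:websense)-> set enable
device(vsys1:url:websense)-> exit
device(vsys1)-> exit

# Persist the running configuration to flash
device-> save
```

The order matters in one respect: the server, fail-mode and deny-message settings are entered before `set enable`, so that the moment filtering switches on the device already knows what to do with requests it cannot get an answer for. Choosing `set fail-mode permit` instead of `block` is the single setting most likely to turn this configuration into a silent fail-open during a server outage, so record the choice deliberately.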