Remote Filtering Server provides Web filtering for machines such as laptops that are located outside the network firewall. A remote computer must be running the Remote Filtering Client to be filtered by the Remote Filtering Server.
Remote Filtering Server is installed on a separate, dedicated machine with the same installer used for other Websense components. Ideally, it should be installed behind the outermost network firewall, but in the DMZ outside the firewall that protects the rest of the network.
During the installation, Remote Filter Server connects to ports 40000, 15868, 15871, 55880, and 55806 on the machine or machines running Policy Server, Policy Broker, and Filtering Service. Also, Policy Server uses port 55825 to communicate with the Remote Filtering machine.
If a firewall is installed between Remote Filtering Server and these other components, open these ports on the firewall. After the installation is complete, ports 15868, 15871, 55880 must remain open.
Remote Filtering Server may be installed on a Windows or Linux machine. If this is a Windows machine, install Remote Filtering Client Pack (see page 67) along with Remote Filtering Server. This installs an MSI installer package that can be used to deploy the Remote Filtering Client to target user machines.
When Remote Filtering Server is selected, the following screens appear during installation:
Policy Server Connection
Enter the IP address of the machine on which Policy Server is installed and the port Policy Server uses to communicate with other Websense components (default is 55806).
Important
Do not modify the websense.ini file.
Important
Deploy the Remote Filtering Client to user machines but do not deploy it to this (Remote Filtering Server) machine.
The port used by Policy Server to communicate with other Websense components must be in the range 1024-65535. Policy Server may have been automatically configured to use a port other than the default 55806. When Policy Server is installed, if the installation program finds the default port to be in use, it is automatically incremented until a free port is found. To determine what port is used by Policy Server, check the websense.ini file—located in C:\Program Files\Websense\bin (Windows) or /opt/Websense/bin (Linux)—on the Policy Server machine. In this file, look for the PolicyServerPort value.
If Policy Server is not installed yet, anywhere in your network, you must install it before installing Remote Filtering Service.
Remote Filtering Server Communication
The external IP address or host name of the firewall or gateway must be visible from outside the network. If you enter a host name, it must be in the form of a fully-qualified domain name: <machine name>.<domain name>
The external communication port can be any free port in the range 10-65535 on this machine. This port receives HTTP/HTTPS/FTP requests from external Remote Filtering Client machines (i.e. user machines, running Remote Filtering Client, outside the network). The default is 80. If a Web server is running on this machine, it may be necessary to use a different port.
Important
Do not modify the websense.ini file.
Important
Remember whether you entered an IP address or a host name here. When installing the Remote Filtering Client on user machines, you must enter this address in the same form (IP address or domain name).
Note
It is a best practice to use IP addresses, rather than host names, unless you are confident of the reliability of your DNS servers. If host names cannot be resolved, Remote Filtering Clients will be unable to connect to the Remote Filtering Server.
Note
The external network firewall or gateway must be
configured to route traffic, typically via PAT or NAT, from Remote Filtering Client machines to the internal IP
The internal communication port can be any free port in the range 1024-65535 on this machine. The default is 8800. This is the port to which remote client heartbeats are sent to determine whether a client machine is inside or outside the network. The external network firewall must be configured to block traffic on this port. Only internal network connections should be allowed to this port.
For more information, see the Remote Filtering Software technical paper.
Remote Filtering Pass Phrase
The pass phrase can be any length. This pass phrase is combined with unpublished keys to create an encrypted authentication key (shared secret) for secure client/server communication.
If you want this instance of Remote Filtering Server to function as a backup (secondary or tertiary) server for a primary Remote Filtering Server, you must enter the same pass phrase used when installing the primary Remote Filtering Server.
The pass phrase must include only ASCII characters but cannot include spaces. Do not use extended ASCII or double-byte characters.
You must use this pass phrase when you install the Remote Filtering Client on user machines that will connect to this Remote Filtering Server.
Important
Record this pass phrase and keep it in a safe place. If it is lost or forgotten, Websense software cannot be used to retrieve it.
Filtering Service Information for Remote Filtering
• Internal IP address: Enter the actual IP address of the Filtering Service machine to be used by this instance of Remote Filtering Server.
• Filtering port and Block page port: The filtering port is used by Filtering Service to communicate with other Websense components. The block page port is used by Filtering Service to send block pages to client machines.
These ports must be in the range 1024-65535. These ports must be open on any firewall between the Remote Filtering Server and Filtering Service.
Filtering Service may have been automatically configured to use ports other than the default 15868 (filtering port) and 15871 (block page port).
When Filtering Service is installed, the installation program checks whether these default ports are already in use on that machine. If either is already in use, the port is automatically incremented until a free port is found.
To find the ports used by Filtering Service, check the eimserver.ini file—located in C:\Program Files\Websense\bin (Windows) or / opt/Websense/bin (Linux)—on the Filtering Service machine. Look for the WebsenseServerPort (filtering port) and BlockMsgServerPort (block page port) values.
• Translated IP address: Use this box to provide the translated IP address of Filtering Service if it is behind a network-address-translating device.
You must check A firewall or other network device performs address translation between Remote Filtering Server and Filtering Service to activate this box.
See the Remote Filtering Software technical paper (available in the in the Documentation > Planning, Installation and Upgrade folder of the Websense Knowledge Base) for information on installing, configuring, and using remote filtering.
Important
Do not modify the eimserver.ini file.