I don't think you going to like the answer, but here goes (grin). There is no correct answer, all solutions are valid. As a rule of thumb, I always try to put Websense at the last connection point to the Internet. Since your router does not support Websense (at least, not yet; Cisco is rumoured to be working on it), the best place for Websense is your firewall. My favorite firewall is the Cisco PIX as it is the easiest to configure, maintain and secure. Most firewall products will support the Websense filtering (including the Cisco PIX and Checkpoint Firewall-1). My reasons are these:
- Not all proxy servers work for every technology, (In particular, Microsoft proxy product has a very poor reputation in real life even after its recent revision) and sometimes you want to bypass the proxy for a given website. Typically, this is when a new technology comes along which the proxy cannot support. If you bypass the proxy, you may bypass the WebSense filtering.
- Don't overload your servers. You want to spread your load around. The firewall should be dedicated to task and adding Websense would be a natural relationship.