Problem solve Get help with specific problems with your technologies, process and projects.

Best place to put Websense?

I wonder if you can give me an advice about our network topology. We have a checkpoint firewall, MS Exchange and Proxy servers, Esafe virus scan server, a server which DNS, DHCP and WINS services are on, and a Websense server. I want all clients to reach the Internet through proxy and I want to do the URL filtering by Websense. But whomever I talk to suggests a different topology. Some said that proxy should stay at LAN whereas some said it should be at DMZ with Websense. What would be the optimum topology?
I don't think you going to like the answer, but here goes (grin). There is no correct answer, all solutions are valid.

As a rule of thumb, I always try to put Websense at the last connection point to the Internet. Since your router does not support Websense (at least, not yet; Cisco is rumoured to be working on it), the best place for Websense is your firewall. My favorite firewall is the Cisco PIX as it is the easiest to configure, maintain and secure. Most firewall products will support the Websense filtering (including the Cisco PIX and Checkpoint Firewall-1).

My reasons are these:
  1. Not all proxy servers work for every technology, (In particular, Microsoft proxy product has a very poor reputation in real life even after its recent revision) and sometimes you want to bypass the proxy for a given website. Typically, this is when a new technology comes along which the proxy cannot support. If you bypass the proxy, you may bypass the WebSense filtering.
  2. Don't overload your servers. You want to spread your load around. The firewall should be dedicated to task and adding Websense would be a natural relationship.

This was last published in May 2001

Dig Deeper on Networking Tutorials and Technical Guides

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.