Websense gets me crazy (integration with PIX)
From: Alfonso Deo (axi-ck_at_iximail.com)
Date: 04/28/04
- Next message: Mimic: "Re: THE BEST KEPT SECRETS OF THE COMPUTER UNDERGROUND:"
- Previous message: Chris: "HELP: Incoming UDP 137 problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 28 Apr 2004 03:21:55 -0700
Hi all,
Websense gets me crazy, here is a brief background...
In our setup we have the following
Websense Policy server --- Firewall (NAT) --- Internet --- Gateway --- Websense Manager
10.1.1.2                   10.1.1.1                                    (admin user)
                           (98.201.123.242)
When the admin user tries to connect to the policy server, he connects
to the IP 98.201.123.242. The traffic from the Websense manager goes
out and over the internet to the Firewall (which is performing NAT).
The 98.201.123.242 address is then translated to the 10.1.1.2 actual
address of the Websense policy server. This part all works ok. We
can see that communication works when we do a tcpdump.
When the Websense policy server responds, it replies with the 10.1.1.2
IP. It hits the firewall which then does the NAT to 98.201.123.242
and then reaches the admin user. This part works ok, as far as
internet traffic/communication goes. Again, when we do the tcpdumps,
we see this traffic communicate.
Now this next part is where the problem lies.
Now, when the Websense policy server responds, it is sending a
response back to the admin user, but what the payload/data of this
response states is, "please connect to the policy server on IP
10.1.1.2". When the Admin user/Websense Manager receives this
response, the GUI will then send a second communication attempt to
10.1.1.2, where it is being told the policy server is.
Now, when the Websense manager now goes and tries to attempt a
connection to 10.1.1.2, it cannot communicate with the end device,
since the 10.1.1.2 IP is not a routable IP and it cannot establish a
session with this. I cannot verify this for sure since I do not have
the ability to tcpdump my workstation's traffic, but I'm trying to
come up with a way that I can try to put another device outside the
firewall that is doing the NAT so that I can try to see what is
actually going on.
Websense's solution to this problem is to have the admin user's
gateway perform reverse NAT of the 10.1.1.2 IP.
Basically when the admin user tries to communicate with the 10.1.1.2
IP, that traffic goes to the user's gateway, where we need to perform
reverse NAT (gateway NATs any outbound packet with a destination IP of
10.1.1.2 to 98.201.123.242). However, in order for us to do this, we
would have to make a change on our Gateway in front of the admin user.
This is not a valid solution, since we can't perform the NAT of this
IP on our end, since it may cause problems with our internal network.
In addition, that means anytime there is a Websense device, we would
have to add a NAT on our corporate firewalls so that we could reach
the device.
A better solution is if there is a way that we can tell the Websense
policy server not to send its real IP in the data packet, but instead
send its NAT IP. I'm not sure how we can actually do this at this
time.
So, can anybody help me? The Websense server gets its NAT on a PIX
firewall.
What would you do? How? I can't modify anything on the corporate
firewall because of our network policies.
Many thanks,
Alfonso
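The poster cannot capture traffic on the workstation, so the hypothesis (the policy server's reply carries its pre-NAT address in the payload, and the manager then connects to that unroutable address) remains unverified. The following script is an added diagnostic example, not code from the original post or from Websense: it scans a server reply for embedded IPv4 addresses, flags the RFC 1918 ones that a client outside the NAT cannot reach, and shows what an application-layer rewrite (the kind a PIX "fixup" does for protocols it understands) would have to produce. The sample reply, its text format and the port 5050 are constructed for illustration; the real Websense wire format is not documented on the page.

```python
import ipaddress
import re
import socket

# Constructed sample of the reply the poster describes: the payload tells the
# manager to reconnect to the policy server's real (inside) address. The
# "WSPOLICY ... connect-to:" format is invented for this example.
SAMPLE_REPLY = b"WSPOLICY 200\r\nconnect-to: 10.1.1.2:5050\r\n\r\n"

# Static NAT on the PIX as described in the post: inside 10.1.1.2 is reachable
# from the Internet as 98.201.123.242. Used only to show the needed rewrite.
STATIC_NAT = {"10.1.1.2": "98.201.123.242"}

DOTTED_QUAD = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def embedded_addresses(payload: bytes) -> list[str]:
    """Return every syntactically valid IPv4 address found in the payload."""
    found = []
    for match in DOTTED_QUAD.findall(payload):
        text = match.decode("ascii")
        try:
            ipaddress.IPv4Address(text)
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
        found.append(text)
    return found


def private_addresses(payload: bytes) -> list[str]:
    """Embedded addresses a client on the public Internet cannot route to."""
    return [a for a in embedded_addresses(payload)
            if ipaddress.IPv4Address(a).is_private]


def rewrite_embedded(payload: bytes, nat_map: dict[str, str]) -> bytes:
    """Replace inside addresses in the payload with their static-NAT outside
    addresses, as a protocol-aware firewall (an ALG) would have to do."""
    for inside, outside in nat_map.items():
        payload = re.sub(rb"\b" + re.escape(inside.encode()) + rb"\b",
                         outside.encode(), payload)
    return payload


def probe_server(host: str, port: int, timeout: float = 5.0) -> list[str]:
    """Live check for use from a host outside the NAT: connect, read the first
    bytes the server sends, and report any private addresses it leaks.
    Not run by the offline example below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(4096)
    return private_addresses(data)


if __name__ == "__main__":
    leaked = private_addresses(SAMPLE_REPLY)
    print("private addresses in reply:", leaked)
    fixed = rewrite_embedded(SAMPLE_REPLY, STATIC_NAT)
    print("after ALG-style rewrite:", fixed)
    print("still leaking:", private_addresses(fixed))
```

Run from a machine outside the firewall, `probe_server("98.201.123.242", port)` gives the confirmation the poster is after without a packet capture: a non-empty list means the server is advertising its inside address. Note that the rewrite shown here only works because the payload is plain text and the address is not length-prefixed or checksummed; for a binary or encrypted protocol a firewall cannot perform it, which is why the vendor pushes the fix to the client-side gateway instead.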