Configuring Websense Enterprise Content Filtering

Websense Enterprise is a third party Internet filtering package that allows you to use Internet content filtering through the SonicWALL.

1. Select Websense Enterprise from the Content Filter Type list.
2. Click Configure to display the Websense Properties window.

Note: You specify enforcement of content filtering on the Network > Zones page.

Websense Properties

The General page in the Websense Properties window includes the following settings. After configuring Websense content filtering in the Websense Properties window, click OK.

Websense Server Status

This section displays the status of the Websense Enterprise server used for content filtering.

Settings

• Server Host Name or IP Address - Enter the Server Host Name or the IP address of the Websense Enterprise server used for the Content Filter List.
• Server Port - Enter the UDP port number for the SonicWALL to “listen” for the Websense Enterprise traffic. The default port number is 15868.
• User Name - To enable reporting of users and groups defined on the Websense Enterprise server, leave this field blank. To enable reporting by a specific user or group behind the SonicWALL, enter the User Name configured on the Websense Enterprise Server for the user or group. If using NT-based directories on the Websense Enterprise Server, the User Name is in this format, for example: NTLM:\\domainname\username. If using LDAP-based directories on the Websense Enterprise server, the User Name is in this format, for example: LDAP://o-domain/ou=sales/username.

Warning: Alert! If you are not sure about the entering a user name in this section, leave the field blank and consult your Websense documentation for more information.

• If Server is unavailable for (seconds) - Defines what action is taken if the Websense Enterprise server is unavailable. The default value for timeout of the server is 5 seconds, but you can enter a value between 1 and 10 seconds.
• Block traffic to all Web sites - Selecting this option blocks traffic to all Web sites except Allowed Domains until the Websense Enterprise server is available.
• Allow traffic to all Web sites - Selecting this option allows traffic to all Web sites without Websense Enterprise server filtering. However, Forbidden Domains and Keywords, if enabled, are still blocked.

Note: If you have Websense Enterprise selected as the content filter type, the firewall does not store allowed or forbidden keywords. If the Websense server becomes unavailable, the firewall does not send any queries to the Websense database, and allowed and forbidden keywords will not work. Allowed and forbidden keywords work only when the Websense server is available. However, if you have SonicWall’s Content Filter Service selected as the content filter type, you can still use allowed and forbidden keywords even if the Content Filter Service server becomes unavailable.

URL Cache

• Cache Size (KB) - Configure the size of the URL Cache in KB.

Tip: Tip! A larger URL Cache size can result in noticeable improvements in Internet browsing response times.

YouTube for School Content Filtering Support

YouTube for Schools is a service that allows for customized YouTube access for students, teachers, and administrators. YouTube Education (YouTube EDU) provides schools access to hundreds of thousands of free educational videos. These videos come from a number of respected organizations. You can customize the content available in your school. All schools get access to all of the YouTube EDU content, but teachers and administrators can also create playlists of videos that are viewable only within their school's network. Before configuring your SonicWALL security appliance for YouTube for Schools, you must first sign up:

www.youtube.com/schools

The configuration of YouTube for Schools depends on the method of Content Filtering you are using, which is configured on the Security Services > Content Filter page.

Membership in Multiple Groups

If a user is a member of multiple groups where one policy allows access to any part of YouTube and the other policy has a YouTube for Schools restriction, the user will be filtered by the YouTube for Schools policy and not be allowed unrestricted access to YouTube.

A user cannot be a member of multiple groups that have different YouTube for School IDs. While the firewall will accept the configuration, this is not supported.

Note: For more information on the general configuration of CFS, refer to the Security Services > Content Filter section in the SonicOS Administrator’s Guide.

When the CFS Policy Assignment pulldown menu is set to Via Application Control, YouTube for Schools is configured as an App Control Policy.

1. Navigate to Firewall > Match Objects and click Add New Match Object.





2. Type in a descriptive name, and then select CFS Allow/Forbidden List as the Match Object Type.
3. Select Partial Match for the Match Type.
4. In the Content field, type in “youtube.com” and then click Add.
5. Type in “ytimg.com” and then click Add.
6. Click OK to create the Match Object.
7. Navigate to the Firewall > App Rules page and click Add New Policy.





8. Type in a descriptive Policy Name.
9. For the Policy Type, select CFS.
10. Select the appropriate settings for Match Object and Action Object, based on your environment.
11. For CFS Allow/Excluded List, select the Match Object you just created (our example uses “CFS Allow YT4S”).
12. Select the Enable YouTube for Schools checkbox.
13. Paste in your School ID, which is obtained from www.youtube.com/schools
14. Click OK to create the policy.

Note: Once the policy has been applied, any existing browser connections will be unaffected until the browser has been closed and reopened. Also, if you have a browser open as administrator on the firewall, you will be excluded from CFS policy enforcement unless you configure the firewall specifically not to exclude you (select the Do not bypass CFS blocking for the Administrator checkbox on the Security Services > Content Filter page).

When the CFS Policy Assignment pulldown menu is set to Via User and Zone Screens, YouTube for Schools is configured as part of the Content Filter policy.

On the Security Services > Content Filter page, select Content Filter Service for the Content Filter Type pulldown menu.

1. Click the Configure button.
2. On the Policy tab, click the Configure icon for the CFS policy on which you want to enable YouTube for Schools.
3. Click on the Settings tab, and select the Enable YouTube for Schools checkbox.
4. Paste in your School ID, which is obtained from www.youtube.com/schools.





5. Click OK.
6. On the Custom List tab, click the Add button for Allowed Domains.
7. In the dialog box, type “youtube.com” into the Domain Name field and click OK.
8. Click Add again.
9. Type “ytimg.com” into the Domain Name field and click OK.





10. Click OK.

These settings will override any CFS category that blocks YouTube.

Note: Once the policy has been applied, any existing browser connections will be unaffected until the browser has been closed and reopened. Also, if you have a browser open as administrator on the firewall, you will be excluded from CFS policy enforcement unless you configure the firewall specifically not to exclude you (select the Do not bypass CFS blocking for the Administrator checkbox on the Security Services > Content Filter page).

YouTube for Schools and HTTPS

The SonicWALL CFS implementation of YouTube for Schools does not support HTTPS access to youtube.com. When youtube.com is accessed over HTTPS, the user will have unrestricted access to YouTube content. The following solutions can be implemented to work around this:

Enable Client DPI-SSL with CFS inspection. DPI-SSL feature activation requires separate license and this is supported on NSA 240 and higher models.

Create a LAN (or DMZ) to WAN Access Rule as under:

• Action: Deny
• Service: HTTPS
• Source: Any
• Destination: Create an FQDN Address Object for youtube.com and ytimg.com

Issues

DPI-SSL cannot be used to block https://youtube.com, but only to allow it. So the DPI section above should not be part of the solutions that can be implemented to work around this.

In creating the above rule to block HTTPS access to youtube.com or www.youtube.com and s.ytimg.com, we have found that https://www.google.com is now also blocked, as well as https://drive.google.com and https://play.google.com are blocked also.

Other google sites such as calendar.google.com and gmail work fine.

Creating fqdns for the blocked site and creating an allow rule for the group, also allows https youtube to be accessed.

In summary, creating the deny rules for https>youtube fqdns also blocks other google ssl sites. So there is no way that we have found to use youtube for schools and block access to ssl youtube without blocking other google ssl sites. And there is no way to allow the other sites without also causing ssl youtube to be allowed as well.