Tuesday, December 7, 2010

Integrating Websense with ISA 2006

I recently had the dubious “pleasure” of having to install and integrate Websense with an ageing ISA 2006 Server.  After lots of trials and tribulations (then it works, then it doesn’t, or it appears to work but doesn’t filter etc. etc.)  I finally had to throw in the towel and call Websense support.  Here is what I had to do to get it working:

  1. Install Websense (with Filtering module) on the ISA server, making sure to select the “ISA Integration” option during installation
  2. Install the Websense ISAPI filter as per this Websense guide
  3. Stop and disable the Filtering Service
  4. Edit the wsMSP.ini file (located in %windir%\system32) on the ISA 2006 server and change the EIMServerIP value to match the IP of the Websense server (in this case my ISA server)
  5. Create an “ignore.txt” file as per the Configuring ISAPI Filter section in the Websense Installation Guide for Microsoft ISA Server
  6. Websense support then had me disable ALL authentication methods in ISA Server.  I did this via Configuration – Networks – Internal – Properties – Web Proxy – Authentication
  7. They then had me set up the following Access Rule in ISA Server: "All outbound traffic" TO AND FROM "Local Host" and "All Protected Networks"

Only after all this did it work as expected.  I have not had the opportunity to test this with ISA’s successor, Microsoft’s Threat Management Gateway, but I would imagine that the procedure should remain fairly similar.