
This Question is Answered

9 Replies Last post: Oct 26, 2009 6:12 AM by Bisti  

Does anyone have Websense Web Filter working in a guest VM? Please help!!!! posted: Feb 16, 2009 1:29 AM

shakiel (Novice, 14 posts):
Hi

I am running a 3 host ESX 3.5 U3 cluster managed by vCenter 2.5 U3.


I have 4 vSwitches on each host: 1 x VM, 1 x iSCSI, 1 x vMotion, 1 x Websense (internet monitor), which is in promiscuous mode (no other vSwitches are in promiscuous mode).


Here is my issue. I have a guest VM running Windows Server 2003 SP2 (not R2) which is running Websense Web Filter v6.3.2.


I have dedicated 1 vNIC to my Websense vSwitch and port-mirrored the internet connection on my switch.


When using Wireshark on the guest VM to monitor internet traffic I am unable to see any traffic going from the client to the firewall, but can see the response from the firewall to the client.


As part of the troubleshooting process I ran Wireshark on a physical host connected to the same physical switch (after changing the port mirror) and it worked fine, therefore localizing the issue to VMware.

I have logged support calls with VMware and Websense but neither can find the issue.

If you have got Websense working in a guest VM could you let me know your config?

Thanks

Rumple (Master, 1,400 posts):

See if anything here helps

http://communities.vmware.com/message/371562

Could need to enable promiscuous mode in the VM...

Texiwill (Guru, User Moderator, vExpert, 10,432 posts):
Hello,

I have 4 vSwitches on each host: 1 x VM, 1 x iSCSI, 1 x vMotion, 1 x Websense (internet monitor), which is in promiscuous mode (no other vSwitches are in promiscuous mode).

You made the whole vSwitch promiscuous or just the portgroup for websense?

Here is my issue. I have a guest VM running Windows Server 2003 SP2 (not R2) which is running Websense Web Filter v6.3.2.

I have dedicated 1 Vnic to my Websense Vswitch and port mirrored the internet connection on my switch.

You may be able to port mirror within the pSwitch but not within the vSwitch, so not sure what you did here exactly. I assume the pSwitch.

When using wireshark on the guest vm to monitor internet traffic I am
unable to see any traffic going from the client to the firewall but can
see the response from the firewall to the client.

Did you set the VLAN ID of the portgroup Websense is on within the vSwitch to 4095? Sounds like this is out-of-band monitoring and you may have tagged packets. Tagged packets are dropped by the vSwitch unless a) there is a portgroup with the appropriate VLAN ID or b) you are using VLAN ID 4095 on the portgroup. Multiply tagged packets will be dropped by the vSwitch no matter the portgroup VLAN ID. So your network looks like:

pSwitch <-> port A <-> regular network
pSwitch <-> mirror of port A <-> pNIC <-> Promiscuous vSwitch <-> Portgroup w/VLAN ID = ??? <-> Websense

Is this correct?


Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast
Texiwill (Guru, User Moderator, vExpert, 10,432 posts):
Hello,

If it was me, I would use your physical setup with Wireshark to see if the packets being sent to Websense are multiply tagged, i.e. double-encapsulated packets. If they are, then they will be rejected by the vSwitch and you will NOT be able to use Websense as a VM. If they are not multiply tagged then something else is going on.

I would put in place of websense a VM on which you run wireshark, perhaps a standard Linux or windows VM, and see what it is receiving. Are you sure the ethernet port on the VM is being put into promiscuous mode as well?


Best regards,
Edward L. Haletky
VMware Communities User Moderator
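Texiwill's two replies above hinge on one question: are the mirrored frames carrying zero, one, or two VLAN tags? The following is an added example, not code from the thread or from VMware or Websense. It walks raw Ethernet frames, counts stacked 802.1Q/802.1ad tags, and applies a simplified model of the vSwitch rules as stated in the thread (stacked tags always dropped; a single tag needs a matching portgroup VLAN ID or VLAN ID 4095; untagged frames need VLAN ID 0 or 4095). That model, the firewall address 192.0.2.1, the MAC addresses and the sample frames are all constructed assumptions for the demonstration; the sample set is built so that client-to-firewall frames arrive double-tagged and firewall-to-client frames do not, which reproduces the "only replies visible" symptom from the original post.

```python
import struct
from collections import Counter

VLAN_ETHERTYPES = {0x8100, 0x88A8, 0x9100}   # 802.1Q, 802.1ad (QinQ), legacy QinQ TPID
ETH_IPV4 = 0x0800


def parse_frame(frame):
    """Walk the Ethernet header and any stack of 802.1Q/802.1ad tags.

    Returns src/dst MACs, the list of VLAN IDs (outer tag first), the inner
    EtherType and the payload that follows the last tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    off, vlans = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype not in VLAN_ETHERTYPES:
            break
        (tci,) = struct.unpack_from("!H", frame, off)   # PCP(3) DEI(1) VID(12)
        off += 2
        vlans.append(tci & 0x0FFF)
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": vlans,
            "ethertype": etype, "payload": frame[off:]}


def ipv4_endpoints(parsed):
    """Return (src_ip, dst_ip) for an IPv4 payload, else None."""
    if parsed["ethertype"] != ETH_IPV4 or len(parsed["payload"]) < 20:
        return None
    p = parsed["payload"]
    return ".".join(map(str, p[12:16])), ".".join(map(str, p[16:20]))


def vswitch_verdict(vlans, portgroup_vlan):
    """Simplified model (an assumption, not VMware documentation) of what a
    standard vSwitch portgroup delivers to a promiscuous vNIC, following the
    rules as stated in the thread:
      - two or more stacked tags: dropped whatever the portgroup VLAN ID
      - one tag: delivered if it matches the portgroup VLAN ID, or the
        portgroup uses VLAN ID 4095 (tag passed through to the guest)
      - no tag: delivered if the portgroup VLAN ID is 0 or 4095
    """
    if len(vlans) >= 2:
        return "dropped: %d stacked tags" % len(vlans)
    if len(vlans) == 1:
        if portgroup_vlan in (vlans[0], 4095):
            return "delivered"
        return "dropped: tag %d != portgroup VLAN %d" % (vlans[0], portgroup_vlan)
    return "delivered" if portgroup_vlan in (0, 4095) else "dropped: untagged"


def summarize(frames, portgroup_vlan, firewall_ip):
    """Count frames by tag depth and, for delivered IPv4 frames, by direction
    relative to the firewall, so a lopsided capture is explained by tag depth."""
    depth, direction, drops = Counter(), Counter(), []
    for raw in frames:
        f = parse_frame(raw)
        depth[len(f["vlans"])] += 1
        verdict = vswitch_verdict(f["vlans"], portgroup_vlan)
        if verdict != "delivered":
            drops.append(verdict)
            continue
        ep = ipv4_endpoints(f)
        if ep:
            direction["to firewall" if ep[1] == firewall_ip else "from firewall"] += 1
    return {"by_tag_depth": dict(depth),
            "delivered_by_direction": dict(direction),
            "drops": drops}


# --- constructed sample frames (not a real capture) ---
def build_frame(src_ip, dst_ip, vlans=()):
    """Ethernet + optional stacked tags + a minimal 20-byte IPv4 header."""
    dst_mac, src_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    tags = b""
    for i, vid in enumerate(vlans):
        tpid = 0x88A8 if (i == 0 and len(vlans) > 1) else 0x8100   # outer tag of a QinQ stack is 802.1ad
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + tags + struct.pack("!H", ETH_IPV4) + ip


FIREWALL = "192.0.2.1"   # assumed firewall address for the sample
SAMPLE = [
    build_frame("192.0.2.50", FIREWALL, vlans=(200, 10)),   # client -> firewall, double-tagged by the mirror
    build_frame("192.0.2.51", FIREWALL, vlans=(200, 10)),
    build_frame(FIREWALL, "192.0.2.50", vlans=(10,)),       # firewall -> client, single tag
    build_frame(FIREWALL, "192.0.2.51"),                    # firewall -> client, untagged
]

if __name__ == "__main__":
    print(summarize(SAMPLE, portgroup_vlan=4095, firewall_ip=FIREWALL))
```

To use this against a real capture, feed `summarize()` the raw link-layer bytes of each frame from the physical-host Wireshark capture (for example via a pcap reader) and the VLAN ID configured on the Websense portgroup. If the client-to-firewall half of the conversation lands in the depth-2 bucket while the replies do not, the vSwitch is behaving as Texiwill describes and the fix belongs on the physical switch's mirror configuration, not in the VM.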
oreeh (Guru, User Moderator, vExpert, 9,970 posts):
I've never used Websense in sniffing mode in a VM. However the proxy mode works fine.
tmcgoffin (Lurker, 1 post):

Hey, did you ever get Websense to work on a virtual switch port in promiscuous mode? We are just virtualizing the newest version of Websense and would like to do this as well instead of dedicating a physical NIC to the process. However, even if we can get it going, it might be a resource hog. What did you end up doing?


Bisti (Novice, 24 posts):
Any chance you could bypass the need to dedicate one physical NIC for Websense using Cisco Nexus 1000V (virtual Cisco switch)? I mean to set the monitor port output on the Cisco virtual switch directly to the VM.
