September 15, 2009
The /3GB boot.ini switch is perhaps the most misunderstood Windows tuning parameter there is. If you are not familiar with this switch, enabling it allows user mode processes to address 3GB of virtual memory instead of the usual 2GB. It does this at the expense of valuable kernel memory, however. The ISA firewall relies heavily on kernel memory (fweng.sys is the heart of the firewall core and runs in kernel mode) and cutting it in half can dramatically affect stability and performance by reducing the amount of available Paged and Non-paged Pool memory and reducing the maximum number of System Page Table Entries (PTEs). It has been well documented that the use of the /3GB boot.ini switch can cause serious issues, and in fact the ISA Best Practices Analyzer complains when it finds this switch in use.
Applications must be configured to take advantage of this additional memory made available by the /3GB switch. You can verify which applications are configured in this manner by using the dumpbin.exe utility that is included with Microsoft Visual C++ and specifying the /HEADERS parameter. Websense has enabled this functionality for some of their core services, and by looking at the headers for eimserver.exe version 7.1.0.1154 we can see that this image does indeed support large address space.
Websense is now optionally recommending that the /3GB switch be enabled when applying certain hotfixes. If you have Websense components installed on the ISA firewall itself I would strongly dissuade you from enabling the /3GB switch. If you are experiencing memory related issues with Websense services on your ISA firewall, add additional RAM. If memory related issues persist, remove all Websense services other than the filtering plug-in and place them on a separate system outside of the ISA firewall. You can then safely enable the /3GB switch on that system.
2 Comments | 
ISA 2006 Enterprise, ISA 2006 General, ISA 2006 Standard, Websense Content Filtering | 
Permalink
Posted by Richard Hicks
July 28, 2009
When stopping or starting the services for Websense content filtering software, there is a specific order in which the services should be stopped and started. While this information is documented by Websense, it can sometimes be difficult to find so I’ve decided to publish this information here as an additional reference.
Begin by stopping the following services in any order:
Apache Services (Websense 7.x)
Apache2Websense
ApacheTomcatWebsense
Transparent Identification Agents
Websense DC Agent
Websense e-Directory Agent
Logging and Reporting Services
Websense Explorer Report Scheduler
Websense Information Service for Explorer
Websense Reporter Scheduler
Websense Log Server
Other Websense Services
Websense Usage Monitor
Once these services has been stopped you can proceed with stopping the Websense core services in the following order:
Websense Network Agent
Websense Filtering Service
Websense User Service
Websense Policy Server
Websense Policy Broker (Websense 7.x)
Websense Policy Database (Websense 7.x)
To start these services simply proceed in the reverse order of that listed above.
3 Comments | Websense Content Filtering | Permalink
Posted by Richard Hicks
February 22, 2009
Websense content filtering software is an excellent add-on product for the Microsoft ISA firewall. If you have deployed the ISA firewall to secure outbound Internet access for your organization, I would strongly encourage you to consider this powerful software suite. An ISA/Websense solution will provide unparalleled protection against spyware, malicious mobile code, and many other threats. Websense features granular, user and group based filtering policies and with its modular design is highly scalable. With Websense Web Security you also get features such as enhanced security categories as well as real-time security updates, ensuring that your users are protected at all times, even from today’s advanced blended threats.
Although under most circumstances the Websense content filtering does a fantastic job, it is possible to bypass Websense filtering policies if the software is not configured correctly. For instance, if a workstation is configured as a web proxy client to the ISA firewall, communication is filtered properly. If the workstation also has the Firewall Client installed, the user can simply disable any proxy settings in their web browser, resulting in their HTTP communication being sent to the ISA firewall by the Firewall Client. Due to some vagaries with the inner workings of the Websense filtering mechanism, this communication may not be filtered.
The good news is that this issue is simple to resolve. A little known, and perhaps often overlooked, configuration change needs to be made if you expect content filtering to work correctly for ISA SecureNAT and Firewall Clients. That change is documented in the Websense Installation Guide Supplement for Microsoft ISA Server. On page 13 under the ‘Configuring the ISAPI Filter’ section you will see that in order to correctly filter SecureNAT and Firewall Clients you must create a file called ‘ignore.txt’ in the Windows\System32 folder. This file should contain the hostname of the ISA firewall that the filtering plug-in is installed on (note also that this entry should be in all caps). Recycle the Websense services in order for this change to take effect.
Leave a Comment » | ISA 2006 General, Websense Content Filtering | Permalink
Posted by Richard Hicks
