Secure block pages

Filtering Service can be configured to serve block pages using the HTTPS protocol so that sensitive information is protected.

Important: TLS v1.2 is required to successfully serve an HTTPS block page, but some browsers disable TLS v1.2 by default. To use this feature, TLS v1.2 must be enabled on the client browsers.

Steps

  1. Generate a TLS certificate and key for each instance of Filtering Service that is serving HTTPS block pages.
    See Generating keys and certificates for instructions on how to generate the certificate and key, and how to accept the certificate in the client browser.
    Note: Using a self-signed certificate is not advisable, because some of the latest browsers do not allow you to easily override certificate verification. Create a Certificate Authority (CA) first, and then use that to sign the block page certificate.

    The CA certificate can be installed as a trusted root CA on Windows for IE and Chrome browsers, but needs to be installed separately on Firefox. This process is similar to the process used for proxy SSL decryption certificates.

  2. Stop Filtering Service.
  3. Use a text editor to edit the file eimserver.ini (by default, in C:\Program Files\Websense\Web Security\bin or /opt/Websense/bin/).

    Under the [WebsenseServer] section, add the following values:

    SSLBlockPage=on

    SSLCertFileLoc=<path to SSL certificate>

    SSLKeyFileLoc=<path to SSL key>

  4. Save eimserver.ini.
  5. Restart Filtering Service.
    Important:

    If SSLBlockPage is enabled, then Manual Authentication will also use HTTPS, even if Secure Manual Authentication is not enabled.

    If secure block pages are enabled and client browsers are set to proxy through Content Gateway, port 15871 must be included in the Tunnel Port or HTTPS ports list on the Configure > Protocols > HTTP page of Content Gateway manager.
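A post-change check for the procedure above, written as an added example (it is not Websense code). It audits the three [WebsenseServer] settings and then connects to the block page port as a TLS v1.2 client that trusts only the signing CA. The sample file contents, certificate paths, the [Example] section, and the function names are constructed for illustration.

```python
import socket
import ssl

REQUIRED = ("SSLBlockPage", "SSLCertFileLoc", "SSLKeyFileLoc")

def audit_eimserver(ini_text):
    """Return a list of problems with the secure block page settings."""
    section, values = None, {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section == "WebsenseServer":
            # Only keys placed under [WebsenseServer] count.
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    problems = [f"{k} missing from [WebsenseServer]" for k in REQUIRED if k not in values]
    if values.get("SSLBlockPage", "on") != "on":
        problems.append("SSLBlockPage is not 'on'")
    for k in REQUIRED[1:]:
        v = values.get(k)
        if v is not None and (v == "" or v.startswith("<")):
            problems.append(f"{k} still holds a placeholder or is empty")
    return problems

def probe_block_page(host, ca_file, port=15871):
    """Handshake with TLS v1.2 or later, trusting only ca_file; return the protocol version."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system roots are not loaded
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()

# Constructed samples: the paths and the [Example] section are hypothetical.
GOOD_INI = """[WebsenseServer]
SSLBlockPage=on
SSLCertFileLoc=/opt/Websense/bin/blockpage.crt
SSLKeyFileLoc=/opt/Websense/bin/blockpage.key
"""
BAD_INI = """[WebsenseServer]
SSLBlockPage=off
SSLCertFileLoc=<path to SSL certificate>
[Example]
SSLKeyFileLoc=/opt/Websense/bin/blockpage.key
"""

if __name__ == "__main__":
    print(audit_eimserver(GOOD_INI), audit_eimserver(BAD_INI))
```

After restarting Filtering Service, call probe_block_page with the Filtering Service host name and the CA certificate file. It raises ssl.SSLCertVerificationError if the served certificate does not chain to that CA or does not match the host name.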

Next steps

See Secure manual authentication for additional details.