Virtual Secure Web Gateway

  • 1.  Web Gateway (VE) Network config

    Posted Jan 12, 2012 06:20 PM

    I am potentially looking at building Web Gateway (virtual edition), and in reading through the online features I see that it supports several network configurations (inline, simple inline, port span/tap, inline + proxy, proxy, etc.).

    The primary purpose of this device is to (a) authenticate users (preferably automatically) before they can access the internet. If the user doesn't belong to a specific group in our AD, then they don't get access to the internet... and (b) have the device do URL filtering (if any user tries to access gambling web sites, for example, they are blocked).

    This being said, can the Symantec Web Gateway be configured through the type of network configurations where computer/user web browsers don't have to have proxy server/port settings configured and pointing to this Web Gateway server before they can access the internet?

    For example, a WebSense deployment listens for web traffic, intercepts it, authenticates and filters the requests, then sends the request out to the internet. No configuration (manual or automatic) of the user's web browser proxy settings is required in this deployment to gain internet access. This is the type of deployment of a Web Gateway we are looking for. On the other hand, Microsoft's ForeFront TMG server requires that either the user's web browser proxy settings be configured and pointed to the ForeFront TMG server before the user can get access to the internet, or a TMG client be installed on all computers. We don't want to have to manually (or even through automatic means) configure users' web browser proxy settings.

    So, for the various network configuration deployments listed above for the Web Gateway... is there a network configuration which, once implemented, will emulate what a WebSense deployment would do, where it listens for or intercepts web traffic (or other types of traffic) on the network, authenticates it and filters it, before sending those web requests off to the internet?



  • 2.  RE: Web Gateway (VE) Network config

    Posted Jan 13, 2012 06:51 AM

    You should use SWG in inline mode. You can integrate SWG with AD (LDAP + NTLM/"DC Interface") and you can use content filtering policies too without any proxies. (SWG proxy mode, or an external proxy, are only optional.)

    Regards,

    Viktor



  • 3.  RE: Web Gateway (VE) Network config

    Posted Jan 13, 2012 07:40 AM


    Actually, one thing to point out here: Symantec doesn't recommend you run the Web Gateway Virtual Edition in Inline mode, because we don't support the hardware bypass as we do with physical appliances.

    When you run the Web Gateway in Proxy mode, the Web Gateway is an explicit proxy, so this does require that users' browsers be redirected to the proxy; but there are ways to help make this transparent by using PAC files, WPAD, or even Active Directory policies to roll out proxy settings.

    The other option you have is Port Span/Tap mode, where we are transparent and can normally block access to bad sites as you want to do; however, in that mode we can't block threat files that are downloaded through the SWG and can only log these events when we see them.

    There are two methods to integrate with AD, so that should not be an issue for you.

    Best Regards,

    Kevin



  • 4.  RE: Web Gateway (VE) Network config

    Posted Jan 13, 2012 11:23 AM

    I will have to look at the Inline or Span/Tap method. We are trying to avoid anything that has to do with any manual or automatic (PAC/WPAD configs) configuration of browser proxy settings. We have been down this path before in the past, and it has not worked well in our environment. We have a lot of mobile/temporary users who come in from other offices or contract firms and attach to our network. These computers do not have accounts on our systems, and therefore do not join our domain. Therefore any solution requiring the push of proxy settings via AD will not work. Nor do we like the idea of these mobile users generating massive amounts of calls to our helpdesk because they can't get on the internet, with our helpdesk needing to walk these users through the process of how to set the proxy settings for our environment. This is why we are looking for a transparent solution which simply listens for or intercepts web traffic, filters the requests, and sends those requests out appropriately.

    As for the Inline "bypass" issue: I'm not concerned about this. If the SGW VM goes down for some reason... then it goes down. I understand that while SGW is down no one can get on the internet (because there is no bypass mode on the VM version)... but that is not a concern to us.