How to Deploy Websense In Stand-alone Mode on a Hyper-V Virtual Machine? #HyperV #Websense

5 Min. Read

Hello folks,

Since the initial release of Hyper-V back in 2008, my hope was to move all the physical workloads to Hyper-V, however, one of the roles that were impossible to move is Websense Web Security!

Websense Web Filter and Security block web threats to reduce malware infections, decrease help desk incidents and free up valuable IT resources. More information on Websense.

Since then, I had several conversations with Websense and Microsoft folks and all the feedbacks came negative Sad smile

So what is the reason that Websense cannot run on Hyper-V virtual machine?

Websense feedback was that Hyper-V server does not allow setting a virtual NIC (vNIC) to promiscuous mode, Websense does not certify and support the platform. Websense Network Agent requires a NIC set to promiscuous/stealth mode. As Microsoft does not intend to support this feature, Network Agent cannot successfully monitor traffic from other systems on its monitoring NIC.

If Websense is working with an integration mode other than Network Agent (Standalone mode), where port spanning is not necessary, then Hyper-V is a viable platform. The integration mode like Threat Management Gateway (TMG). While TMG has been officially deprecated by Microsoft, and it is still supported until April of 2020.

The high-level architecture of standalone mode deployment in the physical world is showing in the figure below:

HV-Websense02

Microsoft feedback was, Hyper-V virtual switch does not offer promiscuous mode on its virtual interfaces.

In short, the promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. The most typical use cases include network intrusion detection systems (NIDS), monitoring tools such as (Wireshark, Microsoft Message Analyzer, etc.), web security tools such as Websense, or recording of calls in VOIP-based centers such as MiaRec. This mode of operation is given to a network server that captures and saves all packets for analysis.

The Websense deployment and configuration is already well explained elsewhere, so I’ll keep the basics to Hyper-V here.

VMware does support promiscuous mode, but I believe in Hyper-V, so what is the solution?

Microsoft in Windows Server 2012/2012 R2 Hyper-V introduced the concept called (port mirroring) which can be enabled on any virtual machine vNIC adapter. There is quite some official documentation available if you want to set up port monitoring between two or more Virtual Machines.

How does port mirroring work?

Port Mirroring allows you to monitor virtual network traffic from one or many virtual machines (sources) to another virtual machine (destination). Port Mirroring works at the Virtual Switch level and to be precise, it’s the Hyper-V virtual switch extension capabilities that are being used to achieve port mirroring/capturing. The extensible vSwitch by itself uses port ACLs to set a rule that forwards traffic from one vNIC in a VM to another vNIC in another VM.

For example, if we need to monitor all traffic sent and received by both VM1 and VM2, you can run the following PowerShell cmdlets where MonitorVM has a network monitoring tool installed i.e. Wireshark in order to capture the traffic.

Set-VMNetworkAdapter VM1 –PortMirroring Source
Set-VMNetworkAdapter VM2 –PortMirroring Source
Set-VMNetworkAdapter MonitorVM –PortMirroring Destination

This is a great feature for internal traffic between VMs on the same physical host, but this does not solve my pain point with Websense, because we need to be able to monitor the traffic from a port on the physical switch to a virtual port (vNIC) inside a VM.

What about external traffic?

Hyper-V does not support setting a “promiscuous mode” flag on a virtual port, as you need to specify if a given port is supposed to be the source or the destination of the network packets.

The interesting part is that the official documentation does not state that you can also capture traffic from an external network or from the host parent partition. Waw this is what is needed in my scenario.

The Hyper-V Extensible Switch and the PowerShell module have the bells and whistles to tackle this problem.

What are the requirements to capture external traffic?

1. Two vNICs To Websense VM (Block NIC and Monitoring NIC).
2. Set the Mirroring mode of Websense VM monitoring vNIC to “Destination“.
3. Enable Microsoft NDIS Capture on the Hyper-V Virtual Switch Extensions where Websense VM is attached to.
4. Set the Mirror mode on the External port of the Hyper-V Virtual Switch where Websense VM is attached to reflect as the “Source“.
5. Configure port mirroring on the physical switch to mirror any traffic on your firewall/router port ==> to the port that the Hyper-V server is connected to.

Step 1: Add Two Virtual NICs To Websense VM

Add-VMNetworkAdapter -VMName Websense -Name Block -SwitchName VM_vSwitch
Add-VMNetworkAdapter -VMName Websense -Name Monitor -SwitchName Mirroring_VM_vSwitch

HV-Websense03a

Step 2: Set The Mirroring Mode Of  The Monitoring Virtual NIC To “Destination”

Get-VMNetworkAdapter -VMName Websense | ? Name -eq Monitor | Set-VMNetworkAdapter -PortMirroring Destination

HV-Websense03b

The same can be done in Hyper-V Manager

HV-Websense04

Step 3: Enable Microsoft NDIS Capture Extension On The Virtual Switch

  1. Open the Virtual Switch Manager on the Hyper-V Host.
  2. Expand the virtual switch name “Mirroring_VM_vSwitch” and click on “Extensions“.
  3. Enable Microsoft NDIS Capture under Extensions.

HV-Websense05

Step 4: Set The Mirror Mode On The External Port Of The Virtual Switch To “Source”

The Hyper-V PowerShell module includes the following cmdlets (Add-VMSwitchExtensionPortFeature, Get-VMSystemSwitchExtensionPortFeature, Remove-VMSystemSwitchExtensionPortFeature, and Set-VMSystemSwitchExtensionPortFeature) that can be used to manage port monitoring at the host level.

We need to configure the Hyper-V vSwitch name “Mirroring_VM_vSwitch” that any traffic hits the external port “SOURCE”, has to be forwarded to the vNIC “Monitor” that we configured “DESTINATION” on Websense VM.

The following PowerShell cmdlets will help you to set the External vSwitch port to “SOURCE” Mirror mode:

$ExtPortFeature=Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings"
$ExtPortFeature.SettingData.MonitorMode = 2
Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName Mirroring_VM_vSwitch -VMSwitchExtensionFeature $ExtPortFeature

Let’s validate the Monitoring mode is set to “SOURCE” by running the following cmdlet:

Get-VMSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings" -SwitchName Mirroring_VM_vSwitch -ExternalPort | select -ExpandProperty SettingData

HV-Websense09

MonitorMode=2 is “SOURCE“, MonitorMode=1 is “DESTINATION“, and MonitorMode=0 is “NONE

Once you run the above cmdlets on the Hyper-V host, all traffic passing on the external NIC of Mirroring_VM_vSwitch will be “mirrored” to Websense VM which port monitoring mode has been set to destination.

Step 5: Configure Port Mirroring On The Physical Switch

HV-Websense06

In my demo, I am mirroring the traffic to two destinations NIC interfaces where the Hyper-V host is connected to, because I am using NIC Teaming on the host and the “Mirroring_VM_vSwitch” is created on top of the team.

As soon as you start mirroring the traffic to the Hyper-V host, you can open Websense VM and observe the received traffic on the mirroring vNIC.

HV-Websense08

Once the above steps are followed, you should be able to start filtering the happy users Smile:

HV-Websense07

What are the best practices?

1. Have a separate dedicated physical NIC or team NICs on the host.
2. Have a separate external vSwitch, because Websense VM will be always available and you don’t want to flood your existing production vSwitch.

Closing thoughts

Keep in mind that all this works within the boundaries of the same physical host. Which means that if you want to move Websense VM across nodes in a cluster or to a different host, you need to configure step 3, 4 and 5 above on each node separately with the same virtual switch name. This means that when Websense VM is live migrated to a second node, it will continue monitoring the traffic. That works!

Happy filtering day!

Cheers,
-Charbel

Previous

Get The List of All VMs in Virtual Machine Manager and Their Virtual Disks #VMM #SCVMM #HyperV #PowerShell

Getting Started With Savision’s Cloud Reporter #SysCtr #Savision #SCOM #SCVMM #HyperV

Next

34 thoughts on “How to Deploy Websense In Stand-alone Mode on a Hyper-V Virtual Machine? #HyperV #Websense”

Leave a comment...

  1. I’ve followed the guide and am running into issues. I have set up everything but the block nic. I thought this would just be the main NIC the server uses. Do I need to have 3 NICs? 1 Monitor, 1 block, and 1 actual uplink?

  2. Hello Preston,

    Thanks for the feedback.

    I strongly recommend to have a dedicated Physical NIC on the Hyper-V Host used for Websense.
    As for Websense VM, you need two vmNICs, one is used for the MGMT with IP to send block pages to the users and the second one is used for traffic monitoring.
    The Physical NIC on the host is bound to a new Virtual Switch and then follow the steps in this article to set the VM Switch Extension Port Feature.

    Hope this helps!

    Cheers,
    ~Charbel

  3. Thanks. I do have a dedicated NIC for the uplink to the network. Then I added one NIC for monitoring which is connected to the physical switch on a span port. Judging by your screenshots it looks like you connected the block NIC just to the regular uplink, so I understood this to mean that you were using the regular NIC for blocking as well.

    I opened up a Microsoft support request and they suggested that the setup would not work due to the block NIC and monitoring NIC being connected to different vSwitches. Where am I misunderstanding? :(

  4. Hello Preston,

    As you can see in my screenshot for Websense VM settings. I have two different vmNICs, the first vmNIC is attached to Team vSwitch that I am using for all VMs on that host, this vmNIC has the MGMT IP address for Websense, and the second vmNIC is attached to the dedicated Websense vSwitch set in Mirroring mode as source, this vmNIC inside the VM is set without IP address, in other words the IPv4 and IPv6 (TCP/IP) Protocols are deselected.

    I have the same deployment in more than 10 sites and it’s working perfect.

    Hope this help.

    Cheers,
    ~Charbel

  5. So the monitor NIC is set as source? I am set up exactly like that (I’ve actually flipped Source and Destination around to test that way as well..), but see no traffic on the second NIC with IPv4 and IPv6 disabled.

    I can plug a laptop into the span port and see all the traffic with no issues..

  6. Hello Preston,

    The monitor vmNIC in Websense VM settings is set to Destination, and the Virtual Switch is set to Source, please refer to the article again.

    One important point to mention, you will not see traffic inside the Guest OS (Websense) until you finish Websense configuration and the filtering service is up and running correctly (Network Agent, Block NIC, etc…).

    Hope this helps.

    Cheers,
    ~Charbel

  7. When you say that I won’t see traffic until Websense is configured, does that mean even if I go into the control panel and look at the NIC I won’t see any traffic?

  8. Yes, even if you go into control panel (Network and Sharing Center) and you open the vNIC, you won’t see any traffic (received traffic actually and not sent) until you configure Websense / Physical Switch with port mirroring.
    However in the physical world this is different.
    If you check the Physical NIC on the host that is assigned to Websense Virtual Switch, you will see incoming traffic.

  9. Hi Charbel,

    I am setting up a VM within Hyper-V 2012 R2 which following your guide sees traffic but it appears to be only one direction (inbound) any ideas what would cause this on Hyper-V?

  10. Hello Colin,

    This is normal for mirroring NIC, you will see incoming traffic (Receive) on the mirroring NIC and not send.
    The second vmNIC which is configured with IP address will send the block pages to the users.

    Could you please describe more your setup?

    Cheers,
    ~Charbel

  11. Hi Charbel,

    Thanks for this guide, much appreciated, I’ve followed through this but at the 3rd step of configuring the source port/NIX I do receive this error..

    PS C:\> Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName SWITCHPORTNAME -VMSwitchExtensionFeature $ExtPortFeature

    Add-VMSwitchExtensionPortFeature : Failed while modifying virtual Ethernet switch connection settings.
    At line:1 char:1
    + Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName SPANPORT -VMSwitchExt

    I have a VM with two NIC’s as you do, one management/blocking NIC and the other set up as the destination/monitoring NIC. On the host I can see ALL traffic on the dedicated physical NIC adapter which is bound to my virtual monitoring NIC…however the traffic isn’t passing through to the vNIC.

    Your guide has given me hope with the Server 2012 port mirroring feature because other sites I’ve visited indicate that Server 2012 mirroring is purely for monitoring between VM’s and not for monitoring traffic on a physical network using a VM.

    Thanks
    Stuart

  12. Hello Stuart,

    Are you running the following cmdlets as Administrator?

    $ExtPortFeature=Get-VMSystemSwitchExtensionPortFeature -FeatureName “Ethernet Switch Port Security Settings”
    $ExtPortFeature.SettingData.MonitorMode = 2
    Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName Mirroring_VM_vSwitch -VMSwitchExtensionFeature $ExtPortFeature

    You won’t see traffic passed into the vmNIC inside the VM unless you enable and start the Network Agent for Websense.

    I have the same setup deployed in multiple sites and it’s working beautifully.

    Hope this helps.
    -Charbel

  13. Ignore that, got it working! removed all previously created switches and NIC’s and stepped through your guide again…also had to reinstall Network Agent to pick up the new NIC’s but fine now.

    Thank you very much, I’m happy, not sure my users will be ;-)

    Stuart

  14. Well done!

    Thanks for the confirmation.

  15. I would like to know if this would work for pfSense?

    It seems like it would.

    I have a server with two physical NICs. One is for WAN and the other is for LAN. Does your method mean I need to add a third physical NIC to the server?

    How is the configuration of your vSwitches done?

  16. Hello Zane,

    Please follow the number of NICs needed based on pfSense requirements.
    The configuration for the vSwitches are done as documented in this post.
    Yes, it should work with any product that requires promiscuous mode.

    Cheers,
    Charbel

  17. Hello,

    I am up to Step 4

    At step 4, your prompt has a “$”. How do you get into this mode?

    My prompt has: “PS C:\”

    Thanks

  18. Thanks for your comment,
    At step 4, this is a variable that starts with $ and not a prompt.
    So in your case, this would be PS C:\>$ExtPortFeature = …
    Hope that helps!

  19. Hello Charbel,
    Thanks for the explanation
    Am now seeing the following error:
    Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName Mirrored-Gateway-VSwitch -VMSwitchExtensionFeature $ExtPortFeature
    Add-VMSwitchExtensionPortFeature : Failed while modifying virtual Ethernet switch connection settings.
    At line:1 char:1
    + Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName Mirrored-G …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Add-VMSwitchExtensionPortFeature], VirtualizationException
    + FullyQualifiedErrorId : OperationFailed,Microsoft.HyperV.PowerShell.Commands.AddVMSwitchExtensionPortFeature

    The NIC attached to the mirrored port on the switch, is configured as Mirrored-Gateway-VSwitch

    Any ideas what is wrong here?

    VW

  20. Hello VW,
    Please check your syntax and repeat the 3 commands below:

    $ExtPortFeature = Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings" $ExtPortFeature.SettingData.MonitorMode = 2 Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName "Virtual-Switch-Name-Here" -VMSwitchExtensionFeature $ExtPortFeature

    What Hyper-V version are you running?

  21. Hello Charbel,
    The first two commands are accepted.
    Unfortunately no change with the 3rd command.
    Windows Server 2016 Standard
    Presumably there is a command that I can use to display the available switches; I think that would be useful for troubleshooting, to confirm that the switchname is recognised in the config.
    Thanks,
    VW

  22. Hello VW,
    Please run the following command and confirm the available switches:
    <strong>Get-vmSwitch</strong>
    If you want further help, please contact me using the following form.
    Thanks!

  23. Hello Charbel,
    The form says ‘payment is required’, I can’t see how to actually make the donation.
    The vSwitch that I am using in the third command is correctly identified, so I think there must be an issue with the 3rd command itself with Windows Server 2016
    VW

  24. Hello VW,
    You can follow the details noted on the form here. Once you submit the form, you will be guided to make the donation. And of course, you don’t have to. Thank you for your support!
    In regards to your question, I have just tried all the commands in my environment and I was able to configure the virtual switch as described in this article without any error.
    Please make sure that the following option is NOT selected on the mirroring virtual switch: Allow management operating system to share this network adapter in Hyper-V Manager.
    Sorry, I can’t provide more support here, I need to connect and check your environment.
    Thanks!

  25. Hello Charbel,
    Nothing happens when I click on the ‘Submit and Pay’ button. I have tried two browsers.
    Regards
    VW

  26. Thank you Vee for reporting this issue. I fixed it.
    Could you please try again now?
    Thanks!

  27. Hello Charbel,
    Yes the donate button now works.
    I’ve done some further troubleshooting and I think I have identified the issue.
    On the Extensions page, when the Microsoft NDIS Capture extension is highlighted. There is a message: The selected extension is not operating correctly. Check the EventLogs for further info.
    Unfortunately there is no Critical or Error event logged in relation to HyperV.
    Have you encountered this before?
    Thanks
    VW

  28. Hello Vee, thank you for the donation, much appreciated!
    What I suggest in this case is to delete and remove the virtual switch and then create a new one.
    The Microsoft NDIS Capture extension is not working for that vSwitch anymore.
    Please start from scratch and repeat the steps.
    Thanks!

  29. Hello Charbel,

    I have tried re-creating the mirror vSwitch from scratch.

    This time I have been able to successfully enter the commands in step 4. The reason that one of these commands failed previously was that I was using an x86 Powershell session rather than x64 Powershell session to enter the commands.

    I can see that the MonitorMode is set to 2.

    However the VM still cannot see any traffic on the mirror port.

    Before I created the vSwitch, I confirmed that the physical NIC on the HyperV host could see traffic on the mirror port. So the issue is with the VM, not the port configuration of the physical switch or the NIC driver.

    The only differences / potential issues that I can see are:

    1. In your screenshot of the Mirror vSwitch Extensions, the Microsoft NDIS Capture extension is listed first. On my system it is listed third, and I cannot change the order

    2. On the details for selected extension; I have the warning: The selected extension is not operating correctly. Check the EventLogs for further info. I have checked the EventLogs and there is no further info.

    On the face of it, the error in relation to the extension seems to be the likely culprit; however I have seen other posts where they say that this ‘error’ can be ignored.

    Have you ever encountered the error message regarding the ‘selected extension is not operating correctly’?

  30. Hello Charbel,

    Either my last or 2nd last update …

    I wanted to let you know (and any other readers) that I was able to get the VM working using your instructions, by doing the following

    – Installing Hyper V on a separate box (that is running Windows Server 2012)
    – Following your instructions
    – On this box I did not encounter any errors with the NDIS Capture extension, and the setup process was exactly as you described
    – So clearly the error that I encountered with the NDIS Capture extension on the first system was the reason why my previous setup failed

    I have posted some questions elsewhere in relation to the error with the NDIS Capture extension; and if I happen to make any progress with that in the future, then I will update here with the findings.

    Thanks again for your blog article and assistance

    Cheers
    VW

  31. Hello Vee,
    It’s quite difficult to give an advise without seeing the environment.
    As you noted, you were using PowerShell x86 session and not x64. Always use x64 session.
    Could you please check and confirm that Step 1, Step 2, and Step 3 are done right on the VM as documented in this article?
    Yes, you can disregard this warning:

    The selected extension is not operating correctly. Check the Event Logs for further info.

    Are you sure that your physical switch is configured correctly to mirror the traffic to the assigned physical port?
    Another issue that I found out that in Windows Server Hyper-V (2016 and 2019) is that we cannot change the order of the extension.
    Please make sure that none of the extensions is enabled except for Microsoft NDIS Capture (Monitoring).
    Final test is to try the same setup using Windows Server 2012 R2 (Hyper-V) and see if it works.
    If you need further support please contact me here.
    Thanks!

  32. I am happy to hear that the issue is resolved using Windows Server 2012 R2 (Hyper-V).
    Thanks for the update!

  33. Hello Charbel,
    Disabling the other extensions was the answer with Server 2016.
    Thanks!
    Regards
    VW

  34. Hello Vee,
    Thanks for the update. In Server 2016, there are only 2 extensions by default as follows:
    Name: Microsoft Windows Filtering Platform
    Name: Microsoft NDIS Capture

    “Microsoft NDIS Capture” should be only enabled for port mirroring to work.
    Thanks!

Let me know what you think, or ask a question...

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to Stay in Touch

Never miss out on your favorite posts and our latest announcements!

The content of this website is copyrighted from being plagiarized!

You can copy from the 'Code Blocks' in 'Black' by selecting the Code.

Please send your feedback to the author using this form for any 'Code' you like.

Thank you for visiting!