How to Deploy Websense In Stand-alone Mode on a Hyper-V Virtual Machine? #HyperV #Websense

5 Min. Read

Hello folks,

Since the initial release of Hyper-V back in 2008, my hope was to move all the physical workloads to Hyper-V, however, one of the roles that were impossible to move is Websense Web Security!

Websense Web Filter and Security block web threats to reduce malware infections, decrease help desk incidents and free up valuable IT resources. More information on Websense.

Since then, I had several conversations with Websense and Microsoft folks and all the feedbacks came negative Sad smile

So what is the reason that Websense cannot run on Hyper-V virtual machine?

Websense feedback was that Hyper-V server does not allow setting a virtual NIC (vNIC) to promiscuous mode, Websense does not certify and support the platform. Websense Network Agent requires a NIC set to promiscuous/stealth mode. As Microsoft does not intend to support this feature, Network Agent cannot successfully monitor traffic from other systems on its monitoring NIC.

If Websense is working with an integration mode other than Network Agent (Standalone mode), where port spanning is not necessary, then Hyper-V is a viable platform. The integration mode like Threat Management Gateway (TMG). While TMG has been officially deprecated by Microsoft, and it is still supported until April of 2020.

The high-level architecture of standalone mode deployment in the physical world is showing in the figure below:

HV-Websense02

Microsoft feedback was, Hyper-V virtual switch does not offer promiscuous mode on its virtual interfaces.

In short, the promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. The most typical use cases include network intrusion detection systems (NIDS), monitoring tools such as (Wireshark, Microsoft Message Analyzer, etc.), web security tools such as Websense, or recording of calls in VOIP-based centers such as MiaRec. This mode of operation is given to a network server that captures and saves all packets for analysis.

The Websense deployment and configuration is already well explained elsewhere, so I’ll keep the basics to Hyper-V here.

VMware does support promiscuous mode, but I believe in Hyper-V, so what is the solution?

Microsoft in Windows Server 2012/2012 R2 Hyper-V introduced the concept called (port mirroring) which can be enabled on any virtual machine vNIC adapter. There is quite some official documentation available if you want to set up port monitoring between two or more Virtual Machines.

How does port mirroring work?

Port Mirroring allows you to monitor virtual network traffic from one or many virtual machines (sources) to another virtual machine (destination). Port Mirroring works at the Virtual Switch level and to be precise, it’s the Hyper-V virtual switch extension capabilities that are being used to achieve port mirroring/capturing. The extensible vSwitch by itself uses port ACLs to set a rule that forwards traffic from one vNIC in a VM to another vNIC in another VM.

For example, if we need to monitor all traffic sent and received by both VM1 and VM2, you can run the following PowerShell cmdlets where MonitorVM has a network monitoring tool installed i.e. Wireshark in order to capture the traffic.

Set-VMNetworkAdapter VM1 –PortMirroring Source
Set-VMNetworkAdapter VM2 –PortMirroring Source
Set-VMNetworkAdapter MonitorVM –PortMirroring Destination

This is a great feature for internal traffic between VMs on the same physical host, but this does not solve my pain point with Websense, because we need to be able to monitor the traffic from a port on the physical switch to a virtual port (vNIC) inside a VM.

What about external traffic?

Hyper-V does not support setting a “promiscuous mode” flag on a virtual port, as you need to specify if a given port is supposed to be the source or the destination of the network packets.

The interesting part is that the official documentation does not state that you can also capture traffic from an external network or from the host parent partition. Waw this is what is needed in my scenario.

The Hyper-V Extensible Switch and the PowerShell module have the bells and whistles to tackle this problem.

What are the requirements to capture external traffic?

1. Two vNICs To Websense VM (Block NIC and Monitoring NIC).
2. Set the Mirroring mode of Websense VM monitoring vNIC to “Destination“.
3. Enable Microsoft NDIS Capture on the Hyper-V Virtual Switch Extensions where Websense VM is attached to.
4. Set the Mirror mode on the External port of the Hyper-V Virtual Switch where Websense VM is attached to reflect as the “Source“.
5. Configure port mirroring on the physical switch to mirror any traffic on your firewall/router port ==> to the port that the Hyper-V server is connected to.

Step 1: Add Two Virtual NICs To Websense VM

Add-VMNetworkAdapter -VMName Websense -Name Block -SwitchName VM_vSwitch
Add-VMNetworkAdapter -VMName Websense -Name Monitor -SwitchName Mirroring_VM_vSwitch

HV-Websense03a

Step 2: Set The Mirroring Mode Of  The Monitoring Virtual NIC To “Destination”

Get-VMNetworkAdapter -VMName Websense | ? Name -eq Monitor | Set-VMNetworkAdapter -PortMirroring Destination

HV-Websense03b

The same can be done in Hyper-V Manager

HV-Websense04

Step 3: Enable Microsoft NDIS Capture Extension On The Virtual Switch

  1. Open the Virtual Switch Manager on the Hyper-V Host.
  2. Expand the virtual switch name “Mirroring_VM_vSwitch” and click on “Extensions“.
  3. Enable Microsoft NDIS Capture under Extensions.

HV-Websense05

Step 4: Set The Mirror Mode On The External Port Of The Virtual Switch To “Source”

The Hyper-V PowerShell module includes the following cmdlets (Add-VMSwitchExtensionPortFeature, Get-VMSystemSwitchExtensionPortFeature, Remove-VMSystemSwitchExtensionPortFeature, and Set-VMSystemSwitchExtensionPortFeature) that can be used to manage port monitoring at the host level.

We need to configure the Hyper-V vSwitch name “Mirroring_VM_vSwitch” that any traffic hits the external port “SOURCE”, has to be forwarded to the vNIC “Monitor” that we configured “DESTINATION” on Websense VM.

The following PowerShell cmdlets will help you to set the External vSwitch port to “SOURCE” Mirror mode:

$ExtPortFeature=Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings"
$ExtPortFeature.SettingData.MonitorMode = 2
Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName Mirroring_VM_vSwitch -VMSwitchExtensionFeature $ExtPortFeature

Let’s validate the Monitoring mode is set to “SOURCE” by running the following cmdlet:

Get-VMSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings" -SwitchName Mirroring_VM_vSwitch -ExternalPort | select -ExpandProperty SettingData

HV-Websense09

MonitorMode=2 is “SOURCE“, MonitorMode=1 is “DESTINATION“, and MonitorMode=0 is “NONE

Once you run the above cmdlets on the Hyper-V host, all traffic passing on the external NIC of Mirroring_VM_vSwitch will be “mirrored” to Websense VM which port monitoring mode has been set to destination.

Step 5: Configure Port Mirroring On The Physical Switch

HV-Websense06

In my demo, I am mirroring the traffic to two destinations NIC interfaces where the Hyper-V host is connected to, because I am using NIC Teaming on the host and the “Mirroring_VM_vSwitch” is created on top of the team.

As soon as you start mirroring the traffic to the Hyper-V host, you can open Websense VM and observe the received traffic on the mirroring vNIC.

HV-Websense08

Once the above steps are followed, you should be able to start filtering the happy users Smile:

HV-Websense07

What are the best practices?

1. Have a separate dedicated physical NIC or team NICs on the host.
2. Have a separate external vSwitch, because Websense VM will be always available and you don’t want to flood your existing production vSwitch.

Closing thoughts

Keep in mind that all this works within the boundaries of the same physical host. Which means that if you want to move Websense VM across nodes in a cluster or to a different host, you need to configure step 3, 4 and 5 above on each node separately with the same virtual switch name. This means that when Websense VM is live migrated to a second node, it will continue monitoring the traffic. That works!

Happy filtering day!

Cheers,
-Charbel

Previous

Get The List of All VMs in Virtual Machine Manager and Their Virtual Disks #VMM #HyperV #PowerShell

Getting Started With Savision’s Cloud Reporter #SysCtr #Savision #SCOM #SCVMM #HyperV

Next

34 thoughts on “How to Deploy Websense In Stand-alone Mode on a Hyper-V Virtual Machine? #HyperV #Websense”

Leave a comment...

  1. Hello Charbel,
    The first two commands are accepted.
    Unfortunately no change with the 3rd command.
    Windows Server 2016 Standard
    Presumably there is a command that I can use to display the available switches; I think that would be useful for troubleshooting, to confirm that the switchname is recognised in the config.
    Thanks,
    VW

  2. Hello VW,
    Please run the following command and confirm the available switches:
    <strong>Get-vmSwitch</strong>
    If you want further help, please contact me using the following form.
    Thanks!

  3. Hello Charbel,
    The form says ‘payment is required’, I can’t see how to actually make the donation.
    The vSwitch that I am using in the third command is correctly identified, so I think there must be an issue with the 3rd command itself with Windows Server 2016
    VW

  4. Hello VW,
    You can follow the details noted on the form here. Once you submit the form, you will be guided to make the donation. And of course, you don’t have to. Thank you for your support!
    In regards to your question, I have just tried all the commands in my environment and I was able to configure the virtual switch as described in this article without any error.
    Please make sure that the following option is NOT selected on the mirroring virtual switch: Allow management operating system to share this network adapter in Hyper-V Manager.
    Sorry, I can’t provide more support here, I need to connect and check your environment.
    Thanks!

  5. Hello Charbel,
    Nothing happens when I click on the ‘Submit and Pay’ button. I have tried two browsers.
    Regards
    VW

  6. Thank you Vee for reporting this issue. I fixed it.
    Could you please try again now?
    Thanks!

  7. Hello Charbel,
    Yes the donate button now works.
    I’ve done some further troubleshooting and I think I have identified the issue.
    On the Extensions page, when the Microsoft NDIS Capture extension is highlighted. There is a message: The selected extension is not operating correctly. Check the EventLogs for further info.
    Unfortunately there is no Critical or Error event logged in relation to HyperV.
    Have you encountered this before?
    Thanks
    VW

  8. Hello Vee, thank you for the donation, much appreciated!
    What I suggest in this case is to delete and remove the virtual switch and then create a new one.
    The Microsoft NDIS Capture extension is not working for that vSwitch anymore.
    Please start from scratch and repeat the steps.
    Thanks!

  9. Hello Charbel,

    I have tried re-creating the mirror vSwitch from scratch.

    This time I have been able to successfully enter the commands in step 4. The reason that one of these commands failed previously was that I was using an x86 Powershell session rather than x64 Powershell session to enter the commands.

    I can see that the MonitorMode is set to 2.

    However the VM still cannot see any traffic on the mirror port.

    Before I created the vSwitch, I confirmed that the physical NIC on the HyperV host could see traffic on the mirror port. So the issue is with the VM, not the port configuration of the physical switch or the NIC driver.

    The only differences / potential issues that I can see are:

    1. In your screenshot of the Mirror vSwitch Extensions, the Microsoft NDIS Capture extension is listed first. On my system it is listed third, and I cannot change the order

    2. On the details for selected extension; I have the warning: The selected extension is not operating correctly. Check the EventLogs for further info. I have checked the EventLogs and there is no further info.

    On the face of it, the error in relation to the extension seems to be the likely culprit; however I have seen other posts where they say that this ‘error’ can be ignored.

    Have you ever encountered the error message regarding the ‘selected extension is not operating correctly’?

  10. Hello Charbel,

    Either my last or 2nd last update …

    I wanted to let you know (and any other readers) that I was able to get the VM working using your instructions, by doing the following

    – Installing Hyper V on a separate box (that is running Windows Server 2012)
    – Following your instructions
    – On this box I did not encounter any errors with the NDIS Capture extension, and the setup process was exactly as you described
    – So clearly the error that I encountered with the NDIS Capture extension on the first system was the reason why my previous setup failed

    I have posted some questions elsewhere in relation to the error with the NDIS Capture extension; and if I happen to make any progress with that in the future, then I will update here with the findings.

    Thanks again for your blog article and assistance

    Cheers
    VW

  11. Hello Vee,
    It’s quite difficult to give an advise without seeing the environment.
    As you noted, you were using PowerShell x86 session and not x64. Always use x64 session.
    Could you please check and confirm that Step 1, Step 2, and Step 3 are done right on the VM as documented in this article?
    Yes, you can disregard this warning:

    The selected extension is not operating correctly. Check the Event Logs for further info.

    Are you sure that your physical switch is configured correctly to mirror the traffic to the assigned physical port?
    Another issue that I found out that in Windows Server Hyper-V (2016 and 2019) is that we cannot change the order of the extension.
    Please make sure that none of the extensions is enabled except for Microsoft NDIS Capture (Monitoring).
    Final test is to try the same setup using Windows Server 2012 R2 (Hyper-V) and see if it works.
    If you need further support please contact me here.
    Thanks!

  12. I am happy to hear that the issue is resolved using Windows Server 2012 R2 (Hyper-V).
    Thanks for the update!

  13. Hello Charbel,
    Disabling the other extensions was the answer with Server 2016.
    Thanks!
    Regards
    VW

  14. Hello Vee,
    Thanks for the update. In Server 2016, there are only 2 extensions by default as follows:
    Name: Microsoft Windows Filtering Platform
    Name: Microsoft NDIS Capture

    “Microsoft NDIS Capture” should be only enabled for port mirroring to work.
    Thanks!

Let me know what you think, or ask a question...

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to Stay in Touch

Never miss out on your favorite posts and our latest announcements!

The content of this website is copyrighted from being plagiarized!

You can copy from the 'Code Blocks' in 'Black' by selecting the Code.

Please send your feedback to the author using this form for any 'Code' you like.

Thank you for visiting!