Deployment Planning for X10G Chassis and Blades > Choosing a policy source machine

Choosing a policy source machine

One of your earliest deployment decisions is your selection of the policy source machine. Only one computer must be designated as your policy source. Other servers look to this machine to obtain your current filtering policy.

You can select either a blade server or a server off the X10G chassis for this purpose.

What distinguishes your policy source machine is that (in addition to other filtering components) it runs two Websense components that do not run on any other server or blade: Websense Policy Database and Policy Broker. Although multiple servers can be used for Web filtering, only a single Policy Database holds policy and general configuration data for your organization. Your primary instance of Policy Server also runs on the policy source machine.

All machines running Websense filtering components need up-to-date policy information obtained from the single policy source machine.

Following is a brief description of the key filtering components that you are deploying. You have several choices about which components will run on each security blade in your X10G chassis, and whether it would be advisable for your network to use additional off-chassis instances.

For component limits and rations, see this article in the Websense Technical Library.

Filtering components

Component	Description
Policy Database	Stores Websense software settings and policy information. Installed automatically with Policy Broker. Runs on policy source machine only. Typicall installed on Windows server off-chassis.
Policy Broker	Manages requests from Websense components for policy and general configuration information. Runs on policy source machine only. Typically installed on Windows server off-chassis.
Policy Server	Can run on every blade. Primary copy runs on policy source machine. Identifies and tracks the location and status of other Websense components. Stores configuration information specific to a single Policy Server instance. Communicates configuration data to Filtering Service, for use in filtering Internet requests. Configure Policy Server settings in the TRITON - Web Security console. Policy and most configuration settings are shared among all Policy Servers that share a Policy Database.
Filtering Service	Can run on every blade. Provides Internet filtering in conjunction with Network Agent or a third-party integration product. When a user requests a site, Filtering Service receives the request and determines which policy applies. Filtering Service must be running for Internet requests to be filtered and logged. Each Filtering Service instance downloads its own copy of the Websense Master Database. Configure filtering and Filtering Service behavior in the TRITON - Web Security console.
Network Agent	Can run only on the blade in slot 16, and can run off-chassis. Enhances filtering and logging functions Enables non-HTTP amd non-HTTPS protocol management
Master Database	Includes more than 36 million Web sites, sorted into more than 90 categories and subcategories Contains more than 100 non-HTTP protocol definitions for use in filtering protocols After all modules are set up, download the Websense Master Database to activate Internet filtering, and schedule automatic updates. If the Master Database is more than 2 weeks old, no filtering occurs.
TRITON - Web Security	Runs off-chassis on a Windows server. Serves as the configuration, management, and reporting interface for Websense software. Use the TRITON - Web Security console to define and customize Internet access policies, configure Websense software components, report on Internet filtering activity, and more. The TRITON - Web Security console is made up of the following services: Websense - TRITON Web Security Websense Web Reporting Tools Websense Explorer Report Scheduler Websense Information Service for Explorer Websense Reporter Scheduler
Usage Monitor	Can run on every blade. Enables alerting based on Internet usage. Provides Internet usage information to Real-Time Monitor. Usage Monitor tracks URL category access (shown in Real-Time Monitor) and protocol access, and generates alert messages according to the alerting behavior you have configured.
Content Gateway	Can run on every blade. (Not used on the blade in slot 16 if Network Agent is enabled.) Provides a robust proxy and cache platform. Can analyze the content of Web sites and files in real time to categorize previously uncategorized sites. Enables protocol management As part of a Websense Web Security Gateway deployment, also: Analyzes HTML code to find security threats (for example, phishing, URL redirection, Web exploits, and proxy avoidance). Inspects file content to assign a threat category (for example, viruses, Trojan horses, or worms). Strips active content from certain Web pages.
Remote Filtering Client	Resides on client machines outside the network firewall. Identifies the machines as clients to be filtered, and communicates with Remote Filtering Server.
Remote Filtering Server	Allows filtering of clients outside a network firewall. Communicates with Filtering Service to provide Internet access management of remote machines.

Deployment Planning for X10G Chassis and Blades > Choosing a policy source machine