Component limits and ratios

General Deployment Recommendations for Web Security > Component limits and ratios

Component limits and ratios

Applies to

Web Filter v7.6

Web Security v7.6

Web Security Gateway v7.6

Web Security Gateway Anywhere v7.6

In this topic

u

Overview

u

Component Limits

u

Component ratios

u

Multiple Directory Agent instances

Overview

Some components are limited to a single instance in the entire network, or to a single instance of components that depend on them. When deploying Websense software, consider the following restrictions.

Component Limits

Note

Even when the number of dependent components is not limited to one, there are best practice component-to-dependent-component ratios. See Component ratios.

Per entire deployment:

One Policy Broker

One Sync Service (Websense Web Security Gateway Anywhere deployments)

Per Policy Broker:

u

One TRITON Unified Security Center

Per Policy Server:

u

One Web Security Log Server

u

One User Service

u

One Usage Monitor

u

One Directory Agent (Websense Web Security Gateway Anywhere deployments; see Multiple Directory Agent instances for additional information)

Per Filtering Service:

u

One primary Remote Filtering Server

Component ratios

Best practice component deployment ratios may vary, based on network configuration and Internet traffic volume.

Larger systems (more than 2500 users) may require a more distributed deployment for load balancing and support of multiple languages.

Multiple Network Agent instances may be required, for example, to detect outbound traffic on individual network segments.

It may be appropriate to install multiple Filtering Service instances for load balancing. Some load balancing configurations allow the same user to be filtered by different Filtering Service instances, depending on the current load.

For limits on transparent identification agents, see Deploying transparent identification agents.

For more information about the interaction of Websense components, see the TRITON - Web Security Help.

Network Agents per Filtering Service

As a best practice, no more than 4 Network Agent instances should be deployed per Filtering Service. One Filtering Service instance may be able to handle more than 4 Network Agents, depending on the number of Internet requests, but if Filtering Service or Network Agent capacities are exceeded, filtering and logging inconsistencies may occur.

Network Agent can typically monitor 50 Mbps of traffic per second, or about 800 requests per second. The number of users that Network Agent can monitor depends on the volume of Internet requests from each user, the configuration of the network, and the location of Network Agent in relation to the computers it is assigned to monitor. Network Agent functions best when it is close to those computers.

Contact your Websense software provider for technical assistance with specific Network Agent sizing guidelines.

Filtering Services per Policy Server

As a best practice, no more than 10 Filtering Service instances should be deployed per Policy Server. A Policy Server instance may be able to handle more, depending on the load. However, if the number of Filtering Service instances exceeds the Policy Server's capacity, responses to Internet requests may be slowed.

Multiple Filtering Service instances are useful to manage remote or isolated sub-networks.

The appropriate number of Filtering Service instances for a Policy Server depends on:

The number of users per Filtering Service

The configuration of the Policy Server and Filtering Service machines

The volume of Internet requests

The quality of the network connection between the components

If a ping command sent from one machine to another receives a response in fewer than 30 milliseconds (ms), the connection is considered high-quality. See Testing the connection for more information.

If Filtering Service and Policy Server become disconnected, all Internet requests are either blocked or permitted, depending on which option you have chosen in the TRITON - Web Security console. For more information, see the Getting Started topic in the TRITON - Web Security Help.

Filtering Service machines running behind firewalls or running remotely (at a great topological distance, communicating through a series of routers) may need their own Policy Server instance. In a multiple Policy Server environment, a single Websense Policy Database holds the policy settings for all Policy Server instances. See the TRITON - Web Security Help for more information.

Testing the connection

Run a ping test to check the response time and connection between the Policy Server and Filtering Service machines. A response time of fewer than 30 milliseconds is recommended.

1.

Open a command prompt (Windows) or terminal session (Linux) on the Policy Server machine.

2.

Enter the following command:

ping <IP address or hostname>

Here, <IP address or hostname> identifies the Filtering Service machine.

Interpreting your results

When you run the ping command on a Windows machines, the results resemble the following:

C:\>ping 11.22.33.254

Pinging 11.22.33.254 with 32 bytes of data:

Reply from 11.22.33.254: bytes=32 time=14ms TTL=63

Reply from 11.22.33.254: bytes=32 time=15ms TTL=63

Reply from 11.22.33.254: bytes=32 time=14ms TTL=63

Reply from 11.22.33.254: bytes=32 time=15ms TTL=63

Ping statistics for 11.22.33.254:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 14ms, Maximum = 15ms, Average = 14ms

In a Linux environment, the results look like this:

[root@localhost root]# ping 11.22.33.254

PING 11.22.33.254 (11.22.33.254) 56(84) bytes of data.

64 bytes from 11.22.33.254: icmp_seq=2 ttl=127 time=0.417 ms

64 bytes from 11.22.33.254: icmp_seq=3 ttl=127 time=0.465 ms

64 bytes from 11.22.33.254: icmp_seq=4 ttl=127 time=0.447 ms

64 bytes from 11.22.33.254: icmp_seq=1 ttl=127 time=0.854 ms

Ensure that Maximum round trip time or the value of time=x.xxx ms is fewer than 30 ms. If the time is greater than 30 ms, move one of the components to a different network location and run the ping test again. If the result is still greater than 30 ms, locate and eliminate the source of the slow response.

Multiple Directory Agent instances

Typically, only one Directory Agent instance is required in a deployment. Multiple instances may be deployed if necessary. However, specific configuration of the additional Directory Agent instances is required. See the TRITON - Web Security Help for more information and configuration instructions.

Important

In a V-Series Appliance-based deployment of Websense Web Security Gateway Anywhere, be aware that Directory Agent is already installed on the appliance. Additional instances of Directory Agent are not typically necessary. If you need to deploy additional instances, see the TRITON - Web Security Help for important configuration instructions.

	Note Even when the number of dependent components is not limited to one, there are best practice component-to-dependent-component ratios. See Component ratios.

	Important In a V-Series Appliance-based deployment of Websense Web Security Gateway Anywhere, be aware that Directory Agent is already installed on the appliance. Additional instances of Directory Agent are not typically necessary. If you need to deploy additional instances, see the TRITON - Web Security Help for important configuration instructions.

Quick Links

General Deployment Recommendations for Web Security > Component limits and ratios