Integrating Web Security with Other Products > Integrating Web Security with Microsoft ISA Server or Forefront TMG

Integrating Web Security with Microsoft ISA Server or Forefront TMG

Applies to

Web Filter v7.6

Web Security v7.6

In this topic

u

Overview

u	Single Microsoft ISA/TMG configuration

u	Array configuration

Overview

 

Note  In this section, ISA/TMG refers to ISA Server and Forefront TMG collectively. When information differs for the two products, they are referred to specifically as ISA Server or Forefront TMG.

When you integrate Websense software with Microsoft ISA/TMG, the Websense ISAPI Filter must be installed on the ISA/TMG machine. The Websense ISAPI Filter allows ISA/TMG to communicate with Filtering Service, and must be installed on every ISA/TMG machine that communicates with Websense software.

You can install Policy Broker, Policy Server, Filtering Service, and User Service on the same machine as Microsoft ISA Server.

 

Important  No Websense components, other than the ISAPI Filter plug-in and Control Service, can be installed on a Forefront TMG machine. Control Service is automatically installed when you install the ISAPI Filter plug-in.

If your environment includes an array of ISA/TMG machines, install Websense software on a machine outside the array.

For more information, see Microsoft ISA Server or Forefront TMG Integration, page 227.

Single Microsoft ISA/TMG configuration

The following illustration shows all Websense components, including the Websense ISAPI Filter, running on the same machine as a pre-TMG version of Microsoft ISA Server. Unless the Internet traffic volume is light, this configuration requires a powerful machine.

 

Important  No Websense components, other than the ISAPI Filter plug-in and Control Service, can be installed on a Forefront TMG machine.

The diagram provides a general overview and best practice location for your integration product, but does not show all Websense components. Larger networks require Websense components to be distributed across several dedicated machines. Logon Agent can be used instead of or in combination with DC Agent.

 

An alternative setup, shown in the following illustration, places Websense filtering components on a Windows machine separate from the ISA/TMG machine. This configuration is required if you are using Forefront TMG, and eases the load on the machine for earlier versions of ISA.

u	The ISAPI Filter must be installed on the ISA/TMG machine so that Internet activity information can be communicated to Filtering Service.

u	The Filtering Service and ISA/TMG machines must be able to communicate over the network.

The diagram provides a general overview and best practice location for your integration product, but does not show all Websense components. Larger networks require Websense components to be distributed across several dedicated machines. Logon Agent can be used instead of or in combination with DC Agent.

Array configuration

Websense software is compatible with most array configurations, including Cache Array Routing Protocol (CARP) arrays. It is a best practice to install Websense software outside an array of ISA/TMG machines. Install the Websense ISAPI Filter on each member of the array. See the following illustration.

When Websense software is deployed in this configuration, all array members send Internet requests to Filtering Service outside the array.

Other configurations are possible. See your Microsoft ISA/TMG documentation for information about ISA/TMG configurations.

The diagram provides a general overview and best practice location for your integration product, but does not show all Websense components. Larger networks require Websense components to be distributed across several dedicated machines. Logon Agent can be used instead of or in combination with DC Agent.

Integrating Web Security with Other Products > Integrating Web Security with Microsoft ISA Server or Forefront TMG