Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page
Web Security Deployment Recommendations > Standalone deployment guidelines for Network Agent
Standalone deployment guidelines for Network Agent
Deployment and Installation Center | Web Security Solutions | Version 7.7.x
 
Applies to:                                         
In this topic                                       
*
Web Filter, Web Security, and Web Security Gateway (Anywhere), v7.7.x
*
Network Agent with multiple NICs
*
NAT and Network Agent
Network Agent manages Internet protocols (including HTTP, HTTPS, and FTP), by examining network packets and identifying the protocol.
As with integrated proxies, firewalls, and network appliances, Network Agent can be configured to monitor HTTP requests, query Filtering Service to determine whether to permit or block each request, and then log the results of the query. Network Agent can also be configured to monitor, filter, and log non-HTTP requests (including requests that do not originate from an Internet browser).
When Network Agent is used, it must be installed:
*
Inside the corporate firewall
*
Where it can see all Internet requests for the machines it is assigned to monitor
Network Agent monitors and manages only the traffic that passes through the network device (typically a switch) to which it is attached. Multiple Network Agent instances may be needed, depending on:
*
network size
*
volume of Internet requests
*
network configuration
While a simple network may require only a single Network Agent, a segmented network may require (or benefit from) a separate Network Agent instance for each segment.
Network Agent functions best when it is closest to the computers that it is assigned to monitor.
For more information, see:
*
Network Agent with multiple NICs
*
NAT and Network Agent
*
Positioning Network Agent in the network
Network Agent with multiple NICs
Network Agent is capable of using more than one network interface card (NIC).
*
Best practices suggest a maximum of 5 NICs.
*
The NICs can be connected to ports on the same network device (switch or router), or to different network devices.
If the machine running Network Agent has multiple NICs:
*
Only one instance of Network Agent can be installed on the machine.
*
The blocking or inject NIC (used to serve block pages) must have an IP address.
*
Each NIC can be configured to monitor or block Internet requests, or both.
*
Each NIC can be configured to monitor a different network segment.
*
At least one NIC must be configured for blocking.
When you configure separate network cards to monitor traffic and send block messages (shown in the illustration below):
*
The monitoring and blocking NIC do not have to be assigned to the same network segment.
*
The monitoring NIC must be able to see all Internet traffic in the network segment that it is assigned to monitor.
*
Multiple monitoring NICs can use the same blocking NIC.
*
The blocking NIC must be able to send block messages to all machines assigned to the monitoring NICs, even if the machines are on another network segment.
*
A monitoring NIC can be set for stealth mode.
*
The blocking NIC must have an IP address (cannot be set to stealth mode).
During installation, you specify which NIC is used by Websense software for communication and which NIC or NICs are used by Network Agent.
For information on configuring multiple NICs, see the Network Agent Quick Start.
NAT and Network Agent
If you use Network Address Translation (NAT) on internal routers, Network Agent may be unable to identify the source IP address of client machines. When Network Agent detects traffic after it is passed through such a router, the agent sees the IP address of the router's external interface as the source of the request, rather than the IP address of the client machine.
To address this issue, either disable NAT, or install Network Agent on a machine located between the NAT router and the monitored clients.

Go to the table of contents Go to the previous page Go to the next page
Web Security Deployment Recommendations > Standalone deployment guidelines for Network Agent
Copyright 2016 Forcepoint LLC. All rights reserved.