Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page
Deploying Web Protection Solutions > Extending your deployment with additional web protection components
Extending your deployment with additional web protection components
Deployment and Installation Center | TRITON AP-WEB and Web Filter & Security | v8.0.x
In this topic                                       
*
Filtering Services per Policy Server
*
Network Agents per Filtering Service
*
Policy Server, Filtering Service, and State Server
*
Policy Server, Filtering Service, and Multiplexer
In large, high-traffic, or geographically distributed organizations, you can deploy multiple groups of policy components, each with its own Websense Policy Server instance, to:
*
Provide load-balancing capabilities.
*
Improve responsiveness in locations far away from the central deployment.
*
Manage high amounts of traffic.
When Policy Broker is installed in standalone mode, all Policy Server instances connect to the same, central Policy Broker. When Policy Broker is installed in replicated mode, you can configure how each Policy Server determines which Policy Broker instance to use.
Each Policy Server instance can support:
*
Up to 10 Filtering Service instances (see Filtering Services per Policy Server)
*
Each Filtering Service can support up to 4 Network Agent instances (see Network Agents per Filtering Service)
*
1 User Service
*
1 Usage Monitor
*
1 Log Server
*
1 State Server (see Policy Server, Filtering Service, and State Server)
*
1 Multiplexer (see Policy Server, Filtering Service, and Multiplexer)
*
1 Directory Agent (Web Hybrid module only; see Directory Agent)
For high-level diagrams of larger deployments, see Deploying web protection for a distributed enterprise.
Filtering Services per Policy Server
As a best practice, deploy no more than 10 Filtering Service instances per Policy Server. A Policy Server instance may be able to handle more, depending on the load. If the number of Filtering Service instances exceeds the Policy Server's capacity, however, responses to Internet requests may be slowed.
Multiple Filtering Service instances are useful to manage remote or isolated sub-networks.
The appropriate number of Filtering Service instances for a Policy Server depends on:
*
The number of users per Filtering Service
*
The configuration of the Policy Server and Filtering Service machines
*
The volume of Internet requests
*
The quality of the network connection between the components
If a ping command sent from one machine to another receives a response in fewer than 30 milliseconds (ms), the connection is considered high-quality. See Testing the Policy Server to Filtering Service connection.
If Filtering Service and Policy Server become disconnected, all Internet requests are either blocked or permitted, as configured in the Web module of the TRITON Manager. See Configuring your account information for details.
Filtering Service machines running behind firewalls or running remotely (at a great topological distance, communicating through a series of routers) may need their own Policy Server instance.
Testing the Policy Server to Filtering Service connection
Run a ping test to check the response time and connection between the Policy Server and Filtering Service machines. A response time of fewer than 30 milliseconds is recommended.
1.
Open a command prompt (Windows) or terminal session (Linux) on the Policy Server machine.
2.
Enter the following command:
ping <IP address or hostname>
Use the IP address or hostname of the Filtering Service machine.
On Windows machines, the results resemble the following:
C:\>ping 11.22.33.254
Pinging 11.22.33.254 with 32 bytes of data:
Reply from 11.22.33.254: bytes=32 time=14ms TTL=63
Reply from 11.22.33.254: bytes=32 time=15ms TTL=63
Reply from 11.22.33.254: bytes=32 time=14ms TTL=63
Reply from 11.22.33.254: bytes=32 time=15ms TTL=63
Ping statistics for 11.22.33.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 14ms, Maximum = 15ms, Average = 14ms
In a Linux environment, the results look like this:
[root@localhost root]# ping 11.22.33.254
PING 11.22.33.254 (11.22.33.254) 56(84) bytes of data.
64 bytes from 11.22.33.254: icmp_seq=2 ttl=127 time=0.417 ms
64 bytes from 11.22.33.254: icmp_seq=3 ttl=127 time=0.465 ms
64 bytes from 11.22.33.254: icmp_seq=4 ttl=127 time=0.447 ms
64 bytes from 11.22.33.254: icmp_seq=1 ttl=127 time=0.854 ms
Ensure that Maximum round trip time or the value of time=x.xxx ms is fewer than 30 ms. If the time is greater than 30 ms, move one of the components to a different network location and run the ping test again. If the result is still greater than 30 ms, locate and eliminate the source of the slow response.
Network Agents per Filtering Service
As a best practice, deploy no more than 4 Network Agent instances per Filtering Service. One Filtering Service instance may be able to handle more than 4 Network Agents, depending on the number of Internet requests, but if Filtering Service or Network Agent capacities are exceeded, policy enforcement and logging inconsistencies may occur.
Network Agent can typically monitor 50 Mbps of traffic per second, or about 800 requests per second. The number of users that Network Agent can monitor depends on the volume of Internet requests from each user, the configuration of the network, and the location of Network Agent in relation to the computers it is assigned to monitor. Network Agent functions best when it is close to those computers.
Network Agent communicates with Filtering Service on port 15868.
Policy Server, Filtering Service, and State Server
If your deployment includes multiple instances of Filtering Service that might handle a request from the same user, an optional component, Websense State Server, can be installed to enable proper application of time-based policy actions. (Quota time, for example, is a time-based action that can be used to give users access to websites in selected categories for a configurable time period.)
When State Server is installed, all of its associated Filtering Service instances share timing information, so users receive the correct allotment of access to time-restricted categories.
*
State Server is typically installed on a Policy Server machine, and only one State Server instance is required per logical deployment.
A logical deployment is any group of Policy Server and Filtering Service instances that might handle requests from the same set of users.
*
State Server can be enabled via the command-line interface on full policy source or user identification and filtering appliances.
*
All Filtering Service instances that communicate with the same State Server instance must share the same time zone, and the time on all machines must be in synch.
*
State Server communicates with Filtering Service on port 55828.
*
Each Filtering Service instance can communicate with only one State Server.
*
All Filtering Service instances associated with the same Policy Server must communicate with the same State Server.
*
Multiple Policy Server instances can share a single State Server.
In a geographically dispersed organization, where each location has its own Policy Server and Filtering Service instances, deploy one State Server instance (on the Policy Server machine or Websense appliance) at each location.
In an organization where all requests are managed through a central location, only one State Server instance is needed.
Policy Server, Filtering Service, and Multiplexer
Websense web protection solutions can be configured to pass logging data (the same information processed by Log Server) to a third-party Security and Information and Event Management (SIEM) product.
When SIEM integration is enabled, Websense Multiplexer collects log data from Filtering Service and passes it to both Log Server and the integrated SIEM product. (When SIEM integration is disabled, Filtering Service sends log data directly to Log Server, with no intermediary.)
*
Multiplexer is typically installed on the Policy Server machine.
*
When Policy Server resides on a Websense appliance, always enable Multiplexer on the appliance. Do not attempt to connect an off-appliance Multiplexer instance to the on-appliance Policy Server.
*
With software (non-appliance) installations of Policy Server, it does not matter whether Multiplexer is on the same machine or a different machine.
*
Install one Muliplexer per Policy Server.
*
Multiplexer can be enabled via the command-line utility on full policy source or user identification and filtering appliances.
Multiplexer communicates with the following components:
*
Policy Server on ports 40000, 55806, and 56010
*
Filtering Service on port 55805 (inbound)
*
Log Server on port 55805 (outbound)
*
SIEM integration (port varies; 514 for TCP and 515 for UDP)

Go to the table of contents Go to the previous page Go to the next page
Deploying Web Protection Solutions > Extending your deployment with additional web protection components
Copyright 2016 Forcepoint LLC. All rights reserved.