Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page
Setting Up V-Series Appliances > Configuring Web appliance components
Configuring Web appliance components
Deployment and Installation Center | Web Protection Solutions | v8.2.x.
Applies to:                                                                                                          
*
TRITON AP-WEB and Web Filter & Security, v8.2.x
*
V-Series appliances, v8.2.x
Be sure that you have selected your policy source machine before starting to complete this section. The policy source is the machine where appliances get web protection solution global configuration and policy information. If a Windows or Linux server will be the policy source machine in your network, set it up first, so that you can point the V-Series appliances to it.
Use the Configuration > Web Components page to specify which Web components are active on the appliance, and where the appliance gets web protection solution global configuration and filtering policy information. You should also specify the location of the Web module of the TRITON Manager.
1.
Under Policy Source, select which web protection solution configuration is used on this appliance: Full policy source (default; see What is a policy source?), User directory and filtering, or Filtering only (see What if an appliance is not the policy source?).
*
If this is a Full policy source appliance, it acts as both the Policy Broker and a Policy Server. There can be only 1 Full policy source appliance in your network.
*
If this is a User directory and filtering appliance, it also acts as a Policy Server. Enter the IP address of the Policy Broker appliance or server.
*
If this is a Filtering only appliance, enter the IP address of a Policy Server. It does not have to be the IP address of the Policy Broker machine.
2.
The TRITON Manager (management consoles) must be installed on a Windows Server 2008 R2 SP1 64-bit, Windows Server 2012, or Windows Server 2012 R2 Standard Edition machine. Identify this machine here by IP address.
3.
Click OK to save and apply your changes.
What is a policy source?
Every TRITON AP-WEB deployment must include a policy source. This is an appliance or other server that hosts at least 2 components: a Policy Broker and a Policy Database (a Policy Server must also be present; additional components are often installed). All other V-Series appliances or other servers point to this machine and receive regular updates from it.
Policy Broker is the component that controls access to global configuration information and policy data consumed by other components. Policy Broker can be deployed in a standalone configuration or in a replicated configuration.
*
A standalone configuration has 1 Policy Broker for the entire deployment. All Policy Servers connect to the same Policy Broker. In a standalone deployment, Policy Broker can reside on a Windows or Linux server, or a V-Series appliance.
*
In a replicated configuration, there is 1 primary Policy Broker, to which configuration and policy changes are saved, and one or more replica instances, each with its own read-only copy of the configuration and policy data. Each Policy Server can be configured to specify whether it attempts to connect to the primary Policy Broker or a replica instance at startup.
In a replicated configuration, Policy Broker cannot reside on a V-Series appliance. The primary Policy Broker and all replica instances must be hosted by a Windows or Linux server.
When Policy Broker replication is enabled, if the primary Policy Broker machine fails, all components connect to replica Policy Broker instances and continue to run normally, using the read-only configuration and policy data stored by the replica.
When a Web appliance with Content Gateway is configured as a policy source, all available web components run on that appliance, including.
*
Filtering Service
*
Policy Database
*
Policy Broker
*
Policy Server
*
User Service
*
Directory Agent (required only for hybrid service)
*
State Server (optional; disabled by default)
*
Multiplexer (optional; disabled by default; unavailable when the appliance is Filtering only)
*
Usage Monitor
*
Control Service
*
Content Gateway module
*
Network Agent module (optional)
Windows-only services, like the TRITON Manager, Log Server, and optional services, like transparent identification agents, still run on other machines.
A non-appliance policy source is a server hosting Policy Broker. The Policy Database is automatically created and run on the Policy Broker machine. This machine typically also includes a Policy Server instance, and may include additional TRITON software components.
The Policy Database holds all filtering policies (including client definitions, filters, and filter components) for all appliances and all domains in the network. It also holds global configuration information that applies to the entire deployment.
What if an appliance is not the policy source?
A V-Series appliance that is not serving as the policy source can be designated to run either User directory and filtering or Filtering only.
*
A User directory and filtering appliance is a lightweight version of the policy source machine. It runs:
*
Policy Server
*
User Service
*
Usage Monitor
*
Filtering Service
*
Control Service
*
Directory Agent
*
Content Gateway module (if installed)
*
Network Agent module (required for web protection solutions that do not include the Content Gateway; optional with Content Gateway)
Having User Service and Policy Server on remote appliances means that you are able to obtain local network user names. Latency between User Service and Policy Server is eliminated, because both run on the same appliance.
Whenever you make a policy change, that change is immediately updated on the policy source appliance. The change is pushed out to user directory and filtering appliances within 30 seconds.
These appliances can continue filtering for as long as 14 days if their connection with the policy source machine is interrupted. So even if a network connection is poor or is lost, filtering continues as expected.
A User directory and filtering appliance is configured to point to the full policy source for updates.
*
A Filtering only appliance does not run Policy Server. It runs only:
*
Filtering Service
*
Control Service
*
Content Gateway module (if installed)
*
Network Agent module (required for web protection solutions that do not include the Content Gateway; optional with Content Gateway)
A Filtering only appliance is configured to point to a Policy Server. This works best when the appliance is close to the Policy Server and on the same network.
These appliances require a continual connection to the centralized Policy Server, not only to stay current, but also to continue filtering. If the connection to the Policy Server becomes unavailable for any reason, filtering on a Filtering only appliance can continue for up to 3 hours.
If the Policy Server machine is on a remote network, with a WAN connection, it can be difficult to obtain user name/IP address maps for the local users.
User directory with V-Series appliances
If your organization relies on user identification or authentication, each appliance that is running Forcepoint User Service must be configured to talk to a user directory. Multiple appliances can talk to the same user directory, or to different user directories.
Preparing for a hybrid configuration
In environments that include the Web Hybrid Module, some users may be filtered by the hybrid (cloud) service. In this situation, an interoperability component on the appliance called Directory Agent is required to enable user-, group-, and domain- (OU) based filtering.
Directory Agent must be able to communicate with:
*
A supported LDAP-based directory service:
*
Windows Active Directory® (Mixed Mode)
*
Windows Active Directory (Native Mode®)
*
Oracle (Sun Java™) System Directory
*
Novell eDirectory
*
Forcepoint Sync Service
After deployment, use the Web module of the TRITON Manager to configure User Service and Directory Agent.
*
User Service configuration is performed on the Settings > General > Directory Services page.
*
Directory Agent configuration is performed on the Settings > Hybrid Configuration > Shared User Data page.
*
You can have multiple Directory Agent instances.
*
Each Directory Agent must use a unique, non-overlapping root context.
*
Each Directory Agent instance must be associated with a different Policy Server.
*
All Directory Agent instances must connect to a single Sync Service. (A deployment can have only one Sync Service instance.)
*
You must configure the Sync Service connection manually for all supplemental Directory Agent instances (these are the Directory Agents running on User Directory and filtering, and Filtering only appliances). Communication is configured automatically for the Directory Agent instance that connects to the same Policy Server as Sync Service. See the Administrator Help for TRITON AP-WEB for details.
You can configure Directory Agent to use a different root context than User Service, and to process its directory data differently than User Service. Also, with Windows Active Directory, if User Service is configured to communicate with multiple global catalog servers, Directory Agent can communicate with all of them.
Redundancy
Web traffic management requires interaction between several TRITON software components:
*
User requests for Internet access are proxied and analyzed by Content Gateway.
*
User requests for Internet access may also be managed by Network Agent.
*
The requests are sent to Filtering Service for processing.
*
Filtering Service communicates with Policy Broker to apply the appropriate policy in response to the request.
In some networks, additional machines may be used to deploy additional instances of Content Gateway, Filtering Service, Network Agent, or other components. For example, in a large, segmented network, you may need a separate Network Agent for each segment. Or, you might deploy the Remote Filtering Server on a separate computer, to enable filtering of laptops and other computers that are outside the organization's network.
Check the Forcepoint Deployment and Installation Center for component distribution options. Contact your Forcepoint Sales Engineer, or your authorized Forcepoint reseller, for assistance in planning a more complex deployment.

Go to the table of contents Go to the previous page Go to the next page
Setting Up V-Series Appliances > Configuring Web appliance components
Copyright 2016 Forcepoint LLC. All rights reserved.