Web protection distributed deployment models

Deployment and Installation Center | TRITON AP-WEB and Web Filter & Security | v8.3.x

In this topic

Sites in a region

Expanding sites in a region

National or worldwide offices

Deployment scenarios vary with different enterprise configurations. For example, an organization with 50 remote sites, all located in the same general region, deploys web protection software differently than a company with remote sites spread throughout the world. This section discusses 3 basic example models for distributed enterprises:

Sites in a region: Remote sites located within one region

Expanding sites in a region: Remote sites located within one region, with a growing number of employees or sites (or both)

National or worldwide offices: Remote sites located nationally or globally

Sites in a region

The simplest deployment for a distributed enterprise is a network with remote sites in a single region, such as San Diego County, California, U.S.A. Most organizations with sites like this can use a single TRITON AP-WEB or Web Filter & Security on-premises deployment, centrally located within that region, to provide policy enforcement for all clients.

Each remote site would be managed as shown in the illustration under Web Filter & Security. The site at which the software is deployed is represented as the "main site", but need not be truly a main site in your organization. It is whichever one houses the web protection software.

Off-site users, not shown in the above illustration, can be handled using the Web Hybrid module (TRITON AP-WEB) or Remote Filter module (Web Filter & Security).

Expanding sites in a region

Some organizations deploy TRITON AP-WEB or Web Filter & Security within a given region and later decide to increase the number of remote sites in that area.

To compensate for the additional sites and employees, the organization can:

Improve the performance of the machines running web protection components. Increasing the RAM and CPU, and installing faster hard drives on the machines allows web protection software to respond to an increased number of requests without additional latency. This type of upgrade can help with a moderate increase in head count, or the addition of a few more offices.

Deploy additional machines to run web protection components. If a significant number of new users or sites is added, the deployment of additional instances of certain components, such as Filtering Service and Network Agent, distributes the load and provides optimum performance for each remote site.

Additional instances of web protection components can be deployed within the region as the number of offices continues to grow.

Off-site users, not shown in the above illustration, can be handled using the Web Hybrid module (TRITON AP-WEB) or Remote Filter module (Web Filter & Security).

National or worldwide offices

On-premises only

Some organizations have hundreds of remote sites spread through a country or around the world. In such cases, one or two TRITON AP-WEB or Web Filter & Security installations are not enough because:

Each remote site would be geographically distant from the policy enforcement components. Request lookups would have to travel farther over the Internet for management. This distance increases the total latency of the response and may lead to slower Internet access for end users.

Large numbers of employees generate more Internet requests than recommended for one or two web protection machines, leading to delays in returning web pages to requesting clients.

These organizations should divide their sites into logical regions and deploy policy enforcement components in each region. For example, a distributed enterprise might group their United States sites into a western region, a central region, and an eastern region. Web protection components are deployed at a central site in each region.

The logical division of sites into regions depends on the location and grouping of remote sites and the total number of employees at each site. For example, a company with a large number of remote sites in a concentrated area, such as New York City, may need to deploy multiple web protection machines within that area. Or an enterprise may only have three sites in California with 100 to 250 employees each. In this case, a single web protection installation might be deployed for all three sites. This enterprise also can deploy web protection components locally at each site (rather than using a distributed approach), particularly if IT staff is present at each location.You may consider installing instances of Policy Server, Filtering Service, Content Gateway, and Network Agent to improve response time.

Given the significant number of variables, large organizations should contact a Forcepoint partner or Sales Engineer to plan a rollout strategy before deployment.

With the Web Hybrid module

The Web Hybrid module for TRITON AP-WEB is particularly well-suited for organizations with sites distributed nationally or worldwide.

Single main site

An organization with one main site (such as headquarters office or main campus) and multiple, geographically dispersed remote or branch sites can deploy TRITON AP-WEB at the main site (with policy enforcement for main-site users managed by the on-premises components) and have all remote sites managed by the hybrid service.

Off-site users, not shown in the above illustration, may also be managed by the hybrid service.

Multiple large sites

Organizations with multiple large sites (such as main headquarters and regional headquarters) can deploy on-premises software at the larger sites while managing small, remote sites through the hybrid service. Though the illustration shows a V-Series appliance deployment, this can also be accomplished with X-Series appliances and software-only deployments.