Library Search:


Go to the table of contents Go to the previous page Go to the next page
Network Agent Quick Start : Deploying Network Agent

Deploying Network Agent
Topic 50181 / Updated: 29-Apr-2011
Applies To:
Websense Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere
Versions 7.5, 7.6
Where does Network Agent belong in the network?
Install Network Agent where can it see all Internet requests (HTTP and non-HTTP) from the machines it is assigned to monitor. This monitoring must be done inside the firewall.
Optionally, deploy multiple Network Agent instances, with each instance monitoring a different segment of the network. This may be necessary in a busy network.
The size and configuration of the network, the hardware capabilities of each Network Agent machine, and the volume and type of network traffic all play a role in determining how many Network Agent instances are needed. Some sites can use one Network Agent machine for every thousand users; others use one Network Agent machine for several thousand users. Websense Technical Support and Sales Engineering can assist with deployment decisions.
Network Agent machines can connect to the network via a switch or hub.
Although Network Agent can be installed on the same machine as some integration products, it should never be installed on the same machine as the firewall.
If your network includes a router or Network Address Translation (NAT) device, position Network Agent to see the original (not the translated) IP addresses for all monitored machines.
Network interface cards (NICs)
Network Agent requires at least one network card (NIC) to monitor and block traffic, and can be configured to use multiple NICs. Each NIC that Network Agent uses for monitoring must be able to see all inbound and outbound traffic for the network or segment that it is configured to monitor.
Install and configure each NIC before installing Network Agent:
*
Each NIC must be connected to a switch or hub and enabled in the operating system.
*
The NIC used to monitor traffic must be configured to capture all packets on the network, not only the packets addressed directly to it (promiscuous mode).
If Network Agent is installed on a Linux machine make sure that either:
*
The blocking NIC and monitoring NIC have IP addresses in different network segments (subnets).
*
You delete the routing table entry for the monitoring NIC.
If both the blocking and monitoring NIC on a Linux machine are assigned to the same subnet, the Linux operating system may attempt to send the block via the monitoring NIC. If this happens, the requested page or protocol is not blocked, and the user is able to access the site.
If you add a NIC after installing Network Agent, restart the Network Agent service, and then use TRITON - Web Security to configure the new NIC.
Connecting to a switch
If the Network Agent machine connects to a switch, the switch must support port spanning (mirroring). This means that a copy of all network traffic seen on the switch is sent to the span or mirror port for monitoring.
If you use a switch that supports bidirectional spanning (allowing packets to be monitored and sent from the same port), Network Agent needs only one NIC.
Some switches do not allow bidirectional traffic in spanning (mirroring) mode. The network card receiving data on the Network Agent machine can only listen, not send. In this case:
1.
Use the NIC connected to the span port to monitor traffic.
2.
Install a second NIC on the Network Agent machine. The NIC must have an IP address.
3.
Attach the second NIC to a port that can communicate with all monitored machines and the Filtering Service machine.
4.
Configure the second NIC as the blocking NIC.
Connecting to a hub
If the device connected to the Network Agent machine is a dumb hub (which distributes traffic to all ports), Network Agent requires only one NIC.
Network Agent must see the traffic, in both directions, for those segments of the network that it is assigned to monitor. The port to which the Network Agent machine is attached must be capable of bidirectional port spanning (mirroring).
Connecting to a gateway
A gateway provides a connection between two networks, such as between your network and the Internet.
In small to medium-sized Microsoft Windows environments, Network Agent can be installed on the gateway machine. This allows Network Agent to manage and monitor all Internet traffic. The gateway can either be a proxy server or a network appliance. Do not install Network Agent on a firewall.
In larger networks, performance can suffer as a result of resource competition between the gateway software and Network Agent.

Quick Links




Go to the table of contents Go to the previous page Go to the next page
Network Agent Quick Start : Deploying Network Agent
(c) 2011 Websense, Inc. All Rights Reserved.