Configuring Network Agent

Network Agent Quick Start | Web Security Solutions | v7.7.x, v7.8.x | 17-Sep-2013

Use TRITON - Web Security to configure Network Agent to recognize machines in your internal network, communicate with Filtering Service, monitor traffic from specified machines, log appropriate data, and more.

To configure Network Agent settings in TRITON - Web Security, select the Settings tab of the left navigation pane, and then expand the Network Agent section.

Configure Global settings

Refer to Planning Worksheet 1 for help in configuring Network Agent Global settings. All Network Agent instances in your network use these settings.

Log on to TRITON - Web Security and go to Settings > Network Agent > Global.

Make sure that the Ignore Internal Traffic list includes all IP addresses in your network.


	Important This information is not used to determine which machines are monitored for filtering. Instead, it allows Network Agent to ignore internal communications while monitoring Internet traffic.

An initial set of entries is provided by default. You can add additional entries, or edit or delete existing entries.

IP addresses and ranges in the list may use IPv4 or IPv6 format.

Be sure to include all IP addresses that are part of your network, whether or not you want Network Agent to monitor traffic to or from the machine. Later, you will configure whether Network Agent monitors traffic to specific internal IP addresses, and specify which IP addresses are monitored for outgoing Internet traffic.

Click Add to add an IP address or IP address range to the list.

Click an entry in the list to edit it.

Mark the check box next to an entry, and then click Delete to remove it from the list.

IP address ranges in the list cannot overlap, and you cannot enter an individual IP address that falls within a range already in the list.

Use the Internal Traffic to Monitor list to specify internal IP addresses (included in the network definition list) for which you do want Network Agent to monitor connections from other internal IP addresses. You might include internal Web servers, for example, to help track access to internal resources.

Any requests sent from within the network to the specified internal machines is monitored by Network Agent. This traffic can be filtered and will appear in reports.

By default, the list is blank.

Use the Additional Settings options allow you to determine how often Network Agent calculates bandwidth usage, and whether and how often protocol traffic is logged:


Field	What to do
Bandwidth calculation interval	Enter a number between 1 and 300 to specify how frequently, in seconds, Network Agent should calculate bandwidth usage. An entry of 300, for example, indicates that Network Agent will calculate bandwidth every 5 minutes. The default is 10 seconds.
Log protocol traffic periodically	Mark this option to log protocol traffic for use in reports, and to enable the Logging interval field.
Logging interval	Enter a number between 1 and 300 to specify how frequently, in minutes, Network Agent logs information about protocol traffic. An entry of 60, for example, indicates that Network Agent will write to the log file every hour. The default is 1 minute.

When you are finished making changes, click OK to cache the changes. Changes are not implemented until you click Save and Deploy.

Configure local settings

Refer to Planning Worksheets 2 and 3 for help in configuring local settings. Only the selected Network Agent instance uses these settings.

Under Settings > Network Agent, highlight or click Global, and then select the IP address of the Network Agent instance that you want to configure. The IP address of the selected instance appears in the title bar at the top of the content pane.

Select the Filtering Service IPv4 address that identifies the Filtering Service instance with which this Network Agent will communicate (Planning Worksheet 2). If Network Agent and Filtering Service are installed on the same machine, the local IP address is selected by default.

Indicate whether Network Agent should block or permit all requests If Filtering Service is not available.

Under the Network Interface Cards list, use the Proxies and Caches list to specify an proxy or cache machines that monitored machines use to access the Internet. This keeps Network Agent from identifying requests from both the client machine and the proxy or cache machine, which could result in duplicate log records or incorrect filtering.

Click Add to include a proxy or cache IP address in the list.

Expand Advanced Network Agent Settings:

If Websense software is installed in integrated mode, verify that the Integration manages HTTP traffic on ports value is correct. (The default is 80, 8080.)

If you have installed Websense software in standalone mode, all ports are monitored and the field is disabled.

If you want Network Agent to ignore traffic on specific ports, mark Configure this Network Agent instance to ignore traffic on the following ports, and then enter one or more ports in a comma-separated list.

With some integrations, this may be used to prevent double logging of HTTPS traffic.

Do not make changes to the Debug Settings options unless directed to do so by Websense Technical Support.

Click OK to cache your changes. Changes are not saved until you click Save and Deploy.

Configure NIC settings

Refer to Planning Worksheet 4 for help in configuring NIC settings. These settings determine which NIC is used for monitoring and which is used for blocking and communication with other Websense components. They also determine which IP addresses this Network Agent instance monitors, and how the agent responds to requests for non-HTTP protocols.

Click an entry in the Network Interface Cards list on the Local Settings page for the Network Agent instance that you are configuring.

The NIC Information list provides a description of the selected network card.

Indicate whether or not to Use this NIC to monitor traffic.

If the Network Agent machine has multiple NICs, you can configure more than one NIC to monitor traffic.


	Note If Network Agent runs on a Linux machine with multiple NICs, the operating system determines in real-time which NIC to use for monitoring. Network Agent may sometimes use a NIC other than the one specified here.

If this NIC will be used for monitoring, click Configure, and continue with step 3.

If this NIC will not be used for monitoring, go to step 4.

Use the Local Settings > NIC Configuration > Monitor List page to configure monitoring behavior:

Use the Monitor List to identify which IP addresses (All, None, or Specific) this Network Agent instance monitors.

If you select Specific, add the IPv4 and IPv6 address ranges and individual IPv4 or IPv6 addresses that this Network Agent should monitor.

Under Monitor List Exceptions, add any IP addresses within the monitored ranges that Network Agent should not monitor.

When you are finished making changes, click OK to return to the NIC Configuration page.

Indicate which NIC Network Agent should use as a Blocking NIC. This NIC is also used for communication with other Websense software components, and must have an IP address.

If you are using Websense software in standalone mode, the Integrations options are disabled. Continue with step 6.

If you have integrated Websense software with a firewall, proxy, network appliance, or other product:

Select Log HTTP requests to improve accuracy in Websense reports.

Select Filter all requests not sent over HTTP ports to use Network Agent to filter only those HTTP requests not sent through the integration product.

Under Protocol Management, indicate whether Network Agent should be used to Filter non-HTTP protocol requests and Measure bandwidth by protocol.

Click OK to cache your changes, and then click Save and Deploy to implement them.

After configuring Network Agent, you may want to use a packet analyzer to ensure that the monitoring NIC is able to see traffic from all of the IP addresses that it is configured to monitor.

Wireshark is a free, popular, open source network protocol analyzer, available for Windows and Linux systems from www.wireshark.org.

If traffic from some IP addresses is not visible:

Review the network configuration and NIC placement requirements.

Review the more detailed network configuration information in the Deployment and Installation Center for your Websense software.

Verify that you have properly configured the monitoring NIC.