Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Network Agent Quick Start : Deploying Network Agent
Deploying Network Agent
Network Agent Quick Start | Web Protection Solutions | v8.2.x, v8.3.x | 22-Nov-2016
Where does Network Agent belong in the network?
Install Network Agent where it can see all Internet requests (HTTP and non-HTTP) from the machines it is assigned to monitor. This monitoring must be done inside the firewall.
Optionally, deploy multiple Network Agent instances, with each instance monitoring a different segment of the network. This may be necessary in a busy network.
The size and configuration of the network, the hardware capabilities of each Network Agent machine, and the volume and type of network traffic all play a role in determining how many Network Agent instances are needed. Some sites can use one Network Agent machine for every thousand users; others use one Network Agent machine for several thousand users. Forcepoint Technical Support and Sales Engineering can assist with deployment decisions.
Network Agent machines can connect to the network via a switch or hub.
Although Network Agent can be installed on the same machine as some integration products, it should never be installed on the same machine as the firewall.
If your network includes a router or Network Address Translation (NAT) device, position Network Agent to see the original (not the translated) IP addresses for all monitored machines.
Network interface cards (NICs)
Network Agent requires at least one network card (NIC) to monitor and block traffic, and can be configured to use multiple NICs. Each NIC that Network Agent uses for monitoring must be able to see all inbound and outbound traffic for the network or segment that it is configured to monitor.
Install and configure each NIC before installing Network Agent:
*
Each NIC must be connected to a switch or hub and enabled in the operating system.
*
The NIC used to monitor traffic must be configured to capture all packets on the network, not only the packets addressed directly to it (promiscuous mode).
If Network Agent is installed on a Linux machine make sure that either:
*
The blocking NIC and monitoring NIC have IP addresses in different network segments (subnets).
*
You delete the routing table entry for the monitoring NIC.
If both the blocking and monitoring NIC on a Linux machine are assigned to the same subnet, the Linux operating system may attempt to send the block via the monitoring NIC. If this happens, the requested page or protocol is not blocked, and the user is able to access the site.
If your network uses 802.1Q VLAN tagging, the NIC used to monitor Internet traffic connects to the switch port with a 802.1Q protocol header. The NIC used for blocking does not need to include the 802.1Q protocol header. As a result, it cannot be connected directly to trunk ports.
If you add a NIC after installing Network Agent, restart the Network Agent service, and then use the Web module of the TRITON Manager to configure the new NIC.
Connecting to a switch
If the Network Agent machine connects to a switch, the switch must support port spanning (mirroring). This means that a copy of all network traffic seen on the switch is sent to the span or mirror port for monitoring.
If you use a switch that supports bidirectional spanning (allowing packets to be monitored and sent from the same port), Network Agent needs only one NIC.
If your switch does not allow bidirectional traffic in spanning (mirroring) mode:
1.
Use the NIC connected to the span port to monitor traffic.
2.
Install a second NIC on the Network Agent machine. The NIC must have an IP address.
3.
Attach the second NIC to a port that can communicate with all monitored machines and the Filtering Service machine.
4.
Configure the second NIC as the blocking NIC.
Connecting to a gateway
In small to medium-sized Microsoft Windows environments, Network Agent can be installed on the gateway machine. This allows Network Agent to manage and monitor all Internet traffic. The gateway can either be a proxy server or a network appliance. Do not install Network Agent on a firewall.
In larger networks, performance can suffer as a result of resource competition between the gateway software and Network Agent.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Network Agent Quick Start : Deploying Network Agent
Copyright 2016 Forcepoint LLC. All rights reserved.