Network Agent deployment and setup

How do I configure Websense Network Agent? I have installed Websense software in Stand-Alone mode, and need Network Agent to filter and log Internet activity, or I have integrated Websense software with a third-party product for HTTP and HTTPS filtering, but want the protocol logging and/or enhanced logging capabilities that Network Agent provides.

Network topology - switch or hub?

Network Agent should be placed as close as possible to the device that is the exit/entry point of your network or LAN. In most environments this gateway device is a firewall or router. For instance, if your firewall or router's internal interface connects to a central or core switch, then the Network Agent machine should also be connected to that same switch.

If you are connecting to a switch, you must consider the precise make and model plus its capabilities. While the individual ports on a true hub will be able to "see" all traffic passing through that hub, no matter its destination port, a switch operates differently.
 
By default, each port on a switch sees only the traffic destined for that port. In order for your Network agent to see all the traffic going out from the switch to the gateway device, you must configure port spanning or port mirroring (the two terms refer to the same functionality, and are variously used by different switch vendors - for simplicity's sake this article will refer to port spanning).

• Higher end switches support bidirectional port spanning, in which the same Network Interface Card (NIC) can both listen ("see" or monitor the traffic) and send on the same port.
• Low-end to mid-range switches may support port spanning, but with a more limited functionality: the attached NIC can only listen or monitor, not send. In this instance, you would need a second NIC in the Network Agent machine: one for normal network communications and one dedicated to monitoring the traffic. Both NICs would be plugged into the same switch as the internal interface of the gateway device; the monitoring NIC must be plugged into the switch span port.
• If your switch does not support port spanning at all (for instance, if it is an unmanaged switch) then you can still allow Network Agent to see all outgoing traffic by use of a classic ("dumb") hub - see below for more details.

For detailed information on configuring your switch for port spanning, see your switch manufacturer's website. See below for more information on configuring your Network Agent and NICs.
 
If you need to connect to a hub instead, it must be a true hub in which every port sees all traffic for all ports on the hub. Many more recent hubs in fact have a certain amount of "intelligence" built in and do not behave as true hubs - you will need an old-style, classic "dumb" hub with no management or built-in intelligence whatsoever. The hub should be the last device on your network before the gateway device. In other words, it should sit in between the gateway device and the core switch. In this way, all traffic passes through the hub on its way out to the internet; if the Network Agent machine is also connected to the hub, it can therefore see all outgoing traffic.

 
One NIC or two?

In a larger environment, even if your switch does support bidirectional port spanning, Websense recommends using two NICs on your Network Agent machine. Many of today's servers come with two NICs onboard, so there is no reason not to make use of the load balancing opportunity this presents.

• Both NICs would be plugged into the same switch as the internal interface of the gateway device.
• The monitoring NIC must be plugged into the switch span port.

The primary NIC is associated with the IP address of the box (assuming that the Network Agent is on the same machine as the rest of the Websense Enterprise components, this will be the IP address of your Policy Server and Filtering Service) and will be used for normal network communications and for sending the Websense Block Page information.
 
The secondary NIC is dedicated to monitoring or listening to the outgoing traffic. This dedicated monitoring NIC need not even have an IP address; it can operate in "stealth" mode with TCP/IP unbound from the card and no IP address assigned. The NIC is said to be in promiscuous mode.
 
In a smaller environment, the choice of one or two NICs is determined by the make and model of switch in use:

• if bidirectional port spanning is supported, then one NIC will suffice
• if not, then two NICs are needed (as above)

If one NIC is used in a bidirectional port span, that card is associated with the server's IP address, delivers the Websense Block Page information and also monitors or listens to the outgoing traffic.
 
If a hub is used, one NIC can perform both the network communications and monitoring functions.

 
Configuration details

Check to make sure Network Agent is installed and running.
 
On Windows:

1. Open the Windows, select Control Panel > Administrative Tools > Services.
2. Locate Websense Network Agent, and verify that the service is present and running.

On Solaris or Linux, go to the /opt/websense directory and enter the following command:

./WebsenseAdmin status


 
Check to see that Network Agent is configured to monitor using the correct NIC(s)

• See the Network Agent Quick Start guide.

1. In Websense Manager, go to Server > Settings, and then expand the Network Agent node. (In versions 6.1 and earlier, simply select the node.)
2. Select Local Settings, and then verify that the correct number of NICs is listed for the server. If the number of NICs is incorrect, make any needed corrections in your server's network configuration, then uninstall and reinstall the Network Agent component only.
3. Verify that the IP address for each NIC is correct.
4. Verify that monitoring settings for each NIC are correct. For example, in a dual NIC environment, the NIC plugged into the span port should be configured to monitor (Yes radio button selected), while the NIC with the primary IP address, used to send out block messages, should not (No radio button selected).
5. Verify that all NICs have the same Communication settings. In other words, the configuration for each NIC should show the same card listed in the "Network Agent uses this NIC to send Block Information" (6.1 and earlier) or "Network Agent uses this NIC to block connections" field.

 
Sample configuration

All Websense components are installed on the same server, which has two NICs installed:

• NIC 1 is assigned the IP address associated with the server (the Policy Server and Filtering Service IP address) and is configured to send block page information.
• NIC 2 has no IP address (TCP/IP is unbound from the card), is configured to Monitor the traffic, and is plugged into the switch's span port. (It listens to the traffic going out the port connected to the gateway device's internal interface.)
• Both NICs are plugged into the same core switch, which also connects to the gateway device.

 
Additional information

• Occasionally even when using a "dumb" hub, Network Agent may not see any HTTP traffic. Check for any firewall settings which may be blocking the network interface, including software-based firewalls. Disable any firewall monitoring or blocking of the interface used by Network Agent.
• If you have a single NIC installed on the machine running Network Agent, be sure that the switch port it is connected to allow both "Ingress" and "Egress" (inbound/outbound) traffic. Both are required to properly configure a bidirectional span or port mirror.

• In a stand-alone installation, no filtering or logging will occur until the Network Agent sees all outbound traffic and is configured correctly. In an installation that is integrated with a third-party product such as a firewall, only HTTP/HTTPS traffic may be filtered and logged until the Network Agent sees all outbound traffic and is configured correctly.

• For version 7.6, the default directory for 'new' installs is C:\Program Files\Websense\Web Security\ (32-bit machines) or C:\Program Files (x86)\Websense\Web Security\ (64 bit machines). The directory for upgrades to v7.6 is C:\Program Files\Websense\.