Deployment and Installation Center
Websense TRITON Enterprise v7.6.x

Go to the table of contents Go to the previous page Go to the next page Go to the index

As the number of users grows, or if Network Agent does not block Internet requests as expected, place Network Agent on a different machine from Filtering Service and Policy Server. You can also add a second Network Agent and divide the network monitoring between the 2 agents.
If Websense software is running in a high-load environment, or with a high capacity Internet connection, you can increase throughput and implement load balancing by installing multiple Network Agent instances. Install each agent on a different machine, and configure each agent to monitor a different portion of the network.
Important 
If multiple Network Agents are installed, each agent must monitor a different network segment (IP address range).
If a Network Agent machine connects to a switch, the monitor NIC must plug into a port that mirrors, monitors, or spans the traffic of all other ports. Locating Network Agent in multiple segment network, and Network Agent location, discuss locating Network Agent in more detail.
You can use Network Agent or an integration product to track HTTP requests and pass the information to Websense software, which uses the data to filter and log requests.
Network Agent and some integration products also track bandwidth activity (bytes sent and received), and the duration of each permitted Internet request. This data is also passed to Websense software for logging.
When both Network Agent and the integration product provide logging data, the amount of processor time required by Filtering Service increases.
If you are using both Network Agent and an integration product, you can avoid extra processing by configuring Websense software to use Network Agent to log HTTP requests (enhanced logging). When this feature is enabled, Websense software does not log HTTP request data sent by the integration product. Only the log data provided by Network Agent is recorded.
Microsoft SQL Server (as opposed to SQL Server Express) works best for larger networks, or networks with a high volume of Internet activity, because of its capacity for storing large amounts of data over longer periods of time (several weeks or months). See System Requirements for which versions of SQL Server are supported.
Under high load, Microsoft SQL Server operations are resource intensive, and can be a performance bottleneck for Websense software reporting. You can tune the database to improve performance, and maximize the hardware on which the database runs:
u
If Websense Log Server is installed on the database-engine machine, alleviate resource conflicts between Log Server and Microsoft SQL Server by increasing the CPU speed or the number of CPUs.
*
Provide adequate disk space to accommodate the growth of the Log Database. Microsoft SQL Client Tools can be used to check database size.
Note 
Consult Microsoft documentation for detailed information about optimizing Microsoft SQL Server performance.
Microsoft SQL Server 2008 R2 Express (SQL Server Express) is a free, limited-performance database engine best-suited to smaller networks, organizations with a low volume of Internet activity, or organizations planning to generate reports on only short periods of time (for example, daily or weekly archived reports, rather than historical reports over longer time periods). SQL Server Express cannot be optimized.
When you log visits, one log record is created for each Web page requested by a user, rather than each separate file included in the Web page request. This creates a smaller database and allows faster reporting.
When you log hits, a separate log record is generated for each HTTP request to display any element of a Web page, including graphics and ads. This type of logging results in a larger and more detailed database than the logging visits option.
Due to the large amount of disk space required, and due to the performance impact on reporting, it is a best practice not to keep live data from large networks for a year. When you break up the database into smaller pieces, you can generate reports much more quickly.
Enabling full URL logging creates a larger database than with logging hits, and also provides the most detailed reports. Log records include the domain name and the full path to specific pages requested. Use this option if you want reports of real-time scanning activity.
Consolidation helps to reduce the size of the database by combining Internet requests that share the same value for all of the following elements, within a certain interval of time (1 minute, by default):
For example, the user visits www.cnn.com and receives multiple pop-ups during the session. The visit is logged as a record.
*
If consolidation is turned on, additional visits to the site within a specified period are logged as a single record, with a hits (i.e., visits) count indicating the number of times the site was visited in that period.
If your deployment includes Network Agent, you have the option to log non-HTTP protocol traffic (for example, instant messaging or streaming media traffic) in addition to HTTP and HTTPS traffic.
The more protocols you choose to log, the greater the impact on the size of the Log Database. See the TRITON - Web Security Help for information about filtering and logging non-HTTP protocols.


Go to the table of contents Go to the previous page Go to the next page Go to the index