Deploying Network Agent > Locating Network Agent in multiple segment network
Depending on the device used to connect network segments, some traffic may not be sent to all segments. A router, bridge, or smart hub serves as traffic control, preventing unneeded traffic from being sent to a segment. In this environment, the Web Filter and Web Security components must be deployed to see all network traffic.
Filtering Service must be installed where it can receive and manage Internet requests from the integration product, if any, and communicate with Network Agent.
Each Network Agent instance must be able to see all Internet requests on the segment or segments that it is configured to monitor.
Multiple Network Agent instances may be needed in a multiple segment network to capture all Internet requests. A Network Agent can be installed on each segment to monitor the Internet requests from that segment.
A limit of 4 Network Agents is suggested for each Filtering Service. It may be possible to use more agent instances, depending on system and network configuration and the volume of Internet requests. See Network Agents per Filtering Service.
• Ensure that the instances are deployed such that they, together, monitor the entire network. Partial deployment results in incomplete filtering and loss of log data in network segments not watched by Network Agent.
• Network Agent instances must not be configured to monitor overlapping IP address ranges. An overlap can result in inaccurate logging and network bandwidth measurements, and improper bandwidth-based filtering.
The network segment or IP address range monitored by each Network Agent is determined by the NIC settings for the agent configured in the TRITON - Web Security console. See the TRITON - Web Security Help for instructions.
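The two requirements above (complete coverage, no overlapping ranges) and the suggested limit of 4 agents can be checked against a planned layout before it is entered in the console. The following script is an added example, not part of the Websense documentation or product; the function name, agent names and address ranges are constructed for illustration.

```python
import ipaddress
from itertools import combinations

MAX_AGENTS = 4  # suggested limit per Filtering Service stated on this page

def audit_agents(segments, agent_ranges):
    """Return (overlaps, uncovered, over_limit) for one Filtering Service.

    segments:     CIDR strings for every segment that must be filtered.
    agent_ranges: {agent name: [CIDR strings that agent monitors]}.
    """
    parsed = {name: [ipaddress.ip_network(c) for c in cidrs]
              for name, cidrs in agent_ranges.items()}
    # Overlap: two different agents monitoring the same addresses.
    overlaps = [(a, str(na), b, str(nb))
                for (a, nets_a), (b, nets_b) in combinations(parsed.items(), 2)
                for na in nets_a for nb in nets_b if na.overlaps(nb)]
    # Coverage: subtract every monitored range from the required segments.
    remaining = [ipaddress.ip_network(c) for c in segments]
    for nets in parsed.values():
        for mon in nets:
            nxt = []
            for seg in remaining:
                if seg.subnet_of(mon):
                    continue                        # fully monitored
                if mon.subnet_of(seg):
                    nxt.extend(seg.address_exclude(mon))  # partly monitored
                else:
                    nxt.append(seg)                 # disjoint, still unwatched
            remaining = nxt
    uncovered = [str(n) for n in ipaddress.collapse_addresses(remaining)]
    return overlaps, uncovered, len(parsed) > MAX_AGENTS

# Constructed sample plan: three segments, two agents (A and B).
SEGMENTS = ["10.22.1.0/24", "10.22.2.0/24", "10.22.3.0/24"]
GOOD = {"A": ["10.22.1.0/24"], "B": ["10.22.2.0/24", "10.22.3.0/24"]}
PARTIAL = {"A": ["10.22.1.0/24"], "B": ["10.22.2.0/24", "10.22.3.0/25"]}
OVERLAP = {"A": ["10.22.1.0/24"], "B": ["10.22.0.0/22"]}

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("partial", PARTIAL), ("overlap", OVERLAP)):
        overlaps, uncovered, over_limit = audit_agents(SEGMENTS, plan)
        print(label, "overlaps:", overlaps, "uncovered:", uncovered,
              "over limit:", over_limit)
```

An unwatched range reported here corresponds to the incomplete filtering and lost log data described above; a reported overlap corresponds to the inaccurate logging and bandwidth measurements.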
Avoid deploying Network Agent across different LANs. If you install Network Agent on a machine in the 10.22.x.x network, and configure it to communicate with a Filtering Service machine in the 10.30.x.x network, communication may be slow enough to prevent Network Agent from blocking an Internet request before the site is returned to the user.
A network with multiple segments can be filtered from a single location. Install Filtering Service where it can receive Internet requests from both the integration product, if any, and each Network Agent.
If the network contains multiple switches, Network Agent instances are inserted into the network at the last switch in the series. This switch must be connected to the gateway that goes out to the Internet.
One Network Agent instance is installed with Filtering Service on Machine A. This machine is connected to the network via a switch that is configured to mirror or span the traffic of network Segment 1.
A second Network Agent is installed on Machine B, which is connected to the same switch as Machine A. Machine B is connected to a different port that is configured to mirror the traffic of Segments 2 and 3.
Each Network Agent is positioned to see all traffic for the network segment it monitors, and to communicate with other Websense components.
The switch is connected to the gateway, allowing the Network Agent instances to monitor network traffic for all network segments.
The network diagram below shows a single Filtering Service with 3 Network Agents, one for each network segment. A deployment like this might be useful in organizations with satellite offices, for example.
• Filtering Service (Machine C) must be installed where it is able to receive and manage Internet requests from both the integration product (if any) and each of the Network Agent instances in all network segments.
• Each Network Agent (machines A, B and C) is connected to the network segment it monitors via the span or mirror port of a switch.
See Deploying multiple Network Agents for more information.
In the following illustration, the switches are not connected in a series. However, each switch is connected to the router, which is connected to the gateway.