Web Security Deployment Recommendations
Positioning Network Agent in the network
Collection: Deployment and Installation Center | Product: Web Security | Version: 7.7.x
Applies to: Web Filter, Web Security, and Web Security Gateway (Anywhere), v7.7.x
In this topic
Locating Network Agent in a single-segment network
Locating Network Agent in a multiple-segment network
Network Agent on a gateway
Network Agent must be able to see all outgoing and incoming Internet traffic on the network segment that it is assigned to monitor.
If the Network Agent machine connects to a switch:
Configure the switch to use a mirror or span port, and connect Network Agent to this port, to allow the agent to see Internet requests from all monitored machines.
Note
Not all switches support port spanning or mirroring. Contact the switch vendor to verify that spanning or mirroring is available, and for configuration instructions.
Optionally, use a switch that supports bidirectional spanning. This allows Network Agent to use a single network interface card (NIC) to both monitor traffic and send block pages.
If the switch does not support bidirectional spanning, the Network Agent machine must have at least 2 NICs: one for monitoring and one for blocking.
Network Agent can also be installed on a dedicated machine, connected to an unmanaged, unswitched hub located between an external router and the network.
To ensure that Network Agent is able to monitor the expected traffic, it must both be positioned properly and configured in TRITON - Web Security. See "Network Agent configuration" in the TRITON - Web Security Help for instructions.
Locating Network Agent in a single-segment network
A single-segment network is a series of logically connected nodes (computers, printers, and so on) operating in the same portion of the network. In a single-segment network, Filtering Service and Network Agent must be positioned to monitor Internet traffic across the entire network.
The following illustration shows the filtering components in a stand-alone Web Security deployment, installed in a central location to see both HTTP and non-HTTP traffic.
Locating Network Agent in a multiple-segment network
Depending on the device used to connect network segments, some traffic may not be sent to all segments. A router, bridge, or smart hub serves as traffic control, preventing unneeded traffic from being sent to a segment. In this environment:
Filtering Service must be installed where it can receive and manage Internet requests from Network Agent and any integration product.
Each Network Agent instance must be able to see all Internet requests on the segment or segments that it is configured to monitor.
Multiple Network Agent instances may be needed to capture all Internet requests. A Network Agent can be installed on each segment to monitor the Internet requests from that segment.
Note
A limit of 4 Network Agents is suggested for each Filtering Service. It may be possible to use more agent instances, depending on system and network configuration and the volume of Internet requests.
If multiple Network Agent instances are installed:
Ensure that the instances are deployed so that, together, they monitor the entire network. Partial deployment results in incomplete filtering and loss of log data in network segments not visible to Network Agent.
Each Network Agent instance must monitor a non-overlapping set of IP addresses. An overlap can result in inaccurate logging and network bandwidth measurements, and improper bandwidth-based filtering.
The network segment or IP address range monitored by each Network Agent instance is determined by the NIC settings for the agent, configured in TRITON - Web Security. See the TRITON - Web Security Help for instructions.
Avoid deploying Network Agent across different LANs. If you install Network Agent on a machine in the 10.22.x.x network, and configure it to communicate with a Filtering Service machine in the 10.30.x.x network, communication may be slow enough to prevent Network Agent from blocking an Internet request before the site is returned to the user.
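As an added example (not Websense/Forcepoint code), the following Python script checks a planned multi-agent deployment against the placement rules above: every segment monitored, no overlapping monitored ranges, the suggested limit of 4 agents per Filtering Service, and each agent on the same LAN as its Filtering Service. All addresses are constructed, and treating hosts that share a /16 as "the same LAN" is an assumption modelled on the 10.22.x.x / 10.30.x.x example in the text.

```python
from collections import Counter
from ipaddress import ip_network

MAX_AGENTS_PER_FS = 4  # suggested limit per Filtering Service (from this topic)
LAN_PREFIX = 16  # assumption: hosts sharing a /16 are on one LAN (10.22.x.x vs 10.30.x.x)

# Constructed sample plan: segments to protect, and for each agent its host,
# the ranges it monitors, and the Filtering Service (fs) it reports to.
SEGMENTS = ["10.22.1.0/24", "10.22.2.0/24", "10.22.3.0/24"]
AGENTS = [
    {"host": "10.22.1.5", "monitors": ["10.22.1.0/24"], "fs": "10.22.1.10"},
    {"host": "10.22.2.5", "monitors": ["10.22.2.0/24"], "fs": "10.22.1.10"},
    {"host": "10.30.0.5", "monitors": ["10.22.2.128/25", "10.22.3.0/25"], "fs": "10.22.1.10"},
]


def uncovered(segment, monitored):
    """Parts of `segment` no monitored range covers (CIDR blocks nest or are disjoint)."""
    remaining = [segment]
    for m in monitored:
        nxt = []
        for r in remaining:
            if r.subnet_of(m):  # r inside m (or equal): fully covered
                continue
            if m.subnet_of(r):  # m strictly inside r: carve it out
                nxt.extend(r.address_exclude(m))
            else:  # disjoint: untouched
                nxt.append(r)
        remaining = nxt
    return remaining


def same_lan(a, b):
    return ip_network(f"{a}/{LAN_PREFIX}", strict=False) == ip_network(f"{b}/{LAN_PREFIX}", strict=False)


def check_plan(segments, agents):
    """Return human-readable issues; an empty list means the plan follows the rules."""
    issues = []
    monitored = [(a["host"], ip_network(m)) for a in agents for m in a["monitors"]]
    for i, (h1, n1) in enumerate(monitored):  # overlap: inaccurate logging and bandwidth filtering
        for h2, n2 in monitored[i + 1:]:
            if h1 != h2 and n1.overlaps(n2):
                issues.append(f"overlap: {h1} monitors {n1}, {h2} monitors {n2}")
    for seg in segments:  # unmonitored addresses: no filtering and no log data
        for gap in uncovered(ip_network(seg), [n for _, n in monitored]):
            issues.append(f"uncovered: {gap} in segment {seg}")
    for a in agents:  # agent on a different LAN than its Filtering Service may block too late
        if not same_lan(a["host"], a["fs"]):
            issues.append(f"cross-LAN: agent {a['host']} and Filtering Service {a['fs']}")
    for fs, n in Counter(a["fs"] for a in agents).items():
        if n > MAX_AGENTS_PER_FS:
            issues.append(f"too many agents for Filtering Service {fs}: {n}")
    return issues
```

Running `check_plan(SEGMENTS, AGENTS)` on the sample plan reports one overlap, one uncovered half of Segment 3, and one agent placed across LANs from its Filtering Service.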
Central Network Agent placement
A network with multiple segments can be filtered from a single location. Install Filtering Service where it can receive Internet requests from each Network Agent and any integration product.
If the network contains multiple switches, Network Agent instances are inserted into the network at the last switch in the series. This switch must be connected to the gateway that goes out to the Internet.
In the following illustration:
One Network Agent instance is installed with Filtering Service on Machine A. This machine is connected to the network via a switch that is configured to mirror or span the traffic of network Segment 1.
A second Network Agent is installed on Machine B, which is connected to the same switch as Machine A. Machine B is connected to a different port that is configured to mirror the traffic of Segments 2 and 3.
Each Network Agent is positioned to see all traffic for the network segment it monitors, and to communicate with other Websense components.
The switch is connected to the gateway, allowing the Network Agent instances to monitor network traffic for all network segments.
Distributed Network Agent placement
The network diagram below shows a single Filtering Service with 3 Network Agents, one for each network segment. A deployment like this might be useful in organizations with satellite offices, for example.
Filtering Service (Machine C) must be installed where it is able to receive and manage Internet requests from each Network Agent instance and any integration product.
Each Network Agent (machines A, B and C) is connected to the network segment it monitors via the switch's span or mirror port.
In the following illustration, the switches are not connected in a series. However, each switch is connected to the router, which is connected to the gateway.
Network Agent on a gateway
A gateway provides a connection between two networks. The networks do not need to use the same network communication protocol. The gateway can also connect a network to the Internet.
Network Agent can be installed on the gateway machine, allowing Network Agent to manage and monitor all Internet traffic. The gateway can either be a third-party proxy server or a network appliance.
Do not install Network Agent on a firewall. Also, if your network includes a software installation of Content Gateway, do not install Network Agent on the Content Gateway machine. (Content Gateway and Network Agent can reside on the same V-Series appliance.)
The following illustration shows Network Agent monitoring the Internet traffic at the proxy gateway or caching appliance directly attached to the firewall.
Important
The gateway configuration shown here is best used in small to medium networks.
In larger networks, performance can suffer as a result of resource competition between the gateway software and Network Agent.
Copyright 2016 Forcepoint LLC. All rights reserved.