Extending your Web Security deployment
Deployment and Installation Center | Web Security Solutions | Version 7.7.x
 
In large, high-traffic, or geographically distributed organizations, you can deploy multiple groups of policy components, each with its own Websense Policy Server instance, to:
*
*
*
All Policy Server instances connect to the same, central Policy Broker. Except in very rare circumstances, all Policy Server instances also connect to the same, central instance of TRITON - Web Security.
Each Policy Server instance can support:
*
*
*
*
*
*
*
*
Filtering Services per Policy Server
As a best practice, no more than 10 Filtering Service instances should be deployed per Policy Server. A Policy Server instance may be able to handle more, depending on the load. However, if the number of Filtering Service instances exceeds the Policy Server's capacity, responses to Internet requests may be slowed.
Multiple Filtering Service instances are useful to manage remote or isolated sub-networks.
The appropriate number of Filtering Service instances for a Policy Server depends on:
*
*
*
*
If a ping command sent from one machine to another receives a response in less than 30 milliseconds (ms), the connection is considered high-quality. See Testing the Policy Server to Filtering Service connection.
If Filtering Service and Policy Server become disconnected, all Internet requests are either blocked or permitted, as configured on the Settings > General > Account page in TRITON - Web Security. For more information, see Configuring your account information in the TRITON - Web Security Help.
Filtering Service machines running behind firewalls or running remotely (at a great topological distance, communicating through a series of routers) may need their own Policy Server instance. In a multiple Policy Server environment, a single Websense Policy Database holds the policy settings for all Policy Server instances. See the TRITON - Web Security Help for more information.
Testing the Policy Server to Filtering Service connection
Run a ping test to check the response time and connection between the Policy Server and Filtering Service machines. A response time of less than 30 milliseconds is recommended.
1.
2.
ping <IP address or hostname>
Use the IP address or hostname of the Filtering Service machine.
On Windows machines, the results resemble the following:
C:\>ping 11.22.33.254
Pinging 11.22.33.254 with 32 bytes of data:
Reply from 11.22.33.254: bytes=32 time=14ms TTL=63
Reply from 11.22.33.254: bytes=32 time=15ms TTL=63
Reply from 11.22.33.254: bytes=32 time=14ms TTL=63
Reply from 11.22.33.254: bytes=32 time=15ms TTL=63
Ping statistics for 11.22.33.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 14ms, Maximum = 15ms, Average = 14ms
In a Linux environment, the results look like this:
[root@localhost root]# ping 11.22.33.254
PING 11.22.33.254 (11.22.33.254) 56(84) bytes of data.
64 bytes from 11.22.33.254: icmp_seq=2 ttl=127 time=0.417 ms
64 bytes from 11.22.33.254: icmp_seq=3 ttl=127 time=0.465 ms
64 bytes from 11.22.33.254: icmp_seq=4 ttl=127 time=0.447 ms
64 bytes from 11.22.33.254: icmp_seq=1 ttl=127 time=0.854 ms
Ensure that the Maximum round trip time or the value of time=x.xxx ms is less than 30 ms. If the time is greater than 30 ms, move one of the components to a different network location and run the ping test again. If the result is still greater than 30 ms, locate and eliminate the source of the slow response.
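The check described above can be automated by parsing either ping output format and comparing the slowest reply with the 30 ms limit. This is an added example, not part of the original Websense documentation; the function and constant names are hypothetical, SLOW_SAMPLE is constructed for illustration, and failing the check on any lost probe is an assumption added here.

```python
import re

THRESHOLD_MS = 30.0  # ceiling recommended on this page

# Per-reply RTT: "time=14ms" or "time<1ms" (Windows), "time=0.417 ms" (Linux).
RTT_RE = re.compile(r"time[=<]\s*([\d.]+)\s*ms", re.IGNORECASE)
WIN_LOST_RE = re.compile(r"Lost = (\d+)")
NIX_LOST_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")

def assess_ping(output, threshold_ms=THRESHOLD_MS):
    """Summarise ping output: replies, lost probes, worst RTT, pass/fail."""
    # "time<1ms" is counted as 1.0 ms, an upper bound still far below the limit.
    rtts = [float(v) for v in RTT_RE.findall(output)]
    win, nix = WIN_LOST_RE.search(output), NIX_LOST_RE.search(output)
    lost = 0
    if win:
        lost = int(win.group(1))
    elif nix:
        lost = int(nix.group(1)) - int(nix.group(2))
    worst = max(rtts) if rtts else None
    # Assumption added here: any lost probe also fails the check.
    ok = worst is not None and lost == 0 and worst < threshold_ms
    return {"replies": len(rtts), "lost": lost, "max_ms": worst, "ok": ok}

# Windows output as shown on this page.
WINDOWS_SAMPLE = """\
Pinging 11.22.33.254 with 32 bytes of data:
Reply from 11.22.33.254: bytes=32 time=14ms TTL=63
Reply from 11.22.33.254: bytes=32 time=15ms TTL=63
Reply from 11.22.33.254: bytes=32 time=14ms TTL=63
Reply from 11.22.33.254: bytes=32 time=15ms TTL=63
Ping statistics for 11.22.33.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

# Constructed Linux output for a slow, lossy link (not from the page).
SLOW_SAMPLE = """\
PING 11.22.33.254 (11.22.33.254) 56(84) bytes of data.
64 bytes from 11.22.33.254: icmp_seq=1 ttl=59 time=28.1 ms
64 bytes from 11.22.33.254: icmp_seq=2 ttl=59 time=41.7 ms
64 bytes from 11.22.33.254: icmp_seq=4 ttl=59 time=29.9 ms
--- 11.22.33.254 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3005ms
"""

if __name__ == "__main__":
    for name, text in (("windows", WINDOWS_SAMPLE), ("slow", SLOW_SAMPLE)):
        print(name, assess_ping(text))
```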
Network Agents per Filtering Service
As a best practice, no more than 4 Network Agent instances should be deployed per Filtering Service. One Filtering Service instance may be able to handle more than 4 Network Agents, depending on the number of Internet requests, but if Filtering Service or Network Agent capacities are exceeded, filtering and logging inconsistencies may occur.
Network Agent can typically monitor 50 Mbps of traffic, or about 800 requests per second. The number of users that Network Agent can monitor depends on the volume of Internet requests from each user, the configuration of the network, and the location of Network Agent in relation to the computers it is assigned to monitor. Network Agent functions best when it is close to those computers.
Network Agent communicates with Filtering Service on port 15868.
Policy Server, Filtering Service, and State Server
If your deployment includes multiple instances of Filtering Service that might handle a request from the same user, an optional component, Websense State Server, can be installed to enable proper application of time-based filtering actions. For example, users can be granted quota time, which gives them access to sites in selected categories for a limited (configurable) time period.
When State Server is installed, its associated Filtering Service instances share timing information, so users receive the correct allotment of access to time-restricted categories.
*
A logical deployment is any group of Policy Server and Filtering Service instances that might handle requests from the same set of users.
*
State Server can be enabled via the command-line interface on full policy source or user identification and filtering appliances.
*
*
*
*
*
In a geographically dispersed organization, where each location has its own Policy Server and Filtering Service instances, deploy one State Server instance (on the Policy Server machine or V-Series appliance) at each location.
In an organization where all requests are filtered through a central location, only one State Server instance is needed.
Policy Server, Filtering Service, and Multiplexer
Websense Web Security solutions can be configured to pass logging data (the same information processed by Log Server) to a third-party Security Information and Event Management (SIEM) product.
When SIEM integration is enabled, Websense Multiplexer collects log data from Filtering Service and passes it to both Log Server and the integrated SIEM product. (When SIEM integration is disabled, Filtering Service sends log data directly to Log Server, with no intermediary.)
*
*
*
*
*
Multiplexer can be enabled via the command-line utility on full policy source or user identification and filtering appliances.
Multiplexer communicates with the following components:
*
*
*
*

Copyright 2016 Forcepoint LLC. All rights reserved.