Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page
Setting Up Websense V-Series Appliances > Configuring Web Security components
Configuring Web Security components
Deployment and Installation Center | Web and Email Security Solutions | Version 7.7.x
 
Applies to:                                         
In this topic                                       
*
Web Security, Web Security Gateway, and Web Security Gateway Anywhere, v7.7.x
*
V10000, V10000 G2, and V5000 G2, v7.7.x
*
What is a policy source?
*
What if an appliance is not the policy source?
*
User directory with V-Series appliances
*
Redundancy
Use the Configuration > Web Security Components page to specify which Web Security components are active on the appliance, and where the appliance gets Web Security global configuration and filtering policy information. Also define the TRITON - Web Security location.
*
Under Policy Source, select which Web Security configuration is used on this appliance: Full policy source (default; see What is a policy source?), User directory and filtering, or Filtering only (see What if an appliance is not the policy source?). If this is a Full policy source appliance, it acts as both the Policy Broker and a Policy Server. There can be only 1 Full policy source appliance in your network.
*
If this is a User directory and filtering appliance, it also acts as a Policy Server. Enter the IP address of the Policy Broker appliance or server.
*
If this is a Filtering only appliance, enter the IP address of a Policy Server. It does not have to be the IP address of the Policy Broker machine.
1.
Click OK to save and apply your changes.
2.
If this is a Web Security only (or Web Security Gateway only) appliance running as a Full policy source, under Web Security Components > TRITON - Web Security, specify whether to use the TRITON instance installed On the appliance, or whether to use an Off-appliance instance.
 
* 
Note 
When you upgrade from an earlier version of the appliance, your previous settings are preserved. If you do not have an off-appliance management console location already established, the system uses TRITON - Web Security on the policy source appliance by default.
*
If you are using Websense Data Security or Email Security Gateway in conjunction with Websense Web Security Gateway, the TRITON Unified Security Center must be installed on a Windows Server 2008 R2 64-bit machine.
*
Generally, the on-appliance installation of TRITON - Web Security is intended for evaluations and small deployments. Most production sites are advised to download the TRITON installer from mywebsense.com and install the TRITON console on a separate Windows server.
3.
If you are moving from using an off-appliance TRITON - Web Security instance to using the on-appliance instance, make sure you have backed up your original TRITON console. Then expand Import Configuration and browse to the location of your backup file.
This allows you to move much of your existing configuration and policy information to the appliance, rather than having to recreate your settings.
As always, be sure to verify the configuration in the new TRITON console, as some settings may not be preserved during migration.
4.
Click OK to save and apply your changes.
What is a policy source?
Every Websense Web Security deployment must include a single policy source. This is an appliance or other server that hosts 2 components: Websense Policy Broker and Websense Policy Database. All other Websense appliances or other servers point to this machine and receive regular updates from it. This appliance (or other server) is called the policy source.
*
When a Web Security only appliance (or Web Security Gateway only appliance) is configured as a policy source, all available Web Security components run on that appliance, including.
*
Filtering Service
*
Policy Database
*
Policy Broker
*
Policy Server
*
User Service
*
Directory Agent (required only for hybrid service)
*
State Server (optional)
*
Multiplexer (optional)
*
Usage Monitor
*
Control Service
*
TRITON - Web Security (optional)
*
Reports Information Service
*
Investigative Reports Scheduler
*
Manager Web Server
*
Reporting Web Server
*
Central Access
*
Unified Security Center
*
Settings Database
*
Websense Content Gateway module (only with Web Security Gateway)
*
Network Agent module (required for Web Security; optional for Web Security Gateway)
Windows-only services, like Log Server, and optional services, like transparent identification agents, still run on other machines.
*
When a policy source appliance runs in Web and Email Security mode (hosting Websense Web Security Gateway and Email Security Gateway), the TRITON services are disabled by default.
*
A non-appliance policy source is a server hosting Policy Broker. The Policy Database is automatically created and run on the Policy Broker machine. This machine typically also includes a Policy Server instance, and may include additional Websense software components.
The Policy Database holds all filtering policies (including client definitions, filters, and filter components) for all appliances and all domains in the network. It also holds global configuration information that applies to the entire deployment.
What if an appliance is not the policy source?
A Websense V-Series appliance that is not serving as the policy source can be designated to run either User directory and filtering or Filtering only.
*
A User directory and filtering appliance is a lightweight version of the policy source machine. It runs:
*
Policy Server
*
User Service
*
Usage Monitor
*
Filtering Service
*
Control Service
*
Directory Agent
*
Websense Content Gateway module (if Web Security Gateway is used)
*
Network Agent module (required for Web Security; optional for Web Security Gateway)
Having User Service and Policy Server on remote appliances means that you are able to obtain local network user names. Latency between User Service and Policy Server is eliminated, because both run on the same appliance.
Whenever you make a policy change, that change is immediately updated on the policy source appliance. The change is pushed out to user directory and filtering appliances within 30 seconds.
These appliances can continue filtering for as long as 14 days if their connection with the policy source machine is interrupted. So even if a network connection is poor or is lost, filtering continues as expected.
A User directory and filtering appliance is configured to point to the full policy source for updates.
*
A Filtering only appliance does not run Policy Server. It runs only:
*
Filtering Service
*
Control Service
*
Websense Content Gateway module (if Web Security Gateway is used)
*
Network Agent module (required for Web Security; optional for Web Security Gateway)
A Filtering only appliance is configured to point to a Policy Server. This works best when the appliance is close to the Policy server and on the same network.
These appliances require a continual connection to the centralized Policy Server, not only to stay current, but also to continue filtering. If the connection to the Policy Server becomes unavailable for any reason, filtering on a Filtering only appliance can continue for up to 3 hours.
If the Policy Server machine is on a remote network, with a WAN connection, it can be difficult to obtain user name/IP address maps for the local users.
User directory with V-Series appliances
If your organization relies on user identification or authentication, each appliance that is running Websense User Service must be configured to talk to a user directory. Multiple appliances can talk to the same user directory, or to different user directories.
Preparing for a hybrid configuration
In Web Security Gateway Anywhere environments, some users may be filtered by the hybrid (SaaS) service. In this situation, an interoperability component on the appliance called Directory Agent is required to enable user-, group-, and domain- (OU) based filtering.
Directory Agent must be able to communicate with:
*
A supported LDAP-based directory service:
*
Windows Active Directory® (Mixed Mode)
*
Windows Active Directory (Native Mode®)
*
Oracle (Sun Java™) System Directory
*
Novell eDirectory
*
Websense Sync Service
After deployment, use TRITON - Web Security to configure User Service and Directory Agent.
*
User Service configuration is performed on the Settings > General > Directory Services page.
*
Directory Agent configuration is performed on the Settings > Hybrid Configuration > Shared User Data page.
*
You can have multiple Directory Agent instances.
*
Each Directory Agent must use a unique, non-overlapping root context.
*
Each Directory Agent instance must be associated with a different Policy Server.
*
All Directory Agent instances must connect to a single Sync Service. (A deployment can have only one Sync Service instance.)
*
You must configure the Sync Service connection manually for all supplemental Directory Agent instances (these are the Directory Agents running on User Directory and filtering, and Filtering only appliances). Communication is configured automatically for the Directory Agent instance that connects to the same Policy Server as Sync Service. See the TRITON - Web Security Help for details.
You can configure Directory Agent to use a different root context than User Service, and to process its directory data differently than User Service. Also, with Windows Active Directory, if User Service is configured to communicate with multiple global catalog servers, Directory Agent can communicate with all of them.
Redundancy
Internet usage filtering requires interaction between several Websense software components:
*
User requests for Internet access are proxied by Content Gateway.
*
User requests for Internet access may also be monitored by Network Agent.
*
The requests are sent to Websense Filtering Service for processing.
*
Filtering Service communicates with Policy Server and Policy Broker to apply the appropriate policy in response to the request.
In some networks, additional machines may be used to deploy additional instances of Content Gateway, Filtering Service, Network Agent, or other components. For example, in a large, segmented network, you may need a separate Network Agent for each segment. Or, you might deploy the Remote Filtering Server on a separate computer, to enable filtering of laptops and other computers that are outside the organization's network.
Check the Websense Deployment and Installation Center for component distribution options. Contact your Websense Sales Engineer, or your authorized Websense reseller, for assistance in planning a more complex deployment.

Go to the table of contents Go to the previous page Go to the next page
Setting Up Websense V-Series Appliances > Configuring Web Security components
Copyright 2016 Forcepoint LLC. All rights reserved.