Deployment guidelines for Network Agent
Deployment and Installation Center | Web Protection Solutions | v8.5.x
Network Agent manages Internet protocols (including HTTP, HTTPS, and FTP in standalone deployments) by examining network packets and identifying the protocol.
When Network Agent is used, it must be installed:
*
*
Network Agent monitors and manages only the traffic that passes through the network device (typically a switch) to which it is attached. Multiple Network Agent instances may be needed, depending on:
*
*
*
While a simple network may require only a single Network Agent, a segmented network may require (or benefit from) a separate Network Agent instance for each segment.
Network Agent functions best when it is closest to the computers that it is assigned to monitor.
NAT and Network Agent
If you use Network Address Translation (NAT) on internal routers, Network Agent may be unable to identify the source IP address of client machines. When Network Agent detects traffic after it has passed through such a router, the agent sees the IP address of the router's external interface as the source of the request, rather than the IP address of the client machine.
To address this issue, either disable NAT, or install Network Agent on a machine located between the NAT router and the monitored clients.
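One way to check a planned monitoring location for the NAT problem described above, given here as an added example and not as part of the Forcepoint documentation or product. It classifies the source addresses seen at the monitoring point; the client network, the router address, the function names and the sample records are all constructed assumptions.

```python
"""Added example: does a monitoring point see real client IPs or NAT-masked ones?"""
import ipaddress
from collections import Counter

# Assumed addressing plan (constructed values; substitute your own).
CLIENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]    # clients the agent should monitor
NAT_EXTERNAL = {ipaddress.ip_address("192.168.254.2")}  # external interface of an internal NAT router

# Constructed sample of "src dst" pairs as seen at the planned monitoring point,
# for instance reduced from a short packet capture taken there.
SAMPLE = """\
10.20.1.15 198.51.100.7
10.20.1.16 203.0.113.9
192.168.254.2 198.51.100.7
192.168.254.2 203.0.113.9
192.168.254.2 192.0.2.44
203.0.113.9 10.20.1.16
"""

def classify(src):
    """Label one source address: real client, NAT router, or anything else."""
    ip = ipaddress.ip_address(src)
    if ip in NAT_EXTERNAL:
        return "nat_masked"      # request already rewritten by the router
    if any(ip in net for net in CLIENT_NETS):
        return "client"          # agent can attribute the request to a machine
    return "other"               # e.g. inbound replies from Internet hosts

def summarize(text):
    """Count source classifications over 'src dst' lines, skipping malformed ones."""
    counts = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            counts[classify(parts[0])] += 1
        except ValueError:       # not an IP address
            counts["unparsed"] += 1
    return counts

def placement_ok(counts):
    """True only if client requests were seen and none arrived NAT-masked."""
    return counts["client"] > 0 and counts["nat_masked"] == 0

if __name__ == "__main__":
    c = summarize(SAMPLE)
    print(dict(c), "placement ok:", placement_ok(c))
```

A result with any `nat_masked` sources means the monitoring point sits on the far side of a NAT router from at least some clients, which is the condition the two remedies above address.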
Network Agent NIC configuration
Network Agent must be able to see all outgoing and incoming Internet traffic on the network segment that it is assigned to monitor. Do not install multiple instances of Network Agent on the same machine.
If the Network Agent machine connects to a switch:
*
 
Note 
*
If the switch does not support bidirectional spanning, the Network Agent machine must have at least 2 NICs: one for monitoring and one for blocking.
*
*
Network Agent can also connect to an unmanaged, unswitched hub located between an external router and the network.
If the machine running Network Agent has multiple NICs:
*
*
The blocking or inject NIC (used to serve block pages) must have an IP address (cannot be set for stealth mode).
*
See Network Agent and stealth mode NICs for more details about stealth mode.
*
*
When you configure separate network cards to monitor traffic and send block messages:
*
*
*
*
During installation, you specify which NIC is used for communication and which NIC or NICs are used by Network Agent.
For information on positioning Network Agent in your network, see:
*
*
*

Copyright 2017 Forcepoint. All rights reserved.