v7 Deployment Guide
Websense Web Security
Websense Web Filter

1996–2008, Websense, Inc. All rights reserved.
10240 Sorrento Valley Rd., San Diego, CA 92121, USA
Published 2008
Printed in the United States of America and Ireland

The products and/or methods of use described in this document are covered by U.S. Patent Numbers 6,606,659 and 6,947,985 and other patents pending.

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Websense Inc.

Every effort has been made to ensure the accuracy of this manual. However, Websense Inc., makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Websense Inc. shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

Trademarks

Websense and Websense Enterprise are registered trademarks of Websense, Inc. in the United States and certain international markets. Websense has numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.

Microsoft, Windows, Windows NT, Windows Server, Internet Explorer, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Sun, Sun Java System, Sun ONE, and all Sun Java System based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc., in the United States and other countries.

Mozilla and Firefox are registered trademarks of the Mozilla Foundation in the United States and/or other countries.

eDirectory and Novell Directory Services are registered trademarks of Novell, Inc., in the United States and other countries.

Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Pentium is a registered trademark of Intel Corporation.

Red Hat is a registered trademark of Red Hat, Inc., in the United States and other countries. Linux is a trademark of Linus Torvalds, in the United States and other countries.

Citrix, Citrix Presentation Server, and MetaFrame are trademarks or registered trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.

Cisco, Cisco Systems, Cisco PIX Firewall, Cisco IOS, Cisco Routers, and Cisco Content Engine are registered trademarks or trademarks of Cisco Systems, Inc., in the United States and certain other countries.

Check Point, OPSEC, FireWall-1, VPN-1, SmartDashboard, and SmartCenter are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates.

Inktomi, the Inktomi logo, and Inktomi Traffic Server are registered trademarks of Inktomi Corporation.

Network Appliance is a trademark and NetCache is a registered trademark of Network Appliance, Inc., in the U.S. and other countries.

This product includes software distributed by the Apache Software Foundation (http://www.apache.org). Copyright (c) 2000. The Apache Software Foundation. All rights reserved.

Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

Contents

List of Figures
List of Tables

Chapter 1 Introduction
  Websense Components
  Reporting Components

Chapter 2 General Deployment Recommendations
  Operating system requirements
  VMWare support
  Network considerations
  System recommendations
  Deployment configurations
  Component limits
  Component suggestions
  Network considerations
  Network Agent suggestions
  Number of Filtering Services allowed per Policy Server
  Required external resources
  Supported directory services
  Deploying transparent identification agents
  Combining transparent identification agents
  Maximizing system performance
  Network Agent
  HTTP reporting
  Database Engine
  Log Database disk space recommendations
  Stand-Alone Edition
  Remote Filtering
  Supported integrations

Chapter 3 Deploying Network Agent
  Network Agent
  Network Agent settings
  Network Agent location
  Single segment network
  Multiple segment network
  Deploying multiple Network Agents
  Central Network Agent placement
  Distributed Network Agent placement
  Hub configuration
  Switched networks with a single Network Agent
  Switched networks with multiple Network Agents
  Gateway configuration
  Using multiple NICs
  NAT and Network Agent deployment

Chapter 4 Integration Deployment
  Websense Content Gateway
  Cisco deployment
  Cisco Content Engine
  Cisco IOS Routers
  Check Point
  Simple
  Distributed
  Microsoft ISA Server
  Single Microsoft ISA Server configuration
  Array configuration
  Squid Web Proxy Cache deployment
  Single Squid Web Proxy Cache configuration
  Array configuration
  NetCache integration
  Universal integration
  Citrix

Index

List of Figures

Figure 1, Example of Remote Filtering Deployment
Figure 2, Websense software in a single-segment network
Figure 3, Websense software in a multiple-segment network
Figure 4, Multiple Network Agents in a multiple-segment network
Figure 5, Network Agent connected to a hub
Figure 6, Simple deployment in a switched environment
Figure 7, Multiple subnets in a switched environment
Figure 8, Switched environment with a remote office connection
Figure 9, Multiple Network Agents in a switched environment
Figure 10, Network Agent installed on the gateway
Figure 11, Network Agent deployed with Websense Content Gateway
Figure 12, Dual NIC configuration
Figure 13, Integration with Websense Content Gateway
Figure 14, Common Windows Network Configuration for Cisco PIX Firewall or ASA
Figure 15, Common Windows network configuration for Cisco Content Engine
Figure 16, Common Windows network configuration for Cisco IOS Routers
Figure 17, Simple network configuration
Figure 18, Multi-Segmented network configuration
Figure 19, Filtering components installed with Microsoft ISA Server
Figure 20, Filtering components installed separately from Microsoft ISA Server
Figure 21, Microsoft ISA Server array configuration #1
Figure 22, Microsoft ISA Server array configuration #2
Figure 23, Filtering components installed with Squid Web Proxy Cache
Figure 24, Filtering components and Squid Web Proxy Cache on separate machines
Figure 25, Squid Web Proxy Cache array configuration #1
Figure 26, Squid Web Proxy Cache array configuration #2
Figure 27, Common network configuration
Figure 28, Common network configuration
Figure 29, Citrix integration

List of Tables

Table 1, Websense Components
Table 2, Reporting Components
Table 3, Components and Required Software
Table 4, Operating Systems
Table 5, Distributed Layout
Table 6, Deploying Multiple Transparent ID Agents
Table 7, Stand-Alone System Recommendations
Table 8, Remote Filtering Server System Recommendations
Table 9, Supported Integrations

Chapter 1: Introduction

Use this guide to plan your Websense software deployment before installation. The guide provides an overview of how Websense software can be deployed in a network, as well as operating system and hardware requirements.

This guide applies to Websense Web Security and Websense Web Filter, Version 7. References to Websense software or Websense Web Security include both products, unless otherwise indicated.

Websense software consists of components which work together to monitor Internet requests, log activity, apply Internet usage filters, and report on activity. Websense components can be installed together on one machine, or distributed across multiple machines. The appropriate deployment is determined by the network size and configuration, Internet request volume, hardware available, and filtering needs.

This manual provides system recommendations to optimize Websense component performance. Performance can also be improved by using more powerful machines for resource-intensive components.

This chapter introduces the Websense filtering and reporting components. See also:

- Chapter 2: General Deployment Recommendations: operating system requirements for running Websense components, component limits, tips for maximizing performance, plus recommendations for deploying transparent identification agents, Remote Filtering, and the Stand-Alone Edition. Version requirements are also included for various integrations.
- Chapter 3: Deploying Network Agent: information for deploying across single and multiple segment networks. Also provides Network Agent placement details, settings, and relationship to hubs, switches and gateways.
- Chapter 4: Integration Deployment: overview of deploying Websense software with firewalls, proxy servers, caching applications, network appliances, or other integration products or devices.

Note: The technical papers and other documents mentioned in this guide are available from the Documentation > Planning, Installation, and Upgrade folder in the Websense Knowledge Base (www.websense.com/docs).

A series of supplements to this document provide deployment and hardware recommendations based on network size:

- Small network: 1-500 users, or 1-25 requests per second
- Medium network: 500-2,500 users, or 25-125 requests/sec
- Large network: 2,500-10,000 users, or 125-500 requests/sec
- Enterprise network: 10,000-25,000 users, or 500-1250 requests/sec
- Very large enterprise network: 25,000+ users, or more than 1250 requests/sec

Requests per second estimates are based on average usage with "medium" (neither light nor heavy) Internet access needs.

A deployment supplement is also included for Websense Content Gateway. The gateway provides Web and proxy caching, dynamic classification of Web sites, Web 2.0 categorization, and an optional SSL manager. See the Websense Content Gateway documentation for more information on this product.

Note: Deployment recommendations allow for some network growth and an increase in Internet requests. As your network reaches the upper limits of its size classification (small, medium, and so on), review the deployment documents to ensure an optimal system configuration.

Note: Please contact Websense Sales Engineering for assistance in designing your Websense software deployment. A Sales Engineer can help you optimize Websense component deployment and understand the associated hardware needs.

Websense Components

Table 1 provides a brief description of the Websense filtering components. This table groups the components into core (included in a standard deployment) and optional. Table 2, on page 14, provides a brief description of the Websense reporting components. Review these descriptions to better understand the interaction between components. See Table 3, on page 18, and Table 4, on page 23, for information on the operating system versions needed to run these components.

NOTE: Certain integrations include Websense plug-ins. These are discussed in Table 9, on page 44.

Table 1: Websense Components

Core Components

Policy Database
  Stores global Websense software settings (configured in Websense Manager) and policy information (including clients, filters, and filter components). Is installed in the background with Policy Broker. Settings specific to a single Policy Server instance are stored separately. In multiple Policy Server environments, a single Policy Database holds policy and general configuration data for multiple Policy Servers.

Policy Broker
  Manages requests from Websense components for policy and general configuration information stored in the Policy Database.

Policy Server
  Identifies and tracks the location and status of other Websense components. Logs event messages for Websense components. Stores configuration information specific to a single Policy Server instance. Communicates configuration data to Filtering Service for use in filtering Internet requests. Policy and most configuration settings are shared between Policy Servers that share a Policy Database. Policy Server is typically installed on the same machine as Filtering Service. Large or distributed environments can include multiple Policy Servers.

Filtering Service
  Works with Network Agent or an integration product to provide Internet filtering. When a user requests a site, Filtering Service receives the request and determines which policy applies. Filtering Service must be running for Internet requests to be filtered and logged. Each Filtering Service instance downloads its own copy of the Websense Master Database. Filtering Service is typically installed on the same machine as Policy Server. Large or distributed environments may include multiple Filtering Service instances.

Network Agent
  Enables protocol management, bandwidth-based filtering, and reporting on bytes transferred.
  - In a stand-alone deployment, enables HTTP and non-HTTP filtering
  - In an integrated deployment, enables filtering for protocols not managed by your integration product and provides enhanced logging information

Master Database
  - Includes millions of Web sites, sorted into more than 90 categories and subcategories
  - Contains more than 100 protocol definitions for use in filtering protocols
  Download the Websense Master Database to activate Internet filtering, and make sure that the database is kept up to date. If the Master Database is more than 2 weeks old, no filtering can occur. A copy of the Master Database is downloaded by each Filtering Service instance.

Websense Manager
  Serves as the configuration and management interface to Websense software. Use Websense Manager to define and customize Internet access policies, add or remove filtering clients, configure Websense software components, and more. In a Windows installation, Websense Manager also provides reporting functionality.

Usage Monitor
  Enables alerting based on Internet usage. Usage Monitor tracks URL category and protocol access, and generates alert messages according to the alerting behavior you have configured. Alerts can be sent via email or on-screen display, or an SNMP alert can be sent to an SNMP Trap Server.

User Service
  Communicates with an LDAP or NTLM-based directory service to apply filtering policies based on users, groups, domains and organizational units. The directory service is not a Websense product or component.

Optional Components

DC Agent [1]
  Offers transparent user identification for users in a Windows-based directory service. Polls domain controllers in the network to transparently identify users. Communicates with User Service to provide up-to-date user logon session information to Websense software for use in filtering.

eDirectory Agent [1, 2]
  Works with Novell eDirectory to transparently identify users. Gathers user logon session information from Novell eDirectory, which authenticates users logging on to the network. Associates each authenticated user with an IP address, and then works with User Service to supply the information to Filtering Service.

Logon Agent [1]
  Provides unsurpassed accuracy in transparent user identification in Linux and Windows networks. Does not rely on a directory service or other intermediary when capturing user logon sessions. Detects user logon sessions as they occur. Logon Agent communicates with the logon application on client machines to ensure that individual user logon sessions are captured and processed directly by Websense software.

Logon Application
  Runs from a logon script on a domain controller to capture logon sessions as users log on to, or log off of, Windows domains in the network. The application, LogonApp.exe, identifies the user and sends the information to the Logon Agent.

RADIUS Agent [1]
  Enables transparent identification of users who use a dial-up, Virtual Private Network (VPN), Digital Subscriber Line (DSL), or other remote connection to access the network.

Remote Filtering Client
  Resides on client machines outside the network firewall. Identifies the machines as clients to be filtered. Communicates with Remote Filtering Server, installed inside the organization's firewall.

Remote Filtering Server
  Allows filtering of clients outside a network firewall. Acts as a proxy that accepts requests from Remote Filtering Client and submits them for filtering. Communicates with Filtering Service to provide Internet access management of remote machines.

[1] Websense, Inc. supports certain combinations of transparent identification agents within the same network, or on the same machine. For more information, see Deploying transparent identification agents, page 31.
[2] Running eDirectory Agent and DC Agent in the same deployment is not currently supported.

Reporting Components

All reporting components rely on the Websense filtering components. Install reporting components after installing the filtering components. The filtering components (including Filtering Service, Policy Server, and User Service) must be running in order for complete log records to be generated.

Installation instructions for Websense reporting components can be found in the Installation Guide. Consult the Websense Manager Help for information about using Websense reporting tools.

Table 2: Reporting Components

Database Components

Log Database (requires a supported database engine)
  Stores Internet request data collected by Log Server for use by Websense reporting tools. The database is created when Log Server is installed. In Windows environments, reporting components require either Microsoft SQL Server or MSDE. (MSDE can be installed from the Websense Web site.) MySQL is required for Websense Explorer for Linux.

Log Server, or Linux Log Server
  Required for Websense reporting. Logs Internet request data, including:
  - The request source
  - The category or protocol associated with the request
  - Whether the request was permitted or blocked
  - Whether keyword blocking, file type blocking, quota allocations, bandwidth levels, or password protection were applied
  Log Server can log to only one Log Database at a time, and only one Log Server can be installed for each Policy Server. Log Server must be installed on a Windows machine to enable investigative and presentation reports, and Today and History page charts, in Websense Manager. Environments with a high volume of Internet activity should place Log Server on a separate machine. Log Server processing can consume considerable system resources.

Reporting applications

Websense Manager
  When Websense Manager and Log Server are installed on Windows machines, Websense Manager includes multiple, graphical reporting options:
  - Charts on the Today and History pages show current and recent Internet activity.
  - Investigative reports provide an interactive way to view information in the Log Database.
  - Presentation reports include a series of templates that you can use to generate graphical reports.

Explorer for Linux
  Generates a variety of easy-to-understand detail and summary reports using data from the Log Database. Explorer for Linux requires:
  - Apache 2.0.50 (Web server; included in the installation package)
  - Firefox 2.x or later (Web browser)

Chapter 2: General Deployment Recommendations

Before deploying Websense software, ensure that your hardware and network configuration meet the recommendations provided in this document. This chapter focuses on:

- Operating system requirements
- VMWare support
- Component limits
- Component suggestions
- Required external resources
- Deploying transparent identification agents
- Maximizing system performance
- Stand-Alone Edition
- Remote Filtering
- Supported integrations

See Websense Components, page 11, for descriptions of the Websense filtering and reporting components. Note that Websense filtering is based on protocols (like HTTP and FTP), not on the operating system of the computer being filtered.

Supplements to this document provide recommendations for deploying Websense filtering and reporting software in networks of different sizes, and also for deploying Websense Content Gateway.

Note: Websense software supports only TCP/IP-based networks. If your network uses both TCP/IP and non-IP based network protocols, only users in the TCP/IP portion of the network are filtered.

Operating system requirements

The tables in this section list supported operating systems and required applications for the Websense components. Table 3 lists each component and its supported operating systems, along with other software required to run the component. Table 4, on page 23, organizes the requirements by operating system. Table 9, on page 44, lists the supported integration versions.

Note: Websense components have been successfully tested on the operating systems listed below. The components may also run on subsequent versions of these operating systems, but testing was not completed before publication.

Table 3: Components and Required Software

DC Agent
  Supported operating systems:
  - Windows Server 2003, R2 (Standard or Enterprise)
  - Windows Server 2003, SP1 (Standard or Enterprise)
  - Windows Server 2003 (Standard or Enterprise)
  Other required software:
  - One of these directory services: Windows Active Directory, Windows NT Directory

eDirectory Agent
  Supported operating systems:
  - Red Hat Enterprise Linux 5: base server
  - Red Hat Enterprise Linux 3 or 4: AS, ES, and WS
  - Windows Server 2003, R2 (Standard or Enterprise)
  - Windows Server 2003, SP1 (Standard or Enterprise)
  - Windows Server 2003 (Standard or Enterprise)
  Other required software:
  - Novell eDirectory 8.51 or later
  - NMAS authentication is supported.
  - Recommend Novell Client v4.83 or v4.9 (v4.81 and later are supported)

Explorer for Linux (Web server)
  Supported operating systems:
  - Red Hat Enterprise Linux 5 base server
  - Red Hat Enterprise Linux 3 or 4: AS, ES, and WS
  Other required software:
  - Firefox 2
  - Apache HTTP Server 2.0.50 (Included with the Websense software installation.)

Filtering Service
  Supported operating systems:
  - Red Hat Enterprise Linux 5: base server
  - Red Hat Enterprise Linux 3 or 4: AS, ES, and WS
  - Windows Server 2003, R2 (Standard or Enterprise)
  - Windows Server 2003, SP1 (Standard or Enterprise)
  - Windows Server 2003 (Standard or Enterprise)
  Other required software:
  - If Network Agent is used for protocol filtering and User Service is installed on a Linux machine, Samba client (v2.2.8a or later) is required on the User Service machine to allow Windows clients to display protocol block messages.

Log Database (Windows)
  Supported operating systems:
  - The Log Database is dependent on the database engine (Microsoft SQL Server or MSDE), and not the operating system version.
  Other required software (one of these must be installed):
  - Microsoft SQL Server 2005 SP2 (Workgroup, Standard, Enterprise, or 64-bit edition) (recommended)
  - Microsoft SQL Server 2000 SP4
  - MSDE 2000 SP4

Log Database (Linux)
  Supported operating systems:
  - When running Explorer for Linux, the Log Database requires MySQL.
  Other required software:
  - MySQL 5.0

Log Server (Windows)
  Supported operating systems:
  - Windows Server 2003, R2 (Standard or Enterprise)
  - Windows Server 2003, SP1 (Standard or Enterprise)
  - Windows Server 2003 (Standard or Enterprise)
  Other required software:
  - Internet Explorer 7
  - One of these databases:
    - Microsoft SQL Server 2005 SP2 (Workgroup, Standard or Enterprise, or 64-bit edition) (recommended)
    - Microsoft SQL Server 2000 SP4
    - MSDE 2000 SP4

Log Server (Linux)
  Supported operating systems:
  - Red Hat Enterprise Linux 5: base server
  - Red Hat Enterprise Linux 3 or 4: AS, ES, and WS
  Other required software:
  - MySQL 5.0

Logon Agent
  Supported operating systems:
  - Red Hat Enterprise Linux 5: base server
  - Red Hat Enterprise Linux 3 or 4: AS, ES, and WS
  - Windows Server 2003, R2 (Standard or Enterprise)
  - Windows Server 2003, SP1 (Standard or Enterprise)
  - Windows Server 2003 (Standard or Enterprise)
  Other required software (can be used with):
  - Windows NT Directory (NTLM)
  - Windows Active Directory (native or mixed mode)
  - Other LDAP-based directory services

Logon Application
  Supported operating systems:
  - Windows XP Professional, SP1 or SP2
  - Windows Vista Ultimate
  - Windows Vista Business
  - Windows Vista Enterprise
  - Windows Server 2003 (Standard or Enterprise)
  - Windows Server 2003, R2 (Standard or Enterprise)
  - Windows Server 2003, SP1 (Standard or Enterprise)
  - Windows 2000, SP3 or later (Professional or Server)
  - Windows NT 4.0 SP6a (Workstation or Server)

Network Agent
  Supported operating systems:
  - Red Hat Enterprise Linux 5: base server
  - Red Hat Enterprise Linux 3 or 4: AS, ES, and WS
  - Windows Server 2003, R2 (Standard or Enterprise) (32 bit only)
  - Windows Server 2003, SP1 (Standard or Enterprise) (32 bit only)
  - Windows Server 2003 (Standard or Enterprise) (32 bit only)
  Other required software:
  - Samba client (v2.2.8a or later) is required on the machine running User Service to enable Windows clients to display protocol block messages, if Network Agent is used for protocol filtering and User Service is installed on a Linux machine.

Policy Broker
  Supported operating systems:
  - Red Hat Enterprise Linux 5: base server
  - Red Hat Enterprise Linux 3 or 4: AS, ES, and WS
  - Windows Server 2003, R2 (Standard or Enterprise)
  - Windows Server 2003, SP1 (Standard or Enterprise)
  - Windows Server 2003 (Standard or Enterprise)

Policy Server
  Supported operating systems:
  - Red Hat Enterprise Linux 5: base server
  - Red Hat Enterprise Linux 3 or 4: AS, ES, and WS
  - Windows Server 2003, R2 (Standard or Enterprise)
  - Windows Server 2003, SP1 (Standard or Enterprise)
  - Windows Server 2003 (Standard or Enterprise)

RADIUS Agent
  Supported operating systems:
  - Red Hat Enterprise Linux 5: base server
  - Red Hat Enterprise Linux 3 or 4: AS, ES, and WS
  - Windows Server 2003, R2 (Standard or Enterprise)
  - Windows Server 2003 SP1 or SP2 (Standard or Enterprise)
  Other required software:
  - Most standard RADIUS servers are supported. The following servers have been tested:
    - Livingston (Lucent) 2.x
    - Cistron RADIUS server
    - Merit AAA
    - Microsoft IAS

Remote Filtering Client
  Supported operating systems:
  - Windows XP Professional with SP1 or SP2
  - Windows Vista Ultimate
  - Windows Vista Business
  - Windows Vista Enterprise
  - Windows Server 2003, R2 (Standard or Enterprise)
  - Windows Server 2003, SP1 (Standard or Enterprise)
  - Windows Server 2003 (Standard or Enterprise)
  - Windows 2000 with SP3 or later (Professional, Server, Advanced Server)

Remote Filtering Server
  Supported operating systems:
  - Red Hat Enterprise Linux 5: base server
  - Red Hat Enterprise Linux 3 or 4: AS, ES, and WS
  - Windows Server 2003, R2 (Standard or Enterprise)
  - Windows Server 2003, SP1 (Standard or Enterprise)

Usage Monitor
  Supported operating systems:
  - Red Hat Enterprise Linux 5: base server
  - Red Hat Enterprise Linux 3 or 4: AS, ES, and WS
  - Windows Server 2003, R2 (Standard or Enterprise)
  - Windows Server 2003, SP1 (Standard or Enterprise)
  - Windows Server 2003 (Standard or Enterprise)

User Service
  Supported operating systems:
  - Red Hat Enterprise Linux 5: base server
  - Red Hat Enterprise Linux 3 or 4: AS, ES, and WS
  - Windows Server 2003, R2 (Standard or Enterprise)
  - Windows Server 2003, SP1 (Standard or Enterprise)
  - Windows Server 2003 (Standard or Enterprise)
  Other required software:
  - Supports:
    - NTLM-based directory services
    - Active Directory
    - Sun Java System Directory Server, 4.2 and 5.2
    - Novell Directory Services/eDirectory, 8.51 and later
  - Samba client (v2.2.8a or later) is required to enable Windows clients to display protocol block messages, if Network Agent is used for protocol filtering and User Service is installed on a Linux machine.

Websense Manager
  Supported operating systems:
  - Red Hat Enterprise Linux 5: base server
  - Red Hat Enterprise Linux 3 or 4: AS, ES, and WS
  - Windows Server 2003, R2 (Standard or Enterprise)
  - Windows Server 2003, SP1 (Standard or Enterprise)
  - Windows Server 2003 (Standard or Enterprise)
  Other required software:
  - Internet Explorer 7 or Firefox 2
  - Common Desktop Environment (CDE)
  - Apache Tomcat 6.0.13 (installed automatically with Websense Manager)

Table 4 lists the operating systems on which the Websense components run.

Table 4: Operating Systems

Microsoft Windows

  Operating systems:
  - Windows Server 2003, R2 Standard or Enterprise Editions
  - Windows Server 2003, SP1 Standard and Enterprise Editions (SP1 is required for Remote Filtering Server)
  - Windows Server 2003 Standard and Enterprise Editions
  Components (all Websense components):
  - Log Database (Microsoft SQL Server or MSDE database engine)
  - DC Agent
  - eDirectory Agent
  - Explorer
  - Filtering Service
  - Log Server
  - Logon Agent
  - Logon Application
  - Network Agent
  - Policy Server
  - RADIUS Agent
  - Remote Filtering Client
  - Remote Filtering Server
  - Reporter
  - Usage Monitor
  - User Service
  - Websense Manager

  Operating systems:
  - Windows Vista Ultimate (32-bit only)
  - Windows Vista Business (32-bit only)
  - Windows Vista Enterprise (32-bit only)
  Components:
  - Logon Application
  - Remote Filtering Client

  Operating system: Windows XP Professional
  Components: Logon Application

  Operating system: Windows 2000 Professional, SP3 or later
  Components: Logon Application

  Operating system: Windows NT Server or Workstation, 4.0 SP6a
  Components: Logon Application

Linux

  Operating systems:
  - Red Hat Enterprise Linux 5: base server
  - Red Hat Enterprise Linux 3 or 4 AS (Advanced Server)
  - Red Hat Enterprise Linux 3 or 4 ES (Enterprise Server)
  - Red Hat Enterprise Linux 3 or 4 WS (Workstation)
  Components:
  - Log Database (MySQL database engine)
  - eDirectory Agent
  - Explorer for Linux
  - Filtering Service
  - Logon Agent
  - Network Agent
  - Policy Server
  - RADIUS Agent
  - Remote Filtering Server
  - Unix Log Server
  - Usage Monitor
  - User Service
  - Websense Manager

VMWare support

Websense Web Security and Websense Web Filter are supported on VMWare ESX Server. Installation, filtering, and reporting (but not logging) have been tested in a Windows 2003 Server environment, running on ESX Server versions 2.5.x and 3.x.

This section discusses:

- Network considerations
- System recommendations, page 25
- Deployment configurations, page 25

Network considerations

Websense Network Agent requires that the network card (NIC) it uses for monitoring be set to promiscuous mode to see network traffic. The VMWare virtual NIC must be configured for use by Network Agent.

To use bridged networking, each virtual machine must have its own IP address. In addition, VMWare requires that if a virtual machine is configured to include multiple operating systems, each OS must have a unique network address, even if only one OS runs at a time.

Consult your VMWare documentation for more configuration information.

System recommendations

The Deployment Guide supplements provide hard disk space and RAM recommendations for Websense components in specific environments. The VMWare documentation provides recommendations for running VMWare.

General recommendations for running Websense software on VMWare include:

- RAID for fault tolerance
- Quad-Core Intel Xeon processor, 3.0 GHz or greater
- 8 GB of RAM
- 3 - 1GB NICs are required; 4 - 1GB NICs are recommended:
  - One NIC dedicated to the VMWare management console.
  - One NIC allocated for a virtual switch used to monitor traffic (stealth mode, without an IP address).
  - One NIC allocated for a virtual switch used for communication between Websense components.
  - One NIC used by the VMWare host system for other communication.

These recommendations can vary with a higher volume of Internet requests. No specific operating system is specified on which to run VMWare, although testing with Websense software was done on Windows Server 2003, SP2.

Deployment configurations

In VMWare environments, Websense components can be installed on separate virtual machines. The following tables provide possible deployments for Websense software in a distributed environment. The recommendations in these tables are for small networks, with up to approximately 2000 users. Hardware needs and component location may vary depending on the volume of Internet requests. For larger networks, more system resources or more distribution of Websense components may be needed. For specific component deployment recommendations, see the Deployment Guide supplements.

IMPORTANT: Microsoft does not support running SQL Server or MSDE on VMWare. To install Websense reporting components on a Windows operating system, the database engine must be installed and running on a separate machine. To install Websense reporting components on a Linux operating system, refer to the Websense Explorer for Linux Administrator's Guide for system requirements.

Table 5: Distributed Layout

Virtual machine #1
  Allocated hardware:
  - 2 GB RAM
  - 20 GB free disk space
  - 2 NICs
  Websense components:
  - Policy Broker
  - Policy Server
  - Filtering Service – Master Database
  - Network Agent
  - User Service
  - Transparent identification agent

Virtual machine #2
  Allocated hardware:
  - 2 GB RAM
  - 20 GB free disk space
  Websense components:
  - Remote Filtering Server

Virtual machine #3
  Allocated hardware:
  - 4 GB RAM
  - 100 GB free disk space
  Websense components:
  - Websense Manager

Component limits

When deploying Websense software, these component limits must be considered:

- 1 Policy Broker per deployment
- 1 User Service per Policy Server
- 1 Usage Monitor per Policy Server
- 1 Master Database for each Filtering Service
- 1 primary Remote Filtering Server per Filtering Service
- Each Filtering Service can communicate with only 1 Log Server

Component suggestions

This section includes suggested component deployment ratios.
TheoptimumdeploymentmayvarybasedonnetworkconfigurationandInternettrafficvolume.
Largersystems(morethan1000users)mayrequireamoredistributeddeploymentforloadbalancingandsupportofmultiplelanguages.
MultipleNetworkAgentinstancesmayberequired,forexample,todetectoutboundtrafficonindividualnetworksegments.
ItmaybeappropriatetoinstallmultipleFilteringServiceinstancesforloadbalancing.
SomeloadbalancingconfigurationsallowthesameusertobefilteredbydifferentFilteringServiceinstallations,dependingonthecurrentload.
Thissectionincludes:NetworkAgentsuggestions,page28NumberofFilteringServicesallowedperPolicyServer,page28Forlimitsontransparentidentificationagents,seeDeployingtransparentidentificationagents,page31.
FormoreinformationabouttheinteractionofWebsensecomponents,seetheInstallationGuideSupplementfortheintegrationusedwithyourWebsensesoftware,andtheWebsenseManagerHelp.

Network considerations
To ensure effective filtering, Websense software must be installed so that:
- Filtering Service can receive HTTP requests from an integrated firewall, proxy server, or caching application, or Network Agent.
  In a multi-segmented network, Filtering Service must be installed in a location where it can both receive and manage Internet requests from the integration product and communicate with Network Agent.
- Network Agent:
  - Must be deployed where it can see all internal Internet traffic for the machines that it is assigned to monitor.
  - Can be installed on a dedicated machine to increase overall throughput.
  - Must have bidirectional visibility into Internet traffic to filter non-HTTP requests (such as instant messaging, chat, streaming media, and other Internet applications and protocols).
  - Multiple instances of Network Agent may be required in larger or distributed networks. Each Network Agent monitors a specific IP address range or network segment.
    Using multiple Network Agents ensures that all network traffic is monitored, and prevents server overload. The required number of Network Agents depends on network size and Internet request volume.
    For more information, see Chapter 3: Deploying Network Agent.
- As a network grows and the number of Internet requests increases, components can be deployed to additional, non-dedicated machines to improve processing performance on the dedicated machines.
  - You can deploy multiple Filtering Service instances, connected to one Policy Server. This is useful for remote or isolated sub-networks. For more information, see Number of Filtering Services allowed per Policy Server.
  - Since a maximum of 5000 connections per Policy Server is recommended, multiple Policy Servers may be needed.
IMPORTANT: To ensure the integrity of the firewall, do not install Websense components on the firewall machine.

Network Agent suggestions
Up to four Network Agents per Filtering Service
One Filtering Service may be able to handle more than four Network Agents.
Network Agent can typically monitor 50 Mbits of traffic per second, or about 800 requests per second.
The number of users that Network Agent can monitor depends on the volume of Internet requests from each user, the configuration of the network, and the location of Network Agent in relation to the computers it is assigned to monitor.
Network Agent functions best when it is close to those computers.
If a component's capacity is exceeded, filtering and logging inconsistencies may occur.
Contact your Websense software provider for technical assistance with specific Network Agent sizing guidelines.
Note: Network Agent can be deployed with the filtering components or on a separate machine. Network Agent should not be deployed on the same machine as response-critical components. For more information, see Chapter 3: Deploying Network Agent.

Number of Filtering Services allowed per Policy Server
Up to 10 Filtering Services per Policy Server is recommended.
A Policy Server may be able to handle more, depending on the load.
Multiple Filtering Service instances are useful to manage remote or isolated sub-networks.
The appropriate number of Filtering Service instances for a Policy Server depends on:
- The number of users per Filtering Service
- The configuration of the Policy Server and Filtering Service machines
- The volume of Internet requests
- The quality of the network connection between the components
If a ping command sent from one machine to another receives a response in fewer than 30 milliseconds (ms), the connection is considered high quality.
See Testing the connection, page 29, for more information.
A Policy Server may be able to handle more than 10 Filtering Service instances.
If the number of Filtering Service instances exceeds the Policy Server's capacity, however, responses to Internet requests may be slow.
If the connection between Filtering Service and Policy Server breaks, all Internet requests are either blocked or permitted, depending on which option you have chosen in Websense Manager.
For more information, see the Getting Started topic in the Websense Manager Help.
Filtering Service machines running behind firewalls or remotely (at a great physical distance communicating through a series of routers) may need their own Policy Server instance.
In a multiple Policy Server environment, a single Websense Policy Database holds the policy settings for all Policy Server instances.
See the Websense Manager Help for more information.

Testing the connection
Run a ping test to check the response time and connection between the Policy Server and Filtering Service machines.
A response time of fewer than 30 milliseconds is recommended.
1. Open a command prompt (Windows) or terminal session (Linux) on the Policy Server machine.
2. Enter the following command: ping
   Here, identifies the Filtering Service machine.

Interpreting your results
When you run the ping command on a Windows machine, the results resemble the following:
    C:\>ping 11.22.33.254
    Pinging 11.22.33.254 with 32 bytes of data:
    Reply from 11.22.33.254: bytes=32 time=14ms TTL=63
    Reply from 11.22.33.254: bytes=32 time=15ms TTL=63
    Reply from 11.22.33.254: bytes=32 time=14ms TTL=63
    Reply from 11.22.33.254: bytes=32 time=15ms TTL=63
    Ping statistics for 11.22.33.254:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 14ms, Maximum = 15ms, Average = 14ms
In a Linux environment, the results look like this:
    [root@localhost root]# ping 11.22.33.254
    PING 11.22.33.254 (11.22.33.254) 56(84) bytes of data.
    64 bytes from 11.22.33.254: icmp_seq=2 ttl=127 time=0.417 ms
    64 bytes from 11.22.33.254: icmp_seq=3 ttl=127 time=0.465 ms
    64 bytes from 11.22.33.254: icmp_seq=4 ttl=127 time=0.447 ms
    64 bytes from 11.22.33.254: icmp_seq=1 ttl=127 time=0.854 ms
Ensure that Maximum round trip time or the value of time=x.xxx ms is fewer than 30 ms.
If the time is greater than 30 ms, move one of the components to a different network location and run the ping test again.
If the result is still greater than 30 ms, locate and eliminate the source of the slow response.
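
The round-trip check above can be automated when many Policy Server to Filtering Service links have to be verified. The following Python is an added example, not part of the Websense guide: it parses ping replies in either of the two formats shown and applies the 30 ms ceiling. The sample outputs are constructed, and treating a lost reply as a failure is an assumption of this example.

```python
import re

THRESHOLD_MS = 30.0  # ceiling the guide recommends for this link

# Constructed sample outputs in the two formats shown in this section.
WINDOWS_OUTPUT = """\
Pinging 11.22.33.254 with 32 bytes of data:
Reply from 11.22.33.254: bytes=32 time=14ms TTL=63
Reply from 11.22.33.254: bytes=32 time=15ms TTL=63
Reply from 11.22.33.254: bytes=32 time=14ms TTL=63
Reply from 11.22.33.254: bytes=32 time=15ms TTL=63
"""

LINUX_OUTPUT = """\
PING 11.22.33.254 (11.22.33.254) 56(84) bytes of data.
64 bytes from 11.22.33.254: icmp_seq=1 ttl=127 time=0.854 ms
64 bytes from 11.22.33.254: icmp_seq=2 ttl=127 time=0.417 ms
64 bytes from 11.22.33.254: icmp_seq=3 ttl=127 time=0.465 ms
64 bytes from 11.22.33.254: icmp_seq=4 ttl=127 time=0.447 ms
"""

# Constructed failure case: one slow reply, one sub-millisecond reply, one loss.
DEGRADED_OUTPUT = """\
Pinging 11.22.33.254 with 32 bytes of data:
Reply from 11.22.33.254: bytes=32 time=42ms TTL=63
Reply from 11.22.33.254: bytes=32 time<1ms TTL=63
Request timed out.
Reply from 11.22.33.254: bytes=32 time=18ms TTL=63
"""

# A reply line starts with "Reply from" (Windows) or "<n> bytes from" (Linux)
# and carries time=14ms, time=0.417 ms or time<1ms.
REPLY = re.compile(
    r"^(?:Reply from|\d+ bytes from)\b.*?\btime([=<])\s*(\d+(?:\.\d+)?)\s*ms",
    re.IGNORECASE,
)
LOST = re.compile(r"request timed out|unreachable", re.IGNORECASE)


def parse_ping(output):
    """Return (round-trip times in ms, number of lost replies)."""
    rtts, lost = [], 0
    for line in output.splitlines():
        line = line.strip()
        reply = REPLY.match(line)
        if reply:
            # Windows prints "time<1ms" for sub-millisecond replies;
            # the value is recorded as its upper bound, 1 ms.
            rtts.append(float(reply.group(2)))
        elif LOST.search(line):
            lost += 1
    return rtts, lost


def assess_link(output, threshold_ms=THRESHOLD_MS):
    """Apply the guide's rule: the worst reply must be under the threshold.

    Assumption of this example: any lost reply also fails the link.
    """
    rtts, lost = parse_ping(output)
    worst = max(rtts) if rtts else None
    ok = bool(rtts) and lost == 0 and worst < threshold_ms
    return {"replies": len(rtts), "lost": lost, "max_ms": worst, "ok": ok}


if __name__ == "__main__":
    for name, text in (("windows", WINDOWS_OUTPUT),
                       ("linux", LINUX_OUTPUT),
                       ("degraded", DEGRADED_OUTPUT)):
        print(name, assess_link(text))
```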

Required external resources
Websense software relies on certain external resources to function properly in your network.
- TCP/IP: Websense software provides filtering in TCP/IP-based networks only. If your network uses both TCP/IP and non-TCP protocols, only those users in the TCP/IP portion of your network are filtered.
- DNS server: A DNS server is used to resolve requested URLs to an IP address. Websense software or your integration product requires efficient DNS performance. DNS servers should be fast enough to support Websense filtering without becoming overloaded.
- Directory services: If Websense software is configured to apply user- and group-based policies, User Service queries the directory service for user information. Although these user and group relationships are cached by Websense software, directory service machines must have the resources to rebuild the cache rapidly when Websense software requests user information. See Supported directory services.
- Network efficiency: The ability to connect to resources such as the DNS server and directory services is critical to Websense software. Network latency must be minimized if Filtering Service is to perform efficiently. Excessive delays under high load circumstances can impact the performance of Filtering Service and may cause lapses in filtering. See the Deploying in a Distributed Enterprise supplement to this guide for tips on improving network communication.

Supported directory services
If your environment includes a directory service, you can configure Websense software to filter Internet requests based on policies assigned to users, groups, and domains (organizational units).
Websense software can work with the following directory services:
- Windows NT Directory and Windows Active Directory (Mixed Mode)
- Windows Active Directory (Native Mode)
- Sun Java System Directory Server
- Novell Directory Services/Novell eDirectory
For information on configuring Websense software to communicate with a supported directory service, see the Websense Manager Help.
Websense software does not need to run on the same operating system as the directory service.

Deploying transparent identification agents
If you are using Websense software in stand-alone mode, or if your integration product does not send user information to Websense software, use Websense transparent identification agents to identify users without prompting them for a user name and password.
There are 4 optional transparent identification agents:
- DC Agent
- eDirectory Agent
- Logon Agent
- RADIUS Agent
If you have deployed Websense software in a single network location, a single transparent identification agent instance is recommended.
In deployments that cover multiple locations, you can install an agent instance in multiple domains.
For example:
- One DC Agent instance can handle multiple trusted domains. Add additional instances based on:
  - The load placed on DC Agent
  - Whether a DC Agent instance can see all the domains on the network, including remote offices
  Load results from the number of user logon requests. If the network is large (10,000+ users, 30+ domains), having multiple DC Agent instances allows for faster identification of users.
  If multiple Filtering Services are installed, each Filtering Service instance must be able to communicate with all DC Agent instances.
  Note: DC Agent must have domain administrator privileges to retrieve user logon information from the domain controller.
- One eDirectory Agent is required for each eDirectory Server.
- One Logon Agent is required for each Filtering Service instance.
- One RADIUS Agent instance is required for each RADIUS server. Websense, Inc. recommends installing and running RADIUS Agent and the RADIUS server on separate machines. (The agent and server cannot have the same IP address, and must use different ports.)
In some environments, a combination of transparent identification agents may be appropriate within the same network, or on the same machine.
See Combining transparent identification agents.
Refer to the Installation Guide for transparent identification agent installation instructions.
See the Websense Manager Help for detailed configuration information.
More information is also available in the Transparent Identification of Users technical white paper.

Combining transparent identification agents
Websense software can work with multiple transparent identification agents.
If your environment requires multiple agents, it is best to install them on separate machines.
- eDirectory or RADIUS Agent can be installed on the same machine as Filtering Service, or on a separate server on the same network.
- Running eDirectory Agent and DC Agent in the same deployment is not supported.
Table 6 lists supported combinations.

Table 6 Deploying Multiple Transparent ID Agents
Combination | Same machine | Same network | Configuration required
Multiple DC Agents | No | Yes | Ensure that all instances of DC Agent can communicate with Filtering Service, and that the individual DC Agents are not monitoring the same domain controllers.
Multiple RADIUS Agents | No | Yes | Configure each agent to communicate with Filtering Service. Multiple instances of the RADIUS Agent cannot be installed on the same machine.
Multiple eDirectory Agents | No | Yes | Configure each instance to communicate with Filtering Service.
Multiple Logon Agents | No | Yes | Configure each instance to communicate with Filtering Service.
DC Agent + RADIUS Agent | Yes | Yes | Install these agents in separate directories. Use a different port for communication between DC Agent and Filtering Service than you use for communication between RADIUS Agent and Filtering Service. See the Websense Knowledge Base for more details.
DC Agent + eDirectory Agent | No | No | Websense does not support communication with both Windows and Novell Directory Services in the same deployment. However, both agents can be installed, with only one active agent.
DC Agent + Logon Agent | Yes | Yes | Configure both agents to communicate with Filtering Service. By default, each agent uses a unique port, so port conflicts are not an issue unless these ports are changed.
RADIUS Agent + Logon Agent | Yes | Yes | Configure all agents to communicate with Filtering Service.
eDirectory Agent + Logon Agent | No | No | Websense does not support communication with both Novell Directory Services and a Windows or LDAP-based directory service in the same deployment. However, both agents can be installed, with only one active agent.
RADIUS Agent + eDirectory Agent | Yes | Yes | Configure all agents to communicate with Filtering Service. When adding agents to Websense Manager, use an IP address to identify one, and a machine name to identify the other. See the Transparent Identification of Users white paper for details.
DC Agent + Logon Agent + RADIUS Agent | Yes | Yes | This combination is rarely required. Install each agent in a separate directory. Configure all agents to communicate with Filtering Service. Use separate ports for this communication.

Maximizing system performance
Adjust Websense components to improve filtering and logging response time, system throughput, and CPU performance.
Websense software can be optimized for:
- Network Agent
- Logging of bytes transferred
- Database engine (Microsoft SQL Server 2005/2000, MSDE 2000, MySQL 5.0). SQL Server 2005 is recommended.
For enterprise networks, see the Deploying in a Distributed Enterprise supplement to this guide for more information.

Network Agent
Network Agent can be installed on the same machine as other Websense components, or on a separate machine.
When a small or medium network, for example, exceeds 1000 users, or when Network Agent misses Internet requests, place Network Agent on a different machine than Filtering Service and Policy Server.
If Websense software is running in a high load environment, or with a high capacity (T3) Internet connection, you can increase throughput and implement load sharing by installing multiple Network Agent instances.
Install each agent on a different machine, and configure each agent to monitor a different portion of the network.
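
When several Network Agents each monitor a different portion of the network, the guide requires that together they cover the whole network and that no two of them monitor overlapping IP address ranges. The following Python is an added example, not part of the Websense guide or product: it checks a planned assignment for both conditions before the ranges are entered in Websense Manager. The agent names, the ranges, and the accepted notations (CIDR and start-end) are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed plan: the address space that must be monitored, and the
# ranges assigned to each (hypothetical) Network Agent instance.
MONITORED = ["10.22.0.0/22"]
AGENTS = {
    "na-floor1": ["10.22.0.0/24"],
    "na-floor2": ["10.22.1.0-10.22.2.127"],
    "na-floor3": ["10.22.2.0/24"],
}


def parse_range(text):
    """Accept 'a.b.c.d/nn' or 'a.b.c.d-e.f.g.h'; return inclusive (first, last) ints."""
    text = text.strip()
    if "-" in text:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"range is reversed: {text}")
        return lo, hi
    net = ipaddress.IPv4Network(text, strict=True)  # rejects host bits set
    return int(net.network_address), int(net.broadcast_address)


def fmt(lo, hi):
    return f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}"


def find_overlaps(agents):
    """Return (agent_a, agent_b, shared_range) for every pair that overlaps."""
    spans = [(name, *parse_range(r)) for name, ranges in agents.items() for r in ranges]
    hits = []
    for (a, alo, ahi), (b, blo, bhi) in combinations(spans, 2):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if a != b and lo <= hi:
            hits.append((a, b, fmt(lo, hi)))
    return hits


def find_gaps(monitored, agents):
    """Return the parts of the monitored space that no agent covers."""
    covered = sorted(parse_range(r) for ranges in agents.values() for r in ranges)
    gaps = []
    for wanted in monitored:
        cursor, end = parse_range(wanted)
        for lo, hi in covered:
            if hi < cursor:
                continue          # entirely before the point reached so far
            if lo > end:
                break             # entirely after the space we care about
            if lo > cursor:
                gaps.append(fmt(cursor, lo - 1))
            cursor = max(cursor, hi + 1)
            if cursor > end:
                break
        if cursor <= end:
            gaps.append(fmt(cursor, end))
    return gaps


if __name__ == "__main__":
    for a, b, shared in find_overlaps(AGENTS):
        print(f"overlap: {a} and {b} both monitor {shared}")
    for gap in find_gaps(MONITORED, AGENTS):
        print(f"gap: no agent monitors {gap}")
```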
Important:
- Network Agent must have bidirectional visibility into the network or network segment that it monitors.
- If multiple Network Agents are installed, each agent must monitor a different network segment (IP address range).
- If a Network Agent machine connects to a switch, the monitor NIC must plug into a port that mirrors, monitors, or spans the traffic of all other ports. Multiple segment network, page 51, and Network Agent location, page 49, discuss locating Network Agent in more detail.

HTTP reporting
You can use Network Agent or an integration product to track HTTP requests and pass the information to Websense software, which uses the data to filter and log requests.
Network Agent and some integration products also track bandwidth activity (bytes sent and received), and the duration of each permitted Internet request.
This data is also passed to Websense software for logging.
When both Network Agent and the integration partner provide logging data, the amount of processor time required by Filtering Service doubles.
If you are using both Network Agent and an integration product, you can avoid extra processing by configuring Websense software to use Network Agent to log HTTP requests (enhanced logging).
When this feature is enabled:
- Websense software does not log HTTP request data sent by the integration product.
- Only the log data provided by Network Agent is recorded.
As a best practice, Network Agent and Filtering Service should not run on the same machine.
Consult the Websense Manager Help for configuration instructions.

Database Engine
In Microsoft Windows environments, the Websense Log Database can be created using any of the following database engines:
- Microsoft SQL Server 2005 (recommended)
- Microsoft SQL Server 2000
- Microsoft Database Engine (MSDE) 2000
Websense Explorer for Linux and the Linux version of Log Server use MySQL 5.0.
Log Server logs Internet activity information to only one Log Database at a time.

Microsoft SQL Server
Microsoft SQL Server works best for larger networks, or networks with a high volume of Internet activity, because of its capacity for storing large amounts of data over longer periods of time (several weeks or months).
Microsoft SQL Server 2005 is recommended.
Under high load, Microsoft SQL Server operations are resource intensive, and can be a performance bottleneck for Websense software reporting.
You can tune the database to improve performance, and maximize the hardware on which the database runs:
- Improve CPU performance to alleviate resource conflicts between Log Server and Microsoft SQL Server:
  - Increase the CPU speed, the number of CPUs, or both.
  - Consider providing a dedicated machine for Log Server.
- Provide adequate disk space to accommodate the growth of the Log Database. Microsoft SQL Client Tools can be used to check database size.
- Use a disk array controller with multiple drives to increase I/O bandwidth.
- Increase the RAM on the Microsoft SQL Server machine to reduce time-consuming disk I/O operations.

MSDE
Microsoft Database Engine (MSDE) is a free database engine best suited to smaller networks, organizations with a low volume of Internet activity, or organizations that plan to generate reports on only short periods of time (for example, daily or weekly archived reports, rather than historical reports over longer time periods).
MSDE cannot be optimized.
With MSDE, the maximum size of the Log Database is about 1.5 GB.
When the existing database reaches this limit, it is saved (rolled over), and a new Log Database is created.
Use the ODBC Data Source Administrator (accessed via the Windows Control Panel) to see information about databases that have been saved.
If the database is rolling over frequently, consider upgrading to Microsoft SQL Server 2005, SP2.
When using MSDE, make sure that the latest service packs have been applied.
Microsoft SQL Server service packs can be applied to MSDE 2000.
The service pack updates only those files relevant to MSDE.

MySQL
Websense Explorer for Linux requires MySQL 5.0.
Although MySQL is available for free, a licensed version must be purchased for commercial use.
For more information on MySQL, visit the MySQL Web site: www.mysql.com.
Note: Consult the Microsoft Web site for detailed information about optimizing Microsoft SQL Server performance.
Note: Consult the Installation Guide for detailed information about selecting the appropriate database engine for the deployment.

Log Database disk space recommendations
Log Database requirements vary, based on the size of the network and the volume of Internet activity.
This guide uses the following baseline information to provide general recommendations:
- An average user requests 100 URLs (visits) per day.
- The Log Database creates a record for each visit.
- Each record is approximately 500 bytes.
- Each URL requires roughly 5 to 10 HTTP GETs (hits).
If the Log Database is configured to write a record for each hit, the size of the database may increase by a factor of five.
During installation, you are provided options for minimizing the size of the Log Database.
After installation, additional configuration options, including selective category logging, are available to help manage the size of the Log Database.
Consult the Websense Manager Help for details.

Logging visits (default settings)
If the Log Database is configured to record visits (the default), you can calculate the disk space required for the database as follows:
    (# of URLs) x (# of bytes) x (# of users)
If an average user generates 50 KB per day (100 visits x 500 bytes), and is logged on for 20 work days per month, that user consumes 1 MB in the Log Database each month (20 days x 50 KB/day).
Extrapolating to 500 users, the database would use 500 MB per month to record visits.

Logging hits
If the Log Database is configured to record each hit, you can calculate the disk space required for the database as follows:
    [(avg. # of URLs) x (avg. # of hits) x (# of bytes)] x (# of users)
If an average user generates 250 KB per day (100 URLs x 5 gets per URL x 500 bytes), and is logged on for 20 work days per month, that user consumes 5 MB in the Log Database each month (20 days x 250 KB/day).
Extrapolating to 500 users, the database would use 2.5 GB per month.
In this example, the Log Database would require 30 GB of disk space for one year's worth of data (500 users at 500 hits per day).
Due to the large amount of disk space required, and due to the performance impact on reporting, Websense, Inc., does not recommend keeping live data from large networks for a year.
When you break the database into smaller pieces, you can generate reports much more quickly.

Logging full URLs
If the Log Database is configured to log the full URLs, each URL recorded can be up to 1000 characters, or 2000 bytes (2 KB) in length.
When full URL logging is turned off, a log entry requires only 500 bytes per URL.
If the Log Database is growing too quickly, you can turn off full logging to decrease the size of each entry and slow growth by a factor of 4.
Configure URL logging options in Websense Manager.
Consult the Websense Manager Help for details.

Consolidation
Consolidation helps to reduce the size of the database by recording a single entry for multiple visits to the same URL by the same user.
Instead of recording each hit or visit by a user, the information is stored in a temporary file.
At a specified interval, the file is processed and the duplicate records are not written to the database.
For example, the user visits www.cnn.com and receives multiple pop-ups during the session.
The visit is logged as a record.
- If consolidation is turned off (the default), and the user returns to the site later, a second visit is logged.
- If consolidation is turned on, additional visits to the site within a specified period are logged as a single record.

Protocol logging
In addition to logging HTTP and HTTPS traffic, if your deployment includes Network Agent, you have the option to log non-HTTP protocol traffic (for example, instant messaging or streaming media traffic).
The more protocols you choose to log, the greater the impact on the size of the Log Database.
See the Websense Manager Help for information about filtering and logging non-HTTP protocols.

Log Database strategy
Using the hits and visits calculations provided under Logging hits, page 37, even without logging full URLs, storing data for 1 year could require:
- 600 GB for hits
- 120 GB for visits
Generating reports against such large amounts of data can significantly slow report processing.
Use database partitions to limit the scope of the data used to generate reports.
A database rollover is triggered by a time or size limit.
Newdata is collected in a new partition.
Older data is preserved in other partitions.
You configure which partition you want to use to generate reports.
Adjust the partition or rollover limits to maximize reporting performance and ease the management of the data.
Consult the Websense Manager Help for details.
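
The sizing formulas under Log Database disk space recommendations and the rollover behaviour described for MSDE and under Log Database strategy combine into a single planning calculation. The following Python is an added example, not part of the Websense guide: it applies the guide's baselines (100 URLs per user per day, 500-byte records, 5 hits per URL, 20 work days per month, decimal units as in the guide's own arithmetic) and estimates how soon a size-triggered rollover occurs. The function names are this example's own.

```python
# Baselines taken from the guide's text.
URLS_PER_USER_PER_DAY = 100
RECORD_BYTES = 500               # per record with full URL logging off
FULL_URL_RECORD_BYTES = 2000     # up to 1000 characters (2 KB) per record
HITS_PER_URL = 5                 # low end of the guide's 5-10 range, as its worked example uses
WORKDAYS_PER_MONTH = 20
MSDE_LIMIT_BYTES = 1_500_000_000  # "about 1.5 GB" before MSDE rolls the database over


def monthly_bytes(users, mode="visits", full_urls=False, hits_per_url=HITS_PER_URL):
    """Log Database growth per month, in bytes.

    mode="visits" writes one record per URL (the default setting);
    mode="hits" writes one record per HTTP GET.
    """
    if users <= 0:
        raise ValueError("users must be positive")
    if mode not in ("visits", "hits"):
        raise ValueError("mode must be 'visits' or 'hits'")
    record = FULL_URL_RECORD_BYTES if full_urls else RECORD_BYTES
    records_per_url = hits_per_url if mode == "hits" else 1
    per_day = users * URLS_PER_USER_PER_DAY * records_per_url * record
    return per_day * WORKDAYS_PER_MONTH


def yearly_bytes(users, **options):
    return 12 * monthly_bytes(users, **options)


def workdays_until_rollover(users, limit_bytes=MSDE_LIMIT_BYTES, **options):
    """Work days of logging before a size-triggered rollover at limit_bytes."""
    per_workday = monthly_bytes(users, **options) // WORKDAYS_PER_MONTH
    return limit_bytes / per_workday


if __name__ == "__main__":
    gb = 1_000_000_000
    for mode in ("visits", "hits"):
        print(f"500 users, {mode}: "
              f"{monthly_bytes(500, mode=mode) / gb:.1f} GB/month, "
              f"{yearly_bytes(500, mode=mode) / gb:.0f} GB/year, "
              f"MSDE rollover after {workdays_until_rollover(500, mode=mode):.0f} work days")
    # Inference of this example, not stated in the guide: the 120 GB / 600 GB
    # yearly figures under Log Database strategy match these formulas at 10,000 users.
    print(yearly_bytes(10_000) / gb, yearly_bytes(10_000, mode="hits") / gb)
```

With these baselines, 500 users logging hits fill an MSDE database in 12 work days, which is the "rolling over frequently" condition the guide gives as a reason to move to Microsoft SQL Server.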

Stand-Alone Edition
The Stand-Alone Edition of Websense Web Security or Websense Web Filter uses Network Agent (rather than an integration product or device) to provide HTTP, HTTPS, FTP, and other protocol filtering.
Network Agent:
- Detects all Internet requests (HTTP and non-HTTP)
- Communicates with Filtering Service to see if each request should be blocked
- Calculates the number of bytes transferred
- Sends a request to Filtering Service to log request information
For more information, see the Installation Guide or the Websense Manager Help.
The Stand-Alone Edition runs on the operating systems listed earlier in this chapter (see Table 3, on page 18, and Table 4, on page 23).
Reporting runs under Websense Manager in the Stand-Alone Edition on Windows.
Websense Explorer for Linux must be installed for reporting in a Linux installation.
As in any deployment, reporting components, including Log Server, should run on a separate machine from the filtering components.
The Stand-Alone Edition can be deployed in small, medium, and large networks.
Components may need to be distributed over multiple machines for load balancing and improved performance in larger networks.
For example, you could deploy multiple Network Agents (on Windows or Linux) to accommodate a high Internet traffic load.
Table 7, on page 40, provides system recommendations for deploying the Stand-Alone Edition, based on network size.
System needs vary, depending on the volume of Internet traffic.
The following baseline is used to create the recommendations:
- 1 - 500 users = 1 - 100 requests per second
- 500 - 2,500 users = 100 - 500 requests/sec
- 2,500 - 10,000 users = 500 - 2,250 requests/sec
If your network traffic exceeds these estimates, more powerful systems or greater distribution of components may be required.
Note: If you are using Logon Agent in a Linux deployment, the Logon Application must be installed on Windows.
Important:
- To ensure the integrity of a firewall, do not install Websense components on a firewall machine.
- Each Network Agent machine must be positioned to see all Internet requests for the machines that it is assigned to monitor.
- eDirectory or RADIUS Agent can be installed on the same machine as Filtering Service, or on a separate machine in the same network, but not on the same machine as Log Server.

Table 7 Stand-Alone System Recommendations
Network Size | Filtering Components | Reporting (Windows) | -or- Reporting (Linux)
1 - 500 users | Windows or Linux; Quad-Core Intel Xeon processor, 2.5 GHz or greater; 2 GB RAM; 10 GB free disk space (Free space must equal at least 20% of total disk space.) | Windows; Quad-Core Intel Xeon processor, 2.5 GHz or greater; 4 GB RAM; 100 GB free disk space; Microsoft SQL Server 2005 SP2, Microsoft SQL Server 2000 SP4, or MSDE 2000 | Linux; Quad-Core Intel Xeon processor, 2.5 GHz or greater; 2 GB RAM; 80 GB free disk space; MySQL 5.0
500 - 2,500 users | Windows or Linux; Quad-Core Intel Xeon processor, 2.5 GHz or greater; 2 GB RAM; 10 GB free disk space (Free space must equal at least 20% of total disk space.) | Windows; Quad-Core Intel Xeon processor, 2.5 GHz or greater; 4 GB RAM; 100 GB free disk space; Microsoft SQL Server 2000 SP4, Microsoft SQL Server 2005 SP2, or MSDE 2000 | Linux; Quad-Core Intel Xeon processor, 2.5 GHz or greater; 2 GB RAM; 100 GB free disk space; MySQL 5.0
2,500 - 10,000 users | Windows or Linux; Load balancing required; Quad Xeon, 3.0 GHz, or greater; 2 GB RAM; 10 GB free disk space (Free space must equal at least 20% of total disk space.); See the Important note below. | Windows; Quad-Core Intel Xeon processor, 2.5 GHz or greater; 4 GB RAM; 200 GB free disk space with a disk array (The Log Database requires a disk array to increase I/O reliability and performance.); High-speed disk access; Microsoft SQL Server 2005 SP2, or Microsoft SQL Server 2000 SP4 | Linux; Quad Xeon, 2.5 GHz or greater; 2 GB RAM; 200 GB free disk space, with a disk array, RAID level 10; High speed disk access; MySQL 5.0

To run both filtering and reporting on the same machine in the two smaller network sizes, increase the RAM to 6 GB, and consider using a faster processor and hard drive to compensate for the increased load.
Important: Two Network Agent instances running on separate machines are required for 2500-10000 user networks.
The machines should have:
- Quad-Core Intel Xeon processor, 2.5 GHz or greater
- At least 1 GB of RAM
Multiple Filtering Service machines may also be needed.
Machine requirements depend on the number of users being monitored and filtered.

Remote Filtering
The Remote Filtering feature allows Websense software to monitor computers outside the corporate network.
A Remote Filtering Client must be installed on each remote machine.
The remote clients communicate with a Remote Filtering Server, which acts as a proxy to Filtering Service.
This communication is authenticated and encrypted.
When installing Remote Filtering:
- The Remote Filtering Server should be installed on a dedicated machine that can communicate with the Filtering Service machine. See Table 8, on page 42.
- Do not install Remote Filtering Server on the same machine as the Filtering Service or Network Agent.
- Each Filtering Service instance has one Remote Filtering Server.
- As a best practice, the Remote Filtering Server should be installed inside the outermost firewall, in the DMZ outside the firewall protecting the rest of the corporate network. This is highly recommended.
See Table 3, on page 18, for operating system requirements for the Remote Filtering Server.
Remote Filtering Client system recommendations:
- Pentium 4 or greater
- Free disk space: 25 MB for installation; 15 MB to run the application
- 512 MB RAM

Table 8 Remote Filtering Server System Recommendations
Network Size | Hardware Recommendations
1-500 clients | Windows or Linux; Quad-Core Intel Xeon processor, 2.5 GHz or greater; 1 GB RAM; 20 GB free disk space
500-2000 clients | Windows or Linux; Quad-Core Intel Xeon processor, 3.2 GHz or greater; 2 GB RAM; 20 GB free disk space
2000-5000 clients | Windows or Linux; Quad-Core Intel Xeon processor, 3.2 GHz or greater; 2 GB RAM; 20 GB free disk space
5000-10000 clients | Windows or Linux; Quad Xeon, 3.2 GHz or greater -or- Static load balancing with Dual Xeon, 3.2 GHz or greater; 2 GB RAM; 20 GB free disk space
10000+ clients | Windows or Linux; Static load balancing with Quad Xeon, 3.2 GHz or greater; 2 GB RAM; 20 GB free disk space

Figure 1 provides an example of a Remote Filtering deployment.
The illustration does not include all Websense components.
Figure 1 Example of Remote Filtering Deployment

Supported integrations
Websense software can be integrated with the following firewalls, proxy servers, and caching applications (collectively referred to as integration products) to provide Internet filtering.

Table 9 Supported Integrations
Integration | Version Supported | Comments
Cisco | Cisco PIX Firewall Software v5.0 or greater; Cisco Adaptive Security Appliances (ASA) Software v7.0 or greater; Cisco Content Engine ACNS v5.4 or greater; Cisco Routers with Cisco IOS Software Release 12.3 or greater |
Check Point | FireWall-1 FP1 or greater; FireWall-1 NG AI; FireWall-1 NGX; Check Point Edge; Check Point R61; Check Point R65 | Contact Check Point for assistance in determining which FireWall-1 version is running. Network Agent can run on same machine only if it and the integration each has its own processor.
Citrix (Citrix Presentation Server, MetaFrame Presentation Server) | MetaFrame Presentation Server 3.0; Citrix Presentation Server 4.0; Citrix Presentation Server 4.5 | Websense Plug-in: The Citrix plug-in is only supported on Windows. Requires either: Microsoft Windows Server 2003 (32 bit); Microsoft Windows 2000 Server (32 bit)
Microsoft Internet Security and Acceleration (ISA) Server | Integrations: Microsoft ISA Server 2004, Standard Edition and Enterprise Edition; Microsoft ISA Server 2006, Standard Edition and Enterprise Edition. Clients: ISA Firewall Clients; SecureNAT Clients | Websense Plug-in: The ISAPI Plug-in for the Microsoft ISA Server is supported only on Windows.
Network Appliance NetCache | NetCache OS v5.2.1 R1D4 or greater. | Websense protocol management requires NetCache v5.5 or later.
Squid Web Proxy Cache | Squid STABLE v2.5; Squid STABLE v2.6 | Websense Plug-in: The Squid Plug-in for the Squid Web Proxy Cache is supported only on Linux.

Chapter 3: Deploying Network Agent
When your Websense software deployment includes Network Agent, the positioning of the agent and other Websense filter components depends on the composition of your network.
For the most part, Ethernet networks are built of segments. (Very simple networks are the exception.) A segment is a sort of neighborhood for a group of machines, which are connected to the rest of the network via a central connection point (router, bridge, switch, or smart hub).
Most of these devices keep local traffic within a segment, while passing traffic intended for machines on other segments.
This architecture reduces network congestion by keeping unnecessary traffic from passing to the whole network.
A very simple network may require only a single Network Agent.
A segmented network may require (or benefit from) a separate Network Agent instance for each segment.
Network Agent functions best when it is closest to the computers that it is assigned to monitor.
This chapter provides configuration information and sample deployment diagrams to help you position Network Agent in your deployment.

Network Agent
Network Agent manages Internet protocols (including HTTP, HTTPS, and FTP), by examining network packets and identifying the protocol.
As with third-party integration products (like firewalls, routers, proxies, or network appliances), Network Agent can be configured to route HTTP requests to Filtering Service for filtering.
In addition, when Network Agent detects a non-HTTP request, it queries Filtering Service to determine whether the protocol should be blocked, and then logs the results of the query.
Network Agent must be installed on the internal side of the corporate firewall, in a location where it can see all Internet requests for the machines it is assigned to monitor.
The agent then monitors HTTP and non-HTTP requests from those machines, and the response that they receive.
Network Agent only monitors and manages traffic that passes through the network device (switch, hub, or gateway) to which it is attached.
Multiple Network Agent instances may be needed, depending on the size, volume of Internet requests and the network configuration.
The Network Agent machine can connect to the network via a switch or a hub.
See Hub configuration, page 54, and Switched networks with a single Network Agent, page 55.
Network Agent can be installed on the same machine as an integration product.
See Gateway configuration, page 59.

Network Agent settings
Configure Network Agent global (applying to all agent instances) and local (specific to a single agent instance) settings in Websense Manager.
These settings tell Network Agent which machines to monitor and which to ignore.
Global settings:
- Specify which machines are part of your network.
- Identify any machines in your network that Network Agent should monitor for incoming requests (for example, internal Web servers).
- Specify bandwidth calculation and protocol logging behavior.
Local settings:
- Specify which Filtering Service is associated with each Network Agent.
- Identify proxies and caches used by the machines that this Network Agent monitors.
- Determine which network card (NIC) the Network Agent instance uses to monitor requests and which it uses to send block pages.
Configuration settings for the NIC used to monitor requests determine which segment of the network the agent instance monitors.
Warning: Do not install Network Agent on a machine running a firewall or Remote Filtering Server.
On a firewall, Network Agent's packet capturing may conflict with the firewall software.
On a Remote Filtering Server, machine resources may be too heavily taxed.
There is one exception: A blade server or appliance with separate processors or virtual processors may be able to support both Network Agent and firewall software or Remote Filtering Server.

Network Agent location
Network Agent must be able to see all outgoing and incoming Internet traffic on the network segment that it is assigned to monitor.
Multiple instances of Network Agent may be needed to monitor an entire network.
- Multiple Network Agents may be needed for larger or high-traffic organizations.
- A Network Agent instance can be placed in each internal network segment.
The Network Agent machine may be:
- Connected to a switch or router.
  Configure the device to use a mirror or span port, and connect Network Agent to this port, to allow the agent to see Internet requests from all monitored machines. (On most switches, you can change a port mode to spanning, mirroring, or monitoring mode. The term varies by manufacturer; the function is the same.)
  Note: Not all switches support port spanning or mirroring. Contact the switch vendor to verify that spanning or mirroring is available, and for configuration instructions.
  Websense, Inc., strongly recommends using a switch that supports bidirectional spanning. This allows Network Agent to use a single network card (NIC) to both monitor traffic and send block pages.
  If the switch does not support bidirectional spanning, the Network Agent machine must have at least 2 NICs: one for monitoring and one for blocking. See Using multiple NICs, page 61.
- On a dedicated machine, connected to an unmanaged, unswitched hub located between an external router and the network.
To ensure that Network Agent is able to monitor the expected traffic, you must both position the Network Agent machine appropriately, and configure Network Agent settings in Websense Manager.
Consult the Websense Manager Help for instructions.
The following sections illustrate possible single and multiple Network Agent configurations.

Single segment network
A single segment network is a series of logically connected nodes (computers, printers, and so on) operating in the same portion of the network.
In a single segment network, Filtering Service and Network Agent must be positioned to monitor Internet traffic across the entire network.
Figure 2 shows the filtering components of the Websense software Stand-Alone Edition installed in a central location to see both HTTP and non-HTTP traffic.
Figure 2 Websense software in a single-segment network
To learn more about installing Network Agent in a network:
- With a hub, see Hub configuration, page 54.
- With a switch, see Switched networks with a single Network Agent, page 55.
- With a gateway, see Gateway configuration, page 59.

Multiple segment network

Depending on the device used to connect network segments, some traffic may not be sent to all segments. A router, bridge or smart hub serves as traffic control, preventing unneeded traffic from being sent to a segment. In this environment, the Websense filtering components must be deployed to see all network traffic.

- Filtering Service must be installed where it can receive and manage Internet requests from the integration product, if any, and communicate with Network Agent.
- Each Network Agent instance must be able to see all Internet requests on the segment or segments that it is configured to monitor.

Deploying multiple Network Agents

Multiple Network Agent instances may be needed in a multiple segment network to capture all Internet requests. A Network Agent can be installed on each segment to monitor the Internet requests from that segment.

If multiple Network Agent instances are installed:

- Ensure that the instances are deployed to monitor the entire network. Partial deployment results in incomplete filtering and loss of log data in network segments not watched by the Network Agent.
- Network Agent instances must not be configured to monitor overlapping IP address ranges. An overlap can result in inaccurate logging and network bandwidth measurements, and improper bandwidth-based filtering. The network segment or IP address range monitored by each Network Agent is determined by the NIC settings for the agent configured in Websense Manager. See the Websense Manager Help for instructions.
- Avoid deploying Network Agent across different LANs. If you install Network Agent on a machine in the 10.22.x.x network, and configure it to communicate with a Filtering Service machine in the 10.30.x.x network, communication may be slow enough to prevent Network Agent from blocking an Internet request before the site is returned to the user.

Note: A limit of 4 Network Agents is suggested for each Filtering Service. It may be possible to use more agent instances, depending on system and network configuration and the volume of Internet requests.
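
The coverage, overlap, and agent-count guidance above can be checked against a planned layout before the ranges are entered in Websense Manager. The script below is an added example, not part of the Websense guide or product; the plan layout, agent names, and address ranges are constructed for illustration.

```python
"""Audit a planned Network Agent layout for overlapping or missing coverage."""
import ipaddress
from itertools import combinations

SUGGESTED_MAX_AGENTS = 4  # the guide's suggested limit per Filtering Service

# Constructed sample plan: Filtering Service -> Network Agent -> monitored ranges.
PLAN = {
    "filtering-1": {
        "agent-A": ["10.22.1.0/24"],
        "agent-B": ["10.22.2.0/24", "10.22.3.0-10.22.3.127"],
        "agent-C": ["10.22.2.128/25"],  # deliberately overlaps agent-B
    },
}
# Constructed list of internal segments that must be monitored.
SEGMENTS = ["10.22.1.0/24", "10.22.2.0/24", "10.22.3.0/24"]


def parse_range(text):
    """Accept CIDR ('10.22.1.0/24') or 'first-last' and return a list of networks."""
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        # Raises ValueError if last < first, which catches reversed ranges.
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(text.strip())]


def agent_networks(plan):
    """Flatten the plan to {agent name: [networks it monitors]}."""
    flat = {}
    for agents in plan.values():
        for agent, ranges in agents.items():
            flat[agent] = [net for r in ranges for net in parse_range(r)]
    return flat


def find_overlaps(plan):
    """Return (agent, agent, shared network) for every doubly monitored range."""
    flat = agent_networks(plan)
    hits = []
    for a, b in combinations(sorted(flat), 2):
        for na in flat[a]:
            for nb in flat[b]:
                if na.overlaps(nb):
                    # CIDR blocks overlap only by containment, so the
                    # shared part is the more specific of the two.
                    shared = na if na.prefixlen >= nb.prefixlen else nb
                    hits.append((a, b, str(shared)))
    return hits


def find_uncovered(plan, segments):
    """Return {segment: [sub-ranges no agent monitors]} for partial coverage."""
    covered = [net for nets in agent_networks(plan).values() for net in nets]
    gaps = {}
    for seg in segments:
        remaining = [ipaddress.ip_network(seg)]
        for c in covered:
            nxt = []
            for r in remaining:
                if not r.overlaps(c):
                    nxt.append(r)                     # untouched by this range
                elif not c.supernet_of(r):
                    nxt.extend(r.address_exclude(c))  # c sits strictly inside r
                # else: r is fully monitored and drops out
            remaining = nxt
        if remaining:
            gaps[seg] = [str(n) for n in sorted(remaining)]
    return gaps


def over_agent_limit(plan):
    """Return Filtering Services that exceed the suggested agent count."""
    return {fs: len(agents) for fs, agents in plan.items()
            if len(agents) > SUGGESTED_MAX_AGENTS}


if __name__ == "__main__":
    for a, b, net in find_overlaps(PLAN):
        print(f"OVERLAP   {a} and {b} both monitor {net}")
    for seg, missing in find_uncovered(PLAN, SEGMENTS).items():
        print(f"UNCOVERED {seg}: {', '.join(missing)}")
    for fs, count in over_agent_limit(PLAN).items():
        print(f"AGENTS    {fs} has {count} agents (suggested max {SUGGESTED_MAX_AGENTS})")
```

An overlap reported here corresponds to the double-counted logging and bandwidth figures the guide warns about; an uncovered range corresponds to unfiltered, unlogged traffic.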

For examples of central and distributed Network Agent placement, see:

- Hub configuration, page 54
- Switched networks with a single Network Agent, page 55
- Gateway configuration, page 59

Central Network Agent placement

A network with multiple segments can be filtered from a single location. Install Filtering Service where it can receive Internet requests from both the integration product, if any, and each Network Agent.

If the network contains multiple switches, Network Agent instances are inserted into the network at the last switch in the series. This switch must be connected to the gateway that goes out to the Internet.

In Figure 3:

- One Network Agent instance is installed with Filtering Service on Machine A. This machine is connected to the network via a switch that is configured to mirror or span the traffic of network Segment 1.
- A second Network Agent is installed on Machine B, which is connected to the same switch as Machine A. Machine B is connected to a different port that is configured to mirror the traffic of Segments 2 and 3.
- Both Network Agents are positioned to see all traffic for the network segments they monitor, and to communicate with other Websense components.
- The switch is connected to the gateway, allowing the Network Agent instances to monitor network traffic for all network segments.

Figure 3: Websense software in a multiple-segment network

Distributed Network Agent placement

The network diagram below shows a single Filtering Service with 3 Network Agents, one for each network segment. A deployment like this might be useful in organizations with satellite offices, for example.

- Filtering Service (Machine C) must be installed where it is able to receive and manage Internet requests from both the integration product (if any) and each of the Network Agent instances in all network segments.
- Each Network Agent (machines A, B and C) is connected to the network segment it monitors via the span or mirror port of a switch.

See Deploying multiple Network Agents, page 51, for more information.

In Figure 4, the switches are not connected in a series. However, each switch is connected to the router, which is connected to the gateway.

Figure 4: Multiple Network Agents in a multiple-segment network

Hub configuration

At the simplest level, a network hub provides a central connection point for the segments in a network and the devices in those segments. The port to which the Network Agent machine connects is dependent on the type of hub. Some hubs broadcast traffic to all of their ports, while others do not. Network Agent must be able to see the traffic for the network segments it is assigned to monitor.

Figure 5: Network Agent connected to a hub

Switched networks with a single Network Agent

A switch is a bridge that routes traffic between network segments. It prevents all traffic from going to all segments, reducing network congestion. Since not all traffic going through a switch is visible to all devices on the network, the machine running Network Agent must be connected at a point where it can monitor all Internet traffic for the network.

Connect the Network Agent machine to the port on the switch that mirrors, monitors, or spans the traffic on the gateway or firewall port. The span or mirror port sees all the traffic that leaves each network segment.

Figure 6 shows a network with a single switch. The Network Agent machine is attached to the port that mirrors all traffic from connected clients. Subsequent illustrations show multiple switch and multiple subnetwork configurations.

Figure 6: Simple deployment in a switched environment

Note: Not all switches support bidirectional port spanning or mirroring. Contact the switch vendor to verify that spanning or mirroring is available, and for configuration instructions. If bidirectional communication is not available, at least 2 network cards (NICs) are needed to monitor traffic and communicate with other Websense components. If port spanning is not available, Network Agent cannot properly monitor the network.

Figure 7 shows the use of additional switches to create 2 network segments. All Internet traffic from these network segments must pass through Switch #3, to which Network Agent is attached. In a multiple switch environment, failure to enable port spanning or mirroring could result in missed filtering and inaccurate reports.

Figure 7: Multiple subnets in a switched environment

Figure 8 also contains multiple network segments. This network adds a router for communication with a remote office. The machine running Network Agent is connected to an additional switch.

Figure 8: Switched environment with a remote office connection

Network Agent can also be positioned closer to the clients, as shown in Figure 9, page 58.

Switched networks with multiple Network Agents

A busy network may need multiple Network Agents to monitor different network segments or IP address ranges. Network Agent operates best when it is closer to the computers it is assigned to monitor. Figure 9 shows a network in which multiple Network Agent instances monitor separate network segments. See Deploying multiple Network Agents, page 51, for more information.

Figure 9: Multiple Network Agents in a switched environment

Gateway configuration

A gateway provides a connection between two networks. The networks do not need to use the same network communication protocol. The gateway can also connect a network to the Internet.

Network Agent can be installed on the gateway machine, allowing Network Agent to manage and monitor all Internet traffic. The gateway can either be a third-party proxy server or a network appliance. Do not install Network Agent on a firewall.

Figure 10 shows Network Agent monitoring the Internet traffic at the proxy gateway or caching appliance directly attached to the firewall.

Figure 10: Network Agent installed on the gateway

Important: The gateway configuration shown here is best used in small to medium networks. In larger networks, performance can suffer as a result of resource competition between the gateway software and Network Agent.

Figure 11 shows Network Agent deployed in a network that includes Websense Content Gateway. Do not install Network Agent on the Websense Content Gateway machine.

Figure 11: Network Agent deployed with Websense Content Gateway

Using multiple NICs

Network Agent is capable of using more than one network card (NIC). Best practices suggest a maximum of 5 NICs. The NICs can be connected to ports on the same network device (switch or router), or to different network devices.

If the machine running Network Agent has multiple NICs:

- Only one instance of Network Agent can be installed on the machine.
- The blocking or inject NIC (used to serve block pages) must have an IP address.
- Each NIC can be configured to monitor or block Internet requests, or both.
- Each NIC can be configured to monitor a different network segment.
- At least one NIC must be configured for blocking.

When you configure separate network cards to monitor traffic and send block messages (shown in Figure 12, page 62):

- The monitoring and blocking NIC do not have to be assigned to the same network segment.
- The monitoring NIC must be able to see all Internet traffic in the network segment that it is assigned to monitor.
- Multiple monitoring NICs can use the same blocking NIC.
- The blocking NIC must be able to send block messages to all machines assigned to the monitoring NICs, even if the machines are on another network segment.
- A monitoring NIC can be set for stealth mode (no IP address). For information on configuring stealth mode, see the Websense Web Security and Websense Web Filter Installation Guide.
- The blocking NIC must have an IP address (cannot be set to stealth mode).

The installer requests the IP addresses for the NICs that Websense software uses for communication, and for the NICs that Network Agent uses to monitor traffic. For more information, see the Websense Web Security and Websense Web Filter Installation Guide.

For information on configuring multiple NICs, consult the Websense Manager Help.

Figure 12: Dual NIC configuration

NAT and Network Agent deployment

If you use Network Address Translation (NAT) on internal routers, Network Agent may be unable to identify the source IP address of client machines. When Network Agent detects traffic after being passed through such a router, the agent sees the IP address of the router's external interface as the source of the request, rather than the IP address of the client machine.

To address this issue, either disable NAT, or install Network Agent on a machine located between the NAT router and the monitored clients.

4 Integration Deployment

This chapter addresses considerations for deploying Websense components with an integration product (such as a firewall, proxy, or caching application).

Most of the network diagrams included in this chapter show a typical small network installation (500 users or fewer). The diagrams show the recommended location of your integration product relative to Websense components. The diagrams are intended to provide a general overview, and do not show all Websense components.

Larger networks require that Websense components be distributed across several dedicated machines. See the Deployment Guide Supplements for more information.

Websense Content Gateway

Websense Content Gateway is a central gateway for controlling Web content that offers:

- The advantages of a proxy cache, improving bandwidth usage and network performance by storing requested Web pages and, if the page is still considered "fresh," serving the Web page to the requesting client.
- Real-time content categorization. This feature examines the content of uncategorized sites and sites that include rapidly changing content, and then returns a recommended category to Filtering Service.

Websense Content Gateway can run in explicit or transparent proxy mode.

- In explicit proxy mode, client browsers must be configured to point to the proxy.
- In transparent proxy mode, the client request is intercepted and redirected to the proxy. Traffic is redirected through a router or a Layer 4 switch and the ARM (Adaptive Redirection Module) feature of the proxy.

Note: DC Agent is listed as the transparent identification agent in many of the diagrams in this chapter. Logon Agent can also be used.

Websense Content Gateway can participate in flexible cache hierarchies, where Internet requests not fulfilled in one cache can be routed to other regional caches. The gateway also scales from a single node into multiple nodes that form a cluster, to improve system performance and reliability.

Websense Content Gateway is installed on a Linux machine, separate from other Websense components. See the Websense Content Gateway Installation Guide for more information.

Figure 13 shows Websense Content Gateway and Websense Data Security Suite deployed with Websense Web filtering components (including Policy Broker, Policy Server, Filtering Service, User Service, and a transparent identification agent).

The Websense Data Security Suite, Websense Content Gateway, and Websense filtering component machines access network traffic through a router. Network Agent is installed on a separate machine, attached to the span port on a switch.

Figure 13: Integration with Websense Content Gateway

Cisco deployment

A simple and common network topology places Websense filtering components on a single machine, or group of dedicated machines, communicating with the Cisco PIX Firewall or Cisco Adaptive Security Appliance (ASA) via TCP/IP. Websense reporting components are installed on a separate machine. If you install Network Agent, it must be positioned to see all traffic on the internal network.

See the Installation Guide Supplement for use with Cisco Integrated Products for configuration instructions.

Figure 14: Common Windows Network Configuration for Cisco PIX Firewall or ASA

Other configurations are possible. Consult your Cisco PIX Firewall or ASA documentation and the information in this section to determine the best configuration for your network.

Cisco Content Engine

In this common configuration, Websense filtering components are installed on a single machine, communicating with the Cisco Content Engine through TCP/IP. Websense reporting components are installed on a separate machine. If you install Network Agent, it must be positioned to see all traffic on the internal network.

Figure 15: Common Windows network configuration for Cisco Content Engine

Other configurations are possible. Consult your Content Engine documentation and the information in this chapter to determine the best configuration for your network.

Cisco IOS Routers

In this common configuration, Websense filtering components are installed on a single machine, communicating with the Cisco IOS Router. Websense reporting components are installed on a separate machine. If you install Network Agent, it must be positioned to see all traffic on the internal network.

The router has firewall functionality and can be used with or without an accompanying firewall. If the Cisco IOS Router is used with a separate firewall, ensure that all Internet traffic is configured to pass through the router and is not set to bypass the router and go directly to the firewall. Traffic filtered through the separate firewall cannot be filtered by the Websense software.

Figure 16: Common Windows network configuration for Cisco IOS Routers

Other configurations are possible. Consult your Cisco Router documentation and the information in this chapter to determine the best configuration for your network.

Check Point

This section includes a general discussion of 2 common Check Point integration deployment options: simple deployment with unified components, and distributed deployment. See the Installation Guide Supplement for use with Check Point Integrated Products for configuration instructions.

Simple

In the simplest and most common network topology, an organization has one firewall that resides on a dedicated server. All Websense filtering components are installed on a separate machine on the internal network. Websense reporting components are installed on a separate machine. If you install Network Agent, it must be positioned to see all traffic on the internal network.

Figure 17: Simple network configuration

Distributed

In Figure 18, Websense filtering software is installed on a single machine in a central location where it can manage both protocol and HTTP traffic. HTTP requests are handled by the Check Point appliance, and the non-HTTP traffic is managed by Network Agent, which is positioned to detect all outbound traffic.

Figure 18: Multi-Segmented network configuration

To avoid performance and security issues, do not install Websense components on a machine running Check Point software, unless the machine is a blade server that has separate processors to accommodate each product. Network Agent will not function correctly if installed on the Check Point machine.

Warning: Websense, Inc., and Check Point do not recommend installing Websense software and Check Point on the same machine. Do not install Network Agent on the same machine as Check Point software.

Microsoft ISA Server

When you integrate Websense software with Microsoft ISA Server, the Websense ISAPI plug-in must be installed on the ISA Server machine. The plug-in allows Microsoft ISA Server to communicate with Filtering Service, and must be installed on every ISA Server machine that communicates with Websense software.

- You can install Policy Broker, Policy Server, Filtering Service, and User Service on the same machine as Microsoft ISA Server.
- When Websense filtering software is installed on the same machine as Microsoft ISA Server, the Websense ISAPI Filtering plug-in must be installed at the same time.
- If your environment includes an array of Microsoft ISA Server machines, install Websense software on a machine outside the array.

See the Websense Installation Guide Supplement for use with Microsoft ISA Server for instructions and more information.

Single Microsoft ISA Server configuration

Figure 19 shows all Websense components, including the Websense ISAPI Filter, running on the same machine as Microsoft ISA Server. Unless the Internet traffic volume is light, this configuration requires a powerful machine.

Figure 19: Filtering components installed with Microsoft ISA Server

An alternate setup, Figure 20, places Websense filtering components on a Windows machine separate from the Microsoft ISA Server machine. This configuration eases the load on the Microsoft ISA Server machine.

- The ISAPI Filter must be installed on the Microsoft ISA Server machine so that Internet activity information can be communicated to Filtering Service.
- The Filtering Service and Microsoft ISA Server machines must be able to communicate over the network.

Figure 20: Filtering components installed separately from Microsoft ISA Server

Array configuration

Websense software is compatible with most array configurations, including Cache Array Routing Protocol (CARP) arrays. If the Microsoft ISA Server machines in the array can run Websense software without a performance impact, installing the Websense components on one of the array machines is recommended. In this configuration, the two applications do not have to communicate over the network.

Install the Websense ISAPI Filter on each Microsoft ISA Server machine in the array.

Figure 21 shows Websense filtering components running on a Microsoft ISA Server machine, with Websense Manager and Log Server installed on a computer that has network access to the Websense filtering machine.

Figure 21: Microsoft ISA Server array configuration #1

If installing Websense filtering components on a Microsoft ISA Server machine is likely to have a performance impact, install Websense software outside the array. Install the Websense ISAPI Filter on each member of the array. See Figure 22.

When Websense software is deployed in this configuration, all array members send Internet requests to Filtering Service outside the array.

Figure 22: Microsoft ISA Server array configuration #2

Other configurations are possible. Consult your Microsoft ISA Server documentation for information about Microsoft ISA Server configurations.

Squid Web Proxy Cache deployment

Websense filtering components can be installed on the same machine as Squid Web Proxy Cache, on a separate machine, or on multiple machines. Squid Web Proxy Cache machines may be deployed in an array to share the load in a larger network. A Websense Squid plug-in must be installed on each machine running Squid Web Proxy Cache.

The diagrams in this section assume a Linux installation. If Websense filtering components are installed on a Windows machine, move Websense Manager to another machine. If you are running Websense Manager on Windows, do not install a second instance of Websense Manager on a Linux machine.

Single Squid Web Proxy Cache configuration

Figure 23 shows the Websense filtering components, the Squid plug-in, and the Squid Web Proxy Cache running on the same machine. In this configuration, the Websense filtering components are installed on the Squid Web Proxy Cache machine. You can also install a Websense transparent identification agent on the same machine, or on a separate machine.

Figure 23: Filtering components installed with Squid Web Proxy Cache

An alternate deployment places all Websense filtering components on a separate machine from the Squid Web Proxy Cache. This configuration eases the load on the Squid Web Proxy machine.

- The Websense Squid Plug-in must be installed on the Squid Web Proxy machine to enable communication with Filtering Service.
- The Filtering Service and Squid Web Proxy machines must be able to communicate over the network.

Figure 24: Filtering components and Squid Web Proxy Cache on separate machines

Array configuration

Websense software is compatible with most array configurations, including Cache Array Routing Protocol (CARP) arrays. If the Squid Web Proxy Cache machines in an array can run Websense software without a performance impact, install the main Websense filtering components on one of the array machines. In this configuration, the two applications do not have to communicate over the network.

Figure 25 shows the Websense filtering components running on a Squid Web Proxy Cache machine, with Websense reporting components on a separate machine.

Figure 25: Squid Web Proxy Cache array configuration #1

If installing the Websense filtering components on the Squid Web Proxy Cache machine is likely to have a performance impact, install Websense software on a separate machine outside the array, and then install the Squid plug-in on each member of the array. See Figure 26.

When Websense software is installed in this configuration, all array members send Internet requests to Filtering Service outside the array.

Figure 26: Squid Web Proxy Cache array configuration #2

Other configurations are possible. Consult your Squid Web Proxy Cache documentation for information about array configurations. See the Installation Guide Supplement for use with Squid Web Proxy Cache for Websense software configuration instructions.

NetCache integration

NetCache has been specifically enhanced to integrate with Websense software. When NetCache receives a client's Internet request, it queries Filtering Service to find out whether or not the site should be blocked. If the site is assigned to a permitted category, Filtering Service notifies NetCache that the site is not blocked, and the site is returned to the user.

Figure 29 shows Websense filtering components installed together on a single machine. Remember that Network Agent must be able to monitor all Internet traffic.

Figure 27: Common network configuration

Other configurations are possible. Consult your NetCache documentation for information about array configurations. See the Installation Guide Supplement for use with NetCache for Websense software configuration instructions.

Universal integration

If your firewall, proxy server, caching application, or network appliance is not one of the products listed in this chapter, you may still be able to integrate it with Websense software. Check the list of Websense Technology Partners at www.websense.com/global/en/Partners/TAPartners/SecurityEcosystem/ to see if Websense software can be integrated with the product. If your integration product is listed, that product has been specifically enhanced to integrate with Websense software.

Typical configurations include networks with a single firewall, proxy server, or caching application, and networks with an array of firewalls, proxy servers, or caching appliances. A Websense transparent identification agent (DC Agent, Logon Agent, eDirectory Agent, or RADIUS Agent) can be installed on the Filtering Service machine or on a separate machine.

Figure 28: Common network configuration

Other configurations are possible. Consult your integration product's documentation for other recommendations. See the Installation Guide Supplement for use with Universal Integrations for Websense software configuration instructions.

Citrix

Websense software integrated with a Citrix server can monitor HTTP, FTP, and SSL requests from individual Citrix users. Network Agent can be used to filter other protocols, if needed.

Figure 29 shows a typical deployment used to filter both users who access the Internet through a Citrix server and users who access the Internet locally.

- The Websense filtering components are installed on a dedicated machine that can filter both the Citrix server clients and the non-Citrix clients.
- The Websense Citrix Integration Service must be installed on each Citrix server to allow it to communicate with Filtering Service. No other Websense components can be installed on the Citrix server.
- Separate Network Agent instances are needed for the Citrix and non-Citrix users.

To simplify the diagram, not all individual Websense components are shown.

Figure 29: Citrix integration

Other integrations also can be used in the non-Citrix portion of the network. See the Installation Guide Supplement for use with Integrated Citrix Servers for Websense software configuration instructions.