Policy source

In a web protection deployment, there is a policy source machine that hosts two components that do not run on any other server or appliance: Policy Database and Policy Broker. One of the first deployment decisions that must be made is the location of the policy source machine.
Important:

Deployments that include installations of Policy Server on standalone Windows or Linux servers and on Forcepoint appliances must locate the policy source on a Windows or Linux server, not on a Forcepoint appliance.

Deployments that configure Policy Broker Replication must locate the primary and replica Policy Broker instances on Windows or Linux servers.

All machines running web protection components connect to the policy source machine to get up-to-date policy information. Your primary instance of Policy Server also runs on the policy source machine.

Most sites install the policy source on a Windows server (off-appliance). An alternative is to configure a V Series or X Series appliance (located in Slot-1). The policy mode of remaining appliances is chosen during each appliance’s firstboot. Here’s how it works:
  1. The policy source machine is set up, either off-appliance or on-appliance.
  2. When other appliances go through firstboot, the policy mode is set to either User directory and filtering mode or Filtering only mode.

If the policy source is located off-appliance, you have the option to configure replicated policy source servers. See Managing Policy Broker Replication.

User directory and filtering

A User directory and filtering appliance is a lightweight version of the policy source machine.

Whenever you make a policy change, that change is immediately updated on the policy source appliance. The change is pushed out to user directory and filtering appliances within 30 seconds.

If the connection with the policy source machine is interrupted, user directory and filtering appliances can continue handling traffic for as long as 14 days. So even if a network connection is poor or is lost, traffic processing continues as expected.

A user directory and filtering appliance is configured to point to the full policy source for updates.

A User directory and filtering appliance runs:
  • Policy Server
  • User Service
  • Usage Monitor
  • Filtering Service
  • Control Service
  • Directory Agent
  • Content Gateway module (Forcepoint Web Security only)

Filtering only

A Filtering only appliance is configured to point to a Policy Server. This works best when the appliance is close to the Policy Server and on the same network.

These appliances require a continual connection to the centralized Policy Server, not only to stay current, but also to continue handling traffic. If the connection to the Policy Server becomes unavailable for any reason, traffic on a filtering only appliance will continue to be handled for up to 3 hours.

A Filtering only appliance does not run Policy Server. It runs only:
  • Filtering Service
  • Control Service
  • Content Gateway module (Forcepoint Web Security only)
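The two grace periods above (14 days for a User directory and filtering appliance, 3 hours for a Filtering only appliance) are the numbers an operator needs when monitoring loss of connectivity to the policy source. The following Python is an added example, not code from Forcepoint or from this guide: it models a small fleet of appliances with constructed last-contact timestamps and hypothetical names, and ranks them by how long each will keep handling traffic if the policy connection is not restored, so a Filtering only appliance that is about to stop handling traffic surfaces before a User directory and filtering appliance that still has days of margin.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Grace periods stated in the deployment guide for each appliance policy mode.
GRACE_PERIOD = {
    "user_directory_and_filtering": timedelta(days=14),
    "filtering_only": timedelta(hours=3),
}


@dataclass
class Appliance:
    name: str                    # hypothetical appliance name
    mode: str                    # key into GRACE_PERIOD
    last_policy_contact: datetime  # last successful contact with its Policy Server / policy source


def remaining_grace(appliance: Appliance, now: datetime) -> timedelta:
    """Time left before the appliance stops handling traffic without a policy
    connection. Negative once the grace period has already expired."""
    return appliance.last_policy_contact + GRACE_PERIOD[appliance.mode] - now


def classify(appliance: Appliance, now: datetime, warn_fraction: float = 0.5) -> str:
    """'ok' while more than warn_fraction of the grace period remains,
    'warning' once it drops below that, 'traffic_not_handled' after expiry."""
    remaining = remaining_grace(appliance, now)
    if remaining <= timedelta(0):
        return "traffic_not_handled"
    if remaining <= GRACE_PERIOD[appliance.mode] * warn_fraction:
        return "warning"
    return "ok"


def triage(appliances, now: datetime):
    """Return (name, mode, state, remaining) tuples, most urgent first."""
    rows = [(a.name, a.mode, classify(a, now), remaining_grace(a, now)) for a in appliances]
    rows.sort(key=lambda row: row[3])
    return rows


# Constructed sample fleet and reference time; not real deployment data.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
FLEET = [
    Appliance("branch-fo-1", "filtering_only", NOW - timedelta(hours=1)),
    Appliance("branch-fo-2", "filtering_only", NOW - timedelta(hours=3, minutes=30)),
    Appliance("hq-udf-1", "user_directory_and_filtering", NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    for name, mode, state, remaining in triage(FLEET, NOW):
        print(f"{name:12} {mode:30} {state:20} remaining={remaining}")
```

The warning threshold is a local choice (half the grace period here); the point is that the alert is relative to the mode's own grace period, since 90 minutes of lost connectivity is routine for a User directory and filtering appliance but leaves a Filtering only appliance with only half of its margin.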