Deploying core web protection components

Applies to: In this topic
  • Forcepoint Web Security, v8.5.x
  • Forcepoint URL Filtering, v8.5.x
  • Core policy components
  • Core management components
  • Core reporting components

On-premises web protection solutions include the core policy, management, and reporting components shown in the diagram below and described in detail in the sections that follow, with one exception: Content Gateway is available only for Forcepoint Web Security.

Core policy components

To ensure effective policy enforcement, the core components must be installed so that:
  • All components can communicate with an instance of Policy Broker.
    • In Policy Broker standalone mode (software or appliance), there is only one Policy Broker instance for the entire deployment.
    • In Policy Broker replicated mode (software only), there is one primary Policy Broker (to which configuration updates are written) and one or more Policy Broker replicas (with a read-only copy of the configuration data).
    • In software installations, Policy Broker can run on Windows or Linux.
    • With Forcepoint appliances, the standalone Policy Broker is present on the full policy source appliance only.
    • Most components must be able to communicate with Policy Broker on port 55880. (The exceptions are all optional components: transparent identification agents, State Server, Linking Service, and Directory Agent.)
  • There is a central instance of Policy Server.
    • In software installations, the central Policy Server instance runs on the standalone or primary Policy Broker machine.
    • With Forcepoint appliances, Policy Server is present on the full policy source appliance.
    • Additional instances of Policy Server can be deployed on Windows or Linux machines, or on user identification and filtering appliances.
    • Most components must be able to communicate with Policy Server on ports 55806 and 40000. (The exceptions are Remote Filtering Server and State Server.)
  • At least one instance of Filtering Service communicates with the central Policy Server.
    • In software installations, Filtering Service can run on the same machine as Policy Broker and Policy Server, or on a separate machine.
    • With Forcepoint appliances, a Filtering Service instance is present on the full policy source appliance.
    • Additional instances of Filtering Service can be deployed on Windows or Linux machines, or on either user identification and filtering (includes Policy Server) or filtering only (must point to a remote Policy Server) appliances.
  • Filtering Service is configured to receive requests from one of the following (see Understanding standalone and integrated modes for web protection solutions.
    • Content Gateway (Forcepoint Web Security)

      For detailed information about deploying Content Gateway, see Content Gateway Deployment.

    • Network Agent (Forcepoint URL Filtering standalone deployments)
    • An integrated third-party firewall, proxy server, or caching application (Forcepoint URL Filtering integrated deployments)

Core management components

The Forcepoint Security Manager is the centralized management console. It includes global administrator settings and appliance connection data, as well as 3 management modules: Web, Data, and Email.

The Web Security module of the Forcepoint Security Manager is used to perform product configuration, policy management, and reporting tasks for on-premises web protection solutions.
  • Install all Forcepoint Security Manager components on a single Windows server (the management server).
  • The Web Security module of the Forcepoint Security Manager must be able to communicate with:
    • Policy Broker on port 55880
    • Policy Server on ports 40000, 55806, 55817, 55818, and 55824
    • Filtering Service on port 55807
    • Log Server on ports 55812 and 55805
    • User Service on port 55815

Core reporting components

Log Server receives information about Internet activity from and processes it into the Log Database.
  • Install Log Server on a dedicated Windows server.
    • Log Server does not run on appliances.
    • Because collecting and processing log records is resource-intensive, Log Server should typically not run on the same machine other resource-sensitive components, like the Forcepoint Security Manager or Filtering Service.
    • You may have one Log Server instance for the entire deployment, or multiple Log Server instances (see Additional reporting considerations), but you can never have more than one Log Server per Policy Server.
  • The Log Database resides on a supported Microsoft SQL Server machine.
    • Do not run Log Server on the SQL Server machine.
    • By default, Log Server communicates with SQL Server on the default ODBC port (1433). A custom port can be specified during installation. See Using a custom port to connect to the Log Database.
  • The management server machine must be able to communicate with Log Server and the Log Database.