Web protection distributed deployment models
In this topic:
- Sites in a region: Remote sites located within one region
- Expanding sites in a region: Remote sites located within one region, with a growing number of employees or sites (or both)
- National or worldwide offices: Remote sites located nationally or globally
Sites in a region
The simplest deployment for a distributed enterprise is a network with remote sites in a single region, such as San Diego County, California, U.S.A. Most organizations with sites like this can use a single Forcepoint Web Security or Forcepoint URL Filtering on-premises deployment, centrally located within that region, to provide policy enforcement for all clients.
Each remote site would be managed as shown in the illustration under Forcepoint URL Filtering. The site at which the software is deployed is represented as the “main site”, but need not be truly a main site in your organization. It is whichever one houses the web protection software.
Off-site users, not shown in the above illustration, can be handled using the Web Security Hybrid Module (Forcepoint Web Security) or Remote Filter module (Forcepoint URL Filtering).
Expanding sites in a region
Some organizations deploy Forcepoint Web Security or Forcepoint URL Filtering within a given region and later decide to increase the number of remote sites in that area. To accommodate the additional sites and employees, such organizations can:
- Improve the performance of the machines running web protection components. Increasing the RAM and CPU, and installing faster hard drives on the machines allows web protection software to respond to an increased number of requests without additional latency. This type of upgrade can help with a moderate increase in head count, or the addition of a few more offices.
- Deploy additional machines to run web protection components. If a significant number of new users or sites is added, the deployment of additional instances of certain components, such as Filtering Service and Network Agent, distributes the load and provides optimum performance for each remote site.
Additional instances of web protection components can be deployed within the region as the number of offices continues to grow.
Off-site users, not shown in the above illustration, can be handled using the Web Security Hybrid Module (Forcepoint Web Security) or Remote Filter module (Forcepoint URL Filtering).
National or worldwide offices
On-premises only
With a single, centrally located on-premises deployment serving sites that are spread nationally or worldwide:
- Each remote site would be geographically distant from the policy enforcement components. Request lookups would have to travel farther over the Internet for management. This distance increases the total latency of the response and may lead to slower Internet access for end users.
- Large numbers of employees generate more Internet requests than recommended for one or two web protection machines, leading to delays in returning web pages to requesting clients.
These organizations should divide their sites into logical regions and deploy policy enforcement components in each region. For example, a distributed enterprise might group their United States sites into a western region, a central region, and an eastern region. Web protection components are deployed at a central site in each region.
The logical division of sites into regions depends on the location and grouping of remote sites and the total number of employees at each site. For example, a company with a large number of remote sites in a concentrated area, such as New York City, may need to deploy multiple web protection machines within that area. Or an enterprise may only have three sites in California with 100 to 250 employees each. In this case, a single web protection installation might be deployed for all three sites. This enterprise also can deploy web protection components locally at each site (rather than using a distributed approach), particularly if IT staff is present at each location. You may consider installing instances of Policy Server, Filtering Service, Content Gateway, and Network Agent to improve response time.
Given the significant number of variables, large organizations should contact a Forcepoint partner or Sales Engineer to plan a rollout strategy before deployment.
With the Forcepoint Web Security Hybrid Module
The Web Security Hybrid Module for Forcepoint Web Security is particularly well-suited for organizations with sites distributed nationally or worldwide.
Single main site
An organization with one main site (such as a headquarters office or main campus) and multiple, geographically dispersed remote or branch sites can deploy Forcepoint Web Security at the main site (with policy enforcement for main-site users managed by the on-premises components) and have all remote sites managed by the hybrid service.
Off-site users, not shown in the above illustration, may also be managed by the hybrid service.
Multiple large sites
Organizations with multiple large sites (such as main headquarters and regional headquarters) can deploy on-premises software at the larger sites while managing small, remote sites through the hybrid service. Though the illustration shows a V Series appliance deployment, this can also be accomplished with X Series and virtual appliances and software-only deployments.