Deploying Forcepoint Web Security Hybrid Module components
Applies to:
- Forcepoint Web Security, v8.5.x
The Hybrid Module for Forcepoint Web Security offers the ability to combine on-premises and hybrid (cloud or security-as-a-service) policy enforcement. The module adds two components to the deployment:
- Sync Service
- Directory Agent
Sync Service
- There can be only one Sync Service instance in your deployment.
- Sync Service can be installed on the Log Server machine.
- If you use a distributed logging deployment, Sync Service may communicate with either the central Log Server or a remote Log Server.
- If you have enabled Policy Broker replication, Sync Service must connect to the primary Policy Broker.
Sync Service communicates with the following components:
- The hybrid service on port 443
- Log Server on port 55885 (outbound)
- Directory Agent on port 55832 (inbound)
- Forcepoint Security Manager on port 55832 (inbound)
- Policy Broker on port 55880 (outbound)
- Policy Server on port 55830 (inbound) and ports 55806 and 40000 (outbound)
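A pre-deployment connectivity check for the Sync Service host, added here as an example (it is not Forcepoint code). It encodes the port list above, probes each outbound TCP connection from the Sync Service machine, and reports which inbound ports are not yet being listened on. The hybrid service connection is assumed to be outbound (the list gives no direction for it), the peer hostnames are placeholders, and the set of listening ports is supplied by the caller (for instance from `ss -ltn` or `netstat -an`).

```python
"""Connectivity pre-check for the Sync Service host (added example, not Forcepoint code)."""
import socket

# Port requirements for the Sync Service machine, as listed in the deployment notes.
# Direction is relative to the Sync Service host. The hybrid service entry is
# assumed to be outbound; the notes state no direction for it.
SYNC_SERVICE_PORTS = [
    ("hybrid service", 443, "outbound"),
    ("Log Server", 55885, "outbound"),
    ("Directory Agent", 55832, "inbound"),
    ("Forcepoint Security Manager", 55832, "inbound"),
    ("Policy Broker", 55880, "outbound"),
    ("Policy Server", 55830, "inbound"),
    ("Policy Server", 55806, "outbound"),
    ("Policy Server", 40000, "outbound"),
]


def required_inbound_ports():
    """Distinct TCP ports the Sync Service host must accept connections on."""
    return sorted({port for _, port, direction in SYNC_SERVICE_PORTS if direction == "inbound"})


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_outbound(peers, probe=tcp_probe):
    """Probe every outbound connection Sync Service needs.

    peers maps a component name to its hostname or IP. Returns a list of
    (component, host, port, ok) tuples; ok is None when no host is configured.
    """
    results = []
    for component, port, direction in SYNC_SERVICE_PORTS:
        if direction != "outbound":
            continue
        host = peers.get(component)
        ok = None if host is None else probe(host, port)
        results.append((component, host, port, ok))
    return results


def missing_inbound(listening_ports):
    """Inbound ports from the requirement list that nothing on this host is listening on."""
    return [p for p in required_inbound_ports() if p not in set(listening_ports)]


if __name__ == "__main__":
    # Constructed placeholder hostnames; replace with the real component hosts.
    peers = {
        "hybrid service": "hybrid.example.invalid",
        "Log Server": "logserver.example.invalid",
        "Policy Broker": "policybroker.example.invalid",
        "Policy Server": "policyserver.example.invalid",
    }
    for component, host, port, ok in check_outbound(peers):
        state = "unconfigured" if ok is None else ("reachable" if ok else "BLOCKED")
        print(f"outbound {component:28s} {host}:{port} -> {state}")
    print("inbound ports not yet listening:", missing_inbound({55832}))
```

Run it on the Sync Service host before installing; a `BLOCKED` outbound result or a non-empty inbound list points at a firewall or service that needs attention before the component is deployed.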
Directory Agent
Directory Agent is required to enable user, group, and domain (OU) based policy enforcement through the hybrid service.
- Typically, only one Directory Agent instance is required in a deployment. Deployments with multiple Policy Servers, however, would require multiple Directory Agent instances.
- Directory Agent can be installed on the same machine as other web protection components, including Sync Service and User Service.
- With Forcepoint appliances, Directory Agent is installed on the full policy source or user directory and filtering appliance.
- When Directory Agent is installed, it must connect to a Policy Server instance that has an associated User Service instance.
- Directory Agent must communicate with the same directory service as User Service.
- If you have multiple User Service instances connected to different directory services, you can also have multiple Directory Agent instances, each associated with a different Policy Server.
- All Directory Agent instances must connect to a single Sync Service. (A deployment can have only one Sync Service instance.)
Use the Web Security module of the Forcepoint Security Manager to configure the Sync Service connection manually for all supplemental Directory Agent instances.
See Directory Agent and User Service in the Administrator Help for configuration steps.
Directory Agent communicates with:
- Your supported LDAP-based directory service (Windows Active Directory in Native Mode, Oracle Directory Server, or Novell eDirectory)
If your organization uses Windows Active Directory in mixed mode, user and group data cannot be collected and sent to the hybrid service.
- Sync Service on port 55832
- Policy Server on ports 55806 and 40000
Once configured, Directory Agent collects user and group data from your directory service and sends it to Sync Service in LDIF format. At scheduled intervals, Sync Service sends the user and group information collected by Directory Agent to the hybrid service. Sync Service compresses large files before sending them.
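The data path in the paragraph above, shown on a constructed sample. This is an added example and not Forcepoint code: it parses an LDIF export of the kind Directory Agent hands to Sync Service, summarises the entries by object class, flags group members that have no corresponding user entry in the export (such users would not be identifiable to the hybrid service), and applies the size-triggered compression step that Sync Service performs on large files. The LDIF content, the `person`/`group` object classes and the size threshold are assumptions for the example; gzip is used only to illustrate compression, as the notes do not name the algorithm.

```python
"""Inspect a directory export before it is sent on (added example, not Forcepoint code)."""
import base64
import gzip
from collections import Counter

# Constructed LDIF sample: one user and one group that references a missing user.
SAMPLE_LDIF = """\
# users
dn: cn=alice,ou=users,dc=example,dc=com
objectClass: person
cn: alice
description:: QWxpY2UgKHdlYiB0ZWFtKQ==

# groups
dn: cn=web-admins,ou=groups,dc=example,dc=com
objectClass: group
cn: web-admins
member: cn=alice,ou=users,dc=example,dc=com
member: cn=bob,ou=users,
 dc=example,dc=com
"""


def _unfold(lines):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Parse LDIF text into a list of entries; each entry maps attribute -> list of values."""
    entries, current = [], {}
    for line in _unfold(text.splitlines()):
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            # "attr:: <base64>" carries a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def summarize(entries):
    """Count entries per objectClass value."""
    return Counter(oc for e in entries for oc in e.get("objectClass", []))


def dangling_members(entries):
    """Group member DNs that do not appear as entries in the same export."""
    known = {dn.lower() for e in entries for dn in e.get("dn", [])}
    missing = {m for e in entries for m in e.get("member", []) if m.lower() not in known}
    return sorted(missing)


def prepare_for_upload(data, threshold=1_000_000):
    """Compress data only when it exceeds threshold bytes; returns (payload, compressed)."""
    if len(data) > threshold:
        return gzip.compress(data), True
    return data, False


def unpack(payload, compressed):
    """Reverse prepare_for_upload."""
    return gzip.decompress(payload) if compressed else payload


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("entries by objectClass:", dict(summarize(entries)))
    print("members without a user entry:", dangling_members(entries))
    payload, compressed = prepare_for_upload(SAMPLE_LDIF.encode(), threshold=64)
    print(f"payload {len(payload)} bytes, compressed={compressed}")
```

Point `parse_ldif` at a real export to see which object classes are actually being sent and whether group memberships reference users the export does not contain; the threshold argument is deliberately tiny in the sample so the compression branch is exercised.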