Deploying Forcepoint Web Security Hybrid Module components

Applies to:

  • Forcepoint Web Security, v8.5.x

The Hybrid Module for Forcepoint Web Security offers the ability to combine on-premises and hybrid (cloud or security-as-a-service) policy enforcement.

Two on-premises components are used to enable communication with the hybrid service in the cloud:
  • Sync Service
  • Directory Agent

Sync Service

Sync Service is required to send policy updates and user and group information from the on-premises deployment to the hybrid service (in the cloud). Sync Service also retrieves reporting data from the hybrid service and passes it to Log Server so that it can be used in reports.
  • There can be only one Sync Service instance in your deployment.
  • Sync Service can be installed on the Log Server machine.
  • If you use a distributed logging deployment, Sync Service may communicate with either the central Log Server or a remote Log Server.
  • If you have enabled Policy Broker replication, Sync Service must connect to the primary Policy Broker.
Sync Service must be able to communicate with:
  • The hybrid service on port 443
  • Log Server on port 55885 (outbound)
  • Directory Agent on port 55832 (inbound)
  • Forcepoint Security Manager on port 55832 (inbound)
  • Policy Broker on port 55880 (outbound)
  • Policy Server on port 55830 (inbound) and ports 55806 and 40000 (outbound)

Directory Agent

Directory Agent is required to enable user, group, and domain (OU) based policy enforcement through the hybrid service.

Directory Agent collects user, group, and OU information from a supported directory service and passes it to Sync Service in LDIF format. Sync Service then forwards the information to the hybrid service.
  • Typically, only one Directory Agent instance is required in a deployment. Deployments with multiple Policy Servers, however, would require multiple Directory Agent instances.
  • Directory Agent can be installed on the same machine as other web protection components, including Sync Service and User Service.
  • With Forcepoint appliances, Directory Agent is installed on the full policy source or user directory and filtering appliance.
  • When Directory Agent is installed, it must connect to a Policy Server instance that has an associated User Service instance.
    • Directory Agent must communicate with the same directory service as User Service.
    • If you have multiple User Service instances connected to different directory services, you can also have multiple Directory Agent instances, each associated with a different Policy Server.
    • All Directory Agent instances must connect to a single Sync Service. (A deployment can have only one Sync Service instance.)

      Use the Web Security module of the Forcepoint Security Manager to configure the Sync Service connection manually for all supplemental Directory Agent instances.

      See Directory Agent and User Service in the Administrator Help for configuration steps.

Directory Agent must be able to communicate with:
  • Your supported LDAP-based directory service (Windows Active Directory in Native Mode, Oracle Directory Server, or Novell eDirectory)

    If your organization uses Windows Active Directory in mixed mode, user and group data cannot be collected and sent to the hybrid service.

  • Sync Service on port 55832
  • Policy Server on ports 55806 and 40000

Once configured, Directory Agent collects user and group data from your directory service and sends it to Sync Service in LDIF format. At scheduled intervals, Sync Service sends the user and group information collected by Directory Agent to the hybrid service. Sync Service compresses large files before sending them.
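
To verify the outbound paths listed for Sync Service and Directory Agent before enabling the module, the following added example (not Forcepoint tooling) encodes both port lists from this page and probes each TCP port from the host where the component will run. The hostnames, the plain-LDAP port 389 for the directory service, and the injectable probe function are assumptions; inbound ports must be checked from the peer side.

```python
"""Pre-deployment TCP reachability check for Hybrid Module outbound ports."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Outbound connections each component must be able to open, per this page.
# Entries are (peer role, port); hostnames come from a deployment map.
REQUIRED_OUTBOUND: Dict[str, List[Tuple[str, int]]] = {
    "Sync Service": [
        ("hybrid service", 443),
        ("Log Server", 55885),
        ("Policy Broker", 55880),       # primary broker if replication is on
        ("Policy Server", 55806),
        ("Policy Server", 40000),
    ],
    "Directory Agent": [
        ("Sync Service", 55832),
        ("Policy Server", 55806),
        ("Policy Server", 40000),
        ("directory service", 389),     # assumption: plain LDAP; use 636 for LDAPS
    ],
}

Probe = Callable[[str, int], bool]

def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_component(component: str, hosts: Dict[str, str],
                    probe: Probe = tcp_open) -> List[Tuple[str, Optional[str], int]]:
    """Return (peer, host, port) for every required path that is missing or closed.

    hosts maps a peer role to its hostname/IP. A peer absent from the map is
    reported with host=None so an incomplete inventory is caught, not skipped.
    probe is injectable so the matrix can be exercised without a live network.
    """
    failures: List[Tuple[str, Optional[str], int]] = []
    for peer, port in REQUIRED_OUTBOUND[component]:
        host = hosts.get(peer)
        if host is None or not probe(host, port):
            failures.append((peer, host, port))
    return failures

if __name__ == "__main__":
    # Constructed placeholder inventory; replace with your deployment's hosts.
    inventory = {"hybrid service": "HYBRID_SERVICE_HOST", "Log Server": "LOG_SERVER_HOST",
                 "Policy Broker": "POLICY_BROKER_HOST", "Policy Server": "POLICY_SERVER_HOST"}
    for peer, host, port in check_component("Sync Service", inventory):
        print(f"Sync Service cannot reach {peer} ({host}) on TCP {port}")
```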