Deployment guidelines for Network Agent

Applies to:
  • Forcepoint Web Security, v8.5.x
  • Forcepoint URL Filtering, v8.5.x

Network Agent manages Internet protocols (including HTTP, HTTPS, and FTP in standalone deployments) by examining network packets and identifying the protocol in use.

When Network Agent is used, it must be installed:
  • Inside the corporate firewall
  • Where it can see all Internet requests for the machines it is assigned to monitor

Network Agent monitors and manages only the traffic that passes through the network device (typically a switch) to which it is attached. Multiple Network Agent instances may be needed, depending on:
  • network size
  • volume of Internet requests
  • network configuration

While a simple network may require only a single Network Agent, a segmented network may require (or benefit from) a separate Network Agent instance for each segment.

Network Agent functions best when it is closest to the computers that it is assigned to monitor.

NAT and Network Agent

If you use Network Address Translation (NAT) on internal routers, Network Agent may be unable to identify the source IP address of client machines. When Network Agent detects traffic after it has passed through such a router, the agent sees the IP address of the router's external interface as the source of the request, rather than the IP address of the client machine.

To address this issue, either disable NAT, or install Network Agent on a machine located between the NAT router and the monitored clients.

Network Agent NIC configuration

Network Agent must be able to see all outgoing and incoming Internet traffic on the network segment that it is assigned to monitor. Do not install multiple instances of Network Agent on the same machine.

If the Network Agent machine connects to a switch:
  • Configure the switch to use a mirror or span port, and connect Network Agent to this port, to allow the agent to see Internet requests from all monitored machines.
    Note: Not all switches support port spanning or mirroring. Contact the switch vendor to verify that spanning or mirroring is available, and for configuration instructions.
  • You have the option to use a switch that supports bidirectional spanning. This allows Network Agent to use a single network interface card (NIC) to both monitor traffic and send block pages.
    If the switch does not support bidirectional spanning, the Network Agent machine must have at least 2 NICs: one for monitoring and one for blocking.
    • Best practices suggest a maximum of 5 NICs.
    • The NICs can be connected to ports on the same network device (switch or router), or to different network devices.

Network Agent can also connect to an unmanaged, unswitched hub located between an external router and the network.

If the machine running Network Agent has multiple NICs:
  • Each NIC can be configured to monitor or block Internet requests, or both.
  • The blocking or inject NIC (used to serve block pages) must have an IP address (cannot be set for stealth mode).
  • A NIC configured only to monitor (but not block) does not need an IP address (can be set for stealth mode).
    See Network Agent and stealth mode NICs for more details about stealth mode.
  • Each NIC can be configured to monitor a different network segment.
  • At least one NIC must be configured for blocking.

When you configure separate network cards to monitor traffic and send block messages:
  • The monitoring and blocking NICs do not have to be assigned to the same network segment.
  • The monitoring NIC must be able to see all Internet traffic in the network segment that it is assigned to monitor.
  • Multiple monitoring NICs can use the same blocking NIC.
  • The blocking NIC must be able to send block messages to all machines assigned to the monitoring NICs, even if the machines are on another network segment.
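The multi-NIC rules above can be checked before installation. The following Python is an added example and not Forcepoint code; the Nic model, its fields, and the per-NIC route list are assumptions standing in for the host's interface and routing configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional, Tuple

@dataclass
class Nic:
    """Planned role of one interface on the Network Agent host (assumed model)."""
    name: str
    monitor: bool = False            # receives mirrored/span traffic
    block: bool = False              # serves (injects) block pages
    ip: Optional[str] = None         # None = stealth mode, no IP address
    segment: Optional[str] = None    # CIDR of the segment this NIC monitors
    routes: Tuple[str, ...] = ()     # CIDRs this NIC can send to (assumed from host routing)

def validate_plan(nics, bidirectional_span=False):
    """Check a NIC plan against the deployment rules; returns (errors, warnings)."""
    errors, warnings = [], []
    if len(nics) > 5:
        warnings.append(f"{len(nics)} NICs exceeds the best-practice maximum of 5")
    blockers = [n for n in nics if n.block]
    monitors = [n for n in nics if n.monitor]
    if not blockers:
        errors.append("at least one NIC must be configured for blocking")
    if not monitors:
        errors.append("at least one NIC must be configured to monitor")
    for n in nics:
        if n.block and n.ip is None:
            errors.append(f"{n.name}: blocking NIC must have an IP address (no stealth mode)")
        if n.monitor and n.block and not bidirectional_span:
            errors.append(f"{n.name}: one NIC for monitor+block requires bidirectional spanning")
    # Every monitored segment must be reachable from some blocking NIC, even
    # when that segment is not the one the blocking NIC sits on.
    for m in monitors:
        if m.segment is None:
            errors.append(f"{m.name}: monitoring NIC must be assigned a segment")
            continue
        seg = ip_network(m.segment)
        reachable = any(seg.subnet_of(ip_network(r)) for b in blockers for r in b.routes)
        if not reachable:
            errors.append(f"{m.name}: no blocking NIC can send block pages to {m.segment}")
    return errors, warnings

# Constructed sample: two stealth-mode monitoring NICs on different segments
# sharing one blocking NIC that can route to both via 10.0.0.0/8.
PLAN = [
    Nic("eth1", monitor=True, segment="10.1.0.0/24"),
    Nic("eth2", monitor=True, segment="10.2.0.0/24"),
    Nic("eth0", block=True, ip="10.0.0.5", segment="10.0.0.0/24", routes=("10.0.0.0/8",)),
]
```

`validate_plan(PLAN)` returns no errors; a single stealth NIC asked to both monitor and block on a switch without bidirectional spanning fails three rules at once.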

During installation, you specify which NIC is used for communication and which NIC or NICs are used by Network Agent.

For information on positioning Network Agent in your network, see:
  • Locating Network Agent in a single-segment network
  • Locating Network Agent in a multiple-segment network
  • Network Agent on a gateway