Locating Network Agent in a multiple-segment network
- Forcepoint Web Security, v8.5.x
- Forcepoint URL Filtering, v8.5.x
- Filtering Service must be installed where it can receive and manage Internet requests from Network Agent and any integration product.
- Each Network Agent instance must be able to see all Internet requests on the segment or segments that it is configured to monitor. Multiple Network Agent instances may be needed to capture all Internet requests; a Network Agent can be installed on each segment to monitor the Internet requests from that segment.
Note: A limit of 4 Network Agents is suggested for each Filtering Service. It may be possible to use more agent instances, depending on system and network configuration and the volume of Internet requests.
If multiple Network Agent instances are installed:
- Ensure that the instances are deployed so that, together, they monitor the entire network. Partial deployment results in incomplete policy enforcement and loss of log data in network segments not visible to Network Agent.
- Each Network Agent instance must monitor a non-overlapping set of IP addresses. An overlap can result in inaccurate logging and network bandwidth measurements, and improper bandwidth-based policy enforcement.
The network segment or IP address range monitored by each Network Agent instance is determined by the NIC settings for the agent, configured in the Forcepoint Security Manager. See the Administrator Help for instructions.
- Avoid deploying Network Agent across different LANs. If you install Network Agent on a machine in the 10.22.x.x network, and configure it to communicate with a Filtering Service machine in the 10.30.x.x network, communication may be slow enough to prevent Network Agent from blocking an Internet request before the site is returned to the user.
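The two requirements above (complete coverage, no overlap between instances) are easy to get wrong once several Network Agent instances are in play. The following Python script is an added example, not part of this document or of the Forcepoint product: it takes the monitored ranges of each instance, as a practitioner would copy them out of the NIC settings in the Security Manager, and reports any range shared by two instances and any part of the intended address space that no instance monitors. All agent names, ranges and the segment list are constructed sample values; the script uses only the Python standard library.

```python
import ipaddress
from itertools import combinations

# Constructed sample input (hypothetical values, not from any real deployment):
# the IP ranges each Network Agent instance has been configured to monitor.
AGENTS = {
    "Network Agent on Machine A": ["10.22.1.0/24", "10.22.2.0/24"],
    "Network Agent on Machine B": ["10.22.2.0/25", "10.22.3.0/24"],  # overlaps Machine A
    "Network Agent on Machine C": ["10.22.4.0/24"],
}

# Constructed: the address space the deployment is supposed to cover in full.
SEGMENTS = ["10.22.0.0/21"]


def _nets(cidrs):
    """Parse CIDR strings; strict=True rejects a network with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def find_overlaps(agents):
    """Return (agent_a, agent_b, overlap) for every pair of agents whose
    monitored ranges share addresses. Two CIDR blocks that overlap are
    nested, so the shared part is the more specific (longer prefix) block."""
    found = []
    for (name_a, cidrs_a), (name_b, cidrs_b) in combinations(agents.items(), 2):
        for net_a in _nets(cidrs_a):
            for net_b in _nets(cidrs_b):
                if net_a.overlaps(net_b):
                    inner = net_a if net_a.prefixlen >= net_b.prefixlen else net_b
                    found.append((name_a, name_b, str(inner)))
    return found


def find_uncovered(agents, segments):
    """Return the parts of `segments` (as CIDR strings) that no agent monitors."""
    # Merge every monitored range into a disjoint, sorted set of blocks.
    monitored = list(ipaddress.collapse_addresses(
        net for cidrs in agents.values() for net in _nets(cidrs)))
    remaining = _nets(segments)
    for mon in monitored:
        next_remaining = []
        for rem in remaining:
            if not mon.overlaps(rem):
                next_remaining.append(rem)  # this agent range does not touch rem
            elif mon.subnet_of(rem):
                # carve the monitored block out of rem (yields nothing if equal)
                next_remaining.extend(rem.address_exclude(mon))
            # else: rem lies entirely inside mon, so it is fully covered; drop it
        remaining = next_remaining
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def audit(agents, segments):
    """Run both checks; an empty dict means the layout satisfies both rules."""
    problems = {}
    overlaps = find_overlaps(agents)
    if overlaps:
        problems["overlaps"] = overlaps
    gaps = find_uncovered(agents, segments)
    if gaps:
        problems["uncovered"] = gaps
    return problems


if __name__ == "__main__":
    for kind, items in audit(AGENTS, SEGMENTS).items():
        print(kind)
        for item in items:
            print("  ", item)
```

With the sample values, the script flags 10.22.2.0/25 as monitored by both Machine A and Machine B (the condition that produces double-counted bandwidth measurements), and lists 10.22.0.0/24, 10.22.5.0/24 and 10.22.6.0/23 as segments no instance sees, where policy enforcement and logging would silently be missing.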
Central Network Agent placement
A network with multiple segments can be managed from a single location. Install Filtering Service where it can receive Internet requests from each Network Agent and any integration product.
If the network contains multiple switches, Network Agent instances are inserted into the network at the last switch in the series. This switch must be connected to the gateway that goes out to the Internet.
- One Network Agent instance is installed with Filtering Service on Machine A. This machine is connected to the network via a switch that is configured to mirror or span the traffic of network Segment 1.
- A second Network Agent is installed on Machine B, which is connected to the same switch as Machine A. Machine B is connected to a different port that is configured to mirror the traffic of Segments 2 and 3.
- Each Network Agent is positioned to see all traffic for the network segment it monitors, and to communicate with other web protection components.
- The switch is connected to the gateway, allowing the Network Agent instances to monitor network traffic for all network segments.
Distributed Network Agent placement
The network diagram below shows a single Filtering Service with 3 Network Agents, one for each network segment. A deployment like this might be useful in organizations with satellite offices, for example.
- Filtering Service (Machine C) must be installed where it is able to receive and manage Internet requests from each Network Agent instance and any integration product.
- Each Network Agent (machines A, B and C) is connected to the network segment it monitors via the switch’s span or mirror port.
In the following illustration, the switches are not connected in a series. However, each switch is connected to the router, which is connected to the gateway.