Introduction

Policy Broker is responsible for managing access to both policy data (including clients, filters, and exceptions) and global settings for web protection solutions.

You have the option to deploy Policy Broker in either a standalone or replicated configuration.

  • In a standalone configuration, there is one Policy Broker for the entire deployment.
  • In a replicated configuration, there is one primary Policy Broker, to which configuration and policy changes are saved, and one or more replica instances, each with their own read-only copy of the configuration and policy data.
    • The primary Policy Broker and all replica instances must reside on a Windows or Linux server. When you enable replication, Policy Broker cannot reside on an appliance.
    • If one Policy Broker instance becomes unavailable, components can connect to another instance, allowing database downloads, policy enforcement, and reporting to continue without interruption.
    • In geographically distributed deployments, having components retrieve information from a local Policy Broker may improve performance.
      Important: A replicated environment requires bidirectional communication on port 6432 between the primary Policy Broker and each of its replicas. Make sure that your firewalls are configured to allow this communication.

You can configure how each Policy Server instance in your deployment connects to Policy Broker, including:

  • Whether Policy Server attempts to connect to the primary Policy Broker or a replica Policy Broker at startup.
  • How Policy Server attempts to connect to a new Policy Broker if it loses its connection to its default Policy Broker.

For each Policy Server, you can manage a Policy Broker connection list. If Policy Server cannot connect to the first Policy Broker in the list, it attempts to connect to the second, then the third, and so on, until it establishes a successful connection.
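The ordered walk through a Policy Broker connection list described above, together with the port 6432 replication check from the note on replicated configurations, as an added Python example that is not part of the original article or of Forcepoint's own software. The hostnames are hypothetical, and the Policy Broker listening port (BROKER_PORT) is an assumption to confirm against your deployment; port 6432 is the replication port the page names.

```python
"""Model Policy Server's connection-list behaviour: try each Policy Broker in
order and stop at the first one that accepts a TCP connection. Also probe the
replication port (6432) toward peers; run that on the primary (peers = the
replicas) and on each replica (peers = the primary) to confirm both directions."""
import socket
from typing import Dict, Iterable, List, Optional, Tuple

REPLICATION_PORT = 6432   # primary <-> replica replication traffic (from the page)
BROKER_PORT = 55880       # ASSUMED Policy Broker listening port; confirm for your deployment


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_reachable_broker(connection_list: Iterable[Tuple[str, int]],
                           timeout: float = 2.0) -> Optional[Tuple[str, int]]:
    """Walk the connection list in order (first, then second, then third...)
    and return the first (host, port) that accepts a connection, or None."""
    for host, port in connection_list:
        if tcp_reachable(host, port, timeout):
            return (host, port)
    return None


def replication_peers_reachable(peers: Iterable[str],
                                timeout: float = 2.0) -> Dict[str, bool]:
    """Probe port 6432 on each replication peer from this host. A False entry
    means a firewall (or the peer) is blocking this direction."""
    return {peer: tcp_reachable(peer, REPLICATION_PORT, timeout) for peer in peers}


if __name__ == "__main__":
    # Hypothetical hostnames; replace with your deployment's own values.
    brokers: List[Tuple[str, int]] = [
        ("broker-primary.example.internal", BROKER_PORT),
        ("broker-replica1.example.internal", BROKER_PORT),
    ]
    print("Policy Broker to use:", first_reachable_broker(brokers))
    print("Replication peers:", replication_peers_reachable(
        ["broker-replica1.example.internal"]))
```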

By default, Policy Server attempts to connect to the Policy Broker instance on the same machine (if one exists) first. This is true when Policy Server is installed:

  • At the same time as Policy Broker
  • On a machine that already hosts a Policy Broker

If Policy Broker is installed on a machine that already hosts a Policy Server instance, the Policy Server is not automatically updated to attempt to connect to the new Policy Broker first.

Manage Policy Broker connection lists on the Web > Settings > General > Policy Brokers page in the Forcepoint Security Manager.

Refer to the articles in this collection for information about how to:

  • Change the Policy Broker mode
  • Update replica instances after the primary is restored from backup
  • Configure Policy Server to connect to a new primary or standalone Policy Broker
  • Reconfigure Policy Server after a standalone Policy Broker becomes a replica

Also find tips about:

  • Backup and restore for the primary Policy Broker
  • Backup and restore for replica instances
  • Changing from replicated to standalone mode
  • Remote Filtering Server and Policy Broker replication