Preparing to deploy the Management API

The Management API resides with Policy Server on a Linux server or Forcepoint appliance.

  • There can be multiple Management API instances in the deployment.
  • There can be only one Management API per Policy Server instance.
  • Only Policy Server instances that include a Management API instance can use API-managed categories for policy enforcement.

Before installing the Management API on a Linux server, be sure that the libgnutls.so.26 library is installed.

Warning: A key component of the Management API, Policy API Server, will fail to install if this library is missing.

The Management API must be able to communicate with the following components:

  • Policy Server provides connection information to allow Management API components to communicate with other Forcepoint Web Security components.

    The Management API and Policy Server must reside on the same machine.

  • Policy Broker is used to record API-managed categories, URLs, and IP addresses in the Policy Database. This allows URLs and IP addresses to be distributed throughout the deployment.

    Policy Broker communication occurs on port 55880.

  • Filtering Service queries the Management API for category, URL, and IP address information for use in policy enforcement.
    • Filtering Service communication occurs on port 17868.
    • Multiple Filtering Service instances can communicate with the same Management API instance.
    • All Filtering Service instances that connect to the same Policy Server also share the same Management API instance.

Client communication with the Management API uses port 15873 by default.

The primary component of the Management API is the Policy API Server.

  • Policy API Server listens on port 15873, accepting REST requests via HTTPS using basic authentication.
  • API-managed categories and their URLs and IP addresses are stored both in the Policy Database and a local database on the Policy API Server machine.

    In deployments with multiple Policy API Server instances, changes saved by one instance are replicated to the local databases for all other instances within a short period.

    • Each Policy API Server instance keeps the most recent 3 good databases.
    • The database location can be configured in the ApiParameters.ini file (see ApiParameters.ini).
    • Any bad database is stored in a separate directory for troubleshooting by Forcepoint Technical Support.
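The following pre-install check is an added example, not a Forcepoint tool: it confirms that libgnutls.so.26 is registered with the dynamic linker and that nothing on the host already listens on the default Policy API Server port, 15873. The function names and the `--run` switch are hypothetical, and treating an existing listener on 15873 as a conflict is an assumption.

```shell
#!/bin/sh
# Pre-install checks for a Linux host that will run the Management API.
# Added example; function names and the --run switch are hypothetical.

# Reads `ldconfig -p` output on stdin.
# Succeeds only if the soname libgnutls.so.26 is registered.
has_gnutls26() {
    grep -q 'libgnutls\.so\.26[[:space:]]'
}

# Reads `ss -ltn` output on stdin.
# Succeeds if a LISTEN socket is bound to TCP port $1 (IPv4 or IPv6).
port_listening() {
    awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# $1 = text of `ldconfig -p`, $2 = text of `ss -ltn`.
# Prints one line per check; returns non-zero if any check fails.
preflight() {
    rc=0
    if printf '%s\n' "$1" | has_gnutls26; then
        echo "OK   libgnutls.so.26 present"
    else
        echo "FAIL libgnutls.so.26 missing (Policy API Server will fail to install)"
        rc=1
    fi
    # Assumption: a listener already on the default port is a conflict.
    if printf '%s\n' "$2" | port_listening 15873; then
        echo "FAIL port 15873 already has a listener"
        rc=1
    else
        echo "OK   port 15873 free for Policy API Server"
    fi
    return $rc
}

# Run against the live host only when asked to: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight "$(ldconfig -p)" "$(ss -ltn)"
fi
```

After installation, `port_listening 15873` can be reused with the opposite expectation to confirm that Policy API Server is accepting connections.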

Management API components run using an account created automatically during the installation process. This account is called forcepoint and has a password generated dynamically at installation time. The account is used only for running daemons, and cannot be used to log in to the server.

Note: If your deployment has multiple Filtering Service instances per Policy Server, see the Category lookup failures caused by connection issues KBA for additional configuration information.