KB Article | Forcepoint Support

Notes & Warnings

  • In a stand-alone installation, no filtering or logging will occur until the Network Agent sees all outbound traffic and is configured correctly. In an installation that is integrated with a third-party product such as a firewall, only HTTP/HTTPS traffic may be filtered and logged until the Network Agent sees all outbound traffic and is configured correctly.
  • Network Agent deployment and topology have not changed since version 7.0.
  • See Deployment Guidelines for Network Agent for more information regarding deployment.
  • See Network Agent Quickstart Guide for information on setting up a standalone deployment with no additional integration. 
  • See Network Agent Limitations for information regarding limitations in Network Agent Standalone environments.

Problem Description

If you are planning to deploy, or have already configured, Network Agent in Standalone mode, this article covers the following:
  • Where Network Agent fits in network topology.
  • Configuring Network Agent.

Resolution

Network Agent is the component that enables filtering of all protocols (HTTP and non-HTTP) in a stand-alone Forcepoint installation. When an integration product is used to pass HTTP/HTTPS requests to Forcepoint software, Network Agent can still be used to monitor non-HTTP protocols, enable bandwidth-based filtering restrictions, and collect enhanced log data for use in reporting.

In order for Network Agent to filter and log traffic properly, it must first be positioned to monitor network traffic.

Network topology - switch or hub?

Network Agent should be placed as close as possible to the device that is the exit/entry point of your network or LAN. In most environments this gateway device is a firewall or router. For instance, if your firewall or router's internal interface connects to a central or core switch, then the Network Agent machine should also be connected to that same switch.
If you are connecting to a switch, you must consider the precise make and model plus its capabilities. While the individual ports on a true hub will be able to "see" all traffic passing through that hub, no matter its destination port, a switch operates differently.
 
By default, each port on a switch sees only the traffic destined for that port. In order for your Network Agent to see all the traffic going out from the switch to the gateway device, you must configure port spanning or port mirroring (the two terms refer to the same functionality, and are variously used by different switch vendors - for simplicity's sake this article will refer to port spanning).
  • Higher end switches support bidirectional port spanning, in which the same Network Interface Card (NIC) can both listen ("see" or monitor the traffic) and send on the same port.
  • Low-end to mid-range switches may support a more limited form of port spanning: the NIC can monitor, but not send. In this type of environment, the Network Agent machine needs to have 2 NICs: one for normal network communication and one dedicated to monitoring traffic.
    • Both NICs connect to the same switch as the internal interface of the gateway device.
    • The NIC used to monitor traffic must connect to the switch span port.
  • If your switch does not support port spanning at all (for instance, if it is an unmanaged switch), use a classic ("dumb") hub to allow Network Agent to see all outgoing traffic. More details appear below.
For detailed information on configuring your switch for port spanning, see your switch manufacturer's website. See below for more information on configuring your Network Agent and NICs.
 
If you need to connect to a hub instead, it must be a true hub in which every port sees all traffic for all ports on the hub. Many more recent hubs in fact have a certain amount of "intelligence" built in and do not behave as true hubs - you will need an old-style, classic "dumb" hub with no management or built-in intelligence whatsoever. The hub should be the last device on your network before the gateway device. In other words, it should sit in between the gateway device and the core switch. In this way, all traffic passes through the hub on its way out to the internet; if the Network Agent machine is also connected to the hub, it can therefore see all outgoing traffic.

Note Some are reluctant to use a hub because it is older technology. With the placement of the hub right before your internet gateway, however, the hub will not be a bottleneck unless your internet bandwidth exceeds 10 Mbps (or the lowest speed associated with the hub). For most smaller offices with a T1 line, for instance, the hub will not be a cause for concern.

One NIC or two?

In a larger environment, even if your switch does support bidirectional port spanning, Forcepoint recommends using two NICs on your Network Agent machine. Many of today's servers come with two NICs onboard, so there is no reason not to make use of the load balancing opportunity this presents.
  • Both NICs would be plugged into the same switch as the internal interface of the gateway device.
  • The monitoring NIC must be plugged into the switch span port.

The primary NIC is associated with the IP address of the box (assuming that the Network Agent is on the same machine as the rest of the Forcepoint Windows components, this will be the IP address of your Policy Server and Filtering Service) and will be used for normal network communications and for sending the Forcepoint Block Page information.
 
The secondary NIC is dedicated to monitoring or listening to the outgoing traffic. This dedicated monitoring NIC need not even have an IP address; it can operate in "stealth" mode with TCP/IP unbound from the card and no IP address assigned. The NIC is said to be in promiscuous mode.
 
In a smaller environment, the choice of one or two NICs is determined by the make and model of switch in use:
  • If bidirectional port spanning is supported, then one NIC is sufficient. The single NIC can both monitor traffic and send block pages.
  • If bidirectional port spanning is not supported, 2 NICs are needed.
If one NIC is used in a bidirectional port span, that card is associated with the server's IP address, delivers the Forcepoint Block Page information and also monitors or listens to the outgoing traffic.
 
If a hub is used, one NIC can perform both the network communications and monitoring functions.

Note In either of the above single NIC scenarios (switch or hub), if the network statistics indicate that the NIC is becoming overloaded, a second NIC should be installed (no need to bind TCP/IP or assign another IP address to it) to handle the monitoring part of the equation. After adding a second NIC, be sure to check that the new monitoring NIC is plugged into the span port for the switch.

Configuration details

Check to make sure Network Agent is installed and running.

  1. In Windows, open Control Panel > Administrative Tools > Services.
  2. Locate the Websense Network Agent service, and verify that it is present and running.

Check to see that Network Agent is configured to monitor using the correct NIC(s)

See the Network Agent Quick Start guide for information. 

Sample configuration

All Forcepoint components are installed on the same server, which has two NICs installed:
  • NIC 1 is assigned the IP address associated with the server (the Policy Server and Filtering Service IP address) and is configured to send block page information.
  • NIC 2 has no IP address (TCP/IP is unbound from the card), is configured to Monitor the traffic, and is plugged into the switch's span port. (It listens to the traffic going out the port connected to the gateway device's internal interface.)
  • Both NICs are plugged into the same core switch, which also connects to the gateway device.
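As an added example that is not part of the Forcepoint article, the following PowerShell script checks the two-NIC sample configuration above on the Network Agent server: that the service is running, that NIC 1 holds the server IP, that NIC 2 has TCP/IP unbound, and that NIC 2 is actually receiving traffic from the span port (the check the Additional information section below calls for). The adapter aliases 'Ethernet' and 'Ethernet 2' are assumptions; adjust them to match your Get-NetAdapter output.

```powershell
# Added example (not Forcepoint's own tooling): verify the two-NIC Network Agent layout.
$PrimaryNic    = 'Ethernet'     # assumed: NIC 1, carries the server IP and sends block pages
$MonitorNic    = 'Ethernet 2'   # assumed: NIC 2, plugged into the switch span port
$SampleSeconds = 10

# 1. The Network Agent service must be present and running (display name as in the article).
$svc = Get-Service -DisplayName 'Websense Network Agent' -ErrorAction SilentlyContinue
if (-not $svc)                     { Write-Warning 'Network Agent service not found' }
elseif ($svc.Status -ne 'Running') { Write-Warning "Network Agent service is $($svc.Status)" }
else                               { Write-Host 'Network Agent service: running' }

# 2. NIC 1 should hold the server (Policy Server / Filtering Service) IPv4 address.
$ip = Get-NetIPAddress -InterfaceAlias $PrimaryNic -AddressFamily IPv4 -ErrorAction SilentlyContinue
if ($ip) { Write-Host "${PrimaryNic} IPv4: $($ip.IPAddress -join ', ')" }
else     { Write-Warning "${PrimaryNic} has no IPv4 address" }

# 3. NIC 2 should be a stealth monitoring card: TCP/IP unbound, so no IP address.
$bound = Get-NetAdapterBinding -Name $MonitorNic -ComponentID ms_tcpip, ms_tcpip6 |
         Where-Object Enabled
if ($bound) { Write-Warning "${MonitorNic} still has TCP/IP bound: $($bound.DisplayName -join ', ')" }
else        { Write-Host "${MonitorNic}: TCP/IP unbound (stealth mode)" }

# 4. A span port that is not actually mirroring delivers almost nothing to NIC 2.
#    Sample the receive counter twice and flag a monitoring NIC that sees no traffic.
$before = (Get-NetAdapterStatistics -Name $MonitorNic).ReceivedBytes
Start-Sleep -Seconds $SampleSeconds
$after  = (Get-NetAdapterStatistics -Name $MonitorNic).ReceivedBytes
$rate   = ($after - $before) / $SampleSeconds
if ($rate -lt 1KB) {
    Write-Warning ("{0} received only {1:N0} B/s over {2}s: check the span/mirror port " +
                   "configuration and any host firewall bound to this interface" -f
                   $MonitorNic, $rate, $SampleSeconds)
} else {
    Write-Host ("{0} is receiving mirrored traffic: {1:N0} B/s" -f $MonitorNic, $rate)
}
```

Run it in an elevated PowerShell session on the Network Agent server; the NetAdapter cmdlets require Windows Server 2012 or later.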

Additional information

  • Occasionally even when using a "dumb" hub, Network Agent may not see any HTTP traffic. Check for any firewall settings which may be blocking the network interface, including software-based firewalls. Disable any firewall monitoring or blocking of the interface used by Network Agent.
  • If you have a single NIC installed on the machine running Network Agent, be sure that the switch port it is connected to allows both "Ingress" and "Egress" (inbound/outbound) traffic. Both are required to properly configure a bidirectional span or port mirror.
