Network Agent Standalone Topology and Setup
- Article Number: 000010910
- Products: Forcepoint URL Filtering, Forcepoint Web Security, TRITON AP-WEB, Web Security Gateway, Web Security Gateway Anywhere, Web Security and Web Filter
- Version: 8.5, 8.4, 8.3, 8.2, 8.1, 8.0, 7.8, 7.7, 7.6, 7.5, 7.1, 7.0
- Last Published Date: June 12, 2020
Notes & Warnings
If planning to or have configured Network Agent in my deployment as Standalone mode, this article goes into some detail for the following:
Network Agent is the component that enables filtering of all protocols (HTTP and non-HTTP) in a stand-alone Forcepoint installation. When an integration product is used to pass HTTP/HTTPS requests to Forcepoint software, Network Agent can still be used to monitor non-HTTP protocols, enable bandwidth-based filtering restrictions, and collect enhanced log data for use in reporting.
In order for Network Agent to filter and log traffic properly, it must first be positioned to monitor network traffic.
Network topology - switch or hub?Network Agent should be placed as close as possible to the device that is the exit/entry point of your network or LAN. In most environments this gateway device is a firewall or router. For instance, if your firewall or router's internal interface connects to a central or core switch, then the Network Agent machine should also be connected to that same switch.
If you are connecting to a switch, you must consider the precise make and model plus its capabilities. While the individual ports on a true hub will be able to "see" all traffic passing through that hub, no matter its destination port, a switch operates differently.
By default, each port on a switch sees only the traffic destined for that port. In order for your Network agent to see all the traffic going out from the switch to the gateway device, you must configure port spanning or port mirroring (the two terms refer to the same functionality, and are variously used by different switch vendors - for simplicity's sake this article will refer to port spanning).
If you need to connect to a hub instead, it must be a true hub in which every port sees all traffic for all ports on the hub. Many more recent hubs in fact have a certain amount of "intelligence" built in and do not behave as true hubs - you will need an old-style, classic "dumb" hub with no management or built-in intelligence whatsoever. The hub should be the last device on your network before the gateway device. In other words, it should sit in between the gateway device and the core switch. In this way, all traffic passes through the hub on its way out to the internet; if the Network Agent machine is also connected to the hub, it can therefore see all outgoing traffic.
Note Some are reluctant to use a hub because it is older technology. With the placement of the hub right before your internet gateway, however, the hub will not be a bottleneck unless your internet bandwidth exceeds 10 Mbps (or the lowest speed associated with the hub). For most smaller offices with a T1 line, for instance, the hub will not be a cause for concern.
One NIC or two?In a larger environment, even if your switch does support bidirectional port spanning, Forcepoint recommends using two NICs on your Network Agent machine. Many of today's servers come with two NICs onboard, so there is no reason not to make use of the load balancing opportunity this presents.
The primary NIC is associated with the IP address of the box (assuming that the Network Agent is on the same machine as the rest of the Forcepoint Windows components, this will be the IP address of your Policy Server and Filtering Service) and will be used for normal network communications and for sending the Forcepoint Block Page information.
The secondary NIC is dedicated to monitoring or listening to the outgoing traffic. This dedicated monitoring NIC need not even have an IP address; it can operate in "stealth" mode with TCP/IP unbound from the card and no IP address assigned. The NIC is said to be in promiscuous mode.
In a smaller environment, the choice of one or two NICs is determined by the make and model of switch in use:
If a hub is used, one NIC can perform both the network communications and monitoring functions.
Note In either of the above single NIC scenarios (switch or hub), if the network statistics indicate that the NIC is becoming overloaded, a second NIC should be installed (no need to bind TCP/IP or assign another IP address to it) to handle the monitoring part of the equation. After adding a second NIC, be sure to check that the new monitoring NIC is plugged into the span port for the switch
Check to make sure Network Agent is installed and running.