Deployment Guide
Websense Web Security
Websense Web Filter
v7.1

1996–2009, Websense, Inc. All rights reserved.
10240 Sorrento Valley Rd., San Diego, CA 92121, USA
Published 2009
Printed in the United States of America and Ireland

The products and/or methods of use described in this document are covered by U.S. Patent Numbers 6,606,659 and 6,947,985 and other patents pending.

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Websense Inc.

Every effort has been made to ensure the accuracy of this manual. However, Websense Inc. makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Websense Inc. shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

Trademarks

Websense and Websense Enterprise are registered trademarks of Websense, Inc. in the United States and certain international markets. Websense has numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.

Microsoft, Windows, Windows NT, Windows Server, Internet Explorer, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Sun, Sun Java System, Sun ONE, and all Sun Java System based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc., in the United States and other countries.
Mozilla and Firefox are registered trademarks of the Mozilla Foundation in the United States and/or other countries.
eDirectory and Novell Directory Services are registered trademarks of Novell, Inc., in the United States and other countries.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Pentium is a registered trademark of Intel Corporation.
Red Hat is a registered trademark of Red Hat, Inc., in the United States and other countries. Linux is a trademark of Linus Torvalds, in the United States and other countries.
Citrix, Citrix Presentation Server, and MetaFrame are trademarks or registered trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.
Cisco, Cisco Systems, Cisco PIX Firewall, Cisco IOS, Cisco Routers, and Cisco Content Engine are registered trademarks or trademarks of Cisco Systems, Inc., in the United States and certain other countries.
Check Point, OPSEC, FireWall-1, VPN-1, SmartDashboard, and SmartCenter are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates.
Inktomi, the Inktomi logo, and Inktomi Traffic Server are registered trademarks of Inktomi Corporation.
Network Appliance is a trademark and NetCache is a registered trademark of Network Appliance, Inc., in the U.S. and other countries.

This product includes software distributed by the Apache Software Foundation (http://www.apache.org). Copyright (c) 2000. The Apache Software Foundation. All rights reserved.

Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

Contents

List of Figures  5
List of Tables  7

Chapter 1  Introduction  9
    Websense Components  11
        Reporting Components  14

Chapter 2  General Deployment Recommendations  17
    Operating system requirements
        VMware support
        Network considerations
        System recommendations
        Deployment configurations
    Component limits
        Component suggestions
        Network considerations
        Network Agent suggestions
        Number of Filtering Services allowed per Policy Server
    Required external resources
        Supported directory services
    Deploying transparent identification agents
        Combining transparent identification agents
    Maximizing system performance
        Network Agent
        HTTP reporting
        Database Engine
        Log Database disk space recommendations
    Stand-Alone Edition
    Remote Filtering
    Supported integrations

Chapter 3  Deploying Network Agent  47
    Network Agent  47
        Network Agent settings  48
    Network Agent location  49
        Single-segment network  50
        Multiple-segment network  51
            Deploying multiple Network Agents  51
            Central Network Agent placement  52
            Distributed Network Agent placement  53
        Hub configuration  54
        Switched networks with a single Network Agent  55
            Switched networks with multiple Network Agents  58
        Gateway configuration  59
        Using multiple NICs  61
        NAT and Network Agent deployment  62

Chapter 4  Integration Deployment  63
    Websense Content Gateway  63
    Cisco deployment  66
        Cisco Content Engine  67
        Cisco IOS Routers  68
    Check Point  69
        Simple  69
        Distributed  70
    Microsoft ISA Server  71
        Single Microsoft ISA Server configuration  72
        Array configuration  74
    Squid Web Proxy Cache deployment  76
        Single Squid Web Proxy Cache configuration  76
        Array configuration  78
    NetCache integration  80
    Universal integration  81
    Citrix  82

Index  83

Deployment Guide 3

List of Figures

Figure 1, Example of Remote Filtering Deployment  44
Figure 2, Websense software in a single-segment network  50
Figure 3, Websense software in a multiple-segment network  52
Figure 4, Multiple Network Agents in a multiple-segment network  53
Figure 5, Network Agent connected to a hub  54
Figure 6, Simple deployment in a switched environment  55
Figure 7, Multiple subnets in a switched environment  56
Figure 8, Switched environment with a remote office connection  57
Figure 9, Multiple Network Agents in a switched environment  58
Figure 10, Network Agent installed on the gateway  59
Figure 11, Network Agent deployed with Websense Content Gateway  60
Figure 12, Dual NIC configuration  62
Figure 13, Integration with Websense Content Gateway  65
Figure 14, Common Windows network configuration for Cisco PIX Firewall or ASA  66
Figure 15, Common Windows network configuration for Cisco Content Engine  67
Figure 16, Common Windows network configuration for Cisco IOS Routers  68
Figure 17, Simple network configuration  69
Figure 18, Multiple-segment network configuration  70
Figure 19, Filtering components installed with Microsoft ISA Server  72
Figure 20, Filtering components installed separately from Microsoft ISA Server  73
Figure 21, Microsoft ISA Server array configuration #1  74
Figure 22, Microsoft ISA Server array configuration #2  75
Figure 23, Filtering components installed with Squid Web Proxy Cache  76
Figure 24, Filtering components and Squid Web Proxy Cache on separate machines  77
Figure 25, Squid Web Proxy Cache array configuration #1  78
Figure 26, Squid Web Proxy Cache array configuration #2  79
Figure 27, Common network configuration  80
Figure 28, Common network configuration  81
Figure 29, Citrix integration  82


List of Tables

Table 1, Websense Components  11
Table 2, Reporting Components  14
Table 3, Components and Required Software  18
Table 4, Operating Systems  24
Table 5, Distributed Layout  27
Table 6, Deploying Multiple Transparent ID Agents  33
Table 7, Stand-Alone System Recommendations  41
Table 8, Remote Filtering Server System Recommendations  43
Table 9, Supported Integrations  45


1  Introduction

Use this guide to plan your Websense software deployment before installation. The guide provides an overview of how Websense software can be deployed in a network, as well as operating system and hardware requirements.

This guide applies to Websense Web Security and Websense Web Filter, Version 7.1. References to Websense software or Websense Web Security include both products, unless otherwise indicated.

Note: The technical papers and other documents mentioned in this guide are available from the Documentation > Planning, Installation, and Upgrade folder in the Websense Knowledge Base (www.websense.com/docs).

Websense software consists of components that work together to monitor Internet requests, log activity, apply Internet usage filters, and report on activity. Websense components can be installed together on one machine, or distributed across multiple machines. The appropriate deployment is determined by the network size and configuration, Internet request volume, hardware available, and filtering needs.

This manual provides system recommendations to optimize Websense component performance. Performance can also be improved by using more powerful machines for resource-intensive components.

This chapter introduces the Websense filtering and reporting components. See also:

- Chapter 2: General Deployment Recommendations: operating system requirements for running Websense components, component limits, tips for maximizing performance, plus recommendations for deploying transparent identification agents, Remote Filtering, and the Stand-Alone Edition. Version requirements are also included for various integrations.
- Chapter 3: Deploying Network Agent: information for deploying across single and multiple segment networks. Also provides Network Agent placement details, settings, and relationship to hubs, switches, and gateways.
- Chapter 4: Integration Deployment: overview of deploying Websense software with firewalls, proxy servers, caching applications, network appliances, or other integration products or devices.

A series of supplements to this document provide deployment and hardware recommendations based on network size:

- Small network: 1 – 500 users, or 1 – 25 requests/second
- Medium network: 500 – 2,500 users, or 25 – 125 requests/second
- Large network: 2,500 – 10,000 users, or 125 – 500 requests/second
- Enterprise network: 10,000 – 25,000 users, or 500 – 1250 requests/second
- Very large enterprise network: more than 25,000 users, or more than 1250 requests/second

Requests per second estimates are based on average usage with "medium" (neither light nor heavy) Internet access needs. A network is classified by whichever of the two measures places it in the larger class.

Note: Deployment recommendations allow for some network growth and an increase in Internet requests. As your network reaches the upper limits of its size classification (small, medium, and so on), review the deployment documents to ensure an optimal system configuration.

Deploying in a distributed environment is the topic of another supplement. A distributed enterprise can have any number of remote offices/workers located within a single region or across the globe. The challenge of a decentralized network is providing consistent, cost-effective Internet content filtering across all remote locations.

A deployment supplement is also included for Websense Content Gateway. The gateway provides Web and proxy caching, dynamic classification of Web sites, Web 2.0 categorization, and an optional SSL manager. See the Websense Content Gateway documentation for more information on this product.

Note: Please contact Websense Sales Engineering for assistance in designing your Websense software deployment. A Sales Engineer can help you optimize Websense component deployment and understand the associated hardware needs.

Websense Components

Table 1 provides a brief description of the Websense filtering components. This table groups the components into core (included in a standard deployment) and optional. Table 2, on page 14, provides a brief description of the Websense reporting components.

Review these descriptions to better understand the interaction between components. See Table 3, on page 18, and Table 4, on page 24, for information on the operating system versions needed to run these components.

Note: Certain integrations include Websense plug-ins. These are discussed in Table 9, on page 45.

Table 1  Websense Components

Core Components

Policy Database
    Stores global Websense software settings (configured in Websense Manager) and policy information (including clients, filters, and filter components).
    - Is installed in the background together with Policy Broker.
    - Settings specific to a single Policy Server instance are stored separately.
    In multiple Policy Server environments, a single Policy Database holds policy and general configuration data for multiple Policy Servers.

Policy Broker
    Manages requests from Websense components for policy and general configuration information stored in the Policy Database.
    A deployment can have only 1 Policy Broker, which is bundled with Policy Database.

Policy Server
    - Identifies and tracks the location and status of other Websense components.
    - Logs event messages for Websense components.
    - Stores configuration information specific to a single Policy Server instance.
    - Communicates configuration data to Filtering Service for use in filtering Internet requests.
    Policy and most configuration settings are shared between Policy Servers that share a Policy Database.
    Policy Server is typically installed on the same machine as Filtering Service. Large or distributed environments can include multiple Policy Servers. Each Policy Server may communicate with up to 10 Filtering Services.

Table 1  Websense Components (continued)

Filtering Service
    Works with Network Agent or an integration product to provide Internet filtering. When a user requests a site, Filtering Service receives the request and determines which policy applies.
    - Filtering Service must be running for Internet requests to be filtered and logged.
    - Each Filtering Service instance downloads its own copy of the Websense Master Database.
    Filtering Service is typically installed on the same machine as Policy Server. Large or distributed environments may include multiple Filtering Service instances, up to 10 per Policy Server.

Network Agent
    Works with Filtering Service to enable protocol management, bandwidth-based filtering, and reporting on bytes tran
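The size classes in the Introduction and the component limits in Table 1 are the two things a planner has to check before ordering hardware. The following Python is an added example, not Websense code: it encodes the five size classes (classifying users and requests/second separately and taking the more demanding result, as the "N users, or M requests/second" wording implies), flags a network that is close to the ceiling of its class (the 10% margin is this example's assumption; the guide only says to review the documents "as your network reaches the upper limits"), and validates a planned component layout against the stated limits of exactly one Policy Broker and at most 10 Filtering Services per Policy Server. The Plan structure and its Policy Server names are illustrative, not a Websense configuration format.

```python
from dataclasses import dataclass

# Limits stated in Table 1 of the guide.
MAX_POLICY_BROKERS = 1
MAX_FILTERING_SERVICES_PER_POLICY_SERVER = 10

# Size classes from the Introduction: (name, max users, max requests/second),
# ascending. Anything above the last ceiling is "very large enterprise".
SIZE_CLASSES = [
    ("small", 500, 25),
    ("medium", 2500, 125),
    ("large", 10000, 500),
    ("enterprise", 25000, 1250),
]
TOP_CLASS = "very large enterprise"


def _class_index(value, column):
    """Index into SIZE_CLASSES for one metric; len(SIZE_CLASSES) means TOP_CLASS."""
    for i, row in enumerate(SIZE_CLASSES):
        if value <= row[column]:
            return i
    return len(SIZE_CLASSES)


def classify_network(users, requests_per_second):
    """Size class for a network. Each metric is classified on its own and the
    more demanding of the two results is used."""
    idx = max(_class_index(users, 1), _class_index(requests_per_second, 2))
    return TOP_CLASS if idx == len(SIZE_CLASSES) else SIZE_CLASSES[idx][0]


def near_upper_limit(users, requests_per_second, margin=0.10):
    """True when either metric is within `margin` of the ceiling of the class the
    network falls into, i.e. when the guide says to re-read the deployment
    documents. The 10% margin is an assumption of this example, not the guide's."""
    idx = max(_class_index(users, 1), _class_index(requests_per_second, 2))
    if idx == len(SIZE_CLASSES):
        return False  # the top class has no stated ceiling
    _, max_users, max_rps = SIZE_CLASSES[idx]
    return (users >= max_users * (1 - margin)
            or requests_per_second >= max_rps * (1 - margin))


@dataclass
class Plan:
    """Component counts for a planned deployment (illustrative structure)."""
    policy_brokers: int
    # Policy Server name -> number of Filtering Service instances it serves
    filtering_services: dict


def validate_plan(plan):
    """Return a list of violations of the Table 1 component limits (empty if OK)."""
    problems = []
    if plan.policy_brokers != MAX_POLICY_BROKERS:
        problems.append(
            f"{plan.policy_brokers} Policy Brokers planned; a deployment has exactly "
            "one, bundled with the Policy Database")
    for ps_name, count in plan.filtering_services.items():
        if count > MAX_FILTERING_SERVICES_PER_POLICY_SERVER:
            problems.append(
                f"Policy Server {ps_name!r} has {count} Filtering Services; "
                f"the limit is {MAX_FILTERING_SERVICES_PER_POLICY_SERVER}")
    if sum(plan.filtering_services.values()) == 0:
        # Table 1: Filtering Service must be running for requests to be filtered and logged.
        problems.append("no Filtering Service planned; requests will not be filtered or logged")
    return problems


if __name__ == "__main__":
    # Constructed example: a 3,000-user site at 50 requests/second with two Policy Servers.
    print(classify_network(3000, 50), "near limit:", near_upper_limit(3000, 50))
    plan = Plan(policy_brokers=1, filtering_services={"ps-hq": 4, "ps-dc": 11})
    for p in validate_plan(plan):
        print("problem:", p)
```

Run stand-alone, the script reports the constructed site as "large" (driven by the user count, not the request rate) and rejects the plan because "ps-dc" exceeds the 10 Filtering Services a Policy Server may communicate with.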
