
5-Step Quick Start See - Forcepointkb.websense.com/pf/12/webfiles/WBSN Documentation/support... · 2010-06-10 · (also known as mirroring). Traffic on monitored ports is simultaneously


Copyright 2006 Websense, Inc. All Rights Reserved. (20060425)

Quick Start for Network Agent

What is Network Agent?

The Websense Network Agent software component uses sniffer technology to monitor all of the internet traffic on the network machines that you assign to it.

Network Agent filters HTTP traffic and more than 70 other popular internet protocols, and captures data about bandwidth usage. It also integrates well with proxy servers, network caches, and firewalls.

Network Agent detects malicious peer-to-peer applications and spyware, even when they tunnel over well-known ports.

5-Step Quick Start

OVERVIEW: What does Network Agent do? See What is Network Agent?, page 1.

DEPLOYMENT: Where does Network Agent belong on my network? See Hub Configuration, page 18; Switched Configurations, page 19; Gateway Configuration, page 23.

CONFIGURATION: How do I configure Network Agent in Websense Manager? See To Configure Network Agent in Websense Manager, page 9.

VERIFICATION: How do I verify that Network Agent is working? See Verifying that Network Agent is Working, page 14.

TROUBLESHOOTING: How do I troubleshoot Network Agent? See Top Troubleshooting Tips, page 16.



On how many machines should I deploy Network Agent?

Capacity planning for Network Agent depends on many factors, including hardware capabilities, bandwidth, memory, number of Network Interface Cards (NICs), operating system, user profiles, traffic mix, database, which protocols you assign to Network Agent, and where you deploy it. Some sites use one Network Agent machine for every thousand users; some sites use one Network Agent machine for several thousand users. Websense Technical Support professionals and Systems Engineers can assist you with deployment decisions.

Where does Network Agent belong in my network?

Network Agent must be installed where it can see all internet requests for the machines it is assigned to monitor. For those machines, Network Agent must see all URL and protocol requests going out to the internet and replies coming back from the internet. This monitoring must be done on the internal side of the corporate firewall.

A machine running Network Agent can access the network via a switch or hub, as discussed in the Network Topology Addendum, page 18. Network Agent can be installed on the same machine as an integration product, as discussed under Gateway Configuration, page 23.

Quick Start 2 Network Agent


Network Agent’s special role

Websense software can filter internet requests based on protocols or internet applications used for:

• instant messaging
• streaming media
• file sharing
• file transfer
• internet mail
• media players
• various other network or database operations

When users make internet requests, if you use an integrated firewall, proxy, or cache product, the integration product distinguishes HTTP content from content provided by other protocols. The integration product then passes the HTTP content to Filtering Service for filtering, and leaves traffic from other protocols to be managed by Network Agent.

Network Agent can also be used without an integrated proxy, cache, or firewall. In this case, select Stand-alone during installation to cause Network Agent to manage requests for all protocols, according to your filtering policies. Network Agent also provides bandwidth usage data to Policy Server and filtering log data to Filtering Service.

Measuring network bandwidth

Bandwidth Optimizer is an optional feature that enables you to limit internet access based on bandwidth availability. Network Agent continually monitors overall network usage, including bytes transferred, and sends usage summaries to Filtering Service at predefined intervals.

Planning Worksheets

Planning Worksheets on the next four pages capture all of the information you need to enter into Websense Manager to describe your configuration of Network Agent.

Worksheet 1: Assign each Network Agent machine to a Filtering Service by IP.

Worksheet 2: Ensure that the entire network is visible to Network Agent. Designate any internal machines to be monitored (intranet).

Worksheet 3: Identify proxy and cache machines and Network Agent ports.

Worksheet 4: Assign a Network Interface Card (NIC) to each segment of the network, with no overlap. Identify IP exceptions.


Worksheet 1: Network Agent Filtering Service Connections Status

More than one Network Agent may be connected to one Filtering Service. Enter this data into Websense Manager via Filtering Service Connections Status, page 10 (Server > Settings > Network Agent).

Filtering Services and Network Agent Connections

Filtering Service IP address: ______________

For the Filtering Service at this IP address, indicate the IP address of each Network Agent machine to be connected. (Your network may have only one Network Agent machine. Network Agent may reside on the same machine with the Filtering Service.)

Network Agent IP address: ______________

Are other Network Agents connected to this same Filtering Service? IP address: ______________ IP address: ______________ IP address: ______________

Filtering Service IP address: ______________

For the Filtering Service at this IP address, indicate the IP address of each Network Agent machine to be connected. (Network Agent may reside on the same machine with the Filtering Service.)

Network Agent IP address: ______________

Are other Network Agents connected to this same Filtering Service? IP address: ______________ IP address: ______________ IP address: ______________


Worksheet 2: Network Agent Global Settings (use once per network)

Identify the machines in your network, in IP ranges or individually. Enter this data into Websense Manager via Global Settings, page 10 (Server > Settings > Network Agent > Global Settings).

Internal Network Definition

Network Agent needs to know which machines are in your network. You may list individual IP addresses and ranges of IP addresses (click the Add button). Known segments will appear on your screen.

Add these individual machines:

IP ______________ IP ______________ IP ______________ IP ______________ IP ______________

IP address ranges:

IP ______________ to IP ______________
IP ______________ to IP ______________
IP ______________ to IP ______________
IP ______________ to IP ______________
IP ______________ to IP ______________
IP ______________ to IP ______________

Internal Traffic Monitoring

By default, Network Agent ignores traffic between internal machines. Identify specific internal machines here (such as your intranet server), only if you want to monitor the traffic between this internal machine and all other internal machines.

IP ______________ IP ______________ IP ______________

Additional Settings

Most sites leave the following default settings as they are.

Bandwidth calculation interval (in seconds) (default 10): ______________

Log requests and traffic volume by protocol? Yes / No

Log interval (in minutes) (default 1): ______________


Worksheet 3: Individual Network Agent Planning by IP Address (use once per copy of NA)

Enter this data into Websense Manager via Local Settings, page 11 (Server > Settings > Network Agent > Global Settings > IP address of Network Agent machine).

For this Network Agent IP: ______________

Connected to this Filtering Service IP: ______________

If this Filtering Service is unavailable: Block / Permit (choose one)

Proxy / Cache Machines

List the IP address of all proxy or cache servers used by the machines monitored by this Network Agent machine. Any device used in proxy mode must be identified.

Proxy or cache IP address: ______________ Proxy or cache IP address: ______________
Proxy or cache IP address: ______________ Proxy or cache IP address: ______________
Proxy or cache IP address: ______________ Proxy or cache IP address: ______________

Advanced Settings for this Network Agent (select only one)

If you use Websense Enterprise in Stand-Alone mode: List Ports to scan for HTTP traffic (default 80, 8080) ______________________

If you use Websense Web Security Suite in Stand-Alone mode: Network Agent scans all ports by default for HTTP traffic (default all).

If you use Websense Enterprise or Web Security Suite with an integration product: List Ports used by the integration product to scan for HTTP traffic (default 80, 8080). Network Agent does not filter these ports. For some integrations that do not log bytes, Network Agent sends log records to the Filtering Service for these ports. _____________________

Troubleshooting

Do not change this section of the screen unless directed to do so by Websense Technical Support.


Worksheet 4: Network Interface Card (NIC) Settings (use once per NIC)

Enter this data into Websense Manager via Network Interface Card (NIC) Settings, page 13 (Server > Settings > Network Agent > Global Settings > Network Agent IP > NIC-id).

NIC Identification

NIC IP address: ______________

Monitor traffic passing through this NIC? Yes / No

If Yes, click Monitoring on screen and choose one answer: How much of the network should be monitored by this NIC for internet and protocol requests?

• All (all machines in the network segment seen by this NIC)
• None
• Specific machines and ranges in this segment (Add IP addresses/ranges below.)

Single IP addresses:

IP address ______________ IP address ______________
IP address ______________ IP address ______________
IP address ______________

Ranges of IP addresses, no overlap. Overlaps can cause inefficiencies in your network and lead to duplicate block messages and duplicate logging entries.

IP address ______________ -- IP address ______________
IP address ______________ -- IP address ______________
IP address ______________ -- IP address ______________

Exceptions (do not monitor internet and protocol requests for these IPs seen by this NIC). (Network Agent could safely ignore requests made by the CPM Server machine.)

IP address ______________ IP address ______________
IP address ______________ IP address ______________

Activities and Communication

Name the NIC that activates blocking (NIC name): ______________. This is typically the same NIC used for monitoring. However, if a stealth NIC (a NIC without an IP address) is monitoring, it cannot also be used for blocking. Also, if your switch does not offer bi-directional port spanning, you must use two NICs on the machine: one for monitoring and a second NIC (identified here) for blocking.

Level of HTTP Monitoring (choose one)

• Filter and log HTTP requests (default for Stand-Alone Mode)
• Log HTTP requests (option only if integration product does the filtering)

Protocol Management (select all that apply)

• Filter protocol requests not sent over HTTP ports?
• Measure bandwidth by protocol?


Network Interface Cards (NICs)

After you have set up the hardware and installed Websense software, you need to specify Network Agent’s assignments in Websense Manager. This includes the network segments where Network Agent should monitor or filter traffic, which network interface card (NIC) it uses, and how it handles HTTP and other protocols.

All of this information can be captured on the Planning Worksheets.

NICs on the Network Agent machine

You can install Network Agent on one or more machines (install only once per machine). Each Network Agent machine must use at least one designated network interface card (NIC). In the example, Network Agent uses one NIC for monitoring traffic, and another to block.

Network Agent on a Dual-NIC Machine

Each NIC that Network Agent uses for monitoring must be able to see all traffic assigned to it, both inbound and outbound from your network. Network Agent needs to see the user IP addresses. Do not place Network Agent in a location on the network where the original user IP addresses have been translated by another network device (such as a router or other Network Address Translation device).

NOTE: The NICs (network interface cards) on machines running Network Agent must be connected to your hub or switch, enabled in the operating system, and activated.

Each NIC used for monitoring must capture all packets on the network, not only the packets that are addressed directly to it (promiscuous mode).

Complete the NIC hardware setup prior to software installation. Details in this section may help you to select the NICs you need to activate.


Switches

If the device connected to the Network Agent machine is a switch, it must support port spanning (also known as mirroring). Traffic on monitored ports is simultaneously sent to the monitoring port to which Network Agent is connected.

If you use a switch that supports bi-directional spanning, Network Agent needs only a single NIC.

Some switches do not allow bi-directional traffic in spanning (mirroring) mode. The network card that is receiving data on the Network Agent machine can only listen, not send.

If you do not have a bi-directional switch:

1. Use the NIC connected to the spanning port to monitor traffic.
2. Install a second NIC on the machine where Network Agent resides.
3. Attach the second NIC to a port on the switch that can access all assigned workstations.
4. Use the second NIC to block. The blocking NIC must have an IP address.

If you add a NIC on the Network Agent machine, restart the Network Agent service, and then configure the new NIC via Websense Manager.

Hubs

If the device connected to the Network Agent machine is a dumb hub (which distributes traffic from the up-linked port to all other ports), Network Agent requires only one NIC.

To Configure Network Agent in Websense Manager

1. Choose Server > Settings.
2. Select Network Agent at the left. The Network Agent main settings panel displays.

Main Network Agent Settings Panel


Filtering Service Connections Status (Planning Worksheet 1)

For each Filtering Service, connect at least one Network Agent machine.

Typically, Network Agent is installed on the Filtering Service machine. If so, the IP addresses for Filtering Service and the related Network Agent are the same.

Global Settings (Planning Worksheet 2)

Global Settings determine the functions performed by all Network Agents. If your network includes multiple Network Agent machines, these settings apply to all.

Network Agent Global Settings Panel

Internal Network Definition: Identify the machines in your network. To add machines other than network segments recognized by default, click Add.

NOTE: To monitor or filter file attachments exchanged internally via peer-to-peer messaging, tell Network Agent to monitor the internal machines involved.


Add IP or Range dialog box

Internal Traffic Monitoring: Network Agent monitors requests sent to and from the internal IP addresses you specify. To identify a machine, click Add, then enter its IP address.

Additional Settings:

Bandwidth calculation interval (in seconds): A lower value (more frequent interval) ensures higher accuracy but also increases overall network traffic.

Log requests and traffic volume by protocol: Do you want Network Agent to log requests and volume by protocol? Uncheck this box to prevent Network Agent from logging protocol requests periodically. If you enable protocol logging, either accept the default logging interval (1 minute), or specify a different interval (at least 1 minute). When protocol logging is selected, Network Agent provides to Log Server both the number of requests by protocol and the traffic volume for each protocol.

Local Settings (Planning Worksheet 3)

These settings determine the functions performed by each Network Agent machine. By default, Network Agent monitors traffic to and from external sites for all internal machines it sees. Machine names are tracked in log data and Real-Time Analyzer output.

Configure how much of the internal network each Network Agent machine sees. Then, specify any exceptions to the default monitoring behavior. Configure one Network Agent per screen.

ENTERING IP ADDRESS RANGES

Each IP address range should span only one subnet or network segment.
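A planning check for the monitor lists on Worksheets 2 and 4, added here as an example and not Websense code: it takes a constructed set of per-NIC ranges, single addresses and exceptions (the NIC labels, subnets and addresses are made up) and reports ranges that overlap, ranges that cross more than one internal segment, and exception entries that fall outside any monitored range.

```python
"""Planning check for Network Agent monitor lists.

Added example, not Websense code.  Worksheet 4 asks for the ranges each monitoring
NIC covers with no overlap, and Local Settings asks that each range span only one
subnet.  This models a planned deployment and reports the violations before the
values are typed into Websense Manager.  NIC labels, subnets and addresses below
are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NicPlan:
    name: str                                        # hypothetical NIC label
    ranges: list = field(default_factory=list)       # [(first_ip, last_ip), ...]
    singles: list = field(default_factory=list)      # individual monitored IPs
    exceptions: list = field(default_factory=list)   # IPs excluded from monitoring


def _spans(plan):
    """Expand a plan into (label, first, last) integer spans, singles included."""
    spans = []
    for first, last in plan.ranges:
        a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if a > b:
            raise ValueError(f"{plan.name}: range {first}-{last} is reversed")
        spans.append((f"{first}-{last}", int(a), int(b)))
    for ip in plan.singles:
        n = int(ipaddress.ip_address(ip))
        spans.append((ip, n, n))
    return spans


def find_overlaps(plans):
    """Return (nic_a, span_a, nic_b, span_b) for each pair of monitored spans that intersect.

    An overlap, within one NIC or across NICs, means the same request is seen twice,
    which is the source of the duplicate block pages and log entries the worksheet warns about.
    """
    labelled = [(p.name, lbl, lo, hi) for p in plans for lbl, lo, hi in _spans(p)]
    hits = []
    for i, (na, la, lo_a, hi_a) in enumerate(labelled):
        for nb, lb, lo_b, hi_b in labelled[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a:
                hits.append((na, la, nb, lb))
    return hits


def ranges_crossing_subnets(plans, subnets):
    """Return (nic, span) for ranges whose two endpoints are not in the same internal subnet.

    `subnets` are the segments from the Internal Network Definition (Worksheet 2).
    """
    nets = [ipaddress.ip_network(s) for s in subnets]

    def segment_of(ip):
        return next((n for n in nets if ip in n), None)

    bad = []
    for p in plans:
        for first, last in p.ranges:
            seg_a = segment_of(ipaddress.ip_address(first))
            seg_b = segment_of(ipaddress.ip_address(last))
            if seg_a is None or seg_a != seg_b:
                bad.append((p.name, f"{first}-{last}"))
    return bad


def exceptions_outside_monitoring(plans):
    """Return (nic, ip) for exception entries no monitored span covers; usually a typo."""
    out = []
    for p in plans:
        spans = _spans(p)
        for ip in p.exceptions:
            n = int(ipaddress.ip_address(ip))
            if not any(lo <= n <= hi for _, lo, hi in spans):
                out.append((p.name, ip))
    return out


# Constructed sample: two Network Agent NICs and two internal segments from Worksheet 2.
INTERNAL_SUBNETS = ["10.1.0.0/16", "10.2.0.0/16"]
SAMPLE_PLANS = [
    NicPlan("NA1-eth0", ranges=[("10.1.0.1", "10.1.255.254")], exceptions=["10.1.0.5"]),
    NicPlan("NA2-eth0", ranges=[("10.1.200.0", "10.2.50.255")],   # reaches back into 10.1/16
            singles=["10.2.0.10"], exceptions=["10.3.0.1"]),
]

if __name__ == "__main__":
    for hit in find_overlaps(SAMPLE_PLANS):
        print("overlap:", hit)
    for bad in ranges_crossing_subnets(SAMPLE_PLANS, INTERNAL_SUBNETS):
        print("range spans more than one segment:", bad)
    for ex in exceptions_outside_monitoring(SAMPLE_PLANS):
        print("exception outside any monitored range:", ex)
```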


Network Agent Local Settings Panel

Filtering Service IP Address: The Filtering Service connected to this Network Agent.

If Filtering Service is unavailable: Block or permit internet and protocol requests if the Filtering Service connected to this Network Agent is down?

Proxy/Cache Machines: Identify any proxy or cache server machines situated between this Network Agent machine and client machines. Network Agent ignores traffic from the proxy to external hosts. Include any device (such as a cache engine product) used in proxy mode. Otherwise, Network Agent may filter and log traffic only from the server, and not from the users.

Advanced Settings for this Network Agent (select only one):

1. Websense Enterprise in Stand-Alone mode: List Ports to scan for HTTP traffic (default 80, 8080) ______________________

2. Websense Web Security Suite in Stand-Alone mode: Network Agent scans all ports by default for HTTP traffic (default all) ___________________

3. Websense Enterprise or Web Security Suite with an integration product: List Ports used by the integration product to scan for HTTP traffic (default 80, 8080). Network Agent does not filter these ports. For integrations that do not log bytes, Network Agent sends log records to the Filtering Service for these ports. _____________________

Debug Settings: Do not modify the debugging defaults unless instructed by Websense.


Network Interface Card (NIC) Settings (Planning Worksheet 4)

The NIC used for monitoring can be set for stealth mode (no IP address), but it must be associated with a second NIC that is assigned an IP address and is used for blocking.

Network Agent NIC Settings Panel

Identification: The selected NIC.

Monitoring: Use this NIC to monitor traffic? (If the Network Agent machine has multiple NICs, you can configure more than one NIC to monitor traffic. Each monitoring NIC must capture all packets it is assigned, not just packets that are addressed directly to it.)

If you select Yes, click Monitoring to continue configuration of this NIC.

Monitor List: How much of the internal network should be monitored for internet and protocol requests?

• All: Network Agent monitors requests from all machines it sees using the selected NIC.
• None: Network Agent monitors no machines in the selected NIC’s network segment.
• Specific: Network Agent monitors only a portion of the selected NIC’s network segment.

NOTE: If Network Agent runs on a Linux or Solaris machine with multiple NICs, the operating system determines in real time which NIC to use for monitoring. Network Agent may sometimes use a NIC other than the one specified here.


If you selected Specific, click Add to specify the IP addresses of the machines to monitor.

Monitor List Exceptions: Identify internal machines to exclude from monitoring.

Activities and Communication: Which NIC is used to activate Websense blocking? By default, the NIC you are editing is used. Do not use a NIC with no valid IP address for blocking.

Filter and log HTTP requests: (Active by default in Stand-alone Mode) Network Agent performs full HTTP monitoring and logging using the selected NIC.

Log HTTP requests: Network Agent logs but does not filter HTTP requests. Use this if the integration product filters HTTP traffic, but you want to use Network Agent’s detailed logging information for Reporting.

Protocol Management: Should this Network Agent handle non-HTTP protocol and application requests via the selected NIC?

• Filter protocol requests not sent over HTTP ports (Protocol Management)?
• Measure bandwidth by protocol (Bandwidth Optimizer)? Selecting this option activates the feature.

Verifying that Network Agent is Working

Run the Websense Traffic Visibility Tool on the Network Agent machine.

1. To start:
Windows: Start > Programs (or All Programs) > Websense > Utilities > Traffic Visibility Tool.
Linux or Solaris: Run ./TrafficVisibility.sh from the Websense installation directory (/opt/Websense).

Traffic Visibility Tool

IMPORTANT: Click Save Changes above the navigation tree to save the Network Agent configuration.


2. From the Network Card drop-down list, select the network interface card (NIC) that the Network Agent is configured to use for monitoring. A default list of networks (netmasks) appears. Use the defaults or add your own.

3. If the network you want to test does not appear in the default list, click Add Network. The Add Network dialog box appears. Enter a new netmask value in the Network ID field. The subnet mask defaults to 255.0.0.0 and changes as the netmask is defined. Click OK to return to the Websense Traffic Visibility Tool dialog box. Your new network appears in the list.

4. Select Remove Network to delete a network from the list.

5. Click Start Test to begin testing all networks in the list. The counter in the IP Address Count column should begin recording internet traffic immediately from the networks listed. The counter increments each time the NIC detects an individual IP address from the target network in a passing packet. The activity bar at the bottom of the dialog box indicates that a test is underway. If the count for a network remains at zero or is very low, the selected NIC cannot see the traffic it is supposed to monitor.

6. If the Network Agent NIC is unable to see the desired traffic: If the installation machine has multiple NICs, select a different card to test. If this card can see the desired traffic, configure Network Agent to use this card. Resolve network configuration issues to make sure that the NIC can see the desired traffic. This might involve connecting to a different router or configuring for port spanning in a switched environment.

7. Click Stop Test when you are finished.

8. Click Close to exit.

The Network Agent NIC must be able to monitor all assigned internet traffic. If Network Agent cannot see the traffic, you must either reposition the machine in the network or select another machine for Network Agent.

Field: Description

Network Card: Name of the network interface card (NIC) to test. Active cards on the installation machine appear in this list. Cards without an IP address do not appear.

Networks Tested: Displays the netmasks that are being tested. Use the defaults provided or add your own. These netmasks can reside in different network segments depending on the IP address ranges to be filtered.

IP Address Count: Number of IP addresses for which traffic is detected during the test of a network.

IP Address List Detail: Lists all the IP addresses in the network from which internet traffic is being detected.
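The check the Traffic Visibility Tool performs, written out as an added example (not Websense's tool or code) over a constructed packet summary: it counts the distinct addresses seen per tested network, and goes one step beyond the tool by recording whether each network's traffic was seen in both directions, the condition the span-port tips under Top Troubleshooting Tips describe. The networks and addresses are made-up sample data.

```python
"""Traffic visibility check in the style of the Websense Traffic Visibility Tool.

Added example, not Websense code.  The tool counts, per listed network, how many
distinct IP addresses the monitoring NIC sees in passing packets; a count stuck at
zero means the NIC is not on a port that sees the traffic.  This script applies the
same rule to a constructed capture summary and also reports whether each network's
traffic is seen in both directions, which a correctly configured span port
(Tx and Rx, or Egress and Ingress) delivers.
"""
import ipaddress
from collections import defaultdict

# Constructed packet summary: (source IP, destination IP) pairs as a sniffer would see them.
SAMPLE_PACKETS = [
    ("10.1.0.5", "203.0.113.10"),    # internal -> internet (outbound)
    ("203.0.113.10", "10.1.0.5"),    # internet -> internal (reply)
    ("10.1.0.7", "198.51.100.20"),
    ("198.51.100.20", "10.1.0.7"),
    ("10.1.0.5", "10.1.0.7"),        # internal to internal; not an internet request
    ("10.2.0.9", "203.0.113.10"),    # only the outbound half is seen for the 10.2 segment
]

# Constructed "Networks Tested" list; 10.3/16 is listed but never seen on this NIC.
NETWORKS_TESTED = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]


def visibility_report(packets, networks):
    """Return {network: {"ip_count", "ips", "outbound", "inbound"}} for each tested network.

    ip_count mirrors the tool's IP Address Count column: distinct addresses from the
    network seen in any packet.  outbound/inbound record whether a packet leaving the
    network for an external host, or arriving from one, was observed.
    """
    nets = {n: ipaddress.ip_network(n) for n in networks}
    seen = defaultdict(set)
    outbound = defaultdict(bool)
    inbound = defaultdict(bool)

    def owner(ip):
        """Name of the tested network containing ip, or None if it is external."""
        return next((name for name, net in nets.items() if ip in net), None)

    for src_s, dst_s in packets:
        src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        src_net, dst_net = owner(src), owner(dst)
        if src_net:
            seen[src_net].add(src)
            if dst_net is None:
                outbound[src_net] = True
        if dst_net:
            seen[dst_net].add(dst)
            if src_net is None:
                inbound[dst_net] = True

    return {
        n: {
            "ip_count": len(seen[n]),
            "ips": sorted(str(ip) for ip in seen[n]),
            "outbound": outbound[n],
            "inbound": inbound[n],
        }
        for n in networks
    }


def problems(report):
    """Turn the report into the findings the Quick Start asks the user to act on."""
    findings = []
    for net, r in report.items():
        if r["ip_count"] == 0:
            findings.append(f"{net}: no addresses seen; NIC cannot see this segment (check span/mirror port)")
        elif not (r["outbound"] and r["inbound"]):
            findings.append(f"{net}: one direction only; check Tx/Rx (Egress/Ingress) on the span port")
    return findings


if __name__ == "__main__":
    rep = visibility_report(SAMPLE_PACKETS, NETWORKS_TESTED)
    for net, r in rep.items():
        print(net, r["ip_count"], r["ips"],
              "out" if r["outbound"] else "-", "in" if r["inbound"] else "-")
    for finding in problems(rep):
        print("PROBLEM:", finding)
```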


Top Troubleshooting Tips

Network Agent cannot communicate with Filtering Service after it has been reinstalled

When Filtering Service has been uninstalled and reinstalled, the Network Agent does not automatically update the internal identifier (UID) for the Filtering Service. After the new installation is complete, Websense Manager attempts to query the Filtering Service using the old UID, which no longer exists.

To re-establish connection to Filtering Service:

1. Open Websense Manager. An error message is displayed stating Network Agent <IP address> is unable to connect with Filtering Service.

2. Clear the message and select Server > Settings. The same error message is displayed.

3. Clear the message again and select Network Agent from the Settings Selections list.

4. Click Local Settings.

5. Select the IP address listed above the NIC for the Network Agent.

6. Click Edit Selection. The Filtering Service Connection dialog box appears.

7. Select the IP address of the Filtering Service machine from the Server IP Address drop-down list.

8. Click Finish.

9. Click OK in the Local Settings dialog box.

10. Click OK in the Settings dialog box to save the changes.

Network Agent fails to start with stealth mode NIC

IP address removed from Linux configuration file

The Network Agent can monitor (not block) with a stealth mode NIC if the interface retains its old IP address in the Linux system configuration file. If you have bound the Network Agent to a network interface card configured for stealth mode, and then removed the IP address of the NIC from the Linux configuration file (/etc/sysconfig/network-scripts/ifcfg-<adapter name>), the Network Agent will not start.

An interface without an IP address will not appear in the list of adapters displayed in the installer or in Websense Manager and will be unavailable for use. To reconnect Network Agent to the NIC, restore the IP address in the configuration file.

Stealth mode NIC selected for Websense communications in Solaris and Linux

Network interface cards configured for stealth mode in Solaris and Linux are displayed in the Websense Enterprise installer as choices for Websense communication (blocking). If you have inadvertently selected a stealth mode NIC for communication (blocking), the Network Agent will not start, and Websense Enterprise services will not work. Select a different NIC in Websense Manager.


Spanning or mirroring has not been turned on

The switch port connected to the Network Agent machine must see all traffic.

On most switches, you can change the port mode to spanning, mirroring, or monitoring mode (the term varies with the manufacturer; the function is the same). Cisco uses the term spanning. 3Com, DLink, and others use mirroring. HP and some other manufacturers call it monitoring.

To connect Network Agent to the network using a switch, plug the Network Agent machine into the port on the switch that mirrors (spans, monitors) the traffic going to the gateway or firewall port.

The span port mirrors all the traffic that leaves the network segment, so traffic is simultaneously sent to the monitoring port to which Network Agent is connected.

Spanning or mirroring is set on the wrong port

Monitor (span, mirror) only the port going to the firewall or router port, not the entire network.

Router or Firewall traffic is being monitored in the wrong direction

Monitor (span, mirror) the traffic going to the firewall/router. On Cisco switches, this means you need to specify Tx. On HP and 3Com switches, you need to specify Egress.

To log bytes sent and received, set both Tx and Rx (Cisco) or both Egress and Ingress (HP, 3Com).

Mono-directional spanning (mirroring, monitoring) is used with a single NIC

Websense strongly recommends using a switch that supports bi-directional spanning. If such a switch is used, Network Agent can function successfully with a single Network Interface Card (NIC) performing both monitoring and blocking.

If the switch does not support bi-directional spanning, Network Agent must use separate NICs for monitoring and blocking.

How do I set up Network Agent on a machine with teamed NICs (TNICs)?

TNICs share the load under one common identity, with four adapters load-balancing under a single IP address. This is also known as link aggregation or trunking.

Websense recommends against using teamed NICs for Network Agent.

An anti-spoofing mechanism has been used in the switch

Either disable the anti-spoofing mechanism or contact Websense Technical Support for additional options.

Are other tools available for verifying that the Network Agent machine sees the traffic?

Yes. Contact a Websense Technical Support specialist or Systems Engineer for information about network tools that can help verify Network Agent behavior.

Can a network tap be used with Network Agent?

Yes. A tap can be used with the Network Agent machine. Network Agent must be able to see the traffic in both directions.


Network Topology Addendum

Where Should Network Agent be Located on my Network?

Network Agent must be installed where it can monitor all URL and protocol requests going out to the internet and all replies coming back from the internet.

On a busy network, you may need to deploy Network Agent on more than one machine, with each machine monitoring a segment of the network.

Locate Network Agent on the internal side of the corporate firewall. Several possible configurations are described below.

Hub Configuration

Network Agent is often deployed on a dedicated machine, connected to an unmanaged, unswitched hub located between an external router and the network, as pictured here:

Network Agent Configured Through a Hub

Network Agent must see the traffic, in both directions, for those segments of the network that it is assigned to monitor. The port to which the Network Agent machine is attached must be capable of mirroring (also called bi-directional port spanning).

The Network Agent Planning Worksheets can help you plan your deployment and enter the decisions into Websense Manager.


Switched Configurations

Network Agent may be connected to a switch or router, as shown here:

Simple Deployment in a Switched Environment

Network Agent must see all outbound and inbound traffic. Thus, the (switch) port connected to the Network Agent machine must see all traffic.

On most switches, you can change the port to spanning or mirroring mode (the term varies with the manufacturer). To connect to the network using a switch, plug the Network Agent machine into the port on the switch that mirrors (spans) the traffic on the gateway or firewall port. The span port mirrors all the traffic that leaves the network segment, so traffic on monitored ports is simultaneously sent to the monitoring port to which Network Agent is connected.

If a switch that supports bi-directional spanning is used, Network Agent can function successfully with a single Network Interface Card (NIC) performing both monitoring and blocking. If the switch does not support bi-directional spanning, Network Agent must use separate NICs for monitoring and blocking.


Multiple switches

In a multiple switch environment, one Network Agent machine suffices if you connect it to the port on the switch that spans (mirrors) the port on which the firewall is connected:

Multiple Subnets in a Switched Environment


The following network uses a router for communications from a remote office. The machine running Network Agent is connected to an additional switch, on the port that mirrors (spans) the router port.

Switched Environment with a Remote Office Connection


Multiple Network Agents

On a busy network, you may need to install Network Agent on multiple machines and assign each machine to monitor a segment of your network.

If you install multiple Network Agents, note:

One copy of Filtering Service can support more than one Network Agent. Websense suggests up to four Network Agents per Filtering Service; some sites successfully use more.

Deploy the Network Agents so that together they filter the entire network. IP address ranges for the Network Agents should not overlap. Overlapping ranges are inefficient and can lead to double filtering and logging.
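The two planning rules for multiple agents, cover the whole network and never let the assigned ranges overlap, are easy to check mechanically before the values are entered into Websense Manager. The following Python script is an added example, not part of the Websense documentation or the Planning Worksheets; the agent names, the segments and the 10.0.0.0/14 corporate range are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed planning worksheet: Network Agent machine -> segments it monitors.
# netagent-2's 10.2.128.0/17 deliberately overlaps netagent-1's 10.2.0.0/16.
ASSIGNMENTS = {
    "netagent-1": ["10.1.0.0/16", "10.2.0.0/16"],
    "netagent-2": ["10.3.0.0/16", "10.2.128.0/17"],
}
# Assumed whole corporate network: 10.0.0.0 - 10.3.255.255.
WHOLE_NETWORK = "10.0.0.0/14"


def parse(assignments):
    """Turn the worksheet strings into ip_network objects (strict: no host bits)."""
    return {agent: [ipaddress.ip_network(s, strict=True) for s in segs]
            for agent, segs in assignments.items()}


def find_overlaps(assignments):
    """Return (agent_a, net_a, agent_b, net_b) for every pair of ranges that overlap.

    Each such pair would be filtered and logged twice."""
    nets = parse(assignments)
    overlaps = []
    for (a, a_nets), (b, b_nets) in combinations(nets.items(), 2):
        for na in a_nets:
            for nb in b_nets:
                if na.overlaps(nb):
                    overlaps.append((a, str(na), b, str(nb)))
    return overlaps


def coverage_gaps(assignments, whole_network):
    """Return the blocks of whole_network that no Network Agent is assigned to."""
    covered = list(ipaddress.collapse_addresses(
        n for segs in parse(assignments).values() for n in segs))
    remaining = [ipaddress.ip_network(whole_network)]
    for c in covered:
        nxt = []
        for r in remaining:
            if not c.overlaps(r):
                nxt.append(r)              # untouched by this covered block
            elif c.supernet_of(r):
                continue                   # r is entirely covered; drop it
            else:
                nxt.extend(r.address_exclude(c))   # c is strictly inside r
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


if __name__ == "__main__":
    for a, na, b, nb in find_overlaps(ASSIGNMENTS):
        print(f"overlap: {a} {na} and {b} {nb}")
    for gap in coverage_gaps(ASSIGNMENTS, WHOLE_NETWORK):
        print(f"unmonitored: {gap}")
```

With the sample worksheet the script reports the 10.2.0.0/16 versus 10.2.128.0/17 overlap and that 10.0.0.0/16 is monitored by nobody; a clean plan returns an empty list from both functions. Because CIDR blocks either nest or are disjoint, the gap computation only ever has to exclude a block that sits strictly inside a remaining one, which is the case `address_exclude` supports.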

Multiple Network Agents in a Switched Environment


Gateway Configuration

A gateway provides a connection between two networks, such as between your network and the Internet.

Network Agent can be installed on the gateway machine. This allows Network Agent to manage and monitor all Internet traffic. The gateway can either be a proxy server or a network appliance. Do not install Network Agent on a firewall.

Network Agent Installed on the Gateway

IMPORTANT: This configuration is supported on the Windows operating system only and should be used only in small to medium networks.

In larger networks, performance can suffer as a result of resource competition between the gateway software and Network Agent software.
