Quick Start for Network Agent 5-Step Quick Start See - Websense ...

Quick Start for Network AgentWhat is Network Agent?Websense Network Agent software monitors all internet traffic on the machines that you assign to it.Network Agent filters HTTP traffic and more than 70 other popular internet protocols, and capturesdata about bandwidth usage. It also integrates with proxy servers, network caches, and firewalls.Network Agent detects malicious peer-to-peer applications and spyware, even when they tunnel overwell-known ports.5-Step Quick StartSeeOVERVIEW: What does Network Agent do? What is Network Agent?, page 1DEPLOYMENT: Where does Network Agentbelong on the network?CONFIGURATION: How do I configure NetworkAgent in Websense Manager?VERIFICATION: How do I verify that NetworkAgent is working?TROUBLESHOOTING: How do I troubleshootNetwork Agent?Hub Configuration, page 18Switched Configurations, page 19Gateway Configuration, page 23To Configure Network Agent inWebsense Manager, page 9Verifying that Network Agent isWorking, page 14Top Troubleshooting Tips, page 16©Copyright 2006 Websense, Inc. All Rights Reserved. 1 Version 6.3

Quick Start for Network AgentOn how many machines should I deploy Network Agent?Capacity planning for Network Agent depends on hardware capabilities, bandwidth, memory,number of Network Interface Cards (NICs), operating system, user profiles, traffic mix, database,protocols assigned to Network Agent, and where you deploy it. Some sites use one Network Agentmachine for every thousand users; some sites use one Network Agent machine for several thousandusers. Websense Technical Support professionals and Sales Engineers can assist you with deploymentdecisions.Where does Network Agent belong in the network?Install Network Agent where can it see all internet requests for the machines it is assigned to monitor.For those machines, Network Agent must see all URL and protocol requests going out to the internetand replies coming back from the internet. This monitoring must be done on the internal side of thecorporate firewall.A machine running Network Agent can access the network via a switch or hub, as discussed in theNetwork Topology Addendum, page 18. Network Agent can be installed on the same machine as anintegration product, as discussed under Gateway Configuration, page 23.Quick Start 2 Network Agent

Network Agent’s special roleQuick Start for Network AgentWebsense software can filter internet requests based on protocols or internet applications used for:• instant messaging• streaming media• file sharing• file transfer• internet mail• media players• various other network or database operationsWhen users make internet requests, if you use an integrated firewall, proxy, or cache product, theintegration product distinguishes HTTP content from content provided by other protocols. Theintegration product then passes the HTTP content to Filtering Service for filtering, and leaves trafficfrom other protocols to be managed by Network Agent.Network Agent can also be used without an integrated proxy, cache, or firewall. In this case, selectStand-alone during installation to cause Network Agent to manage requests for all protocols,according to your filtering policies. Network Agent also provides bandwidth usage data to PolicyServer and filtering log data to Filtering Service.Measuring network bandwidthWith Bandwidth Optimizer, you can limit internet access based on bandwidth availability. NetworkAgent continually monitors overall network usage, including bytes transferred, and sends usagesummaries to Filtering Service at predefined intervals.Planning WorksheetsPlanning worksheets on the next 4 pages capture all of the information you need to describe yourNetwork Agent configuration via Websense Manager.Associate each Network Agent machine with a Filtering Worksheet 1Service instance.Ensure that the entire network is visible to Network Agent. Worksheet 2Designate any internal machines to be monitored (intranet).Identify proxy and cache machines and Network Agent ports. Worksheet 3Assign a Network Interface card (NIC) to each segment ofthe network, with no overlap. Identify IP exceptions.Worksheet 4Quick Start 3 Network Agent

Quick Start for Network AgentWorksheet 1: Associate Network Agent and Filtering ServiceMore than 1 Network Agent may connect to each Filtering Service.When you reach Filtering Service Connections Status, page 10, enter this data into WebsenseManager via Server > Settings > Network Agent.Filtering ServicesNetwork AgentConnectionsFiltering Service IP addressNetwork Agent IP addressIndicate the IP address of each NetworkAgent machine to associate with this instanceof Filtering Service.Your network may have only one NetworkAgent machine, and NetworkAgent and Filtering Service may resideon the same machine.Are other Network Agents connectedto this same Filtering Service?IP addressIP addressIP addressFiltering Service IP addressNetwork Agent IP addressIndicate the IP address of each NetworkAgent machine to associate with this instanceof Filtering Service.Network Agent and Filtering Servicemay reside on the same machine.Are other Network Agents connectedto this same Filtering Service?IP addressIP addressIP addressQuick Start 4 Network Agent

Quick Start for Network AgentWorksheet 2: Network Agent Global Settings (use once per network)Identify the machines in your network, either by individual IP address or IP range.When you reach Global Settings, page 10, enter this data into Websense Manager via Server >Settings > Network Agent > Global SettingsInternal Network DefinitionIdentify the machines in yournetwork for Network Agent tomonitor. Click Add to addindividual IP addresses or IPaddress ranges.Identified segments are listedon the screen.Add these individual machines:IPIPIPIPIP IP IPIP IP IPIP address ranges IP to IPIP to IPIP to IPIP to IPIP to IPIP to IPInternal Traffic MonitoringBy default, Network Agent ignores traffic between internal machines.Identify specific internal machines here (such as your intranet server), only if you want to monitor thetraffic between this internal machine and all other internal machines.IP IP IPAdditional SettingsMost sites leave the following default settings untouched.Bandwidth calculation interval(in seconds) (10) _______Log requests and trafficvolume by protocol? Yes / NoLog interval (in minutes):(1) ____________Quick Start 5 Network Agent

Quick Start for Network AgentWorksheet 3: Individual Network Agent Planningby IP Address (use once per copy of NA)When you reach Local Settings, page 11, enter this data into Websense Manager via Server >Settings > Network Agent > Global Settings > IP address of Network Agent machineFor this Network Agent IP:Connected to this Filtering Service IP:If this Filtering Service is unavailable:Block / Permit (choose one)Proxy / Cache MachinesList the IP address of all proxy or cache servers used by the machines monitoredby this Network Agent machine. Any device used in proxy mode must be identified.Proxy or cache IP addressProxy or cache IP addressProxy or cache IP addressProxy or cache IP addressProxy or cache IP addressProxy or cache IP addressAdvanced Settings for this Network Agent (select only one)If you use Websense Enterprise in Stand-Alone mode:List Ports to scan for HTTP traffic (default 80, 8080) ______________________If you use Websense Web Security Suite in Stand-Alone mode:Network Agent scans all ports by default for HTTP traffic (default all)If you use Websense Enterprise or Web Security Suite with an integrationproduct:List Ports used by the integration product to scan for HTTP traffic (default 80,8080). Network Agent does not filter these ports. For some integrations that do notlog bytes, Network Agent sends log records to the Filtering Service for these ports._____________________TroubleshootingDo not change this section of the screen unless directed to do so byWebsense Technical Support.Quick Start 6 Network Agent

Quick Start for Network AgentWorksheet 4: Network Interface Card (NIC) Settings (use once per NIC)When you reach Network Interface Card (NIC) Settings, page 13, enter this data into WebsenseManager via Server > Settings > Network Agent > Global Settings > Network Agent IP > NIC-#NIC IdentificationMonitor traffic passing through this NIC?NIC IP addressYes / NoIf Yes, click Monitoring on screen and choose one answer:How much of the network should be monitored by this NIC for internet and protocol requests?All (all machines in the network segment seen by this NIC)NoneSpecific machines and ranges in this segment (Add IP addresses/ranges below.)Single IP addresses:IP addressIP addressIP addressIP addressIP addressRanges of IP addresses, no overlap. Overlaps can cause inefficiencies in your network andlead to duplicate block messages and duplicate logging entries.IP address -- IP addressIP address -- IP addressIP address -- IP addressExceptions (do not monitor internet and protocol requests for these IPs seen by thisNIC). (Network Agent could safely ignore requests made by the CPM Server machine.)IP addressIP addressIP addressIP addressActivities and CommunicationName the NIC that activates blocking (NIC name): This is typically the same NICused for monitoring. However, if a stealth NIC (a NIC without an IP address) ismonitoring, it cannot also be used for blocking. Also, if your switch does not offer bidirectionalport spanning, you must use two NICs on the machine: one for monitoringand a second NIC (identified here) for blocking.Level of HTTP Monitoring (choose one) Filter and log HTTP requests (default for Stand-Alone Mode)Log HTTP requests (option only if integration product does the filtering)Protocol Management (select all that apply) Filter protocol requests not sent over HTTP ports?Measure bandwidth by protocol?Quick Start 7 Network Agent

Quick Start for Network AgentNetwork Interface Cards (NICs)NOTEThe NICs (network interface cards) on machines running NetworkAgent must be connected to your hub or switch, enabled in theoperating system, and activated.Each NIC used for monitoring must capture all packets on the network,not only the packets that are addressed directly to it (promiscuousmode).Complete the NIC hardware setup prior to software installation. Detailsin this section help you select the NICs you need to activate.After you set up the hardware and install Websense software, configure Network Agents in WebsenseManager. Specify the network segments where Network Agent should monitor or filter traffic, thenetwork interface card (NIC) to use, and the handling method for HTTP and other protocols.Use the planning worksheets to capture this information.NICs on the Network Agent machineYou can install Network Agent on 1 or more machines (but only once on each machine). EachNetwork Agent machine must use at least one designated network interface card (NIC). In theexample, Network Agent uses one NIC for monitoring traffic, and another to block.Each NIC that Network Agent uses for monitoring must be able to see all inbound and outboundtraffic assigned to it. Network Agent needs to see the user IP addresses. Do not place Network Agentin a location where the original user IP addresses have been translated by another network device(such as a router or other Network Address Translation device).SwitchesIf the device connected to the Network Agent machine is a switch, it must support port spanning (alsoknown as mirroring). Traffic on monitored ports is simultaneously sent to the monitoring port towhich Network Agent is connected.Quick Start 8 Network Agent

Quick Start for Network AgentHubsIf you use a switch that supports bi-directional spanning, Network Agent needs only one NIC.Some switches do not allow bi-directional traffic in spanning (mirroring) mode. The network cardreceiving data on the Network Agent machine can only listen, not send.If you do not have a bi-directional switch: Use the NIC connected to the spanning port to monitor traffic. Install a second NIC on the Network Agent machine. Attach the second NIC to a port on the switch that can access all assigned workstations. Use the second NIC to block. The blocking NIC must have an IP address.If you add a NIC on the Network Agent machine, restart the Network Agent service, and thenconfigure the new NIC via Websense Manager.If the device connected to the Network Agent machine is a dumb hub (which distributes traffic fromthe up-linked port to all other ports), Network Agent requires only one NIC.To Configure Network Agent in Websense Manager1. Go to Server > Settings.2. Select Network Agent at the left to display associations between Network Agent and FilteringService.Quick Start 9 Network Agent

Quick Start for Network AgentFiltering Service Connections Status(Planning worksheet 1) For each Filtering Service, connect at least one Network Agent machine.Typically, Network Agent is installed on the Filtering Service machine, so the IP address is the samefor both.Global Settings(Planning worksheet 2) Global Settings determine the functions performed by all Network Agents. Ifyour network includes multiple Network Agent machines, these settings apply to all.NOTETo monitor or filter file attachments exchanged internally via peer-topeermessaging, tell Network Agent to monitor the internal machinesinvolved.Quick Start 10 Network Agent

Quick Start for Network AgentInternal Network Definition: Identify the machines in your network.To add machines other than network segments recognized by default, click Add.Internal Traffic Monitoring: Network Agent monitors requests sent to and from the internal IPaddresses you specify. To identify a machine, click Add, then enter its IP address.Additional Settings:• Bandwidth calculation interval (in seconds): A lower value (more frequent interval)ensures higher accuracy but also increases overall network traffic.• Log requests and traffic volume by protocol: Do you want Network Agent to log requestsand volume by protocol? Uncheck this box to prevent Network Agent from logging protocolrequests periodically.• If you enable protocol logging, either accept the default logging interval (1 minute) or specifya different interval (at least 1 minute).When protocol logging is selected, Network Agent provides to Log Server both the numberof requests by protocol and the traffic volume for each protocol.Local Settings(Planning worksheet 3) These settings determine the functions performed by each Network Agentmachine. By default, Network Agent monitors traffic to and from external sites for all internalmachines it sees. Machine names are tracked in log data and Real-Time Analyzer output.Configure how much of the internal network each Network Agent machine sees. Then, specify anyexceptions to the default monitoring behavior. Configure one Network Agent per screen.Quick Start 11 Network Agent

Quick Start for Network Agent• Filtering Service IP Address: The Filtering Service connected to this Network Agent.• If Filtering Service is unavailable: Should internet and protocol requests be blocked orpermitted when Filtering Service is down?Proxy/Cache Machines: Identify any proxy or cache server machines situated between thisNetwork Agent machine and client machines. Network Agent ignores traffic from the proxy toexternal hosts. Include any device (such as a cache engine product) used in proxy mode.Otherwise, Network Agent may filter and log traffic only from the server, and not from the users.Advanced Settings for this Network Agent (select only one):1. Websense Enterprise in Stand-Alone mode:List Ports to scan for HTTP traffic (default 80, 8080) ______________________2. Websense Web Security Suite in Stand-Alone mode:Network Agent scans all ports by default for HTTP traffic (default all)___________________3. Websense Enterprise or Web Security Suites with an integration product:List Ports used by the integration product to scan for HTTP traffic (default 80, 8080).Network Agent does not filter these ports. For integrations that do not log bytes, NetworkAgent sends log records to the Filtering Service for these ports. _____________________Debug Settings: Do not modify the debugging defaults unless instructed by Websense.Quick Start 12 Network Agent

Quick Start for Network AgentNetwork Interface Card (NIC) Settings(Planning worksheet 4) The NIC used for monitoring can be set for stealth mode (no IP address), butit must be associated with a second NIC that is assigned an IP address and is used for blocking.Identification: The selected NIC.Monitoring: Use this NIC to monitor traffic? (If the Network Agent machine has multiple NICs,you can configure more than one NIC to monitor traffic. Each monitoring NIC must capture allpackets it is assigned, not just packets that are addressed directly to it.)NOTEIf Network Agent runs on a Linux or Solaris machine with multipleNICs, the operating system determines real-time which NIC to use formonitoring. Network Agent may sometimes use a NIC other than theone specified here.If you select Yes, click Monitoring to continue configuration of this NIC.• Monitor List: How much of the internal network should be monitored for internet andprotocol requests?• All: Network Agent monitors requests from all machines it sees using the selected NIC.• None: Network Agent monitors no machines in the selected NIC’s network segment.• Specific: Network Agent monitors only a portion of the selected NIC’s network segment.If you selected Specific, click Add to identify the IP addresses of the machines to monitor.• Monitor List Exceptions: Identify internal machines to exclude from monitoring.Quick Start 13 Network Agent

Quick Start for Network AgentActivities and Communication: Which NIC is used to activate Websense blocking? By default,the NIC you are editing is used. Do not use a NIC without a valid IP address for blocking.• Filter and log HTTP requests: (Active by default in Stand-alone Mode) Network Agentperforms full HTTP monitoring and logging using the selected NIC.• Log HTTP requests: Network Agent logs but does not filter HTTP requests. Use this if theintegration product filters HTTP traffic, but you want to use Network Agent’s detailedlogging information for Reporting.• Protocol Management: Should this Network Agent handle non-HTTP protocol andapplication requests via the selected NIC?• If so, check Filter protocol requests not sent over HTTP ports (ProtocolManagement).• Measure bandwidth by protocol (Bandwidth Optimizer) activates the feature.IMPORTANTClick Save Changes above the navigation tree to save the NetworkAgent configuration.Verifying that Network Agent is WorkingRun the Websense Traffic Visibility Tool on the Network Agent machine.1. To start:• Windows: Start > Programs (or All Programs) > Websense > Utilities > Traffic VisibilityTool.• Linux or Solaris: Run ./TrafficVisibility.sh from the Websense installationdirectory (/opt/Websense).Quick Start 14 Network Agent

Quick Start for Network AgentFieldNetwork CardNetworks TestedIP Address CountIP Address ListDetailDescriptionName of the network interface card (NIC) to test. Active cards on theinstallation machine appear in this list. Cards without an IP address donot appear.Displays the netmasks that are being tested. Use the defaults or addyour own. These netmasks can reside in different network segmentsdepending on the IP address ranges to be filtered.Number of IP addresses for which traffic is detected during the test.Lists all the IP addresses from which internet traffic is being detected.2. From the Network Card drop-down list, select the network interface card (NIC) that theNetwork Agent is configured to use for monitoring.A default list of networks (netmasks) appears. Use the defaults or add your own.3. If the network you want to test does not appear in the default list, click Add Network.• Enter a new netmask value in the Network ID field.The subnet mask defaults to 255.0.0.0 and changes as thenetmask is defined.• Click OK.Your new network appears in the list.4. Select Remove Network to delete a network from the list.5. Click Start Test to begin testing all networks in the list.The counter in the IP Address Count column should begin recording internet trafficimmediately. The counter increments each time the NIC detects an individual IP address from thetarget network in a passing packet. The activity bar at the bottom of the dialog box indicates thata test is underway.If the count for a network remains at zero or is very low, the selected NIC cannot see the traffic itis supposed to monitor.6. If the Network Agent NIC is unable to see the desired traffic:• If the installation machine has multiple NICs, select a different card to test. If this card cansee the desired traffic, configure Network Agent to use this card.• Resolve network configuration issues to make sure that the NIC can see the desired traffic.This might involve connecting to a different router or configuring for port spanning in aswitched environment.7. When you are finished, click Stop Test.8. Click Close.The Network Agent NIC must be able to monitor all assigned internet traffic. If Network Agentcannot see the traffic, either reposition the machine in the network or select another machine forNetwork Agent.Quick Start 15 Network Agent

Quick Start for Network AgentTop Troubleshooting TipsNetwork Agent cannot communicate with Filtering Service after it has been reinstalledWhen Filtering Service has been uninstalled and reinstalled, the Network Agent does notautomatically update the internal identifier (UID) for Filtering Service. After the new installation iscomplete, Websense Manager attempts to query Filtering Service using the old UID, which no longerexists.To re-establish connection to Filtering Service:1. Open Websense Manager.An error message is displayed stating Network Agent is unable to connect withFiltering Service.2. Clear the message and select Server > Settings.The same error message is displayed.3. Clear the message again and select Network Agent from the Settings Selections list.4. Click Local Settings.5. Select the IP address listed above the NIC for the Network Agent.6. Click Edit Selection.The Filtering Service Connection dialog box appears.7. Select the IP address of the Filtering Service machine from the Server IP Address drop-downlist.8. Click Finish.9. Click OK in the Local Settings dialog box.10. Click OK in the Settings dialog box to save the changes.Network Agent fails to start with stealth mode NICIP address removed from Linux configuration fileNetwork Agent can monitor (not block) with a stealth mode NIC if the interface retains its old IPaddress in the Linux system configuration file. If you have bound the Network Agent to a networkinterface card configured for stealth mode, and then removed the IP address of the NIC from theLinux configuration file (/etc/sysconfig/network-scripts/ifcfg-), Network Agent will not start.An interface without an IP address will not appear in the list of adapters displayed in the installer or inWebsense Manager and will be unavailable for use. To reconnect Network Agent to the NIC, restorethe IP address in the configuration file.Stealth mode NIC selected for Websense communications in Solaris and LinuxNetwork interface cards configured for stealth mode in Solaris and Linux are displayed in theWebsense Enterprise installer as choices for Websense communication (blocking). If you haveinadvertently selected a stealth mode NIC for communication (blocking), Network Agent will notstart, and Websense services will not work. Select a different NIC in Websense Manager.Quick Start 16 Network Agent

Quick Start for Network AgentSpanning or mirroring has not been turned onThe switch port connected to the Network Agent machine must see all traffic.On most switches, you can change the port mode to spanning, mirroring, or monitoring mode (theterm varies with the manufacturer; the function is the same). Cicso uses the term spanning. 3Com,DLink, and others use mirroring. HP and some other manufacturers call it monitoring.To connect Network Agent to the network using a switch, plug the Network Agent machine into theport on the switch that mirrors (spans, monitors) the traffic going to the gateway or firewall port.The span port mirrors all the traffic that leaves the network segment, so traffic is simultaneously sentto the monitoring port to which Network Agent is connected.Spanning or mirroring is set on the wrong portMonitor (span, mirror) only the port going to the firewall or router port, not the entire network.Router or Firewall traffic is being monitored in the wrong directionMonitor (span, mirror) the traffic going to the firewall/router. On Cicso switches, this means you needto specify Tx. On HP and 3Com switches, you need to specify Egress.To log bytes sent and received, set both Tx and Rx (Cisco) or both Egress and Ingress (HP, 3Com).Mono-directional spanning (mirroring, monitoring) is used with a single NICWebsense strongly recommends using a switch that supports bi-directional spanning. If such a switchis used, Network Agent can function successfully with a single Network Interface Card (NIC)performing both monitoring and blocking.If the switch does not support bi-directional spanning, Network Agent must use separate NICs formonitoring and blocking.How do I set up Network Agent on a machine with teamed NICs (TNICs)?TNICs share the load under one common identity, with four adapters load-balancing under a single IPaddress. This is also known as link aggregation or trunking.Websense recommends against using teamed NICs for Network Agent.An anti-spoofing mechanism has been used in the switchEither disable the anti-spoofing mechanism or contact Websense Technical Support for additionaloptions.Are other tools available for verifying that the Network Agent machine sees the traffic?Yes. Contact a Websense Technical Support specialist or Sales Engineer for information aboutnetwork tools that can help verify Network Agent behavior.Can a network tap be used with Network Agent?Yes. A tap can be used with the Network Agent machine. Network Agent must be able to see thetraffic in both directionsQuick Start 17 Network Agent

Quick Start for Network AgentNetwork Topology AddendumWhere Should Network Agent be Located on the Network?Network Agent must be installed where it can monitor all URL and protocol requests going out to theinternet and all replies coming back from the internet.On a busy network, you may need to deploy Network Agent on more than one machine, with eachmachine monitoring a segment of the network.Locate Network Agent on the internal side of the corporate firewall. Several possible configurationsare described below.Hub ConfigurationNetwork Agent is often deployed on a dedicated machine, connected to an unmanaged, unswitchedhub located between an external router and the network, as pictured here:Network Agent must see the traffic, in both directions, for those segments of the network that it isassigned to monitor. The port to which the Network Agent machine is attached must be capable of bidirectionalport spanning (also known as mirroring).Use the planning worksheets to plan your deployment, and then enter the results in WebsenseManager.Quick Start 18 Network Agent

Quick Start for Network AgentSwitched ConfigurationsNetwork Agent may be connected to a switch or router, as shown here:Network Agent must see all outbound and inbound traffic. Thus, the (switch) port connected to theNetwork Agent machine must see all traffic.On most switches, you can change the port to spanning or mirroring mode. To connect to the networkusing a switch, plug the Network Agent machine into the port on the switch that mirrors (spans) thetraffic on the gateway or firewall port. The span port mirrors all the traffic that leaves the networksegment, so traffic on monitored ports is simultaneously sent to the monitoring port to whichNetwork Agent is connected.If a switch that supports bi-directional spanning is used, Network Agent can function successfullywith a single Network Interface Card (NIC) performing both monitoring and blocking. If the switchdoes not support bi-directional spanning, Network Agent must use separate NICs for monitoring andblocking.Quick Start 19 Network Agent

Quick Start for Network AgentMultiple switchesIn a multiple switch environment, one Network Agent machine suffices if you connect it to the porton the switch that spans (mirrors) the port on which the firewall is connected:Quick Start 20 Network Agent

Quick Start for Network AgentThe following network uses a router for communications from a remote office. The machine runningNetwork Agent is connected to an additional switch, on the port that mirrors (spans) the router port.Quick Start 21 Network Agent

Quick Start for Network AgentMultiple Network AgentsOn a busy network, you may need to install Network Agent on multiple machines and assign eachmachine to monitor a segment of your network.If you install multiple Network Agents, note: One copy of Filtering Service can support more than one Network Agent. Websense suggests upto four Network Agents per Filtering Service; some sites successfully use more.Deploy the Network Agents so that together they filter the entire network.IP address ranges for the Network Agents should not overlap. This is inefficient and can lead todouble filtering and logging.Quick Start 22 Network Agent

Gateway ConfigurationQuick Start for Network AgentA gateway provides a connection between two networks, such as between your network and theinternet.Network Agent can be installed on the gateway machine. This allows Network Agent to manage andmonitor all Internet traffic. The gateway can either be a proxy server or a network appliance. Do notinstall Network Agent on a firewall.iIMPORTANTThis configuration is supported only on the Windows operating system and isintended for small to medium networks.In larger networks, performance can suffer as a result of resource competitionbetween the gateway software and Network Agent.Quick Start 23 Network Agent