
8e6 setup R3000 - stand alone


Assumed Hardware:

  1. 8e6 R3000 G/S/H content filter (stand-alone)

  2. 8e6 Enterprise Reporter  (non-NAS models)

Installation Requirements:

  • three IP addresses (private addresses preferred, e.g. 10.x.x.x or 192.168.x.x). One address is assigned to the "management" interface of the R3000 and one to that of the Enterprise Reporter. The third address is used for R3000 authentication.

  • each R3000 appliance has two physical embedded NICs. In the typical (and default) configuration, one interface is used exclusively to collect (or "sense") web traffic. The second interface is used for management, issuing block packets, hosting the block page, and authentication (if used).
  • The two R3000 addresses (management and authentication) must be in the same subnet. One is the physical interface address; the second is a virtual address on the same physical interface.
  • Both R3000 addresses (management and authentication) must be routable to and from the end-user workstations being filtered (for the block page and authentication).

  • 8e6 Authentication is required if you want usernames in reporting. Authentication can be transparent in Windows Domain and Novell eDirectory environments. Otherwise, you'll only see end-user client IP addresses in reports. 8e6 Authentication can co-exist with other non-authenticated clients on the network (filtered by IP address or global policy).

  • The two management IP addresses need static NAT to public IP addresses maintained on the firewall. A firewall rule allows inbound SSH connections from 209.11.160.50 (i.e. 8e6 support).

  • 2U of rack space in total. Each 8e6 appliance is 1U. Each appliance requires separate power.

  • monitor and keyboard access to each appliance. This can be temporary (i.e. monitor and keyboard on a cart) or permanent via a KVM switch. It is possible to enable serial console access.

  • three network cables present at the rack. Two for standard network access. One connected to a switch port configured to mirror all TX (outbound) traffic at the perimeter of the network (inside of any NAT).

  • a unique Directory account to be used for connections and searches by the R3000 LDAP client. This account should be dedicated to the 8e6 platform (e.g. "8e6bind"). The full Directory Server object DN (distinguished name) of this account, i.e. its X.500 address, is required to configure 8e6 authentication.

Example: “cn=8e6bind account,ou=users,dc=domain,dc=com”.

Platform Requirements Details:

  • The 8e6 R3000 sense interface MUST have visibility of the client IP address. This requirement holds regardless of whether policy is enforced based on IP_Group or Active_Directory. Ultimately, the policy decisions made by the R3000 are based on the client IP address (whether or not the R3000 knows the username).

  • end-user client machines will not have a proxy setting in the browser (i.e. browsers talk directly to the internet). Note: the 8e6 R3000 filter can easily co-exist with web proxy (or content cache) servers, but the physical location of the traffic mirror changes to immediately downstream of the proxy/cache. The key point: the mirrored traffic viewed by 8e6 must show the end-user client IP address (i.e. it must be captured downstream of the NAT or proxy device; domain integration does not affect this requirement). We can further discuss this at length.

  • 8e6 R3000 filter(s) will be deployed in by-pass mode (i.e. "invisible mode" in 8e6 documentation). In this scenario, 8e6 senses outbound web traffic on one interface; the second interface is used for management, issuing client redirects, the block page, and authentication (form-based or transparent, if used).

  • a span/mirror port configured at the perimeter of your network. The specific location of the traffic mirror must have visibility of the end-user client IP address (i.e. inside of any NAT device, firewall or proxy).

  • the span/mirror port is configured to see only TX (transmit) of outbound traffic. The 8e6 R3000 filter only cares about the outbound TCP packets for HTTP, HTTPS, NNTP, and FTP.

  • The IPs assigned to the management interface of the R3000 filters will need outbound firewall access for either FTP or HTTPS to download patches and library updates. If you plan to use the default "HTTPS_Filtering" feature, the R3000 box must have outbound HTTPS (because the R3000 issues a separate HTTPS connection to the site accessed by users to verify certificate contents, at the default setting of Medium).
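As an added illustration (not from the original page or from 8e6), a Python check for the two mirror requirements above: the feed must show real client addresses rather than the NAT's, and it should carry TX only. It reads tcpdump -n style lines, here a constructed sample; the internal network 192.168.10.0/24 and NAT address 203.0.113.1 are assumed values.

```python
import ipaddress
import re
from collections import Counter

# Services the R3000 inspects, per the requirements above: HTTP, HTTPS, NNTP, FTP.
FILTERED_PORTS = {80: "HTTP", 443: "HTTPS", 119: "NNTP", 21: "FTP"}
# One "tcpdump -n" line: "IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[(\S+)\]")

# Constructed sample of what a sense interface might show (not a real capture).
SAMPLE_LINES = """\
12:00:01.000001 IP 192.168.10.21.51234 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 192.168.10.22.51235 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000003 IP 192.168.10.21.51236 > 198.51.100.9.21: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 192.168.10.21.51237 > 198.51.100.9.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 IP 203.0.113.1.40001 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000006 IP 93.184.216.34.80 > 192.168.10.21.51234: Flags [S.], seq 1, ack 2, win 65535, length 0
""".splitlines()

def audit_mirror(lines, internal_nets, nat_addr):
    """Classify packets seen on the sense interface.
    internal_nets: networks holding the end-user clients (inside the NAT).
    nat_addr: the firewall/proxy outside address; SYNs sourced from it mean the
    mirror sits on the wrong side of the NAT and the R3000 cannot see clients.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    nat = ipaddress.ip_address(nat_addr)
    report = {"client_syns": 0, "nat_syns": 0, "reply_packets": 0,
              "clients": set(), "services": Counter()}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(3))
        dport, flags = int(m.group(4)), m.group(5)
        if any(src in n for n in nets):
            if flags == "S":  # new outbound connection from a real client
                report["client_syns"] += 1
                report["clients"].add(str(src))
                report["services"][FILTERED_PORTS.get(dport, "other")] += 1
        elif src == nat and flags == "S":  # SYN already rewritten by the NAT
            report["nat_syns"] += 1
        elif dst == nat or any(dst in n for n in nets):
            report["reply_packets"] += 1  # traffic toward the inside: RX side mirrored
    return report

def mirror_ok(report):
    """True only if clients are visible, nothing is NAT-sourced and no RX traffic leaks in."""
    return report["client_syns"] > 0 and report["nat_syns"] == 0 and report["reply_packets"] == 0
```

On the constructed sample the check fails twice: one SYN is sourced from the NAT address, and one SYN-ACK shows the RX side is being mirrored; the first four lines alone pass.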

Authentication Requirement Details:


Network Architecture Requires Multiple Monitor Sessions:

Some network architectures dictate that no single switch passes all network traffic. This presents a significant hurdle to "feeding a copy of all outbound network traffic" to the 8e6 R3000 filter for analysis. Keep in mind that a single 8e6 R3000 can only enforce policy on traffic presented to one network interface (i.e. all traffic must be delivered via one copper cable).

Many of our customers have leveraged the following "link aggregator" device to aggregate traffic from multiple points in the network into one copper port for connection to the 8e6 R3000. Such a device is great for 8e6, IDS, and DLP products. NetOptics does offer different flavors of the box, with different numbers of source ports (instead of eight). We have no relationship with NetOptics, but they are the best.

http://netoptics.com/products/product_family_details.asp?cid=4&pid=126



