
8e6 setup R3000 IR


Assumed hardware:

  1. 8e6 R3000-IR appliance

Installation Requirements:

  • Two IP addresses (private IP addresses preferred, 10.x.x.x or 192.168.x.x). One is the "management address" used for the R3000; the other is used for R3000 authentication. Both of these "routable" addresses are used on a SINGLE R3000-IR NIC (i.e. the management interface): one is the physical address, the second is a virtual address. Note: both addresses MUST be in the same subnet.

  • Each R3000 appliance has two physical embedded NICs. In the typical (and default) configuration, one interface is used exclusively to collect (or sense) web traffic. The second interface is used for management, issuing block packets, hosting the block page, and authentication (if used).
  • The management IP address must be routable to/from the end-user workstations being filtered (for block page and authentication).

  • 8e6 Authentication is required if you want usernames in reporting. Authentication can be transparent in Windows Domain and Novell eDirectory environments. Otherwise, you'll only see end-user client IP addresses in reports. 8e6 Authentication can co-exist with non-authenticated clients on the network (which are filtered based on IP address or global policy).

  • The one management IP address requires static NAT to public IP addresses maintained on the firewall. A firewall rule allows inbound SSH connections from 209.11.160.50 (i.e. 8e6 support).

  • 1-U total of rack space. Each 8e6 appliance is 1-U. Each appliance requires separate power.

  • Monitor and keyboard access to the appliance. This can be temporary access (i.e. monitor and keyboard on a cart) or permanent via a KVM switch. It is possible to enable serial console access.

  • Two network cables present at the rack: one for standard network access, and one connected to a switch port configured to mirror all TX (outbound) traffic at the perimeter of the network (inside of any NAT).

Platform Requirements Details:

  • The 8e6 R3000 sense interface MUST have visibility of the client IP address. This requirement holds regardless of whether policy is enforced based on IP_Group or Active_Directory. Ultimately, the policy decisions made by the R3000 are based on the client IP address (whether the R3000 knows the username or not).

  • End-user client machines will not have a proxy setting in the browser (i.e. browsers talk directly to the internet). Note: the 8e6 R3000 filter can easily co-exist with web proxy (or content cache) servers, but the physical location of the traffic mirror changes to immediately downstream of the proxy/cache. The key point: the mirrored traffic viewed by the 8e6 must show the end-user client IP address (i.e. downstream of any NAT or proxy device; domain integration does not affect this requirement). We can further discuss this at length.

  • The 8e6 R3000 filter(s) will be deployed in by-pass mode (i.e. "invisible mode" in the 8e6 documentation). In this scenario, the 8e6 senses outbound web traffic on one interface; the second interface is for management, issuing client redirects, the block page, and authentication (form-based or transparent, if used).

  • A span/mirror port configured at the perimeter of your network. The specific location of the traffic mirror must include visibility of the end-user client IP address (i.e. inside of any NAT device, whether firewall or proxy).

  • The span/mirror port is configured to see only the TX (transmit) side of outbound traffic. The 8e6 R3000 filter only cares about outbound TCP packets for HTTP, HTTPS, NNTP, and FTP.

  • The IPs assigned to the management interface of the R3000 filters need outbound firewall access for either FTP or HTTPS to download patches and library updates. If you plan to use the default "HTTPS_Filtering" feature, the R3000 box must have outbound HTTPS access, because at the default setting of Medium the R3000 opens a separate HTTPS connection to the site accessed by users to verify the certificate contents.
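
A pre-deployment check of the addressing and mirror-placement requirements above, added here as an example (it is not 8e6 code or tooling). The function names, the flow-tuple format and all sample addresses are assumptions constructed for illustration; the ports are the standard ones for FTP, HTTP, NNTP and HTTPS.

```python
import ipaddress

# Destination ports for the protocols the filter acts on: FTP, HTTP, NNTP, HTTPS.
FILTERED_PORTS = {21, 80, 119, 443}

def check_mgmt_pair(physical, virtual, prefix_len):
    """Physical and virtual management addresses must share one subnet."""
    net = ipaddress.ip_interface(f"{physical}/{prefix_len}").network
    problems = []
    if ipaddress.ip_address(virtual) not in net:
        problems.append(f"{virtual} is outside {net}")
    for addr in (physical, virtual):
        if not ipaddress.ip_address(addr).is_private:
            problems.append(f"{addr} is not a private address (private is preferred)")
    return problems

def check_mirror_sample(flows, client_nets):
    """flows: (src, dst, dst_port) tuples summarised from a capture on the sense port."""
    nets = [ipaddress.ip_network(n) for n in client_nets]

    def is_client(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    findings, outbound_web = [], 0
    for src, dst, dport in flows:
        if is_client(src):
            if not is_client(dst) and dport in FILTERED_PORTS:
                outbound_web += 1  # what the sense interface is meant to see
        elif is_client(dst):
            findings.append(f"RX traffic {src} -> {dst}: mirror is not TX-only")
        else:
            findings.append(f"source {src} is not a client address: mirror may be outside NAT/proxy")
    if outbound_web == 0:
        findings.append("no outbound FTP/HTTP/NNTP/HTTPS flows from client addresses")
    return findings

if __name__ == "__main__":
    # Constructed sample values; none of these addresses come from the page.
    print(check_mgmt_pair("10.1.1.10", "10.1.2.11", 24))
    sample = [
        ("10.1.5.20", "198.51.100.7", 80),     # client to web site: expected
        ("198.51.100.7", "10.1.5.20", 51000),  # return packet: RX leaked into the mirror
        ("203.0.113.5", "198.51.100.9", 443),  # post-NAT source: tap is on the wrong side
    ]
    for line in check_mirror_sample(sample, ["10.1.0.0/16"]):
        print(line)
```

An empty list from both functions means the address plan and the sampled mirror traffic match the requirements listed above.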

Authentication Requirement Details:

 

