Vital Security Supported Topologies
- Ada Jennings
- 6 years ago
Software Release 9.0
Copyright

Copyright Finjan Software Inc. and its affiliates and subsidiaries ("Finjan"). All rights reserved. All text and figures included in this publication are the exclusive property of Finjan and are for your personal and non-commercial use. You may not modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer, use or sell any part of its content in any way without the express permission in writing from Finjan. Information in this document is subject to change without notice and does not present a commitment or representation on the part of Finjan.

The Finjan technology and/or products and/or software described and/or referenced to in this material are protected by registered and/or pending patents including U.S. Patents, and may be protected by other U.S. Patents, foreign patents, or pending applications.

Finjan, Finjan logo, Vital Security, Vulnerability Anti.dote and Window-of-Vulnerability are trademarks or registered trademarks of Finjan. Sophos is a registered trademark of Sophos plc. McAfee is a registered trademark of McAfee Inc. Kaspersky is a registered trademark of Kaspersky Lab. Websense is a registered trademark of Websense, Inc. IBM Proventia is a registered trademark of IBM Corporation. Microsoft and Microsoft Office are registered trademarks of Microsoft Corporation. All other trademarks are the trademarks of their respective owners.

For additional information, please visit or contact one of our regional offices:

- USA: San Jose: 2025 Gateway Place, Suite 180, San Jose, CA 95110, USA. Toll Free: FINJAN 8. salesna@finjan.com
- USA: New York: Chrysler Building, 405 Lexington Avenue, 35th Floor, New York, NY 10174, USA. salesna@finjan.com
- Israel/Asia Pacific: Hamachshev St. 1, New Industrial Area, Netanya, Israel. salesint@finjan.com
- Europe: UK: 4th Floor, Westmead House, Westmead, Farnborough, GU14 7LP, UK. salesuk@finjan.com
- Europe: Germany: Alte Landstrasse 27, Ottobrun, Germany. salesce@finjan.com
- Europe: Netherlands: Printerweg AD Amersfoort, Netherlands. salesne@finjan.com

Catalog Name: VSST-TB
support@finjan.com
Table of Contents

1. System Overview
2. All in One vs. Distributed Topology
3. Managing the Policy Server and Scanning Server
4. Supported Topologies
   - Basic Topologies
   - Proxy Chain Mode
   - ICAP Redirection
   - Authentication Services
   - Load Balancing
   - NG-8100 Appliance
   - Web Cache Communication Protocol
Appendix Topology Summary
1. System Overview

Located at the gateway to your network, the Vital Security Web Appliance monitors all traffic between your company and the Web. It identifies the true type of the content, scans it, then allows or blocks the content in line with the rules and policies that you and your organization define. You can also configure the extent of transaction logging and the generating of reports.

The following functional servers are incorporated:

- Policy Server: A centralized repository and administration point for system configuration and security policy settings. The settings defined in the Policy Server are pushed to all Scanning Servers such that the system is always updated.
- Log Server: A short-term centralized repository for transactional information. The transactional information is generated by the Scanning Servers and queued in Log Relays, after which they are aggregated to the centralized repository. The Log Server is a subset of the Policy Server.
- Report Server: A long-term centralized repository for transactional information. The transactional information is generated by the Scanning Servers and queued in Log Relays, after which they are aggregated to the centralized repository. The Report Server is a subset of the Policy Server.
- Scanning Servers: Multiple servers that scan content using the various scanning engines, including Finjan's proactive scanning technology, and enforce the predefined policy regarding that content.
- Authentication Device: A special device, used to authenticate users before they can browse the Internet. The Authentication Device communicates with an Active Directory in order to authenticate the users.

The following physical components can be incorporated in the full system deployment:

- Load Balancer: When the amount of traffic exceeds a Scanning Server's capacity, or following redundancy requirements, the deployment includes several Scanning Servers. A Load Balancer balances the load of incoming request traffic between all active Scanning Servers. The load balancer can be any 3rd party load balancer.
- Caching Server: A deployment can include a Cache Appliance NG or any other third party caching server. The caching server can be connected to the Scanning Servers via an upstream proxy or downstream proxy.

Although Vital Security supports many possible topologies, the following have been successfully tested and are therefore fully supported by Finjan.
If none of these topologies address your needs, please contact your local Finjan representative for the appropriate deployment. The supported topologies are categorized into the following groups:

- Basic topologies: including both single and multiple Scanning Server topologies.
- Third party based topologies: topologies that include other components such as caching servers and Layer 7 switches.

2. All in One vs. Distributed Topology

Finjan's Vital Security appliance can be installed in different operational modes:

- All in One
- Distributed Topology (Policy Server and Scanning Server)

When working in All in One mode, a single server is used both for scanning the traffic and for managing the security policies, Logs, Reports and Updates. When an All in One device is used to manage an additional Scanning device, it provides additional scanning capabilities. The device should be set to receive a scanning throughput of about 50% of the maximum scanning capabilities of a standalone device. This enables the All in One device to perform other tasks required of it. For more information about sizing, please contact your Finjan representative.

Working in a distributed topology, where the Policy Server and Scanning Server are installed on separate and dedicated hardware, allows more flexibility and maintainability for the Policy Server (users are not affected by the load / availability of the Policy Server).

NOTE: An All in One does not include an Authentication Device.

3. Managing the Policy Server and Scanning Server

In all the topologies presented in this document the Policy Server does not appear in the topology (unless the topology is All in One), because the Policy Server can be located anywhere in the network, so long as it can communicate with the Scanning Server.

In all management configurations, ensure that the IP address and Hostname of the Management unit are configured in the browser's list of servers that should not be accessed via the proxy. This will ensure that active content which is used by the Management Console is not accidentally blocked by the scanning proxy rules.

To ensure proper communication between Vital Security Web Appliance Series Version 9.0 Scanning Servers and Policy Server, several ports have to be open on the firewall. For detailed information, please refer to the Port Mapping Feature Description.

4. Supported Topologies

The following Topologies are supported with Vital Security Software Release

Basic Topologies

Simple Proxy mode

In the Simple Proxy mode, users are configured to work with a proxy server. In this mode the users use the IP address of the Scanning Server as their proxy server for HTTP (default port 8080), HTTPS scanning (default port 8443) and FTP (default port 2121). The Scanning Server can be located either behind a firewall, in the DMZ (see Figure 1) or on the same network as the users.

Figure 1: Simple Proxy Mode (DMZ)
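A proxy auto-config file is one way to push the Simple Proxy settings above to browsers while keeping the Management unit off the proxy (the appendix lists proxy.pac among the deployment methods). This is an added example, not a Finjan-supplied file: the Scanning Server and Policy Server addresses are placeholder assumptions, and the ports are the defaults quoted above.

```javascript
// Added example: proxy.pac for Simple Proxy mode. Written with plain string
// operations (no PAC helper functions) so it also runs outside a browser.
var SCANNER = "192.0.2.10"; // Scanning Server address (placeholder, TEST-NET-1)
var PORTS = { http: 8080, https: 8443, ftp: 2121 }; // defaults from this section
// Management unit IP address and hostname (placeholders) that bypass the proxy.
var DIRECT_HOSTS = ["192.0.2.20", "policy.corp.example"];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Exact match only: a suffix or substring test would also exempt look-alike
  // hostnames from scanning.
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (host === DIRECT_HOSTS[i]) return "DIRECT";
  }
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  // Only the three protocols this section names are sent to the Scanning Server.
  if (!Object.prototype.hasOwnProperty.call(PORTS, scheme)) return "DIRECT";
  // No "; DIRECT" fallback is returned: if the Scanning Server is unreachable,
  // browsing fails instead of silently going out unscanned.
  return "PROXY " + SCANNER + ":" + PORTS[scheme];
}
```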
Figure 2: Simple Proxy Mode (Same network)

The traffic flow is as follows:

1. The user initiates a connection to the Internet (HTTP, HTTPS, or FTP). The user sends the request to its proxy server, which is the Scanning Server.
2. The Scanning Server processes the request (identifying the user, authenticating the user if required and finding the user's policy) and if the content is allowed, then the Scanning Server issues a new request to the original destination server.
3. The returning traffic is processed again by the Scanning Server (the Scanning Server is the originator of the session) and only after processing does the end-user receive the data (or block message).

Transparent Mode

In the Simple Transparent mode, users are not configured to work with a proxy server. In this mode the users send their requests directly to the IP address of the original web server. A Layer 4 traffic redirector (as appears in Figure 3) intercepts all HTTP, HTTPS and FTP traffic and redirects it to the Scanning Server (using the original destination IP of the HTTP (or FTP) server). In order to configure the proxy to work in transparent mode, transparency has to be enabled (Settings > Devices > Scanning Server > General, then click Enable in the Transparent Proxy Mode tab).
Figure 3: Proxy Configuration for Transparent Mode

Another way of achieving user transparency is by including a firewall rule which uses destination NAT for all HTTP and HTTPS (and possibly FTP) traffic. When users send HTTP or HTTPS traffic, this traffic is passed via the firewall. The destination NAT rule changes the destination IP address from the original web server in the Internet to the IP address of the Vital Security Scanning Server. The traffic then reaches the Vital Security Scanning Server, which scans the traffic and fetches the information from the Internet. Returning traffic is scanned again and returned to the user.

Figure 4: Simple Transparent Mode

The traffic flow is as follows:

1. The user initiates a connection to the Internet (HTTP, HTTPS or FTP). The user sends the request to the original server such that the destination IP address of the request is the IP address of the real server.
2. The layer 4 switch transparently redirects all HTTP, HTTPS and FTP traffic to the Vital Security Scanning Server, which then processes the request (identifying the user, authenticating the user if required and finding the user's policy) and if the content is allowed, the Scanning Server issues a new request to the original destination server.
3. The returning traffic is processed again by the Scanning Server (the Scanning Server is the originator of the session) and only after processing does the end-user receive the data (or block message) using the original server IP as the source IP address (i.e. as if the user communicates with the original server).

4.2 Proxy Chain Mode

Vital Security Web Appliance can be installed as the Next Proxy of the existing proxy in the network. In this topology, the users can be configured to work with a proxy server (the existing proxy in the network) or the users can be transparently redirected to the proxy server (depending on the network topology and proxy transparency support). In the Proxy Chain Topology, the Scanning Server can be out-of-line or inline (connected with two interfaces).

Figure 5: Proxy Chain Mode (with Scanning Server out-of-line)
Figure 6: Chain Mode (with Scanning Server in-line)

NOTE: If user authentication is required, verify that the proxy server supports Authentication Pass-through or can forward user credentials via HTTP headers. If this feature is supported, then when the Web Appliance requests user authentication, the proxy server passes the request to the user.

The out-of-line topology is preferred, since in case of Scanning Server failure, it is easier to neutralize the redirection to the Scanning Server (if required). If the corporate proxy is also a caching proxy which does not support IP spoofing, only one security policy can be enforced by the Scanning Servers.

The traffic flow is as follows:

1. The user initiates a connection to the Internet (HTTP, HTTPS, or FTP). Depending on the network topology, the user sends the request either to the original server if the first proxy is a transparent proxy, or directly to the IP address of the proxy server, if the proxy server is nontransparent.
2. After the first proxy has processed the request, it sends it in a proxy format to the Vital Security Scanning Server, which then processes the request (identifying the user, authenticating the user if required and finding the user's policy) and if the content is allowed, the Scanning Server issues a new request to the original destination server.
3. The returning traffic is processed again by the Scanning Server (the Scanning Server is the originator of the session) and only after processing does it send the traffic to the first proxy, which forwards it to the end-user after the first proxy has processed the traffic.
4.3 ICAP Redirection

The Internet Content Adaptation Protocol (ICAP) is a protocol that provides basic redirection of HTTP traffic. Many organizations may already implement a caching solution, where the cache server supports ICAP redirection (for example, Blue Coat). If the cache server supports ICAP redirection, the Vital Security Web Appliance can be installed in ICAP mode, without the need to change the existing network topology.

ICAP is a client-server protocol, which requires both an ICAP client and an ICAP server in order to operate properly. Finjan's Vital Security Web Appliance can be installed as an ICAP Server. An ICAP server is a server that accepts ICAP requests arriving from an ICAP Client (for example, Blue Coat's cache server). An ICAP client can redirect HTTP traffic (or a portion of the traffic) to an ICAP server for additional processing, before sending the traffic to the Internet.

Basic ICAP Mode with a single Scanning Server

Using ICAP, the client has to configure their browser settings to work with a proxy server, which is the ICAP client's IP. Once the ICAP client processes the request (or reply) it forwards it to the Scanning Server in ICAP format.

Figure 7: Scanning Server in ICAP Mode

Basic Load Balancing in ICAP Mode

In addition to the basic ICAP capabilities described in section Basic ICAP Mode with a single Scanning Server, an ICAP Client can redirect traffic to multiple Scanning Servers, and thereby add high availability functionality to the network as well as scalability. The topology described in Figure 8 shows an ICAP client with multiple Scanning Servers. In such a topology, the Scanning Servers must have the same configuration. Configuration of both ICAP modes (REQMOD and RESPMOD) is required.
Figure 8: Basic Load Balancing in ICAP Mode

Advantages and Disadvantages of ICAP

The advantages of using the ICAP topologies are as follows:

- Easy deployment: an existing proxy can be easily configured to use the Scanning Servers as ICAP Server without any impact on the end-users.
- Control over content: organizations with specific needs can increase performance by configuring their ICAP client to only send certain files for scanning by the ICAP Server.

The disadvantages of using the ICAP topologies are as follows:

- The ICAP topologies have similar security disadvantages to having a downstream Proxy. Most ICAP clients are Caching Servers so it's possible that an item which was already cached will be served to a non-authorized user of a different security policy.
- When ICAP is implemented, there is the need to scan each transaction twice: once in REQMOD and another in RESPMOD. This adds an additional two hops to the traffic flow.
- Traffic originating from the ICAP Client the Scanning Servers, must be treated differently and must be excluded from the ICAP treatment, in case it uses the same interface to connect to the Internet.

ICAP Redirection vs. Proxy Chain Mode

Both ICAP redirection and Proxy Chain Mode can be used in existing networks with minimal topology changes; however, Proxy Chain Mode is preferred over ICAP redirection for the following reasons:

- Protocol independent: although the ICAP protocol is RFC based (RFC 3507) and respected by Finjan Vital Security Web Appliance, some vendors may not respect the RFC and have interoperability issues with ICAP implementation.
- Ease of Configuration: most proxy servers allow the administrator to configure the next proxy by simply configuring the next proxy IP address and port, while ICAP configuration requires knowledge of the ICAP protocol, as well as configuring the REQMOD and RESPMOD.
- Debug-ability: It is much easier to debug native HTTP than to debug ICAP traffic. If a system administrator has to debug the entire system, it is easier to:
  - Read capture files of HTTP traffic.
  - Configure a user to work directly with the Scanning Server and bypass the proxy server in order to identify the source of the problem.
- Number of hops: When working with ICAP Redirection, there are an additional two hops for each transaction.

Traffic flow is as follows: The user sends the traffic to the proxy server (1), the proxy server redirects the traffic to the Scanning Server (2), the Scanning Server scans the traffic and responds to the proxy (3), the proxy sends the request to the Internet (4) and the reply (5) is forwarded via ICAP to the Scanning Server (6) which scans the traffic and replies to the proxy (7), which then sends the traffic to the user (8).

Figure 9: Traffic Flow with ICAP Redirection
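To make the two ICAP legs of the flow above concrete (REQMOD at steps 2-3, RESPMOD at steps 6-7), this added example frames and parses them as RFC 3507 messages, which is the same splitting needed when reading ICAP capture files. It is not Finjan or Blue Coat code; the host scanner.example, port 1344 (the RFC default), the service paths, the ISTag value and the HTTP messages are constructed assumptions.

```javascript
// Added example, not vendor code: RFC 3507 framing for the ICAP legs of one web
// transaction. Hosts, service paths and HTTP messages are constructed samples.
const CRLF = "\r\n";

// Frame an ICAP message. `sections` are the encapsulated HTTP header blocks in
// order, e.g. [["req-hdr", "..."]]; `body` is [name, Buffer] or null.
function buildIcapMessage(startLine, icapHeaders, sections, body) {
  const offsets = [];
  const payload = [];
  let pos = 0;
  for (const [name, text] of sections) {
    const data = Buffer.from(text, "latin1");
    offsets.push(`${name}=${pos}`); // byte offset of this part in the payload
    payload.push(data);
    pos += data.length;
  }
  if (body === null) {
    offsets.push(`null-body=${pos}`);
  } else {
    const [name, data] = body;
    offsets.push(`${name}=${pos}`);
    // An encapsulated body is always chunked: here one chunk plus the terminator.
    payload.push(Buffer.from(data.length.toString(16) + CRLF), data,
      Buffer.from(CRLF + "0" + CRLF + CRLF));
  }
  const head = [startLine, ...icapHeaders, `Encapsulated: ${offsets.join(", ")}`]
    .join(CRLF) + CRLF + CRLF;
  return Buffer.concat([Buffer.from(head, "latin1"), ...payload]);
}

// Reassemble a chunked body, rejecting truncated input.
function dechunk(buf) {
  const out = [];
  let pos = 0;
  for (;;) {
    const eol = buf.indexOf(CRLF, pos);
    if (eol < 0) throw new Error("truncated chunk header");
    const size = parseInt(buf.subarray(pos, eol).toString("latin1"), 16);
    if (Number.isNaN(size)) throw new Error("bad chunk size");
    if (size === 0) return Buffer.concat(out);
    if (eol + 2 + size > buf.length) throw new Error("truncated chunk");
    out.push(buf.subarray(eol + 2, eol + 2 + size));
    pos = eol + 2 + size + 2; // skip the CRLF that ends the chunk data
  }
}

// Split a raw ICAP message into its ICAP headers and encapsulated parts.
function parseIcapMessage(raw) {
  const headEnd = raw.indexOf(CRLF + CRLF);
  if (headEnd < 0) throw new Error("incomplete ICAP header");
  const [startLine, ...lines] = raw.subarray(0, headEnd).toString("latin1").split(CRLF);
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(":");
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  if (!headers.encapsulated) throw new Error("missing Encapsulated header");
  const payload = raw.subarray(headEnd + 4);
  const entries = headers.encapsulated.split(",").map((e) => {
    const [name, off] = e.trim().split("=");
    return { name, offset: Number(off) };
  });
  const msg = { startLine, headers, parts: {}, body: null };
  entries.forEach((e, i) => {
    // Offsets must be integers, non-decreasing and inside the payload.
    const prev = i === 0 ? 0 : entries[i - 1].offset;
    if (!Number.isInteger(e.offset) || e.offset < prev || e.offset > payload.length) {
      throw new Error("bad Encapsulated offset for " + e.name);
    }
    if (e.name === "null-body") return;
    if (e.name.endsWith("-body")) {
      msg.body = dechunk(payload.subarray(e.offset));
    } else {
      const end = i + 1 < entries.length ? entries[i + 1].offset : payload.length;
      msg.parts[e.name] = payload.subarray(e.offset, end).toString("latin1");
    }
  });
  return msg;
}

// Constructed sample traffic held by the ICAP client (the existing proxy).
const clientRequest = "GET /report.pdf HTTP/1.1\r\nHost: www.example.com\r\n\r\n";
const originHeaders = "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n";
const originBody = Buffer.from("%PDF-1.4 constructed sample\n");
const icapHost = "Host: scanner.example";

// Leg 1 (REQMOD): the user's request is checked before it goes to the Internet.
const reqmod = buildIcapMessage("REQMOD icap://scanner.example:1344/reqmod ICAP/1.0",
  [icapHost], [["req-hdr", clientRequest]], null);
// Leg 2 (RESPMOD): the origin's reply is scanned before the user receives it.
const respmod = buildIcapMessage("RESPMOD icap://scanner.example:1344/respmod ICAP/1.0",
  [icapHost], [["req-hdr", clientRequest], ["res-hdr", originHeaders]],
  ["res-body", originBody]);
// One possible server verdict on leg 2: the reply is replaced by a block page.
const blocked = buildIcapMessage("ICAP/1.0 200 OK", ['ISTag: "constructed-1"'],
  [["res-hdr", "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"]],
  ["res-body", Buffer.from("Blocked by policy\n")]);

for (const raw of [reqmod, respmod, blocked]) {
  const m = parseIcapMessage(raw);
  console.log(m.startLine, "|", m.headers.encapsulated, "|", m.body ? m.body.length : 0);
}
```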
When working in Proxy Chain Mode, the traffic flow is as follows: The users send the traffic to the proxy server (1), the proxy server forwards the traffic to the next proxy, which is the Scanning Server (2), the Scanning Server scans the request and retrieves the content from the Internet (3). When the traffic arrives from the Internet (4) it is scanned by the Scanning Server, which replies to the Proxy that originally made the request (5). The proxy server receives the traffic from the Scanning Server and sends it to the user (6).

Figure 10: Traffic Flow with Proxy Chain Mode

NOTE: When deploying in ICAP mode, make sure the Scanning Servers and Policy Server are allowed to access the Internet so they can perform pre-fetching and retrieve updates. If necessary, configure the HTTP devices and update mechanism to use the ICAP Client's address as Proxy for Internet access. ICAP requires configuration of the ICAP modes: REQMOD and RESPMOD. For more information about ICAP configuration and integration with Blue Coat Secure Gateway, refer to the Setup and Configuration Guide, Chapter

Authentication Services

Enterprise networks are built from different topologies for which different device types and configurations are used. End-user identification and authentication can be performed via various tools, devices, network equipment and through the use of different protocols. The ability to identify the user during the web transaction is crucial in order to isolate threats and enable policy enforcement with a specific behavior for each user or group. The option to identify and/or authenticate the user is dependent on the network layout, the security rules that are used in the network and the capability to integrate with an external authentication device. There is no common single solution that can fit all organizations and therefore an enterprise solution should be flexible enough to offer support for multiple topologies.

Figure 11: Authentication Device Topology

In this topology the Scanning Server does not communicate with any of the LAN appliances directly but rather uses the HTTP redirect method as a response to the end-user HTTP request when there is a need to authenticate a user. The Scanning Servers are set up and configured with the overall network topology structure in order to choose the right Authentication Device to redirect to. Once an HTTP request arrives, the Scanning Server uses an identification policy to decide whether and how to identify the user behind this session. If authentication is required, an HTTP redirect response is sent back to the end-user browser with the URL information of the relevant Authentication Device. As a result, the browser issues an HTTP call to the Authentication Device URL.

The Authentication Device receives the HTTP request and initiates its own identification policy. In most cases it will issue an authentication challenge while communicating with the end-user browser. It then uses the authentication credentials that are received from the remote browser and authenticates them with the Active Directory which acts as an Authentication Server. The Authentication Device can be configured to work with multiple active directories, even those that are not in a trust relationship.
NOTE: Since authentication requires redirection to the Authentication Device, it is supported only for HTTP. In order to also authenticate HTTPS and FTP, the Authentication Device must be configured as the HTTPS and FTP proxy. When working with an Authentication Device it is assumed that all HTTP user-agents support cookies. An Authentication Device cannot be used as a subset of the Policy Server in policy HA topologies.

The Scanning Server can also perform Authentication. For more information on Authentication, please refer to the Authentication and Identification Feature Description.

The traffic flow is as follows:

1. The user initiates an HTTP connection to a server in the Internet and sends the request to the proxy server, which is the Scanning Server.
2. The Scanning Server replies with an HTTP 302 Redirect response to the end-user browser and redirects the end user to the Authentication Device.
3. The end-user then opens a new connection to the Authentication Device, requesting the original URL.
4. The Authentication Device replies with HTTP 407 Authentication required and closes the connection.
5. The end-user then opens a new connection and sends its credentials to the Authentication Device. The Authentication Device communicates with the AD/LDAP/Authentication server and authenticates the user based on the collected credentials.
6. Once the Authentication process is completed and the user is authenticated, the Authentication Device redirects the user, using HTTP 302 Redirect, back to the Scanning Server.

4.5 Load Balancing

Load Balancing Multiple Scanning Servers in Proxy Mode

Using a third party load balancer, it is possible to scale up and add additional Scanning Servers based on network growth and load of the Scanning Servers.
In Figure 12, all the users in the network are configured to work with a proxy server for HTTP (default port 8080), HTTPS (default port 8443) and FTP (default port 8080). The IP address of the proxy server in the user's browser is the Virtual IP of the load balancer. The load balancer has a single farm with all the Scanning Servers in the farm. The default gateway of the Scanning Servers is the internal interface of the load balancer (the Scanning Servers' IP address should be part of the same network as the internal interface of the load balancer). The default gateway of the load balancer is the Firewall.

The load balancer performs periodical health checks in order to verify that the Scanning Servers are active and available to serve the users. In case of failure of a Scanning Server, the traffic is distributed among the rest of the available Scanning Servers (the users will, however, have to re-establish their connection). In this topology, the load balancer has a redundant load balancer, working in the Vendor's Proprietary Redundancy Protocol mode (VRRP mode). For more information about load balancing, please refer to the Load Balancing Vital Security Scanning Servers Technical Brief.

NOTE: The Policy Server must communicate directly with all the Scanning Servers in the network and not via the VIP, therefore, all the Scanning Servers must be configured on the Policy Server.

Figure 12: Load Balancing Multiple Scanning Servers in Proxy Mode

Load Balancing Multiple Scanning Servers in Transparent Mode

Using a third party load balancer, it is possible to scale up and add additional Scanning Servers based on network growth and load of the Scanning Servers.

In Figure 13, the users in the network do not have any browser settings and are sending their requests directly to the original web and FTP servers (HTTPS is not supported in transparent mode). The load balancer, installed in-line, intercepts users' traffic and redirects the traffic to the best available server (based on load balancing algorithm). In this topology, the load balancer has a single farm with all the Scanning Servers in the farm. The default gateway of the Scanning Servers is the internal interface of the load balancer (the Scanning Servers' IP address should be part of the same network as the internal interface of the load balancer). The default gateway of the load balancer is the Firewall.

The load balancer performs periodical health checks in order to verify that the Scanning Servers are active and available to serve the users. In case of failure of a Scanning Server, the traffic is distributed among the rest of the available Scanning Servers (the users will, however, have to re-establish their connection). In this topology, the load balancer has a redundant load balancer, working in Vendor's Proprietary Redundancy Protocol mode (VRRP mode).

NOTE: The Policy Server must communicate directly with all the Scanning Servers in the network and not via the VIP, therefore, all the Scanning Servers must be configured on the Policy Server.

Figure 13: Load Balancing Multiple Scanning Servers in Transparent Mode

The traffic flow is as follows:

1. The user initiates a connection to a server in the Internet (HTTP, HTTPS or FTP) and sends the request to the proxy server, which is a virtual IP address, belonging to the load balancer and represents the cluster of Scanning Servers.
2. Based on the load balancing decision, the Load Balancer changes the original destination IP (the virtual IP) as well as the destination IP address and destination MAC address to the IP and MAC of the selected Scanning Servers.
4.6 NG-8100 Appliance

Vital Security Web Appliance NG-8100 is Finjan's real-time web security solution, recommended for enterprises/organizations with up to 250,000+ users. This solution delivers unmatched web security in a high performance, scalable and high availability integrated blade server appliance. NG-8100 utilizes Finjan's patented real-time content inspection technology to secure corporate networks against all types of web-borne attacks, including Spyware, Phishing, Trojans, obfuscated malicious code and other types of malicious content. This solution can be integrated with a Nortel Networks Layer 2-7 Gigabit Ethernet Switch Module Load Balancer to ensure compliance with the high performance and availability requirements of large enterprise networks.

Two main topologies are supported by the NG-8100:

- Distributed topology using Nortel Layer 2-3 Switch or Cisco Intelligent Gigabit Ethernet Switch
- Load Balancing of the Scanning Servers using Nortel Layer 4-7 Switch

Multiple Scanning Servers for different users groups using the Nortel Layer 2-3 Switch

Using the Nortel Layer 2-3 switch or the Cisco Intelligent Gigabit Ethernet switch with the Vital Security NG-8100 series, different users groups can be configured to work with different blades for different Scanning Servers for HTTP, HTTPS and FTP. In case transparency is required, a Layer 4 switch can be used in order to transparently redirect all HTTP and FTP traffic to the Scanning Servers in case of Scanning Server failure.
Figure 14: Multiple Scanning Servers for different users groups using the Nortel Layer 2-3 Switch

NOTE: In case of a Scanning Server failure there is no automatic failover. System administrators will have to manually change the proxy settings of the users configured to the failed Scanning Server or to manually replace the failed blade.

Load Balancing the Scanning Servers using the ICAP Protocol

Using the Nortel Layer 2-3 Switch or the Cisco Intelligent Gigabit Ethernet Switch with the Vital Security NG-8100 series, traffic is distributed to the Scanning Server via the ICAP protocol by an ICAP client (such as Blue Coat). In this topology, the Scanning Servers are configured as ICAP servers.

Load Balancing the Scanning Servers using Nortel Layer 2-7 switch

When using the Nortel Layer 2-7 Switch, all the users are configured to send their web traffic (HTTP, HTTPS and FTP) to a virtual IP address, which is managed by the Layer 2-7 Switch. The Layer 2-7 Switch distributes user traffic among the available Scanning Servers based on a user defined load balancing algorithm (such as round-robin, least users, etc). In case of Scanning Server failure, users are transparently redirected to another available Scanning Server.
Figure 15: Load Balancing of Scanning Server with Nortel Layer 2-7 Switch

Multi-Site Load Balancing using NG-8000 and Nortel Layer 2-7 Switch

For large organizations that need to install Scanning Servers in two different sites, this topology provides site redundancy by using the Nortel layer 2-7 Switch. In this topology, end users are configured to send their requests to a proxy server, which is a VRRP address, handled by both NG-8000. When both NG-8000 are up and running, only one of them manages all traffic and is considered to be the master, which is responsible for the VRRP address. When end users send their requests to the VRRP address, the Nortel layer 2-7 Switch makes a load balancing decision and redirects the end-user to one of the Scanning Servers, based on the load balancing algorithm. In case all Scanning Servers at one of the sites fail, the other Scanning Servers, on the other site, are still available to serve the user's requests.

NOTE: For this topology, it is mandatory to have layer 2 connectivity between the two locations.
Figure 16: Multi-Site Load Balancing using NG-8000 and Nortel Layer 2-7 Switch

4.7 Web Cache Communication Protocol

Given that WCCP allows integration between WCCP enabled routers and switches, using the Vital Security System in transparent mode means that there is no need to configure the end user's browser settings, since the redirection is performed by the WCCP enabled router. The end user sends the request to the original server, and the WCCP enabled router intercepts the request and redirects it to one of the Scanning Servers. The Scanning Server then scans the traffic and creates a new request (using the Scanning Server IP address as the source IP) and sends it to the original server. The introduction of WCCP allows the Vital Security system to support the following topologies.

Single Router with a Single Scanning Server

This topology is the basic WCCP topology. All web traffic is redirected to a single Scanning Server. Based on the router's configuration, traffic will be sent directly to the Internet if the Scanning Server fails.
Figure 17: Single Router and Single Scanning Server

Single Router with Multiple Scanning Servers

In this topology, multiple Scanning Servers are connected to a single router, and the router load balances traffic (equally) among all the Scanning Servers. Failure in a single Scanning Server does not affect the network since the other Scanning Servers take over and handle traffic.

Figure 18: Single Router and Multiple Scanning Servers

Multiple Routers with Multiple Scanning Servers

In this topology, multiple routers (or switches) are connected to multiple Scanning Servers. Each Scanning Server receives traffic from multiple routers.
Figure 19: Multiple Routers and Multiple Scanning Servers

WCCP and Authentication

In this topology traffic intercepted by the WCCP enabled router is redirected to the Scanning Server, which in turn redirects the user to the authentication device. After the authentication process is completed, the Scanning Server provides the information to the authenticated user.

Figure 20: WCCP and Authentication Device
4.7.5 Mobile Users Protection

Protecting mobile users is critical for organizations in order to prevent them from being infected while they are out of the organization's network. When a mobile user is out of the office and his/her laptop is not protected, there is a real danger that the user will get infected. A Trojan can be injected into the user's laptop, data can be stolen from the user, and the user may be exposed to many security risks.

Vital Security allows protecting mobile users while they are on the move, out of the corporate network, working from their home, traveling, or while connecting to any other unprotected network.

In this topology, the user accesses the Scanning Server via a VPN connection (or otherwise). The browser is configured to use a proxy server, which is the IP address of the Scanning Server. The user must establish a session (VPN or otherwise) with the firewall prior to browsing the Internet.

NOTE: When allowing remote users to access the Scanning Server, make sure that the User Access List is configured to allow this connection.

Figure 17: VPN Access between the Client and the Firewall
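A proxy auto-config (PAC) file is one way to point the mobile user's browser at the Scanning Server as described above. This added example (not Finjan's own configuration) shows a PAC function that sends external hosts only to the Scanning Server, next to a variant with a DIRECT fallback, and a helper that reports which hosts a PAC function lets out unscanned; the server address, port and internal domain are placeholder assumptions.

```javascript
// PAC engines in older browsers are ES3/ES5, so this file uses only `var`
// and plain function declarations, and no browser-provided PAC helpers.

// Assumed values (placeholders, not from the Finjan document).
var SCANNING_SERVER = "192.0.2.10:8080";     // Scanning Server IP:port
var INTERNAL_SUFFIXES = [".corp.example"];   // internal DNS suffixes

// True for loopback and RFC 1918 IPv4 literals.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  if (a > 255 || b > 255 || Number(m[3]) > 255 || Number(m[4]) > 255) return false;
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Internal destinations are reached through the VPN without the proxy.
function isInternalHost(host) {
  host = String(host).toLowerCase().replace(/\.$/, "");
  // Plain intranet name. The colon test keeps IPv6 literals (which contain
  // no dot) from being mistaken for plain names and sent DIRECT.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  if (isPrivateIPv4(host)) return true;
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    // Suffix match on a label boundary: "corp.example.evil.test" and
    // "notcorp.example" must NOT be treated as internal.
    if (host === s.slice(1) || host.slice(-s.length) === s) return true;
  }
  return false;
}

// Hardened form: external traffic has exactly one route, the Scanning Server.
// If the VPN session or the server is down, browsing fails instead of
// leaving the laptop unscanned.
function FindProxyForURL(url, host) {
  return isInternalHost(host) ? "DIRECT" : "PROXY " + SCANNING_SERVER;
}

// Weak form, for comparison: the "; DIRECT" fallback lets the browser go
// straight to the Internet whenever the proxy cannot be reached.
function FindProxyForURL_failOpen(url, host) {
  return isInternalHost(host) ? "DIRECT" : "PROXY " + SCANNING_SERVER + "; DIRECT";
}

// Audit helper: given a PAC function and a list of hosts known to be
// external, return those the PAC result allows to be fetched DIRECT.
function externalHostsAllowedDirect(pacFn, externalHosts) {
  var leaked = [];
  for (var i = 0; i < externalHosts.length; i++) {
    var host = externalHosts[i];
    var entries = String(pacFn("http://" + host + "/", host)).split(";");
    for (var j = 0; j < entries.length; j++) {
      if (entries[j].replace(/^\s+|\s+$/g, "").toUpperCase() === "DIRECT") {
        leaked.push(host);
        break;
      }
    }
  }
  return leaked;
}
```

Only `FindProxyForURL` is called by the browser; the fail-open variant and the audit helper are there for comparison and for checking a PAC file before it is distributed.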
Appendix Topology Summary

Placement Topology (assuming placement in DMZ): Simple Proxy mode
PC > FW > Finjan > FW > Web

Advantages | Disadvantages | Notes
- Full Authentication with MS AD
- Simple to install and manage (proxy.pac; AD-GPO; login scripts)
- Requires configuration changes on clients
- User credentials are passed in the DMZ
- May require load balancers
Placement Topology (assuming placement in DMZ): Proxy Chain Mode (Proxy Ahead or Upstream Proxy)
PC > FW > Proxy > Finjan > FW > Web

Advantages | Disadvantages | Notes
- No configuration changes required on clients
- Cached objects are downloaded from the Proxy server which minimizes delays (improved performance)
- Cached content is not subject to the latest security updates, nor to policy changes on Finjan
- Finjan cannot log access to cached content
- Depends on proxy to authenticate and pass user ID in http header
- May not be possible to set different policies for different users/groups of cached objects
- May require load balancers
- If a policy regarding valid content changes, Finjan cannot prevent subsequent access to this data
Placement Topology (assuming placement in DMZ): Proxy Chain Mode (Proxy Behind or Downstream Proxy)
PC > FW > Finjan > Proxy > FW > Web

Advantages | Disadvantages | Notes
- Proxy server controls timing and content availability behavior
- More secure - configuration changes on Finjan will scan any previously cached objects
- Can forward usernames and IP addresses in http header to proxy (if supported)
- Finjan has to scan every response - even if cached
- May require load balancers
- All accesses to cached content are subject to the logging policy, and are potentially logged by Finjan Vital Security
Placement Topology (assuming placement in DMZ): Transparent Mode
PC > FW > Switch > FW > Web
Finjan

Advantages | Disadvantages | Notes
- No special browser configuration is required
- Transparent to users
- Must configure Layer 4 router/switch
- Identification limited to IP Address
- User authentication requires that the web client application support http redirects and cookies
- May require load balancers
- May not work with very old browsers which do not provide host information
- Agents and other programs that do not work with authentication may be allowed by rule so they won't be blocked
- Transparency is unidirectional, upstream devices will see Finjan IP
Placement Topology (assuming placement in DMZ): ICAP
PC > FW > Proxy > FW > Web
Finjan

Advantages | Disadvantages | Notes
- No configuration changes required on clients
- Caching good data
- Inherent load balancing between cluster of Finjan appliances
- Configuration changes on Finjan may affect cached objects in Proxy
- There is about an 8% loss due to ICAP protocol overhead, but this can be offset by having the Proxy filter out protocols Finjan doesn't need to process such as streaming video
- Only Blue Coat and NetCache are supported
Placement Topology (assuming placement in DMZ): Web Cache Communication Protocol
PC > FW > WCCP > FW > Web
Finjan

Advantages | Disadvantages | Notes
- No special browser configuration is required
- Transparent to users
- Usage of existing equipment
- Built-in load balancing and failover
- Must configure router/switch
- User authentication requires that the web client application support http redirects and cookies
- Transparency is unidirectional, upstream devices will see Finjan IP
- The IOS must support WCCP.