Installation and Deployment Considerations

While each NetSpective installation has its own technical considerations, most scenarios fall into the general categories shown in Table 1. The chart helps determine where to place the NetSpective appliance to meet a given access control goal or cost constraint. Note that NetSpective places one of its network cards (the Monitoring NIC) in promiscuous mode, which has implications in switched environments: a switch forwards unicast frames only to the port that owns the destination MAC address, so a promiscuous NIC on an ordinary switch port sees little more than broadcast traffic. In such cases, the traffic destined for a given gateway must be replicated or mirrored (a SPAN or mirror port on the switch) onto the switch port to which the Monitoring NIC of NetSpective is connected.

Network Layout              | Operational Priority:                | Operational Priority:
                            | User Control / Max. User Log Detail  | Minimum Cost / Global Control
----------------------------+--------------------------------------+------------------------------------------
Single NAT point, 1 DMZ     | NetSpective behind NAT               | Single NetSpective in DMZ
2+ NAT points, 1 DMZ        | Multiple NetSpectives behind NAT     | NetSpective in DMZ
2+ NAT points, 2+ DMZs      | Multiple NetSpectives behind NAT     | Multiple NetSpectives in all access DMZs

Table 1: NetSpective Network Location Reference Chart: Network Configuration vs. Deployment

In each case, a tradeoff exists between the network configuration/hardware and the desired policy goal. When user-based policies are employed, the appliance belongs in the same subnet as the client machines, on the inside of the NAT point, where each request still carries the originating client's address; upstream of the NAT point all clients appear as the translated address and per-user attribution is lost. Global policies, which need no per-user attribution, are better served by deploying the appliance upstream of the users.

Special considerations apply when caching proxies serve as Internet access gateways. The network depicted uses a caching proxy server with Network Address Translation across its network interfaces. If NetSpective is placed upstream of the NAT point (e.g., on the segment shared with the proxy's external interface), the caching proxy can fulfill a client request from its cache before the request ever reaches the external interface, so NetSpective never sees that request and cannot apply policy to it. In this case the cache should be emptied at installation time, so that previously cached content is fetched again and passes through NetSpective. Even when NetSpective is deployed behind the proxy/NAT point, clearing the proxy cache before installing NetSpective is useful for maximum benefit.

Additionally, a single gateway may not carry all of the protocols that NetSpective filters. For example, a proxy server could be configured to handle HTTP requests while a firewall handles FTP and NNTP. By carefully mirroring both the proxy's and the firewall's switch ports onto the port of the Monitoring NIC, NetSpective can cover this case with a minimal number of appliances (when the license does not call for more than one NetSpective, for example); alternatively, one appliance per gateway can be deployed for redundancy.
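A quick way to confirm that every gateway port is actually being mirrored onto the Monitoring NIC is to capture a sample of frames there and check that each filtered protocol shows up on the gateway that is supposed to carry it. The script below is an added illustration of that check and is not part of NetSpective or its documentation. It assumes frames have been reduced to (destination MAC, destination IP, destination TCP port) tuples, for instance from a tcpdump run with the -e option, which prints the link-layer header; the gateway MAC addresses, the proxy listener port 8080 and the sample captures are constructed for the example. Gateways are identified by destination MAC rather than IP because for routed traffic (FTP, NNTP) the IP header names the remote server, not the gateway.

```python
"""Mirror-port coverage check for a passive monitoring NIC (added example)."""
from collections import Counter

# Constructed topology: gateways keyed by the MAC address client frames are sent to.
GATEWAY_BY_MAC = {
    "00:11:22:33:44:01": "firewall",  # expected to carry FTP and NNTP
    "00:11:22:33:44:02": "proxy",     # expected to terminate client HTTP (assumed port 8080)
}
# Filtered protocols and the TCP destination ports that identify them on the wire.
# Port 80 is included so that HTTP sent straight to the firewall (proxy bypass) is visible.
PROTOCOL_BY_PORT = {21: "FTP", 119: "NNTP", 80: "HTTP", 8080: "HTTP"}
EXPECTED_GATEWAY = {"HTTP": "proxy", "FTP": "firewall", "NNTP": "firewall"}


def classify(frames):
    """Count frames per (gateway, protocol).

    Each frame is (dst_mac, dst_ip, dst_port). Frames to a non-gateway MAC
    (broadcast, other hosts) or on an unfiltered port are ignored.
    """
    seen = Counter()
    for dst_mac, _dst_ip, dst_port in frames:
        gateway = GATEWAY_BY_MAC.get(dst_mac.lower())
        protocol = PROTOCOL_BY_PORT.get(dst_port)
        if gateway and protocol:
            seen[(gateway, protocol)] += 1
    return seen


def mirroring_gaps(frames):
    """Return the filtered protocols whose expected gateway produced no frames on
    the monitoring NIC: the signature of a gateway switch port that is not mirrored."""
    seen = classify(frames)
    return sorted(p for p, gw in EXPECTED_GATEWAY.items() if seen[(gw, p)] == 0)


def misrouted(frames):
    """Return (gateway, protocol) pairs seen on an unexpected path, e.g. HTTP
    going through the firewall instead of the proxy (a policy bypass)."""
    return sorted(k for k in classify(frames) if EXPECTED_GATEWAY[k[1]] != k[0])


# Constructed capture: only the proxy's switch port is mirrored, so no frame
# addressed to the firewall MAC ever reaches the monitoring NIC.
PROXY_ONLY_MIRROR = [
    ("00:11:22:33:44:02", "10.0.0.2", 8080),
    ("00:11:22:33:44:02", "10.0.0.2", 8080),
    ("ff:ff:ff:ff:ff:ff", "10.0.0.255", None),  # broadcast, ignored
]
# Constructed capture with both gateway ports mirrored; one client bypasses the proxy.
BOTH_MIRRORED = PROXY_ONLY_MIRROR + [
    ("00:11:22:33:44:01", "198.51.100.7", 21),
    ("00:11:22:33:44:01", "198.51.100.9", 119),
    ("00:11:22:33:44:01", "203.0.113.5", 80),  # HTTP sent directly via the firewall
]

if __name__ == "__main__":
    print("proxy port only mirrored, gaps:", mirroring_gaps(PROXY_ONLY_MIRROR))
    print("both ports mirrored, gaps:", mirroring_gaps(BOTH_MIRRORED))
    print("both ports mirrored, misrouted:", misrouted(BOTH_MIRRORED))
```

An empty result from mirroring_gaps means each gateway's traffic is reaching the Monitoring NIC; a listed protocol means the switch port of the gateway expected to carry it still needs to be added to the mirror session. The misrouted check is a by-product worth keeping: clients whose HTTP goes to the firewall rather than the proxy are not being filtered by the proxy-side appliance at all.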