This chapter provides guidelines that will help you deploy SurfinCheck so that it suits the specific requirements of your organization. It will help you decide where to install SurfinCheck in your network, and determine the security policy required by your organization.
In many typical corporate networks, a Firewall and/or other proxy servers will exist prior to the installation of SurfinCheck.
In general, it is recommended to place the SurfinCheck Server after both the Firewall and any other proxy server, so that the SurfinCheck Server is the closest to the end-user machines.
SurfinCheck uses the source IP address of a client request to determine the appropriate security policy for the respective client user. This means that for such chaining of multiple proxies to function properly, all proxies must support IP forwarding.
You configure SurfinCheck to connect to a proxy server using the Proxy Settings tab in the Devices window.
A proxy server that is located between the clients and SurfinCheck Server might cause a problem. Consider the following scenario, involving two clients with different security policies accessing SurfinCheck via the same proxy server:
A workaround for this problem is to assign a separate proxy server for each group of users with the same security policy.
In the case of a proxy server that does not support user authentication, you can assign the group's security policy to the proxy server as if it were a user. This way SurfinCheck will select the correct policy even if the original IP address of the user is masked by the proxy.
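The masking problem and the per-group proxy workaround described above can be checked against a planned topology before deployment. The following Python sketch is an added example, not SurfinCheck code; the addresses, policy names and function names are constructed for illustration, and it assumes the proxies do not pass on the original client address.

```python
from collections import defaultdict

# Constructed sample data, not taken from SurfinCheck.
INTENDED = {                      # client IP -> policy the client should get
    "10.0.1.10": "accounting",
    "10.0.1.11": "accounting",
    "10.0.2.20": "developers",
}
SHARED = {ip: "10.0.9.1" for ip in INTENDED}          # one proxy for everyone
SPLIT = {"10.0.1.10": "10.0.9.1", "10.0.1.11": "10.0.9.1",
         "10.0.2.20": "10.0.9.2"}                     # one proxy per policy group


def audit_proxies(intended, via_proxy):
    """Return (assignable, conflicts) for the proxies in front of the server.

    assignable: proxy IP -> the single policy shared by all clients behind it
    conflicts:  proxy IP -> sorted policies that collide behind it
    """
    behind = defaultdict(set)
    for client, proxy in via_proxy.items():
        behind[proxy].add(intended[client])
    assignable = {p: next(iter(s)) for p, s in behind.items() if len(s) == 1}
    conflicts = {p: sorted(s) for p, s in behind.items() if len(s) > 1}
    return assignable, conflicts


def effective_policy(client, via_proxy, policy_by_source, default="default"):
    """Policy chosen from the source IP the server sees (the proxy's, if masked)."""
    source = via_proxy.get(client, client)
    return policy_by_source.get(source, default)


def mismatches(intended, via_proxy):
    """Clients whose effective policy differs from the intended one."""
    assignable, _ = audit_proxies(intended, via_proxy)
    table = {**intended, **assignable}   # proxies entered "as if they were users"
    return sorted(c for c in intended
                  if effective_policy(c, via_proxy, table) != intended[c])


if __name__ == "__main__":
    print(audit_proxies(INTENDED, SHARED)[1])
    print(mismatches(INTENDED, SHARED), mismatches(INTENDED, SPLIT))
```

A proxy that appears in `conflicts` cannot be given a single policy and needs to be split by group; a proxy in `assignable` can carry its group's policy as if it were a user.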
If your organization requires an extra secure environment, it is recommended that you place the SurfinCheck Server in a protected area of the network such as a demilitarized zone or a private network segment.
SurfinCheck's response time is mainly influenced by the number of clients accessing the server.
To support a corporate network with a large number of clients, you can deploy multiple SurfinCheck Servers to balance the load. All servers can access the same database or multiple synchronized databases. This is illustrated in the next section.
This configuration uses a single SurfinCheck Server.
Note: a group of client browsers having the same security policy may be connected to a local proxy server. This proxy is then connected to the SurfinCheck Server as a single client.
This configuration uses multiple SurfinCheck Servers to distribute the client load.
SurfinCheck allows you to enforce different security policies for departments and individual users within your organization. For example, you could define a rigid security policy blocking all Java applets for the Accounting department while defining a more permissive policy for developers.
It is recommended that you determine the security requirements specific to your organization prior to setting up groups and users.
Specifically, you should consider issues such as: