This article discusses best practices when installing and deploying InterScan Web Security Virtual Appliance (IWSVA).
- IWSVA Installation Overview
- Properly Sizing Your Environment
- Selecting Deployment Method and Redundancy
This installation overview provides a quick reference on the order and key steps to install and configure InterScan Web Security Virtual Appliance (IWSVA) so that the core scanning, logging, and reporting features are working.
For complete instructions on installing IWSVA, refer to the following KB article:
- Information needed to install InterScan Web Security Virtual Appliance (IWSVA) 6.5
- Migrating to InterScan Web Security Virtual Appliance
To install and configure IWSVA:
- Obtain the latest IWSVA software and documentation set from the Trend Micro Download Center, or purchase the IWSVA installation disks. Product updates are also published on the Trend Micro Download Center.
- Register the product to obtain the Activation Codes. These will be required to activate IWSVA and its core modules. Products can be registered at Trend Micro Customer Licensing Portal (CLP).
- Review the IWSVA Customer Sizing Guide and IWSVA Installation Guide to determine the deployment topology and the number of IWSVA units required to support your environment.
- Install IWSVA and activate it with the Activation Codes obtained in Step 2. Use the Administration > Product License function to enter the codes.
- Download any service packs and critical patches that are applicable to the IWSVA product you installed.
Service packs and critical patches are version specific. Service packs are cumulative: the latest service pack contains the hot fixes and critical patches released before it, so earlier service packs do not need to be installed first. Best practice is to install the latest service pack for your IWSVA version, followed by any critical patches released after it, to bring the IWSVA unit up to date.
IWSVA provides operating system updates separately from application service packs. Download and apply the latest operating system patch along with the application service pack. Always read the patch's ReadMe file to familiarize yourself with the installation procedure before upgrading the system.
Use the Administration > System Updates functions to perform these tasks.
- Configure the system settings. This includes setting the system date and time, optional network settings (such as enabling SSH for remote access, allowing PING, and adding static routes), optional upstream proxy servers, SNMP, and so forth. Use the Administration function to perform these tasks.
- Connect IWSVA to a corporate LDAP server if you need to enforce policies, log events, and report Internet activity by LDAP user and/or group. Use the Administration > IWSVA Configuration > User Identification tab to perform this task.
- Review the default settings for the automatic pattern file and scan engine update intervals. Change to meet your needs if necessary. You can also perform a manual update for a newly installed IWSVA system to update the signature files and scan engines. Use the Updates function to perform these tasks.
- Configure log settings and external syslog servers to set the logging granularity and set up any third-party logging support. Review the default system log retention setting and change it if necessary. Use the Logs function to perform these tasks.
- Create policies to monitor and govern Internet traffic. Policies can be defined for the following protocols and traffic types: Application Control, HTTPS, HTTP, Applet & ActiveX, URL Filtering, Access Quota, and FTP. Use the Application Control, HTTP and FTP functions to perform these tasks.
- Define report templates and scheduled reports. Review the default number of scheduled reports to save for your daily, weekly, and monthly reports. If necessary, change to meet your needs. Use the Reports function to complete these tasks.
- Create additional administrator, auditor, or reporter accounts as a backup for your administrator account and to grant other users access to administrative and reporting functions. Use the Administration > Management Console > Account Administration function to complete this task.
- Back up the IWSVA configuration to keep a copy of the newly created configuration. Use the Administration > Config Backup/Restore function to complete this task.
- Optional installation steps may include the following:
- Customizing the notification messages
- Setting up IWSVA as Central Log/Reporting server
- Registering IWSVA to another IWSVA that is designated as Central Log/Reporting server
- Registering IWSVA to Trend Micro's Control Manager (TMCM) central management system
- Registering IWSVA to a Deep Discovery Analyzer (DDAN) Virtual Analyzer
Before installing IWSVA into your network, you must first determine how many IWSVA servers are required to support your company's user population and Internet activity.
Please refer to the IWSVA Customer Sizing Guide for detailed information on how to calculate the number of IWSVA units needed for your environment.
Things to consider for properly sizing your environment include:
- Number of total users in your company that will access the Internet
- Number of users accessing the Internet simultaneously
- Average number of concurrent sessions used by each active user
- Growth in user population and Internet use
- The type of server hardware being used
- The amount of bandwidth IWSVA needs to scan
- Redundancy and failover
Best Practice Suggestions
- Always size your environment for growth. Trend Micro does not recommend sizing a deployment on current peak loads alone, because Internet usage will always grow.
- Architect redundancy into the IWSVA deployment to remove single points of failure and to provide failover when a device fails.
- Redundant architectures must be designed to support your maximum number of users after failover to the backup or secondary unit. Otherwise, performance and response times will degrade when a unit fails.
IWSVA is one of the most flexible Web gateway security products for deployment options. IWSVA can be deployed in the following topologies:
- Forward Proxy
- Transparent Bridge
- Transparent Bridge for High Availability
- Reverse Proxy
- Simple Transparency
Each deployment mode has its benefits and serves a specific need. Be aware of the advantages and disadvantages of each mode before deciding how to install IWSVA into your network.
If you are considering redundant architectures, you must review and consider the following points:
- WCCP - IWSVA supports the Cisco WCCP protocol to allow you to build load sharing, redundancy, and scalability into your IWSVA architecture. If your routers and/or switches support Cisco WCCP, this is one of the most economical ways to add high availability features. One drawback of WCCP is that it can only redirect popular Internet protocols to the scanning devices efficiently. See the IWSVA ReadMe document for the WCCP versions supported.
- ICAP - IWSVA supports ICAP v1.0 devices to allow you to scan content from popular caching servers. ICAP can also be used to create a scalable architecture through a one-to-many configuration with several IWSVA servers connected to a single cache server. This is a popular option for customers who need to cache web content to reduce bandwidth consumption and to lower Internet latency.
- Squid - Until version 6.5 Service Pack 1, IWSVA bundled the popular open source caching program Squid to offer customers an economical way to cache web content without paying additional licensing fees. With IWSVA 3.1, Squid could be enabled through the IWSVA CLI and deployed as either a downstream or an upstream proxy in relation to IWSVA.
Starting with IWSVA 5.1, basic Squid configuration, reporting, and enablement were integrated into the IWSVA 5.1 Web console, and Squid is supported in upstream proxy mode with IWSVA 5.1. Squid support is offered through the open source community and is provided by Trend Micro on its Web Gateway products for convenience.
Since version 6.5 Service Pack 2, IWSVA has integrated Apache Traffic Server (ATS) in place of Squid for caching web content, with better performance.
- Proxy PAC File - Simple load sharing can be created through a proxy PAC file if you are deploying in Forward Proxy mode. Many customers have had good results with a PAC file that routes traffic to a specific IWSVA device based on source IP address or source network. This lets you scale manually and load-share users across many IWSVA servers without added cost or network complexity.
You can also configure the PAC file to return multiple proxy servers to build a simple redundancy solution. Be aware that not all browsers can interpret a multiple-proxy response; where a browser cannot, failover through the PAC file will not work.
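The following is an added example, not code from the Trend Micro article: a proxy PAC file that load-shares clients across two IWSVA forward proxies by source subnet and lists the other unit as failover, together with a small offline harness so the file can be tested before it is pushed to browsers. The hostnames iwsva1/iwsva2.corp.example, port 8080, and the subnets are assumptions made for illustration.

```javascript
// Added example (not from the Trend Micro article): a PAC file that shares
// load across two IWSVA forward proxies by client subnet, with the other unit
// as failover, plus an offline harness to exercise it before rollout.
// iwsva1/iwsva2.corp.example, port 8080 and the subnets are assumptions.

const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  // Internal names never leave the network, so send them direct.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  var me = myIpAddress();
  // Site A prefers iwsva1, site B prefers iwsva2, so both units carry load;
  // the second PROXY entry is used only if the first is unreachable.
  if (isInNet(me, "10.10.0.0", "255.255.0.0")) {
    return "PROXY iwsva1.corp.example:8080; PROXY iwsva2.corp.example:8080";
  }
  if (isInNet(me, "10.20.0.0", "255.255.0.0")) {
    return "PROXY iwsva2.corp.example:8080; PROXY iwsva1.corp.example:8080";
  }
  // Unplanned source subnet: still route through a gateway rather than
  // DIRECT, so no client silently bypasses scanning and policy.
  return "PROXY iwsva1.corp.example:8080; PROXY iwsva2.corp.example:8080";
}
`;

// --- Offline harness: minimal stand-ins for the helper functions a browser
// provides to PAC scripts. Not part of the PAC file that is deployed. ---

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function makeHelpers(clientIp) {
  return {
    myIpAddress: () => clientIp,
    isInNet: (ip, net, mask) =>
      (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask)),
    isPlainHostName: (host) => host.indexOf(".") === -1,
    dnsDomainIs: (host, domain) =>
      host.length >= domain.length && host.slice(-domain.length) === domain,
  };
}

// Compile the PAC source with the helpers bound as parameters, so the
// unmodified file runs outside a browser.
function loadPac(pacSource, clientIp) {
  const helpers = makeHelpers(clientIp);
  const names = Object.keys(helpers);
  const factory = new Function(...names, pacSource + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => helpers[n]));
}

function findProxy(clientIp, url, host) {
  return loadPac(PAC_SOURCE, clientIp)(url, host);
}

// Constructed sample clients: one per planned subnet, an internal host, and
// a client on a subnet the PAC does not know about.
const SAMPLE_CLIENTS = [
  ["10.10.5.23", "http://www.example.com/", "www.example.com"],
  ["10.20.7.9", "https://www.example.com/", "www.example.com"],
  ["10.20.7.9", "http://wiki.corp.example/", "wiki.corp.example"],
  ["192.168.99.4", "http://www.example.com/", "www.example.com"],
];

for (const [ip, url, host] of SAMPLE_CLIENTS) {
  console.log(`${ip} ${url} -> ${findProxy(ip, url, host)}`);
}
```

Only the text inside PAC_SOURCE is deployed; the harness exists so a change to the subnet map can be checked against known client addresses before it reaches thousands of browsers. Two caveats the harness cannot catch: myIpAddress() returns whichever interface address the browser picks, which on multi-homed or VPN-connected clients may not be the one you expect, and the failover behaviour of the multiple-proxy return string still has to be verified in each browser in your fleet, as the article notes.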
- Layer 4 Load Balancing Switches - IWSVA supports external load balancing switches in Forward Proxy mode using the "simple transparency" feature. An external load balancing switch adds cost and configuration complexity, but delivers the highest performance and flexibility in terms of redundancy and load sharing.
Commercial load balancers that Trend Micro customers have used successfully include Foundry Networks/Brocade, F5, and Citrix NetScaler. If cost is a consideration, open source software-based load balancers, such as those shipped with Red Hat Enterprise Linux, can also provide good scalability and redundancy options.
If installing under VMware, consider using VMware's redundancy and fault tolerant functions to create a robust and scalable solution. These include:
- vSphere Fault Tolerance Services
Be aware that at the time of this writing, vSphere Fault Tolerance under vCenter Server 4.x and 5.x supports 1 virtual CPU per protected virtual machine, and vCenter Server 6.0 supports up to 4 virtual CPUs, depending on licensing.
This allows a fully redundant solution to be built, but with lower performance because of the single-vCPU limit on those vCenter versions.
For more information on setting up a vSphere FT configuration, refer to the Best Practices Guide for Utilizing VMware Fault Tolerance for High Availability document on the VMware web site.
Best Practice Suggestions
- IWSVA uses a hybrid malware scanning architecture comprising cloud-based scanning and on-box scan engines, which provides one of the industry's highest detection and prevention rates. The cloud-based engines provide proactive detection and blocking based on reputation services, and those lookups depend on DNS resolution. To keep latency low, give IWSVA access to a fast and robust DNS architecture. Do not rely on ISP-provided DNS servers: the frequent DNS requests made by IWSVA may not be adequately supported and may overwhelm the ISP's DNS server.
- IWSVA's internal clock should be synchronized with the other servers and devices in your security architecture, including LDAP servers, syslog servers, and upstream SIEM devices. If the date and time are mismatched, event timestamps will not line up across systems and critical events may be logged and reported incorrectly. For best results, use the same set of NTP servers to sync the date and time on all devices.
- For high-volume installations of more than 3000 users, consider dedicating a server to the Squid caching function (if enabled). Under heavy load, IWSVA and Squid contend for the same disk I/O, which degrades cache hit performance and IWSVA's reporting performance. An alternative is to use two physical disk adapter cards in the same server with two separate disk volumes, one for IWSVA and one for Squid.
- For redundancy and scalability, consider installing more than one instance of IWSVA and using one of the scaling options mentioned in this section to eliminate single points of failure and improve system up time. Alternatively, two IWSVA devices can be installed as cluster pairs in High Availability deployment mode.
- For installations with an upstream proxy, you must properly configure IWSVA’s upstream proxy settings in the Forward Proxy settings and the Update Connection Settings to ensure proper Internet access.
- If you are planning to use IWSVA to protect external facing web servers that customers can access, consider installing a separate instance of IWSVA in reverse proxy mode to protect these web servers. Do not place the external facing web servers behind your corporate IWSVA server that your normal users would go through as this may affect your ability to enforce both customer facing policies and your normal corporate user policies.
- For installations in Transparent Bridge mode on VMware ESX, the external interface of IWSVA connects to a virtual switch that binds to a physical network adapter. Do not connect any other virtual machine to this virtual switch; leave it dedicated to IWSVA.
- After installing IWSVA, always check the Trend Micro download site for additional critical patches and/or service packs to ensure that the latest patches are installed.
Patches listed on the IWSVA Download site are listed in chronological order.
Always apply the latest application and OS patches for your specific version. IWSVA service packs are cumulative: the latest service pack contains all hot fixes and patches issued before its release date, so you do not need to install previous patches before the latest applicable service pack for your product. IWSVA may have the following patch types:
- Application Service Pack - a service pack or patch that is used to update the IWSVA application. The latest service pack will contain all previously released patches.
- OS Service Pack - a service pack or patch that is used to update the operating system and driver files. The latest service pack will contain all previously released patches.
- Critical Patch - a patch that is used to fix an urgent application or OS problem and will not contain previous patches. It is only issued to fix a specific problem.