Deployment and Installation Center
Websense TRITON Enterprise v7.6.x

Library Search:


Go to the table of contents Go to the previous page Go to the next page Go to the index
Upgrading or Merging Administrators

Upgrading or Merging Administrators
Applies to
*
Websense Web Filter 7.6
*
Websense Web Security 7.6
*
Websense Web Security Gateway 7.6
*
Websense Web Security Gateway Anywhere 7.6
*
Websense Data Security 7.6
*
Websense Email Security Gateway 7.6
*
Websense Email Security Gateway Anywhere 7.6
In this topic
*
Overview
*
admin account
*
Upgrading
*
Upgrading Web Security
*
Upgrading Data Security
*
Upgrading Web Security Gateway Anywhere
*
Merging
Overview
This article discusses what happens to Websense administrator accounts when upgrading from prior-version Web Security or Data Security solutions to version 7.6. It also describes what occurs when version 7.6 administrator accounts are restored from a backup to an existing system that already has administrator accounts configured.
For information about which prior versions are supported for upgrade and the upgrade process, see the version 7.6 Upgrade Center.
admin account
For version 7.6, the default, built-in Global Security Administrator account is named admin. This account has access to all administrative and management functions in the TRITON Unified Security Center. The account replaces the Web Security WebsenseAdministrator and Data Security admin accounts from prior versions.
Upgrading
Upgrading Web Security
When upgrading Web Security solutions to 7.6, Websense administrator accounts are upgraded as described here.
WebsenseAdministrator
This built-in default account is no longer used in version 7.6 TRITON Unified Security Center. Upon upgrade it is replaced by an account named admin which is the built-in default Global Security Administrator account in 7.6 TRITON Unified Security Center.
During installation of version 7.6 TRITON Unified Security Center, you are asked for a password to be used for the admin account.
If a prior-version Websense appliance is running on-appliance TRITON - Web Security, it is upgraded to version 7.6 TRITON Unified Security Center (Web Security module only). In this case, the admin account will be automatically configured to the password of the prior-version WebsenseAdministrator account.
Local accounts
Websense administrator accounts not authenticated against a directory service are referred to as local accounts. Local administrator accounts will appear in the upgraded system, however they must be assigned email addresses. In version 7.6, all administrator accounts must have an email address.
Users will still be able to use these accounts to log in to TRITON Unified Security Center. However, no changes in permissions can be made to them until an email address is specified. Also, without an email address, these accounts cannot use the password recovery feature or receive alerts.
Network accounts
Websense administrator accounts authenticated against a directory service are referred to as network accounts. The directory service used to authenticate network administrator accounts prior to upgrade will be used by version 7.6 TRITON Unified Security Center to authenticate network administrator accounts. Like local administrator accounts, prior-version network administrator accounts do not have email addresses specified. As part of the upgrade process, if the directory service contains an email address for a network administrator account, that address is automatically assigned to it in version 7.6 TRITON Unified Security Center.
 
* 
Important 
Prior to upgrade, if you are using Windows NT Directory to authenticate administrator accounts, configure the system to use a directory service supported in version 7.6 (see Windows NT Directory below).
Windows NT Directory
Prior to upgrade, if Windows NT Directory or Windows NT Directory/Active Directory (Mixed Mode) is used to authenticate network administrator accounts, configure the system to use a directory service supported in version 7.6 (see version 7.6 System Requirements). Do this prior to upgrade.
This process involves selecting a version 7.6-supported directory service as Logon Directory and then replacing each Windows NT-based or Mixed Mode account with one on the new directory service (see TRITON - Web Security Help for instructions on removing and adding accounts).
If this is not done, the accounts will not be usable in version 7.6. They will still appear as Web Security delegated administrators in version 7.6 TRITON Unified Security Center. However, users will be unable to log in with those accounts. Also, those accounts cannot be removed.
Other LDAP Directory
If Web Security has Logon Directory set to Other LDAP Directory—i.e., is configured to authenticate network administrator accounts against Other LDAP Directory instead of Active Directory (Native Mode) or Windows NT Directory/Active Directory (Mixed Mode)—upon upgrade, network administrator accounts will be authenticated against Generic Directory in version 7.6 TRITON Unified Security Center. This occurs even if a directory service supported by version 7.6 TRITON Unified Security Center was the configured directory service prior to upgrade. Note that this does not happen if Active Directory (Native Mode) was the configured Logon Directory prior to upgrade; in that case Active Directory is used post-upgrade.
It is important after upgrade that you verify the configured directory service (log in to the TRITON Unified Security Center and go to TRITON Settings > User Directory). Make any changes necessary.
Upgrading Data Security
When upgrading Data Security solutions to 7.6, Websense administrator accounts are upgraded as described here.
admin
Upon upgrade the prior-version admin account is replaced by the version 7.6 admin account which is the built-in default Global Security Administrator account in 7.6 TRITON Unified Security Center.
During installation of version 7.6 TRITON Unified Security Center, you are asked for a password to be used for the admin account.
Local accounts
Websense administrator accounts not authenticated against a directory service are referred to as local accounts. Local administrator accounts will appear in the upgraded system, however they must be assigned email addresses. In version 7.6, all administrator accounts must have an email address.
Users will still be able to use these accounts to log in to TRITON Unified Security Center. However, no changes in permissions can be made to them until an email address is specified. Also, without an email address, these accounts cannot use the password recovery feature or receive alerts.
Network accounts
Websense administrator accounts authenticated against a directory service are referred to as network accounts. The directory service used to authenticate network administrator accounts prior to upgrade will be used by version 7.6 TRITON Unified Security Center to authenticate network administrator accounts. Like local administrator accounts, prior-version network administrator accounts do not have email addresses specified. As part of the upgrade process, if the directory service contains an email address for a network administrator account, that address is automatically assigned to it in version 7.6 TRITON Unified Security Center.
In version 7.5, Data Security administrator accounts could be authenticated against multiple directory services. Whichever was used as the primary directory service for authentication is used upon upgrade to version 7.6. Version 7.5 administrator accounts authenticated against a non-primary directory service will still appear in version 7.6. However, users will not be able to log in with those accounts until a Data Security Super Administrator configures them to work with the proper directory service.
Upgrading Web Security Gateway Anywhere
Upgrading Web Security Gateway Anywhere involves both Web Security and Data Security administrator accounts. The application upgrade process for Web Security Gateway Anywhere comprises upgrading the Web Security portion to version 7.6 first and then upgrading (and merging) the Data Security portion.
Web Security administrator accounts are upgraded as described in Upgrading Web Security. It is important that local administrator accounts be assigned email addresses before merging Data Security accounts so proper merging can occur.
Next, Data Security administrator accounts are merged with the upgraded Web Security administrator accounts. Note that if a directory service is not configured prior to the merging of Data Security accounts, the primary directory service used by the incoming Data Security accounts will be used by the version 7.6 system.
Merging
When a TRITON backup is restored to a TRITON management server, the administrator accounts it contains must be merged with existing accounts.
Local accounts
TRITON administrator accounts not authenticated against a directory service are referred to as local accounts. If an incoming (from backup restore or upgrade merge) local account matches an existing local account on both name and email address, it is merged with the existing account. The permissions currently defined for the existing account are used.
If an incoming account matches an existing local account on either name or email address, but not both, it is rejected.
If an incoming local account's name matches an existing network account, it is imported but has its name modified by appending @local. For example, an incoming account with name user would be imported into the TRITON Unified Security Center as user@local. A Global Security Administrator or the appropriate Security Administrator must verify renamed accounts and resolve them with existing accounts as necessary.
If an existing modified name is already used, then incremented numbers are also included. For example user@local1, user@local2, and so on.
Network accounts
TRITON administrator accounts authenticated against a directory service are referred to as network accounts. The currently configured directory service is used to resolve incoming accounts. If not directory service is currently configured, then the directory service used by the incoming accounts is used.
Incoming accounts are matched to existing network accounts by LDAP distinguished name. If a match occurs, the account is merged with the existing account. The permissions currently defined for the existing account are used.
If an incoming network account's name matches that of an existing local account, it is imported but has its name modified by appending @network. For example, an incoming account with name user would be imported into the TRITON Unified Security Center as user@network. A Global Security Administrator or the appropriate Security Administrator must verify renamed accounts and resolve them with existing accounts as necessary.
If an existing modified name is already used, then incremented numbers are also included. For example user@network1, user@network2, and so on.

Quick Links



Go to the table of contents Go to the previous page Go to the next page Go to the index
Upgrading or Merging Administrators
(c) 2011 Websense, Inc. All Rights Reserved.