Websense Content Gateway > Preparing to install Websense Content Gateway

Preparing to install Websense Content Gateway

Applies to

Web Security Gateway v7.6

Web Security Gateway Anywhere v7.6

In this topic

Overview

Downloading the installer

Internet connectivity

Security of the Websense Content Gateway machine

Explicit or Transparent Proxying by Websense Content Gateway

System requirements for Websense Content Gateway

Hostname and DNS configuration for Websense Content Gateway

Preparing a cache disk for use by Websense Content Gateway

Preparing for a clustered deployment of Websense Content Gateway

Overview

Before installing Websense Content Gateway (Content Gateway) on a machine, perform the following tasks or consider the following issues.

Downloading the installer

1.	Download the WebsenseCG76Setup_Lnx.tar.gz installer tar archive, from mywebsense.com to a temporary directory.

2.	Create a directory for the tar archive, and then move the archive to the new directory. For example:

mkdir wcg_v76

mv <installer tar archive> wcg_v76

3.	Change to the directory you created in Step 2.

cd wcg_v76

4.	Unpack the tar archive:

tar -xvzf <installer tar archive>s

Internet connectivity

It is recommended that the Content Gateway machine have Internet connectivity before starting the installation procedure.The software will install without Internet connectivity, but Websense license keys (and licensed features) cannot be validated until Internet connectivity is available.

Security of the Websense Content Gateway machine

Consider these security issues prior to installing Websense Content Gateway (Content Gateway):

Physical security

Root permissions

Ports

Physical security

Physical access to the system can be a security risk. Unauthorized users could gain access to the file system, and under more extreme circumstances, examine traffic passing through Content Gateway. It is strongly recommended that the Content Gateway server be locked in an IT closet and that a BIOS password be enabled.

Root permissions

Ensure that root permissions are restricted to a select few persons. This important restriction helps preclude unauthorized access to the Websense Content Gateway file system.

Ports

Websense Content Gateway uses the following ports. They must be open to support the full set of Websense Web Security Gateway features. These are all TCP ports, unless otherwise noted.

Note  If you customized any ports that Websense software uses for communication, replace the default port shown below with the custom port you implemented.

Restrict inbound traffic to as many other ports as possible on the Websense Content Gateway server. In addition, if your subscription does not include certain features, you can restrict inbound traffic to the unneeded ports. For example, if your subscription does not include Websense Data Security, you may choose to restrict inbound traffic to those ports related to Websense Data Security (e.g., 5819, 5820, 5821, and so forth).

 

Port	Function
21	FTP
22	SSH for command-line access
53	DNS
80	HTTP
443	Inbound for transparent HTTPS proxy
2121	FTP
2048	WCCP for transparent proxy (if used)
3130	(UDP) ICP for ICP Cache Hierarchy
5819	Websense Data Security fingerprint detection
5820	Websense Data Security fingerprint synchronization
5821	Websense Data Security fingerprint configuration
5822	Websense Data Security fingerprint configuration
5823	Websense Data Security fingerprint configuration
8070	SSL inbound
8071	SSL Manager interface
8080	Inbound for explicit HTTP and HTTPS proxy
8081	Websense Content Gateway management interface
8083	Autoconfiguration for clustering
8084	Process Manager for clustering
8085	Logging server for clustering
8086	Clustering
8087	Reliable service for clustering
8088	(UDP) Multicast for clustering
8090	HTTPS outbound (between Websense Content Gateway and the SSL outbound proxy)
8880	Websense Data Security configuration
8888	Websense Data Security configuration deployment and system health information
8889	Websense Data Security configuration deployment and system health information
8892	Websense Data Security system logging
9080	Websense Data Security statistics and system health information
9081	Websense Data Security statistics and system health information
9090	Websense Data Security diagnostics
9091	Websense Data Security diagnostics
18303	Websense Data Security local analysis
18404	Websense Data Security remote analysis
55826
55827

IPTables Firewall

If your server is running the Linux IPTables firewall, you must configure the rules in a way that enables Websense Content Gateway to operate effectively. See the IPTables for Content Gateway article in the Websense Technical Library.

Explicit or Transparent Proxying by Websense Content Gateway

Websense Content Gateway (Content Gateway) can be used as an explicit or transparent proxy. This section contains the following topics:

Explicit proxy

Configuring client browsers for explicit proxy

Configuring Internet Explorer 7.0 and later for explicit proxy by Content Gateway

Configuring Firefox 3.x for explicit proxy by Content Gateway

Explicit proxy

Explicit proxy deployment requires directly pointing client Web browsers to Content Gateway for HTTP, or HTTPS, or FTP-over-HTTP traffic. This is accomplished by a using a PAC file, WPAD, or by having the user edit browser settings to point to Content Gateway. Explicit proxy deployment does not require a WCCP-enabled router.

One issue to consider with explicit deployment is that a user can point his or her browser to another destination to bypass Content Gateway. You can address this concern by setting and propagating browser configuration in your organization through Group Policy. For more information about Group Policy, search the Microsoft TechNet Web site at http://technet.microsoft.com. An additional way to mitigate the risk of users bypassing Content Gateway is the use of corporate outbound firewall rules.

Multiple proxies can provide for redundancy using Virtual Router Redundancy Protocol (VRRP). Using a single IP address, requests are sent to an alternate proxy in the event of failure. VRRP is not invoked until there is a failure with one of the proxies. See RFC 3768 for information on VRRP.

Configuring client browsers for explicit proxy

For explicit proxy deployments, you must configure each client browser to send Internet requests to Content Gateway, over the ports that Content Gateway uses for the associated protocol.

The default proxy port in Content Gateway for both HTTP and HTTPS traffic is 8080.

Use the instructions below to configure client browsers manually. Alternatively, use a PAC or WPAD file to configure client browsers.

 

Note  The instructions below are for the most common client browsers. For other client browsers refer to the browser's documentation for instructions on manual explicit proxy configuration.

Configuring Internet Explorer 7.0 and later for explicit proxy by Content Gateway

1.	In Internet Explorer, select Tools > Internet Options > Connections > LAN Settings.

2.	Select Use a proxy server for your LAN.

3.	Click Advanced.

4.	For HTTP, enter the Content Gateway IP address and specify port 8080.

5.	For Secure, enter the Content Gateway IP address and specify port 8080.

6.	Clear Use the same proxy server for all protocols.

7.	Click OK to close each screen in this dialog box.

Configuring Firefox 3.x for explicit proxy by Content Gateway

1.	In Firefox, select Tools > Options > Advanced, and then select the Network tab.

2.	Select Settings.

3.	Select Manual proxy configuration.

4.	For HTTP Proxy, enter the Content Gateway IP address and specify port 8080.

5.	For SSL Proxy, enter the Content Gateway IP address and specify port 8080.

6.	Click OK to close each screen in this dialog box.

Transparent proxy

In transparent deployments, client requests are intercepted and redirected to Content Gateway, without client involvement, via a WCCPv2-enabled router or Layer 4 switch in your network. In multiple-proxy deployment, a WCCPv2-enabled router can also facilitate load balancing among the proxies.

See the Content Gateway Manager Help for additional information on configuring a WCCPv2-enabled router or a Layer 4 switch, and about the ARM (Adaptive Redirection Module).

Configuring a router for transparent proxy by Content Gateway

For transparent proxy deployment, configure your router to use WCCP v2, which can support both the HTTP and HTTPS protocols. See the Content Gateway Manager Help for additional information on configuring a WCCPv2-enabled router or a Layer 4 switch and on the ARM (Adaptive Redirection Module).

System requirements for Websense Content Gateway

Hardware

Software

Preparing a cache disk for use by Websense Content Gateway

Hardware

 

CPU	Quad-core running at 2.8 GHz or faster
Memory	4 GB
Disk space	2 disks: 100 GB for the operating system, Websense Content Gateway, and temporary data.
	147 GB for caching If caching will not be used, this disk is not required. The caching disk: Should have minimum size of 2 GB, maximum 147 GB for optimal performance Must be a raw disk, not a mounted file system (for instructions on creating a raw disk from a mounted file system.) Must be dedicated Must not be part of a software RAID Should be, for best performance, a 10K RPM SAS disk on a controller that has at least 64MB of write-through cache
Network Interfaces	2

To support transparent proxy deployments

Router

Must support WCCP v2. A Cisco router must run IOS 12.2 or later. Client machines, the destination Web server, and Websense Content Gateway must reside on different subnets.

—or— Layer 4 switch

You may use a Layer 4 switch rather than a router. To support WCCP, a Cisco switch requires the EMI or IP services image of the 12.2SE IOS release (or later). Websense Content Gateway must be Layer 2 adjacent to the switch. The switch must be able to rewrite the destination MAC address of frames traversing the switch. The switch must be able to match traffic based on the layer 4 protocol port (i.e., TCP port 80).

Software

Linux operating system

Websense Content Gateway version 7.6 is certified on Red Hat Enterprise Linux 5 series, updates 3, 4, 5, or 6 base or Advanced Platform (32-bit only), and the corresponding CentOS version (number corresponds to the Red Hat version).

Although not certified, Websense, Inc. provides "best effort" support for newer versions of Red Hat Enterprise Linux. Under "best effort" support, Websense Technical Support makes a best effort to troubleshoot cases in standard fashion unless the issue is deemed a Red Hat Enterprise Linux-specific issue, at which point you must contact Red Hat directly for assistance.

 

Note  Red Hat Enterprise Linux 6 series is not supported at this time.

Only kernels shipped with the above Linux versions are supported by Websense Content Gateway. Visit www.redhat.com for kernel information. To display the kernel version installed on your system, enter the command:

/bin/uname -r

 

PAE (Physical Address Extension)-enabled kernel required

By default, Red Hat Enterprise Linux 5, update 3 and later has PAE enabled. If you are running the non-PAE kernel, reboot with the PAE-enabled kernel before installing Websense Content Gateway.

RPM compat-libstdc++-33-3.2.3-47.3.i386.rpm (or higher version of this package)

To display a list of RPMs installed on your system with the string "compat-libstdc" in their name, enter the command:

rpm -qa |grep compat-libstdc

libgdbm.so.2 required

RPM krb5-workstation-*.rpm

This must be the version of the krb5-workstation RPM that is bundled with your version of Red Hat Enterprise Linux.

To display a list of RPMs installed on your system with the string "krb5-workstation" in their name, enter the command:

rpm -qa |grep krb5-workstation

GNU C library (glibc) version 2.5-42 or later

Note that Red Hat Enterprise Linux 5, update 3 ships with glibc version 2.5-34. Be sure to update it to version 2.5-42 or later.

Example command to update this library (running as root): yum update glibc.

SELinux set to permissive or disabled

Important  If SELinux is enabled, set it to permissive or disable it before installing Websense Content Gateway.

Websense Web filtering components

(Websense Web Security Gateway, Websense Web Security, Websense Web Filter)

Version 7.6

Important  Websense filtering software must be installed prior to Websense Content Gateway. When the filtering software is installed, Websense Content Gateway must be specified as the integration product. See Web Security Gateway (software-based), Web Security All, or Web Security Gateway Anywhere (software-based).

Integration with Websense Data Security

Version 7.6 (to take advantage of the co-located Data Security policy engine)

The order of installation does not matter. Websense Data Security may be installed before or after Websense Content Gateway.

Any version can be used via the ICAP interface. See the Content Gateway Manager Help for configuration instructions.

Web browsers

Websense Content Gateway is configured and maintained with a Web-based user interface called the Content Gateway Manager. Content Gateway Manager supports the following Web browsers:

Internet Explorer 7, 8, and 9

Mozilla Firefox 3 and later

 

Note  The browser restrictions mentioned above apply only to the Content Gateway Manager and not to client browsers proxied by Websense Content Gateway.

Hostname and DNS configuration for Websense Content Gateway

Configure a hostname for the Websense Content Gateway (Content Gateway) machine and also configure DNS name resolution. Complete these steps on the machine on which you will install Content Gateway.

1.	Configure the hostname:

hostname <host>

where <host> is the name you are assigning this machine.

Important  The hostname must be 15 characters or less.

2.	Update the HOSTNAME entry in the /etc/sysconfig/network file:

HOSTNAME=<host>

where <host> is the same as in Step 1.

3.

Specify the IP address to associate with the hostname in the /etc/hosts file. This should be static, and not served by DHCP. The proxy uses this IP address in features such as transparent authentication and hierarchical caching. This must be the first line in the file. Do not delete the second line in the file (the one that begins with 127.0.0.1).

xxx.xxx.xxx.xxx <FQDN> <host>

127.0.0.1 localhost.localdomain localhost

where <FQDN> is the fully-qualified domain name of this machine (i.e., <host>.<subdomain(s)>.<top-level domain>)—for example, myhost.example.com—and <host> is the same as in Step 1.

4.	Configure DNS in the /etc/resolv.conf file.

search <subdomain1>.<top-level domain> <subdomain2>.<top-level domain> <subdomain3>.<top-level domain>

nameserver xxx.xxx.xxx.xxx

nameserver xxx.xxx.xxx.xxx

This example demonstrates that more than one domain can be listed on the search line. Listing several domains may have an impact on performance, because each domain is searched until a match is found. Also, this example shows a primary and secondary nameserver being specified.

5.	Gather this information:

Default gateway (or other routing information)

List of your company's DNS servers and their IP addresses

DNS domains to search, such as internal domain names. Include any legacy domain names that your company might have acquired.

List of additional firewall ports to open beyond SSH (22) and the proxy ports (8080-8090). See Ports.

Preparing a cache disk for use by Websense Content Gateway

For Websense Content Gateway to operate as a caching proxy, it must have access to at least one raw disk. Otherwise, Content Gateway can function as a proxy only.

To create a raw disk for the proxy cache when all disks have a mounted file system:

Note  This procedure is necessary only if you want to use a disk already mounted to a file system as a cache disk for Content Gateway. Perform this procedure before installing Content Gateway.

Warning  Do not use an LVM (Logical Volume Manager) volume as a cache disk.

Warning  The Content Gateway installer will irretrievably clear the contents of cache disks.

1.	Enter the following command at the prompt to examine which file systems are mounted on the disk you want to use for the proxy cache:

df -k

2.	Open the file /etc/fstab and comment out or delete the file system entries for the disk.

3.	Save and close the file.

4.	Enter the following command for each file system you want to unmount:

umount <file_system>

where <file_system> is the file system you want to unmount.

When the Content Gateway installer prompts you for a cache disk, select the raw disk you created.

Note  It is possible to add cache disks after Content Gateway is installed. For instructions, see the Content Gateway Manager Help.

Preparing for a clustered deployment of Websense Content Gateway

If you plan to deploy multiple, clustered instances of Websense Content Gateway (Content Gateway):

Find the name of the network interface you want to use for cluster communication. This must be a dedicated interface.

Find or define a multicast group IP address.

Enter the following at a command line to define the multicast route:

route add <multicast.group address>/32 dev <interface_name>

where <interface_name> is the name of the interface used for cluster communication. For example:

route add 224.0.1.37/32 dev eth1

Websense Content Gateway > Preparing to install Websense Content Gateway