Websense Content Gateway > Preparing to install Websense Content Gateway
Before installing Websense Content Gateway (Content Gateway) on a machine, perform the following tasks or consider the following issues.
1. Download the WebsenseCG76Setup_Lnx.tar.gz installer tar archive from mywebsense.com to a temporary directory.
2. Create a directory for the tar archive, and then move the archive to the new directory and unpack it there. For example:
   mv <installer tar archive> wcg_v76
   tar -xvzf <installer tar archive>
It is recommended that the Content Gateway machine have Internet connectivity before starting the installation procedure. The software installs without Internet connectivity, but Websense license keys (and licensed features) cannot be validated until Internet connectivity is available.
Physical access to the system is a security risk. Unauthorized users could gain access to the file system and, under more extreme circumstances, examine traffic passing through Content Gateway. It is strongly recommended that the Content Gateway server be locked in an IT closet and that a BIOS password be enabled.
Restrict root permissions to a select few people. This restriction helps preclude unauthorized access to the Websense Content Gateway file system.
Websense Content Gateway uses the following ports. They must be open to support the full set of Websense Web Security Gateway features. All are TCP ports unless otherwise noted.
If you customized any ports that Websense software uses for communication, replace the default port shown below with the custom port you implemented.
Restrict inbound traffic to as many other ports as possible on the Websense Content Gateway server. In addition, if your subscription does not include certain features, you can restrict inbound traffic to the unneeded ports. For example, if your subscription does not include Websense Data Security, you may choose to restrict inbound traffic to the ports related to Websense Data Security (e.g., 5819, 5820, 5821, and so forth).
Port table (port numbers not preserved in this copy of the page): HTTPS outbound, between Websense Content Gateway and the SSL outbound proxy; Websense Data Security configuration deployment and system health information.
If your server is running the Linux IPTables firewall, you must configure the rules in a way that enables Websense Content Gateway to operate effectively. See the IPTables for Content Gateway article in the Websense Technical Library.
Websense Content Gateway (Content Gateway) can be used as an explicit or transparent proxy. This section covers explicit proxy deployment and transparent proxy deployment.
Explicit proxy deployment requires pointing client Web browsers directly to Content Gateway for HTTP, HTTPS, or FTP-over-HTTP traffic. This is accomplished by using a PAC file or WPAD, or by having the user edit browser settings to point to Content Gateway. Explicit proxy deployment does not require a WCCP-enabled router.
One issue to consider with explicit deployment is that a user can point his or her browser to another destination to bypass Content Gateway. You can address this concern by setting and propagating browser configuration in your organization through Group Policy. For more information about Group Policy, search the Microsoft TechNet Web site at http://technet.microsoft.com. An additional way to mitigate the risk of users bypassing Content Gateway is to use corporate outbound firewall rules.
Multiple proxies can provide redundancy using Virtual Router Redundancy Protocol (VRRP). Using a single IP address, requests are sent to an alternate proxy in the event of a failure. VRRP is not invoked until one of the proxies fails. See RFC 3768 for information on VRRP.
For explicit proxy deployments, you must configure each client browser to send Internet requests to Content Gateway, over the ports that Content Gateway uses for the associated protocol.
Use the instructions below to configure client browsers manually.
Alternatively, use a PAC or WPAD file to configure client browsers.
The instructions below are for the most common client browsers. For other client browsers refer to the browser's documentation for instructions on manual explicit proxy configuration.
1.
2. Select Use a proxy server for your LAN.
3. Click Advanced.
4. For HTTP, enter the Content Gateway IP address and specify port 8080.
5. For Secure, enter the Content Gateway IP address and specify port 8080.
6. Clear Use the same proxy server for all protocols.
7. Click OK to close each screen in this dialog box.
1.
2. Select Settings.
3. Select Manual proxy configuration.
4. For HTTP Proxy, enter the Content Gateway IP address and specify port 8080.
5. For SSL Proxy, enter the Content Gateway IP address and specify port 8080.
6. Click OK to close each screen in this dialog box.
In transparent deployments, client requests are intercepted and redirected to Content Gateway without client involvement, via a WCCPv2-enabled router or a Layer 4 switch in your network. In a multiple-proxy deployment, a WCCPv2-enabled router can also provide load balancing among the proxies.
For transparent proxy deployment, configure your router to use WCCP v2, which supports both the HTTP and HTTPS protocols. See the Content Gateway Manager Help for additional information on configuring a WCCPv2-enabled router or a Layer 4 switch and on the ARM (Adaptive Redirection Module).
100 GB for the operating system, Websense Content Gateway, and temporary data.
The cache disk has the following requirements:
Should have a minimum size of 2 GB and a maximum of 147 GB for optimal performance.
Must be a raw disk, not a mounted file system (see the procedure later in this document for creating a raw disk from a mounted file system).
Must not be part of a software RAID.
Should be, for best performance, a 10K RPM SAS disk on a controller that has at least 64 MB of write-through cache.
Client machines, the destination Web server, and Websense Content Gateway must reside on different subnets.
To support WCCP, a Cisco switch requires the EMI or IP services image of the 12.2SE IOS release (or later). The switch must be able to rewrite the destination MAC address of frames traversing the switch, and it must be able to match traffic based on the Layer 4 protocol port (for example, TCP port 80).
Websense Content Gateway version 7.6 is certified on Red Hat Enterprise Linux 5 series, updates 3, 4, 5, or 6 base or Advanced Platform (32-bit only), and the corresponding CentOS version (number corresponds to the Red Hat version).
Although not certified, Websense, Inc. provides "best effort" support for newer versions of Red Hat Enterprise Linux. Under "best effort" support, Websense Technical Support makes a best effort to troubleshoot cases in standard fashion unless the issue is deemed a Red Hat Enterprise Linux-specific issue, at which point you must contact Red Hat directly for assistance.
Red Hat Enterprise Linux 6 series is not supported at this time.
Only kernels shipped with the above Linux versions are supported by Websense Content Gateway. Visit www.redhat.com for kernel information. To display the kernel version installed on your system, enter the command:
By default, Red Hat Enterprise Linux 5, update 3 and later has PAE enabled. If you are running the non-PAE kernel, reboot with the PAE-enabled kernel before installing Websense Content Gateway.
To display a list of RPMs installed on your system with the string "compat-libstdc" in their name, enter the command:
This must be the version of the krb5-workstation RPM that is bundled with your version of Red Hat Enterprise Linux.
To display a list of RPMs installed on your system with the string "krb5-workstation" in their name, enter the command:
Note that Red Hat Enterprise Linux 5, update 3 ships with glibc version 2.5-34. Be sure to update it to version 2.5-42 or later.
If SELinux is enabled, set it to permissive or disable it before installing Websense Content Gateway.
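The operating system requirements above (PAE kernel, glibc 2.5-42 or later, the compat-libstdc and krb5-workstation RPMs, SELinux not enforcing) can be checked before the installer is run. The script below is an added example and not Websense tooling; it assumes that uname -r, rpm -q, rpm -qa and getenforce are the commands behind each check, and each check takes its input as an argument so it can be exercised with constructed values rather than only on a real RHEL 5 host.

```shell
#!/bin/sh
# Added example (not Websense's own tooling): offline-testable prerequisite
# checks for the RHEL 5 requirements listed above. Each check takes the text
# it would normally read from a command as an argument; run_live_checks feeds
# it real command output when run on the target machine.

# Kernel release must be a PAE kernel, e.g. "2.6.18-194.el5PAE" (uname -r).
kernel_is_pae() {
  case "$1" in
    *PAE) return 0 ;;
    *)    return 1 ;;
  esac
}

# glibc must be 2.5-42 or later. Accepts the output of "rpm -q glibc",
# e.g. "glibc-2.5-42.el5" or "glibc-2.5-34"; returns 0 when acceptable.
glibc_ok() {
  v="${1#glibc-}"          # 2.5-42.el5
  base="${v%%-*}"          # 2.5
  rel="${v#*-}"            # 42.el5
  rel="${rel%%.*}"         # 42
  case "$rel" in
    ''|*[!0-9]*) return 1 ;;   # release is not a plain number (or not installed)
  esac
  [ "$base" = "2.5" ] && [ "$rel" -ge 42 ]
}

# SELinux must not be enforcing during installation (getenforce output).
selinux_ok() {
  [ "$1" != "Enforcing" ]
}

# rpm_present LISTING NAME: LISTING is "rpm -qa" output, NAME a package
# prefix such as compat-libstdc or krb5-workstation. Prints the matching
# packages and returns 0 only if at least one is installed.
rpm_present() {
  listing="$1"; name="$2"
  printf '%s\n' "$listing" | grep "^$name"
}

# Report the live state of this host (prints only; never modifies anything).
run_live_checks() {
  k=$(uname -r)
  if kernel_is_pae "$k"; then echo "kernel $k: PAE ok"; else echo "kernel $k: NOT a PAE kernel"; fi
  if command -v rpm >/dev/null 2>&1; then
    g=$(rpm -q glibc 2>/dev/null | head -n 1)
    if glibc_ok "$g"; then echo "glibc $g: ok"; else echo "glibc $g: update to 2.5-42 or later"; fi
    all=$(rpm -qa 2>/dev/null)
    for p in compat-libstdc krb5-workstation; do
      if rpm_present "$all" "$p" >/dev/null; then echo "$p: present"; else echo "$p: MISSING"; fi
    done
  fi
  if command -v getenforce >/dev/null 2>&1; then
    s=$(getenforce)
    if selinux_ok "$s"; then echo "SELinux $s: ok"; else echo "SELinux $s: set to permissive or disable before install"; fi
  fi
}

# Run the live report unless WCG_PRECHECK_QUIET=1 (hypothetical variable name).
[ "${WCG_PRECHECK_QUIET:-0}" = 1 ] || run_live_checks
```

The glibc check deliberately parses the RPM release number rather than comparing version strings lexically, because "2.5-42" and "2.5-58" must both pass while "2.5-34" (the update 3 baseline mentioned above) must fail.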
Version 7.6
Websense filtering software must be installed prior to Websense Content Gateway. When the filtering software is installed, Websense Content Gateway must be specified as the integration product. See Web Security Gateway (software-based), Web Security All, or Web Security Gateway Anywhere (software-based).
The order of installation does not matter: Websense Data Security may be installed before or after Websense Content Gateway.
Any version can be used via the ICAP interface. See the Content Gateway Manager Help for configuration instructions.
Websense Content Gateway is configured and maintained with a Web-based user interface called the Content Gateway Manager. Content Gateway Manager supports the following Web browsers:
The browser restrictions mentioned above apply only to the Content Gateway Manager and not to client browsers proxied by Websense Content Gateway.
Configure a hostname for the Websense Content Gateway (Content Gateway) machine and also configure DNS name resolution. Complete these steps on the machine on which you will install Content Gateway.
1. Enter the following command:
   hostname <host>
   where <host> is the name you are assigning this machine.
2. Update the HOSTNAME entry in the /etc/sysconfig/network file:
   HOSTNAME=<host>
3. Specify the IP address to associate with the hostname in the /etc/hosts file. The address should be static, not served by DHCP. The proxy uses this IP address in features such as transparent authentication and hierarchical caching. This entry must be the first line in the file. Do not delete the second line in the file (the one that begins with 127.0.0.1).
   where <FQDN> is the fully-qualified domain name of this machine (that is, <host>.<subdomain(s)>.<top-level domain>, for example myhost.example.com) and <host> is the same as in Step 1.
4. Configure DNS in the /etc/resolv.conf file:
   search <subdomain1>.<top-level domain> <subdomain2>.<top-level domain> <subdomain3>.<top-level domain>
   nameserver xxx.xxx.xxx.xxx
   nameserver xxx.xxx.xxx.xxx
This example demonstrates that more than one domain can be listed on the search line. Listing several domains may affect performance, because each domain is searched in turn until a match is found. The example also shows a primary and a secondary nameserver being specified.
DNS domains to search, such as internal domain names. Include any legacy domain names that your company might have acquired.
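The hosts-file layout described in Step 3 (static address first, loopback line retained) and the resolv.conf layout in Step 4 are easy to get wrong by hand. The script below is an added example, not part of the Websense documentation, that verifies both from files passed in as arguments; the host name wcg1, the address 10.0.0.5 and the domains in the sample files are constructed values.

```shell
#!/bin/sh
# Added example (not from the Websense documentation): checks that /etc/hosts
# and /etc/resolv.conf follow the layout described in the steps above. File
# paths are passed in so the checks can run against constructed copies.

# check_hosts FILE HOST FQDN: the first line must map a real (non-loopback)
# address to "<FQDN> <host>", the FQDN must start with the host name, and the
# 127.0.0.1 loopback line must still be present somewhere in the file.
check_hosts() {
  file="$1"; host="$2"; fqdn="$3"
  first=$(sed -n '1p' "$file")
  set -- $first                       # split first line: ip fqdn host
  [ $# -ge 3 ] || return 1
  case "$1" in
    *[!0-9.]*|127.*) return 1 ;;      # not a dotted IPv4 address, or loopback
  esac
  [ "$2" = "$fqdn" ] || return 1
  [ "$3" = "$host" ] || return 1
  case "$fqdn" in
    "$host".*) ;;                     # myhost.example.com starts with myhost.
    *) return 1 ;;
  esac
  grep -q '^127\.0\.0\.1[[:space:]]' "$file"
}

# count_search_domains FILE: number of domains on the "search" line. Each one
# is tried in turn until a match is found, so a long list costs lookup time.
count_search_domains() {
  line=$(grep '^search[[:space:]]' "$1" | head -n 1)
  [ -n "$line" ] || { echo 0; return; }
  set -- $line
  echo $(( $# - 1 ))
}

# count_nameservers FILE: number of "nameserver" lines (the layout above
# shows a primary and a secondary).
count_nameservers() {
  grep -c '^nameserver[[:space:]]' "$1" || true
}

# Constructed sample files (not real hosts) written to a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/hosts" <<'EOF'
10.0.0.5 wcg1.example.com wcg1
127.0.0.1 localhost.localdomain localhost
EOF
cat > "$demo_dir/resolv.conf" <<'EOF'
search example.com corp.example.com
nameserver 10.0.0.2
nameserver 10.0.0.3
EOF
if check_hosts "$demo_dir/hosts" wcg1 wcg1.example.com; then
  echo "hosts: ok"
else
  echo "hosts: layout does not match the steps above"
fi
echo "search domains: $(count_search_domains "$demo_dir/resolv.conf")"
echo "nameservers: $(count_nameservers "$demo_dir/resolv.conf")"
rm -rf "$demo_dir"
```

Pointing check_hosts at the real /etc/hosts after Step 3 catches the two common mistakes: putting the static entry below the 127.0.0.1 line, and deleting the loopback line altogether.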
For Websense Content Gateway to operate as a caching proxy, it must have access to at least one raw disk. Otherwise, Content Gateway can function as a proxy only.
This procedure is necessary only if you want to use a disk already mounted to a file system as a cache disk for Content Gateway. Perform this procedure before installing Content Gateway.
Do not use an LVM (Logical Volume Manager) volume as a cache disk.
The Content Gateway installer will irretrievably clear the contents of cache disks.
1. Enter the following command at the prompt to examine which file systems are mounted on the disk you want to use for the proxy cache:
   umount <file_system>
It is possible to add cache disks after Content Gateway is installed. For instructions, see the Content Gateway Manager Help.
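Because the installer irretrievably clears a cache disk, it is worth confirming that the chosen device satisfies the rules above (not mounted, not part of a software RAID, not an LVM volume, between 2 GB and 147 GB) before handing it over. The script below is an added example and not part of the Websense installer; it assumes the /proc/mounts and /proc/mdstat table formats, takes "pvs --noheadings -o pv_name" output for the LVM check, interprets GB as 1024^3 bytes, and passes all of these in as arguments so the decision logic can be tested with the constructed tables shown. The device names and sizes in the sample are constructed.

```shell
#!/bin/sh
# Added example (not part of the Websense installer): decides whether a block
# device may serve as a Content Gateway cache disk under the rules above.
# The /proc tables, the LVM listing and the size are passed in as arguments.

# is_mounted DEV MOUNTS_FILE: true if DEV or any partition of it appears in a
# /proc/mounts-style table ("device mountpoint fstype options 0 0").
is_mounted() {
  awk -v dev="$1" 'index($1, dev) == 1 { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# in_md_raid DEV MDSTAT_FILE: true if DEV (or a partition of it) is listed as
# a member of an md array, e.g. "md0 : active raid1 sdb1[0] sdc1[1]".
in_md_raid() {
  name=$(basename "$1")
  awk -v dev="$name" '/^md[0-9]+ :/ { for (i = 3; i <= NF; i++) if (index($i, dev) == 1) found = 1 }
                      END { exit found ? 0 : 1 }' "$2"
}

# is_lvm DEV PVS_OUTPUT: true if DEV (or a partition of it) is an LVM physical
# volume; PVS_OUTPUT is the text of "pvs --noheadings -o pv_name".
is_lvm() {
  printf '%s\n' "$2" | awk -v dev="$1" 'index($1, dev) == 1 { f = 1 } END { exit f ? 0 : 1 }'
}

# size_ok BYTES: 2 GB minimum and 147 GB maximum (assumption: GB = 1024^3).
size_ok() {
  min=$((2 * 1024 * 1024 * 1024))
  max=$((147 * 1024 * 1024 * 1024))
  [ "$1" -ge "$min" ] && [ "$1" -le "$max" ]
}

# cache_disk_eligible DEV MOUNTS_FILE MDSTAT_FILE PVS_OUTPUT BYTES: prints the
# first rule violated, or "eligible", and returns 0 only when eligible.
cache_disk_eligible() {
  if is_mounted "$1" "$2"; then echo "mounted: unmount it first (umount), then re-check"; return 1; fi
  if in_md_raid "$1" "$3"; then echo "member of a software RAID"; return 1; fi
  if is_lvm "$1" "$4"; then echo "LVM physical volume"; return 1; fi
  if ! size_ok "$5"; then echo "size outside the 2 GB to 147 GB range"; return 1; fi
  echo eligible
}

# Constructed sample tables: sdc is mounted, sdd/sde form md0, sdf is an LVM PV,
# and sdb is a free 20 GB disk.
demo=$(mktemp -d)
printf '/dev/sda1 / ext3 rw 0 0\n/dev/sdc1 /data ext3 rw 0 0\n' > "$demo/mounts"
printf 'Personalities : [raid1]\nmd0 : active raid1 sdd1[0] sde1[1]\n' > "$demo/mdstat"
pvs_out="  /dev/sdf"
twenty_gb=$((20 * 1024 * 1024 * 1024))
for d in /dev/sdb /dev/sdc /dev/sdd /dev/sdf; do
  printf '%s: ' "$d"
  cache_disk_eligible "$d" "$demo/mounts" "$demo/mdstat" "$pvs_out" "$twenty_gb" || true
done
rm -rf "$demo"
```

On the target machine the same function would be called with /proc/mounts, /proc/mdstat, the output of pvs, and the device size in bytes; a mounted result means the file system has to be unmounted (umount) and the check repeated before the disk is offered to the installer.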
Find the name of the network interface you want to use for cluster communication. This must be a dedicated interface.