Deployment and Installation Center
Websense TRITON Enterprise v7.6.x

Websense Content Gateway > Preparing to install Websense Content Gateway

Before installing Websense Content Gateway (Content Gateway) on a machine, perform the following tasks or consider the following issues.
1. Download the WebsenseCG76Setup_Lnx.tar.gz installer tar archive from mywebsense.com to a temporary directory.
mkdir wcg_v76                        # directory the archive is moved into
mv <installer tar archive> wcg_v76
cd wcg_v76                           # unpack from inside that directory
tar -xvzf <installer tar archive>
It is recommended that the Content Gateway machine have Internet connectivity before starting the installation procedure. The software will install without Internet connectivity, but Websense license keys (and licensed features) cannot be validated until Internet connectivity is available.
Physical access to the system can be a security risk. Unauthorized users could gain access to the file system, and under more extreme circumstances, examine traffic passing through Content Gateway. It is strongly recommended that the Content Gateway server be locked in an IT closet and that a BIOS password be enabled.
Ensure that root permissions are restricted to a select few persons. This important restriction helps preclude unauthorized access to the Websense Content Gateway file system.
Websense Content Gateway uses the following ports. They must be open to support the full set of Websense Web Security Gateway features. These are all TCP ports, unless otherwise noted.
Note 
If you customized any ports that Websense software uses for communication, replace the default port shown below with the custom port you implemented.
Restrict inbound traffic to as many other ports as possible on the Websense Content Gateway server. In addition, if your subscription does not include certain features, you can restrict inbound traffic to the unneeded ports. For example, if your subscription does not include Websense Data Security, you may choose to restrict inbound traffic to those ports related to Websense Data Security (e.g., 5819, 5820, 5821, and so forth).
Websense Content Gateway (Content Gateway) can be used as an explicit or transparent proxy. This section contains the following topics:
Explicit proxy deployment requires directly pointing client Web browsers to Content Gateway for HTTP, HTTPS, or FTP-over-HTTP traffic. This is accomplished by using a PAC file, WPAD, or by having the user edit browser settings to point to Content Gateway. Explicit proxy deployment does not require a WCCP-enabled router.
One issue to consider with explicit deployment is that a user can point his or her browser to another destination to bypass Content Gateway. You can address this concern by setting and propagating browser configuration in your organization through Group Policy. For more information about Group Policy, search the Microsoft TechNet Web site at http://technet.microsoft.com. An additional way to mitigate the risk of users bypassing Content Gateway is the use of corporate outbound firewall rules.
Multiple proxies can provide for redundancy using Virtual Router Redundancy Protocol (VRRP). Using a single IP address, requests are sent to an alternate proxy in the event of failure. VRRP is not invoked until there is a failure with one of the proxies. See RFC 3768 for information on VRRP.
For explicit proxy deployments, you must configure each client browser to send Internet requests to Content Gateway, over the ports that Content Gateway uses for the associated protocol.
Note 
The instructions below are for the most common client browsers. For other client browsers refer to the browser's documentation for instructions on manual explicit proxy configuration.
1. In Internet Explorer, select Tools > Internet Options > Connections > LAN Settings.
2. Select Use a proxy server for your LAN.
3. Click Advanced.
4. For HTTP, enter the Content Gateway IP address and specify port 8080.
5. For Secure, enter the Content Gateway IP address and specify port 8080.
6. Clear Use the same proxy server for all protocols.
7. Click OK to close each screen in this dialog box.
1. In Firefox, select Tools > Options > Advanced, and then select the Network tab.
2. Select Settings.
3. Select Manual proxy configuration.
4. For HTTP Proxy, enter the Content Gateway IP address and specify port 8080.
5. For SSL Proxy, enter the Content Gateway IP address and specify port 8080.
6. Click OK to close each screen in this dialog box.
In transparent deployments, client requests are intercepted and redirected to Content Gateway, without client involvement, via a WCCPv2-enabled router or Layer 4 switch in your network. In multiple-proxy deployment, a WCCPv2-enabled router can also facilitate load balancing among the proxies.
See the Content Gateway Manager Help for additional information on configuring a WCCPv2-enabled router or a Layer 4 switch, and about the ARM (Adaptive Redirection Module).
For transparent proxy deployment, configure your router to use WCCP v2, which can support both the HTTP and HTTPS protocols. See the Content Gateway Manager Help for additional information on configuring a WCCPv2-enabled router or a Layer 4 switch and on the ARM (Adaptive Redirection Module).
* 147 GB for caching
If caching will not be used, this disk is not required.
The caching disk:
* Should have a minimum size of 2 GB, maximum 147 GB for optimal performance
* Must be a raw disk, not a mounted file system (for instructions on creating a raw disk from a mounted file system.)
* Must not be part of a software RAID
* Should be, for best performance, a 10K RPM SAS disk on a controller that has at least 64 MB of write-through cache
Client machines, the destination Web server, and Websense Content Gateway must reside on different subnets.
To support WCCP, a Cisco switch requires the EMI or IP services image of the 12.2SE IOS release (or later).
The switch must be able to rewrite the destination MAC address of frames traversing the switch.
The switch must be able to match traffic based on the layer 4 protocol port (i.e., TCP port 80).
* Websense Content Gateway version 7.6 is certified on Red Hat Enterprise Linux 5 series, updates 3, 4, 5, or 6 base or Advanced Platform (32-bit only), and the corresponding CentOS version (number corresponds to the Red Hat version).
* Although not certified, Websense, Inc. provides "best effort" support for newer versions of Red Hat Enterprise Linux. Under "best effort" support, Websense Technical Support makes a best effort to troubleshoot cases in standard fashion unless the issue is deemed a Red Hat Enterprise Linux-specific issue, at which point you must contact Red Hat directly for assistance.
Note 
Red Hat Enterprise Linux 6 series is not supported at this time.
* Only kernels shipped with the above Linux versions are supported by Websense Content Gateway. Visit www.redhat.com for kernel information. To display the kernel version installed on your system, enter the command:
* By default, Red Hat Enterprise Linux 5, update 3 and later has PAE enabled. If you are running the non-PAE kernel, reboot with the PAE-enabled kernel before installing Websense Content Gateway.
* Note that Red Hat Enterprise Linux 5, update 3 ships with glibc version 2.5-34. Be sure to update it to version 2.5-42 or later.
Important 
If SELinux is enabled, set it to permissive or disable it before installing Websense Content Gateway.
* Version 7.6
Important 
Websense filtering software must be installed prior to Websense Content Gateway. When the filtering software is installed, Websense Content Gateway must be specified as the integration product. See Web Security Gateway (software-based), Web Security All, or Web Security Gateway Anywhere (software-based).
The order of installation does not matter. Websense Data Security may be installed before or after Websense Content Gateway.
* Websense Content Gateway is configured and maintained with a Web-based user interface called the Content Gateway Manager. Content Gateway Manager supports the following Web browsers:
Note 
The browser restrictions mentioned above apply only to the Content Gateway Manager and not to client browsers proxied by Websense Content Gateway.
Configure a hostname for the Websense Content Gateway (Content Gateway) machine and also configure DNS name resolution. Complete these steps on the machine on which you will install Content Gateway.
where <host> is the name you are assigning this machine.
2. Update the HOSTNAME entry in the /etc/sysconfig/network file:
where <host> is the same as in Step 1.
3. Specify the IP address to associate with the hostname in the /etc/hosts file. This should be static, and not served by DHCP. The proxy uses this IP address in features such as transparent authentication and hierarchical caching. This must be the first line in the file. Do not delete the second line in the file (the one that begins with 127.0.0.1).
xxx.xxx.xxx.xxx <FQDN> <host>
where <FQDN> is the fully-qualified domain name of this machine (i.e., <host>.<subdomain(s)>.<top-level domain>)—for example, myhost.example.com—and <host> is the same as in Step 1.
4. Configure DNS in the /etc/resolv.conf file.
search <subdomain1>.<top-level domain> <subdomain2>.<top-level domain> <subdomain3>.<top-level domain>
nameserver xxx.xxx.xxx.xxx
nameserver xxx.xxx.xxx.xxx
This example demonstrates that more than one domain can be listed on the search line. Listing several domains may have an impact on performance, because each domain is searched until a match is found. Also, this example shows a primary and secondary nameserver being specified.
* DNS domains to search, such as internal domain names. Include any legacy domain names that your company might have acquired.
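The following check is an added example, not part of the Websense documentation: it verifies that a hosts file and a resolv.conf file follow the layout required in steps 3 and 4 above. The function names check_hosts and check_resolv are hypothetical, and the sample files and addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Websense code. check_hosts and check_resolv are
# hypothetical helper names; the sample files below are constructed.

# check_hosts FILE HOST: succeed only if FILE follows step 3.
check_hosts() {
    file=$1 host=$2
    # The first line must read "<static IP> <FQDN> <host>".
    read -r ip fqdn short rest < "$file" || true
    [ -n "$short" ] || { echo "first line needs: IP FQDN host"; return 1; }
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "not an IPv4 address: $ip"; return 1; }
    case $ip in 127.*) echo "first line is a loopback entry"; return 1 ;; esac
    # The FQDN must be <host>.<domain>, and the short name must be <host>.
    case $fqdn in
        "$host".?*) ;;
        *) echo "FQDN $fqdn does not start with $host."; return 1 ;;
    esac
    [ "$short" = "$host" ] || { echo "short name is $short, not $host"; return 1; }
    # The original 127.0.0.1 line must still exist below the first line.
    sed '1d' "$file" | grep -q '^127\.0\.0\.1[[:space:]]' ||
        { echo "127.0.0.1 line is missing"; return 1; }
    echo "hosts OK"
}

# check_resolv FILE: succeed only if at least one nameserver is listed.
check_resolv() {
    ns=$(grep -c '^nameserver[[:space:]]' "$1") || true
    [ "$ns" -ge 1 ] || { echo "no nameserver entries"; return 1; }
    # Every domain on the search line is tried in turn, so report the count.
    domains=$(awk '$1 == "search" { n = NF - 1 } END { print n + 0 }' "$1")
    echo "resolv OK: $ns nameserver(s), $domains search domain(s)"
}

# Constructed sample files (192.0.2.0/24 is a documentation range).
demo_dir=$(mktemp -d)
printf '%s\n' '192.0.2.10 myhost.example.com myhost' \
    '127.0.0.1 localhost.localdomain localhost' > "$demo_dir/hosts"
printf '%s\n' 'search example.com corp.example.com' \
    'nameserver 192.0.2.53' 'nameserver 192.0.2.54' > "$demo_dir/resolv.conf"
check_hosts "$demo_dir/hosts" myhost
check_resolv "$demo_dir/resolv.conf"
rm -rf "$demo_dir"
```

On the Content Gateway machine itself, call the functions with /etc/hosts, the hostname from Step 1, and /etc/resolv.conf.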
For Websense Content Gateway to operate as a caching proxy, it must have access to at least one raw disk. Otherwise, Content Gateway can function as a proxy only.
Note 
This procedure is necessary only if you want to use a disk already mounted to a file system as a cache disk for Content Gateway. Perform this procedure before installing Content Gateway.
1. Enter the following command at the prompt to examine which file systems are mounted on the disk you want to use for the proxy cache:
umount <file_system>
where <file_system> is the file system you want to unmount.
Note 
It is possible to add cache disks after Content Gateway is installed. For instructions, see the Content Gateway Manager Help.
* Find the name of the network interface you want to use for cluster communication. This must be a dedicated interface.
route add <multicast.group address>/32 dev <interface_name>
where <interface_name> is the name of the interface used for cluster communication. For example:

