Microsoft ISA Server or Forefront TMG Integration > Installing Web Security to integrate with ISA Server or Forefront TMG
|
Installing Web Security to integrate with ISA Server or Forefront TMGTypically, Web Filter or Web Security is not installed on the same machine as ISA Server. The only Websense component installed on the ISA/TMG Server machine is the ISAPI Filter plug-in. See Web Filter or Web Security and ISA/TMG on separate machines.
Notes
It is a best practice to not install Websense components, except the ISAPI Filter plug-in, on the same machine as ISA Server.
When the ISAPI Filter plug-in is installed, Websense Control Service is installed automatically as well.However, if the machine has sufficient resources, Web Filter or Web Security may be installed on an ISA Server machine. The machine must have sufficient resources or the performance of both Web Filter or Web Security, and ISA Server may be affected.
NotesInstalling Websense components on the same machine as Forefront TMG is not supported. Forefront TMG runs on native 64-bit Windows Server 2008, while other Websense components are currently 32-bit running on Windows on Windows (WoW) subsystem over Windows Server 2008.Typically, Web Filter or Web Security components are installed on machines separate from ISA/TMG. In this case, installation is a two-part process:See Web Filter or Web Security (software-based) for instructions.
Websense Filtering Service must be installed on its machine before installing the ISAPI Filter plug-in on the ISA/TMG machine. When installing Filtering Service, it must be installed as integrated with ISA/TMG.
Port 55933 (Websense Control Service communication port) must be open locally, for the ISAPI Filter plug-in to be installed successfully. If installing other Websense components on the ISA Server machine, see Default ports.Run the Websense installer on the ISA Server machine and choose to install the plug-in only. See Installing the ISAPI Filter plug-in for ISA Server, below.
Do not attempt to install the ISAPI Filter plug-in for ISA Server on Windows Server 2008. This plug-in supports ISA Server 2004 and 2006 only, which are not supported on Windows Server 2008.A separate installer from Websense, referred to as the Forefront TMG plug-in installer, is used to install the ISAPI plug-in for Forefront TMG. See Installing the ISAPI Filter plug-in for Forefront TMG.
The ISAPI Filter plug-in for Forefront TMG is supported on only Windows 2008 R2 and Windows 2008 SP2 (x64). Do not attempt to run the Forefront TMG plug-in installer on any operating system but Windows 2008 R2 or Windows 2008 SP2 (x64).The Websense installer is used to install the Websense ISAPI Filter plug-in on the ISA Server machine. The following procedure is performed on the ISA Server machine.
As part of the installation process, you must stop the Microsoft Firewall service. Depending on your network configuration, doing so may stop network traffic. It is a best practice to perform this installation during a time when such stoppage would least affect your organization. Do not stop the Firewall service until instructed to do so by the installer.
Websense Filtering Service must be installed on its machine before installing the ISAPI Filter plug-in on this machine. When installing Filtering Service, be sure to specify it as integrated with ISA Server.
Port 55933 (Websense Control Service communication port) must be open locally, for the ISAPI Filter plug-in to be installed successfully.See Websense installer for instructions.
5.
6.
7.
8.
9. Follow the instructions in Installing Web Security components to install the ISAPI Filter plug-in.The link above goes to general instructions for installing any Web Security component. In the case of installing the ISAPI Filter plug-in, do the following as you complete the general procedure:
11. You can verify successful installation of the ISAPI Filter plug-in by logging into the ISA Server Management console.In the console, go to Configuration > Add-ins > Web Filters. WsISAFilter should be present in the list of Web Filters.The Forefront TMG plug-in installer is used to install the Websense ISAPI Filter plug-in for Forefront TMG. The following procedure is performed on the Forefront TMG machine.
The ISAPI Filter plug-in for Forefront TMG is supported on only Windows 2008 R2. Do not attempt to run the Forefront TMG plug-in installer on any operating system other than Windows 2008 R2.
As part of the installation process, you must stop the Microsoft Forefront TMG Firewall service (Firewall service). Depending on your network configuration, doing so may stop network traffic. It is a best practice to perform this installation during a time when such stoppage would least affect your organization. Do not stop the Firewall service until instructed to do so by the installer.
Websense Filtering Service must be installed on its machine before installing the ISAPI Filter plug-in on this machine. When installing Filtering Service, be sure to specify it as integrated with Forefront TMG.
Port 55933 (Websense Control Service communication port) must be open locally, for the ISAPI Filter plug-in to be installed successfully.
4.
5. On the Subscription Agreement screen, choose to accept the terms of the agreement and then click Next.
6. On the Filtering Service Communication screen, enter the IP address of the machine on which Filtering Service is installed and the port Filtering Service uses to communicate with integration products and Network Agent (default is 15868). Then click Next.
The port used by Filtering Service to communicate with integration products and Network Agent must be in the range 1024-65535. Filtering Service may have been automatically configured to use a port other than the default 15868. When Filtering Service is installed, if the installation program finds the default port to be in use, it is automatically incremented until a free port is found. To determine what port is used by Filtering Service, check the eimserver.ini file—located in C:\Program Files\Websense\bin (Windows) or
/opt/Websense/bin (Linux)—on the Filtering Service machine. In this file, look for the WebsenseServerPort value.Important: Do not modify the eimserver.ini file.
7.
8. On the Pre-Installation Summary screen, verify the information shown.Filtering Plug-in should be listed as the only component to be installed.
9. Click Install to start the installation. An Installing progress screen is displayed. Wait for the installation to complete.
10. When the Stop Microsoft Forefront TMG Firewall Service screen appears, stop the Microsoft Forefront TMG Firewall service (Firewall service) and then click Next.
Leave the Websense installer running as you stop the Firewall service, and then return to the installer to continue installation.To stop the Firewall service, go to the Windows Services management console (Administrative Tools > Services). Right-click Microsoft Forefront TMG Firewall, and then select Stop. When the service has stopped, return to the Websense installer and continue the installation process. The Firewall service may also be stopped from the Forefront TMG management console. See Microsoft's documentation for more information.
When the Firewall service is stopped, Forefront TMG goes into lockdown mode. Depending on your network configuration, network traffic may be stopped. Typically, the Firewall service must be stopped for only a few minutes.
Leave the Websense installer running as you start the Firewall service, and then return to the installer to continue installation.
12. To start the Firewall service, go to the Windows Services management console (Administrative Tools > Services). Right-click Microsoft Forefront TMG Firewall, and then select Start. The Firewall Service may also be started from the Forefront TMG management console. See Microsoft's documentation for more information.On the Installation Complete screen, click Done.
14. You can verify successful installation of the ISAPI Filter plug-in by logging into the Forefront TMG management console.In the console, go to System > Web Filters. WsISAFilter should be present in the list of Web Filters.
1. If the machine has sufficient resources, Websense software may be installed on the same machine as ISA Server. Install the Websense components you want on the other machines (i.e., those other than the ISA Server machine).See Web Filter or Web Security (software-based) for instructions.
Websense Filtering Service must be installed on its machine before installing the ISAPI Filter plug-in on the ISA Server machine. If Filtering Service will be on the ISA Server machine, it can be installed at the same time as ISAPI Filter plug-in. When installing Filtering Service, be sure to specify it as integrated with ISA Server.
If TRITON - Web Security is installed on the same machine as ISA Server, you must manually edit the ISA Server port as both TRITON - Web Security and ISA Server use port 8080 by default. After changing the ISA Server port, you need add it to the HTTP Traffic Managed by Integration list on the Settings > Network Agent > (Network Agent IP address) screen under Advanced Settings in TRITON - Web Security.
1.
d. Follow the installation instructions in Web Filter or Web Security (software-based) to select and install components.On the Select Components screen, be sure to select Filtering Plug-In along with any other Websense components to be installed on the ISA Server machine.
Microsoft ISA Server or Forefront TMG Integration > Installing Web Security to integrate with ISA Server or Forefront TMG
|