Upgrading V-Series Appliance to 7.6It is estimated that installation of this upgrade takes approximately 100 minutes (one V-Series appliance and one Windows server), which includes:Back up your configuration files, log files, and policy databases from the appliance. See the following Solution Center article at www.websense.com/support: "How do I back up and restore the files on my appliance?"To ensure that you retain a copy of all logs, download the Content Gateway logging directory. Depending on their size, older logs may be removed automatically by the upgrade. Note that policy databases and Websense databases are not affected by the upgrade.Service may be disrupted for 50 to 60 minutes while the upgrade is being applied to the V-Series appliance and it restarts. Note that service is not disrupted while the off-box components are upgraded.Make sure Websense administrator accounts authenticated by a directory service have an email address specified in the directory service. In version 7.6, an email address is required for each administrator account (except group accounts). See Upgrading or Merging Administrators for more information.The following Content Gateway configuration settings are not preserved and must be reconfigured post-upgrade:
Proxy user authentication and access control filter (filter.config) configuration settings are not retained. These include:Multiple authentication methods with multiple authentication realms is expanded in version 7.6 and made more powerful with the addition of Integrated Windows Authentication. Multiple authentication realm rules used in 7.5 deployments must be recreated after upgrading to 7.6. Also, if NTLM was configured in 7.5, consider moving to Integrated Windows Authentication.Before upgrading, be prepared to reconfigure user authentication options and proxy filtering rules (often used to bypass authentication). It is recommended that copy your 7.5 filter.config file to a safe location for future reference.You may want to configure these new and enhanced features post-upgrade (for more information, see the Content Gateway Release Notes):
Integrated Windows Authentication (with Kerberos) provides more robust proxy user authentication with Windows Active Directory. If NTLM was a user authentication method in version 7.5, consider moving to Integrated Windows Authentication.
Multiple Realm Authentication is enhanced and now supports multiple authentication rules for multiple authentication realms.
Full clustering is deprecated in version 7.6. Multiple installations of Content Gateway can no longer form a single logical cache. After upgrade, consider configuring Managed clusters.
For deployments that use SSL Manager, SSL clustering is added to share SSL Manager settings among nodes in a cluster. It is configured separately from Managed clustering.If TRITON - Web Security is running on an appliance, the default WebsenseAdministrator user is replaced by a user named admin upon upgrade. The admin user will have the same password the WebsenseAdministrator user had prior to upgrade.The admin user is the new default administrator account for version 7.6. Use it in place of WebsenseAdministrator.Disable on-appliance TRITON - Web Security if both on- and off-appliance instances used in prior versionIf you had both on- and off-appliance instances of TRITON - Web Security running in version 7.5.x, disable the on-appliance instance after upgrading the appliance to version 7.6. To disable the on-appliance TRITON - Data Security:
1. Log on to the Appliance Manager (https://<C interface IP address>:9447/appmng)
2.
3.
4. Click Save.
5. When the process completes successfully, a TRITON Configuration link appears below the Disabled option.Use this link if you want to create a backup of TRITON settings that can be restored to the off-appliance TRITON Unified Security Center:
c. Save the TRITON backup file (EIP_bak.tgz) in a convenient location.
V-Series appliance services are disrupted (not available) while the patch is applied until the V-Series appliance completes its restart, approximately 50 to 60 minutes. It is best to perform the upgrade at a time when service demand is at a minimum.
1. If you have multiple V-Series appliances, read Upgrading multiple V-Series appliances prior to following this procedure.
3. Take all precautions to ensure that power to the V-Series appliance is not interrupted during the upgrade. Power failure can result in operating system and software component corruption.
5. Go to MyWebsense.com and select Downloads tab. Click Get Hotfixes & Patches. Select your appliance model and version.
Upgrade all Websense V-Series appliances to v7.6 before upgrading the Websense software on the Windows servers to v7.6. If your deployment uses several appliances, upgrade the primary appliance first (this is the appliance that hosts the policy source), then the secondaries, and finally the off-box components. See Upgrading multiple V-Series appliances, below.
7. If clustering is enabled in Content Gateway, you'll need to disable it. Log on to the Content Gateway Manager by pointing the browser to https://<IP-address-for-interface-C>:8081 and then:
a. Navigate to Configure > My Proxy > Basic > Clustering.
b.
c. Click Apply.
d. Restart Content Gateway.The user name is: admin.The password was set on your appliance when firstboot was run.
9. Navigate to Administration > Patch Management.
10. Click Browse, and select the v7.6 upgrade file.
11.
12. Click Install to apply the upgrade. It takes 40 to 50 minutes for the upgrade process to complete. During this time proxy services are unavailable to users.
13. When the installation is complete, restart the appliance right away; click Restart Now when prompted. Do not cycle the power.
14. When the appliance has restarted, log on to the Appliance Manager console and verify on the Configuration > General page that the V-Series version is 7.6.In rare cases, when logging in to the Appliance Manager for the first time after upgrade, your browser may show an HTTP Status - Internal Error page. If this occurs, cycle the power to the appliance. Once the appliance has restarted, you should be able to log in.
16. Upgrade all Websense modules running off the appliance (such as TRITON - Web Security and Log Server).See Upgrading Web Security or Web Filter to 7.6.0 for instructions.
17. To confirm that the Windows components were successfully upgraded, log on to TRITON Unified Security Center.When multiple V-Series appliances are deployed on the same network, it is very important that they be upgraded in the prescribed order.Multiple V-Series appliances (1 full policy source, 1 or more user directory and filtering and/or filtering only). Policy Broker and Policy Server run on the primary:
1. Upgrade the full policy source V-Series appliance and immediately restart when the upgrade completes.
2. Sequentially apply the upgrade to all user directory and filtering appliances. Restart each appliance when the upgrade completes.
3. Sequentially apply the upgrade to all filtering only appliances.
Restart each appliance when the upgrade completes.If you have multiple V-Series appliances with full policy source (Policy Broker and Policy Server) located off-appliance
1. Use the version 7.6 Websense installer to upgrade only Policy Broker and Policy Server. See Upgrading Web Security or Web Filter to 7.6.0 for instructions.
2. Apply the v7.6 upgrade to each appliance and immediately restart as each upgrade completes.
3. Use the version 7.6 Websense installer to upgrade remaining off-appliance components. See Upgrading Web Security or Web Filter to 7.6.0 for instructions.Best practice is to upgrade the full policy source appliance first, then the user directory and filtering, then filtering only appliances, and finally the off-appliance Websense components.However, if your site must upgrade a user directory and filtering or filtering only appliance before the full policy source appliance, or if your full policy source appliance is unavailable, is being replaced, or is being re-imaged, then set a user directory and filtering or filtering only appliance (temporarily) to be the full policy source. To do this:
1. On that secondary appliance, in the V-Series console, move to the page Configuration > Web Security Components.
2. After the original full policy source appliance has been upgraded, replaced, or re-imaged, change the upgraded temporary full policy source machine to point to the original full policy source again for its policy information. To do this:
2. On the previously upgraded secondary appliance, in the V-Series console, move to the page Configuration > Web Security Components.
3. For Policy Source, select User directory and filtering or Filtering only and enter the IP address of the primary appliance. Save the setting.
4. Use the version 7.6 Websense installer to upgrade remaining off-appliance components. See Upgrading Web Security or Web Filter to 7.6.0 for instructions.Upgrading clustered appliances to version 7.6 requires a service disruption while each node of the cluster is upgraded.Members of the cluster are upgraded serially, restarted, and then Content Gateway services are stopped until all nodes are upgraded. Then Content Gateway is started on all members of the cluster.
Full clustering is not supported in version 7.6. Prior to upgrading a V-Series appliance, it must be configured to Single Node (i.e., not clustered). After upgrade, you can set the appliance to Management Clustering if you want. However, note that this is a different type of clustering than full clustering. See the Content Gateway Manager Help for more information.
2. After the restart is complete, when all services are available, immediately stop the Content Gateway services.
b.
c.
d. When prompted, click OK to continue.
If Virtual IP is enabled, for a short time there will be an IP address conflict. After Content Gateway services are stopped, the conflict goes away.
b. Navigate to Status > Modules.
c. After upgrading a filtering only V-Series appliance to version 7.6, use TRITON - Web Security to verify your Network Agent local settings. Go to Settings > Network Agent, highlight the Global option, and select the Network Agent IP address (the IP address of the appliance C interface). Then verify:
The Filtering Service IP address.This is usually the IP address of the C interface.
The option selected for If Filtering Service is unavailable (Permit or Block).
The HTTP traffic and Configure this Network Agent instance to ignore traffic... options under Advanced Network Agent Settings.After caching and saving any changes to these settings, select the NIC-2 link in the Network Interface Cards table to open the NIC Configuration page. Verify that:
The Integrations section shows the correct logging and filtering settings.
The Protocol Management include the correct filtering and bandwidth measurement settings.After upgrading, Tunneled Protocol Detection and Rich Internet Scanning become enabled by default (even if they were disabled prior to upgrade). Due to system resources used by these features, they should be disabled if you do not use them.