Deployment and Installation Center
Websense TRITON Enterprise v7.6.x

Go to the table of contents Go to the previous page Go to the next page Go to the index
Upgrading Websense Content Gateway to 7.6.0

Upgrading Websense Content Gateway to 7.6.0
This section of the Websense Technical Library covers upgrading software-based Websense Content Gateway installations (i.e., not running on a Websense appliance).
Perform an upgrade by running the Content Gateway installer on a machine with a previous version of Content Gateway installed. The installer detects the presence of Content Gateway and upgrades it to the current version.
Important 
The installation location of Content Gateway is made uniform in 7.6. The default location, /opt/WCG, is the actual location of every 7.6 installation post-upgrade. The upgrade process detects installations in other locations and moves the installation to /opt/WCG.
Important:
In 7.6, in explicit proxy deployments, when HTTPS (SSL Manager) is enabled, PAC files and browsers must be configured to send HTTPS traffic to Content Gateway on port 8080. The ipnat.config rule that was used in previous releases to redirect traffic from 8070 to 8080 has been removed.
Note 
Important 
The upgrade from version 7.1 to 7.5 requires a Red Hat Enterprise Linux operating system version upgrade followed by a fresh install of 7.5.
Follow the upgrade procedures documented with each intermediate version. To perform an intermediate upgrade, download the installer package for the intermediate version from the Websense Downloads site:
Important 
When performing intermediate upgrades, be sure to read the Websense Content Gateway Installation Guide and its upgrade supplement for each upgrade version. They contain important information specific to upgrading between particular versions that may not be found in this version of the upgrade supplement.
Due to the timing of Content Gateway releases 7.5.3 and 7.6.0, a small number of 7.5.3 corrections could not be included in 7.6.0. These include:
Before upgrading Content Gateway, make sure the installation machine meets the system recommendations in System requirements for Websense Content Gateway, including hardware specifications, operating system, and browser.
*
If upgrading Red Hat Enterprise Linux, upgrade the operating system before upgrading Content Gateway. The Content Gateway installer installs a version of ARM that is compatible with the current Red Hat kernel version.
*
If configured, disable Virtual IP failover and leave it disabled until all members of the cluster are upgraded and clustering has been re-enabled.
*
If configured, disable clustering and leave clustering disabled until all members of the cluster are upgraded. All cluster members must run the same version of Content Gateway and should, therefore, be upgraded at the same time. When all nodes are upgraded, re-enable clustering and restart Content Gateway (restarting any node causes all nodes to restart).
*
FTP caching. If FTP caching was enabled in your 7.5 configuration, it is disabled during upgrade. The configuration option is removed from 7.6 Content Gateway Manager.
*
ARM Security. If ARM Security was enabled in your 7.5 configuration, it is disabled during upgrade. The configuration option is removed from 7.6 Content Gateway Manager.
*
Congestion Control. If Congestion Control was enabled in your 7.5 configuration, it is disabled during upgrade. The configuration option is removed from 7.6 Content Gateway Manager.
*
ICP Peering. If ICP Peering was enabled in your 7.5 configuration, it is disabled during upgrade. The configuration option is removed from 7.6 Content Gateway Manager.
The following configuration settings are not preserved and must be reconfigured post-upgrade:
Multiple authentication methods with multiple authentication realms is expanded in version 7.6 and made more powerful with the addition of Integrated Windows Authentication. Multiple authentication realm rules used in 7.5 deployments must be recreated after upgrading to 7.6. Also, if NTLM was configured in 7.5, consider moving to Integrated Windows Authentication.
Before upgrading, be prepared to reconfigure user authentication options and proxy filtering rules (often used to bypass authentication). It is recommended that a copy of your 7.5 filter.config file be copied to a safe location for future reference.
*
Integrated Windows Authentication (with Kerberos) provides more robust proxy user authentication with Windows Active Directory. If NTLM was a user authentication method in version 7.5, consider moving to Integrated Windows Authentication.
*
Multiple Realm Authentication is enhanced and now supports multiple authentication rules for multiple authentication realms.
*
Full clustering is deprecated in version 7.6. Multiple installations of Content Gateway can no longer form a single logical cache. During upgrade, Full clusters are automatically converted to Managed clusters (no reconfiguration is necessary). Managed clusters share configuration settings among nodes.
*
For deployments that use SSL Manager, SSL clustering is added to share SSL Manager settings among nodes in a cluster. It is configured separately from Managed clustering.
Websense Content Gateway is the Web proxy component of Websense Web Security Gateway and Websense Web Security Gateway Anywhere. Websense Web Security components must be upgraded prior to upgrading Content Gateway. To upgrade Websense Web Security, run the Websense installer on each machine running Websense Web Security components. Distributed components must be upgraded in a particular order. See Websense Web Security and Websense Web Filter <BN-BookName>Installation Guide.
Warning 
Before you begin, ensure that /tmp has enough free space to hold the existing Content Gateway log files. During the upgrade procedure, the installer temporarily copies log files located in /opt/WCG/logs to /tmp. If the /tmp partition does not have enough available space and becomes full, the upgrade will fail.
If you determine that /tmp does not have enough space, manually move the contents of /opt/WCG/logs to a partition that has enough space and then delete the log files in /opt/WCG/logs. Run the installer to perform the upgrade. When the upgrade is complete, move the log files from the temporary location back to /opt/WCG/logs and delete the files in the temporary location.
For step-by-step instructions, see the Knowledge Base article titled Upgrading can fail if the /tmp partition becomes full.
Also: Snapshots saved in /opt/WCG/config/snapshots are not saved during the upgrade procedure. To preserve your snapshots, manually copy them to a temporary location and copy them back after the upgrade is complete.
Note: /opt/WCG is the version 7.6 installation location.
Important 
If Content Gateway fails to complete startup after upgrade, check for the presence of the no_cop file. Look for:
2.
Disable any currently running firewall on this machine for the duration of the Content Gateway upgrade. Bring the firewall back up after upgrade is complete, opening ports used by Content Gateway.
a.
At a command prompt, enter service iptables status to determine if the firewall is running.
b.
c.
After upgrade, restart the firewall. In the firewall, be sure to open the ports used by Content Gateway on this machine. See Ports for more information.
tar -xvzf <installer tar archive>
Important 
If SELinux is enabled, set it to permissive, or disable it before installing Content Gateway. Do not install or run Content Gateway with SELinux enabled.
5.
In the directory where you unpacked the tar archive, begin the upgrade, and respond to the prompts to configure the application.
Note 
Up to the point that you are prompted to confirm your desire to upgrade, you can quit the installer by pressing CTRL+C. If you change your mind after you choose to continue, do not use CTRL+C to stop the process. Instead, allow the installation to complete and then uninstall it.
Enter n to quit the installer, and return to the system prompt.
Enter y to continue the upgrade. If you choose to run Content Gateway after receiving this warning, performance may be affected.
7.
Enter y to use previous installation selections.
Enter n to revert to Websense default values, and receive all installation questions and answer them again.
Only WCCP v2 is supported by Content Gateway 7.6. See Content Gateway Manager Help for information about configuring WCCP v2.
12.
If you answered y at Step 10, then you can also leave proxy settings at their current values or revert to Websense default values.
Enter y to keep the proxy settings as they are.
Enter n to restore Websense default settings for the proxy.
13.
The previously installed version of Websense Content Gateway is removed, and the settings and selections you chose to retain are re-used. Wait.
Follow these steps to start the Websense Content Gateway management interface (Content Gateway Manager):
2. Enter the IP address of the Websense Content Gateway server, followed by a colon and the management interface port (8081 for this installation). For example: https://11.222.33.44:8081.
15.
If you answered n at Step 10, the current version of Websense Content Gateway is removed, and a fresh install of 7.6 begins. See Installing Websense Content Gateway for a detailed description of the installation procedure.
Important 
If Content Gateway fails to complete startup after upgrade, check for the presence of the no_cop file. Look for:
In version 7.6, when using Content Gateway with TRITON - Web Security it is not necessary to enter a subscription key. The key is automatically fetched from TRITON - Web Security.
1.
If at the start of the upgrade process you manually moved your existing log files to a temporary location, move them back to /opt/WCG/logs and delete the files in the temporary location.
2.
If at the start of the upgrade procedure you manually moved your existing snapshot files to a temporary location, copy them back to /opt/WCG/config/snapshots and delete them from the temporary location.
3.
Register Content Gateway nodes in TRITON - Web Security on the Settings > Content Gateway Access page. Registered nodes add a link to the Content Gateway Manager logon portal and provide a visual system health indicator, a green check mark or a red X icon.
4.
Configure Content Gateway system alerts in TRITON - Web Security. Select Content Gateway system alerts are now sent to TRITON - Web Security (in addition to Content Gateway Manager). To configure which alerts are sent, in TRITON - Web Security go to the Settings > Alerts > System page.
5.
If WCCP v2 was your version 7.5 transparent proxy deployment, it is highly recommended that you familiarize yourself with the new features and review your configuration. See Transparent interception with WCCP v2 devices in Content Gateway Manager Help. WCCP v1 is deprecated.
6.
If Content Gateway user authentication was used, it must be reconfigured. This includes LDAP, RADIUS, NTLM, and multiple realm rules. For an overview of 7.6 features, see Proxy user authentication.
7.
If access control filtering rules (filter.config) were defined, they must be recreated. It will be helpful to work from the file you saved before upgrading, but filtering rules should be recreated in the filter.config rule editor in Content Gateway Manager. See Filtering Rules.


Go to the table of contents Go to the previous page Go to the next page Go to the index
Upgrading Websense Content Gateway to 7.6.0