Upgrading Websense Content Gateway to 7.6.0
This section of the Websense Technical Library covers upgrading software-based Websense Content Gateway installations (i.e., not running on a Websense appliance).
Perform an upgrade by running the Content Gateway installer on a machine with a previous version of Content Gateway installed. The installer detects the presence of Content Gateway and upgrades it to the current version.
The installation location of Content Gateway is made uniform in 7.6. The default location, /opt/WCG, is the actual location of every 7.6 installation post-upgrade. The upgrade process detects installations in other locations and moves the installation to /opt/WCG.
Important: In 7.6, in explicit proxy deployments, when HTTPS (SSL Manager) is enabled, PAC files and browsers must be configured to send HTTPS traffic to Content Gateway on port 8080. The ipnat.config rule that was used in previous releases to redirect traffic from 8070 to 8080 has been removed.
Technical papers and documents mentioned in this article are available in the Websense Technical Library: www.websense.com/library.
The upgrade from version 7.1 to 7.5 requires a Red Hat Enterprise Linux operating system version upgrade followed by a fresh install of 7.5.
Follow the upgrade procedures documented with each intermediate version. To perform an intermediate upgrade, download the installer package for the intermediate version from the Websense Downloads site:
When performing intermediate upgrades, be sure to read the Websense Content Gateway Installation Guide and its upgrade supplement for each upgrade version. They contain important information specific to upgrading between particular versions that may not be found in this version of the upgrade supplement.
Due to the timing of Content Gateway releases 7.5.3 and 7.6.0, a small number of 7.5.3 corrections could not be included in 7.6.0. These include:
Before upgrading Content Gateway, make sure the installation machine meets the system recommendations in System requirements for Websense Content Gateway, including hardware specifications, operating system, and browser.
Upgrade TRITON Unified Security Center and TRITON - Web Security before upgrading Content Gateway. See Upgrading Web Security or Web Filter to 7.6.0.
If upgrading Red Hat Enterprise Linux, upgrade the operating system before upgrading Content Gateway. The Content Gateway installer installs a version of ARM that is compatible with the current Red Hat kernel version.
If configured, disable Virtual IP failover and leave it disabled until all members of the cluster are upgraded and clustering has been re-enabled.
If configured, disable clustering and leave clustering disabled until all members of the cluster are upgraded. All cluster members must run the same version of Content Gateway and should, therefore, be upgraded at the same time. When all nodes are upgraded, re-enable clustering and restart Content Gateway (restarting any node causes all nodes to restart).
FTP caching. If FTP caching was enabled in your 7.5 configuration, it is disabled during upgrade. The configuration option is removed from 7.6 Content Gateway Manager.
ARM Security. If ARM Security was enabled in your 7.5 configuration, it is disabled during upgrade. The configuration option is removed from 7.6 Content Gateway Manager.
Congestion Control. If Congestion Control was enabled in your 7.5 configuration, it is disabled during upgrade. The configuration option is removed from 7.6 Content Gateway Manager.
ICP Peering. If ICP Peering was enabled in your 7.5 configuration, it is disabled during upgrade. The configuration option is removed from 7.6 Content Gateway Manager.
The following configuration settings are not preserved and must be reconfigured post-upgrade:
Proxy user authentication and access control filter (filter.config) configuration settings are not retained. These include:
Multiple authentication methods with multiple authentication realms is expanded in version 7.6 and made more powerful with the addition of Integrated Windows Authentication. Multiple authentication realm rules used in 7.5 deployments must be recreated after upgrading to 7.6. Also, if NTLM was configured in 7.5, consider moving to Integrated Windows Authentication.
Before upgrading, be prepared to reconfigure user authentication options and proxy filtering rules (often used to bypass authentication). It is recommended that a copy of your 7.5 filter.config file be copied to a safe location for future reference.
You may want to configure these new and enhanced features post-upgrade (for more information, see the Release Notes):
Integrated Windows Authentication (with Kerberos) provides more robust proxy user authentication with Windows Active Directory. If NTLM was a user authentication method in version 7.5, consider moving to Integrated Windows Authentication.
Multiple Realm Authentication is enhanced and now supports multiple authentication rules for multiple authentication realms.
Full clustering is deprecated in version 7.6. Multiple installations of Content Gateway can no longer form a single logical cache. During upgrade, Full clusters are automatically converted to Managed clusters (no reconfiguration is necessary). Managed clusters share configuration settings among nodes.
For deployments that use SSL Manager, SSL clustering is added to share SSL Manager settings among nodes in a cluster. It is configured separately from Managed clustering.
Websense Content Gateway is the Web proxy component of Websense Web Security Gateway and Websense Web Security Gateway Anywhere. Websense Web Security components must be upgraded prior to upgrading Content Gateway. To upgrade Websense Web Security, run the Websense installer on each machine running Websense Web Security components. Distributed components must be upgraded in a particular order. See Websense Web Security and Websense Web Filter Installation Guide.
In a Websense-appliance-based deployment, Content Gateway is upgraded when the 7.6 patch is applied.
Before you begin, ensure that /tmp has enough free space to hold the existing Content Gateway log files. During the upgrade procedure, the installer temporarily copies log files located in /opt/WCG/logs to /tmp. If the /tmp partition does not have enough available space and becomes full, the upgrade will fail.
If you determine that /tmp does not have enough space, manually move the contents of /opt/WCG/logs to a partition that has enough space and then delete the log files in /opt/WCG/logs. Run the installer to perform the upgrade. When the upgrade is complete, move the log files from the temporary location back to /opt/WCG/logs and delete the files in the temporary location.
For step-by-step instructions, see the Knowledge Base article titled Upgrading can fail if the /tmp partition becomes full.
Also: Snapshots saved in /opt/WCG/config/snapshots are not saved during the upgrade procedure. To preserve your snapshots, manually copy them to a temporary location and copy them back after the upgrade is complete.
Note: /opt/WCG is the version 7.6 installation location.
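The checks described above (room in /tmp for the logs, preserving snapshots) together with the SELinux requirement from the upgrade procedure can be scripted before running the installer. This is an added example, not part of the Websense documentation; the function names and the holding directory are hypothetical, and the paths are the ones given on this page.

```shell
#!/bin/sh
# Added example: pre-upgrade checks for the /tmp and snapshot caveats above.
# Function names and the holding directory are hypothetical.

dir_kb() {   # size of a directory tree in KB; 0 if it does not exist
    [ -d "$1" ] || { echo 0; return 0; }
    du -sk "$1" | awk '{print $1}'
}

free_kb() {  # free KB on the filesystem that holds the given path
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

has_room() { # has_room <src_dir> <target_dir> [margin_pct, default 20]
    need=$(dir_kb "$1")
    need=$(( need + need * ${3:-20} / 100 ))
    [ "$(free_kb "$2")" -gt "$need" ]
}

save_snapshots() { # save_snapshots <snapshot_dir> <holding_dir>
    [ -d "$1" ] || return 0            # nothing to preserve
    mkdir -p "$2" && cp -a "$1/." "$2/" || return 1
    # Verify the copy before the installer discards the originals.
    [ "$(find "$1" -type f | wc -l)" -eq "$(find "$2" -type f | wc -l)" ]
}

preflight() { # preflight <wcg_root> <tmp_dir> <holding_dir>
    rc=0
    if has_room "$1/logs" "$2"; then
        echo "OK   $2 can hold a copy of $1/logs"
    else
        echo "FAIL $2 too small for $1/logs; move the logs first"; rc=1
    fi
    if save_snapshots "$1/config/snapshots" "$3"; then
        echo "OK   snapshots preserved in $3"
    else
        echo "FAIL snapshot copy to $3 incomplete"; rc=1
    fi
    # The page says not to install or run with SELinux enabled.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = Enforcing ]; then
        echo "FAIL SELinux is enforcing; set permissive or disable"; rc=1
    fi
    return $rc
}

# Run only when called with all three arguments, e.g.:
#   sh wcg_preflight.sh /opt/WCG /tmp /var/tmp/wcg-snapshots
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Use an empty holding directory on a partition other than /tmp, since the installer fills /tmp with log copies during the upgrade.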
If Content Gateway fails to complete startup after upgrade, check for the presence of the no_cop file. Look for:
1.
2. Disable any currently running firewall on this machine for the duration of the Content Gateway upgrade. Bring the firewall back up after upgrade is complete, opening ports used by Content Gateway.
a. At a command prompt, enter service iptables status to determine if the firewall is running.
b. If the firewall is running, enter service iptables stop.
c. After upgrade, restart the firewall. In the firewall, be sure to open the ports used by Content Gateway on this machine. See Ports for more information.
tar -xvzf <installer tar archive>
If SELinux is enabled, set it to permissive, or disable it before installing Content Gateway. Do not install or run Content Gateway with SELinux enabled.
5. In the directory where you unpacked the tar archive, begin the upgrade, and respond to the prompts to configure the application.
The installer will upgrade and, if necessary, move Content Gateway to /opt/WCG. It is installed as root.
Up to the point that you are prompted to confirm your desire to upgrade, you can quit the installer by pressing CTRL+C. If you change your mind after you choose to continue, do not use CTRL+C to stop the process. Instead, allow the installation to complete and then uninstall it.
6. If your system does not meet the minimum recommended requirements, you receive a warning. For example:
Warning: Websense Content Gateway requires at least 2 gigabytes of RAM.
Enter n to quit the installer, and return to the system prompt.
Enter y to continue the upgrade. If you choose to run Content Gateway after receiving this warning, performance may be affected.
7. Read the subscription agreement. At the following prompt, enter y to continue the upgrade or n to cancel.
Copying settings from /opt/WCG to /root/WCG/OldVersions/7.5.0-1143-20110322-131541/...done
Copying SSL Manager settings to /root/WCG/OldVersions/7.5.0-1143-20110322-131541/...done
10. You can either re-use the installation selections you entered during the last install, or provide new answers to all installation prompts:
Previous install configuration </root/WCG/Current/WCGinstall.cfg> found.
Enter y to use previous installation selections.
Enter n to revert to Websense default values, and receive all installation questions and answer them again.
11. The following message appears if Content Gateway is currently configured to use WCCP v1. Press ENTER to proceed.
Only WCCP v2 is supported by Content Gateway 7.6. See Content Gateway Manager Help for information about configuring WCCP v2.
12. If you answered y at Step 10, then you can also leave proxy settings at their current values or revert to Websense default values.
Enter y to keep the proxy settings as they are.
Enter n to restore Websense default settings for the proxy.
13. The previously installed version of Websense Content Gateway is removed, and the settings and selections you chose to retain are re-used. Wait.
*COMPLETED* Websense Content Gateway 7.6.0-1166 installation.
A log file of this installation process has been written to
/root/WCG/Current/WCGinstall.log
For full operating information, see the Websense Content Gateway Help system.
Follow these steps to start the Websense Content Gateway management interface (Content Gateway Manager):
2. Enter the IP address of the Websense Content Gateway server, followed by a colon and the management interface port (8081 for this installation). For example: https://11.222.33.44:8081.
15. If you answered n at Step 10, the current version of Websense Content Gateway is removed, and a fresh install of 7.6 begins. See Installing Websense Content Gateway for a detailed description of the installation procedure.
If Content Gateway fails to complete startup after upgrade, check for the presence of the no_cop file. Look for:
17. In version 7.6, when using Content Gateway with TRITON - Web Security it is not necessary to enter a subscription key. The key is automatically fetched from TRITON - Web Security.
1. If at the start of the upgrade process you manually moved your existing log files to a temporary location, move them back to /opt/WCG/logs and delete the files in the temporary location.
2. If at the start of the upgrade procedure you manually moved your existing snapshot files to a temporary location, copy them back to /opt/WCG/config/snapshots and delete them from the temporary location.
3. Register Content Gateway nodes in TRITON - Web Security on the Settings > Content Gateway Access page. Registered nodes add a link to the Content Gateway Manager logon portal and provide a visual system health indicator, a green check mark or a red X icon.
4. Configure Content Gateway system alerts in TRITON - Web Security. Content Gateway system alerts are now sent to TRITON - Web Security (in addition to Content Gateway Manager). To configure which alerts are sent, in TRITON - Web Security go to the Settings > Alerts > System page.
5. If WCCP v2 was your version 7.5 transparent proxy deployment, it is highly recommended that you familiarize yourself with the new features and review your configuration. See Transparent interception with WCCP v2 devices in Content Gateway Manager Help. WCCP v1 is deprecated.
6. If Content Gateway user authentication was used, it must be reconfigured. This includes LDAP, RADIUS, NTLM, and multiple realm rules. For an overview of 7.6 features, see Proxy user authentication.
If NTLM authentication was configured, consider moving to Integrated Windows Authentication. See Integrated Windows Authentication.
If multiple realm authentication rules were used in 7.5, you will have to become acquainted with the new feature and recreate your rules. See Multiple realm authentication.
7. If access control filtering rules (filter.config) were defined, they must be recreated. It will be helpful to work from the file you saved before upgrading, but filtering rules should be recreated in the filter.config rule editor in Content Gateway Manager. See Filtering Rules.