Upgrading Websense Content Gateway to v7.6.2
This section of the Websense Technical Library covers upgrading software-based Websense Content Gateway installations (i.e., not running on a Websense appliance).
Perform an upgrade by running the Content Gateway installer on a machine with a previous version of Content Gateway installed. The installer detects the presence of Content Gateway and upgrades it to the current version.
The installation location of Content Gateway is made uniform in 7.6.2. The default location, /opt/WCG, is the actual location of every 7.6.2 installation post-upgrade. The upgrade process detects installations in other locations and moves the installation to /opt/WCG.
Important: In 7.6.2, in explicit proxy deployments, when HTTPS (SSL Manager) is enabled, PAC files and browsers must be configured to send HTTPS traffic to Content Gateway on port 8080. The ipnat.config rule that was used in previous releases to redirect traffic from 8070 to 8080 has been removed.
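One way to find PAC files that still point at the old port before clients start failing, as an added example that is not part of the Websense documentation. The function name, the sample host wcg.example.test and the sample PAC file are assumptions constructed for illustration; only ports 8070 and 8080 come from the text above.

```shell
#!/bin/sh
# Added example, not Websense code. Function names and the sample PAC
# content are constructed; ports 8070 and 8080 are the ones on the page.

# write_sample_pac FILE: writes a constructed PAC file for trying the check.
write_sample_pac() {
    cat > "$1" <<'EOF'
function FindProxyForURL(url, host) {
    // old rule: PROXY wcg.example.test:8070
    if (url.substring(0, 6) == "https:") return "PROXY wcg.example.test:8070; DIRECT";
    return "PROXY wcg.example.test:8080";
}
EOF
}

# pac_stale_https_port PAC_FILE [OLD_PORT]
# Prints "line: directive" for every PROXY directive still using OLD_PORT.
# Returns 0 if at least one is found, 1 if the file is clean, 2 if unreadable.
pac_stale_https_port() {
    pac=$1; old=${2:-8070}
    [ -r "$pac" ] || { echo "cannot read $pac" >&2; return 2; }
    awk -v old="$old" '
        /^[ \t]*\/\// { next }            # ignore whole-line // comments
        {
            line = $0
            # walk every "PROXY host:port" directive on the line
            while (match(line, /PROXY[ \t]+[A-Za-z0-9._-]+:[0-9]+/)) {
                d = substr(line, RSTART, RLENGTH)
                n = split(d, parts, ":")
                if (parts[n] == old) { printf "%d: %s\n", NR, d; found = 1 }
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$pac"
}
```

Run it against each PAC file you publish; any line it prints needs its port changed to 8080.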
Technical papers and documents mentioned in this article are available in the Websense Technical Library: www.websense.com/library.
Follow the upgrade procedures documented with each intermediate version. To perform an intermediate upgrade, download the installer package for the intermediate version from the Websense Downloads site:
When performing intermediate upgrades, be sure to read the Websense Content Gateway Installation Guide and its upgrade supplement for each upgrade version. They contain important information specific to upgrading between particular versions that may not be found in this version of the upgrade supplement.
Before upgrading Content Gateway, make sure the installation machine meets the system recommendations in System requirements for Websense Content Gateway, including hardware specifications, operating system, and browser.
Upgrade TRITON Unified Security Center and TRITON - Web Security before upgrading Content Gateway. See Upgrade Websense Software to v7.6.3.
If upgrading Red Hat Enterprise Linux, upgrade the operating system before upgrading Content Gateway. The Content Gateway installer installs a version of ARM that is compatible with the current Red Hat kernel version.
If configured, disable Virtual IP failover and leave it disabled until all members of the cluster are upgraded and clustering has been re-enabled.
If configured, disable clustering and leave clustering disabled until all members of the cluster are upgraded. All cluster members must run the same version of Content Gateway and should, therefore, be upgraded at the same time. When all nodes are upgraded, re-enable clustering and restart Content Gateway (restarting any node causes all nodes to restart).
You may want to configure these new and enhanced features post-upgrade (for more information, see the Release Notes):
LDAP authentication on the proxy is now compatible with passwords containing special characters.
Websense Content Gateway is the Web proxy component of Websense Web Security Gateway and Websense Web Security Gateway Anywhere. Websense Web Security components must be upgraded prior to upgrading Content Gateway. To upgrade Websense Web Security, run the Websense installer on each machine running Websense Web Security components. Distributed components must be upgraded in a particular order. See Websense Web Security and Websense Web Filter Installation Guide.
In a Websense-appliance-based deployment, Content Gateway is upgraded when the 7.6.2 patch is applied.
Snapshots saved in /opt/WCG/config/snapshots are not saved during the upgrade procedure. To preserve your snapshots, manually copy them to a temporary location and copy them back after the upgrade is complete.
Note: /opt/WCG is the version 7.6.2 installation location.
If Content Gateway fails to complete startup after upgrade, check for the presence of the no_cop file. Look for:
1.
2. Disable any currently running firewall on this machine for the duration of the Content Gateway upgrade. Bring the firewall back up after upgrade is complete, opening ports used by Content Gateway.
a. At a command prompt, enter service iptables status to determine if the firewall is running.
b. If the firewall is running, enter service iptables stop.
c. After upgrade, restart the firewall. In the firewall, be sure to open the ports used by Content Gateway on this machine. See Ports for more information.
tar -xvzf <installer tar archive>
If SELinux is enabled, set it to permissive, or disable it before installing Content Gateway. Do not install or run Content Gateway with SELinux enabled.
5. In the directory where you unpacked the tar archive, begin the upgrade, and respond to the prompts to configure the application.
The installer will upgrade and, if necessary, move Content Gateway to /opt/WCG. It is installed as root.
Up to the point that you are prompted to confirm your desire to upgrade, you can quit the installer by pressing CTRL+C. If you change your mind after you choose to continue, do not use CTRL+C to stop the process. Instead, allow the installation to complete and then uninstall it.
6. If your system does not meet the minimum recommended requirements, you receive a warning. For example:
Warning: Websense Content Gateway requires at least 2 gigabytes of RAM.
Enter n to quit the installer, and return to the system prompt.
Enter y to continue the upgrade. If you choose to run Content Gateway after receiving this warning, performance may be affected.
7. Read the subscription agreement. At the following prompt, enter y to continue the upgrade or n to cancel.
Copying settings from /opt/WCG to /root/WCG/OldVersions/7.6.0-1185-20110905-145233/...done
Copying SSL Manager settings to /root/WCG/OldVersions/7.6.0-1185-20110905-145233/...done
10. You can either re-use the installation selections you entered during the last install, or provide new answers to all installation prompts:
Previous install selections </root/WCG/Current/WCGinstall.cfg> found.
Enter y to use previous installation selections.
Enter n to revert to Websense default values, and receive all installation questions and answer them again.
11. If you answered y at Step 10, then you can also leave proxy settings at their current values or revert to Websense default values.
Enter y to keep the proxy settings as they are.
Enter n to restore Websense default settings for the proxy.
12. The previously installed version of Websense Content Gateway is removed, and the settings and selections you chose to retain are re-used. Wait.
*COMPLETED* Websense Content Gateway 7.6.2-1224 installation.
A log file of this installation process has been written to
/root/WCG/Current/WCGinstall.log
For full operating information, see the Websense Content Gateway Help system.
Follow these steps to start the Websense Content Gateway management interface (Content Gateway Manager):
2. Enter the IP address of the Websense Content Gateway server, followed by a colon and the management interface port (8081 for this installation). For example: https://11.222.33.44:8081.
14. If you answered n at Step 10, the current version of Websense Content Gateway is removed, and a fresh install of 7.6.2 begins. See the Websense Content Gateway chapter of this document for a detailed description of the installation procedure.
If Content Gateway fails to complete startup after upgrade, check for the presence of the no_cop file. Look for:
16. In version 7.6.2, when using Content Gateway with TRITON - Web Security it is not necessary to enter a subscription key. The key is automatically fetched from TRITON - Web Security.
1. If at the start of the upgrade process you manually moved your existing log files to a temporary location, move them back to /opt/WCG/logs and delete the files in the temporary location.
2. If at the start of the upgrade procedure you manually moved your existing snapshot files to a temporary location, copy them back to /opt/WCG/config/snapshots and delete them from the temporary location.
3. Register Content Gateway nodes in TRITON - Web Security on the Settings > Content Gateway Access page. Registered nodes add a link to the Content Gateway Manager logon portal and provide a visual system health indicator, a green check mark or a red X icon.
4. Configure Content Gateway system alerts in TRITON - Web Security. Select Content Gateway system alerts are now sent to TRITON - Web Security (in addition to Content Gateway Manager). To configure which alerts are sent, in TRITON - Web Security go to the Settings > Alerts > System page.
5. If Content Gateway user authentication was used, it must be reconfigured. This includes LDAP, RADIUS, NTLM, and multiple realm rules. For an overview of 7.6.x features, see Proxy user authentication.
If NTLM authentication was configured, consider moving to Integrated Windows Authentication. See Integrated Windows Authentication.
6. If access control filtering rules (filter.config) were defined, they must be recreated. It will be helpful to work from the file you saved before upgrading, but filtering rules should be recreated in the filter.config rule editor in Content Gateway Manager. See Filtering Rules.
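The snapshot handling described in the pre-upgrade note and in post-upgrade step 2 (copy the snapshots out, copy them back, delete the temporary copy), as an added example that is not part of the Websense documentation. It goes slightly beyond the text by checking SHA-256 checksums before the temporary copy is deleted; the function names, the WCG_HOME variable and the staging directory are assumptions, and only /opt/WCG/config/snapshots comes from the page.

```shell
#!/bin/sh
# Added example, not Websense code. /opt/WCG/config/snapshots is the path
# named on the page; WCG_HOME and the staging directory are assumptions.

# stage_snapshots SRC_DIR STAGE_DIR
# Copy snapshots out before the upgrade and record a SHA-256 manifest.
stage_snapshots() {
    src=$1; stage=$2
    [ -d "$src" ] || { echo "no snapshot directory: $src" >&2; return 1; }
    mkdir -p "$stage/snapshots" || return 1
    chmod 700 "$stage"            # proxy configuration: keep it owner-only
    cp -a "$src/." "$stage/snapshots/" || return 1
    ( cd "$stage/snapshots" && find . -type f -exec sha256sum {} + ) \
        > "$stage/MANIFEST.sha256"
}

# restore_snapshots STAGE_DIR DEST_DIR
# Copy snapshots back after the upgrade, verify every file against the
# manifest, and only then delete the temporary copy.
restore_snapshots() {
    stage=$(cd "$1" && pwd) || return 1
    dest=$2
    mkdir -p "$dest" || return 1
    cp -a "$stage/snapshots/." "$dest/" || return 1
    if [ -s "$stage/MANIFEST.sha256" ]; then
        ( cd "$dest" && sha256sum -c --quiet "$stage/MANIFEST.sha256" ) || {
            echo "checksum mismatch, keeping $stage" >&2; return 1; }
    fi
    rm -rf "$stage"
}

# Usage: script stage <dir> (before upgrade), script restore <dir> (after).
case "${1:-}" in
    stage)   stage_snapshots "${WCG_HOME:-/opt/WCG}/config/snapshots" "$2" ;;
    restore) restore_snapshots "$2" "${WCG_HOME:-/opt/WCG}/config/snapshots" ;;
esac
```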