This article discusses what happens to Websense administrator accounts when upgrading from prior-version Web Security or Data Security solutions to version 7.6. It also describes what occurs when version 7.6 administrator accounts are restored from a backup to an existing system that already has administrator accounts configured.
For version 7.6, the default, built-in Global Security Administrator account is named admin. This account has access to all administrative and management functions in the TRITON Unified Security Center. The account replaces the Web Security WebsenseAdministrator and Data Security admin accounts from prior versions.
The prior-version Web Security WebsenseAdministrator built-in default account is no longer used in version 7.6 TRITON Unified Security Center. Upon upgrade it is replaced by an account named admin, which is the built-in default Global Security Administrator account in 7.6 TRITON Unified Security Center.
If a prior-version Websense appliance is running on-appliance TRITON - Web Security, it is upgraded to version 7.6 TRITON Unified Security Center (Web Security module only). In this case, the admin account will be automatically configured with the password of the prior-version WebsenseAdministrator account.
Websense administrator accounts not authenticated against a directory service are referred to as local accounts. Local administrator accounts will appear in the upgraded system; however, they must be assigned email addresses. In version 7.6, all administrator accounts must have an email address.
Users will still be able to use these accounts to log in to TRITON Unified Security Center. However, no changes in permissions can be made to them until an email address is specified. Also, without an email address, these accounts cannot use the password recovery feature or receive alerts.
Websense administrator accounts authenticated against a directory service are referred to as network accounts. The directory service used to authenticate network administrator accounts prior to upgrade will be used by version 7.6 TRITON Unified Security Center to authenticate network administrator accounts. Like local administrator accounts, prior-version network administrator accounts do not have email addresses specified. As part of the upgrade process, if the directory service contains an email address for a network administrator account, that address is automatically assigned to it in version 7.6 TRITON Unified Security Center.
Prior to upgrade, if Windows NT Directory or Windows NT Directory/Active Directory (Mixed Mode) is used to authenticate network administrator accounts, configure the system to use a directory service supported in version 7.6 (see version 7.6 System Requirements). Do this prior to upgrade.
This process involves selecting a version 7.6-supported directory service as Logon Directory and then replacing each Windows NT-based or Mixed Mode account with one on the new directory service (see TRITON - Web Security Help for instructions on removing and adding accounts).
If this is not done, the accounts will not be usable in version 7.6. They will still appear as Web Security delegated administrators in version 7.6 TRITON Unified Security Center. However, users will be unable to log in with those accounts. Also, those accounts cannot be removed.
If Web Security has Logon Directory set to Other LDAP Directory—i.e., is configured to authenticate network administrator accounts against Other LDAP Directory instead of Active Directory (Native Mode) or Windows NT Directory/Active Directory (Mixed Mode)—upon upgrade, network administrator accounts will be authenticated against Generic Directory in version 7.6 TRITON Unified Security Center. This occurs even if a directory service supported by version 7.6 TRITON Unified Security Center was the configured directory service prior to upgrade. Note that this does not happen if Active Directory (Native Mode) was the configured Logon Directory prior to upgrade; in that case Active Directory is used post-upgrade.
It is important after upgrade that you verify the configured directory service (log in to the TRITON Unified Security Center and go to TRITON Settings > User Directory). Make any changes necessary.
Upon upgrade, the prior-version Data Security admin account is replaced by the version 7.6 admin account, which is the built-in default Global Security Administrator account in 7.6 TRITON Unified Security Center.
Data Security local and network administrator accounts are handled in the same way as described above for Web Security. Local accounts (those not authenticated against a directory service) appear in the upgraded system and can still be used to log in, but must be assigned email addresses before their permissions can be changed, and without an email address they cannot use the password recovery feature or receive alerts. Network accounts (those authenticated against a directory service) continue to be authenticated by the directory service used prior to upgrade, and if that directory service contains an email address for the account, the address is assigned automatically during upgrade.
In version 7.5, Data Security administrator accounts could be authenticated against multiple directory services. Whichever was used as the primary directory service for authentication is used upon upgrade to version 7.6. Version 7.5 administrator accounts authenticated against a non-primary directory service will still appear in version 7.6. However, users will not be able to log in with those accounts until a Data Security Super Administrator configures them to work with the proper directory service.
Upgrading Web Security Gateway Anywhere involves both Web Security and Data Security administrator accounts. The application upgrade process for Web Security Gateway Anywhere comprises upgrading the Web Security portion to version 7.6 first and then upgrading (and merging) the Data Security portion.
Web Security administrator accounts are upgraded as described in Upgrading Web Security. It is important that local administrator accounts be assigned email addresses before merging Data Security accounts so proper merging can occur.
Next, Data Security administrator accounts are merged with the upgraded Web Security administrator accounts. Note that if a directory service is not configured prior to the merging of Data Security accounts, the primary directory service used by the incoming Data Security accounts will be used by the version 7.6 system.
When a TRITON backup is restored to a TRITON management server, the administrator accounts it contains must be merged with existing accounts.
TRITON administrator accounts not authenticated against a directory service are referred to as local accounts. If an incoming (from backup restore or upgrade merge) local account matches an existing local account on both name and email address, it is merged with the existing account. The permissions currently defined for the existing account are used.
If an incoming local account's name matches an existing network account, it is imported but has its name modified by appending @local. For example, an incoming account with name user would be imported into the TRITON Unified Security Center as user@local. A Global Security Administrator or the appropriate Security Administrator must verify renamed accounts and resolve them with existing accounts as necessary.
TRITON administrator accounts authenticated against a directory service are referred to as network accounts. The currently configured directory service is used to resolve incoming accounts. If no directory service is currently configured, then the directory service used by the incoming accounts is used.
Incoming accounts are matched to existing network accounts by LDAP distinguished name. If a match occurs, the account is merged with the existing account. The permissions currently defined for the existing account are used.
If an incoming network account's name matches that of an existing local account, it is imported but has its name modified by appending @network. For example, an incoming account with name user would be imported into the TRITON Unified Security Center as user@network. A Global Security Administrator or the appropriate Security Administrator must verify renamed accounts and resolve them with existing accounts as necessary.
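The merge rules above (local accounts matched on name and email, network accounts matched on LDAP distinguished name, and the @local / @network renaming on a cross-type name clash) are worked through in the following Python model. This is an added example written for this article, not Websense code; the Account class, the constructed sample accounts and the handling of a local name clash with a different email address are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Account:
    name: str
    kind: str                       # "local" or "network"
    email: Optional[str] = None     # required for all accounts in 7.6
    dn: Optional[str] = None        # LDAP distinguished name (network accounts)
    permissions: frozenset = frozenset()


def choose_directory(configured: Optional[str], incoming: Optional[str]) -> Optional[str]:
    """The currently configured directory service resolves incoming network
    accounts; only when none is configured is the incoming accounts' service used."""
    return configured if configured else incoming


def merge_accounts(existing: List[Account],
                   incoming: List[Account]) -> Tuple[List[Account], List[Account]]:
    """Merge incoming accounts (backup restore or upgrade merge) into existing ones.
    Returns (resulting account list, renamed accounts an administrator must review)."""
    result = list(existing)
    review: List[Account] = []
    local_keys = {(a.name, a.email) for a in existing if a.kind == "local"}
    local_names = {a.name for a in existing if a.kind == "local"}
    network_dns = {a.dn for a in existing if a.kind == "network"}
    network_names = {a.name for a in existing if a.kind == "network"}
    for acct in incoming:
        if acct.kind == "local":
            if (acct.name, acct.email) in local_keys:
                continue  # merged into the existing account; its current permissions are kept
            if acct.name in network_names:
                acct = Account(acct.name + "@local", "local", acct.email, None, acct.permissions)
                review.append(acct)
        else:
            if acct.dn in network_dns:
                continue  # matched by distinguished name; existing permissions are kept
            if acct.name in local_names:
                acct = Account(acct.name + "@network", "network", acct.email, acct.dn,
                               acct.permissions)
                review.append(acct)
        # Assumption: the article does not cover a local name clash with a different
        # email address, so such an account is imported unchanged here.
        result.append(acct)
    return result, review
```

Renamed accounts are returned separately so that the Global Security Administrator review step the article requires has an explicit list to work from.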