Installing and Deploying Websense Endpoint Clients > Deploying Websense endpoints

Deploying Websense endpoints

Applies to

Data Security v7.6.3 and beyond

Web Security v7.6.2 and beyond

Web Security Gateway v7.6.2 and beyond

Web Security Gateway Anywhere v7.6.2 and beyond

In this topic

Creating installation packages

Deployment options

Endpoint software is configured and packaged before it is distributed to endpoint devices (client machines).

If you have both Web and data security solutions, packages are customized according to your needs and created using the Websense Endpoint Package Builder. The package builder can create 32- and 64-bit Windows packages for all 3 types of Websense endpoints, as well as Linux packages for Data Endpoint.

The package builder can be found in the directory where you install Websense Data Security: C:\Program Files\Websense\Data Security\client\WebsenseEndpointPackageBuilder.exe by default.

If you do not subscribe to Data Security, you do not need to use the package builder to deploy the Web filtering endpoints. Rather:

You can download the Web Endpoint package by logging onto TRITON - Web Security and navigating to the Settings > Hybrid Configuration > Hybrid User Identification page.

You can install the Remote Filtering Client Pack by running the TRITON Unified Installer and selecting the Custom installation option for Web Security.

Creating installation packages

 

Note  If you have existing versions of Data Endpoint or Remote Filtering Client, uninstall them before deploying the new installation packages.

1.	Go to Start > Programs > Websense > Data Security > Endpoint Package Builder.

2.	Click Next, and then accept the terms of the subscription agreement.

3.	The Select Components screen appears:

Select one or more endpoint solutions to install. You can create packages for both Websense Data Endpoint and one Web filtering solution, but cannot select both Web filtering solutions.

4.	The Installation Platform and Security screen appears:

a.	Select the operating systems used by the endpoint devices that you will be protecting:

Windows 32-bit

Windows 64-bit

Linux (applies to Data Endpoint only)

b.	For security purposes, anyone who tries to modify or uninstall endpoint software is prompted for a password. Enter a password that administrators can use for this purpose.

For Data Endpoint, once the endpoint client contacts the endpoint server, this password is overwritten with the password specified by a TRITON administrator. Administrators can set this password on the General tab under Settings > General > System > Endpoint.

If no password is specified, every user is able to uninstall the endpoint software from their computer.

Click Show characters to display the password characters while you type.

c.	Sometimes when users cannot modify or uninstall the endpoint software, they try to delete the directory where the software is installed.

Click Protect installation directory from modification or deletion if you do not want users to be able to perform these functions.

d.	Click Next when you're done.

5.	The Installation Path screen appears:

Specify the directory where you want endpoint software installed on each endpoint device. The endpoint software must be installed in a directory path that contains only English characters.

Use default location: The endpoint software is installed in a default directory: \Program Files\Websense\Websense Endpoint (Windows) or /opt/websense/LinuxEndpoint (Linux).

Use this location: Manually specify the installation path for the endpoint software. Environment variables are supported.

6.	Click Next. The screens that appear next depend on the endpoint clients you chose. See:

Websense Data Endpoint

Websense Web Endpoint

Remote Filtering Client

Websense Data Endpoint

1.	If you chose Websense Data Endpoint, the Server Connection screen appears:

IP address or host name: Provide the IP address or host name of the Data Security server that endpoint machines should use to retrieve initial profile and policy information. (Once configured, endpoints retrieve policy and profile updates from the endpoint server defined in their profiles.)

Receive automatic updates for data endpoints: When new versions of Data Endpoint are released, you may upgrade the software on each endpoint—this can be done via GPO or SMS—or you can configure automatic updates on this screen.

To automate endpoint software updates:

a.	Prepare a server with the latest updates on it (see "Automatic Updates for Websense data endpoints" for details).

b.	Select Receive automatic updates for data endpoints.

c.	Specify the URL of the server you created. (It cannot be secure http (https).)

d.	Indicate how often you want endpoint machines to check for updates.

2.	Click Next and the Client Settings screen appears:

Complete the fields as follows:

 

User interface mode	Select from the following 2 options: Interactive: A user interface is displayed on all endpoint machines. Users know when files have been contained and have the option to save them to an authorized location. Stealth: The Websense Data Endpoint user interface is not displayed to the user. Note that reinstallation is required to switch user interface modes.
Installation Mode	Applies to Windows only. Select from the following 2 options: Full: Installs the endpoint with full policy monitoring and blocking capabilities upon a policy breach. All incidents are reported in the TRITON Console. Endpoints that are installed in Full Mode require a reboot. Discovery Only: Configures the endpoint to run discovery analysis but not DLP. Discovery Only installation does not require a reboot.
Installation Language	Select the default local language for the client user interface and the messages that are displayed to the user. Note: The language used for displaying messages (English, Russian and German) can be changed via TRITON - Data Security, but the language displayed in the user interface (buttons, captions, fields, etc.) can only be set during packaging.

3.	Click Next. If you chose no other endpoints, skip to Global settings for instructions. Otherwise, move to Websense Web Endpoint or Remote Filtering Client.

Websense Web Endpoint

1.	If you chose Websense Web Endpoint, the Proxy Settings screen appears:

Specify the URL for the proxy PAC file. This file defines how Web browsers chooses an appropriate proxy for fetching a given URL. The standard proxy PAC file URL for hybrid filtering is:

2.	http://hybrid-web.global.blackspider.com:8082/proxy.pacClick Next, and the Save Installation Package screen appears. See Global settings for instructions on configuring this screen.

Remote Filtering Client

1.	If you chose Remote Filtering Client, the Internal Connections screen appears:

Enter connection information for the Remote Filtering Server to which this client should attempt to connect first.

IP address or host name: Internal IP address or FQDN for the primary Remote Filtering Server machine.

Port: Internal communication port on the primary Remote Filtering Server that can be accessed only from inside the network firewall. This must be the same port entered in the Internal Communication Port field when this Remote Filtering Server was installed.

 

Note  If Remote Filtering Client is on a laptop that is used both inside and outside the network firewall, this allows Websense software to determine where the machine is located and filters it appropriately.

2.	Click Next and the External Connections screen appears:

IP address or host name: Externally visible IP address or fully qualified domain name (FQDN) of the primary Remote Filtering Server machine.

 

Important  You must use the same address format (either IP address or FQDN) as when you installed this Remote Filtering Server.

Port: Externally accessible port used to communicate with the primary Remote Filtering Server. This must match the external port number entered when installing the primary Remote Filtering Server.

3.	Click Next and the Trusted Sites screen appears:

On this screen, you can specify URLs or domains that should not be filtered.

a.	Click Add.

b.	In the dialog box that appears, enter a URL or a regular expression specifying a set of URLs. Any regular expression adhering to ISO/IEC TR 19768 (within the character-number limit) is valid.

c.

Click OK.

To edit a URL or regular expression, select it and then click Edit.

To remove a URL or regular expression, select it and then click Remove.

4.	Click Next and the Client Settings screen appears:

 

Complete the fields as follows:

 

Notify users when HTTPS or FTP traffic is blocked	For HTTP traffic, custom block pages are shown inside users' browser windows when traffic is blocked. Select this option if you want users to receive a pop-up message for blocked HTTPS or FTP traffic. If you enable this option, specify the time the pop-up message should remain visible to the user.
Pass phrase	Enter and confirm your pass phrase. The pass phrase you enter must be the same one used when you installed the Remote Filtering Server. This pass phrase is used to connect the Remote Filtering Client with the server.
Language	Select the default local language for the client user interface and the messages that are displayed to the user.

5.	Click Next, and the Save Installation Package screen appears. See Global settings for instructions on configuring this screen.

Global settings

1.	When you're done configuring your endpoint selections, the Save Installation Package screen appears:

In the Save location field, provide the directory path where you want the endpoint packages to be stored before they are deployed to client machines. Either manually enter a path or click Browse to find the location.

2.	Click Finish.

You'll see a system message if the package is created successfully. If the creation of the package fails, you'll see an error message. If this happens, contact Websense Technical Support for assistance.

3.

Click OK.

Once the packaging tool has finished, the packages are created in the designated path. Refer to Deployment options for instructions on distributing the package to the endpoint devices.

Deployment options

There are 3 ways to distribute the endpoint software:

Manually on each endpoint machine

Using System Center Configuration Manager (SCCM) or Systems Management Server (SMS)

Automatically

 

Important  At the completion of any deployment, you must restart the endpoint to complete the installation.

1.	Manually on each endpoint machine. Windows packages contain a single executable file: WebesenseEndpoint_32bit.exe or WebesenseEndpoint_64bit.exe. This file is a self-extracting archive.

Linux packages (Data Endpoint only) contain 2 installers with the same functionality:

LinuxEndpoint_SFX_installer_el4 - should be used with Red Hat Enterprise Linux version 4.x.

LinuxEndpoint_SFX_installer_el5 - should be used with Red Hat Enterprise Linux version 5.x.

To install Data Endpoint software on a Linux computer, copy the correct installer to the machine and run it as root. No reboot is necessary. The endpoint software starts automatically.

2.	Using System Center Configuration Manager (SCCM) or Systems Management Server (SMS) for Windows environments that use these Microsoft tools to manage the computers in their networks. See "Creating and distributing Websense endpoints using SCCM or SMS" for details.

3.	Automatically (applies to updates only).

For information on deploying Web Endpoint updates automatically, see Enabling automatic updates for Web Endpoint.

To deploy Data Endpoint updates automatically, you must create an update server that hosts endpoint installation packages. See "Automatic Updates for Websense data endpoints" for details.

You must also select Receive automatic updates for data endpoints on the Websense Endpoint Package Builder "Server Connections" screen. On this same screen, specify the URL of the server you created and indicate how often you want endpoint machines to check for updates (every 2 hours by default).

When configured properly, your update server pushes software updates out to endpoint machines and installs the packages in the background silently.

 

Note  If you want to change the components installed on a data endpoint with components of the same version (for example, switch from a data and web endpoint combination to a data only endpoint), you must use the package builder to generate a new package and use one of the other deployment options to deploy it. You cannot use the auto-update feature to update endpoints with the same version.

You can confirm that the Web Endpoint or Data Endpoint is installed and running on a machine as follows:

For Web Endpoint, go to Start > Control Panel > Administrative Tools > Services. Check that Websense SaaS Service is present in the Services list, and is started.

When the Data Endpoint is installed in interactive mode, an icon () appears on the endpoint machine's task bar. Click the icon for status information. (No icon shows in stealth mode.)

For information on endpoint software system requirements, see Endpoint solution system requirements.

If you plan to deploy multiple endpoint solutions (data and Web) on the same machine, see Multiple agent limitations before proceeding.

Enabling automatic updates for Web Endpoint

Once you have deployed your endpoint package to end users, Web Endpoint can be updated for some or all of your hybrid filtering users directly from the hybrid service. If you use the Data Endpoint auto-update feature for endpoints with both data and Web capabilities, however, endpoints receive updates from your auto-update server instead.

To enable automatic Web Endpoint updates to client machines:

1.	Go to the Settings > Hybrid Configuration > Hybrid User Identification page in TRITON - Web Security.

2.	Mark Enable installation and update of Web Endpoint on client machines.

This defines whether automatic updates are deployed to the client machines that you specify. If you uncheck this option at a later date, no further automatic updates occur. However, the installed endpoint software continues to run until it is uninstalled from the client machines.

3.	Mark Automatically update endpoint installations when a new version is released.

4.	Click OK to cache your changes. Changes are not implemented until you click Save All.

 

Note  At the completion of an endpoint update, you must restart the endpoint for the updates to take effect.

Note that while a Web Endpoint update is taking place (which can take several minutes), end users are unable to browse, but are shown a Web page explaining that the update is occurring. This page continues to retry the requested Web page every 10 seconds until the endpoint software has finished updating. The request is then submitted, and either the page or a block page is displayed.

Installing and Deploying Websense Endpoint Clients > Deploying Websense endpoints