Custom Deployment > Installing Data Security Components

Installing Data Security Components

Applies to

Data Security v7.6

Installing Data Security components

Notes If you are installing version 7.6 Data Security components as part of an upgrade process from a prior-version, start at step Step 3 below. To install Printer agent, use the WebsenseDataSecurityPrinterAgent.zip package instead of the Websense installer. See Installing the printer agent for more information. A separate installer is used to install 64-bit TMG or SMTP Agents. See Installing the 64-bit SMTP agent or Installing the TMG agent for more information.

1.	It is assumed you have already launched the Websense installer and chosen the Custom installation type. If not, see Deployment.

Note  If you plan to install a Data Security agent (for example, Printer Agent, ISA Agent, and so forth) TRITON Unified Security Center, with the Data Security module enabled, must already be installed in your network. See Creating a TRITON Management Server.

2.	On the Custom Installation screen, click the Install link for Data Security.

 

Note  To install a Protector, a separate installer is used. See Installing the protector.

3.	The Websense Data Security Installer is launched. On the Welcome screen, click Next to begin Data Security installation.

Note  If the .NET 2.0 server is not found on this machine, the Data Security Installer installs it. You may need access to the Windows installation disc or image.

4.	In the Destination Folder screen, specify the folder into which to install Data Security components.

The default destination is C:\Program Files or Program Files (x86)\Websense\Data Security. If you have a larger drive, it is used instead. Large removable drives may be detected by the system as a local drive and used as the default. Do not install on removable media.

Important  The full installation path must use only ASCII characters. Do not use extended ASCII or double-byte characters.

Note  Regardless of what drive you specify, you must have a minimum of 0.5 GB of free disk space on the C: drive. This is because Data Security installs components into the Windows "inetpub" folder on C:.

5.	In the Select Components screen, select the components you want to install on this machine.

 

Note  If there is insufficient RAM on this machine for Data Security Management Server components, a message appears. Click OK to dismiss the message. You are allowed to proceed with the installation. However, it is a best practice to only install if you have sufficient RAM.

Not all Data Security components may be available in the Select Components screen. Which components are available depends on the operating system of the machine and applications detected by the Data Security Installer. For example, if a print server is found, then Printer Agent will be available for installation.

Note  A TRITON management server already has a Data Security Server installed (if you chose the Data Security module of the TRITON Unified Security Center). Install Data Security Server on other machines only if you want secondary Data Security Servers.

Crawler Agent: scans networks transparently to locate confidential documents and data on endpoints, laptops and servers. It also performs fingerprinting, and scans databases as well as documents.

Printer Agent: enables integration between printer servers and the Data Security Server intercepting print jobs from the printer spooler. Websense recommends you install the printer agent on a dedicated print server.

Note  To install Printer Agent, you must download and extract WebsenseDataSecurityPrinterAgent.zip prior to running the Websense installer. See Detecting the printer driver.

SMTP Agent: enables integration between the SMTP Server and the Data Security Server enabling analysis of all external email, before forwarding it to the mail gateway.

ISA Agent: receives all Web connections from Microsoft ISA Server and enables the Data Security Server to analyze them. Note that ISA Agent requires 1 GB free disk space on the ISA Server machine. The installer will not allow you to install ISA Agent if available space is less.

TMG Agent: receives all Web connections from Microsoft Forefront TMG and enables the Data Security Server to analyze them.

Use the drop-down menu next to each component to select whether it will be installed.

Notes: Do not install a Data Security Server on a Microsoft Exchange or ISA Server in a production environment. ISA Server and Exchange Server consume so many system resources, Websense recommends you keep the Data Security Server separate. Do not install any Data Security component on a domain controller. If you are installing a supplemental Data Security Server, you cannot also install ISA Agent on the same machine. It is not a best practice to install the Printer Agent or ISA/TMG Agent on the same machine as a Data Security Server in production environments.

Will be installed on local hard drive: selects the item for installation.

Entire feature will be installed on local hard drive: if an item has sub-items, selecting this option chooses all sub-items for installation.

Entire feature will be unavailable: deselects an item for installation; it will not be installed. If an item has sub-items, all sub-items will be deselected. Deselected items show a red X next to them.

If you have selected Crawler Agent for installation, the following message may appear:

Data Security Discovery Agent works with a sepcific version of WinPcap.
The installation has detected that your WinPcap version is <version>
In order to proceed with this installation, WinPcap version 4.0.0.1040 needs to be installed and will replace yours.
Click Yes to proceed or Click No to preserve your WinPcap version and deselect the Discovery Agent Feature to continue with the installation.

"Discovery Agent" refers to Crawler Agent. The particular version of WinPcap mentioned in this message must be in place to install Crawler Agent. Note that after installation of Crawler Agent you can install a different version of WinPcap. Crawler Agent should continue to work properly.

6.	Which components are selected for installation determines which remaining installer screens appear. In the remaining steps, follow only the instructions that apply to the components you have selected.

7.	Use the options on the Import Data From Previous Version screen to restore data from a backup of a previous-version Data Security Server if necessary.

Select the Load Data From Backup check box and then use the Browse button to specify the location of the backup data you want restored.

For more information about backups, see the TRITON - Data Security Help.

Note  If you are upgrading a prior-version of Data Security, select Load data from previous version and then use the Browse button to specify the location of the data exported when you ran the export script at the beginning of the upgrade process.

8.	If your SQL Server database is on a remote machine, you are prompted for the name of a temporary folder. This screen defines where Data Security should store temporary files during archive processing as well as system backup and restore.

Archiving lets you manage the size of your incident database and optimize performance. Backup lets you safeguard your policies, forensics, configuration, data, fingerprints, encryption keys, and more.

If you do not plan to archive incidents or perform system backup and restore, you do not need to fill out this screen.

Before proceeding, create a folder in a location that both the database and TRITON management server can access. (The folder must exist before you click Next.) On average, this folder will hold 10 GB of data, so choose a location that can accommodate this.

v7.6.0 to v7.6.2

On the Temporary Archive Folder screen, complete the fields as follows:

 

Important  The Temporary Archive Folder screen affects system backup and restore as well as incident archiving.

Enable incident archiving: Check this box if you plan to archive old or aging incidents or perform system backup. This box does not appear when you run the installer in Modify mode and perform a disaster recovery restore operation.

SQL Server Access: Enter the path that the SQL Server should use to access the temporary folder. For best practice, it should be a remote Universal Naming Convention (UNC) path, but local and shared network paths are supported. For example: c:\folder or \\10.2.1.1.\folder.

Data Security Management Security Access: Enter the UNC path that the management server should use to access the temporary folder. For example: \\10.2.1.1.\folder. Enter a user name and password for a user who is authorized to access this location and optionally a domain.

v7.6.3 and beyond

On the Temporary Folder Location screen, complete the fields as follows:

Enable incident archiving and system backup: Check this box if you plan to archive old or aging incidents and perform system backup or restore. This box does not appear when you run the installer in Modify mode and perform a disaster recovery restore operation.

From SQL Server: Enter the path that the SQL Server should use to access the temporary folder. For best practice, it should be a remote UNC path, but local and shared network paths are supported. For example: c:\folder or \\10.2.1.1.\folder.

From TRITON Management Server: Enter the UNC path the management server should use to access the temporary folder. For example: \\10.2.1.1.\folder. Enter a user name and password for a user who is authorized to access this location.

 

Important  For all 7.6.x versions, the account used to access the SQL Server must have BACKUP DATABASE permissions to communicate with the installer. If it does not, an error results when you click Next.

To grant this permission, issue the following T-SQL commands on the SQL Server instance:

USE master

GRANT BACKUP DATABASE TO <user>

GO

After installation of Data Security components, you can revoke this permission:

USE master

REVOKE BACKUP DATABASE TO <user>

GO

9.	Starting with v7.6.3, if a Lotus Notes client is detected on this machine, the Lotus Domino Connections screen appears.

If you plan to perform fingerprinting or discovery on your Domino server, complete the information on this page.

 

Important  Before you complete the information on this screen, make sure that you: Create at least one user account with administrator privileges for the Domino environment. (Read permissions are not sufficient.) Be sure that the Lotus Notes installation is done for "Anyone who uses this computer." Connect to the Lotus Domino server from the Lotus Notes client.

a.	On the Lotus Domino Connections page, select the check box labeled Use this machine to scan Lotus Domino servers.

b.	In the User ID file field, browse to one of the authorized administrator users, then navigate to the user's user.id file.

 

Note  Select a user that has permission to access all folders and Notes Storage Format (NSF) files of interest, otherwise certain items may not be scanned.

c.	In the Password field, enter the password for the authorized administrator user.

10.	If installing Printer Agent, the Print Processor Destination(s) screen appears.

This screen is for information only; there are no options to select. The displayed list contains the names of all cluster nodes on which the Printer Agent is installed. Make sure that all nodes holding print spooler resources are listed.

11.	If installing Printer Agent, the Optical Character Recognition screen appears.

The Optical Character Recognition (OCR) service that is bundled with the Data Security software begins installation of the OCR service. Once the OCR service finishes installation, the OCR screen is displayed.

Section	Description
OCR Analysis Threshold	Per printed page: This parameter limits dynamically (according to the number of pages) the total time that the OCR can extract text from the printed job. In case of a timeout, the content analysis will be performed only on the extracted text that took place before the timeout. (Default value: 3 sec.; Range: 1-60 sec.) No more than nn seconds: This number is a static overall limit to the total time that the OCR can extract text from the printed job. In case of a timeout, the content analysis will be performed only on the extracted text that took place before the timeout. (Default value: 300 sec.; Range: 1-3600 sec.)
OCR Accuracy	Running the OCR in accurate mode results in higher latency. Administrators can set the size of jobs that will be executed in the most accurate OCR mode (small jobs do not produce high latency, so it is reasonable to use better accuracy). In most cases, lower OCR quality is sufficient and provides good results. Keep in mind that the average OCR Analysis per printed page limit is ignored for small documents, but the entire print job limit is still adhered to. (Default value: 5 pages)

Optionally, you can change the default values defined for the OCR Analysis Threshold and the OCR Accuracy.

12.	If installing Data Security Server, the Fingerprinting Database screen appears.

To choose a location other than the default shown, use the Browse button.

13.	If installing SMTP Agent, the Virtual SMTP Server screen appears.

In the Select Virtual Server list, select the IIS virtual SMTP server that should be bound to the Data Security SMTP Agent. SMTP Agent will monitor traffic that goes through this virtual server. If there multiple SMTP servers listed, the SMTP Agent should typically be bound to Inbound.

14.	In the Server Access screen, select the IP address to identify this machine to other Websense components.

15.	In the Register with the Data Security Server screen specify the location and log on credentials to a Data Security Server.

FQDN is the fully-qualified domain name of a machine.

If you are installing a secondary Data Security Server, enter the location and log on credentials for the TRITON Unified Security Center machine.

If you are installing an agent, enter the location and log on credentials for the TRITON Unified Security Center machine.

16.	In the Local Administrator screen, enter a user name and password as instructed on-screen.

17.	In the Installation Confirmation screen, if all the information entered is correct, click the Install button to begin installation.

 

Installation may seem to take a long time. Unless a specific error or failure message appears, allow the installer to proceed.

If the following message appears, click Yes to continue the installation:

Data Security needs port 80 free.
In order to proceed with this installation, DSS will free up this port.
Click Yes to proceed OR click No to preserve your settings.

Clicking No cancels the installation.

A similar message for port 443 may appear. Click Yes to continue or No to cancel the installation.

18.	Once installation is complete, the Installation Complete screen appears to inform you that your installation is complete. Click Finish.

19.	Additionally, a Printer Agent Configuration screen may appear.

a.	Select a printer from the list and click OK.

A red exclamation point indicates that a printer has settings that are incompatible with the printer agent. The printer agent is unable to monitor traffic for printers that are configured with incompatible settings, for example, "Print directly to printer." Hover the mouse over a problematic printer for details in a tooltip.

You can still select an incompatible printer. If you do, the following message appears:

The Websense Printer Agent is unable to monitor traffic when one or more printers are configured with incompatible settings. Do you wish Websense to correct the settings?

Click Yes. The settings are automatically modified to accommodate the printer agent.

b.	Once installation is complete, the printers you selected appear as policy resources in the TRITON - Data Security module of the TRITON Unified Security Center (navigate to Main > Configuration > Resources). See Accessing the TRITON Unified Security Center.

c.	To complete the process, click Deploy in TRITON - Data Security.

20.	Once installation is complete, the Installation Successful screen appears to inform you that your installation is complete.

Custom Deployment > Installing Data Security Components