Deployment and Installation Center
Websense TRITON Enterprise v7.6.x

The protector is an essential component of Websense Data Security, providing monitoring and blocking capabilities, preventing data loss and leaks of sensitive information. Using PreciseID technology, the protector can be configured to accurately monitor sensitive information-in-transit on any port.
The protector works in tandem with the Data Security server. The Data Security server provides advanced analysis capabilities, while the protector sits on the network, intercepts traffic and can either monitor or block the traffic, as needed. The protector supports analysis of SMTP, HTTP, FTP, plain text, IM traffic (e.g., Yahoo, MSN, chat, and file transfer). The protector is also an integration point for third-party solutions that support ICAP.
If you want to monitor SMTP traffic, the protector is your best choice. You configure a span port to be connected to the protector. This span contains your SMTP traffic.
We do not recommend that you use both options for the same traffic, although some companies prefer monitoring one point and enforcing policies on another, due to differences in network traffic content and load.
If you want to monitor or transparently block HTTP traffic, you can use the protector to do so, or you can integrate Data Security with Websense Content Gateway or another Web proxy.
If you want to monitor FTP, plain text, or IM traffic, you should use the protector. Note that the protector cannot block traffic on these channels. You can block FTP using Websense Content Gateway (as a DLP agent) or other Web proxy that buffers FTP and supports ICAP.
The first decision that needs to be made when installing a protector is its location on the network. You can deploy the protector in SPAN/mirror port mode or in inline mode.
Most data-loss detection devices can be connected off the network, enabling them to sniff network traffic and monitor breaches. This monitoring method is useful because it does not interfere with traffic; however, it also does not enable the loss-prevention system to prevent (block) data losses—only to note and report them. In addition to monitoring mode, you can connect the Websense Protector to the network directly in the path of the traffic, enabling traffic to be blocked, quarantined and even terminated before it reaches its destination.
In both inline/bridge and SPAN/mirror port topology, Websense Data Security can be integrated with Web proxies. Blocking and monitoring modes are both available.
In SPAN/mirror port mode, the protector is connected off the network via the SPAN/mirror port of a switch, which enables the protector to sniff traffic and receive a copy for monitoring purposes, or via a SPAN/mirror device. In SPAN/mirror port mode, traffic is monitored and analyzed, but cannot be blocked. Note that the protector can also be connected to a TAP device.
The following diagram depicts the Websense device connected to the network via a mirror port on a switch, transparently monitoring network traffic.
In inline/bridge mode, configure the protector as a layer-2 switch directly in the path of your organization's traffic. In this configuration, the data security device functions passively, monitoring the traffic (as in monitoring mode), or actively, blocking traffic as necessary.
When using the Websense Protector in inline mode, the hardware and software failsafe mechanism is available only when using the certified bypass-server adapter NIC.
Connect the eth0 interface of the protector and the Data Security server to the LAN for management purposes, or use the port set while running the installation wizard.
If you are planning to use one of these modes, when executing the Data Security Protector wizard, make sure the time, date and time zone are precise, and map eth0 to verify it is located on the main board. Connect eth0 of the protector to the LAN.
In inline network configuration, the protector can monitor or block traffic. Monitoring bridge mode monitors traffic. SMTP MTA and HTTP Active Bridge modes have both monitoring and blocking options.
In inline monitoring mode, the protector actually sits in the data path on the network—however, data is monitored and not blocked. This mode is particularly useful during the setup phase, when testing the protector to make sure configuration is accurate and network-appropriate, before enabling blocking capabilities on the network.
In inline blocking mode (also known as active bridge mode), the protector sits in the data path on the network. All traffic that traverses the protector is analyzed either locally by the policy engine resident on the protector, or by a Data Security server if load balancing is set up.
The policy engine applies all policies as necessary before determining whether traffic is forwarded to its original destination. If data is detected that is supposed to be blocked, it is quarantined by the protector and does not reach its destinations. All traffic that does not match a policy and is not considered suspicious by the policy engine is forwarded by the protector to its original destination.
Make sure that firewalls or other access control devices on your network do not block ports used by the protector to communicate with the Data Security server (see Default ports).
In some cases, incoming traffic from the Internet and outgoing traffic to the Internet are on separate links. In this case, the mirror port must be configured to send traffic from both links to the protector. The protector needs to have access to the Data Security Management Server and vice versa.
You access the installation wizard for your protector through a command line interpreter (CLI). To install the protector software, do the following:
If you have purchased the Websense V5000 G2 Data Security Appliance (v7.6.3 and later), follow the instructions on its quick start poster to rack, cable, and power on the appliance.
The protector software is provided on an ISO image. Download the image, WebsenseDataSecurityProtector76x.iso, from MyWebsense and burn it to a CD.
An installer page appears. If you are using a regular keyboard and screen, type kvm and press Enter. If you are using a serial console, press Enter. The machine is automatically restarted.
When the protector CLI opens for the first time, logging in as admin automatically opens the installation wizard. On subsequent attempts, type "wizard" at the command prompt to access the wizard.
You have the option to install the Websense protector software or mobile agent software. Type P for Protector. Choose this mode whether you are deploying the protector inline or in a SPAN/mirror port configuration. For more information on deploying the protector inline, see Deploying in inline configuration. For more information on deploying the protector in a SPAN/mirror port configuration, see Deploying in SPAN/mirror port configuration.
When the wizard requires data entry, it prompts you. In some cases, a default setting is provided (shown within brackets [ ]). If the default setting is acceptable, press <Enter> to keep the default value.
Each time the installation wizard opens, the end-user license agreement appears. Use the page-down/ scroll /space keys to read/scroll to the end of the agreement. Carefully read the license agreement, and when prompted, type yes to accept the license agreement.
Type in and confirm a new password for the "admin" account. For security reasons, it is best practice to change the default password.
Type in and confirm a new Root ("root") Password (mandatory). The root account provides full access to the device and should be used carefully.
A list of available network interfaces (NICs) appears. In this step, choose the NIC for use by the Data Security Management Server, SSH connections, and logging onto the protector (eth0 by default). All other NICs will be used for intercepting traffic.
To help you identify which NIC to use, the wizard can simulate traffic for 0-60 seconds and cause LEDs to blink on that port. This does not work for all hardware and drivers.
Type the IP prefix of this NIC. This is the subnet mask in abbreviated format (number of bits in the subnet mask). The default is 24 (
Type a broadcast address for the NIC. The installation wizard will provide a calculated value, which is normally the desired one.
Type the IP address of the default gateway to be used to access the network. If the IP address of the Data Security server is not on the same subnet as the protector, a default gateway is required to tell the protector how to communicate with the Data Security server.
Optionally, type the domain name of the network into which the protector was added. The domain name set here will be used by the Data Security server when defining the protector's parameters.
Optionally, type the IP address of the domain name server (DNS) that will service this protector. A DNS will allow access to other network resources using their names instead of their IP addresses.
In this step, a secure channel will be created connecting the protector to a Data Security Server. This can be the Data Security Management Server or a supplemental server, depending on your set up.
Type the IP address or FQDN of the Data Security Server. Note that this must be the IP address identified when you installed the server machine. It cannot be a secondary IP address.
In the Data Security module of TRITON Unified Security Center, verify that the Websense Protector is no longer pending and that the icon displays its active status. Refresh the browser.
Click Deploy.
To begin monitoring the network for sensitive information loss, you must perform some configuration in the TRITON - Data Security user interface. See the TRITON Unified Security Center Help system for instructions on logging on.
Once logged on, navigate to Settings > Deployment > System Modules and double-click the installed protector.
Supply additional configuration parameters needed by the Websense Data Security Server to define policies for unauthorized traffic.
When you are done, make sure the protector does not have the status Disabled or Pending. You can view its status by looking at the System Modules page.
Bypass can be used in the event that the Bypass Server Adapter NIC was ordered with the protector; it enables transparent failover in the event of protector failure. When Bypass is enabled, if the protector malfunctions or is powered off, traffic will transparently pass through the protector to the external network. (Bypass mode is relevant only to the inline/bridge network topology.)
Only certified Bypass Server Adapter NIC cards are tested and guaranteed to properly bypass the protector in the unlikely event of product failure.
When a certified Bypass Server Adapter NIC dual or quad network card is available on the protector, it's possible to enable the protector's bypass mode. Bypass is a failsafe mechanism that shorts the protector in the unlikely event of device failure, enabling all network traffic to pass transparently through the protector to the network.
You configure bypass mode in the TRITON - Data Security user interface. Select Settings > Configuration > System Modules. Select the protector, then navigate to the Networking tab and select Enable bypass mode. Refer to the TRITON - Data Security Help system for more details.
By default, Bypass Mode is enabled. This means that when either a software or hardware problem occurs that causes the protector to malfunction, the protector will automatically be bypassed and the (unanalyzed) traffic will continue to pass to the outside network. If Bypass is disabled, when a malfunction occurs all traffic will be blocked and won't reach its intended destination.
Select Settings > Deployment > System Modules.
Select Force bypass.
Click OK twice.
Click Deploy.
If you are experiencing network problems, you can verify that problems are not within the Data Security software, by setting Manual Bypass to On and noting if problems persist.