Deployment and Installation Center
Websense TRITON Enterprise v7.6.x

Preparing for Installation

This section contains information about procedures to perform or things to consider before installing Websense components. The All section applies to all installations; the remaining sections apply to particular products.
Do not install any Websense components on a Domain Controller (DC) machine. Before installing any Websense module or product, see the following sections.
In addition to the space required by the Websense installer itself, further disk space is required on the main Windows drive (i.e., the drive on which Windows is installed; typically C) to accommodate temporary files that are extracted to this drive as part of the installation process. For information on minimum disk space requirements, see Hardware requirements.
On Windows systems, make sure all Microsoft updates have been applied. There should be no pending updates, especially any requiring a restart of the system.
The Websense installer is the main installer for Websense products. Use it to install TRITON Unified Security Center; Web Security, Data Security, and Email Security components; and SQL Server 2008 R2 Express. The Websense installer is also used to upgrade most prior-version components.
Download the Websense installer (WebsenseTRITON76Setup.exe) from mywebsense.com.
If you have previously run the Websense installer on a machine, you may be able to start it from the Windows Start menu without having to extract files again. See Keeping installer files. If you chose to keep installer files, start the installer by selecting Start > All Programs > Websense > Websense TRITON Setup.
Use the Linux version of the Web Security installer to install Web Security components on Linux. Download the WebsenseWeb76Setup_Lnx.tar.gz package from mywebsense.com.
If you are distributing Websense components across different machines in your network, synchronize the clocks on all machines where a Websense component is installed. It is a good practice to point the machines to the same Network Time Protocol server.
Note 
If you are installing components that will work with a Websense V-Series appliance, you must synchronize the machine's system time to the appliance's system time.
Disable any antivirus on the machine prior to installing Websense components. Be sure to re-enable antivirus after installation. Certain Websense files should be excluded from antivirus scans to avoid performance issues; see Excluding Websense Files from Antivirus Scans.
Microsoft released a hotfix for Windows Server 2003 to address an issue with large installers. When launching the Websense installer on unpatched systems, you may receive one of the following messages:
.NET Framework version 2.0 or higher is required to run the Websense installer. .NET 2.0, if not already installed, is available from Microsoft (www.microsoft.com). Note that .NET 3.5 SP1 is required to install SQL Server Express; see .NET Framework 3.5 SP1.
Note 
Selecting the Keep installation files option allows you to restart the Websense installer (from the Windows Start menu) without having to extract the files again. Note that the files occupy approximately 2 GB of disk space.
No underscores in FQDN
The use of an underscore character in an FQDN is not supported by the Internet Engineering Task Force (IETF) standard, an official Internet standard with which Websense complies.
Note 
In addition to the general preparation actions (see All), see the following if you will be installing TRITON Unified Security Center.
If you want to run SQL Server on the same machine as the TRITON Unified Security Center, it is a best practice to only use SQL Server 2008 R2 Express installed by the Websense installer. For a remote (i.e., not on the same machine) SQL Server, you can use any of the supported versions (see System Requirements).
If you choose to install SQL Server yourself on the same machine as the TRITON Unified Security Center, be sure to not install SQL Server Reporting Services, which can interfere with the operation of Data Security management components.
.NET Framework version 3.5 SP1 is required to install SQL Server 2008 R2 Express. Although the Websense installer will automatically install this when you choose to install SQL Server 2008 R2 Express, it is a best practice to install it prior to running the Websense installer.
Note 
Windows Installer 4.5 is required to install SQL Server 2008 R2 Express. Although the Websense installer will automatically install this when you choose to install SQL Server 2008 R2 Express, it is a best practice to install it prior to running the Websense installer.
Windows PowerShell 1.0 is required to install SQL Server 2008 R2 Express. On Windows Server 2008 R2, PowerShell is installed by default. PowerShell is available from Microsoft (www.microsoft.com). Note that the Websense installer will automatically install this if you choose to install SQL Server 2008 R2 Express.
If you will use SQL Server 2008 R2 Express to store and maintain Web Security data, you must log in to the machine as a domain user when installing it (i.e., log in to the machine as a domain user prior to running the Websense installer). Service Broker, which is installed as part of SQL Server 2008 R2 Express, must be able to authenticate itself against a domain. Logging in as a domain user when running the installer makes sure Service Broker is installed to run as the domain user.
In addition to the general preparation actions (see All), see the following if you will be installing Web Filter, Web Security, Web Security Gateway, or Web Security Gateway Anywhere components.
To download the Websense Master Database and enable filtering, each machine running Websense Filtering Service must be able to access the download servers at:
Make sure that these addresses are permitted by all firewalls, proxy servers, routers, or host files that control the URLs that Filtering Service can access.
Websense components are typically distributed across multiple machines. Additionally, some components access network directory services or database servers. To install Websense components, it is a best practice to log in to the machine as a user with domain administration privileges. Otherwise, components may not be able to properly access remote components or services.
Important 
If you plan to install SQL Server 2008 R2 Express and will use it to store and maintain Web Security data, you must log in as a domain user when installing it (i.e., log in to the machine as a domain user prior to running the Websense installer).
Disable any firewall on the machine prior to installing Websense components. Be sure to disable it before starting the Websense installer and then re-enable it after installation. Open ports as required by the Websense components you have installed.
Note 
The Websense installer adds two inbound rules to the public profile of Windows Firewall. Ports 9443 and 19448 are opened for Websense EIP Infra - TRITON Central Access. These ports must be open to allow browsers to connect to the TRITON Unified Security Center. Also, additional rules may be added to Windows Firewall when installing Websense Data Security components.
See Default ports for more information about ports used by Websense components.
To install Websense software on a Windows Server 2008 machine, the Computer Browser Service must be running (note: on most machines you will find it disabled by default).
If you are installing Network Agent, ensure that the Network Agent machine can monitor all client Internet requests, and the responses to those requests.
If you install Network Agent on a machine that cannot monitor client requests, basic HTTP filtering (stand-alone installation only) and features such as protocol management and Bandwidth Optimizer cannot work properly.
Important 
Do not install Network Agent on a machine running a firewall. Network Agent uses packet capturing that may conflict with the firewall software. Do not install any Websense components on a Domain Controller (DC).
The network interface card (NIC) that you designate for use by Network Agent during installation must support promiscuous mode. Promiscuous mode allows a NIC to listen to IP addresses other than its own. If the NIC supports promiscuous mode, it is set to that mode by the Websense installer during installation. Contact your network administrator or the manufacturer of your NIC to see if the card supports promiscuous mode.
On Linux, do not choose a NIC without an IP address (stealth mode) for Network Agent communications.
Note 
If you install Network Agent on a machine with multiple NICs, after installation you can configure Network Agent to use more than one NIC. See the Network Configuration topic in the TRITON - Web Security Help for more information.
After installation, you can run the Network Traffic Detector to test whether the selected NIC can see the appropriate Internet traffic. See the Network Configuration topic in the TRITON - Web Security Help for instructions.
If Network Agent is installed on a Linux machine, using one network interface card (NIC) for blocking and another NIC for monitoring, make sure that either:
* The blocking NIC and monitoring NIC have IP addresses in different network segments (subnets).
* You delete the routing table entry for the monitoring NIC.
If both the blocking and monitoring NIC on a Linux machine are assigned to the same subnet, the Linux operating system may attempt to send the block via the monitoring NIC. If this happens, the requested page or protocol is not blocked, and the user is able to access the site.
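An added example (not Websense code) that checks the first condition above before installation: given the address/prefix of each NIC, it reports whether the two fall in the same subnet. The addresses and the interface name in the comment are constructed assumptions.

```shell
#!/bin/sh
# Added example: detect a blocking NIC and monitoring NIC in the same subnet.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                       # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# network_of ADDR PREFIX -> prints the network address as an integer
network_of() {
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    echo $(( $(ip_to_int "$1") & mask ))
}

# nics_overlap ADDR/PREFIX ADDR/PREFIX -> returns 0 when the subnets overlap
nics_overlap() {
    p1=${1#*/}; p2=${2#*/}
    # Compare under the shorter prefix so a /16 that contains a /24 is caught.
    if [ "$p1" -lt "$p2" ]; then p=$p1; else p=$p2; fi
    [ "$(network_of "${1%/*}" "$p")" -eq "$(network_of "${2%/*}" "$p")" ]
}

# Constructed sample values; on a real host read them with, for example:
#   ip -o -4 addr show dev eth0 | awk '{print $4}'   (interface name assumed)
blocking_nic="10.1.2.10/24"
monitoring_nic="10.1.2.20/24"

if nics_overlap "$blocking_nic" "$monitoring_nic"; then
    echo "WARNING: both NICs are in the same subnet; blocks may leave via the monitoring NIC"
else
    echo "OK: blocking and monitoring NICs are in different subnets"
fi
```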
Note 
Before installing, if SELinux is enabled, set it to permissive or disable it and restart the machine.
If Websense software is being installed on a Linux machine on which a firewall is active, shut down the firewall before running the installation.
2. Enter service iptables status to determine if the firewall is running.
3.
Important 
Do not install Websense Network Agent on a machine running a firewall. Network Agent uses packet capturing that may conflict with the firewall software. See Network Agent. Do not install any Websense components on a Domain Controller (DC).
Before installing to a Linux machine, make sure the hosts file (by default, in /etc) contains a hostname entry for the machine, in addition to the loopback address. (Note: you can check whether a hostname has been specified in the hosts file by using the hostname -f command.)
where <host> is the name you are assigning this machine.
2. Update the HOSTNAME entry in the /etc/sysconfig/network file:
where <host> is the same as in Step 1.
3. In the /etc/hosts file, specify the IP address to associate with the hostname. This should be static, and not served by DHCP. Do not delete the second line in the file (the one that begins with 127.0.0.1).
<IP address> <FQDN> <host>
where <FQDN> is the fully-qualified domain name of this machine (i.e., <host>.<subdomain(s)>.<top-level domain>)—for example, myhost.example.com—and <host> is the same as in Step 1.
Important 
The hostname entry you create in the hosts file must be the first entry in the file.
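An added example (not part of the Websense documentation) that checks a hosts file against the rules in this section and in "No underscores in FQDN": the hostname entry comes first in the form <IP address> <FQDN> <host>, the FQDN has no underscore, and the 127.0.0.1 line is still present. The function name and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate a hosts file against the rules in this section.
# Usage on a real machine (assumption): check_hosts_file /etc/hosts "$(hostname -s)"
check_hosts_file() {
    awk -v host="$2" '
        function fail(msg) { print "FAIL: " msg; bad = 1 }
        { sub(/#.*/, "") }                 # strip comments
        NF == 0 { next }                   # skip blank lines
        $1 == "127.0.0.1" { loopback = 1 } # the loopback line must be kept
        !seen {                            # first real entry in the file
            seen = 1
            if ($1 ~ /^127\./ || $1 == "::1")
                fail("first entry is a loopback line, not the hostname entry")
            else if (NF < 3)
                fail("first entry must be: <IP address> <FQDN> <host>")
            else {
                if ($3 != host)
                    fail("short name \"" $3 "\" is not \"" host "\"")
                if (index($2, host ".") != 1)
                    fail("FQDN \"" $2 "\" does not begin with \"" host ".\"")
                if ($2 ~ /_/)
                    fail("FQDN \"" $2 "\" contains an underscore")
            }
        }
        END {
            if (!seen)     fail("no entries found")
            if (!loopback) fail("127.0.0.1 line is missing")
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample file (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
10.0.0.5   myhost.example.com     myhost
127.0.0.1  localhost.localdomain  localhost
EOF
check_hosts_file "$sample" myhost && echo "hosts file OK"
rm -f "$sample"
```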
Websense software supports only TCP/IP-based networks. If your network uses both TCP/IP- and non-IP-based network protocols, only users in the TCP/IP portion of the network are filtered.
1.
c. Select Delivery > Outbound Connections, then set the port to 10025.
d. Select Delivery > Advanced, then set the Smart host to [127.0.0.1].
Recommended: For increased security, you can change the relay settings for the Inbound mail server to only allow relay mail from your Mail Server's IP. The relay settings are under Access > Relay > Only the list below.
Recommended: For increased security, you can change the relay settings for the Outbound mail server to only relay mail from itself (127.0.0.1 as well as any IPs assigned to the server). If you plan on using this as the release or notification gateway, make sure you also allow relaying from the Data Security Management Server. The relay settings are under Access > Relay > Only the list below.
Optional: If your next-hop MTA requires Transport Layer Security (TLS), you can enable and configure the options under Delivery > Outbound Security.
The servers running the Data Security software can be set as part of a domain or as a separate workgroup. If you have multiple servers or want to run commands on file servers in response to discovery, we recommend you make the server(s) part of a domain.
However, strict GPOs may interfere and affect system performance, and even cause the system to halt. Hence, when putting Data Security servers into a domain, it is advised to make them part of organizational units that don't enforce strict GPOs.
Also, certain real-time antivirus scanning can degrade system efficiency, but that can be relieved by excluding some directories from that scanning (see Excluding Websense Files from Antivirus Scans). Please contact Websense Technical Support for more information on enhancing performance.
ISA Agent requires 1 GB free disk space on the ISA Server machine. The installer will not allow you to install ISA Agent if available space is less.

