This section contains information about procedures to perform or things to consider before installing Websense components. The
All section applies to all installations, the remaining sections apply to particular products.
Do not install any Websense components on a Domain Controller (DC) machine. Before installing any Websense module or product, see the following sections.
In addition to the space required by the Websense installer itself, further disk space is required on the main Windows drive (i.e., the drive on which Windows is installed; typically C) to accommodate for temporary files to be extracted to this drive as part of the installation process. For information on minimum disk space requirements, see
Hardware requirements.
On Windows systems, make sure all Microsoft updates have been applied. There should be no pending updates, especially any requiring a restart of the system.
The Websense installer is the main installer for Websense products. Use it to install TRITON Unified Security Center; Web Security, Data Security, and Email Security components; and SQL Server 2008 R2 Express. The Websense installer is also used to upgrade most prior-version components.
If you have previously run the Websense installer on a machine, you may be able to start it from the Windows
Start menu without having to extract files again. See
Keeping installer files. If you chose to keep installer files, start the installer by selecting
Start >
All Programs >
Websense >
Websense TRITON Setup.
If you are distributing Websense components across different machines in your network, synchronize the clocks on all machines where a Websense component is installed. It is a good practice to point the machines to the same Network Time Protocol server.
Disable any antivirus on the machine prior to installing Websense components. Be sure to re-enable antivirus after installation. Certain Websense files should be excluded from antivirus scans to avoid performance issues; see
Excluding Websense Files from Antivirus Scans.
Microsoft released a hotfix for Windows Server 2003 to address an issue with large installers. When launching the Websense installer on unpatched systems, you may receive one of the following messages:
.NET Framework version 2.0 or higher is required to run the Websense installer. .NET 2.0, if not already installed, is available from Microsoft (www.microsoft.com). Note that .NET 3.5 SP1 is required to install SQL Server Express; see
.NET Framework 3.5 SP1.
Selecting the Keep installation files option allows you to restart the Websense installer (from the Windows Start menu) without having to extract the files again. Note that the files occupy approximately 2 GB of disk space.
The use of an underscore character in an FQDN is not a supported Internet Engineering Task Force (IETF) standard, an official Internet standard, that Websense complies with.
In addition to the general preparation actions (see All), see the following if you will be installing TRITON Unified Security Center.
If you want to run SQL Server on the same machine as the TRITON Unified Security Center, it is a best practice to only use SQL Server 2008 R2 Express installed by the Websense installer. For a remote (i.e., not on the same machine) SQL Server, you can use any of the supported versions (see
System Requirements)
If you choose to install SQL Server yourself on the same machine as the TRITON Unified Security Center, be sure to
not install SQL Server Reporting Services, which can interfere with the operation of Data Security management components.
.NET Framework version 3.5 SP1 is required to install SQL Server 2008 R2 Express. Although the Websense installer will automatically install this when you choose to install SQL Server 2008 R2 Express, it is a best practice to install it prior to running the Websense installer.
Windows Installer 4.5 is required to install SQL Server 2008 R2 Express. Although the Websense installer will automatically install this when you choose to install SQL Server 2008 R2 Express, it is a best practice to install it prior to running the Websense installer.
Windows PowerShell 1.0 is required to install SQL Server 2008 R2 Express. On Windows Server 2008 R2, PowerShell is installed by default. PowerShell is available from Microsoft (www.microsoft.com). Note that the Websense installer will automatically install this if you choose to install SQL Server 2008 R2 Express.
If you will use SQL Server 2008 R2 Express to store and maintain Web Security data, you must log in to the machine as a domain user when installing it (i.e., log in to the machine as a domain user prior to running the Websense installer). Service Broker, which is installed as part of SQL Server 2008 R2 Express, must be able to authenticate itself against a domain. Logging in as a domain user when running the installer makes sure Service Broker is installed to run as the domain user.
In addition to the general preparation actions (see All), see the following if you will be installing Web Filter, Web Security, Web Security Gateway, or Web Security Gateway Anywhere components.
To download the Websense Master Database and enable filtering, each machine running Websense Filtering Service must be able to access the download servers at:
Websense components are typically distributed across multiple machines. Additionally, some components access network directory services or database servers. To install Websense components, it is a best practice to log in to the machine as a user with domain administration privileges. Otherwise, components may not be able to properly access remote components or services.
Disable any firewall on the machine prior to installing Websense components. Be sure to disable it before starting the Websense installer and then re-enable it after installation. Open ports as required by the Websense components you have installed.
|
|
The Websense installer adds two inbound rules to the public profile of Windows Firewall. Ports 9443 and 19448 are opened for Websense EIP Infra - TRITON Central Access. These ports must be open to allow browsers to connect to the TRITON Unified Security Center. Also, additional rules may be added to Windows Firewall when installing Websense Data Security components.
|
See Default ports for more information about ports used by Websense components.
To install Websense software on a Windows Server 2008 machine, the Computer Browser Service must be running (note: on most machines you will find it disabled by default).
If you install Network Agent on a machine that cannot monitor client requests, basic HTTP filtering (stand-alone installation only) and features such as protocol management and Bandwidth Optimizer cannot work properly.
|
|
Do not install Network Agent on a machine running a firewall. Network Agent uses packet capturing that may conflict with the firewall software. Do not install any Websense components on a Domain Controller (DC).
|
The network interface card (NIC) that you designate for use by Network Agent during installation must support
promiscuous mode. Promiscuous mode allows a NIC to listen to IP addresses other than its own. If the NIC supports promiscuous mode, it is set to that mode by the Websense installer during installation. Contact your network administrator or the manufacturer of your NIC to see if the card supports promiscuous mode.
On Linux, do not choose a NIC without an IP address (stealth mode) for Network Agent communications.
After installation, you can run the Network Traffic Detector to test whether the selected NIC can see the appropriate Internet traffic. See the
Network Configuration topic in the TRITON - Web Security Help for instructions.
|
|
The blocking NIC and monitoring NIC have IP addresses in different network segments (subnets).
|
|
|
You delete the routing table entry for the monitoring NIC.
|
If both the blocking and monitoring NIC on a Linux machine are assigned to the same subnet, the Linux operating system may attempt to send the block via the monitoring NIC. If this happens, the requested page or protocol is not blocked, and the user is able to access the site.
|
2.
|
Enter service iptables status to determine if the firewall is running.
|
|
|
Do not install Websense Network Agent on a machine running a firewall. Network Agent uses packet capturing that may conflict with the firewall software. See Network Agent. Do not install any Websense components on a Domain Controller (DC).
|
Before installing to a Linux machine, make sure the hosts file (by default, in
/etc) contains a hostname entry for the machine, in addition to the loopback address. (Note: you can check whether a hostname has been specified in the
hosts file by using the
hostname -f command.)
where <host> is the name you are assigning this machine.
where <host> is the same as in
Step 1.
|
3.
|
In the /etc/hosts file, specify the IP address to associate with the hostname. This should be static, and not served by DHCP. Do not delete the second line in the file (the one that begins with 127.0.0.1).
|
where <FQDN> is the fully-qualified domain name of this machine (i.e., <
host>.<
subdomain(s)>.<
top-level domain>)—for example, myhost.example.com—and <
host> is the same as in
Step 1.
Websense software supports only TCP/IP-based networks. If your network uses both TCP/IP- and non-IP-based network protocols, only users in the TCP/IP portion of the network are filtered.
|
c.
|
Select Delivery > Outbound Connections, then set the port to 10025.
|
|
d.
|
Select Delivery > Advanced, then set the Smart host to [127.0.0.1].
|
Recommended: For increased security, you can change the relay settings for the Inbound mail server to only allow relay mail from your Mail Server's IP. The relay settings are under
Access > Relay > Only the list below.
Recommended: For increased security, you can change the relay settings for the Outbound mail server to only relay mail from itself (127.0.0.1 as well as any IPs assigned to the server). If you plan on using this as the release or notification gateway, make sure you also allow relaying from the Data Security Management Server. The relay settings are under
Access > Relay > Only the list below.
The servers running the Data Security software can be set as part of a domain or as a separate workgroup. If you have multiple servers or want to perform run commands on file servers in response to discovery, we recommend you make the server(s) part of a domain.
However, strict GPOs may interfere and affect system performance, and even cause the system to halt. Hence, when putting Data Security servers into a domain, it is advised to make them part of organizational units that don't enforce strict GPOs.
Also, certain real-time antivirus scanning can downgrade system efficiency, but that can be relieved by excluding some directories from that scanning (see
Excluding Websense Files from Antivirus Scans). Please contact Websense Technical Support for more information on enhancing performance.
Deployment and Installation Center
