Deployment and Installation Center
Websense TRITON Enterprise v7.6.x

Library Search:


Go to the table of contents Go to the previous page Go to the next page Go to the index
Upgrading V-Series Appliance to 7.6

Upgrading V-Series Appliance to 7.6
Applies to
*
V5000 and V10000 with Web Security Gateway v7.6
*
V5000 and V10000 with Web Security Gateway Anywhere v7.6
In this topic
*
Versions supported for upgrade
*
Estimated time to complete upgrade
*
Preparing for the upgrade
*
Upgrade instructions
*
Upgrading multiple V-Series appliances
*
Upgrading clustered appliances
*
Post-upgrade activities
Versions supported for upgrade
The following appliance versions can be directly upgraded to version 7.6:
*
7.5
*
7.5.1
*
7.5.2
*
7.5.3
Prior versions must be upgraded to one of the above versions prior to upgrading to version 7.6.
Estimated time to complete upgrade
It is estimated that installation of this upgrade takes approximately 100 minutes (one V-Series appliance and one Windows server), which includes:
*
10 minutes to download the upgrade file
*
10 minutes to back up the V-Series files
*
40 to 50 minutes to run the upgrade
*
10 minutes to restart the V-Series and verify that the upgrade was successful
*
5 minutes to download the version 7.6 Websense installer
*
10 to 15 minutes to run the installer to upgrade the off-box components
*
5 minutes to restart the Windows server and verify that the upgrade was successful
Preparing for the upgrade
Before upgrading, perform the following tasks or be aware of the following issues.
Back up configuration and settings
Back up your configuration files, log files, and policy databases from the appliance. See the following Solution Center article at www.websense.com/support: "How do I back up and restore the files on my appliance?"
Download Content Gateway logs
To ensure that you retain a copy of all logs, download the Content Gateway logging directory. Depending on their size, older logs may be removed automatically by the upgrade. Note that policy databases and Websense databases are not affected by the upgrade.
Service disruption during upgrade
Service may be disrupted for 50 to 60 minutes while the upgrade is being applied to the V-Series appliance and it restarts. Note that service is not disrupted while the off-box components are upgraded.
Restart required
At completion of the V-Series upgrade, you must restart the appliance.
Websense administrator accounts
Make sure Websense administrator accounts authenticated by a directory service have an email address specified in the directory service. In version 7.6, an email address is required for each administrator account (except group accounts). See Upgrading or Merging Administrators for more information.
Content Gateway changes
Several Content Gateway changes and enhancements require consideration prior to appliance upgrade.
Configuration settings not preserved
The following Content Gateway configuration settings are not preserved and must be reconfigured post-upgrade:
*
Proxy user authentication and access control filter (filter.config) configuration settings are not retained. These include:
*
LDAP, RADIUS, NTLM, and multiple realm rules
*
All filtering rules (filter.config)
Multiple authentication methods with multiple authentication realms is expanded in version 7.6 and made more powerful with the addition of Integrated Windows Authentication. Multiple authentication realm rules used in 7.5 deployments must be recreated after upgrading to 7.6. Also, if NTLM was configured in 7.5, consider moving to Integrated Windows Authentication.
Before upgrading, be prepared to reconfigure user authentication options and proxy filtering rules (often used to bypass authentication). It is recommended that copy your 7.5 filter.config file to a safe location for future reference.
New features to configure after upgrade
You may want to configure these new and enhanced features post-upgrade (for more information, see the Content Gateway Release Notes):
*
Explicit proxy deployments can configure multiple inbound ports.
*
Transparent proxy deployments with WCCP have more configuration options.
*
Integrated Windows Authentication (with Kerberos) provides more robust proxy user authentication with Windows Active Directory. If NTLM was a user authentication method in version 7.5, consider moving to Integrated Windows Authentication.
*
Multiple Realm Authentication is enhanced and now supports multiple authentication rules for multiple authentication realms.
*
Full clustering is deprecated in version 7.6. Multiple installations of Content Gateway can no longer form a single logical cache. After upgrade, consider configuring Managed clusters.
*
For deployments that use SSL Manager, SSL clustering is added to share SSL Manager settings among nodes in a cluster. It is configured separately from Managed clustering.
For more, see Content Gateway Post upgrade activities.
admin password
If TRITON - Web Security is running on an appliance, the default WebsenseAdministrator user is replaced by a user named admin upon upgrade. The admin user will have the same password the WebsenseAdministrator user had prior to upgrade.
The admin user is the new default administrator account for version 7.6. Use it in place of WebsenseAdministrator.
Disable on-appliance TRITON - Web Security if both on- and off-appliance instances used in prior version
If you had both on- and off-appliance instances of TRITON - Web Security running in version 7.5.x, disable the on-appliance instance after upgrading the appliance to version 7.6. To disable the on-appliance TRITON - Data Security:
1.
Log on to the Appliance Manager (https://<C interface IP address>:9447/appmng)
2.
Under Configuration, select Web Security Components.
3.
Under TRITON - Web Security, select Disabled.
4.
Click Save.
The disabling process may take several minutes. Wait for it to complete.
5.
When the process completes successfully, a TRITON Configuration link appears below the Disabled option.
Use this link if you want to create a backup of TRITON settings that can be restored to the off-appliance TRITON Unified Security Center:
a.
Click the backup file link that is displayed below the Disabled button.
b.
If a certificate error is displayed, click the continue or accept option to start the download.
c.
Save the TRITON backup file (EIP_bak.tgz) in a convenient location.
Upgrade instructions
* 
Important 
V-Series appliance services are disrupted (not available) while the patch is applied until the V-Series appliance completes its restart, approximately 50 to 60 minutes. It is best to perform the upgrade at a time when service demand is at a minimum.
1.
If you have multiple V-Series appliances, read Upgrading multiple V-Series appliances prior to following this procedure.
2.
If your appliances are clustered, see Upgrading clustered appliances.
3.
Take all precautions to ensure that power to the V-Series appliance is not interrupted during the upgrade. Power failure can result in operating system and software component corruption.
4.
Back up appliance configuration and settings. See Back up configuration and settings.
5.
Restart the appliance (in Appliance Manager: Status > Modules > Restart Appliance).
See the Appliance Manager Help for more information.
6.
Download the upgrade patch:
Go to MyWebsense.com and select Downloads tab. Click Get Hotfixes & Patches. Select your appliance model and version.
* 
Important 
Upgrade all Websense V-Series appliances to v7.6 before upgrading the Websense software on the Windows servers to v7.6. If your deployment uses several appliances, upgrade the primary appliance first (this is the appliance that hosts the policy source), then the secondaries, and finally the off-box components. See Upgrading multiple V-Series appliances, below.
7.
If clustering is enabled in Content Gateway, you'll need to disable it. Log on to the Content Gateway Manager by pointing the browser to https://<IP-address-for-interface-C>:8081 and then:
a.
Navigate to Configure > My Proxy > Basic > Clustering.
b.
In the Cluster Type area, select Single Node.
c.
Click Apply.
d.
Restart Content Gateway.
8.
Log on to the V-Series console by pointing a browser to:
https://<IP-address-for-interface-C>:9447/appmng/
The user name is: admin.
The password was set on your appliance when firstboot was run.
9.
Navigate to Administration > Patch Management.
10.
Click Browse, and select the v7.6 upgrade file.
11.
Click Upload. After a few seconds, the upgrade is listed in the Uploaded patches list.
12.
Click Install to apply the upgrade. It takes 40 to 50 minutes for the upgrade process to complete. During this time proxy services are unavailable to users.
13.
When the installation is complete, restart the appliance right away; click Restart Now when prompted. Do not cycle the power.
14.
When the appliance has restarted, log on to the Appliance Manager console and verify on the Configuration > General page that the V-Series version is 7.6.
In rare cases, when logging in to the Appliance Manager for the first time after upgrade, your browser may show an HTTP Status - Internal Error page. If this occurs, cycle the power to the appliance. Once the appliance has restarted, you should be able to log in.
15.
If you have multiple appliances, upgrade them all, repeating Step 8 - Step 14 for each.
16.
Upgrade all Websense modules running off the appliance (such as TRITON - Web Security and Log Server).
See Upgrading Web Security or Web Filter to 7.6.0 for instructions.
17.
To confirm that the Windows components were successfully upgraded, log on to TRITON Unified Security Center.
Upgrading multiple V-Series appliances
When multiple V-Series appliances are deployed on the same network, it is very important that they be upgraded in the prescribed order.
Best practice for upgrade sequence if full policy source is on V-Series appliance
Multiple V-Series appliances (1 full policy source, 1 or more user directory and filtering and/or filtering only). Policy Broker and Policy Server run on the primary:
1.
Upgrade the full policy source V-Series appliance and immediately restart when the upgrade completes.
2.
Sequentially apply the upgrade to all user directory and filtering appliances. Restart each appliance when the upgrade completes.
3.
Sequentially apply the upgrade to all filtering only appliances.
Restart each appliance when the upgrade completes.
4.
After all appliances have been upgraded, upgrade off-box components.
Best practice for upgrade sequence if full policy source is not on V-Series appliance
If you have multiple V-Series appliances with full policy source (Policy Broker and Policy Server) located off-appliance
1.
Use the version 7.6 Websense installer to upgrade only Policy Broker and Policy Server. See Upgrading Web Security or Web Filter to 7.6.0 for instructions.
2.
Apply the v7.6 upgrade to each appliance and immediately restart as each upgrade completes.
3.
Use the version 7.6 Websense installer to upgrade remaining off-appliance components. See Upgrading Web Security or Web Filter to 7.6.0 for instructions.
If the full policy source appliance is down or unavailable
Best practice is to upgrade the full policy source appliance first, then the user directory and filtering, then filtering only appliances, and finally the off-appliance Websense components.
However, if your site must upgrade a user directory and filtering or filtering only appliance before the full policy source appliance, or if your full policy source appliance is unavailable, is being replaced, or is being re-imaged, then set a user directory and filtering or filtering only appliance (temporarily) to be the full policy source. To do this:
1.
On that secondary appliance, in the V-Series console, move to the page Configuration > Web Security Components.
2.
For Policy Source, select Full policy source. Save the setting.
3.
Upgrade this appliance to version 7.6 and restart it.
After the original full policy source appliance has been upgraded, replaced, or re-imaged, change the upgraded temporary full policy source machine to point to the original full policy source again for its policy information. To do this:
1.
Upgrade the primary appliance and restart it.
2.
On the previously upgraded secondary appliance, in the V-Series console, move to the page Configuration > Web Security Components.
3.
For Policy Source, select User directory and filtering or Filtering only and enter the IP address of the primary appliance. Save the setting.
4.
Use the version 7.6 Websense installer to upgrade remaining off-appliance components. See Upgrading Web Security or Web Filter to 7.6.0 for instructions.
Upgrading clustered appliances
Upgrading clustered appliances to version 7.6 requires a service disruption while each node of the cluster is upgraded.
Members of the cluster are upgraded serially, restarted, and then Content Gateway services are stopped until all nodes are upgraded. Then Content Gateway is started on all members of the cluster.
 
* 
Important 
Full clustering is not supported in version 7.6. Prior to upgrading a V-Series appliance, it must be configured to Single Node (i.e., not clustered). After upgrade, you can set the appliance to Management Clustering if you want. However, note that this is a different type of clustering than full clustering. See the Content Gateway Manager Help for more information.
1.
Follow the Upgrade instructions.
2.
After the restart is complete, when all services are available, immediately stop the Content Gateway services.
a.
Log on to the Appliance Manager.
b.
Navigate to Status > Modules.
c.
In the Websense Content Gateway area, click Stop Services.
d.
When prompted, click OK to continue.
 
* 
Note 
If Virtual IP is enabled, for a short time there will be an IP address conflict. After Content Gateway services are stopped, the conflict goes away.
3.
Repeat steps 1 and 2 for every node in the cluster.
4.
When all nodes have been upgraded, start the Content Gateway services on each node.
a.
Log on to the Appliance Manager.
b.
Navigate to Status > Modules.
c.
In the Websense Content Gateway area, click Start Services.
Post-upgrade activities
*
Perform the Content Gateway Post upgrade activities.
*
Verify Network Agent settings
*
Check Tunneled Protocol Detection and Rich Internet Scanning settings
Verify Network Agent settings
After upgrading a filtering only V-Series appliance to version 7.6, use TRITON - Web Security to verify your Network Agent local settings. Go to Settings > Network Agent, highlight the Global option, and select the Network Agent IP address (the IP address of the appliance C interface). Then verify:
*
The Filtering Service IP address.This is usually the IP address of the C interface.
*
The option selected for If Filtering Service is unavailable (Permit or Block).
*
The HTTP traffic and Configure this Network Agent instance to ignore traffic... options under Advanced Network Agent Settings.
After caching and saving any changes to these settings, select the NIC-2 link in the Network Interface Cards table to open the NIC Configuration page. Verify that:
*
The Integrations section shows the correct logging and filtering settings.
*
The Protocol Management include the correct filtering and bandwidth measurement settings.
Be sure to cache and save any changes.
Check Tunneled Protocol Detection and Rich Internet Scanning settings
After upgrading, Tunneled Protocol Detection and Rich Internet Scanning become enabled by default (even if they were disabled prior to upgrade). Due to system resources used by these features, they should be disabled if you do not use them.
 

Quick Links



Go to the table of contents Go to the previous page Go to the next page Go to the index
Upgrading V-Series Appliance to 7.6
(c) 2011 Websense, Inc. All Rights Reserved.