Deployment and Installation Center
Websense TRITON Enterprise v7.6.x

Library Search:


Go to the table of contents Go to the previous page Go to the next page Go to the index
Upgrading Websense Content Gateway to 7.6.0

Upgrading Websense Content Gateway to 7.6.0
Applies to
*
Content Gateway v7.5, v7.6.0
*
Web Security Gateway v7.5, v7.6.0
In this topic
*
Overview
*
Versions supported for upgrade
*
Preparing for the upgrade
*
Upgrading Websense Content Gateway
*
Post upgrade activities
Overview
This section of the Websense Technical Library covers upgrading software-based Websense Content Gateway installations (i.e., not running on a Websense appliance).
Perform an upgrade by running the Content Gateway installer on a machine with a previous version of Content Gateway installed. The installer detects the presence of Content Gateway and upgrades it to the current version.
 
* 
Important 
The installation location of Content Gateway is made uniform in 7.6. The default location, /opt/WCG, is the actual location of every 7.6 installation post-upgrade. The upgrade process detects installations in other locations and moves the installation to /opt/WCG.
 
* 
Important:
In 7.6, in explicit proxy deployments, when HTTPS (SSL Manager) is enabled, PAC files and browsers must be configured to send HTTPS traffic to Content Gateway on port 8080. The ipnat.config rule that was used in previous releases to redirect traffic from 8070 to 8080 has been removed.
 
* 
Note 
Technical papers and documents mentioned in this article are available Websense Technical Library: www.websense.com/library.
Versions supported for upgrade
Direct upgrades to version 7.6 are supported from version 7.5 and higher of Content Gateway.
Upgrades from versions prior to 7.5 require intermediate upgrades:
*
version 7.0 > version 7.1 > version 7.5 > version 7.6
 
* 
Important 
The upgrade from version 7.1 to 7.5 requires a Red Hat Enterprise Linux operating system version upgrade followed by a fresh install of 7.5.
Follow the upgrade procedures documented with each intermediate version. To perform an intermediate upgrade, download the installer package for the intermediate version from the Websense Downloads site:
www.websense.com/MyWebsense/Downloads/
 
* 
Important 
When performing intermediate upgrades, be sure to read the Websense Content Gateway Installation Guide and its upgrade supplement for each upgrade version. They contain important information specific to upgrading between particular versions that may not be found in this version of the upgrade supplement.
Upgrading from version 7.5.3
Due to the timing of Content Gateway releases 7.5.3 and 7.6.0, a small number of 7.5.3 corrections could not be included in 7.6.0. These include:
*
Hotix 1 - NTLM: prompt for credentials when user is outside configured domain
*
Portions of hotfix 6 - proxy chaining; LDAP authentication; mobile users
*
Hotfixes after hotfix 6 (none as of commercial release of 7.6)
Preparing for the upgrade
*
System requirements
*
Preparing for installation
*
Upgrading distributed components
System requirements
Before upgrading Content Gateway, make sure the installation machine meets the system recommendations in System requirements for Websense Content Gateway, including hardware specifications, operating system, and browser.
Preparing for installation
Summary:
*
Read the Websense Content Gateway v7.6 Release Notes and these upgrade instructions
*
Upgrade TRITON Unified Security Center and TRITON - Web Security before upgrading Content Gateway. See Upgrading Web Security or Web Filter to 7.6.0.
*
If upgrading Red Hat Enterprise Linux, upgrade the operating system before upgrading Content Gateway. The Content Gateway installer installs a version of ARM that is compatible with the current Red Hat kernel version.
*
If configured, disable Virtual IP failover and leave it disabled until all members of the cluster are upgraded and clustering has been re-enabled.
*
If configured, disable clustering and leave clustering disabled until all members of the cluster are upgraded. All cluster members must run the same version of Content Gateway and should, therefore, be upgraded at the same time. When all nodes are upgraded, re-enable clustering and restart Content Gateway (restarting any node causes all nodes to restart).
Deprecated in 7.6
These features are deprecated in version 7.6:
*
WCCP v1.
*
Full clustering. See the entry for Full clustering in Configuration settings not preserved, below
*
FTP caching. If FTP caching was enabled in your 7.5 configuration, it is disabled during upgrade. The configuration option is removed from 7.6 Content Gateway Manager.
*
ARM Security. If ARM Security was enabled in your 7.5 configuration, it is disabled during upgrade. The configuration option is removed from 7.6 Content Gateway Manager.
*
Congestion Control. If Congestion Control was enabled in your 7.5 configuration, it is disabled during upgrade. The configuration option is removed from 7.6 Content Gateway Manager.
*
ICP Peering. If ICP Peering was enabled in your 7.5 configuration, it is disabled during upgrade. The configuration option is removed from 7.6 Content Gateway Manager.
Configuration settings not preserved
The following configuration settings are not preserved and must be reconfigured post-upgrade:
*
Proxy user authentication and access control filter (filter.config) configuration settings are not retained. These include:
*
LDAP, RADIUS, NTLM, and multiple realm rules
*
All filtering rules (filter.config)
Multiple authentication methods with multiple authentication realms is expanded in version 7.6 and made more powerful with the addition of Integrated Windows Authentication. Multiple authentication realm rules used in 7.5 deployments must be recreated after upgrading to 7.6. Also, if NTLM was configured in 7.5, consider moving to Integrated Windows Authentication.
Before upgrading, be prepared to reconfigure user authentication options and proxy filtering rules (often used to bypass authentication). It is recommended that a copy of your 7.5 filter.config file be copied to a safe location for future reference.
New features to configure after upgrade
You may want to configure these new and enhanced features post-upgrade (for more information, see the Release Notes):
*
Explicit proxy deployments can configure multiple inbound ports.
*
Transparent proxy deployments with WCCP have more configuration options.
*
Integrated Windows Authentication (with Kerberos) provides more robust proxy user authentication with Windows Active Directory. If NTLM was a user authentication method in version 7.5, consider moving to Integrated Windows Authentication.
*
Multiple Realm Authentication is enhanced and now supports multiple authentication rules for multiple authentication realms.
*
Full clustering is deprecated in version 7.6. Multiple installations of Content Gateway can no longer form a single logical cache. During upgrade, Full clusters are automatically converted to Managed clusters (no reconfiguration is necessary). Managed clusters share configuration settings among nodes.
*
For deployments that use SSL Manager, SSL clustering is added to share SSL Manager settings among nodes in a cluster. It is configured separately from Managed clustering.
Upgrading distributed components
Websense Content Gateway is the Web proxy component of Websense Web Security Gateway and Websense Web Security Gateway Anywhere. Websense Web Security components must be upgraded prior to upgrading Content Gateway. To upgrade Websense Web Security, run the Websense installer on each machine running Websense Web Security components. Distributed components must be upgraded in a particular order. See Websense Web Security and Websense Web Filter <BN-BookName>Installation Guide.
Upgrading Websense Content Gateway
Complete these steps to upgrade Content Gateway on a server in a software-base deployment.
In a Websense-appliance-based deployment, Content Gateway is upgraded when the 7.6 patch is applied.
Before you begin, be sure to read Preparing to install Websense Content Gateway.
* 
Warning 
Before you begin, ensure that /tmp has enough free space to hold the existing Content Gateway log files. During the upgrade procedure, the installer temporarily copies log files located in /opt/WCG/logs to /tmp. If the /tmp partition does not have enough available space and becomes full, the upgrade will fail.
If you determine that /tmp does not have enough space, manually move the contents of /opt/WCG/logs to a partition that has enough space and then delete the log files in /opt/WCG/logs. Run the installer to perform the upgrade. When the upgrade is complete, move the log files from the temporary location back to /opt/WCG/logs and delete the files in the temporary location.
For step-by-step instructions, see the Knowledge Base article titled Upgrading can fail if the /tmp partition becomes full.
Also: Snapshots saved in /opt/WCG/config/snapshots are not saved during the upgrade procedure. To preserve your snapshots, manually copy them to a temporary location and copy them back after the upgrade is complete.
Note: /opt/WCG is the version 7.6 installation location.
 
* 
Important 
If Content Gateway fails to complete startup after upgrade, check for the presence of the no_cop file. Look for:
/opt/WCG/config/internal/no_cop
If the file exists, remove it and restart Content Gateway:
/opt/WCG/WCGAdmin start
1.
To upgrade to Websense Content Gateway version 7.6, start by downloading the installer. Go to: www.websense.com/MyWebsense/Downloads/
2.
Disable any currently running firewall on this machine for the duration of the Content Gateway upgrade. Bring the firewall back up after upgrade is complete, opening ports used by Content Gateway.
For example, if you are running IPTables:
a.
At a command prompt, enter service iptables status to determine if the firewall is running.
b.
If the firewall is running, enter service iptables stop.
c.
After upgrade, restart the firewall. In the firewall, be sure to open the ports used by Content Gateway on this machine. See Ports for more information.
3.
Unpack the Content Gateway installer tar archive:
tar -xvzf <installer tar archive>
 
* 
Important 
If SELinux is enabled, set it to permissive, or disable it before installing Content Gateway. Do not install or run Content Gateway with SELinux enabled.
4.
Make sure you have root permissions:
su root
5.
In the directory where you unpacked the tar archive, begin the upgrade, and respond to the prompts to configure the application.
./wcg_install.sh
 
The installer will upgrade and, if necessary, move Content Gateway to /opt/WCG. It is installed as root.
 
* 
Note 
Up to the point that you are prompted to confirm your desire to upgrade, you can quit the installer by pressing CTRL+C. If you change your mind after you choose to continue, do not use CTRL+C to stop the process. Instead, allow the installation to complete and then uninstall it.
6.
If your system does not meet the minimum recommended requirements, you receive a warning. For example:
Warning: Websense Content Gateway requires at least 2 gigabytes of RAM.
 
Do you wish to continue [y/n]?
 
Enter n to quit the installer, and return to the system prompt.
Enter y to continue the upgrade. If you choose to run Content Gateway after receiving this warning, performance may be affected.
7.
Read the subscription agreement. At the following prompt, enter y to continue the upgrade or n to cancel.
Do you accept the above agreement [y/n]? y
8.
When asked, choose to replace the existing version of Content Gateway with the 7.6 version.
WCG version 7.5.0-nnnn was found.
Do you want to replace it with version 7.6.0-nnnn [y/n]? y
9.
Existing settings and logs are copied to backup files and stored. For example:
Stopping Websense Content Gateway processes...done
 
Copying settings from /opt/WCG to /root/WCG/OldVersions/7.5.0-1143-20110322-131541/...done
 
Copying SSL Manager settings to /root/WCG/OldVersions/7.5.0-1143-20110322-131541/...done
 
Moving log files from /opt/WCG/logs to /tmp/wcg_tmp/logs/...done
 
10.
You can either re-use the installation selections you entered during the last install, or provide new answers to all installation prompts:
Previous install configuration </root/WCG/Current/WCGinstall.cfg> found.
 
Use current installation selections [y/n]?
Enter y to use previous installation selections.
Enter n to revert to Websense default values, and receive all installation questions and answer them again.
11.
The following message appears if Content Gateway is currently configured to use WCCP v1. Press ENTER to proceed.
WCCP will be disabled as WCCP v1 is obsolete.> ENTER
Only WCCP v2 is supported by Content Gateway 7.6. See Content Gateway Manager Help for information about configuring WCCP v2.
12.
If you answered y at Step 10, then you can also leave proxy settings at their current values or revert to Websense default values.
Restore settings after install [y/n]?
Enter y to keep the proxy settings as they are.
Enter n to restore Websense default settings for the proxy.
13.
The previously installed version of Websense Content Gateway is removed, and the settings and selections you chose to retain are re-used. Wait.
*COMPLETED* Websense Content Gateway 7.6.0-1166 installation.
A log file of this installation process has been written to
/root/WCG/Current/WCGinstall.log
 
For full operating information, see the Websense Content Gateway Help system.
 
Follow these steps to start the Websense Content Gateway management interface (Content Gateway Manager):
------------------------------------------------------------
1. Start a browser.
2. Enter the IP address of the Websense Content Gateway server, followed by a colon and the management interface port (8081 for this installation). For example: https://11.222.33.44:8081.
3. Log on using username admin and the password you chose earlier.
 
A copy of the CA public key used by the Manager is located in /root/WCG/.
14.
The upgrade is now complete, and the proxy software is running.
If you chose to revert to Websense default proxy settings, be sure to configure any custom options.
15.
If you answered n at Step 10, the current version of Websense Content Gateway is removed, and a fresh install of 7.6 begins. See Installing Websense Content Gateway for a detailed description of the installation procedure.
16.
Check Content Gateway status with:
/opt/WCG/WCGAdmin status
All services should be running. These include:
Content Cop
Websense Content Gateway
Content Gateway Manager
Websense Download Service
Analytics Server
 
 
* 
Important 
If Content Gateway fails to complete startup after upgrade, check for the presence of the no_cop file. Look for:
/opt/WCG/config/internal/no_cop
If the file exists, remove it and restart Content Gateway:
/opt/WCG/WCGAdmin start
17.
Perform the post-installation steps described in Post upgrade activities and in Initial Configuration.
Post upgrade activities
In version 7.6, when using Content Gateway with TRITON - Web Security it is not necessary to enter a subscription key. The key is automatically fetched from TRITON - Web Security.
1.
If at the start of the upgrade process you manually moved your existing log files to a temporary location, move them back to /opt/WCG/logs and delete the files in the temporary location.
2.
If at the start of the upgrade procedure you manually moved your existing snapshot files to a temporary location, copy them back to /opt/WCG/config/snapshots and delete them from the temporary location.
3.
Register Content Gateway nodes in TRITON - Web Security on the Settings > Content Gateway Access page. Registered nodes add a link to the Content Gateway Manager logon portal and provide a visual system health indicator, a green check mark or a red X icon.
4.
Configure Content Gateway system alerts in TRITON - Web Security. Select Content Gateway system alerts are now sent to TRITON - Web Security (in addition to Content Gateway Manager). To configure which alerts are sent, in TRITON - Web Security go to the Settings > Alerts > System page.
5.
If WCCP v2 was your version 7.5 transparent proxy deployment, it is highly recommended that you familiarize yourself with the new features and review your configuration. See Transparent interception with WCCP v2 devices in Content Gateway Manager Help. WCCP v1 is deprecated.
6.
If Content Gateway user authentication was used, it must be reconfigured. This includes LDAP, RADIUS, NTLM, and multiple realm rules. For an overview of 7.6 features, see Proxy user authentication.
If NTLM authentication was configured, consider moving to Integrated Windows Authentication. See Integrated Windows Authentication.
If multiple realm authentication rules were used in 7.5, you will have to become acquainted with the new feature and recreate your rules. See Multiple realm authentication.
7.
If access control filtering rules (filter.config) were defined, they must be recreated. It will be helpful to work from the file you saved before upgrading, but filtering rules should be recreated in the filter.config rule editor in Content Gateway Manager. See Filtering Rules.

Quick Links



Go to the table of contents Go to the previous page Go to the next page Go to the index
Upgrading Websense Content Gateway to 7.6.0
(c) 2011 Websense, Inc. All Rights Reserved.