Deployment and Installation Center
Websense TRITON Enterprise v7.6.x


Note 
If you have already completed the appliance setup steps provided in the Websense V-Series Getting Started guide, skip to Installing off-appliance or optional components now.
The Quick Start poster, which comes in the shipping box with your appliance, shows you all items included in each Websense appliance shipping box. The 2-page Quick Start explains how to set up the hardware and shows how to connect the cables to the appliance and to your network.
Network interfaces C, P1, E1, and E2 (if used) must be able to access a DNS server. These interfaces typically have continuous access to the Internet. Essential databases are downloaded from Websense servers through these interfaces.
* Ensure that interfaces C, P1, E1, and E2 (if used) are able to access the download servers at download.websense.com. (As an alternative, some sites configure the P1 proxy interface to download the Websense Master Database as well as other security updates. In that situation, interface C does not require Internet access.)
* Make sure the above address is permitted by all firewalls, proxy servers, routers, or host files controlling the URLs that the C, P1, E1, and E2 (if used) interfaces can access.
After hardware setup, connect directly to the appliance through the serial port or the monitor and keyboard ports. For serial port activation, use:
The first time you start a Websense appliance, a brief script (firstboot) prompts you to supply settings for the network interface labeled C and a few other general items. You can run the script again if you want to examine your settings or change settings. You can also change settings through the Appliance Manager (user interface) after firstboot has been executed.
Gather the following information before running the script. Some of this information may have been written down on the Quick Start during hardware setup.
                                       
* E1 or P1 to download antispam and antivirus database updates from Websense
Configuring these interfaces to access the Internet for database downloads is done through the Appliance Manager and through the TRITON Unified Security Center. See the Appliance Manager Help for information about configuring the interfaces. See the TRITON - Web Security and - Email Security Help for information about configuring database downloads.
Note 
To configure the appliance, connect through the serial port or the keyboard/video ports and complete the firstboot script. For serial port activation, use:
3. When asked if you want to begin, enter yes to launch the firstboot activation script.
4. At the first prompt, select Web and Email Security mode.
After the activation script has been completed successfully, use the Logon Portal to access the Appliance Manager. To reach the Logon Portal, open a supported browser, and enter this URL in the address bar:
After completing the initial configuration required by the firstboot script, use the Appliance Manager to configure important settings for network interfaces P1, P2, N, E1, and E2 (P2, N, and E2 are optional).
While the E1/E2 and P1/P2 interfaces can be bonded to each other if the V10000 G2 runs in either Web Security only or Email Security only modes, they cannot be bonded when the appliance is in Web and Email Security mode.
If you use the P2 interface, the P1 interface is bound to eth0, and the P2 interface is bound to eth1. Keep this in mind when you configure Websense Content Gateway. For example, suppose you are using a transparent proxy deployment, and the P1 interface is connected to a WCCPv2 router. In this case, you must configure Websense Content Gateway to use eth0 for WCCP communications (in Content Gateway Manager, see Configure > Networking > WCCP, General tab).
Be sure that interface C can access the NTP server. If interface C does not have Internet access, you can install an NTP server locally on a subnet that can be accessed by interface C.
If you use both P1 and P2, the default gateway is automatically assigned to P2 (which is bound to eth1). To ensure that outbound packets can reach the Internet, do not locate the IP addresses of P1 and P2 in the same subnet.
Choose interface for transporting blocking information for non-HTTP and non-HTTPS traffic: If interface N transports blocking information, N must be connected to a bidirectional span port.
Default gateway for network interface N: Required only if network interface N carries blocking information.
If you use both E1 and E2, the default gateway and DNS configuration are shared by both.
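The addressing rules above can be checked against a planned layout before anything is typed into the Appliance Manager. The following is an added example, not part of the Websense documentation: the plan dictionary, its key names (`proxy_gateway`, `email_gateway`, `n_gateway`, `n_sends_blocking`) and the sample addresses are constructed for illustration, and the requirement that a default gateway be on-link is an assumption of the example.

```python
import ipaddress

def _on_link(gateway, networks):
    """True if the gateway address lies inside one of the given subnets."""
    return any(ipaddress.ip_address(gateway) in n for n in networks)

def check_plan(plan):
    """Return the problems found in a planned interface layout ([] = none)."""
    problems = []
    net = {name: ipaddress.ip_interface(f"{c['ip']}/{c['mask']}").network
           for name, c in plan["interfaces"].items()}
    proxy_nets = [net["P1"]]
    if "P2" in net:
        # Guide: P1 and P2 must not share a subnet, and with both in use
        # the default gateway is assigned to P2.
        if net["P1"].overlaps(net["P2"]):
            problems.append("P1 and P2 are in the same subnet")
        proxy_nets = [net["P2"]]
    # Assumption of this example: a default gateway must be on-link.
    if not _on_link(plan["proxy_gateway"], proxy_nets):
        problems.append("proxy default gateway is outside the subnet it is assigned to")
    # E1 and E2 share one default gateway; accept it on either subnet.
    email_nets = [net[i] for i in ("E1", "E2") if i in net]
    if email_nets and not _on_link(plan["email_gateway"], email_nets):
        problems.append("email default gateway is outside the E1/E2 subnets")
    # N needs a default gateway only when it carries blocking information.
    if plan.get("n_sends_blocking"):
        gw = plan.get("n_gateway")
        if gw is None:
            problems.append("N sends blocking information but has no default gateway")
        elif not _on_link(gw, [net["N"]]):
            problems.append("N default gateway is outside the N subnet")
    return problems

def _if(ip):  # constructed sample addresses, all /24
    return {"ip": ip, "mask": "255.255.255.0"}

GOOD_PLAN = {
    "interfaces": {"P1": _if("10.10.1.10"), "P2": _if("10.10.2.10"),
                   "N": _if("10.10.3.10"), "E1": _if("10.10.4.10")},
    "proxy_gateway": "10.10.2.1", "email_gateway": "10.10.4.1",
    "n_sends_blocking": True, "n_gateway": "10.10.3.1",
}
BAD_PLAN = {
    "interfaces": {"P1": _if("10.10.1.10"), "P2": _if("10.10.1.11"),
                   "N": _if("10.10.3.10"), "E1": _if("10.10.4.10")},
    "proxy_gateway": "10.10.1.1", "email_gateway": "10.10.4.1",
    "n_sends_blocking": True, "n_gateway": None,
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan) or "no problems")
```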
Follow these steps to enable default proxy caching, and Web and email filtering. See the Appliance Manager Help for detailed instructions on any field or area, or for information about other available settings.
2. Log on with the user name admin and the password set during initial appliance configuration.
3. In the left navigation pane, click Configuration > System.
4. Under Time and Date:
* Automatically synchronize with an NTP server: select this option to use a Network Time Protocol server. Specify up to three NTP servers. Use of an NTP server is recommended, to ensure that database downloads and time-based policies are handled precisely.
* Manually set time and date: select this option to enter a system time and date yourself.
c. Click Save in the Time and Date area.
5. In the left navigation pane, click Configuration > Network Interfaces.
6. Under Websense Content Gateway Interfaces, configure the P1 and P2 (optional) interfaces.
a. Select P1 only or P1 and P2.
If you choose P1 only, enter configuration information (IP address, subnet mask, default gateway, DNS IP addresses) under P1.
If you choose P1 and P2, enter configuration information under both P1 and P2. Note that default gateway and DNS configuration (under Shared Setting) are shared between both P1 and P2.
b. Click Save in the Websense Content Gateway Interfaces area when you are done.
Important 
When you use the P2 interface, the P1 interface is bound to eth0, and the P2 interface is bound to eth1. Keep this in mind when you configure Websense Content Gateway.
For example, suppose you are using transparent proxy, and the P1 interface is connected to the WCCPv2 router. In this case, you must configure Websense Content Gateway to use eth0 for WCCPv2 communications (in Content Manager, see Configure > Networking > WCCP, General tab).
Alternatively, you could use both P1 and P2 such that P1 handles inbound traffic and P2 handles outbound traffic. To enable this configuration, be sure to set appropriate routing rules for P1 and P2 on the Configuration > Routing page. For example, you might set outbound traffic to go through P2.
Additionally, you can use P1 as a communication channel for multiple Content Gateway servers in a cluster. In this scenario, P1 should not be used for outbound traffic. For additional information on clusters, see the Content Gateway Manager Help.
7. Under Network Agent Interface (N), configure the N interface.
The N interface is used by the Network Agent module. It must be connected to a span (or mirror) port on a switch, allowing it to monitor the Internet requests going through the switch. (Note: be sure to configure the switch so the span port is monitoring all the ports carrying the traffic of interest; see your switch manufacturer's documentation for configuration instructions.) For non-HTTP/HTTPS protocols, the N interface can also be used to send block information to enforce policy.
Note 
The appliance does not send block messages to users who are blocked from non-HTTP and non-HTTPS protocols.
a. Under Send blocking information for non-HTTP/HTTPS traffic via, select whether non-HTTP/HTTPS blocking information is sent via the C or N interface.
b. Enter IP address, subnet mask, default gateway (only if you select interface N for sending blocking information), and DNS IP addresses for the N interface.
c. Click Save in the Network Agent Interface (N) area.
8. Under Websense Email Security Gateway Interfaces (E1 and E2), configure the E1 and E2 (optional) interfaces.
a. Select whether E1 only or both E1 and E2 are used.
If you choose E1 only, enter configuration information (IP address, subnet mask, default gateway, DNS IP addresses) under E1.
If you choose E1 and E2, enter configuration information under both E1 and E2. Note that default gateway and DNS configuration (under Shared Setting) are shared between both E1 and E2.
b. Click Save in the Websense Email Security Gateway Interfaces (E1 and E2) area when you are done.
a. In the left navigation pane, click Configuration > Routing.
b. Under Static Routes, use the Add/Import button to specify customized, static routes.
c. Under Module Routes, use the Add button to specify non-management Web Security or Email Security traffic through the C interface.
d. For either static or module routes, use the Delete button to remove existing routes, if necessary.
Note 
An existing route cannot be edited. If you want to edit a route, delete it and then use the Add/Import (static) or Add (module) button to specify the route with the changes you want.
a. In the left navigation pane, click Configuration > Web Security Components.
* Choose Full policy source if Websense Policy Broker and Policy Database for your deployment will run on the appliance being configured. (Only one appliance in the network runs these two components, as well as the other filtering components.) Policy Server must also be run on the full policy source appliance; Policy Server can run in multiple locations.
Note 
If Policy Broker runs on an appliance, only on-appliance instances of Policy Server can communicate with Policy Broker. In this case, Policy Server cannot be installed off-appliance. If Policy Broker is installed off-appliance, however, both on-appliance and off-appliance instances of Policy Server can communicate with it.
* Choose User directory and filtering if the appliance currently being configured is not the location of the policy information, but will run Policy Server and User Service. Then, enter the IP address of the server that is used as the full policy source—a machine running Policy Broker. (If the full policy source is another appliance, enter the IP address of its C network interface.)
* Choose Filtering only if the appliance being configured will not run any policy components. (There are some disadvantages to this reduced role, as explained in the Appliance Manager help system.) Then, enter the IP address of the server that is used as the policy source—a machine running Policy Server. The policy source can also be another appliance in full policy source or user directory and filtering mode. In this case, enter the IP address of the appliance's C network interface.
11. Click Save.
12. Click Log Off, at the top right, when you are ready to log off Appliance Manager.