Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page
Deployment and Installation Center > Preparing for installation
Preparing for installation
Deployment and Installation Center | Web, Data, and Email Security Solutions | Version 7.8.x
Applies to:                                         
In this topic                                       
*
Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere, v7.8.x
*
Data Security, v7.8.x
*
Email Security Gateway and Email Security Gateway Anywhere, v7.8.x
*
V-Series Appliances, v7.8.x
*
All Websense TRITON solutions
*
TRITON Unified Security Center
*
Web Security
*
Data Security
All Websense TRITON solutions
Before installing any Websense TRITON solution, make sure that you have completed all of the preparations noted below:
Windows-specific considerations
*
Make sure all Microsoft updates have been applied. There should be no pending updates, especially any requiring a restart of the system.
*
In addition to the space required by the Websense installer itself, roughly 2 GB of disk space is required on the Windows installation drive (typically C) to accommodate temporary files extracted as part of the installation process.
For information on disk space requirements, see Hardware requirements.
*
The TRITON Unified Installer requires the following versions of .NET Framework, depending on your operating system version:
*
Windows Server 2008 R2: Use version 2.0 or higher. If .NET 2.0 is not already installed, it is available from www.microsoft.com.
*
Windows Server 2012: Version 3.5 is required. If .NET 3.5 is not already installed, it can be added via Server Manager.
Note that .NET Framework 3.5 must be installed before adding any language packs to the operating system (as noted in the following article from Microsoft: http://download.microsoft.com/download/D/1/0/D105DCF6-AC6C-439D-8046-50C5777F3E2F/microsoft-.net-3.5-deployment-considerations.docx).
*
Both .NET Framework 2.0 and 3.5 SP1 are required if you are installing SQL Server Express.
Getting the Websense software installers
The TRITON Unified Installer is used to install or upgrade the TRITON management server, Web Security solutions, Data Security solutions, Email Security management and reporting components, and SQL Server 2008 R2 Express on supported Windows servers.
There are separate installers for installing Web Security components and Content Gateway on supported Linux servers.
Download the Windows and Linux installers from mywebsense.com.
*
The TRITON Unified Installer executable is named WebsenseTRITON784Setup.exe. Double-click it to start the installation process.
If you have previously run the Websense installer on a machine, and you selected the Keep installation files option, you can restart the installer without extracting all of the files a second time.
*
Windows Server 2012: Go to the Start screen and click the Websense TRITON Setup icon.
*
Windows Server 2008 R2: Go to Start > All Programs > Websense > Websense TRITON Setup.
Note that the files occupy approximately 2 GB of disk space.
*
The Web Security Linux installer is WebsenseWeb784Setup_Lnx.tar.gz.
*
The Content Gateway installer is WebsenseCG784_Lnx.tar.gz.
Domain Admin privileges
Websense components are typically distributed across multiple machines. Additionally, some components access network directory services or database servers. To perform the installation, it is a best practice to log in to the machine as a user with domain admin privileges. Otherwise, components may not be able to properly access remote components or services.
 
* 
Important 
If you plan to install SQL Server 2008 R2 Express and will use it to store and maintain Web Security data, log in as a domain user to run the TRITON Unified Installer.
Synchronizing clocks
If you are distributing Websense components across different machines in your network, synchronize the clocks on all machines where a Websense component is installed. It is a good practice to point the machines to the same Network Time Protocol server.
 
* 
Note 
If you are installing components that will work with a Websense V-Series appliance, you must synchronize the machine's system time to the appliance's system time.
Antivirus
Disable any antivirus on the machine prior to installing Websense components. Be sure to re-enable antivirus after installation. Certain Websense files should be excluded from antivirus scans to avoid performance issues; see Excluding Websense files from antivirus scans.
No underscores in FQDN
Do not install Websense components on a machine whose fully-qualified domain name (FQDN) contains an underscore. The use of an underscore character in an FQDN is inconsistent with Internet Engineering Task Force (IETF) standards.
 
* 
Note 
Further details of this limitation can be found in the IETF specifications RFC-952 and RFC-1123.
Disable UAC and DEP
Before beginning the installation process, disable User Account Control (UAC) and Data Execution Prevention (DEP) settings, and make sure that no Software Restriction Policies will block the installation.
TRITON Unified Security Center
In addition to the other general preparation actions described in this section:
*
Do not install the TRITON Unified Security Center on a domain controller machine.
*
If you want to run Microsoft SQL Server on the TRITON management server, use the Websense installer to install SQL Server 2008 R2 Express.
If you are using a remote installation of SQL Server, you can use any of the supported versions (see System requirements for this version).
SQL Server 2008 R2 Express
The following third-party components are required to install Microsoft SQL Server 2008 R2 Express. Although the Websense installer will install these components automatically if they are not found, it is a best practice to install the components first, before running the Websense installer.
*
.NET Framework 3.5 SP1
Because the installer requires .NET 2.0, both .NET 2.0 and 3.5 SP1 are required if you are installing SQL Server Express.
*
Windows Installer 4.5
*
Windows PowerShell 1.0
PowerShell is available from Microsoft (www.microsoft.com).
If you will use SQL Server 2008 R2 Express to store and maintain Web Security data, log in to the machine as a domain user to run the Websense installer. This ensures that Service Broker, installed as part of SQL Server 2008 R2 Express, can authenticate itself against a domain (required).
Web Security
In addition to the general preparation actions (above), Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere components have the following additional requirements.
Filtering Service Internet access
To download the Websense Master Database and enable policy enforcement, each machine running Websense Filtering Service must be able to access the download servers at:
*
download.websense.com
*
ddsdom.websense.com
*
ddsint.websense.com
*
portal.websense.com
*
my.websense.com
Make sure that these addresses are permitted by all firewalls, proxy servers, routers, or host files that control the URLs that Filtering Service can access.
Firewall
Disable any firewall on the machine prior to installing Websense components. Be sure to disable it before starting the Websense installer and then re-enable it after installation. Open ports as required by the Websense components you have installed.
 
* 
Note 
The Websense installer adds two inbound rules to the public profile of Windows Firewall. Ports 9443 and 19448 are opened for TRITON Infrastructure. These ports must be open to allow browsers to connect to the TRITON Unified Security Center. Also, additional rules may be added to Windows Firewall when installing Websense Data Security components.
See Websense TRITON Enterprise default ports for more information about ports used by Websense components.
Computer Browser Service
To run User Service or DC Agent on a supported Windows server, the Computer Browser Service must be running.
*
On most machines, the service is disabled by default.
*
If the service is stopped, the installer will attempt to enable and start it. If this fails, the component installs and starts, but users are not identified until you enable and start the Computer Browser service.
Network Agent
If you are installing Network Agent, ensure that the Network Agent machine is positioned to be able to monitor and respond to client Internet requests.
In standalone installations (which do not include Content Gateway or a third-party integration product), if you install Network Agent on a machine that cannot monitor client requests, basic policy enforcement and features such as protocol management and Bandwidth Optimizer cannot work properly.
 
* 
Important 
Do not install Network Agent on a machine running a firewall. Network Agent uses packet capturing that may conflict with the firewall software.
The network interface card (NIC) that you designate for use by Network Agent during installation must support promiscuous mode. Promiscuous mode allows a NIC to listen to IP addresses other than its own. If the NIC supports promiscuous mode, it is set to that mode by the Websense installer during installation. Contact your network administrator or the manufacturer of your NIC to see if the card supports promiscuous mode.
On Linux, do not choose a NIC without an IP address (stealth mode) for Network Agent communications.
 
* 
Note 
If you install Network Agent on a machine with multiple NICs, after installation you can configure Network Agent to use more than one NIC. See the "Network Configuration" topic in the Web Security Help for more information.
Network Agent using multiple NICs on Linux
If Network Agent is installed on a Linux machine, using one network interface card (NIC) for blocking and another NIC for monitoring, make sure that either:
*
The blocking NIC and monitoring NIC have IP addresses in different network segments (subnets).
*
You delete the routing table entry for the monitoring NIC.
If both the blocking and monitoring NIC on a Linux machine are assigned to the same subnet, the Linux operating system may attempt to send the block via the monitoring NIC. If this happens, the requested page or protocol is not blocked, and the user is able to access the site.
Installing on Linux
Most Web Security components can be installed on Linux. If you are installing on Linux complete the instructions below.
SELinux
Before installing, if SELinux is enabled, disable it or set it to permissive.
Linux firewall
If Websense software is being installed on a Linux machine on which a firewall is active, shut down the firewall before running the installation.
1.
Open a command prompt.
2.
Enter service iptables status to determine if the firewall is running.
3.
If the firewall is running, enter service iptables stop.
4.
After installation, restart the firewall. In the firewall, be sure to open the ports used by Websense components installed on this machine. See Websense TRITON Enterprise default ports.
 
* 
Important 
Do not install Websense Network Agent on a machine running a firewall. Network Agent uses packet capturing that may conflict with the firewall software. See Network Agent.
Hostname
If, during the installation, you receive an error regarding the /etc/hosts file, use the following information to correct the problem. For versions prior to 7.8.2, use this information to edit your /etc/hosts file prior to running the installer.
When installing to a Linux machine, the hosts file (by default, in /etc) should contain a hostname entry for the machine, in addition to the loopback address. (Note: you can check whether a hostname has been specified in the hosts file by using the hostname -f command.)
To configure hostname:
1.
Set the hostname:
hostname <host>
Here, <host> is the name you are assigning this machine.
2.
Also update the HOSTNAME entry in the /etc/sysconfig/network file:
HOSTNAME=<host>
3.
In the /etc/hosts file, specify the IP address to associate with the hostname. This should be static, and not served by DHCP. Do not delete the second line in the file, the one that begins with 127.0.0.1 (the IPv4 loopback address). And do not delete the third line in the file, the on that begins ::1 (the IPv6 loopback address).
<IP address> <FQDN> <host>
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
Here, <FQDN> is the fully-qualified domain name of this machine (i.e., <host>.<subdomains>.<top-level domain>)—for example, myhost.example.com—and <host> is the name assigned to the machine.
 
* 
Important 
The hostname entry you create in the hosts file must be the first entry in the file.
TCP/IP only
Websense software supports only TCP/IP-based networks. If your network uses both TCP/IP- and non-IP-based network protocols, only users in the TCP/IP portion of the network are filtered.
Data Security
See below for information about preparing to install Data Security components.
Do not install Data Security Server on a DC
Do not install Data Security Server on a domain controller (DC) machine.
Domain considerations
The servers running the Data Security software can be set as part of a domain or as a separate workgroup. If you have multiple servers or want to perform run commands on file servers in response to discovery, we recommend you make the server or servers part of a domain.
However, strict GPOs may interfere and affect system performance, and even cause the system to halt. Hence, when putting Data Security servers into a domain, it is advised to make them part of organizational units that don't enforce strict GPOs.
Also, certain real-time antivirus scanning can downgrade system efficiency, but that can be relieved by excluding some directories from that scanning (see Excluding Websense files from antivirus scans). Please contact Websense Technical Support for more information on enhancing performance.

Go to the table of contents Go to the previous page Go to the next page
Deployment and Installation Center > Preparing for installation
Copyright 2016 Forcepoint LLC. All rights reserved.