Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
v7.8.2 Release Notes for Websense® Content Gateway : New in Websense Content Gateway v7.8.2
New in Websense Content Gateway v7.8.2
Topic 60087 | Web Security Gateway and Gateway Anywhere | 13-Mar-2014
Content Gateway stability and performance were the focus of v7.8.2. This release also includes responses to customer issues and support for the lastest operating systems and browsers.
Platform Support
Content Gateway runs on 64-bit platforms only.
 
* 
Important 
If you are planning to upgrade to version 7.8.2, and Content Gateway is currently hosted on a 5-series version of Red Hat Enterprise Linux, you must upgrade the operating system upgrade to Red Hat Enterprise Linux 6-series as part of the Content Gateway upgrade process. Red Hat Enterprise Linux 6.4 or 6.5 is recommended.
See Upgrading Websense Web Security solutions to find your upgrade procedure, which includes operating system upgrade instructions.
Content Gateway is certified on:
*
Red Hat Enterprise Linux 6 series, 64-bit, Basic Server
*
Kernel version for 6.5: 2.6.32-431
*
Kernel version for 6.4: 2.6.32-358
*
V-Series appliances
Content Gateway is supported on:
*
Red Hat Enterprise Linux 6 series, 64-bit, Basic Server
*
Kernel version for 6.3: 2.6.32-279
*
Kernel version for 6.2: 2.6.32-220
*
Kernel version for 6.1: 2.6.32-131
*
Kernel version for 6.0: 2.6.32-71
*
The corresponding CentOS versions, including updates 3 and 4 (CentOS version numbers have a one-to-one correspondence with Red Hat Enterprise Linux version numbers)
Only kernels listed above are certified or supported. Visit www.redhat.com for kernel information. To display the kernel version installed on your system, enter the command:
/bin/uname -r
Websense, Inc. provides "best effort" support for the version of Red Hat Enterprise Linux and CentOS listed above. Under "best effort" support, Websense Technical Support makes a best effort to troubleshoot cases in standard fashion until the issue is deemed a Red Hat Enterprise Linux- or CentOS-specific issue, at which point you must contact Red Hat directly for assistance.
Websense recommends that the Red Hat Enterprise Linux version that will host Content Gateway be updated to the latest patch before running the version 7.8.2 Content Gateway installer.
Websense also recommends that Red Hat Enterprise Linux systems that host Content Gateway be registered with Red Hat Network and kept up-to-date with the latest security patches.
 
* 
Important 
You can update packages on your Red Hat Enterprise Linux installations and patch kernels if the underlying kernel upgrade does not change the kernel ABI.
 
* 
Important 
Content Gateway is designed to run on a dedicated machine and is not guaranteed to be compatible with other server applications installed on the same machine.
For a complete description of platform requirements, see Hardware requirements and Operating system and software requirements.
Improved IWA support for load balanced environments
Although IWA with a load balancer is supported in custom configured v7.7.3 deployments (Websense Technical Support assisted in these configurations), IWA with a load balancer is not supported in v7.8.1. Support is again provided in v7.8.2.
 
* 
Important 
After upgrade to v7.8.2 check and, if necessary, rejoin IWA domains.
With Websense Content Gateway, Integrated Windows Authentication (IWA) uses the Kerberos protocol, with NTLM fallback.
In a load balanced environment, because the clients point to a FQDN that does not match the Content Gateway hostname, they receive a Kerberos ticket that Content Gateway cannot decrypt.
Normally, Content Gateway would be configured to share the hostname of the load balancer, but this is not possible when the load balancer requires hostname resolution (as with DNS-based load balancing).
In these cases, Content Gateway must be configured to use a custom keytab that corresponds to the load balancer's hostname for decryption.
Samba's implementation of Kerberos prevents this, because it requires keytab entries to match the service's hostname.
Starting in v7.8.2, this can be addressed with a 3-step solution.
 
* 
Important 
If your Content Gateway instances reside on a Websense appliance, contact Websense Technical Support for assistance with this procedure.
*
Step 1: Add the custom SPN to the Kerberos domain (Active Directory) under the account object that Content Gateway used to join the domain.
You can use the following command at the Windows command prompt:
setspn -A <SPN> <content_gateway_hostname>
*
Step 2: Edit the keytab principals parameter in smb.conf.
The parameter's value specifies a custom SPN entry. Samba rejects SPN entries that do not match the hostname of the service server.
The Kerberos decryption process now also matches against the custom SPNs in smb.conf, in the case that default matching fails.
Specify the custom SPN in smb.conf as follows:
keytab principals = HTTP/<custom SPN>.<domain>@<JOINED REALM>
This prompts Content Gateway to attempt decryption with a keytab entry that matches the above hostname.
You must restart Content Gateway for the change to go into effect.
*
Step 3: Add the keytab entry via Samba.
The parameter in the file smb.conf enables the use of a specific custom SPN, but the Samba update is necessary to complete the configuration.
1.
To create a custom SPN entry in the keytab file, navigate to:
/opt/WCG/contrib/samba/jails/<joined realm>
2.
Enter the chroot command.
3.
Run the following command:
net ads keytab add <custom SPN>@<joined realm> -U <domain user>
A password prompt appears. If authentication is succesful, the custom SPN is added into the keytab file.
4.
Windows caches clients' authentication. To ensure that all previous authentication is cleared, restart any clients that might have connected before this change was made.
Note that if the Content Gateway machine leaves and rejoins the domain, /opt/WCG/contrib/samba/jails/<joined realm> gets wiped and recreated, so Samba must be reconfigured.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
v7.8.2 Release Notes for Websense® Content Gateway : New in Websense Content Gateway v7.8.2
Copyright 2016 Forcepoint LLC. All rights reserved.