Deployment and Installation Center
Websense TRITON Enterprise v7.6.x


Note 
If you have already completed the appliance setup steps provided in the Websense V-Series Getting Started guide, skip to Installing off-appliance or optional components now.
The Quick Start poster, which comes in the shipping box with your appliance, shows you all items included in each Websense appliance shipping box. The 2-page Quick Start explains how to set up the hardware and shows how to connect the cables to the appliance and to your network.
Network interface C and the proxy interface (typically P1) must be able to access a DNS server. Both interfaces typically have continuous access to the Internet. Essential databases are downloaded from Websense servers through these interfaces.
* Ensure that interfaces C and P1 are able to access the download servers at download.websense.com. (As an alternative, some sites configure the P1 proxy interface to download the Websense Master Database as well as other security updates. In that situation, interface C does not require Internet access.)
* Make sure that this address is permitted by all firewalls, proxy servers, routers, or host files that control the URLs that the C and P1 interfaces can access.
After hardware setup, connect directly to the appliance through the serial port or the monitor and keyboard ports. For serial port activation, use:
The first time you start a Websense appliance, a brief script (firstboot) prompts you to supply settings for the network interface labeled C and a few other general items. You can run the script again if you want to examine your settings or change settings. You can also change settings through the Appliance Manager (browser-based management application) after firstboot has been executed.
Gather the following information before running firstboot. Some of this information may have been written down on the Quick Start during hardware setup.
                                       
Note:
* P1 or P2 to download Master URL database updates from Websense (Web Security mode)
Configuring these interfaces to access the Internet for database downloads is done through the Appliance Manager and through the TRITON Unified Security Center. See the Appliance Manager Help for information about configuring the interfaces. See the TRITON - Web Security Help for information about configuring database downloads.
Note 
To configure the appliance, connect through the serial port or the keyboard/video ports and complete the firstboot script. For serial port activation, use:
3. When asked if you want to begin, enter yes to launch the firstboot activation script.
4. At the first prompt, select a Web Security only mode:
After the activation script has been completed successfully, use the Logon Portal to access the Appliance Manager. To reach the Logon Portal, open a supported browser, and enter this URL in the address bar:
The Appliance Manager is the Web-based configuration interface for the appliance. Through it you can view system status, configure network and communication settings, and perform general appliance administration tasks.
After completing the initial configuration required by the firstboot script, use the Appliance Manager to configure important settings for network interfaces N and P1 (and optionally P2), which are used for communications by Network Agent and Websense Content Gateway. Appliance models V10000 and V10000 G2 also offer expansion interfaces (E1 and E2) that can be bonded with P1 and P2, respectively, either for load balancing or standby. Note that on a V5000 G2, there are no E1 and E2 interfaces.
If you use the P2 interface, the P1 interface is bound to eth0, and the P2 interface is bound to eth1. Keep this in mind when you configure Websense Content Gateway. For example, suppose you are using a transparent proxy deployment, and the P1 interface is connected to a WCCP router. In this case, you must configure Websense Content Gateway to use eth0 for WCCP communications (in Content Gateway Manager, see Configure > Networking > WCCP, General tab).
Gather the following information before running the Appliance Manager. Some of this information may have been written on the Quick Start during hardware setup.
Be sure that interface C can access the NTP server. If interface C does not have Internet access, you can install an NTP server locally on a subnet that can be accessed by interface C.
If both P1 and P2 are used, the default gateway is automatically assigned to whichever interface is in the same subnet with it. If both P1 and P2 are in the same subnet, the default gateway is automatically assigned to P2 (which is bound to eth1).
Choose interface for transporting blocking information for non-HTTP and non-HTTPS traffic (interface C or interface N). If interface N transports blocking information, N must be connected to a bidirectional span port.
Default gateway for network interface N (required only if network interface N carries blocking information)
Bond expansion interface E1 to P1? Yes or No (optional; V10000 or V10000 G2 only)
Bond expansion interface E2 to P2? Yes or No (optional; V10000 or V10000 G2 only)
* User directory and filtering (you must specify the IP address of a machine running Policy Broker, which can be a full policy source appliance)
* Filtering only (you must specify the IP address of a machine running Policy Server, which can be a full policy source or user directory and filtering appliance)
TRITON Unified Security Center location (user interface for managing Web Security Gateway)
TRITON Unified Security Center can run on this appliance or on a separate Windows server. By default it is enabled to run on the appliance. During the setup procedure below you will decide where it should run.
Note:
Organizations with high traffic volume or large reporting needs are encouraged to install and run TRITON Unified Security Center on a separate Windows server, to optimize performance.
Follow these steps to enable default proxy caching and filtering. See the Appliance Manager Help for detailed instructions on any field or area, or for information about other available settings.
2. Log on with the user name admin and the password set during initial appliance configuration.
3. In the left navigation pane, click Configuration > System.
4. Under Time and Date:
   * Automatically synchronize with an NTP server: select this option to use a Network Time Protocol server. Specify up to three NTP servers. Use of an NTP server is recommended, to ensure that database downloads and time-based policies are handled precisely.
   * Manually set time and date: select this option to enter a system time and date yourself.
   c. Click Save in the Time and Date area.
5. In the left navigation pane, click Configuration > Network Interfaces.
6. Under Websense Content Gateway Interfaces, configure the P1 and P2 (optional) interfaces.
   a. Select whether P1 only or both P1 and P2 are used.
      If you choose P1 only, enter configuration information (IP address, subnet mask, default gateway, DNS IP addresses) under P1.
      If you choose P1 and P2, enter configuration information under both P1 and P2. Note that default gateway and DNS configuration (under Shared Setting) are shared between both P1 and P2.
   b. Click Save in the Websense Content Gateway Interfaces area when you are done.
Important 
When you use the P2 interface, the P1 interface is bound to eth0, and the P2 interface is bound to eth1. Keep this in mind when you configure Websense Content Gateway.
For example, suppose you are using transparent proxy, and the P1 interface is connected to the WCCP router. In this case, you must configure Websense Content Gateway to use eth0 for WCCP communications (in Content Gateway Manager: Configure > Networking > WCCP, General tab).
Alternatively, you could use both P1 and P2 such that P1 handles inbound traffic and P2 handles outbound traffic. To enable this configuration, be sure to set appropriate routing rules for P1 and P2 on the Configuration > Routing page. For example, you might set outbound traffic to go through P2.
Additionally, you can use P1 as a communication channel for multiple Content Gateway servers in a cluster. In this scenario, P1 cannot be used for outbound traffic. For additional information on clusters, see the Content Gateway Manager Help.
7. Under Network Agent Interface (N), configure the N interface.
   The N interface is used by the Network Agent module. It must be connected to a span (or mirror) port on a switch, allowing it to monitor Internet requests going through the switch. (Note: be sure to configure the switch so the span port is monitoring all the ports carrying the traffic of interest; see your switch manufacturer's documentation for configuration instructions.) For non-HTTP/HTTPS protocols, the N interface can also be used to send block information to enforce policy.
   Note
   The appliance does not send block messages to users who are blocked from non-HTTP and non-HTTPS protocols.
   a. Under Send blocking information for non-HTTP/HTTPS traffic via, select whether non-HTTP/HTTPS blocking information is sent via the C or N interface.
   b. Enter IP address, subnet mask, default gateway (only if you select interface N for sending blocking information), and DNS IP addresses for the N interface.
   c. Click Save in the Network Agent Interface (N) area.
8. Under Expansion Interfaces (E1 and E2), choose whether to bond to P1 and P2 interfaces. (This applies to the V10000 and V10000 G2 only; E1 and E2 interfaces are not present on the V5000 G2.)
   Interfaces E1 and E2 can be cabled to your network and then bonded through software configuration to P1 and P2 (the Websense Content Gateway interfaces). If you choose to bond the interfaces, E1 must be bonded to P1 and E2 to P2. No other pairing is possible.
   You can choose to bond or not bond each Websense Content Gateway interface (P1 and P2) independently. You do not have to bond at all. You do not have to bond both. Also, you can choose different bonding modes for P1 and P2 (e.g., P1/E1 could be Active/Standby while P2/E2 could be Load balancing).
   a. Under E1, select the check box for Bond to P1 interface.
      * Active/Standby: Select this for failover. P1 is active, and E1 is in standby mode. Only if the primary interface fails would its bonded interface (E1) become active.
      * Load balancing: Select this for load balancing. If your switch or router supports load balancing, then traffic to and from the primary interface is balanced between the primary interface (P1) and its bonded interface (E1).
   c. Click Save in the Expansion Interfaces (E1 and E2) area.
   Follow the instructions above for bonding E1 to P1, substituting E2 in place of E1 and P2 in place of P1. Make sure P2 is enabled. Otherwise the E2 options will be inactive. (See Step 6 for instructions on activating P2.)
   a. In the left navigation pane, click Configuration > Routing.
   b. Under Static Routes, use the Add/Import button to specify customized, static routes.
   c. Under Module Routes, use the Add button to specify non-management Web Security or Email Security traffic through the C interface.
   d. For either static or module routes, use the Delete button to remove existing routes, if necessary.
Note 
An existing route cannot be edited. If you want to edit a route, delete it and then use the Add/Import (static) or Add (module) button to specify the route with the changes you want.
   a. In the left navigation pane, click Configuration > Web Security Components.
      * Choose Full policy source if Websense Policy Broker and Policy Database for your deployment will run on the appliance being configured. (Only one appliance in the network runs these two components, as well as the other filtering components.) Policy Server must also be run on the full policy source appliance; Policy Server can run in multiple locations.
        Note
        If Policy Broker runs on an appliance, only on-appliance instances of Policy Server can communicate with Policy Broker. In this case, Policy Server cannot be installed off-appliance. If Policy Broker is installed off-appliance, however, both on-appliance and off-appliance instances of Policy Server can communicate with it.
      * Choose User directory and filtering if the appliance currently being configured is not the location of the policy information, but will run Policy Server and User Service. Then, enter the IP address of the machine running Policy Broker (i.e., the policy source). The policy source can be another appliance that is running in full policy source mode. In this case, enter the IP address of that appliance's C network interface.
      * Choose Filtering only if the appliance being configured will not run any policy components. (There are some disadvantages to this reduced role, as explained in the Appliance Manager help system.) Then, enter the IP address of the machine serving as policy source, which in this case is a machine running Policy Server. The policy source can also be another appliance running in either full policy source or user directory and filtering mode. In this case, enter the IP address of that appliance's network interface C.
   c. Click Save.
a.
b. Under TRITON - Web Security, select Off.
Web Security Gateway Anywhere requires both the Web and Data Security modules of the TRITON Unified Security Center. TRITON Unified Security Center must be installed off the appliance.
12. Click Log Off, at the top right, when you are ready to log off Appliance Manager.
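
The interface rules stated in this procedure (which P interface receives the default gateway, the eth0/eth1 binding that WCCP must match, the E1/E2 bonding limits, and the gateway requirement for N) can be checked against a planned configuration before it is entered in the Appliance Manager. The following Python is an added example, not Websense code; the plan dictionary, its keys and the sample addresses are hypothetical, and it rejects overlapping P1/P2 subnets because the page does not say how the appliance handles them.

```python
import ipaddress

# From the page: E1/E2 exist only on these models; with P2 in use, P1=eth0, P2=eth1.
BONDABLE_MODELS = {"V10000", "V10000 G2"}
ETH_WHEN_P2_USED = {"P1": "eth0", "P2": "eth1"}

def gateway_owner(gateway, p1, p2=None):
    """Return 'P1' or 'P2', the interface that gets the default gateway."""
    gw = ipaddress.ip_address(gateway)
    net1 = ipaddress.ip_interface(p1).network      # p1 is 'address/prefix'
    if p2 is None:
        if gw not in net1:                         # general IP rule, not from the page
            raise ValueError("default gateway is outside the P1 subnet")
        return "P1"
    net2 = ipaddress.ip_interface(p2).network
    if net1 == net2 and gw in net2:
        return "P2"                                # same subnet: the page says P2
    hits = [name for name, net in (("P1", net1), ("P2", net2)) if gw in net]
    if len(hits) != 1:                             # no match, or overlapping subnets
        raise ValueError("default gateway matches %d P subnets" % len(hits))
    return hits[0]

def check_plan(plan):
    """Return (gateway owner or None, list of problems) for a planned setup.
    The plan dict and its keys are hypothetical, made up for this example."""
    problems, owner = [], None
    p2, bonds = plan.get("p2"), plan.get("bond", set())
    try:
        owner = gateway_owner(plan["gateway"], plan["p1"], p2)
    except ValueError as exc:
        problems.append(str(exc))
    if bonds and plan["model"] not in BONDABLE_MODELS:
        problems.append("E1/E2 bonding needs a V10000 or V10000 G2")
    if "E2" in bonds and p2 is None:
        problems.append("E2 bonds only to P2, and P2 is not enabled")
    if plan.get("block_via") == "N" and not plan.get("n_gateway"):
        problems.append("N sends blocking information but has no gateway")
    wccp = plan.get("wccp")          # (P interface cabled to router, device set in WCG)
    if p2 and wccp and ETH_WHEN_P2_USED[wccp[0]] != wccp[1]:
        problems.append("WCCP is cabled to %s but set to use %s" % wccp)
    return owner, problems

# Constructed sample plan; the addresses are placeholders.
SAMPLE = {"model": "V5000 G2", "p1": "10.1.1.10/24", "p2": "10.1.2.10/24",
          "gateway": "10.1.2.1", "bond": {"E1"}, "block_via": "N",
          "wccp": ("P1", "eth1")}

if __name__ == "__main__":
    print(check_plan(SAMPLE))
```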