Preparing to install Websense Content Gateway
Deployment and Installation Center | Web Security Solutions | Version 7.7.x
 
 
Before installing Websense Content Gateway (Content Gateway) on a machine, perform the following tasks and consider the following issues.
Downloading the installer
1. Download the WebsenseCG77Setup_Lnx.tar.gz installer tar archive from mywebsense.com to a temporary directory.
   For version 7.7.x the name is: WebsenseCG77xSetup_Lnx.tar.gz
2. mkdir wcg_v77
   mv <installer tar archive> wcg_v77
3. cd wcg_v77
4. tar -xvzf <installer tar archive>
Internet connectivity
It is recommended that the Content Gateway machine have Internet connectivity before starting the installation procedure. The software will install without Internet connectivity, but analytic database updates cannot be performed until Internet connectivity is available.
Security of the Content Gateway machine
Consider these security issues prior to installing Content Gateway:
Physical security
Physical access to the system can be a security risk. Unauthorized users could gain access to the file system, and under more extreme circumstances, examine traffic passing through Content Gateway. It is strongly recommended that the Content Gateway server be locked in an IT closet and that a BIOS password be enabled.
Root permissions
Ensure that root permissions are restricted to a select few persons. This important restriction helps preclude unauthorized access to the Websense Content Gateway file system.
Ports
For a list of default ports, see Content Gateway ports. They must be open to support the full set of Websense Web Security Gateway features.
Note: Restrict inbound traffic to as few other ports as possible on the Websense Content Gateway server. In addition, if your subscription does not include certain features, you can restrict inbound traffic to the unneeded ports. For example, if your subscription does not include Websense Data Security, you may choose to restrict inbound traffic to those ports related to Websense Data Security.
IPTables Firewall
If your server is running the Linux IPTables firewall, you must configure the rules in a way that enables Content Gateway to operate effectively. See the IPTables for Content Gateway article in the Websense Technical Library.
Explicit or Transparent Proxy
Content Gateway can be used as an explicit or transparent proxy. This section contains the following topics:
Explicit proxy
Explicit proxy deployment requires directly pointing client Web browsers (and other client applications) to Content Gateway for HTTP, and optionally, HTTPS and FTP traffic. This is accomplished by using a PAC file, WPAD, or by having the user edit browser settings to point to Content Gateway.
One issue to consider with explicit deployment is that a user can point his or her browser to another destination to bypass Content Gateway. You can address this by setting and propagating browser configuration in your organization through Group Policy, a Windows Server feature. For more information about Group Policy, search the Microsoft TechNet Web site at http://technet.microsoft.com. An additional way to mitigate the risk of users bypassing Content Gateway is the use of corporate outbound firewall rules.
Multiple proxies can provide for redundancy using Virtual Router Redundancy Protocol (VRRP). Using a single IP address, requests are sent to an alternate proxy in the event of failure. VRRP is not invoked until there is a failure with one of the proxies. See RFC 3768 for information on VRRP.
Configuring client browsers for explicit proxy
For explicit proxy deployments, you must configure each client browser to send Internet requests to Content Gateway, over the ports that Content Gateway uses for the associated protocol.
The default proxy port in Content Gateway for both HTTP and HTTPS traffic is 8080. The default port for FTP is 2121.
Use the instructions below to configure client browsers manually. Alternatively, use a PAC or WPAD file to configure client browsers.
Configuring Internet Explorer 8.0 and later for explicit proxy
1. In Internet Explorer, select Tools > Internet Options > Connections > LAN Settings.
2. Select Use a proxy server for your LAN.
3. Click Advanced.
4. For HTTP, enter the Content Gateway IP address and specify port 8080.
5. For Secure, enter the Content Gateway IP address and specify port 8080.
6. Clear Use the same proxy server for all protocols.
7. Click OK to close each screen in this dialog box.
Configuring Firefox 5.x for explicit proxy
1. In Firefox, select Tools > Options > Advanced, and then select the Network tab.
2. Select Settings.
3. Select Manual proxy configuration.
4. For HTTP Proxy, enter the Content Gateway IP address and specify port 8080.
5. For SSL Proxy, enter the Content Gateway IP address and specify port 8080.
6. Click OK to close each screen in this dialog box.
Transparent proxy
In transparent proxy deployments, client requests are intercepted and redirected to Content Gateway, without client involvement, via a WCCPv2-enabled router or Layer 4 switch in your network. In a multiple-proxy (cluster) deployment, a WCCPv2-enabled router also supports load distribution among proxies.
See Content Gateway Manager Help for additional information on configuring a WCCPv2-enabled router or a Layer 4 switch, and about the ARM (Adaptive Redirection Module).
System requirements for Websense Content Gateway
Hardware
 
*
Must not be part of a software RAID
To support transparent proxy deployments
Software
Content Gateway version 7.7.3 and 7.7.4 are certified on all of the Red Hat Enterprise Linux versions that 7.7.0 is certified on, plus:
*
Content Gateway version 7.7.0 is certified on:
*
*
*
Although not certified, Websense, Inc. provides "best effort" support for newer versions of Red Hat Enterprise Linux. Under "best effort" support, Websense Technical Support makes a best effort to troubleshoot cases in standard fashion unless the issue is deemed a Red Hat Enterprise Linux-specific issue, at which point you must contact Red Hat directly for assistance.
Only kernels shipped with the above Linux versions are supported by Websense Content Gateway. Visit www.redhat.com for kernel information. To display the kernel version installed on your system, enter the command:
/bin/uname -r
For more information on installing on Red Hat Enterprise Linux, see Requirements for Red Hat Enterprise Linux.
Websense Web filtering components
Versions must match. When version 7.7.0 of Content Gateway is used, TRITON – Web Security must be version 7.7.0. When version 7.7.4 is used, TRITON – Web Security must be version 7.7.4.
Integration with Websense Data Security
Content Gateway v7.7.0 must be used with Data Security v7.7.0 to take advantage of the co-located Data Security policy engine.
Content Gateway v7.7.3, v7.7.4, and beyond must work with Data Security v7.7.3.
The order of installation does not matter. Websense Data Security may be installed before or after Content Gateway.
Any v7.7.x version of Content Gateway can be used via the ICAP interface. See Content Gateway Manager Help for configuration instructions.
Web browsers
Content Gateway is configured and maintained with a Web-based user interface called the Content Gateway Manager. Content Gateway Manager supports the following Web browsers:
*
*
*
Hostname and DNS configuration for Content Gateway
Configure a hostname for the Content Gateway machine and also configure DNS name resolution. Complete these steps on the machine on which you will install Content Gateway.
1. hostname <hostname>
   where <hostname> is the name you are assigning this machine.
2. Update the HOSTNAME entry in the /etc/sysconfig/network file:
   HOSTNAME=<hostname>
   where <hostname> is the same as in Step 1.
3. Specify the IP address to associate with the hostname in the /etc/hosts file. This should be static and not served by DHCP. The proxy uses this IP address in features such as transparent authentication and hierarchical caching. This must be the first line in the file. Do not delete the second and third lines (the ones that begin with "127.0.0.1" and "::1", respectively).
   xxx.xxx.xxx.xxx <FQDN> <hostname>
   127.0.0.1 localhost.localdomain localhost
   ::1 localhost6.localdomain6 localhost6
   <FQDN> is the fully-qualified domain name of this machine (i.e., <hostname>.<subdomain(s)>.<top-level domain>). For example: myhost.example.com
   <hostname> is the same name specified in Step 1.
   Do not reverse the order of the FQDN and hostname.
4. Configure DNS in the /etc/resolv.conf file.
   search <subdomain1>.<top-level domain> <subdomain2>.<top-level domain> <subdomain3>.<top-level domain>
   nameserver xxx.xxx.xxx.xxx
   nameserver xxx.xxx.xxx.xxx
This example demonstrates that more than one domain can be listed on the search line. Listing several domains may have an impact on performance, because each domain is searched until a match is found. Also, this example shows a primary and secondary nameserver being specified.
5.
*
*
*
*
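The script below is an added example, not part of the Websense documentation: it checks the three files edited in Steps 2 through 4 against the rules stated there (HOSTNAME entry, first-line field order in /etc/hosts, loopback lines kept on lines 2 and 3, at least one nameserver). The function names, the ROOT argument and the sample values (myhost, 192.0.2.10, 192.0.2.53) are assumptions made for the example.

```sh
#!/bin/sh
# Added example: verify the files edited in Steps 2-4 (sample values are constructed).
check_network() {   # FILE HOSTNAME: Step 2, HOSTNAME entry must match exactly
    grep -qxF "HOSTNAME=$2" "$1" || { echo "network: HOSTNAME=$2 not found"; return 1; }
}

check_hosts() {     # FILE HOSTNAME: Step 3, layout of the first three lines
    awk -v want="$2" '
        function fail(msg) { print "hosts: " msg; bad = 1 }
        NR == 1 {   # must be: static IPv4 address, FQDN, short hostname, in that order
            if ($1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || $1 ~ /^127\./)
                fail("line 1 must start with the static, non-loopback IP address")
            if (index($2, want ".") != 1)
                fail("field 2 must be the FQDN (" want ".<domain>)")
            if ($3 != want)
                fail("field 3 must be the short hostname " want)
        }
        NR == 2 && $1 != "127.0.0.1" { fail("line 2 must be the 127.0.0.1 entry") }
        NR == 3 && $1 != "::1"       { fail("line 3 must be the ::1 entry") }
        END { if (NR < 3) fail("fewer than three lines"); exit bad + 0 }
    ' "$1"
}

check_resolv() {    # FILE: Step 4, needs a nameserver; reports long search lists
    awk '
        $1 == "nameserver" { ns++ }
        $1 == "search"     { domains = NF - 1 }
        END { if (domains > 1) print "resolv: note, " domains " search domains are tried in turn"
              if (ns < 1) { print "resolv: no nameserver line"; exit 1 } }
    ' "$1"
}

check_all() {       # ROOT HOSTNAME: run all checks below ROOT ("" = live system)
    rc=0
    check_network "$1/etc/sysconfig/network" "$2" || rc=1
    check_hosts   "$1/etc/hosts" "$2"             || rc=1
    check_resolv  "$1/etc/resolv.conf"            || rc=1
    return "$rc"
}

make_sample() {     # DIR: write a constructed, valid set of files for a dry run
    mkdir -p "$1/etc/sysconfig"
    echo "HOSTNAME=myhost" > "$1/etc/sysconfig/network"
    printf '%s\n' "192.0.2.10 myhost.example.com myhost" "127.0.0.1 localhost.localdomain localhost" \
        "::1 localhost6.localdomain6 localhost6" > "$1/etc/hosts"
    printf '%s\n' "search example.com" "nameserver 192.0.2.53" > "$1/etc/resolv.conf"
}

if [ "$#" -eq 2 ]; then check_all "$1" "$2"; fi
```

Saved under a name of your choice, the script takes a root directory and the hostname as arguments; pass an empty string as the root to check the live files, or a directory holding copies to check them before they go live.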
Preparing a cache disk for use by Websense Content Gateway
For Websense Content Gateway to operate as a caching proxy, it must have access to at least one raw disk. Otherwise, Content Gateway can function as a proxy only.
To create a raw disk for the proxy cache when all disks have a mounted file system:
1. df -k
2.
3.
4. umount <file_system>
   where <file_system> is the file system you want to unmount.
When the Content Gateway installer prompts you for a cache disk, select the raw disk you created.
Preparing for a clustered deployment of Websense Content Gateway
If you plan to deploy multiple, clustered instances of Websense Content Gateway (Content Gateway):
*
*
Note 
where <interface_name> is the name of the interface used for cluster communication. For example:

Copyright 2016 Forcepoint LLC. All rights reserved.