Deploying Websense endpoints
Deployment and Installation Center | Web and Data Security Solutions | Version 7.7.x
 
There are different methods for configuring and packaging endpoint client software depending on which endpoint client or combination of clients you are using:
* When the Windows version of Web Endpoint is installed by itself on client machines, use the endpoint package provided on the Settings > Hybrid Configuration > Hybrid User Identification page in TRITON - Web Security.
* See the TRITON - Web Security Help for more information about downloading and deploying Web Endpoint.
* The combined installation package (a single executable file) is used to deploy both endpoint clients to user machines.
* The Endpoint Package Builder is a Windows utility that can be used to create 32- and 64-bit Windows packages for Remote Filtering Client, Web Endpoint, and Data Endpoint. It can also be used to create Linux packages for Data Endpoint and Mac OS X packages for Web Endpoint.
* The package builder can be found in the following directories:
  * C:\Program Files or Program Files (x86)\Websense\Web Security\DTFAgent\RemoteFilteringAgentPack\
  * C:\Program Files or Program Files (x86)\Websense\Data Security\client\
Creating installation packages
 
1.
   * On any Windows server that includes Web Security components, navigate to C:\Program Files or Program Files (x86)\Websense\Web Security\DTFAgent\RemoteFilteringAgentPack and double-click WECfg.exe.
     If you don't want to run the package builder on the server machine, copy the executable to another Windows machine (server or workstation) and run the executable there.
   * On the Data Security Management Server machine, navigate to Start > All Programs > Websense > Data Security > Endpoint Package Builder.
   The Websense Endpoint Package Builder utility extracts required files and launches.
2. On the Select Components screen, select one or more endpoint clients to configure. You can create packages for both Websense Data Endpoint and one Web Security endpoint client, but you cannot select both Remote Filtering Client and Web Endpoint at the same time.
   Also select a language for the client components.
   In the TRITON Console, you can change the language used for displaying messages to Data Endpoint users, but the language displayed in the user interface (buttons, captions, fields, etc.) can only be set during packaging.
   Click Next when you're done.
3. On the Installation Platform and Security screen, select the operating system or systems for which you want to create an installation package, create the administrator password that will be used to uninstall or modify endpoint client software, and configure anti-tampering settings. When you are finished, click Next.
   * For Web Endpoint and Data Endpoint, once the endpoint client contacts the server, this password is overwritten with the password specified by a TRITON administrator.
   * Web Endpoint: Go to Settings > Hybrid Configuration > Hybrid User Identification, then enter and confirm an anti-tampering password.
   If no password is specified, every user is able to uninstall the endpoint software from their computer.
   Click Show characters to display the password characters while you type.
   * Click Protect installation directory from modification or deletion if you do not want users to be able to perform these functions.
4. On the Installation Path screen, specify the directory to use for installing endpoint software on each endpoint device. The directory path must contain only English characters.
   Note that this screen does not appear if you are creating only a Mac OS X endpoint package. On Mac OS X machines, the endpoint is installed in the /Applications directory.
   * Use default location: The endpoint software is installed in a default directory: \Program Files\Websense\Websense Endpoint (Windows) or /opt/websense/LinuxEndpoint (Linux).
   * Use this location: Manually specify the installation path for the endpoint software. Environment variables are supported.
5. Click Next. The screens that appear next depend on the endpoint clients you chose. See:
   * Websense Data Endpoint
   * Websense Web Endpoint
   * Remote Filtering Client
Websense Data Endpoint
1. IP address or hostname: Provide the IP address or host name of the Data Security server that endpoint machines should use to retrieve initial profile and policy information. (Once configured, endpoints retrieve policy and profile updates from the endpoint server defined in their profiles.)
   Receive automatic updates for Data Endpoint machines: When new versions of Data Endpoint are released, you may upgrade the software on each endpoint (this can be done via GPO or SMS), or you can configure automatic updates on this screen.
   To automate endpoint software updates:
   a. Prepare a server with the latest updates on it (see "Automatic Updates for Websense data endpoints" for details).
   b. Select Receive automatic updates for Data Endpoint machines.
c.
d.
2. Click Next and the Client Settings screen appears:
   Complete the fields as follows:
   * Interactive: A user interface is displayed on all endpoint machines. Users know when files have been contained and have the option to save them to an authorized location.
   * Stealth: The Websense Data Endpoint user interface is not displayed to the user.
   * Full: Installs the endpoint with full policy monitoring and blocking capabilities upon a policy breach. All incidents are reported in the TRITON Console.
     Endpoints that are installed in Full Mode require a reboot.
   * Discovery Only: Configures the endpoint to run discovery analysis but not DLP. Discovery Only installation does not require a reboot.
3. Click Next. If you chose no other endpoints, skip to Global settings for instructions. Otherwise, move to Websense Web Endpoint or Remote Filtering Client.
Websense Web Endpoint
1. If you chose Websense Web Endpoint, use the Proxy Settings screen to specify the URL of the hybrid PAC file.
   The PAC file defines how Web browsers choose an appropriate proxy for fetching a given URL. The standard proxy PAC file URL for hybrid filtering is:
   http://pac.hybrid-web.global.blackspider.com:8082/proxy.pac
2. Click Next to continue to the Save Installation Package screen. See Global settings for configuration instructions.
Remote Filtering Client
1. If you chose Remote Filtering Client, use the Internal Connections screen to list internal connection details for each Remote Filtering Server instance to which the clients will attempt to connect. When you are finished, click Next.
   * IP address or hostname: Internal IP address or FQDN for the Remote Filtering Server machine.
   * Port: Internal communication port on the Remote Filtering Server that can be accessed only from inside the network firewall. This must be the same port entered in the Internal Communication Port field when this Remote Filtering Server was installed.
   Because some machines, like laptops, may travel in and out of your organization's network, Remote Filtering Client uses this internal connection information to determine whether it is within or outside the network. This ensures that the machine is not double filtered (by both internal Web Security components and remote filtering software).
2. On the External Connections screen, provide external connection details for each Remote Filtering Server that may handle requests for Remote Filtering Client instances. When you are finished, click Next.
   * IP address or hostname: Externally visible IP address or fully qualified domain name (FQDN) of the primary Remote Filtering Server machine.
   * Port: Externally accessible port used to communicate with the primary Remote Filtering Server. This must match the external port number entered when installing the primary Remote Filtering Server.
   * Clear the Log user Internet activity check box to avoid recording Internet request data for machines running Remote Filtering Client. By default, Internet activity handled by Remote Filtering Client is logged for use in Web Security reporting tools.
   This is the information that Remote Filtering Client uses to pass Internet requests to Remote Filtering Server when the client machine (endpoint device) is outside the network.
3. On the Trusted Sites screen, enter any URLs or domains that should be always permitted by Remote Filtering Client. Requests for these URLs or domains are not forwarded to Remote Filtering Server, and are not logged (do not appear in reports). When you are finished, click Next.
   * To define a trusted site, click Add, then enter a URL or a regular expression. Any regular expression adhering to ISO/IEC TR 19768 (within the character-number limit) is valid. When you are finished, click OK.
4. Use the Client Settings screen to configure blocking behavior, the pass phrase used to encrypt communication with Remote Filtering Server, and the display language for client components. When you are finished, click Next.
   * Select Notify users when HTTPS or FTP traffic is blocked to display a pop-up message on client machines for blocked HTTPS or FTP traffic. If you enable this option, also specify how long the pop-up message remains visible to the user.
   * Enter and confirm the Pass phrase used to encrypt communication with Remote Filtering Server. This must be the same pass phrase that you created during Remote Filtering Server installation.
5. When you click Next, the Save Installation Package screen appears. See Global settings for instructions on configuring this screen.
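Because requests that match a trusted site are neither forwarded to Remote Filtering Server nor logged, each entry from step 3 is worth checking against URLs it must not cover before it goes into a package. The following is an added example, not Websense code; it uses .NET regular expressions as a stand-in for the client's engine and assumes a pattern may match anywhere in the URL, and the host names are constructed placeholders.

```powershell
# Added example, not Websense code. .NET regex syntax and unanchored (substring)
# matching are assumptions; confirm how Remote Filtering Client applies a pattern.
function Test-TrustedSitePattern {
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,
        [string[]]$MustTrust = @(),      # URLs the entry is meant to cover
        [string[]]$MustNotTrust = @()    # URLs that must stay filtered and logged
    )
    $opts = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    try {
        $rx = New-Object System.Text.RegularExpressions.Regex -ArgumentList $Pattern, $opts -ErrorAction Stop
    }
    catch { throw "Pattern does not compile: $Pattern" }

    $missed = @($MustTrust | Where-Object { -not $rx.IsMatch($_) })
    $over   = @($MustNotTrust | Where-Object { $rx.IsMatch($_) })
    New-Object psobject -Property @{
        Pattern     = $Pattern
        Missed      = $missed       # intended URLs the entry fails to cover
        OverMatched = $over         # URLs that would bypass filtering and logging
        Acceptable  = ($missed.Count -eq 0 -and $over.Count -eq 0)
    }
}

# Constructed sample data (example.com and .test names are placeholders).
$wanted   = @('https://intranet.example.com/wiki', 'http://intranet.example.com')
$unwanted = @('http://intranet.example.com.other.test/',
              'http://other.test/?next=intranet.example.com')

# Loose entry: matches anywhere in the URL, so both unwanted URLs would be trusted.
Test-TrustedSitePattern -Pattern 'intranet\.example\.com' -MustTrust $wanted -MustNotTrust $unwanted

# Anchored entry: scheme and host pinned, host must end at "/" or end of string.
Test-TrustedSitePattern -Pattern '^https?://intranet\.example\.com(/|$)' -MustTrust $wanted -MustNotTrust $unwanted
```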
Global settings
1. When you're done configuring your endpoint selections, use the Save Installation Package screen to enter a directory path to use for storing the installation package before it is deployed to client machines.
   Either manually enter a path or click Browse to find the location.
2. Click Finish.
   You'll see a system message if the package is created successfully. If the creation of the package fails, you'll see an error message. If this happens, contact Websense Technical Support for assistance.
3. Once the packaging tool has finished, the packages are created in the designated path. Refer to Deployment options for instructions on distributing the package to the endpoint devices.
Deployment options
 
There are a few ways to distribute the endpoint software:
* See Deploying endpoint clients manually.
* See Creating and distributing Websense endpoints using SCCM or SMS for details.
* The GPO command for deploying Web Endpoint is displayed on the Settings > Hybrid Configuration > Hybrid User Identification page in TRITON - Web Security. Note that the command includes a WSCONTEXT parameter that is required to ensure that your organization's policies are applied to user requests.
  See Manually deploying Web Endpoint for Windows in the TRITON - Web Security Help for details.
* See Installing Mac endpoints with Remote Desktop for details.
You can also enable Web Endpoint and Data Endpoint automatic updates to ensure that endpoint client software is kept current after the initial deployment. See:
* Enabling automatic updates for Data Endpoint
* Enabling automatic updates for Web Endpoint
To confirm that Web Endpoint or Data Endpoint is installed and running on a machine:
* For Web Endpoint, go to Start > Control Panel > Administrative Tools > Services. Check that Websense SaaS Service is present in the Services list, and is started.
For information on endpoint software system requirements, see Endpoint solution system requirements.
If you plan to deploy multiple endpoint solutions (data and Web) on the same machine, see Multiple agent limitations before proceeding.
Deploying endpoint clients manually
Windows
Windows packages contain a single executable file: WebsenseEndpoint_32bit.exe or WebsenseEndpoint_64bit.exe.
First copy this self-extracting executable file to the client machine, then:
WebsenseEndpoint_64bit.exe /v"WSCONTEXT=<token>"
Here, <token> is the WSCONTEXT value displayed in the GPO command string on the Settings > Hybrid Configuration > Hybrid User Identification page in TRITON - Web Security.
All arguments passed via the /v parameter must be enclosed in straight quotes, as shown in the example.
If you are upgrading an existing endpoint client on the Windows machine, and the old client has an anti-tampering password, you must provide the old password when you run the new installation package. For example:
WebsenseEndpoint_32bit.exe /v"XPSWD=<password>"
Here, "<password>" is the anti-tampering password used by the previous-version endpoint client. All arguments passed via the /v parameter must be enclosed in straight quotes, as shown in the example.
Note that if you are upgrading Web Endpoint and Data Endpoint together, you must provide both the XPSWD and WSCONTEXT arguments. For example:
WebsenseEndpoint_64bit.exe /v"XPSWD=<password> WSCONTEXT=<token>"
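The manual Windows installation above, combined with the service check from "Deployment options", can be scripted so that the old anti-tampering password is prompted for instead of being stored in a file. This is an added example, not Websense code; the function names and the package directory are hypothetical, and it assumes the installer bitness follows the operating system.

```powershell
# Added example, not Websense code. Assumes the package was copied to $PackageDir and
# that installer bitness follows the OS. The password ends up on the installer's
# command line, so process-creation auditing that records command lines will capture it.
function Get-EndpointInstallerArgs {
    param(
        [string]$WsContext,                          # WSCONTEXT token from the GPO command string
        [System.Security.SecureString]$OldPassword   # anti-tampering password of the old client
    )
    $pairs = @()
    if ($OldPassword) {
        $cred = New-Object System.Management.Automation.PSCredential('unused', $OldPassword)
        $pairs += 'XPSWD=' + $cred.GetNetworkCredential().Password
    }
    if ($WsContext) { $pairs += "WSCONTEXT=$WsContext" }
    foreach ($p in $pairs) {
        # This wrapper's own precaution: a quote or space would break the /v"..." quoting.
        if ($p -match '["\s]') { throw 'Value contains a quote or space; run the installer by hand.' }
    }
    if ($pairs.Count -eq 0) { return '' }
    '/v"{0}"' -f ($pairs -join ' ')     # all /v arguments inside one pair of straight quotes
}

function Install-WebsenseEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$PackageDir,
        [string]$WsContext,
        [System.Security.SecureString]$OldPassword
    )
    $exe = 'WebsenseEndpoint_32bit.exe'
    if ([Environment]::Is64BitOperatingSystem) { $exe = 'WebsenseEndpoint_64bit.exe' }
    $start = @{ FilePath = (Join-Path $PackageDir $exe); Wait = $true; PassThru = $true }
    $argLine = Get-EndpointInstallerArgs -WsContext $WsContext -OldPassword $OldPassword
    if ($argLine) { $start['ArgumentList'] = $argLine }
    $proc = Start-Process @start

    # Web Endpoint check from "Deployment options": the service is present and started.
    $svc = Get-Service -DisplayName 'Websense SaaS Service' -ErrorAction SilentlyContinue
    New-Object psobject -Property @{
        ExitCode       = $proc.ExitCode
        ServicePresent = [bool]$svc
        ServiceRunning = ($svc -and $svc.Status -eq 'Running')
    }
}

# Usage (placeholders): prompt for the old password instead of storing it in the script.
# $old = Read-Host 'Old anti-tampering password' -AsSecureString
# Install-WebsenseEndpoint -PackageDir 'C:\Temp\pkg' -WsContext '<token>' -OldPassword $old
```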
Linux
Linux packages (Data Endpoint only) contain 2 installers with the same functionality:
* LinuxEndpoint_SFX_installer_el4 - use with Red Hat Enterprise Linux version 4.x.
* LinuxEndpoint_SFX_installer_el5 - use with Red Hat Enterprise Linux version 5.x.
To install Data Endpoint software on a Linux computer, copy the correct installer to the machine and run it as root. No reboot is necessary. The endpoint software starts automatically.
Enabling automatic updates for Data Endpoint
To deploy Data Endpoint updates automatically, you must create an update server that hosts endpoint installation packages. See "Automatic Updates for Websense data endpoints" for details.
You must also select Receive automatic updates for data endpoints on the Websense Endpoint Package Builder "Server Connections" screen. On this same screen, specify the URL of the server you created and indicate how often you want endpoint machines to check for updates (every 2 hours by default).
When configured properly, your update server pushes software updates out to endpoint machines and installs the packages in the background silently.
 
Enabling automatic updates for Web Endpoint
Once you have deployed your endpoint package to end users, Web Endpoint can be updated for some or all of your hybrid filtering users directly from the hybrid service. If you use the Data Endpoint auto-update feature for endpoints with both data and Web capabilities, however, endpoints receive updates from your auto-update server instead.
To enable automatic Web Endpoint updates to client machines:
1. Go to the Settings > Hybrid Configuration > Hybrid User Identification page in TRITON - Web Security.
2. Mark Enable installation and update of Web Endpoint on client machines.
   This defines whether automatic updates are deployed to the client machines that you specify. If you uncheck this option at a later date, no further automatic updates occur. However, the installed endpoint software continues to run until it is uninstalled from the client machines.
3. Mark Automatically update endpoint installations when a new version is released.
4. Click OK to cache your changes. Changes are not implemented until you click Save All.
 
Note that while a Web Endpoint update is taking place (which can take several minutes), end users are unable to browse, but are shown a Web page explaining that the update is occurring. This page continues to retry the requested Web page every 10 seconds until the endpoint software has finished updating. The request is then submitted, and either the page or a block page is displayed.

Copyright 2016 Forcepoint LLC. All rights reserved.