Upgrading Content Gateway to v7.7.x

Deployment and Installation Center | Web Security Solutions | Version 7.6.x and earlier

Applies to:

In this topic

Web Security Gateway and Web Security Gateway Anywhere
v7.6.x and earlier

System requirements

Upgrading distributed components

Versions supported for upgrade

Preparing to upgrade

Upgrading Websense Content Gateway

Post-upgrade activities

This section provides upgrade instructions for software-based Websense Content Gateway installations. Upgrading Content Gateway on a V-Series appliance is handled by the V-Series upgrade (patch) process. See Upgrading V-Series Appliances to v7.7.

Perform an upgrade by running the Content Gateway installer on a machine with a previous version of Content Gateway installed. The installer detects the presence of Content Gateway and upgrades it to the current version. See Versions supported for upgrade.


	Note Technical papers and documents mentioned in this article are available in the Websense Technical Library.

System requirements

Before upgrading Content Gateway, make sure the installation machine meets the system recommendations in System requirements for Websense Content Gateway, including hardware specifications, operating system, and browser.

Upgrading distributed components

Websense Content Gateway is the Web proxy component of Websense Web Security Gateway and Websense Web Security Gateway Anywhere. Websense Web Security components must be upgraded prior to upgrading Content Gateway. To upgrade Websense Web Security, run the Websense installer on each machine running Websense Web Security components. Distributed components must be upgraded in a particular order. See Upgrading Websense Web Security Solutions.

Versions supported for upgrade

Direct upgrade to Content Gateway version 7.7.x is supported from version 7.6.x and higher. Upgrades from versions prior to v7.6.x require intermediate upgrades:

version 7.0/7.1 > version 7.5 > version 7.6 > version 7.7

Follow the upgrade procedures documented with each intermediate version.

Important

When performing intermediate upgrades, be sure to read the Websense Content Gateway Installation Guide and its upgrade supplement for each upgrade version. They contain important information specific to upgrading between versions that may not be found in this version of the upgrade supplement.

For example, the upgrade from version 7.1 to 7.5 requires a Red Hat Enterprise Linux operating system version upgrade followed by a fresh install of v7.5.

See:

Version 7.5 Content Gateway Installation Guide

Version 7.6 Content Gateway Installation Guide

To perform an intermediate upgrade, download the installer package for the intermediate version from the Websense Downloads site.

Upgrading from version 7.6.5

Due to the timing of Content Gateway releases 7.6.5 and 7.7.0, an enhancement to the user authentication Fail Open feature that was introduced in 7.6.5 was not included in 7.7.0. The enhancement is included in version 7.7.3 and 7.7.4.

The Fail Open option is used to allow requests to proceed to Web Security when user authentication fails. For more information, see New in version 7.6.5.

On upgrade to 7.7.3 or 7.7.4, the 7.6.x Fail Open setting is retained, as expect.

The setting of the option on upgrade to 7.7.0 is:

7.6.5 "Disabled" is set to 7.7.0 "Disabled"

7.6.5 "Enabled only for critical services failures" is set to 7.7.0 "Enabled"

7.6.5 "Enabled for all authentication failures, including incorrect password" is set to 7.7.0 "Enabled"

Preparing to upgrade

Read the Release Notes for the version you are upgrading to:

7.7.0 Release Notes

7.7.3 Release Notes

7.7.4 Release Notes

Read the upgrade instructions (this document)

Upgrade TRITON Unified Security Center and TRITON - Web Security before upgrading Content Gateway. See Upgrading Websense Web Security Solutions.

If you are upgrading Red Hat Enterprise Linux version 5 to version 6, see Upgrading Red Hat Enterprise Linux during Content Gateway upgrade.

Configuration settings not preserved

The following configuration settings are not preserved and must be reconfigured post-upgrade:

Integrated Windows Authentication (IWA) Settings.


	Note Make a record of current IWA Settings prior to upgrade to be restored during Post-upgrade activities. For more information, see Integrated Windows Authentication in Content Gateway Manager Help.

New features to configure after upgrade

You may want to configure the following new and enhanced features post-upgrade.

With Multiple Realm Authentication rules, the User-Agent and Cookie Mode caching options.

For more information, see 7.7.3 Release Notes.

Support for IPv6. To enable, go to Configure > My Proxy > Basic > General.

For more information, see 7.7.0 Release Notes.

Upgrading Websense Content Gateway

Complete these steps to upgrade Content Gateway on a server in a software-based deployment.

If you plan to upgrade from Red Hat Enterprise Linux 5 to Red Hat Enterprise Linux 6, see Upgrading Red Hat Enterprise Linux during Content Gateway upgrade.

If you plan to remain on Red Hat Enterprise Linux 5, see Upgrading from Content Gateway v7.6.x to v7.7.x.


	Important Upgrade TRITON Unified Security Center and TRITON - Web Security to v7.7 prior to upgrading the operating system or Content Gateway. See Upgrading Websense Web Security Solutions.

Upgrading Red Hat Enterprise Linux during Content Gateway upgrade

Version 7.7.0 runs on Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.0, 6.1, and 6.2, 64-bit, Basic Server. Version 7.7.3 and later support update 6.3, 64-bit, Basic Server.

Upgrading from a 32-bit to 64-bit operating system creates a change in system architecture that requires a specific upgrade sequence to maintain Content Gateway configuration settings.

Use the following sequence to upgrade Content Gateway 7.6.x on Red Hat Enterprise Linux 5 32-bit, to Content Gateway v7.7.x on Red Hat Enterprise Linux 6 64-bit:

Upgrade to Content Gateway 7.7.x. See Upgrading from Content Gateway v7.6.x to v7.7.x.

Using a special backup utility, create a backup of Content Gateway v7.7.x and save it in a trusted location on the network:

cd ~/WCG/Current/

./wcg_config_utililty.sh create WCGbackup

This creates a backup, WCGbackup.tar.gz, in the current directory.

Copy WCGbackup.tar.gz to a reliable location on the network where it can easily be retrieved after the operating system upgrade.

If you are upgrading Red Hat Enterprise Linux on this machine, uninstall Content Gateway. See Uninstalling Content Gateway. Continue with Step 7.

If you want to keep the current machine as a fallback option, power down the computer and disconnect it from the network. Install Red Hat Enterprise Linux on another machine and continue with Step 7.


	Note If you want to revert to the original machine, reconnect it to the network and power up. Content Gateway 7.7.x will re-register with TRITON – Web Security. If you want to repurpose the machine, do not reconnect it to the network until after you have uninstalled Content Gateway and assigned the machine a new IP address and hostname.

Using the same hostname, ethernet interface, and IP address used with Red Hat Enterprise Linux 5, install Red Hat Enterprise Linux 6. Updates 6.0, 6.1, and 6.2 are supported with 7.7.0. Content Gateway 7.7.3 and later support update 6.3.

Note

Content Gateway is designed to run on Red Hat Enterprise Linux, Basic Server package. This is the default installation configuration and must be confirmed.

For more information on installing Red Hat Enterprise Linux 6, see:

Red Hat Enterprise Linux 6 Installation Guide

Required libraries in Red Hat Enterprise Linux 6

Install Content Gateway. See Installing Websense Content Gateway.

Copy WCGbackup.tar.gz, that was saved in step 4, to:

~/WCG/Current/

10.

Restore the configuration archive. As root:

cd ~/WCG/Current/

./wcg_config_utility.sh restore WCGbackup.tar.gz

Upgrading from Content Gateway v7.6.x to v7.7.x

This section describes how to upgrade Content Gateway version 7.6.x to v7.7.x on your Red Hat Enterprise Linux 5 installation.


	Note If you are upgrading to Red Hat Enterprise Linux 6, see Upgrading Red Hat Enterprise Linux during Content Gateway upgrade.

Upgrading Content Gateway on a V-Series appliance is handled by the V-Series upgrade (patch) process. See Upgrading V-Series Appliances to v7.7.

Before you begin, be sure to read Preparing to install Websense Content Gateway.


	Warning Before you begin, ensure that /tmp has enough free space to hold the existing Content Gateway log files. During the upgrade procedure, the installer temporarily copies log files located in /opt/WCG/logs to /tmp. If the /tmp partition does not have enough available space and becomes full, the upgrade will fail. If you determine that /tmp does not have enough space, manually move the contents of /opt/WCG/logs to a partition that has enough space and then delete the log files in /opt/WCG/logs. Run the installer to perform the upgrade. When the upgrade is complete, move the log files from the temporary location back to /opt/WCG/logs and delete the files in the temporary location. For step-by-step instructions, see the Knowledge Base article titled Upgrading can fail if the /tmp partition becomes full. Note: /opt/WCG is the version 7.6 installation location.

Acquire root permissions:

su root

If you are upgrading from versions 7.6.0 only:

If configured, disable clustering and leave disabled until all members of the cluster are upgraded.

If configured, disable Virtual IP failover and leave it disabled until all members of the cluster are upgraded and re-enabled.

Disable any currently running firewall on this machine for the duration of the Content Gateway upgrade. Bring the firewall back up after upgrade is complete, opening ports used by Content Gateway.

For example, if you are running IPTables:

At a command prompt, enter service iptables status to determine if the firewall is running.

If the firewall is running, enter service iptables stop.

After upgrade, restart the firewall. In the firewall, be sure to open the ports used by Content Gateway on this machine. See Websense TRITON Enterprise default ports for more information.

Download the Content Gateway version 7.7.x installer from mywebsense.com and save it to a temporary directory. For example:

mkdir wcg_v77

mv <installer tar archive> wcg_v77

Unpack the Content Gateway installer tar archive:

cd wcg_v77

tar -xvzf <installer tar archive>


	Important If SELinux is enabled, set it to permissive, or disable it before installing Content Gateway. Do not install or run Content Gateway with SELinux enabled.

In the directory where you unpacked the tar archive, start the installation/upgrade script.

./wcg_install.sh

Respond to the prompts.

Content Gateway is installed and runs as root.


	Note Up to the point that you are prompted to confirm your intent to upgrade, you can quit the installer by pressing CTRL+C. If you change your mind after you choose to continue, do not use CTRL+C to stop the process. Instead, allow the installation to complete and then uninstall it.

If your system does not meet the minimum recommended requirements, you receive a warning. For example:

Warning: Websense Content Gateway requires at least 2 gigabytes of RAM.

Do you wish to continue [y/n]?

Enter n to quit the installer, and return to the system prompt.

Enter y to continue the upgrade. If you choose to run Content Gateway after receiving this warning, performance may be affected.

Read the subscription agreement. At the following prompt, enter y to accept the agreement and continue the upgrade, or n to cancel.

Do you accept the above agreement [y/n]? y

When asked, choose to replace the existing version of Content Gateway with the 7.7.x version.

WCG version 7.6.n-nnnn was found.

Do you want to replace it with version 7.7.x-nnnn [y/n]? y

10.

Existing settings and logs are copied to backup files and stored. For example:

Stopping Websense Content Gateway processes...done

Copying settings from /opt/WCG to /root/WCG/OldVersions/7.6.0-1143-20110322-131541/...done

Copying SSL Manager settings to /root/WCG/OldVersions/7.6.0-1143-20110322-131541/...done

Moving log files from /opt/WCG/logs to /tmp/wcg_tmp/logs/...done

11.

You can either re-use the installation selections you entered during the last install, or provide new answers to all installation prompts:

Previous install configuration </root/WCG/Current/WCGinstall.cfg> found.

Use current installation selections [y/n]?

Enter y to use previous installation selections.

Enter n to revert to Websense default values, and receive all installation questions and answer them again.

12.

If you answered y at Step 11, then you can also leave proxy settings at their current values or revert to Websense default values.

Restore settings after install [y/n]?

Enter y to keep the proxy settings as they are.

Enter n to restore Websense default settings for the proxy.

13.

If you answered n at Step 11, the current version of Websense Content Gateway is removed, and a fresh install of 7.7.x begins. See Installing Websense Content Gateway for a detailed description of the installation procedure.

14.

The previously installed version of Websense Content Gateway is removed, and the settings and selections you chose to retain are re-used. Wait.

*COMPLETED* Websense Content Gateway 7.7.0-1200 installation.

A log file of this installation process has been written to
/root/WCG/Current/WCGinstall.log

For full operating information, see the Websense Content Gateway Help system.

Follow these steps to start the Websense Content Gateway management interface (Content Gateway Manager):

------------------------------------------------------------

1. Start a browser.

2. Enter the IP address of the Websense Content Gateway server, followed by a colon and the management interface port (8081 for this installation). For example: https://11.222.33.44:8081.

3. Log on using username admin and the password you chose earlier.

A copy of the CA public key used by the Manager is located in /root/WCG/.

15.

The upgrade is now complete, and the proxy software is running.

If you chose to revert to Websense default proxy settings, be sure to configure any custom options.

16.

Check Content Gateway status with:

/opt/WCG/WCGAdmin status

All services should be running. These include:

Content Cop

Websense Content Gateway

Content Gateway Manager

Analytics Server


	Important If Content Gateway fails to complete startup after upgrade, check for the presence of the no_cop file. Look for: /opt/WCG/config/internal/no_cop If the file exists, remove it and start Content Gateway: /opt/WCG/WCGAdmin start

17.

Refresh the browser cache when logging in to Content Gateway Manager for the first time after upgrade by pressing Shift+F5. The Content Gateway Manager user interface has an updated look and feel for version 7.7 and the old .css files may need to be flushed from your browser cache.

18.

Perform the post-installation steps described in Post-upgrade activities and in Initial Configuration for All Websense Modules.

Post-upgrade activities

In version 7.7.x, when using Content Gateway with TRITON - Web Security, it is not necessary to enter a subscription key. The key is automatically fetched from TRITON - Web Security.

If at the start of the upgrade process you manually moved your existing log files to a temporary location, move them back to /opt/WCG/logs and delete the files in the temporary location.

Register Content Gateway nodes in TRITON - Web Security on the Settings > Content Gateway Access page. Registered nodes add a link to the Content Gateway Manager logon portal and provide a visual system health indicator, a green check mark or a red X icon.

Configure Content Gateway system alerts in TRITON - Web Security. Select Content Gateway system alerts are now sent to TRITON - Web Security (in addition to Content Gateway Manager). To configure which alerts are sent, in TRITON - Web Security go to the Settings > Alerts > System page.

If you were using Integrated Windows Authentication (IWA), re-enable it and join Content Gateway to the Windows Domain. Configure IWA using the settings you recorded prior to upgrade. See Configuring Integrated Windows Authentication in Content Gateway Manager Help.

If you upgraded from version 7.6.0 and disabled clustering at the start of the upgrade process, re-enable clustering after all members of the cluster are upgraded and restart Content Gateway (restarting any node causes all nodes to restart).

If you upgraded from version 7.6.0 and disabled Virtual IP failover at the start of the upgrade process, re-enable Virtual IP failover after all members of the cluster are upgraded and clustering has been re-enabled.

If Web Security Gateway Anywhere and Data Security are deployed together and upgraded to version 7.7, you must remove stale entries of Content Gateway instances registered in Data Security system modules. From the TRITON Console, go to Data Security > Settings > Deployment > System Modules and delete instances that display an old version number.

If Web Security Gateway Anywhere and Data Security are deployed together and configured to use the on-box policy engine, and then reconfigured during upgrade or later to use the ICAP interface, the Content Gateway instance must be deleted from the list of Data Security system modules or the deployment will fail. Go to the Data Security > Settings > Deployment > System Modules page, click on the affected Content Gateway instance to open its Details page, click Delete and then Deploy.

Complete support for GRE Return Method with WCCP is added in version 7.7.

If WCCP with GRE is already configured, the existing configuration continues to function as it did in v7.6.x. Note that Content Gateway Manager will produce an alarm suggesting that you update your configuration. Updating the configuration migrates the configuration to the new GRE support infrastructure. You do not have to change your configuration unless you want to add the GRE Return Method.


	Important If you are using WCCP with Cisco ASA, after the upgrade your configuration continues to perform as it did with v7.6.x. There is no need to change your configuration after upgrade. In version 7.7.0, should you need to reconfigure Content Gateway to work with your ASA device, set the Forward and Return Method to L2. This forces Content Gateway to negotiate the correct supported method. In version 7.7.3 and beyond, should you need to reconfigure Content Gateway to work with your ASA device, access the Service group settings and select ASA Firewall from the Special Device Profile drop down box instead of individually selecting the GRE forward and return methods. This automatically selects the Packet Forward Method and Packet Return Method and sets some proxy internals.

10.

If you use SSL Manager to process HTTPS traffic, the Root CA should be imported into all affected clients.

In v7.7 (and beginning with v7.6.5), the Content Gateway default Root CA presented to clients is signed with SHA-1. In prior versions, the Root CA was signed with MD5.

It is strongly recommended that all instances of Content Gateway use the same Root CA, and that for best security the signature algorithm be SHA-1.


	Note Client connections may fail (depending on specific browser behavior) if the client sees a certificate generated by an unknown Root CA.

The best practice is to replace the Websense default Root CA with your organization's Root CA signed by SHA-1 or stronger. See Internal Root CA in Content Gateway Help.