In addition, to support transparent proxy deployments:
At the beginning of the upgrade procedure, the installer checks to see if the partition that hosts /opt has enough space to hold a copy of the existing Content Gateway log files (copied to /opt/WCG_tmp/logs). If there's not enough space, the installer prints an error message and quits.
In this situation, if you want to retain the log files you must copy the contents of /opt/WCG/logs to a location that has enough space, and then delete the log files in /opt/WCG/logs.
When the upgrade is complete, move the files from the temporary location back to /opt/WCG/logs and delete the files in the temporary location.
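The space check and the manual log move described above, as a shell example added here (it is not Forcepoint's installer code). The paths /opt and /opt/WCG/logs come from this page; the function names and the staging directory are assumptions.

```shell
#!/bin/sh
# Added example, not Forcepoint installer code. /opt and /opt/WCG/logs come from
# the page; function names and the staging directory are assumptions.
LOGS=/opt/WCG/logs
STAGE=${STAGE:-/var/tmp/wcg_logs_stash}   # assumed location on a roomier partition

dir_kb()      { du -sk "$1" | awk '{print $1}'; }         # tree size in KB
free_kb()     { df -Pk "$1" | awk 'NR==2 {print $4}'; }   # free KB on the hosting filesystem
count_files() { find "$1" -type f | wc -l | tr -d ' '; }

# Succeeds when a copy of <logs_dir> fits on the partition hosting <path>.
logs_fit() {
    [ "$(dir_kb "$1")" -lt "$(free_kb "$2")" ]
}

# Copy <logs_dir> to <staging_dir>, verify the copy, then delete the original log files.
stash_logs() {
    src=$1; dst=$2
    logs_fit "$src" "$(dirname "$dst")" || { echo "no room for $dst" >&2; return 1; }
    mkdir -p "$dst" && cp -pR "$src"/. "$dst"/ || return 1
    # Refuse to delete anything unless every file arrived in the staging copy.
    [ "$(count_files "$src")" -eq "$(count_files "$dst")" ] || return 1
    find "$src" -type f -exec rm -f {} +
}

# After the upgrade: put the files back and remove the staging copy.
restore_logs() {
    src=$1; dst=$2
    cp -pR "$dst"/. "$src"/ || return 1
    rm -rf "${dst:?}"
}

case "${1:-}" in
    check)   logs_fit "$LOGS" /opt && echo "installer copy will fit" \
                 || echo "not enough space on /opt: run '$0 stash' first" ;;
    stash)   stash_logs "$LOGS" "$STAGE" ;;
    restore) restore_logs "$LOGS" "$STAGE" ;;
esac
```

Run it with check before starting the installer, stash if the check fails, and restore once the upgrade has completed.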
If you have multiple Content Gateway instances deployed in a cluster, you do not have to disable clustering or VIP (if used). As each member of the cluster is upgraded it will rejoin the cluster.
b. Navigate to the Configure > My Proxy > Basic page.
c. Disable Web DLP.
d. Return to the Configure > My Proxy > Basic page.
e. Enable the new Web DLP option.
g. Navigate to the Configure > Security > Web DLP page and confirm that automatic registration was successful. If it was not, confirm that the Data module of management console is running as expected.
a. At a command prompt, enter service iptables status to determine if the firewall is running.
b. If the firewall is running, enter service iptables stop.
c.
4. Use the Downloads tab of the My Account page at forcepoint.com to download the Content Gateway version 8.5.x installer, and save it to a temporary directory. For example, place it in:
Up to the point that you are prompted to confirm your intent to upgrade, you can quit the installer by pressing CTRL+C. If you change your mind after you choose to continue, do not use CTRL+C to stop the process. Instead, allow the installation to complete and then uninstall.
9. Read the subscription agreement. At the prompt, enter y to accept the agreement and continue the upgrade, or n to cancel.
13. If you answered y at Step 11, then you can also leave proxy settings at their current values or revert to default values (which performs a fresh install!).
If Content Gateway fails to complete startup after upgrade, check for the presence of the no_cop file. Look for:
1. If at the start of the upgrade process you manually moved your existing log files to a temporary location, move them back to /opt/WCG/logs and delete the files in the temporary location.
2. Register Content Gateway nodes in Forcepoint Security Manager on the Web > Settings > Content Gateway Access page.
3. Configure Content Gateway system alerts on the Settings > Alerts > System page in the Security Manager.
a.
5. If you use proxy user authentication, review the settings on the Global Authentication Options page (Configure > Security > Access Control > Global Configuration Options).
6. If you use IWA user authentication, confirm that the AD domain is still joined. Go to Monitor > Security > Integrated Windows Authentication. If it is not joined, rejoin the domain. Go to Configure > Security > Access Control > Integrated Windows Authentication.
7. If you use Rule-Based Authentication, review your configuration. Go to Configure > Security > Access Control.
a. Check the Domains page.
Go to the Authentication Rules page and enter the editor.
Check that the expected domain is in the Auth Sequence list.
Go to Configure > My Proxy > Basic, ensure that Web DLP: Integrated on-box is enabled, and click Apply.
Next to Integrated on-box, click the Not registered link. This opens the Configure > Security > Web DLP registration screen.
Click Register. If registration is successful, a message confirms the result and prompts you to restart Content Gateway. If registration fails, an error message indicates the cause of failure. Correct the problem and perform the registration process again.
b.
d. Click Deploy.
10. If web and data protection products were deployed together and configured to use the on-box policy engine, and then reconfigured during upgrade or later to use the ICAP interface, the Content Gateway instance may need to be deleted from the list of Forcepoint DLP system modules or the deployment will fail. Go to the Data > Settings > Deployment > System Modules page, click on the affected Content Gateway instance to open its Details page, click Delete and then Deploy.
Send authentication to parent proxy, configured on the Configure > My Proxy > Basic > General page
X-Forwarded-For, enabled on the Configure > Protocols > HTTP > Privacy page
14. The Tunnel Skype option on the Configure > Protocols > HTTPS page of Content Gateway Manager was removed in v8.3. Variables stored in the records.config file that apply to Skype are removed during upgrades from v8.1 and v8.2.
15. The settings on the Configure > Networking > Connection Management > Low Memory Mode page of Content Gateway Manager were removed in v8.3. Corresponding variables stored in the records.config file are removed by upgrades from v8.1 and v8.2.
16. If LOW encryption cipher suites was previously selected on the Configure > SSL > Decryption/Encryption > Inbound or Outbound pages of Content Gateway Manager, upgrades from v8.1 or v8.2 will change the setting to MEDIUM. LOW is no longer a valid option on those pages.
17. During upgrades from v8.1 or v8.2, the Enable the certificate verification engine option on the Configure > SSL > Validation > General page of Content Gateway Manager will be changed to ON for any customer who does not already have the feature enabled.
The Network Address Translation (NAT) section of the Configure > Networking > ARM > General page has been renamed to Redirection Rules to better reflect the contents of the table.
Be inserted after Forcepoint rules.
22. For customers who have purchased the v8.5 Protected Cloud Apps feature, the setting for Parent Proxy on the Configure > Content Routing > Hierarchies page of Content Gateway Manager will be enabled. If you previously enabled and configured Parent Proxy and later disabled the option, the configured settings will be used and should be updated as necessary.
23. With v8.5, the option of TLSv1 on the Configure > SSL > Decryption/Encryption page (Inbound and Outbound tabs) and on the Configure > Security > FIPS page of Content Gateway Manager is no longer a default selection. Options for TLSv1.1 and TLSv1.2 are added and enabled by default.
30. The Session Cache section, previously available on Configure > SSL > Decryption / Encryption > Outbound, has been removed in v8.5.4 to avoid Content Gateway restarts. Upgrades to v8.5.4 will automatically disable these options if they had been previously enabled.