Automatic Updates for Forcepoint One Endpoint (Forcepoint DLP Endpoint)
Updated: 18-Jan-2019
Endpoint auto-update is a feature that lets a network server push a Forcepoint DLP Endpoint or Forcepoint One Endpoint installation package to endpoint machines and silently install the package in the background. By doing so, the network server controls the version of the endpoint running on endpoint machines.
Note that the endpoint auto-update feature does not support the initial deployment of the agent — it only supports existing agents. In addition, auto-update:
*
*
 
Note 
This document is divided into two sections:
*
*
The first section describes how to set up a server to work with the auto-update feature. The second section helps you understand the workflow of the endpoint auto-update process, how the endpoint and update server communicate with each other, and how you can add flexibility to the endpoint auto-update feature with different parameters.
Configuring the auto-update server
The steps provided in this section need to be performed only once. Once this setup is completed, you do not need to repeat this process.
To set up the auto-update system:
1.
2.
3.
4.
5.
Installing the Web server
Forcepoint One Endpoint clients perform automatic updates regularly by checking with a Web server to determine whether they are running the most current version. If a client is not up to date, it tries to download a new package from the Web server and install it.
Your Web server can be any server in your network. For best practice, it should be on a different machine than your servers — such as the management server and secondary Forcepoint DLP servers. This optimizes performance of the servers and preserves them for future upgrades. It also gives you the flexibility to choose the port numbers, the hardware, and the operating system, as well as the security hardening mechanisms to be used, without the risk of collision with Forcepoint components.
You can choose any Web server software that meets your needs and configure it on your machine and network, as long as it meets the following requirements:
*
*
*
Therefore, a server that supports 1,200 endpoints should expect 10 requests per minute (1,200 per 120 minutes). When a new package is available, each request can result in a 100 MB file transfer.
Note that endpoints retry their communication attempts if the server cannot handle the load.
*
*
This document provides instructions on how to use 3 common types of Web servers and provides sample installation instructions for each. See Configuring your Web server below for details.
Copying server-side foundation files
When your server is ready, you need to copy the Endpoint Update Server Kit to your Web server machine and unzip the files. To do so:
1.
2. Locate the zip file Endpoint Update Server Kit.zip under the installation folder (%DSS_HOME%).
3.
4.
EP_UPDATE_ROOT should now contain the following subfolders:
*
*
*
*
 
Note 
Configuring your Web server
To configure your Web server, follow these basic steps:
1. Choose a scripts folder to use from EP_UPDATE_ROOT (either scripts_windows or scripts_linux).
2. Create a virtual directory called /EPUpdate that is CGI-enabled, and is linked to EP_UPDATE_ROOT/scripts.
3. Create another virtual directory called /EPPackages that links to EP_UPDATE_ROOT/data.
Note that each Web server installation has different configuration steps. Listed below are steps for the 3 most common Web servers:
*
*
*
Apache HTTPD on Windows
1. Rename the EP_UPDATE_ROOT/scripts_windows folder to scripts (EP_UPDATE_ROOT/scripts).
2. Edit the configuration file EP_UPDATE_ROOT/conf/httpd.conf with a text editor and replace the string ${EP_UPDATE_ROOT} with the actual value of EP_UPDATE_ROOT.
Important: Use forward slash (/) characters to separate folders. Do not use backslash characters (\).
3. Locate the text file, httpd.conf, in the Apache-HTTPD installation folder. Edit the file and append a single line at its end:
include EP_UPDATE_ROOT/conf/httpd.conf
4.
For additional information, refer to the installation instructions provided on the Apache Web site for compiling and installing on Windows.
Apache HTTPD on Linux
1. Rename the EP_UPDATE_ROOT/scripts_linux folder to scripts (EP_UPDATE_ROOT/scripts).
2. Run the following command to make sure EP_UPDATE_ROOT/scripts/update has execute permissions:
chmod +x EP_UPDATE_ROOT/scripts/update
3. If your Linux server is running SELinux (Security Enhanced Linux), use the semanage or the chcon command to label the file EP_UPDATE_ROOT/scripts/update with the type httpd_sys_content_t. To do this, run the following commands as the Linux root user:
*
* /sbin/restorecon EP_UPDATE_ROOT/scripts/update
4. Edit the configuration file EP_UPDATE_ROOT/conf/httpd.conf with a text editor, and replace the string ${EP_UPDATE_ROOT} with the actual value of EP_UPDATE_ROOT.
5. Edit the file /etc/httpd/conf/httpd.conf, and append a single line at its end:
include EP_UPDATE_ROOT/conf/httpd.conf
6.
For additional information, see the installation instructions provided on the Apache Web site.
Microsoft IIS on Windows Server 2016
1. Open the Control Panel, select Administrative Tools, then click Internet Information Services (IIS) to open the IIS Manager.
2.
a. Right-click an empty area in the right pane, select Add, and fill in the following values:
* ISAPI or CGI path: EP_UPDATE_ROOT\scripts_windows\update.bat
* Description: Forcepoint One Endpoint Auto-Update
b. Check the option Allow extension path to execute.
c.
3.
4. Right-click the site, choose Add Virtual Directory, and enter the following details:
* Alias: EPUpdate
* Physical path: EP_UPDATE_ROOT\scripts_windows
5. Click on the newly created EPUpdate virtual folder in the left pane, and double-click Handler Mappings in the right pane.
6. Right-click an empty area in the right pane, choose Add Module Mapping, and enter the following values:
* Request path: update.bat
* Module: CgiModule
*
* Name: Forcepoint One Endpoint Auto-Update
7. Right-click anywhere on the site, select the option Add Virtual Directory, and enter the following details:
* Alias: EPPackages
* Physical path: EP_UPDATE_ROOT\data
For additional information, refer to the installation instructions provided on the IIS Web site.
Deploying the initial endpoint package on your endpoint machines
Use the Forcepoint Endpoint Package Builder to create an initial installation package, then deploy this installation package to your endpoint machines. For more information on deploying Forcepoint Endpoint, see the Endpoint Installation and Deployment Guide.
 
Important 
* The wepsvc service must be running on the endpoint machine for auto-update to run properly.
Deploying an endpoint package on the auto-update server
Follow these steps to deploy a new package using the auto-update mechanism.
1. Use the endpoint package builder to create a new package. The package builder generates a folder with several installation packages, one for each version of the operating system.
Note: If you plan to use auto-update frequently, make sure that new packages point to an auto-update server. This option is configured on the Server Connection screen in the package builder:
a. Select the Receive automatic software updates option.
b. In the URL field, set up a URL for automatic updates:
*
* If you have installed an IIS server, the URL should be
http://<server:port>/EPUpdate/update.bat
c. In the How often should endpoint clients check for updates field, set up a schedule for how often the endpoint machines should check for updates. Forcepoint recommends setting this option to 10 minutes.
2.
a.
cd %DSS_HOME%
 
Note 
b.
python EP_Prepare_Package4Update.py <Path-to-folder-with-packages>
where <Path-to-folder-with-packages> is the location of the Forcepoint Endpoint package created in the previous step.
After running this command, a new subfolder called .private is created inside the folder with the generated package. This subfolder contains metadata about the package.
3. Copy the entire contents of the generated package folder (along with the .private folder containing the metadata) to the Web server machine (into EP_UPDATE_ROOT/data). For example, the Win32 installation will be located in EP_UPDATE_ROOT/data/FORCEPOINT-ONE-ENDPOINT-x32.exe.
Be aware that if you copy an older endpoint package to the Web server (inadvertently or otherwise), the endpoint machine will download and install the older version.
4. The executable files in the EP_UPDATE_ROOT/data folder, as well as the metadata file in the .private folder, need to be renamed from FORCEPOINT-ONE-ENDPOINT to WebsenseEndpoint:
*
*
*
*
 
Now your server is ready. Whenever there is a new Forcepoint One Endpoint release, copy the updated release binaries to your auto-update server, and the endpoints will update at the next scheduled time.
 
Important 
Auto-update workflow for advanced configuration
Read this section to understand the workflow of the endpoint auto-update process, how the endpoint and update server communicate with each other, and how you can add flexibility to the endpoint auto-update feature.
The endpoint machines check the management server for configuration updates to the data endpoint profile.
This is how the endpoint auto-update process works:
1.
2.
3.
4.
a.
b.
How the endpoint and update server communicate
When the endpoint sends a GET request to the auto-update server, the request URL contains many predefined parameters.
For example:
<UpdateServer URL= "http://download.forcepoint.com/update" />
GET /update?Bits=64bit&Platform=Windows&Domain=forcepoint.com&User=EPUser&SID=xxxxxx&LocalVersion=7.6.1218&LocalDSSVersion=7.6.3.16&ProtocalVersion=1.2&WSCookie=4f3h&DLP=Yes&WEB=Yes&RF=No&CI=No HTTP/1.1
Host: download.forcepoint.com
These parameters provide local information about the endpoint machine. The table below lists the parameters in the GET request URL sent by the endpoint and their description:
Similarly, when the auto-update server returns a string in XML-like format, it also includes many pre-defined parameters. For example:
<?xml version="1.0" encoding="utf-8" ?>
<UpdateServer>
<CurrentVersion="7.6.1219">
<CurrentDSSVersion="7.6.3.17">
<CheckSum="A15BCDE9393288EFACDB3493827ABEFD">
<URL="http://download.forcepoint.com/upgrade/installpackage_1219.exe">
<IncludeEP="Yes">
<IncludeDSS="Yes">
</UpdateServer>
The table below provides descriptions of the elements in the XML-like file returned by the auto-update server:
Depending on the response of the update server, endpoints can retrieve the install package and install it silently.
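An administrator-side check of the exchange described above, as an added example (not Forcepoint code): it parses the XML-like reply, compares CurrentVersion with the version the endpoints run, and verifies CheckSum against the package bytes. The function names and the sample package bytes are constructed, and MD5 is an assumption based on the 32-hex-digit CheckSum; the page does not name the algorithm.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed stand-in for an installer; not a real Forcepoint package.
SAMPLE_PACKAGE = b"constructed installer bytes"
# The page's sample reply, with CheckSum recomputed for SAMPLE_PACKAGE.
SAMPLE_RESPONSE = f'''<?xml version="1.0" encoding="utf-8" ?>
<UpdateServer>
<CurrentVersion="7.6.1219">
<CurrentDSSVersion="7.6.3.17">
<CheckSum="{hashlib.md5(SAMPLE_PACKAGE).hexdigest().upper()}">
<URL="http://download.forcepoint.com/upgrade/installpackage_1219.exe">
<IncludeEP="Yes">
<IncludeDSS="Yes">
</UpdateServer>'''

def parse_update_response(text):
    """Return the <Name="value"> elements of the XML-like reply as a dict."""
    # Elements such as <CheckSum="..."> are not well-formed XML, so an XML
    # parser rejects the reply; match the name/value pairs directly.
    return dict(re.findall(r'<(\w+)\s*=\s*"([^"]*)"\s*/?>', text))

def version_tuple(version):
    """'7.6.1219' -> (7, 6, 1219), so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def audit_update(response_text, package_bytes, local_version):
    """Return findings for a reply/package pair (empty list = nothing found)."""
    fields = parse_update_response(response_text)
    missing = [k for k in ("CurrentVersion", "CheckSum", "URL") if k not in fields]
    if missing:
        return [f"missing field: {k}" for k in missing]
    findings = []
    # An older package on the server is installed like any other (see step 3).
    if version_tuple(fields["CurrentVersion"]) < version_tuple(local_version):
        findings.append("downgrade")
    # Assumption: CheckSum is MD5 (32 hex digits); the page does not say.
    if hashlib.md5(package_bytes).hexdigest() != fields["CheckSum"].lower():
        findings.append("checksum mismatch")
    # Over plain HTTP the reply and the package share one unauthenticated
    # channel, so the checksum catches corruption but not substitution.
    if urlsplit(fields["URL"]).scheme != "https":
        findings.append("package URL is not https")
    return findings

if __name__ == "__main__":
    print(audit_update(SAMPLE_RESPONSE, SAMPLE_PACKAGE, "7.6.1218"))
```

Run it against the reply your own update server returns and the package file in EP_UPDATE_ROOT/data before announcing a new release to endpoints.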
 
 
© 2019 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a registered trademark of Raytheon Company. All other trademarks used in this document are the property of their respective owners.
 

Copyright 2019 Forcepoint LLC. All rights reserved.