Automatic Updates for Endpoint DLP Software
Topic 41102 / Updated: 11-Dec-2014
Endpoint auto-update is a feature that lets a network server push an endpoint installation package to client machines and silently install the package in the background. By doing so, the network server controls the version of the endpoint running on client machines.
Note that the endpoint auto-update feature does not support the initial deployment of the agent — it only supports existing agents. In addition, it does not apply to Linux or Mac endpoints. It works only with Windows endpoint clients.
This document is divided into two sections:
* Configuring the auto-update server
* Auto-update workflow for advanced configuration
The first section describes how to set up a server to work with the auto-update feature. The second section helps you understand the work flow of the endpoint auto-update process, how the endpoint and update server communicate with each other, and how you can add flexibility to the endpoint auto-update feature with different parameters.
Configuring the auto-update server
The steps provided in this section need to be performed only once. Once this setup is completed, you do not need to repeat this process.
To set up the auto-update system, follow these steps:
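1. Installing Web server
2. Copying server-side foundation files
3. Configuring your Web server
4. Deploying the initial endpoint package on your endpoint clients
5. Deploying an endpoint package on the auto-update server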
Installing Web server
The endpoints that perform automatic updates regularly check with a Web server to determine if they are at the most current version. If the endpoints are not up to date, they try to download a new package from the Web server and install it.
Your Web server can be any server in your network. As a best practice, it should be on a different machine than your Websense servers, such as the TRITON management server and secondary TRITON AP-DATA servers. This optimizes performance of the Websense servers and preserves them for future upgrades. It also gives you the flexibility to choose the port numbers, the hardware and operating system, as well as the security hardening mechanisms to be used, without the risk of collision with Websense components.
You can choose any Web server software that meets your needs and configure it on your machine and network, as long as it meets the following requirements:
*
*
*
Therefore, a server that supports 1,200 endpoints should expect 10 requests per minute (1200 per 120 minutes). When a new package is available, each request can result in a 100 MB file transfer.
Note that endpoints retry their communication attempts if the server can't handle the load.
*
*
Later, this document provides instructions on how to use 3 different types of Web servers and provides sample installation instructions for each. See Configuring your Web server below for details.
Copying server-side foundation files
When your server is ready, you need to copy the Endpoint Update Server Kit to your Web server machine and unzip the files. To do so:
1.
2. Locate the zip file Endpoint Update Server Kit.zip under the installation folder (%DSS_HOME%).
3.
4.
EP_UPDATE_ROOT should now contain the following subfolders:
*
*
*
*
Configuring your Web server
To configure your Web server, follow these basic steps:
1. Choose a scripts folder to use from EP_UPDATE_ROOT (either scripts_windows or scripts_linux).
2. Create a virtual directory called /EPUpdate that is CGI-enabled, and is linked to EP_UPDATE_ROOT/scripts.
3. Create another virtual directory called /EPPackages that links to EP_UPDATE_ROOT/data.
Note that each Web server installation has different configuration steps. Listed below are steps for the 3 most common Web servers:
* Apache HTTPD on Windows
* Apache HTTPD on Linux
* Microsoft IIS 7.x on Windows 2008 or Server 2008 R2
Apache HTTPD on Windows
a. Rename the EP_UPDATE_ROOT/scripts_windows folder to scripts (EP_UPDATE_ROOT/scripts).
b. Edit the configuration file EP_UPDATE_ROOT/conf/httpd.conf with a text editor and replace the string ${EP_UPDATE_ROOT} with the actual value of EP_UPDATE_ROOT.
Important: Use forward slash (/) characters to separate folders. Do not use back slash characters (\).
c. Locate the text file, httpd.conf, in the Apache-HTTPD installation folder. Edit the file and append a single line at its end:
include EP_UPDATE_ROOT/conf/httpd.conf
d.
For additional information, refer to the installation instructions provided on the Apache Web site for compiling and installation on Windows.
Apache HTTPD on Linux
a. Rename the EP_UPDATE_ROOT/scripts_linux folder to scripts (EP_UPDATE_ROOT/scripts).
b. Run the following command to make sure EP_UPDATE_ROOT/scripts/update has execute permissions:
chmod +x EP_UPDATE_ROOT/scripts/update
c. If your Linux server is running SELinux (Security Enhanced Linux), use the semanage or the chcon command to label the file EP_UPDATE_ROOT/scripts/update with the type httpd_sys_content_t. To do this, run the following commands as a Linux root user:
*
*
/sbin/restorecon EP_UPDATE_ROOT/scripts/update
d. Edit the configuration file EP_UPDATE_ROOT/conf/httpd.conf with a text editor, and replace the string ${EP_UPDATE_ROOT} with the actual value of EP_UPDATE_ROOT.
e. Edit the file /etc/httpd/conf/httpd.conf, and append a single line at its end:
include EP_UPDATE_ROOT/conf/httpd.conf
f.
For additional information, see the Installation instructions provided on the Apache Web site.
Microsoft IIS 7.x on Windows 2008 or Server 2008 R2
1. Click Start, point to Administrative Tools, and then click Server Manager to open the IIS Manager.
2.
a. Right-click an empty area in the right pane, select Add, and fill in the following values:
* ISAPI or CGI path: EP_UPDATE_ROOT\scripts_windows\update.bat
* Description: TRITON AP-ENDPOINT DLP Auto-Update
b. Check the option, Allow Extension path to execute.
c.
3.
4. Right-click the site, choose Add Virtual Directory, and enter the following details:
* Alias: EPUpdate
* Physical path: EP_UPDATE_ROOT\scripts_windows
5. Click on the newly created EPUpdate virtual folder in the left pane, and double-click on Handler Mappings in the right pane.
6. Right-click an empty area in the right pane, choose Add Module Mapping, and enter the following values:
* Request Path: update.bat
* Module: CgiModule
*
* Name: TRITON AP-ENDPOINT DLP Auto-Update
7. Right-click anywhere on the site, select the option Add Virtual Directory, and enter the following details:
* Alias: EPPackages
* Physical path: EP_UPDATE_ROOT\data
For additional information, refer to the installation instructions provided for Windows Server 2008 or Windows Server 2008 R2 on the IIS Web site.
Deploying the initial endpoint package on your endpoint clients
Use the Websense Endpoint package builder to create an initial installation package for your endpoints. You must deploy this installation package to your endpoint clients yourself, based on your preference, such as Active Directory GPO or Microsoft SMS.
*
*
*
*
See the Endpoint Installation and Deployment Guide for instructions on using the endpoint package builder.
 
Important 
Deploying an endpoint package on the auto-update server
Follow these steps to deploy a new package using the auto-update mechanism.
a. Use the endpoint package builder to create a new package, exactly as you created the initial one. The package builder generates a folder with several installation packages, one for each version of the operating system.
Note: If you plan to use auto-update frequently, make sure that new packages point to an auto-update server.
b. On the TRITON management server, open a command prompt and change to the %DSS_HOME% directory:
cd %DSS_HOME%
Run the following command (in a single line):
"%DSS_HOME%\python" "%DSS_HOME%\EP_Prepare_Package4Update.py" Path-to-folder-with-packages
This command creates a new subfolder called .private inside the folder with the generated package. This subfolder contains metadata about the package.
c. Copy the entire contents of the generated package folder (along with the metadata) to the Web server machine (into EP_UPDATE_ROOT/data). For example, the win32 installation will be located in EP_UPDATE_ROOT/data/WebsenseEndpoint_32bit.exe.
Be aware that if you copy an older endpoint package to the Web server (inadvertently or otherwise), the endpoints will download and install the older version.
Now your server is ready. Whenever there is a new TRITON AP-ENDPOINT DLP release, copy the updated release binaries to your auto-update server, and the endpoints will update at the next scheduled time.
 
Important 
Auto-update workflow for advanced configuration
Read this section to understand the work flow of the endpoint auto-update process, how the endpoint and update server communicate with each other, and how you can add flexibility to the endpoint auto-update feature.
The endpoint client machines check the management server for configuration updates to the data endpoint profile.
This is how the endpoint auto-update process works:
1.
2.
3.
4.
a.
b.
How the endpoint and update server communicate
When the endpoint sends a GET request to the auto-update server, the request URL contains many pre-defined parameters.
For example:
<UpdateServer URL="http://download.websense.com/update" />
GET /update?Bits=64bit&Platform=Windows&Domain=websense.com&User=EPUser&SID=xxxxxx&LocalVersion=7.6.1218&LocalDSSVersion=7.6.3.16&ProtocalVersion=1.2&WSCookie=4f3h&DLP=Yes&WEB=Yes&RF=No&CI=No HTTP/1.1
Host: download.websense.com
These parameters provide local information about the client machine. Given below is a list of parameters in the GET request URL sent by the endpoint and their description:
Similarly, when the auto-update server returns a string in XML-like format, it also includes many pre-defined parameters. For example,
<?xml version="1.0" encoding="utf-8" ?>
<UpdateServer>
<CurrentVersion="7.6.1219">
<CurrentDSSVersion="7.6.3.17">
<CheckSum="A15BCDE9393288EFACDB3493827ABEFD">
<URL="http://download.websense.com/upgrade/installpackage_1219.exe">
<IncludeEP="Yes">
<IncludeDSS="Yes">
</UpdateServer>
Given below is a description of the elements in the XML-like file returned by the auto-update server:
Depending on the response of the update server, endpoints can retrieve the install package and install it silently.
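The response format shown above, together with the earlier caveat that an older package on the server gets installed, as an added Python example that is not part of the original document or the product: it parses the XML-like response, compares versions numerically, and checks a downloaded package against CheckSum. The function names are hypothetical, and reading the 32-hex-digit CheckSum as an MD5 digest is an assumption the page does not confirm.

```python
import hashlib
import re

# Sample response copied from the example above (XML-like, not well-formed XML).
SAMPLE_RESPONSE = '''<?xml version="1.0" encoding="utf-8" ?>
<UpdateServer>
<CurrentVersion="7.6.1219">
<CurrentDSSVersion="7.6.3.17">
<CheckSum="A15BCDE9393288EFACDB3493827ABEFD">
<URL="http://download.websense.com/upgrade/installpackage_1219.exe">
<IncludeEP="Yes">
<IncludeDSS="Yes">
</UpdateServer>'''

# Matches the <Name="value"> elements; skips the XML declaration and wrapper tags.
FIELD_RE = re.compile(r'<(\w+)="([^"]*)">')

def parse_update_response(text):
    """Return the Name="value" pairs of the XML-like response as a dict."""
    return dict(FIELD_RE.findall(text))

def version_tuple(version):
    """'7.6.1218' -> (7, 6, 1218) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))

def audit_response(text, local_version, package_bytes=None):
    """List problems with an advertised update, from the endpoint's point of view."""
    fields = parse_update_response(text)
    findings = ["missing field: " + name
                for name in ("CurrentVersion", "CheckSum", "URL")
                if name not in fields]
    if findings:
        return findings
    if version_tuple(fields["CurrentVersion"]) < version_tuple(local_version):
        findings.append("downgrade: server advertises %s, endpoint runs %s"
                        % (fields["CurrentVersion"], local_version))
    if package_bytes is not None:
        # Assumption: CheckSum is the MD5 hex digest of the package file.
        digest = hashlib.md5(package_bytes).hexdigest().upper()
        if digest != fields["CheckSum"].upper():
            findings.append("checksum mismatch: computed " + digest)
    return findings
```

A checksum delivered over the same plain-HTTP channel as the package detects corruption in transit, not a modified package, so the version comparison and access control on EP_UPDATE_ROOT/data remain the meaningful checks.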
 

Copyright 2016 Forcepoint LLC. All rights reserved.