WWS Installation Guide

I nstal l at i on Gui de
v7. 5
Websense
Web Securi t y
Websense Web Fi l t er
19962010, Websense, Inc.
10240 Sorrento Valley Rd., San Diego, CA 92121, USA
All rights reserved.
Published 2010
Printed in the United States of America and Ireland
The products and/or methods of use described in this document are covered by U.S. Patent Numbers 5,983,270; 6,606,659; 6,947,985; 7,185,015;
7,194,464 and RE40,187 and other patents pending.
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-
readable form without prior consent in writing from Websense, Inc.
Every effort has been made to ensure the accuracy of this manual. However, Websense, Inc., makes no warranties with respect to this
documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Websense, Inc., shall not be liable for
any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein.
The information in this documentation is subject to change without notice.
Trademarks
Websense is a registered trademark of Websense, Inc., in the United States and certain international markets. Websense has numerous other
unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.
Microsoft, Windows, Windows NT, Windows Server, Windows Vista and Active Directory are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
Sun, Sun Java System, and all Sun Java System based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc., in
the United States and other countries.
Red Hat is a registered trademark of Red Hat, Inc., in the United States and other countries. Linux is a trademark of Linus Torvalds in the United
States and other countries.
Novell, Novell Directory Services, eDirectory, and ZENworks are trademarks or registered trademarks of Novell, Inc., in the United States and
other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Pentium, Xeon, and Core2 are registered trademarks of Intel Corporation.
This product includes software developed by the Apache Software Foundation (www.apache.org).
Copyright (c) 2000 The Apache Software Foundation. All rights reserved.
Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property
of their respective manufacturers.
WinPcap
Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy).
Copyright (c) 2005 - 2009 CACE Technologies, Davis (California).
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
Neither the name of the Politecnico di Torino, CACE Technologies nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Installation Guide 3
Contents
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Using this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Other related documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Websense components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
How Websense filtering works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Steps for a successful Websense software deployment . . . . . . . . . . . . . . . . . . . . 10
Technical Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 2 Installation Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Websense installers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Installation flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Before installing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Planning and gathering required information . . . . . . . . . . . . . . . . . . . . . . . . . 15
Synchronizing clocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Installing on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Computer Browser service (Windows Server 2008). . . . . . . . . . . . . . . . . . . . 17
Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Remote filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Websense Network Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Network interface card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Internet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Remote control utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Preparing to install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Typical installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Installation procedure: typical installation . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Installing individual components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Installation procedure: any component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Modifying an installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Adding components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Removing components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Stopping and starting Websense services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Manually stopping and starting services (Windows) . . . . . . . . . . . . . . . . . . . 85
Manually stopping and starting services (Linux) . . . . . . . . . . . . . . . . . . . . . . 85
Stopping principal components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
4 Websense Web Security and Websense Web Filter
Contents
Chapter 3 Initial Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Configuring Websense Apache services for trusted connection . . . . . . . . . . . . . 90
Starting TRITON - Web Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Configuring firewalls or routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Working with Windows Server 2008. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Turning on the Computer Browser service . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Identifying Filtering Service by IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Creating and running the script for Logon Agent . . . . . . . . . . . . . . . . . . . . . . . . 95
Prerequisites for running the logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Websense user map and persistent mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Deployment tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Configuring Network Agent to use multiple NICs. . . . . . . . . . . . . . . . . . . . . . . 102
Appendix A Configuring Stealth Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Configuring for Stealth Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Appendix B Planning for Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Installing reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Installation concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
SQL Server/MSDE installation error messages . . . . . . . . . . . . . . . . . . . . . . . . . 109
Database version error messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Collation and case-sensitivity error messages. . . . . . . . . . . . . . . . . . . . . . . . 110
Database creation error messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Installing with MSDE 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Installing with SQL Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Configuring Microsoft SQL Server user roles . . . . . . . . . . . . . . . . . . . . . . . 113
Appendix C Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
TRITON - Web Security cannot be accessed . . . . . . . . . . . . . . . . . . . . . . . . 115
Where can I find download and error messages? . . . . . . . . . . . . . . . . . . . . . 116
I am having trouble running the installer on a Linux machine . . . . . . . . . . . 116
I forgot my WebsenseAdministrator password. . . . . . . . . . . . . . . . . . . . . . . 117
The Master Database does not download . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Policy Server fails to install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Network Agent on Linux fails to start with stealth mode NIC. . . . . . . . . . . 117
Windows 98 computers are not being filtered as expected. . . . . . . . . . . . . . 118
Network Agent cannot communicate with Filtering Service after it has been
reinstalled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
A General Exception error occurs while installing on Linux . . . . . . . . . . . . 118
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
1
Introduction
Installation and setup information in this guide applies to both Websense Web
Security and Websense Web Filter.
Instructions are included for downloading and extracting installation files, and starting
and running the installer.
This guide also includes instructions for:
Installing individual components, page 37
Configuring Stealth Mode, page 103
Planning for Reporting, page 105
Troubleshooting, page 115
Receiving Technical Support, page 11
Websense software can be integrated with your firewall, proxy server, caching
application, or network appliance (such third-party products are referred to as
integration products). Or it can run without an integration (referred to as a stand-alone
installation or deployment).
Using this guide
This guide is the main source of information for installing Websense software. By
itself, it describes a stand-alone installation.
Note
In this guide, Websense software refers to both Websense
Web Security and Websense Web Filter, unless specifically
stated otherwise.
Introduction
Installation Guide supplements provide additional information for specific installation
scenarios. There are supplements for integrating Websense software with the
following products:
A Universal Integrations supplement is also available for supported integrations that
do not have a specific supplement.
Upgrading Websense Web Security Software contains instructions on upgrading from
a previous version of Websense software.
These supplements and other installation documents are available from the Websense
Knowledge Base at: www.websense.com/docs/.
When using one of the supplements, read it before this guide. It contains specific
instructions about choices to make while following the general installation procedures
described in this guide.
After installing Websense software, refer to the TRITON - Web Security Help for
setup and configuration information.
Other related documentation
See the Deployment Guide for Websense Web Security Solutions before installing
the Web filtering components for deployment best practices, configuration
recommendations, and hardware and software requirements.
Use the Installation Organizer for Websense Web Security Solutions to record IP
addresses, port numbers, keys, passwords, and other information needed during
installation.
These documents are available from the Websense Documentation Web site:
www.websense.com/docs/
Cisco products Microsoft ISA Server and Forefront TMG
Citrix products Squid Web Proxy Cache
Check Point products
Introduction
Websense components
Websense software is made up of several components that work together to provide
user identification, Internet filtering, and reporting capabilities. Not all components
are required to deploy the software.
Required components
Policy Broker: Manages requests from Websense components for policy and
general configuration information.
Policy Database: Stores Websense software settings and policy information. This
database is installed with Policy Broker, and cannot be installed separately.
Policy Server: Identifies and tracks the location and status of other Websense
components. Stores configuration information specific to a single Policy Server
instance. Communicates configuration data to Filtering Service, for use in
filtering Internet requests.
Filtering Service: Interacts with your integration product and Network Agent to
filter Internet requests. Filtering Service either permits the Internet request or
sends an appropriate block message to the user.
TRITON - Web Security: Configuration, management, and reporting interface to
Websense software.
Apache2Websense: Apache Web Server providing underlying functions required
for Investigative Reports and client-browser communication in TRITON - Web
Security.
ApacheTomcatWebsense: Apache Tomcat service that hosts the management
and reporting user interfaces of TRITON - Web Security.
User Service: Communicates with your networks directory services to allow you
to apply filtering policies based on users, groups, domains, and organizational
units.
Network Agent (required for stand-alone deployment only): In a stand-alone
deployment, Network Agent manages the filtering of all protocols, including
HTTP, HTTPS, and FTP.
Network Agent detects network activity to support the bandwidth filtering and
protocol management features, and to log the number of bytes transferred.
In an integrated deployment, Network Agent is optional. In this case, Network
Agent manages the Internet protocols that are not managed by your integration
product. Network Agent can also be used to detect HTTP network activity and
instruct Filtering Service to log this information.
Usage Monitor: Tracks users Internet activity and sends alerts to Websense
administrators when configured threshold values are exceeded.
Websense Master Database: A downloadable list of millions of categorized
Internet sites. Protocol definitions are also included in this database.
Websense Control Service: Tracks the installation, configuration, and removal of
Websense components and services. This service should be left running at all
times.
Introduction
Optional user identification components
DC Agent: With Microsoft Windows
directory services to transparently identify

users so that Websense software can filter them according to particular policies
assigned to users or groups.
Logon Agent: Works with the Websense logon application (LogonApp.exe) to
transparently identify users as they log on to Windows domains.
RADIUS Agent: Works through a RADIUS Server to transparently identify users
and groups who access your network using a dial-up, Virtual Private Network
(VPN), Digital Subscriber Line (DSL), or other remote connection.
eDirectory Agent: Works with Novell
eDirectory to transparently identify

users so that Websense software can filter them according to particular policies
assigned to users or groups.
Optional filtering components
Remote Filtering Server: Provides Web filtering for clients located outside your
organizations network firewall or Internet gateway. The Remote Filtering Server
should be installed inside the outermost firewall, but in the DMZ outside the
firewall protecting the rest of the corporate network.
Remote Filtering Client: Is installed on client machines, such as laptop
computers, that are used outside of the organizations network firewall or Internet
gateway. This component connects with a Remote Filtering Server to filter the
remote computers.
Optional reporting component
The following Windows-only component is required to enable the reporting features
of TRITON - Web Security (including charts, presentation reports, and investigative
reports). Before this component can be installed, Microsoft SQL Server or Microsoft
SQL Server Desktop Edition (MSDE) must be installed.
Log Server: Sends records of Internet activity to the Log Database. It also sends
category names, protocol names, and risk class names from the Master Database
to the Log Database.
Integration component
Filtering plug-in: Enables communication between supported firewalls, proxy
servers, caching applications, or network appliances and Filtering Service. See the
Installation Guide Supplement for your integration product for more information.
Note
Not all supported integration products require a filtering
plug-in. Only Microsoft ISA Server and Forefront TMG;
Citrix Presentation Server and XenApp; and Squid Web
Proxy Cache require plug-ins.
Introduction
Interoperability components
The following components allow communication and synchronization between Web
and data security components, and between on-premises components and the hybrid
service in Websense Web Security Gateway Anywhere deployments.
Linking Service: Enables communication between Websense filtering software
and Websense Data Security. Linking Service gives Data Security access to user
name information from User Service and URL categorization information from
Filtering Service.
Directory Agent: Collates user and group information for use by the hybrid
service.
Sync Service: Communicates policy and user information to the hybrid service.
Retrieves log data for reporting from the hybrid service.
How Websense filtering works
Websense software has a flexible, policy-based filtering approach to Internet request
filtering. You create and apply filtering policies, which then determine the types of
Web sites and Internet applications clients can access.
Websense software can be integrated with your firewall, proxy server, caching
application, or network appliance, or can run as a stand-alone product.
In an integrated environment, the integration product receives the clients
Internet request, and then queries Websense Filtering Service to determine
whether the request should be blocked or permitted.
In a stand-alone environment, Websense Network Agent detects the clients
Internet request, and then queries Filtering Service to determine whether the
request should be blocked or permitted.
Filtering policies are applied to clients. In all environments, clients can be computers
(identified by IP address) or networks (identified by IP address range). If you
configure Websense software to communicate with a supported directory service,
clients can also be users, groups and domains/organizational units (referred to
collectively as directory clients).
When a client requests a Web site, Websense Filtering Service identifies which policy
currently applies, and which categories have the Block, Confirm, or Quota action
applied by that policy. (More information about the Permit, Block, Confirm, and
Quota actions is available in the TRITON - Web Security Help.)
Next, Filtering Service checks the Websense Master Database to find out how the
requested site is categorized. If the category is blocked (or has the Confirm or Quota
action applied), Filtering Service sends a block page to the client.
Websense Network Agent makes it possible to filter protocols other than HTTP, such
as those used by instant messaging, streaming media, and file sharing applications.
Network Agent also enables Bandwidth Optimizer functionality, which makes it
possible to filter HTTP and non-HTTP access based on bandwidth usage.
Introduction
Steps for a successful Websense software deployment
Follow these steps to simplify and streamline the installation process.
1. Plan the deployment. Websense components can be deployed in many
combinations. The optimal deployment for your organization depends on your
network layout and the expected volume of Internet requests. Consult the
Deployment Guide for Websense Web Security Solutions for guidelines and
considerations.
2. Complete the Installation Organizer for Websense Web Security Solutions. This
worksheet, available from the Websense Knowledge Base, ensures that you have
gathered the IP addresses, port numbers, keys, passwords, and other information
needed during installation.
3. Install Websense filtering components. Follow your deployment plan to
distribute Websense software components appropriately. See Chapter 2:
Installation Procedures.
4. Install Log Server on a Windows machine to enable the reporting features of
TRITON - Web Security.
Microsoft SQL Server or MSDE is required by Log Server. See the Deployment
Guide for Websense Web Security Solutions for which versions of SQL Server and
MSDE are supported by Log Server.
5. Perform initial setup tasks. Post-installation setup tasks are described in
Chapter 3: Initial Setup.
For detailed information about post-installation setup and configuration tasks, refer to
the TRITON - Web Security Help.
If this is your first time using Websense software, the New User Quick Start tutorial,
accessed via TRITON - Web Security, provides a streamlined overview of the key
tasks and concepts, with examples.
Note
If you are integrating Websense software with a product
that requires a Websense filtering plug-in, be sure to install
the plug-in on each machine running the integration
product. Filtering Service must be installed in the network
before the plug-in. For more information, see the
Installation Guide supplement for your integration
product.
Introduction
Technical Support
Technical information about Websense software and services is available 24 hours a
day at www.websense.com/support/, including:
the latest release information
the searchable Websense Knowledge Base
Support Forums
Support Webinars
show-me tutorials
product documents
answers to frequently asked questions
Top Customer Issues
in-depth technical papers
For additional questions, click the Contact Support tab at the top of the page.
If your issue is urgent, please call one of the offices listed below. You will be routed to
the first available technician, who will gladly assist you.
For less urgent cases, use our online Support Request Portal at ask.websense.com.
For faster phone response, please use your Support Account ID, which you can find
in the Profile section at MyWebsense.
Location Contact information
North America +1-858-458-2940
France Contact your Websense Reseller. If you cannot
locate your Reseller: +33 (0) 1 5732 3227
Germany Contact your Websense Reseller. If you cannot
UK Contact your Websense Reseller. If you cannot
Rest of Europe Contact your Websense Reseller. If you cannot
Middle East Contact your Websense Reseller. If you cannot
Africa Contact your Websense Reseller. If you cannot
Australia/NZ Contact your Websense Reseller. If you cannot
Introduction
For telephone requests, please have ready:
Websense subscription key
Access to the Websense management console.
Access to the machine running reporting tools and the database server (Microsoft
SQL Server or MSDE)
Familiarity with your networks architecture, or access to a specialist
Asia Contact your Websense Reseller. If you cannot
locate your Reseller: +86 (10) 5884 4200
Latin America
and Caribbean
+1-858-458-2940
Location Contact information
2
Installation Procedures
Use the procedures that follow to install or remove Websense software components
together or individually.
In general, even in smaller networks, it is recommended that you install filtering and
reporting components on separate machines.
Typical installation describes how to install all filtering components and,
optionally, reporting components at the same time. There are two types of typical
installation available in the installer: Filtering and Management and Filtering,
Management, and Reporting (Windows only).
Installing individual components describes how to install one or more components
on a machine, without installing all filtering components together. Install
individual components by selecting the Custom installation type in the installer.
Removing components describes how to remove one or all Websense software
components on a machine.
If you are integrating Websense filtering software with another product, combine the
steps provided here with the instructions in the applicable Installation Guide
supplement.
The documents referenced in this chapter are available from the Documentation
section of the Websense Knowledge Base (www.websense.com/docs/).
Websense installers
Separate installers are available for Windows and Linux versions of Websense Web
Security and Websense Web Filter.
An additional installer is required for the Websense Content Gateway component (a
key part of a Websense Web Security Gateway installation). See the Websense Content
Gateway Installation Guide for instructions.
Installation flow
The following diagram provides an overview of the Websense Web Security or
Websense Web Filter installation process as a whole.
When you integrate Websense software with some third-party products, additional
steps may be required. See the Installation Guide supplement for your integration
product for more information.
Before installing
Effective planning simplifies your installation; eliminates the need to stop and restart
the process because you do not know the information requested by the installer; and
reduces post-installation problems. The following are tasks you should complete or
information you should know before starting the installation.
Planning and gathering required information
Deployment Guide
Use the Deployment Guide for Websense Web Security Solutions before starting your
installation to make sure that the installation machines meet or exceed system
requirements, and that Websense components are distributed appropriately.
You can install the core filtering components on the same machine, or distribute them
across multiple machines, even with different operating systems. Multiple instances of
some components can be distributed across multiple machines.
If you plan to distribute your Websense components, run the installer on each
machine, and select the Custom installation option. For instructions, see Installing
individual components, page 37.
Installation Organizer
Certain IP addresses, port numbers, keys, passwords, and similar information are
requested during the installation. Use the Installation Organizer for Websense Web
Security Solutions to find and record this information before starting your installation.
This document is located in the Documentation > Planning, Installation and Upgrade
folder in the Websense Knowledge Base (www.websense.com/docs/).
Synchronizing clocks
If you are distributing Websense components across different machines in your
network, synchronize the clocks on all machines where a Websense component is
installed. It is a good practice to point the machines to the same Network Time
Protocol server.
Note
If you are installing TRITON - Web Security or Log
Server on a machine to work with a Websense V-Series
appliance, you must synchronize the machines system
time to the appliances system time.
Installing on Linux
SELinux
Before installing, if SELinux is enabled, set it to permissive (using the setenforce
command) and restart the machine.
Linux firewall
If Websense software is being installed on a Linux machine on which a firewall is
active, shut down the firewall before running the installation.
1. Open a command prompt.
2. Enter service iptables status to determine if the firewall is running.
3. If the firewall is running, enter service iptables stop.
4. After installation, restart the firewall. In the firewall, be sure to open the ports
used by Websense components installed on this machine. See Ports below for
more information.
Hostname
Before installing to a Linux machine, make sure the hosts file (by default, in
/etc) contains a hostname entry for the machine, in addition to the loopback address.
(Note: you can check whether a hostname has been specified in the hosts file by using
the hostname -f command.)
To configure hostname:
1. Set the hostname:
hostname <host>
where <host> is the name you are assigning this machine.
2. Update the HOSTNAME entry in the /etc/sysconfig/network file:
HOSTNAME=<host>
where <host> is the same as in Step 1.
Important
Do not install Websense Network Agent on a machine
running a firewall. Network Agent uses packet capturing
that may conflict with the firewall software. See Websense
Network Agent, page 18.
3. In the /etc/hosts file, specify the IP address to associate with the hostname. This
should be static, and not served by DHCP. Do not delete the second line in the file
(the one that begins with 127.0.0.1).
<IP address> <FQDN> <host>
127.0.0.1 localhost.localdomain localhost
where <FQDN> is the fully-qualified domain name of this machine (i.e.,
<host>.<subdomain(s)>.<top-level domain>)for example,
myhost.example.comand <host> is the same as in Step 1.
Computer Browser service (Windows Server 2008)
To install Websense software on a Windows Server 2008 machine, the Computer
Browser service must be running (note: on most machines you will find it disabled by
default).
Ports
Websense software components use certain ports by default to communicate with each
other and the Internet. Configure any firewall protecting this machine to allow
communication on these ports. For a list of default ports, search the Websense
Knowledge Base (http://kb.websense.com) for Websense software default ports.
Remote filtering
To filter clients outside the network firewall, you must install Remote Filtering
components using the Custom installation option. For instructions, see the Remote
Filtering Software technical paper, located in the Documentation > Planning,
Installation and Upgrade folder in the Websense Knowledge Base
(www.websense.com/docs/).
Important
The hostname entry you create in the hosts file must be the
first entry in the file.
Note
Only 32-bit Windows Server 2008 (x86) is supported by
Websense software. 64-bit Windows Server 2008 (x64) is
not supported (except by the Websense ISAPI Filter plug-
in for Microsoft Forefront TMG and Control Service). See
the Deployment Guide for Websense Web Security
Solutions for specific information about the operating
systems supported by each component.
Websense Network Agent
If you are installing Network Agent, ensure that the Network Agent machine can
monitor all client Internet requests, and the responses to those requests.
If you install Network Agent on a machine that cannot monitor client requests, basic
HTTP filtering (stand-alone installation only) and features such as protocol
management and Bandwidth Optimizer cannot work properly. For more information
about positioning the Network Agent machine in your network, see the Network
Agent chapter in the Deployment Guide for Websense Web Security Solutions.
Network interface card
The network interface card (NIC) that you designate for use by Network Agent during
installation must support promiscuous mode. Promiscuous mode allows a NIC to
listen to IP addresses other than its own. If the NIC supports promiscuous mode, it is
set to that mode by the Websense installer during installation. Contact your network
administrator or the manufacturer of your NIC to see if the card supports promiscuous
mode.
On Linux, do not choose a NIC without an IP address (stealth mode) for Network
Agent communications.
After installation, you can run the Network Traffic Detector to test whether the
selected NIC can see the appropriate Internet traffic. See the Network Configuration
topic in the TRITON - Web Security Help for instructions.
Important
Do not install Network Agent on a machine running a
firewall. Network Agent uses packet capturing that may
conflict with the firewall software.
The only exception is a blade server or appliance with
separate processors or virtual processors to support
Network Agent and the firewall software.
Note
If you install Network Agent on a machine with multiple
NICs, after installation you can configure Network Agent
to use more than one NIC. See the Network Configuration
topic in the TRITON - Web Security Help for more
information.
Internet access
To download the Websense Master Database and enable filtering, each machine
running Websense Filtering Service must be able to access the download servers at:
download.websense.com
ddsdom.websense.com
ddsint.websense.com
portal.websense.com
my.websense.com
Make sure that these addresses are permitted by all firewalls, proxy servers,
routers, or host files that control the URLs that Filtering Service can access.
Remote control utilities
Installation of Websense software with a remote control utility such as Terminal
Services is not supported.
Preparing to install
1. Log on to the installation machine with administrative privileges:
Linux: log on as root.
Windows: log on with domain and local administrator privileges. If you will
install Log Server, the installation machine must be joined to the same domain
as the database engine machine.
Using administrative privileges at installation ensures that User Service (and,
optionally, DC Agent and Logon Agent) is able to apply user-based filtering. If
necessary, you can apply administrator privileges after installation (see
Troubleshooting > User Identification in TRITON - Web Security Help).
If you will use a Windows trusted connection to communicate with the database
engine to access the Websense Log Database, your logon account must also be a
trusted account on the database engine machine with proper database privileges.
Specify this same account in the Database Information screen (Step b, page 29)
when choosing to use Windows trusted connection to access the Log Database.
2. Close all applications and stop any antivirus software.
3. On Linux, create a setup directory for the installer files. For example:
/root/Websense_setup
4. Download the Websense Web Security or Websense Web Filter installer package
from mywebsense.com:
WebsenseWeb75Setup.exe (Windows)
WebsenseWeb75Setup_Lnx.tar.gz (Linux)
On Linux, place the installer tar archive in the setup directory you created.
5. Extract the installer files.
Windows: Double-click the downloaded file, and click Run when prompted.
The installer usually starts automatically.
The installer files are extracted to a temporary directory (by default,
C:\Documents and Settings\<user name>\Local Settings\Temp
\<generated name>.tmp). Once the installer has completed, this directory
is deleted. You can retain these extracted files, for example to perform script-
based installations, by copying the contents of the temporary directory
(including all sub-directories) to another location. Launching setup.exe starts
the installer.
Linux: In the setup directory, enter the following commands to uncompress
and extract files:
gunzip WebsenseWeb75Setup_Lnx.tar.gz
tar xvf WebsenseWeb75Setup_Lnx.tar
This places the following files into the setup directory:
6. After extraction, the installation program starts automatically in Windows. It must
be started manually in Linux.
If the installation program is not running:
Windows: Download the installer package (WebsenseWeb75Setup.exe)
again. The initial download may not have completed successfully and resulted
in a corrupted package. If double-clicking the re-downloaded installer
package does not start the installer, delete all files from the %temp%
directory (accessible by clicking Windows Start, selecting Run, and then
entering %temp%) and then double-click the installer package again. If, at
this point, the installer still does not start contact Websense Technical
Support.
Linux: Use the following command to run the installation program from the
setup directory:
./install.sh -g
This launches a GUI-based installer and is available on English version of
Linux only. A text-only, command-line version can be launched by omitting
the -g switch:
./install.sh
File Description
install.sh Installation program
Setup.bin Archive file containing installation files and documents
Note
If the installation program displays error messages that it is
having difficulty locating other machines, disable any
firewall running on the installation machine.
7. See Typical installation, page 21 or Installing individual components, page 37 for
instructions on installation options.
Typical installation
When you select a typical installation, all core Websense filtering components are
installed together. You are also given the option to install one or more transparent
identification agents, used to apply user-based filtering without prompting users for
logon information. See the Deployment Guide for more information about Websense
software components, and about combining the transparent identification agents.
Which components are included in a typical installation depends on the operating
system of the installation machine, as explained below. For a list of supported
operating system versions, see the Deployment Guide.
If Websense software is integrated with another product, additional components may
be installed. The Installation Guide supplement for your integration product (available
from the Documentation > Planning, Installation and Upgrade folder of the Websense
Knowledge Base) provides more information.
You also can install Websense software as a stand-alone product. Complete
instructions are provided in this Installation Guide.
If you want to select which components are installed, see Installing individual
components, page 37.
Windows
The following core components are installed as part of a typical installation:
Policy Broker Filtering Service
Policy Database User Service
Policy Server Network Agent
TRITON - Web Security (includes
required third-party components Apache
HTTP Server and Apache Tomcat)
Usage Monitor
Transparent identification agents (optional)
DC Agent
Logon Agent
eDirectory Agent
RADIUS Agent
Log Server (generally installed separately from filtering components)
Linux
The following core components are installed as part of a typical Linux installation.
In order to enable the reporting features of TRITON - Web Security in a Linux
deployment, the Log Server component (which is Windows-only) must also be
installed on a Windows machine in the network.
Installation procedure: typical installation
1. Make sure that you have followed the steps in Preparing to install, page 19:
Log on to the installation machine with appropriate permissions.
Close all applications and stop any antivirus software.
Download and start the installer, if needed.
Policy Broker Filtering Service
Policy Database User Service
Policy Server Network Agent
TRITON - Web Security (includes the
required third-party component Apache
Tomcat)
Usage Monitor
Transparent identification agents (optional)
Logon Agent
eDirectory Agent
RADIUS Agent
Important
The installation supplement for your integration product
contains additional information required to install and
configure Websense software to run with your firewall,
proxy server, caching application, or network appliance.
Where indicated, refer to the supplement while performing
the following procedures.
Note
To cancel the command-line Linux installer, press Ctrl-C.
However, do not cancel the installer after the Pre-
Installation Summary screen, as it is installing
components. In this case allow the installation to complete
and then uninstall the unwanted components.
2. On the Introduction screen, click Next.
3. On the Subscription Agreement screen, choose to accept the terms of the
agreement and then click Next.
4. On the Installation Type screen, select an installation type and then click Next:
Filtering and Management: Installs Filtering Service, Policy Broker, Policy
Server, TRITON - Web Security, User Service, Usage Monitor, and Network
Agent together on the same machine. The installer gives you the option of
installing the following transparent identification agents: DC Agent
(Windows only), eDirectory Agent, Logon Agent, and RADIUS Agent.
This installation type is appropriate for:
Small networks (less than 500 users, or less than 25 Internet requests per
second)
Medium networks (500-2500 users or 25-125 Internet requests per
second), on a dedicated machine.
For larger or distributed networks, select the Custom installation type instead.
Note
These instructions refer to installer screens. In the
command-line Linux installer, prompts are displayed that
correspond to each screen. Instructions for a screen also
apply to the corresponding command-line prompt. The
main difference is how options are selected. Rather than
clicking items in a screen, you will enter menu-item
numbers or characters.
Note
This installation type does not include remote filtering
components, which provides filtering for remote users
outside the network firewall. After installing core
components, install remote filtering components on
another machine, using a Custom installation.
Note
If you are installing on an ISA Server machine, you can
select Filtering and Management only if ISA Server is
used as a proxy server and not firewall. This type of
installation includes Websense Network Agent which
should not be installed on a machine running a firewall. If
you want to install Websense components on this machine
select the Custom installation type. Be sure not to install
Network Agent. See Installing individual components,
page 37.
Filtering, Management, and Reporting: Available for Windows only.
Recommended only for evaluation or very small networks. Installs all
filtering, management, and reporting components on a single machine.
This installation type is appropriate for:
Non-production, evaluation environments
Small networks (less than 500 users, or less than 25 Internet requests per
second), on a dedicated machine.
For larger or distributed networks, select Custom installation type instead.
Custom: Allows you to choose individual Websense components to install.
This installation type is suggested for:
Large networks (2500-10000 users or 125-500 Internet requests per
second)
Enterprise networks (10000-25000 users or 500-1250 Internet requests per
second)
Very large enterprise networks (more than 25000 users or more than 1250
Internet requests per second)
Note
If you are installing on a Citrix machine, do not select this
installation type. Only the Citrix Integration Service (i.e.,
filtering plug-in) should be installed on a Citrix machine,
using the Custom installation type.
Note
Like Filtering and Management, this installation type does
not include remote filtering components. See the note
above, under Filtering and Management, for more
information.
Important
Make sure the database engine is running before installing
reporting components.
Note
If you are installing on a Citrix machine, do not select this
installation type. Only the Citrix Integration Service (i.e.,
filtering plug-in) should be installed on a Citrix machine,
using the Custom installation type.
Distributed enterprise networks (users distributed across regional offices
or networks, connected together via the Internet)
If you select this installation type, skip to Installing individual components, page
37 now.
5. On the WebsenseAdministrator Password screen, enter a password for the
WebsenseAdministrator user and then click Next.
It is a best practice to enter a password that is very strong (at least 8-characters
long, containing all of the following: uppercase characters, lowercase characters,
numbers, and symbols).
WebsenseAdministrator is the default TRITON - Web Security user with
unconditional Super Administrator privileges (access to all administrative
functions). This account cannot be removed and its permissions cannot be
changed. When logging on to TRITON - Web Security for the first time, do so as
WebsenseAdministrator.
6. On the Multiple Network Cards screen, select the IP address of the network
interface card (NIC) to be used by Websense software on this machine.
This is the NIC that will be used to send block pages when a user requests filtered
content.You will specify later whether this NIC is also used by Websense Network
Agent to monitor Internet traffic and send protocol block messages.
Note
In these types of environments, Websense components are
typically distributed across different machines in the
network. Multiple instances of certain components are also
installed to handle processing load. Run this installation
program on each machine, select the Custom installation
type, and install particular components. For information
about distributing components, see the Deployment Guide
for Websense Web Security Solutions.
Important
Do not lose this password. Only other Super Administrator
users can reset the WebsenseAdministrator password. If no
other Super Administrator users exist, you must visit
MyWebsense (www.mywebsense.com) and enter your
subscription key to reset the password. For more
information, see TRITON - Web Security Help.
Note
This screen appears even if the machine does not have
multiple NICs. In this case, only one NIC is listed.
Note
If the selected NIC will be used by Network Agent, it must
support promiscuous mode.
7. If you are installing on Windows Server 2008 (the screens mentioned here appear
only if Windows Server 2008 is detected by the installation program):
a. On the Active Directory screen, indicate whether you are using Active
Directory to authenticate users in your network and then click Next.
b. If you select Yes, the Computer Browser Service screen appears if the
Computer Brower service is not currently running. Choose whether to start
this service and then click Next.
The Computer Browser service is a Windows utility that must be set to
Automatic and Start in the Windows Services dialog box for Websense
components to communicate with Active Directory.
If you choose not to have the installer start the service, or if the installer is
unable to start it, you must start it manually after installation. If you use
Active Directory 2008 to authenticate users, you must also start the Computer
Browser service on the Active Directory machine.
See Turning on the Computer Browser service, page 94.
8. On the Integration Option screen, indicate whether this is a stand-alone or
integrated installation, and then click Next.
Stand-alone: Websense software will not be integrated with a third-party
product. Websense Network Agent monitors all Internet requests and sends
them to Websense Filtering Service. Network Agent also sends block
messages to users attempting to access filtered content. If you select this
option, skip to step Step 11 now.
Integrated with another application or device: Websense software is
installed in integrated mode, ready to integrate with a third-party firewall,
proxy server, cache, or network appliance, referred to as an integration
product (for example, Microsoft ISA Server or Cisco PIX Firewall).The
integration product queries Websense Filtering Service to determine whether
to allow Internet requests. Filtering Service sends block pages, if necessary, to
users attempting to access filtered content. In an integrated environment,
Websense Network Agent is used only to filter requests on Internet protocols
not managed by the integration product (for example, protocols for instant
messaging). Network Agent sends block messages and alerts when necessary.
Refer to the Installation Supplement for your integration product for
additional steps and information.
Note
If you choose to start the Computer Browser service now,
make sure the Computer Browser service is enabled on
this machine. In most cases, it is disabled by default. The
installer will attempt to start the service and configure it to
start up automatically from now on. If the service is
disabled, the installer will be unable to start it.
9. If you selected Integrated with another application or device in the previous
step, the Select Integration screen appears. Select your integration product and
then click Next.
10. The Filtering Plug-In screen appears if you selected any of these in the previous
step:
Citrix
Microsoft Internet Security and Acceleration Server (ISA Server)
Squid Web Proxy Cache (Linux only)
Select options as described below and then click Next.
If you selected Citrix, you can choose only one of the options in the Filtering
Plug-In screen:
Yes, install the plug-in on this machine: This option installs only the
filtering plug-in on this machine. Any other Websense components are not
installed. Select this option if this machine is a Citrix server. No Websense
components, except the plug-in should be installed on a Citrix machine.
Websense Filtering Service must be installed already (on a separate
machine). You must supply the IP address of the Filtering Service machine
and the integration communication port Filtering Service listens to. Note:
Filtering Service must have been installed in integrated mode, with Citrix
selected as the integration product.
If Filtering Service has not been installed yet, cancel this installation.
Install Filtering Service on another machine and then return to this
machine to install the filtering plug-in using a Custom installation (see
Installing individual components, page 37). Be sure to install Filtering
Service in integrated mode, selecting Citrix as the integration product.
No, install the other selected components, but not the plug-in: This
option installs all selected Websense components, but not the filtering
plug-in. Select this option only if this is not a Citrix machine. Websense
software will be installed in integrated mode, ready to integrate with
Citrix. On the Citrix machine, install the plug-in using a Custom
installation (see Installing individual components, page 37).
Note
If you select Check Point as the integration product, the
Network Agent and Firewalls screen appears when you
click Next on the Select Integrations screen. Network
Agent should not be installed on the Check Point machine
(unless the machine has separate processors or virtual
processors to separately support Network Agent and the
firewall software). Network Agent uses packet capturing
that may conflict with the firewall software. Choosing to
not install Network Agent does not affect installation of
the other Websense components, they will still be installed.
If you selected Microsoft ISA Server or Squid Web Proxy Cache, you can choose
either or both of the options in the Filtering Plug-In screen:
plug-in on this machine. Enter the IP address and port for Websense
Filtering Service. (If you are integrating with Microsoft Forefront TMG,
do not select this option. The plug-in for Forefront TMG is installed using
a separate installer. See Installation Guide Supplement for use with
Microsoft ISA Server or Forefront TMG.)
Install other selected components: This option installs all selected
Websense components, but not the plug-in. Note: Selecting this option
installs Websense software in integrated mode, ready to integrate with
Microsoft ISA Server or Squid Web Proxy Cache (whichever you
selected).
11. If you selected Squid Web Proxy Cache as the integration product, the Squid
Configuration screen appears. Enter paths to the squid.conf and squid executable
files.
The installation program will verify the path to squid.conf. A default path is
automatically entered. Enter a different path if necessary or click Browse to
navigate to the location. This path must be verified for the installation to continue.
(Note: the path must include the file name.)
Additionally, you must provide the path to the Squid executable so the installation
program can shut it down to continue the installation.
12. On the Network Card Selection screen, select the network interface card (NIC)
to be used by Websense Network Agent and then click Next.
Note
To install both the plug-in and core Websense components,
you must select both of the above options. When you
select Install other selected components, the Filtering
Service IP address and Port boxes are greyed out because
you do not need to specify them; Filtering Service is being
installed on this machine.
Note
The installer will automatically start Squid Web Proxy
Cache once installation is complete.
Note
This is the NIC that Websense Network Agent will use to communicate with other
Websense software components. All enabled NICs with an IP address are listed.
You may select multiple NICs. After installation, use TRITON - Web Security to
configure how Network Agent will use each selected NIC (for more information,
see TRITON - Web Security Help).
On Linux, NICs without an IP address are also listed. Do not choose a NIC
without an IP address.
After installation, you can configure Network Agent to use NICs without an IP
address to monitor Internet requests.
See Appendix A, Configuring Stealth Mode.
13. The following screens appear only if you are installing Websense reporting
components:
a. Database Engine: This screen appears only if a supported database engine
(SQL Server or MSDE) is not detected on this machine. If a supported
database engine is installed on another machine in the network, select
Connect to an existing database engine and then click Next.
If a supported database engine is not available, use the knowledge base link
for more information about installing the free MSDE database, select Exit the
installation program, and then click Next. The installation program is
cancelled. After installing and configuring a supported database engine, run
this installer again.
b. Database Information: Enter the hostname or IP address of the machine on
which a supported database engine is running. If a supported database engine
is detected on this machine, its IP address is already entered by default. To use
a database engine on a different machine, enter its IP address instead.
After entering the IP address of the database engine machine, choose how to
connect to the database:
Trusted connection: use a Windows account to log into the database.
Enter the domain\username and password of a trusted account with local
administration privileges on the database machine. If you are using MSDE,
Note
For Network Agent to operate, this machine must be
connected to a bi-directional span port (or mirror port) on a
switch or hub that processes the network traffic to be
monitored.
Note
Reporting components can be installed on a Windows
machine only.
Note
For supported versions of SQL Server and MSDE, see the
Deployment Guide for Websense Web Security Solutions.
it is a best practice to connect using a database account rather than trusted
connection. If TRITON - Web Security is installed on a Linux machine,
use a database account, rather than trusted connection, to connect to the
database
If you choose trusted connection, be sure to configure the
Apache2Websense and ApacheTomcatWebsense services, after
installation, to log on as the trusted account specified here in the
Database Information screen. See Configuring Websense Apache
services for trusted connection, page 90.
If your organization uses ISA Server and a Windows trusted connection
will be used to access the Log Database, remote SQL logging (on ISA
Server) may need to be enabled and communication on the internal
network allowed. See Enabling Remote SQL Logging on ISA Server, page
108.
Database account: use a SQL Server account to log into the database.
Enter the user name and password for a SQL Server account that has
administrative access to the database. The SQL Server password cannot be
blank, or begin or end with a hyphen (-). It is a best practice to connect to
your database engine using a database account rather than a trusted
connection.
c. Log Database Location: Accept the default location for the Log Database, or
select a different location. Then, click Next.
If the database engine is on this machine, the default location is the Websense
directory (C:\Program Files\Websense). If the database engine is on
another machine, the default location is C:\Program Files\Microsoft
SQL Server on that machine.
Important
The account you specify for trusted connection here must
be the same as that used to log onto this machine (Step 1,
page 19).
Note
The database engine must be running to install Websense
reporting components. The installer will test for a
connection to the specified database engine when you click
Next on the Database Information screen. The installer
cannot proceed unless a successful connection can be
made.
It is a best practice to use the default location. If you want to create the Log
Database in a different location (or if you already have a Log Database in a
different location), enter the path to the database files. The path entered here is
understood to refer to the machine on which the database engine is located.
d. Optimize Log Database Size: The options on this screen allow you to control
the size of the Log Database, which can grow quite large. Select either or both
of the following options and then click Next.
Log Web page visits: Enable this option to log a record of each Web page
requested rather than each separate file included in the Web page request. This
creates a smaller database and allows faster reporting. Deselect this option to
log a record of each separate file that is part of a Web page request, including
images and advertisements. This results in more precise reports, but creates a
much larger database and causes reports to generate more slowly.
Consolidate requests: Enable this option to combine Internet requests that
share the same value for all of the following elements, within a certain
interval of time (1 minute, by default):
Domain name (for example: www.websense.com)
Category
Keyword
Action (for example: Category Blocked)
User/workstation
14. On the Filtering Feedback screen, select whether you want Websense software to
send feedback to Websense, Inc. to improve accuracy and then click Next.
Choosing to allow feedback to Websense, Inc. helps improve the accuracy of
Websense software for all customers. The feedback consists of any URLs that
could not be categorized by Websense software. Such uncategorized URLs are
evaluated by Websense, Inc. If warranted, they are investigated in more detail and
put into an appropriate category. The Websense Master Database is updated with
this information. When your Websense software downloads the updated database,
it will be able to categorize those URLs and filter them according to the policies
you have set.
Important
The directory you specify for the Log Database must
already exist. The installer cannot create a new directory.
Important
No information about users or your network is collected.
The information is only about the visited URLs
themselves. Only uncategorized URLs and the frequency
of requests to them are collected. Uncategorized intranet
URLs are not included in feedback.
15. On the Transparent User Identification screen, select whether to use Websense
transparent identification agents to identify users and then click Next. This allows
Websense software to apply user- or group-based filtering policies without
prompting users for logon information.
If Websense software is integrated with a third-party product (firewall, proxy
server, cache, or network appliance) providing user authentication, a transparent
identification agent may not be necessary. For more information, see the
Websense installation supplement for your integration product.
To transparently identify remote users accessing the network via VPN, use
Websense RADIUS Agent. Later in this installation process, you will be given the
option to install RADIUS Agent.
It is possible to run multiple instances of the same transparent identification agent,
or certain combinations of different transparent identification agents, in a
network. (Note, however, you cannot run both DC Agent and eDirectory Agent, or
Logon Agent and eDirectory Agent, in the same network.) To install another
instance of a transparent identification agent or a different transparent
identification agent, run this installation program on the other machine and use the
Custom installation type. For information about multiple instances or
combinations of transparent identification agents, see the Transparent
Identification of Users technical paper.
Use DC Agent to identify users logging on to Windows domains (Windows
only): This option installs Websense DC Agent on this machine. DC Agent
queries domain controllers and client machines at preset intervals to identify
users currently logged on.
Use Logon Agent to identify users logging on to local machines: This
option installs Websense Logon Agent on this machine. Logon Agent
identifies users as they log onto Windows domains. Logon Agent is for use
with Windows-based client machines on a network that uses Active Directory
or Windows NT Directory.
To use Logon Agent, you must modify the Group Policy on domain
controllers so it launches a logon application (LogonApp.exe) as part of the
logon script. Client machines must use NTLM (v1 or v2) when authenticating
users (NTLMv1 only, in the case of Windows Server 2008; see note below).
Note
You can later choose to enable or disable feedback (the
feedback mechanism is known as WebCatcher) using the
Log Server Configuration utility. For more information,
see Log Server Configuration Help.
Note
Do not use DC Agent in a network that already includes
eDirectory Agent.
For instructions on configuring domain controllers and client machines to use
Logon Agent, see Creating and running the script for Logon Agent, page 95.
Use both DC Agent and Logon Agent (Windows only): This option installs
both DC Agent and Logon Agent on this machine. Running both agents may
increase the accuracy of identification in some networks. If DC Agent is
unable to identify certain users (for example, if it is unable to communicate
with a domain controller due to network bandwidth or security restrictions),
they would still be identified by Logon Agent at log on.
Use eDirectory Agent to identify users logging on via Novell eDirectory
Server: This option installs eDirectory Agent on this machine. Use this agent
for a network using Novell eDirectory. eDirectory Agent queries the
eDirectory Server at preset intervals to identify users currently logged on.
Do not install a transparent identification agent now: Select this option if
Websense software will be integrated with a third-party product that
provides user authentication.
You plan to install a transparent identification agent on another machine.
You do not want different filtering policies applied to users or groups.
Note
Do not use Logon Agent in a network that already includes
eDirectory Agent.
Note
If using Logon Agent with a Windows Server 2008
domain controller, client machines must be configured to
use NTLMv1 when authenticating a user. To do this,
modify the security policy so Network security: LAN
Manager authentication level is set to Send NTLM
response only. This can be done on each individual client
machine by modifying the local security policy, or on all
machines in a domain by modifying the security policy of
a Group Policy Object. For instructions, see Prerequisites
for running the logon script, page 96.
Note
Do not use eDirectory Agent in a network that already
includes DC Agent or Logon Agent.
You want users to be prompted for logon information when they open a
browser to access the Internet.
16. On the Directory Service Access screen, specify an account to be used by User
Service, DC Agent, or Logon Agent for transparent identification.
Enter the domain, user name, and password of an account that is a member of the
Domain Admins group on the domain controller. This must be the domain
controller for the users you wish to apply user- or group-based filtering policies to.
The user identification components User Service, DC Agent, or Logon Agent (if
installed) use this account to query the domain controller for user information.
If you choose not to specify a Domain Admin account now (by leaving the fields
blank), you can specify it after installation:
On Linux, specify a Domain Admin account to be used by Users Service,
TRITON - Web Security. For more information, see Troubleshooting > User
Identification in TRITON - Web Security Help.
On Windows, configure the Websense User Service, Websense DC Agent (if
installed), and Websense Logon Agent (if installed) services to Log on as a
Domain Admin user, using the Windows Services dialog box:
a. Start the Windows Services dialog box (typically, Start > Administrative
Tools > Services).
b. Right-click Websense User Service and select Properties.
c. In the service properties dialog box, select the Log On tab.
d. Under Log on as, select This account and enter the domain\username and
password (twice) of the trusted account you specified during installation.
e. Click OK.
Note
When integrated with Cisco products, Websense software
cannot use Cisco Secure Access Control Server (ACS) for
user authentication for more than 1 user domain. If there
are multiple user domains, use a transparent identification
agent instead.
Note
User Service is included in a typical installation (i.e.,
Filtering and Management or Filtering, Management,
and Reporting), which is why this screen appears even if
you have not chosen to install DC Agent or Logon Agent.
Note
User information on domain controllers trusted by the
domain controller in question will also be accessible.
f. A message appears informing you the account you specified has been
granted the Log On As A Service right. Click OK.
g. A message appears informing you the new logon name will not take effect
until you stop and restart the service. Click OK.
h. Click OK to exit the service properties dialog box.
i. Right-click Websense User Service and select Restart.
j. Repeat this procedure (from Step b) for Websense DC Agent and
Websense Logon Agent, if they are installed.
17. On the RADIUS Agent screen, select Install RADIUS Agent if you have remote
users that are authenticated by a RADIUS server and then click Next. This allows
Websense software to apply user- or group-based filtering policies on these
remote users without prompting for logon information.
18. On the Installation Directory screen, accept the default installation path, or click
Choose to specify another path, and then click Next.
The installation path must be absolute (not relative). The default installation
path is:
Windows: C:\Program Files\Websense\
Linux: /opt/Websense/
The installer creates this directory if it does not exist.
The installer compares the installations system requirements with the machines
resources.
Insufficient disk space prompts an error message. The installer closes when
you click OK.
Insufficient RAM prompts a warning message. The installation continues
when you click OK. To ensure optimal performance, increase your memory to
the recommended amount.
19. On the Pre-Installation Summary screen, verify the information shown.
The summary shows the installation path and size, and the components to be
installed.
20. Click Next to start the installation. An Installing progress screen is displayed.
Wait for the installation to complete.
Important
The full installation path must use only ASCII characters.
Do not use extended ASCII or double-byte characters.
Note
If you are using the command-line Linux installer, do not
cancel (Ctrl-C) the installer after the Pre-Installation
Summary screen, as it is installing components. In this
case, allow the installation to complete and then uninstall
the unwanted components.
21. If you chose to install the ISA Server filtering plug-in, the Stop Microsoft
Firewall Service screen appears. Do the following:
a. Stop the Microsoft Firewall service and then click Next.
To stop the Firewall service, go to the Windows Services management
console (Administrative Tools > Services). Right-click Microsoft Firewall,
and then select Stop. When the service has stopped, return to the Websense
installer and continue the installation process. The Firewall Service may also
be stopped from the ISA Server Management console or Command Prompt
(using the command net stop fwsrv). See Microsofts documentation for
more information.
b. When the following message appears, start the Microsoft Firewall service and
then click OK:
The Websense ISAPI Filter has been configured, you can now start the
Microsoft Firewall Service.
22. To start the Firewall service, go to the Windows Services management console
(Administrative Tools > Services). Right-click Microsoft Firewall, and then
select Start.The Firewall Service may also be started from the ISA Server
Management console or Command Prompt (using the command net start
fwsrv). See Microsofts documentation for more information.
23. On the Installation Complete screen, click Done.
24. If you stopped your antivirus software, restart it.
Note
Leave the Websense installer running as you stop the
Microsoft Firewall service. Then return to the installer and
click Next to continue installation.
Important
In order to correctly install the ISA Server filtering
plug-in, the Microsoft Firewall Service must be stopped.
Installation of the plug-in files and registration of the
plug-in in the system registry cannot occur while the
Microsoft Firewall Service has certain files locked.
Stopping the Microsoft Firewall Service unlocks these
files.
Important
When the Microsoft Firewall service is stopped, ISA
Server goes into lockdown mode. Depending on your
network configuration, network traffic may be stopped.
Typically, the Firewall service needs to be stopped for only
a few minutes as the ISA Server filtering plug-in is
installed and configured.
25. If you stopped a firewall running on a Linux machine, open a command shell and
enter:
service iptables start
To determine whether the firewall is running, enter:
service iptables status
26. If your network uses Active Directory 2008 to authenticate users, you must enable
and start the Windows Computer Browser service on the Active Directory
machine.
See Working with Windows Server 2008, page 93, for instructions. See Chapter 3:
Initial Setup for important setup information.
See the appropriate Installation Guide supplement for any additional setup
instructions for your integration product.
Installing individual components
The Custom installation option allows you to distribute Websense components across
multiple machines, in the combinations best suited to your environment.
Remote Filtering components can be installed only through a custom installation. See
the Remote Filtering Software technical paper (available from the Documentation >
Planning, Installation and Upgrade folder in the Websense Knowledge Base) for
more information.
Note
If you want to change the location of a Websense
component, or add a component, run the Websense
installer again and select the appropriate option. The
installer detects the presence of Websense components and
offers the option of adding components.
Important
The following three components must be installed in this
order (and before any other components):
1. Policy Broker
2. Policy Server
3. Filtering Service
If you select all three to be installed at the same time, they
are installed in the correct order. After these three
components, all other Websense components can be
installed in any order.
Multiple instances of some components may be needed, depending on your network
configuration and the volume of Internet traffic. Components can be installed on both
Windows and Linux machines, unless otherwise noted. Check the Deployment Guide
for Websense Web Security Solutions before beginning an installation to determine the
best way to distribute components for your network.
You can use the Custom installation type to install additional instances of certain
components after having performed a Filtering and Management or Filtering,
Management, and Reporting installation.
Installation procedure: any component
Use these steps to install any Websense software component. The sections that follow
provide additional, component-specific details.
1. Make sure that you have followed the steps in Preparing to install, page 19:
Log on to the installation machine with appropriate permissions.
Close all applications and stop any antivirus software.
Download and start the installer, if needed.
2. If no Websense components have been installed on this machine:
a. On the Introduction screen, click Next.
b. On the Subscription Agreement screen, choose to accept the terms of the
agreement and then click Next.
c. On the Installation Type screen, select Custom and then click Next.
Important
There must be only one instance of Policy Broker in an
entire deployment.
Note
These instructions refer to installer screens. In the
command-line Linux installer, prompts are displayed that
correspond to each screen. Instructions for a screen also
apply to the corresponding command-line prompt. The
main difference is how options are selected. Rather than
clicking items in a screen, you will enter menu-item
numbers or characters.
Note
To cancel the command-line Linux installer, press Ctrl-C.
However, do not cancel the installer, after the Pre-
Installation Summary screen, as it is installing
components. In this case allow the installation to complete
and then uninstall the unwanted components.
3. If there are Websense components already installed on this machine, the Add
Components screen appears.
Select Install additional components on this machine and then click Next.
4. On the Select Components screen, select components to install and then click
Next.
5. If you are installing on Windows Server 2008 (the screens mentioned here appear
only if Windows Server 2008 is detected by the installation program):
a. On the Active Directory screen, indicate whether you are using Active
Directory to authenticate users in your network and then click Next.
b. If you select Yes, the Computer Browser Service screen appears if the
Computer Brower service is not currently running. Choose whether to start
this service and then click Next.
The Computer Browser service is a Windows utility that must be set to
Automatic and Start in the Windows Services dialog box for Websense
components to communicate with Active Directory.
Browser service on the Active Directory machine.
Browser service on the Active Directory machine. See Turning on the
Computer Browser service, page 94.
6. See the following sections for component-specific installation instructions, and
then return to this procedure.
Note
If you choose to start the Computer Browser service now,
make sure the Computer Browser service is enabled on
this machine. In most cases, it is disabled by default. The
installer will attempt to start the service and configure it to
start up automatically from now on. If the service is
disabled, the installer will be unable to start it.
Policy Broker, page 42 eDirectory Agent, page 61
Policy Server, page 43 RADIUS Agent, page 62
Filtering Service, page 44 Logon Agent, page 63
Network Agent, page 48 Filtering Plug-in, page 65
Usage Monitor, page 51 Remote Filtering Client Pack, page 67
TRITON - Web Security, page 52 Remote Filtering Server, page 68
Log Server, page 54 Linking Service, page 72
User Service, page 57 Sync Service, page 74
DC Agent, page 59 Directory Agent, page 76
7. On the Installation Directory screen, accept the default installation path, or click
Choose to specify another path, and then click Next.
The installation path must be absolute (not relative). The default installation
path is:
Windows: C:\Program Files\Websense\
Linux: /opt/Websense/
The installer creates this directory if it does not exist.
The installer compares the installations system requirements with the machines
resources.
Insufficient disk space prompts an error message. The installer closes when
you click OK.
Insufficient RAM prompts a warning message. The installation continues
when you click OK. To ensure optimal performance, increase your memory to
the recommended amount.
8. On the Pre-Installation Summary screen, verify the information shown.
The summary shows the installation path and size, and the components to be
installed.
9. Click Next to start the installation. An Installing progress screen is displayed.
Wait for the installation to complete.
10. If you chose to install the ISA Server filtering plug-in, the Stop Microsoft
Firewall Service screen appears. Do the following:
Important
The full installation path must use only ASCII characters.
Do not use extended ASCII or double-byte characters.
Note
If you are using the command-line Linux installer, do not
cancel (Ctrl-C) the installer after the Pre-Installation
Summary screen, as it is installing components. In this
case, allow the installation to complete and then uninstall
the unwanted components.
a. Stop the Microsoft Firewall service and then click Next.
To stop the Firewall service, go to the Windows Services management
and then select Stop. When the service has stopped, return to the Websense
installer and continue the installation process. The Firewall Service may also
be stopped from the ISA Server Management console or Command Prompt
(using the command net stop fwsrv). See Microsofts documentation for
more information.
b. When the following message appears, start the Microsoft Firewall service and
then click OK:
The Websense ISAPI Filter has been configured, you can now start the
Microsoft Firewall Service.
To start the Firewall service, go to the Windows Services management
and then select Start.The Firewall Service may also be started from the ISA
Server Management console or Command Prompt (using the command net
start fwsrv). See Microsofts documentation for more information.
11. On the Installation Complete screen, click Done.
See the appropriate Installation Guide supplement for any additional setup
instructions for your integration product.
Note
Leave the Websense installer running as you stop the
Microsoft Firewall service. Then return to the installer and
click Next to continue installation.
Important
In order to correctly install the ISA Server filtering plug-
in, the Microsoft Firewall Service must be stopped.
Installation of the plug-in files and registration of the plug-
in in the system registry cannot occur while the Microsoft
Firewall Service has certain files locked. Stopping the
Microsoft Firewall Service unlocks these files.
Important
When the Microsoft Firewall service is stopped, ISA
Server goes into lockdown mode. Depending on your
network configuration, network traffic may be stopped.
Typically, the Firewall service needs to be stopped for only
a few minutes as the ISA Server filtering plug-in is
installed and configured.
Policy Broker
Policy Broker manages policy and configuration information required by other
Websense components. The Policy Database is installed with Policy Broker to store
this information.
Policy Broker is listed as a component you can install it if is not found on this
machine. It might, however, be installed on another machine. If it has been installed
already on another machine, do not install it on this machine.
When Policy Broker is selected, the following screen appears during installation:
WebsenseAdministrator Password
Enter a password for the WebsenseAdministrator user and then click Next.
It is a best practice to enter a password that is very strong (at least 8-characters
long, containing all of the following: uppercase characters, lowercase
characters, numbers, and symbols).
WebsenseAdministrator is the default TRITON - Web Security user with
unconditional Super Administrator privileges (access to all administrative
functions). This account cannot be removed and its permissions cannot be
changed. When logging on to TRITON - Web Security for the first time, do so
as WebsenseAdministrator.
Important
There can be only one instance of Policy Broker in the
entire deployment. Policy Broker must be installed first,
before any other Websense component. If you select other
components to install along with Policy Broker, they will
be installed in the proper order.
Important
Do not lose this password. Only other Super Administrator
users can reset the WebsenseAdministrator password. If no
other Super Administrator users exist, you must visit
MyWebsense (www.mywebsense.com) and enter your
subscription key to reset the password. For more
information, see the TRITON - Web Security Help.
Policy Server
To install Policy Server, Policy Broker must already be installed either on this
machine or another machine in the network. If Policy Broker is not installed already,
you may choose to install both it and Policy Server at the same time.
In a very large network, or a network with a large volume of Internet traffic, you may
need multiple Policy Server instances, on separate machines. All instances must
connect to the same Policy Broker.
If multiple Policy Servers are installed, each must be installed before the other
components with which it communicates.
When you install Websense components on a separate machine from Policy Server,
the installer asks for the Policy Server location and port number. The default port is
55806. The same port must be entered for each component that connects to this Policy
Server.
When Policy Server is selected, the following screen appears during installation:
Policy Broker Connection
Enter the IP address of the machine on which Policy Broker is installed and
the port Policy Broker uses to communicate with other Websense components
(default is 55880). If it is installed on this machine, enter its IP address (actual
address, not loopback).
The communication port must be in the range 1024-65535. Policy Broker may
have been automatically configured to use a port other than the default 55880
for communication with other Websense components. When Policy Broker is
installed, if the installation program finds the default port to be in use, it is
automatically incremented until a free port is found. To determine what port is
used by Policy Broker, check the BrokerService.cfg filelocated in
C:\Program Files\Websense\bin (Windows) or
/opt/Websense/bin (Linux)on the Policy Broker machine. In this file,
look for the listen_port value.
Important
entire deployment. If Policy Broker is already installed on
another machine, specify its location when asked by the
installer. Do not install another instance of Policy Broker
on this machine.
Note
Typically, Policy Server is installed on the same machine
as Filtering Service. See Filtering Service, page 44.
Important
Do not modify the BrokerService.cfg file.
If Policy Broker is not installed yet, anywhere in your network, you must
install it before installing Policy Server (or any other components). To install
it on this machine, click Previous and select Policy Broker in addition to
already selected components. To install it on another machine, run this
installation program on that machine.
Filtering Service
To install Filtering Service, Policy Server must already be installed either on this
machine or another machine in the network. If Policy Server is not installed already,
you can select it to be installed at the same time as Filtering Service. Typically, Policy
Server is installed on the same machine as Filtering Service.
Depending on the size of the network or volume of Internet traffic, multiple Filtering
Service instances may be needed. It is a best practice to have a maximum of ten
Filtering Services per Policy Server.
Filtering Service must be installed before Network Agent, filtering plug-in, and
Linking Service.
When Filtering Service is selected for installation, the following screens appear during
installation:
Policy Server Connection
This screen appears if Policy Server is not found on this machine and is not
currently selected for installation. It is assumed Policy Server is installed on
another machine. Enter the IP address of the machine and the port Policy
Server uses to communicate with other Websense components (default is
55806).
The port used by Policy Server to communicate with other Websense
components must be in the range 1024-65535. Policy Server may have been
automatically configured to use a port other than the default 55806. When
Policy Server is installed, if the installation program finds the default port to
be in use, it is automatically incremented until a free port is found. To
determine what port is used by Policy Server, check the websense.ini
Note
The following three components must be installed in this
order (and before any other components):
1. Policy Broker
2. Policy Server
3. Filtering Service
If you select all three to be installed at the same time, they
are installed in the correct order. After these three
components, all other Websense components can be
installed in any order.
filelocated in C:\Program Files\Websense\bin (Windows) or
/opt/Websense/bin (Linux)on the Policy Server machine. In this file,
look for the PolicyServerPort value.
If Policy Server is not installed yet, anywhere in your network, you must
install it before installing Filtering Service. To install it on this machine, click
Previous and select Policy Server in addition to already selected
components. To install it on another machine, run this installation program on
that machine (prior to installing components on this machine).
Integration Option screen
Indicate whether this is a stand-alone or integrated installation, and then click
Next.
Stand-alone: Websense software will not be integrated with a third-party
product. Websense Network Agent monitors all Internet requests and
sends them to Websense Filtering Service. Network Agent also sends
block messages to users attempting to access filtered content.
Integrated with another application or device: Websense software is
installed in integrated mode, ready to integrate with a third-party firewall,
proxy server, cache, or network appliance, referred to as an integration
product (for example, Microsoft ISA Server or Cisco PIX Firewall).The
integration product queries Websense Filtering Service to determine
whether to allow Internet requests. Filtering Service sends block pages, if
necessary, to users attempting to access filtered content. In an integrated
environment, Websense Network Agent is used only to filter requests on
Internet protocols not managed by the integration product (for example,
protocols for instant messaging). Network Agent sends block messages
and alerts when necessary. Refer to the Installation Supplement for your
integration product for additional steps and information.
Select Integration
Important
Do not modify the websense.ini file.
Note
In a stand-alone environment, Network Agent must be
installed (either on this machine or a networked machine).
See Network Agent, page 48.
Note
In an integrated environment, Network Agent is optional.
This screen appears if you selected Integrated with another application or
device in the Integration Option screen (see above). Select your integration
product and then click Next.
Network Agent and Firewalls
This screen appears if you select Check Point as the integration product on the
Select Integration screen and you have chosen Network Agent as a
component to install (in addition to Filtering Service).
Network Agent should not be installed on the Check Point machine (unless
the machine has separate processors or virtual processors to separately
support Network Agent and the firewall software). Network Agent uses
packet capturing that may conflict with the firewall software. Choosing to not
install Network Agent does not affect installation of the other Websense
components, they will still be installed.
Filtering Plug-In
This screen appears if you selected any of these in the Select Integration
screen:
Citrix
Microsoft Internet Security and Acceleration Server (ISA Server)
Squid Web Proxy Cache (Linux only)
Select options as described below and then click Next.
If you selected Citrix, you can choose only one of the options in the Filtering
Plug-In screen:
filtering plug-in on this machine. Any other selected Websense
components are not installed. Select this option if this machine is a Citrix
server. No Websense components, except the plug-in should be installed
on a Citrix machine.
Websense Filtering Service must be installed already (on a separate
machine). You must supply the IP address of the Filtering Service machine
and the integration communication port Filtering Service listens to. Note:
Filtering Service must have been installed in integrated mode, with Citrix
selected as the integration product.
If Filtering Service has not been installed yet, cancel this installation.
Install Filtering Service on another machine and then return to this
machine to install the filtering plug-in using a Custom installation (see
Installing individual components, page 37). Be sure to install Filtering
Service in integrated mode, selecting Citrix as the integration product.
No, install the other selected components, but not the plug-in: This
option installs all selected Websense components, but not the filtering
plug-in. Select this option only if this is not a Citrix machine. Select this
option to install Websense software in integrated mode, ready to integrate
with Citrix. On the Citrix machine, install the plug-in using a Custom
installation (see Installing individual components, page 37).
If you selected Microsoft ISA Server or Squid Web Proxy Cache, you can
choose either or both of the options in the Filtering Plug-In screen:
filtering plug-in on this machine. Enter the IP address and port for
Websense Filtering Service. (If you are integrating with Microsoft
Forefront TMG, do not select this option. The plug-in for Forefront TMG
is installed using a separate installer. See Installation Guide Supplement
for use with Microsoft ISA Server or Forefront TMG.)
Install other selected components: This option installs all selected
Websense components, but not the plug-in. Note: Selecting this option
installs Websense software in integrated mode, ready to integrate with
Microsoft ISA Server or Squid Web Proxy Cache (whichever you
selected).
Squid Configuration
This screen appears if you selected Squid Web Proxy Cache as the integration
product. Enter paths to the squid.conf and squid executable files.
navigate to the location. This path must be verified for the installation to
continue. (Note: the path must include the file name.)
Additionally, you must provide the path to the Squid executable so the
installation program can shut it down to continue the installation.
Filtering Feedback
Select whether you want Websense software to send feedback to Websense,
Inc. to improve accuracy and then click Next.
could not be categorized by Websense software. Such uncategorized URLs
are evaluated by Websense, Inc. If warranted, they are investigated in more
detail and put into an appropriate category. The Websense Master Database is
Note
To install both the plug-in and selected Websense
components, you must select both of the above options.
When you select Install other selected components, the
Filtering Service IP address and Port boxes are greyed
out because you do not need to specify them; Filtering
Service is being installed on this machine.
Note
updated with this information. When your Websense software downloads the
updated database, it will be able to categorize those URLs and filter them
according to the policies you have set.
Network Agent
Install Network Agent on a machine that can see the Internet requests from the
internal network as well as the Internet response to those requests. By connecting to a
span or mirror port on a router or switch, Network Agent can monitor all Internet
requests.
In busy networks, filtering performance improves if Network Agent is installed on a
separate machine from Policy Broker, Policy Server, and Filtering Service. See the
Deployment Guide for Websense Web Security Solutions for more information.
To share the load, multiple Network Agents can be installed on separate machines,
with each one monitoring a separate IP-address range. The ranges combine to cover
the entire network, but must not overlap. Overlapping ranges result in double logging of
Important
Note
Important
Do not install Network Agent on a machine:
Running Microsoft ISA Server.
Running a firewall. Network Agent uses packet
capturing that may conflict with the firewall
software. The only exception is a blade server or
appliance with separate processors or virtual
processors to separately support Network Agent
and the firewall software.
Internet activity. If the entire network is not covered by instances of Network Agent,
some machines are not filtered and their Internet traffic not logged.
IP-address ranges for Network Agent are configured in TRITON - Web Security, after
installation. See the Network Configuration topic in the TRITON - Web Security Help
for instructions.
Network Agent can be installed at the same time as Policy Server and Filtering
Service. If Network Agent is installed on a separate machine, Filtering Service and
Policy Server must be running before you install Network Agent. The installation
cannot proceed if Policy Server and Filtering Service cannot be located.
When Network Agent is selected, the following screens appear during installation.
(After installation, configure Network Agent for use in your network. See the Network
Configuration topic in the TRITON - Web Security Help for instructions.)
55806).
Note
It is a best practice to have no more than 4 Network Agent
instances per Filtering Service instance.
Important
If you install Network Agent on a machine that cannot
monitor the targeted traffic, Websense features such as
protocol management and Bandwidth Optimizer cannot
perform as expected.
Important
install it before installing Network Agent. To install it on this machine, click
Filtering Service Communication
Enter the IP address of the machine on which Filtering Service is installed and
the port Filtering Service uses to communicate with integration products and
Network Agent (default is 15868). If Filtering Service is installed on this
machine, enter the IP address of this machine (note: actual IP address, not the
loopback address, 127.0.0.1).
The port used by Filtering Service to communicate with integration products
and Network Agent must be in the range 1024-65535. Filtering Service may
have been automatically configured to use a port other than the default 15868.
When Filtering Service is installed, if the installation program finds the
default port to be in use, it is automatically incremented until a free port is
found. To determine what port is used by Filtering Service, check the
eimserver.ini filelocated in C:\Program Files\Websense\bin
(Windows) or /opt/Websense/bin (Linux)on the Filtering Service
machine. In this file, look for the WebsenseServerPort value.
If Filtering Service is not installed yet, anywhere in your network, you must
install it before installing Network Agent. To install it on this machine, click
Previous and select Filtering Service in addition to already selected
that machine (prior to installing Network Agent on this machine).
Network Card Selection
Select the network interface card (NIC) to be used by Network Agent and
then click Next.
This is the NIC that Network Agent will use to communicate with other
Websense software components. All enabled NICs with an IP address are
listed.
Important
Do not modify the eimserver.ini file.
Note
Note
For Network Agent to operate, this machine must be
connected to a bi-directional span port (or mirror port) on a
switch or hub that processes the network traffic to be
monitored.
You may select multiple NICs. After installation, use TRITON - Web Security
to configure how Network Agent will use each selected NIC (for more
information, see the TRITON - Web Security Help).
On Linux, NICs without an IP address are also listed. Do not choose a NIC
without an IP address.
After installation, you can configure Network Agent to use NICs without an
IP address to monitor Internet requests. See Appendix A, Configuring Stealth
Mode.
Filtering Feedback
Select whether you want Websense software to send feedback to Websense,
Inc. to improve accuracy and then click Next.
could not be categorized by Websense software. Such uncategorized URLs
are evaluated by Websense, Inc. If warranted, they are investigated in more
detail and put into an appropriate category. The Websense Master Database is
updated with this information. When your Websense software downloads the
updated database, it will be able to categorize those URLs and filter them
according to the policies you have set.
Usage Monitor
Usage Monitor tracks users Internet activity and sends alerts when Internet activity
for particular URL categories or protocols reaches configured threshold limits. Each
Policy Server should have a separate Usage Monitor.
When Usage Monitor is selected, the following screens appear during installation.
(After installation, use TRITON - Web Security to configure Usage Monitor to send
usage alerts. See the Alerting topic in the TRITON - Web Security Help for more
information.)
Important
Note
55806).
install it before installing Usage Monitor. To install it on this machine, click
TRITON - Web Security
TRITON - Web Security is the administration and reporting interface to Websense
Web Security and Websense Web Filter.
In most environments, it is a best practice to install TRITON - Web Security on a
separate machine from the Filtering Service and Network Agent. In Windows
environments, TRITON - Web Security and Log Server are typically installed
together, which helps to minimize the impact of report processing on Internet filtering.
See the Deployment Guide for Websense Web Security Solutions for a list of supported
operating systems and deployment recommendations.
When TRITON - Web Security is selected, the following screen appears during
installation.
Important
55806).
install it before installing TRITON - Web Security. To install it on this
machine, click Previous and select Policy Server in addition to already
selected components. To install it on another machine, run this installation
program on that machine (prior to installing components on this machine).
For instructions to launch TRITON - Web Security, see Configuring Websense Apache
services for trusted connection, page 90.
In any environment that includes reporting:
If TRITON - Web Security and Log Server are installed on different
machines, open TRITON - Web Security and verify the Log Server location
on the Settings > Logging page.
If TRITON - Web Security and Log Server are installed on the same
(Windows) machine, make sure that the machine IP address, rather than
localhost, appears on the Settings > Logging page.
See the TRITON - Web Security Help for more information.
For more information about installing reporting functions, see Appendix B, Planning
for Reporting.
Important
Note
TRITON - Web Security and Policy Server do not need to
run on the same operating system (for example, one can run
on a Linux machine while the other runs on a Windows
machine).
Log Server
Log Server receives records of Internet filtering activity and sends them to the Log
Database, which is installed on a database engine. Typically, Log Server is installed on
the same machine as TRITON - Web Security (see TRITON - Web Security, page 52).
In most environments, it is a best practice to install Log Server (and TRITON - Web
Security) on a machine separate from Filtering Service or Network Agent.
The supported database engines are:
Microsoft SQL Server 2008
Microsoft SQL Server 2005 - recommended
Microsoft SQL Server Desktop Edition (MSDE) - suitable for smaller networks
MSDE is not supported on Windows 2008 machines.
See the Deployment Guide for Websense Web Security Solutions for specific service
pack requirements for these database engines.
To be able to install Log Server, the database engine must be running.
If you install Log Server on a machine separate from TRITON - Web Security, stop
and restart the ApacheTomcatWebsense and Apache2Websense services after
installation. These services are on the TRITON - Web Security machine.
Note
Log Server can be installed only on a Windows machine.
Note
Log Server must be installed before you can see charts on
the Status > Today and Status > History pages, or run
presentation or investigative reports.
Important
When Log Server is not installed on the TRITON - Web
Security machine, you must stop and restart the Apache
services on the TRITON - Web Security machine before
creating scheduled jobs in presentation reports. You will be
unable to create scheduled jobs until the services are
restarted.
When Log Server is selected, the following screens appear during installation:
55806).
install it before installing Log Server.
Database Engine
This screen appears only if a supported database engine (SQL Server or
MSDE) is not detected on this machine. If a supported database engine is
installed on another machine in the network, select Connect to an existing
database engine and then click Next.
If a supported database engine is not available, use the knowledge base link
for more information about installing the free MSDE database, select Exit the
installation program, and then click Next. The installation program is
cancelled. After installing and configuring a supported database engine, run
this installer again.
Important
Note
Typically, Policy Server is installed on a separate machine
(along with Filtering Service) from Log Server.
Note
For supported versions of SQL Server and MSDE, see the
Deployment Guide for Websense Web Security Solutions.
Database Information
Enter the hostname or IP address of the machine on which a supported
database engine is running. If a supported database engine is detected on this
machine, its IP address is already entered by default. To use a database engine
on a different machine, enter its IP address instead.
After entering the IP address of the database engine machine, choose how to
connect to the database:
Trusted connection: use a Windows account to log into the database.
Enter the user name and password of a trusted account with local
administration privileges on the database machine. Note that the trusted
account you specify here should be the same as that with which you logged
onto this machine before starting the Websense installer (Step 1, page 19).
If you are using MSDE, it is a best practice to connect using a database
account rather than trusted connection.
Database account: use a SQL Server account to log into the database.
Enter the user name and password for a SQL Server account that has
administrative access to the database. The SQL Server password cannot be
blank, or begin or end with a hyphen (-). It is a best practice to connect to
your database engine using a database account rather than a trusted
connection.
Important
If you choose trusted connection, be sure to configure the
Apache2Websense and ApacheTomcatWebsense services,
after installation, to log on as the trusted account specified
here in the Database Information screen. See Configuring
Websense Apache services for trusted connection, page 90.
Note
If TRITON - Web Security is installed on a Linux
machine, the Log Database must be on a SQL Server
instance supporting database account authentication (i.e.,
mixed mode). Trusted connection authentication cannot be
used in this case.
Note
The database engine must be running to install Websense
reporting components. The installer will test for a
connection to the specified database engine when you click
Next on the Database Information screen. The installer
cannot proceed unless a successful connection can be
made.
Log Database Location
Accept the default location for the Log Database files, or select a different
location. Then, click Next.
If the database engine is on this machine, the default location is the Websense
directory (C:\Program Files\Websense). If the database engine is on
another machine, the default location is C:\Program Files\Microsoft
SQL Server on that machine.
It is a best practice to use the default location. If you want to create the Log
Database files in a different location (or if you already have Log Database
files in a different location), enter the path to them. The path entered here is
understood to refer to the machine on which the database engine is located.
Optimize Log Database Size
The options on this screen allow you to control the size of the Log Database,
which can grow quite large. Select either or both of the following options and
then click Next.
Log Web page visits: Enable this option to log a record of each Web page
requested rather than each separate file included in the Web page request. This
creates a smaller database and allows faster reporting. Deselect this option to
log a record of each separate file that is part of a Web page request, including
images and advertisements. This results in more precise reports, but creates a
much larger database and causes reports to generate more slowly.
Consolidate requests: Enable this option to combine Internet requests that
share the same value for all of the following elements, within a certain
interval of time (1 minute, by default):
Domain name (for example: www.websense.com)
Category
Keyword
Action (for example: Category Blocked)
User/workstation
User Service
User Service is generally installed on the same machine as Policy Server. If you are
installing User Service on a separate machine, the installer asks you to identify the
Policy Server machine. There must be only one User Service for each Policy Server.
When installing User Service, log on with local administrator (Windows) or root
(Linux) privileges. This ensures that User Service has the permissions it needs to
enable user-based filtering. Administrator privileges can also be configured after
installation. See the Troubleshooting > User Identification topic in the TRITON -
Web Security Help for instructions.
Important
The directory you specify for the Log Database files must
already exist. The installer cannot create a new directory.
After installation, follow the instructions in the User Identification section of the
TRITON - Web Security Help to configure how Websense software identifies
directory clients (users, groups, etc.).
When User Service is selected, the following screens appear during installation:
55806).
install it before installing User Service. To install it on this machine, click
Note
If User Service is installed on a Linux machine and
Network Agent is used for protocol filtering, be sure to
install the Samba client (v2.2.8a or later) on the User
Service machine so that protocol block messages can be
displayed on Windows computers.
Important
Note
Typically, User Service is installed on the same machine as
Policy Server.
Directory Service Access:
Enter the domain, user name, and password of an account that is a member of
the Domain Admins group on the domain controller. This must be the domain
controller for the users you wish to apply user- or group-based filtering
policies to. User Service uses this account to query the domain controller for
user information.
If you choose not to specify a Domain Admin account now (by leaving the fields
blank), you can specify it after installation:
On Linux, specify a Domain Admin account to be used by Users Service,
TRITON - Web Security. For more information, see Troubleshooting >
User Identification in TRITON - Web Security Help.
On Windows, configure the Websense User Service service to Log on as
a Domain Admin user, using the Windows Services dialog box:
a. Start the Windows Services dialog box (typically, Start >
Administrative Tools > Services).
b. Right-click Websense User Service and select Properties.
d. Under Log on as, select This account and enter the
domain\username and password (twice) of the trusted account you
specified during installation.
e. Click OK.
g. A message appears informing you the new logon name will not take
effect until you stop and restart the service. Click OK.
i. Right-click Websense User Service and select Restart.
DC Agent
DC Agent is a Websense transparent identification agent used in networks that
authenticate users with a Windows directory service.
In a large network, you can install multiple DC Agents to provide ample space for
files that are continually populated with user information. See the Deployment Guide
Note
Note
DC Agent can be installed only on a Windows machine.
for Websense Web Security Solutions and the Transparent Identification of Users
technical paper for more information.
Do not install DC Agent on the same machine as eDirectory Agent, because this can
cause conflicts. Also, do not use DC Agent in a network in which eDirectory Agent is
used.
If Websense software is integrated with a third-party product (firewall, proxy server,
cache, or network appliance) providing user authentication, a transparent
identification agent may not be necessary. For more information, see the Websense
installation supplement for your integration product.
When DC Agent is selected, the following screens appear during installation:
55806).
Directory Service Access
policies to. DC Agent uses this account to query the domain controller for
user information.
Important
Note
If you choose not to specify a Domain Admin account now (by leaving the
fields blank), you can specify it after installation by configuring the Websense
DC Agent service to Log on as a Domain Admin user, using the Windows
Services dialog box:
Tools > Services).
b. Right-click Websense DC Agent and select Properties.
e. Click OK.
i. Right-click Websense DC Agent and select Restart.
After installation, follow the instructions in the User Identification topic in the
TRITON - Web Security Help to configure Websense software to use DC Agent to
identify users without prompting them for logon information.
eDirectory Agent
Websense eDirectory Agent works with Novell eDirectory to identify users
transparently so that Websense software can filter them according to policies assigned
to users or groups.
Do not install eDirectory Agent on the same machine as DC Agent or Logon Agent,
because this can cause conflicts. Also, do not use eDirectory Agent in a network in
which DC Agent or Logon Agent is used.
If Websense software is integrated with a third-party product (firewall, proxy server,
cache, or network appliance) providing user authentication, a transparent
identification agent may not be necessary. For more information, see the Websense
installation supplement for your integration product.
When eDirectory Agent is selected, the following screen appears:
55806).
TRITON - Web Security Help to configure Websense software to use eDirectory
Agent to identify users without prompting them for logon information.
RADIUS Agent
RADIUS Agent enables Websense software to provide user and group filtering by
transparently identifying users who access your network using a dial-up, Virtual
Private Network (VPN), Digital Subscriber Line (DSL), or other remote connection.
The agent can be used in conjunction with either Windows- or LDAP-based directory
services.
When RADIUS Agent is selected, the following screen appears during installation:
55806).
Important
=
Important
TRITON - Web Security Help to configure Websense software to use RADIUS Agent
to identify users without prompting them for logon information.
Logon Agent
Logon Agent is a Websense transparent identification agent that detects users as they
log on to Windows domains in your network. It is for use with Windows-based client
machines on a network that uses Active Directory or Windows NT Directory.
Do not install Logon Agent on the same machine as eDirectory Agent, because this
can cause conflicts. Also, do not use Logon Agent in a network in which eDirectory
Agent is used.
To use Logon Agent, you must modify the Group Policy on domain controllers so it
launches a logon application (LogonApp.exe) as part of the logon script. Client
machines must use NTLM (v1 or v2) when authenticating users (NTLMv1 only, in the
case of Windows Server 2008; see note below). For instructions on configuring
domain controllers and client machines to use Logon Agent, see Creating and running
the script for Logon Agent, page 95.
Logon Agent can be run with DC Agent if some of the users in your network are not
being authenticated properly. If DC Agent is unable to identify certain users (for
example, if it is unable to communicate with a domain controller due to network
bandwidth or security restrictions), they would still be identified by Logon Agent at
log on.
Note
If using Logon Agent with a Windows Server 2008
domain controller, client machines must be configured to
use NTLMv1 when authenticating a user. To do this,
modify the security policy so Network security: LAN
Manager authentication level is set to Send NTLM
response only. This can be done on each individual client
machine by modifying the local security policy, or on all
machines in a domain by modifying the security policy of
a Group Policy Object. For instructions, see Prerequisites
for running the logon script, page 96.
When Logon Agent is selected, the following screens appear during installation:
selected for installation at the same time as Logon Agent. It is assumed Policy
Server is installed on another machine. Enter the IP address of the machine
and the port Policy Server uses to communicate with other Websense
components (default is 55806).
Directory Service Access
policies to. Logon Agent uses this account to query the domain controller for
user information.
If you choose not to specify a Domain Admin account now (by leaving the
fields blank), you can specify it after installation by configuring the Websense
Logon Agent service to Log on as a Domain Admin user, using the Windows
Services dialog box:
Tools > Services).
b. Right-click Websense Logon Agent and select Properties.
Important
Note
e. Click OK.
i. Right-click Websense Logon Agent and select Restart.
TRITON - Web Security Help to configure Websense software to use Logon Agent to
identify users without prompting them for logon information.
Filtering Plug-in
A filtering plug-in is required for Websense software to integrate with the following
integration products:
Microsoft ISA Server
Citrix Presentation Server or XenApp
Squid Web Proxy Cache
The filtering plug-in is installed on the integration product machine itself. Select this
component only if you are running the installer on the integration product machine.
Filtering Service must already be installed in order to install a filtering plug-in. If this
is a Citrix machine, Filtering Service should be installed on a different machine. If this
is an ISA Server or Squid Web Proxy Cache machine, Filtering Service may be
installed on a different machine or this machine.
Note
The filtering plug-in for Microsoft Forefront TMG is
installed using a separate installer. See Installation Guide
Supplement for use with Microsoft ISA Server or Forefront
TMG.
Note
Other supported integration products do not require a
filtering plug-in.
When Filtering Plug-in is selected, the following screens appear during installation:
loopback address, 127.0.0.1).
The port used by Filtering Service to communicate with integration products
and Network Agent must be in the range 1024-65535. Filtering Service may
have been automatically configured to use a port other than the default 15868.
When Filtering Service is installed, if the installation program finds the
default port to be in use, it is automatically incremented until a free port is
found. To determine what port is used by Filtering Service, check the
eimserver.ini filelocated in C:\Program Files\Websense\bin
(Windows) or
/opt/Websense/bin (Linux)on the Filtering Service machine. In this
file, look for the WebsenseServerPort value.
install it before installing a filtering plug-in. To install it on this machine, click
that machine (prior to installing the plug-in on this machine).
Select Integration
Select your integration product and then click Next.
Squid Configuration
This screen appears if you selected Squid Web Proxy Cache as the integration
product. Enter paths to the squid.conf and squid executable files, and then
click Next.
navigate to the location. This path must be verified for the installation to
continue. (Note: the path must include the file name.)
Important
Important
When installing Filtering Service, be sure to do so as
integrated with the integration product.
Additionally, you must provide the path to the Squid executable so the
installation program can shut it down to continue the installation.
Remote Filtering Client Pack
This option installs an MSI installer package (by default: C:\Program Files\
Websense\DTFAgent\RemoteFilteringAgentPack\NO_MSI\CPMClient.msi) to be
used to deploy the Remote Filtering Client to user machines. The Remote Filtering
Client Pack can be installed only on Windows machines.
The Remote Filtering Client allows filtering on machines when they are outside the
network. It can be deployed to Windows machines only.
The Remote Filtering Client can be deployed by copying the MSI installer package to
user machines or using a third-party deployment tool. See the Remote Filtering
Software technical paper (available in the in the Documentation > Planning,
Installation and Upgrade folder of the Websense Knowledge Base) for instructions.
Before deploying the Remote Filtering Client on Windows Vista machines, make sure
User Account Control (UAC) is disabled and that you are logged on to the machine as
a local administrator.
When Remote Filtering Client Pack is selected, the following screens appear during
installation:
Enter the IP address of the machine on which Policy Server is installed and
the port Policy Server uses to communicate with other Websense components
(default is 55806).
Note
Note
If installing Remote Filtering Server (see page 68) on a
Windows machine, install Remote Filtering Client Pack
along with it. However, do not deploy the Remote Filtering
Client on the machine. Simply install the Remote Filtering
Client pack so you can deploy it from the Remote Filtering
Server machine.
install it before installing Remote Filtering Client Pack.
Remote Filtering Server
Remote Filtering Server provides Web filtering for machines such as laptops that are
located outside the network firewall. A remote computer must be running the Remote
Filtering Client to be filtered by the Remote Filtering Server.
Remote Filtering Server is installed on a separate, dedicated machine with the same
installer used for other Websense components. Ideally, it should be installed behind
the outermost network firewall, but in the DMZ outside the firewall that protects the
rest of the network.
During the installation, Remote Filter Server connects to ports 40000, 15868, 15871,
55880, and 55806 on the machine or machines running Policy Server, Policy Broker,
and Filtering Service. Also, Policy Server uses port 55825 to communicate with the
Remote Filtering machine.
If a firewall is installed between Remote Filtering Server and these other components,
open these ports on the firewall. After the installation is complete, ports 15868, 15871,
55880 must remain open.
Remote Filtering Server may be installed on a Windows or Linux machine. If this is a
Windows machine, install Remote Filtering Client Pack (see page 67) along with
Remote Filtering Server. This installs an MSI installer package that can be used to
deploy the Remote Filtering Client to target user machines.
When Remote Filtering Server is selected, the following screens appear during
installation:
Enter the IP address of the machine on which Policy Server is installed and
the port Policy Server uses to communicate with other Websense components
(default is 55806).
Important
Important
Deploy the Remote Filtering Client to user machines but
do not deploy it to this (Remote Filtering Server) machine.
install it before installing Remote Filtering Service.
Remote Filtering Server Communication
The external IP address or host name of the firewall or gateway must be
visible from outside the network. If you enter a host name, it must be in the
form of a fully-qualified domain name: <machine name>.<domain name>
The external communication port can be any free port in the range 10-65535
on this machine. This port receives HTTP/HTTPS/FTP requests from external
Remote Filtering Client machines (i.e. user machines, running Remote
Filtering Client, outside the network). The default is 80. If a Web server is
running on this machine, it may be necessary to use a different port.
Important
Important
Remember whether you entered an IP address or a host
name here. When installing the Remote Filtering Client on
user machines, you must enter this address in the same
form (IP address or domain name).
Note
It is a best practice to use IP addresses, rather than host
names, unless you are confident of the reliability of your
DNS servers. If host names cannot be resolved, Remote
Filtering Clients will be unable to connect to the Remote
Filtering Server.
Note
The external network firewall or gateway must be
configured to route traffic, typically via PAT or NAT, from
Remote Filtering Client machines to the internal IP
address of this machine.
The internal communication port can be any free port in the range 1024-
65535 on this machine. The default is 8800. This is the port to which remote
client heartbeats are sent to determine whether a client machine is inside or
outside the network. The external network firewall must be configured to
block traffic on this port. Only internal network connections should be
allowed to this port.
For more information, see the Remote Filtering Software technical paper.
Remote Filtering Pass Phrase
The pass phrase can be any length. This pass phrase is combined with
unpublished keys to create an encrypted authentication key (shared secret) for
secure client/server communication.
If you want this instance of Remote Filtering Server to function as a backup
(secondary or tertiary) server for a primary Remote Filtering Server, you must
enter the same pass phrase used when installing the primary Remote Filtering
Server.
The pass phrase must include only ASCII characters but cannot include
spaces. Do not use extended ASCII or double-byte characters.
You must use this pass phrase when you install the Remote Filtering Client on
user machines that will connect to this Remote Filtering Server.
Important
Record this pass phrase and keep it in a safe place. If it is
lost or forgotten, Websense software cannot be used to
retrieve it.
Filtering Service Information for Remote Filtering
Internal IP address: Enter the actual IP address of the Filtering Service
machine to be used by this instance of Remote Filtering Server.
Filtering port and Block page port: The filtering port is used by Filtering
Service to communicate with other Websense components. The block page
port is used by Filtering Service to send block pages to client machines.
These ports must be in the range 1024-65535. These ports must be open on
any firewall between the Remote Filtering Server and Filtering Service.
Filtering Service may have been automatically configured to use ports
other than the default 15868 (filtering port) and 15871 (block page port).
When Filtering Service is installed, the installation program checks
whether these default ports are already in use on that machine. If either is
already in use, the port is automatically incremented until a free port is
found.
To find the ports used by Filtering Service, check the eimserver.ini
filelocated in C:\Program Files\Websense\bin (Windows) or /
opt/Websense/bin (Linux)on the Filtering Service machine. Look
for the WebsenseServerPort (filtering port) and BlockMsgServerPort
(block page port) values.
Translated IP address: Use this box to provide the translated IP address
of Filtering Service if it is behind a network-address-translating device.
You must check A firewall or other network device performs address
translation between Remote Filtering Server and Filtering Service to
activate this box.
See the Remote Filtering Software technical paper (available in the in the
Documentation > Planning, Installation and Upgrade folder of the Websense
Knowledge Base) for information on installing, configuring, and using remote
filtering.
Important
Linking Service
Websense Linking Service makes it possible for Websense Data Security to access
user information and URL categorization details from Websense Web Security.
When installing Linking Service separately, be sure that Filtering Service, User
Service, and a transparent identification agent (DC Agent, Logon Agent, or RADIUS
Agent) are already installed and running.
When Linking Service is selected, the following screens appear during installation:
selected for installation at the same time as Linking Service. It is assumed
Policy Server is installed on another machine. Enter the IP address of the
machine and the port Policy Server uses to communicate with other Websense
components (default is 55806).
install it before installing Linking Service. To install it on this machine, click
Previous and select Policy Server in addition to Linking Service. To install
it on another machine, run this installation program on that machine (prior to
installing components on this machine).
Important
loopback address, 127.0.0.1)
install it before installing Linking Service. To install it on this machine, click
that machine (prior to installing Linking Service on this machine).
Note
The port used by Filtering Service to communicate with
integration products and Network Agent must be in the
range 1024-65535. Filtering Service may have been
automatically configured to use a port other than the
default 15868. When Filtering Service is installed, if the
installation program finds the default port to be in use, it is
automatically incremented until a free port is found. To
determine what port is used by Filtering Service, check the
eimserver.ini filelocated in C:\Program
Files\Websense\bin (Windows) or
/opt/Websense/bin (Linux)on the Filtering Service
machine. In this file, look for the WebsenseServerPort
value.
Important: Do not modify the eimserver.ini file.
Sync Service
Sync Service communicates policy and reporting data to the hybrid service. To install
Sync Service, Policy Server must already be installed on this machine or a networked
machine. Typically, Sync Service is installed on the same machine as Log Server.
When Sync Service is selected, the following screens appear during installation:
55806).
Important
There must be only one instance of Sync Service in an
entire deployment of Websense Web Security Gateway
Anywhere. See the Deployment Guide for Websense Web
Security Solutions for more information.
Note
If you have a distributed logging deployment (e.g., central
office with Log Server and Log Database, branch offices
with their own instances of Log Server that send data to
the central office) be sure to install Sync Service so it
communicates with the central Log Server instance and not
one of the branch instances. Hybrid logging data cannot be
passed to the central Log Server instance by branch
instances.
Important
install it before installing Sync Service. To install it on this machine, click
Policy Broker Connection
This screen appears if Policy Broker is not found on this machine and not
currently selected for installation. It is assumed Policy Broker is installed on
Broker uses to communicate with other Websense components (default is
55880).
The configuration port must be in the range 1024-65535. Policy Broker may
have been automatically configured to use a port other than the default 55880
for communication with other Websense components. When Policy Broker is
installed, if the installation program finds the default port to be in use, it is
automatically incremented until a free port is found. To determine what port is
used by Policy Broker, check the BrokerService.cfg filelocated in
C:\Program Files\Websense\bin (Windows) or
/opt/Websense/bin (Linux)on the Policy Broker machine. In this file,
look for the listen_port value.
If Policy Broker is not installed yet, anywhere in your network, you must
install it before installing Policy Server. To install it on this machine, click
Previous and select Policy Broker in addition to already selected
Important
Do not modify the BrokerService.cfg file.
Important
entire deployment. Policy Broker must be installed first,
before any other Websense component. If you select other
components to install along with Policy Broker, they will
be installed in the proper order.
Directory Agent
Directory Agent collates user and group information for use by the hybrid service. To
install Directory Agent, Policy Server must already be installed on this machine or a
networked machine.
Typically, only one instance of Directory Agent should be installed in an entire
deployment. It is possible, however, to install multiple Directory Agent instances but
specific configuration is necessary for them to operate properly. For more information
see the TRITON - Web Security Help.
When Directory Agent is selected, the following screen appears during installation:
55806).
install it before installing Directory Agent. To install it on this machine, click
Important
If you are installing components as part of a Websense
Web Security Gateway Anywhere deployment with a V-
Series appliance, you typically should not install Directory
Agent on a separate machine. Directory Agent is already
installed on the appliance.
Important
Modifying an installation
Adding components
To add Websense components to a machine on which other Websense components are
already installed, run the Websense installer on it again. The installer detects the
presence of Websense components and allows you to choose components to add by
initiating a custom installation. See Installing individual components, page 37, for
instructions on running a custom installation to add components.
Adding components to a filtering plug-in only machine
The following integration products require a Websense filtering plug-in:
Microsoft ISA Server
Citrix Presentation Server or XenApp
Squid Web Proxy Cache
If you installed only the filtering plug-in on an integration product machine, you
cannot directly add components to it. The add component process requires certain
additional Websense files to be present. During the original installation of the filtering
plug-in, these additional files were not installed to minimize the installation size on
the machine.
To add components to a machine on which a filtering plug-in is installed as the only
Websense component, uninstall the plug-in (see Removing components, page 78) and
then run the Websense installer again to install the components you want. Be sure to
Note
You cannot add current version components to a machine
that has prior version components installed. The prior
version components must be upgraded first. The installer
will detect the presence of prior-version components and
allow you to upgrade them. See the Upgrading Websense
Web Security Software guide.
Note
No other Websense components, other than Citrix
Integration Service (i.e. the filtering plug-in) and Control
Service, should be installed on a Citrix machine. Do not
add components to it. Note: Control Service is
automatically installed when you install Citrix Integration
Service.
select the filtering plug-in as one of the components to install when re-running the
installer.
Adding components to a Remote Filtering Server machine
No additional Websense components should be installed on a Remote Filtering Server
machine.
Removing components
Websense components are removed using the Websense uninstaller. You can remove
individual components or all components on a machine.
Policy Broker and the Policy Server associated with the components you want to
remove must be running when you remove Websense components. Policy Server
keeps track of the location of the components associated with it. It must be running so
it is aware when a component has been removed. Policy Broker and Policy Server
may be running on different machines than the one from which you are removing
components.
Components should be removed in a particular order because of certain dependencies
(see Removal order below). If you are removing all components on a machine, make
sure you move any custom files you want preserved beforehand (see Preserving
custom data, page 80). Also, refer to the Installation Guide supplement for your
integration product for any integration-specific requirements.
Removal instructions are slightly different depending on the operating system. The
instructions begin on page 81 for Windows and page 83 for Linux.
Note
Do not install Websense Network Agent on an ISA Server
machine, unless ISA Server is used as a proxy only and not
firewall.
Important
No other Websense components may be added to a
Microsoft Forefront TMG machine. Forefront TMG runs
on Windows Server 2008 (x64). No Websense component
(other than the ISAPI Filter plug-in and Control Service) is
supported on 64-bit operating systems. Do not attempt to
run the Websense installer on a Windows Server 2008
(x64) machine.
Removal order
When removing a particular component, it is important to remove any dependent
components first.
Component dependencies are shown in the following diagram (note: not all Websense
components are included; only those with removal dependencies are shown).
The dependency hierarchy goes from top-down, with dependent components below
the component they depend on. For example, if you want to remove Filtering Service,
any associated Network Agent, Remote Filtering Server, and Filtering plug-in
instances must be removed first. Likewise, to remove Policy Server, you must first
remove any instances of the components below it in the diagram.
It is important to note that these dependencies apply to distributed components as
well.The uninstaller will notify you of dependent components on the same machine.
However, it cannot notify you of dependent components on other machines. You must
be sure to remove any dependent components on other machines before removing a
component on this machine. For example, to remove the Policy Server instance shown
in Figure 2 (left-side illustration), you must first remove Network Agent and then
Policy Broker
Policy Server
Filtering Service
User Service Usage Manager
Linking Service
Transparent D agent*
Sync Service Directory Agent
Network Agent Remote Filtering Server Filtering plug-in**
* DC Agent, Logon Agent, eDirectory Agent, or RADUS Agent
** Microsoft SAP Filter, Citrix ntegration Service, or Squid redirector plug-in
Log Server
Figure 1 Removal dependencies
Filtering Service on the two machines dependent on the Policy Server. The numbers in
the right-side illustration indicate the proper order of removal.
Notice that each Network Agent is removed before its associated Filtering Service,
which is required by the component dependencies (Figure 1, page 79). Also, it does
not matter which Filtering Service and Network Agent pair is removed before the
otherjust both pairs must be removed prior to removing the Policy Server.
Preserving custom data
If you have data or files you created yourself in the Websense directory (default:
C:\Program Files\Websense in Windows; /opt/Websense in Linux) or in sub-
directories of the Websense directory, copy them to another location before running
the uninstaller to remove all Websense components. The uninstallation process may
remove these files.
Figure 2 Removing distributed components example
Note
If you have saved reports you want to retain after
uninstalling all components, copy them from the
ReportingOutput directory (under the Websense
directory). The report files are of the following types:
*.pdf, *.xls, or *.zip (for HTML files).
Files of the following types are not removed by the uninstaller if they are located in
the Websense directory itself:
*.zip
*.mdb
*.mdf
*.ndf
*.ldf
*.bak
The above file types are protected from removal only in the Websense directory itself.
They may be removed if they reside in a sub-directory of the Websense directory.
There are two sub-directories, however, that are protected from removal. Files in the
Websense backup directory (default: C:\Program Files\Websense\backup in Windows;
/opt/Websense/backup in Linux), if it exists, will not be removed by the uninstaller.
Also, if the Log Database files reside in a sub-directory of the Websense directory,
they will not be removed.
Windows
1. Log on with local administrator privileges.
2. Close all applications (except Websense software; see the next step) and stop any
antivirus software.
Notes
Before removing components, use the Websense
Backup Utility to make a backup of Websense
configuration and initialization files. See the TRITON
- Web Security Help for instructions.
If you are removing components from a Windows
Server 2008 machine, log in as the built-in
administrator, or run the uninstall program with
elevated (full administrator) privileges.
After uninstalling components, you may be prompted
to restart the machine.
3. Make sure Websense software is running. The Websense uninstaller looks for
Policy Server during the removal process.
4. Open the Windows Add or Remove Programs dialog box (Start > Settings >
Control Panel > Add or Remove Programs).
5. Select Websense Web Security / Websense Web Filter from the list of installed
applications.
6. Click Change/Remove to launch the Websense uninstaller.
Wait for the uninstaller to start. A list of installed components appears.
7. Select the components you want to remove and then click Next.
If Policy Server is not running, a message indicates removing Websense
components may require communication with Policy Server.
a. Cancel the uninstaller.
b. Restart Policy Server from the Windows Services dialog box.
c. Restart this process at Step 4.
Warning
Do not remove Websense components without the
associated Policy Server running. Policy Server keeps
track of Websense configuration and component locations.
If Policy Server is not running, files for the selected
components are still removed, but configuration
information is not updated for those components.
Problems could occur later if you attempt to reinstall these
components.
Warning
When removing components separately, always remove all
other components, then Policy Server, and finally Policy
Broker.
Do not remove Policy Server before any component other
than Policy Broker. Removing Policy Server cuts off
communication with the remaining Websense components
and requires the reinstallation of those components.
Note
If you are removing Filtering Service, all associated
Network Agents must have already been removed. If you
try to remove Network Agent after its associated Filtering
Service has been removed, the uninstaller cannot stop
Network Agent and an error message is displayed.
8. The components selected for removal are listed. Click Next.
If you are uninstalling Network Agent after Policy Server has already been
removed, expect the process to take several minutes. Network Agent is
successfully uninstalled, although no progress notification is displayed.
9. A completion message indicates that components have been removed. Click Next.
10. Select a restart option and click Next to exit Setup.
The machine must be restarted to complete the removal process.
12. If you remove an integration plug-in, you may need to restart the integration
product. See the Installation Guide supplement for your integration product.
Linux
1. Log on as root.
2. Close all applications (except Websense software; see the next step) and stop any
antivirus software.
3. Make sure Websense software is running. The Websense uninstaller looks for
Policy Server during the removal process.
Note
Before removing components, use the Websense Backup
Utility to back up Websense configuration and
initialization files. See the TRITON - Web Security Help
for instructions.
Warning
Do not remove Websense components without the
associated Policy Server running. Policy Server keeps
track of Websense configuration and component locations.
If Policy Server is not running, files for the selected
components are still removed, but configuration
information is not updated for those components.
Problems could occur later if you attempt to reinstall these
components.
4. Run the uninstall program from the Websense installation directory (/opt/
Websense by default):
./uninstall.sh
A GUI version is available on English versions of Linux. To run it, enter:
./uninstall.sh -g
The installer detects the installed Websense components and lists them.
5. Select the components you want to remove, and choose Next.
If Policy Server is not running, a message tells you that removing Websense
components may require communication with Policy Server
a. Cancel the uninstaller.
b. Open a command shell and go to the Websense directory (/opt/Websense, by
default).
c. Enter the following command to start Websense services:
./WebsenseAdmin start
d. Restart this process at Step 4.
6. A list shows the components selected for removal. Choose Next.
If you are uninstalling Network Agent on a remote machine after removing Policy
Server, expect the process to take several minutes. Network Agent is successfully
uninstalled, although no progress notification is displayed.
7. A completion message indicates that components have been removed. Exit the
installer.
9. If you remove an integration plug-in, you may need to restart the integration.
Check the Installation Guide supplement for your integration product.
Warning
When removing components separately, always remove all
other components, then Policy Server, and finally Policy
Broker.
Do not remove Policy Server before any component other
than Policy Broker. Removing Policy Server cuts off
communication with the remaining Websense components
and requires the reinstallation of those components.
Note
If you are removing Filtering Service, all associated
Network Agents must have already been removed. If you
try to remove Network Agent after its associated Filtering
Service has been removed, Setup cannot stop Network
Agent and an error message is displayed.
Stopping and starting Websense services
By default, Websense services are configured to start when the machine starts.
Occasionally, you may need to stop or start a Websense service. For example,
Filtering Service must be stopped and started after customizing default block
messages.
Manually stopping and starting services (Windows)
Use the Windows Services dialog box to stop and start one or more Websense
services:
1. Open the Windows Services dialog box (Start > Programs > Administrative
Tools > Services).
2. Right-click a service name, and then select Start, Stop, or Restart. Restart stops
the service, then restarts it again immediately from a single command.
Refer to Stopping or starting individual services, page 86, for the correct order to
use when stopping or starting multiple Websense services.
Manually stopping and starting services (Linux)
Stop, start, or restart Websense services (daemons) from the command line on a Linux
machine.
Restarting stops a daemon, then restarts it immediately from a single command. If
Websense components are spread across multiple machines, be sure that Policy
Broker and the Policy Database are stopped last and started first. See Stopping or
starting individual services, page 86, for the preferred stopping and starting order.
There are two scripts to stop and start Websense services:
WebsenseAdmin: can stop, start, or restart all Websense components together.
Note
When Filtering Service is started, CPU usage can be 90%
or more for several minutes while the Websense Master
Database is loaded into local memory.
Warning
Do not use the taskkill command to stop Websense
services. This may corrupt the services.
WebsenseDaemonControl: can stop or start individual components.
Stopping, starting, or restarting all services
1. Go to the Websense installation directory (/opt/Websense/, by default).
2. Use the following commands to stop, start, or restart all Websense services in the
correct order:
./WebsenseAdmin stop
./WebsenseAdmin start
./WebsenseAdmin restart
3. View the running status of all Websense services with the following command:
./WebsenseAdmin status
Stopping or starting individual services
1. Go to the Websense installation directory (/opt/Websense/, by default).
2. Enter the following command: ./WebsenseDaemonControl.
A list of installed components is displayed, showing whether each process is
running or stopped.
3. Enter the letter associated with a component to start or stop the associated process.
To refresh the list, enter R.
4. When you are finished, enter Q or X to exit the tool.
Warning
Do not use the kill command to stop Websense services.
This may corrupt the services.
Stopping principal components
When stopping individual components on Windows machines, or when stopping
components spread across multiple machines, stop the optional components first, and
then the principal components, ending with the following, in the order shown:
1. Websense Network Agent
2. Websense Filtering Service
3. Websense User Service
4. Websense Policy Server
5. Websense Policy Broker
6. Websense Policy Database
When starting services, reverse this order. It is especially important that you begin
with the following services, in the order shown:
1. Websense Policy Database
2. Websense Policy Broker
3. Websense Policy Server
Also remember that if you are stopping and starting services on the TRITON - Web
Security machine, you may need to stop or start the Apache services used to host
TRITON - Web Security and its reporting tools:
Apache2Websense
ApacheTomcatWebsense
3
Initial Setup
After your installation is complete, review the following setup requirements and
complete the steps that apply to your environment.
All sites
Configure your firewall or Internet router to allow Websense software to
download the Websense Master Database (see Configuring firewalls or routers,
page 92). This is required to enable filtering.
If using Windows trusted connection to access the Log Database, configure the
Websense Apache services for trusted connection (see Configuring Websense
Apache services for trusted connection, page 90).
Launch TRITON - Web Security (see Configuring Websense Apache services for
trusted connection, page 90), and then follow the instructions in the New User
Quick Start tutorial to enter your subscription key and start downloading the
Websense Master Database.
Depending on your integration product, you may need to configure Internet
browsers on user computers. See the Installation Guide supplement for your
integration for instructions.
If you install certain components on Windows Server 2008, or if your network
uses Active Directory 2008 to authenticate users, you may need to perform some
additional configuration steps (see Working with Windows Server 2008, page 93).
Block pages
If Filtering Service is installed on a machine with multiple NICs, configure
Websense software to identify the Filtering Service machine by its IP address
rather than host name so that block pages can be sent to users. See Identifying
Filtering Service by IP address, page 95, for instructions.
Network Agent
If you installed Network Agent, use the Network Traffic Detector to test whether
Network Agent can see the Internet activity that you want it to monitor. See the
Network Configuration topic in TRITON - Web Security Help for instructions.
If you installed Network Agent on a machine with multiple NICs, you can
configure the agent to use more than one NIC to monitor and block requests. See
the Network Configuration topic in TRITON - Web Security Help for more
Initial Setup
information. To configure a stealth mode NIC for monitoring, see Appendix A:
Configuring Stealth Mode.
All Windows computers being filtered must have the Messenger Service enabled
to receive protocol block messages from Network Agent. See the Protocol Block
Messages topic in TRITON - Web Security Help for instructions.
Transparent identification of users
If you installed Logon Agent, create a logon script for your users that identifies
them transparently as they log on to a Windows domain. See Creating and
running the script for Logon Agent, page 95, for instructions.
If you were unable to grant User Service, DC Agent, or Logon Agent
administrator privileges during installation, do so now to ensure that they will
function correctly. For instructions, see the Troubleshooting > User Identification
topic on changing User Service, DC Agent, and Logon Agent service permissions
in TRITON - Web Security Help.
Remote Filtering
If you installed the optional Remote Filtering components, some configuration is
required. For instructions, see the Remote Filtering Software technical paper,
located in the Planning, Installation and Upgrade folder under Documentation on
the Websense Support Portal, www.websense.com/docs.
Configuring Websense Apache services for trusted
connection
If, during installation of Websense software, you chose to use a trusted connection to
access the Log Database, you must configure the Apache2Websense and
ApacheTomcatWebsense services to log on using the trusted account specified during
installation. These services are located on the machine on which TRITON - Web
Security is installed.
To configure the service to use the trusted account:
1. Open the Windows Services dialog (Start > Administrative Tools > Services).
2. In the list of services, right-click Apache2Websense and select Properties.
3. In properties dialog box that appears, select the Log On tab.
4. Under Log on as, select This account and enter the domain\username and
password of the trusted account.
5. Click OK.
6. Repeat this process (from Step 2) for the ApacheTomcatWebsense service.
Initial Setup
Starting TRITON - Web Security
TRITON - Web Security is the central configuration and management interface used
to customize filtering behavior, monitor Internet usage, generate Internet usage
reports, and manage Websense software configuration and settings. This Web-based
tool runs on these supported browsers:
Microsoft Internet Explorer 7 or 8
Mozilla Firefox 3.0.x - 3.5.x
Although it is possible to launch TRITON - Web Security using some other browsers,
use the supported browsers to receive full functionality and proper display of the
application.
To launch TRITON - Web Security, do one of the following:
If installed on Windows, go to the installation machine and double-click the
TRITON - Web Security desktop icon, or go to Start > Programs > Websense >
At any machine in the network, open a supported browser and enter the following
address:
https://<IP address>:9443/mng/
Substitute the IP address of the TRITON - Web Security machine.
If you are unable to connect to TRITON - Web Security on the default port, refer to
the knownports.properties file on the TRITON - Web Security machine (located by
default in the C:\Program Files\Websense\bin or /opt/Websense/bin/ directory) to
verify the port.
On Windows machines, look for the APACHE_HTTPS= value.
On Linux machines, look for the TOMCAT_HTTPS= value.
If you are using the correct port, and are still unable to connect to TRITON - Web
Security from a remote machine, make sure that your firewall allows communication
on that port.
An SSL connection is used for secure, browser-based communication with TRITON -
Web Security. This connection uses a security certificate issued by Websense, Inc.
Because the supported browsers do not recognize Websense, Inc., as a known
Certificate Authority, a certificate error is displayed the first time you launch TRITON
- Web Security from a new browser. To avoid seeing this error, you can install or
permanently accept the certificate within the browser. See the Websense Knowledge
Base for instructions.
Note
On Linux, use Firefox 3.5.x for access to all reporting
features in TRITON - Web Security.
Initial Setup
Once the security certificate has been accepted, the TRITON Unified Security Center
logon page is displayed in the browser window. Log on as WebsenseAdministrator
with the password that you created during the installation.
When you have logged on to TRITON - Web Security, be sure to enter your
subscription key and download the Master Database.
1. In the left navigation pane, click the Settings tab.
2. Open the Account page, and then enter your subscription key.
3. When you are finished making changes, click OK. Changes are not implemented
until you click Save All.
4. In the left navigation tab, click the Main tab.
5. Open the Today page, and then click the Database Download button at the top.
6. Verify that the Master Database download is in progress. If not, click Update.
Configuring firewalls or routers
For Internet connectivity, TRITON - Web Security may require authentication through
a proxy server or firewall for HTTP traffic. To allow Websense Master Database
downloads, configure the proxy or firewall to accept clear text or basic authentication.
See the proxy server or firewall documentation for configuration instructions. See
TRITON - Web Security Help for instructions on running the Websense Master
Database download.
If you have integrated Websense software with another product or device, see the
Installation Guide supplement for your integration for more information.
Important
A partial version of the Master Database is installed with
your Websense software on each Filtering Service
machine. This partial database is used to enable basic
filtering functionality from the time you enter your
subscription key. You must download the full database for
complete filtering to occur. See the TRITON - Web
Security Help for additional information.
Initial Setup
Working with Windows Server 2008
If you install certain components on Windows Server 2008, or if your network uses
Active Directory 2008 to authenticate users, be aware of the issues listed below. In
some cases, additional configuration steps are required.
If you run Websense User Service on Windows Server 2008, and your network
uses a Windows NT Directory or Active Directory (Mixed Mode), Websense User
Service must run as an account that has administrative privileges on the directory.
This means that the User Service machine must be joined to the domain before
performing the installation.
See the Troubleshooting section of the TRITON - Web Security Help for
instructions on checking and changing the User Service account. Look for the
topic on changing DC Agent, Logon Agent, and User Service permissions.
If you run Websense User Service, DC Agent, or Logon Agent on Windows
Server 2008, the Windows Computer Browser service on that machine must be
running. If it was not started during installation, see Turning on the Computer
Browser service, page 94.
If Websense User Service is installed on Windows Server 2008, protocol block
messages and popup usage alerts cannot be displayed at client machines.
If your network uses Active Directory 2008 to authenticate users, the Windows
Computer Browser service on that machine must be running. See Turning on the
Computer Browser service, page 94.
If you run Websense User Service on Windows Server 2008, Network Agent
cannot send protocol block messages to users. The protocol requests are blocked,
but no message is displayed.
In addition, usage alert popup messages cannot be displayed to users. The alerts
are generated, and other notification methods function normally.
All Websense tools and utilities installed on Windows Server 2008, and text
editors used to modify Websense configuration files (such as websense.ini), must
be run as the local administrator. Otherwise, you may be prevented from running
the tool or the changes you make may not be implemented.
1. Open Windows Explorer to the bin subdirectory in the Websense installation
directory (the default installation directory is C:\Program Files\Websense).
Note
Websense components support only the 32-bit version of
Windows Server 2008 (x86). An exception to this is the
Websense ISAPI Filter plug-in for Forefront TMG, which
is supported on 64-bit Windows Server 2008 (x64) only.
Initial Setup
2. Right-click the relevant executable file, and then click Properties. Following
is a list of files for which this should be done.
wsbackup.exe for Websense Backup and Restore
logserverconfig.exe for the Log Server Configuration utility
executable for any text editor used to modify a Websense configuration file
(such as websense.ini)
3. In the Compatibility tab, under Privilege Level, select Run this program as
an administrator. Then, click OK.
On Windows Server 2008, the Windows Firewall is turned on by default, and
Microsoft recommends that it not be turned off.
Check the Websense Knowledge Base for a list of ports that Websense
components use for communication. These ports may need to be opened on
the Windows Firewall to enable necessary Websense communication.
If you are installing User Service, DC Agent, or Logon Agent, note that the
Windows Firewall must be turned off for the Computer Browser service to
start.
Turning on the Computer Browser service
Websense Setup offers the option to turn on the Computer Browser service during
installation of the following components on Windows Server 2008.
Websense User Service
Websense DC Agent
Websense Logon Agent
If you chose not to have it started, or the installer was not successful, you must turn on
the service manually.
In addition, if your network uses Active Directory 2008 to authenticate users, the
Windows Computer Browser service must be running on the Active Directory
machine. Note that the Windows Firewall must be turned off in order for the
Computer Browser service to start.
Perform the following procedure on each machine running an affected component:
1. Make sure that Windows Network File Sharing is enabled.
a. Go to Start > Control Panel > Network and Sharing Center.
b. In the Sharing and Discovery section, set File Sharing to On.
2. Go to Control Panel > Administrative Tools > Services.
3. Double-click Computer Browser to open the Properties dialog box.
4. Set the Startup type to Automatic.
5. Click Start.
6. Click OK to save your changes and close the Services dialog box.
7. Repeat these steps on each machine running Windows Server 2008 and an
affected component.
Initial Setup
Identifying Filtering Service by IP address
When Websense software blocks an Internet request, the browser is redirected to a
block page hosted by Filtering Service. The block page URL takes the form:
http://<FilteringServiceNameorIPAddress>:<MessagePort>/cgi-
bin/blockpage.cgi?ws-session=#########
If Filtering Service is installed on a machine with multiple NICs, and Filtering Service
is identified by machine host name rather than IP address, users could receive a blank
page rather than a block page.
If you have an internal domain name server (DNS), enter the Filtering Service
machines IP address as a resource record in your DNS. See your DNS
documentation for instructions.
If you do not have an internal DNS:
1. On the Filtering Service machine, go to the Websense bin directory (by
default, C:\Program Files\Websense\bin or opt/Websense/bin).
2. Make a backup copy of eimserver.ini in another directory.
3. Open the original eimserver.ini file in a text editor.
4. In the [WebsenseServer] section, enter the following command:
BlockMsgServerName=<IP address>
Here, <IP address> is the IP address of the Filtering Service machine.
5. Save the file.
6. Restart the Filtering Service. See Stopping and starting Websense services,
page 85.
Creating and running the script for Logon Agent
If you installed Websense Logon Agent, you must create a logon script for clients that
identifies them to Websense software when they log on to a Windows domain. The
Websense Logon application, LogonApp.exe, provides a user name and IP address to
the Logon Agent each time a Windows client connects to a Windows Active Directory
or a Windows NT directory service.
Important
Do not use the loopback address 127.0.0.1.
Initial Setup
During Logon Agent installation, the logon application and script files are placed in
the Websense bin directory (by default, C:\Program Files\Websense\bin in Windows
or /opt/Websense/bin in Linux).
LogonApp.exe (Windows only): The Websense executable that communicates
user information to the Logon Agent.
Logon.bat: The batch file containing sample logon and logout scripts.
LogonApp_ReadMe.txt: A summary of the procedures for creating and running
the Websense logon script and optional logout script.
See Logon Agent, page 63, for installation instructions.
Prerequisites for running the logon script
Logon Agent requires running the logon application on Windows machines.
If the logon script runs the logon application in persistent mode, configure your
Active Directory server not to run scripts synchronously.
Be sure that all computers can connect to the shared drive on the domain
controller containing logon.bat and LogonApp.exe. You must copy both of these
files from the machine running Logon Agent to both the logon and logout
directories on the domain controller.
To determine if a Windows machine has access to the domain controller, run the
following command from a command prompt:
net view /domain:<domain name>
The TCP/IP NetBIOS Helper Service must be running on each Windows 2000,
Windows XP, Windows Vista, Windows Server 2003, and Windows NT client
machine that is identified by Logon Agent.
The logon application on client machines must use NTLM authentication to
communicate with Logon Agent. By default, Windows Vista machines use
NTLMv2.
To change this setting globally, for all machines in the network, modify the default
domain Group Policy Object (GPO) to require use of NTLM authentication:
1. On the domain controller machine, go to Start > Run, and then enter mmc.
2. In the Microsoft Management Console, go to File > Add/Remove Snap-In,
and then click Add.
3. Select Group Policy Management Editor, and then click Add.
4. Select the default GPO (for example, Default domain policy), and then click
Finish.
5. Click Close and then OK to close the open dialog boxes.
6. In the navigation pane of the Console window, expand the Computer
Configuration > Policy > Windows Settings > Security Settings > Local
Policies node, and then select Security Options.
7. In the content pane, select Network Security: LAN Manager
authentication level, and change the setting to Send NTLM response only.
Initial Setup
8. Save and close the Console file.
To change this setting on individual Windows Vista machines, change the default
setting for Network security: LAN Manager authentication level as follows:
1. Open the Windows Local Security Settings window. See the Windows
online Help for assistance.
2. Go to Security Settings > Local Policy > Security Options, and double-
click Network security: LAN Manager authentication level.
3. In the Properties dialog box that appears, select Send NTLM response only.
Websense user map and persistent mode
When Logon Agent identifies a user, the user name and IP address are stored in a user
map. The length of time this information is stored without reverification depends on
whether the logon application is running in persistent mode or non-persistent mode. If
LogonApp.exe is running in persistent mode, the update time interval is configured in
In non-persistent mode, user map information is created at logon and is not updated.
The use of non-persistent mode creates less traffic between Websense software and
the clients in your network.
In Active Directory, you can use a logout script to clear the logon information from
the Websense user map before the interval defined in TRITON - Web Security. See
Task 1: Prepare the scripts, page 98, for more information.
For detailed information about configuring Logon Agent in TRITON - Web Security,
see the User Identification topic in TRITON - Web Security Help.
Deployment tasks
Task 1: Prepare the scripts
Edit the parameters in the sample script file (Logon.bat) to suit your network.
Task 2: Configure the scripts to run
You can run your logon script from a Windows Active Directory or Windows NT
directory service using group policies.
The Websense executable and logon batch file must be moved to a shared drive on
the domain controller that is visible to all clients. If you use Active Directory, you
also can create and deploy an optional logout batch file on the shared drive.
Task 3: Configure Logon Agent in TRITON - Web Security
After the logon scripts and application have been deployed, configure Logon
Agent in TRITON - Web Security.
Initial Setup
Task 1: Prepare the scripts
A batch file, called Logon.bat, is installed with Logon Agent in the Websense bin
directory (by default, C:\Program Files\Websense\bin or /opt/Websense/bin).
This file contains instructions for using the scripting parameters, and two sample
scripts: a logon script that runs the logon application (LogonApp.exe), and a logout
script. The logout script removes user information from the Websense user map when
the user logs out. Only Active Directory can use both types of scripts.
Script parameters
Construct a logon or logout script using the samples provided and the parameters in
the table below.
The required portion of the logon script is:
LogonApp.exe http://<server>:<port>
This command runs LogonApp.exe in persistent mode (the default).
Note
You can edit the sample, or create a new batch file
containing a single command.
Parameter Description
<server> IP address or name of the Websense Logon Agent machine. This
entry must match the machine address or name entered in
TRITON - Web Security in Task 3.
<port> The port number used by Logon Agent (default 15880).
/NOPERSIST Causes the logon application to send user information to the
Logon Agent at logon only. The user name and IP address are
communicated to the server at logon and remain in the Websense
user map until the users data is automatically cleared at a
predefined time interval. The default user entry expiration is 24
hours, and can be changed in TRITON - Web Security.
If the NOPERSIST parameter is omitted, LogonApp.exe operates
in persistent mode, residing in memory on the domain server and
updating the Logon Agent with the user names and IP addresses
at predefined intervals. The default interval is 15 minutes, and
can be changed in TRITON - Web Security.
/COPY Copies the logon application to the %USERPROFILE%\Local
Settings\Temp directory on users machines, where it is run by
the logon script from local memory. This optional parameter
helps to prevent your logon script from hanging.
COPY can be used only in persistent mode.
Initial Setup
Examples
The sample logon script sends user information to the Logon Agent at logon only. The
information is not updated during the users session (NOPERSIST). The information
is sent to port 15880 on the server identified by IP address 10.2.2.95.
LogonApp.exe http://10.2.2.95:15880 /NOPERSIST
With Active Directory you have the option to clear the logon information for each user
as soon as the user logs out. (This option is not available with Windows NTLM.)
Create a companion logout script in a different batch file, and place it into a different
directory than the logon script.
Copy the logon batch file and rename it Logout.bat. Edit the script to read:
LogonApp.exe http://10.2.2.95:15880 /NOPERSIST /LOGOUT
Task 2: Configure the scripts to run
You can configure your logon script to run with a group policy on Active Directory or
on Windows NT Directory. The logout script only runs with Active Directory.
Active Directory
If your network uses Windows 98 client machines, go to the Microsoft Web site for
assistance.
1. Make sure your environment meets the conditions described in Prerequisites for
running the logon script, page 96.
2. On the Active Directory machine, go to the Windows Control Panel and select
Administrative Tools > Active Directory Users and Computers.
/VERBOSE Debugging parameter that must be used only at the direction of
Technical Support.
/LOGOUT Used only in an optional logout script, this parameter removes the
users logon information from the Websense user map when the
user logs off. If you use Active Directory, this parameter can
clear the logon information from the user map before the interval
defined for Logon Agent has elapsed.
Use this optional parameter in a logout script in a different batch
file than the one containing the logon script. See the Examples
below.
Parameter Description
Note
The following procedures are specific to Microsoft
operating systems and are provided here as a courtesy.
Websense, Inc., cannot be responsible for changes to these
procedures or to the operating systems that employ them.
For more information, see the links provided.
Initial Setup
3. Right-click the domain, and then select Properties.
4. On the Group Policy tab, click New and create a policy called Websense Logon
Script.
5. Double-click the new policy or click Edit.
6. In the tree structure displayed, expand User Configuration.
7. Go to Windows Settings > Scripts (Logon/Logoff).
8. In the right pane, double-click Logon.
9. Click Show Files to open this policys logon script folder in Windows Explorer.
10. Copy two files into this folder:
Logon.bat, your edited logon batch file
LogonApp.exe, the application
11. Close the Explorer window.
12. Click Add in the Logon Properties dialog box.
13. Enter Logon.bat in the Script Name field or browse for the file.
14. Leave the Script Parameters field empty.
15. Click OK twice to accept the changes.
16. (Optional) If you have prepared a logout script, repeat Step 6 through Step 15.
Choose Logoff at Step 8, and use your logout batch file when you are prompted to
copy or name the batch file.
17. Close the Group Policy Object Editor dialog box.
18. Click OK in the domain Properties dialog box to apply the script.
19. Repeat this procedure on each domain controller in your network, as needed.
For additional information about deploying logon scripts to users and groups in Active
Directory, go to the Microsoft TechNet site (technet2.microsoft.com/), and search for
the exact phrase: Logon Scripts How To.
Note
You can determine if your script is running as intended by
configuring your Websense software for manual
authentication. If transparent authentication with Logon
Agent fails for any reason, users are prompted for a user
name and password when opening a browser. Ask your
users to notify you if this problem occurs.
To enable manual authentication, see the User
Identification topic in the TRITON - Web Security Help.
Initial Setup
Windows NT directory or Active Directory (mixed mode)
1. Make sure your environment meets the conditions described in Prerequisites for
running the logon script, page 96.
2. Copy the Logon.bat and LogonApp.exe files from the Websense installation
directory on the Logon Agent machine (by default, C:\Program
Files\Websense\bin or /opt/Websense/bin) to the netlogon share directory on the
domain controller machine.
C:\WINNT\system32\Repl\Import\Scripts
Depending on your configuration, you may need to copy these files to other
domain controllers in the network to run the script for all your users.
3. In the Control Panel of the domain controller, select Administrative Tools > User
Manager for Domains.
4. Select the users for whom the script must be run, and double-click to edit the user
properties.
5. Click Profile.
6. Enter the path to the logon batch file in the User Profile Path field (see Step 2).
7. Enter Logon.bat in the Logon Script Name field.
8. Click OK.
9. Repeat this procedure on each domain controller in your network, as needed.
Task 3: Configure Logon Agent in TRITON - Web Security
After the logon/logout scripts and the logon application have been deployed and
configured on the domain controllers, you must enable authentication in TRITON -
Web Security. See the User Identification > Logon Agent topic in the TRITON - Web
Security Help for instructions.
Note
You can determine if your script is running as intended by
configuring your Websense software to use manual
authentication when transparent identification fails. If
transparent authentication with Logon Agent fails for any
reason, users are prompted for a user name and password
when opening a browser. Ask your users to notify you if
this problem occurs.
To enable manual authentication, see the User
Identification topic in the TRITON - Web Security Help.
Initial Setup
Configuring Network Agent to use multiple NICs
Each Network Agent must use at least one designated NIC, but is capable of using
multiple NICs. Network Agent can use one NIC for monitoring traffic, and another
NIC to send blocking information.
See the Deployment Guide for Websense Web Security Solutions for more information,
and the TRITON - Web Security Help for configuration instructions.
A
Configuring Stealth Mode
Websense software can inspect all packets with a monitoring NIC (network interface
card) that has been configured for stealth mode. A NIC in stealth mode has no IP
address and cannot be used for communication. Security and network performance are
improved with this configuration. Removing the IP address prevents connections to
the NIC from outside resources and stops unwanted broadcasts.
Configuring for Stealth Mode
If Network Agent is configured to use a stealth-mode NIC, the installation machine
must have multiple NICs. If Network Agent is installed on a separate machine, a
second, TCP/IP-capable interface (i.e., it is not in stealth mode) must be configured to
communicate with Websense software for filtering and logging.
During installation, stealth-mode interfaces do not display as a choice for Websense
communications. Make sure you know the configuration of all the interfaces in the
machine before attempting an installation.
Stealth mode for the Network Agent interface is supported on Windows and Linux.
Important
On Linux, stealth mode NICs appear together with TCP/
IP-capable interfaces and must not be selected for
communication.
Configuring Stealth Mode
Windows
Configure a NIC for stealth mode as follows.
1. Go to Start > Settings > Network and Dial-up Connection to display a list of all
the interfaces active in the machine.
2. Select the interface you want to configure.
3. Select File > Properties.
A dialog box displays the NIC connection properties.
4. Clear the Internet Protocol (TCP/IP) checkbox.
5. Click OK.
Linux
To configure a NIC for stealth mode in Linux, disable the Address Resolution
Protocol (ARP), which breaks the link between the IP address and the MAC address
of the interface. Run the following commands, replacing <interface> with the NICs
name, for example, eth0.
To configure a NIC for stealth mode, run this command:
ifconfig <interface> -arp up
To return the NIC to normal mode, run this command:
ifconfig <interface> arp up
Important
Network Agent can work with a stealth mode NIC only if
the interface retains its old IP address in the Linux system
configuration file, /etc/sysconfig/network-scripts/ifcfg-
<adapter name>.
B
Planning for Reporting
Although TRITON - Web Security can be installed on either a Windows or a Linux
machine, Log Server must be installed on Windows to enable the reporting features of
Websense software.
Before Log Server can be installed, one of the following supported database engines
must be installed and running:
Microsoft SQL Server 2005 SP2 or SP3 - recommended
Microsoft SQL Server Desktop Edition (MSDE) 2000 SP4 - suitable for smaller
networks
MSDE is not supported on Windows 2008.
See the Deployment Guide for Websense Web Security Solutions for specific database
engine version and service pack information
See the Microsoft documentation for Microsoft SQL Server and MSDE installation
instructions.
If you do not have a database engine, and do not plan to host the database on a
Windows 2008 machine, you can download and install MSDE for free. Refer to the
Websense Knowledge Base for a download link and further instructions. Search for
the exact phrase: Installing MSDE with Websense software, version 7.
To enable reporting functionality in a Windows environment, install both TRITON -
Web Security and Log Server on Windows machines. If you install the components on
separate machines, install TRITON - Web Security first.

Installing reporting
Reporting can be installed when other Websense components are installed, or it can be
installed separately. See Chapter 2: Installation Procedures, for instructions.
Keep in mind that if you plan to use a Windows trusted connection to communicate
with the database engine, the logon account used to run the installer must also be a
trusted account with local administration privileges on the database machine.
If you are installing Websense software for evaluation purposes, or if you are
running in a very small network, use the Filtering, Management, and Reporting
option to install all filtering and reporting components at the same time.
In all but the smallest networks, TRITON - Web Security and Log Server should
be installed on a separate machine from filtering components to improve
performance. See the Deployment Guide for more information.
If TRITON - Web Security is already installed, run the installer on the reporting
machine and select a Custom installation. When prompted, select Log Server as
the component to install.
To install both TRITON - Web Security and Log Server on the same machine,
select a Custom installation. When prompted, select TRITON - Web Security
and Log Server from the component list.
Follow the installer prompts and provide the information requested. See Installing
individual components, page 37, for installing components separately.
Installation concerns
Installation options vary, based on which components you install and where you place
them.
The installer verifies that the database engine is configured appropriately for use with
Websense reporting and displays an error if it encounters a problem. See SQL Server/
MSDE installation error messages, page 109, for information about possible error
messages and instructions for addressing them.
Note
The Websense Log Database name for version 7.5 is
wslogdb70. Every time the database rolls over, a new
database partition is created, and a number is appended to
the end (for example, wslogdb70_1). This number
increments each time.
Be sure you do not have an existing database with this
name, otherwise the installation fails. For troubleshooting,
see SQL Server/MSDE installation error messages, page
109.
Collation and case-sensitivity
To provide highly accurate reports, Websense reporting tools use case-insensitive
collation functions for database searches.
If your Microsoft SQL Server or MSDE instance uses case-sensitive collation (which
may be required by other applications using the database engine), reporting
components cannot be installed.
To resolve this issue, install another SQL Server instance that uses case-insensitive
settings (see Collation and case-sensitivity error messages, page 110), and then run
the installer again.
Database engine location
When the installer asks for the location of the database engine:
If the database is installed on the current machine, and the machine has only one
NIC, you can enter Localhost.
If you installed SQL Server with an instance name other than the default
(MSSQLServer), include the instance name when you enter the IP address of the
SQL Server machine:
<IP address>\<instancename>
For example:
10.200.1.1\ReporterSql
Database location and access
When the installer requests a location and access method for the Log Database, keep
in mind that:
PathCreate a path to the database before installing Log Server. Problems can
occur during installation if the path does not exist, and Log Server and SQL
Server are on different machines.
Disk spaceMake sure there is enough free disk space (at least 3 GB) on the
specified drive for the Log Database, including space for future growth.
Depending on the number of users and your network setup, your Log Database
can grow very rapidly.
Access via SQL database accountEnter the user name and password for a
SQL Server account that has administrative access to the database. This is the
recommended method.
Note
The SQL Server password cannot begin or end with a
hyphen (-), or be blank.
Access via Windows trusted connectionUses a Windows account to log on to
the database. This account must be a trusted account with local administration
privileges on the database machine. It is a best practice to not use Windows
trusted connection with MSDE.
If your organization uses ISA Server and a Windows trusted connection will be
used to access the Log Database, remote SQL logging (on ISA Server) may need
to be enabled and communication on the internal network allowed. See Enabling
Remote SQL Logging on ISA Server below.
Enabling Remote SQL Logging on ISA Server
If a Windows trusted connection will be used to access the Log Database and your
organization uses ISA Server, it may be necessary to enable remote SQL logging.
This is necessary if Websense Log Server and SQL Server are on separate
machines. In this case, if remote logging is not enabled, data cannot be sent to the
Log Database. To enable remote SQL Logging:
1. Start the ISA Server Management console.
2. In the console tree (in the left panel), click Firewall Policy for your ISA Server
machine.
3. On the Tasks pane (to the right), under System Policy Tasks, click Edit System
Policy.
4. In the System Policy Editor dialog box, under Configuration Groups, select
Logging, and then Remote Logging (SQL).
5. On the General tab, make sure Enable this configuration group is selected (i.e.,
check mark is present).
6. On the To tab, make sure the rule applies to the internal network on which SQL
Server resides.
7. Click OK to accept your changes and return to the main console window.
Important
If TRITON - Web Security is installed on a Linux
machine, the Log Database must be on a SQL Server
instance supporting database account authentication (i.e.,
mixed mode). Trusted connection authentication cannot be
used in this case.
Note
These instructions are for ISA Server 2006. The process is
similar for ISA Server 2004 and Forefront TMG. Refer to
Microsofts documentation for more information.
SQL Server/MSDE installation error messages
Before installing Websense reporting component, the installer checks your SQL
Server or MSDE configuration. If any problems are found, an error message is
displayed. Common problems and solutions are described in the sections that follow.
To avoid the need to stop and restart the installation, configure SQL Server before
running the installer.
Database version error messages
To install Websense reporting components (Log Server), the installation machine must
be able to access a supported database engine:
Microsoft SQL Server 2005 SP2 - recommended
Microsoft SQL Server Desktop Edition (MSDE) 2000 SP4 - suitable for smaller
networks
MSDE is not supported on Windows 2008.
If you have an older version of SQL Server or MSDE, upgrade the database engine
before running the Websense installer. (SQL Express is not supported.)
MSDE is free (but not supported on Windows 2008). The database size limit for
MSDE is 2 GB.
If a database engine is not found during installation, refer to the Websense
Knowledge Base for a download link and further instructions. Search for the
exact phrase: Installing MSDE with Websense software, version 7.
SQL Server is available from Microsoft. Check the Microsoft Web site for
purchase information, and installation or upgrade documentation.
If you try to install Log Server with an unsupported Microsoft SQL Server or MSDE
version, or without access to a supported database engine, an error message appears.
The installer terminates and does not install reporting components.
Install a supported database engine, and make sure it is running. Then, run the
Websense installer again.
Finding the database engine version
SQL Server
1. Navigate to the SQL Server \90\tools\binn directory.
2. Launch the SQLCMD.EXE utility.
3. Enter the following commands:
select @@ version
go
The database version information will be displayed
4. Enter the following to close the utility:
exit
MSDE
1. Navigate to the SQL directory, in the Websense installation directory (C:\Program
Files\Websense\SQL, by default).
2. Open a command prompt in this directory and enter the following command:
osql
3. In the osql utility that launches, enter the same commands as for SQL Server,
described above.
Collation and case-sensitivity error messages
Websense reporting tools use case-insensitive collation functions for database
searches to provide highly accurate reports. If your Microsoft SQL Server instance
uses case-sensitive collation, reporting components cannot be installed. This problem
generally occurs if other applications are using the same instance of SQL Server.
To resolve this issue, install another SQL Server instance that uses case-insensitive
settings. During installation, the Collation Settings dialog box provides options from
which to select the correct setting.
You can check (but not change) the case setting of SQL Server via SQL Enterprise
Manager:
1. Make sure you have administrator access to SQL Server.
2. Open the SQL Server Enterprise Manager: Start > Programs > Microsoft SQL
Server > Enterprise Manager.
3. If you are running SQL Server 2005:
a. In the navigation pane, click the appropriate server IP address.
b. Right-click, and select Properties > General.
c. Select Collation Settings in the content pane, and review the setting. For
example:
4. The collation string looks like this:
SQL_LATIN1_General_CP1_C?_AS
CS indicates the collation setting is case-sensitive.
CI indicates the collation setting is case-insensitive.
SQL_LATIN1_General_CP1_CS_AS
5. Click OK to close the Properties dialog box, and then close SQL Server
Enterprise Manager.
6. If the collation setting is case-sensitive, install a new instance of SQL Server with
the default case-insensitive setting.
Database creation error messages
Reporting component installation requires both the database creation rights associated
with the dbcreator role and SQL Agent permissions. In SQL Server 2005, add the
SQL Agent permissions separately (Configuring Microsoft SQL Server user roles,
page 113).
Whether you plan to use a SQL Server account or a Windows trusted connection to
access databases, the account must have the appropriate rights.
Setting database creation rights, page 111
Using osql utility to set database creation rights, page 111
In addition, if you are using a trusted connection, the account used to run the installer
must be a trusted account with local administration privileges on the database
machine.
Setting database creation rights
1. Log on or connect to the Microsoft SQL Server machine with administrative
rights.
2. If you are using SQL Server 2005, open the SQL Server Management Studio
(Start > Programs > SQL Server 2005 > SQL Server Management Studio).
a. In the navigation pane, expand the Security > Server Roles node.
b. Right-click dbcreator and then select Properties.
3. Click Add. The Select Logins dialog box appears.
4. In the Enter the object names to select box, enter the name of the login to which
you want to grant the database creation role (or use the Browse button to select
from a list of logins).
5. Click OK.
6. Verify login you want is listed under Role Members and then click OK.
7. Close SQL Server Management Studio.
Using osql utility to set database creation rights
On the MSDE machine:
1. Open the Windows Services dialog box and verify that the MSDE instance is
running.
2. Open a Windows command prompt (Start > Run > cmd).
3. To connect to the named instance of MSDE using Windows Authentication (a
trusted connection), enter the following command:
osql -E -S servername\instancename
In the above command:
for servername, substitute the actual name of the MSDE Server.
for instancename, substitute the actual name of the MSDE instance.
4. Verify the prompt in the command prompt window is 1>. This shows you are
connected to the MSDE server.
5. Enter the following command to grant rights for database creation.
1> EXEC sp_addsrvrolemember N'user_logon',N'dbcreator'
2> GO
Replace user_logon with the account being assigned database creation rights.
6. Check the results. An entry of 0 in the command prompt window indicates
success.
7. Enter EXIT to close the osql utility.
8. Run the Websense installer again.
Installing with MSDE 2000
If the proper version of MSDE is not installed, refer to the Websense Knowledge
Base for a download link and further instructions. Search for the exact phrase:
Installing MSDE with Websense software, version 7.
Note
If the prompt is not 1>:
Verify that MSDE is running.
Verify that the service and instance names are
correct.
Run the command in Step 3 again.
Note
If you are replacing a previous MSDE installation or
changing from an English to a non-English MSDE version,
you must uninstall the previous version before installing
the new version.
Important
You must restart the MSDE machine before installing Log
Server.
Installing with SQL Server
Microsoft SQL Server must be purchased separately. If it has not been installed in
your network, see Microsoft documentation for system requirements and installation
instructions. See the Deployment Guide for Websense Web Security Solutions for
which versions of SQL Server are supported.
1. Install SQL Server according to Microsoft instructions, if needed.
2. Make sure SQL Server is running.
3. Make sure SQL Server Agent is running.
4. Obtain the SQL Server logon ID and password for a SQL Server Administrator, or
for an account that has rights to create, modify, and delete databases and tables.
You need this logon ID and password when you install Websense components.
5. Restart the SQL Server machine after installation, and then install Log Server on
an appropriate machine (see Installation procedure: any component, page 38).
6. Make sure the Log Server machine and the TRITON - Web Security machine can
recognize and communicate with SQL Server.
7. Install the SQL Server client tools on the Log Server and TRITON - Web Security
machines. Run the SQL Server installation program, and select Connectivity
Only when asked what components to install.
8. Restart the machine after installing the connectivity option. See Microsoft SQL
Server documentation for details.
Configuring Microsoft SQL Server user roles
Microsoft SQL Server defines SQL Server Agent roles that govern accessibility of the
job framework. The SQL Server Agent jobs are stored in the SQL Server msdb
database.
To install Websense Log Server successfully, the user account that owns the Websense
database must have membership in one of the following roles in the msdb database:
SQLAgentUserRole
SQLAgentReader Role
SQLAgentOperator Role
The SQL user account must also be a member of the dbcreator fixed server role.
Use Microsoft SQL Server Management Studio to grant the database user account the
necessary permissions to successfully install Log Server.
Note
You must restart the machine after installing Microsoft
SQL Server and before installing Log Server.
1. On the SQL Server machine, go to Start > Programs > Microsoft SQL Server
2005 or 2008 > Microsoft SQL Server Management Studio.
2. Select the Object Explorer tree, and then go to select Security > Logins.
3. Select the login account to be used during the installation.
4. Right-click the login account and select Properties for this user.
5. Select User Mapping and do the following:
a. Select msdb in database mapping.
b. Grant membership to one of these roles:
SQLAgentUserRole
SQLAgentReader Role
SQLAgentOperator Role
c. Click OK to save your changes.
6. Select Server Roles, and then select dbcreator. The dbcreator role is created.
7. Click OK to save your changes.
C
Troubleshooting
This appendix provides troubleshooting information for the following installation and
initial configuration issues:
TRITON - Web Security cannot be accessed, page 115
Where can I find download and error messages?, page 116
I am having trouble running the installer on a Linux machine, page 116
I forgot my WebsenseAdministrator password, page 117
The Master Database does not download, page 117
Policy Server fails to install, page 117
Network Agent on Linux fails to start with stealth mode NIC, page 117.
Windows 98 computers are not being filtered as expected, page 118
Network Agent cannot communicate with Filtering Service after it has been
reinstalled, page 118
A General Exception error occurs while installing on Linux, page 118
For issues not related to installation or communication between Websense software
components, see the TRITON - Web Security Help.
For other possible solutions, see the Websense Knowledge Base (kb.websense.com).
If you still need to contact Technical Support, see Technical Support, page 11.
TRITON - Web Security cannot be accessed
When you attempt to access TRITON - Web Security, a browser error message states
the page cannot be found.
TRITON - Web Security requires access to certain ports for operation. Depending on
your environment, you may use the default ports, or configure alternative ports during
installation. If there is a firewall between the browser machine and the TRITON - Web
Security machine, and that firewall blocks any of the required ports, TRITON - Web
Security may not work properly. The firewall must be configured to allow
communication on these ports.
Refer to the Websense Knowledge Base for a list of default port numbers. Search for
the exact phrase default port numbers.
Troubleshooting
The port TRITON - Web Security listens on may have been changed to something
other than the default during installation. This occurs if the installer finds the default
port already in use. To find what port TRITON - Web Security is listening on, check
the knownports.properties file; see page 91.
Where can I find download and error messages?
To find error or status messages related to Master Database downloads and other key
Websense software events:
On Windows machines, use the Event Viewer (Start > Programs > Administrative
Tools > Event Viewer).
On Windows or Linux machines, check the Websense.log file, located in the
Websense bin directory (C:\Program Files\Websense\bin or /opt/Websense/bin, by
default).
The Websense.log file is updated whenever there are errors to record, and can be
viewed in a standard text editor. This file is located on the Policy Server machine.
I am having trouble running the installer on a Linux machine
If Websense software is being installed on a Linux machine that is running a firewall,
shut down the firewall before running the installer.
1. In the command shell, enter the following command to determine if the firewall is
running:
2. If the firewall is running, enter the following command:
service iptables stop
Remember to restart the firewall when the installation is complete.
1. Enter the command:
service iptables start
2. To verify that the firewall is running, enter the command:
Important
Do not install Network Agent on a machine running a
firewall. Network Agent uses packet capturing that may
conflict with the firewall software.
The only exception is a blade server or appliance with
separate processors or virtual processors to support
Network Agent and the firewall software.
Troubleshooting
I forgot my WebsenseAdministrator password
Log on to MyWebsense.com and use the v7.5 Password Reset tool to set a new
WebsenseAdministrator password.
The Master Database does not download
The disk partition on the Filtering Service machine may be too small to accommodate
the Websense Master Database. Increase the size of the partition to 3 GB.
If that does not resolve the issue, there may be problems with the subscription key,
Internet access, or restriction applications that prevent database downloads.
See the TRITON - Web Security Help for troubleshooting instructions.
Policy Server fails to install
If you attempt to install Websense software on a machine with insufficient resources
(RAM or processor speed), Policy Server may fail to install.
Certain applications (such as print services) can bind up the resources that the installer
needs to install Policy Server. If Policy Server fails to install, the installer exits.
If you receive the error message: Could not install current service: Policy Server:
Install Websense software on a different machine. See the Deployment Guide for
system recommendations.
Stop all memory-intensive services running on the machine and then run the
installer again.
Network Agent on Linux fails to start with stealth mode NIC
This problem can be caused by either of the following:
IP address removed from Linux configuration file
Network Agent can work with a stealth mode NIC only if the interface retains its old
IP address in the Linux system configuration file. Network Agent does not start if you
have bound it to a NIC configured for stealth mode, and then removed the IP address
of the NIC from the Linux configuration file (/etc/sysconfig/network-scripts/
ifcfg-<adapter name>).
An interface without an IP address does not appear in the list of adapters displayed in
the Websense installer or in TRITON - Web Security, and is unavailable to use. To
reconnect Network Agent to the NIC, restore the IP address in the configuration file.
Troubleshooting
Stealth mode NIC selected for Websense communications in Linux
NICs configured for stealth mode in Linux are displayed in the Websense installer as
choices for communications. If you have accidently selected a stealth mode NIC for
communications, Network Agent cannot start, and Websense services cannot work.
1. Go to the Websense bin directory on the Network Agent machine (/opt/Websense/
bin, by default) and open the websense.ini file in a text editor.
2. Change the value of LocalServerIP to the IP address of a NIC in normal mode.
3. Navigate to the Websense directory (/opt/Websense/, by default) and run the
following command:
./WebsenseAdmin restart
Windows 98 computers are not being filtered as expected
If you are running DC Agent for user identification, your Windows 98 computer
machine names must not contain any spaces. Blank spaces in the machine name could
prevent DC Agent from receiving a user name when an Internet request is made from
that computer. Check the machine names of any Windows 98 computers experiencing
filtering problems and remove any spaces you find.
Network Agent cannot communicate with Filtering Service after
it has been reinstalled
When Filtering Service has been uninstalled and reinstalled, Network Agent does not
automatically update the internal identifier (UID) for the Filtering Service.
See the Network Configuration topic in TRITON - Web Security Help for more
information.
A General Exception error occurs while installing on Linux
As the installer is configuring Policy Server, an error message is displayed with a
value of null. After you press Enter, a message states that the installation completed
successfully.
To resolve this problem:
1. To stop all Websense services, navigate to the Websense directory and run the
following command:
./WebsenseAdmin stop
2. Navigate to the root directory, and then use the following command to remove the
/opt/Websense directory:
rm -fr /opt/Websense
If you were installing Websense software in another directory, substitute the
appropriate directory name.
Troubleshooting
3. Navigate to the /etc directory and use the following command to delete the
Websense file:
rm /etc/Websense
4. Kill all Websense processes:
a. Locate all processes that include Websense in their name:
ps -ef | grep Websense
b. Also locate the BrokerService and postgres processes. If Remote Filtering
Server is installed on the machine, include SecureWISPProxyApp, as well.
c. Run kill -9 on all of these processes used by Websense software.
5. Run this command:
hostname -f
If the value comes back as unknown hostname, modify the hosts file:
a. Enter a line like this:
ipaddress mymachinename.mydomain.com mymachinename
Here, ipaddress is the machine's IP address, and mymachinename and
mydomain are the machines name and domain.
To find the IP address, run this command: ifconfig
b. Save the hosts file.
6. Run the hostname command:
hostname mymachinename.mydomain.com
7. Restart the network service:
service network restart
8. Run the Websense installer again.
Troubleshooting
Index
A
accessing TRITON - Web Security, 91
Active Directory
running logon script from, 99100
Address Resolution Protocol (ARP), 104
Apache2Websense
defined, 7
ApacheTomcatWebsense
defined, 7
authentication
RADIUS Agent, 62
B
Bandwidth Optimizer, 7, 9, 18, 49
basic authentication, 92
block page URL, 95
bytes transferred, 7
C
clear text, 92
components, 7
adding, 38
removing, 78
creation rights
database
setting with OSQL utility, 111
customer support, 11
D
database
creation error messages, 111
creation rights
setting with OSQL utility, 111
engine location, 107
location, 107
SQL Server
setting creation rights, 111
database download, See Master Database
download
DC Agent
defined, 8
installing separately
Windows, 5961
required privileges for, 19
deployment
task list, 10
Directory Agent
defined, 9
directory path for installation
Linux, 35, 40
Windows, 35, 40
DNS server, 95
documentation
product guides and applicability, 6
Websense documentation Web site, 6
domain administrator privileges, 19, 57
download
extracting installation files, 20
E
eDirectory Agent
defined, 8
installing separately, 61
eimserver.ini file
identifying Filtering Service for block
page URL, 95
engine
database engine location, 107
error messages
case-sensitivity, 110
collation, 110
database version, 109
installation, 109
location of, 116
table creation, 111
Index
F
filtering plug-in
defined, 8
Filtering Service
defined, 7
identifying for block page URL, 95
I
installation
Custom option, 15
DC Agent
Windows, 5961
eDirectory Agent, 61
Logon Agent, 63
Network Agent
Windows, 4849
RADIUS Agent, 62
Remote Filtering Server, 68
separate machine, 3772
TRITON - Web Security, 52
Usage Monitor
Windows, 51
installing
concerns, 106
with MSDE 2000, 112
with SQL Server, 113
IP addresses
defining ranges for Network Agent, 48
disabling for stealth mode, 104
stealth mode, 103
L
launching TRITON - Web Security, 91
Linking Service
defined, 9
Linux
error messages, 116
removing components, 8384
starting and stopping Websense
services, 8586
Log Database, 19
Log Server
defined, 8
Logon Agent
defined, 8
LogonApp.exe
configuring to run
Active Directory, 99100
Windows NTLM, 101
location of, 96
script for, 9899
M
MAC address, 104
Master Database
description of, 7
download
failure, 117
Master Database download
error message location, 116
messages
case-sensitivity errors, 110
collation error messages, 110
database creation errors, 111
database version errors, 109
installation error messages, 109
modifying an installation, 7783
MSDE
database version error messages, 109
installing with MSDE 2000, 112
N
Network Agent
bandwidth optimizer, 18, 49
defined, 7
installing separately
Windows, 4849
network interface card, 102
on firewall machine, 16, 18, 116
protocol management, 49
stealth mode NIC, 103104
network interface cards (NIC)
configuring for stealth mode
Linux, 104
Windows, 104
installation tips, 18
O
OSQL utility
database
Index
P
password, forgotten, 117
Policy Broker
defined, 7
Policy Database
defined, 7
Policy Server
defined, 7
failure to install, 117
Protocol Management, 7, 18, 49
R
RADIUS Agent
defined, 8
Remote Filtering Client
defined, 8
Remote Filtering Server
defined, 8
installing, 68
removing components
Linux, 8384
Windows, 8183
Reporting
components, 8
installation concerns, 106
running TRITON - Web Security, 91
S
setup
block page URL, 95
SQL Enterprise Manager
database
SQL Express, not supported, 109
SQL Server
database
setting creation rights with Enterprise
Manager, 111
database version error messages, 109
installing with, 113
stealth mode
configuring
Linux, 104
Windows, 104
definition, 103
problems with NIC, 117118
using with Network Agent, 103
Sync Service
defined, 9
T
technical support, 11
TRITON - Web Security, 91
defined, 7
launching, 91
trusted connection, 19
U
Usage Monitor
defined, 7
User Service
defined, 7
required privileges, 19, 57
W
Websense communications
selecting a NIC for, 103
Websense Control Service
defined, 7
Websense Master Database, See Master
Database
Websense services
manually stopping, 85
starting and stopping
Linux, 8586
Windows, 85
Websense software
components, 7
Websense Web Filter
components
overview, 79
removing, 78
functional overview, 9
initial configuration, 89
Websense Web Filter components,
adding, 38
Websense Web Security
components
overview, 79
removing, 78
Index
components, adding, 38
functional overview, 9
initial configuration, 89
Websense.log, 116
Windows
error messages, 116
installation, 2237
removing components on, 8183
starting and stopping Websense
services, 85
Windows NTLM
running logon script from, 101
Windows trusted connection, 19

WWS Installation Guide

Caricato da

Informazioni sul documento

Descrizione originale:

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

WWS Installation Guide

Caricato da

Copyright:

Formati disponibili

I nstal l at i on Gui de

directory services to transparently identify

eDirectory to transparently identify

Potrebbero piacerti anche