Transcription

Upgrade Instructions: Web Securityand Web FilterUpgrade Instructions Web Security and Web Filter Version 7.8.xThese instructions describe how to upgrade Websense Web Security and Web Filterserver components (Windows or Linux) from v7.6.x or v7.7.x to v7.8.x.They also describe how to install Websense appliance-based components from v7.7.xto v7.8.x. If you have a v7.6.x Web Security or Web Filter deployment that includesappliance-based components, see Instructions for upgrading to v7.7.x for the steps toperform before upgrading to v7.8.x.Note that the following operating systems are no longer supported in v7.8.x. If you areusing one of these operating systems, you must migrate your operating system beforeupgrading to v7.8.x, as outlined below:v7.6.xRed Hat EnterpriseLinux 41.2.3.4.Migrate to Red Hat Enterprise Linux 5.Upgrade to v7.7.x on the new platform.Migrate to Red Hat Enterprise Linux 6.Upgrade to v7.8.x on the new platform.v7.6.xWindows 20031. Migrate to Windows 2008 R2.2. Upgrade to v7.8.x.v7.7.xRed Hat EnterpriseLinux 51. Migrate to Red Hat Enterprise Linux 6.2. Upgrade to v7.8.x on the new platform.v7.7.xWindows 2008 (32bit)1. Migrate to Windows 2008 R2.2. Upgrade to v7.8.x on the new platform.To perform a migration and incremental upgrade, see: Migration instructions for upgrading to v7.7.x (Find links to detailed instructionsat the bottom of the page, under the table.)Instructions for upgrading to v7.7.xMigration instructions for upgrading to v7.8.x (Find links to detailed instructionsat the bottom of the page, under the table.)The upgrade process is designed for a properly functioning Websense Web Security orWeb Filter deployment. Upgrading does not repair a non-functional system.Upgrade Instructions 1

Upgrade Instructions: Web Security and Web FilterBeginning with v7.8.4, you have the option to upgrade your Web Security deploymentincrementally, rather than upgrading all machines and components at the same time.This allows you to upgrade individual Policy Server instances and their dependentcomponents as separate "logical deployments." Policy Server instances that have notbeen upgraded and their dependent components continue to function normally atv7.8.3. Please see the new Incremental Upgrade guide for details.ImportantBefore you start the upgrade process, the SQL ServerAgent jobs associated with the Log Database must bestopped as described in Step 1: Prepare for upgrade, page2. Please coordinate with your database administrator, ifneeded, before beginning the upgrade process.Note that this requirement does not apply to SQL ServerExpress. Step 1: Prepare for upgrade, page 2 Step 2: Prepare appliances for upgrade (appliance-only), page 4 Step 3: Restart services before starting the upgrade, page 6 Step 4: Upgrade the Policy Broker machine, page 7 Step 5: Upgrade additional Policy Server machines, page 11 Step 6: Upgrade additional Filtering Service, Network Agent, and User Servicemachines, page 15 Step 7: Upgrade Websense Log Server, page 19 Step 8: Upgrade the TRITON management server, page 21 Step 9: Upgrade any additional components, page 22Step 1: Prepare for upgradeBefore upgrading Web Security or Web Filter:1. Make sure the installation machine meets the hardware and operating systemrecommendations in System requirements for this version.2. If your Websense software is integrated with a third-party firewall, proxy server,or caching application, make sure that your integration product is supported in thisversion.In v7.8.x, the supported third-party integration products are:ProductVersionsMicrosoft Forefront TMG2008 or laterCisco ASAv8.0 or later2 Websense Web Security Gateway Anywhere

Upgrade Instructions: Web Security and Web FilterProductVersionsCisco RouterIOS v15 or laterCitrix Presentation Server4.5Citrix XenApp5.0, 6.0, or 6.5In addition, Blue Coat appliances can be integrated via the Websense ICAPService.3. Verify that third-party components that work with your Websense software,including your database engine and directory service, are supported. SeeRequirements for Web Security solutions.4. Back up all of your Websense components before starting the upgrade process.See the Backup and Restore FAQ for instructions.The Backup and Restore FAQ includes instructions for backing up both theTRITON infrastructure and Web Security components.On Websense appliances, be sure to perform a full appliance configurationbackup.5. Before upgrading Websense Filtering Service, make sure that the Filtering Servicemachine and the TRITON management server have the same locale settings(language and character set).After the upgrade is complete, Filtering Service can be restarted with any localesettings.6. Back up your current Log Database and stop Log Server.WarningIf database operations are active during upgrade, theWebsense Log Database may be left in an inconsistentstate, rendering it unusable.When this occurs, it can be difficult to fix.Make sure to stop Log Server and the database jobs, asdescribed below, before upgrading the database.a. Back up Web Security reporting databases.Refer to Microsoft documentation for instructions on backing up databases.The Websense Web Security databases are named wslogdb70 (the catalogdatabase), wslogdb70 n (standard logging partition databases), andwslogdb70 amt 1 (threats partition database).b. On the Log Server machine, use the Windows Services tool to stop WebsenseLog Server.7. Stop all database jobs associated with the Web Security Log Database:If you have a full version of Microsoft SQL Server (not Express):a. Log in to the Microsoft SQL Server Management Studio and expand SQLServer Agent Jobs (in Object Explorer).Upgrade Instructions 3

Upgrade Instructions: Web Security and Web Filterb. To disable all currently active Websense SQL Server Agent jobs, right-clickeach of the following jobs and select Disable: Websense ETL Job wslogdb70 Websense AMT ETL wslogdb70 Websense IBT DRIVER wslogdb70 Websense Trend DRIVER wslogdb70 Websense Maintenance Job wslogdb70Disabling the jobs prevents them from executing at the next scheduled time,but does not stop them if a job is in process.Make sure all jobs have completed any current operation beforeproceeding with upgrade.c. After upgrade, remember to enable the disabled jobs to resume normaldatabase operations.If you have SQL Server Express, use the Windows Services tool to restart theMSSQLSERVER service prior to upgrade, in order to ensure that the ServiceBroker jobs are not running.8. If Websense Log Server uses a Windows trusted connection to access the LogDatabase, be sure to log on to the Log Server machine using the trusted account toperform the upgrade. To find out which account is used by Log Server:a. Launch the Windows Services tool.b. Scroll down to find Websense Log Server, then check the Log On Ascolumn to find the account to use.9. If your deployment includes V-Series appliances, continue with the next section(Step 2: Prepare appliances for upgrade (appliance-only), page 4.If you have a software-only deployment, skip to Step 3: Restart services beforestarting the upgrade, page 6.Step 2: Prepare appliances for upgrade (appliance-only)Before applying the 7.8.x patch, perform the following tasks and be aware of thefollowing issues.Apply the v7.7 pre-upgrade hotfixBefore upgrading any Websense appliance to v7.8.x, a v7.7.x hotfix is required.Until the hotfix is installed, it is not possible to download (or upload) the v7.8.xupgrade patch files to the appliance.1. To get the hotfix, in the Appliance manager, go to the Hotfixes tab of theAdministration Patches/ Hotfixes page.2. Enter the name of the hotfix to download and install on the appliance if it’s not inthe drop-down list. For example, if you are upgrading from: v7.7.0, look for APP-7.7.0-0904 Websense Web Security Gateway Anywhere

Upgrade Instructions: Web Security and Web Filter v7.7.3, look for APP-7.7.3-0903. Click Find to locate the hotfix.4. Click Download.When the download is done, the hotfix appears in the table of downloadedhotfixes with the status Ready to install.5. Click Install to apply the hotfix. The installation may temporarily interrupt someservices.6. Click OK to continue. It may take more than 5 minutes to install the hotfix.After the hotfix is installed, manually restart the appliance from the Appliancemanager:1. Navigate to the Status General page.2. Under Appliance Controller, click Restart Appliance.Restarting the appliance takes from 5 to 8 minutes. The appliance has successfullyrestarted when you’re returned to the Appliance manager logon page.Repeat this process for each appliance that you intend to upgrade to v7.8.x.Note that each appliance must be upgraded to v7.8.1 before upgrading to v7.8.2.Network Agent settingsIn the majority of deployments, upgrade preserves all Network Agent settings.However, when the following conditions are true, the upgrade process does notpreserve several Network Agent settings: There is a Filtering only appliance that is configured to get policy informationfrom the Policy Broker machine (either the Full policy source appliance or anoff-appliance software installation).There is an off-appliance Network Agent installation that uses the FilteringService on the Filtering only appliance, and uses the Policy Server on the PolicyBroker machine.When the above conditions are true and the upgrade is performed, the settings for theoff-appliance Network Agent installation are not retained.In this case, record your Network Agent settings (configured in the Web Securitymanager) before performing the upgrade. Go to the Local Settings page for eachNetwork Agent instance (Settings Network Agent agent IP address) and recordall of its settings.The following local settings are not preserved. Filtering Service IP address If Filtering Service is unavailable Proxies and Caches Port MonitoringUpgrade Instructions 5

Upgrade Instructions: Web Security and Web Filter Ignore Port Debug SettingNIC Configuration settings (from the Settings Network Agent NICConfiguration page for each NIC) are also not preserved: Use this NIC to monitor traffic Monitor List Monitor List ExceptionsSave your record where you can easily access it when the upgrade is complete.Disable on-appliance TRITON consoleIn version 7.8.x, the Web Security manager cannot reside on an appliance. Disable theon-appliance TRITON console and create a Windows-based TRITON managementserver before upgrading.Complete instructions can be found in Migrating the Web Security manager off of aWebsense appliance.Step 3: Restart services before starting the upgradeMost Websense services must be running before the upgrade process begins. If anyservice (other than Log Server) is stopped, start it before initiating the upgrade.The installer will stop and start Websense services as part of the upgrade process. Ifthe services have been running uninterrupted for several months, the installer may notbe able to stop them before the upgrade process times out. To ensure the success of the upgrade, manually stop and start all the Websenseservices except Log Server before beginning the upgrade. (Log Server shouldremain stopped, as described in Step 1: Prepare for upgrade, page 2.) Windows: Navigate to the Websense Web Security directory (C:\ProgramFiles (x86)\Websense\Web Security\, by default) and enter the followingcommand:WebsenseAdmin restart Linux: Navigate to the Websense directory (/opt/Websense/, by default) andenter the following command:./WebsenseAdmin restart On Windows machines, if you have configured the Recovery properties of anyWebsense service to restart the service on failure, use the Windows Servicesdialog box to change this setting to Take No Action before upgrading.6 Websense Web Security Gateway Anywhere

Upgrade Instructions: Web Security and Web FilterInternet access during the upgrade processWhen you upgrade, policy enforcement stops when Websense services are stopped.Users have unrestricted access to the Internet until the Websense services arerestarted.The Websense Master Database is removed during the upgrade process. WebsenseFiltering Service downloads a new Master Database after the upgrade is completed.Step 4: Upgrade the Policy Broker machineYou must upgrade the machine that hosts the primary (or standalone) WebsensePolicy Broker first, regardless of which other components on are on the machine.Policy Broker may reside on: A Websense full policy source appliance A Windows Server 2008 R2 or R2 SP1, or 2012 (64-bit) machine A RHEL 6.x machine (64-bit)Any other components on the Policy Broker machine are upgraded along with PolicyBroker.If your configuration includes a primary Policy Broker and one or more replica PolicyBrokers, you must upgrade the primary Policy Broker first. An attempt to upgrade areplica Policy Broker without first upgrading the primary will result in an errormessage. You will be required to exit the upgrade for that machine and upgrade theprimary Policy Broker before continuing.Upgrade replica Policy Brokers after the primary has been upgraded and beforeattempting to upgrade any Policy Servers associated with them. If Policy Server isinstalled on the same machine, it will be upgraded at the same time.Jump to the section with the upgrade instructions for the platform that hosts theprimary (or standalone) Policy Broker: Policy Broker: Appliance upgrade instructions, page 7 Policy Broker: Windows upgrade instructions, page 9 Policy Broker: Linux upgrade instructions, page 10Policy Broker: Appliance upgrade instructionsBefore you begin: Make sure you have finished installing Hotfix 90, as described in the preparationsteps at the start of the upgrade instructions.Log on to the Appliance manager directly, rather than using single sign-on fromthe TRITON console. This avoids potential timeout problems while the upgradepatch is being loaded onto the appliance.Upgrade Instructions 7

Upgrade Instructions: Web S