v6.

Installation Guide
for the
Stand-Alone Edition
Websense Enterprise Installation Guide
©1996–2005, Websense, Inc.
10240 Sorrento Valley Rd., San Diego, CA 92121, USA
All rights reserved.
Published September 22, 2005
Printed in the United States of America
NP33-0003EIM
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic
medium or machine-readable form without prior consent in writing from Websense, Inc.
Every effort has been made to ensure the accuracy of this manual. However, Websense, Inc., makes no warranties with
respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose.
Websense, Inc., shall not be liable for any error or for incidental or consequential damages in connection with the furnishing,
performance, or use of this manual or the examples herein. The information in this documentation is subject to change
without notice.
Trademarks
Websense and Websense Enterprise are registered trademarks of Websense, Inc. in the United States and certain
international markets. Websense has numerous other unregistered trademarks in the United States and internationally. All
other trademarks are the property of their respective owners.
Microsoft, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
Sun, Solaris, UltraSPARC, Sun Java System, and all Sun Java System based trademarks and logos are trademarks or
registered trademarks of Sun Microsystems, Inc., in the United States and other countries.
Red Hat is a registered trademark of Red Hat, Inc., in the United States and other countries. Linux is a trademark of Linus
Torvalds in the United States and other countries.
Novell, Novell Directory Services, eDirectory, and ZENworks are trademarks or registered trademarks of Novell, Inc., in
the United States and other countries.
Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the U.S. and other
countries.
This product includes software developed by the Apache Software Foundation (http://www.apache.org).
Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies
and are the sole property of their respective manufacturers.
WinPcap
Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy).
Copyright (c) 2005 CACE Technologies, Davis (California).
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
• Neither the name of the Politecnico di Torino, CACE Technologies nor the names of its contributors may be used to
endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 Contents

Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Websense Enterprise Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
How Websense Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Deployment Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Chapter 2 Network Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Websense Enterprise Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Websense Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Solaris. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Switched Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
NAT and Network Agent Deployment . . . . . . . . . . . . . . . . . . . . . . .27
Directory Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
User Workstations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
External Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Chapter 3 Upgrading Stand-Alone Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Versions Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Transferring Configuration Data Without Upgrading . . . . . . . . . . . . . . .32
Before You Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Upgrading on Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Upgrading on Solaris or Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Changing IP Addresses of Installed Components . . . . . . . . . . . . . . . . . .43
Chapter 4 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Before Installing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

Stand-Alone Edition 3
Contents

Installing Websense Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Solaris or Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Installing Websense Enterprise Components Separately . . . . . . . . . . . . 72
Windows Procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Websense Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Network Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
DC Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Real-Time Analyzer (RTA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Usage Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
RADIUS Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
eDirectory Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Logon Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Remote Filtering Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Remote Filtering Client Pack. . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Remote Filtering Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Solaris and Linux Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Websense Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Network Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Usage Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
RADIUS Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
eDirectory Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Logon Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Remote Filtering Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Modifying an Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Adding Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Solaris or Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Removing Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Solaris or Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Repairing an Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Solaris or Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Repairing the Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Stopping or Starting Websense Services . . . . . . . . . . . . . . . . . . . . . . . 157
Manually Stopping Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

4 Websense Enterprise
 Contents

Optional Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157

Principal Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Solaris and Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Chapter 5 Initial Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Subscription Key and Master Database Download . . . . . . . . . . . . . . . .162
Identifying the Filtering Service for the Block Page URL . . . . . . . . . .166
Displaying Protocol Block Messages . . . . . . . . . . . . . . . . . . . . . . . . . .167
Creating and Running the Script for Logon Agent . . . . . . . . . . . . . . . .168
Prerequisites for Running the Logon Script . . . . . . . . . . . . . . . . . . .168
File Location. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Deployment Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Preparing the Logon Script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Script Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Websense User Map and the Persistent Mode . . . . . . . . . . . . . .170
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Configuring the Logon Script to Run. . . . . . . . . . . . . . . . . . . . . . . .171
Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Windows NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
Configuring Network Agent to use Multiple NICs . . . . . . . . . . . . . . . .174
Configuring Firewalls or Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Firewall Configuration for Remote Filtering. . . . . . . . . . . . . . . . . . . . .175
Virtual Private Network (VPN) Connections. . . . . . . . . . . . . . . . . .175
Appendix A Stealth Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Configuring for Stealth Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
Solaris or Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Appendix B Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
I made a mistake during installation . . . . . . . . . . . . . . . . . . . . . . . . . . .182
I forgot my Websense Policy Server password . . . . . . . . . . . . . . . . . . .182
Where can I find download and error messages? . . . . . . . . . . . . . . . . .182
Windows 2000 and 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182

Stand-Alone Edition 5
Contents

The Master Database does not download. . . . . . . . . . . . . . . . . . . . . . . 183

Subscription Key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Internet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Restriction Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Policy Server fails to install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
I upgraded Websense, and configured users no longer appear
under Directory Objects in Websense Manager. . . . . . . . . . . . . . . . . . 185
Network Agent fails to start with stealth mode NIC . . . . . . . . . . . . . . 185
IP address removed from Linux configuration file . . . . . . . . . . . . . 185
Stealth mode NIC selected for Websense communications
in Solaris and Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Windows 9x workstations are not being filtered as expected . . . . . . . 186
Some users are receiving the Websense Global policy . . . . . . . . . . . . 186
Domain Controller Visibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
NetBIOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
User Profile Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Websense Enterprise splash screen is displayed, but installer
does not launch on Windows 2000. . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Network Agent cannot communicate with Filtering Service after
it has been reinstalled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Appendix C Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Websense Technical Services Support Center . . . . . . . . . . . . . . . . . . . 191
Premium Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Support Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Web Portal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Email Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Telephone Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Customer Care . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Improving Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

6 Websense Enterprise
CHAPTER 1
Introduction
Thank you for choosing Websense Enterprise®, the leading web filtering
system. Using Websense provides you with a highly effective internet filtering
service.
Websense gives network administrators in business, education, government,
and other enterprises the ability to monitor and control network traffic to
internet sites. In the business setting, Websense Enterprise is an invaluable
tool for minimizing employee downtime due to internet surfing that is not
work related. In addition, Websense helps control the misuse of network
resources and the threat of potential legal action due to inappropriate access.
Websense, Inc. strongly recommends that your users be informed of your
organization’s policies concerning internet access, and that Websense
Enterprise has been installed as a tool for monitoring activity and/or enforcing
your internet use policies.

About this Guide

All installation procedures in this guide apply equally to Websense Enterprise
and Websense Enterprise – Corporate Edition. The same software is installed
for these two products, but the Corporate Edition feature set is enabled only if
you enter a Corporate Edition subscription key. For information about
Corporate Edition features, refer to the Websense Enterprise Administrator’s
Guide.
If you are installing Websense Web Security Suite™, Websense Web Security
Suite – Lockdown Edition™, Websense Web Security Suite – Corporate
Edition, or Websense Web Security Suite Lockdown – Corporate Edition,
read the Websense Web Security Suite Quick Start Guide first. The Quick Start
Guide contains the installation and setup instructions that are specific to the
Web Security Suite products and are not found in any other document. You
can download the Quick Start Guide from: http://www.websense.com/global/
en/SupportAndKB/ProductDocumentation. If you are installing Web
Security Suite as a stand-alone product, the installation and setup information

Stand-Alone Edition 7
Chapter 1: Introduction

provided in this installation guide is required to install the Web Security Suite
components of your Websense Web Security Suite product.

Websense Enterprise Components

The following is a list of Websense Enterprise components. For detailed
information about each of these components, refer to the Websense Enterprise
Administrator’s Guide:
‹ Filtering Service: interacts with the Network Agent to provide web
filtering.
‹ Policy Server: stores all Websense Enterprise configuration information
and communicates this data to other Websense services.
‹ Websense Manager: administrative interface that allows you to
configure and manage Websense functionality through the Policy Server.
Websense Manager is used to define and customize internet access
policies, add or remove clients, configure Policy Server, and much more.
‹ User Service: allows you to apply filtering policies based on users,
groups, domains, and organizational units.
‹ Network Agent: detects all internet activity and checks both URL and
protocol requests with the Filtering Service. Besides its role as a stand-
alone filtering agent, the Network Agent also calculates the number of
bytes transferred and sends a request to the Filtering Service to log this
information.
‹ Usage Monitor: tracks users’ internet activity and sends alerts when
configured threshold values are crossed.
‹ DC Agent: an optional component that transparently identifies users who
authenticate through a Windows® directory service. DC Agent enables
Websense to filter internet requests according to particular policies
assigned to users or groups.
‹ RADIUS Agent: an optional component that works through a RADIUS
Server to transparently identify users and groups who access your
network using a dial-up, Virtual Private Network (VPN), Digital
Subscriber Line (DSL), or other remote connections.
‹ eDirectory Agent: an optional component that works together with
Novell eDirectory to transparently identify users so that Websense can
filter them according to particular policies assigned to users or groups.

8 Websense Enterprise
 Chapter 1: Introduction

‹ Logon Agent: an optional component that works with a Websense client

application (LogonApp.exe) to transparently identify users as they log
on to a Windows domain via client machines. Logon Agent can be used
with a Windows NT-based directory service or with Active Directory,
which is LDAP-based. Logon Agent receives its user information from
the logon application, LogonApp.exe, which must be run by a logon
script in your network.
‹ Real-Time Analyzer (RTA): displays the real-time status of all the traffic
filtered by Websense Enterprise. RTA graphically displays bandwidth
information and shows requests by category or protocol.
‹ Remote Filtering Server: an optional component that provides web
filtering for machines located outside your organization’s network
firewall or internet gateway. In order to be filtered through the Remote
Filtering Server, a remote workstation must be running the Remote
Filtering Client. The Remote Filtering Server is enabled only if you
subscribe to the remote filtering service.
‹ Remote Filtering Client: an optional component installed on client
machines, such as notebook computers, that will be used outside your
organization’s network firewall or internet gateway. This component
connects with a Remote Filtering Server inside the network firewall to
enable web filtering of the remote workstation. The Remote Filtering
Client is enabled only if you subscribe to the remote filtering service.
‹ Websense Master Database: contains a collection of more than
11 million internet sites, each categorized by content. In addition, the
Master Database contains protocols for such things as streaming media,
peer-to-peer file sharing, and instant messaging.
‹ Websense Enterprise Reporter: a separate program available free of
charge with Websense Enterprise. Its Log Server component records
internet activity on your network. Using this log information, Reporter
can generate a wide variety of reports and charts depicting your network’s
internet usage trends. These reports can be used to refine internet filtering
strategies, helping to maximize network resources and employee
productivity. Refer to the Websense Enterprise Reporter documentation
for installation and configuration procedures.
‹ Websense Enterprise Explorer: a web-based reporting application
available free of charge with Websense Enterprise. Explorer provides a
customizable view into the Log Database. It displays summary
information, as well as specific detail about users’ internet activity. Refer
to the Websense Enterprise Explorer Administrator’s Guide for
installation and configuration procedures.

Stand-Alone Edition 9
Chapter 1: Introduction

‹ Websense Enterprise Explorer for Unix: a web-based reporting

application available free of charge with Websense Enterprise. Explorer
for Unix provides the same functionality as Websense Enterprise
Explorer, but for UNIX-based operating systems. Refer to the Websense
Enterprise Explorer Administrator’s Guide for installation and
configuration procedures.

How Websense Works

Websense Enterprise is the engine by which content filtering is enforced. With
its flexible, policy-based filtering approach, Websense allows you to apply
different filtering policies to different clients (users, groups, domains/
organizational units, workstations, or networks).
When the Network Agent detects an internet request from a client, it queries
Websense Enterprise to find out whether the requested site should be blocked
or not. To make this determination, Websense consults the policy assigned to
the client. Each policy delineates specific time periods during the week and lists
the category sets that are in effect during those time periods. After it determines
which categories are blocked, Websense Enterprise consults its comprehensive
database of internet addresses (URLs). If the site is assigned to a blocked
category, the Filtering Service sends a block page to the requesting
workstation before the requested site can be returned from the internet. The
Network Agent then instructs the workstation browser not to accept the
requested site when it is returned from the internet. At the same time, it
instructs the server at the requested internet site not to send any more
information.
Websense Enterprise filters network applications that use TCP-based protocols
and measures bandwidth usage of UDP-based messages as well. If an initial
internet request is made with TCP, and the request is blocked by Websense
Enterprise, all subsequent UDP traffic will also be blocked. UDP protocols such
as RTSP and RTP are monitored and logged by Websense Enterprise.
The Quota feature is an alternative to full blocking. It gives employees time
each day to visit sites in categories you deem appropriate. Quotas can be a
powerful tool for internet access management. Quotas help you control how
much time your employees spend on personal surfing and the types of sites
they are able to access. For more information, refer to your Websense
Enterprise Administrator's Guide.

10 Websense Enterprise
 Chapter 1: Introduction

With the Protocol Management feature, Websense Enterprise can filter

internet protocols other than HTTP. This includes protocols, applications, or
other data transfer methods such as those used for instant messaging,
streaming media, file sharing, file transfer, internet mail, and various other
network or database operations.
If you have purchased Bandwidth Optimizer, Websense Enterprise can filter
internet sites, protocols, or applications based on available network bandwidth.
You can specify filtering settings to limit user access to sites, protocols, or
applications based on bandwidth usage.
If you have purchased the Instant Messaging (IM) Attachment Manager, you
can configure Websense Enterprise to restrict file attachment sending and file
sharing with IM clients. This feature enhances the default IM controls in
Websense Enterprise by allowing you to permit certain IM traffic while
blocking the transfer of attachments by those IM clients.

Deployment Tasks
The following sequence is recommended for installing Websense Enterprise
and configuring it to filter internet traffic with the Network Agent.
1. Plan the Websense deployment: Websense components can be deployed
in various combinations depending upon the size and architecture of your
network. Deciding what Websense components to install and where to put
them is your first task. The information required to make this decision can
be found in the Websense Enterprise Deployment Guide. For an overview
of basic deployment in a small network (< 500 users), see Chapter 2:
Network Configuration.
2. Install Websense: Once you have decided how to deploy Websense on
your network, you must install the selected components and perform
initial setup tasks. Refer to Chapter 4: Installation for the installation
procedures for each operating system.

Stand-Alone Edition 11
Chapter 1: Introduction

12 Websense Enterprise
CHAPTER 2
Network Configuration
Websense Enterprise components can be installed in a number of possible
configurations, depending upon the nature of your network and your filtering
requirements. To determine the appropriate deployment for your network, and
for a complete list of system requirements, please refer to the Websense
Enterprise Deployment Guide.
The information in this chapter provides an overview of where Websense
Enterprise components can be installed to help you determine the relationship
of Websense components to one another.

Websense Enterprise Components

When deciding how to deploy Websense Enterprise components in your
network, consider the following installation dependencies:
‹ Filtering Service: typically installed on the same machine as the Policy
Server and may be installed on the same machine as the Websense
Manager. The Filtering Service can be installed on a different operating
system than the Policy Server, as long as they are properly configured to
communicate with each other. This is an unusual deployment. The
Filtering Service installs on Windows, Solaris, and Linux. You can install
a maximum of 10 Filtering Services for each Policy Server if they employ
quality network connections. For additional information, refer to the
Websense Enterprise Deployment Guide.
‹ Policy Server: typically installed on the same machine as the Filtering
Service, but may be installed on a separate machine, depending upon the
configuration of your network. There must be only one Policy Server
installed for each logical installation. An example would be a Policy Server
that delivers the same policies and categories to each machine in a subnet.
The Policy Server installs on Windows, Solaris, and Linux.

Stand-Alone Edition 13
Chapter 2: Network Configuration

‹ Websense Manager: may be installed on the same machine as the Policy

Server, and/or on one or more different machines in your network. The
Websense Manager machine needs network access to the Policy Server
machine, but the two machines do not need to have the same operating
system. The Websense Manager installs on Windows and Solaris.
‹ User Service: installed in networks using a directory service for
authentication. User Service is unnecessary if you intend to filter and log
internet requests based on client workstation IP addresses only. User
Service can be installed on the same operating systems supported by the
Policy Server and is typically installed on the same machine; however,
you may install User Service on a different operating system than the
Policy Server. If the Policy Server is installed on Linux, for example, you
can install User Service separately on a Windows machine. User Service
installs on Windows, Solaris, and Linux.

IMPORTANT
i
You can have only one User Service installation for each
Policy Server in your network.

For systems providing multilingual support, User Service produces

correct results for one locale only. The locale of the Policy Server
determines the language it supports for directory services. Organizations
with multilingual support requirements must install the product suite
(User Service, Policy Server, and the Filtering Service) for each supported
language on machines configured for that language.
‹ Network Agent: Network Agent installs on Windows, Solaris, and
Linux. When planning the deployment of the Network Agent consider the
following:
„ The Network Agent must be able to directly see 2-way internet traffic
from your internal network to filter and log effectively. Make sure
your network configuration routes both the internet request from the
workstation and the response from the internet back to the
workstation past the Network Agent. For the best performance, install
the Network Agent on a dedicated machine, connected to an
unmanaged, unswitched hub that is located between an external
router and your network. See Switched Environments, page 24 if you
are installing Network Agent in a network that employs switches.

14 Websense Enterprise
 Chapter 2: Network Configuration

„ For small to medium sized organizations, the Network Agent can be

installed on the same server machine as the other Websense
Enterprise components, assuming that the server meets the minimum
system requirements. For larger organizations, you may want to put
the Network Agent on a separate, dedicated server to increase the
amount of traffic that can be managed.
„ On larger networks, you may need to install multiple Network Agents
and assign them to monitor various IP address ranges in your network.
Make sure that the IP address ranges for each instance of the Network
Agent do not overlap. This will result in double logging. Deploy the
Network Agents so that they can filter the entire network. Partial
deployment will result in incomplete filtering by protocol and
bandwidth, and incomplete basic HTTP filtering, as well as the loss
of log data from network segments not watched by the Network
Agent. For instructions on defining IP address ranges for multiple
Network Agents, refer to the Websense Enterprise Administrator’s
Guide.
„ Avoid deploying the Network Agent across different LANs. If you
install an instance of Network Agent on 192.x.x.x and configure it to
communicate with a Filtering Service on 10.x.x.x through a variety of
switches and routers, communication may be slowed enough to
prevent the Network Agent from blocking an internet request in time.
„ Do not install the Network Agent on a machine running any type of
firewall. The Network Agent uses a packet capturing utility which
may not work properly when installed on a firewall machine.
‹ Usage Monitor: typically installed on the same machine as the Policy
Server, but may be installed on a separate machine in your network that
has access to the Policy Server machine. The Usage Monitor installs on
Windows, Solaris, and Linux.

IMPORTANT
i
You can have only one installation of Usage Monitor for
each Policy Server in your network.

‹ Real-Time Analyzer (RTA): can be installed on the same machine as the

Filtering Service or on a separate machine. The Real-Time Analyzer
installs on Windows only.
Real-Time Analyzer (RTA) can be memory and CPU demanding,
depending on desired system settings and network load conditions, so it

Stand-Alone Edition 15
Chapter 2: Network Configuration

should not be installed on real-time critical machines. See the Websense

Enterprise Deployment Guide for more information.

IMPORTANT
i
You can have only one installation of RTA for each Policy
Server in your network.

You must have one of the following web servers installed on the machine
where you plan to install RTA:
„ Apache Web Server
„ Microsoft IIS

NOTE
If you do not have one of the supported web servers on
your system, the Websense Enterprise installer will offer
you the option of installing the Apache Web Server.

For information about supported versions of these web servers, see the
Websense Enterprise Deployment Guide.
‹ DC Agent: installed in networks using a Windows directory service
(NTLM-based or Active Directory). DC Agent can be installed on any
Windows server in the network, either on the same machine as other
Websense components, or on a different machine. DC Agent installs on
Windows only.
„ For small to medium networks, it is recommended that you install
only one DC Agent per domain. If you have a large, distributed
network with many domain controllers on the same domain, you can
install multiple DC Agents. Installing DC Agent on the domain
controller machine is not recommended. DC Agent can be installed
on any network segment as long as NetBIOS is allowed between the
DC Agent and the domain controllers. Setting up the DC Agent in the
DMZ is not recommended.
„ You may install DC Agent and the RADIUS Agent together on the
same machine or on separate machines in your network.
„ DC Agent and eDirectory Agent can be installed in the same network,
but cannot be active at the same time. Websense Enterprise does not
support communication with Windows and Novell directory services
simultaneously.

16 Websense Enterprise
 Chapter 2: Network Configuration

„ If DC Agent is not identifying all your users as anticipated, you may

install Logon Agent as well to improve user authentication in your
network. For example, this might be necessary in a network that uses
Windows 98 workstations. DC Agent uses workstation polling to get
user information from workstations as they make internet requests;
however, polling cannot retrieve user information from a Windows 98
workstation.
„ If you are installing DC Agent, be sure that the machine names of any
Windows 9x workstations in your network do not contain any spaces.
This situation could prevent DC Agent from receiving a user name
when an internet request is made from that workstation.
For configuration information, refer to the User Identification chapter in
the Websense Enterprise Administrator’s Guide. For detailed deployment
information, refer to the white paper titled Transparent Identification of
Users in Websense Enterprise found on the Websense website at: http://
www.websense.com/global/en/SupportAndKB/ProductDocumentation.
‹ RADIUS Agent: can be installed on the same machine as Websense
Enterprise or installed on a separate machine in your network. You may
install multiple RADIUS Agents on the same network, each configured to
communicate with the Filtering Service. RADIUS Agent can be used in
conjunction with either Windows- or LDAP-based directory services. You
can install RADIUS Agent and eDirectory Agent on the same machine or
on separate machines in your network. The RADIUS Agent installs on
Windows, Solaris, and Linux from a Custom installation only.
For configuration information, refer to the User Identification chapter in
the Websense Enterprise Administrator’s Guide. For detailed deployment
information, refer to the white paper titled Transparent Identification of
Users in Websense Enterprise found on the Websense website at: http://
www.websense.com/global/en/SupportAndKB/ProductDocumentation.
‹ eDirectory Agent: can be installed on the same machine as Websense
Enterprise or installed on a separate machine in your network. You can
install multiple eDirectory Agents on the same network, each configured
to communicate with the Filtering Service.You can install eDirectory and
RADIUS Agent on the same machine or on separate machines in your
network. The eDirectory Agent can be installed in the same network as
DC Agent or Logon Agent, but cannot be active at the same time, since
Websense Enterprise does not support communication with Windows and
Novell directory services simultaneously. The eDirectory Agent installs
on Windows, Solaris, and Linux.

Stand-Alone Edition 17
Chapter 2: Network Configuration

For configuration information, refer to the User Identification chapter in

the Websense Enterprise Administrator’s Guide. For detailed deployment
information, refer to the white paper titled Transparent Identification of
Users in Websense Enterprise found on the Websense website at: http://
www.websense.com/global/en/SupportAndKB/ProductDocumentation.
‹ Logon Agent: can be installed on the same machine as Websense
Enterprise or installed on a separate machine in your network. Logon
Agent may be installed together with DC Agent to improve the accuracy
of user authentication in your network. The Logon Agent runs on
Windows, Linux, or Solaris, and works together with the User Service
and Filtering Service. Logon Agent can be used with a Windows NT-
based directory service or with Active Directory, which is LDAP-based.
LogonApp.exe, the client application that passes user logon
information to Logon Agent, runs only on Windows client machines. You
must create a logon script to run LogonApp.exe in your network; refer
to Creating and Running the Script for Logon Agent, page 168 for
instructions. Logon Agent and eDirectory Agent can be installed in the
same network, but cannot be active at the same time, since Websense
Enterprise does not support communication with Windows and Novell
directory services simultaneously.
For configuration information, refer to the User Identification chapter in
the Websense Enterprise Administrator’s Guide. For detailed deployment
information, refer to the white paper titled Transparent Identification of
Users in Websense Enterprise found on the Websense website at: http://
www.websense.com/global/en/SupportAndKB/ProductDocumentation.
‹ Remote Filtering components
The Remote Filtering components are required only if you want to enable
web filtering on user workstations located outside your organization’s
network firewall or internet gateway. They can be installed from a
Custom installation only.

NOTE
To enable the Remote Filtering components, you must
subscribe to the remote filtering service.

„ Remote Filtering Server: should be installed on a separate,

dedicated machine. This machine must be able to communicate with
the Filtering Service and with Remote Filtering Clients on user

18 Websense Enterprise
 Chapter 2: Network Configuration

workstations that may be used both inside and outside the network
firewall. The Remote Filtering Server installs on Windows, Linux,
and Solaris.
The Remote Filtering Server automatically detects whether clients are
inside or outside of the network firewall. If it determines that a client
is inside the firewall, the user is filtered just like other internal clients.
Remote Filtering is only activated if the client is outside the firewall.
If desired, you can install secondary and tertiary Remote Filtering
Servers to provide failover protection for the primary Remote
Filtering Server. If a Remote Filtering Client on a remote workstation
cannot connect with the primary Remote Filtering Server, it will try to
connect with the secondary, then the tertiary, then the primary again,
and so on.
• Install only one primary Remote Filtering Server for each Filtering
Service in your network.
• Do not install the Remote Filtering Server on the same machine as
the Filtering Service or Network Agent.
• The Remote Filtering Server machine does not have to be joined
to a domain.
Remote Filtering components are not included in the deployment
diagrams provided in this chapter. For deployment information and
network diagrams, see the Remote Filtering section in the Websense
Enterprise Deployment Guide.
„ Remote Filtering Client: can be installed on user machines that you
want to filter outside the network firewall. To deploy this client
application, you can use the provided installer, called the Remote
Filtering Client Pack, and a third-party deployment tool. A Remote
Filtering Client must be able to communicate with a Remote Filtering
Server inside the network firewall to enable web filtering on the
remote workstation. The Remote Filtering Client Pack and the
Remote Filtering Client install only on Windows.
Remote Filtering components are not included in the deployment
diagrams provided in this chapter. For detailed deployment
information and network diagrams, see the Remote Filtering section
in the Websense Enterprise Deployment Guide.

IMPORTANT
i
Do not install the Remote Filtering Client on a Remote
Filtering Server machine.

Stand-Alone Edition 19
Chapter 2: Network Configuration

‹ Websense Enterprise Reporting components: installed on a separate

machine from the Filtering Service, except when evaluating Websense
Enterprise. The Log Server receives and saves information on internet
requests filtered by Websense Enterprise. Reporter and Explorer then use
this information to create reports on users’ internet activity. See the
Websense Enterprise Reporting documentation for installation and
administrative information.

NOTE
To generate reports properly, you must use the same
version of Websense Enterprise and the Websense
Enterprise Reporting Tools.

Websense Deployment
Websense Enterprise components can be installed on a dedicated server
machine as emphasized in this guide or widely distributed across a network on
various operating systems. In some cases, Websense Enterprise can be installed
on the same machine as your integration product, if the machine has adequate
resources. Wherever you decide to deploy Websense Enterprise, make sure that
the installation machine can handle the expected traffic load.
The following network diagrams represent common configurations that are
intended for smaller networks and are maximized for efficiency. The network
architecture in this guide may not be suitable for your network, particularly if
your network contains 500 or more users. For larger, distributed networks,
and detailed deployment recommendations, refer to the Websense Enterprise
Deployment Guide. System requirements are also listed in the Websense
Enterprise Deployment Guide.
In environments with a large number of workstations, installing multiple
instances of Filtering Service for load balancing purposes may be appropriate.
Some load balancing configurations, however, permit the same user to be
filtered by different Filtering Services, depending on the current load. For
instructions on how to configure Websense for multiple Filtering Service
installations, refer to the Websense Enterprise Administrator’s Guide.

20 Websense Enterprise
 Chapter 2: Network Configuration

Windows
If you decide to deploy all the Websense Enterprise components on the same
Windows machine, make sure the machine has sufficient resources to handle
the load. Refer to the Websense Enterprise Deployment Guide for detailed
system requirements. Remember that the machine on which the Network
Agent is installed must be in a position in your network to monitor all internal
internet traffic.
Do not install Websense Enterprise and Websense Enterprise Reporting
components together on the same machine, or on a machine running a
firewall. Filtering and logging functions are CPU intensive and could cause
serious operating system errors. Install Websense Enterprise and Websense
Enterprise Reporting components on separate machines inside the network,
where they will not have to compete for resources. The exception to this is
when Websense Enterprise is being evaluated on a small network or segment
of a larger network. For information about how to deploy each of the
Websense Enterprise Reporting Tools in your network, see your Websense
Enterprise Reporting documentation and the Websense Enterprise
Deployment Guide.

Stand-Alone Deployment in a Windows Environment

Stand-Alone Edition 21
Chapter 2: Network Configuration

Linux
In a Linux deployment, you can install the Filtering Service, Policy Server,
User Service, Usage Monitor, and Network Agent on the same machine, or
distribute these components in your network. You must install the Websense
Manager on a Windows or Solaris machine that has network access to the
Filtering Service. Real-Time Analyzer and Websense Enterprise Reporter
must be installed on Windows machines. For information about how to deploy
each of the Websense Enterprise Reporting Tools in your network, see your
Websense Enterprise Reporting documentation and the Websense Enterprise
Deployment Guide.

Stand-Alone Deployment in a Linux Environment

22 Websense Enterprise
 Chapter 2: Network Configuration

Solaris
In a Solaris deployment, you can install the Filtering Service, Policy Server,
User Service, Usage Monitor, Network Agent, and Websense Manager on the
same machine, or distribute these components in your network. You can
install eDirectory Agent or RADIUS Agent on the Websense Enterprise
machine or on a separate Windows machine. Real-Time Analyzer and
Websense Enterprise Reporter must be installed on Windows machines. For
information about how to deploy each of the Websense Enterprise Reporting
Tools in your network, see your Websense Enterprise Reporting
documentation and the Websense Enterprise Deployment Guide.

Stand-Alone Deployment in a Solaris Environment

Stand-Alone Edition 23
Chapter 2: Network Configuration

Switched Environments
In a switched environment, configure a switch to use mirroring or 2-way port
spanning, so that the Network Agent can detect internet requests from all the
workstations.

NOTE
Contact your switch vendor to determine if your switch is
capable of mirroring or port spanning and to learn how to
implement the correct configuration.

The following network diagrams represent the logical relationship of network

elements in a switched environment and are not intended to reflect the actual
deployment of Websense Enterprise.

Basic Deployment in a Switched Environment

24 Websense Enterprise
 Chapter 2: Network Configuration

Switched Environment with a Remote Office Connection

On a large network, you may need to install multiple Network Agents and
assign them to monitor various IP address ranges in your network. If you install
multiple Network Agents, consider the following:
‹ Do not assign overlapping IP address ranges. If the IP ranges overlap,
network bandwidth measurements will not be accurate, and bandwidth-
based filtering will not be applied correctly.

Stand-Alone Edition 25
Chapter 2: Network Configuration

‹ Deploy the Network Agents so that they can filter the entire network.
Partial deployment will result in incomplete filtering by protocol and
bandwidth, as well as the loss of log data from network segments not
watched by the Network Agent.

Multiple Network Agents in a Switched Environment

26 Websense Enterprise
 Chapter 2: Network Configuration

NAT and Network Agent Deployment

The use of Network Address Translation (NAT) on internal routers can
prevent the Network Agent from identifying the source IP addresses of client
machines making internet requests. If you are deploying the Network Agent
to monitor traffic from multiple subnets after it passes through such a router,
you must disable NAT, or the Network Agent will see the IP address of the
router’s external interface as the source of the request. An alternative would
be to install the Network Agent on a machine located between the NAT router
and the clients to be monitored. See the Websense Enterprise Deployment
Guide for more information.

Directory Services
If your environment includes a directory service, Websense allows you to
filter internet requests based on individual policies assigned to directory
objects. Directory objects identified in a directory service can be added to
Websense and assigned specific policies, using the Websense Manager.
Websense can communicate with the following directory services:
‹ Windows NTLM-based directories
‹ Windows Active Directory
‹ Sun™ Java System Directory Server
‹ Novell Directory Services/eDirectory
For information about supported versions of these directory services, see the
Websense Enterprise Deployment Guide. For information about configuring
directory service access, see the Websense Enterprise Administrator’s Guide.

NOTE
Websense Enterprise can communicate with your directory
service whether it runs on the same operating system as
Websense or on a different system.

Filtering can be based on individual user, group, and domain/organizational

unit policies, providing that Websense is able to identify the user making an
internet request. The authentication method you configure must allow
Filtering Service to obtain directory object information from a Windows or
LDAP directory. For information about accessing LDAP and Windows
directories, see the Websense Enterprise Administrator’s Guide.

Stand-Alone Edition 27
Chapter 2: Network Configuration

Internet requests can be filtered based on policies assigned to individual

directory objects after the following tasks have been accomplished:
‹ If you are using the Sun Java System Directory Server or Novell
Directory Services/eDirectory:
1. Enable the appropriate directory service within Websense.
2. Enable Websense to identify users transparently with Novell by
installing and configuring the Websense eDirectory Agent.
3. Enable Websense manual authentication so that if Websense is unable
to identify users transparently, it will prompt users to manually
authenticate.
Detailed instructions for each of these tasks can be found in the User
Identification chapter in the Websense Enterprise Administrator’s Guide.
‹ If you are using a Windows NTLM-based directory or Active Directory:
1. Configure the Windows directory service within Websense.
2. Enable Websense to identify users transparently by installing and
configuring the Websense DC Agent and/or Logon Agent.
3. Enable manual authentication within Websense so that if Websense is
unable to identify users transparently, it will prompt users to manually
authenticate.
Detailed instructions for each of these tasks can be found in the User
Identification chapter in the Websense Enterprise Administrator’s Guide.
The Websense transparent identification feature allows Websense to filter
internet requests from users in a Windows or Novell directory service, without
prompting users to manually authenticate. Websense Enterprise can
transparently identify users in a Windows domain if the Websense DC Agent
and/or Logon Agent is installed. In networks using a Novell directory service,
you can transparently identify users by installing the Websense eDirectory
Agent.
Once the Websense Filtering Service is configured to communicate with the
transparent identification agent (DC Agent, Logon Agent, or eDirectory
Agent), the agent obtains user information from the directory service and
sends the information to the Filtering Service. When the Filtering Service
receives the IP address of a machine making an internet request, the Filtering
Service matches the address with the corresponding user name provided by
the transparent identification agent. This allows Websense to transparently
identify users whenever they open a browser that sends an internet request to.

28 Websense Enterprise
 Chapter 2: Network Configuration

For information about transparent identification and the Websense DC Agent,

Logon Agent, and eDirectory Agent, please see the Websense Enterprise
Administrator’s Guide.

System Requirements
Refer to the Websense Enterprise Deployment Guide for a complete list of
system requirements for installation of Websense Enterprise components in
your network.
All Websense Enterprise components, with the exception of the optional
remote filtering components, can run on the same Windows machine or can be
distributed on separate Windows, Solaris, or Linux machines. Not all
Websense Enterprise components are supported on all three operating
systems, but components can be installed on machines with the same or
different operating systems. For example, Websense Manager is not supported
on Linux, but a Websense Manager installed on a Windows or Solaris
machine can configure a Policy Server installed on a Windows, Solaris, or
Linux machine. See the Websense Enterprise Deployment Guide for a list of
supported operating systems for each Websense Enterprise component.
Such factors as network size, network configuration, and internet traffic
volume can affect the ability of Websense Enterprise to filter internet requests.
Refer to the Websense Enterprise Deployment Guide for hardware
requirements for your network. If you plan to install Websense Enterprise
components on a machine that has high CPU demands, make sure that the
machine has sufficient resources to accommodate all the software loaded on it.
User Workstations
Websense filtering is based on protocols, not on the operating system of the
user workstation being filtered.
To be filtered by Websense, internet traffic from a user workstation must be
directly monitored by the Network Agent.

External Resources
Websense Enterprise relies on certain external resources to function properly
in your network. Make sure that the following network elements can
adequately support the filtering efforts of Websense Enterprise.

Stand-Alone Edition 29
Chapter 2: Network Configuration

‹ TCP/IP: Websense Enterprise supports TCP/IP-based networks only. If

your network uses both TCP/IP and non-TCP protocols, only those users
on the TCP/IP portion of your network will be filtered by Websense
Enterprise.
‹ DNS server: If IP addresses are not sent to the Websense Filtering
Service together with a URL request, a DNS server can be used to resolve
the URL into an IP address. Websense Enterprise or your integration
product (where applicable) require efficient DNS performance. Make sure
your DNS servers are fast enough to support Websense Enterprise
filtering without becoming overloaded.
‹ Directory services: The Websense Filtering Service can be configured
with policies based on user and group names. The Filtering Service
queries the directory service to identify users and their associated groups
as specified in a policy. Although these users and group relationships are
cached by Websense, directory service machines must have the resources
to rebuild the cache rapidly when the Websense Filtering Service requests
user information.
‹ Network efficiency: Connectivity to resources such as DNS and
directory services is critical to the Websense Filtering Service. Network
latency must be minimized if the Filtering Service is to perform
efficiently. Excessive delays under high load circumstances can affect the
performance of the Filtering Service and may cause lapses in filtering.
Make sure your network is configured for efficient communication
between Websense Enterprise and its external resources.

30 Websense Enterprise
CHAPTER 3
Upgrading Stand-Alone Systems
This chapter contains procedures for upgrading a previous version of
Websense Enterprise to version 6.1. Before upgrading Websense Enterprise,
make sure your system meets the system requirements listed in the Websense
Enterprise Deployment Guide and in the previous chapter.
The Websense Enterprise installer will upgrade all the Websense Enterprise
components detected on the installation machine. If the installer detects
remote installations of any Websense Enterprise components, the user is
prompted to upgrade these components as well.
Upgrades to the Websense Enterprise v6.1 Stand-Alone Edition are supported
from version 5.2 or higher of the Stand-Alone Edition. Websense Enterprise
version 5.2 or higher refers to the following versions:
‹ 5.2
‹ 5.5.x
The installer will configure v6.1 components to use the same network
interface cards (NIC) for Websense communications and the Network Agent
that are used by the earlier version. The installer will also automatically assign
the same port numbers to the v6.1 Websense Enterprise components that the
existing Websense Enterprise components use.
You can download the Websense Master Database during the upgrade, or
continue without downloading the database. The download can be performed
any time after the upgrade by using the Websense Manager.

Versions Supported
Direct upgrades from v5.2 or higher are supported. If you are running
Websense Enterprise v5.1, 5.0.1, or 5.0, an upgrade to v6.1 requires two steps.
You must upgrade your earlier version to v5.2 first, and then perform a v6.1
upgrade. The v5.2 installer for your operating system is available from:
‹ Windows: http://www.websense.com/download/v5.2/
WebsenseEnterprise_5.2.exe

Stand-Alone Edition 31
Chapter 3: Upgrading Stand-Alone Systems

‹ Solaris: http://www.websense.com/download/v5.2/
WebsenseEnterprise_5.2_Slr.tar.gz
‹ Linux: http://www.websense.com/download/v5.2/
WebsenseEnterprise_5.2_Lnx.tar.gz
If you are running Websense Enterprise v4.4.1 or earlier, you must upgrade to
v5.0 first. The v5.0 installer for your operating system is available from:
‹ Windows: http://www.websense.com/download/v5.0/
WebsenseEIM_5.0.exe
‹ Solaris: http://www.websense.com/download/v5.0/
WebsenseEIM_Slr_5.0.tar.gz
‹ Linux: http://www.websense.com/download/v5.0/
WebsenseEIM_Lnx_5.0.tar.gz

Transferring Configuration Data Without Upgrading

The recommended path for upgrading Websense Enterprise is through the
normal upgrade process, in which all configuration data from the earlier
version is retained in the new version. In some cases, however, you may
decide that an upgrade of your production system is undesirable. Your
network policy may not permit upgrades to the production system, or you may
want to move Websense Enterprise to a larger machine to accommodate
increased network traffic.
If running a normal upgrade is not an option, you can use either of two
procedures that will transfer configuration data from the production system to
a freshly installed version of Websense Enterprise. These procedures require a
test environment and may involve several cycles of installation and upgrade.

WARNING
!
Do not attempt to upgrade an earlier version of Websense
Enterprise by copying the config.xml file into a v6.1
system. Configuration files from earlier versions are not
compatible with v6.1.

For detailed instructions on converting to v6.1 without upgrading, refer to the

white paper entitled Transferring Configuration Settings to a v6.1 System
Without Upgrading located at: http://www.websense.com/global/en/
SupportAndKB/ProductDocumentation.

32 Websense Enterprise
 Chapter 3: Upgrading Stand-Alone Systems

Before You Upgrade

‹ Backing up files: Before upgrading to a new version of Websense
Enterprise, we recommend that you perform a full system backup as a
fallback strategy. This will allow you to restore your current production
system with a minimum of downtime should you encounter any problems
with the upgrade. At a minimum, you should back up the latest Websense
Enterprise configuration file and the initialization files. To back up these
files, stop the Filtering Service and copy the config.xml file, the
websense.ini file, and the eimserver.ini file from the
Websense\bin folder to a safe location.
‹ Non-English language versions: If you are currently running a non-
English language version of Websense Enterprise, upgrading your system
will convert it to English. To convert your system back to the previous
non-English language version, you must install the v6.1 Language Pack,
released separately from Websense Enterprise. Installation instructions
are provided with the Language Pack product.
‹ Upgrading distributed components: To upgrade your system, you must
run the Websense Enterprise installer on each machine on which a
Websense component resides. The installer detects all Websense
Enterprise components and upgrades them accordingly.

WARNING
!
Always run the installer on the Policy Server machine first.

‹ Usage Monitor: When you upgrade a machine that has version 5.2 or
5.5.x of the Policy Server installed, the installer will add the new Usage
Monitor component in addition to upgrading the Policy Server to
version 6.1. The Usage Monitor tracks users’ internet activity and sends
alerts when configured threshold values are crossed. Beginning with
Websense Enterprise 6.1, the Usage Monitor is included in a Typical
installation.
‹ Reporting: To properly generate reports, you must use the same version
of Websense Enterprise and the Websense Enterprise Reporting Tools.
‹ Websense services: Websense services must be running when the
upgrade process begins. Setup will stop and start these services as
necessary during the upgrade. If these services have been running
uninterrupted for several months, however, Setup may not be able to stop
them before the upgrade process times out. To ensure the success of the

Stand-Alone Edition 33
Chapter 3: Upgrading Stand-Alone Systems

upgrade, manually stop and restart all the Websense services before
beginning the upgrade.
‹ Matching locales: When upgrading a Filtering Service that is installed on
a different machine from Websense Manager, you must upgrade the
Filtering Service to v6.1 in the same locale environment (language and
character set) as the v5.2 or v5.5.x Websense Manager.
„ When upgrading on Solaris or Linux, log on to the Filtering Service
machine with the locale appropriate to the Websense Manager.
„ When upgrading Filtering Service v5.2 or v5.5.x on Windows, open
Control Panel > Regional Options and change the locale to match
that of the Websense Manager machine before beginning the upgrade.
Once the upgrade is complete, the Websense services can be restarted
with any locale setting.
‹ Network interface card (NIC): The NIC that you use for Network Agent
must be in promiscuous mode. Contact the manufacturer of your card to
see if it supports promiscuous mode.
‹ Web server: To install Real-Time Analyzer (RTA) you must have either
Microsoft IIS or Apache installed. If neither supported web server is
detected, the installer gives you the option to install the Apache Web
Server or continue the upgrade without installing RTA.

Upgrading on Windows
All Websense Enterprise v5.2 or higher Stand-Alone systems on Windows
can be upgraded to the v6.1 Stand-Alone Edition.
Before upgrading to a new version of Websense Enterprise, we recommend
that you perform a full system backup as a fallback strategy. This will allow
you to restore your current production system with a minimum of downtime
should you encounter any problems with the upgrade.
At a minimum, be sure you have backed up the following files before
proceeding:
‹ websense.ini
‹ eimserver.ini
‹ config.xml

34 Websense Enterprise
 Chapter 3: Upgrading Stand-Alone Systems

IMPORTANT
i
If your Websense services have been running
uninterrupted for several months, the installer may have
difficulty stopping them. To prevent the upgrade process
from timing out and failing, stop the services manually and
restart them again before beginning the upgrade.

To upgrade from Websense Enterprise v5.2 or v5.5.x to v6.1:

1. Close all Websense Managers anywhere in the network that connect to the
Policy Server you are upgrading.
2. Log on to the installation machine with domain and local administrator
privileges.
If you are upgrading User Service and DC Agent, this will assure that
they have administrator privileges on the domain.

IMPORTANT
i
User Service and DC Agent must have administrator
privileges on the network to retrieve user login information
from the domain controller. Without this information,
Websense Enterprise cannot filter by users and groups. If
you cannot install these components with such privileges,
you may configure administrator privileges for these
services after installation in the Properties dialog box for
Windows services.

3. Close all open applications on the installation machine, and stop any
antivirus software.

WARNING
!
Be sure to close the Windows Event Viewer, or the
upgrade may fail.

Stand-Alone Edition 35
Chapter 3: Upgrading Stand-Alone Systems

4. Run one of the following Websense Enterprise installers:

„ Web download: Download one of the following packages from
http://www.my.websense.com/download to a folder on the
installation machine and double-click to extract the installer files.
• Online installer: The online installer package (Setup61.exe)
contains only the installer files. The necessary product files are
downloaded from the website as needed after product selections
have been made.
• Offline installer: The offline installer
(Websense61Setup.exe) is much larger than the online
package and contains all the files needed to upgrade Websense
Enterprise components. Use this package only if you experience
difficulties upgrading Websense with the online installer.
„ Product CD: Run WebsenseStart.exe from the Websense
Enterprise v6.1 product CD (\WebsenseStart) to launch the
installer start screen. Select a Websense product installation to extract
the installer files.
The file will run automatically if autorun is enabled. The product CD
contains all the files needed to upgrade Websense Enterprise
components.
A screen displays instructions for extracting the setup program.

Installer Download Extraction Screen

a. Click Browse to select a destination folder, or type in a path.

36 Websense Enterprise
 Chapter 3: Upgrading Stand-Alone Systems

If the path you enter does not exist, the installer will create it for
you.

IMPORTANT
i
Do not extract the installer files to a folder on your
desktop. This may prevent the Real-Time Analyzer from
receiving the IP address of the Policy Server machine.
Accept the default location of C:\temp or select another
appropriate folder.

b. Click Extract to begin decompressing the files.

If Websense Enterprise installation files already exist in that
location, you may choose to overwrite the existing files.
A progress bar shows the status of the extraction, and the view
pane scrolls a list of the files as they are decompressed.
Setup.exe runs automatically after the files are decompressed.
c. Double-click on the file and follow the steps for the online
installer.
5. Follow the on-screen instructions and click Next to advance through the
welcome screen and the subscription agreement.
Setup detects the Websense Enterprise components from your earlier
version and asks you how you want to proceed. You can upgrade the
current system or exit the installer.
6. Select Upgrade and click Next.
A list of currently running Websense services from the earlier version is
displayed. A message explains that the installer must stop these services
before the installation can proceed.
7. Click Next to continue.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed.
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.

Stand-Alone Edition 37
Chapter 3: Upgrading Stand-Alone Systems

„ If the installation machine has less than the recommended amount of

memory, the installation will continue. To ensure the best
performance of the components you are installing, you should
upgrade your machine’s memory to the recommended amount.
A summary screen is displayed, listing the installation path, installation
size, and the components that will be installed.
8. Click Next to begin the upgrade.
If you are using the online installer, the Download Manager progress bar
is displayed, tracking the progress of the installer download. When the
appropriate files have been downloaded, Setup stops the Websense
services and begins installation.
An installation progress bar is displayed while the installer upgrades your
system and restarts the Websense services.
„ If you are using the Apache Web Server, you must restart it before
using the Real-Time Analyzer on your upgraded system. Setup asks if
you want to restart Apache now or wait until later. Select Yes or No
and click Next to continue.
„ The Websense Enterprise upgrade converts all non-English language
systems to English. When a non-English language system is upgraded,
the installer displays a message advising you that the Websense
Enterprise Language Pack is available for converting your upgraded
system to any of the supported non-English languages. The Language
Pack is free and can be downloaded from http://www.websense.com/
global/en. Click Next to continue.
„ Setup asks if you want to download the Websense Master Database
now or at a later time using the Websense Manager. Select a database
download option and click Next.

NOTE
Because of its size, the database can take up to 20 minutes
to download and decompress.

If you have chosen to download the database now, the database is

downloaded and decompressed. When the database download is
complete, a message appears announcing the status of the download.
Click Next to continue.
A message announcing the success of the installation is displayed.

38 Websense Enterprise
 Chapter 3: Upgrading Stand-Alone Systems

9. Click Next to continue.

„ If you have upgraded DC Agent, a dialog box appears advising you
that the machine must be restarted to complete the installation. Select
a restart option and click Finish to exit the installer.
„ If DC Agent was not upgraded, but you have upgraded Real-Time
Analyzer and/or Websense Manager, the installer displays a screen
asking if you want to launch either of those applications. By default,
both are selected. Clear the checkbox of the component you do not
want to launch and click Finish.
„ If neither DC Agent, Real-Time Analyzer, nor Websense Manager
were upgraded, no further action is required and you can click Finish
to exit the installer.
10. If you stopped your antivirus software, be sure to start it again.

Upgrading on Solaris or Linux

The Websense installer can upgrade version 5.2 or higher of Stand-Alone
Websense Enterprise systems.
Before upgrading to a new version of Websense Enterprise, we recommend
that you perform a full system backup as a fallback strategy. This will allow
you to restore your current production system with a minimum of downtime
should you encounter any problems with the upgrade.
At a minimum, be sure you have backed up the following files before
proceeding:
‹ websense.ini
‹ eimserver.ini
‹ config.xml

IMPORTANT
i
If your Websense services have been running uninter-
rupted for several months, the installer may have difficulty
stopping them. To prevent the upgrade process from tim-
ing out and failing, stop the services manually and restart
them again before beginning the upgrade.

Stand-Alone Edition 39
Chapter 3: Upgrading Stand-Alone Systems

To upgrade from Websense Enterprise v5.2 or v5.5.x to v6.1:

1. Close all Websense Managers anywhere in the network that connect to the
Policy Server you are upgrading.
2. Log on to the installation machine as the root user.
3. Close all open applications on the installation machine, and stop any
antivirus software.
4. Create a setup directory.
For example: /root/Websense_setup
5. Download the appropriate installer file from http://
www.my.websense.com/download to the setup directory, or copy the
installer file from the Websense Enterprise CD to the setup directory:
„ Solaris: Websense61Setup_Slr.tar.gz
„ Linux: Websense61Setup_Lnx.tar.gz
6. Enter the following command to unzip the installer file:
gunzip <download file name>
For example: gunzip Websense61Setup_Slr.tar.gz
7. Expand the file into its components with the following command:
tar xvf <unzipped file name>
For example: tar xvf Websense61Setup_Lnx.tar
This places the following files into the installation directory:

File Description
install.sh Installation program.
Setup Archive file containing related installation files and
documents.
Documentation Release Notes: An HTML file containing release
notes and last minute information about Websense.
Read this file with any supported browser.

8. Run the installation program from the setup directory with the following
command:
./install.sh
To run the GUI version of the installer, use the following command:
./install.sh -g

40 Websense Enterprise
 Chapter 3: Upgrading Stand-Alone Systems

If you are using a non-English based system, the installer will display an
error message advising you that the GUI version is not supported.
The upgrade sequence is as follows:
„ Upgrade option: The installer detects the earlier version of the
Filtering Service and gives you the choice of upgrading the existing
installation or exiting Setup. Be sure to close any Websense Managers
connected to this Policy Server before continuing. Select Upgrade
and press Enter.
„ Websense services: A list of currently running Websense services
from the earlier version is displayed. A message explains that the
installer must stop these services before the upgrade can proceed.
„ Protocol block messages: Setup advises you that you must install the
Samba client (v2.2.8a and higher) to display block messages on
Windows workstations blocked by Protocol Management. You may
continue installing Websense and download the Samba client later. To
download the Samba client, go to the Sun freeware website at:
http://www.sunfreeware.com

NOTE
The Samba client is not required for protocol blocking to
occur. This software controls the display of protocol
blocking messages only.

„ Browser location on Solaris: If the Websense Manager is being

upgraded on Solaris, you must provide the installer with the location of
Netscape.
„ System requirements check: The installer compares the system
requirements for the installation you have selected with the resources
of the installation machine. If the machine has inadequate disk space
or memory, separate warnings are displayed.
• If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
• If the installation machine has less than the recommended amount
of memory, the installation can continue. To ensure the best
performance of the components you are installing, you should
upgrade your machine’s memory to the recommended amount.

Stand-Alone Edition 41
Chapter 3: Upgrading Stand-Alone Systems

„ Installation summary: A summary list is displayed, showing the

installation path, installation size, and the components to be
upgraded. Press Enter to begin the upgrade.
„ File download: If you are using the online installer, the Download
Manager indicates the progress of the file download from Websense.
After the files are downloaded, the installer stops all Websense
services.
„ Upgrade: An installation progress bar is displayed while the installer
upgrades your system and restarts the Websense services.
„ Language Pack: The Websense Enterprise upgrade converts all non-
English language systems to English. When a non-English language
system is upgraded, the installer displays a message advising you that
the Websense Enterprise Language Pack is available for converting
your upgraded system to any of the supported non-English languages.
The Language Pack is free and can be downloaded from http://
www.websense.com/global/en.
„ Master Database Download: Setup asks if you want to download
the Websense Master Database now or at a later time using the
Websense Manager. Select a database download option and press
Enter.

NOTE
Because of its size, the database can take up to 20 minutes
to download and decompress.

If you have chosen to download the database now, the database is

downloaded and decompressed. When the database download is
complete, a message appears announcing the status of the download.
Select Next to continue.
A message announcing the success of the installation is displayed.
9. Select Next to continue.
„ If you have not upgraded the Websense Manager, you are ready to
select Finish and exit the installer.
„ If you are upgrading the Websense Manager (Solaris GUI mode only),
the installer asks if you want to launch the Websense Manager. By
default, the Manager is selected for launch. Select Finish when you are
ready to exit the installer.
10. If you stopped your antivirus software, be sure to start it again.

42 Websense Enterprise
 Chapter 3: Upgrading Stand-Alone Systems

Changing IP Addresses of Installed Components

Websense Enterprise handles most IP address changes automatically, without
any interruption in internet filtering. Changes to the IP address of the machine
running the Policy Server result in notification of the change being broadcast
to Websense Enterprise components on other machines. In some cases,
however, services need to be restarted or configurations updated after
changing an IP address. For a full discussion of the IP address change process,
refer to the Websense Enterprise Administrator’s Guide.

Stand-Alone Edition 43
Chapter 3: Upgrading Stand-Alone Systems

44 Websense Enterprise
CHAPTER 4
Installation
This chapter contains instructions for a new installation of the Websense
Enterprise components. In addition to installation procedures, instructions are
provided for modifying an installation, including adding, removing, and
repairing installed components.

Before Installing

Please read the following information before installing Websense Enterprise.

‹ Non-English language versions: Websense Enterprise v6.1 installs in
English only. Language Packs for converting systems to non-English
language versions are released separately from Websense Enterprise.
Installation instructions are provided with the Language Pack product.
‹ Reporting: To properly generate reports, you must use the same version
of Websense Enterprise and the Websense Enterprise Reporting Tools.
‹ Deployment: You can install the main Websense Enterprise components
together on the same machine or distribute them on separate machines,
depending upon the available operating systems and the size of your
network. If you plan to distribute your Websense Enterprise components
on separate machines in your network, run the installer on each machine
and select the Custom installation option.
You can install the Filtering Service, Policy Server, User Service, Usage
Monitor, and Websense Manager on machines with different operating
systems. For example, you can install Websense Manager on a Windows
machine and use it to configure a Policy Server running on a Linux
machine.
To determine the appropriate deployment of Websense components in
your environment, be sure to read the Websense Enterprise Deployment
Guide before beginning installation.

Stand-Alone Edition 45
Chapter 4: Installation

‹ Remote filtering: If you want to install the optional Remote Filtering

components to filter workstations located outside the network firewall,
you must run the Websense Enterprise installer and select a Custom
installation. Refer to Installing Websense Enterprise Components
Separately, page 72 for information.
‹ Network Interface Card (NIC): The NIC that you designate for use by
Network Agent during installation must support promiscuous mode.
Promiscuous mode allows a NIC to listen to IP addresses other than its
own. (Contact the manufacturer of your card to see if it supports
promiscuous mode.) If the card supports promiscuous mode, it will be set
to that mode by the Websense installer during installation.

NOTE
If you install Network Agent on a machine with multiple
NICs, you can configure Network Agent after installation
to use more than one NIC. See Configuring Network Agent
to use Multiple NICs, page 174 for more information.

‹ Web server: To install Real-Time Analyzer (RTA) you must have either
Microsoft IIS or Apache Web Server installed. If neither supported web
server is detected, the installer gives you the option to install the Apache
Web Server or continue the installation without installing RTA.
‹ Internet access: For the Websense Master Database download to occur
during installation, the machine running the Websense Filtering Service
must have internet access to the download servers at the following URLs:
„ download.websense.com
„ ddsdom.websense.com
„ ddsint.websense.com
„ portal.websense.com
„ my.websense.com
Make sure that these addresses are permitted by all firewalls, proxy
servers, routers, or host files that control the URLs that the Filtering
Service can access.
‹ Enabling Java interfaces: If you are installing any Websense Enterprise
components on a Windows 2000 Server machine, you must install
DirectX to launch the Java-based GUI installer. If DirectX is not present,
you can only install Websense components in the console mode. To

46 Websense Enterprise
 Chapter 4: Installation

enable the console installer in Windows 2000, refer to the procedure in

the troubleshooting topic Websense Enterprise splash screen is displayed,
but installer does not launch on Windows 2000, page 188.
If you have performed a console installation on a Windows 2000 Server
machine without DirectX, you must install the Websense Manager on a
Solaris machine or on a Windows machine capable of displaying a Java
interface.

Installing Websense Enterprise

This section provides separate instructions for installing Websense Enterprise
components on each operating system.

Windows
Follow the procedures in this section to install Websense Enterprise on a
Windows machine. These procedures are for a Typical installation, in which
the main Websense Enterprise components are installed on the same machine.
If you plan to distribute the main Websense Enterprise components on
separate machines in your network, you must install the Policy Server first.
Only the Websense Manager can be installed before the Policy Server has
been successfully installed. To install components separately, run the
Websense Enterprise installer on each machine and select a Custom
installation. For instructions on installing Websense components separately,
refer to Installing Websense Enterprise Components Separately, page 72.
If you decide to change the location of a Websense component, add a
component, or remove a component, run the Websense Enterprise installer
again on the machine you want to modify and select the appropriate option.
The installer detects the presence of Websense components and offers you
options for modifying your installation. For information about adding or
removing Websense components, refer to Adding Components, page 133 and
Removing Components, page 147.
To install Websense Enterprise on a Windows machine:
1. Log on to the installation machine with domain and local administrator
privileges.

Stand-Alone Edition 47
Chapter 4: Installation

If you are installing User Service and DC Agent, this will assure that they
have administrator privileges on the domain.

IMPORTANT
i
User Service and DC Agent must have administrator
privileges on the network to retrieve user login information
from the domain controller. Without this information,
Websense Enterprise cannot filter by users and groups. If
you cannot install these components with such privileges,
you may configure administrator privileges for these
services after installation in the Properties dialog box for
Windows services.

2. Close all applications and stop any antivirus software.

3. Run one of the following Websense Enterprise installers:
„ Web download: Download one of the following packages from http:/
/www.websense.com/global/en/downloads to a folder on the
installation machine and double-click to extract the installer files.
• Online installer: The online installer package (Setup61.exe)
contains only the installer files. The necessary product files are
downloaded from the website as needed after product selections
have been made.
• Offline installer: The offline installer
(Websense61Setup.exe) is much larger than the online
package and contains all the files needed to install Websense
Enterprise components. Use this package only if you experience
difficulties installing Websense with the online installer.
„ Product CD: Run WebsenseStart.exe from the Websense
Enterprise v6.1 product CD (\WebsenseStart) to launch the
installer start screen. Select a Websense product installation to extract
the installer files.
The file will run automatically if autorun is enabled. The product CD
contains all the files needed to install Websense Enterprise
components.
A screen displays instructions for extracting the setup program.

48 Websense Enterprise
 Chapter 4: Installation

Installer Download Extraction Screen

a. Click Browse to select a destination folder, or type in a path.

If the path you enter does not exist, the installer will create it for
you.

IMPORTANT
i
Do not extract the installer files to a folder on your
desktop. This may prevent the Real-Time Analyzer from
receiving the IP address of the Policy Server machine.
Accept the default location of C:\temp or select another
appropriate folder.

b. Click Extract to begin decompressing the files.

If Websense Enterprise installation files already exist in that
location, you may choose to overwrite the existing files.
A progress bar shows the status of the extraction, and the view
pane scrolls a list of the files as they are decompressed.
Setup.exe runs automatically after the files are decompressed.
4. Click Next on the welcome screen and follow the on-screen instructions
through the subscription agreement.
You are asked to select a Websense product to install.

Stand-Alone Edition 49
Chapter 4: Installation

Websense Product Selection Screen

5. Select Websense Enterprise and click Next.

You are offered a choice of two setup types.

Setup Type Dialog Box

50 Websense Enterprise
 Chapter 4: Installation

„ Typical: installs Filtering Service, Policy Server, Websense Manager,

User Service, Usage Monitor, Network Agent, and Real-Time
Analyzer automatically. The installer asks you if you want to install a
transparent identification agent on the same machine.
„ Custom: allows you to choose individual Websense Enterprise
components to install. Use this option to install Websense components
on separate machines in your network. For more information, see
Installing Websense Enterprise Components Separately, page 72.
6. Select Typical and click Next.
If the installation machine is multihomed, all enabled network interface
cards (NICs) with an IP address appear in a list.

Network Interface Card Selection Screen

7. Select the card to use for Websense Enterprise communication and click
Next.
The installer asks if you want to run Websense Enterprise in the Stand-
Alone filtering mode or integrate it with a firewall, proxy server, or
network appliance.

Stand-Alone Edition 51
Chapter 4: Installation

Integration Option Screen

8. Select Stand-alone and click Next.

Setup displays the Websense Subscription Key dialog box.

Subscription Key Options

„ I have a Websense subscription key: If you have a valid

subscription key, select this option and enter your key. You will be

52 Websense Enterprise
 Chapter 4: Installation

given the option to download the Websense Master Database during

installation. This will enable Websense Enterprise to begin filtering
immediately.
„ I do not wish to use a key at this time: Select this option to continue
the installation without entering a key. You will not be given the
option to download the Websense Master Database during
installation. You can download the Master Database after installation
by entering a valid key in the Websense Manager. Refer to
Subscription Key and Master Database Download, page 162 for
instructions.
You can request a 30-day evaluation key at any time by going to:
http://www.websense.com/global/en/Downloads/KeyRequest.
9. Click Next to continue.
The installer checks your system for a supported web server (Apache Web
Server or IIS) for the Real-Time Analyzer and takes the following action:
„ If both supported web servers are detected, a dialog box appears
asking you to choose one server for the RTA instance.
„ If one of the supported servers is detected, the installer continues. No
notification appears.
„ If neither supported web server is detected, the installer gives you the
option to install the Apache Web Server or continue the installation
without installing RTA.

RTA Web Server Dialog Box

Stand-Alone Edition 53
Chapter 4: Installation

If you select the Apache Web Server installation option, the Websense
installer starts the Apache installer and exits without installing any
Websense Enterprise components. You must restart your computer
after installing the Apache Web Server and run the Websense
Enterprise installer again to install Websense.

NOTE
Apache Web Server documentation is installed in HTML
format in the docs/manual/ directory. The latest
version can be found at: http://httpd.apache.org/docs-2.0/.

10. Select a web server installation option and click Next to continue.
If you are installing the Real-Time Analyzer and are using IIS as your
web server, you are prompted to select the name of the website in the IIS
Manager under which the installer should create a virtual directory. The
default value is Default Web Site, which is correct in most instances.

Virtual Directory Selection

11. If you have renamed the default website in the IIS Manager or are using a
language version of Windows other than English, select the proper
website from the names in the drop-down list, and then click Next to
continue.

54 Websense Enterprise
 Chapter 4: Installation

The installer offers you the option of testing your machine’s visibility to
internet traffic. The machine on which the Network Agent is installed
must be able to monitor 2-way employee internet traffic to filter correctly.

IMPORTANT
i
If you install the Network Agent on a machine that cannot
monitor targeted internet traffic, some features, such as
Dynamic Protocol Management, IM Attachment Manager,
and Bandwidth Optimizer, will not perform as expected.

Network Agent Visibility Test Screen

You are given the following three options:

„ Test Traffic Visibility: This selection launches the utility that tests
the visibility of internet traffic from the installation machine.
„ Continue installation: If you have tested the interface and know that
the installation machine has the necessary internet traffic visibility,
you may select this option and continue the installation.
„ Exit Setup: If you determine that the installation machine cannot see
the appropriate internet traffic, select this option to exit Setup. Select
another machine for installation, reposition the current machine in the
network, or replace the NIC. Remember that the NIC must have an IP
address for Network Agent to function.

Stand-Alone Edition 55
Chapter 4: Installation

12. Click Test Traffic Visibility to check the visibility of internet traffic from
the installation machine.
The Traffic Visibility Test utility appears.

Traffic Visibility Test Tool

Field Description
Network Card Name of the network interface card (NIC) to test.
Active cards on the installation machine appear in
this list. Cards without an IP address will not appear
in this list.
Networks Tested Displays the netmasks that are being tested. You
may use the defaults provided or add your own.
These netmasks can reside in different network
segments depending upon the IP address ranges to
be filtered.
IP Address Count Number of IP addresses for which traffic is detected
during the test of a Network.
Detail Lists all the IP addresses in the network from which
internet traffic is being detected.

56 Websense Enterprise
 Chapter 4: Installation

a. From the Network Card drop-down list, select the network interface
card (NIC) that you want to use for the Network Agent.
b. If the network you want to test with the NIC does not appear in the
default list, click Add Network.
The Add Network dialog box
appears.
c. Enter a new netmask value in the
Network ID field.
The subnet mask defaults to
255.0.0.0 and changes
appropriately as the netmask is defined.
d. Click OK to return to the Traffic Visibility Test dialog box.
Your new network appears in the list.
e. Click Start Test to begin testing the all the networks in the list.
The counter in the IP Address Count column should begin recording
internet traffic immediately from the networks listed. The counter
increments each time the NIC detects an individual IP address from the
target network in a passing packet. The activity bar at the bottom of the
dialog box indicates that a test is in progress. If the count for a
network remains at zero or is very low, the selected NIC cannot see
the traffic it is supposed to monitor.
f. If the Network Agent is unable to see the desired traffic, perform one
or both of the following tasks:
• If the installation machine has multiple NICs, select a different
card to test.
• Resolve network configuration issues to make sure that the NIC
can see the desired traffic. This might involve connecting to a
different router or configuring for port spanning in a switched
environment. See Chapter 2: Network Configuration for
deployment information. You may continue the installation
without installing Network Agent and reconfigure your network
later, or make the necessary changes and retest immediately.
g. Click Stop Test when you are ready to continue installation.
h. Click Close to exit the traffic visibility test screen.

Stand-Alone Edition 57
Chapter 4: Installation

13. Select Continue installation if you are sure that your NIC is able to
monitor all targeted internet traffic. Select Exit Setup if the appropriate
traffic is not visible.
14. Click Next to continue.
If a screen appears asking you to select the network interface card (NIC)
that you want to use for capturing traffic. All network interface cards
enabled in the machine appear in a list.
15. If the machine has multiple NICs, select the card to use for Network
Agent.
16. Click Next to continue.
Setup asks you to select an initial filtering option.
„ Yes: configures Websense Enterprise to filter internet traffic
immediately after installation, based on a predefined default policy.
„ No: configures Websense Enterprise to monitor internet traffic only,
while permitting all internet requests. Select this option and install
one or more of the Websense Enterprise Reporting Tools if you want
to evaluate your network traffic before applying internet filtering.

Initial Filtering Option Screen

17. Select an initial filtering option and click Next to continue.

Setup displays the Transparent User Identification screen, allowing you to
select how Websense Enterprise will identify users:

58 Websense Enterprise
 Chapter 4: Installation

„ eDirectory Agent: Select this option to install the eDirectory Agent

to authenticate users transparently with Novell eDirectory Service.
„ DC Agent: Select this option to install DC Agent to authenticate
users transparently with a Windows-based directory service.
„ Logon Agent: Select this option to install the Logon Agent to
authenticate users transparently when they log on to the domain.
Logon Agent receives its user information from an application called
LogonApp.exe that must be run by a logon script in your network.
Refer to Creating and Running the Script for Logon Agent, page 168
for instructions.
„ DC Agent and Logon Agent: Select this option to install DC Agent
and the Logon Agent to authenticate users transparently. This can
increase the accuracy of user identification in some networks.
„ None: This option does not install a Websense transparent
identification agent.

NOTE
You can also configure manual authentication in the
Websense Manager after installation and initial setup.
Refer to your Websense Enterprise Administrator’s Guide
for instructions.

Transparent User Identification Options

Stand-Alone Edition 59
Chapter 4: Installation

18. Select a transparent identification method and click Next to continue.

If you select DC Agent for installation, Setup asks you to provide a user
name and a password with administrative privileges on the domain. If you
attempt to install DC Agent without providing access to directory
information, you will be unable to identify users transparently. Enter the
domain and user name, followed by the network password for an account
with domain privileges, and click Next to continue.
A dialog box appears, asking you to select an installation folder for the
Websense Enterprise components.
19. Accept the default path (C:\Program Files\Websense) or click
Browse to locate another installation folder, and then click Next to
continue.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed:
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary list appears, showing the installation path, installation size,
and the components that will be installed.
20. Click Next to start the installation.
„ If you are using the online installer, the Download Manager progress
bars are displayed as Setup downloads the appropriate installer files
from Websense. Installation begins automatically when the necessary
files have been downloaded.
If you provided the installer with a valid subscription key when prompted,
Setup asks if you want to download the Websense Master Database now
or at a later time using the Websense Manager.

60 Websense Enterprise
 Chapter 4: Installation

Master Database Download Selection

21. Select a database download option and click Next.

If you have chosen to download the Master Database now, a progress bar
appears. Because of its size, the database can take up to 20 minutes to
download and decompress.

Master Database Download Progress

Stand-Alone Edition 61
Chapter 4: Installation

When the database download is complete, a message appears advising you

that the database has been successfully downloaded. Click Next to
continue.
A message announcing the success of the installation is displayed.
22. Click Next to continue.
„ If you have installed DC Agent, a dialog box appears advising you
that the machine must be restarted to complete the installation. Select
a restart option and click Finish to exit the installer.
„ If DC Agent was not installed, but you have installed Real-Time
Analyzer and/or Websense Manager, the installer displays a screen
asking if you want to launch either of those applications. By default,
both are selected. Clear the checkbox of the component you do not
want to launch and click Finish.
„ If neither DC Agent, Real-Time Analyzer, nor Websense Manager
were installed, no further action is required and you can click Finish
to exit the installer.

Application Launcher

23. If you stopped your antivirus software, be sure to start it again.

24. See Chapter 5: Initial Setup to perform post installation tasks.

62 Websense Enterprise
 Chapter 4: Installation

NOTE
If you decide to change the location of a Websense
component, add functionality, or repair a component, run
the Websense installer again on the machine you want to
modify and select the appropriate option. The installer
detects the presence of Websense Enterprise components
and offers you options for modifying your installation. For
instructions, refer to Modifying an Installation, page 133.

Solaris or Linux
Follow the procedures in this section to install Websense Enterprise on a
Solaris or Linux machine. These procedures are for a Typical installation, in
which the main Websense Enterprise components are installed on the same
machine.
If you plan to distribute the main Websense Enterprise components on
separate machines in your network, you must install the Policy Server first.
Only the Websense Manager can be installed before the Policy Server has
been successfully installed. To install components separately, run the
Websense Enterprise installer on each machine and select a Custom
installation. For instructions on installing Websense components separately,
refer to Installing Websense Enterprise Components Separately, page 72.
If you decide to change the location of a Websense component, add a
component, or remove a component, run the Websense Enterprise installer
again on the machine you want to modify and select the appropriate option.
The installer detects the presence of Websense components and offers you
options for modifying your installation. For information about adding or
removing Websense components, refer to Adding Components, page 133 and
Removing Components, page 147.
You may install the following Websense Enterprise components together on
the same machine:
‹ Filtering Service
‹ Policy Server
‹ User Service
‹ Websense Manager (Solaris only)
‹ Network Agent

Stand-Alone Edition 63
Chapter 4: Installation

‹ eDirectory Agent
‹ Logon Agent
‹ Usage Monitor
You can install the Websense Manager after you finish installing the main
Websense Enterprise components. The Websense Manager is not supported
on Linux, and must be installed on either a Windows machine or a Solaris
machine. See Installing Websense Enterprise Components Separately, page
72 for instructions on installing individual Websense components.
To install Websense Enterprise on a Solaris or Linux machine:
1. Log on to the installation machine as the root user.
2. Close all applications and stop any antivirus software.
3. Create a setup directory.
For example: /root/Websense_setup
4. Download the installer file for your operating system from http://
www.websense.com/global/en/downloads, or copy it from the Websense
Enterprise CD and save it to the setup directory.
„ Solaris: Websense61Setup_Slr.tar.gz
„ Linux: Websense61Setup_Lnx.tar.gz
5. Enter the following command to unzip the file:
gunzip <download file name>
For example: gunzip Websense61Setup_Slr.tar.gz
6. Expand the file into its components with the following command:
tar xvf <unzipped file name>
For example: tar xvf Websense61Setup_Lnx.tar
This places the following files into the installation directory:

File Description
install.sh Installation program.
Setup Archive file containing related installation files and
documents.
Documentation Release Notes: An HTML file containing release
notes and last minute information about Websense.
Read this file with any supported browser.

64 Websense Enterprise
 Chapter 4: Installation

7. Run the installation program from the setup directory with the following
command:
./install.sh
To run the GUI version of the installer, use the following command:
./install.sh -g
If you are using a non-English based system, the installer will display an
error message advising you that the GUI version is not supported.
The installer sequence is as follows:
„ Installation type: You are asked to select an installation type:
• Typical: installs Filtering Service, Policy Server, User Service,
and Usage Monitor together on the same machine. The installer
gives you the option of installing Network Agent, eDirectory
Agent, and the Logon Agent. The Websense Manager is installed
automatically on Solaris.
• Custom: allows you to install individual Websense Enterprise
components. You can use this option to install components on
separate machines in your network. For more information, see
Installing Websense Enterprise Components Separately, page 72
Select Typical to install the listed Websense components.
„ Network Interface Card selection: If the installation machine is
multihomed, all enabled network interface cards (NICs) appear in a
list. Select the card to use for Websense Enterprise communication.

IMPORTANT
i
Make sure you select a NIC in normal mode (cards with an
IP address). Interface cards configured for stealth mode
will appear in this list as well. If you select a stealth mode
NIC for Websense communications, Websense services
will not work.

„ Integration option: Select Stand-alone to install the Network Agent

as the internet filtering component of Websense Enterprise.

Stand-Alone Edition 65
Chapter 4: Installation

„ Port numbers: The installer automatically assigns default port

numbers to the Policy Server and to the Filtering Service. If either of
the default ports is in use, you will be required to select an alternate
port. The range of valid port numbers is from 1024 to 65535.

NOTE
Remember the port numbers if you change them from the
defaults. You will need them when installing other
Websense components.

„ Subscription key: Setup can download the Websense Master

Database during installation if you provide a valid subscription key or
evaluation key. This will enable Websense to begin filtering
immediately.
• I have a Websense subscription key: If you have a valid
subscription key, select this option and enter your key when
prompted. You will be given the option to download the Websense
Master Database during installation.
• I do not wish to use a key at this time: Select this option if you
want to continue the installation without entering a key. You will
not be given the option to download the Websense Master
Database during installation. You can download the Master
Database after installation by entering your key in the Websense
Manager. Refer to Subscription Key and Master Database
Download, page 162 for instructions.
To request a 30-day evaluation key, go to:
http://www.websense.com/global/en/Downloads/KeyRequest
„ Network Agent: Install Network Agent or test the visibility of
internet traffic from this machine.

IMPORTANT
i
The machine on which the Network Agent is installed
must be able to monitor 2-way employee internet traffic
for Network Agent to function properly. If you install the
Network Agent on a machine that cannot monitor targeted
internet traffic, Dynamic Protocol Management,
Bandwidth Optimizer, and IM Attachment Manager will
not perform as expected.

66 Websense Enterprise
 Chapter 4: Installation

You are given the following three options:

• Test Traffic Visibility: launches the utility that tests the visibility
of internet traffic from the installation machine.
• Continue installation: If you have tested the interface and know
that the installation machine has the necessary internet traffic
visibility, you may select this option and continue the installation.
• Exit Setup: If you determine that the installation machine cannot
see the appropriate internet traffic, select this option to exit Setup.
Select another machine for installation, reposition the current
machine in the network, or replace the NIC. Remember that the
NIC must have an IP address for Network Agent to function.
To check the visibility of internet traffic from the installation
machine:
a. Select Test Traffic Visibility.
b. Select the network interface card (NIC) that you want to use for
the Network Agent and continue to the next pane. Active cards on
the installation machine appear in this list, including NICs
without IP addresses (stealth mode).
A default list of networks (netmasks) to test appears. You may
use the defaults provided or add your own. These netmasks can
reside in different network segments depending upon the IP
address ranges to be filtered.
c. If the network you want to test with the NIC does not appear in
the default list, select Add Network.
– Enter a new netmask value in the Network ID field.
The subnet mask defaults to 255.0.0.0 and changes
appropriately as the netmask is defined.
– Select Redisplay to return to the options list.
Your new network appears in the list.
d. Select Remove a Network to delete a network from the list.
e. Select Start Test to begin testing all the networks in the list.
The counter in the IP Address Count column should begin
recording internet traffic immediately from the networks listed.
The counter increments each time the NIC detects an individual
IP address from the target network in a passing packet. The

Stand-Alone Edition 67
Chapter 4: Installation

activity bar at the bottom of the pane indicates that a test is in

progress. If the count for a network remains at zero or is very low,
the selected NIC cannot see the traffic it needs to monitor.
f. If the Network Agent is unable to see the desired traffic, perform
one or both of the following tasks:
– If the installation machine has multiple NICs, select a different
card to test.
– Resolve network configuration issues to make sure that the NIC
can see the desired traffic. This might involve connecting to a
different router or configuring for port spanning in a switched
environment. See Chapter 2: Network Configuration for
deployment information. You may continue the installation
without installing Network Agent and reconfigure your
network later, or make the necessary changes and retest
immediately.
g. Select Exit Tool when you are ready to continue installation.
h. Select Continue installation if you are sure that your NIC is able
to monitor all targeted internet traffic.
i. Select Exit Setup if the appropriate traffic is not visible. If
Network Agent cannot see the necessary traffic, you must either
reposition the machine in the network or select another machine
on which to install the Network Agent.
„ Network Interface Card (NIC) selection: If the installation machine
has multiple network interface cards, all enabled cards appear in a list.
Select the NIC that you tested successfully for network visibility. Cards
configured for stealth mode will appear on this list.
„ Initial filtering options: Websense Enterprise can be configured to
filter internet traffic immediately after installation, based on a
predefined default policy, or to monitor internet traffic only. Select
Yes to filter traffic initially, or No if you want to evaluate your
network traffic before applying any type of filtering. You must install
one or more of the Websense Enterprise Reporting Tools to report on
network activity.
„ Transparent user identification: Select one of the following:
• eDirectory Agent: Select this option to install the eDirectory
Agent to authenticate users transparently through Novell
eDirectory Server.

68 Websense Enterprise
 Chapter 4: Installation

• Logon Agent: Select this option to install the Logon Agent to

authenticate Windows users transparently when they log on to the
domain. Logon Agent receives its user information from an
application called LogonApp.exe that must be run by a logon
script in your network. Refer to Creating and Running the Script
for Logon Agent, page 168 for instructions.
• None: This option does not install a Websense transparent
identification agent.

NOTE
You can configure manual authentication in the Websense
Manager after installation and initial setup.

„ Protocol block messages: Setup advises you that you must install the
Samba client (v2.2.8a and higher) to display block messages on
Windows workstations blocked by Protocol Management. You may
continue installing Websense and download the Samba client later. To
download the Samba client, go to the Sun freeware website at:
http://www.sunfreeware.com

NOTE
The Samba client is not required for protocol blocking to
occur. This software controls the display of protocol
blocking messages on client machines only.

„ Web browser: For Solaris installations, you must provide the full
path to the web browser you want to use when viewing online help.
This information is requested only when you choose a Typical
installation or are installing Websense Manager separately.
„ Directory path: This is the path to the installation directory where
Websense will create the /opt/Websense directory. If this
directory does not already exist, the installer will create it
automatically.

IMPORTANT
i
The full installation path must use ASCII characters only.

Stand-Alone Edition 69
Chapter 4: Installation

„ System requirements check: The installer compares the system

requirements for the installation you have selected with the resources
of the installation machine. If the machine has inadequate disk space
or memory, separate warnings are displayed.
• If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
• If the installation machine has less than the recommended amount
of memory, the installation can continue. To ensure the best
performance of the components you are installing, you should
upgrade your machine’s memory to the recommended amount.
„ Installation summary: A summary list appears, showing the
installation path, installation size, and the components you have
selected.
8. Press Enter to begin the installation.
If you are using the online installer, the Download Manager copies the
appropriate installer files from Websense. Installation begins
automatically when the necessary files have been downloaded.
The installer creates the /opt/Websense directory, and the /opt/
Websense/Manager directory if you installed Websense Manager
(Solaris only). It also sets up the necessary files, including /etc/
rc3.d/S11WebsenseAdmin, which enables Filtering Service to start
automatically each time the system starts.
„ If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used
unless Network Agent is installed on a machine with direct access to
internet traffic. Select Next to continue.
„ Master Database Download: If you provided a valid subscription
key when prompted, Setup asks if you want to download the
Websense Master Database now or at a later time using the Websense
Manager. Select a database download option and press Enter.

NOTE
Because of its size, the database can take up to 20 minutes
to download and decompress.

70 Websense Enterprise
 Chapter 4: Installation

If you have chosen to download the database now, the database is

downloaded and decompressed. When the database download is
complete, a message appears advising you of the status of the
download. Select Next to continue.
A message announcing the success of the installation is displayed.
9. Select Next to continue.
„ If you have not installed the Websense Manager, you are ready to
select Finish and exit the installer.
„ If you are installing the Websense Manager (Solaris GUI mode only),
the installer displays a screen asking if you want to launch the
Websense Manager. By default, the Manager is selected for launch.
Select Finish when you are ready to exit the installer.
10. If you stopped your antivirus software, be sure to start it again.
11. If you did not install the Websense Manager on this machine, you must
install it on a separate Windows or Solaris machine in your network.
Follow the instructions under Installing Websense Enterprise Components
Separately, page 72.

NOTE
If you decide to change the location of a Websense
component, add functionality, or repair a component, run
the Websense installer again on the machine you want to
modify and select the appropriate option. The installer
detects the presence of Websense Enterprise components
and offers you options for modifying your installation. For
instructions, refer to Modifying an Installation, page 133.

Stand-Alone Edition 71
Chapter 4: Installation

Installing Websense Enterprise Components Separately

All Websense Enterprise components can be installed separately using the
Custom feature of the Websense installer. Your environment may require you
to install the Websense Manager and some of the optional components apart
from the Websense Filtering Service. You can install these components alone
or together on remote machines in your network. This section describes the
procedures for installing the following Websense components on separate
machines in your network:

NOTE
When installing Websense components, you must always
install the Policy Server first. Only the Websense Manager
can be installed before the Policy Server has been
successfully installed.

‹ Websense Manager: Websense Manager can be installed on Windows and

Solaris operating systems and can connect to a Policy Server on the same
operating system or on a different operating system. Websense Manager is
not supported on Linux.
‹ Network Agent: Network Agent can be installed on Windows, Solaris,
and Linux machines and must be able to see all internet traffic, both
inbound and outbound.
‹ DC Agent: DC Agent runs on Windows only and is installed in networks
using a Windows directory service (NTLM-based or Active Directory).
To retrieve user information from the domain controller, DC Agent must
be installed with domain administrator privileges on the network.
‹ Real-Time Analyzer (RTA): RTA installs on Windows only. You can
have only one instance of RTA for each Policy Server in your network.
‹ Usage Monitor: Usage Monitor installs on Windows, Solaris, and Linux.
You can have only one instance of Usage Monitor for each Policy Server
in your network.
‹ RADIUS Agent: RADIUS Agent installs on Windows, Solaris, and Linux.
This optional component is only available through a Custom installation.
RADIUS Agent can be used in conjunction with either Windows- or
LDAP-based directory services; it works together with a RADIUS client
and RADIUS server to identify users logging on from remote locations.

72 Websense Enterprise
 Chapter 4: Installation

‹ eDirectory Agent: eDirectory Agent installs on Windows, Solaris, and

Linux, and is installed in networks that use Novell eDirectory to identify
users.
‹ Logon Agent: Logon Agent installs on Windows, Solaris, and Linux.
Logon Agent receives user information at logon from a client application
called LogonApp.exe, which must be run by a logon script.
Instructions for creating and running this logon script in your network can
be found in Creating and Running the Script for Logon Agent, page 168.
LogonApp.exe runs only on Windows client machines.

NOTE
The installation of these Websense components in the
presence of other Websense components requires fewer
steps. Setup searches for existing Websense initialization
files and automatically uses this configuration information
to locate the Policy Server and Filtering Service in the
network.

‹ Remote Filtering components:

The Remote Filtering components—Remote Filtering Server and Remote
Filtering Client Pack—are required only if you want to enable web
filtering on user workstations located outside your organization’s network
firewall. These optional components are only available through a Custom
installation.

NOTE
To enable the Remote Filtering components, you must
subscribe to the remote filtering service.

„ Remote Filtering Server: The Remote Filtering Server installs on

Windows, Solaris, and Linux. It must be able to communicate with
the Websense Filtering Service and with the Remote Filtering Clients
installed on user workstations.
„ Remote Filtering Client Pack: The Remote Filtering Client Pack is
an installer used to deploy the Remote Filtering Client to Windows
workstations that will be used outside the network firewall. The
Remote Filtering Client Pack installs on Windows only.

Stand-Alone Edition 73
Chapter 4: Installation

If you want to install the Websense Enterprise core components individually

in a distributed environment, refer to the Websense Enterprise Deployment
Guide for information that will help you decide how to best deploy the
components in your environment.

Windows Procedures
The steps in this section are common to all separate installations of Websense
Enterprise components on Windows. Start here to download and run the
Websense installer, and then refer to the appropriate sections for the
component-specific procedures.
To install components separately on Windows:
1. Log on to the installation machine with local administrator privileges.

IMPORTANT
i
If you are installing DC Agent, log on with domain
administrator privileges. DC Agent must have
administrator privileges on the network to retrieve user
login information from the domain controller. Without this
information, Websense Enterprise cannot filter by users
and groups. If you cannot install DC Agent with such
privileges, you may configure administrator privileges for
it after installation in the Properties dialog box for
Windows services.

2. Close all applications and stop any antivirus software.

3. Run one of the following Websense Enterprise installers:
„ Web download: Download one of the following packages from http:/
/www.websense.com/global/en/downloads to a folder on the
installation machine and double-click to extract the installer files.
• Online installer: The online installer package (Setup61.exe)
contains only the installer files. The necessary product files are
downloaded from the website as needed after product selections
have been made.

74 Websense Enterprise
 Chapter 4: Installation

• Offline installer: The offline installer

(Websense61Setup.exe) is much larger than the online
package and contains all the files needed to install Websense
Enterprise components. Use this package only if you experience
difficulties installing Websense with the online installer.
„ Product CD: Run WebsenseStart.exe from the Websense
Enterprise v6.1 product CD (\WebsenseStart) to launch the
installer start screen. Select a Websense product installation to extract
the installer files.
The file will run automatically if autorun is enabled. The product CD
contains all the files needed to install Websense Enterprise
components.
A screen displays instructions for extracting the setup program.

Installer Download Extraction Screen

a. Click Browse to select a destination folder, or type in a path.

If the path you enter does not exist, the installer will create it for
you.

Stand-Alone Edition 75
Chapter 4: Installation

IMPORTANT
i
Do not extract the installer files to a folder on your
desktop. This may prevent the Real-Time Analyzer from
receiving the IP address of the Policy Server machine.
Accept the default location of C:\temp or select another
appropriate folder.

b. Click Extract to begin decompressing the files.

If Websense Enterprise installation files already exist in that
location, you may choose to overwrite the existing files.
A progress bar shows the status of the extraction, and the view
pane scrolls a list of the files as they are decompressed.
Setup.exe runs automatically after the files are decompressed.
4. Click Next on the welcome screen and follow the on-screen instructions
through the subscription agreement.
You are asked to select a Websense product to install.

Websense Product Selection Screen

5. Select Websense Enterprise and click Next.

You are offered a choice of two setup types.

76 Websense Enterprise
 Chapter 4: Installation

Setup Type Dialog Box

6. Select Custom and click Next.

7. To continue, proceed to the appropriate component section below.

Websense Manager
When you install Websense Enterprise on Linux, you must install the Websense
Manager on a separate Windows or Solaris machine in your network. Use the
following procedure to install the Websense Manager on a Windows machine.
1. Download and start the Windows installer using the procedure in
Windows Procedures, page 74.
2. Following the Custom installation path brings you to the component
selection screen. Select Websense Manager and click Next.
A dialog box appears, asking you to select an installation directory for the
Websense Manager.
3. Accept the default path (C:\Program Files\Websense) or click
Browse to locate another installation folder, and then click Next to
continue.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed:

Stand-Alone Edition 77
Chapter 4: Installation

„ If the installation machine has insufficient disk space, the selected

components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary list appears, showing the installation path, installation size,
and the components that will be installed.
4. Click Next to start the installation.
If you are using the online installer, the Download Manager progress bars
are displayed as Setup downloads the appropriate installer files from
Websense. Installation begins automatically when the necessary files have
been downloaded.
If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used unless
Network Agent is installed on a machine with direct access to internet
traffic. Click Next to continue.
When the installation is finished, a message appears advising you that the
procedure was successful.
5. Click Next to continue.
The installer displays a screen asking if you want to launch the Websense
Manager. By default, the Manager is selected for launch.
6. Make a selection, and click Finish.
7. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.

Network Agent
Network Agent must be able to monitor 2-way internet traffic from the
internal network. Install Network Agent on a machine that can see the internet
requests from the internal network as well as the internet response to the
requesting workstations.
If this installation is part of a multiple deployment of the Network Agent (for
load balancing purposes), you must be sure that the IP address ranges for each
instance of the Network Agent do not overlap. This will result in double
logging. Deploy the Network Agents so that they can filter the entire network.
Partial deployment will result in incomplete filtering by protocol and

78 Websense Enterprise
 Chapter 4: Installation

bandwidth, and incomplete basic HTTP filtering, as well as the loss of log
data from network segments not watched by the Network Agent. For
instructions on defining IP address ranges for multiple Network Agents, refer to
the Websense Enterprise Administrator’s Guide. For detailed information about
deploying Network Agent, refer to the Websense Enterprise Deployment Guide.
Do not install the Network Agent on a machine running any type of firewall.
The Network Agent uses a packet capturing utility which may not work
properly when installed on a firewall machine.
If you are attempting to install the Network Agent on a machine on which the
Filtering Service and Policy Server are already installed, refer to the
procedures in Adding Components, page 133.

IMPORTANT
i
The Websense Filtering Service and the Policy Server
must be installed and running prior to installing the
Network Agent, or installed at the same time as the
Network Agent. The installer asks for the IP addresses and
port numbers of these components and will not install the
Network Agent if the Policy Server and Filtering Service
cannot be located.

To install the Network Agent on a Windows machine:

1. Download and start the Windows installer using the procedure in
Windows Procedures, page 74.
2. Following the Custom installation path brings you to the component
selection screen. Select Network Agent and click Next.
Setup asks you to identify the machine on which the Policy Server is
installed.

IMPORTANT
i
The configuration port (55806) in this dialog box is the
default port number used by the installer to install the
Policy Server. If you installed the Policy Server using a
different port number, enter that port in this dialog box.

Stand-Alone Edition 79
Chapter 4: Installation

3. Enter the IP address of the Policy Server machine, and the port number if
different from the default, and then click Next.
If the installation machine is multihomed, all enabled network interface
cards (NICs) with an IP address appear in a list.
4. Select the card you want Network Agent to use to communicate and click
Next.
The installer displays the Network Agent installation screen and offers
you the option of testing your machine’s visibility to internet traffic. The
machine on which the Network Agent is installed must be able to monitor
2-way employee internet traffic for Network Agent to filter properly.

IMPORTANT
i
If you install the Network Agent on a machine that cannot
monitor targeted internet traffic, some features, such as
Dynamic Protocol Management and Bandwidth Optimizer,
will not perform as expected.

Network Agent Installation Screen

You are given the following three options:

„ Test Traffic Visibility: This selection launches the utility that tests
the visibility of internet traffic from the installation machine.

80 Websense Enterprise
 Chapter 4: Installation

„ Continue installation: If you know that the installation machine has

the necessary internet traffic visibility, you may select this option and
continue the installation without conducting the visibility test.
„ Exit Setup: If you determine that the installation machine cannot see
the appropriate internet traffic, select this option to exit Setup. Select
another machine for installation, reposition the current machine in the
network, or replace the NIC. Remember that the NIC must have an IP
address for Network Agent to function.
5. Click Test Traffic Visibility to check the visibility of internet traffic from
the installation machine.
The Traffic Visibility Test tool appears.

Traffic Visibility Test Tool

Stand-Alone Edition 81
Chapter 4: Installation

Field Description
Network Card Name of the network interface card (NIC) to test.
Active cards on the installation machine appear in
this list. Cards without an IP address will not appear
in this list.
Networks Tested Displays the netmasks that are being tested. You
may use the defaults provided or add your own.
These netmasks can reside in different network
segments depending upon the IP address ranges to
be filtered.
IP Address Count Number of IP addresses for which traffic is detected
during the test of a Network.
Detail Lists all the IP addresses in the network from which
internet traffic is being detected.

a. From the Network Card drop-down list, select the network interface
card (NIC) that you want to use for the Network Agent.
b. If the network you want to test with the NIC does not appear in the
default list, click Add Network.
The Add Network dialog box
appears.
c. Enter a new netmask value in
the Network ID field.
The subnet mask defaults to
255.0.0.0 and changes
appropriately as the netmask is defined.
d. Click OK to return to the Traffic Visibility Test dialog box.
Your new network appears in the list.
e. Click Start Test to begin testing all the networks in the list.
The counter in the IP Address Count column should begin recording
internet traffic immediately from the networks listed. The counter
increments each time the NIC detects an individual IP address from
the target network in a passing packet. The activity bar at the bottom
of the dialog box indicates that a test is in progress.
If the count for a network remains at zero or is very low, the selected
NIC cannot see the traffic it is supposed to monitor.

82 Websense Enterprise
 Chapter 4: Installation

f. If the Network Agent is unable to see the desired traffic, perform one
or both of the following tasks:
• If the installation machine has multiple NICs, select a different
card to test.
• Resolve network configuration issues to make sure that the NIC
can see the desired traffic. This might involve connecting to a
different router or configuring for port spanning in a switched
environment. See Chapter 2: Network Configuration for
deployment information.
g. Click Stop Test when you are ready to continue installation.
h. Click Close to exit the traffic visibility test screen.
6. Continue with the installation or exit Setup.
„ Select Continue installation if you are sure that your NIC is able to
monitor all targeted internet traffic.
„ Select Exit Setup if the visibility test fails. You must either reposition
the machine in the network, select another machine on which to
install the Network Agent, or install a different NIC.
7. Click Next to continue.
The installer asks you if this machine is running a firewall. Network
Agent cannot function properly on a machine running a firewall.
8. Select Yes or No, and then click Next to continue.
„ Select Yes if you are attempting to install Network Agent on a
firewall machine, and Setup will close. Install the Network Agent on
a machine that is not running a firewall.
„ Select No if the installation machine is not being used as a firewall.
Installation will continue.
If the installation machine has multiple network interface cards (NICs), a
screen appears asking you to select the network interface card (NIC) that
you want to use for capturing traffic. All network interface cards enabled
in the machine appear in a list.
9. If presented with a list, select the desired card and click Next to continue.

Stand-Alone Edition 83
Chapter 4: Installation

Setup asks you to identify the machine on which the Websense Filtering
Service is installed.

IMPORTANT
i
The communication port (15868) in this dialog box is the
default port number used by the installer to install the
Filtering Service. If you installed the Filtering Service
using a different port number, enter that port in this dialog
box.

10. Enter the IP address of the Filtering Service machine, and the port number
if different from the default, and then click Next.
Setup asks you to select an installation folder for the Websense Enterprise
components.
11. Accept the default path (C:\Program Files\Websense) or click
Browse to locate another installation folder, and then click Next to
continue.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed:
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary list appears, showing the installation path, installation size,
and the components that will be installed.
12. Click Next to start the installation.
If you are using the online installer, the Download Manager progress bars
are displayed as Setup downloads the appropriate installer files from
Websense. Installation begins automatically when the necessary files have
been downloaded.
When the installer is finished, a message appears advising you that the
procedure was successful.
13. Click Finish to exit the installer.

84 Websense Enterprise
 Chapter 4: Installation

14. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.
15. Configure Network Agent for use in your network. Refer to the Network
Agent chapter of the Websense Enterprise Administrator’s Guide for
instructions.

DC Agent
The Websense DC Agent installs on Windows only and is used in networks
that authenticate users with a Windows directory service (NTLM-based or
Active Directory). If you installed Websense Enterprise on a Windows
machine, you were prompted to install the DC Agent. If you did not install it
together with the Filtering Service at that time, and if you need to authenticate
through a Windows-based directory service, you can install DC Agent with
the following procedure.
If your network is large, you may benefit from installing DC Agent on
multiple machines. This way, you will have ample space for DC Agent files
that are continually populated with user information. For additional
information about how to deploy DC Agent, refer to Websense Enterprise
Components, page 13.
To install DC Agent on a Windows machine:
1. Download and start the Windows installer using the procedure in
Windows Procedures, page 74.
2. Following the Custom installation path brings you to the component
selection screen. Select DC Agent and click Next.
If the installation machine is multihomed, all enabled network interface
cards appear in a list.
3. Select the card you want DC Agent to use to communicate and click
Next.
Setup asks you to identify the machine on which the Policy Server is
installed.

IMPORTANT
i
The configuration port (55806) in this dialog box is the
default port number used by the installer to install the
Policy Server. If you installed the Policy Server using a
different port number, enter that port in this dialog box.

Stand-Alone Edition 85
Chapter 4: Installation

4. Enter the IP address of the Policy Server machine, and the port number if
different from the default, and then click Next.
The installer asks you to provide a user name and a password with
administrative privileges on the domain. If you attempt to install DC
Agent without providing access to directory information, DC Agent will
be unable to identify users transparently.
5. Enter the domain and user name, followed by the network password for
an account with domain privileges, and then click Next.
Setup asks you to select an installation folder for the Websense Enterprise
components.
6. Accept the default path (C:\Program Files\Websense) or click
Browse to locate another installation folder, and then click Next to
continue.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed:
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary list appears, showing the installation path, installation size,
and the components that will be installed.
7. Click Next to start the installation.
If you are using the online installer, the Download Manager progress bars
are displayed as Setup downloads the appropriate installer files from
Websense. Installation begins automatically when the necessary files have
been downloaded.
If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used unless
Network Agent is installed on a machine with direct access to internet
traffic. Click Next to continue.
A message appears advising you that the procedure was successful.
8. Click Next to continue.

86 Websense Enterprise
 Chapter 4: Installation

A dialog box appears advising you that the machine must be restarted to
complete the installation.
9. Select a restart option and click Finish to exit the installer.
10. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.
11. Configure User Service to communicate with DC Agent by following the
instructions in the User Identification chapter of the Websense Enterprise
Administrator’s Guide.

Real-Time Analyzer (RTA)

RTA graphically displays bandwidth usage information and shows requests by
category or protocol. RTA installs on Windows only. You can have only one
instance of RTA for each Policy Server in your network.
To install RTA on a Windows machine:
1. Download and start the Windows installer using the procedure in Windows
Procedures, page 74.
2. Following the Custom installation path brings you to the component
selection screen. Select Real-Time Analyzer and click Next.
If the installation machine is multihomed, all enabled network interface
cards appear in a list.
3. Select the card you want RTA to use to communicate and click Next.
Setup asks you to identify the machine on which the Policy Server is
installed.

IMPORTANT
i
The configuration port (55806) in this dialog box is the
default port number used by the installer to install the
Policy Server. If you installed the Policy Server using a
different port number, enter that port in this dialog box.

4. Enter the IP address of the Policy Server machine, and the port number if
different from the default, and then click Next.
The installer checks your system for a supported web server (Apache Web
Server or IIS) for the Real-Time Analyzer and takes the following action:

Stand-Alone Edition 87
Chapter 4: Installation

„ If both supported web servers are detected, a dialog box appears

asking you to choose one server for RTA.
„ If one of the supported servers is detected, the installer continues. No
notification appears.
„ If neither supported web server is detected, the installer gives you the
option to install the Apache Web Server or continue the installation
without installing RTA.

RTA Web Server Dialog Box

If you select the Apache Web Server installation option, the Websense
installer starts the Apache installer and exits without installing any
Websense Enterprise components. You must restart your computer
after installing the Apache Web Server and run the Websense
Enterprise installer again to install Websense.

NOTE
Apache Web Server documentation is installed in HTML
format in the docs/manual/ directory. The latest
version can be found at: http://httpd.apache.org/docs-2.0/.

5. Select a web server installation option and click Next to continue.

88 Websense Enterprise
 Chapter 4: Installation

If you are using IIS as your web server, you are prompted to select the
name of the website in the IIS Manager under which the installer should
create a virtual directory. The default value is Default Web Site, which is
correct in most instances.

Virtual Directory Selection

6. If you have renamed the default website in the IIS Manager or are using a
language version of Windows other than English, select the proper
website from the names in the drop-down list, and then click Next to
continue.
Setup asks you to select an installation folder for the Websense Enterprise
components.
7. Accept the default path (C:\Program Files\Websense) or click
Browse to locate another installation folder, and then click Next to
continue.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed:
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.

Stand-Alone Edition 89
Chapter 4: Installation

„ If the installation machine has less than the recommended amount of

memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary list appears, showing the installation path, installation size,
and the components that will be installed.
8. Click Next to start the installation.
If you are using the online installer, the Download Manager progress bars
are displayed as Setup downloads the appropriate installer files from
Websense. Installation begins automatically when the necessary files have
been downloaded.
If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used unless
Network Agent is installed on a machine with direct access to internet
traffic. Click Next to continue.
A message appears advising you that the procedure was successful.
9. Click Next to continue.
The application launcher screen appears asking if you want to start the
Real-Time Analyzer. By default, Real-Time Analyzer is selected for
launch.

Application Launcher

90 Websense Enterprise
 Chapter 4: Installation

10. Make a selection and click Finish to exit the installer.

NOTE
Before you can access Real-Time Analyzer and other
Websense Reporting Tools, you must first log on to
Websense Manager and configure user permissions. See
the Websense Enterprise Administrator’s Guide for more
information.

11. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.

Usage Monitor
Usage Monitor tracks users’ internet activity and sends alerts when internet
activity for particular URL categories or protocols reaches threshold limits
you have configured. You can have only one instance of Usage Monitor for
each Policy Server in your network.
To install Usage Monitor on a Windows machine:
1. Download and start the Windows installer using the procedure in Windows
Procedures, page 74.
2. Following the Custom installation path brings you to the component
selection screen. Select Usage Monitor and click Next.
If the installation machine is multihomed, all enabled network interface
cards appear in a list.
3. Select the card you want Usage Monitor to use to communicate and click
Next.
Setup asks you to identify the machine on which the Policy Server is
installed.

IMPORTANT
i
The configuration port (55806) in this dialog box is the
default port number used by the installer to install the
Policy Server. If you installed the Policy Server using a
different port number, enter that port in this dialog box.

Stand-Alone Edition 91
Chapter 4: Installation

4. Enter the IP address of the Policy Server machine, and the port number if
different from the default, and then click Next.
Setup asks you to select an installation folder for the Websense Enterprise
components.
5. Accept the default path (C:\Program Files\Websense) or click
Browse to locate another installation folder, and then click Next to
continue.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed:
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary list appears, showing the installation path, installation size,
and the components that will be installed.
6. Click Next to start the installation.
If you are using the online installer, the Download Manager progress bars
are displayed as Setup downloads the appropriate installer files from
Websense. Installation begins automatically when the necessary files have
been downloaded.
If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used unless
Network Agent is installed on a machine with direct access to internet
traffic. Click Next to continue.
A message appears advising you that the procedure was successful.
7. Click Finish to exit the installer.
8. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.
9. In the Websense Manager, configure the Usage Monitor to send Usage
Alerts by selecting Server > Settings > Alerts and Notifications. See the
Websense Enterprise Administrator’s Guide for details.

92 Websense Enterprise
 Chapter 4: Installation

RADIUS Agent
The Websense RADIUS Agent allows you to integrate your Websense
filtering policies with authentication provided by a RADIUS server. RADIUS
Agent enables Websense Enterprise to identify users transparently who access
your network using a dial-up, Virtual Private Network (VPN), Digital
Subscriber Line (DSL), or other remote connection.
To install the RADIUS Agent on a Windows machine:
1. Download and start the Windows installer using the procedure in Windows
Procedures, page 74.
2. Following the Custom installation path brings you to the component
selection screen. Select RADIUS Agent and click Next.
Setup asks you to identify the machine on which the Policy Server is
installed.

IMPORTANT
i
The configuration port (55806) in this dialog box is the
default port number used by the installer to install the
Policy Server. If you installed the Policy Server using a
different port number, enter that port in this dialog box.

3. Enter the IP address of the Policy Server machine, and the port number if
different from the default, and then click Next.
If the installation machine is multihomed, all enabled network interface
cards (NICs) with an IP address appear in a list.
4. Select the card you want RADIUS Agent to use to communicate and click
Next.
Setup asks you to select an installation folder for the Websense Enterprise
components.
5. Accept the default path (C:\Program Files\Websense) or click
Browse to locate another installation folder, and then click Next to
continue.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed:

Stand-Alone Edition 93
Chapter 4: Installation

„ If the installation machine has insufficient disk space, the selected

components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary list appears, showing the installation path, installation size,
and the components that will be installed.
6. Click Next to start the installation.
If you are using the online installer, the Download Manager progress bars
are displayed as Setup downloads the appropriate installer files from
Websense. Installation begins automatically when the necessary files have
been downloaded.
If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used unless
Network Agent is installed on a machine with direct access to internet
traffic. Click Next to continue.
When the installer is finished, a message appears advising you that the
procedure was successful.
7. Click Finish to exit the installer.
8. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.
9. Configure the RADIUS Agent, and configure your environment for
RADIUS Agent. See the User Identification chapter in the Websense
Enterprise Administrator’s Guide for instructions.

eDirectory Agent
The Websense eDirectory Agent works together with Novell eDirectory to
identify users transparently so that Websense can filter them according to
particular policies assigned to users or groups.
To install the eDirectory Agent on a Windows machine:
1. Download and start the Windows installer using the procedure in
Windows Procedures, page 74.

94 Websense Enterprise
 Chapter 4: Installation

2. Following the Custom installation path brings you to the component

selection screen. Select eDirectory Agent and click Next.
Setup asks you to identify the machine on which the Policy Server is
installed.

IMPORTANT
i
The configuration port (55806) in this dialog box is the
default port number used by the installer to install the
Policy Server. If you installed the Policy Server using a
different port number, enter that port in this dialog box.

3. Enter the IP address of the Policy Server machine, and the port number if
different from the default, and then click Next.
If the installation machine is multihomed, all enabled network interface
cards (NICs) with an IP address appear in a list.
4. Select the card you want eDirectory Agent to use to communicate and
click Next.
Setup asks for the Novell eDirectory name and password.
5. Enter the full distinguished name and a valid password, and then click
Next to continue.
Setup asks you to select an installation folder for the Websense Enterprise
components.
6. Accept the default path (C:\Program Files\Websense) or click
Browse to locate another installation folder, and then click Next to
continue.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed:
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.

Stand-Alone Edition 95
Chapter 4: Installation

A summary list appears, showing the installation path, installation size,

and the components that will be installed.
7. Click Next to start the installation.
If you are using the online installer, the Download Manager progress bars
are displayed as Setup downloads the appropriate installer files from
Websense. Installation begins automatically when the necessary files have
been downloaded.
If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used unless
Network Agent is installed on a machine with direct access to internet
traffic. Click Next to continue.
When the installer is finished, a message appears advising you that the
procedure was successful.
8. Click Finish to exit the installer.
9. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.
10. Configure the eDirectory Agent and Novell eDirectory by following the
instructions in the User Identification chapter of the Websense Enterprise
Administrator’s Guide.

Logon Agent
The Websense Logon Agent detects users as they log on to Windows domains
in your network via client machines. The Logon Agent receives logon
information from LogonApp.exe, a separate client application that runs
only on Windows client machines, and must be run by a logon script. For
information about setting up this script in your network, refer to Creating and
Running the Script for Logon Agent, page 168.
Logon Agent can be run together with DC Agent if some of the users in your
network are not being authenticated properly. This might happen if your
network uses Windows 98 workstations, which do not permit DC Agent to
poll users for their identification when they make an internet request.
To install the Logon Agent on a Windows machine:
1. Download and start the Windows installer using the procedure in Windows
Procedures, page 74.

96 Websense Enterprise
 Chapter 4: Installation

2. Following the Custom installation path brings you to the component

selection screen. Select Logon Agent and click Next.
Setup asks you to identify the machine on which the Policy Server is
installed.

IMPORTANT
i
The configuration port (55806) in this dialog box is the
default port number used by the installer to install the
Policy Server. If you installed the Policy Server using a
different port number, enter that port in this dialog box.

3. Enter the IP address of the Policy Server machine, and the port number if
different from the default, and then click Next.
If the installation machine is multihomed, all enabled network interface
cards (NICs) with an IP address appear in a list.
4. Select the card you want Logon Agent to use to communicate and click
Next.
Setup asks you to select an installation folder for the Websense Enterprise
components.
5. Accept the default path (C:\Program Files\Websense) or click
Browse to locate another installation folder, and then click Next to
continue.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed:
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary list appears, showing the installation path, installation size,
and the components that will be installed.
6. Click Next to start the installation.

Stand-Alone Edition 97
Chapter 4: Installation

If you are using the online installer, the Download Manager progress bars
are displayed as Setup downloads the appropriate installer files from
Websense. Installation begins automatically when the necessary files have
been downloaded.
If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used unless
Network Agent is installed on a machine with direct access to internet
traffic. Click Next to continue.
When the installer is finished, a message appears advising you that the
procedure was successful.
7. Click Finish to exit the installer.
8. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.
9. Set up the required logon script by following the instructions is Creating
and Running the Script for Logon Agent, page 168.
10. Configure Logon Agent to communicate with client workstations and the
Filtering Service by following the instructions in the User Identification
chapter of the Websense Enterprise Administrator’s Guide.

Remote Filtering Server

The Remote Filtering Server provides web filtering for user workstations
located outside the network firewall. In order to be filtered through the
Remote Filtering Server, a remote workstation must be running the Remote
Filtering Client. (For Remote Filtering Client installation instructions, see
Remote Filtering Client, page 105.)

NOTE
To enable the Remote Filtering components, you must
subscribe to the remote filtering service.

The Remote Filtering Server should be installed on a separate, dedicated

machine. This machine must be able to communicate with the Websense
Filtering Service and with the remote workstations outside the network
firewall. The Remote Filtering Server machine does not have to be joined to a
domain.

98 Websense Enterprise
 Chapter 4: Installation

To provide failover capability for the primary Remote Filtering Server, you
can install secondary and tertiary Remote Filtering Servers. Each Remote
Filtering Client can be configured to connect with a primary, secondary, and
tertiary Remote Filtering Server. If the primary server is unavailable, the
client will attempt to connect with the secondary, then the tertiary, then the
primary again, and so on.

IMPORTANT
i
Install only one primary Remote Filtering Server for each
Filtering Service in your network. Do not install the
Remote Filtering Server on the same machine as the
Filtering Service or Network Agent.

To install the Remote Filtering Server on a Windows machine:

1. Download and start the Windows installer using the procedure in Windows
Procedures, page 74.
2. Following the Custom installation path brings you to the component
selection screen. Select Remote Filtering Server and click Next.
If the installation machine is multihomed, all enabled network interface
cards appear in a list.
3. Select the card you want the Remote Filtering Server to use to
communicate with other Websense components inside the network
firewall, and click Next.
Remote Filtering Clients must be able to connect to the Remote Filtering
Server, both from inside and from outside the internet gateway or network
firewall. Setup asks you to provide connection information for this
machine.

Stand-Alone Edition 99
Chapter 4: Installation

Remote Filtering Server Communication

4. In the External IP or Hostname field, enter an IP address or machine

name (in the form of a fully qualified domain name) that is visible from
outside the firewall.
5. In the External Communication Port field, enter a port number (from
10 to 65535) that is not in use, and that is accessible from outside the
network firewall.

IMPORTANT
i
The port entered as the External Communication Port
must be opened on your network firewall to accept
connections from Remote Filtering Clients on
workstations located outside the firewall. For more
information, see Firewall Configuration for Remote
Filtering, page 175.

100 Websense Enterprise

 Chapter 4: Installation

6. In the Internal Communication Port field, enter a port number (from

1024 to 65535) that is not in use, and that is accessible only from inside
the network firewall.

IMPORTANT
i
Be sure that your network firewall is configured to block
connections to the Internal Communication Port from
workstations located outside the firewall. For more
information, see Firewall Configuration for Remote
Filtering, page 175.

7. Click Next to continue.

Setup asks you to enter a pass phrase of any length for the Remote
Filtering Server. This pass phrase will be combined with unpublished
keys to create an encrypted authentication key (shared secret) for secure
client/server communication.

Encryption Pass Phrase

8. Before selecting a pass phrase, consider the following requirements:

„ If Websense Client Policy Manager (CPM) is already installed in your
network, you must enter the same pass phrase used when installing
CPM.

Stand-Alone Edition 101

Chapter 4: Installation

„ If you install Websense Client Policy Manager (CPM) in your

network in the future, you must use the pass phrase you enter in this
screen.
„ If you want this installation of the Remote Filtering Server to function
as a backup (secondary or tertiary) server for a primary Remote
Filtering Server, you must enter the same pass phrase used when
installing the primary Remote Filtering Server.
„ The pass phrase must include only ASCII characters.
„ You must use the pass phrase you enter in this screen when you install
the Remote Filtering Clients that will connect with this server. (See
Remote Filtering Server Connection Information, page 107.)
9. Enter and confirm your pass phrase.

IMPORTANT
i
Be sure to record your pass phrase and keep it in a safe
place, as you will not be able to retrieve it from the
Websense system later.

10. Click Next to continue.

Setup asks you to identify the machine on which the Websense Filtering
Service is installed.

IMPORTANT
i
The communication port (15868) in this dialog box is the
default port number used by the installer to install the
Filtering Service. If you installed the Filtering Service
using a different port number, enter that port in this dialog
box.

11. Enter the IP address of the Filtering Service machine, and the port number
if different from the default, and then click Next.
Setup asks you to select an installation folder for the Websense Enterprise
components.
12. Accept the default path (C:\Program Files\Websense) or click
Browse to locate another installation folder, and then click Next to
continue.

102 Websense Enterprise

 Chapter 4: Installation

The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed:
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary list appears, showing the installation path, installation size,
and the components that will be installed.
13. Click Next to start the installation.
If you are using the online installer, the Download Manager progress bars
are displayed as Setup downloads the appropriate installer files from
Websense. Installation begins automatically when the necessary files have
been downloaded.
Since the Network Agent was not installed on this machine, a message
reminds you that Protocol Management and Bandwidth Optimizer cannot
be used unless Network Agent is installed on a machine with direct access
to internet traffic. Click Next to continue.
A message appears advising you that the procedure was successful.
14. Click Finish to exit the installer.
15. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.

IMPORTANT
i
Make sure that Network Agent is not filtering http
requests going to or from the Remote Filtering Server
machine.
For information about configuring Network Agent, see the
Network Agent chapter in the Websense Enterprise
Administrator’s Guide.

Stand-Alone Edition 103

Chapter 4: Installation

Remote Filtering Client Pack

The Remote Filtering Client Pack is an installer package that allows you to
install the Remote Filtering Client. Once you have this installer package, you
can use it to deploy the Remote Filtering Client on Windows workstations
(see Remote Filtering Client, page 105). The Remote Filtering Client Pack
can be installed on Windows machines only.

NOTE
To enable the Remote Filtering components, you must
subscribe to the remote filtering service.

To install the Remote Filtering Client Pack on a Windows machine:

1. Download and start the Windows installer using the procedure in
Windows Procedures, page 74.
2. Following the Custom installation path brings you to the component
selection screen. Select Remote Filtering Client Pack and click Next.
Setup asks you to select an installation folder for the Remote Filtering
Client Pack.
3. Accept the default path (C:\Program Files\Websense) or click
Browse to locate another installation folder, and then click Next to
continue.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed:
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary list appears, showing the installation path, installation size,
and the components that will be installed.
4. Click Next to start the installation.

104 Websense Enterprise

 Chapter 4: Installation

If you are using the online installer, the Download Manager progress bars
are displayed as Setup downloads the appropriate installer files from
Websense. Installation begins automatically when the necessary files have
been downloaded.
If the Network Agent was not installed on this machine, a message
reminds you that Protocol Management and Bandwidth Optimizer cannot
be used unless Network Agent is installed on a machine with direct access
to internet traffic. Click Next to continue.
A message appears advising you that the procedure was successful.
5. Click Finish to exit the installer.
6. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.
7. If you accepted the default installation path in Step 3, the Remote
Filtering Client Pack can be found in the following location:
C:\Program Files\Websense\bin\
RemoteFilteringAgentPack\NO_MSI\CPMClient.msi
8. Use the Remote Filtering Client Pack to install the Remote Filtering
Client on user workstations that you want to filter when they are outside
the network firewall. See Remote Filtering Client, page 105 for details.

Remote Filtering Client

The Remote Filtering Client is installed on workstations that will be used
outside the network firewall. This component connects with a Remote
Filtering Server located inside the network firewall to enable web filtering on
the remote workstation. The Remote Filtering Client installs on Windows
only.

NOTE
To enable the Remote Filtering components, you must
subscribe to the remote filtering service.

The Remote Filtering Client can be installed in two ways:

‹ Manual installation: Use the Remote Filtering Client Pack to manually
install the Remote Filtering Client on an individual workstation. See
Manual Installation of Remote Filtering Client, page 106 for information.

Stand-Alone Edition 105

Chapter 4: Installation

‹ Automatic deployment with third-party tool: Use the Remote Filtering

Client Pack and a third-party deployment tool to automatically deploy the
Remote Filtering Client to user workstations. See Deploying Remote
Filtering Client with Third-Party Deployment Tool, page 110 for
information.

WARNING
!
Do not install the Remote Filtering Client on:
‹ Machines running Windows 2000, Service Pack 2 or
earlier. The installation will fail. See the Websense
Enterprise Deployment Guide for information about
system requirements.
‹ Machines where you installed the Remote Filtering
Server. A Remote Filtering Client running on the same
machine as the Remote Filtering Server will
eventually cause remote filtering to fail.

Manual Installation of Remote Filtering Client

To manually install the Remote Filtering Client on a Windows workstation:
1. Make sure that the Remote Filtering Server with which this client will
connect has been installed on a separate machine. See Remote Filtering
Server, page 98 for Windows installation instructions; see Remote
Filtering Server, page 129 for Solaris and Linux installation instructions.
2. Install the Remote Filtering Client Pack on the workstation. See Remote
Filtering Client Pack, page 104 for instructions.
3. Double-click the CPMClient.msi file. If you selected the default
installation path of C:\Program Files\Websense, this file will be
located at:
C:\Program Files\Websense\bin\
RemoteFilteringAgentPack\NO_MSI\CPMClient.msi
The InstallShield Wizard for Remote Filtering Client will open.
4. Click Next to continue.

106 Websense Enterprise

 Chapter 4: Installation

Remote Filtering Clients must be able to connect with a Remote Filtering

Server from outside your organization’s internet gateway or firewall. You
are asked to provide connection information for the Remote Filtering
Servers that this client will use for web filtering.

Remote Filtering Server Connection Information

The Remote Filtering Client must be configured to connect with a

primary Remote Filtering Server. If optional secondary and tertiary
Remote Filtering Servers were installed to provide failover capability for
the primary server, the Remote Filtering Client must be configured to
connect with these as well. The Remote Filtering Client will attempt to
connect with the primary Remote Filtering Server first, then the
secondary, then the tertiary, then the primary again, and so on.
5. In the Primary Remote Filtering Server section of the screen, enter
connection information for the Remote Filtering Server that you want this
client to attempt to connect with first:

Stand-Alone Edition 107

Chapter 4: Installation

„ Enter the externally visible IP address or fully qualified domain name

(FQDN) of the primary Remote Filtering Server machine in the
External IP or Domain Name field.

IMPORTANT
i
You must use the same external address in the same
address format—IP address or FQDN—that you entered
when you installed this Remote Filtering Server. That is, if
you entered an IP address in the External IP or
Hostname field when installing the Remote Filtering
Server, you must enter the same IP address in this field. If
you entered a machine name in the form of a fully
qualified domain name (FQDN), you must enter the same
FQDN here.

„ In the Port field to the right of the External IP or Domain Name

field, enter the port number for the externally visible port used to
communicate with the primary Remote Filtering Server from outside
the network firewall. This must be the same port entered in the
External Communication Port field when this Remote Filtering
Server was installed.
„ Enter the internal IP address or machine name of the primary Remote
Filtering Server machine in the Internal IP or Hostname field.
„ In the Port field to the right of the Internal IP or Hostname field,
enter the port number for the internal communication port on the
primary Remote Filtering Server that can only be accessed from
inside the network firewall. This must be the same port entered in the
Internal Communication Port field when this Remote Filtering
Server was installed.

NOTE
If the Remote Filtering Client is on a notebook computer
that is used both inside and outside the network firewall,
this port allows Websense to determine where the machine
is located and filter it appropriately. The machine will be
filtered in the same way as an internal client when it is
used inside the organization’s network firewall, and by the
Remote Filtering Service when it is used remotely.

108 Websense Enterprise

 Chapter 4: Installation

6. If you have installed the optional secondary and tertiary Remote Filtering
Servers to provide failover protection for the primary Remote Filtering
Server, enter connection information for these servers in the Secondary
Remote Filtering Server and Tertiary Remote Filtering Server
sections of the screen.
7. In the Encryption and Authentication section, do one of the following:
„ Select Passphrase and enter the same pass phrase that was entered in
the Pass Phrase field during installation of the primary Remote
Filtering Server. (The secondary and tertiary Remote Filtering
Servers must have the same pass phrase as their primary Remote
Filtering Server.)
-OR-
„ Select Encrypted Key and enter the encrypted key (shared secret)
created from the pass phrase and unpublished Remote Filtering
Server keys. The encrypted key can be found in the WSSEK.dat file
on the Remote Filtering Server machine. If you selected the default
installation path, this file will be located at:
C:\Program Files\Websense\bin\WSSEK.dat
on Windows machines, and
/opt/Websense/bin/WSSEK.dat
on Solaris and Linux machines.
8. Click Next to continue.
9. Click Install to begin installation.
When the installer is finished, a message appears advising you that the
procedure was successful.
10. Click Finish to exit the installer.

Stand-Alone Edition 109

Chapter 4: Installation

Deploying Remote Filtering Client with Third-Party Deployment Tool

Before deploying the Remote Filtering Client to user workstations, make sure
that the Remote Filtering Server with which these clients will connect has
been installed on a separate machine. See Remote Filtering Server, page 98
for Windows installation instructions; see Remote Filtering Server, page 129
for Solaris and Linux installation instructions.
To obtain the installer for the Remote Filtering Client, install the Remote
Filtering Client Pack on a Windows machine (see Remote Filtering Client
Pack, page 104 for instructions). If you selected the default installation path
of C:\Program Files\Websense, the installer is placed in the
following location:
C:\Program Files\Websense\bin\
RemoteFilteringAgentPack\NO_MSI\CPMClient.msi
To deploy the Remote Filtering Client to Windows workstations, use this
installer with a third-party deployment tool, such as Microsoft® Systems
Management Server (SMS) or Novell® ZENworks®.
Command Line Parameters for Remote Filtering Client Installation
This section provides the command line parameters required to deploy the
Remote Filtering Client using a third-party deployment tool.
Remote Filtering Clients are installed on user workstations or notebook
computers that are used outside your organization’s internet gateway or
firewall. These machines must be able to connect with a Remote Filtering
Server that is located inside the internet gateway or firewall.
Each Remote Filtering Client must be configured to connect with a primary
Remote Filtering Server. If optional secondary and tertiary Remote Filtering
Servers were installed to provide failover capability for the primary server, the
Remote Filtering Client must be configured to connect with these as well. The
Remote Filtering Client will attempt to connect with the primary Remote
Filtering Server first, then the secondary, then the tertiary, then the primary
again, and so on.
‹ The following parameters must be configured to allow the Remote
Filtering Client to communicate with the primary Remote Filtering
Server:

110 Websense Enterprise

 Chapter 4: Installation

„ PRIMARY_WISP_ADDRESS=<external IP address or
FQDN of primary Remote Filtering Server>
The externally visible address for the primary Remote Filtering
Server machine, as entered in the External IP or Hostname field
when the primary Remote Filtering Server was installed.

IMPORTANT
i
This must be the same external address in the same
address format—IP address or FQDN—that was entered
when this Remote Filtering Server was installed. That is, if
you entered an IP address in the External IP or
Hostname field when installing the Remote Filtering
Server, you must enter the same IP address here. If you
entered a machine name in the form of a fully qualified
domain name (FQDN), you must enter the same FQDN
here.

„ PRIMARY_WISP_PORT=<external port number of

primary Remote Filtering Server>
The port number for the externally visible port used to communicate
with the primary Remote Filtering Server from outside the network
firewall. This must be the same port entered in the External
Communication Port field when this Remote Filtering Server was
installed.
„ PRIMARY_INTERNAL_WISP_ADDRESS=<internal IP
address or FQDN of primary Remote Filtering
Server>
The internal address, visible from inside the network firewall, for the
machine on which the primary Remote Filtering Server is installed.
„ PRIMARY_INTERNAL_WISP_PORT=<internal port
number of primary Remote Filtering Server>
The port number for the internal communication port on the primary
Remote Filtering Server that can only be accessed from inside the
network firewall. This must be the same port entered in the Internal
Communication Port field when the Remote Filtering Server was
installed.
‹ If secondary and tertiary Remote Filtering Servers have been installed,
use the following parameters to configure communication with them:

Stand-Alone Edition 111

Chapter 4: Installation

„ SECONDARY_WISP_ADDRESS=<external IP address or
FQDN of secondary Remote Filtering Server>
„ SECONDARY_WISP_PORT=<external IP address or
FQDN of secondary Remote Filtering Server>
„ SECONDARY_INTERNAL_WISP_ADDRESS=<internal IP
address or FQDN of secondary Remote Filtering
Server>
„ SECONDARY_INTERNAL_WISP_PORT=<internal IP
address or FQDN of secondary Remote Filtering
Server>
„ TERTIARY_WISP_ADDRESS=<external IP address or
FQDN of tertiary Remote Filtering Server>
„ TERTIARY_WISP_PORT=<external IP address or
FQDN of tertiary Remote Filtering Server>
„ TERTIARY_INTERNAL_WISP_ADDRESS=<internal IP
address or FQDN of tertiary Remote Filtering
Server>
„ TERTIARY_INTERNAL_WISP_PORT=<internal IP
address or FQDN of tertiary Remote Filtering
Server>
These addresses and port numbers must match those entered during
installation of the Remote Filtering Servers, as noted above for the
primary Remote Filtering Server.
‹ PATH=<installation path>
Directory where the Remote Filtering Client will be installed on each
client workstation. If this parameter is not specified, the default
installation path is C:\PROGRAM FILES\Websense\WDC, and the
WDC directory is hidden by default.
‹ PASSPHRASE=<pass phrase for Remote Filtering
Server>
The Pass Phrase entered when the primary Remote Filtering Server was
installed. Note that all Remote Filtering Servers in the same failover
group (primary, secondary, and tertiary) must have the same pass phrase.
‹ REBOOT=YES | NO | PROMPT | IF_NEEDED_PROMPT
This parameter defines whether the client workstation is automatically
restarted after the Remote Filtering Client is installed (or uninstalled).
Values for this parameter are:
„ YES: Machines are restarted; users are not prompted to restart.

112 Websense Enterprise

 Chapter 4: Installation

„ NO: Machines are not restarted, and users are not prompted to restart.
„ PROMPT: Users are prompted to restart their machines.
„ IF_NEEDED_PROMPT: Users are prompted to restart their machines
only if it is required. (Default.)

IMPORTANT
i
You must restart the workstation after installing the
Remote Filtering Client if:
‹ The workstation’s operating system is Windows 2000.
‹ Check Point® VPN-1® is running on the workstation.
You must always restart the workstation after uninstalling
the Remote Filtering Client.

‹ /qn
Switch for quiet installation mode. When you use this option, Remote
Filtering Client will install without displaying any information to the user
at the workstation. If you do not use /qn, the installer launches in
interactive mode and installation dialog boxes display to the user during
installation. Most organizations choose the quiet mode, as interactive
deployment has little value.
Syntax
The following is an example of the command line syntax used to install the
Remote Filtering Client with a third-party deployment tool. Replace the
variables in angle brackets with appropriate values for your network.
msiexec /i cpmclient.msi PASSPHRASE=<pass phrase
for Remote Filtering Server>
PRIMARY_WISP_ADDRESS=<external IP Address or FQDN
of primary Remote Filtering Server>
PRIMARY_WISP_PORT=<external port number of
primary Remote Filtering Server>
PRIMARY_INTERNAL_WISP_ADDRESS=<internal IP
address or host name of primary Remote Filtering
Server> PRIMARY_INTERNAL_WISP_PORT=<internal port
number of primary Remote Filtering Server>
REBOOT=<reboot parameter> /qn

Stand-Alone Edition 113

Chapter 4: Installation

For example, the installation command might look like this:

msiexec /i cpmclient.msi PASSPHRASE=2gbatfm
PRIMARY_WISP_ADDRESS=63.16.200.232
PRIMARY_WISP_PORT=80
PRIMARY_INTERNAL_WISP_ADDRESS=10.218.5.60
PRIMARY_INTERNAL_WISP_PORT=9000 REBOOT=NO /qn
The following is the actual command that can be used to uninstall the Remote
Filtering Client:
msiexec.exe /x - {14D74337-01C2-4F8F-B44B-
67FC613E5B1F} /qn

Solaris and Linux Procedures

The steps in this section are common to all separate installations of Websense
Enterprise components on Solaris or Linux. Start here to download and run
the Websense installer, and then refer to the appropriate sections for the
component-specific procedures.
To install components separately on Solaris or Linux:
1. Log on to the installation machine as the root user.
2. Close all applications and stop any antivirus software.
3. Create a setup directory for the installer files.
For example: /root/Websense_setup
4. Download the installer file from http://www.websense.com/global/en/
downloads, or copy it from the Websense Enterprise CD and save it to the
setup directory.
„ Solaris: Websense61Setup_Slr.tar.gz
„ Linux: Websense61Setup_Lnx.tar.gz
5. Enter the following command to unzip the installer file:
gunzip <download file name>
For example: gunzip Websense61Setup_Slr.tar.gz
6. Expand the file into its components with the following command:
tar xvf <unzipped file name>
For example: tar xvf Websense61Setup_Lnx.tar

114 Websense Enterprise

 Chapter 4: Installation

This places the following files into the setup directory:

File Description
install.sh Installation program
Setup Archive file containing related installation files and
documents.
Documentation Release Notes: An HTML file containing release
notes and last minute information about Websense.
Read this file with any supported browser.

7. Run the installation program from the setup directory with the following
command:
./install.sh
To run the GUI version of the installer, use the following command:
./install.sh -g
If you are using a non-English based system, the installer will display an
error message advising you that the GUI version is not supported.
8. Select Custom when asked what type of installation you want.
9. To continue, proceed to the appropriate component section.

Websense Manager
When you install Websense Enterprise on Linux, you must install the Websense
Manager on a separate Windows or Solaris machine in your network. Use the
following procedure to install the Websense Manager on a Solaris machine.
1. Download and start the Solaris installer using the procedure in Solaris
and Linux Procedures, page 114.
2. Following the Custom installation path brings you to a list of components
to install. Select Websense Manager and press Enter.
Setup asks you for the location of your web browser.
3. Provide the full path to the web browser to use when viewing online help.
The installer asks you to provide a path to the installation directory where
Websense Enterprise will create the Websense directory.
4. Provide a path to the installation directory, or accept the default
installation directory (/opt/Websense).

Stand-Alone Edition 115

Chapter 4: Installation

If this directory does not already exist, the installer creates it

automatically.

IMPORTANT
i
The full installation path must use only ASCII characters.

The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed.
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary list appears, showing the installation path, installation size,
and the component (Websense Manager) you have selected.
5. Press Enter to begin installing the Websense Manager.
If you are using the online installer, the Download Manager copies the
appropriate installer files from Websense. Installation begins
automatically when the necessary files have been downloaded.
If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used unless
Network Agent is installed on a machine with direct access to internet
traffic. Press Enter to continue.
A message appears advising you that the installation has been successful.
6. Press Enter to continue.
If you are installing in GUI mode, the installer displays a screen asking if
you want to launch the Websense Manager. By default, the Manager is
selected for launch.
7. Make a selection, and select Finish to exit the installer.
8. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.

116 Websense Enterprise

 Chapter 4: Installation

Network Agent
You can install Network Agent on a Solaris or Linux machine separate from
the Filtering Service. Network Agent must be able to monitor 2-way internet
traffic from the internal network. Install Network Agent on a machine that can
see the internet requests from the internal network as well as the internet
response to the requesting workstations.
If this installation is part of a multiple deployment of the Network Agent (for
load balancing purposes), you must be sure that the IP address ranges for each
instance of the Network Agent do not overlap. This will result in double
logging. Deploy the Network Agents so that they can filter the entire network.
Partial deployment will result in incomplete filtering by protocol and
bandwidth, and incomplete basic HTTP filtering, as well as the loss of log
data from network segments not watched by the Network Agent. For
instructions on defining IP address ranges for multiple Network Agents, refer to
the Websense Enterprise Administrator’s Guide. For detailed information about
deploying Network Agent, refer to the Websense Enterprise Deployment Guide.
Do not install the Network Agent on a machine running any type of firewall.
The Network Agent uses a packet capturing utility which may not work
properly when installed on a firewall machine.
If you are attempting to install the Network Agent on a machine on which the
Filtering Service and Policy Server are already installed, refer to the
procedures in Adding Components, page 133.

IMPORTANT
i
The Websense Filtering Service and the Policy Server
must be installed and running prior to installing the
Network Agent, or installed at the same time as the
Network Agent. The installer asks for the IP addresses and
port numbers of these components and will not install the
Network Agent if the Policy Server and Filtering Service
cannot be located.

1. Download and start the installer using the procedure in Solaris and Linux
Procedures, page 114.
2. Following the Custom installation path brings you to a list of components
to install. Select Network Agent and press Enter.

Stand-Alone Edition 117

Chapter 4: Installation

If the installation machine is multihomed, all enabled network interface

cards (NICs) with an IP address are displayed.
3. Select the card you want Network Agent to use to communicate and press
Enter.
Setup asks you to identify the machine on which the Policy Server is
installed.

IMPORTANT
i
The configuration port (55806) in this dialog box is the
default port number used by the installer to install the
Policy Server. If you installed the Policy Server using a
different port number, enter that port in this dialog box.

4. Enter the IP address of the Policy Server machine, and the port number if
different from the default, and then press Enter.
The installer gives you the opportunity to test your machine’s visibility to
internet traffic with the Traffic Visibility Test Tool. The machine on
which the Network Agent is installed must be able to monitor 2-way
employee internet traffic for Network Agent to filter properly.

IMPORTANT
i
If you install the Network Agent on a machine that cannot
monitor targeted internet traffic, some features, such as
Dynamic Protocol Management and Bandwidth Optimizer,
will not perform as expected.

You are given the following three options:

„ Test Traffic Visibility: This selection launches the utility that tests
the visibility of internet traffic from the installation machine.
„ Continue installation: If you know that the installation machine has
the necessary internet traffic visibility, you may select this option and
continue the installation without testing the visibility of the interfaces.
„ Exit Setup: If you determine that the installation machine cannot see
the appropriate internet traffic, select this option to exit Setup. Select
another machine for installation, reposition the current machine in the
network, or replace the NIC. Remember that the NIC must have an IP
address for Network Agent to function.

118 Websense Enterprise

 Chapter 4: Installation

5. Select Test Traffic Visibility to check the visibility of internet traffic

from the installation machine.
a. Select the network interface card (NIC) that you want to use for
the Network Agent and continue to the next pane. Active cards on
the installation machine appear in this list, including NICs
without IP addresses (stealth mode).
A default list of networks (netmasks) to test appears. You may
use the defaults provided or add your own. These netmasks can
reside in different network segments depending upon the IP
address ranges to be filtered.
b. If the network you want to test with the NIC does not appear in
the default list, select Add Network.
– Enter a new netmask value in the Network ID field.
The subnet mask defaults to 255.0.0.0 and changes
appropriately as the netmask is defined.
– Select Redisplay to return to the options list.
Your new network appears in the list.
c. Select Remove a Network to delete a network from the list.
d. Select Start Test to begin testing all the networks in the list.
The counter in the IP Address Count column should begin
recording internet traffic immediately from the networks listed.
The counter increments each time the NIC detects an individual
IP address from the target network in a passing packet. The
activity bar at the bottom of the pane indicates that a test is in
progress. If the count for a network remains at zero or is very low,
the selected NIC cannot see the traffic it needs to monitor.
e. If the Network Agent is unable to see the desired traffic, perform
one or both of the following tasks:
– If the installation machine has multiple NICs, select a different
card to test.
– Resolve network configuration issues to make sure that the NIC
can see the desired traffic. This might involve connecting to a
different router or configuring for port spanning in a switched
environment. See Chapter 2: Network Configuration for
deployment information. You may continue the installation

Stand-Alone Edition 119

Chapter 4: Installation

without installing Network Agent and reconfigure your

network later, or make the necessary changes and retest
immediately.
f. Select Exit Tool when you are ready to continue installation.
g. Select Continue installation if you are sure that your NIC is able
to monitor all targeted internet traffic.
h. Select Exit Setup if the appropriate traffic is not visible. If
Network Agent cannot see the necessary traffic, you must either
reposition the machine in the network or select another machine
on which to install the Network Agent.
Setup asks if Network Agent is being installed on a machine that is being
used as a firewall.
6. Make sure that the installation machine is not being used as a firewall
before continuing.

IMPORTANT
i
Network Agent cannot function properly on a machine
running a firewall.

„ Select No if the installation machine is not being used as a firewall.

Installation will continue.
„ Select Yes if you are attempting to install Network Agent on a
firewall machine, and Setup will exit. Install the Network Agent on a
machine that is not running a firewall.
If the installation machine has multiple network interface cards (NICs),
all enabled cards are displayed in a list.
7. Select the NIC that you tested successfully for network visibility.
Setup asks you for the IP address and filter port number for the machine
on which the Filtering Service is installed.

IMPORTANT
i
The filter port (15868) in this dialog box is the default port
number used by the installer to install the Filtering Service.
If you installed the Filtering Service using a different port
number, enter that port in this dialog box.

120 Websense Enterprise

 Chapter 4: Installation

8. Enter the IP address of the Websense Filtering Service.

Setup displays the path it will create to the Websense installation
directory. For example, /opt/Websense.
9. Accept this default or create another directory.

IMPORTANT
i
The full installation path must use only ASCII characters.

The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed.
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary of all the components that will be installed appears.
10. Press Enter to accept this installation configuration and to begin
installing Websense Enterprise.
If you are using the online installer, the Download Manager copies the
appropriate installer files from Websense. Installation begins
automatically when the necessary files have been downloaded.
11. Exit the installer when the success message appears.
12. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.
13. Configure Network Agent for use in your network. Refer to the Network
Agent chapter of the Websense Enterprise Administrator’s Guide for
instructions.

Stand-Alone Edition 121

Chapter 4: Installation

Usage Monitor
Usage Monitor tracks users’ internet activity and sends alerts when internet
activity for particular URL categories or protocols reaches threshold limits
you have configured. You can have only one instance of Usage Monitor for
each Policy Server in your network.
To install Usage Monitor on Solaris or Linux:
1. Download and start the installer using the procedure in Solaris and Linux
Procedures, page 114.
2. Following the Custom installation path brings you to a list of components
to install. Select Usage Monitor and press Enter.
If the installation machine is multihomed, all enabled network interface
cards (NICs) with an IP address are displayed.
3. Select the card you want Usage Monitor to use to communicate and press
Enter.
Setup asks you to identify the machine on which the Policy Server is
installed.

IMPORTANT
i
The configuration port (55806) in this dialog box is the
default port number used by the installer to install the
Policy Server. If you installed the Policy Server using a
different port number, enter that port in this dialog box.

4. Enter the IP address of the Policy Server machine, and the port number if
different from the default, and then press Enter.
Setup displays the path it will create to the Websense installation
directory. For example, /opt/Websense.
5. Accept this default or create another directory.

IMPORTANT
i
The full installation path must use only ASCII characters.

122 Websense Enterprise

 Chapter 4: Installation

The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed.
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary of all the components that will be installed appears.
6. Press Enter to begin installation.
If you are using the online installer, the Download Manager copies the
appropriate installer files from Websense. Installation begins
automatically when the necessary files have been downloaded.
If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used unless
Network Agent is installed on a machine with direct access to internet
traffic.
7. Exit the installer when the success message appears.
8. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.
9. In the Websense Manager, configure the Usage Monitor to send Usage
Alerts by selecting Server > Settings > Alerts and Notifications. See the
Websense Enterprise Administrator’s Guide for details.

RADIUS Agent
The Websense RADIUS Agent allows you to integrate your Websense
filtering policies with authentication provided by a RADIUS server. The
RADIUS Agent enables Websense Enterprise to identify users transparently
who access your network using a dial-up, Virtual Private Network (VPN),
Digital Subscriber Line (DSL), or other remote connection.
To install the RADIUS Agent on Solaris or Linux:
1. Download and start the installer using the procedure in Solaris and Linux
Procedures, page 114.

Stand-Alone Edition 123

Chapter 4: Installation

2. Following the Custom installation path brings you to a list of components

to install. Select RADIUS Agent and press Enter.
If the installation machine is multihomed, all enabled network interface
cards (NICs) with an IP address are displayed.
3. Select the card you want RADIUS Agent to use to communicate and press
Enter.
Setup asks you to identify the machine on which the Policy Server is
installed.

IMPORTANT
i
The configuration port (55806) in this dialog box is the
default port number used by the installer to install the
Policy Server. If you installed the Policy Server using a
different port number, enter that port in this dialog box.

4. Enter the IP address of the Policy Server machine, and the port number if
different from the default, and then press Enter.
Setup displays the path it will create to the Websense installation
directory. For example, /opt/Websense.
5. Accept this default or create another directory.

IMPORTANT
i
The full installation path must use only ASCII characters.

The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed.
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary of all the components that will be installed appears.

124 Websense Enterprise

 Chapter 4: Installation

6. Press Enter to begin installation.

If you are using the online installer, the Download Manager copies the
appropriate installer files from Websense. Installation begins
automatically when the necessary files have been downloaded.
If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used unless
Network Agent is installed on a machine with direct access to internet
traffic.
7. Exit the installer when the success message appears.
8. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.
9. Configure the RADIUS Agent, and configure your environment for
RADIUS Agent. See the User Identification chapter in the Websense
Enterprise Administrator’s Guide for instructions.

eDirectory Agent
The Websense eDirectory Agent works together with Novell eDirectory to
identify users transparently so that Websense can filter requests according to
particular policies assigned to users or groups.
To install the eDirectory Agent on Solaris or Linux:
1. Download and start the installer using the procedure in Solaris and Linux
Procedures, page 114.
2. Following the Custom installation path brings you to a list of components
to install. Select eDirectory Agent and press Enter.
Setup asks you to identify the machine on which the Policy Server is
installed.

IMPORTANT
i
The configuration port (55806) in this dialog box is the
default port number used by the installer to install the
Policy Server. If you installed the Policy Server using a
different port number, enter that port in this dialog box.

3. Enter the IP address of the Policy Server machine, and the port number if
different from the default, and then press Enter.

Stand-Alone Edition 125

Chapter 4: Installation

If the installation machine is multihomed, all enabled network interface

cards (NICs) with an IP address are displayed.
4. Select the card you want eDirectory Agent to use to communicate and
press Enter.
Setup asks for the Novell eDirectory name and password.
5. Enter the full distinguished name and a valid password, and then press
Enter to continue.
Setup displays the path it will create to the Websense installation
directory. For example, /opt/Websense.
6. Accept this default or create another directory.

IMPORTANT
i
The full installation path must use only ASCII characters.

The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed.
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary of all the components that will be installed appears.
7. Press Enter to begin installation.
If you are using the online installer, the Download Manager copies the
appropriate installer files from Websense. Installation begins
automatically when the necessary files have been downloaded.
If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used unless
Network Agent is installed on a machine with direct access to internet
traffic.
8. Exit the installer when the success message appears.

126 Websense Enterprise

 Chapter 4: Installation

9. If you stopped your antivirus software, remember to start it again after

Websense components have been installed.
10. Configure the eDirectory Agent and Novell eDirectory by following the
instructions in the User Identification chapter of the Websense Enterprise
Administrator’s Guide.

Logon Agent
The Websense Logon Agent detects users as they log on to Windows domains
in your network via client machines. The Logon Agent receives logon
information from LogonApp.exe, a separate client application that runs
only on Windows client machines, and must be run by a logon script. For
information about setting up this script in your network, refer to Creating and
Running the Script for Logon Agent, page 168.
Logon Agent can be run together with DC Agent if some of the users in your
network are not being authenticated properly. This might happen if your
network uses Windows 98 workstations, which do not permit DC Agent to
poll users for their identification when they make an internet request.
To install the Logon Agent on a Solaris or Linux system:

NOTE
LogonApp.exe, the client application that passes user
logon information to Logon Agent, runs only on Windows
client machines.

1. Download and start the installer using the procedure in Solaris and Linux
Procedures, page 114.
2. Following the Custom installation path brings you to the component
selection screen. Select Logon Agent and press Enter.
Setup asks you to identify the machine on which the Policy Server is
installed.

IMPORTANT
i
The configuration port (55806) in this dialog box is the
default port number used by the installer to install the
Policy Server. If you installed the Policy Server using a
different port number, enter that port in this dialog box.

Stand-Alone Edition 127

Chapter 4: Installation

3. Enter the IP address of the Policy Server machine, and the port number if
different from the default, and then press Enter.
If the installation machine is multihomed, all enabled network interface
cards (NICs) with an IP address appear in a list.
4. Select the card you want Logon Agent to use to communicate and click
Next.
Setup displays the path it will create to the Websense installation
directory. For example, /opt/Websense.
5. Accept this default or create another directory.

IMPORTANT
i
The full installation path must use only ASCII characters.

The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed.
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary of all the components that will be installed appears.
6. Press Enter to begin installation.
If you are using the online installer, the Download Manager copies the
appropriate installer files from Websense. Installation begins
automatically when the necessary files have been downloaded.
If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used unless
Network Agent is installed on a machine with direct access to internet
traffic.
7. Exit the installer when the success message appears.
8. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.

128 Websense Enterprise

 Chapter 4: Installation

9. Set up the required logon script by following the instructions is Creating

and Running the Script for Logon Agent, page 168.
10. Configure Logon Agent to communicate with client workstations and the
Filtering Service by following the instructions in the User Identification
chapter of the Websense Enterprise Administrator’s Guide.

Remote Filtering Server

The Remote Filtering Server provides web filtering for user workstations
located outside the network firewall. In order to be filtered through the
Remote Filtering Server, a remote workstation must be running the Remote
Filtering Client. (For Remote Filtering Client installation instructions, see
Remote Filtering Client, page 105.)

NOTE
To enable the Remote Filtering components, you must
subscribe to the remote filtering service.

The Remote Filtering Server should be installed on a separate, dedicated

machine. This machine must be able to communicate with the Websense
Filtering Service and with the remote workstations outside the network
firewall. The Remote Filtering Server machine does not have to be joined to a
domain.
To provide failover capability for the primary Remote Filtering Server, you
can install secondary and tertiary Remote Filtering Servers. Each Remote
Filtering Client can be configured to connect with a primary, secondary, and
tertiary Remote Filtering Server. If the primary server is unavailable, the
client will attempt to connect with the secondary, then the tertiary, then the
primary again, and so on.

IMPORTANT
i
Install only one primary Remote Filtering Server for each
Filtering Service in your network. Do not install the
Remote Filtering Server on the same machine as the
Filtering Service or Network Agent.

To install the Remote Filtering Server on Solaris or Linux:

Stand-Alone Edition 129

Chapter 4: Installation

1. Download and start the installer using the procedure in Solaris and Linux
Procedures, page 114.
2. Following the Custom installation path brings you to a list of components
to install. Select Remote Filtering Server and press Enter.
If the installation machine is multihomed, all enabled network interface
cards (NICs) with an IP address are displayed.
3. Select the card you want the Remote Filtering Server to use to
communicate with other Websense components inside the network
firewall, and press Enter.
Remote Filtering Clients must be able to connect to the Remote Filtering
Server, both from inside and from outside the internet gateway or network
firewall. Setup asks you to provide connection information for this
machine.
4. In the External IP or Hostname field, enter an IP address or machine
name (in the form of a fully qualified domain name) that is visible from
outside the firewall.
5. In the External Communication Port field, enter a port number (from
10 to 65535) that is not in use, and that is accessible from outside the
network firewall.

IMPORTANT
i
The port entered as the External Communication Port
must be opened on your network firewall to accept
connections from Remote Filtering Clients on
workstations located outside the firewall. For more
information, see Firewall Configuration for Remote
Filtering, page 175.

6. In the Internal Communication Port field, enter a port number (from

1024 to 65535) that is not in use, and that is accessible only from inside
the network firewall.

IMPORTANT
i
Be sure that your network firewall is configured to block
connections to the Internal Communication Port from
workstations located outside the firewall. For more
information, see Firewall Configuration for Remote
Filtering, page 175.

130 Websense Enterprise

 Chapter 4: Installation

7. Press Enter to continue.

Setup asks you to enter a pass phrase of any length for the Remote
Filtering Server. This pass phrase will be combined with unpublished
keys to create an encrypted authentication key (shared secret) for secure
client/server communication.
8. Before selecting a pass phrase, consider the following requirements:
„ If Websense Client Policy Manager (CPM) is already installed in your
network, you must enter the same pass phrase used when installing
CPM.
„ If you install Websense Client Policy Manager (CPM) in your
network in the future, you must use the pass phrase you enter in this
screen.
„ If you want this installation of the Remote Filtering Server to function
as a backup (secondary or tertiary) server for a primary Remote
Filtering Server, you must enter the same pass phrase used when
installing the primary Remote Filtering Server.
„ The pass phrase must include only ASCII characters.
„ You must use the pass phrase you enter in this screen when you install
the Remote Filtering Clients that will connect with this server. (See
Remote Filtering Server Connection Information, page 107.)
9. Enter and confirm your pass phrase.

IMPORTANT
i
Be sure to record your pass phrase and keep it in a safe
place, as you will not be able to retrieve it from the
Websense system later.

10. Press Enter to continue.

Setup asks you to identify the machine on which the Websense Filtering
Service is installed.

IMPORTANT
i
The communication port (15868) in this dialog box is the
default port number used by the installer to install the
Filtering Service. If you installed the Filtering Service
using a different port number, enter that port in this dialog
box.

Stand-Alone Edition 131

Chapter 4: Installation

11. Enter the IP address of the Filtering Service machine, and the port number
if different from the default, and then press Enter.
Setup displays the path it will create to the Websense installation
directory: /opt/Websense.
12. Accept this default or create another directory.

IMPORTANT
i
The full installation path must use only ASCII characters.

The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed.
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary of all the components that will be installed appears.
13. Press Enter to begin installation.
If you are using the online installer, the Download Manager copies the
appropriate installer files from Websense. Installation begins
automatically when the necessary files have been downloaded.
Since the Network Agent was not installed on this machine, a message
reminds you that Protocol Management and Bandwidth Optimizer cannot
be used unless Network Agent is installed on a machine with direct access
to internet traffic.
14. Exit the installer when the success message appears.
15. If you stopped your antivirus software, remember to start it again after
Websense components have been installed.

132 Websense Enterprise

 Chapter 4: Installation

IMPORTANT
i
Make sure that Network Agent is not filtering http
requests going to or from the Remote Filtering Server
machine.
For information about configuring Network Agent, see the
Network Agent chapter in the Websense Enterprise
Administrator’s Guide.

Modifying an Installation
If you decide to change the location of a Websense Enterprise component or
modify your Websense Enterprise installation, run the installer again on the
machine you want to modify and select the appropriate option. The installer
detects the presence of Websense components and offers you the following
installation options:
‹ Integrate with a firewall, proxy server, or network appliance.

NOTE
For information about converting a Stand-Alone
installation to an integrated system, refer to the Upgrade
chapter of the Websense installation guide for your
integration product.

‹ Add Websense components.

‹ Remove Websense components.
‹ Repair existing Websense components.

Adding Components
After installing Websense Enterprise, you may want to add components to
change the configuration of Websense in your network. The following
procedures assume that the Filtering Service, Policy Server, Websense
Manager (Solaris and Windows only), and User Service are already installed,
and that the remaining components, supported on your operating system, are
going to be added. If you are adding remote components, the installer will ask
you for the location of the Policy Server.

Stand-Alone Edition 133

Chapter 4: Installation

Windows
To add Websense Enterprise components in a Windows environment:

NOTE
Before adding new components, we recommend that you
perform a full system backup as a fallback strategy. This
will allow you to restore your current system with a
minimum of downtime, should you decide to do so.

1. Log on to the installation machine with local administrator privileges.

IMPORTANT
i
If you are installing DC Agent, log on with domain
administrator privileges. DC Agent must have
administrator privileges on the network to retrieve user
login information from the domain controller. Without this
information, Websense Enterprise cannot filter by users
and groups. If you cannot install these components with
such privileges, you may configure administrator
privileges for these services after installation in the
Properties dialog box for Windows services.

2. Close all applications and stop any antivirus software.

3. Run one of the following Websense Enterprise installers:
„ Web download: Download one of the following packages from http:/
/www.websense.com/global/en/downloads to a folder on the
installation machine and double-click to extract the installer files.
• Online installer: The online installer package (Setup61.exe)
contains only the installer files. The necessary product files are
downloaded from the website as needed after product selections
have been made.
• Offline installer: The offline installer
(Websense61Setup.exe) is much larger than the online
package and contains all the files needed to install Websense
Enterprise components. Use this package only if you experience
difficulties installing Websense with the online installer.

134 Websense Enterprise

 Chapter 4: Installation

„ Product CD: Run WebsenseStart.exe from the Websense

Enterprise v6.1 product CD (\WebsenseStart) to launch the
installer start screen. Select a Websense product installation to extract
the installer files.
The file will run automatically if autorun is enabled. The product CD
contains all the files needed to install Websense Enterprise
components.
A screen displays instructions for extracting the setup program.

Installer Download Extraction Screen

a. Click Browse to select a destination folder, or type in a path.

If the path you enter does not exist, the installer will create it for
you.

IMPORTANT
i
Do not extract the installer files to a folder on your
desktop. This may prevent the Real-Time Analyzer from
receiving the IP address of the Policy Server machine.
Accept the default location of C:\temp or select another
appropriate folder.

b. Click Extract to begin decompressing the files.

Stand-Alone Edition 135

Chapter 4: Installation

If Websense Enterprise installation files already exist in that

location, you may choose to overwrite the existing files.
A progress bar shows the status of the extraction, and the view
pane scrolls a list of the files as they are decompressed.
Setup.exe runs automatically after the files are decompressed.
4. Click Next on the welcome screen.
A dialog box appears asking you what action you want to take with the
Websense components the installer has detected on the machine.
5. Select Add Websense components and click Next.
Setup displays a product selection screen.

Websense Product Selection Screen

6. Select Websense Enterprise and click Next to continue.

The installer displays a list of components not currently installed on the
installation machine.

136 Websense Enterprise

 Chapter 4: Installation

Component Selection Screen

7. Select the components you want to install and click Next.

If you are installing the Real-Time Analyzer and are using IIS as your
web server, you are prompted to select the name of the website in the IIS
Manager under which the installer should create a virtual directory. The
default value is Default Web Site, which is correct in most instances.

Virtual Directory Selection

Stand-Alone Edition 137

Chapter 4: Installation

8. If you have renamed the default website in the IIS Manager or are using a
language version of Windows other than English, select the proper
website from the names in the drop-down list, and then click Next to
continue.
If you are installing Network Agent, the installer displays a screen
describing the features enabled by the Network Agent and offers you the
option of testing your machine’s visibility to internet traffic. The machine
on which the Network Agent is installed must be able to monitor 2-way
employee internet traffic for Network Agent to filter properly.

IMPORTANT
i
If you install the Network Agent on a machine that cannot
monitor targeted internet traffic, some features, such as
Dynamic Protocol Management and Bandwidth Optimizer,
will not perform as expected.

Network Agent Visibility Test Screen

You are given the following three options:

„ Test Traffic Visibility: This selection launches the utility that tests
the visibility of internet traffic from the installation machine.

138 Websense Enterprise

 Chapter 4: Installation

„ Install Network Agent: installs the Network Agent without

conducting the traffic visibility test. Use this option if you know that
the installation machine has the necessary internet traffic visibility.
„ Do not install Network Agent: allows you to continue the Websense
Enterprise installation without installing the Network Agent.
9. Click Test Traffic Visibility to check the visibility of internet traffic from
the installation machine.
The Traffic Visibility Test utility appears.

Traffic Visibility Test Tool

Field Description
Network Card Name of the network interface card (NIC) to test.
Active cards on the installation machine appear in
this list. Cards without an IP address will not appear
in this list.
Networks Tested Displays the netmasks that are being tested. You
may use the defaults provided or add your own.
These netmasks can reside in different network
segments depending upon the IP address ranges to
be filtered.

Stand-Alone Edition 139

Chapter 4: Installation

Field Description
IP Address Count Number of IP addresses for which traffic is detected
during the test of a Network.
Detail Lists all the IP addresses in the network from which
internet traffic is being detected.

a. From the Network Card drop-down list, select the network interface
card (NIC) that you want to use for the Network Agent.
b. If the network you want to test with the NIC does not appear in the
default list, click Add Network.
The Add Network dialog box
appears.
c. Enter a new netmask value in
the Network ID field.
The subnet mask defaults to
255.0.0.0 and changes
appropriately as the netmask is defined.
d. Click OK to return to the Traffic Visibility Test dialog box.
Your new network appears in the list.
e. Click Start Test to begin testing all the networks in the list.
The counter in the IP Address Count column should begin recording
internet traffic immediately from the networks listed. The counter
increments each time the NIC detects an individual IP address from
the target network in a passing packet. The activity bar at the bottom
of the dialog box indicates that a test is in progress.
If the count for a network remains at zero or is very low, the selected
NIC cannot see the traffic it is supposed to monitor.
f. If the Network Agent is unable to see the desired traffic, perform one
or both of the following tasks:
• If the installation machine has multiple NICs, select a different
card to test.
• Resolve network configuration issues to make sure that the NIC
can see the desired traffic. This might involve connecting to a
different router or configuring for port spanning in a switched
environment. See the Websense Enterprise Deployment Guide for
detailed deployment information. You may continue the

140 Websense Enterprise

 Chapter 4: Installation

installation without installing Network Agent and reconfigure

your network later, or make the necessary changes and retest
immediately.
g. Click Stop Test when you are ready to continue installation.
h. Click Close to exit the traffic visibility test screen.
10. Continue with the installation.
„ Select Install Network Agent if you are sure that your NIC is able to
monitor all targeted internet traffic. This will install the Network Agent.
„ Select Do not install Network Agent to continue the Websense
Enterprise installation without installing the Network Agent.
11. Click Install Network Agent to continue.
The installer asks you if this machine is running a firewall. Network
Agent cannot function properly on a machine running a firewall.
12. Select Yes or No and click Next to continue.
„ Select No if the installation machine is not being used as a firewall.
Installation will continue.
„ Select Yes if you are attempting to install Network Agent on a
firewall machine, and Setup will exit. Install the Network Agent on a
machine that is not running a firewall.
If the installation machine has multiple network interface cards (NICs),
Setup asks you to select the NIC that you want to use for capturing traffic.
All network interface cards enabled in the machine appear in a list.
13. Select the desired card and click Next to continue.
If you are installing DC Agent, the installer asks you to provide a user
name and a password with administrative privileges on the domain. If you
attempt to install DC Agent without providing access to directory
information, you will be unable to identify users transparently.

Stand-Alone Edition 141

Chapter 4: Installation

Directory Access for DC Agent

14. Enter the domain and user name, followed by the network password for
an account with domain privileges, and click Next to continue.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, separate warnings are
displayed.
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended amount.
A summary screen appears, listing the installation path, the installation
size, and the components that will be installed.
15. Click Next to begin installation.
If you are using the online installer, the Download Manager progress bars
are displayed as Setup downloads the appropriate installer files from
Websense. Installation begins automatically when the necessary files have
been downloaded.

142 Websense Enterprise

 Chapter 4: Installation

If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used unless
Network Agent is installed on a machine with direct access to internet
traffic.
A message appears advising you that the installation was successful.
16. Click Next to continue.
„ If you have installed DC Agent, a dialog box appears advising you
that the machine must be restarted to complete the installation. Select
a restart option and click Finish to exit the installer.
„ If DC Agent was not installed, but you have installed Real-Time
Analyzer and/or Websense Manager, the installer displays a screen
asking if you want to launch either of those applications. By default,
both are selected. Clear the checkbox of the component you do not
want to launch and click Finish.

NOTE
Before you can access Real-Time Analyzer and other
Websense Reporting Tools, you must first log on to
Websense Manager and configure user permissions. See
the Websense Enterprise Administrator’s Guide for more
information.

„ If neither DC Agent, Real-Time Analyzer, nor Websense Manager

were installed, no further action is required and you can click Finish
to exit the installer.
17. If you stopped your antivirus software, be sure to start it again.

Solaris or Linux
To add Websense Enterprise components in a Solaris or Linux environment:

NOTE
Before adding new components, we recommend that you
perform a full system backup as a fallback strategy. This
will allow you to restore your current system with a
minimum of downtime, should you decide to do so.

1. Log on to the installation machine as the root user.

Stand-Alone Edition 143

Chapter 4: Installation

2. Close all applications and turn off any antivirus software.

3. Run the installation program for your operating system from the directory
where it resides using the following command:
./install.sh
Run the GUI version of the installer with the following command:
./install.sh -g
If you are using a non-English based system, the installer will display an
error message advising you that the GUI version is not supported.
The installer detects the currently installed Websense Enterprise
components and asks you what action you want to take.
4. Select Add Websense components.
The installer displays a list of components not currently installed on the
installation machine.
5. Select the components you want to install.
If you have selected Network Agent to install, you are given the
opportunity to test your machine’s visibility to internet traffic. The
machine on which the Network Agent is installed must be able to monitor
2-way employee internet traffic for Network Agent to filter properly.

IMPORTANT
i
If you install the Network Agent on a machine that cannot
monitor targeted internet traffic, Dynamic Protocol
Management and Bandwidth Optimizer, will not perform
as expected.

You are given the following three options:

„ Test Traffic Visibility: This selection launches the utility that tests
the visibility of internet traffic from the installation machine.
„ Install Network Agent: This option installs Network Agent without
conducting the traffic visibility test. Use this option if you know that
the installation machine has the necessary internet traffic visibility.
„ Do not install Network Agent: Continue the Websense Enterprise
installation without installing the Network Agent.
6. Select Test Traffic Visibility to check the visibility of internet traffic
from the installation machine.

144 Websense Enterprise

 Chapter 4: Installation

a. Select the network interface card (NIC) that you want to use for the
Network Agent and continue to the next pane. Active cards on the
installation machine appear in this list, including NICs without IP
addresses (stealth mode).
A default list of networks (netmasks) to test appears. You may use the
defaults provided or add your own. These netmasks can reside in
different network segments depending upon the IP address ranges to
be filtered.
b. If the network you want to test with the NIC does not appear in the
default list, select Add Network.
• Enter a new netmask value in the Network ID field.
• The subnet mask defaults to 255.0.0.0 and changes appropriately
as the netmask is defined.
• Select Redisplay to return to the options list.
Your new network appears in the list.
c. Select Remove a Network to delete a network from the list.
d. Select Start Test to begin testing all the networks in the list.
The counter in the IP Address Count column should begin recording
internet traffic immediately from the networks listed. The counter
increments each time the NIC detects an individual IP address from
the target network in a passing packet. The activity bar at the bottom
of the pane indicates that a test is in progress. If the count for a
network remains at zero or is very low, the selected NIC cannot see
the traffic it needs to monitor.
e. If the Network Agent is unable to see the desired traffic, perform one
or both of the following tasks:
• If the installation machine has multiple NICs, select a different
card to test.
• Resolve network configuration issues to make sure that the NIC
can see the desired traffic. This might involve connecting to a
different router or configuring for port spanning in a switched
environment. See Chapter 2: Network Configuration for
deployment information. You may continue the installation
without installing Network Agent and reconfigure your network
later, or make the necessary changes and retest immediately.
f. Select Exit Tool when you are ready to continue installation.

Stand-Alone Edition 145

Chapter 4: Installation

g. Select Continue installation if you are sure that your NIC is able to
monitor all targeted internet traffic.
h. Select Exit Setup if the appropriate traffic is not visible. If Network
Agent cannot see the necessary traffic, you must either reposition the
machine in the network or select another machine on which to install
the Network Agent.
7. Select a Network Agent installation option and press Enter to continue
with the Websense Enterprise installation.
„ Firewall installation warning: Network Agent cannot function
properly on a machine running a firewall. Select Yes or No when
asked if Network Agent is being installed on a machine that is being
used as a firewall.
• Select No if the installation machine is not being used as a
firewall. Installation will continue.
• Select Yes if you are attempting to install Network Agent on a
firewall machine, and Setup will exit. Install the Network Agent
on a machine that is not running a firewall.
„ Network Interface Card (NIC) selection: If the installation machine
has multiple network interface cards, Setup displays a list of all
enabled cards. Select the NIC that you tested successfully for network
visibility. Cards without an IP address will not appear in this list.
„ Installation directory: Setup displays the path to the directory where
the existing Websense components are installed. The default is
/opt/Websense. Accept this default or create another directory.

IMPORTANT
i
The full installation path must use only ASCII characters.

„ System requirements check: The installer compares the system

requirements for the installation you have selected with the resources
of the installation machine. If the machine has inadequate disk space
or memory, separate warnings are displayed.
• If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
• If the installation machine has less than the recommended amount
of memory, the installation can continue. To ensure the best
performance of the components you are installing, you should
upgrade your machine’s memory to the recommended amount.

146 Websense Enterprise

 Chapter 4: Installation

„ Installation summary: A summary list appears, showing the

installation path, installation size, and the components you have
selected.
8. Press Enter to accept this installation configuration and to begin
installing the displayed Websense Enterprise components.
If you are using the online installer, the Download Manager copies the
appropriate installer files from Websense. Installation begins
automatically when the necessary files have been downloaded.
If the Network Agent was not installed, a message reminds you that
Protocol Management and Bandwidth Optimizer cannot be used unless
Network Agent is installed on a machine with direct access to internet
traffic.
9. Exit the installer when the success message appears.
10. If you stopped your antivirus software, be sure to start it again.

Removing Components
After installing Websense Enterprise or any of its components, you may want
to remove installed components to change the configuration of Websense in
your network.

IMPORTANT
i
The Policy Server service must be running to uninstall any
Websense Enterprise components. To remove the Policy
Server, you must also remove all the other components
installed on the machine.

Windows
If you have run the Websense installer recently and have not restarted the
machine, you must do so before attempting to remove any components.

NOTE
Before removing components, we recommend that you
perform a full system backup as a fallback strategy.

Stand-Alone Edition 147

Chapter 4: Installation

To remove installed Websense Enterprise components in a Windows

environment:
1. Log on to the installation machine with local administrator privileges.
2. Close all applications and stop any antivirus software.
3. Go to the Windows Add or Remove Programs dialog box:
„ Windows 2003: Select Start > Control Panel > Add or Remove
Programs.
„ Windows 2000: Select Start > Settings > Control Panel, and then
double-click Add/Remove Programs.
4. Select Websense from the list of installed applications.

Add/Remove Programs Control Panel, Windows 2000

5. Click Change/Remove to launch the Websense uninstaller.

There may be a delay of several seconds while the Websense uninstaller
starts.
A list of installed components appears.

148 Websense Enterprise

 Chapter 4: Installation

Remove Components Screen

By default, all components are checked for removal.

6. If you want to keep a component, remove the check mark from the box
next to it. When all of the components you want to uninstall are checked,
click Next to continue.
If the Policy Server is not running, a dialog box appears advising you that
removing Websense Enterprise components may require communication
with the Policy Server. You may exit the installer to restart the Policy Server
or continue uninstalling the selected components.

IMPORTANT
i
If the Policy Server is not running, the files for the selected
components will be removed, but not the information
about the components recorded in the config.xml file.
This could cause problems if you decide to add these
components again at a later date.

A summary list of the components you have selected to remove appears.

7. Click Next to begin uninstalling the components.

Stand-Alone Edition 149

Chapter 4: Installation

If you are uninstalling Network Agent on a remote machine after

removing the Policy Server, expect the process to take several minutes.
Network Agent will be successfully uninstalled, although no progress
notification will be displayed.
A completion messages advises you when the procedure is finished.
8. Click Next to continue.
A dialog box appears advising you that the machine must be restarted to
complete the uninstall process.
9. Select a restart option and click Finish to exit the installer.
10. If you stopped your antivirus software, be sure to start it again.

Solaris or Linux
To remove installed components on a Solaris or Linux machine:

NOTE
Before removing components, we recommend that you
perform a full system backup as a fallback strategy.

1. Log on to the installation machine as the root user.

2. Close all applications and stop any antivirus software.
3. Run the following program from the Websense directory
(/opt/Websense):
./uninstall.sh
Run the GUI version of the installer with the following command:
./uninstall.sh -g
If you are using a non-English based system, the installer will display an
error message advising you that the GUI version is not supported.
The installer detects the currently installed Websense Enterprise
components and displays a list of installed components.
4. Make sure that only the components you want to remove are selected for
removal.
5. Press Enter to remove the selected components.

150 Websense Enterprise

 Chapter 4: Installation

„ Policy Server status: If the Policy Server is not running, a dialog box
appears advising you that removing Websense Enterprise components
may require communication with the Policy Server. You may exit the
installer to restart the Policy Server or continue uninstalling the
selected components.
The files for the selected components will be removed, but not the
information about the components recorded in the config.xml
file. This could cause problems if you decide to add these components
again at a later date.

WARNING
!
Do not uninstall the Policy Server without uninstalling all
of the Websense components. Removing the Policy Server
will sever communication with the remaining Websense
components and will require the reinstallation of those
components.

„ Summary list: A summary list of the components you have selected

to remove appears.
„ Network Agent: If you are uninstalling Network Agent on a remote
machine after removing the Policy Server, expect the process to take
several minutes. Network Agent will be successfully uninstalled,
although no progress notification will be displayed.
„ Completion: A completion message advises you when the procedure
is finished.
6. Exit the installer.
7. If you stopped your antivirus software, be sure to start it again.

Repairing an Installation
If a component fails to install properly, or is not performing normally, you can
run the installer again and repair the installation. This procedure does not
troubleshoot components, but merely replaces missing files.

NOTE
If you want to repair (reinstall) a Policy Server in a
distributed environment, see Repairing the Policy Server,
page 155 for instructions.

Stand-Alone Edition 151

Chapter 4: Installation

Windows
To repair your Websense Enterprise installation in a Windows environment:

NOTE
Before repairing components, we recommend that you
perform a full system backup as a fallback strategy.

1. Log on to the installation machine with domain and local administrator

privileges.
If you are repairing User Service and DC Agent, this will assure that they
have administrator privileges on the domain.

IMPORTANT
i
User Service and DC Agent must have administrator
privileges on the network to retrieve user login information
from the domain controller. Without this information,
Websense Enterprise cannot filter by users and groups. If
you cannot install these components with such privileges,
you may configure administrator privileges for these
services after installation in the Properties dialog box for
Windows services.

2. Back up the following files to a safe location:

„ config.xml
„ websense.ini
„ eimserver.ini
3. Close all applications and stop any antivirus software.

WARNING
!
Be sure to close the Windows Event Viewer, or the repair
may fail.

4. Run the Websense Enterprise installer.

5. Click Next on the welcome screen.

152 Websense Enterprise

 Chapter 4: Installation

The installer detects the current Websense Enterprise installation and asks
you if you want to integrate your Stand-Alone installation with a firewall,
proxy server, or network appliance, or add, remove, or repair components.
6. Select Repair existing Websense components and click Next.
Setup advises you that it will repair the current installation by reinstalling
the existing Websense components and asks if you want to continue.
7. Select Yes and click Next.
A list of currently running Websense services appears. The message
explains that the installer will stop these services before installation.
8. Click Next to begin installation.
A progress message appears while the installer shuts down Websense
services.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory, warnings are displayed in
separate screens.
„ If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
„ If the installation machine has less than the recommended amount of
memory, the installation will continue. To ensure the best
performance of the components you are installing, you should
upgrade your machine’s memory to the recommended amount.
If you are using the online installer, the Download Manager progress bars
are displayed as Setup downloads the appropriate installer files from
Websense. Installation begins automatically when the necessary files have
been downloaded.
A message appears, advising you that the installation has been successful.
9. Click Next to continue.
„ If you have repaired DC Agent, a dialog box appears advising you
that the machine must be restarted to complete the installation. Select
a restart option and click Finish to exit the installer.
„ If DC Agent was not repaired, but you have repaired Real-Time
Analyzer and/or Websense Manager, the installer displays a screen
asking if you want to launch either of those applications. By default,
both are selected. Clear the checkbox of the component you do not
want to launch and click Finish.

Stand-Alone Edition 153

Chapter 4: Installation

„ If neither DC Agent, Real-Time Analyzer, nor Websense Manager

were repaired, no further action is required and you can click Finish
to exit the installer.
10. If you stopped your antivirus software, be sure to start it again.

Solaris or Linux
To repair Websense Enterprise components on a Solaris or Linux system:

NOTE
Before repairing components, we recommend that you
perform a full system backup as a fallback strategy.

1. Log on to the installation machine as the root user.

2. Close all applications and stop any antivirus software.
3. Run the installation program from the directory where it resides:
./install.sh
Run the GUI version of the installer with the following command:
./install.sh -g
If you are using a non-English based system, the installer will display an
error message advising you that the GUI version is not supported.
The installer detects the currently installed Websense Enterprise
components and asks you what action you want to take.
4. Select Repair existing Websense components and press Enter to
advance through the procedure.
„ Repair feature: The installer advises you that it will repair the
current installation by reinstalling the existing Websense components.
„ Websense services: A list of currently running Websense services
appears. The message explains that the installer will stop these
services before continuing with the installation.
„ Browser location: If you are repairing the Websense Manager on
Solaris, Setup prompts you for the location of the browser.
„ System requirements: The installer compares the system
requirements for the installation you have selected with the resources
of the installation machine. If the machine has inadequate disk space
or memory, separate warnings are displayed.

154 Websense Enterprise

 Chapter 4: Installation

• If the installation machine has insufficient disk space, the selected

components cannot be installed, and the installer will quit.
• If the installation machine has less than the recommended amount
of memory, the installation will continue. To ensure the best
performance of the components you are installing, you should
upgrade your machine’s memory to the recommended amount.
„ Services restarted: The Websense services are restarted after the
files are reinstalled.
A completion messages advises you when the procedure is finished.
5. Exit the installer.
„ If you have not repaired the Websense Manager, you are ready to
select Finish and exit the installer.
„ If you have repaired the Websense Manager (Solaris GUI mode only),
the installer displays a screen asking if you want to launch the
Websense Manager. By default, the Manager is selected for launch.
Select Finish when you are ready to exit the installer.
6. If you stopped your antivirus software, be sure to start it again.

Repairing the Policy Server

It may become necessary to repair (reinstall) the Policy Server in a distributed
environment. Unless this is done correctly, communication with components
installed on separate machines will be broken.
To repair the Policy Server and preserve the connection between distributed
components:

NOTE
Before repairing components, we recommend that you
perform a full system backup as a fallback strategy.

1. Stop the Policy Server. Refer to Stopping or Starting Websense Services,

page 157 for instructions.

Stand-Alone Edition 155

Chapter 4: Installation

2. Make a backup copy of the config.xml file and put it in a safe location.

NOTE
If you cannot make a backup copy of the current
configuration file due to a system crash or other hardware
problems, you can use the most recent backup copy of the
file saved to a shared network drive to restore the system.

3. Restart the Policy Server.

4. Stop the services of the distributed Websense Enterprise components on
the individual machines. Refer to Stopping or Starting Websense Services,
page 157 for instructions.
5. Close all open applications on the Policy Server machine, and stop any
antivirus software.
6. Run the Websense Enterprise installer on the Policy Server machine.
The installer detects Websense Enterprise and asks you what action you
want to take with the installed components.
7. Select Repair existing Websense components when prompted.
For specific instructions, refer to Repairing an Installation, page 151.
8. When the installer is finished repairing the system, exit the installer and
stop the newly installed Policy Server.
9. Replace the config.xml file created by the repair procedure with your
backup copy.
10. Restart the Policy Server.
11. If you stopped your antivirus software, be sure to start it again.
12. Restart the services of the remote Websense Enterprise components.
13. Reload the Websense Master Database, which was removed during the
repair process.

156 Websense Enterprise

 Chapter 4: Installation

Stopping or Starting Websense Services

By default, Websense services are configured to start automatically when the
computer is started.
Occasionally you may need to stop or start a Websense service. For example,
you must stop the Filtering Service whenever you edit the websense.ini
file, and after customizing default block messages.

NOTE
When the Filtering Service is started, CPU usage can be
90% or more for several minutes while the Websense
Master Database is loaded into local memory.

Manually Stopping Services

Certain Websense Enterprise components must be stopped and started in a
prescribed order. Optional components may be stopped and started in any order.

Optional Components
You can manually start or stop these Websense services in any order.
‹ eDirectory
‹ RADIUS Agent
‹ DC Agent
‹ Real-Time Analyzer
‹ Logon Agent
‹ Usage Monitor
‹ Remote Filtering Server

Principal Components
You must stop the following components in the order indicated. Always start or
stop optional components before stopping any of the components on this list.
1. Network Agent
2. Filtering Service
3. User Service
4. Policy Server

Stand-Alone Edition 157

Chapter 4: Installation

When restarting Websense services, reverse the order, starting with the Policy
Server first.

Windows
Stop, start, or restart a Websense service by using the Services dialog box.
Restarting stops the service, then restarts it again immediately from a single
command.
To stop or start Websense services on a Windows 2000 or 2003 machine:
1. From the Control Panel, select Administrative Tools > Services.
2. Scroll down the list of available services and select a Websense service.

Windows 2000 Services List

158 Websense Enterprise

 Chapter 4: Installation

Windows 2003 Services List

3. From the Action menu, select Start, Stop, or Restart or click one of the
control buttons in the toolbar (Stop , Start , or Restart  ).
Restart stops the service, then restarts it again immediately from a single
command.

WARNING
!
DO NOT use the taskkill command to stop Websense
services. This procedure may corrupt the services.

Solaris and Linux

You can stop, start, or restart Websense services from a command line on a
Solaris or Linux machine. Restarting stops the services, then restarts them
again immediately from a single command.
1. Go to the /Websense directory.
2. Use the following commands to stop, start, or restart all Websense
services in the correct order:
„ ./WebsenseAdmin stop
„ ./WebsenseAdmin start

Stand-Alone Edition 159

Chapter 4: Installation

„ ./WebsenseAdmin restart
3. View the running status of all Websense services with the following
command:
./WebsenseAdmin status

WARNING
!
DO NOT use the kill -9 command to stop Websense
services. This procedure may corrupt the services.

160 Websense Enterprise

CHAPTER 5
Initial Setup
This chapter provides initial setup and configuration procedures for preparing
Websense Enterprise to filter in the Stand-Alone configuration.
After installing Websense Enterprise, you must perform the following tasks to
complete the setup process.
‹ If you did not download the Websense Master Database during
installation, you must use the Websense Manager and your Websense
subscription key to download the database. See Subscription Key and
Master Database Download, page 162 for instructions.
‹ If the Filtering Service is installed on a multihomed machine, identify the
Filtering Service by its IP address in your network so that Websense block
messages can be sent to users. See Identifying the Filtering Service for the
Block Page URL, page 166 for instructions.
‹ All workstations being filtered must have the Messenger Service enabled
to receive protocol block messages. See Displaying Protocol Block
Messages, page 167 for instructions.
‹ If the Logon Agent was installed, you must create a logon script for your
users that will identify them transparently as they log on to a Windows
domain. See Creating and Running the Script for Logon Agent, page 168
for instructions.
‹ If the Network Agent was installed on a machine with multiple Network
Interface Cards (NICs), you can configure Network Agent to use more
than one NIC. See Configuring Network Agent to use Multiple NICs, page
174.
‹ Configure your firewall or internet router appropriately. See Configuring
Firewalls or Routers, page 175 for instructions.
‹ If the optional Remote Filtering components were installed, some
additional firewall configuration is required to ensure that remote users
are filtered correctly. See Firewall Configuration for Remote Filtering,
page 175 for instructions.
For additional configuration information, refer to the Websense Enterprise
Administrator’s Guide.

Stand-Alone Edition 161

Chapter 5: Initial Setup

Subscription Key and Master Database Download

The Websense Master Database is the basis for filtering and is updated daily
by default. It is downloaded from a remote database server so that your
version is the most current.
For the database download to occur, the machine running the Websense
Filtering Service must have internet access to the download servers at the
following URLs:
‹ download.websense.com
‹ ddsdom.websense.com
‹ ddsint.websense.com
‹ portal.websense.com
‹ my.websense.com
Make sure that these addresses are permitted by all firewalls, proxy servers,
routers, or host files that control the URLs that the Filtering Service can
access.
If you did not enter a subscription key to download the Master Database
during installation, follow the instructions below to enter your key and
download the Master Database now.

NOTE
If you have just upgraded Websense Enterprise, your
subscription key was retained by the installer and these
steps are not necessary.

To download the Master Database:

1. Open Websense Manager on any machine where it is installed.
„ Windows: Select Start > Programs > Websense > Websense
Manager.
„ Solaris: Go to the Websense/Manager directory and enter:
./start_manager
2. For a first-time installation, if Policy Server was not installed with
Websense Manager, the Add Policy Server dialog box appears the first
time you open Websense Manager.

162 Websense Enterprise

 Chapter 5: Initial Setup

a. Enter the IP address or machine name of the machine on which you

installed the Policy Server, and the configuration port established
during installation (default is 55806).
b. Click OK. The Policy Server machine’s IP address or machine name
appears beside a server icon in the Manager’s navigation pane.
3. Double-click the icon of the Policy Server in the navigation pane.
For a first-time installation, the Set Websense Password dialog box
appears.
4. Set a password (between 4 and 25 characters) for the Policy Server.

NOTE
Retain this password. It must be entered when you connect
to this Policy Server from this or any other Websense
Manager, or after the Policy Server is stopped and
restarted.

5. Click OK.
The Settings dialog box appears.

NOTE
If you have entered a subscription key previously, you
must select Server > Settings to display the Settings
dialog box with Database Download selected.

Stand-Alone Edition 163

Chapter 5: Initial Setup

Settings Dialog Box

6. Enter your alphanumeric key in the Subscription key field.

NOTE
The Subscribed network users and Subscribed remote
users fields show a value of 0 until the database is
successfully downloaded.

7. If your network requires authentication to an upstream proxy server or

firewall to reach the internet and download the Websense Master
Database, perform the following procedure:
a. Check Use authentication.
b. Be sure to configure the upstream proxy server or firewall to accept
clear text or basic authentication (for Websense to download the
Master Database).
c. Enter the User name required by the upstream proxy server or
firewall to download the Master Database.
d. Enter the Password required by the upstream proxy server or firewall.

164 Websense Enterprise

 Chapter 5: Initial Setup

8. If your network requires that browsers use an upstream proxy server to

reach the internet, the same proxy settings used by the browser must be
used for downloading the Websense Master Database. Establish the proxy
settings for the database download as follows:
a. Check Use proxy server.
b. Identify the upstream proxy server or firewall by entering the
machine’s IP address or machine name in the Server field.
Supported machine name formats are as follows:
• Windows: 7-bit ASCII and UTF-8 characters. The DNS server
must be able to recognize UTF-8 characters and resolve the name
into an IP address. Do NOT use a machine name that has extended
ASCII or double-byte characters.
• Solaris or Linux: 7-bit ASCII only.

NOTE
If Websense Enterprise is installed on a proxy server
machine in your network, do not enter that IP address in
your proxy settings. Use localhost instead.

c. Enter the Port of the upstream proxy server or firewall (default is

8080).
9. Click OK.
10. Click Done in the Saving Data dialog box.
Websense automatically contacts the Websense database server and
begins downloading the Master Database. The status of the download is
displayed in the Database Download dialog box.
The first time the subscription key is entered, the following website
appears:
http://www.my.websense.com
The my.websense.com site provides access to technical assistance
customized for your particular version of Websense Enterprise, your
operating system, and your integration product.

Stand-Alone Edition 165

Chapter 5: Initial Setup

11. Click Close in the Database Download dialog box when the download is
complete.

NOTE
After downloading the Master Database or updates to the
Master Database, and when the Filtering Service is started,
CPU usage can be 90% or more while the database is
loaded into local memory.

Identifying the Filtering Service for the Block Page URL

When Websense blocks an internet request, the browser is redirected by
default to a block message page hosted by the Filtering Service. The format of
the block page URL typically takes the form:
http://<WebsenseServerIPAddress>:<MessagePort>/cgi-bin/
blockpage.cgi?ws-session=#########
If the Filtering Service is installed on a multihomed machine (with two or
more network interface cards), you must identify the Filtering Service by its
IP address in your network so that Websense Enterprise block messages can
be sent to users. If the Filtering Service machine name, rather than the IP
address, is contained in the block page URL, the users could see a blank page
instead of the block message.
Use one of the following methods to identify the Filtering Service by IP address:
‹ If you have an internal DNS server, associate the machine name of the
Filtering Service machine with its correct (typically internal) IP address
by entering the IP address as a resource record in your DNS server. See
your DNS server documentation for instructions.
‹ If you do not have internal DNS, add an entry to the eimserver.ini
file by following these instructions:
1. Go to the Websense\bin folder on the Filtering Service machine.
2. Open the eimserver.ini file in a text editor.
3. In the [WebsenseServer] area, enter the following command on
a blank line:
BlockMsgServerName=<IP address>

166 Websense Enterprise

 Chapter 5: Initial Setup

where <IP address> is the correct (typically internal) IP address

of the machine running Filtering Service.

IMPORTANT
i
Do not use the loopback address 127.0.0.1.

4. Save the file.

5. Stop and then restart the Filtering Service (see Stopping or Starting
Websense Services, page 157).

Displaying Protocol Block Messages

Websense Enterprise will filter protocol requests normally whether or not
protocol block messages are configured to display on user workstations.
Protocol block messages cannot be displayed on the following workstation
operating systems:
‹ Solaris
‹ Linux
‹ Macintosh

IMPORTANT
i
Windows XP Service Pack 2 will only display protocol
block messages under the following conditions:
‹ The firewall function must be disabled.
‹ The Windows Messenger service must be started.

For users to view protocol block messages in Windows NT, Windows 2000,
and Windows 2003:
‹ Make sure that the User Service has administrator privileges. Refer to
your operating system documentation for instructions on changing
privileges for Windows Services.
‹ Make sure the Messenger Service is enabled on each client workstation
that is being filtered. If you have activated protocol management in
Websense Enterprise, check the Windows Services dialog box to see if

Stand-Alone Edition 167

Chapter 5: Initial Setup

the Messenger Service is running. If your company policy requires the

Messenger Service to be disabled, you should advise your users that
certain protocols will be blocked without notification.
To view protocol block messages on a Windows 98 machine, you must start
winpopup.exe, found in the Windows directory of your local drive. You
can start this application from a command prompt or configure it to start
automatically by copying it into the Startup folder. For instructions on how to
do this, refer to your operating system documentation.

Creating and Running the Script for Logon Agent

If you have installed Websense Enterprise Logon Agent, you must create a
logon script for your users that will identify them transparently as they log on
to a Windows domain. Identification is accomplished by the Websense
LogonApp.exe application which provides a user name to the Logon
Agent each time a Windows client machine connects to an Active Directory
or a Windows NTLM directory service.

Prerequisites for Running the Logon Script

Make the following network preparations so that the Websense logon script
can execute properly on user Windows workstations:
‹ Be sure that all workstations can connect to the shared drive on the
domain controller where the script and LogonApp.exe will be placed.
To determine if a workstation has access to the domain controller, run the
following command from a Windows command prompt:
net view /domain:<domain name>
‹ NetBIOS for TCP/IP must be enabled. In Windows 98, TCP/IP NetBIOS
is enabled by default.
‹ The TCP/IP NetBIOS Helper service must be running on each client
machine that will be identified by Logon Agent. This service runs on
Windows 2000, Windows XP, Windows 2003, and Windows NT.

File Location
All relevant files are located in the \Websense\bin folder on the Logon
Agent machine:
‹ LogonApp.exe: the Websense executable

168 Websense Enterprise

 Chapter 5: Initial Setup

‹ Logon.bat: batch file containing sample logon scripts

‹ LogonApp_ReadMe.txt: a summary of the procedures for creating
and running the Websense logon script

Deployment Tasks
To deploy LogonApp.exe with a logon script, perform the following tasks:
Task 1: Prepare the logon script: Edit the parameters in the sample script
file (Logon.bat) to suit your needs. This file contains two sample
scripts: a logon script and a logout script. If you plan to use both
types of scripts, you will need two separate .bat files with different
names.
Task 2: Configure the script to run: You can run your logon script from
Active Directory or Windows NTLM directory services using group
policies. This requires you to move the Websense executable and
logon batch file to a shared drive on the domain controller that is
visible to all user workstations.

Preparing the Logon Script

A batch file, called Logon.bat, is installed with Logon Agent in the
\Websense\bin folder. This file contains some instructions for using the
scripting parameters, and two sample scripts: a logon script that will run
LogonApp.exe; and a logout script that will remove user information from
the Websense user map when the user logs out.

Script Parameters
Using the samples provided, construct a script for your users that employs the
parameters in the following table. The required portion of the script is:
LogonApp.exe http://<server>:15880
This command will run LogonApp.exe in persistent mode (the default),
which will send user information to the Logon Agent at predefined intervals.

NOTE
You can edit the sample, or create a new batch file
containing a single command.

Stand-Alone Edition 169

Chapter 5: Initial Setup

Parameter Description
<server> IP address or name of the machine running the Logon Agent.
Port number The port number used by Logon Agent defaults to 15880 but may
be edited if a different port is in use.
/COPY Copies the LogonApp.exe application to the users’ machines,
where it is run by the logon script from local memory. By default,
the application is copied into the %USERPROFILE%\Local
Settings\Temp folder. Copy can be used only in the persistent
mode.
/NOPERSIST Sends information to the Logon Agent only at logon. No updates
are sent during the user’s session.
If this parameter is not present, LogonApp.exe will operate in
the persistent mode. In this mode, LogonApp.exe will reside in
memory where it will update the Logon Agent at predefined
intervals (defaults to 15 minutes). PERSIST is the default
behavior for the logon script.
Refer to the Websense Enterprise Administrator’s Guide for
details on configuring the Logon Agent via the Websense
Manager.
/VERBOSE Debugging parameter that must be used only at the direction of
Technical Support.
/LOGOUT Removes the logon information from the Websense user map
when the user logs off. Use of this parameter requires a second
script.

Websense User Map and the Persistent Mode

User identification provided at logon by LogonApp.exe is stored in the
Websense user map. This information is updated periodically if
LogonApp.exe is run in persistent mode. The update time interval for the
persistent mode and the interval at which the user map is cleared of logon
information are configured in the Logon Agent tab of the Settings dialog box
in the Websense Manager. In Active Directory, if you decide to clear the logon
information from the Websense user map before the interval defined in the
Manager, you can create an accompanying logout script. You cannot
configure a logout script with Windows NTLM.

170 Websense Enterprise

 Chapter 5: Initial Setup

In the non-persistent mode, information in the user map is created at logon

and is not updated. The use of the non-persistent mode creates less traffic
between Websense and the workstations in your network than does the
persistent mode.
For detailed information on configuring Logon Agent in the Websense
Manager, refer to the Websense Enterprise Administrator’s Guide.

Examples
The following are examples of commands for a logon script and the
accompanying logout script that might be run in Active Directory. The logout
script must be run from a separate batch file.
‹ Logon script: The following script sends user information to the Logon
Agent at logon only. User information is not updated during the user’s
session.
LogonApp.exe http://10.2.2.95:15880 /NOPERSIST
‹ Logout script: The accompanying logout script would be written as:
LogonApp.exe http://10.2.2.95:15880 /NOPERSIST
/LOGOUT

Configuring the Logon Script to Run

You can configure your logon script to run with a group policy on Active
Directory or on a Windows NTLM directory service.

NOTE
The following procedures are specific to Microsoft
operating systems and are provided here as a courtesy.
Websense cannot be responsible for changes to these
procedures or to the operating systems that employ them.
For more information, refer to the links provided.

Active Directory
If your network uses Windows 98 client machines, refer to: http://
www.microsoft.com/windows2000/server/evaluation/news/bulletins/
adextension.asp for assistance.

Stand-Alone Edition 171

Chapter 5: Initial Setup

To configure a logon script using Active Directory:

1. Make sure your environment meets the conditions described in
Prerequisites for Running the Logon Script, page 168.
2. From the Start menu on the Active Directory machine, select Settings >
Control Panel > Administrative Tools > Active Directory Users and
Computers.
3. Right-click the domain and select Properties.
The domain Properties dialog box appears.
4. Select the Group Policy tab.
5. Click New and create a policy called Websense Logon Script.
6. Double-click your new policy or click Edit to edit the policy.
The Group Policy Object Editor dialog box appears.
7. In the tree structure displayed, expand User Configuration.
8. Expand the Windows Settings structure.
9. Select Scripts (Logon/Logoff).
10. In the right pane, double-click Logon.
11. In the Logon Properties dialog box displayed, click Show Files to open
the logon script folder for this policy.
The folder opens in a Windows Explorer window.
12. Copy the logon script you edited (logon.bat) and LogonApp.exe
into this folder.
13. Close the Explorer window and click Add in the Logon Properties
dialog box.
The Add a Script dialog box appears.
14. Enter the file name of the script (logon.bat) in the Script Name field
or browse for the file.
Leave the Script Parameters field empty.
15. Click OK twice to accept the changes.
16. Close the Group Policy Object Editor dialog box.
17. Click OK in the domain Properties dialog box to apply the script.
18. Repeat this procedure on each domain controller in your network as
needed.

172 Websense Enterprise

 Chapter 5: Initial Setup

NOTE
You can determine if your script is running as intended by
configuring Websense Enterprise for manual
authentication. If transparent authentication with Logon
Agent fails for any reason, users will be prompted for a
user name and password. Advise your users to notify you
if this occurs. For instructions on enabling manual
authentication, refer to the Websense Enterprise
Administrator’s Guide.

For additional information about deploying logon and logout scripts to users
and groups in Active Directory, please refer to:
http://www.microsoft.com/resources/documentation/WindowsServ/
2003/standard/proddocs/en-us/Default.asp?url=/resources/
documentation/WindowsServ/2003/standard/proddocs/en-us/
sag_assign_LScripts_user_AD.asp

Windows NTLM
To configure the Websense logon script in Windows NTLM:
1. Make sure your environment meets the conditions described in
Prerequisites for Running the Logon Script, page 168.
2. Copy the Logon.bat and LogonApp.exe files from the
\Websense\bin folder on the Logon Agent machine to the netlogon
share directory on the domain controller machine.
C:\WINNT\system32\Repl\Import\Scripts
Depending upon your configuration, you may need to copy these files to
other domain controllers in the network to run the script for all your users.
3. In the Control Panel of the domain controller, select Administrative
Tools > User Manager for Domains.
4. Select the users for whom the script must be run and double-click to edit
the user properties.
The User Properties dialog box appears.
5. Click Profile.
The User Environment Profile dialog box appears.

Stand-Alone Edition 173

Chapter 5: Initial Setup

6. Enter the path to the script in the User Profile Path field (from Step 2).
7. Enter the name of the logon script (logon.bat) in the Logon Script
Name field.
8. Click OK.
9. Repeat this procedure on each domain controller in your network as
needed.

NOTE
You can determine if your script is running as intended by
configuring Websense Enterprise for manual
authentication. If transparent authentication with Logon
Agent fails for any reason, users will be prompted for a
user name and password. Advise your users to notify you
if this occurs. For instructions on enabling manual
authentication, refer to the Websense Enterprise
Administrator’s Guide.

For additional information about creating and deploying logon scripts to users
in Windows NTLM, please refer to:
http://windows.about.com/library/weekly/aa031200a.htm

Configuring Network Agent to use Multiple NICs

Each Network Agent instance must use at least one designated NIC. However,
Network Agent is capable of using multiple NICs. If you installed Network
Agent on a machine with multiple NICs, you can configure it to use different
NICs for different purposes. For example, you can configure Network Agent
to use one NIC for monitoring traffic, and another to send blocking
information to Filtering Service.
For instructions on configuring Network Agent to use additional NICs, refer
to the Network Agent chapter in the Websense Enterprise Administrator’s
Guide.

174 Websense Enterprise

 Chapter 5: Initial Setup

Configuring Firewalls or Routers

If internet connectivity of the Websense Manager requires authentication
through a proxy server or firewall for HTTP traffic, the proxy or firewall must
be configured to accept clear text or basic authentication to enable the
Websense Master Database download.

Firewall Configuration for Remote Filtering

Remote Filtering is an optional Websense service that allows you to filter user
workstations located outside your organization’s network firewall. If you
installed the Remote Filtering components, some firewall configuration is
necessary to enable web filtering on remote workstations.
The network firewall and any additional firewalls located between the
Remote Filtering Server machine and the remote workstations should be
configured as follows:
‹ Open the Remote Filtering Server’s External Communication Port on
these firewalls to accept connections from Remote Filtering Clients on
workstations located outside the network firewall.
‹ Block connections to the Remote Filtering Server’s Internal
Communication Port from workstations located outside the network
firewall.
Refer to the documentation for your firewall product for configuration
information.

Virtual Private Network (VPN) Connections

If your organization allows remote users to connect through a network-based
Virtual Private Network (VPN), additional firewall configuration is required
to ensure that these users are always filtered.
Remote users who connect through the VPN and access the internet via the
network gateway or firewall are filtered through the Filtering Service in the
same way as internal users. However, VPN connections can allow remote
users to access the internet via alternate gateways, a procedure commonly
known as Split Tunnelling. To ensure that VPN users who access the internet
via alternate gateways will be filtered by the Remote Filtering Server, you
must set up a rule on your organization’s network firewall. This rule will
block communication between the Remote Filtering Client on the remote

Stand-Alone Edition 175

Chapter 5: Initial Setup

workstation and the Internal Communication Port on the Remote Filtering

Server. To set up this rule:
‹ Determine the IP address range assigned to users accessing your network
through the VPN.
‹ Apply a rule to block communication from that IP address range to the
Remote Filtering Server’s Internal Communication Port.
Refer to the documentation for your firewall product for details about
setting up a rule on that type of firewall.

176 Websense Enterprise

APPENDIX A
Stealth Mode
In some cases, it might be desirable to configure the Network Agent to inspect
all packets with a network interface card (NIC) that has been configured for
stealth mode. A NIC in stealth mode has no IP address and cannot be used for
communication. The advantages for this type of configuration are security and
network performance. Removing the IP address prevents connections to the
interface from outside and stops unwanted broadcasts.

Configuring for Stealth Mode

If the Network Agent is configured for a stealth mode NIC, the installation
machine must be multihomed. In remote installations of Network Agent, a
second, TCP/IP-capable interface must be configured to communicate with
Websense Enterprise for filtering and logging purposes.
Stealth mode NICs display normally during Network Agent installation. You
may test a stealth mode NIC for traffic visibility and select it for Network
Agent to use to monitor internet traffic. When installing on Windows, stealth
mode interfaces do not display as a choice for Websense Enterprise
communications.

IMPORTANT
i
In Solaris and Linux, stealth mode NICs appear together
with TCP/IP-capable interfaces and must not be selected
for communication.

Make sure you know the configuration of all the interfaces in the machine
before attempting an installation.

Stand-Alone Edition 177

Appendix A: Stealth Mode

Windows
Stealth mode for the Network Agent interface is supported for Windows 2000
and 2003.
To configure a NIC for stealth mode:
1. From the Start menu, select Settings > Network and Dial-up
Connection.
A list of all the interfaces active in the machine is displayed.
2. Select the interface you want to configure.
3. Select File > Properties or right-click and select Properties from the
pop-up menu.
A dialog box displays the connections properties of the interface you have
chosen.

Interface Connections Properties

4. Clear the Internet Protocol (TCP/IP) checkbox.

5. Click OK.

178 Websense Enterprise

 Appendix A: Stealth Mode

Solaris or Linux
To configure a NIC for stealth mode in Solaris or Linux, you must disable the
Address Resolution Protocol (ARP), which severs the link between the IP
address and the MAC address of the interface.

Solaris
‹ To configure a NIC for stealth mode, run the following from a command
prompt:
ifconfig <interface> plumb -arp up
‹ To return the NIC to a normal mode, run the following from a command
prompt:
ifconfig <interface> plumb arp up

Linux
‹ To configure a NIC for stealth mode, run the following from a command
prompt:
ifconfig <interface> -arp up
‹ To return the NIC to a normal mode, run the following from a command
prompt:
ifconfig <interface> arp up

IMPORTANT
i
The Network Agent can work with a stealth mode NIC
only if the interface retains its old IP address in the Solaris
or Linux system configuration file.

Stand-Alone Edition 179

Appendix A: Stealth Mode

180 Websense Enterprise

APPENDIX B
Troubleshooting
You may encounter a situation while installing and configuring Websense
Enterprise that is not addressed in the previous chapters. This appendix
troubleshoots installation and integration configuration issues that have been
called in to Websense Technical Support. Please check this chapter for
information about the problem you are having before you contact Technical
Support. For issues not related to installation or communication between
Websense Enterprise and your integration, refer to your Websense Enterprise
Administrator’s Guide.
If you still need to contact Technical Support, please see Appendix C:
Technical Support for contact information. The situations addressed in this
chapter are as follows:
‹ I made a mistake during installation.
‹ I forgot my Websense Policy Server password.
‹ Where can I find download and error messages?
‹ The Master Database does not download.
‹ Policy Server fails to install.
‹ I upgraded Websense, and configured users no longer appear under
Directory Objects in Websense Manager.
‹ Network Agent fails to start on Linux with stealth mode NIC.
‹ Windows 9x workstations are not being filtered as expected.
‹ Some users are receiving the Websense Global policy.
‹ Websense Enterprise splash screen is displayed, but installer does not
launch on Windows 2000.
‹ Network Agent cannot communicate with Filtering Service after it has
been reinstalled.

Stand-Alone Edition 181

Appendix B: Troubleshooting

I made a mistake during installation

Run the installation program again. Setup will detect the current installation
and allow you to Add, Remove, or Repair Websense Enterprise components.
The Repair option does not troubleshoot the installation, but merely reinstalls
the files it detects.

NOTE
On Windows, you may need to restart the machine before
running Setup again.

Refer to Modifying an Installation, page 133 for instructions.

I forgot my Websense Policy Server password

Contact Websense Technical Support for assistance. You can find contact
information in Appendix C: Technical Support.

Where can I find download and error messages?

Windows 2000 and 2003

Check the Windows Application Event log or Websense.log
(Websense\bin) for any listings about the database download as well as
other error or status messages. Access the Application Event log by choosing
Start > Settings > Control Panel > Administrative Tools > Event Viewer.
Expand the Event Viewer tree and click Application Log.

182 Websense Enterprise

 Appendix B: Troubleshooting

The Master Database does not download

There are several reasons why you might have difficulty receiving Websense
Master Database downloads.

Subscription Key
Verify that the subscription key is entered correctly and has not expired. Open
the Settings dialog box, and go to the Database Download screen.
‹ Compare the key you received via email or in the Websense Enterprise
package to the key in the Subscription key field (the key is not case
sensitive) and correct any errors. You must click OK to close the Settings
dialog box before the key takes effect and enables the database download.
‹ Check the date shown in the Key expires field. If this date has passed,
contact Websense, Inc. to renew your subscription.

Internet Access
The machine running the Filtering Service must have access to the internet via
HTTP, and must be able to receive incoming transmissions.
To verify internet access on the Websense Filtering Service machine:
1. Determine whether Websense is accessing the internet through a proxy
server by checking the Database Download screen of the Settings dialog
box in Websense Manager.
2. If a proxy server is being used, open a web browser (either Internet
Explorer or Netscape).
3. Configure the browser to access the internet with the same proxy settings
as those shown in the Settings dialog box.
4. Request one of the following addresses:
http://download.websense.com
http://asia.download.websense.com
http://europe.download.websense.com
„ If you reach the site, the Websense logo appears, along with a
message indicating that it will redirect you to the Websense home
page. This means that the Filtering Service’s proxy settings are
correct, and the Filtering Service should have appropriate HTTP
access for downloading.

Stand-Alone Edition 183

Appendix B: Troubleshooting

„ If you are not able to reach the download site, and the system requires
proxy information, the Filtering Service proxy settings must be
corrected.
„ If no proxy information is required, use the nslookup command (at
the command prompt) with the address of your download site to make
sure the Filtering Service machine is able to resolve the download
location to an IP address. For example:
nslookup asia.download.websense.com
If this does not return an IP address, you must set up the machine
running Filtering Service to access a DNS server.
If you need assistance, contact Websense Technical Support (see
Appendix C: Technical Support for information).
5. If Websense must access the internet through an upstream firewall or
proxy server that requires authentication, check the following:
„ The correct user name and password must be entered in the Database
Download screen of the Settings dialog box. Verify spelling and
capitalization.
„ The firewall or proxy server must be configured to accept clear text or
basic authentication.

Restriction Applications
Some restriction applications, such as virus scanners or size-limiting
applications, can interfere with database downloads. Disable the restrictions
relating to the Filtering Service machine and the Websense download location.

Policy Server fails to install

If you attempt to install Websense Enterprise on a machine with insufficient
resources (RAM or processor speed), the Policy Server may fail to install.
Certain applications (such as print services) can bind up the resources that
Setup needs to install the Policy Server. If the Policy Server fails to install,
Setup must quit. If you receive the error message: Could not install current
service: Policy Server, during installation, take one of the following actions:
‹ Install Websense Enterprise on a different machine. See System
Requirements, page 29 for minimum installation requirements.
‹ Stop all memory-intensive services running on the machine before
attempting another Websense Enterprise installation.

184 Websense Enterprise

 Appendix B: Troubleshooting

I upgraded Websense, and configured users no longer appear

under Directory Objects in Websense Manager
If you are using Active Directory as your Directory Service, you may find that
user names disappear from the list of directory objects in Websense Manager
when you upgrade Websense. This will happen if your user names include
characters that are not part of the UTF-8 character set.
To support LDAP 3.0, the Websense installer changes the character set from
MBCS to UTF-8 during upgrade, so if your user names include non-UTF-8
characters, those characters will not be properly recognized. To fix this
problem, try changing the character set back to MBCS.
1. In Websense Manager, go to Server > Settings > Directory Service.
Active Directory (Native Mode) will be selected in the Directories pane
if you are using Active Directory.
2. Click the Advanced Settings button.
3. Click MBCS under Character Set to change the character set from
UTF-8 to MBCS.

Network Agent fails to start with stealth mode NIC

IP address removed from Linux configuration file

The Network Agent can work with a stealth mode NIC only if the interface
retains its old IP address in the Linux system configuration file. If you have
bound the Network Agent to a network interface card configured for stealth
mode, and then removed the IP address of the NIC from the Linux
configuration file (/etc/sysconfig/network-scripts/
ifcfg-<adapter name>), the Network Agent will not start.
An interface without an IP address will not appear in the list of adapters
displayed in the installer or in Websense Manager and will be unavailable for
use. To reconnect Network Agent to the NIC, restore the IP address in the
configuration file.

Stand-Alone Edition 185

Appendix B: Troubleshooting

Stealth mode NIC selected for Websense communications in Solaris

and Linux
Network interface cards configured for stealth mode in Solaris and Linux are
displayed in the Websense Enterprise installer as choices for Websense
communication. If you have inadvertently selected a stealth mode NIC for
communications, the Network Agent will not start, and Websense Enterprise
services will not work.
To correct this problem, open the websense.ini file in /Websense/
bin and change the IP address to that of a NIC in normal mode. Start the
Websense services.

Windows 9x workstations are not being filtered as expected

If you are running DC Agent for user identification, your Windows 9x
workstation machine names must not contain any spaces. This situation could
prevent DC Agent from receiving a user name when an internet request is
made from that workstation. Check the machine names of any Window 9x
workstations experiencing filtering problems and remove any spaces you find.

Some users are receiving the Websense Global policy

A number of reasons exist as to why users are not being filtered as expected;
however, if your network uses Logon Agent to identify users, and if some of
those users are receiving the Websense Global policy instead of their usual
user or group policies, a network problem may exist.
If the Logon Agent logon script fails to execute properly on a workstation,
Websense cannot identify the user to apply the proper policy. Websense will
then apply the Global policy as a default.
The first step is to determine if the settings for the Windows Group Policy
Objects (GPO) are being applied correctly to these workstations. If not, then
this is a network connectivity problem and not a Websense Enterprise
configuration issue.
Proceed with the following network checks:
‹ Check the user machine’s visibility to the domain controller from which
the logon script is being run.

186 Websense Enterprise

 Appendix B: Troubleshooting

‹ Make sure that NetBIOS is enabled on the machine.

‹ Make sure the user profile is not blocking the execution of the logon script.

Domain Controller Visibility

To determine is the domain controller is visible to the workstation:
‹ Attempt to map a drive on the client workstation to the domain
controller’s root shared drive. This is the drive from which the logon
script is normally run, and on which LogonApp.exe resides.
‹ Run the following command from a Windows command prompt on the
workstation that is not being identified:
net view /domain:<domain name>
If either of these tests fails, refer to your Windows operating system
documentation for possible solutions. This is a network connectivity problem
and not a Websense Enterprise issue.

NetBIOS
Make sure that NetBIOS for TCP/IP is enabled and that the TCP/IP NetBIOS
Helper service is running on the client machine. If either of these is not
running, the Websense logon script will not execute on the user machine.
The TCP/IP NetBIOS Helper service runs on Windows 2000, Windows XP,
Windows 2003, and Windows NT. In Windows 98, TCP/IP NetBIOS is
enabled by default.
If your network uses Active Directory, and if you have Windows 98 client
machines, refer to the following website for assistance: http://
www.microsoft.com/windows2000/server/evaluation/news/bulletins/
adextension.asp.

User Profile Issues

If the user profile on the local workstation is corrupt, it can prevent the
Websense logon script (as well as the Windows GPO settings) from running.
To eliminate this as a cause:
1. Log on to the workstation as a local administrator.
2. Delete the following directory that contains the user profile:
C:\Documents & Settings\<user name>
3. Restart the machine.

Stand-Alone Edition 187

Appendix B: Troubleshooting

4. Log on as the normal user.

The user profile will be created automatically.
5. Check to make sure the user is being filtered as expected.

Websense Enterprise splash screen is displayed, but installer

does not launch on Windows 2000

This is a software issue with the installation machine which prevents it from
displaying the Java-based Websense installer interface. This problem also
prevents the Websense Manager from launching on this machine.
There are two possible solutions for this problem.
‹ Install DirectX on the installation machine. DirectX is a Windows suite
of application programming interfaces (APIs) that developers use to write
applications for the Windows operating system. The Java based Websense
installer uses these APIs to display its interface, as does the Websense
Manager. If DirectX is not present, neither the Websense installer
interface nor the Websense Manager interface can be displayed.
‹ Run the installer in console mode. You can configure Setup.exe to start
in a Windows command prompt, which will allow you to install
Websense Enterprise in the console mode.
To install Websense Enterprise in console mode:
1. Open the launch.ini file using any text editor.
This file is located on the same level as Setup.exe in the folder where you
unzipped your Websense Enterprise installer.
2. Add the following line to the file:
ARGS=-console –is:javaconsole
3. Save the file and exit.
4. Double-click Setup.exe or run the application from the command line.
The installer starts in the Windows command prompt.
5. Follow the on-screen instructions to install Websense Enterprise.

NOTE
The installation sequence for the console mode is identical
to that of the GUI mode.

188 Websense Enterprise

 Appendix B: Troubleshooting

6. Install the Websense Manager on a Solaris machine or a Windows

machine capable of displaying the Java interface.

Network Agent cannot communicate with Filtering Service

after it has been reinstalled
When the Filtering Service has been uninstalled and reinstalled, the Network
Agent does not automatically update the internal identifier (UID) for the
Filtering Service. After the new installation of the Filtering Service is
complete, the Websense Manager still attempts to query the Filtering Service
using the old UID, which no longer exists.
To re-establish connection to the Filtering Service:
1. Open the Websense Manager.
An error message is displayed stating Network Agent <IP address> is
unable to connect with Filtering Service.
2. Clear the message and select Server > Settings.
The same error message is displayed.
3. Clear the message again and select Network Agent from the Settings
Selections list.
4. Click Local Settings.
5. Select the IP address listed above the NIC for the Network Agent.
6. Click Edit Selection.
The Filtering Service Connection dialog box appears.
7. Select the IP address of the Filtering Service machine from the Server IP
Address drop-down list.
8. Click Finish.
9. Click OK in the Local Settings dialog box.
10. Click OK in the Settings dialog box to save the changes.

Stand-Alone Edition 189

Appendix B: Troubleshooting

190 Websense Enterprise

APPENDIX C
Technical Support
Websense, Inc. is committed to providing excellent service worldwide. Our
goal is to provide professional assistance in the use of our software wherever
you are located.

Websense Technical Services Support Center

Technical information about Websense products is available 24 hours a day on
the internet at:
http://www.websense.com/global/en/SupportAndKB
You will find here the latest release information, Frequently Asked Questions
(FAQs), a Knowledge Base, product documentation, and other information.

Premium Support
Websense offers two premium fee-based support options: Priority One 24x7
Support and Platinum Support.
Priority One 24x7 Support offers extended service 24 hours a day, 7 days a
week, and includes a toll-free number for customers in the U.S.
Platinum Support is our most comprehensive support and education offering.
It includes the advantages of Priority One 24x7 Support as well as a dedicated
support team, highest priority service, and educational opportunities.
For a complete list of Priority One 24x7 and Platinum Support services,
please visit our website at:
http://www.websense.com/global/en/ProductsServices/Services
For additional information, please contact our U.S. Sales Department at
1 800 723 1166 or 1 858 320 8000, or send an email to [email protected].

Stand-Alone Edition 191

Appendix C: Technical Support

For information about the availability of premium support programs for

customers outside the U.S., please contact your local Websense sales office:
http://www.websense.com/global/en/AboutWebsense/ContactUs

Support Options
Websense Technical Support can be requested 24 hours a day, 7 days a week.

Web Portal
You can submit support tickets through the Web Portal 24 hours a day, 7 days
a week. The response time during business hours is approximately 4 hours.
Response to after-hours requests will occur the next business day. Support
tickets can be submitted at:
http://www.websense.com/global/en/SupportAndKB/CreateRequest.

Email Questions
You may email your questions to us at the addresses listed below. Make sure
you include your subscription key. This option is available 24 hours a day, 7
days a week. We will respond during business hours Monday through Friday.
‹ [email protected]—San Diego, California, USA
‹ [email protected]—London, England
‹ [email protected]—Japan (Asia)
Email support can take up to 24 hours for a response. If you need a quicker
turnaround, submit your issues through the Web Portal.

Telephone Assistance
Before you call a Websense Technical Support representative, please be ready
with the following:
‹ Websense subscription key.
‹ Access to the configuration interface for your Websense products.
‹ Access to the machine running the Filtering Service, the Websense
Reporting components, and the database (MSDE or SQL Server).
‹ Permission to access the Websense Log Database.
‹ Familiarity with your network’s architecture, or access to a person who
has this familiarity.

192 Websense Enterprise

 Appendix C: Technical Support

‹ Specifications of the machines running the Filtering Service and the

Websense configuration files.
‹ A list of other applications running on the Filtering Service machine.
For severe problems, additional information may be needed.
Telephone assistance is available during normal business hours Monday
through Friday at the following numbers:
‹ U.S. Technical Services in San Diego, California, USA: 1 858 458 2940
‹ U.K. Technical Services in London, England: +44 (0) 1932 796244

Customer Care
Not sure who to call? Contact Customer Care for assistance with:
‹ General concerns
‹ Subscription key questions or issues
‹ Follow-up on telephone support issues
‹ General service requests
A Customer Care representative can be reached at:
‹ Customer Care U.S. in San Diego, California: 1 866 355 0690 (from the
U.S.only) or 1 858 320 9777, or [email protected]
‹ Customer Care International in Dublin, Ireland: +353 (0) 1 6319360 or
[email protected]

Improving Documentation
Websense, Inc. understands the value of high quality, accurate documentation.
If you have any suggestions for improving the documentation, contact us at
[email protected]. We appreciate your input.

Stand-Alone Edition 193

Appendix C: Technical Support

194 Websense Enterprise

 Index

A config.xml file, 33
Active Directory, 27 customer support, See technical support
running logon script from, 171–173
adding components
D
Linux, 143–147 database download, See Master Database
Solaris, 143–147 download
Windows, 134–143 DC Agent
Address Resolution Protocol (ARP), 179 defined, 8
Apache Web Server deployment of, 16
installing, 53, 87 installation privileges, 35
authentication installing separately, 85–87
directory services, 27–29 required privileges for, 48
User Service, 14 Default Web Site, 54, 89
with RADIUS Agent, 93, 123 deploying Remote Filtering Client
third party tools for, 110
B deployment
Bandwidth Optimizer, 11 component requirements, 13–20
basic authentication, 175 directory services, 27–29
block messages Network Address Translation (NAT), 27
for protocols, 167–168 network requirements, 20–29
block page URL, 166–167 tasks, 11
browser Websense in switched environments, 24–26
path to, 115 directory path for installation, 69, 116
bytes transferred, 8 directory services
general requirements, 30
C supported types, 27–29
DirectX requirement, 188
clear text, 175
DNS server, 30, 166
components
domain administrator privileges, 48, 74, 134
adding, 133–147
domain controller
removing, 147–151
testing for visibility from, 187
repairing, 151–155
config.xml E
cautions about, 32
possible problems with during uninstall, 149 eDirectory Agent
repairing the Policy Server, 156 defined, 8

Stand-Alone Edition 195

Index

deployment of, 17 Solaris, 127–129

installing separately Manager
Linux, 125–127 Linux, 115–116
Solaris, 125–127 Solaris, 115–116
Windows, 94–96 Windows, 77–78
eimserver.ini file, 33 Network Agent
identifying Filtering Service for block page Linux, 117–121
URL, 166 Solaris, 117–121
error messages Windows, 78–85
location of, 182 Policy Server port, 66
evaluation key RADIUS Agent
website for downloading, 53, 66 Linux, 123–125
Solaris, 123–125
F Windows, 93–94
files Real-Time Analyzer, 87–91
backups of when upgrading, 33 Remote Filtering Client, 105–114
Filtering Service Remote Filtering Client Pack, 104–105
defined, 8 Remote Filtering Server, 98–103
deployment of, 13 Linux, 129–132
identifying for block page URL, 166–167 Solaris, 129–132
machine identification, 84, 102, 120, 131 Windows, 98–103
multiple installations of, 20 Usage Monitor
port number, 66 Linux, 122–123
Solaris, 122–123
G Windows, 91–92
Global Websense policy application, 186 Websense Enterprise
Linux, 63–71
I separate Windows machine, 47–62
Solaris, 63–71
IIS Web Server
Windows installer does not launch, 188
detecting, 53, 87
Internet access problems, 183–184
installation
IP addresses
Apache Web Server, 53, 87
changing for installed components, 43
console mode in Windows, 188
defining ranges for Network Agent, 15, 78
Custom option, 45
disabling for stealth mode, 178
DC Agent, 85–87
DNS server resolution, 30
detecting IIS Web Server, 53, 87
multiple network interface cards, 51
eDirectory Agent
overlapping ranges, 25
Linux, 125–127
requirements for Websense
Solaris, 125–127
communication, 65
Windows, 94–96
stealth mode and, 177
Filtering Service port, 66
traffic visibility test, 56
Logon Agent, 96–98
transparent identification for, 28
Linux, 127–129
User Service requirements for, 14

196 Websense Enterprise

 Index

L and virus scanners, 184

Language Pack, 45 during installation
upgrades and, 33 Solaris and Linux, 66, 70
languages Windows, 60–62
locales, 14 during upgrade
launch.ini file, 188 Solaris and Linux, 42
LDAP directory service, 27 Windows, 38
Linux error message location, 182
adding components on, 143–147 failure of, 183–184
removing components on, 150–151 from the Websense Manager, 162–166
repairing components on, 154–155 performing, 162–166
starting and stopping Websense Messenger Service, 167
services, 159–160 mirroring, 24
upgrading Websense Enterprise on, 39–42 modifying an installation, 133–155
Websense Enterprise installation on, 63–71
load balancing, 20
N
locales, 14, 34 NetBIOS, 16
Logon Agent enabling for logon script, 187
defined, 9 Netscape location, 41
deployment of, 18 Network Address Translation (NAT), 27
failure to identify users, 186–188 Network Agent
installing separately bandwidth optimizer, 55, 66, 80, 118
Linux, 127–129 defined, 8
Solaris, 127–129 deployment of, 14
Windows, 96–98 in switched environments, 14, 24
logon script installing separately
domain controller visibility issues, 187 Linux, 117–121
enabling NetBIOS for, 187 Solaris, 117–121
user profile issues, 187 Windows, 78–85
LogonApp.exe multiple installations of, 25
configuring to run Network Address Translation (NAT), 27
Active Directory, 171–173 network interface card, 83, 174
Windows NTLM, 173–174 protocol management, 55, 66, 80, 118, 138,
location of, 168 144
script for, 169–171 stealth mode NIC, 177–179
network efficiency, 30
M network interface cards (NIC)
MAC address, 179 configuring for stealth mode
manual authentication, 28 Solaris or Linux, 179
Master Database Windows, 178
description of, 9 installation tips, 46
reloading when repairing Policy Server, 156 promiscuous mode, 34
Master Database download selecting for Network Agent, 58, 83
Novell Directory Service/eDirectory Agent, 27

Stand-Alone Edition 197

Index

Novell Directory Services/eDirectory launching, 91, 143

Agent, 28 supported web servers for, 53, 87
Remote Filtering Client
P defined, 9
pass phrase for remote filtering, 101, 131 deployment of, 19
password installing
forgotten, 182 manually, 106
Policy Server setting, 163 with third-party tools, 110
proxy server/firewall setting, 164 Remote Filtering Client Pack
Policy Server defined, 73
defined, 8 installing, 104–105
deployment of, 13 Remote Filtering Server
failure to install, 184 defined, 9
machine identification, 79, 87, 91 deployment of, 18
port number, 66 External Communication Port, 100, 108,
repairing, 155–156 111, 130
port numbers firewall configuration for, 175–176
Filtering Service, 84, 102, 120, 131 installing
Policy Server, 79, 87, 91 Linux, 129–132
port spanning, 24 Solaris, 129–132
promiscuous mode, 34 Windows, 98–103
protocol block messages, 167–168 Internal Communication Port, 101, 108,
Protocol Management, 11, 138 111, 130
Samba client requirements pass phrase, 101, 131
Solaris, 41 removing components
proxy server Linux, 150–151
settings for Master Database download, 165 Solaris, 150–151
Windows, 147–150
Q repairing components
quotas, 10 Linux, 154–155
Solaris, 154–155
R Windows, 152–154
Reporting Tools
RADIUS Agent
deployment of components, 20
defined, 8
supported version, 33, 45
deployment of, 17
installing separately S
Linux, 123–125
Solaris, 123–125 Samba client, 69
Windows, 93–94 Solaris, 41
Real-Time Analyzer (RTA) setup
defined, 9 block page URL, 166–167
deployment of, 15 Master Database download, 162–166
installing separately, 87–91 subscription key, 162–166

198 Websense Enterprise

 Index

Solaris on Linux, 39–42

adding components on, 143–147 on Solaris, 39–42
removing components on, 150–151 on Windows, 34–39
repairing components on, 154–155 port numbers assigned, 31
starting and stopping Websense transferring data to fresh install, 32
services, 159 versions supported, 31
upgrading Websense Enterprise on, 39–42 Usage Monitor
Websense Enterprise installation, 63–71 automatic installation during upgrade, 33
stealth mode, 68 defined, 8
configuring deployment of, 15
Solaris or Linux, 179 installing separately
Windows, 178 Linux, 122–123
definition of, 177 Solaris, 122–123
problems with NIC, 185–186 Windows, 91–92
using with Network Agent, 177 user identification, 27–29
subscription key user profile issues with logon script, 187
entering, 162–166 User Service
Master Database download during defined, 8
installation with, 52, 66 deployment of, 14
verification and troubleshooting of, 183 installation privileges, 35
Sun Java System Directory Server, 27, 28 required privileges, 48, 74, 134
switched environments, 14, 24
system requirements, 29 V
workstations, 29 virus scanners, 184

T W
TCP/IP protocol, 30 Web Security Suite, 7
technical support Websense Enterprise
documentation feedback, 193 component configurations, 13–20
email, 192 components
premium support, 191 adding, 133–147
support website, 191 removing, 147–151
telephone assistance, 192 functional overview, 10
Web Portal, 192 installation of
transparent identification, 28 Linux, 63–71
Solaris, 63–71
U Windows, 47–62
upgrading selecting a NIC for communication, 177
distributed component, 33 upgrading, 31–43
general information, 33–34 Websense Enterprise - Corporate Edition, 7
manually restarting services/daemons, 34 Websense Enterprise Reporter, 9
matching locales for components, 34 Websense Manager
NICs assigned, 31 defined, 8
non-English language versions, 33 deployment of, 14

Stand-Alone Edition 199

Index

does not launch, 188 Active Directory, 27, 28

installing separately adding components on, 134–143
Linux, 115–116 error messages, 182
Solaris, 115–116 NTLM-based directories, 27, 28
Windows, 77–78 removing components on, 147–150
Websense Master Database, See Master starting and stopping Websense services, 33,
Database 158–159
Websense services upgrading on, 34–39
manually stopping, 157–158 Websense Enterprise installation, 47–62
starting and stopping Windows NTLM
Linux, 159–160 running logon script from, 173–174
Solaris, 159 Windows XP SP2 and protocol block
Windows, 158–159 messages, 167
stopping before upgrading, 33 winpopup.exe, 168
Websense Web Security Suite, 7 workstations, 29
websense.ini file, 33 WSSEK.dat file, 109
Windows

200 Websense Enterprise