WWS Upgrade Guide
WWS Upgrade Guide
v7.5
Trademarks
Websense is a registered trademark of Websense, Inc., in the United States and certain international markets. Websense has numerous other
unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.
Microsoft, Windows, Windows NT, Windows Server, Windows Vista and Active Directory are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
Sun, Sun Java System, and all Sun Java System based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc., in
the United States and other countries.
Red Hat is a registered trademark of Red Hat, Inc., in the United States and other countries. Linux is a trademark of Linus Torvalds in the United
States and other countries.
Novell, Novell Directory Services, eDirectory, and ZENworks are trademarks or registered trademarks of Novell, Inc., in the United States and other
countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Pentium and Xeon are registered trademarks of Intel Corporation.
This product includes software developed by the Apache Software Foundation (www.apache.org).
Copyright (c) 2000 The Apache Software Foundation. All rights reserved.
Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property
of their respective manufacturers.
WinPcap
Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy).
Copyright (c) 2005 - 2009 CACE Technologies, Davis (California).
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
Neither the name of the Politecnico di Torino, CACE Technologies nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
Contents
Chapter 1
Chapter 2
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Configured users do not appear on the Clients page . . . . . . . . . . . . . . . . . . . . . 23
TRITON - Web Security does not launch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
TRITON - Web Security icon still appears as Websense Manager . . . . . . . . . . 24
Contents
Websense
Upgrade instructions
Adding components
For information about upgrading Websense software when integrated with a thirdparty product, refer to the Websense Installation Guide supplement for your
integration product.
Note
In this supplement, the term Websense software is used to
refer to both Websense Web Security and Websense Web
Filter collectively. Either product is named individually if
information pertains to it only.
The following diagram provides an overview of the upgrade process.
version 5.5 > version 6.1 > version 6.3.2 > version 7.1 > version 7.5
Important
After upgrading from version 6.3.2 to 7.1, reboot the
machine before upgrading it to version 7.5.
Configuration and policy settings are preserved across the intermediate upgrades. To
perform an intermediate upgrade, download the installer package for the intermediate
version from the Websense Downloads site:
www.websense.com/MyWebsense/Downloads/
Important
When performing intermediate upgrades, be sure to read
the Websense Web Security and Websense Web Filter
Installation Guide and its upgrade supplement for each
upgrade version. They contain important information
specific to upgrading between particular versions that may
not be found in this version of the upgrade supplement.
System requirements
Before upgrading Websense software, make sure the installation machine meets the
system recommendations in the Deployment Guide for Websense Web Security
Solutions, including hardware specifications, operating system, browser, and database
engine.
Backing up files
Before upgrading to a new version of Websense software, it is a best practice to
perform a full system backup. This makes it possible to restore the current production
system with minimum downtime, if necessary.
Windows: Open a command window (Run > cmd) and navigate to the
Websense bin directory (C:\Program Files\Websense\bin, by default).
Windows:
wsbackup -b -d <directory>
Linux:
./WebsenseTools -b -b -d <directory>
For these commands, <directory> is the path where the backup file will be stored.
The Backup Utility saves the essential Websense software files on the machine on
which it is run, including any custom block pages. A complete list of the files
saved can be found in the v7.x Websense Manager Help.
Repeat this process on all machines on which Websense software is installed, and
make sure that the files are stored in a safe and accessible location.
4. Start the Websense services. The Websense services must be running when you
start the upgrade.
If you customized the charts displayed on the Today page in Websense Manager,
or changed the values of the Time or Bandwidth Estimate options, you must re-do
these customizations on the Today page in the TRITON console for Web Security.
If you have set up Active Directory on the Settings > General > Directory
Services page, you need to re-enter the information after the upgrade.
If you customized the name of the folder used to output scheduled presentation
reports, your customized folder name does not persist after the upgrade to v7.5.
Check the name of this folder inside the file mng.xml in this path: C:\Program
Files\Websense\tomcat\conf\Catalina\. The filename is the value for the
parameter: reportsOutput.
Reporting preferences on the page Settings > Reporting > Preferences do not
persist after an upgrade to v7.5.This includes the SMTP server IP address or
name, the email recipients for scheduled reports, and the Allow self-reporting
check box. Note the values before the upgrade and reset them afterwards.
Navigate to the Manage Custom LDAP Groups page, and note any custom
groups you have set up, based on attributes defined in your directory service. This
option is available only if you have configured Websense software to
communicate with an LDAP-based directory service. After the upgrade to v7.5,
custom LDAP groups created by delegated administrators need to be re-created.
If you customized the HTTPS port value for Websense Manager, the custom value
does not persist after upgrade. To check the value, or to reset the value after the
upgrade:
On the machine where the manager console runs, use the Windows Services
dialog box (Start > Administrative Tools > Services) to stop the
ApacheTomcatWebsense service.
After upgrade, you must manually set the version number to 7.5 (in place of 7.1.1)
in the container \EIMServer\Global\Version\ in the file config.xml. This file is
located by default in the directory C:\Program Files\Websense\bin\.
/opt/Websense/tomcat/conf/Catalina/localhost/
config.xml
websense.ini
eimserver.ini
3. If you have created custom block pages, make a backup copy of the files in the
Websense\BlockPages\en\Custom (Windows) or Websense/BlockPages/en/
Custom (Linux) directory.
4. Save the backup copies to another location.
5. Start the Websense services. The Websense services must be running when you
start the upgrade.
Relocating components
If you want to move any Websense component in your deployment to a different
machine, it is a best practice to do so before upgrading.
Remove the component and then install it on the new machine, using the installer for
your current version. See the Websense Web Security and Websense Web Filter
Installation Guide, for your version, for instructions.
Important
When moving components, make sure the associated
Websense Policy Server is running. Policy Server keeps
track of the location of components in a deployment. See
the Installation Guide, for your version, for more
information.
Once components are distributed to their final locations, run the new version installer
on each machine to upgrade the components to the new version. See Upgrade
instructions, page 16.
Important
In the Windows Services dialog box, if you have set the
Recovery properties of any of the Websense services to
restart the service on failure, you must change this setting
to Take No Action before upgrading.
Matching locales
When upgrading Websense Filtering Service installed on a machine separate from
Websense Manager, you must upgrade Filtering Service in the same locale
environment (language and character set) as Websense Manager.
When upgrading on Linux, log on to the Filtering Service machine with the
locale appropriate to Websense Manager.
After the upgrade is complete, Websense services can be restarted with any locale
setting.
Upgrade instructions
The standard Websense Web Security/Websense Web Filter 7.5 installer (Websense
installer) is also used for upgrades. After it starts, the installer detects when an older
version of the product is installed. The installer also detects which Websense
components are installed and need to be upgraded, and checks the version of the
database engine to ensure it is compatible with the new version of Websense software.
Upgrade order
If Websense components are distributed across multiple machines, they must be
upgraded in the following order due to dependencies between them.
1. Policy Broker
2. Policy Server
3. User Service
4. Filtering Service
5. Network Agent
6. Transparent identification agents
7. Filtering plug-in (on integration product machine)
8. Log Server
9. Websense Manager
If multiple components are installed on a machine, the installer upgrades them in the
proper order.
Upgrade steps
Perform the following procedure on each machine running Websense components.
Important
If Websense components are installed on multiple
machines, see Upgrade order, page 16, for important
information about the required upgrade sequence. All
components that interact in a deployment must be
upgraded to the same version.
1. If you performed an intermediate upgrade from version 6.3.2 to 7.1, and you have
not done so yet, reboot the machine before upgrading from version 7.1 to 7.5.
2. Close all instances of Websense Manager.
3. Log on to the installation machine with administrator privileges:
Linuxlog on as root.
If you are upgrading User Service, DC Agent, or Logon Agent, this ensures that
those components have administrator privileges on the domain.
Important
If you are upgrading Log Server on this machine and it
uses a Windows trusted connection to access the Log
Database, you must log on to this machine using the same
trusted account. See Log Server using trusted connection,
page 12.
4. Perform a full system backup.
If a full backup is not feasible, make backup copies of the websense.ini,
eimserver.ini, and config.xml files, and move them to a different location. These
files are located in the Websense bin directory (C:\Program Files\Websense\bin or
/opt/Websense/bin, by default).
5. Close all applications and stop any antivirus software.
Warning
Be sure to close the Windows Event Viewer, or the
upgrade may fail.
6. On Linux:
a. Check the etc/hosts file. If there is no host name for the machine, add one.
See the Websense Web Security and Websense Web Filter Installation Guide
for instructions.
b. Create a setup directory for the installer files, such as /root/Websense_setup.
Important
If your Websense services have been running
uninterrupted for several months, the installer may have
difficulty stopping them.
To prevent the upgrade process from timing out and
failing, stop the services manually and start them again
before beginning the upgrade. For instructions, see
Stopping or starting Websense services in the Websense
Web Security and Websense Web Filter Installation Guide.
7. Download the installer package for Websense Web Security/Web Filter and start
the installer. See the Websense Web Security and Websense Web Filter
Installation Guide for instructions.
The installer detects any Websense components from an earlier version and asks
how you want to proceed. You can upgrade the current system or exit the installer.
Note
If you want to add components, see Adding components,
page 20.
8. On the Introduction screen, click Next.
Note
These instructions refer to installer screens. In the
command-line Linux installer, prompts are displayed that
correspond to each screen. Instructions for a screen also
apply to the corresponding command-line prompt. The
main difference is how options are selected. Rather than
clicking items in a screen, you will enter menu-item
numbers or characters.
9. On the Subscription Agreement screen, choose to accept the agreement and click
Next.
If you do not accept the agreement, you cannot proceed with the upgrade.
10. On the Websense Upgrade screen, select Start the upgrade and then click Next.
Important
Be sure to close all instances of Websense Manager, on all
machines, before clicking Next.
When you click Next, a Stopping All Services progress message appears.
11. Wait for Websense services to be stopped. The Pre-Upgrade Summary screen
appears when the services have been stopped.
In some cases, the installer may be unable to stop the Websense services. If the
services have not been stopped after approximately 10 minutes, then stop them
manually. You can leave the installer running when you do so. On Windows, use
the Windows Service dialog box to stop the services. On Linux, use the
WebsenseAdmin command. See the Websense Web Security and Websense Web
Filter Installation Guide for instructions. Once you have manually stopped the
services, return to the installer.
12. On the Pre-Upgrade Summary screen, review the list of Websense components
that will be upgraded, and then click Install.
A Websense Web Security is being configured progress message appears.
Wait for the Upgrade Complete screen to appear.
13. Click Done to exit the installer.
14. Reboot the machine.
Important
The machine must be rebooted to complete the upgrade
process.
15. If you stopped your antivirus software, restart it.
16. If you have an integration product installed, check the Installation Guide
Supplement for your integration to see if further upgrade steps are needed.
17. Repeat the upgrade procedure on the each machine running Websense
components, in the recommended order (see Upgrade order, page 16).
All components that interact must be upgraded to the same version.
If you have complete installations in separate locations that do not interact, they
do not have to run the same Websense software version.
18. After all components have been upgraded, launch TRITON - Web Security
(replaces Websense Manager):
On any machine in your network, open a Web browser and enter the
following:
https://<IP address>:9443/mng
Replace <IP address> with the IP address of the TRITON - Web Security
machine.
19. After you start TRITON -Web Security, run the Upgrading User Quick Start
tutorial for an overview of the new features and changes in the current version.
20. Be sure to reset specific custom values if you are Upgrading from v7.1.1.
Adding components
To add components to a machine on which Websense components are already
installed, first upgrade the pre-existing components (see Upgrade instructions, page
16). The first time you run the Websense installer, it will upgrade the existing
components. After upgrading, run the Websense installer again on the same machine.
This time, the installer will ask if you want to add components. See the Installation
Guide for instructions on adding components.
of Policy Broker (more instances of the IP address will be found in the files being
updated).
Websense software handles IP address changes in the background for most other
components, without any interruption to filtering.
In some cases, Websense services need to be restarted or configurations updated after
changing an IP address.
Network Agent settings can be updated in TRITON - Web Security. See the
TRITON - Web Security Help for more information.
Troubleshooting
Although it is possible to launch TRITON - Web Security using some other browsers,
use the supported browsers to receive full functionality and proper display of the
application.
If you are unable to connect to TRITON - Web Security on the default port (9443),
refer to the knownports.properties file on the TRITON - Web Security machine
(located by default in the C:\Program Files\Websense\bin or /opt/Websense/bin/
directory) to verify the port. Look for APACHE_HTTPS= <value>. This is the
configured port for TRITON - Web Security.
Troubleshooting
If you are using the correct port, and are still unable to connect to TRITON - Web
Security from a remote machine, make sure that your firewall allows communication
over that port.
Troubleshooting
Troubleshooting
Index
A
Active Directory, 23
antivirus software, 17, 19
APACHE_HTTPS, 23
Audit Log
version 6.x, 12
instructions, 16
integration product, 16
intermediate upgrades, 7
Internet Explorer, 20, 23
IP addresses
changing for installed components, 20
ISA Server, 14
B
bin directory, 17
block message
custom, 9
Linux
hostname, 13
hosts file, 13
locales
matching, 15
Log Server, 16
Logon Agent, 17
DC Agent, 17
direct upgrade, 7
distributed components
upgrade order, 16
upgrading, 13
domain administrator privileges, 17
Master Database, 11
Microsoft ISA Server, 14
eimserver.ini, 17
Policy Broker, 16
Policy Server, 16
Presentation Server, 14
F
files
backups of when upgrading, 8
filtering plug-in, 14, 16
upgrading, 14
Filtering Service, 16
Firefox, 20, 23
H
hostname
Linux, 13
hosts file, 13
knownports.properties, 23
N
Network Agent, 16, 21
non-functional system, 12
R
remote control utility, 14
Remote Filtering Client, 5
S
Squid Web Proxy Cache, 14
stand-alone installation
filtering stops when upgrading, 11
T
Terminal Services, 14
27
U
upgrade order, 16
upgrading
distributed component, 13
distributed components, 16
filtering plug-in, 14
manually restarting services, 14
non-English language versions, 13
user names
disappearing after upgrade, 23
User Service, 16
UTF-8, 23
28
Websense
V
version
5.5, 7
6.3.2, 7
7.1, 7
prior to 5.5, 7
W
Websense bin directory, 17
Websense Manager, 16, 23
Websense Master Database, 11
Websense services
stopping before upgrading, 14
websense.ini, 17
Windows Desktop cache
refreshing, 24
Windows Event Viewer, 17