Upgrade steps for Windows

Important:

The new Forcepoint F1E cannot be downgraded to the older, conventional version.

If you update to Forcepoint Web Security Endpoint v20.12 and need to downgrade to an earlier version, you must manually remove the new Forcepoint Web Security Endpoint version before you install the older, conventional version.

Option 1: Auto-update

You can auto-update in the following scenarios:
  • Forcepoint Web Security Proxy Connect Endpoint to Forcepoint Web Security Proxy Connect Endpoint
  • Forcepoint Web Security Direct Connect Endpoint to Forcepoint Web Security Direct Connect Endpoint
To auto-update:
  1. Log on to the Web module of the Forcepoint Security Manager.
  2. Go to Settings > Hybrid Configuration > Hybrid User Identification.
  3. Select Automatically update endpoint installations when a new version is released if you want to ensure that your endpoint machines have the latest version when it is available from the hybrid service.
  4. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

The setting is disabled by default, as most organizations like to control the software on the endpoint machines themselves and test newer versions before deploying them. You may want to enable the option after you have tested the new Forcepoint Web Security Endpoint software so all users (including roaming users) get the latest software installed. After they have all updated the software, you can disable updates again.

While a Forcepoint Web Security Endpoint software update is taking place (which can take several minutes), end users are unable to browse and are shown a web page stating that the software is updating. This page retries the requested web page every 10 seconds until the software finishes updating. After the update is done, the browser shows the requested page if the user is allowed to access the URL, or a block page if access is not allowed.

Note:
  • The wepsvc service must be running on the endpoint machine for auto-update to run properly.
  • You cannot use the auto-update feature in the Web module of the Forcepoint Security Manager to automate updates for a mixed deployment.
  • You cannot use auto-update to upgrade from Forcepoint Proxy Connect Endpoint to Forcepoint Direct Connect Endpoint, or from Forcepoint Web Security Direct Connect Endpoint to Forcepoint Web Security Proxy Connect Endpoint. You must uninstall the installed version before installing the new version.

Option 2: Create a new endpoint installation package using the Forcepoint Endpoint package builder

Note: If you are installing Forcepoint Web Security Endpoint v20.12 with the new Neo endpoint agent, install Forcepoint Web Security Endpoint before you install Neo.
  1. Download the latest package builder from the Forcepoint Support site:
    1. Log on to the Forcepoint Downloads page.
    2. Go to Forcepoint One Endpoint, select a version, and then download and launch the package builder.
  2. On the Select Endpoint Components screen, select Forcepoint Web Security Endpoint.
  3. Under Forcepoint Web Security Endpoint, select Direct Connect Endpoint or Proxy Connect Endpoint.
  4. Choose Windows 32-bit or Windows 64-bit when prompted.
  5. Deploy the v20.12 package to each endpoint machine using GPO, SMS, or a similar deployment method.

    For more information about deploying Forcepoint Web Security Endpoint, see the Installation and Deployment Guide for Forcepoint F1E.

    You do not need to uninstall the earlier version of Forcepoint Web Security Endpoint before installing v20.12 if you are upgrading from Forcepoint Web Security Endpoint v8.4.x or later. Versions lower than v8.4 must be upgraded to at least v8.4 or uninstalled before this version is installed.

    Important: If you deploy Forcepoint F1E using GPO, do not restrict access to the command prompt. The "Disable the command prompt script processing also?" option should be set to No.
  6. Restart the endpoint machine after installation is complete.
    Note: Forcepoint Web Security Direct Connect Endpoint end users must join your organization’s domain on the endpoint machine. If the end user has not joined and connected to your domain, the disposition server test fails.
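
The prerequisites named in both options above (wepsvc running, command prompt not restricted by policy, domain membership, v8.4 or later for an in-place upgrade) can be checked on an endpoint before rollout. The PowerShell below is an added example, not Forcepoint tooling: the function names are hypothetical, the installed version is passed in by the caller, and DisableCMD is the registry value Windows writes for the "Prevent access to the command prompt" user policy.

```powershell
# Added example: pre-flight checks for the prerequisites listed on this page.
# Function names and the report layout are illustrative, not Forcepoint tooling.

function Test-InPlaceUpgrade {
    # The caller supplies the installed version (for example '8.5.3'); this page
    # does not say where the endpoint records its version, so none is read here.
    param([Parameter(Mandatory)][string]$InstalledVersion)
    return ([version]$InstalledVersion -ge [version]'8.4')
}

function Get-EndpointUpgradeReadiness {
    param([string]$InstalledVersion)
    $results = [ordered]@{}

    # Auto-update requires the wepsvc service to be running on the endpoint.
    $svc = Get-Service -Name 'wepsvc' -ErrorAction SilentlyContinue
    $results['wepsvc running'] = [bool]($svc -and $svc.Status -eq 'Running')

    # DisableCMD, evaluated for the user running this script:
    #   absent or 0 = command prompt not restricted
    #   1 = restricted, script processing also disabled
    #   2 = restricted, script processing still allowed
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $cmd = (Get-ItemProperty -Path $key -Name 'DisableCMD' -ErrorAction SilentlyContinue).DisableCMD
    $results['command prompt not restricted'] = (-not $cmd)
    $results['script processing allowed'] = ($cmd -ne 1)

    # Direct Connect Endpoint users must be on a domain-joined machine.
    $results['domain joined'] = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    if ($InstalledVersion) {
        $results['in-place upgrade supported (>= v8.4)'] = Test-InPlaceUpgrade $InstalledVersion
    }
    return $results
}

# '8.5.3' is a constructed sample version, not a value from this page.
$report = Get-EndpointUpgradeReadiness -InstalledVersion '8.5.3'
$report.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Run it in the context of the account that the GPO, SMS, or similar deployment uses, since the command prompt policy is applied per user.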