Prepare Web Filter & Security for upgrade

  • Off-appliance components
  • Appliance components

Off-appliance components

  1. Verify that third-party components, including your database engine and directory service, are supported with Web Filter & Security. See Requirements for web protection solutions.
  2. Back up all of your web protection components before starting the upgrade. See the Backup and Restore FAQ for your version for instructions on backing up both software-based and appliance-based components.

    On the new appliance, in the Appliance Manager perform a Full Appliance Configuration backup and save it to an off-appliance location.

  3. Before upgrading Filtering Service, make sure that the Filtering Service machine and the TRITON management server have the same locale settings (language and character set). After the upgrade is complete, Filtering Service can be restarted with any locale settings.
  4. If your product includes Web DLP features, before upgrading the management server, make sure your Web DLP components are ready for upgrade:

    1. Stop all discovery and fingerprinting tasks.
    2. Route all traffic away from the system.
    3. Ensure that your supplemental fingerprint repositories are fully synchronized with the primary repository.
    4. Make sure all settings are deployed successfully. Log onto the Data Security manager. If the Deploy button is highlighted, click it.
    5. If your organization was supplied with custom file types, change the name of the following files in the policies_store\custom_policies\config_files folder on the management server; otherwise they will be overwritten during upgrade.

      1. Change extractor.config.xml to custom_extractor.config.xml.
      2. Change extractorlinux.config.xml to custom_extractorlinux.config.xml.

        The filenames are case-sensitive.

    6. If custom policies were provided, submit a request for updated versions before proceeding.
  5. When upgrading to v8.3 or later, a new logging partition is added to your Log Database. Please make sure you do not have 70 active partitions (the limit) prior to upgrading. Use the Web > Settings > Reporting > Log Database page of the TRITON Manager to disable at least one active partition prior to upgrading.
  6. Back up your current Log Database and stop Log Server.
    Warning:

    If database operations are active during upgrade, the Log Database may be rendered unusable.

    When this occurs, it can be difficult to fix.

    Make sure to stop Log Server and the database jobs, as described below, before upgrading the database.

    1. Back up your reporting databases.

      Refer to Microsoft documentation for instructions. The databases are named wslogdb70 (the catalog database), wslogdb70_n (standard logging partition databases), and wslogdb70_amt_1 (threats partition database).

    2. On the Log Server machine, use the Windows Services tool to stop Websense Log Server.
  7. It is best to stop all Log Database jobs prior to starting the upgrade, but, before it upgrades the Log Database, the upgrade process will attempt to stop any Log Database jobs not already stopped. If the jobs cannot be stopped, you will need to stop them manually. However, you do not need to exit the installer to do that.

    Stop the Log Database jobs using these steps:

    1. If you have a full version of Microsoft SQL Server (not Express), stop all database jobs as follows. (See below for steps to stop SQL Express jobs.)

      1. Log in to the Microsoft SQL Server Management Studio and expand SQL Server Agent > Jobs (in Object Explorer).
      2. To disable all currently active SQL Server Agent jobs, right-click each of the following jobs and select Disable:
        Websense_ETL_Job_wslogdb70
Websense_AMT_ETL_wslogdb70
Websense_IBT_DRIVER_wslogdb70
Websense_Trend_DRIVER_wslogdb70
Websense_Maintenance_Job_wslogdb70

        Disabling the jobs prevents them from executing at the next scheduled time, but does not stop them if a job is in process.

        Make sure all jobs have completed any current operation before proceeding with upgrade.

      3. After upgrade, verify that the jobs have been enabled. Enable any that were not automatically enabled by the upgrade process. Normal database operations will then resume.

    2. If you have SQL Server Express, stop all database jobs as follows:

      1. Log in to the Microsoft SQL Server Management Studio.
      2. Expand the Databases tree to locate the catalog database (wslogdb70, by default), then expand the catalog database node.
      3. Expand Service Broker > Queues.
      4. Right click dbo.wse_scheduled_job_queue and select Disable Queue.
      5. The upgrade process will re-enable the job queue. After upgrade, verify that the Queue has been enabled.

        Enable it, if necessary, by repeating the process, this time ultimately selecting Enable Queue to resume normal database operations.

      When Log Server is upgraded, the upgrade process first checks the Log Database version and updates the database, if necessary. If you have multiple Log Servers, the database update occurs with the first Log Server upgrade. The database update, including the need to stop the database jobs, is not repeated when additional Log Server instances are upgraded.

  8. If Log Server uses a Windows trusted connection to access the Log Database, be sure to log on to the Log Server machine using the trusted account to perform the upgrade. To find out which account is used by Log Server:

    1. Launch the Windows Services tool.
    2. Scroll down to find Websense Log Server, then check the Log On As column to find the account to use.
      Important: As a result of a change made to avoid a potential vulnerability when a presentation report is included as a link in an email, report links in emails that exist prior to upgrading to v8.3 or later will no longer work.

Content Gateway (TRITON AP-WEB only)

Before upgrading Content Gateway, be aware of the following:

  • Most SSL configuration settings are saved and applied to the upgraded Content Gateway, except for dynamic certificates. Note that:

    • The Incident list is retained. Before upgrading, consider performing maintenance on the Incident list; remove unwanted entries.
    • SSLv2 is not enabled by default. If it is enabled prior to upgrade, the setting is retained.
  • For user authentication, there is one credential cache for both explicit and transparent proxy mode, and one Global Authentication Options page for setting the caching method and Time-To-Live.

    During upgrade, the Cache TTL value is retained from the Transparent Proxy Authentication tab unless the value on the Global Authentication Options tab is not the default. In this case, the customized value is used.

  • If you use Integrated Windows Authentication (IWA), be aware that IWA domain joins should be preserved through the upgrade process. However, in case the joins are dropped, make a record of the settings before starting the upgrade. Log on to the Content Gateway manager and record the IWA settings, including the names of domains to which IWA is joined. Keep this record where it is easily retrieved after the upgrade.

Appliance components

Configure and test access to the appliance command-line interface (CLI)

At the end of the upgrade procedure you will need to log on to the upgraded, v8.5 appliance CLI and perform a small number of tasks.

The v8.5 appliance CLI is accessed in the same way as the existing V-Series CLI. If you haven’t used the V-Series CLI, or haven’t accessed it recently, test your access now and perform any necessary configuration.

SSH access

All V-Series appliances can connect to the CLI with a terminal emulator and SSH. The client machine must be in a network that has a route to the appliance and SSH access must be enabled on the dual-mode appliance in the Appliance Manager.

In the Appliance Manager, check the SSH access setting and, if necessary, enable SSH access.

  1. Log on to the Appliance Manager and go to the Administration > Toolbox page.
  2. In the Appliance Command Line section, enable SSH remote access.

Test SSH access

  1. On a Windows system connect with PuTTY, or similar. On a Mac system connect with Terminal.
  2. Connect to the appliance management interface (C) IP address on port 22.
  3. Log on with the admin credentials.

iDRAC access

Most V-Series models supported by v8.3 have an integrated DELL Remote Access Controller (iDRAC). If you have never worked with the iDRAC, see Using the iDRAC in Forcepoint Appliances Getting Started.

To access the CLI, log on to the iDRAC and go to Overview > Server. In the upper right Virtual Console Preview area, click Launch.

VGA and USB direct connect

Connect a monitor and keyboard directly to the appliance.

Serial port direct connect

Configure a serial connection to a monitor and keyboard. The connection should be set to:
  • 9600 baud rate
  • 8 data bits
  • no parity

Appliance customizations

Important: Customizations are not retained through the upgrade process.

Before upgrading, inventory all customizations and make a plan for restoring any that are required.

Customizations can include:

  • Custom patches
  • Hand updated files
  • Extra packages added by hand
  • Extra files added, binary or configuration

Post-upgrade, Forcepoint Technical Support may be able to help restore some files from your pre-upgrade file system.

SNMP settings

Warning:

Upgrade to v8.3 or later does not preserve SNMP settings.

A fix is in development. Please check the Forcepoint Knowledge Base or contact Technical Support to see if a hotfix is available.

Before upgrading, document your existing SNMP settings for reapplication after upgrade.

Content Gateway logs

If the appliance hosts TRITON AP-WEB (Web Security Gateway / Anywhere), during the upgrade, depending on their size, older Content Gateway logs may be automatically removed to make room for the new version.

To ensure that the current Content Gateway log is retained (content_gateway.out), download it to a location off of the appliance.

  1. In the Appliance Manager, go to Administration > Logs.
  2. Select the Content Gateway module and then Download entire log file.
  3. Click Submit and specify a location to save the file.

Content Gateway Integrated Windows Authentication (IWA) settings

IWA domain joins should be preserved through the upgrade process. However, in case there is an error and IWA domain joins are dropped, make a record of the settings before starting the upgrade. Log on to Content Gateway and record the IWA settings.