Preparing for installation
Applies to: | In this topic |
---|---|
|
|
- Forcepoint DLP v10.1 and later is supported with Forcepoint Web and Email Security v8.5.5.
- Forcepoint DLP v10.0 and later is supported with Forcepoint Web and Email Security v8.5.5.
- Forcepoint DLP v9.0 and later is supported with Forcepoint Web and Email Security v8.5.5.
- Forcepoint DLP v8.7.1 and later is supported with Forcepoint Web and Email Security v8.5.4.
- Forcepoint DLP v8.6 and v8.7 are supported with Forcepoint Web and Email Security v8.5.3.
- Forcepoint DLP v8.5.1 is supported with Forcepoint Web and Email Security v8.5.0.
- Forcepoint DLP v8.5.0 and v8.5.2 are stand-alone versions of that product and cannot be integrated with other Forcepoint products.
All Forcepoint security solutions
Before installing any on-premises Forcepoint security solution, make sure that you have completed all of the preparations noted below:
Windows-specific considerations
- Make sure all Microsoft updates have been applied. There should be no pending updates, especially any requiring a restart of the system.
- In addition to the space required by the installer itself, roughly 2 GB of disk space is required on the Windows installation drive (typically C) to accommodate temporary files extracted as part of the installation process. For information on disk space requirements, see Hardware requirements
- The Forcepoint Security Installer requires .NET Framework v3.5 and v4.5-4.8.
- For Windows server 2008 R2 SP1, you can add .NET 3.5 from Server Manager\Features. Usually, this feature is On by default. You must download .NET 4.5 from the Microsoft site https://docs.microsoft.com/en-us/dotnet/framework/install/guide-for-developers?redirectedfrom=MSDN
- For Windows Server 2012/2012 R2, you can add both .NET 3.5 and .NET 4.5 from Server Manager\Features. Usually, v3.5 is Off by default and v4.5 is On by default. Turn them both on.
Getting the software installers
The Forcepoint Security Installer is used to install or upgrade the Forcepoint management server, web and data protection solutions, email protection management and reporting components, and, with some builds, SQL Server Express, on supported Windows servers.
There are separate installers for installing web protection components on supported Linux servers.
Download the Windows and Linux installers from the My Account section of forcepoint.com.
- The (Windows-only) Forcepoint Security Installer executable is named Forcepoint8xxSetup.exe. Find the version you are installing (v8.5.x, v8.6, v8.7.x, v8.8.x,
v8.9.x, v9.0, v10.0 or v10.1) and double-click it to start the installation process.
If you have previously run the installer on a machine, and you selected the Keep installation files option, you can restart the installer without extracting all of the files a second time.
- In the Start menu, open the Forcepoint folder and select Forcepoint Security Setup (Windows Server 2016 and 2008 R2 SP1).
- Forcepoint DLP does not support Server 2008 R2.
- On the Start screen, click the Forcepoint Security Setup icon (Windows Server 2016 and 2012).
The files occupy approximately 5 GB of disk space.
- In the Start menu, open the Forcepoint folder and select Forcepoint Security Setup (Windows Server 2016 and 2008 R2 SP1).
- The web protection Linux installer is Web85xSetup_Lnx.tar.gz.
- The Content Gateway Linux installer is ContentGateway85xSetup_Lnx.tar.gz.
Local Admin privileges
Synchronizing clocks
If you are distributing components across different machines in your network, synchronize the clocks on all machines where a Forcepoint component is installed. It is a good practice to point the machines to the same Network Time Protocol server.
Antivirus
Disable any antivirus on the machine prior to installing Forcepoint components. Be sure to re-enable antivirus after installation. Certain files should be excluded from antivirus scans to avoid performance issues; see Excluding Forcepoint files from antivirus scans.
No underscores in FQDN
Do not install Forcepoint components on a machine whose fully-qualified domain name (FQDN) contains an underscore. The use of an underscore character in an FQDN is inconsistent with Internet Engineering Task Force (IETF) standards.
Disable UAC and DEP
Before beginning the installation process, disable User Account Control (UAC) and Data Execution Prevention (DEP) settings, and make sure that no Software Restriction Policies will block the installation. The UAC settings can be re-enabled following installation.
Forcepoint Security Manager
- Do not install the Security Manager on a domain controller machine.
- If you want to run Microsoft SQL Server on the Forcepoint management server, use SQL Server Express.
If you are using a remote installation of SQL Server, you can use any of the supported versions (see System requirements for this version.
SQL Server Express
The following third-party components are required to install Microsoft SQL Server Express. Although some versions of the Forcepoint Security Installer will install these components automatically if they are not found, it is a best practice to install the components first, before running the Forcepoint Security Installer.
- .NET Framework 4.6
Because the installer also requires .NET 4.5, both .NET 4.6 are required if you are installing SQL Server Express.
- Windows Installer 4.5
- Windows PowerShell 1.0
PowerShell is available from Microsoft (www.microsoft.com).
If you will use SQL Server to store and maintain data for your web protection solutions, log in to the machine as a domain user to run the Forcepoint Security Installer. This ensures that Service Broker, installed as part of SQL Server, can authenticate itself against a domain (required).
Web protection components
In addition to the general preparation actions (above), Forcepoint Web Security and Forcepoint URL Filtering components have the following additional requirements.
Filtering Service Internet access
To download the Master Database and enable policy enforcement, each machine running Filtering Service must be able to access the download server at download.forcepoint.com.
Make sure that these addresses are permitted by all firewalls, proxy servers, routers, or host files that control the URLs that Filtering Service can access.
Firewall
Disable any firewall on the machine prior to installation. Be sure to disable it before starting the installer, and then re-enable it after installation. Open ports as required by the components you have installed.
See Default ports for on-premises Forcepoint security solutions, for more port-related information.
Computer Browser Service
To run User Service or DC Agent on a supported Windows server, the Computer Browser Service must be running.
- On most machines, the service is disabled by default.
- If the service is stopped, the installer will attempt to enable and start it. If this fails, the component installs and starts, but users are not identified until you enable and start the Computer Browser service.
Network Agent
If you are installing Network Agent, ensure that the Network Agent machine is positioned to be able to monitor and respond to client Internet requests.
In standalone installations (which do not include Content Gateway or a third-party integration product), if you install Network Agent on a machine that cannot monitor client requests, basic policy enforcement and features such as protocol management and Bandwidth Optimizer cannot work properly.
The network interface card (NIC) that you designate for use by Network Agent during installation must support promiscuous mode. Promiscuous mode allows a NIC to listen to IP addresses other than its own. If the NIC supports promiscuous mode, it is set to that mode during installation. Contact your network administrator or the manufacturer of your NIC to see if the card supports promiscuous mode.
On Linux, do not choose a NIC without an IP address (stealth mode) for Network Agent communications.
Network Agent using multiple NICs on Linux
If Network Agent is installed on a Linux machine, using one network interface card (NIC) for blocking and another NIC for monitoring, make sure that either:
- The blocking NIC and monitoring NIC have IP addresses in different network segments (subnets).
- You delete the routing table entry for the monitoring NIC.
If both the blocking and monitoring NIC on a Linux machine are assigned to the same subnet, the Linux operating system may attempt to send the block via the monitoring NIC. If this happens, the requested page or protocol is not blocked, and the user is able to access the site.
Installing on Linux
Most web protection components can be installed on Linux. If you are installing on Linux complete the instructions below.
SELinux
Before installing, if SELinux is enabled, disable it or set it to permissive.
Linux firewall
If web protection software is being installed on a Linux machine on which a firewall is active, shut down the firewall before running the installation.
- Open a command prompt.
- Enter
service iptables status
to determine if the firewall is running. - If the firewall is running, enter
service iptables stop
. - After installation, restart the firewall. In the firewall, be sure to open the ports used by components installed on this machine. See Default ports for on-premises Forcepoint security solutions.
Hostname
If, during the installation, you receive an error regarding the /etc/hosts file, use the following information to correct the problem.
hostname -f
command.) To configure hostname:- Set the hostname:
hostname <host>
Here, <host> is the name you are assigning this machine.
- Also update the HOSTNAME entry in the /etc/sysconfig/network file:
HOSTNAME=<host>
- In the /etc/hosts file, specify the IP address to associate with the hostname. This should be static, and not served by DHCP. Do not delete the second line
in the file, the one that begins with 127.0.0.1 (the IPv4 loopback address). And do not delete the third line in the file, the one that begins ::1 (the IPv6 loopback address).
Also, do not add the hostname to the second or third line.
<IP address> <FQDN> <host> 127.0.0.1 localhost.localdomain localhost ::1 localhost6.localdomain6 localhost6
Here, <FQDN> is the fully-qualified domain name of this machine (i.e., <host>.<subdomains>.<top-level domain>)—for example, myhost.example.com—and <host> is the name assigned to the machine.
Important: The hostname entry you create in the hosts file must be the first entry in the file.
TCP/IP only
Web protection software supports only TCP/IP-based networks. If your network uses both TCP/IP- and non-IP-based network protocols, only user requests in the TCP/IP portion of the network are managed.
Forcepoint DLP
See below for information about preparing to install Forcepoint DLP components.
Do not install Forcepoint DLP server on a domain controller
Do not install Forcepoint DLP server on a domain controller (DC) machine.
Domain considerations
The servers running Forcepoint DLP can be set as part of a domain or as a separate workgroup. If you have multiple servers or want to perform run commands on file servers in response to discovery, we recommend you make the server or servers part of a domain.
However, strict GPOs may interfere and affect system performance, and even cause the system to halt. Hence, when putting Forcepoint DLP servers into a domain, it is advised to make them part of organizational units that do not enforce strict GPOs.
Also, certain real-time antivirus scanning can downgrade system efficiency, but that can be relieved by excluding some directories from that scanning (see Excluding Forcepoint files from antivirus scans). Please contact Forcepoint Technical Support for more information on enhancing performance.