Installing via the Forcepoint Web Security or Forcepoint URL Filtering All option
- Forcepoint Web Security, v8.5.x
- Forcepoint URL Filtering, v8.5.x
- Download or copy the Forcepoint Security Installer (the Windows installer) to this machine. The installer is available from the My Account page at forcepoint.com, and the installer file is Forcepoint85xSetup.exe.
- Double-click the installer file to launch the Setup program. A progress dialog box appears, as files are extracted. Once files have been extracted, there may be a pause of several seconds before the Welcome screen is displayed.
- On the Welcome screen, click Start.
  The Installer Dashboard remains on screen throughout the installation process.
- On the Subscription Agreement screen, select I accept this agreement and then click Next.
- On the Installation Type screen, select Forcepoint Web Security or Forcepoint URL Filtering All.
  On the second Installation Type screen, select Use the SQL Server database installed on another machine.
- On the Summary screen, click Next to continue the installation.
- Forcepoint Management Infrastructure Setup launches. On the Forcepoint Management Infrastructure Setup Welcome screen, click Next.
- On the Installation Directory screen, specify the location where you want Forcepoint Management Infrastructure to be installed and then click Next.
  - To accept the default location (recommended), simply click Next.
  - To specify a different location, click Browse.
  Important: The full installation path must use only ASCII characters. Do not use extended ASCII or double-byte characters.
- On the SQL Server screen, specify the location and connection credentials for a database server located elsewhere in the network.
  - Enter the Hostname or IP address of the SQL Server machine, including the instance name, if any, and the Port to use for SQL Server communication.
    If you are using a named instance, the instance must already exist.
    If you are using SQL Server clustering, enter the virtual IP address of the cluster.
  - Specify whether to use SQL Server Authentication (a SQL Server account) or Windows Authentication (a Windows trusted connection), then provide the User Name or Account and its Password.
    If you use a trusted account, an additional configuration step is required after installation to ensure that reporting data can be displayed in the Forcepoint Security Manager. See Configuring Apache services to use a trusted connection.
  - Click Next. The installer verifies the connection to the database engine. If the connection test is successful, the next installer screen appears.
    If the test is unsuccessful, the following message appears:
    Unable to connect to SQL
    Make sure the SQL Server you specified is currently running. If it is running, verify the access credentials you supplied
    Click OK to dismiss the message, verify the information you entered, and click Next to try again.
- On the Server and Credentials screen, select the IP address of this machine and specify network credentials to be used by Forcepoint Security Manager.
  - Select an IP address for this machine. If this machine has a single network interface card (NIC), only one address is listed.
    Administrators will use this address to access the Security Manager (via a web browser), and components on other machines will use the address to connect to the management server.
  - Specify the Server or domain of the user account to be used by Forcepoint Management Infrastructure and Forcepoint Security Manager. The name cannot exceed 15 characters.
  - Specify the User name of the account to be used by Security Manager.
  - Enter the Password for the specified account.
- On the Administrator Account screen, enter an email address and password for the default Security Manager administration account: admin. When you are finished, click Next.
  System notification and password reset information is sent to the email address specified (once SMTP configuration is done; see next step).
  It is a best practice to use a strong password as described on screen.
- On the Email Settings screen, enter information about the SMTP server to be used for system notifications and then click Next.
  You can also configure these settings after installation in the Security Manager.
  Important: If you do not configure an SMTP server now and you lose the admin account password (set on previous screen) before the setup is done in the Security Manager, the “Forgot my password” link on the logon page does not provide password recovery information. SMTP server configuration must be completed before password recovery email can be sent.
  - IP address or hostname: IP address or host name of the SMTP server through which email alerts should be sent. In most cases, the default Port (25) should be used. If the specified SMTP server is configured to use a different port, enter it here.
  - Sender email address: Originator email address appearing in notification email.
  - Sender name: Optional descriptive name that can appear in notification email. This can help recipients identify this as a notification email from the Security Manager.
- On the Pre-Installation Summary screen, verify the information and then click Next to begin the installation.
- The Installation screen appears, showing installation progress. Wait until all files have been installed.
  If an “Error 1920” message appears, check to see if port 9443 is already in use on this machine. If port 9443 is in use, release it and then click Retry to continue installation.
- On the Installation Complete screen, click Finish.
You are returned to the Installer Dashboard and, after a few seconds, the web protection component installer launches.
- If the Multiple Network Interfaces screen appears, select the NIC to use for inter-component communication, then click Next.
- On the Policy Broker Replication screen, indicate which Policy Broker mode to use. If you aren’t sure, see Managing Policy Broker Replication for assistance.
- On the Active Directory screen, specify whether your network uses Windows Active Directory, then click Next.
- If you are using Active Directory, the Computer Browser screen may appear. Click Next to have the installer attempt to start the service.
  If the installer is unable to start the service, you must start it after installation.
- On the Integration Option screen, indicate how Filtering Service will be configured to receive Internet requests for policy enforcement, then click Next.
  - Install Web Security to connect to Content Gateway: Content Gateway is responsible for monitoring Internet requests, forwarding them to Filtering Service, and performing real-time analysis.
  - Install Forcepoint Web Security or Forcepoint URL Filtering in standalone mode (no real-time analysis): Network Agent is responsible for monitoring Internet requests and forwarding them to Filtering Service for evaluation. Network Agent also sends block messages.
  - Install Forcepoint URL Filtering to integrate with a third-party product or device: A third-party firewall, proxy server, cache, or network appliance (integration product) is responsible for monitoring Internet requests and sending them to Filtering Service for evaluation. You will select your integration product on the next screen.
  If you aren’t sure what to select, see Understanding standalone and integrated modes for web protection solutions.
- If you selected “Integrated with another application or device” in the previous step, on the Select Integration screen, select the product you want to integrate with, then click Next.
- On the Network Card Selection screen, select the network interface card (NIC) that Network Agent should use to monitor Internet activity, then click Next.
  For more information, see Deployment guidelines for Network Agent.
- If the machine does not include a supported version of the Microsoft SQL Server Native Client and related tools, you are prompted to install the required components.
  Depending on your current configuration, the Native Client installer may run silently in the background, or prompt you for input.
  - When the Native Client installer runs in the background, you will know the process is complete when the Forcepoint installer continues to the next screen. This may take a few minutes.
  - When the Native Client installer runs in the foreground, follow the prompts to complete the installation. Note that if you are prompted to reboot the machine, do not reboot at this point. Instead, complete the Forcepoint software installation first, then reboot.
- On the Log Database Location screen, specify a location (directory path) for your reporting database, then click Next.
- On the Optimize Log Database Size screen, select options for optimizing the size of log database records, then click Next.
  - When Log web page visits is selected (default), one record (or a few records) is created with combined hits and bandwidth data for each website requested, rather than a record for each separate file included in the request. This results in fewer records and therefore smaller databases, allowing for potentially faster report generation and longer storage capacities.
  - When Consolidate requests is selected, Internet requests that share the same value for domain name, category, keyword, action (like permit or block) and user/IP address, within a certain interval of time (1 minute, by default), are combined.
- On the Feedback screen, choose whether to send categorization feedback to Forcepoint, then click Next.
- On the Web Security Hybrid Module Components screen, indicate whether to install Sync Service and Directory Agent, then click Next. These services are only used if you have purchased the Web Security Hybrid Module for Forcepoint Web Security.
- On the Transparent User Identification screen, select whether to use transparent identification agents to identify users and then click Next.
  - Select Use DC Agent to identify users logging on to Windows domains to install DC Agent on this machine. DC Agent polls domain controllers and retrieves information about user logon sessions, and can also poll user machines directly to verify the logged-on user.
  - Select Use Logon Agent to identify users logging on to local machines to install Logon Agent on this machine. Logon Agent provides the highest level of user identification accuracy by identifying users as they log on to Windows domains.
    Logon Agent works with a logon application that runs via logon script on client machines. For instructions on configuring domain controllers and client machines to use Logon Agent, see the Using Logon Agent for Transparent User Identification technical paper.
    Note: Do not use Logon Agent in a network that already includes eDirectory Agent.
  - Select Use both DC Agent and Logon Agent to use both of the agents that work with Windows Active Directory. When both agents are installed, DC Agent information is used as a backup in the unlikely event that Logon Agent is unable to identify a user.
  - Select Use eDirectory Agent to identify users logging on via Novell eDirectory Server to install eDirectory Agent on this machine. eDirectory Agent queries the Novell eDirectory Server at preset intervals to identify users currently logged on.
    Note: Do not use eDirectory Agent in a network that already includes DC Agent or Logon Agent.
  - Select Do not install a transparent identification agent now if:
    - (Forcepoint Web Security) Content Gateway provides user authentication.
    - (Forcepoint URL Filtering) A third-party integration product (firewall, proxy server, cache, or network appliance) provides user authentication.
      Note: When Forcepoint URL Filtering is integrated with Cisco products, Cisco Secure Access Control Server (ACS) cannot be used for user authentication for more than 1 user domain. If there are multiple user domains, use a transparent identification agent instead.
    - You plan to run the transparent identification agent on one or more other machines.
    - You do not want different policies applied to users or groups.
    - You want all users to be prompted for logon information when they open a browser to access the Internet.
- On the Directory Service Access screen, supply a local and domain administrator account with directory service access permissions.
- On the RADIUS Agent screen, select Install RADIUS Agent if you have remote users that are authenticated by a RADIUS server and then click Next. This allows user- or group-based policies to be enforced for remote users without prompting for logon information.
- On the Pre-Installation Summary screen, verify the information shown.
  The summary shows the installation path and size, and the components to be installed.
- Click Next to start the installation. An Installing progress screen is displayed. Wait for the installation to complete.
- On the Installation Complete screen, click Done.
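
The prerequisites this procedure names (ASCII-only installation path, a server or domain name of at most 15 characters, port 9443 free, SQL Server reachable) can be checked on the management server before the installer is launched. The PowerShell script below is an added example, not Forcepoint code; every parameter default is a placeholder, and 1433 is SQL Server's default port, assumed here.

```powershell
# Added pre-flight example; not part of the Forcepoint installer.
# All parameter defaults are placeholders: pass your own values.
param(
    [string]$InstallPath    = 'C:\ExamplePath\Forcepoint',
    [string]$ServerOrDomain = 'EXAMPLEDOMAIN',
    [string]$SqlServer      = 'sqlhost.example.internal\INSTANCE',  # host[\instance]
    [int]$SqlPort           = 1433,  # SQL Server default (assumption); use your instance's port
    [int]$ManagerPort       = 9443   # port named in the "Error 1920" step
)

function New-Result($Check, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }
}

$results = @()

# Installation Directory screen: the full path must contain ASCII characters only.
$bad = @([regex]::Matches($InstallPath, '[^\x00-\x7F]') | ForEach-Object { $_.Value })
$results += New-Result 'Install path is ASCII-only' ($bad.Count -eq 0) ($bad -join ' ')

# Server and Credentials screen: the server or domain name cannot exceed 15 characters.
$results += New-Result 'Server/domain name <= 15 chars' ($ServerOrDomain.Length -le 15) `
    "$($ServerOrDomain.Length) characters"

# "Error 1920": another process is already listening on the management port.
$listeners = @(Get-NetTCPConnection -LocalPort $ManagerPort -State Listen -ErrorAction SilentlyContinue)
$owners = $listeners |
    ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } |
    Sort-Object -Unique
$results += New-Result "Port $ManagerPort is free" ($listeners.Count -eq 0) ($owners -join ', ')

# SQL Server screen: TCP reachability only; the installer itself tests the credentials.
$sqlHost = ($SqlServer -split '\\')[0]   # drop the instance name for the network test
$tcp = Test-NetConnection -ComputerName $sqlHost -Port $SqlPort -WarningAction SilentlyContinue
$results += New-Result "SQL Server ${sqlHost}:$SqlPort reachable" $tcp.TcpTestSucceeded `
    "resolved to $($tcp.RemoteAddress)"

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

A failed port check lists the process that holds 9443 in the Detail column, which is the process to stop before clicking Retry.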