Preparing for installation

Applies to:	In this topic
Forcepoint Web Security and Forcepoint URL Filtering, v8.5.x Forcepoint DLP, v8.5.x, v8.6.x, v8.7.x, v8.8.x, v8.9.x, v9.0, v10.0 Forcepoint Email Security, v8.5.x Forcepoint appliances, v8.5.x	All Forcepoint security solutions Forcepoint Security Manager Web protection components Forcepoint DLP requirements

Note:

Forcepoint DLP v10.0 and later is supported with Forcepoint Web and Email Security v8.5.5.
Forcepoint DLP v9.0 and later is supported with Forcepoint Web and Email Security v8.5.5.
Forcepoint DLP v8.7.1 and later is supported with Forcepoint Web and Email Security v8.5.4.
Forcepoint DLP v8.6 and v8.7 are supported with Forcepoint Web and Email Security v8.5.3.
Forcepoint DLP v8.5.1 is supported with Forcepoint Web and Email Security v8.5.0.
Forcepoint DLP v8.5.0 and v8.5.2 are stand-alone versions of that product and cannot be integrated with other Forcepoint products.

All Forcepoint security solutions

Before installing any on-premises Forcepoint security solution, make sure that you have completed all of the preparations noted below:

Windows-specific considerations

Make sure all Microsoft updates have been applied. There should be no pending updates, especially any requiring a restart of the system.
In addition to the space required by the installer itself, roughly 2 GB of disk space is required on the Windows installation drive (typically C) to accommodate temporary files extracted as part of the installation process. For information on disk space requirements, see Hardware requirements
The Forcepoint Security Installer requires .NET Framework v3.5 and v4.5-4.8.
- For Windows server 2008 R2 SP1, you can add .NET 3.5 from Server Manager\Features. Usually, this feature is On by default. You must download .NET 4.5 from the Microsoft site https://docs.microsoft.com/en-us/dotnet/framework/install/guide-for-developers?redirectedfrom=MSDN
- For Windows Server 2012/2012 R2, you can add both .NET 3.5 and .NET 4.5 from Server Manager\Features. Usually, v3.5 is Off by default and v4.5 is On by default. Turn them both on.

Getting the software installers

The Forcepoint Security Installer is used to install or upgrade the Forcepoint management server, web and data protection solutions, email protection management and reporting components, and, with some builds, SQL Server Express, on supported Windows servers.

There are separate installers for installing web protection components on supported Linux servers.

Download the Windows and Linux installers from the My Account section of forcepoint.com.

The (Windows-only) Forcepoint Security Installer executable is named Forcepoint8xxSetup.exe. Find the version you are installing (v8.5.x, v8.6, v8.7.x, v8.8.x, v8.9.x or v9.0) and double-click it to start the installation process.
If you have previously run the installer on a machine, and you selected the Keep installation files option, you can restart the installer without extracting all of the files a second time.
- In the Start menu, open the Forcepoint folder and select Forcepoint Security Setup (Windows Server 2016 and 2008 R2 SP1).
  - Forcepoint DLP does not support Server 2008 R2.
- On the Start screen, click the Forcepoint Security Setup icon (Windows Server 2016 and 2012).
  The files occupy approximately 5 GB of disk space.

The web protection Linux installer is Web85xSetup_Lnx.tar.gz.
The Content Gateway Linux installer is ContentGateway85xSetup_Lnx.tar.gz.

Local Admin privileges

Forcepoint components are typically distributed across multiple machines. Additionally, some components access network directory services or database servers. To perform the installation, it is a best practice to log in to the machine as a user with local admin privileges. Otherwise, components may not be able to properly access remote components or services.

Important: If you plan to install SQL Server Express and will use it to store and maintain data for your web protection solution, log in as a domain user to run the Forcepoint Security Installer.

Synchronizing clocks

If you are distributing components across different machines in your network, synchronize the clocks on all machines where a Forcepoint component is installed. It is a good practice to point the machines to the same Network Time Protocol server.

Note: If you are installing components that will work with a Forcepoint appliance, you must synchronize the machine’s system time to the appliance’s system time.

Antivirus

Disable any antivirus on the machine prior to installing Forcepoint components. Be sure to re-enable antivirus after installation. Certain files should be excluded from antivirus scans to avoid performance issues; see Excluding Forcepoint files from antivirus scans.

No underscores in FQDN

Do not install Forcepoint components on a machine whose fully-qualified domain name (FQDN) contains an underscore. The use of an underscore character in an FQDN is inconsistent with Internet Engineering Task Force (IETF) standards.

Note: Further details of this limitation can be found in the IETF specifications RFC-952 and RFC-1123.

Disable UAC and DEP

Before beginning the installation process, disable User Account Control (UAC) and Data Execution Prevention (DEP) settings, and make sure that no Software Restriction Policies will block the installation. The UAC settings can be re-enabled following installation.

Forcepoint Security Manager

In addition to the other general preparation actions described in this section:

Do not install the Security Manager on a domain controller machine.
If you want to run Microsoft SQL Server on the Forcepoint management server, use SQL Server Express.

If you are using a remote installation of SQL Server, you can use any of the supported versions (see System requirements for this version.

SQL Server Express

The following third-party components are required to install Microsoft SQL Server Express. Although some versions of the Forcepoint Security Installer will install these components automatically if they are not found, it is a best practice to install the components first, before running the Forcepoint Security Installer.

.NET Framework 4.6
Because the installer also requires .NET 4.5, both .NET 4.6 are required if you are installing SQL Server Express.
Windows Installer 4.5
Windows PowerShell 1.0
PowerShell is available from Microsoft (www.microsoft.com).

If you will use SQL Server to store and maintain data for your web protection solutions, log in to the machine as a domain user to run the Forcepoint Security Installer. This ensures that Service Broker, installed as part of SQL Server, can authenticate itself against a domain (required).

Web protection components

In addition to the general preparation actions (above), Forcepoint Web Security and Forcepoint URL Filtering components have the following additional requirements.

Filtering Service Internet access

To download the Master Database and enable policy enforcement, each machine running Filtering Service must be able to access the download server at download.forcepoint.com.

Make sure that these addresses are permitted by all firewalls, proxy servers, routers, or host files that control the URLs that Filtering Service can access.

Firewall

Disable any firewall on the machine prior to installation. Be sure to disable it before starting the installer, and then re-enable it after installation. Open ports as required by the components you have installed.

Note: The Forcepoint Security Installer adds two inbound rules to the public profile of Windows Firewall. Ports 9443 and 19448 are opened for the Forcepoint Management Infrastructure. These ports must be open to allow browsers to connect to the Security Manager. Also, additional rules may be added to Windows Firewall when installing Forcepoint DLP components.

See Default ports for on-premises Forcepoint security solutions, for more port-related information.

Computer Browser Service

To run User Service or DC Agent on a supported Windows server, the Computer Browser Service must be running.

On most machines, the service is disabled by default.
If the service is stopped, the installer will attempt to enable and start it. If this fails, the component installs and starts, but users are not identified until you enable and start the Computer Browser service.

Network Agent

If you are installing Network Agent, ensure that the Network Agent machine is positioned to be able to monitor and respond to client Internet requests.

In standalone installations (which do not include Content Gateway or a third-party integration product), if you install Network Agent on a machine that cannot monitor client requests, basic policy enforcement and features such as protocol management and Bandwidth Optimizer cannot work properly.

Important: Do not install Network Agent on a machine running a firewall. Network Agent uses packet capturing that may conflict with the firewall software.

The network interface card (NIC) that you designate for use by Network Agent during installation must support promiscuous mode. Promiscuous mode allows a NIC to listen to IP addresses other than its own. If the NIC supports promiscuous mode, it is set to that mode during installation. Contact your network administrator or the manufacturer of your NIC to see if the card supports promiscuous mode.

On Linux, do not choose a NIC without an IP address (stealth mode) for Network Agent communications.

Note: If you install Network Agent on a machine with multiple NICs, after installation you can configure Network Agent to use more than one NIC. See the Network Agent Quick Start for more information.

Network Agent using multiple NICs on Linux

If Network Agent is installed on a Linux machine, using one network interface card (NIC) for blocking and another NIC for monitoring, make sure that either:

The blocking NIC and monitoring NIC have IP addresses in different network segments (subnets).
You delete the routing table entry for the monitoring NIC.

If both the blocking and monitoring NIC on a Linux machine are assigned to the same subnet, the Linux operating system may attempt to send the block via the monitoring NIC. If this happens, the requested page or protocol is not blocked, and the user is able to access the site.

Installing on Linux

Most web protection components can be installed on Linux. If you are installing on Linux complete the instructions below.

SELinux

Before installing, if SELinux is enabled, disable it or set it to permissive.

Linux firewall

If web protection software is being installed on a Linux machine on which a firewall is active, shut down the firewall before running the installation.

Open a command prompt.
Enter service iptables status to determine if the firewall is running.
If the firewall is running, enter service iptables stop.
After installation, restart the firewall. In the firewall, be sure to open the ports used by components installed on this machine. See Default ports for on-premises Forcepoint security solutions.

Important: Do not install Network Agent on a machine running a firewall. Network Agent uses packet capturing that may conflict with the firewall software. See Network Agent.

Hostname

If, during the installation, you receive an error regarding the /etc/hosts file, use the following information to correct the problem.

When installing to a Linux machine, the hosts file (by default, in /etc) should contain a hostname entry for the machine, in addition to the loopback address. (Note: you can check whether a hostname has been specified in the hosts file by using the hostname -f command.) To configure hostname:

Set the hostname:
hostname <host>

Here, <host> is the name you are assigning this machine.
Also update the HOSTNAME entry in the /etc/sysconfig/network file:
HOSTNAME=<host>
In the /etc/hosts file, specify the IP address to associate with the hostname. This should be static, and not served by DHCP. Do not delete the second line in the file, the one that begins with 127.0.0.1 (the IPv4 loopback address). And do not delete the third line in the file, the one that begins ::1 (the IPv6 loopback address). Also, do not add the hostname to the second or third line.
```
<IP address> <FQDN> <host>
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
```
Here, <FQDN> is the fully-qualified domain name of this machine (i.e., <host>.<subdomains>.<top-level domain>)—for example, myhost.example.com—and <host> is the name assigned to the machine.

Important: The hostname entry you create in the hosts file must be the first entry in the file.

TCP/IP only

Web protection software supports only TCP/IP-based networks. If your network uses both TCP/IP- and non-IP-based network protocols, only user requests in the TCP/IP portion of the network are managed.

Forcepoint DLP

See below for information about preparing to install Forcepoint DLP components.

Do not install Forcepoint DLP server on a domain controller

Do not install Forcepoint DLP server on a domain controller (DC) machine.

Domain considerations

The servers running Forcepoint DLP can be set as part of a domain or as a separate workgroup. If you have multiple servers or want to perform run commands on file servers in response to discovery, we recommend you make the server or servers part of a domain.

However, strict GPOs may interfere and affect system performance, and even cause the system to halt. Hence, when putting Forcepoint DLP servers into a domain, it is advised to make them part of organizational units that do not enforce strict GPOs.

Also, certain real-time antivirus scanning can downgrade system efficiency, but that can be relieved by excluding some directories from that scanning (see Excluding Forcepoint files from antivirus scans). Please contact Forcepoint Technical Support for more information on enhancing performance.