Using the Policy Enforcement option to install web components on Linux

Before you begin

Applies to:
  • Forcepoint Web Security, v8.5.x
  • Forcepoint URL Filtering, v8.5.x

Steps

  1. It is assumed you have already downloaded and started the Web Linux installer. If not, see Starting the Web Linux installer for instructions.
  2. If no web protection components have been installed on this machine:
    1. On the Introduction screen, click Next.
    2. On the Subscription Agreement screen, choose to accept the terms of the agreement and then click Next.
    3. If the Multiple Network Cards screen appears, select the IP address of the NIC that web protection components should use for communication. This NIC will also be used to send block pages when a user requests blocked content.
      Important: The installer cannot determine whether IP addresses are valid. It simply lists the currently configured address of each detected NIC. Be sure to verify that the IP address you select is valid in your network. An incorrect IP address will prevent components on this machine from functioning properly.
    4. On the Installation Type screen, select Policy Enforcement and then click Next.
  3. If there are web protection components already installed on this machine, the Add Components screen appears.
    Select Install additional components on this machine and then click Next.

    If there are already components on this machine, you can only perform a custom installation.

    If there are no web protection components already installed, the Policy Broker Replication screen appears. Indicate which Policy Broker mode to use.

    • Select Standalone if this will be the only Policy Broker instance in your deployment.
    • Select Primary, then create a Synchronization password if you will later install additional, replica instances of Policy Broker.

      The password may include between 4 and 300 alphanumeric characters.

      Important: If you are installing the primary Policy Broker, be sure to record the synchronization password. You must provide this password each time you create a Policy Broker replica.
    • Do not select Replica at this stage. You must install a standalone or primary Policy Broker before you can install a replica.
  4. On the Integration Option screen, indicate whether this is a Forcepoint Web Security deployment that uses Content Gateway, a standalone deployment, or an integrated Forcepoint URL Filtering deployment, and then click Next.
    See Understanding standalone and integrated modes for web protection solutions for more information.
  5. If you chose the Forcepoint URL Filtering integrated option, the Select Integration screen appears. Select your third-party integration product, then click Next.
  6. On the Network Card Selection screen, select the NIC that Network Agent should use to communicate with other web protection components, then click Next.
    The list may include NICs that do not have an IP address. Do not choose a NIC without an IP address.
  7. On the Feedback screen, select whether you want your software to send feedback to Forcepoint to improve accuracy. Then click Next.
  8. On the Web Security Hybrid Module screen, select whether you want to install components that support the hybrid service on this machine, then click Next.
    • Install Web Security Hybrid module components: Select this option to install these components and then check the box for the components (Sync Service and/or Directory Agent) you want to install.
    • Do not install Web Security Hybrid module components: Select this option if you do not have a Web Security Hybrid Module subscription, or if you want to install Sync Service and Directory Agent on another machine.
  9. On the Transparent User Identification screen, select whether to use transparent identification agents to identify users and then click Next. This allows user- or group-based policies to be applied to requests without prompting users for logon information.

    It is possible to run multiple instances of the same transparent identification agent, or certain combinations of different transparent identification agents, in a network. For information about multiple instances or combinations of transparent identification agents, see the Combining transparent identification agents section in Deploying transparent identification agents.

    • Use Logon Agent to identify users logging on to local machines: This option installs Logon Agent on this machine. Logon Agent identifies users as they log onto Windows domains. Logon Agent is for use with Windows-based client machines on a network that uses Active Directory or Windows NT Directory.

      To use Logon Agent, you must modify the Group Policy on domain controllers so it launches a logon application (LogonApp.exe) as part of the logon script. Client machines must use NTLM (v1 or v2) when authenticating users.

      See the Using Logon Agent for Transparent User Identification technical paper.

      Note: Do not use Logon Agent in a network that already includes eDirectory Agent.
    • Use eDirectory Agent to identify users logging on via Novell eDirectory Server: This option installs eDirectory Agent on this machine. Use this agent for a network using Novell eDirectory. eDirectory Agent queries the eDirectory Server at preset intervals to identify users currently logged on.
      Note: Do not use eDirectory Agent in a network that already includes DC Agent or Logon Agent.
    • Do not install a transparent identification agent now: Select this option if:
      • Content Gateway or a third-party integration product will provide user authentication.
      • You plan to install a transparent identification agent on another machine.
      • You do not want to apply policies to users or groups, and do not want user and group information to appear in reports.
      • You want users to be prompted for logon information when they open a browser to access the Internet.
      Note: When integrated with Cisco products, Forcepoint URL Filtering cannot use Cisco Secure Access Control Server (ACS) for user authentication for more than 1 user domain. If there are multiple user domains, use a transparent identification agent instead.
  10. On the RADIUS Agent screen, select Install RADIUS Agent if you have remote users that are authenticated by a RADIUS server and then click Next. This allows user- or group-based policies to be applied to requests from these remote users without prompting them for logon information.
  11. On the Installation Directory screen, accept the default installation path (/opt/Websense), or click Choose to specify another path, and then click Next.

    The installation path must be absolute (not relative).

    The installer creates this directory if it does not exist.

    Important: The full installation path must use only ASCII characters. Do not use extended ASCII or double-byte characters.
    The installer compares the installation’s system requirements with the machine’s resources.
    • Insufficient disk space prompts an error message. The installer closes when you click OK.
    • Insufficient RAM prompts a warning message. The installation continues when you click OK. To ensure optimal performance, increase your memory to the recommended amount.
  12. On the Pre-Installation Summary screen, verify the information shown.
    The summary shows the installation path and size, and the components to be installed.
  13. Click Next to start the installation. An Installing progress screen is displayed. Wait for the installation to complete.
    Note: If you are using the command-line Linux installer, do not cancel (Ctrl-C) the installer after the Pre-Installation Summary screen, as it is installing components. In this case, allow the installation to complete and then uninstall the unwanted components.
  14. On the Installation Complete screen, click Done.
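
The script below is an added example, not part of the Forcepoint documentation or installer. It checks, before the installer is run, the three inputs the steps above constrain: an absolute, ASCII-only installation path, a synchronization password of 4 to 300 alphanumeric characters, and NICs that have no IP address. The function names and sample data are hypothetical, and the NIC check assumes IPv4 addressing and input in the format printed by `ip -brief addr show`.

```sh
#!/bin/sh
# Added example: pre-flight checks for values entered in the installer.
LC_ALL=C; export LC_ALL   # byte-wise matching so ranges mean plain ASCII

# Installation Directory screen: path must be absolute and ASCII-only.
check_install_path() {
    case "$1" in
        /*) ;;
        *)  return 1 ;;
    esac
    # Delete every ASCII byte; anything left over is non-ASCII.
    rest=$(printf '%s' "$1" | tr -d '\000-\177' | wc -c | tr -d ' ')
    [ "$rest" -eq 0 ]
}

# Policy Broker Replication screen: 4 to 300 alphanumeric characters.
check_sync_password() {
    [ "${#1}" -ge 4 ] && [ "${#1}" -le 300 ] || return 1
    case "$1" in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Network Card Selection screen: read `ip -brief addr show` output on stdin
# and print the interfaces that have no IPv4 address (assumption: IPv4).
nics_without_ipv4() {
    awk '{
        has = 0
        for (i = 3; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\//) has = 1
        if (!has) print $1
    }'
}

# Constructed sample of `ip -brief addr show` output (not from a real host).
SAMPLE_NICS='lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             192.0.2.10/24 fe80::1/64
eth1             DOWN
eth2             UP             fe80::2/64'

# Constructed values; on a real host, pipe `ip -brief addr show` instead.
check_install_path /opt/Websense && echo "install path ok"
check_sync_password 'Sync2024pw' && echo "sync password format ok"
echo "Do not select: $(printf '%s\n' "$SAMPLE_NICS" | nics_without_ipv4 | tr '\n' ' ')"
```

These checks cover format only. As the Multiple Network Cards step notes, whether a listed IP address is valid in your network still has to be verified separately.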