Upgrade preparation

Several issues should be considered, and certain steps taken, before beginning an email protection solution upgrade.

Before you begin
  • Verify current deployment. Ensure that your current deployment is functioning properly before you begin the upgrade, and that required network interfaces have reliable connections to Forcepoint components and the Internet. The upgrade process does not repair a non-functioning system.
  • Check the Certified Product Matrix to verify the supported operating systems for your initial and target versions. For example, version 8.5.3 does not support Windows 2008, which may cause errors when attempting to upgrade from a Windows 2008 operating system.
  • Ensure that your existing deployment includes Forcepoint Email Security Solutions before you upgrade. If you have used the custom option to install Forcepoint Email Security, you must install Forcepoint Email Security Solutions as well, for data loss prevention capabilities. Consult the Forcepoint Security Manager Data Security module upgrade procedures, to ensure a smooth upgrade experience. See Upgrading to Forcepoint DLP v8.7.x for details.
  • If you are not already familiar with the preparation required for upgrading off-appliance components, review the requirements before upgrading your appliances.
  • Verify the system requirements for the version to which you are upgrading to ensure your network can accommodate the new features and functions. See System requirements for this version for a detailed description.
  • Prepare Windows components. See Preparing for installation for an explanation of general preparations for upgrading the Windows components in your email protection system.
  • Ensure that your firewall is configured correctly so that the ports needed for proper email protection operation are open. See Forcepoint Email Security ports for information about all email security system default ports, including appliance interface designations and communication direction.
  • Prepare Microsoft Azure virtual network if you are upgrading to Forcepoint Email Security in Azure. See Installing Forcepoint Email Security in Microsoft Azure.
  • Prepare for service disruption during upgrade. Appliance services are not available while the upgrade is applied, continuing until the appliance continues its final restart. Service is not disrupted while the off-box components are upgraded.
  • If you are using link aggregation and plan to enable VLAN support after upgrade, disable link aggregation before enabling VLAN support on the blade or chassis. VLAN is only available on X Series appliances.
  • Ensure you have the most recent hotfix installed for your version. Additionally, ensure that you have the following hotfixes installed or uninstalled, as appropriate.
    • Uninstall the following hotfix:
      • If you have any appliance with Hotfix 200 (Spectre/Meltdown Hotfix) installed, you must uninstall the hotfix before upgrading to v8.5.x. After upgrading, reinstall Hotfix 200 on the new version.
    • Install the following hotfix:
      • If you are a Forcepoint V5000 G2R2 customer upgrading from v8.4 to v8.5.x, you must install 8.4 Appliance Hotfix 101 (APP-8.4.0-101) before upgrading.
  • Back up and remove tomcat log files and remove temporary manager files (optional; recommended to facilitate timely Forcepoint Security Manager upgrade). Use the following steps:
    1. Log onto the Windows server where the Forcepoint Security Manager resides.
    2. Navigate to the following directory:

      C:\Program Files (x86)\Websense\Email Security\ESG Manager\tomcat\logs

    3. Copy C:\Program Files (x86)\Websense\Email Security\ESG Manager\tomcat\logs to another location (for example, to C:\WebsenseBackup\Email), and then delete it in the directory mentioned in step 2.
    4. Navigate to the following directory:

      C:\Program Files (x86)\Websense\Email Security\ESG Manager\tomcat\tempEsgUploadFileTemp

    5. Delete all the downloadFile* files.
  • Inventory all configuration customizations and make a plan for restoring any that are required. Customizations are not retained through the upgrade process. Before your upgrade, contact Forcepoint Technical Support for assistance with validating files from your pre-upgrade file system. Customizations can include:
    • Custom patches
    • Hand updated files
    • Extra packages added
    • Extra files added, binary or configuration
      • Please allow some lead time for Forcepoint Technical Support to complete this validation.
  • Inventory customized HTML notification templates for the Personal Email Manager and Forcepoint Secure Messaging end-user portals. Any customizations you make to notification message templates are lost when upgrading to a new version of Forcepoint Email Security. After upgrade, you will need to reconfigure your customized templates.
  • Back up appliance configuration and settings. It is critical to perform a full appliance configuration backup and save it to a filestore.
    1. Log onto the CLI and elevate to config mode.
    2. To perform an immediate full backup, use:
      create backup now --location filestore_alias [--desc
"<description>"]
    3. Include a unique description to make it easier to identify backup files that may have very similar names and dates.
      Important: Before upgrading a virtual appliance, see Virtual appliance under upgrade instructions section, for important upgrade issues specific to the virtual appliance.
  • Back up DKIM keys and SSL certificates.
    Attention:

    DKIM keys and Personal Email Manager SSL certificates are removed (not transferred) when upgrading to v8.5.4 or v8.5.5.

    • Before beginning your upgrade, export DKIM keys and signing rules from the page Settings > Inbound/Outbound > DKIM Settings. Following the upgrade, re-import the DKIM keys and signing rules.
    • SSL certificates and keys cannot be exported from Personal Email Manager. Ensure that you have the original SSL certificate and key pair available, and use the page Settings > Personal Email > SSL Certificate to import the certificate following the upgrade.
  • If you are using an Always On Availability group with SQL Server, remove the log database from the group prior to starting the upgrade. Re-add the database to the group after the upgrade to synch it.

    See this article for additional information SQL Server Always On High Availability Groups and Forcepoint Email Security.

Encrypted connection to Email Log Database

Starting in version 8.5.4, more stringent connection string and certificate requirements are needed for establishing an encrypted connection with SQL Server. Specifically, the hostname or fully qualified domain name (FQDN) used for the connection string must match the Common Name (CN) field on the certificate that SQL Server is using if you have an encrypted database connection. Not doing so will result in failure to connect.

Before beginning your upgrade, configure your Email Log Database as follows:
  1. On the page Settings > Reporting > Log Database, enter either a hostname or a FQDN in the field Log Database.
  2. In the Log Server Configuration Utility, enter either a hostname or a FQDN for the esglogdb76 system DSN under ODBC Data Sources. See Email Log Server Configuration Utility for additional help with configuring your Log Database.
  3. On the certificate used by SQL Server for encryption, verify that the Common Name field exactly matches the hostname or FQDN that is used in the Log Database settings and esglogdb76 system DSN.
Reminders
  • Immediately following your upgrade, it is necessary to install the latest hotfix for your version. See the Forcepoint Customer Hub downloads menu to download the latest hotfix.
  • All components in your deployment, including those running off-appliance, must run the same version of Forcepoint software, if applicable. Refer to the Release Notes to determine the Forcepoint Security Manager, Forcepoint Web Security, and Forcepoint DLP versions supported with your version of Forcepoint Email Security.
  • Version 8.5.0 was the last supported software release for the V5K G2R2 appliance and the V10K G3R1 appliance. Hardware support will continue to be available throughout End-of-Life for these appliance models. Please refer to the related Tech Alert and the official Product Support Life Cycle matrix for details.
  • The Forcepoint V5000 G2R2 appliance may encounter a memory shortage after upgrading to version 8.2 or later. This issue is the result of newer versions of software requiring additional memory, and was only captured under a heavy load. A DIMM Kit (2 x 8GB) is certified to expand the physical memory of the V5000 G2R2 Appliance. It is now generally available and recommended for V5000 G2R2 deployment moving to versions 8.2 and later. Please contact your sales representatives for purchase information. For more details, see the related Knowledge Base article and the DIMM Kit installation instructions.
  • The upgrade to version 8.3 added the following default elements:
    • Spoofed Email policy filter
    • Spoof policy action
    • Antispoof policy rule
    • “url-analysis” default queue

      If your system currently uses policy elements or a queue with these names, change them before the upgrade process begins, to avoid having duplicate names after the upgrade. The email security system may not function properly with the duplicate names.

  • The upgrade to version 8.4 added the following default elements:
    • Email Attachment policy filter
    • Email Attachment policy action
    • Email Attachment policy rule
    • “attachment” default queue

      If your system currently uses policy elements or a queue with these names, you must change them before the upgrade process begins. The version 8.5.x upgrade process includes a pre-check function that terminates the upgrade if duplicate policy components are detected.

  • New presentation reports were added in version 8.3 for spoofed email and URL analysis data. Examples include:
    • Outbound Spoofed Email Percentage Summary
    • Top Inbound Spoofed Email Sender Domains
    • Top Inbound Recipients of Spoofed Email
    • Top Outbound Embedded URL Categories Detected
    • Outbound Embedded URL Detection Volume Summary

      The upgrade process may not complete successfully if you have existing custom reports with the same names as these reports.