Before you begin
In some instances, it may become necessary to change the mode of a Policy Broker instance after installation. For example:
To make the change, an administrator must use the PgSetup command from the command line on the Policy Broker machine as follows:
Note: Before changing the mode from replica to standalone or primary, make sure that no one is logged onto the Forcepoint Security Manager.
Steps
- Stop all components connected to the Policy Broker instance whose mode you plan to change.
  - Windows: Open a command prompt and navigate to the Web Security directory (C:\Program Files or Program Files (x86)\Websense\Web Security\), then enter the following command:
    WebsenseAdmin stop
  - Linux: Navigate to the /opt/Websense/ directory and enter the following command:
    ./WebsenseAdmin stop
  - Appliance: Stop all web protection modules (for example, Network Agent and Content Gateway).
- Navigate to the bin directory on the Policy Broker machine (/opt/Websense/bin/ or C:\Program Files or Program Files (x86)\Websense\Web Security\bin).
- If you are on a Linux server, enter the following command:
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/Websense/bin
- Enter one of the following commands:
  - To change a Policy Broker from primary or replica to standalone mode:
    PgSetup -m standalone
    Make a note of the token that is displayed when the mode switch is complete. You will need this to update your Policy Server configuration later.
  - To change a Policy Broker to primary mode:
    PgSetup -m primary -w <synchronization_password>
    All replicas must use this synchronization password to connect to the primary and receive updated policy and configuration data.
    Make a note of the token that is displayed when the mode switch is complete. You will need this to update your Policy Server configuration later.
  - To change a Policy Broker to replica mode:
    PgSetup -m replica -l <replica_IP_address> -z <primary_IP_address> -w <synchronization_password>
    The replica IP address is the IP address that the primary instance will use to communicate updated policy and configuration information to the replica. The synchronization password must match the one created when the primary Policy Broker was configured.
  Note: If changing a Policy Broker from replica mode to primary mode fails, first change from replica to standalone mode and then from standalone to primary mode.
- After making the change:
  - If you have promoted a replica Policy Broker to a primary instance, see Configure Policy Server to connect to a new primary or standalone Policy Broker.
  - If you have changed a standalone Policy Broker to a replica, see Reconfigure Policy Server after a standalone Policy Broker becomes a replica.
- To complete the process, restart your web protection services (starting with the Policy Broker machines, then any additional Policy Server machines, then any additional machines with web protection components). Using the commands below ensures that components on each machine are restarted in the correct order.
  - Linux: Run the following command from the /opt/Websense/ directory:
    ./WebsenseAdmin restart
  - Windows: Run the following command from the C:\Program Files or Program Files (x86)\Websense\Web Security\ folder:
    WebsenseAdmin restart
  - Appliance: Start all web protection modules (for example, Network Agent and Content Gateway).
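
The Linux steps above can be wrapped so that an incomplete request is rejected before any component is stopped. The script below is an added example, not Forcepoint code: it uses the paths and PgSetup options from this page, while the function names, the PGSETUP override and the ./PgSetup invocation from the bin directory are assumptions. It leaves the restart to the operator, because Policy Server may first need the token that PgSetup prints.

```shell
#!/bin/sh
# Added example, not Forcepoint code. Paths and PgSetup options are the ones in
# the steps above; function names and the PGSETUP override are assumptions.

is_ipv4() (                      # dotted quad, each octet 0..255
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
  IFS=.; set -- $1               # split on dots (subshell, so IFS is not leaked)
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
  done
)

# usage: run_pgsetup <mode> [sync_password] [replica_ip] [primary_ip]
# Rejects incomplete requests, then runs PgSetup (or $PGSETUP) with the options.
run_pgsetup() (
  mode=${1-} pw=${2-} replica=${3-} primary=${4-}
  case $mode in
    standalone) set -- -m standalone ;;
    primary|replica)
      [ -n "$pw" ] || { echo "$mode mode needs the synchronization password" >&2; exit 2; }
      set -- -m "$mode"
      if [ "$mode" = replica ]; then
        is_ipv4 "$replica" && is_ipv4 "$primary" ||
          { echo "replica mode needs valid replica and primary IPs" >&2; exit 2; }
        [ "$replica" != "$primary" ] || { echo "replica and primary IPs match" >&2; exit 2; }
        set -- "$@" -l "$replica" -z "$primary"
      fi
      set -- "$@" -w "$pw" ;;
    *) echo "mode must be standalone, primary or replica" >&2; exit 2 ;;
  esac
  "${PGSETUP:-./PgSetup}" "$@"
)

# Stop, set the library path and switch mode on Linux. The restart is left to
# the operator because Policy Server may need the new token first.
change_mode() (
  ( PGSETUP=:; run_pgsetup "$@" ) || exit   # validate before stopping anything
  cd /opt/Websense && ./WebsenseAdmin stop || exit
  cd /opt/Websense/bin || exit
  # ${VAR:+...} avoids a leading empty entry, which the loader treats as the
  # current directory, when LD_LIBRARY_PATH is unset.
  LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/opt/Websense/bin"
  export LD_LIBRARY_PATH
  run_pgsetup "$@" || exit
  echo "Record the token shown above, then update Policy Server and restart." >&2
)
```

Example call: change_mode replica "$SYNC_PW" 10.0.0.2 10.0.0.1, where the addresses are constructed sample values and SYNC_PW is a variable holding the synchronization password.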