Prepare for installation

Steps

  1. Make sure that the server you intend to use meets or exceeds the requirements listed in the “Content Gateway” section of “Requirements for web protection solutions” in System requirements for this version.
    See Installing on Red Hat Enterprise for additional details on installing on Red Hat Linux.
  2. Configure a hostname for the Content Gateway machine and also configure DNS name resolution. Complete these steps on the machine on which you will install Content Gateway.
    1. Configure a hostname for the machine that is 15 characters or less:

      hostname <hostname>

    2. Update the HOSTNAME entry in the /etc/sysconfig/network file to include the new hostname assigned in the previous step:

      HOSTNAME=<hostname>

    3. Specify the IP address to associate with the hostname in the /etc/hosts file. This should be static and not served by DHCP.

      The proxy uses this IP address in features such as transparent authentication and hierarchical caching. This must be the first line in the file.

      Do not delete the second and third lines (the ones that begin with “127.0.0.1” and “::1”, respectively). Also, do not add the hostname to the second or third line.

      xxx.xxx.xxx.xxx <FQDN> <hostname>
      127.0.0.1 localhost.localdomain localhost
      ::1 localhost6.localdomain6 localhost6

      <FQDN> is the fully-qualified domain name of this machine (for example: myhost.example.com). <hostname> is the same name specified in Step a.

      Do not reverse the order of the FQDN and hostname.

    4. Configure DNS in the /etc/resolv.conf file.

      search <subdomain1>.<top-level domain> <subdomain2>.<top-level domain> <subdomain3>.<top- level domain>

      nameserver xxx.xxx.xxx.xxx

      nameserver xxx.xxx.xxx.xxx

      This example demonstrates that more than one domain can be listed on the search line. Listing several domains may have an impact on performance, because each domain is searched until a match is found. Also, this example shows a primary and secondary nameserver being specified.

    5. Gather this information:
      • Default gateway (or other routing information)
      • List of your company’s DNS servers and their IP addresses
      • DNS domains to search, such as internal domain names. Include any legacy domain names that your company might have.
      • List of additional firewall ports to open beyond SSH (22) and the proxy ports (8080-8090).
  3. For Content Gateway to operate as a caching proxy, it must have access to at least one raw disk. Otherwise, Content Gateway will function as a proxy only.

    To create a raw disk for the proxy cache when all disks have a mounted file system:

    Note: This procedure is necessary only if you want to use a disk already mounted to a file system as a cache disk for Content Gateway. Perform this procedure before installing Content Gateway.
    Warning: Do not use an LVM (Logical Volume Manager) volume as a cache disk.
    Warning: The Content Gateway installer will irretrievably clear the contents of cache disks.
    1. Enter the following command to examine which file systems are mounted on the disk you want to use for the proxy cache:

      df -k

    2. Open the file /etc/fstab and comment out or delete the file system entries for the disk.
    3. Save and close the file.
    4. Enter the following command for each file system you want to unmount:

      umount <file_system>

      When the Content Gateway installer prompts you for a cache disk, select the raw disk you created.

      Note: It is possible to add cache disks after Content Gateway is installed. For instructions, see the Content Gateway Manager Help.
  4. If you plan to deploy multiple, clustered instances of Content Gateway:
    • Find the name of the network interface you want to use for cluster communication. This must be a dedicated interface.
    • Find or define a multicast group IP address.

      If a multicast group IP address has not already been defined, enter the following at a command line to define the multicast route:

      route add <multicast.group address>/32 dev <interface_name>

      Here, <interface_name> is the name of the interface used for cluster communication. For example:

      route add 224.0.1.37/32 dev eth1

  5. It is recommended that the Content Gateway host machine have Internet connectivity before starting the installation procedure. The software will install without Internet connectivity, but analytic database updates cannot be performed until Internet connectivity is available.
  6. Download the ContentGateway85xSetup_Lnx.tar.gz installer tar archive to a temporary directory on the machine that will host Content Gateway.
    To download the Content Gateway installer:
    1. Log on to the Forcepoint Downloads page.
    2. Select Web Security from the Product.
    3. Select Content Gateway from the Product Options.
    4. Click WCG v8.5.x Content Gateway Software from the Installer list.
      Note: Only latest version is available under Installer list. If you want to select the previous versions, then use Click here from Content Gateway.
    5. Click Download in the Product Installer page to download the Content Gateway installer ContentGateway85xSetup_Lnx.tar.gz.

    To unpack the tar archive, use the command:

    tar -xvzf ContentGateway85xSetup_Lnx.tar.gz

  7. Consider the following security issues prior to installing Content Gateway:
    • Physical access to the system can be a security risk. Unauthorized users could gain access to the file system, and under more extreme circumstances, examine traffic passing through Content Gateway. It is strongly recommended that the Content Gateway server be locked in an IT closet and that a BIOS password be enabled.
    • Ensure that root permissions are restricted to a select few persons. This important restriction helps preclude unauthorized access to the Content Gateway file system.
    • For a list of default ports, see the Web tab of the Forcepoint Ports spreadsheet. They must be open to support the full set of Forcepoint Web Security features.
      Note: If you customized any ports that your web protection software uses for communication, replace the default port with the custom port you implemented.

      Restrict inbound traffic to as few other ports as possible on the Content Gateway server. In addition, if your subscription does not include certain features, you can restrict inbound traffic to the unneeded ports. For example, if your subscription does not include the Forcepoint Web Security DLP Module, you may choose to restrict inbound traffic to those ports related to Forcepoint DLP.

    • If your server is running the Linux IPTables firewall, you must configure the rules in a way that enables Content Gateway to operate effectively. See IPTables for Content Gateway.
  8. Content Gateway can be used as an explicit or transparent proxy. For setup considerations for each option, see the Content Gateway explicit and transparent proxy deployments.