Step 1: Prepare for upgrade
Before you begin
Steps
- Make sure the installation machine meets the hardware and operating system recommendations in System requirements for this version.
In addition, with v8.5.3, Forcepoint URL Database enhancements were made that greatly increased the size of the database files. When upgrading to v8.5.3 or v8.5.4 from v8.5 or earlier, the new database files will replace the existing files. Prior to upgrading, confirm there is at least 6 GB of additional free space available on each Filtering Service machine.
- Verify that third-party components, including your database engine and directory service, are supported with Forcepoint Web Security. See Requirements for web protection solutions.
- Back up all of your Web protection components before starting the upgrade process. See the Backup and Restore FAQ for your version for instructions for backing up both software-based and appliance-based components.
On appliances, be sure to perform a full appliance configuration backup.
- Before upgrading Filtering Service, make sure that the Filtering Service machine and the management server have the same locale settings (language and character set).
Once the upgrade is completed, Filtering Service can be restarted with any locale settings.
- Before upgrading any Policy Server, make sure that all instances of Multiplexer are enabled and started. This step is required even if you are not integrated with a third-party SIEM solution.
- If your product includes the Web Security DLP Module, before upgrading the management server, make sure those components are ready for upgrade:
- Stop all discovery and fingerprinting tasks.
- Route all traffic away from the system.
- Ensure that your supplemental fingerprint repositories are fully synchronized with the primary repository.
- Make sure all settings are deployed successfully. Log onto the Data Security manager. If the Deploy button is highlighted, click it.
- If your organization was supplied with custom file types, change the name of the following files in the policies_store\custom_policies\config_files folder on the management server; otherwise they will be overwritten during upgrade.
- Change extractor.config.xml to custom_extractor.config.xml.
- Change extractorlinux.config.xml to custom_extractorlinux.config.xml.
The filenames are case-sensitive.
- If custom policies were provided, submit a request for updated versions before proceeding.
- When upgrading from v8.4 or earlier, a new logging partition is added to your Log Database. Please make sure you do not have 70 active partitions (the limit) prior to upgrading. Use the Web > Settings > Reporting > Log Database page of the Forcepoint Security Manager to disable at least one active partition prior to upgrading.
- Back up your current Log Database and stop Log Server.
Warning:
If database operations are active during upgrade, the Log Database may be rendered unusable.
When this occurs, it can be difficult to fix.
Make sure to stop Log Server and the database jobs, as described below, before upgrading the database.
- Back up your reporting databases.
Refer to Microsoft documentation for instructions. The databases are named wslogdb70 (the catalog database), wslogdb70_n (standard logging partition databases), and wslogdb70_amt_1 (threats partition database).
- On the Log Server machine, use the Windows Services tool to stop Websense Log Server.
- If you are using an Always On Availability group with SQL Server, remove the log database from the group prior to starting the upgrade. Re-add the database to the group after the upgrade to sync it.
- It is best to stop all Log Database jobs prior to starting the upgrade. However, before it upgrades the Log Database, the upgrade process will attempt to stop any Log Database jobs not already stopped. If the jobs cannot be stopped, you will need to stop them manually; you do not need to exit the installer to do that.
Stop the Log Database jobs using these steps:
- If you have a full version of Microsoft SQL Server (not Express), stop all database jobs as follows. (See below for steps to stop SQL Express jobs.)
- Log in to the Microsoft SQL Server Management Studio and expand SQL Server Agent > Jobs (in Object Explorer).
- To disable all currently active SQL Server Agent jobs, right-click each of the following jobs and select Disable:
Websense_ETL_Job_wslogdb70
Websense_AMT_ETL_wslogdb70
Websense_IBT_DRIVER_wslogdb70
Websense_Trend_DRIVER_wslogdb70
Websense_Maintenance_Job_wslogdb70
Disabling the jobs prevents them from executing at the next scheduled time, but does not stop them if a job is in process.
Make sure all jobs have completed any current operation before proceeding with upgrade.
- After upgrade, verify that the jobs have been enabled.
Enable any that were not automatically enabled by the upgrade process. Normal database operations will then resume.
- Continue with step 9.
- If you have SQL Server Express, stop all database jobs as follows:
- Log in to the Microsoft SQL Server Management Studio.
- Expand the Databases tree to locate the catalog database (wslogdb70, by default), then expand the catalog database node.
- Expand Service Broker > Queues.
- Right-click dbo.wse_scheduled_job_queue and select Disable Queue.
- The upgrade process will re-enable the job queue. After upgrade, verify that the Queue has been enabled.
Enable it, if necessary, by repeating the process, this time ultimately selecting Enable Queue to resume normal database operations.
When Log Server is upgraded, the upgrade process first checks the Log Database version and updates the database, if necessary. If you have multiple Log Servers, the database update occurs with the first Log Server upgrade. The database update, including the need to stop the database jobs, is not repeated when additional Log Server instances are upgraded.
- If Log Server uses a Windows trusted connection to access the Log Database, be sure to log on to the Log Server machine using the trusted account to perform the upgrade. To find out which account is used by Log Server:
- Launch the Windows Services tool.
- Scroll down to find Websense Log Server, then check the Log On As column to find the account to use.
- If your deployment includes appliances, see this Upgrade Guide for additional information.
If you have a software-only deployment, skip to Step 3: Prepare to upgrade Content Gateway.
Important: As a result of a change made to avoid a potential vulnerability, when a presentation report is included as a link in an email, report links in emails that exist prior to upgrading from v8.1 or v8.2 to v8.5 will no longer work.
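For the Log Database job step above (full Microsoft SQL Server, not Express), the following T-SQL is an added example, not part of the original Forcepoint procedure: it disables the five listed SQL Server Agent jobs and then reports whether any of them is still executing, since disabling does not stop a job already in process. It assumes the default catalog name wslogdb70 used in the job names above and an account permitted to run sp_update_job in msdb.

```sql
-- Added example: disable the Log Database jobs and check for in-flight runs.
-- Assumption: default catalog name (wslogdb70), as in the job names on this page.
USE msdb;
GO

DECLARE @jobs TABLE (name sysname PRIMARY KEY);
INSERT INTO @jobs (name) VALUES
    (N'Websense_ETL_Job_wslogdb70'),
    (N'Websense_AMT_ETL_wslogdb70'),
    (N'Websense_IBT_DRIVER_wslogdb70'),
    (N'Websense_Trend_DRIVER_wslogdb70'),
    (N'Websense_Maintenance_Job_wslogdb70');

-- 1. Disable every listed job that exists and is still enabled
--    (same effect as right-click > Disable in Management Studio).
DECLARE @name sysname;
DECLARE job_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT j.name
    FROM dbo.sysjobs AS j
    JOIN @jobs AS w ON w.name = j.name
    WHERE j.enabled = 1;
OPEN job_cursor;
FETCH NEXT FROM job_cursor INTO @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC dbo.sp_update_job @job_name = @name, @enabled = 0;
    FETCH NEXT FROM job_cursor INTO @name;
END
CLOSE job_cursor;
DEALLOCATE job_cursor;

-- 2. Report the state of each job. A job is still running when its activity
--    row for the current Agent session has a start time but no stop time.
SELECT  w.name,
        CASE WHEN j.job_id IS NULL THEN 'not found'
             WHEN j.enabled = 1    THEN 'ENABLED'
             ELSE 'disabled' END                        AS job_state,
        CASE WHEN a.job_id IS NULL THEN 'idle'
             ELSE 'RUNNING - wait before upgrading' END AS activity,
        a.start_execution_date
FROM @jobs AS w
LEFT JOIN dbo.sysjobs AS j ON j.name = w.name
LEFT JOIN dbo.sysjobactivity AS a
       ON a.job_id = j.job_id
      AND a.session_id = (SELECT MAX(session_id) FROM dbo.syssessions)
      AND a.start_execution_date IS NOT NULL
      AND a.stop_execution_date IS NULL
ORDER BY w.name;
```

Proceed only when every row shows disabled and idle. After the upgrade, the same report shows which jobs the upgrade process did not re-enable; run sp_update_job with @enabled = 1 for those.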