Web protection components

  1. If the upgrade process involves upgrading multiple Policy Servers that are assigned to the same Policy Broker, and any of them reside on a Microsoft Windows 2016 server, some of the services on all of the Policy Server machines in the deployment that use Windows 2016 may fail to restart at the end of the upgrade process.

    Log on to each Policy Server machine and restart the following services as needed:

    • Websense Event Message Broker
    • Websense Cloud App Service
    • Websense Bridge Service
    • Websense SIEM Connector

    Optionally, reboot each Policy Server machine.

  2. In v8.5, DC Agent was modified to remove the use of SMBv1 for domain discovery.

    During the upgrade, the new DC Agent settings replaced the current configuration. Customers preferring to use SMBv1 can reset the appropriate settings in transid.ini. See Using DC Agent for Transparent User Identification for information.

    In conjunction with this change, the default selection for Domain Discovery, when the feature is enabled on the Settings > General > User Identification > DC Agent page of Forcepoint Manager, is DC Agent.

    In v8.5.3, the Domain Discovery section of the Settings > General > User Identification > DC Agent page was changed to remove the component selections for domain discovery. After upgrading to v8.5.3 or v8.5.4, domain discovery will always be done by DC Agent.

  3. In v8.5, Microsoft SQL Server 2016 Express SP1 replaces Microsoft SQL Server 2008 R2 Express SP2 in v8.5 for new installations. However, SQL Server 2008 R2 Express SP2 will continue to function on upgraded deployments.

    In v8.5.3, Microsoft SQL Server 2017 Express replaces 2016 Express SP1.

  4. Version 8.5 introduces Report Center, a new reporting tool. In organizations that use the delegated administration reporting features, access to Report Center and its tools is defined for each administrator role. The upgrade process assigns the following permissions, based on existing permissions assigned to a given role:
    Existing reporting permission New Report Center permission
    Access presentation reports Access Report Center and Schedule Reports

    Access investigative reports with

    View user names in investigative reports

    		 Access Report Center

    Report on all clients with Access investigative reports,

    View user names in investigative reports, and

    Schedule investigative reports

    		 Access Report Center and Schedule Reports

    Report Center permissions are not automatically assigned for any other combination of existing reporting permissions. See Administrator Help for more information on Report Center and Delegated Administration.

    Version 8.5.3 adds to this list with the addition of View user names and hostnames in reports, which has been added under Access the Report Center. This option allows administrators to view user information when creating or viewing reports. For upgrades to v8.5.3 or v8.5.4:

    • The option will be on for upgrades from v8.5.

      The Schedule Reports option will continue to be enabled if it was enabled in the v8.5 settings.

    • When upgrading from any other version, the value of the option is determined by the current setting for View user names in investigative reports or Access presentation reports. The new option will be enabled for all delegated administrators who previously had permission to view user names in investigative reports or to access presentation reports.

    In addition, some of the existing options were renamed:

    • The Access the Threats dashboard option has been moved and renamed to Access Threat data (Threats dashboard + Report Center).
    • Similarly, Access forensics data in the Threats dashboard has been renamed to Access forensics data.

    Use the new options to allow administrators to view the data in two new tabs for the Detail view of the Transaction Viewer as well as to view the same data in the Threats dashboard.

  5. With v8.5, Active Directory (Mixed Mode) is not supported. When upgrading to v8.5.x, deployments configured to use Active Directory Mixed Mode will be modified to use Active Directory (Native Mode).

    Re-add client information and re-assign clients to existing policies after the upgrade completes.

  6. If an upgrade to v8.5.3 or later involves upgrading services on a Linux server, some of the services on the Linux server may fail to restart. If that happens:
    1. Navigate to /opt/Websense/bin on the Linux server.
    2. Delete all .p12 tiles.
    3. Start all services.

      WebsenseAdmin start

  7. Due to a security enhancement in v8.5.4, if the Use SSL to connect to the Log Database option has been selected on the Web > Settings > Reporting > Log Server page, and the SSL certificate currently in use has not been properly deployed to the SQL Server management server and Log Server machines, is not valid, or has expired, connection between Log Server and the Log Database will fail and data will no longer be forwarded by Log Server. A new certificate will need to be installed on both machines.

    If you use this feature, after upgrading, use the Test Connection option on that same page to confirm continued connectivity.

  8. When upgrading to v8.5.4 or v8.5.5, the internal flag that resets the SIEM Integration feature from the new functionality provided in the v8.4 release of Forcepoint Web Security back to the old functionality in v8.3 and earlier, is reset. This allows all customers to automatically use the improved 8.5.4 SIEM Integration functionality.