Step 10: Upgrade software instances of Content Gateway
Before you begin
Content Gateway runs on web protection full policy source, user directory and filtering, and filtering only appliances (all of which should already have been upgraded at this point).
Content Gateway is supported on:RHELmachines. See the Certified Product Matrix for a list of supported operating systems.
At the beginning of the upgrade procedure, the installer checks to see if the partition that hosts /opt has enough space to hold a copy of the existing Content Gateway log files (copied to /opt/WCG_tmp/logs). If there’s not enough space, the installer prints an error message and quits.
In this situation, if you want to retain the log files you must copy the contents of /opt/WCG/logs to a location that has enough space, and then delete the log files in /opt/WCG/ logs.
When the upgrade is complete, move the files from the temporary location back to /opt/WCG/logs and delete the files in the temporary location.
Steps
-
If your existing web protection solution is deployed with Web DLP or a data protection product:
- Log on to the Content Gateway manager.
- Navigate to the Configure > My Proxy > Basic page.
- Disable Web DLP.
When the upgrade is complete:
- Return to the Configure > My Proxy > Basic page.
- Enable the new Web DLP option.
- Restart Content Gateway.
- Navigate to the Configure > Security > Web DLP page and confirm that automatic registration was successful. If it was not, confirm that the Data module of management console is running as expected.
-
Log on to the Content Gateway Linux host and acquire root permissions:
su root
-
Disable any currently running firewall on this machine for the duration of the upgrade. Bring the firewall back up after the upgrade is complete, opening ports used by Content
Gateway.
For example, if you are running IPTables:
- At a command prompt, enter service iptables status to determine if the firewall is running.
- If the firewall is running, enter service iptables stop.
- After upgrade, restart the firewall. In the firewall, be sure to open the ports used by Content Gateway on this machine. See default ports for more information.Important:
Forcepoint Web Security customers using Red Hat Enterprise Linux or CentOS 7.x must disable firewalld prior to installing Content Gateway.
On the machine where Content Gateway will be installed, execute the following:
systemctl stop firewalld
systemctl disable firewalld
-
Download the Content Gateway version 8.5.x installer and save it to a temporary directory. For example, place it in /tmp/cg_v85.
To download the Content Gateway installer:
- Log on to the Forcepoint Downloads page.
- Select Web Security from the Product.
- Select Content Gateway from the Product Options.
- Click WCG v8.5.x Content Gateway Software from the Installer list.Note: Only latest version is available under Installer list. If you want to select the previous versions, then use Click here from Content Gateway.
- Click Download in the Product Installer page to download the Content Gateway installer ContentGateway85xSetup_Lnx.tar.gz.
-
Unpack the Content Gateway installer tar archive:
cd /tmp/cg_v85tar -xvzf <installer tar archive>Important: If SELinux is enabled, set it to permissive, or disable it before installing Content Gateway. Do not install or run Content Gateway with SELinux enabled.
- If you intend to upgrade Red Hat Enterprise Linux 6.x to a more recent version, perform the upgrade now. See your Red Hat Enterprise Linux documentation.
-
In the directory where you unpacked the tar archive (for example, /tmp/cg_85), start the installation/upgrade script.
./wcg_install.sh
Respond to the prompts.
Content Gateway is installed and runs as root.
Important: Up to the point that you are prompted to confirm your intent to upgrade, you can quit the installer by pressing CTRL+C. If you change your mind after you choose to continue, do not use CTRL+C to stop the process. Instead, allow the installation to complete and then uninstall. -
If your server does not meet the minimum hardware requirements or is missing required operating system packages, you will receive error or warning messages. For example:
Error: Content Gateway v8.5.x on x86_64 requires several packages that are not present on your system. Please install the following packages: <list of packages> If you are connected to a yum repository you can install these packages with the following command: yum install <list of packages> See the Technical Library (www.websense.com/library) for information about the software requirements for x86_64 installation.
To make it easier to install the needed packages, the Content Gateway distribution includes a Linux “rpm” containing the needed packages. To install its contents, ensure that the operating system has access to the Red Hat Linux distribution library (for example the DVD), and enter:
yum install wcg_deps-1-0.noarch.rpm
Upon successful completion, a list of updated packages displays and then the word “Complete!”.
Here is an example of a system resource warning:
Warning: Content Gateway requires at least 6 gigabytes of RAM.
Do you wish to continue [y/n]?
Enter n to end the installation and return to the system prompt.
Enter y to continue the upgrade. You should not install or upgrade on a system that does not meet the minimum requirements. If you choose to run Content Gateway after receiving a system resource warning, performance and stability may be affected.
-
Read the subscription agreement. At the prompt, enter y to accept the agreement and continue the upgrade, or n to cancel.
Do you accept the above agreement [y/n]? y
-
The installer checks for the presence of an existing Content Gateway installation. When asked, choose to replace the existing version with version 8.5.x.
WCG version 8.1.n-nnnn was found.
Do you want to replace it with version 8.5.x-nnnn [y/n]? y
-
Existing settings and logs are copied to backup files and stored. For example:
Stopping Content Gateway processes...done Copying settings from /opt/WCG to /root/WCG/OldVersions/ 8.1.0-1418-PreUpgrade/...done Zipping configuration archive...done Moving log files from /opt/WCG/logs to /opt/WCG_tmp/logs/...done
-
You can either re-use the installation selections you entered during the last install, or provide new answers to all installation prompts, such as admin password, admin email
address, Policy Server IP address, etc.
Previous installation selections </root/WCG/Current/ WCGinstall.cfg> found. Use previous installation selections [y/n]?
Enter y to use previous installation selections.
Enter n to revert to default values, and receive all installation questions and answer them again.
-
If you answered y at Step 12, then you can also leave proxy settings at their current values or revert to default values (which perform a fresh install!).
Restore settings after install [y/n]?
Enter y to keep the proxy settings as they are.
Enter n to restore default settings for the proxy.
CAUTION:If you answer n (no), the current installation of Content Gateway is removed, and a fresh install of 8.5.x begins. See Installation Instructions: Forcepoint Web Security for a detailed description of the installation procedure. This is not an upgrade, but rather a fresh install. -
The previously installed version of Content Gateway is removed, and the settings and selections you chose to retain are re-used. Details of the upgrade process are output to the
screen. Please wait.
*COMPLETED* Content Gateway 8.5.x-nnnn installation. A log file of this installation process has been written to /root/WCG/Current/WCGinstall.log For full operating information, see the Content Gateway Help system. Follow these steps to start the Content Gateway management interface (Content Gateway Manager): 1. Start a browser. 2. Enter the IP address of the Content Gateway server, followed by a colon and the management interface port (8081 for this installation). For example: https:// 11.222.33.44:8081. 3. Log on using username admin and the password you chose earlier.
-
The automated portion of the upgrade is now complete, and the proxy software is running.
If you chose to revert to default proxy settings, be sure to configure any custom options.
-
Check Content Gateway status with:
/opt/WCG/WCGAdmin status
All services should be running. These include:
- Content Cop
- Content Gateway
- Content Gateway Manager
- Analytics Server
Important:If Content Gateway fails to complete startup after upgrade, check for the presence of the no_cop file. Look for:
/opt/WCG/config/internal/no_cop
If the file exists, remove it and start Content Gateway:
/opt/WCG/WCGAdmin start