Content Gateway
Steps
- If, at the start of the upgrade process, you manually moved your existing log files to a temporary location, move them back to /opt/WCG/logs and delete the files in the temporary location.
- Register Content Gateway nodes in Forcepoint Security Manager on the Web > Settings > Content Gateway Access page.
Registered nodes add a link to the Content Gateway manager logon portal and provide a visual system health indicator: a green check mark or a red X.
- Configure Content Gateway system alerts on the Settings > Alerts > System page in the Security Manager.
This subset of Content Gateway system alerts can be configured to be sent to administrators, in addition to being displayed in the Content Gateway manager.
- If you use SSL support:
- If your clients don’t yet use a SHA-256 internal Root CA, create and import a SHA-256 Root CA into all affected clients. See Internal Root CA in Content Gateway Help.
- Using the notes you compiled prior to upgrade, rebuild your Static Incident list.
- If you use proxy user authentication, review the settings on the Global Authentication Options page (Configure > Security > Access Control > Global Authentication Options).
- If you use IWA user authentication, confirm that the AD domain is still joined. Go to Monitor > Security > Integrated Windows Authentication. If it is not joined, rejoin the domain. Go to Configure > Security > Access Control > Integrated Windows Authentication.
- If you use Rule-Based Authentication, review your configuration. Go to Configure > Security > Access Control.
- Check the Domains page.
- IWA domains that were joined before upgrade should still be joined.
- LDAP and Legacy NTLM domains should be listed.
- Check each rule.
- Go to the Authentication Rules page and enter the editor.
- Select each rule and check the configuration.
- For Multiple Realm Authentication rules that used Cookie Mode Caching, check the cookie list on the Global Authentication Options page.
- Check that the expected domain is in the Auth Sequence list.
Important: The Rule-Based Authentication feature is very rich and can satisfy many user authentication requirements. To make best use of it, refer to Rule-Based Authentication in Content Gateway Help.
- If a web protection and data protection solution were deployed together, confirm that Content Gateway has automatically re-registered with the Data module of the Forcepoint Security Manager. If it has not, manually re-register.
- Ensure that the Content Gateway and the Security Manager server system clocks are synchronized to within a few minutes.
- In the Content Gateway manager:
- Go to Configure > My Proxy > Basic, ensure that Web DLP: Integrated on-box is enabled, and click Apply.
- Next to Integrated on-box, click the Not registered link. This opens the Configure > Security > Web DLP registration screen.
- Enter the IP address of the Security Manager server.
- Enter a user name and password for logging onto Security Manager. The user must be a Forcepoint DLP administrator with Deploy Settings privileges.
- Click Register. If registration is successful, a message confirms the result and prompts you to restart Content Gateway. If registration fails, an error message indicates the cause of failure. Correct the problem and perform the registration process again.
- If web and data protection products were deployed together and upgraded, you may need to remove stale entries of Content Gateway instances registered in Forcepoint DLP system modules:
- Log onto Security Manager.
- Select the Data tab and navigate to the Settings > Deployment > Modules page.
- Two instances of each Content Gateway module registered with the system are listed. Delete the older instances, which you can identify by their version number.
- Click Deploy.
- If web and data protection products were deployed together and configured to use the on-box policy engine, and then reconfigured during upgrade or later to use the ICAP interface, the Content Gateway instance may need to be deleted from the list of Forcepoint DLP system modules or the deployment will fail. Go to the Data > Settings > Deployment > System Modules page, click on the affected Content Gateway instance to open its Details page, click Delete and then Deploy.
- If your explicit proxy deployment was customized to support an external load balancer with IWA user authentication, the configuration is preserved during upgrade. You do not need to re-apply the custom configuration. You should, however, test your deployment to verify that the load balancer is performing as expected.
- With v8.2.x, the behavior of two features changed slightly:
- Send authentication to parent proxy, configured on the Configure > My Proxy > Basic > General page.
- X-Forwarded-For, enabled on the Configure > Protocols > HTTP > Privacy page.
In both cases, header values are now forwarded only to a configured parent proxy.
If you are upgrading from v8.1 to v8.5, had either of these settings enabled in your previous version, and expect header values to be forwarded for all outbound requests, add the appropriate variable to your records.config file (in the /opt/WCG/config directory, by default). Bear in mind that both settings disclose internal client addresses or user names to every origin server that receives the request, so enable them only where that disclosure is intended.
- To add the user name to outbound requests, add:
CONFIG proxy.config.http.insert_xua_to_external INT 1
- To send X-Forwarded-For header values directly to the Internet, add:
CONFIG proxy.config.http.insert_xff_to_external INT 1
- If you used v8.1 with custom cipherlist settings in these records.config variables:
proxy.config.ssl.server.cipherlist
proxy.config.ssl.client.cipherlist
you need to reconfigure the custom settings, because these variables were replaced in v8.2:
- proxy.config.ssl.server.cipherlist_suffix replaces proxy.config.ssl.server.cipherlist
- proxy.config.ssl.client.cipherlist_suffix replaces proxy.config.ssl.client.cipherlist
The non-default cipherlist in use prior to the upgrade is saved as a comment in records.config, where it can be used for reference. Default values for the new variables are put in place during the upgrade and can be reconfigured after the upgrade is complete.
See Content Gateway Manager Help for more information on how these new variables work with proxy.config.ssl.server.cipherlist_option and proxy.config.ssl.client.cipherlist_option to create cipher lists.
- The Tunnel Skype option on the Configure > Protocols > HTTPS page of Content Gateway Manager was removed in v8.3. Variables stored in the records.config file that apply to Skype are removed during upgrades from v8.1 or v8.2.
- The settings on the Configure > Networking > Connection Management > Low Memory Mode page of Content Gateway manager were removed in v8.3. Corresponding variables stored in the records.config file are removed by upgrades from v8.1 or v8.2.
- If LOW encryption cipher suites was previously selected on the Configure > SSL > Decryption/Encryption > Inbound or Outbound pages of Content Gateway manager, upgrades from v8.1 or v8.2 change the setting to MEDIUM. LOW is no longer a valid option on those pages.
The corresponding records.config variables are also updated by the upgrade.
- During upgrades from v8.1 or v8.2, the Enable the certificate verification engine option on the Configure > SSL > Validation > General page of Content Gateway manager is set to ON for any deployment that does not already have the feature enabled.
- In v8.3, and continued in v8.4 and v8.5, improvements were made to the Adaptive Redirection Module (ARM). The ARM component now uses iptables, policy routing, and transparent sockets, which are configured during product installation or upgrade.
The Content Gateway Manager was changed to reflect these improvements.
- The Network Address Translation (NAT) section of the Configure > Networking > ARM > General page has been renamed to Redirection Rules to better reflect the contents of the table.
- Text on that page has also been updated.
To facilitate interception and redirection of traffic:
- IPTables rules are configured during upgrade.
- Forcepoint IPTables chains are inserted.
- Forcepoint IPTables rules are also inserted into existing chains.
- Forcepoint chains and rules use “NC_” as a prefix for identification purposes.
- IPTables rules configured outside of Content Gateway Manager must:
- Be inserted after Forcepoint rules.
- Never be added to Forcepoint chains.
- Forcepoint chains and rules should never be edited.
- If customized chains or rules impact the Forcepoint configuration, navigate to /opt/wcg/bin and execute the following to re-establish the Forcepoint IPTables chains and rules:
netcontrol.sh -r
For some customers, the GRE Packet Return Method (GRE return) may not behave as expected. In all cases, GRE return as documented by Cisco is fully functional. However, tunneling back through a router (enhanced GRE tunnel return) now requires a specific kernel module. Contact Forcepoint Technical Support to enable this functionality.
To provide more appropriate statistical data for the new ARM, the Bypass Statistics now provide information for:
- Total Packets Bypassed
- Packets Dynamically Bypassed
- DNS Packets Bypassed
- Packets Shed
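One way to confirm the ordering rules above after you have added your own iptables rules is to audit the live rule set. The script below is an added example and is not part of the Forcepoint product: for one table's `iptables -S` listing it finds, in every non-NC_ chain, any rule that was appended ahead of the last rule referencing a NC_ chain (by jump or comment), and it reports when no NC_ chain exists at all, which is the case for running netcontrol.sh -r. The NC_ prefix comes from the page; the chain names in the test data and the function names are this example's own. It treats any rule that does not mention NC_ as local, so a Forcepoint rule inserted into an existing chain without that marker would be misreported, and it cannot tell a foreign rule inside a NC_ chain from a Forcepoint one; those chains still have to be read by eye.

```shell
#!/bin/sh
# Added example (not Forcepoint tooling): check that locally added iptables
# rules sit after the Forcepoint ARM rules. Forcepoint chains, and the rules
# that reference them, carry the "NC_" prefix (per the page); any other rule
# appended to a non-NC_ chain is treated as local.

# arm_iptables_audit < "iptables -t TABLE -S" output
# Prints findings; returns 1 if a chain has a local rule ahead of its last
# NC_ rule, or if no NC_ chain is defined at all.
arm_iptables_audit() {
    awk '
        # "-N NC_x": a Forcepoint chain definition
        $1 == "-N" && $2 ~ /^NC_/ { nchains++; next }
        # rules appended to any non-Forcepoint chain, in listing order
        $1 == "-A" && $2 !~ /^NC_/ {
            chain = $2
            n[chain]++
            if ($0 ~ /NC_/) { last_nc[chain] = n[chain] }
            else { loc[chain, n[chain]] = $0 }
        }
        END {
            for (chain in last_nc) {
                cnt = 0
                for (i = 1; i < last_nc[chain]; i++) {
                    if ((chain, i) in loc) {
                        cnt++
                        if (cnt == 1) first = loc[chain, i]
                    }
                }
                if (cnt > 0) {
                    printf "VIOLATION: %s has %d local rule(s) ahead of the last NC_ rule, first: %s\n", chain, cnt, first
                    bad++
                }
            }
            if (nchains == 0) {
                print "VIOLATION: no NC_ chains defined; run /opt/wcg/bin/netcontrol.sh -r"
                bad++
            } else {
                printf "OK: %d NC_ chain(s) defined\n", nchains
            }
            exit bad ? 1 : 0
        }
    '
}

# arm_iptables_audit_live: audit each table separately, because chain names
# such as OUTPUT exist in more than one table. Needs root for iptables -S.
arm_iptables_audit_live() {
    rc=0
    for t in filter nat mangle; do
        echo "== table $t"
        iptables -t "$t" -S | arm_iptables_audit || rc=1
    done
    return $rc
}
```

Run arm_iptables_audit_live on the proxy host after adding custom rules and after any netcontrol.sh -r; a non-zero exit is the signal to move the offending rules below the Forcepoint ones.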
- A change was made in v8.4 to resolve customer issues with SSL retry logic. The default values for the following records.config variables are reset to 1 during an upgrade from v8.1, v8.2, or v8.3:
proxy.config.http.connect_attempts_max_retries
proxy.config.http.connect_attempts_max_retries_dead_server
- Automatic updates to the Certificate Authority tree were added in v8.4.
After upgrading from v8.1, v8.2, or v8.3, the initial CA tree update converts to private CAs any CA that is in your deployment but not in the v8.5 CA database, any CA that is no longer a root CA, and any CA that is no longer trusted. The same update removes expired CAs.
After the initial update, review the CA tree on the Configure > SSL > Certificates page of Content Gateway manager and remove any certificates that are no longer trusted or may be revoked.
- With v8.5, the default IPTables rules include a rule that drops traffic that is neither HTTP, HTTPS, nor FTP rather than forwarding it through the proxy.
On upgrade, this rule is not added by default. To add the rule, so that traffic that is neither HTTP, HTTPS, nor FTP is not forwarded, add the following to records.config (located in /opt/WCG/config, by default):
CONFIG proxy.config.arm.forward_unwanted_traffic INT 0
After this entry is added and Content Gateway is restarted, an IPTables rule is added and traffic that is neither HTTP, HTTPS, nor FTP is no longer forwarded.
- For customers who have purchased the v8.5.x Protected Cloud Apps feature, the setting for Parent Proxy on the Configure > Content Routing > Hierarchies page of Content Gateway Manager will be enabled. If you previously enabled and configured Parent Proxy and later disabled the option, the configured settings will be used and should be updated as necessary.
- With v8.5.x, TLSv1 on the Configure > SSL > Decryption/Encryption page (Inbound and Outbound tabs) and on the Configure > Security > FIPS page of Content Gateway Manager is no longer selected by default. Options for TLSv1.1 and TLSv1.2 were added and are enabled by default.
During upgrade, if HTTPS (SSL) was enabled on the Configure > My Proxy > Basic > General page of Content Gateway Manager prior to upgrade, the SSL settings are not changed, so a deployment that had TLSv1 selected keeps it until you clear the option yourself.
If HTTPS (SSL) is enabled after the upgrade, the settings are handled like a fresh installation of the product: TLSv1.1 and TLSv1.2 are enabled by default and TLSv1 is not.
- Beginning with v8.5.3, Content Gateway no longer accepts or downloads SHA-1 intermediate certificates. SHA-1 certificates that were added by Content Gateway are removed during an upgrade to v8.5.3 or v8.5.4. Note that SHA-1 certificates that were manually added are not deleted.
A new variable was added in v8.5.3 that disables the automatic adding of new certificates to the certificate database. Upgrades to v8.5.3 or v8.5.4 add this parameter to records.config, set to the default behavior (1).
To disable the default behavior, edit the following in records.config (located in /opt/WCG/config, by default):
CONFIG proxy.config.ssl.cert.verify.add_cert_to_database INT 0
Reset the value to 1 to restore the default behavior.
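The CA-tree update described under v8.4 and the SHA-1 removal above both act only on certificates Content Gateway added itself; anything you imported by hand stays until you remove it. The script below is an added example, not Forcepoint tooling, for triaging those manual additions. It assumes you have exported them as PEM files into one directory (the page does not describe the certificate database format or an export path, so that is an assumption of this example) and, for each file, reports the signature algorithm, whether it is SHA-1 based, and whether it has expired, using openssl. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not Forcepoint tooling): flag manually added CA certificates
# that the automatic CA-tree cleanup would not touch: SHA-1 signatures and
# expired validity. Assumes the certificates were exported as PEM files into
# a directory (an assumption; the page does not describe an export path).

# cert_weak_sig < "openssl x509 -noout -text" output
# Returns 0 if the certificate is signed with SHA-1 (RSA or ECDSA).
cert_weak_sig() {
    grep -Eiq 'Signature Algorithm: *(sha1with|ecdsa-with-sha1)'
}

# cert_report FILE: print "<file> sig=<alg> sha1=<yes|no> expired=<yes|no>"
cert_report() {
    f="$1"
    text=$(openssl x509 -noout -text -in "$f" 2>/dev/null) || {
        echo "$f: not a parseable X.509 certificate" >&2
        return 2
    }
    sig=$(printf '%s\n' "$text" | awk -F': *' '/Signature Algorithm:/ { print $2; exit }')
    if printf '%s\n' "$text" | cert_weak_sig; then sha1=yes; else sha1=no; fi
    # -checkend 0 fails when notAfter is already in the past
    if openssl x509 -noout -checkend 0 -in "$f" >/dev/null 2>&1; then
        expired=no
    else
        expired=yes
    fi
    printf '%s sig=%s sha1=%s expired=%s\n' "$f" "$sig" "$sha1" "$expired"
}

# scan_cert_dir DIR: report every .pem/.crt file; return 1 if any is flagged,
# so the scan can gate the post-upgrade review of the CA tree.
scan_cert_dir() {
    dir="$1"; flagged=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        line=$(cert_report "$f") || continue
        echo "$line"
        case "$line" in
            *sha1=yes*|*expired=yes*) flagged=$((flagged + 1)) ;;
        esac
    done
    echo "flagged: $flagged"
    [ "$flagged" -eq 0 ]
}
```

Anything the scan flags is a candidate for removal on the Configure > SSL > Certificates page; the script does not decide trust for you, it only surfaces the two properties the upgrade logic keys on.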
- Version 8.5.3 adds the ability to manually add a dynamic certificate key. Each key requires a passphrase. Both the key and passphrase are stored in the certificates database.
- With v8.5.4, a setting was added to Content Gateway manager that enables authentication of HTTPS requests over HTTPS, using port 4443.
Open Content Gateway manager, navigate to Configure > Security > Access Control, and select Global Authentication Options. A new Redirect Options section contains the Redirect Hostname entry field as well as the option to Redirect for HTTPS Authentication.
The option is disabled by default; click Enabled to direct all HTTPS requests to authenticate over HTTPS. Because clients are redirected to the Redirect Hostname over TLS, that name should match the certificate the proxy presents on port 4443, or browsers will warn before the authentication page loads.
Changing the manager options also sets a new records.config variable:
proxy.config.auth.ssl_auth_url
- Custom certificates added for use with Captive Portal are not retained when upgrading to v8.5.x. These certificates must be re-added after the upgrade is completed.
- A new SOCKS server rule of the "Do not route through SOCKS server" type has been added to ensure that traffic that does not need to be directed through a SOCKS server is not sent there. This avoids SOCKS server issues that may result from excessive load.
This rule is also added when upgrading to v8.5.4, v8.5.5, or v8.5.6.
Note: SOCKS traffic from the IP range included in the rule will be routed through a SOCKS server.
- To fix a vulnerability, the default values for the following records.config variables were changed in v8.5.4 and are updated to the new defaults when upgrading:
proxy.config.ssl.server.cipherlist_suffix
proxy.config.ssl.client.cipherlist_suffix
See Content Gateway Manager Help for more information on how these variables work.
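The records.config changes called for on this page (the v8.2 header-forwarding flags, the v8.5 forward_unwanted_traffic rule, the v8.5.3 add_cert_to_database switch, the v8.4 retry defaults and the cipherlist_suffix defaults) are all edits to the same file, so it pays to apply them idempotently and then read back what is actually in force. The following script is an added example, not Forcepoint's own tooling: records_set rewrites an existing CONFIG line in place or appends one, keeping a .bak copy; records_get reads the value of the last active line for a variable; records_audit prints the upgrade-related variables named on this page and lists any commented-out line mentioning a cipherlist, which is where the upgrade parks the pre-upgrade value. The path /opt/WCG/config/records.config is the one the page gives; the function names and the --audit flag are this example's own.

```shell
#!/bin/sh
# Added example (not Forcepoint tooling): idempotent records.config edits and
# a read-back of the upgrade-related variables named on this page.
# Default path is the page's /opt/WCG/config/records.config; override with
# RECORDS_CONFIG when working against a copy.

RECORDS_CONFIG="${RECORDS_CONFIG:-/opt/WCG/config/records.config}"

# records_get FILE VAR: print the value of the last active (non-comment)
# CONFIG line for VAR, or nothing if it is not set. Values may contain spaces.
records_get() {
    awk -v var="$2" '
        $1 == "CONFIG" && $2 == var {
            val = $4
            for (i = 5; i <= NF; i++) val = val " " $i
            found = 1
        }
        END { if (found) print val }
    ' "$1"
}

# records_set FILE VAR TYPE VALUE: rewrite the existing CONFIG line for VAR
# in place (keeping its position), or append one if absent. Keeps FILE.bak.
records_set() {
    f="$1"; var="$2"; type="$3"; val="$4"
    cp "$f" "$f.bak" || return 1
    awk -v var="$var" -v type="$type" -v val="$val" '
        $1 == "CONFIG" && $2 == var { print "CONFIG " var " " type " " val; done = 1; next }
        { print }
        END { if (!done) print "CONFIG " var " " type " " val }
    ' "$f.bak" > "$f"
}

# records_audit FILE: show the variables this page's upgrade notes touch, then
# any commented-out line mentioning a cipherlist (reference only, not in force).
records_audit() {
    f="$1"
    for var in proxy.config.http.insert_xua_to_external \
               proxy.config.http.insert_xff_to_external \
               proxy.config.arm.forward_unwanted_traffic \
               proxy.config.ssl.cert.verify.add_cert_to_database \
               proxy.config.http.connect_attempts_max_retries \
               proxy.config.http.connect_attempts_max_retries_dead_server \
               proxy.config.ssl.server.cipherlist_suffix \
               proxy.config.ssl.client.cipherlist_suffix \
               proxy.config.auth.ssl_auth_url; do
        v=$(records_get "$f" "$var")
        printf '%-60s %s\n' "$var" "${v:-<unset>}"
    done
    echo "-- commented cipherlist lines preserved by the upgrade:"
    grep -n '^#.*cipherlist' "$f" || echo "   (none)"
}

# Run the audit only when invoked as a script with --audit, so the functions
# can be sourced without touching the live file.
if [ "${1:-}" = "--audit" ]; then
    records_audit "$RECORDS_CONFIG"
fi
```

As the page notes for forward_unwanted_traffic, restart Content Gateway after editing records.config so the new values take effect, then run the audit again to confirm what the proxy started with.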
- The Session Cache section, previously available on Configure > SSL > Decryption / Encryption > Outbound was removed in v8.5.4 to avoid Content Gateway restarts. Upgrades to v8.5.4 or v8.5.5 or v8.5.6 will automatically disable these options if they had been previously enabled.