Step 3: Prepare to upgrade Content Gateway

Note:

Make sure the server hosting Content Gateway is allowed external connectivity and can reach the domains listed below.

  • download.forcepoint.com
  • ddsdom.forcepoint.com
  • ddsint.forcepoint.com
  • download.websense.com

Constant access to these domains is recommended because various product services, including (but not limited to) the URL database, AV definitions, and licensing, need an open connection to Forcepoint for maintenance, updates, or validation.

DNS queries can narrow down the relevant servers for your location. A prolonged period of more than two weeks without connectivity may result in license invalidation, and policy enforcement will no longer occur.

Before upgrading Content Gateway, be aware of the following:

  • Most SSL configuration settings are saved and applied to the upgraded Content Gateway, except for dynamic certificates. Note that:
    • The Incident list is retained. Before upgrading, consider performing maintenance on the Incident list; remove unwanted entries.
    • SSLv2 is not enabled by default. If it is enabled prior to upgrade, the setting is retained.
  • For user authentication, there is one credential cache for both explicit and transparent proxy mode, and one Global Authentication Options page for setting the caching method and Time-To-Live.

    During upgrade, the Cache TTL value is retained from the Transparent Proxy Authentication tab unless the value on the Global Authentication Options tab is not the default. In this case, the customized value is used.

  • If you use Integrated Windows Authentication (IWA), be aware that IWA domain joins should be preserved through the upgrade process. However, in case the joins are dropped, make a record of the settings before starting the upgrade. Log on to the Content Gateway manager and record the IWA settings, including the names of domains to which IWA is joined. Keep this record where it is easily retrieved after the upgrade.
  • If you have software instances of Content Gateway, make sure the host system meets the following hardware requirements before upgrading:
    • CPU: Quad-core running at 2.8 GHz or faster
    • Memory: 6 GB minimum, 8 GB recommended
    • Disk space: 2 disks:
      • 100 GB for the operating system, Content Gateway, and temporary data.
      • Max 147 GB for caching

        If caching will not be used, this disk is not required. The caching disk:

        • Should be at least 2 GB and no more than 147 GB
        • Must be a raw disk, not a mounted file system
        • Must be dedicated
        • Must not be part of a software RAID
        • Should be, for best performance, a 10K RPM SAS disk on a controller that has at least 64 MB of write-through cache
    • Network interfaces: 2
  • In addition, to support transparent proxy deployments:
    • Router:

      Must support WCCP v2.

      A Cisco router must run IOS 12.2 or later. The latest version is recommended.

      To support IPv6, WCCP v2.01 and Cisco router version 15.4(1)T or later are required.

      Client machines, the destination Web server, and Content Gateway must reside on different subnets.

    —or—

    • Layer 4 switch:

      You may use a Layer 4 switch rather than a router.

      To support WCCP, a Cisco switch requires the EMI or IP services image of the 12.2SE IOS release (or later).

      Content Gateway must be Layer 2 adjacent to the switch.

      The switch must be able to rewrite the destination MAC address of frames traversing the switch.

      The switch must be able to match traffic based on the layer 4 protocol port (i.e., TCP port 80).
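
The caching-disk requirements listed above (size between 2 GB and 147 GB, raw and unmounted, not part of a software RAID) can be checked on a Linux host before the upgrade. The script below is an added example, not Forcepoint tooling; it assumes `lsblk` is available and that 1 GB means 10^9 bytes, and the function names, the device name and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a candidate caching disk against the requirements above.
# Assumption: "GB" is 10^9 bytes; the page does not say which unit it means.
MIN_BYTES=2000000000      # at least 2 GB
MAX_BYTES=147000000000    # no more than 147 GB

# Reads `lsblk -b -P -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT <dev>` rows on stdin,
# prints one FAIL line per violated requirement, returns 0 only if none failed.
evaluate_cache_disk() {
  awk -v min="$MIN_BYTES" -v max="$MAX_BYTES" '
    # Value of KEY="value" on the current row; parsed here, never passed to eval.
    function field(key,    v) {
      if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
      v = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", v); sub(/"$/, "", v)
      return v
    }
    {
      name = field("NAME"); type = field("TYPE")
      fs = field("FSTYPE"); mnt = field("MOUNTPOINT")
      if (NR == 1) {    # the first row is the device itself
        size = field("SIZE") + 0
        if (type != "disk") { print "FAIL " name ": not a whole disk"; bad = 1 }
        if (size < min) { print "FAIL " name ": smaller than 2 GB"; bad = 1 }
        if (size > max) { print "FAIL " name ": larger than 147 GB"; bad = 1 }
      }
      if (mnt != "") { print "FAIL " name ": mounted at " mnt; bad = 1 }
      if (fs == "linux_raid_member" || type ~ /^raid/) {
        print "FAIL " name ": part of a software RAID"; bad = 1
      }
    }
    END {
      if (NR == 0) { print "FAIL: no lsblk output"; bad = 1 }
      exit bad + 0
    }
  '
}

# Hypothetical wrapper for a real device, for example: check_cache_disk /dev/sdb
check_cache_disk() {
  lsblk -b -P -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT "$1" | evaluate_cache_disk
}

# Constructed sample rows for offline use (not from a real system).
SAMPLE_OK='NAME="sdb" SIZE="146815733760" TYPE="disk" FSTYPE="" MOUNTPOINT=""'
SAMPLE_BAD='NAME="sdc" SIZE="300000000000" TYPE="disk" FSTYPE="linux_raid_member" MOUNTPOINT=""
NAME="md0" SIZE="299000000000" TYPE="raid1" FSTYPE="ext4" MOUNTPOINT="/data"'
if [ -n "${1:-}" ]; then check_cache_disk "$1"; fi
```

Run the script with the candidate device as its only argument. It does not verify that the disk is dedicated or what write cache the controller has; confirm those by hand.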