SSL Manager clustering

When SSL Manager clustering is configured, the following configuration settings are propagated:

The IP address of the primary

Certificates - Certificate Authorities

Certificates - Add Root CA

Certificates - Restore Certificates

Decryption / Encryption: all settings

Validation: all settings

Client Certificates: all settings

Logging: all settings

Internal Root CA - Import Root CA

Internal Root CA - Create Root CA

Dynamically generated certificates and incidents

Configuring SSL Manager clustering:

1.	Configure and start Management Clustering. See Changing clustering configuration.

2.	On any node in the cluster, log on to Content Gateway Manager.

3.	Go to the Configure > My Proxy > Basic > Clustering tab.

4.	In the SSL Manager Configuration Server field, enter the IP address of the SSL Manager Configuration Server (the primary). (If the field is not editable, the system is not a member of a cluster.)

5.	Click Apply and restart Content Gateway. Note that all Content Gateway nodes are restarted. The restart identifies the primary to all cluster members and activates SSL clustering.

The configuration can be confirmed on the Monitor > My Proxy > Summary page, at the bottom of the Node Details section. If the SSL Manager Configuration Server IP address is a link, the server is another node in the cluster. Click the link to log onto the SSL Manager Configuration Server.

mportant tips for backing up or restoring both Web Security and the TRITON console

When you are getting ready to restore an existing TRITON console or Websense Web Security configuration from backup, keep the following points in mind:

As a best practice, when you restore a previous TRITON console configuration, also use a backup file created in the same time period as the TRITON console backup file to restore configuration information for your filtering components.

If you are restoring both management and filtering components, do not restart the management components (listed below) until after the filtering component restore process is complete.

Before restoring a previous Websense Web Security configuration (for example, on the Policy Broker machine or full policy source appliance), stop the following TRITON console and Web reporting components:

Websense TRITON Unified Security Center

Websense TRITON Web Server

Websense TRITON - Web Security

Websense Web Reporting Tools

Websense RTM Server

Websense RTM Database

Websense RTM Client

Before restoring a TRITON console configuration, stop the following components:

Websense TRITON Unified Security Center

Websense TRITON Web Server

Websense TRITON - Web Security

If administrators receive a browser 404 error when they attempt to log on to the TRITON console after a restore process is complete, use the Windows Service Control Manager to restart the Websense TRITON Unified Security Center service.

How do I back up and restore Data Security software

Configuring and running the Data Security backup task

To configure the Data Security backup process:

1.	Log on to TRITON - Data Security and go to the Settings > General > System > Backup page.

2.	Enter a Path for storing backup files and, if necessary, Credentials for an account with read, write, and delete privileges to the path.

3.	Enter a value between 1 and 60 in the How many backup copies do you want to keep? field to specify how many separate backups to maintain (5, by default).

Each backup is stored in a separate folder. When the maximum number of copies is reached, Data Security reuses the oldest folder, overwriting the previous information.

4.	Indicate whether or not to include forensics in the backup.

5.	Click OK to save the settings.

Schedule backups when the system isn't under significant load. Each backup contains a complete snapshot of the system. The process collects needed information from other Data Security machines.

To schedule the backup task on a Windows Server 2008 machine:

1.	On the Data Security Management Server, go to Start > Administrative Tools > Task Scheduler.

2.	In the Task Scheduler window, select Task Scheduler Library.

3.	Right-click the DSS Backup task and select Enable.

4.	Right-click DSS Backup again and select Properties, then select the Triggers tab.

5.	Click Edit, and edit the schedule as required.

6.	Click OK twice.

If requested, enter your administrator password for the Data Security Management Server machine to confirm the changes to the task.

To schedule the backup task on a Windows 2003 machine:

1.	Open Windows Control Panel on the Data Security Management Server and select Scheduled Tasks.

2.	Double-click the DSS Backup task, then select the Schedule tab.

3.	Edit the schedule as necessary.

4.	On the General or Task tab (depending on your operating system), select the Enabled check box, then click OK.

To run the task immediately, right-click DSS Backup and select Run.

Restoring your Data Security configuration

1.	Make sure all Data Security modules—servers, agents, protectors—are registered with the Data Security Management Server and the system is operating normally.

2.	On the Data Security Management Server, open the Windows Control Panel and select Add/Remove Programs (Windows 2003) or Programs > Uninstall a program (Windows 2008).

3.	Select Websense Data Security, then click Change/Remove (Windows 2003) or Uninstall/Change (Windows 2008).

4.	When asked if you want to add, remove, or modify Data Security, select Modify.

5.	Click Next until you get to the Restore Data from Backup screen.

6.	Select the Load Data From Backup check box and click Browse to locate the backup file.

7.

Select the Clear Forensics since last backup check box if you want to use only the stored forensics from your backup file; this will remove all forensics gained since the last backup. (Leaving it unchecked means that your forensics data after the restore will include the backed-up forensics and the forensics added since that backup.)

8.	Click Next until the restore procedure begins.

During the restore process, a command window appears. Although it may remain for some time, it will close when the recovery is complete.

The restore operation completely erases all policies and data (and, if checked, forensics) of the current system, and replaces them with the backed-up data.

9.	Complete the restore wizard.

To review the restore activity, read the DataRestore.log file located in the backup folder (for example, MM-DD-YYYY-HH-MM-SS).

10.	Log onto TRITON - Data Security and click Deploy.

If the backup system contains many policies, it may take a while to load the policies and deploy them.

How do I back up and restore Websense Content Gateway

Taking Content Gateway configuration snapshots

You can save all the current configuration settings on your Content Gateway system through Content Gateway Manager.

To take a configuration snapshot and save it on the local system

1.	Navigate to Configure > Snapshots > File System.

2.

The Change Snapshot Directory field displays the name of the directory where Content Gateway saves configuration snapshots. The default location is the Content Gateway config/snapshots/ directory. To change the directory, enter the full path in the Change Snapshot Directory field. If you enter a relative path, Content Gateway assumes that the directory is relative to the /opt/WCG/config/ directory.

3.	In the Save Snapshot field, type the name you want to use for the current configuration.

4.	Click Apply.

To take a configuration snapshot and save it on an FTP server

1.	Navigate to Configure > Snapshots > FTP Server.

2.	In the fields provided, enter the FTP server name, the login and password, and the remote directory where the FTP server stores configuration snapshots.

3.	Click Apply.

After you have successfully logged on to the FTP server, the FTP Server page displays additional fields.

4.	In the Save Snapshot to FTP Server field, enter the name of the configuration snapshot you want to take.

5.	Click Apply.

Restoring Content Gateway configuration snapshots

If you are running a cluster of Content Gateway servers, the configuration is restored to all the nodes in the cluster.

To restore a configuration snapshot stored on the local node

1.	Navigate to the Configure > Snapshots > File System tab.

2.	From the Restore > Delete Snapshot drop-down list, select the configuration snapshot that you want to restore.

3.	Click the Restore Snapshot from "<directory_name>" Directory box.

4.	Click Apply.

The Content Gateway system or cluster uses the restored configuration.

To restore a configuration snapshot from an FTP server

1.	Navigate to Configure > Snapshots > FTP Server.

2.	In the fields provided, enter the FTP server name, the login and password, and the remote directory in which the FTP server stores configuration snapshots.

3.	Click Apply.

After you have successfully logged on to the FTP server, the FTP Server tab displays additional fields.

4.	In the Restore Snapshot drop-down list, select the configuration snapshot that you want to restore.

5.	Click Apply.

The Content Gateway system or cluster uses the restored configuration.

How do I back up and restore the TRITON infrastructure

Running immediate TRITON infrastructure backups

Before running a manual backup, make sure that all administrators are logged out of the TRITON Unified Security Center.

To launch an immediate backup:

1.	On the TRITON Management Server, go to Start > Administrative Tools > Task Scheduler.

2.	In the Task Scheduler window, select Task Scheduler Library.

 

Note  If you are using Windows Server 2003, open Windows control panel on the TRITON Management Server and select Scheduled Tasks.

3.	If the Triton Backup task is disabled, right-click the task and select Enable.

4.	Right-click the Triton Backup task and select Run.

Restoring TRITON infrastructure backup data

You can activate the restore operation from the TRITON Infrastructure "Modify" wizard. Make sure that all administrators are logged off of the TRITON Unified Security Center.

Before starting the restore process, it is recommended that you stop the TRITON Unified Security Center service. If you are running a Websense Web Security solution, see Important tips for backing up or restoring both Web Security and the TRITON console.

To restore TRITON infrastructure data:

1.	On the TRITON Management Server, go to Start > Administrative Tools > Services.

2.	Right-click the Websense TRITON Unified Security Center service and select Stop. (You may also need to stop Web Security services. See the article linked above.)

3.	Open the Windows control panel and select Programs > Programs and Features, then select Websense TRITON Infrastructure.

4.	Click Uninstall/Change.

5.	When asked if you want to modify, repair, or remove the TRITON Infrastructure, select Modify.

6.	Click Next until you get to the Restore Data from Backup screen.

7.	Mark the Use backup data box and click the Browse button to locate the backup folder.

8.	Click Next until you begin the restore process.

9.	Click Finish to complete the restore wizard.

10.	Go back to the Services window and click Refresh. If the Websense TRITON Unified Security Center service (or any other service that you stopped manually) has not restarted, right-click it and select Start.

Once the restore process is complete, a file named DataRestore.log is created in the date-stamped backup folder that was used for the restore.

How to migrate 7.1 and 7.5 policies to 7.6

Problem Description

How do I move policies from a version 7.1 or 7.5 Websense Web Security deployment to version 7.6 without performing an upgrade?

Resolution

The recommended method for migrating from version 7.1 or 7.5 to version 7.6 is via a standard upgrade. If you are migrating to new equipment, install your current version on the new machine, use the Backup Utility to move their existing configuration to the new installation, and then upgrade the new installation.
 

• Standard upgrade migration method 

If the recommended procedure is not possible, then use the following steps to perform the migration.


WARNING:  Error when running PgSetup on Linux:
 

• If running ./PgSetup on a Linux server produces a "Framework Library.so file that it can't find" error, then add a library path to the Websense bin directory by entering:
  • export LD_LIBRARY_PATH=/opt/Websense/bin
  • Or, before running PgSetup, execute the following from command from the Websense bin directory:
    • export LD_LIBRARY_PATH=.
      • Yes that is a period after the equals sign. It represents the current directory.

• Alternate error:
  
  /opt/Websense/bin/PgSetup: error while loading shared libraries: libWFCFramework.so: cannot open shared object file: No such file or directory

 

SECTION 1

On the v7.1 (or v7.5) machine:

1. Go to the Websense bin directory (C:\Program Files\Websense\bin\ or /opt/Websense/bin/, by default) and make a backup copy of the config.xml file.
2. From the same directory, use the appropriate command to back up the Policy Database. Note that the "--" in the commands below represents two dashes.
   • Linux:
     
        ./PgSetup --save 7x.policy_db
      
   • Windows:
     
        PgSetup --save 7x.policy_db
3. Place these files in a location that can be accessed from the v7.6 machine.

 

SECTION 2

On the v7.6 machine:

1. Use the Websense Backup Utility to run an immediate back up of the current, clean v7.6 configuration. To do this, go to the C:\Program Files (x86)\Websense\Web Security\bin directory (Windows) or /opt/Websense directory (Linux), and enter the following command:
   • Linux:
     • ./WebsenseTools -b -b -d <backup_file_directory>
   • Windows:
     • wsbackup -b -d <backup_file_directory>
2. Stop all Websense services. If Websense Manager or TRITON - Web Security is on another machine, stop all of the Websense Web Security services or daemons on any management console machine that connects to this Policy Broker.
3. Go to the Websense bin directory (C:\Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin, by default) and back up the config.xml file. Rename the copy config.xml.orig.
4. From the same directory, use the appropriate command to back up the Policy Database:
   • Linux:
     
        ./PgSetup --save 76.backup_policy_db
      
   • Windows:
     
        PgSetup --save 76.backup_policy_db
5. Store the backup files in a safe location.
6. While still in the Websense bin directory, restore the v7.1 (or v7.5) Policy Database as follows:
   • Linux:
     
        ./PgSetup --restore 7x.policy_db
      
   • Windows:
     
        PgSetup --restore 7x.policy_db
7. From the same directory, use the following command to update the v7.1 (or v7.5) Policy Database to v7.6:
   • Linux:
     
        ./PgSetup --upgrade
      
   • Windows:
     
        PgSetup --upgrade
8. To synchronize config.xml password with Policy Database:
   1. Open v7.1 (or v7.5) config.xml file and search for "Token" under the "BrokerService" container.
   2. Copy the "Token" value.
   3. Edit v7.6 config.xml file.
   4. Replace existing "Token" value with the one copied from the v7.1 (or v7.5) file.
   5. Save and close the config.xml file.
9. On the v7.6 system, rename the config.xml.bak file to config.xml.bak.old.

 
 Note:

If policies are imported to a new off-box server running Policy Broker / Policy Database and the V-Series appliance is being used in Policy-Lite mode (Policy Server, User Service, Filtering Service), then the Token within the config.xml file must be updated on the V-Series appliance as well.  You will need to contact Websense Technical Support for assistance to access the config.xml on the V-Series appliance.

SECTION 3

On the TRITON Management Server:

1. Ensure that all administrators are logged out of the TRITON Unified Security Center.
2. Ensure that the Websense TRITON Settings Database service is running.
3. Go to Start > Administrative Tools > Task Scheduler.
4. In the Task Scheduler window, select Task Scheduler Library. 
   • If you are using Windows Server 2003, open Windows control panel and select Scheduled Tasks.
5. If the Triton Backup task is disabled, right-click the task and select Enable.
6. Right-click the Triton Backup task and select Run. By default, the backup file save to C:\EIPBackup.
7. Continue with the appropriate section:
   • If TRITON - Web Security and Policy Broker are on the same machine, see SECTION 3A.
   • If TRITON - Web Security and Policy Broker are on separate machines, see SECTION 3B.
   • If TRITON - Web Security or Policy Broker are on a V-Series appliance, see SECTION 3C.

 

SECTION 3A

If TRITON - Web Security and Policy Broker are on the same machine:

1. Use the Windows Service Control Manager to start the Websense Policy Database, Websense Policy Broker, Websense Policy Server, and Websense TRITON Settings Database services, in that order.
2. From the Websense\EIP Infra\ directory, run the following command:
   
      MergeTRITONAdministrators.bat "..\Web Security\Manager\wsg_admins.conf"
    
3. Start the remaining Websense services.

 

SECTION 3B

If TRITON - Web Security is on another machine:

1. Use the Windows Service Control Manager or /opt/Websense/WebsenseDaemonControl script to start the Websense Policy Database, Websense Policy Broker, and Websense Policy Server, in that order.
2. Go to the machine where TRITON - Web Security is installed.
3. Use the Windows Service Control Manager to start the Websense TRITON Settings Database service.
4. From the Websense\EIP Infra\ directory, run the following command
   
      MergeTRITONAdministrators.bat "..\Web Security\Manager\wsg_admins.conf"
    
5. Start the remaining Websense services.

 

SECTION 3C (The following procedure requires assistance from Websense Tech Support)

If TRITON - Web Security or Websense Policy Broker is on a V-Series appliance:

1. In the WSE DomU, go to the /opt/Websense/ directory and enter the following command:
   
      ./WebsenseDaemonControl
    
2. Start the services in this order:
   1. Policy Database - B
   2. Policy Broker - C
   3. Policy Server - D
3. Go to the /opt/Websense/Manager/ directory and edit the wsg_admins.conf file as follows:
   
      wsg.ps.ipaddress=169.254.254.3
      wsg.ps.port=55806
      eip.application.adapter.order=wsg
      eip.to.eip.merge.scenario=false
      prefer.application.password=true
    
4. Update the wsg.ps.ipaddress field from 169.254.254.3 to the IP address of the C interface.
5. Go to the /opt/Websense/EIP_Infra/ directory and enter the following command:
   
      ./MergeTRITONAdministrators ../Manager/wsg_admins.conf
    
6. Go to the /opt/Websense directory and enter the following command:
   
      ./WebsenseAdmin restart