Installation Guide: Forcepoint Web

Security

Installation Guide | Forcepoint Web Security | v8.5.x | 29-April-2022

Use these instructions to complete a typical installation of Forcepoint™ Web Security.

In this configuration:
● The policy source (the standalone or primary Policy Broker and its Policy Server)
resides on the Forcepoint Security Manager (management server) machine.
■ This configuration is not required. Policy Broker and Policy Server may
reside on another Windows or Linux server, or on a Forcepoint Appliance.
■ Regardless of where they reside, always install a central Policy Broker and
Policy Server before installing any other components.
● Log Server resides on a dedicated Windows server.
● The reporting databases are hosted on a full version (not Express) of Microsoft
SQL Server on its own machine.
This procedure includes steps for installing the components required to enable the
Forcepoint Web Security Hybrid Module and Forcepoint Web Security DLP Module.
The installation process includes the following steps:
● Step 1: Prepare for installation, page 2
● Step 2: Start the management server installation, page 6
● Step 3: Install the Forcepoint Management Infrastructure, page 7
● Step 4: Install the Web management components, page 9
● Step 5: (Forcepoint Web Security DLP Module only) Install the Forcepoint DLP
management components, page 10
● Step 6: Install an instance of Filtering Service, page 11
● Step 7: Install Log Server and (optionally) Sync Service, page 16
● Step 8: (Forcepoint Web Security DLP Module only) Install Linking Service on the
management server, page 19
● Step 9: Install additional web protection components, page 19
● Step 10: Install Content Gateway, page 24
● Step 11: Post installation activities, page 37
● Step 12: Initial Configuration, page 38

Installation Guide  1
Step 1: Prepare for installation

Make sure the servers you intend to use meet or exceed the System requirements for
this version.

Prepare your database server

Make sure that:
● A supported version of Microsoft SQL Server is installed and running in your
network. See this article to see a list of supported versions.
● The latest service pack for your version has been applied.
● The SQL Server Agent service is running on the database host.
● The database host can be reached from the machine that will host the management
server.
● You have identified a SQL Server or Windows Trusted account with appropriate
permissions to create the database and run SQL Agent jobs.
See Installing with SQL Server for details on the necessary permissions.

Note
An end user whose requests are managed by Filtering
Service has no direct or indirect influence over the
database. Although the log entry for each request is
stored in the SQL Server database, the user does not
direct its storage and cannot retrieve the record.
The only interface to the database itself is from Log
Server, the reporting services, and the management
console. Filtering Service and Content Gateway do not
access the database, but instead send information via
Log Server.

Prepare your Windows servers

Because Forcepoint Web Security management and reporting components can only
reside on Windows servers, prepare at least two Windows servers: one to be the
management server and one to host Log Server (and optionally Sync Service).
Before starting the installation process, on every Windows server that will host
Forcepoint Web Security components, do the following:

2  Forcepoint Web Security

1. Make sure there are no underscores in the machine’s fully-qualified domain name
(FQDN). The use of an underscore character in an FQDN is inconsistent with
Internet Engineering Task Force (IETF) standards.

Note
Further details of this limitation can be found in the IETF
specifications RFC-952 and RFC-1123.

2. Make sure all Microsoft updates have been applied. There should be no pending
updates, especially any requiring a restart of the system.
3. Verify that there is enough disk space to download the installer, extract temporary
installation files, and install the management components on the Windows
installation drive (typically C).
4. Make sure that .NET Framework versions 3.5 and 4.5 are installed.
■ Windows Server 2008 R2 (v8.5 only): You can use Server Manager to install
.NET 3.5. Usually the feature is on by default. You must download .NET 4.5
from the Microsoft site.
■ Windows Server 2012 or 2012 R2: Both .NET 3.5 and .NET 4.5 can be
installed using the Server Manager. Usually, v3.5 is off by default and v4.5 is
on by default. Turn them both on.
Note that .NET Framework 4.5 must be installed before adding any language
packs to the operating system (as noted in the following article from Microsoft:
https://msdn.microsoft.com/en-us/library/5a4x27ek(v=vs.110).aspx#To install
language packs.).
5. Synchronize the clocks on all machines (including appliances) where a
component will be installed. It is a good practice to point the machines to the same
Network Time Protocol server.
6. Disable the antivirus software on the machine before installation. After
installation, before restarting your antivirus software, see this section of the
Deployment and Installation Center.
7. Disable any firewall on the machine before starting the installer and then re-
enable it after installation. Open ports as required by the components you have
installed, and make sure that required ports are not being used by other local
services on the machine.
■ Some ports are used only during installation and can be closed once
installation is complete.
■ See the Web tab of the Forcepoint Ports spreadsheet for more information
about ports.
8. Disable User Account Control (UAC) and Data Execution Prevention (DEP)
settings, and make sure that no Software Restriction Policies will block the
installation.
9. Copy the Forcepoint Security Installer (Forcepoint85xSetup.exe) to a temporary
directory on the machine.

Installation Guide  3
 Find the installer executable on the Downloads menu of the Forcepoint Customer
Hub. You can download the installer to your network, then copy it to each
Windows server that will host Forcepoint components.
Note that the installer is quite large, so the download process may take some time.

Potential issue when installing v8.5.4 and v8.5.5

A security update done for the v8.5.4 product release has resulted in a new
requirement for a specific dynamic-link library (dll) when installing v8.5.4 or F8.5.5
Forcepoint Web Security software on a Windows platform.
If you have not recently downloaded the Visual C++ Redistributable Package from
Microsoft, it is likely that the installation will prompt with the error “Installation failed
with error code 3004”. The log file generated by the installation process, available in
the Temp folder of the user running the installer, will contain a line similar to:
java.lang.UnsatisfiedLinkError:
C:\Users\Administrator\AppData\Local\Temp\2\I1588276985\Windows\resource
\jre\bin\freetype.dll: Can't find dependent libraries
The dependency referenced in this log entry is for vcruntime140.dll, a file that is part
of the Redistributable Package.
Should the error occur during the installation process:
1. Close the error window but do NOT stop the install process. Leave the installer
window open.
2. Locate the latest 64-bit Redistributable Package for your Windows version from
this site.
3. Download and install the package.
4. Return to the installation window and continue the process.

Prepare your Linux servers

Before starting the installation process, on every Linux server that will host
Forcepoint Web Security components, do the following:
1. If SELinux is enabled, disable it or set it to permissive.
2. If a firewall is active, open a command shell and use the appropriate command,
based on your operating system, to shut down the firewall before running the
installation.
After installation, restart the firewall. In the firewall, be sure to open the ports
used by web protection components installed on this machine. See the Web tab of
the Forcepoint Ports spreadsheet for more information about ports.

Important
Do not install Network Agent on a machine running a
firewall. Network Agent uses packet capturing that may
conflict with the firewall software.

4  Forcepoint Web Security

3. If you receive an error during installation regarding the /etc/hosts file, use the
following information to correct the problem.
Make sure the hosts file contains a hostname entry for the machine, in addition to
the loopback address. (Use the hostname -f command to check this.)
To configure a hostname:
a. Enter the following command:
hostname <host>
b. Update the HOSTNAME entry in the /etc/sysconfig/network file:
HOSTNAME=<host>
c. In the /etc/hosts file, specify the IP address to associate with the hostname.
This should be static, and not served by DHCP. Do not delete the second line
in the file (the IPv4 loopback address) or the third line in the file (the IPv6
loopback address).
<IP address> <FQDN> <host>
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
Here, <FQDN> is the fully-qualified domain name of this machine (i.e.,
<host>.<subdomains>.<top-level domain>)—for example,
myhost.example.com—and <host> is the name assigned to the machine.

Important
The hostname entry you create in the hosts file must be the
first entry in the file.

4. Your web protection software supports only TCP/IP-based networks. If your

network uses both TCP/IP- and non-IP-based network protocols, only users in the
TCP/IP portion of the network are filtered.
5. Make sure the following are installed.
■ haveged service
Make sure this service is running.
■ xorg-x11-fonts-Type1
■ dejavu-serif-fonts
The installer will check for these and display a message with instructions on how
to install if any are not found.
6. Copy the Web Security Linux installer (Web85xSetup_Lnx.tar.gz) to the
machine:
a. Log on to the installation machine with full administrative privileges
(typically, root) and create a setup directory for the installer files. For
example:
/root/Websense_setup
b. Find the installer executable on the Downloads menu of the Forcepoint
Customer Hub. You can download the installer to your network, then copy it
to each Linux server that will host Forcepoint components.

Installation Guide  5
 c. Enter the following to uncompress and extract files:
tar -xvzf Web85xSetup_Lnx.tar

Prepare for appliance installation

Refer to the Firstboot Wizard section of the Forcepoint Appliances Getting Started
Guide and gather information as instructed under “Gather data for firstboot”.

Step 2: Start the management server installation

Before installing management server components on a supported Windows server,

make sure you have prepared the machine (including downloading the installer file) as
described in Prepare your Windows servers, page 2.

Important
If, during the installation process, you encounter the error
“Installation failed with error code 3004”, refer to
Potential issue when installing v8.5.4 and v8.5.5 for
instructions.

To begin the installation process:

1. Log on to the machine.
2. Use the Run as administrator option to launch the Forcepoint85xSetup.exe
installer.

Important
If you are installing Forcepoint DLP components, run the
installer using a dedicated account that you want services
to use when interacting with the operating system. Do not
change this account after installation. If you must change
the account, contact Technical Support first.

After a few seconds, a progress dialog box appears, as files are extracted.
3. On the Welcome screen, click Start.
4. On the Subscription Agreement screen, select I accept this agreement, then click
Next.
5. On the Installation Type screen:
a. Select Forcepoint Security Manager.
b. Mark the Forcepoint Web Security or Forcepoint URL Filtering check
box.
c. If you have purchased the Forcepoint Web Security DLP Module, also mark
the Forcepoint DLP check box.

6  Forcepoint Web Security

 d. Click Next.
On the second Installation Type screen:
e. If the option is available, select Use the SQL Server database installed on
another machine.
Otherwise, simply make sure you have a supported version of Microsoft SQL
Server installed in your network. See the Certified Product Matrix for a list of
supported versions.
f. Click Next.
6. On the Summary screen, click Next to continue the installation.
Forcepoint Management Infrastructure Setup launches.

Step 3: Install the Forcepoint Management Infrastructure

The Forcepoint Management Infrastructure includes data storage and common

components for the Forcepoint Security Manager.
1. On the Forcepoint Management Infrastructure Setup Welcome screen, click Next.
2. On the Installation Directory screen, specify the location where you want
Forcepoint Management Infrastructure to be installed and then click Next.
■ To accept the default location (recommended), simply click Next.
■ To specify a different location, click Browse.

Important
The full installation path must use only ASCII characters.
Do not use extended ASCII or double-byte characters.

3. On the SQL Server screen, specify the location and connection credentials for a
database server located elsewhere in the network.
a. Enter the Hostname or IP address of the SQL Server machine, including the
instance name, if any, and the Port to use for SQL Server communication.
○ If you are using a named instance, the instance must already exist.
○ If you are using SQL Server clustering, enter the virtual IP address of the
cluster.
b. Specify whether to use SQL Server Authentication (a SQL Server account)
or Windows Authentication (a Windows trusted connection), then provide
the User Name or Account and its Password.
If you use a trusted account, an additional configuration step is required after
installation to ensure that reporting data can be displayed in the Web module
of the Security Manager. See Configuring Apache services to use a trusted
connection.
c. Click Next. The installer verifies the connection to the database engine. If the
connection test is successful, the next installer screen appears.

Installation Guide  7
 If the test is unsuccessful, the following message appears:
Unable to connect to SQL Server.
Make sure the SQL Server you specified is currently running. If it is running,
verify the access credentials you supplied.
Click OK to dismiss the message, verify the information you entered, and
click Next to try again.
4. On the Server & Credentials screen, do the following:
a. Select an IP address for this machine. If this machine has a single network
interface card (NIC), only one address is listed.
Administrators will use this address to access the console (via a web browser),
and web protection components on other machines will use the address to
connect to the management server.
b. Specify the Server or domain of the user account to be used by Forcepoint
Management Infrastructure and the Forcepoint Security Manager. The name
cannot exceed 15 characters.
c. Specify the User name of the account to be used by the Security Manager.
d. Enter the Password for the specified account.
5. On the Administrator Account screen, enter an email address and password for
the default Security Manager administration account: admin. When you are
finished, click Next.
■ The Administrator password must be a minimum of 8 characters, with at least
1 each of the following: upper case letter, lower case letter, number, special
character.
■ System notification and password reset information is sent to the email
address specified (once SMTP configuration is done; see next step).
6. On the Email Settings screen, enter information about the SMTP server to be
used for system notifications and then click Next. You can also configure these
settings after installation in the Security Manager.

Important
If you do not configure an SMTP server now and you lose
the admin account password (set on previous screen)
before the setup is done in the Security Manager, the
“Forgot my password” link on the logon page does not
provide password recovery information. SMTP server
configuration must be completed before password
recovery email can be sent.

■ IP address or hostname: IP address or host name of the SMTP server

through which email alerts should be sent. In most cases, the default Port (25)
should be used. If the specified SMTP server is configured to use a different
port, enter it here.
■ Sender email address: Originator email address appearing in notification
email.

8  Forcepoint Web Security

 ■ Sender name: Optional descriptive name that can appear in notification
email. This can help recipients identify this as a notification email from the
Forcepoint Security Manager.
7. On the Pre-Installation Summary screen, verify the information and then click
Next to begin the installation.
The Installation screen appears, showing installation progress. Wait until all files
have been installed.
If the following message appears, check to see if port 9443 is already in use on
this machine:
Error 1920. Server ‘TRITON Central Access’ (EIPManagerProxy) failed to
start. Verify that you have sufficient privileges to start system services.
If port 9443 is in use, release it and then click Retry to continue installation.
8. On the Installation Complete screen, click Finish.
You are returned to the Installer Dashboard and, after a few seconds, the Web
Protection Solutions setup program launches.

Step 4: Install the Web management components

After the Forcepoint Management Infrastructure installation is complete, the installer

for the Forcepoint Web Security management components is launched automatically.
To install the Web Security management components:
1. On the Select Components screen, select:
■ Forcepoint Security Manager (Web module) (selected by default)
■ Real-Time Monitor
■ Policy Broker and Policy Server
2. Still on the Select Components screen, clear the check box next to Linking
Service, then click Next.
If this service is required in your deployment, it will be installed in a later step,
when all component dependencies have been met.
3. On the Policy Broker Replication screen, indicate which Policy Broker mode to
use.
■ Select Standalone if this will be the only Policy Broker instance in your
deployment.
■ Select Primary, then create a Synchronization password if you will later
install additional, replica instances of Policy Broker.
The password may include between 4 and 300 alphanumeric characters.

Important
If you are installing the primary Policy Broker, be sure to
record the synchronization password. You must provide
this password each time you create a Policy Broker replica.

Installation Guide  9
 ■ Do not select Replica at this stage. You must install a standalone or primary
Policy Broker before you can install a replica.
If you are not sure about which Policy Broker mode to choose, see Managing
Policy Broker Replication.
4. If the management server machine does not include a supported version of the
Microsoft SQL Server Native Client and related tools, you are prompted to install
the required components. Follow the on-screen prompts to complete this process.
5. On the Pre-Installation Summary screen, verify the installation path, selected
components, and other information, then click or select Next.
A progress screen is displayed while components are installed.
6. On the Installation Complete screen, click Next.
7. If you have chosen to install the Forcepoint DLP management components, you
are returned to the Installer Dashboard and the next component installer is
launched. See Step 5: (Forcepoint Web Security DLP Module only) Install the
Forcepoint DLP management components, page 10.
If you are not installing any Forcepoint DLP (or Forcepoint Web Security DLP
Module) components, be sure to select the option that allows you to save
installation files on this machine when you exit the installer. There is one more
component to install on the management server, but it cannot be installed until
after you install Filtering Service. Continue with Step 6: Install an instance of
Filtering Service, page 11.

Step 5: (Forcepoint Web Security DLP Module only)

Install the Forcepoint DLP management components

When you add the Forcepoint Web Security DLP Module to Forcepoint Web Security,
Forcepoint Web Security and Forcepoint DLP components must reside on the same
management server.
To install the Forcepoint DLP components:
1. On the Forcepoint DLP installer Welcome screen, click Next.
2. On the Select Components screen, click Next to accept the default selections.
3. If prompted, click OK to indicate that services such as ASP.NET and SMTP will
be enabled.
Required Windows components will be installed. You may need access to the
operating system installation disc or image.
4. On the Fingerprinting Database screen, accept the default location or use the
Browse button to specify a different location.
Note that you must use a local path for the Fingerprinting database.
5. On the Temporary Folder Location screen, complete the fields as follows:
■ Enable incident archiving and system backup: Check this box if you plan
to archive old or aging incidents and perform system backup or restore.

10  Forcepoint Web Security

 ■ From SQL Server: Enter the path that Microsoft SQL Server should use to
access the temporary folder. For best practice, it should be a remote UNC
path, but local and shared network paths are supported. For example:
C:\folder or \\10.2.1.1.\folder. Make sure the account used to run SQL Server
has write access to this folder.
■ From Forcepoint management server: Enter the UNC path the management
server should use to access the temporary folder. For example:
\\10.2.1.1.\folder. Enter a user name and password for a user who is
authorized to access this location.
6. On the Local Administrator screen, enter or verify the local administrator user
name and password that will be used to run some Forcepoint Web Security DLP
Module services, then click Next.
7. On the Installation Confirmation screen, click Install to begin installation of
Forcepoint Web Security DLP Module components.
■ A message may appear stating that port 80 is required. Click Yes to continue
the installation.
■ A message may appear stating that port 443 may appear. Click Yes to continue
the installation.
■ If prompted to install required software, click Yes to continue the installation.
8. The Installation progress screen appears. Wait for the installation to complete.
9. When the Installation Complete screen appears, click Finish to close the
Forcepoint DLP installer.

Important
When you exit the installer, be sure to select the option that
allows you to save installation files on this machine. There
is one more component to install on the management
server, but it cannot be installed until after you install
Filtering Service.

Step 6: Install an instance of Filtering Service

When the standalone or primary Policy Broker and the central Policy Server reside on
the management server, you must install at least one instance of Filtering Service that
connects to the central Policy Server.
This instance of Filtering Service may reside:
● On a supported Windows server
● On a supported Linux server
● On a filtering only appliance
Note that using a software installation for this instance of Filtering Service may
make for a more convenient deployment. A software deployment allows you to

Installation Guide  11
 also install components like User Service and Usage Monitor for the central
Policy Server. (These components don’t reside on a filtering only appliance.)
Although other components (like Network Agent or a transparent identification agent)
may be installed with Filtering Service, a second instance of Policy Server may not
reside on this machine. This Filtering Service instance must connect to the central
Policy Server on the management server.

Installing Filtering Service on Windows

Before installing Filtering Service on a supported Windows server, make sure you
have prepared the machine (including downloading the installer file) as described in
Prepare your Windows servers, page 2.

Important
If, during the installation process, you encounter the error
“Installation failed with error code 3004”, refer to
Potential issue when installing v8.5.4 and v8.5.5 for
instructions.

To install Filtering Service:

1. Log on to the machine.
2. Use the Run as administrator option to launch the Forcepoint85xSetup.exe
installer. After a few seconds, a progress dialog box appears, as files are extracted.
3. On the Welcome screen, click Start.
4. On the Subscription Agreement screen, select I accept this agreement, then click
Next.
5. On the Installation Type screen, select Custom and then click Next.
6. On the Summary screen, click Next.
7. On the Custom Installation screen, click the Install link next to Forcepoint Web
Security or URL Filtering.
8. On the Welcome screen for the Web Protection Solutions setup program, click
Next.
9. Accept the subscription agreement, then click Next.
10. If the machine has multiple NICs, on the Multiple Network Interfaces screen,
select the IP address of the NIC that software components should use for
communication, then click Next.
11. Select the Custom installation type, then click Next.
12. On the Select Components screen, select the following components, then click
Next:
■ Filtering Service
■ User Service
■ Usage Monitor

12  Forcepoint Web Security

 Optionally, you may also select:
■ Network Agent
■ State Server
■ DC Agent, Logon Agent, eDirectory Agent, or RADIUS Agent
■ Directory Agent (used by the Forcepoint Web Security Hybrid Module)
13. On the Policy Server Connection screen, enter the IP address of the Policy Server
for this Filtering Service, and the Policy Server communication port (55806, by
default), then click Next.
14. On the Active Directory screen, indicate whether you are using Windows Active
Directory to authenticate users in your network, then click Next.
15. On the Computer Browser screen, indicate that the installer should attempt to start
the service, then click Next.
16. On the Integration Option screen, select Install Web Security to connect to
Content Gateway, then click Next.
17. If you are installing Network Agent, on the Network Card Selection screen, select
the NIC that Network Agent should use to communicate with other components,
then click Next.
18. On the Feedback screen, indicate whether you want your web protection software
to send feedback to Forcepoint, then click Next.
19. On the Directory Service Access screen, enter the domain, user name, and
password of an account that is a member of the Domain Admins group on the
domain controller, then click Next.
User Service, DC Agent, and Logon Agent use this information to query the
domain controller for user and group information.
20. On the Installation Directory screen, accept the default installation path, or click
or select Choose to specify another path, and then click Next.
The installation path must be absolute (not relative). The default installation path
is C:\Program Files\Websense\Web Security\.
The installer creates this directory if it does not exist.

Important
The full installation path must use only ASCII characters.
Do not use extended ASCII or double-byte characters.

21. On the Pre-Installation Summary screen, verify the installation path, selected
components, and other information, then click Next.
A progress screen is displayed while components are installed.
22. When the installation process finishes, the Installation Complete screen is
displayed. Click Next to exit the installer.
Continue with Step 7: Install Log Server and (optionally) Sync Service, page 16.

Installation Guide  13
Installing Filtering Service on Linux
Before installing Filtering Service on a supported Linux server, make sure that you
have prepared the machine (including downloading and extracting the installer files)
as described in Prepare your Linux servers, page 4.
To install Filtering Service:
1. Log on to the installation machine with full administrative privileges (typically,
root).
2. Launch the installer using the following command (from the setup directory):
./install.sh -g
This launches a GUI-based installer and is available on English versions of Linux
only. A text-only, command-line version can be launched by omitting the -g
switch:
./install.sh
3. On the Introduction screen, click or select Next.
4. On the Subscription Agreement screen, choose to accept the terms of the
agreement and then click or select Next.
5. If the machine has multiple NICs, on the Multiple Network Interfaces screen,
select the IP address of the NIC that software components should use for
communication.
6. On the Installation Type screen, select Custom and then click or select Next.
7. On the Select Components screen, select the following components, then click or
select Next:
■ Filtering Service
■ User Service
■ Usage Monitor
Optionally, you may also select:
■ Network Agent
■ State Server
■ Logon Agent, eDirectory Agent, or RADIUS Agent
■ Directory Agent (used by the Forcepoint Web Security Hybrid Module)
8. On the Policy Server Connection screen, enter the IP address of the Policy Server
for this Filtering Service, and the Policy Server communication port (55806, by
default).
9. On the Integration Option screen, select Install Web Security to connect to
Content Gateway then click or select Next.
When you install Content Gateway (as described in Step 10: Install Content
Gateway, page 24), you will be prompted for the Filtering Service IP address.
10. If you are installing Network Agent, on the Network Card Selection screen, select
the NIC that Network Agent should use to communicate with other software
components, then click or select Next.

14  Forcepoint Web Security

 11. On the Feedback screen, indicate whether you want your web protection software
to send feedback to Forcepoint, then click or select Next.
12. On the Installation Directory screen, accept the default installation path (/opt/
Websense/), or click or select Choose to specify another path. The installation
path:
■ Must be absolute (not relative)
■ Must use only ASCII characters (no extended ASCII or double-byte
characters)
When you are finished, click or select Next.
The installer creates the installation directory if it does not exist and compares the
installation’s system requirements with the machine’s resources.
■ Insufficient disk space prompts an error message. The installer closes when
you click or select OK.
■ Insufficient RAM prompts a warning message. The installation continues
when you click or select OK. To ensure optimal performance, increase your
memory to the recommended amount.
13. On the Pre-Installation Summary screen, verify the installation path, selected
components, and other information, then click or select Next.
A progress screen is displayed while components are installed.

Note
Do not click the Cancel button (GUI) or press Ctrl-C
(command-line) after the Pre-Installation Summary, as it
is installing components. In this case, allow the installation
to complete and then uninstall the unwanted components.

14. On the Installation Complete screen, click or select Done. (In the graphical
installer, be careful not to click Cancel.)
Continue with Step 7: Install Log Server and (optionally) Sync Service, page 16.

Using a filtering only appliance

The instructions that follow assume that you have already followed the instructions
provided in Prepare for appliance installation, page 6.
Follow the instructions found in the “Run firstboot” section of the Forcepoint
Appliances Getting Started Guide, selecting Forcepoint Web Security as your
security mode.

Installation Guide  15
 After the firstboot script has completed, a command-line interface (CLI) logon prompt
displays. Log on to perform post-firstboot configuration, including configuring
network interfaces. See Forcepoint Appliances Getting Started for details.

Note
It is not possible to rerun the firstboot script. However, all
of the settings established during firstboot, except the
security mode, can be changed in the CLI. See the
Forcepoint Appliances CLI Guide.
Changing the security mode requires re-imaging the
appliance.

Step 7: Install Log Server and (optionally) Sync Service

Log Server enables most reporting components, and must reside on a Windows
machine.
If you have purchased the Forcepoint Web Security Hybrid Module, Sync Service is
responsible for sending policy information to the hybrid service, and passing reporting
information from the hybrid service to Log Server. In most cases, it is best to install
Sync Service on the same machine as Log Server.
Before installing Log Server on a supported Windows server, make sure you have
prepared the machine (including downloading the installer file) as described in
Prepare your Windows servers, page 2.

Important
If, during the installation process, you encounter the error
“Installation failed with error code 3004”, refer to
Potential issue when installing v8.5.4 and v8.5.5 for
instructions.

To install Log Server and (optionally) Sync Service:

1. Log on to the machine.
If you plan to have Log Server connect to the Log Database using a trusted
account, log on to the machine using that account.
2. Use the Run as administrator option to launch the Forcepoint85xSetup.exe
installer. After a few seconds, a progress dialog box appears, as files are extracted.
3. On the Welcome screen, click Start.
4. On the Subscription Agreement screen, select I accept this agreement, then click
Next.
5. On the Installation Type screen, select Custom and then click Next.
6. On the Summary screen, click Next.

16  Forcepoint Web Security

7. On the Custom Installation screen, click the Install link next to Forcepoint Web
Security or URL Filtering.
8. On the Welcome screen for the Web Protection Solutions setup program, click
Next.
9. Accept the subscription agreement, then click Next.
10. If the machine has multiple NICs, on the Multiple Network Interfaces screen,
select the IP address of the NIC that software components should use for
communication, and then click Next.
11. Select the Custom installation type, then click Next.
12. On the Select Components screen:
a. Select Log Server.
b. If you have purchased the Forcepoint Web Security Hybrid Module,
optionally select Sync Service.
c. Click Next.
13. On the Policy Server Connection screen, enter the IP address of the Policy Server
for this Log Server, and the Policy Server communication port (55806, by
default), and then click Next.
14. On the Policy Broker Connection screen, enter the IP address of the primary (or
standalone) Policy Broker, and the Policy Broker communication port (55880, by
default), and then click Next.
15. If the Log Server server machine does not include a supported version of the
Microsoft SQL Server Native Client and related tools, you are prompted to install
the required components.
Depending on your current configuration, the Native Client installer may run
silently in the background, or prompt you for input.
■ When the Native Client installer runs in the background, you will know the
process is complete when the Forcepoint installer continues to the next screen.
This may take a few minutes.
■ When the Native Client installer runs in the foreground, follow the prompts to
complete the installation. Note that if you are prompted to reboot the machine,
do not reboot at this point. Instead, complete the Forcepoint software
installation first, then reboot.
16. On the Database Information screen, enter the hostname or IP address of the
machine on which a supported database engine is running. If you are using SQL
Server clustering, enter the virtual IP address of the cluster. Also indicate how to
connect to the database engine:
■ Select Trusted connection to use a Windows account to connect to the
database. Enter the user name and password of a trusted account with local
administrator privileges on the database machine. (As noted in step 1, this
should be the same account that you used to perform the installation.)
If you use a trusted account, an additional configuration step is required after
installation to ensure that reporting data can be displayed in the Forcepoint
Security Manager. See the Reporting FAQ.

Installation Guide  17
 ■ Select SQL Server authentication to use a SQL Server account to connect to
the database. Enter the user name and password for a SQL Server account that
has administrative access to the database. The SQL Server password cannot
be blank, or begin or end with a hyphen (-).
17. On the Log Database Location screen, either accept the default location for the
Log Database files or select a different location, then click Next.
■ The default location is C:\Program Files\Microsoft SQL Server on the SQL
Server machine.
■ If you specify a custom directory, that directory must already exist. The
installer cannot create a new directory on the SQL Server machine.
18. On the Optimize Log Database Size screen, select either or both of the following
options, and then click Next.
■ (Recommended) Log Web page visits: Enable this option to log fewer
records that combine hits and bandwidth data for a requested website, rather
than a logging a separate record for each file included in the request. This
results in fewer records and therefore smaller databases, allowing for
potentially faster report generation and longer storage capacities.
■ Consolidate requests: Enable this option to combine Internet requests that
share the same value for all of the following elements, within a certain
interval of time (1 minute, by default):
○ Domain name (for example: www.forcepoint.com)
○ Category
○ Keyword
○ Action (for example: Category Blocked)
○ User/device
19. On the Installation Directory screen, accept the default installation path, or click
or select Choose to specify another path, and then click Next.
■ The installation path must be absolute (not relative). The default installation
path is C:\Program Files\Websense\Web Security\.
■ The installer creates this directory if it does not exist.

Important
The full installation path must use only ASCII characters.
Do not use extended ASCII or double-byte characters.

20. On the Pre-Installation Summary screen, verify the installation path, components
selected, and other information shown, then click Next.
A progress screen is displayed while components are installed.
21. When the installation process finishes, the Installation Complete screen is
displayed. Click Next to exit the installer.
22. Restart the following services on the management server machine:
■ Websense TRITON - Web Security
■ Websense Web Reporting Tools

18  Forcepoint Web Security

 This step is required to ensure that reporting tools operate properly, and that any
scheduled reports that you create are saved properly.
If you have purchased Forcepoint DLP or the Forcepoint Web Security DLP Module,
continue with Step 8: (Forcepoint Web Security DLP Module only) Install Linking
Service on the management server.
Otherwise, go to Step 9: Install additional web protection components, page 19.

Step 8: (Forcepoint Web Security DLP Module only)

Install Linking Service on the management server

When you combine Forcepoint Web Security with Forcepoint DLP, or add the
Forcepoint Web Security DLP Module, Linking Service allows Forcepoint DLP
services to get category and user information from Filtering Service.
This service was not installed when you installed the rest of the management server
components because it is dependent on Filtering Service.
To install Linking Service:
1. Relaunch the Forcepoint Security Installer on the management server machine.
2. On the Modify Installation page, click the Modify link next to Forcepoint Web
Security.
3. On the Add Components screen, select Install additional components on this
machine, then click Next.
4. Use the Select Components screen to select Linking Service, then click Next.
5. On the Filtering Service Communication screen, enter the IP address of the
Filtering Service machine and the Filtering Service communication port (15868,
by default), then click Next.
6. On the Pre-Installation Summary screen, verify the installation path, components
selected, and other information shown, then click Next.
A progress screen is displayed while components are installed.
7. When the installation process finishes, the Installation Complete screen is
displayed. Click Next to exit the installer.
Continue with Step 9: Install additional web protection components.

Step 9: Install additional web protection components

Depending on your network configuration and size, you may need to install multiple
instances of several policy enforcement and user identification components.
● All components except Content Gateway can reside on Windows servers.
● Most components can reside on Linux servers.

Installation Guide  19
 ● Most components can reside on appliances in the following configurations:
■ User directory and filtering appliances include Policy Server, plus Filtering
Service, User Service, Usage Monitor, Network Agent, and Content Gateway.
Directory Agent can also be enabled on these appliances. During setup, you
are prompted to connect to Policy Broker (which typically resides on the
management server).
■ Filtering only appliances include Filtering Service, Network Agent, and
Content Gateway. During setup, you are prompted to connect to a Policy
Server instance (which may reside on a user directory and filtering
appliance, or a Windows or Linux server).

Installing components on Windows

Before installing Forcepoint Web Security components on a supported Windows
server, make sure you have prepared the machine (including downloading the installer
file) as described in Prepare your Windows servers, page 2.

Important
If, during the installation process, you encounter the error
“Installation failed with error code 3004”, refer to
Potential issue when installing v8.5.4 and v8.5.5 for
instructions.

To install the components:

1. Log on to the machine.
2. Use the Run as administrator option to launch the Forcepoint85xSetup.exe
installer. After a few seconds, a progress dialog box appears, as files are extracted.
3. On the Welcome screen, click Start.
4. On the Subscription Agreement screen, select I accept this agreement, then click
Next.
5. On the Installation Type screen, select Custom and then click Next.
6. On the Summary screen, click Next.
7. On the Custom Installation screen, click the Install link next to Forcepoint Web
Security or URL Filtering.
8. On the Welcome screen for the Web Protection Solutions setup program, click
Next.
9. Accept the subscription agreement, then click Next.
10. Select the Custom installation type, then click Next.
11. Select the components that you want to install, keeping in mind that:
■ Policy Server must always be installed before or with its dependent
components.

20  Forcepoint Web Security

 You will be prompted to provide the Policy Server IP address during
installation of most components if Policy Server resides on a different
machine.
■ Filtering Service must always be installed before or with dependent instances
of Network Agent.
You will be prompted for the Filtering Service IP address during Network
Agent installation if Filtering Service resides on another machine.
■ Each time you install a Filtering Service instance, select Content Gateway as
the integration product.
When you install Content Gateway, you will be prompted for a Policy Server
IP address and a Filtering Service IP address.
■ Unlike the primary or standalone Policy Broker, which must always be
installed first, replica Policy Brokers may be added at any time.
You can configure which Policy Broker instance any Policy Server (and its
dependent components) connects to after installation (use the Web >
Settings > General > Policy Brokers page in the Forcepoint Security
Manager).
12. Click Next to configure your installation.
Many of the screens that display depend on which components you have selected.
If you are not clear about what information to provide, click Help in the installer
for context and instructions.
13. On the Installation Directory screen, accept the default installation path, or click
or select Choose to specify another path, and then click Next.
The installation path must be absolute (not relative). The default installation path
is C:\Program Files\Websense\Web Security\.
The installer creates this directory if it does not exist.

Important
The full installation path must use only ASCII characters.
Do not use extended ASCII or double-byte characters.

14. On the Pre-Installation Summary screen, verify the installation path, selected
components, and other information, then click or select Next.
A progress screen is displayed while components are installed.
15. On the Installation Complete screen, click Next.
When the process is complete, you may want to repeat this procedure to install more
components, install one or more instances of Content Gateway (Step 10: Install
Content Gateway, page 24), or start configuring your new deployment (Step 12: Initial
Configuration, page 38).

Installation Guide  21
Installing components on Linux
Before installing components on a supported Linux server, make sure that you have
prepared the machine (including downloading and extracting the installer files) as
described in Prepare your Linux servers, page 4.
1. Log on to the installation machine with full administrative privileges (typically,
root).
2. Launch the installer using the following command (from the setup directory):
./install.sh -g
This launches a GUI-based installer and is available on English versions of Linux
only. A text-only, command-line version can be launched by omitting the -g
switch:
./install.sh
3. On the Introduction screen, click or select Next.
4. On the Subscription Agreement screen, choose to accept the terms of the
agreement and then click Next.
5. On the Installation Type screen, select Custom and then click or select Next.
6. On the Select Components screen, select the components that you want to install:
■ Policy Server must always be installed before or with its dependent
components.
You will be prompted to provide the Policy Server IP address during
installation of most components if Policy Server resides on a different
machine.
■ Filtering Service must always be installed before or with dependent instances
of Network Agent.
You will be prompted for the Filtering Service IP address during Network
Agent installation if Filtering Service resides on another machine.
■ Each time you install a Filtering Service instance, select Content Gateway as
the integration product.
When you install Content Gateway, you will be prompted for a Policy Server
IP address and a Filtering Service IP address.
■ Unlike the primary or standalone Policy Broker, which must always be
installed first, replica Policy Brokers may be added at any time.
You can configure which Policy Broker instance any Policy Server (and its
dependent components) connects to after installation (use the Settings >
General > Policy Brokers page in the Forcepoint Security Manager).
7. Click or select Next to configure your installation.
Many of the screens that display depend on which components you have selected.
If you are not clear about what information to provide, click or select Help in the
installer for context and instructions.
8. On the Installation Directory screen, accept the default installation path (/opt/
Websense/), or click or select Choose to specify another path. The installation
path:

22  Forcepoint Web Security

 ■ Must be absolute (not relative)
■ Must use only ASCII characters (no extended ASCII or double-byte
characters)
When you are finished, click or select Next.
The installer creates the installation directory if it does not exist and compares the
installation’s system requirements with the machine’s resources.
■ Insufficient disk space prompts an error message. The installer closes when
you click or select OK.
■ Insufficient RAM prompts a warning message. The installation continues
when you click or select OK. To ensure optimal performance, increase your
memory to the recommended amount.
9. On the Pre-Installation Summary screen, verify the installation path, selected
components, and other information, then click or select Next.
A progress screen is displayed while components are installed.

Note
Do not click the Cancel button (GUI) or press Ctrl-C
(command-line) after the Pre-Installation Summary, as it
is installing components. In this case, allow the installation
to complete and then uninstall the unwanted components.

10. On the Installation Complete screen, click or select Done. (In the graphical
installer, be careful not to click Cancel.)
When the process is complete, you may want to repeat this procedure to install more
components, install one or more instances of Content Gateway (Step 10: Install
Content Gateway, page 24), or start configuring your new deployment (Step 12: Initial
Configuration, page 38).

Using Forcepoint appliances

The instructions that follow assume that you have already followed the instructions
provided in Prepare for appliance installation, page 6.
Follow the instructions found in the “Run firstboot” section of the Forcepoint
Appliances Getting Started Guide.

Installation Guide  23
 After the firstboot script has completed, a command-line interface (CLI) logon prompt
displays. Log on to perform post-firstboot configuration, including configuring
network interfaces. See Forcepoint Appliances Getting Started for details.

Note
It is not possible to rerun the firstboot script. However, all
of the settings established during firstboot, except the
security mode, can be changed in the CLI. See the
Forcepoint Appliances CLI Guide.
Changing the security mode requires re-imaging the
appliance.

Step 10: Install Content Gateway

If you are not using appliances to host policy enforcement components, complete
these steps to install Content Gateway on one or more Linux servers.

Prepare for installation

1. Make sure that the server you intend to use meets or exceeds the requirements
listed in the “Content Gateway” section of “Requirements for web protection
solutions” in System requirements for this version.
See Installing on Red Hat Enterprise for additional details on installing on Red
Hat Linux.
2. Configure a hostname for the Content Gateway machine and also configure DNS
name resolution. Complete these steps on the machine on which you will install
Content Gateway.
a. Configure a hostname for the machine that is 15 characters or less:
hostname <hostname>
b. Update the HOSTNAME entry in the /etc/sysconfig/network file to include
the new hostname assigned in the previous step:
HOSTNAME=<hostname>
c. Specify the IP address to associate with the hostname in the /etc/hosts file.
This should be static and not served by DHCP.
The proxy uses this IP address in features such as transparent authentication
and hierarchical caching. This must be the first line in the file.
Do not delete the second and third lines (the ones that begin with “127.0.0.1”
and “::1”, respectively). Also, do not add the hostname to the second or third
line.
xxx.xxx.xxx.xxx <FQDN> <hostname>
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

24  Forcepoint Web Security

 <FQDN> is the fully-qualified domain name of this machine (for example:
myhost.example.com). <hostname> is the same name specified in Step a.
Do not reverse the order of the FQDN and hostname.
d. Configure DNS in the /etc/resolv.conf file.
search <subdomain1>.<top-level domain>
<subdomain2>.<top-level domain> <subdomain3>.<top-
level domain>
nameserver xxx.xxx.xxx.xxx
nameserver xxx.xxx.xxx.xxx
This example demonstrates that more than one domain can be listed on the
search line. Listing several domains may have an impact on performance,
because each domain is searched until a match is found. Also, this example
shows a primary and secondary nameserver being specified.
e. Gather this information:
○ Default gateway (or other routing information)
○ List of your company’s DNS servers and their IP addresses
○ DNS domains to search, such as internal domain names. Include any
legacy domain names that your company might have.
○ List of additional firewall ports to open beyond SSH (22) and the proxy
ports (8080-8090).
3. For Content Gateway to operate as a caching proxy, it must have access to at least
one raw disk. Otherwise, Content Gateway will function as a proxy only.
To create a raw disk for the proxy cache when all disks have a mounted file
system:

Note
This procedure is necessary only if you want to use a disk
already mounted to a file system as a cache disk for
Content Gateway. Perform this procedure before installing
Content Gateway.

Warning
Do not use an LVM (Logical Volume Manager) volume as
a cache disk.

Warning
The Content Gateway installer will irretrievably clear the
contents of cache disks.

a. Enter the following command to examine which file systems are mounted on
the disk you want to use for the proxy cache:
df -k

Installation Guide  25
 b. Open the file /etc/fstab and comment out or delete the file system entries for
the disk.
c. Save and close the file.
d. Enter the following command for each file system you want to unmount:
umount <file_system>
When the Content Gateway installer prompts you for a cache disk, select the
raw disk you created.

Note
It is possible to add cache disks after Content Gateway is
installed. For instructions, see the Content Gateway
Manager Help.

4. If you plan to deploy multiple, clustered instances of Content Gateway:

■ Find the name of the network interface you want to use for cluster
communication. This must be a dedicated interface.
■ Find or define a multicast group IP address.
If a multicast group IP address has not already been defined, enter the
following at a command line to define the multicast route:
route add <multicast.group address>/32 dev
<interface_name>
Here, <interface_name> is the name of the interface used for cluster
communication. For example:
route add 224.0.1.37/32 dev eth1
5. It is recommended that the Content Gateway host machine have Internet
connectivity before starting the installation procedure. The software will install
without Internet connectivity, but analytic database updates cannot be performed
until Internet connectivity is available.
6. Find the installer executable on the Downloads menu of the Forcepoint Customer
Hub and download the ContentGateway85xSetup_Lnx.tar.gz installer tar
archive to a temporary directory on the machine that will host Content Gateway.
To unpack the tar archive, use the command:
tar -xvzf ContentGateway85xSetup_Lnx.tar.gz
7. Consider the following security issues prior to installing Content Gateway:
■ Physical access to the system can be a security risk. Unauthorized users could
gain access to the file system, and under more extreme circumstances,
examine traffic passing through Content Gateway. It is strongly recommended
that the Content Gateway server be locked in an IT closet and that a BIOS
password be enabled.
■ Ensure that root permissions are restricted to a select few persons. This
important restriction helps preclude unauthorized access to the Content
Gateway file system.

26  Forcepoint Web Security

 ■ For a list of default ports, see the Web tab of the Forcepoint Ports
spreadsheet. They must be open to support the full set of Forcepoint Web
Security features.

Note
If you customized any ports that your web protection
software uses for communication, replace the default port
with the custom port you implemented.

Restrict inbound traffic to as few other ports as possible on the Content

Gateway server. In addition, if your subscription does not include certain
features, you can restrict inbound traffic to the unneeded ports. For example,
if your subscription does not include the Forcepoint Web Security DLP
Module, you may choose to restrict inbound traffic to those ports related to
Forcepoint DLP.
■ If your server is running the Linux IPTables firewall, you must configure the
rules in a way that enables Content Gateway to operate effectively. See
IPTables for Content Gateway.
8. Content Gateway can be used as an explicit or transparent proxy. For setup
considerations for each option, see the Content Gateway explicit and transparent
proxy deployments.

Installing on Red Hat Enterprise

biosdevname
Red Hat Enterprise Linux 6, update 1 introduced biosdevname:
... optional convention for naming network interfaces. biosdevname assigns
names to network interfaces based on their physical location. ... biosdevname is
disabled by default, except for a limited set of Dell systems.
The biosdevname convention is designed to replace the older, inconsistent “eth#”
naming scheme. The new standard will be very helpful when it is fully adopted, but
that is still in the future.
In this release, biosdevname is not supported by Content Gateway.

Disabling biosdevname
If while installing Content Gateway the installer finds non-eth# interface names, the
installer quits and provides a link to instructions for modifying system startup files.
There are 2 ways to disable biosdevname:
1. During operating system installation.
2. Post-operating system installation through modification of several system files
and other activities.

Installation Guide  27
 The easiest way to disable biosdevname is to do it during operating system
installation. This is the recommend method.
Disabling biosdevname during operating system installation:

When the installer starts, press Tab and alter the boot line to add biosdevname=0 and,
when installing on Red Hat Enterprise Linux 7.x, net.ifnames=0 as follows:

Proceed through the rest of the installer as usual.

Disabling biosdevname after operating system installation:

Note
The following steps are applicable for Redhat/CentOS 6
and not for Redhat/CentOS 7. You can refer to the
Changing Interface Names in CentOS 7 and Forcepoint
Websense Content Gateway installation error “Device
eth0 does not exist” for Redhat/CentOS 7.

28  Forcepoint Web Security

Log on to the operating system and verify that non-eth# names are present.
ifconfig -a

If only “eth#” and “lo” names are present, you are done. No other actions are required.
If there are names like “emb#” or “p#p#” perform the following steps.

1. Log in as root.
2. Navigate to the network-scripts directory:
cd /etc/sysconfig/network-scripts
3. Rename all “ifcfg-<ifname>” files except “ifcfg-lo” so that they are named
ifcfg-eth#.
a. Start by renaming ifcfg-em1 to ifcfg-eth0 and continue with the rest of the
“ifcfg-em#” files.
b. When the above are done, rename the “ifcfg-p#p#” files.
If there are multiple ifcfg-p#p1 interfaces, rename all of them in the order of
the lowest ifcfg-p# first.
For example, if the initial set of interfaces presented by ifconfig -a is:
em1 em2 em3 em4 p1p1 p1p2 p2p1 p2p2
Then:
em1 -> eth0
em2 -> eth1
em3 -> eth2
em4 -> eth3

Installation Guide  29
 p1p1 -> eth4
p1p2 -> eth5
p2p1 -> eth6
p2p2 -> eth7
c. Make the ifcfg-eth# files linear so that if you have 6 interfaces you have eth0
through eth5.
4. Edit all the ifcfg-eth# files.
a. Update the DEVICE= sections to refer to the new name: “eth#”
b. Update the NAME= sections to refer to the new name: “System eth#”
5. Remove the old udev device mapping file if it exists:
rm -f /etc/udev/rules.d/70-persistent-net.rules
6. Modify the grub.conf file to disable biosdevname for the kernel you boot:
a. Edit the /boot/grub/grub.conf file.
b. Add the following to the end of the “kernel /vmlinuz” line:
biosdevname=0
7. Reboot the machine.
8. Reconfigure the interfaces as required.

Installer gives NetworkManager or avahi-daemon error

When Red Hat Enterprise Linux is installed with a graphical user interface (GUI), the
Content Gateway installer recognizes systems running NetworkManager or avahi-
daemon processes and emits an error similar to the following:
Error: The avahi-daemon service is enabled on this system
and must be disabled before Content Gateway v8.5.x can be
installed.
Please disable the avahi-daemon service with the following
commands and restart the Content Gateway installation.
chkconfig --levels 2345 avahi-daemon off
service avahi-daemon stop

Warning
Content Gateway is supported on Red Hat Enterprise
Linux, Basic Server (no GUI) and is not supported on
RHEL with a GUI.

To continue, the conflicting NetworkManager and avahi-daemon processes must be

stopped.
1. To disable the avahi-daemon service, enter the following commands:
chkconfig --levels 2345 avahi-daemon off
service avahi-daemon stop
2. Restart the installer:

30  Forcepoint Web Security

 ./wcg_install.sh

Install Content Gateway

1. Disable any currently running firewall on this machine for the duration of Content
Gateway installation. Bring the firewall back up after installation is complete,
opening ports used by Content Gateway.

Important
If SELinux is enabled, set it to permissive or disable it
before installing Content Gateway. Do not install or run
Content Gateway with SELinux enabled.

Important
Forcepoint Web Security customers using Red Hat
Enterprise Linux or CentOS 7.x must disable firewalld
prior to installing Content Gateway.
On the machine where Content Gateway will be installed,
execute the following:
systemctl stop firewalld
systemctl disable firewalld

2. Make sure you have root permissions:

su root
3. In the directory where you unpacked the tar archive, begin the installation, and
respond to the prompts to configure the application.
./wcg_install.sh
The installer installs Content Gateway in /opt/WCG. It is installed as root.

Note
Up to the configuration summary, you can quit the installer
by pressing Ctrl-C. If you choose to continue the
installation past the configuration summary and you want
to quit, do not use Ctrl-C. Instead, allow the installation to
complete and then uninstall it.
If you want to change your answer to any of the installer
prompts, you will be given a chance to start over at the first
prompt once you reach the configuration summary; you do
not have to quit the installer.

4. If your server does not meet the minimum hardware requirements or is missing
required operating system packages, you will receive error or warning messages.

Installation Guide  31
 Install the missing packages, reboot the server, and again start the Content
Gateway installer.
Here is an example of a system resource warning:
Warning: Content Gateway requires at least 6 gigabytes of
RAM.
Do you wish to continue [y/n]?
Enter n to end the installation and return to the system prompt.
Enter y to continue the installation. If you choose to run Content Gateway after
receiving this warning, performance may be affected.
5. Read the subscription agreement. At the prompt, enter y to continue installation or
n to cancel installation.
Do you accept the above agreement [y/n]? y
6. Enter and confirm a password for the Content Gateway Manager administrator
account.
Note that the cursor will not move while you are entering your password.
Enter the administrator password for the Content Gateway
management interface.
Username: admin
Password:>
Confirm password:>
This account enables you to log on to the management interface for Content
Gateway (the Content Gateway manager). The default username is admin.
To create a strong password (required), use 8 to 15 characters, with at least 1 each
of the following: upper case letter, lower case letter, number, special character.

Important
The password cannot contain the following characters:
■ space
■ $ (dollar symbol)
■ : (colon)
■ ‘ (backtick; typically shares a key with tilde, ~)
■ \ (backslash)
■ “ (double-quote)

7. Enter an email address where Content Gateway can send alarm messages:
Content Gateway requires an email address for alarm
notification.
Enter an email address using @ notation: [] >
Be sure to use @ notation (for example, [email protected]). Do not enter more
than 64 characters for this address.
8. Select 1 as your Content Gateway Integration Configuration:

32  Forcepoint Web Security

 '1' - Select '1' to configure Content Gateway as a
component of Forcepoint Web Security
'2' - Select '2' to configure Content Gateway as a
component of Forcepoint DLP (without Forcepoint Web
Security)
9. Enter the IP address for Policy Server:
Enter the Policy Server IP address (leave blank if
integrating with Data Security only): [] >
Use dot notation (i.e., xxx.xxx.xxx.xxx). The address must be IPv4.
10. Enter the IP address for Filtering Service:
Enter the Filtering Service IP address: [<Policy Server
address>] >
The default is the same address as Policy Server.
11. Review default Content Gateway ports:
Content Gateway uses 9 ports on your server:
Port Assignments:
-----------------
'1' Content Gateway Proxy Port 8080
'2' Web Interface port 8081
'3' Auto config port 8083
'4' Process manager port 8084
'5' Logging server port 8085
'6' Clustering port 8086
'7' Reliable service port 8087
'8' Multicast port 8088
'9' Endpoint Authentication Server Port 9090

Enter the port assignment you would like to change:

'1-9' - specific port changes
'X' - no change
'H' - help
[X] >
Change a port assignment if it will conflict with another application or process on
the machine. Otherwise, leave the default assignments in place.
If you do not want to use these ports for Content Gateway, or if the installation
program indicates that a port conflict exists, make any necessary changes. Any
new port numbers you assign must be between 1025 and 65535, inclusive.
12. For clustering, at least two network interfaces are required. If your machine has
only one, the following prompt appears:
Content Gateway requires at least 2 interfaces to support
clustering. Only one active network interface is detected
on this system.
Press Enter to continue installation and skip to Step 13.
13. If two or more network interfaces are found on this machine, you are asked
whether this instance of Content Gateway should be part of a cluster:
Content Gateway Clustering Information

Installation Guide  33
 ------------------------------------------------
'1' - Select '1' to configure Content Gateway
for management clustering. The nodes in the cluster
will share configuration/management information
automatically.
'2' - Select '2' to operate this Content Gateway
as a single node.

Enter the cluster type for this Content Gateway

installation:
[2] >
If you do not want this instance of Content Gateway to be part of a cluster, enter 2.
If you select 1, provide information about the cluster:
Enter the name of this Content Gateway cluster.
><cluster_name>
Note: All members of a cluster must use the same cluster name and multicast
group address.
Enter a network interface for cluster communication.
Available interfaces:
<interface, e.g., eth0>
<interface, e.g., eth1>
Enter the cluster network interface:
>
Enter a multicast group address for cluster <cluster_name>.
Address must be between 224.0.1.27 - 224.0.1.254:
[<default_IP_multicast_address>] >
14. For Content Gateway to act as a web cache, a raw disk must be present on this
machine. If no raw disk is detected, the following prompt appears:
No disks are detected for cache.
Content Gateway will operate in PROXY_ONLY mode.
Content Gateway will operate as a proxy only and will not cache web pages. Press
Enter to continue the installation and skip Step 15.
15. If a raw disk is detected, you can enable the web cache feature of Content
Gateway:

Note
If you choose to not enable raw disk cache now, cache
disks may be added after Content Gateway has been
installed. For instructions, see the Content Gateway
Manager Help.

Would you like to enable raw disk cache [y/n]? y

34  Forcepoint Web Security

a. Select available disks from the list. Selected disks become dedicated cache
disks and cannot be used for any other purpose. Cache disks must be raw.
Aggregate disk cache size should not exceed 147 GB.
Select available disk resources to use for the cache.
Remember that space used for the cache cannot be used
for any other purpose.
Here are the available drives
(1) /dev/sdb 146778685440 0x0
Note: The above drive is only an example.

Warning
Although it might be listed as available, do not use an
LVM (Logical Volume Manager) volume as a cache disk.

b. Indicate if you want to add or remove disks individually or as a group.

Choose one of the following options:
'A' - Add disk(s) to cache
'R' - Remove disk(s) from cache
'S' - Add all available disks to cache
'U' - Remove all disks from cache
'X' - Done with selection, continue
Content Gateway installation.
Option: > A
[ ] (1) /dev/sdb 146778685440 0x0
c. Specify which disk or disks to use for the cache.
Enter number to add item, press 'F' when finished:
[F] >1
Item '1' is selected
[F] >
d. Your selections are confirmed. Note the “x” before the name of the disk.
Here is the current selection
[X] (1) /dev/sdb 146778685440 0x0
e. Continue based on your choice in Step b, pressing X when you have finished
configuring cache disks.
Choose one of the following options:
'A' - Add disk(s) to cache
'R' - Remove disk(s) from cache
'S' - Add all available disks to cache
'U' - Remove all disks from cache
'X' - Done with selection, continue
Content Gateway installation.
Option: >X

Installation Guide  35
 16. As a way of improving the Content Gateway product, you can elect to send
Forcepoint information about usage statistics, analyzed content, and activated
product features. Important: Individual users are never identified.
Enter y or n.
17. A configuration summary appears, showing your answers to the installer prompts
(note: summary below is an example):
Configuration Summary
-----------------------------------------------------------
Content Gateway Install Directory : /opt/WCG
Admin Username for Content Gateway Manager: admin
Alarm Email Address : <email_address>
Content Gateway Install Type : Web Security
Policy Server IP Address : <IP_address>
Filtering Service IP Address : <IP_address>
Content Gateway Cluster Type : NO_CLUSTER
Content Gateway Cache Type : LRAW_DISK
Cache Disk : /dev/sdb
Total Cache Partition Used : 1
*******************
* W A R N I N G *
*******************
CACHE DISKS LISTED ABOVE WILL BE CLEARED DURING
INSTALLATION!! CONTENTS OF THESE DISKS WILL BE
COMPLETELY LOST WITH NO CHANCE OF RETRIEVAL.
Installer CANNOT detect all potential disk mirroring
systems. Please make sure the cache disks listed
above are not in use as mirrors of active file
systems and do not contain any useful data.
Do you want to continue installation with this configuration
[y/n]?
If you want to make changes, enter n to restart the installation process at the first
prompt. To continue and install Content Gateway configured as shown, enter y.

Important
If you enter y to proceed but you decide you want to cancel
the installation, do not attempt to quit the installer by
pressing Ctrl-C. Allow the installation to complete. Then
uninstall it.

36  Forcepoint Web Security

 18. Wait for the installation to complete.

Note
The subscription key is shared automatically with Content
Gateway when it is entered in the Forcepoint Security
Manager.
If you receive an email from Content Gateway (to the
address you specified during installation) with “WCG
license download failed” in the subject line, this alert does
not mean a problem occurred with the installation. The
alert indicates that your deployment may require you to
manually enter the subscription key in the Content
Gateway manager.

19. When installation is complete, reboot the Content Gateway server.

20. When the reboot is complete, check Content Gateway status with:
/opt/WCG/WCGAdmin status
All services should be running. These include Content Cop, Content Gateway,
Content Gateway Manager, and Analytics Server.
After you have installed all of the software instances of Content Gateway needed for
your deployment, continue with Step 12: Initial Configuration.

Step 11: Post installation activities

After you have finished installing components, refer to the following to ensure that
your Web Security installation is complete.
● If multiple Policy Servers were installed and assigned to the same Policy Broker,
and any of them reside on a Microsoft Windows 2016 server, some of the services
on all of the Windows 2016 machines in the deployment may fail to restart at the
end of the install process.
Log on to each machine and restart the following services as needed:
○ Websense Event Message Broker
○ Websense Cloud App Service
○ Websense Bridge Service
○ Websense SIEM Connector
Optionally, reboot each machine.

Installation Guide  37
Step 12: Initial Configuration

Tip
All web protection tools and utilities installed on Windows
Server platforms (such as wsbackup.exe and
websenseping.exe), as well as text editors used to modify
configuration files (such as websense.ini), must be run as
the local administrator. Otherwise, you may be prevented
from running the tool or the changes you make may not be
implemented.

Enter your subscription key

After installation is complete, log on to the Forcepoint Security Manager (console)
and enter your subscription key. Entering the key:
● Allows your product to be verified
● Initiates database downloads that activate your solution
● Enables several management console features.
To get started:
1. If administrators use Internet Explorer to access the console, make sure that
Enhanced Security Configuration (IE ESC) is disabled on their machines.
2. Use a supported browser to launch the console and log on using the default
account (admin) and the password created during installation.
The console URL is:
https://<IP_address>:9443/manager/
Here, <IP_address> is the IP address of the management server.
3. Enter your subscription key or keys. At first startup:
■ The Web module of the console prompts for a subscription key in the Initial
Setup Checklist. This key is automatically applied to Content Gateway.
■ If you have purchased the Forcepoint Web Security DLP Module, the Data
module of the console also displays a subscription key page.
Enter your subscription key and save the change in both consoles.
4. If you did not provide SMTP server details during installation, use the Global
Settings > Notifications page to specify the SMTP server used to enable
administrator password reset functionality and account change notifications.
5. Once the Web and (optionally) Data modules of the console show that your key
has been verified, log off of the console and log back on to see all of your
subscribed features.

38  Forcepoint Web Security

Confirm Content Gateway registration with Forcepoint DLP
If you have purchased the Forcepoint Web Security DLP Module, Content Gateway
registers with Forcepoint DLP automatically. To ensure that registration is successful:
● Synchronize the date and time on the Content Gateway and management server
machines to within a few minutes.
● If Content Gateway is deployed as a transparent proxy on a Forcepoint appliance,
ensure that traffic to and from the appliance management interface (C) is not
subject to transparent routing. If it is, the registration process will be intercepted
by the transparent routing and will not complete properly.
● Make sure that the IPv4 address of the eth0 NIC on the Content Gateway machine
is available (not required if Content Gateway is located on an appliance). This is
the NIC used by the management server during the registration process.
After registration, the IP address can move to another network interface.
If registration fails an alarm displays in the Content Gateway manager.
1. Verify connectivity between Content Gateway and the management server.
2. In the Content Gateway manager, navigate to the Configure > My Proxy >
Basic > General page.
3. In the Networking section of the page, confirm that Web DLP > Integrated on-
box is enabled.
4. Restart Content Gateway to initiate another registration attempt.
Alternatively:
a. Go to Configure > Security > Web DLP and enter the IP address of the
management server.
b. Enter the user name and password for a Data module administrator with
Deploy Settings privileges. (This may be the admin account.)
c. Click Register.
After Content Gateway has registered with Forcepoint DLP:
1. Log on to the Content Gateway manager.
2. Navigate to Configure > Security > Web DLP.
3. Set the following options:
a. Analyze FTP Uploads: Enable this option to send FTP uploads to Forcepoint
Web Security DLP Module components for analysis and policy enforcement.
b. Analyze HTTPS Content: Enable this option to send decrypted HTTPS
posts to Forcepoint Web Security DLP Module components for analysis and
policy enforcement. SSL Manager must be enabled on Content Gateway.
4. Click Apply and restart Content Gateway.
Forcepoint Web Security DLP Module components communicate with the Content
Gateway proxy over ports 17000-17014.

Installation Guide  39
Configure the Content Gateway policy engine
When Content Gateway is registered with Forcepoint DLP, the Data > System
Modules page in Forcepoint Security Manager includes a Content Gateway module.
By default, this agent is configured to monitor web traffic, not block it, and for a
default violation message to appear when an incident is triggered. If this is acceptable,
you do not need to make changes to the Content Gateway configuration. Simply
deploy the new settings.
If you want to block web traffic that breaches policy and customize the violation
message, do the following:
1. In the Security Manager, go to the Data > Settings > Deployment > System
Modules page.
2. Select the Content Gateway module in the tree view (click the module name itself,
not the plus sign next to it).
It will be listed as Forcepoint Content Gateway server on <FQDN>
(<PE_version>), where <FQDN> is the fully-qualified domain name of the
Content Gateway machine and <PE_version> is the version of the Content
Gateway policy engine.
3. Select the HTTP/HTTPS tab and configure the blocking behavior you want.
Select Help > Explain This Page for instructions for each option.
4. Select the FTP tab and configure the blocking behavior you want.
Select Help > Explain This Page for instructions for each option.
5. Click Save to save your changes.
6. Click Deploy to deploy your settings.

Important
Even if you do not change the default configuration, you
must click Deploy to finalize your Content Gateway
deployment process.

Verify that web and data protection components are linked

When Linking Service is installed, it allows Forcepoint Web Security DLP Module
components to access user identification and URL categorization data. To verify that it
is working:
1. Log on to the Forcepoint Security Manager.
2. Navigate to the Data > Settings > General > Linking Service page.
3. Verify settings and test the connection.
Select Help > Explain This Page for detailed information about the settings on
this screen.
4. Click OK to save any changes.
5. Click Deploy to deploy your settings.

40  Forcepoint Web Security

Set Up Content Gateway
● Log onto the Content Gateway manager and run a basic test (Getting Started)
● If there are multiple instances of Content Gateway, consider configuring a
managed cluster.
● Configure protocols to proxy in addition to HTTP: HTTP (SSL Manager), FTP
● Complete your explicit or transparent proxy deployment
■ Content Gateway explicit and transparent proxy deployments
■ In Content Gateway Manager Help: Explicit proxy, Transparent proxy
● If proxy user authentication will be used, configure user authentication.
Alternatively, you can configure Forcepoint Web Security user identification.
● Configure the real-time Scanning Options in the Web module of the Forcepoint
Security Manager.
● If you enabled content caching during installation, configure content caching.
After the base configuration has been tested, consider these additional activities:
● If you are using HTTPS (SSL Manager), use the Web module of the Security
Manager to configure categories, clients, and destination servers for SSL
decryption bypass
● Create Content Gateway filtering rules to:
■ Deny or allow URL requests
■ Insert custom headers
■ Allow specified applications, or requests to specified websites to bypass
authentication
■ Keep or strip header information from client requests
■ Prevent specified applications from transiting the proxy
● In explicit proxy deployments, customize the PAC file.
● In transparent proxy deployments, use ARM dynamic and static bypass, or use
router ACL lists to bypass Content Gateway (see your router documentation).
● The ARM (Adaptive Redirection Module) module of Content Gateway uses a
firewall. To facilitate interception and redirection of traffic:
■ IPTables rules are configured during installation of Content Gateway.
○ Forcepoint IPTables chains are inserted.
○ Forcepoint IPTables rules are also inserted into existing chains.
○ Forcepoint chains and rules use “NC_” as a prefix for identification
purposes.
■ IPTables rules configured outside of the Content Gateway manager must:
○ Be inserted after Forcepoint rules
○ Never be added to Forcepoint chains
■ Forcepoint chains and rules should never be edited.

Installation Guide  41
 ■ If customized chains or rules impact the Forcepoint configuration, navigate to
/opt/wcg/bin and execute the following to re-establish the Forcepoint IPTables
chains and rules:
netcontrol.sh -r

©2022 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. All
other trademarks used in this document are the property of their respective owners.

42  Forcepoint Web Security