Installation and Deployment Guide: Websense® Endpoint Solutions, v8.0.x
©2014, Websense Inc. All rights reserved. 10900 Stonelake Blvd, 3rd Floor, Austin, TX 78759, USA Published 2014 Printed in the United States and Ireland The products and/or methods of use described in this document are covered by U.S. Patent Numbers 5,983,270; 6,606,659; 6,947,985; 7,185,015; 7,194,464 and RE40,187 and other patents pending.
Contents
Topic 1 Introducing Websense Endpoint Solutions
  TRITON AP-ENDPOINT Web
  TRITON AP-ENDPOINT DLP
  System requirements
    Hardware requirements
    Operating system requirements
Contents
Uninstalling endpoint software
  Windows uninstallation
    Local uninstallation
    Remote uninstallation with deployment server
    Remote uninstallation using distribution systems
  Mac uninstallation
Introducing Websense Endpoint Solutions
In this topic: TRITON AP-ENDPOINT Web; TRITON AP-ENDPOINT DLP; Hardware requirements; Operating system requirements; Browser support; DLP channel support
Applies to: TRITON AP-WEB v8.0.x; TRITON AP-DATA v8.0.x; Web Filter & Security v8.0.x; TRITON AP-ENDPOINT Web v8.0.x; TRITON AP-ENDPOINT DLP v8.0.
See System requirements, page 3 for information about the hardware requirements for endpoint client components. About this guide This guide describes how to deploy Websense software on endpoint client machines across your enterprise. Chapter 1 describes system requirements, browser and operating support, benefits, and other information. Chapter 2 describes how to obtain or create installation packages. Chapter 3 describes how to globally deploy software and install it on endpoint clients.
For supported browsers, TRITON AP-ENDPOINT Web manipulates proxy settings in real time. For example, if TRITON AP-ENDPOINT Web detects it is at a hotspot, but the user has not finished registration, it removes its proxy settings until the gateway has successfully opened. You can enable TRITON AP-ENDPOINT Web for some or all machines managed by the cloud or hybrid service.
  At least 1 GB RAM
  At least 500 MB free hard disk space (375 MB for installation, 125 MB for operation)
Linux (stand-alone DLP only)
  At least 1 GB RAM
  1 GB free hard disk space (not including contained files and temporary buffers; see the Data Security Manager Help for information about contained files and allocating enough disk storage for them)
Operating system requirements
Endpoint clients must be running one of the following operating systems:
Operating System
  Windows 7 with Service Pack 1
  Wi
Red Hat Enterprise Linux/CentOS 5.1 with stock kernel 2.6.18-53* (TRITON AP-ENDPOINT DLP only) Note: by default, Windows Server 2003 or XP support only 3 agents per client. If your endpoint clients will be running multiple agents—for example the endpoint agent, an antivirus agent, and an antispam agent—you must modify their registry entries. *The Linux DLP endpoint requires FUSE support to enable USB detection. If you are running CentOS 5.1, FUSE support is configured upon installation.
  Google Chrome up to v38 (32-bit only)
  Opera up to v24
Mac endpoints
  Firefox up to v33
  Safari up to v8.x
  Google Chrome up to v38 (32-bit only)
  Opera up to v24
Full support means that the browser supports all installation methods, and both policy enforcement and proxy manipulation. In addition to enforcing browser traffic, TRITON AP-ENDPOINT Web also enforces other Internet-enabled applications.
using Outlook 2003, then Office 2003 SP3 must be installed. TRITON AP-DATA supports IBM Lotus Notes version 8.5.1, 8.5.2 FP4, and 8.5.3. For Mac OS X, TRITON AP-DATA can analyze endpoint email generated by Outlook 2008, Outlook 2011, and Apple Mail. Printer drivers You can monitor data being sent from an endpoint machine to a local or network printer. TRITON AP-DATA supports drivers that print to a physical device, not those that print to file or PDF.
LAN control Users commonly take their laptops home and then copy data through a LAN connection to a network drive or share on another computer. They also commonly take data from a shared folder (at work) to copy onto their laptop. With TRITON AP-DATA you can control LAN operations to protect your data. Endpoint LAN control is applicable to Microsoft sharing only. Destination channels by operating system Not all destination channels apply to all operating systems.
Obtaining or Creating the Installation Package
In this topic: Downloading installation packages from the TRITON Manager; Creating installation packages from a package builder
Applies to: TRITON AP-WEB v8.0.x; TRITON AP-DATA v8.0.x; Web Filter & Security v8.0.x; TRITON AP-ENDPOINT Web v8.0.x; TRITON AP-ENDPOINT DLP v8.0.
On-premises TRITON Manager (hybrid deployments) Customers with on-premises TRITON AP-WEB installations can log onto the Web module of the TRITON Manager and then navigate to Settings > Hybrid Configuration > Hybrid User Identification to obtain the endpoint installation package. You must set an anti-tampering password to enable the package download links.
The utility can be found on any Windows server that includes TRITON AP-WEB, Web Filter & Security, or TRITON AP-DATA. Note The packages created by the Websense Endpoint Package Builder are backwards compatible with previous endpoint versions. 1. Launch the Websense TRITON AP-ENDPOINT Package Builder.
Remote Filtering Client - choose this if you want to provide just remote filtering of endpoint clients (requires TRITON AP-WEB or Web Security & Filtering). Also select a language for the client components. In the TRITON Manager, you can change the language used for displaying messages to TRITON AP-ENDPOINT DLP users, but the language displayed in the user interface (buttons, captions, fields, etc.) can only be set during packaging. Click Next when you’re done.
3. On the Installation Platform and Security screen, select the operating system or systems for which you want to create an installation package, create the administrator password that will be used to uninstall or modify endpoint client software, and configure anti-tampering settings. When you are finished, click Next. You can create Windows (32-bit or 64-bit) or Mac OS X installation packages for endpoint web deployments or for deployments with both endpoint web and DLP features.
Click Show characters to display the password characters while you type. Sometimes when users cannot modify or uninstall the endpoint software, they try to delete the directory where the software is installed. Click Protect installation directory from modification or deletion if you do not want users to be able to perform these functions. 4. On the Installation Path screen, specify the directory to use for installing endpoint software on each endpoint device.
TRITON AP-ENDPOINT DLP module 1. If you subscribe to the TRITON AP-ENDPOINT DLP module, the Server Connection screen appears: IP address or hostname: Provide the IP address or hostname of the TRITON AP-DATA server that endpoint machines should use to retrieve initial profile and policy information. (Once configured, endpoints retrieve policy and profile updates from the endpoint server defined in their profiles.
2. Click Next and the Client Settings screen appears. Complete the fields as follows:
User interface mode: Select from the following 2 options:
  Interactive: A user interface is displayed on all endpoint machines. Users know when files have been contained and have the option to save them to an authorized location.
  Stealth: The TRITON AP-ENDPOINT DLP user interface is not displayed to the user.
TRITON AP-ENDPOINT Web 1. Use the Proxy Settings screen to specify the URL for your organization’s PAC file. Replace the default URL with the customized URL for your deployment. Hybrid deployments For hybrid deployments, the URL can be found on the Settings > Hybrid Configuration > User Access page in the Web module of the TRITON Manager. Select the URL appropriate for your environment (either port 8082 or port 80). For example: Default (port 8082): http://pac.hybridweb.global.blackspider.com:8082/proxy.
Note the difference between the sub-domains of the default PAC file URL and the sample customized URL. The “hybrid-web” sub-domain is used for on-premises TRITON AP-WEB deployments that use TRITON AP-ENDPOINT.
Full cloud deployments
For full cloud deployments, the “webdefence” sub-domain is used. For example, a policy-specific PAC file URL looks something like this:
Default (port 8082): http://webdefence.global.blackspider.com:8082/proxy.pac?p=8h6hxmgf
Alternate (port 80): http://webdefence.global.
Indicate whether or not to Log user Internet activity seen by Remote Filtering Client instances installed using this customized installation package, and then click Next. 3. Use the Trusted Sites list to enter up to 4 URLs, IP addresses, or regular expressions for sites that Remote Filtering Client users can access directly, without being filtered or logged. Click Add to enter a URL, IP address, or regular expression.
When you are finished, click Next. 4. Indicate whether or not to Notify users when HTTPS or FTP traffic is blocked, then, if notification is enabled, specify how long (in seconds) the message is displayed. Enter and confirm the Pass phrase used for communication with Remote Filtering Server. This must match the pass phrase created when Remote Filtering Server was installed.
When you are finished, click Next. Global settings 1. When you’re done configuring your endpoint selections, use the Save Installation Package screen to enter a directory path to use for storing the installation package before it is deployed to client machines. Either manually enter a path or click Browse to find the location. 2. Click Finish.
You’ll see a system message if the package is created successfully. If the creation of the package fails, you’ll see an error message. If this happens, contact Websense Technical Support for assistance. 3. Click OK. Once the packaging tool has finished, the packages are created in the designated path. Refer to Deploying endpoint software in Your Enterprise, page 21 for instructions on distributing the package to the endpoint devices.
Deploying endpoint software in Your Enterprise
In this topic: Before you begin; Deploying Windows endpoints; Deploying Mac endpoints
Applies to: TRITON AP-WEB v8.0.x; TRITON AP-DATA v8.0.x; Web Filter & Security v8.0.x; TRITON AP-ENDPOINT Web v8.0.x; TRITON AP-ENDPOINT DLP v8.0.
EndpointClassifier.exe and kvoop.exe Ensure the endpoint installation path is not being encrypted by disk encryption software. If you are including DLP, ensure that the auto-update feature in the Web module of the TRITON Manager is disabled. If you want auto-updates, you can use the TRITON AP-DATA method described below. (Windows only) For hybrid web deployments, make sure that your user accounts are synchronized with the hybrid service.
When configured properly, your update server pushes software updates out to endpoint machines and installs the packages in the background silently. Note If you want to change the components installed on an endpoint client with components of the same version (for example, switch from a mixed deployment to a stand-alone DLP deployment), you must use the package builder to generate a new package and use one of the other deployment options to deploy it.
where: is the anti-tampering password used by the previous-version endpoint client (if upgrading) or to be used by the new endpoint. is the WSCONTEXT value displayed in the GPO command string on the Settings > Hybrid Configuration > Hybrid User Identification page in the Web module of the TRITON Manager or the Web > Endpoint page in the Cloud TRITON Manager.
In virtual desktop (VDI) environments, install the endpoint software as if the client machine were a physical machine, while taking into consideration any additional steps required by the infrastructure for third-party installations. Testing deployment To confirm that the endpoint software is installed and running on a machine: For endpoint web deployments, go to Start > Administrative Tools > Services. Check that Websense SaaS Service is present in the Services list and is started.
Endpoint files are installed in the /Library/Application Support/Websense Endpoint/ directory. When TRITON AP-ENDPOINT DLP is installed and running in interactive mode, an icon appears on the endpoint machine’s task bar. Click the icon for status information. (No icon shows in stealth mode.) To check whether the endpoint is running, open ‘Activity Monitor’ and select ‘All Processes’ under the menu option ‘View’.
Configuring and managing endpoints Once the endpoint software is deployed, endpoint web protection is automatically started. The policies and exceptions you created for users whose requests are managed by the hybrid service are applied automatically. TRITON AP-ENDPOINT DLP requires configuration in the TRITON Manager. This entails: 1. Adding an endpoint profile to the Data module of the TRITON Manager or using the default. A default profile is automatically installed with the client package.
Uninstalling endpoint software
Windows uninstallation
You can uninstall endpoint software in 2 ways:
  Locally on each endpoint client
  Remotely through a deployment server or distribution system
Note: If you configured an administrative password, you must supply it to uninstall the software.
Local uninstallation
1. Go to Start > Control Panel > Add/Remove Programs.
2. The Add/Remove Programs screen is displayed.
3. Scroll down the list of installed programs, select TRITON AP-ENDPOINT and click Remove.
4.
Remote uninstallation with deployment server
If you use a deployment server to deploy endpoint software, you can perform a silent uninstall by running the following command (does not apply to stand-alone DLP):

    msiexec /x {product_code} XPSWD=password /qn

where:
{product_code} is a unique identifier (GUID) that can be found in the setup.ini file of each installation package or the system registry. It is different for each version and bit type (32- versus 64-bit).
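One way to script the silent uninstall described above, resolving {product_code} from the system registry rather than typing it by hand. This is an added example, not part of the Websense guide; it assumes the product's registry DisplayName contains "TRITON AP-ENDPOINT" (the name shown in Add/Remove Programs) and that the password contains no double quotes.

```powershell
# Added example, not from the Websense guide.
# Assumption: the registry DisplayName contains "TRITON AP-ENDPOINT", the
# name the guide shows in Add/Remove Programs.
param([string]$NamePattern = '*TRITON AP-ENDPOINT*')

# 32-bit packages on 64-bit Windows register under WOW6432Node.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# MSI-installed products use their product code (a GUID) as the key name.
$entries = @(Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern -and
                   $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' })

if ($entries.Count -eq 0) {
    Write-Error "No installed product matches '$NamePattern'."
    exit 1
}
if ($entries.Count -gt 1) {
    # Version and bit type each have their own code; do not guess.
    $entries | ForEach-Object { Write-Warning "$($_.DisplayName) $($_.PSChildName)" }
    Write-Error 'More than one matching product code; narrow -NamePattern.'
    exit 1
}
$productCode = $entries[0].PSChildName

# Prompt for the administrator password rather than storing it in the script.
$secure = Read-Host -Prompt 'Endpoint administrator password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# msiexec takes the password as a plain-text property, so it is visible to
# anything on this machine that records process command lines.
$msiArgs = @('/x', $productCode, "XPSWD=`"$plain`"", '/qn')
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Standard MSI exit codes: 0 = success, 3010 = success, restart required.
if ($proc.ExitCode -notin 0, 3010) {
    Write-Error "msiexec exited with code $($proc.ExitCode)."
    exit $proc.ExitCode
}
Write-Output "Uninstalled $productCode (exit code $($proc.ExitCode))."
```

Run it from an elevated PowerShell 5 or later session on the endpoint.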
Mac uninstallation
1. Go to System Preferences.
2. In the Other section, click the icon for the Websense endpoint software.
3. Click Uninstall Endpoint.
4. Enter the local administrator name and password.
5. Click OK.
6. If you created an anti-tampering password to block attempts to uninstall or modify endpoint client software, enter that password.
7. Click OK to begin uninstalling the endpoint.
8. You’ll receive a confirmation message if the endpoint was successfully uninstalled.