
v5.5.

Client Policy Manager™


Installation Guide
Websense Enterprise® v5.5.2 Client Policy Manager
Installation Guide
©1996–2005, Websense, Inc.
All rights reserved.
10240 Sorrento Valley Rd., San Diego, CA 92121, USA
Published May 2, 2005
Printed in the United States of America
NP33-0003CPMINSTALL
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic
medium or machine-readable form without prior consent in writing from Websense Inc.
Every effort has been made to ensure the accuracy of this manual. However, Websense Inc., makes no warranties with
respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose.
Websense Inc. shall not be liable for any error or for incidental or consequential damages in connection with the furnishing,
performance, or use of this manual or the examples herein. The information in this documentation is subject to change
without notice.
Trademarks
Websense and Websense Enterprise are registered trademarks of Websense, Inc. in the United States and certain
international markets. Websense has numerous other unregistered trademarks in the United States and internationally. All other
trademarks are the property of their respective owners.
Microsoft, Windows NT, Windows 2000, Windows 2003, Windows XP, Internet Explorer, and Active Directory are
trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other countries. Netscape
Navigator and Netscape Communicator are also trademarks of Netscape Communications Corporation and may be
registered outside the U.S.
The following is a registered trademark of Novell, Inc., in the United States and other countries: Novell Directory Services.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the
United States and/or other countries.
Pentium is a registered trademark of Intel Corporation.
This product includes software distributed by the Apache Software Foundation (http://www.apache.org).
Copyright (c) 2000. The Apache Software Foundation. All rights reserved.
Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies
and are the sole property of their respective manufacturers.
Contents

Chapter 1 Introduction  11
  Understanding the CPM Operating Environment  12
  Shared Websense Enterprise Components  13
    Policy Server  13
    User Service  14
    Websense Enterprise Manager  14
  CPM Components  16
    CPM Server  17
    CPM Deployment Service  17
    Client Agent  18
    Client Policy Manager Databases  18
      Database Engine Requirements  20
      Websense Enterprise Master Database  20
      CPM Inventory Database  20
      CPM Log Database  20
    CPM Reporter  21
    Explorer for CPM  21
  System Requirements  22
    CPM Server  22
    SQL Database Server  23
    CPM Reporter/Explorer for CPM  23
    CPM Deployment Service  24
    Client Agent  26
  Bandwidth Requirements  27
  CPM and Anti-Virus/Firewall Compatibility  28
  Client/Server Authenticated Communications  29
  Communications and Port Use  30

Chapter 2 Distributing CPM Components  33
  Choosing Your CPM Distribution Model  34
    Small Environments  34
    Medium Environments  35
    Large Environments  36
    Enterprise Environments  36
    Shared Environments  36
  Installing Distributed CPM Components  38
  Deploying Client Agent  39

Chapter 3 Installing CPM Server  41
  Critical Installation Details  41
  Installing CPM on a Single Machine  42
  Installing CPM on Multiple Machines  44
  Installing CPM in a Shared Environment  46
  Using Websense Enterprise Setup  49
    Accessing and Unzipping CPM Installation Files  50
    Beginning CPM Installation  52
    Selecting Components  54
      Installing CPM Components on One Machine  57
      Installing CPM Components on Multiple Machines  57
      Installing CPM Components in a Shared Environment  57
    Selecting an Interface  58
    Entering the Subscription Key  59
    Selecting a Web Server for Reporting Tools  62
    Selecting the IIS Virtual Directory Location  65
    Identifying the Policy Server  66
    Identifying the Database  67
      Database Access  68
    Identifying Domain Access for CPM Deployment Service  73
    Selecting Workstation Languages  74
    Identifying the CPM Server Communication Port  75
    Identifying an Encryption Pass Phrase  77
    Identifying the Websense File Location  78
    Reviewing Installation Details  79
    Identifying Access for Explorer for CPM when Using Apache  81
      Identifying HR User Access  81
      Identifying Restricted Access  83
    Restarting Apache  84
    Completing CPM Installation  84
  Completing Setup for Windows XP, Service Pack 2  86
    Enabling File and Printer Sharing  86
    Adding WDC.exe as an Exception  86
  Configuring Initial Settings  87
  Upgrading or Repairing CPM Components  88
    Upgrades and Rules  88
    Upgrading or Repairing CPM  89
  Removing CPM  90
    Uninstalling CPM from One Machine  90
    Uninstalling CPM from Multiple Machines  91

Chapter 4 Preparing CPM for Use  93
  Working with Policy Server  93
    Adding a Policy Server  93
    Connecting to a Policy Server  95
    Disconnecting from a Policy Server  96
    Deleting a Policy Server  96
    Subscribing to Websense  96

Chapter 5 Deploying Client Agent via Websense Enterprise Manager  99
  Client Agent Requirements  101
    Windows 98 Compatibility  102
    VPN Support  102
  Deploying Clients: The Process  102
    Installing or Deploying Client Agent for Windows XP  103
    Upgrading Client Agent v5.2 to v5.5  103
  Accessing the Deployment Status Pane  104
  Managing Client Options  106
    Deploying Client Agent  107
    Refreshing Deployment Data  110
    Removing Clients From the Selected Clients List  110
    Canceling Client Agent Deployment  111

Chapter 6 Deploying Client Agent via Scripts  113
  Predeployment Information  114
  Selecting the Deployment Method  114
    Deploying Agents Across Multiple Domains  115
      Deploying Agents Across Multiple Domains: Method 1  115
      Deploying Agents Across Multiple Domains: Method 2  116
  Manually Configuring DeploymentServer.ini  116
    DeploymentServer.ini Parameters  117
      Identifying Multiple Domains  117
      Identifying the CPM Deployment Service Port  117
      Identifying Maximum Number of Concurrent Deployments  118
      Controlling Client Agent Settings  118
  Preparing to Use Logon Scripts  119
  Using Logon Scripts  120
    WsClientDeployTrigger.exe Parameters  120
      Required Parameters  120
      Optional Parameters  121
      Encrypting ProxyUsername and ProxyPassword  122
    Configuring Logon Script Execution  122
      Windows 2000: Via Group Policy  123
      Windows 2000: Via User Profiles  123
      Windows NT  124
    Uninstalling Client Agent via Scripts  124
  Using Command Line Options for Authentication  125
  Using Third-Party Deployment Tools  126
    Command Line Parameters for Client Agent Installation  126
    AutoReboot Parameters for Uninstalls and Upgrades  127
    Syntax  128
  Using Scripts for Unattended Client Agent Install/Uninstall  128
  Using Command Prompt for Starting or Stopping Client Agent  129
    Starting Client Agent  129
    Stopping Client Agent  129

Chapter 7 Working with Single Instances of Client Agent  131
  Preparing for Client Agent Installation  131
  Selecting an Installer  132
  Accessing Client Agent Files from a Server  133
  Installing CPM Deployment Service Locally  134
  Installing Client Agent Locally  136
  Upgrading or Repairing a Local Instance of Client Agent  137
  Uninstalling a Local Instance of Client Agent  138

Chapter 8 Preparing Explorer for CPM for Use  139
  Apache  140
  Microsoft IIS  140
    Setting User Access for Microsoft IIS  141
  Defining Department Level Reporting  142
    Populate the USER_MANAGERS Table  142
    Simple Example  143
    Give Access to Department Managers  144
  Launching Explorer for CPM  145
    Launch Explorer for CPM From the Start Menu  145
    Launch Explorer for CPM in a Browser  146

Chapter 9 Troubleshooting  147
  Troubleshooting Server-side Installation  147
    Are there any installation methods I should avoid?  148
    Why am I having problems installing CPM Reporter?  148
    Why am I receiving a Failed to Connect to Database error after installing CPM Reporter and Explorer for CPM when I use IIS as my Web Server?  149
    Why isn’t the subscription key recognized?  149
    Why isn’t the user interface active in Websense Enterprise Manager after installation?  149
  Troubleshooting Database Issues  151
    Why am I having trouble accessing Websense download sites and my.websense.com?  151
    Why can’t I download the Websense Enterprise Master Database or send AppCatcher data to Websense?  152
      Proxy Information is Required  152
      Proxy Information is Not Required  153
      Authentication is Required  153
      Firewall Restrictions  153
      Anti-virus Applications  154
    Where can I find error messages when a Websense Enterprise Master Database download fails?  154
    Why am I receiving an “Unable to connect to database” error message?  154
  Troubleshooting Client Agent Installations  155
    Why does Client Agent deployment fail when Websense Enterprise Manager is installed on a machine running XP Service Pack 2?  155
    Why am I having problems installing Client Agent on a Windows NT machine where ZoneAlarm has been installed?  156
    Why am I receiving an error message that says “Unable to read registry keys” when I am trying to deploy Client Agent to a machine running the XP operating system?  156
    Why is it taking a very long time to deploy Client Agent?  157
    Why am I having problems upgrading from previous versions of Client Agent to Client Agent v5.5.2?  157
    When do I need to uninstall Client Agent and how do I do it?  157
      Uninstall Client Agent at a Single Machine  158
      Uninstall Client Agent at Multiple Machines  158
    Why am I having trouble uninstalling Websense Client Agent?  159
    When do employees need to restart their machines?  159
    Why am I having trouble reinstalling Client Agent?  160
    Why are employees having problems with machines where Client Agent 5.x was upgraded to Client Agent 5.5.2?  160
  Troubleshooting and Disaster Recovery  161
    What CPM files should I back up for recovery?  161
    Are there files on the SQL database server I should back up for recovery?  162
    How do I restore CPM after a disaster?  162

Appendix A Technical Support  163
  Websense Technical Services Support Center  163
  Fee-based Support  163
  Support Options  163
    Web Portal  163
    Email Questions  164
    Telephone Assistance  164
    Improving Documentation  165

Glossary  167
Index  171

CHAPTER 1
Introduction
Thank you for choosing Websense Enterprise® Client Policy Manager™
(CPM) to monitor software and hardware, and to control software, on machines in
your network. Client Policy Manager components allow you to set controls,
monitor installations and launches, and create reports to show operational
details.
Before you can take advantage of the security that Websense, Inc. provides for
your desktops, you must:
1. Plan how you want to distribute components
2. Gather information necessary for installation
3. Properly install CPM components
4. Enter subscription data
5. Deploy Client Agent
The Client Policy Manager Installation Guide provides useful information for
determining which approach is suitable for your environment, in addition to
installation procedures.

NOTE
CPM operates only on TCP/IP-based networks. If your
network uses both TCP/IP and non-TCP protocols, CPM
filters only those users on the TCP/IP portion of your
network.


Understanding the CPM Operating Environment

CPM is designed to work in tandem with the Websense Enterprise Web
Filtering module or in a stand-alone mode. All components, with the
exception of reporting tools, must be installed and active if CPM is to work
properly.
CPM uses:
• Shared Websense Enterprise Components, page 13. These may be already
  installed with the Web Filtering module, or may be installed as part of the
  CPM installation.
• CPM Components, page 16. These are specific to CPM and include
  components that work with the shared components, in addition to
  components that are specific to CPM.

CPM Operating Environment


Shared Websense Enterprise Components

Shared Websense components are necessary for CPM operations, and may be
installed with Websense Internet Filtering or CPM. The modules may share
components or may use them in standalone mode. Shared components can
reduce the overhead required for system and machine operations, and can be
distributed across your network.

Shared components are:
• Policy Server, page 13
• User Service, page 14
• Websense Enterprise Manager, page 14

Policy Server
The Policy Server stores Websense configuration information. Policy Server
communicates this data to the CPM Server, which then passes the information
to the Client Agent. If your network is in the enterprise category (10,000+
users), you may want to install and run multiple Policy Servers.


Policy Server configuration first occurs during installation, while connectivity
configuration occurs in Websense Enterprise Manager, as described in
Working with Policy Server, page 93. After installation, Policy Server
automatically identifies other Websense components, continually tracking the
location and status of the Websense services. Policy Server also maintains
ongoing policy updates for CPM.
User Service, page 14
Websense Enterprise Manager, page 14

User Service
The User Service communicates with your organization’s directory service to
convey user-related information to Policy Server and CPM Server, for use in
identifying machines and applying the CPM policy. This information includes
user-to-group and user-to-domain relationships. User Service provides the list
of objects residing in your directory service to Websense Enterprise Manager.
User Service configuration first occurs during installation, while other options
are set in Websense Enterprise Manager. There must be one instance of User
Service for each Policy Server in your network.

Websense Enterprise Manager


Websense Enterprise Manager is the user interface for configuring Websense
modules. The Websense Enterprise Manager window contains a menu bar,
navigation tree, and content pane:


Websense Enterprise Manager, Desktop Tab

The first time you start Websense Enterprise Manager, the navigation tree is
empty. Once you add servers, these appear when you open Websense
Enterprise Manager and click the Desktop tab. When you connect to a server,
the navigation tree changes to show selections for that server.


CPM Components

Client Policy Manager components interact with Websense shared
components for desktop monitoring and control. The CPM components
provide the interfaces and communications necessary to inventory client
machines and populate the CPM databases for Websense Enterprise Manager,
CPM Reporter, and Explorer for CPM.

CPM components are:
• CPM Server, page 17
• CPM Deployment Service, page 17
• Client Agent, page 18
• CPM Reporter, page 21
• Explorer for CPM, page 21
• Client Policy Manager Databases, page 18


CPM Server
CPM Server processes are responsible for handling communications with
client machines, sending CPM inventory requests, downloading CPM rules
and database information to machines running Client Agent, and more.
CPM Server calls the User Service, one of the shared Websense Enterprise
components, for most directory service information. The User Service
identifies directory objects in the network, which are individual users, user
groups, domains, and machines identified by machine names.
For CPM Server and Client Agent communications, authentication is set
using a unique, encrypted passkey. During installation, you enter a passkey of
your choice. This, and internal passkeys in CPM, are combined and then
encrypted to provide a highly secure recognition code that authenticates the
communications, thus protecting data. Authentication is used by both CPM
Server and Client Agent.
You can also encrypt the actual communications between CPM Server and
Client Agent, based on the security level you want. You can accept the default
communication mode which uses clear text, or select communications using
Secure Socket Layers (SSL) technology. SSL protocol encrypts data before
transmitting information over the network.

CPM Deployment Service


The CPM Deployment Service makes it easy to deploy Client Agent using
one of several methods:
• Websense Enterprise Manager—In the Client Deployment pane, you
  can deploy Client Agent to one, many, or all machines. You can also
  uninstall Client Agent in the same manner.
• Scripts—Scripts can also be used to uninstall Client Agent.
• Third-party tools—Generally, this option is selected by companies that
  are already using third-party tools for software deployment.
If you choose to deploy Client Agent using Websense Enterprise Manager,
CPM Server passes deployment information to CPM Deployment Service,
which then deploys Client Agent. Communications at this point occur between:
• CPM Deployment Service and the machine where the deployment is
  taking place.
• CPM Deployment Service and CPM Server, where deployment status is
  sent from the service to CPM Server.


If you use CPM Deployment Service to deploy Client Agent via scripts or
third-party tools, the CPM Deployment Service does not communicate with
CPM Server. This is because the script or third-party software provides CPM
Deployment Service with the necessary instructions.
Once Client Agent is installed, it then sends information directly to CPM
Server, and communications between CPM Deployment Service and Client
Agent stop.

Client Agent
Client Agent resides on desktops, laptops, and/or servers in the CPM network,
and communicates with the CPM Server as long as connections are available.
Machines are considered connected when Client Agent can communicate with
CPM Server, regardless of the method. Methods may include local LAN,
VPN, and so forth.
When you first install Client Agent on a machine, it registers with CPM
Server, and begins downloading the CPM policy. When the download is
complete, Client Agent checks the policy, which it uses to control launch and
port access requests, and to determine data logging requirements.

Client Policy Manager Databases


Client Policy Manager uses Microsoft SQL databases to store information.
The SQL Server may be on the same machine as CPM Server or on a machine
that is able to communicate with the machine where you install CPM Server.
While database population occurs in the background, it is useful to understand
the functions associated with each database, and the source of the information
each database includes.

NOTE
While technically the Websense databases are SQL tables,
it is easier to define them as databases, since the
information they contain is specific to each.


CPM Databases

Client Policy Manager uses two databases that are saved to SQL Server, and
one which resides at CPM Server:
• Websense Enterprise Master Database is a proprietary and encrypted
  database which Websense, Inc. creates and maintains. The database
  identifies executables, applications, and port information and stores
  category and risk class details. This database is maintained at CPM
  Server. Read Websense Enterprise Master Database, page 20.
• CPM Inventory Database contains information collected during
  machine inventories. The database contains information about software
  and hardware that physically resides at machines that run Client Agent.
  Information is maintained in the SQL database. Read CPM Inventory
  Database, page 20.
• CPM Log Database contains CPM information collected when
  employees request launches. The database records date, time, user,
  machine name or IP address, and tracks category and risk class data as
  well. Information is maintained in the SQL database. Read CPM Log
  Database, page 20.


Database Engine Requirements


The CPM installation requires a licensed version of SQL Server. SQL Server
can be purchased from Microsoft or a Microsoft reseller.
SQL Server must be installed and able to communicate with any other
machines that will have CPM components installed before you begin CPM
installation. If you do not have SQL Server, CPM cannot be configured or
used.

Websense Enterprise Master Database


The Websense Enterprise Master Database contains signatures for executables
and applications, and information about the ports that applications are
assigned to use if they require network access. In the database, Websense, Inc.
identifies executables based on the task they are designed to perform, and
associates them with a specific Websense category. Ports are identified based
on their functional use. The Websense Enterprise Master Database downloads
automatically as part of the subscription process.

CPM Inventory Database


CPM Server builds the CPM Inventory Database from scans of local hard
drives for machines running Client Agent. Companies can use the data to:
• Monitor and control software.
• Monitor hardware installations.
You can run inventories immediately, schedule them to occur at a specific date
and time, and/or run them on a repeating basis. Client Agent scans the
machine where it is installed, and sends the collected data back to CPM
Server. The data is then stored in the CPM Inventory Database.

CPM Log Database


CPM Log Database stores information about CPM launch requests that are
defined to use logging. Each time an employee attempts to launch an
application, the local Client Agent saves a record of the transaction that
contains:
‹ Executable file name
‹ Version, if known
‹ Date and time of file installation, if known
‹ Publisher, if known
‹ Category
‹ User name
‹ Client Agent IP address
‹ Action (Permit, Block, Continue)
‹ Port access attempt, if any
‹ Date and time of response
CPM Reporter and Explorer for CPM use this information to generate
detailed reports.

CPM Reporter
CPM Reporter provides reports about desktop inventory, the results of launch
requests and network access attempts. The application uses information
collected by Client Agent and stored in the CPM Log database.
CPM Reporter provides on-demand and scheduled reports. Reports are
available in a browser, can be sent via email, or can be posted to an FTP
server.

Explorer for CPM


Websense Enterprise Explorer for CPM allows employees to access report
data instantly in a browser. The reports provide interactive options for
filtering data, and sensitive information can be hidden. Explorer for CPM is
an ideal way for managers and Human Resources staff to access data. It
supports rapid access of information, and critical details can be masked.
Because Explorer for CPM is designed for general use, Websense includes
two configurations:
‹ HR User access allows users to see all data. This includes employee and
machine names.
‹ Restricted User access allows users to see software data but hides the
employee names and machine names. This option allows employees to
perform statistical and analytic review of data without having access to
information that could violate privacy laws.

System Requirements
Before installing Client Policy Manager components, make sure that
machines meet system requirements. You need to know in advance where
your CPM Server, Policy Server, SQL Server, CPM Deployment Server, and
CPM Reporter Scheduler/Explorer for CPM will be installed, and which
machines will support Client Agent.
For most configurations, one machine with the minimum CPM Server
requirements and an installation of the SQL Server is powerful enough to
handle all but the largest CPM installations. If you have questions, please
contact Websense Technical Support.

IMPORTANT
For distribution of components in various corporate
environments, read Distributing CPM Components,
page 33 before installing CPM.

CPM Server
CPM Server can support up to 20,000 desktops, if the server machine has
enough memory, speed and power. CPM Server does not require a dedicated
server, unless the machine is unable to handle functions imposed by Websense
modules. You can contact Websense or any Websense channel partner to
properly design your system for your environment.
Your CPM Server must run one of the following operating systems:
‹ Microsoft Windows 2000 Server, with Service Pack 3 or higher
‹ Microsoft Windows 2003 Server
Other CPM Server requirements include the following minimums:
‹ Processor: 800 MHz Pentium III class or higher
‹ Disk Space: 65 MB for Client Policy Manager installation, 120 MB for
Microsoft SQL Server
‹ Memory: 512 MB RAM or more

SQL Database Server


The CPM databases require one of the following SQL installations:
‹ Microsoft SQL Server 7, Service Pack 3 or 4
‹ Microsoft SQL Server 2000, Service Pack 2 or 3
You may install the database software on the machine where you install CPM
Server, or on a separate machine. If CPM Server runs on a dedicated machine,
you need one SQL license for that machine; if your system uses multiple
machines, you need an SQL license for each machine. In small environments,
however, you may be able to use one machine and one SQL license for all
Websense modules.

CPM Reporter/Explorer for CPM


CPM Reporter and Explorer for CPM are installed during a single step. If you
are distributing components onto two or more machines, your installation
requires one of the following platforms:
‹ Microsoft Windows 2000 Server or Advanced Server with Service Pack 3
or higher
‹ Microsoft Windows Server 2003
Other CPM Report Scheduler requirements include the following minimums:
‹ Processor: 800 MHz Pentium III class or higher
‹ Disk Space: 25 MB for installation; 15 MB to run the application
‹ Memory: 256 MB RAM or more
‹ Video: 800 x 600 or higher resolution, with at least 256 colors
‹ Web Server: IIS 4.0 for Windows NT, IIS 5.0 for Windows 2000, or
Apache 2.x or higher
‹ For Windows ME and NT client machines, you may need to install
Windows Management Instrumentation (WMI) if it is not already
installed. CPM Server uses the API to query and set data for Client Agent.

NOTE
To support client machines that are not preloaded with
WMI, Websense, Inc. includes the API in the Websense
Enterprise Setup. If you use Websense Enterprise Manager
or scripts that call CPM Deployment Service, WMI installs
automatically. For local installation, you must manually
install WMI. Installing Client Agent Locally, page 136,
documents the process.

‹ Browsers must have cookies enabled in order to access CPM Reporter.

CPM Deployment Service


You can install the CPM Deployment Service on the same machine where you
install CPM Server, and install other components elsewhere.
A machine that deploys Client Agent must be running one of the following:
‹ Microsoft Windows 2000 Professional with Service Pack 3 or higher
‹ Microsoft Windows 2003 Server
Other CPM Deployment Service requirements include the following
minimums:
‹ Processor: 500 MHz Pentium III class or better
‹ Disk Space: 15 MB for installation
‹ Memory: 128 MB or more
The CPM Deployment Service must have network connectivity with any
client machines that require assistance to install Client Agent. These client
machines are ones where the employee does not have local administrative
rights.

NOTE
Install CPM components, and enter subscription data
before deploying agents. If you do not, you may encounter
difficulties communicating with Client Agent.

This service:
‹ Supports mass deployment to numerous machines from Websense
Enterprise Manager’s Deployment Status pane.
‹ Populates Websense Enterprise Manager deployment functions, and
provides installation progress information in the Deployment Status
pane. For details, read Chapter 5: Deploying Client Agent via Websense
Enterprise Manager, page 99.
‹ Facilitates Client Agent installation for users who do not have local
administrator rights to their computers.
Requirements for using the CPM Deployment Service and scripts or third-
party tools include the following:
‹ A copy of CPM Deployment Service must be installed. Generally, this
is installed when you first install Websense CPM. You can also install it
separately. For information, read Installing CPM Server, page 41.
‹ If you are using logon scripts, you must develop the scripts to pass the
appropriate CPM Deployment Service machine name or IP address to
WSClientDeployTrigger.exe. For more information, read
Deploying Client Agent via Scripts, page 113.
‹ You must run the CPM Deployment Service under an account that has
domain administration privileges. This must be set for any domain and
machine where Client Agent will be deployed.
‹ You must configure firewalls to allow communication between the
machine running CPM Deployment Service and the machines where you
want to deploy Client Agent.
‹ You must ensure that any personal firewalls residing on client machines
do not block traffic between Client Agent and CPM Server. For example,
settings for a personal firewall could block HTTP, which would then
block communications between the client machine and CPM Server.

Client Agent
You must install Client Agent on machines you want to inventory, control,
and/or monitor. Client Agent is responsible for processing inventory at the
machine where it is installed, for applying CPM policies, and for all
communications with CPM Server.

WARNING
Do not install Client Agent on:
‹ Machines running Windows 2000, Service Pack 2 or
earlier. The installation will fail.
‹ Machines where you installed CPM Server or CPM
Reporter. Installation may cause software conflicts.
‹ Machines running Windows NT where ZoneAlarm is
installed.

Client Agent is supported on the following operating systems:


‹ Microsoft Windows 2000 Professional with Service Pack 3 or Service
Pack 4
‹ Microsoft Windows 2000 Server with Service Pack 3 or Service Pack 4
‹ Microsoft Windows 2000 Advanced Server with Service Pack 3 or
Service Pack 4
‹ Microsoft Windows NT 4.0 Workstation with Service Pack 6a
‹ Microsoft Windows NT 4.0 Server with Service Pack 6a
‹ Microsoft Windows XP Professional with Service Pack 1 or Service Pack 2
‹ Microsoft Windows Server 2003
Other minimum Client Agent requirements are:
‹ Processor: Pentium III 500 MHz
‹ Disk Space: 25 MB for installation; 15 MB to run the application
‹ Memory: 64 MB RAM, 128 MB pagefile
‹ For local Client Agent installations on Windows ME and NT client
machines, Windows Management Instrumentation (WMI) must be
installed before installing Client Agent. Deployment via Websense
Enterprise Manager or scripts causes WMI to install without manual
intervention. The files you download or access from CD include the
wmicore.exe file for WMI installation. By default, the file is at
\\<cpm server>\C:\Program Files\Websense\bin\Client\WMI Installers\9\wmicore.exe.
‹ Language Pack for Foreign Language Versions
Websense Enterprise Client Policy Manager v5.5 installs in English only.
Websense Enterprise Language Packs for converting systems to foreign
language versions are released separately from Websense Enterprise.
Installation instructions are provided with the Websense Enterprise Language
Pack product. You can download the Websense Enterprise Language Pack
from the Websense Web site at:
www.websense.com/downloads/
The supported languages are:
‹ Chinese Simplified
‹ French
‹ Japanese
‹ Spanish
‹ Chinese Traditional
‹ German
‹ Korean
‹ English

To learn more about installing the Language Pack and how it supports foreign
languages, refer to the release notes and installation guide for the Websense
Enterprise Language Pack.

Bandwidth Requirements
Before CPM installation, you need to be aware of the bandwidth requirements
for Client Agent deployment. The table below shows the number of Client
Agent deployments that are supported, given the percentage of total
bandwidth used.

                                     Percent of Bandwidth Used
Total Bandwidth      10%      20%      30%      40%      50%      60%      70%      80%      90%
128 Kbps               5       10       15       20       25       30       35       40       45
256 Kbps              10       20       30       40       50       60       70       80       90
512 Kbps              20       40       60       80      100      120      140      160      180
768 Kbps              30       60       90      120      150      180      210      240      270
1.0 Mbps              40       80      120      160      200      240      280      320      360
1.5 Mbps              60      120      180      240      300      360      420      480      540
10 Mbps              400      800    1,200    1,600    2,000    2,400    2,800    3,200    3,600
50 Mbps            2,000    4,000    6,000    8,000   10,000   12,000   14,000   16,000   18,000
100 Mbps           4,000    8,000   12,000   16,000   20,000   24,000   28,000   32,000   36,000
1 Gbps            40,000   80,000  120,000  160,000  200,000  240,000  280,000  320,000  360,000

CPM and Anti-Virus/Firewall Compatibility


Websense Enterprise Client Policy Manager is designed to supplement
security provided by anti-virus software and personal firewalls. Before
installing components, be sure that machines where you plan to deploy Client
Agent are running compatible anti virus software and/or personal firewalls:

Anti Virus
‹ Network Associates McAfee Anti Virus 4.x, 7.0
‹ Norton/Symantec Anti Virus Corporate Edition 7.6, 8.1
‹ Trend Micro Office Scan 5.0, 5.58
‹ Computer Associates eTrust Anti Virus 6.0, 7.x
‹ eTrust Anti Virus 6.0, 7.x
‹ Sophos Anti Virus
‹ Panda Business Secure
‹ F-Secure Anti Virus 5.42
‹ Norman Data Defense 5.7.0

Personal Firewalls
‹ Zone Labs
‹ Sygate
‹ Symantec
‹ Network Associates
‹ Black Ice
‹ EZ Armor
CPM may work with other anti-virus software and/or personal firewalls. If
you are running anti virus software and/or firewalls that are not in this list,
check the Websense Knowledge Base at www.websense.com/support/
knowledgebase/ for the most recent information.

Client/Server Authenticated Communications


CPM uses authenticated communications between CPM Server and Client
Agent. This adds extra security to communications, and stops any potential
unauthorized access to CPM Server and changes to rules that are sent to
Client Agent.
CPM verifies authenticated communications using a unique, unpublished
encrypted key. The key is created from a pass phrase you provide during
installation and unpublished keys in CPM. The combination of these elements
identifies the authentication key.

NOTE
If, for some reason, you do not want to use authentication
for your CPM installation, contact Websense Technical
Support for assistance. Phone numbers and email
addresses are listed in Technical Support, page 163.

This encrypted key is eventually sent to the Client Agent when it is deployed
to workstations in your network. The method used to send the encrypted key
to the Client Agent varies with the deployment method.
‹ If you use Websense Enterprise Manager to deploy Client Agent, the
authentication key is automatically sent to the Client Agent.
‹ If you use scripts and the CPM Deployment Service to deploy Client
Agent, the authentication key is automatically sent to the Client Agent.
‹ If you install Client Agent locally, you must provide either your pass
phrase or the encrypted key. You can locate the encrypted key in the
CAMServer.ini file. By default, the file is at C:\Program
Files\Websense\bin.

Communications and Port Use


Client Policy Manager requires access to the Internet for database downloads,
and internal intranets for communications between CPM Server, SQL, and
Client Agent. While CPM has default port selections, you can change many of
them to fit your company’s business requirements.
The following list identifies the default port settings/protocol.
‹ HTTP and FTP (80/TCP, 21/TCP) for master database downloads, from
your Policy Server to www.download.websense.com.
‹ NetBIOS (137/TCP, 138/TCP, 139/TCP) for CPM Deployment Service,
from Websense Enterprise Manager to each machine where Client Agent
is being installed. By default, the DeploymentServerPort is 55372. You
can change the value in the DeploymentServer.ini file if
necessary.
‹ NetBIOS (137/TCP, 138/TCP, 139/TCP) for choosing users and/or groups,
from the Websense User Service to your corporate directory service.
‹ HTTP (80/TCP) from anyone authorized to view reports in CPM Reporter
and Explorer for CPM.
‹ The following all use Port 0 as a default, and can be changed in Websense
Enterprise Manager:
„ Client Agent heartbeat, from each client to the CPM Server.
„ Outbreak, from CPM Server to each Client Agent, and from Client
Agent to Client Agent.
„ Policy updates, from CPM Server to each Client Agent.
„ Inventory, from each Client Agent to CPM Server.
Port 0 is the default port, which allows CPM to use any available port and
possibly improve communication times. You may select another if you
want. Read Client Policy Manager Administrator’s Manual, Chapter 3:
Configuring Client Policy Manager, Setting Client Control
‹ The Policy Server Port (PolicyServerPort) is 55806.
‹ The CPM Server port (DTMServerPort) is set to 80. If you use IIS as
your Web Server, you will be prompted to change this value during
installation, as IIS uses port 80 by design.
‹ The Logging port (LogServerPort) is Port 55805.
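
The default flows listed above can be checked against a firewall allow-list before deployment. The following Python audit is an added example, not Websense code: the role labels, the sample rule sets and the fixed ports 8001-8004 are constructed, and for the four settings given only as port numbers the destination is assumed to be the component the setting is named after.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    name: str
    src: Optional[str]  # None: the guide gives a port but no sender
    dst: str
    port: int           # 0 = CPM default, "any available port"
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    src: str            # role label, or "any"
    dst: str
    lo: int
    hi: int
    proto: str = "tcp"

NETBIOS = (137, 138, 139)
# Default flows transcribed from the port list above. Role labels are invented
# for this example. For the four settings listed only as port numbers, dst is
# assumed to be the component the setting is named after, and src is None.
REQUIRED = [
    Flow("master-db-http", "policy-server", "websense-download", 80),
    Flow("master-db-ftp", "policy-server", "websense-download", 21),
    *[Flow(f"deploy-netbios-{p}", "enterprise-manager", "client-agent", p) for p in NETBIOS],
    *[Flow(f"directory-netbios-{p}", "user-service", "directory-service", p) for p in NETBIOS],
    Flow("report-viewing", "report-viewer", "cpm-reporter", 80),
    Flow("DeploymentServerPort", None, "deployment-service", 55372),
    Flow("PolicyServerPort", None, "policy-server", 55806),
    Flow("DTMServerPort", None, "cpm-server", 80),
    Flow("LogServerPort", None, "logging", 55805),
    Flow("heartbeat", "client-agent", "cpm-server", 0),
    Flow("outbreak-server", "cpm-server", "client-agent", 0),
    Flow("outbreak-peer", "client-agent", "client-agent", 0),
    Flow("policy-updates", "cpm-server", "client-agent", 0),
    Flow("inventory", "client-agent", "cpm-server", 0),
]

def covers(rule, flow, port):
    """True if the allow rule admits the flow on that destination port."""
    return (rule.proto == flow.proto
            and rule.dst in (flow.dst, "any")
            and (flow.src is None or rule.src in (flow.src, "any"))
            and rule.lo <= port <= rule.hi)

def audit(rules, pinned=None):
    """Compare allow rules with REQUIRED; pinned maps flow name -> fixed port.

    Returns lists: covered (admitted by a rule), missing (known port, no rule),
    unpinned (still on port 0, so no exact rule can be written) and excess
    (rules that open more ports than the CPM flows they serve).
    """
    pinned = pinned or {}
    report = {"covered": [], "missing": [], "unpinned": [], "excess": []}
    effective = [(f, pinned.get(f.name, f.port)) for f in REQUIRED]
    for flow, port in effective:
        if port == 0:
            report["unpinned"].append(flow.name)
        elif any(covers(r, flow, port) for r in rules):
            report["covered"].append(flow.name)
        else:
            report["missing"].append(flow.name)
    for rule in rules:
        used = {p for f, p in effective if p and covers(rule, f, p)}
        if rule.hi - rule.lo + 1 > len(used):
            report["excess"].append(rule)
    return report

# Constructed sample rule sets (not taken from any real firewall).
BASE_RULES = [
    Rule("policy-server", "websense-download", 80, 80),
    Rule("policy-server", "websense-download", 21, 21),
    Rule("enterprise-manager", "client-agent", 137, 139),
    Rule("user-service", "directory-service", 137, 139),
    Rule("report-viewer", "cpm-reporter", 80, 80),
    Rule("any", "policy-server", 55806, 55806),
    Rule("client-agent", "cpm-server", 80, 80),
]
# Port 0 left in place: only a wide high-port range lets the traffic through.
DEFAULT_RULES = BASE_RULES + [Rule("cpm-server", "client-agent", 1024, 65535)]
# Constructed fixed ports assigned in place of port 0, with matching rules.
PINNED = {"heartbeat": 8001, "inventory": 8002, "policy-updates": 8003,
          "outbreak-server": 8004, "outbreak-peer": 8004}
PINNED_RULES = BASE_RULES + [
    Rule("client-agent", "cpm-server", 8001, 8002),
    Rule("cpm-server", "client-agent", 8003, 8004),
    Rule("client-agent", "client-agent", 8004, 8004),
    Rule("any", "deployment-service", 55372, 55372),
    Rule("any", "logging", 55805, 55805),
]

if __name__ == "__main__":
    for label, rules, pins in (("port 0 defaults", DEFAULT_RULES, None),
                               ("pinned ports", PINNED_RULES, PINNED)):
        print(label, {k: len(v) for k, v in audit(rules, pins).items()})
```

With the defaults, the five port 0 flows are reported as unpinned and the high-port range as excess; once fixed ports are assigned in Websense Enterprise Manager, each flow can be matched by an exact rule.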

CHAPTER 2
Distributing CPM Components
Websense Setup provides the tools necessary to install Client Policy Manager
and Client Agent on desktops, laptops, and servers in your network. You can
deploy components to various machines, modify and repair components, or
remove them completely using the installation program.
When installing Websense CPM, you may:
‹ Install all components on one machine. You can run Websense Setup once
and install all components during the same operation.
‹ Distribute components between machines. You will run the
Websense Setup at each machine and select the component or
components you want to install.
How you install shared Websense Enterprise components depends on how
you are setting up your system:
‹ If you have not installed any Websense product before, and you want to
install shared Websense Enterprise components on a different machine or
install them across multiple machines, you can use the CPM installation
program.
‹ If you have installed Websense Web filtering components already, you
can use the same shared Websense Enterprise components for the CPM
components.
This flexibility allows you to set up Websense to maximize machine
capability, reduce the load for a single machine, or consolidate installation and
maintenance procedures.

IMPORTANT
With the exception of Client Agent, you cannot have
multiple copies of any component that point to the same
CPM Server or Policy Server. For example, you can install
only one instance of CPM Reporter for each CPM Server
and Policy Server.

While CPM components do not require dedicated systems, larger
organizations often distribute components across various servers for
additional process durability.

Choosing Your CPM Distribution Model


Before you install CPM components, you need to determine how you are
going to distribute the components. Examples are provided for small,
medium, large, and enterprise environments.
You can also share common components with the Websense Enterprise Web
filtering module. Read Shared Environments, page 36.
Regardless of how you choose to install CPM, it is critical you know how you
want to distribute the components before you start. If you do not, it will take
longer to work out your approach, and you may need to uninstall components
from one machine and then reinstall them at another.

Small Environments
By definition, a small environment is an organization with between 1 and 500
client machines. The recommended setup is:
‹ Dedicated machine to run CPM Server and Microsoft SQL Server
‹ All CPM components on that same machine, which is, at a minimum, an
800 MHz Pentium III with 512 MB RAM

[Figure: Setup for a Small Environment]

If you have the available resources, use a separate machine for your SQL
Server installation. While this is not mandatory for a small environment, it
improves processing for both CPM management and reporting options. If you
are going to split the installation, consider putting CPM Reporter and
Explorer for CPM on the SQL Server machine.

Medium Environments
By definition, a medium environment is an organization with between 500
and 2,500 client machines. The recommended setup is:
‹ Dedicated machine to run Microsoft SQL Server, CPM Reporter, and
Explorer for CPM
‹ Dedicated machine to run CPM Server
‹ Machines, at a minimum, are 1 GHz Pentium III with 1 GB RAM

[Figure: Setup for a Medium Environment]

Large Environments
By definition, a large environment is an organization with between 2,500 and
10,000 employees. The recommended setup is:
‹ Dedicated machine running CPM Server and shared components
‹ Dedicated machine running Microsoft SQL Server, CPM Reporter, and
Explorer for CPM
‹ Machines are, at a minimum, 1.7 GHz Pentium IV with 2 GB RAM
The suggested component distribution for large environments is shown in the
diagram for medium environments. The difference is the available RAM and
processor speed at the machines where installation occurs.

Enterprise Environments
By definition, an enterprise environment is an organization with over 10,000
employees. The recommended setup is:
‹ Dedicated machine running CPM Server and shared components on a
1.7 GHz Pentium IV with 1 GB RAM or higher
‹ Dedicated machine running Microsoft SQL Server, CPM Reporter, and
Explorer for CPM on a 1.7 GHz Pentium IV with 2 GB RAM or higher
The suggested component distribution for enterprise environments is shown
in the diagram for medium environments on page 35. The difference is the
available RAM and processor speed at the machines where installation
occurs.

Shared Environments
Shared Websense components may be installed with either the Websense
Enterprise Web filtering module or the CPM module. When you install CPM
components, you may connect to previously installed components or install
them in standalone mode.
You can install CPM and point towards shared components that are already
installed for the Websense Web filtering module. These shared components
are Websense Enterprise Manager, Policy Server, and User Service.
How you deploy the remaining components depends upon the size of your
environment and the potential load on your servers. For example, in a small
environment, you may decide to share the common Websense components,
and then install the CPM components on one machine.

[Figure: Setup for a Small, Shared Environment]

If you are in a larger environment, you want to share common components
with the Websense Enterprise Web filtering module at one machine, place the
CPM reporting tools on another, and install the CPM Server and CPM
Deployment Service on yet another.

WARNING
Websense, Inc. recommends that you do not install CPM
components on machines where you have installed the
Websense Enterprise Web filtering module. If you do so,
you run the risk of impacting both Web filtering and CPM
functions, due to the potential impact on the services
necessary to run the modules.

Installing Distributed CPM Components

While full installation details appear in Chapter 3: Installing CPM Server,
page 41, installing distributed components requires a modified approach to
installation, because of the need for multiple machines. You need to run
the Websense Enterprise Setup at each machine and identify the specific
components you want to install at that machine.
If you are installing CPM components on more than one machine:
1. Decide how you want to distribute CPM components. Read Choosing
Your CPM Distribution Model, page 34.
2. Unzip CPM files. Read Accessing and Unzipping CPM Installation Files,
page 50. In a distributed environment, this should occur at a machine that
is easily accessible by the machines where you want to install Websense
components.
3. Go to a machine where you want to install components.
4. Access and run Setup552.exe. This may occur over a LAN, from a
CD, or from http://www.websense.com/global/en/downloads/.
5. When prompted to choose the installation method, select Custom, and
then click Next.
6. Select only the components you want to install on the local machine. For
details, read Selecting Components, page 54.

WARNING
If you are installing CPM in a standalone mode across
multiple machines, you must install Websense Enterprise
Manager, Policy Server, and User Service before installing
CPM-specific components. Generally, these “shared”
components are installed on one machine, with the CPM-
specific components installed at one or two other
machines.
Be sure to note the IP address or machine name where you
install the shared components. Also note the port you have
assigned. You will need this data when you install CPM
components on the other machines.

7. Follow any onscreen prompts to complete the installation.
8. Restart the local machine if prompted to do so.
9. Repeat Step 3 through Step 8 for each machine where you are installing
CPM components.

NOTE
As you install CPM components, you will be asked to
identify the machine where you installed the “shared”
components. Be ready to enter the IP address or machine
name where you installed Policy Server, and the port the
server is using.

Deploying Client Agent


If your organization has multiple domains, you need to install a copy of the
CPM Deployment Service on each domain. You cannot deploy clients
across domains. For complete details, read Deploying Client Agent via
Websense Enterprise Manager, page 99 or Deploying Client Agent via
Scripts, page 113.

CHAPTER 3
Installing CPM Server
Installing Client Policy Manager requires some advance planning on your part
to make the process as easy as possible. You must decide how you are going
to deploy CPM based on the size of your network and the presence of
Websense Web filtering components. Three basic installation scenarios are:
‹ CPM installed on a single machine.
‹ CPM installed on multiple machines.
‹ CPM installed in an environment where processes are shared with the
Websense Enterprise Web filtering module.
Each step cross-references detailed information.
Using Websense Enterprise Setup, page 49, documents each of the possible
dialog boxes you may encounter during installation, and identifies the
component causing the dialog box to appear. The information is presented in
roughly the same order you will see if you install CPM on one machine.
Summaries are also provided for repairs and upgrades for each of the installation
types. Like the summaries for installation, the repair and upgrade summaries
provide cross references to the appropriate documentation where applicable.

Critical Installation Details


The following information is provided to help you identify machines and/or
configurations that may cause problems with your CPM installation.
‹ CPM operates only on TCP/IP-based networks. If your network uses both
TCP/IP and non-TCP protocols, CPM filters only those users on the TCP/
IP portion of your network.
‹ The Microsoft SQL database must be installed and accessible before you
install CPM. If you cannot access the database, the CPM installation fails.
‹ If you are using IIS as your Web server, and are installing CPM Reporter
and Explorer for CPM separately, and not in tandem with CPM Server,
you must have appropriate IIS permission before installing CPM
Explorer/Reporter.
‹ Websense, Inc. recommends that you install the CPM module and
components directly at the local machine, via CD or download. You may
encounter problems if you use Windows Terminal Service or a shared
drive.
‹ If you are installing CPM in a standalone mode across multiple machines,
you must install Websense Enterprise Manager, Policy Server, and User
Service before installing CPM-specific components. Generally, these
shared components are installed on one machine, with the CPM-specific
components installed at one or two other machines.
‹ If you are installing CPM components on machines running the Windows
XP, Service Pack 2 operating system, you must enable File and Print
Sharing, and must set WDC.exe as an exception in the firewall. For
details, read Completing Setup for Windows XP, Service Pack 2, page 86.
‹ If you want to install Client Agent on more than one domain, you must
install one copy of CPM Deployment Service in each domain.

Installing CPM on a Single Machine


If your organization is using CPM for fewer than 500 machines, the “typical”
installation is the recommended installation process. The steps for a
successful installation are:
1. Check System Requirements, page 22, and make sure you have the
appropriate hardware, operating systems, and third-party software at the
machine where you are installing CPM.
2. Access files. Read Accessing and Unzipping CPM Installation Files,
page 50.
3. Make sure you have Administrator level access to the machine where you
are installing CPM. You need the user name and password.
4. Start the CPM installation. Read Beginning CPM Installation, page 52.
5. Select the components you want to install. Read Selecting Components,
page 54.
6. Enter a subscription key. Read Entering the Subscription Key, page 59.
7. Configure a Web server if necessary. Read Selecting a Web Server for
Reporting Tools, page 62. This page does not appear under the following
circumstances:
„ You have already installed a Websense Web-based reporting tool,
such as Real-Time Analyzer.
„ The CPM installer finds only one Web Browser at the machine. If this
occurs, the installer automatically configures that Web Browser.
If you do not have a Web server, you can install Apache, which is
available as a courtesy from Websense, Inc.
8. Configure the database and define access. Read Identifying the Database,
page 67.
9. Set domain access. Identifying Domain Access for CPM Deployment
Service, page 73, describes how to define access for the CPM
Deployment Service, which is needed to install Client Agent via
Websense Enterprise Manager or via scripts.
10. Set the communication port. Read Identifying the CPM Server
Communication Port, page 75.
11. If you are installing CPM Deployment Service, enter a pass phrase to
create an authentication key for communications between CPM Server
and Client Agent. Read Identifying an Encryption Pass Phrase, page 77.
12. If you are using Apache as your Web server, identify access roles for
Explorer for CPM. Read Identifying Access for Explorer for CPM
when Using Apache, page 81.
13. Decide where you want to install Websense files. Read Identifying the
Websense File Location, page 78. By default, the location is
C:\Program Files\Websense.
14. Make sure the components you selected are, in fact, the ones you want to
install. Read Restarting Apache, page 84.
15. If you are using Apache, and the Web server is currently running, you
may be asked to restart it. Read Restarting Apache, page 84.
16. Finish the installation. Read Completing CPM Installation, page 84.
17. If you installed CPM on a machine running Windows XP, Service Pack 2,
you must enable File and Print Sharing, and must enter WDC.exe as an
exception in the Windows firewall. Read Completing Setup for Windows
XP, Service Pack 2, page 86.
18. Configure CPM using Websense Enterprise Manager. Read Configuring
Initial Settings, page 87.
19. If you are using IIS as your Web server, you will need to configure
access for Explorer for CPM. Read Setting User Access for Microsoft
IIS, page 141.

Installing CPM on Multiple Machines


The following steps identify the functions and dialog boxes you will
encounter if you are installing CPM on multiple machines.
1. Check System Requirements, page 22, and make sure you have the
appropriate hardware, operating systems, and third-party software at the
machines where you are installing CPM.
2. Access files. Read Accessing and Unzipping CPM Installation Files,
page 50.
3. Make sure you have Administrator level access to the machines where
you are installing CPM. You need the appropriate user name and
password.
4. Start the CPM installation. Read Beginning CPM Installation, page 52.
5. Select the components you want to install. Read Selecting Components,
page 54.
You will install only some of the components at each machine:
■ You must install shared Websense components first, respond to
installer prompts, and then finish the installation on the first machine.
■ At subsequent machines, you will install CPM components, respond
to installer prompts, and then finish the installation on each machine.
6. If one of the components you are installing is the Websense Policy Server,
you will be asked to enter a subscription key. Read Entering the
Subscription Key, page 59.
7. If you are installing CPM Reporter and Explorer for CPM on the
machine, and the installation process does not detect a Web server, or
detects two Web servers, you will be asked to configure a Web server.
Read Selecting a Web Server for Reporting Tools, page 62. This dialog
box does not appear if:
■ You have already installed a Websense Web-based reporting tool,
such as Real-Time Analyzer.
■ The CPM installer finds only one Web server at the machine. If this
occurs, the installer automatically points to that Web server.


If you do not have a Web server, you can install Apache, which is
available as a courtesy from Websense, Inc.

WARNING
If you install CPM Reporter and Explorer for CPM
separately from CPM Server, and are using IIS as your
Web Server, you need to have an IIS user name with
administrative privileges before you install CPM Reporter
and Explorer for CPM.

8. Point components to the Policy Server. Read Selecting a Web Server for
Reporting Tools, page 62. This dialog box appears on machines where
you are installing only CPM components. If you are installing Policy
Server on the machine, this dialog box does not appear.

NOTE
From this point forward, you may not see some of the dialog
boxes described, as they are included only if you have
chosen the related components for installation in Step 5.

9. Configure the database and define access. Read Identifying the Database,
page 67.
10. Set domain access. Identifying Domain Access for CPM
Deployment Service, page 73, describes how to define access for the CPM
Deployment Service, which is needed to install Client Agent via
Websense Enterprise Manager or via scripts.
11. If you are installing CPM Deployment Service, enter a pass phrase to
create an authentication key for communications between CPM Server
and Client Agent. Read Identifying an Encryption Pass Phrase, page 77.
12. Set the communication port. Read Identifying the CPM Server
Communication Port, page 75.
13. If you are using Apache as your Web server, identify access roles for
Explorer for CPM. Read Identifying Access for Explorer for CPM
when Using Apache, page 81.


14. Decide where you want to install Websense files. Read Identifying the
Websense File Location, page 78. By default, the location is
C:\Program Files\Websense.
15. Make sure the components you selected are, in fact, the ones you want to
install. Read Restarting Apache, page 84.
16. If you are using Apache, and the Web server is currently running, you
may be asked to restart it. Read Restarting Apache, page 84.
17. Finish the installation. Read Completing CPM Installation, page 84.
18. If you installed CPM components on machines running Windows XP,
Service Pack 2, you must enable File and Print Sharing, and must enter
WDC.exe as an exception in the Windows firewall. Read Completing
Setup for Windows XP, Service Pack 2, page 86.
19. Configure CPM using Websense Enterprise Manager. Read Configuring
Initial Settings, page 87.
20. If you are using IIS as your Web server, you will need to configure access
for Explorer for CPM at the machine where you installed the CPM
reporting tools. Read Setting User Access for Microsoft IIS, page 141.

Installing CPM in a Shared Environment


The following steps identify the functions and dialog boxes you will
encounter if you are installing CPM on multiple machines.
1. Check System Requirements, page 22, and make sure you have the
appropriate hardware, operating systems, and third-party software at the
machine or machines where you are installing CPM.
2. Access files. Read Accessing and Unzipping CPM Installation Files,
page 50.
3. Make sure you have Administrator level access to the machine where you
are installing CPM. You need the user name and password.
4. Start the CPM installation. Read Beginning CPM Installation, page 52.
5. Select the components you want to install. Read Selecting Components,
page 54.
Select only CPM components: you will identify shared components that
were installed with the Websense Enterprise Web filtering module. Do
not install Websense Enterprise Manager, Policy Server, or User Service.


6. If you are installing CPM Reporter and Explorer for CPM on the
machine, and the installation process does not detect a Web server, or
detects two Web servers, you will be asked to configure a Web server.
Read Selecting a Web Server for Reporting Tools, page 62. This page does
not appear if:
■ You have already installed a Websense Web-based reporting tool,
such as Real-Time Analyzer.
■ The CPM installer finds only one Web server at the machine. If this
occurs, the installer automatically points to that Web server.
If you do not have a Web server, you can install Apache, which is
available as a courtesy from Websense, Inc.

WARNING
If you install CPM Reporter and Explorer for CPM
separately from CPM Server, and are using IIS as your
Web Server, you need to have an IIS user name with
administrative privileges before you install CPM Reporter
and Explorer for CPM.

7. Point components to the appropriate Policy Server. Read Selecting a Web
Server for Reporting Tools, page 62. You must know the IP address or
machine name where Policy Server was installed for the Websense
Enterprise Web filtering module.

NOTE
From this point forward, you may not see some of the dialog
boxes described, as they are included only if you have
chosen the related components for installation in Step 5.

8. Configure the database and define access. Read Identifying the Database,
page 67.
9. Set domain access. Identifying Domain Access for CPM
Deployment Service, page 73, describes how to define access for the CPM
Deployment Service, which is needed to install Client Agent via
Websense Enterprise Manager or via scripts.


10. If you are installing CPM Deployment Service, enter a pass phrase to
create an authentication key for communications between CPM Server
and Client Agent. Read Identifying an Encryption Pass Phrase, page 77.
11. Set the communication port. Read Identifying the CPM Server
Communication Port, page 75.
12. If you are using Apache as your Web server, identify access roles for
Explorer for CPM. Read Identifying Access for Explorer for CPM
when Using Apache, page 81.
13. Decide where you want to install Websense files. Read Identifying the
Websense File Location, page 78. By default, the location is
C:\Program Files\Websense.
14. Make sure the components you selected are the ones you want to install.
Read Restarting Apache, page 84.
15. If you are using Apache, and the Web server is currently running, you
may be asked to restart it. Read Restarting Apache, page 84.
16. Finish the installation. Read Completing CPM Installation, page 84.
17. If you installed CPM components on machines running Windows XP,
Service Pack 2, you must enable File and Print Sharing, and must enter
WDC.exe as an exception in the Windows firewall. Read Completing
Setup for Windows XP, Service Pack 2, page 86.
18. Configure CPM using Websense Enterprise Manager. Read Configuring
Initial Settings, page 87.
19. If you are using IIS as your Web server, you will need to configure access
for Explorer for CPM at the machine where you installed the CPM
reporting tools. Read Setting User Access for Microsoft IIS, page 141.


Using Websense Enterprise Setup

The Websense Enterprise Setup provides smart installation for all possible
CPM environments. Depending on your selections during installation, the
installer identifies information you need to provide, and then leads you
through the process using the appropriate dialog boxes.

WARNING
If you have not yet planned CPM component distribution,
you need to do so before proceeding further. If you make
changes to component distribution after the initial
installation, you may need to fully reinstall all components
to successfully make changes.

If you need more information regarding the installation processes and the
details you need to identify in advance, read the following sections for the
distribution approach that best identifies your environment:
◆ Small environments (fewer than 500 client machines)
■ Small Environments, page 34
■ Installing CPM on a Single Machine, page 42
◆ Medium environments (between 500 and 2,500 client machines)
■ Medium Environments, page 35
■ Installing CPM on Multiple Machines, page 44
◆ Large environments (between 2,500 and 10,000 client machines)
■ Large Environments, page 36
■ Installing CPM on Multiple Machines, page 44
◆ Enterprise environments (more than 10,000 client machines)
■ Enterprise Environments, page 36
■ Installing CPM on Multiple Machines, page 44
◆ Shared environments (any environment where both Websense Enterprise
Web filtering and CPM are installed, and share Websense Enterprise
Manager, Policy Server, and User Service)
■ Shared Environments, page 36
■ Installing CPM in a Shared Environment, page 46


Accessing and Unzipping CPM Installation Files


To access and unzip files for CPM installation:
1. Log onto the installation machine with local administrator rights.

NOTE
Websense, Inc. recommends that you install the CPM
module and components directly at the local machine, via
CD or download. You may encounter problems if you use
Windows Terminal Service or a shared drive.

2. Close all open applications on the installation machine.


3. Run one of the following Websense Enterprise installers:
■ Web download: Download one of the following packages from
http://www.websense.com/global/en/Downloads/ to a folder on the
installation machine and double-click to extract the installer files.
• Online installer: The online installer package (Setup552.exe)
contains only the installer files. The necessary product files are
downloaded from the Web site as needed after product selections
have been made.
• Offline installer: The offline installer
(Websense552Setup.exe) is much larger than the online
package and contains all the files needed to install CPM
components. Use this package only if you experience difficulties
installing with the online installer.
a. A screen displays instructions for extracting the setup program.


Installer Download Extraction Screen

b. Click Browse to select a destination folder or type in a path.
If the path you enter does not exist, the installer will create it for
you.
c. Click Extract to begin decompressing the files.
If Websense Enterprise installation files already exist in that
location, you may choose to overwrite the existing files.
A progress bar shows the status of the extraction, and the view
pane scrolls a list of the files as they are decompressed.
■ Product CD: Run WebsenseStart.exe from the Websense
Enterprise v5.5.2 product CD (\WebsenseStart) to launch the
installer start screen. The file will run automatically if autorun is
enabled. The product CD contains all the files needed to upgrade
Websense Enterprise components.


CD-ROM Installation Start Screen

Click Install to extract the installer files to a default \Temp
directory on the installation machine.
Setup.exe runs automatically after the files are decompressed.

Beginning CPM Installation


After you unzip the files, you are ready to begin installing CPM:
1. Log on to the machine where you want to install CPM components as the
administrator. If you do not, a prompt appears that forces you to provide
the administrator password. If you do not have the password, the
Websense Enterprise Setup exits.
2. Access the installation files, and double-click Setup.exe to begin the
Websense Enterprise Setup.
3. When the Welcome screen opens, review the information and then click
Next. The Subscription Agreement dialog box opens.
4. Read the agreement. If you agree and want to continue the installation,
select Yes, I accept the terms of the subscription agreement, and then
click Next. The product selection dialog box opens.


Websense Module Selection

5. Select Client Policy Manager, and then click Next.

NOTE
Websense Setup provides links for installing Websense
Enterprise v5.5 Web filtering and Websense Enterprise
Reporting for Web filtering, in addition to CPM.
Do not install Websense Enterprise Reporting unless you
are also installing the Web filtering module. There are two
reporting tools that are specific to CPM, which are
installed during the CPM installation process.
If you decide to evaluate Websense Enterprise Web
filtering, install components on separate machines for the
best performance. Documentation is available at
www.websense.com/support/documentation.

You are now ready to select the CPM components you want to install.


Selecting Components
There are several ways you can distribute Websense components, most of
which require advance planning. You can install CPM components at one
machine or across several machines. If you subscribe to both CPM and the
Websense Enterprise Web filtering module, you can share Websense
Enterprise Manager, Policy Server, and User Service between the two
modules.
These flexible options allow you to adjust the installation to meet your needs.
If you are not sure what distribution option is appropriate in your
environment, review Chapter 2: Distributing CPM Components, page 33.
To select components:
1. When the setup screen appears, select the installation method that best
suits your environment, and then click Next. Your options are:
■ Typical. Select this option if you are installing all CPM components
on one machine. This is the best choice for environments with fewer
than 500 client machines. Move to Identifying the Database, page 67.
■ Custom. Select this option if you are distributing components to
more than one machine or if you are sharing components with the
Websense Enterprise Web filtering module. Move to Step 2.

Setup Selection


2. If you chose Custom, the Component Selection dialog box opens, listing
all components for CPM. Select one, many, or all of the components, in
any combination, and then click Next.

Component Selection

Make your choices based on the following guidelines:


■ Shared Components: components required by both CPM and Web
filtering
• Websense Enterprise Manager is what you use to configure the
CPM system and your policy, and run and view inventories.
• Policy Server stores CPM configuration details and your CPM
policy rules.
• User Service manages the Websense directory service
communications. The User Service collects information about the
machines and users that can be added for CPM monitoring and
control.
You can share these components between Websense modules if you
want or install them separately for each module. If you are sharing
components, described in Shared Environments, page 36, these
components may be installed with either the Web filtering or CPM
module.


In most distributed environments, these three components are
installed on the same machine. For information, read Chapter 2:
Distributing CPM Components, page 33.

WARNING
If you are distributing CPM components across
multiple machines, you must install the shared
components first. For specific installation
instructions, read Installing CPM Components on
Multiple Machines, page 57.

■ CPM Components: components required only for CPM. They may
be installed at the same machine where you install the shared
components, or may be distributed between several machines.
• CPM Server handles all communications to and from Client
Agent. The server also processes data for logging and handles
report requests from the reporting tools.
• CPM Deployment Service is needed to remotely install Client
Agent. You must install this component if you plan on using
Websense Enterprise Manager to deploy clients. It is also required
if you want to deploy clients using scripts.

NOTE
If you want to install Client Agent on more than one
domain, you must install one copy of CPM Deployment
Service in each domain. For details, read Chapter 5:
Deploying Client Agent via Websense Enterprise Manager,
page 99.

• CPM Reporter/Explorer provide Web-based CPM reporting
tools. Both reporting options are installed at the same time and in
the same location.


Installing CPM Components on One Machine


Generally, subscribers do not select Custom when installing CPM on a single
machine. If you do select Custom, and want to install all components on the
same machine, select all components for installation, and then click Next.

Installing CPM Components on Multiple Machines


If you are installing CPM components on multiple machines, but not in a
shared environment:
1. You must install Websense Enterprise Manager, Policy Server, and User
Service first. Most subscribers choose to install these shared components
on a single machine. Follow onscreen prompts as they appear. When the
installation is complete, go to the next machine.
2. Select the appropriate combinations of CPM components for installation,
based on your preplanned component distribution:
■ Medium to large environments: Install CPM Server, CPM
Deployment Service, and CPM Reporter/Explorer on a second
machine.

NOTE
If your environment includes more than one domain, you
must install CPM Deployment Service on each domain.

■ Enterprise environments: Install CPM Server on one machine and
CPM Reporter/Explorer for CPM on another machine, and CPM
Deployment Service on one machine in each domain. Many
organizations install the reporting components on the machine where
their SQL database engine is installed.

Installing CPM Components in a Shared Environment


If you are installing CPM components in a shared environment:
1. Do not select Websense Enterprise Manager, Policy Server, or User
Service. You will need to identify the Policy Server machine in the next
dialog box.


2. Select the appropriate combinations of CPM components for installation.


■ Medium to large environments: Install CPM Server, CPM
Deployment Service, and CPM Reporter/Explorer on a second
machine. This method is recommended for medium and large
environments.
■ Enterprise environments: Install CPM Server on one machine and
CPM Reporter/Explorer for CPM on another machine, and CPM
Deployment Service on one machine in each domain. Many
organizations install the reporting components on the machine where
their SQL database engine is installed.
3. When prompted, enter the IP address or machine name where the Policy
Server is installed.
4. Continue responding to onscreen prompts as appropriate.
The dialog box that appears next depends on how you are installing
components:
◆ If you are installing all components on one machine, or if you are
installing only some of the components, one of which is the Policy
Server, you need to enter your subscription key. Read Entering the
Subscription Key, page 59.
◆ If you are installing components at multiple machines and your selection
does not include Policy Server, or if you are installing CPM in a shared
environment, it is not necessary to enter your subscription key.

Selecting an Interface
If the installation machine has multiple network interface cards (NICs), Setup
displays a list of all NICs enabled on the machine. Select the interface you
want CPM to use for internal communication, and then click Next.


Multiple NIC Selection Screen

Entering the Subscription Key


If you are installing all Websense components on one machine, or if you are
installing components that include Policy Server in a multiple machine
environment, you will be asked to enter subscription data. If your installation
at the local machine does not include Policy Server, the dialog box does not
open.
The subscription key is needed for all configurations. In a shared
environment, that information is entered when you install the Web filtering
module. Once components are installed, the subscription key allows you to
download the Websense Enterprise Master database, and maintains
information about your evaluation or purchased subscription.
After you have selected components for installation, and the selection
includes the Policy Server, the Websense Subscription Key dialog box
opens.


Subscription Key Options

■ I have a Websense subscription key: Select this option and enter a
valid Websense subscription key if you want Setup to automatically
download the Websense Master Database during installation.
■ I need a 30-day evaluation key: Select this option to apply for a
temporary key to use for evaluating CPM, and then click Next.
A form for your company information appears.
a. Enter the name and title for the person in your organization who
is responsible for the decision to install and evaluate CPM in your
network. Provide the appropriate information about your
company and click Next to continue.


Company Information

b. Enter your contact information for the person named in the previous
screen. Make sure to enter a valid email address. This is where
the evaluation key will be sent.

Customer Information


c. Click Next to order an evaluation key.
Your 30-day evaluation key appears. Setup will use this key to
download the Websense Master Database during installation.

IMPORTANT
Write down your subscription key. If you are forced to exit
the installer for any reason before completing the
installation, you can run Setup again and download the
Master Database with this key.

■ I do not wish to use a key at this time: Select this option to continue
with the installation without entering a key or requesting an
evaluation key. You can apply for an evaluation key at any time from
http://www.websense.com/keyrequest.

Selecting a Web Server for Reporting Tools


The CPM reporting tools, CPM Reporter and Explorer for CPM, require a
Web Server installation at the machine where you install these components.
The Web Server must be either IIS or Apache.
The installer checks your system for a supported Web server (Apache Web
Server or IIS) for the CPM reporting tools and takes one of the following actions:
◆ If both supported Web servers are detected, a dialog box appears asking
you to choose one server for CPM Reporting components.


Web Server Selection Screen

◆ If one of the supported servers is detected, the installer continues. No
notification appears.
◆ If neither supported Web server is detected, the installer gives you the
option of installing the Apache Web Server or continuing the installation
without installing Reporting components.


Web Server Installation Options

Your Web server installation options are:


◆ Do not install CPM Reporter/Explorer at this time. If you make this
selection, other components install normally. You will not be able to
access either Web-based reporting tool on the machine where you are
running the installer. Your options are:
■ Install a Web Server later, and then install only CPM Reporter/
Explorer for CPM at the machine where you are working.
■ Install CPM Reporter/Explorer for CPM on another machine where a
Web Server is already installed.
■ Decide not to install CPM Reporter/Explorer for CPM.

NOTE
If you do not install CPM Reporter/Explorer for CPM, you
will not be able to view or schedule reports.

◆ Install Apache Web Server now. If you select the Apache Web Server
installation option, the Websense installer starts the Apache installer and
exits without installing any CPM components. You must restart your
computer after installing the Apache Web Server and run the Websense
installer again to install CPM.

NOTE
Apache Web Server documentation is installed in HTML
format in the docs/manual/ directory. The latest version
can be found at: http://httpd.apache.org/docs-2.0/

◆ Cancel Setup. The Websense Enterprise Setup closes. No CPM
components are installed.

Selecting the IIS Virtual Directory Location


If you are installing CPM Reporter and Explorer for CPM, and are using IIS
as your Web server, you are prompted for the name of the Web site in the IIS
Manager under which the installer should create a virtual directory. The
default value is Default Web Site, which is correct in most instances. The
installer also detects any other valid Web sites that are available to your network.
You can select any other valid Web site to which you have access, if
appropriate.

Virtual Directory Selection Screen


If you have renamed the default Web site in the IIS Manager or are using a
language version of Windows other than English, select the proper Web site
from the names in the drop-down list, and then click Next to continue.

Identifying the Policy Server


You will be asked to identify the Policy Server at this time under the
following circumstances:
◆ If you are installing CPM on multiple machines, and you did not install
Policy Server on the machine where you are currently working.
◆ If you are installing CPM in a shared environment, where shared
components are installed with the Websense Enterprise Web filtering
module.

Policy Server Connection Information

When the Policy Server dialog box opens:


1. Enter the IP address or the machine name of the machine on which Policy
Server is installed.
2. Enter the port number that CPM Server will use to access Policy Server.
By default, the port number is 53635.


In most installations, you will next be asked to identify the Microsoft SQL
database that you will use to store CPM data.

Identifying the Database


If you are installing CPM Server on the machine, you must identify the SQL
database. You must have administrator access to the database, and be prepared
to enter the user name and password.
Although the CPM database initializes when you install the first CPM
component, you still must identify the server and how the database directory
is managed. The machine you select must be running Microsoft SQL Server 7
or Microsoft SQL Server 2000.
The SQL database stores the following data:
◆ Application and port information via the Websense Enterprise Master
Database.
If you edit host files and/or routing tables that restrict the URLs a
Websense server can access, make sure you permit the following:
■ download.websense.com
■ ddsdom.websense.com
■ ddsint.websense.com
■ portal.websense.com
■ www.my.websense.com
You must permit these URLs to access Websense Enterprise Master
Database downloads and your Websense subscription data.
◆ Application launch and port access attempts via the CPM Log Database.
◆ Hardware and software inventory data via the CPM Inventory Database.
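
A pre-install check for the hosts-file half of the requirement above, as an added example (not part of the Websense guide or product). It parses hosts-file text and reports any of the five listed hostnames that are overridden there; the function names, the status labels and the sample file are assumptions made for illustration, and routing tables are not covered.

```python
"""Added example: flag hosts-file entries that override the hostnames the
guide says a Websense server must be able to reach."""
import ipaddress
import os

# Hostnames listed in the guide for Master Database downloads and
# subscription data.
REQUIRED_HOSTS = (
    "download.websense.com",
    "ddsdom.websense.com",
    "ddsint.websense.com",
    "portal.websense.com",
    "www.my.websense.com",
)

# Usual hosts-file location on NT-family Windows. Assumption: falls back to
# C:\WINDOWS when the SystemRoot variable is not set.
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                          "system32", "drivers", "etc", "hosts")

# Constructed sample input, not taken from a real machine.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
0.0.0.0      ads.example.test Download.Websense.com  # blanket block list entry
192.0.2.10   portal.websense.com
::1          ddsint.websense.com
"""


def parse_hosts(text):
    """Yield (line_number, address, [names]) for every mapping line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip comments
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank or malformed line
        # Hostnames are case-insensitive; a trailing dot is the same name.
        yield lineno, fields[0], [n.lower().rstrip(".") for n in fields[1:]]


def is_sinkhole(address):
    """True for loopback or unspecified addresses (127.0.0.1, ::1, 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False                              # not an IP literal
    return ip.is_loopback or ip.is_unspecified


def check_hosts(text, required=REQUIRED_HOSTS):
    """Return findings for required hostnames that the hosts file overrides.

    status 'blocked': mapped to a loopback/unspecified address, so downloads
                      and subscription checks cannot reach the vendor.
    status 'pinned':  mapped to a fixed address that bypasses DNS; review it,
                      because it goes stale if the real address changes.
    """
    wanted = {h.lower() for h in required}
    findings = []
    for lineno, address, names in parse_hosts(text):
        for name in names:
            if name in wanted:
                status = "blocked" if is_sinkhole(address) else "pinned"
                findings.append({"host": name, "line": lineno,
                                 "address": address, "status": status})
    return findings


if __name__ == "__main__":
    # Use the real hosts file when it exists, otherwise the constructed sample.
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for f in check_hosts(content):
        print("line %(line)d: %(host)s -> %(address)s (%(status)s)" % f)
```

An empty result means the hosts file does not interfere with these names; it says nothing about firewalls or routing between the server and the Internet.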

NOTE
The Microsoft SQL database must be installed and
accessible before you install CPM. If Setup cannot access
the database, the CPM installation will fail.

Depending on your installation, the database configuration sequence may or
may not appear. If you are distributing components between several
machines, the dialog box appears only when you select CPM Server for
installation.


Database Access
Setup displays a dialog box asking you how you want to access the database.
Your options are:
◆ Windows Trusted connection
◆ SQL database account

Database Access Mode Selection

Your options for accessing the database are:


◆ Windows trusted connection: When you use Windows Authentication
mode, CPM software accesses the SQL database using the Windows login
account you specify. The installation program grants certain privileges to
the user you specify for the CPM database. You can, if you want, create a
new user specifically for CPM Database access.
In this mode, CPM Server, CPM Reporter services and scripts, and
Explorer for CPM run under the specified domain account and use
Windows authentication to access the SQL Database.


Windows Trusted Connection Logon Specifics

To configure a Windows trusted connection:


1. Enter the domain and user name, separated by backslash, for
example, Domain\User Name.
If you are using a named instance of Microsoft SQL Server, you can
enter the engine name, using the following format:
Hostname\Instance Name
2. Enter the current password. If you do not use a password, leave the
field blank.
3. Click Next.

NOTE
The installation process checks your entries and may take a
short time to resolve details. If any information in the
Windows Trusted Connection dialog box is entered
incorrectly, a message appears informing you that
Websense was unable to validate your information. If this
occurs, click Back and then enter the correct data.


◆ SQL database account: If you select SQL database account, Setup
displays a screen asking you to verify that an SQL database engine is
available in your network. A properly configured database must be
running and available in your network before you can install CPM. If no
SQL database exists, you can exit Setup and start the installer again when
the database has been installed and configured. Click Next to continue.

NOTE
Websense, Inc. recommends using SQL authentication if
you choose Apache as your Web server for CPM Reporter.
If you choose the Windows trusted connection, you may
encounter difficulties.

Database Access Mode Selection

If you chose A database engine already exists, the Database Information
dialog box opens.


Database Location

1. Enter the IP address or machine name that identifies where the SQL
database engine is installed, and then click Next to continue.
Setup displays the Database Access Account dialog box.


Database Access Account

2. Enter the logon name for the database account.


3. Enter the current password. If you do not use a password, leave the field
blank.
4. Click Next.

NOTE
The installation process checks your entries and may take a
short time to resolve details. If any information in the
Database Access Account dialog box is entered
incorrectly, a message appears informing you that
Websense was unable to validate your information. If this
occurs, click Back and then enter the correct data.

If you are installing the CPM Deployment Service on the same machine, you
will next identify administrator account access.


Identifying Domain Access for CPM Deployment Service


If you are installing CPM Deployment Service, you must supply logon
information that provides administrator-level access to the domain. If you do
not have this information, you will be unable to deploy Client Agent via
Websense Enterprise Manager or logon scripts.

CPM Deployment Service Logon Information

When the Deployment Requirements dialog box opens, you must:


1. Enter the domain and user name, separated by a backslash, for example,
Domain\User Name. Your entry must identify a domain and user name
that has administrator-level access to the domain where you are planning
to install Client Agent on workstations.
2. Enter the current password for the administrator account.
3. Click Next.
You are now ready to identify any foreign languages for operating systems at
client machines.


Selecting Workstation Languages


If you are installing CPM Deployment Service, you need to identify the
languages of the workstation operating systems where you will deploy Client
Agent. This function allows CPM Server to communicate with Client Agent,
even though the language at the CPM Server and the language at the client
machine are different.
Windows Management Instrumentation (WMI) allows CPM Server to
exchange data and control options with Client Agent. If you do not specify all
the languages in your network, you will not be able to use CPM on
workstations where the operating system language is not supported.
In addition to English, Client Agent can collect information from operating
systems in the following languages:

• Chinese (Simplified)
• Chinese (Traditional)
• French
• German
• Italian
• Japanese
• Korean
• Portuguese (Brazilian)
• Spanish

The information collected using WMI appears in the Websense Enterprise
Manager Hardware Inventory View, and in all hardware reports available
from CPM Reporter.


Workstation Language Selection

To select languages for your workstations:


1. Check each language associated with operating systems in your network.
These are the languages on workstations where you plan to deploy Client
Agent.
2. Click Next.
If you are installing CPM Reporter/Explorer for CPM on the machine where
you are working, you must now configure the Web server.

Identifying the CPM Server Communication Port


CPM Server uses an identified port for communications to and from Client
Agent. The port information needs to be included in any Client Agent setup
and/or trigger programs you may use to install Client Agent.
You may encounter port conflicts when identifying the communication port.
CPM Server prefers to use port 80 for HTTP, non-SSL communications. This
port is often already in use, however, because the IIS Web server uses port 80
by default.


If you receive warnings about your port selection, you need to select another
port that does not have default assignments for CPM Server/Client Agent
communications. If you need to use a port that is not the default selection, you
may have to perform additional configuration of your internal network to
ensure connectivity.

CPM Server Communication Port

In the CPM Server Communication Port dialog box, change the default
value to another port which CPM Server will use for communications to and
from Client Server. The accepted port numbers range from 10 to 65535.
Next, you must identify a pass phrase that is used to generate an authentication
key for communications between CPM Server and Client Agent.
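
A pre-installation check for the port conflict described above, as an added example that is not part of the Websense guide or product: it validates a candidate port against the stated range, flags ports that already have a default assignment, and tests whether a listener already holds the port. The function names and the 443 and 1433 table entries are assumptions added for illustration.

```python
import errno
import socket

# Accepted range for the CPM Server communication port, as stated in the guide.
PORT_MIN, PORT_MAX = 10, 65535

# Ports that already have a default assignment. 80 and 55806 come from the
# guide; 443 and 1433 are well-known defaults added here for illustration.
DEFAULT_ASSIGNMENTS = {
    80: "HTTP (IIS listens here by default)",
    443: "HTTPS",
    1433: "Microsoft SQL Server",
    55806: "Policy Server configuration port default",
}


def probe_listener(port, host="0.0.0.0"):
    """Return True if the port is taken, False if free, None if undetermined.

    The probe tries to bind the port the way a server would. Bind semantics
    differ between operating systems, so confirm the result on the
    installation machine with `netstat -an`.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            if exc.errno in (errno.EACCES, errno.EPERM):
                return None  # not allowed to bind, so the test is inconclusive
            raise
    return False


def check_cpm_port(port, host="0.0.0.0"):
    """Classify a candidate port as invalid, conflict, warning or ok."""
    if (isinstance(port, bool) or not isinstance(port, int)
            or not PORT_MIN <= port <= PORT_MAX):
        reason = f"{port!r} is not an integer in {PORT_MIN}-{PORT_MAX}"
        return {"port": port, "status": "invalid", "reasons": [reason]}

    status, reasons = "ok", []
    if port in DEFAULT_ASSIGNMENTS:
        status = "warning"
        reasons.append(f"default assignment: {DEFAULT_ASSIGNMENTS[port]}")

    in_use = probe_listener(port, host)
    if in_use is True:
        status = "conflict"
        reasons.append("another process is already bound to this port")
    elif in_use is None:
        if status == "ok":
            status = "warning"
        reasons.append("bind test not permitted; check with netstat -an")

    return {"port": port, "status": status, "reasons": reasons}


if __name__ == "__main__":
    # Constructed candidates: the preferred port, two alternatives, and one
    # value below the accepted range.
    for candidate in (80, 8080, 47001, 5):
        print(check_cpm_port(candidate))
```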


Identifying an Encryption Pass Phrase


If you are installing CPM Deployment Service, you need to identify an
encryption pass phrase. Processes in CPM combine your pass phrase with
unpublished keys to create an authentication key, which is used to verify
communications between CPM Server and Client Agent.

Encryption Pass Phrase Definition

To define an Encryption pass phrase:


1. Enter a pass phrase of any length, using any combination of keyboard
characters.
2. Reenter the same pass phrase in the Confirm Pass phrase field.
3. Click Next.


You are now ready to identify the directory where you want to install
Websense files.

NOTE
If you forget your pass phrase, you can check the
CAMServer.ini file to find the encrypted key. By
default, the file is at C:\Program Files\Websense\bin.
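
How a shared pass phrase can yield a key that authenticates messages between a server and an agent, as an added example and not Websense's implementation: the guide states only that CPM combines the pass phrase with unpublished keys, so PBKDF2 and HMAC-SHA-256 are stand-ins chosen here. PRODUCT_SECRET, the pass phrases, the message and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the product's unpublished key material (assumption).
PRODUCT_SECRET = b"constructed-demo-value-not-a-real-key"
ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example


def derive_auth_key(pass_phrase, product_secret=PRODUCT_SECRET):
    """Combine the pass phrase with the product secret into a 32-byte key."""
    return hashlib.pbkdf2_hmac(
        "sha256", pass_phrase.encode("utf-8"), product_secret, ITERATIONS
    )


def sign(key, message):
    """Compute the authentication tag the sender attaches to a message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, tag):
    """Check a received tag in constant time."""
    return hmac.compare_digest(sign(key, message), tag)


def demo():
    """Run the exchange with a matching, a mistyped and a tampered case."""
    # Server side: key derived from the pass phrase entered during Setup.
    server_key = derive_auth_key("correct horse battery staple")
    message = b"policy-update seq=42"  # constructed message
    tag = sign(server_key, message)

    # Agent side: one agent holds the same pass phrase, one a mistyped copy
    # (pass phrases are compared byte for byte, so case matters).
    agent_key = derive_auth_key("correct horse battery staple")
    mistyped_key = derive_auth_key("Correct horse battery staple")

    return {
        "matching_pass_phrase": verify(agent_key, message, tag),
        "mistyped_pass_phrase": verify(mistyped_key, message, tag),
        "tampered_message": verify(agent_key, b"policy-update seq=43", tag),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```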

Identifying the Websense File Location


You are now ready to select where you want Websense files located. By
default, the Websense Enterprise Setup places CPM files at C:\Program
Files\Websense.
Generally, Websense, Inc. recommends allowing the installation to occur at
this location. However, you can install the files wherever it is convenient.

Installation Path

When the directory location dialog box opens:


1. Enter the full path that identifies where you want the CPM files to be
installed.


Click Browse if you want to use Windows Explorer to search for and then
select the directory where you want to install CPM files.
2. Click Next.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory for optimal performance,
separate warnings are displayed.
- If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
- If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended minimum.

Reviewing Installation Details


The Installation Summary dialog box identifies the components that are
being installed, and appears for all installations. The following information is
contained in this dialog box:
• Path and folder where files will be installed
• Disk space that is required for installation
• Components that will be installed


Installation Summary

When the Installation Summary dialog box opens:


1. Study the details to verify that the selections are accurate and appropriate.
2. Determine if you want to proceed or not:
- If there are any discrepancies of note, click Back and change your
entries.
- If the information is accurate, click Next to continue.
If you are using Apache as your Web server, you will next be asked
whether or not you want to stop and restart the service.
If you are installing CPM reporting tools on the same machine, you next
identify access for Explorer for CPM.


Identifying Access for Explorer for CPM when Using Apache


If you are installing CPM reporting tools, and are using Apache as your Web
server, you must identify access for Explorer for CPM. Explorer for CPM
supports two different access levels:
• Human Resources: This access level generates reports that show all
details including user and machine names. This access level should be
provided only to staff members who are in trusted positions, and are
capable of maintaining confidentiality. Examples include Human
Resources and Management.
• Restricted Users: This access level generates reports that replace user
and machine names with numeric data that cannot be specifically
associated with a user or machine. This access level is appropriate for
threat analysis and employee behavior mapping. Examples of
departments that may be assigned to this access level include Information
Technologies and security consultants.
More than one person may assume each role, and the user name and password
for a role applies to that role, not a specific user. Explorer for CPM does not
support individual passwords for specific employees.

NOTE
If you are installing CPM Reporter and Explorer for CPM,
and using IIS as the Web server, you still need to configure
user access. The process is completed after you have
installed CPM. For details, read Setting User Access for
Microsoft IIS, page 141.

Identifying HR User Access


The HR User access level generates reports that show all details including
user and machine names. This access level should be provided only to staff
members who are in trusted positions and are capable of maintaining
confidentiality. Examples include Human Resources and Management.


HR User Identification

To define HR User logon information:


1. Enter a user name (case sensitive) in the HR User field.
2. Enter a password in the Password field.
3. Enter the password again in the Confirm Password field.
4. Click Next.

NOTE
If you do not want to enable the HR User access level,
leave all fields blank and then click Next.

Once you have identified the HR User role, you should distribute the
following to users who are being given this access level:
• IP address and instance name for Explorer for CPM
• User name
• Password
Any number of staff members can be given this access.
You are now ready to identify the Restricted User access level.


Identifying Restricted Access


The Restricted Users access level generates reports that replace user and
machine names with numeric data that cannot be specifically associated with
a user or machine. This access level is appropriate for threat analysis and
employee behavior mapping. Examples of departments that may be assigned
to this access level include Information Technologies and security
consultants.

Restricted User Logon Information

When the Restricted Users dialog box opens:


1. Enter a user name in the Restricted Users field.
2. Enter a password in the Password field.
3. Enter the password again in the Confirm Password field.
4. Click Next.

NOTE
If you do not want to enable the Restricted User access
level, leave all fields blank and then click Next.


Once you have identified the Restricted User role, you should distribute the
following to users who are being given this access level:
• The IP address and instance name for Explorer for CPM
• The user name
• The password
Any number of staff members can be given this access.

Restarting Apache
If you are using Apache as your Web server, and are installing CPM Reporter
and Explorer for CPM, you will receive a message about restarting Apache.
You can restart Apache during the installation process, or restart it later. Your
selection does not impact the installation process itself.
If you get the Restart Apache Web Server dialog box:
1. Decide how you want to proceed:
- Select Yes, stop and restart the Apache Web Server if you want
this activity to occur now.
If you choose this option, there will be a brief pause after you click
Next, during which time Apache is stopped and then restarted.
- Select No, I will manually restart later if you do not want to take
the time to restart the Apache Web Server at this time.
2. Click Next.
You are nearly done with your CPM installation.

Completing CPM Installation


Once all entries are complete, the Websense Download Manager downloads
and installs the components you selected. The Download Manager includes
progress bars that track the progression of the total installation and each
individual component.


When Websense Enterprise Setup has completed your installation, a success
message is displayed. The information includes the server IP address,
communications port, and the machine name or IP address of the database
server.
Complete the installation as follows:
1. Write down the information provided for future reference.
2. Click Next to continue.
If you have installed the Websense Enterprise Manager on this machine,
Setup asks you if you want to start the Manager. By default, the Manager
is selected for launch.
3. Make a selection, and then click Finish to close the installation wizard
and begin running CPM.

Websense Application Launcher

In most installations, you are now ready to perform the initial configuration
required to activate CPM. However, if you are installing on Windows XP
Service Pack 2, you must change certain settings in the operating system
before CPM can work.


Completing Setup for Windows XP, Service Pack 2


If you are installing components on machines running the Windows XP,
Service Pack 2 operating system, you need to change two settings within the
operating system for CPM to work:
• Enable File and Printer Sharing
• Add WDC.exe as an exception for Windows Firewall

Enabling File and Printer Sharing


Installing Windows XP with Service Pack 2 may disable File and Printer
Sharing services. If this occurs, CPM is unable to deploy clients via the CPM
Deployment Service.
Have your system administrator enable File and Printer Sharing services:
1. Select the Advanced tab of the properties of a connection and click
Settings to launch the new Windows Firewall control panel.
2. Select the Exceptions tab.
3. Check the File and Printer Sharing box to enable file and printer sharing
services, and then click OK.
XP Firewall settings will no longer block Client Agent, and you can now
deploy clients via the CPM Deployment Service.
4. Repeat this procedure to turn on File and Printer Sharing services for each
client machine.

Adding WDC.exe as an Exception


If you do not configure WDC.exe as an exception in the Windows Firewall
on machines running Windows XP, Service Pack 2, you will encounter
problems opening connections to WDC.exe. If the file is unable to open
connections, the Emergency Outbreak, peer-to-peer distribution may fail.
You can configure Windows Firewall manually on an individual machine or
configure Windows Firewall settings using Group Policy.
To configure the Windows Firewall locally on an individual machine:
1. Launch the Security Center: Start > Programs > Accessories > System
Tools > Security Center.
2. When the Security Center opens, click Windows Firewall.


3. Click the Exceptions tab, if necessary, and then click Add Program.
4. Browse to the location of WDC.exe and select it. By default, the location
is C:\Program Files\Websense\WDC\WDC.exe.
To configure the Windows Firewall using Group Policy, see Deploying
Windows Firewall Settings for Microsoft Windows XP with Service Pack 2,
available at
http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&displaylang=en.

Configuring Initial Settings


To complete your installation, you must configure basic settings in Websense
Enterprise Manager before you deploy or install Client Agent, and before the
CPM policy will be usable.
If you deploy or install Client Agent before performing the required initial
configuration, Websense Enterprise Manager may not be able to recognize the
client machines. If this occurs, you may be forced to uninstall and then
reinstall Client Agent on all client machines.
To perform the initial configuration:
1. Select Start > Programs > Websense Enterprise Manager to open the
Websense Enterprise Manager.
2. Click the Desktop tab to begin working with CPM functions.
3. Add a Policy Server, as described in Adding a Policy Server, page 93.
4. Connect to the Policy Server, as described in Connecting to a Policy
Server, page 95.
5. Select Server > Settings > Subscription, and then enter your
subscription key to register the CPM software.
This process automatically triggers a Websense Enterprise Master
Database download, which must be available before you can install Client
Agent.
6. Select Server > Download Database to check your database download
status:
The entry in the Last download result field should be Success. If the
entry is not Success, you can manually request a download:

- Click Start Download to begin downloading the Websense
Enterprise Master Database manually.
7. You may continue working in Websense Enterprise Manager or close the
manager and deploy or install Client Agent.
- To continue configuring CPM, read the Websense Enterprise Client
Policy Manager Administrator’s Guide.
- To deploy Client Agent via Websense Enterprise Manager, read
Chapter 5 Deploying Client Agent via Websense Enterprise Manager.
- To deploy Client Agent via scripts, read Chapter 6 Deploying Client
Agent via Scripts.

Upgrading or Repairing CPM Components


If you are upgrading or repairing CPM, you may use the Websense Enterprise
Setup files. After you pass the opening dialog boxes for repairing or
upgrading components, your options parallel a “normal” installation.
You may install components that were not previously installed, or remove
components already on the machine using the Websense Enterprise Setup. If
you choose to repair already installed components, the repair process actually
removes the older version and installs the newer. During this process, various
services may be shut down and then restarted as needed.
Repairing or upgrading components does not affect your configuration
settings. This means that your configuration data and previous entries remain
intact. When you upgrade or repair components, Websense Enterprise Setup
uses these existing values.

Upgrades and Rules


If you are upgrading to CPM from Client Management v5.1 or earlier,
network access functions cause the following changes to your existing rules
and list of rules:
• The Harmful Software rule appears immediately above the Global rule,
and below all other rules. You can move it to a higher position in the list if
you want to use the function.
• Network access selections are added to your rule, and are set to permit all
ports by default. This retains the functionality of your current policy,
while expanding the potential control you can define. You can change the
network access selections as appropriate.

• If logging is disabled in your existing rule, logging remains disabled
when you upgrade.
• If logging is enabled in your existing rule, the logging selection changes
to Launch. You can log both launch and network access activity by
setting logging to Launch and Network.
If you are upgrading from Client Policy Manager v5.2 or any earlier versions,
the upgrade adds the Mass Mailing rule to your list of rules. The rule is always
disabled and must be enabled manually.

Upgrading or Repairing CPM

WARNING
If you have installed CPM on multiple machines, you must
upgrade shared Websense Enterprise components before
you upgrade CPM components. The shared components
are Websense Enterprise Manager, Policy Server, and User
Service. If you do not upgrade the shared components first,
CPM will not work.

To upgrade or repair a CPM installation:


1. Close all open applications.
2. Go to the machine where you want to upgrade or repair CPM
components.
3. Insert the installation CD in the CD-ROM drive or download the zipped
file from http://www.websense.com.
If you originally saved the files locally, you can also access the Websense
Enterprise Setup from the directory where you stored it. Move to Step 5.
4. Decide if you want to open the Websense Enterprise Setup immediately
or if you want to save it. If you save it, you will be prompted to open the
file after a brief pause.
5. Run Setup.exe. The Websense Enterprise Setup opens.
6. Review the Welcome message, and then click Next.
- When the Add/Remove/Repair dialog box opens, select Repair
existing Websense Enterprise components, and then click Next.
The Repair dialog box opens.


7. The Repair dialog box states that existing components will be reinstalled
and asks if you want to proceed.
- If you want to continue, select Yes, and then click Next.
- If you do not want to continue, select No, and then click Next.
The Stopping Services dialog box opens.
8. The Stopping Services dialog box shows the services that are currently
running, and states that the services will be stopped if you continue.
- Click Next to continue.
Messages appear briefly as the various services stop. When all services
are stopped, the next appropriate dialog box, based on your existing
installation, opens.
9. Follow onscreen prompts, complete any needed entries, and click Next to
move to the next appropriate screen. If you need assistance with a
particular dialog box, check the subheadings in Using Websense Enterprise
Setup, page 49, to locate its documentation.
10. At the final dialog box, click Finish.

Removing CPM
You may need to remove CPM files if you are upgrading your existing
version, if you are changing the machine where components are installed, or if
you are not renewing your CPM subscription. You can use the Websense
Enterprise Setup or the Add/Remove Programs functions in the Windows
Control panel to remove all components. If you want to remove only some
components, you must use the Websense Enterprise Setup.

Uninstalling CPM from One Machine


To remove CPM when installed on one machine:
1. Go to the machine where CPM is installed.
2. Insert the installation CD in the CD-ROM drive or download the zipped
file from http://ww2.websense.com/global/en/Downloads/. If you
originally saved the files locally, you can also access the Websense
Enterprise Setup from the directory where you stored it.
3. Run Setup.exe to access the Websense Enterprise Setup.


4. When the Welcome message appears, click Next.


5. When the Component Selection dialog box opens, uncheck any
component you do not want to remove, and then click Next.
The uninstall process begins removing the selected components. If you
select shared Websense Enterprise components (Websense Enterprise
Manager, Policy Server, and User Service) and CPM components (CPM
Server, CPM Deployment Service, and CPM Reporter/Explorer for
CPM), the uninstall process first removes the CPM components, and then
the shared Websense components.
6. When the Finished dialog box appears, noting that the uninstall has been
successful, click Finish.
7. Restart your machine to remove all remaining Websense shared files and
registry entries.

Uninstalling CPM from Multiple Machines


To remove CPM when installed on multiple machines:
1. Go to a machine where any CPM components are installed that you want
to remove. These include CPM Server, CPM Deployment Service, and
CPM Reporter/Explorer for CPM.
2. Insert the installation CD in the CD-ROM drive or download the zipped
file from http://www.websense.com. If you originally saved the files
locally, you can also access the Websense Enterprise Setup from the
directory where you stored it.
3. Run Setup.exe to access the Websense Enterprise Setup.
4. When the Welcome message appears, click Next.
5. When the Component Selection dialog box opens, uncheck any CPM-
specific component you do not want to remove, and then click Next.
The uninstall process begins removing the selected components.
6. When the Finished dialog box appears, noting that the uninstall has been
successful, click Finish.
7. Restart your machine to remove all remaining Websense shared files and
registry entries at this machine.

8. If you have distributed CPM-specific components to more than one
machine, go to these other machines, and then repeat Steps 2-7.

NOTE
If you share components with the Websense Enterprise
Web filtering module, and want to continue using that
module, the CPM uninstall process is now complete.

9. Go to the machine where you installed shared Websense Enterprise
components (Websense Enterprise Manager, Policy Server, and User
Service).
10. Insert the installation CD in the CD-ROM drive or download the zipped
file from http://www.websense.com/downloads/. If you originally saved
the files locally, you can also access the Websense Enterprise Setup from
the directory where you stored it.
11. Run Setup.exe to access Websense Enterprise Setup.
12. When the Welcome message appears, click Next.
13. When the Component Selection dialog box opens, uncheck any shared
Websense Enterprise component you do not want to remove, and then
click Next.
14. When the Finish screen appears, click Finish.
15. Restart this machine to finalize your uninstall.

CHAPTER 4
Preparing CPM for Use
Before you can deploy Client Agent, you must subscribe to CPM and
successfully download the Websense Enterprise Master Database. The steps
required are:
1. Add Policy Server. For specifics, read Adding a Policy Server, page 93.
2. Download the Websense Enterprise Master Database. This normally
occurs as part of the subscription process.
3. Deploy and/or install Client Agent. For details, read Deploying Client
Agent via Websense Enterprise Manager, page 99.

Working with Policy Server


The Websense Enterprise Manager Server menu allows you to work with
Policy Servers in your network. These options are also available by clicking
the right mouse button in the navigation tree.
Topics are:
• Adding a Policy Server, page 93
• Connecting to a Policy Server, page 95
• Disconnecting from a Policy Server, page 96
• Deleting a Policy Server, page 96

Adding a Policy Server


You cannot configure Client Policy Manager until you add a Policy Server via
Websense Enterprise Manager. You must perform this operation for each
Policy Server if you have not done so previously.
To add Policy Server, you must know the IP address or host name of the
Policy Server machine. This machine may or may not be the same machine on
which Websense Enterprise Manager is installed. You must add at least one
Policy Server when you first set up the Client Policy Manager system. When
you add a server, you must create a password for secure access.


To add a Policy Server:


1. Select Start > Websense > Websense Enterprise Manager to open
Websense Enterprise Manager.
2. In Websense Enterprise Manager, click the Desktop tab.
3. Right-click in the Websense Enterprise Manager navigation tree, and then
select Add Server. You can also select Server > Add server from the
menu. The Add Server dialog box appears.

4. Enter the IP address or host name of the Policy Server machine in the
Server field.
5. Enter the port number for sending configuration information to Policy
Server. The default is 55806. The actual entry should be the configuration
port you identified during installation.
6. Click OK. An icon and the IP address or host name appears in the
navigation tree.
7. Double-click the entry for the Policy Server in the navigation tree to
configure or enter the password.
- If this is the first time you are accessing a Policy Server, the Set
Websense Password dialog box opens for password configuration.

a. Enter the password in the Password field, and then press the Tab
key on the keyboard.
b. Reenter the password in the Confirm Password field.
c. Click OK to save the password and access the Policy Server.

- If the Policy Server already has an assigned password, the Password
dialog box opens for password entry.
  • Enter the password, and then click OK.
The Summary Data pane opens. If this is a new installation, you must enter the
subscription data now. For information, read Subscribing to Websense, page 96.
Related topics include:
• Connecting to a Policy Server, page 95
• Disconnecting from a Policy Server, page 96
• Deleting a Policy Server, page 96

Connecting to a Policy Server


To work with Client Policy Manager, you need to connect to a Policy Server.
Specific behaviors of which you should be aware are:
• During future sessions, the password you enter the first time is required to
connect to the Policy Server.
• If you have already connected to the Policy Server during the current
session in Websense Enterprise Manager, a Connecting message appears
while the Manager connects to the Policy Server. The password is not
necessary.
• If you are in a session and already connected to a Policy Server, you can
connect to any other server as needed.
The Policy Server stores CPM policy details and user access information. To
connect to the Policy Server:
1. Choose the Policy Server you need from the Current Server list, and
then select Server > Connect to Server from the menu.
You can also right-click or double-click the Policy Server name, and then
select Connect to Server from the shortcut menu.
2. Enter the password, and then click OK.
Related topics include:
• Adding a Policy Server, page 93
• Disconnecting from a Policy Server, page 96
• Deleting a Policy Server, page 96


Disconnecting from a Policy Server


You can disconnect from a Policy Server at any time. Once you disconnect,
you cannot configure that server until you reconnect to it again. If you exit
from Websense Enterprise Manager, the process automatically disconnects all
identified Policy Servers. If you log back onto the system, you need to
connect to the Policy Server or servers again.
• Choose the Policy Server you need from the Current Server list, and
then select Server > Disconnect from Server. You can also right-click
the Policy Server in the Current Server list and then select Disconnect
from Server.
Websense Enterprise Manager severs the current connection.
Related topics include:
• Adding a Policy Server, page 93
• Connecting to a Policy Server, page 95
• Deleting a Policy Server, page 96

Deleting a Policy Server


You can delete a Policy Server when necessary. For example, if the CPM
Server is being moved to a new machine, delete the entry for the machine
that is no longer used.
1. If necessary, disconnect from the Policy Server. Read Disconnecting from
a Policy Server, page 96.
2. Select the Policy Server you want to remove, and then click Delete. You
can also right-click the Policy Server and then select Delete. Websense
Enterprise Manager displays a warning message.
3. Click Yes to delete the Policy Server from the Current Server list.

Subscribing to Websense
You initially enter subscription data when you first install Websense
Enterprise CPM. Later, however, you may need to update the subscription
information to add licenses or when you extend your subscription.
Additionally, the Subscription pane provides a link to your saved
subscription data, the current number of licenses you have, and your current
expiration date.


You must have an active internet link to connect to Websense and complete
the subscription process:
1. Click Server > Settings on the Websense Enterprise Manager menu to
open the Settings pane. You can also right-click anywhere in the
navigation tree, and then select Settings from the shortcut menu.
2. Select Subscription from the Settings Selection list to access
Subscription settings.

Subscription Pane

3. Type your 16- or 18-character key in the Subscription Key text box. Your
entry must match exactly the subscription key that Websense, Inc. provides.
4. Click Subscription Info to open a browser and link to the Websense
Registration page. Follow on-screen instructions to complete the
registration process.
5. Click Update Registration Info to save your entries and close the
registration form.
6. Close the browser.
7. Click OK to save the changes you made since you opened the Settings
pane.


The subscription process starts an automatic download of the Websense
Enterprise Master Database. Once the database downloads, the following
information appears in the Information panel on the Subscription pane:
‹ The number of subscribed users
‹ The expiration date of your subscription
If you originally subscribe to one Websense module, and then later add a
second module, you do not need to resubscribe to the new module. When you
contact Websense and purchase another subscription, automatic processes
update the subscription key when you receive a download of the Websense
Enterprise Master Database. The changes in the subscription then take effect,
and register the new subscription details with CPM Server.

CHAPTER 5
Deploying Client Agent via Websense Enterprise Manager
There are four ways to deploy, install, or uninstall Client Agent. Each method
has advantages and disadvantages, often dependent on the knowledge level of
the administrator. The four installation options are:
‹ In Websense Enterprise Manager, select the Deployment Status pane.
This allows administrators to deploy Client Agent to networked
machines. For details, read Managing Client Options, page 106. This is
the easiest way to deploy Client Agent and to track deployment progress.
‹ Use scripts to deploy Client Agent. For information, read Chapter 6:
Deploying Client Agent via Scripts, page 113. This is the most robust
way to deploy Client Agent, but requires some understanding of script
development.
‹ Manually install a single copy of Client Agent at a local machine using
the Client folder. This installation method is relatively easy, but is
generally of use in a small organization or test environment. For details,
read Chapter 6: Deploying Client Agent via Scripts, page 113.
‹ Use third-party applications to deploy Client Agent. Read the third-party
documentation for information. This is useful for organizations that often
deploy software using third-party tools. Generally, this option is useful
only if you have experience using such tools.
Potentially, an organization may use a combination of methods to manage
Client Agent deployment. For example, John is an experienced system
administrator. He uses the Deployment Status pane in Websense Enterprise
Manager to manage the initial agent deployment, but wants to automate
potential upgrades or new installations using scripts. By leveraging these two
options, John can rapidly set up his Websense system from Websense
Enterprise Manager, and then later take the time to create scripts that automate
the update process.


The next table provides a quick reference of the advantages and disadvantages
of the available deployment options.

Considerations for use > Deployment Service, Automated updates, Deployment Status, Mass Deployments, Single Deployment, Scripting Required
Deployment Method v
CPM Deployment Service with Websense Enterprise Manager: X X X X
Manual deployment using Websense Setup files: X
CPM Deployment Service with custom or third-party login scripts: X X X X X
Custom or third-party login scripts
Third-party deployment software: X X X X

If you use scripts or third-party deployment software, requirements are
dependent on the method you select.
In the above table:
‹ Mass deployment indicates that numerous machines may be included in
the deployment process.
‹ Single deployment indicates that one machine at a time may be impacted
by the deployment process.
‹ Deployment Service indicates that CPM Deployment Service is required.
For third-party options, this requirement is script- or application-dependent.
‹ Scripting Required indicates that advanced scripting knowledge is
recommended. If you do not have scripting experience, Websense, Inc.
recommends calling someone who does or using some other deployment
option. For third-party options, this requirement is application-dependent.
‹ Automated updates indicates that processes can be set to check version
data and update the agent.


‹ Deployment Status indicates that tracking of the deployment process is
available in the Websense Enterprise Manager Deployment Status pane.
The status shows active processes and/or anticipated schedules. For
details, read Accessing the Deployment Status Pane, page 104.

Client Agent Requirements


You must install Client Agent on machines you want to inventory and/or
control. The agent is responsible for processing inventory at the machine
where it is installed, for applying CPM policies, and for all communications
with CPM Server.

WARNING
Do not install Client Agent on:
‹ Machines running Windows 2000, Service Pack 2 or
lower.
‹ The machine or machines where you installed CPM
Server or CPM Reporter/Explorer for CPM.

Client Agent is supported on the following operating systems:


‹ Microsoft Windows 2000 Professional with Service Pack 3 or Service Pack 4
‹ Microsoft Windows 2000 Server with Service Pack 3 or Service Pack 4
‹ Microsoft Windows 2000 Advanced Server with Service Pack 3 or
Service Pack 4
‹ Microsoft Windows NT 4.0 Workstation with Service Pack 6a
‹ Microsoft Windows NT 4.0 Server with Service Pack 6a
‹ Microsoft Windows XP Professional with Service Pack 1 or Service Pack 2
‹ Microsoft Windows Server 2003
Other minimum Client Agent requirements are:
‹ Processor: Pentium III 500 MHz
‹ Disk Space: 25 MB for installation; 15 MB to run the application
‹ Memory: 64 MB RAM, 128 MB pagefile
‹ File and Printer sharing must be enabled at the client machine to use the
CPM Deployment Service.


Windows 98 Compatibility
The v5.5.2 Client Agent does not support the Windows 98 operating system
on client workstations. However, pre-v5.5.2 Client Agents running on
Windows 98 workstations are backward compatible with the v5.5.2 CPM
Server and will retain their current functionality. New features in v5.5.2 are
not available to Windows 98 workstations.

VPN Support
The deployment of Client Agent is not supported over a VPN connection. You
can update policies, perform inventories, and apply lockdowns with the v5.5.2
Client Agent through the following VPN clients:
‹ Microsoft L2TP/IPSec VPN Client
‹ Cisco VPN Client v4.6
‹ Check Point VPN-1 SecureClient

NOTE
After installing Client Agent on a machine running Check
Point VPN-1, you must restart the machine before Client
Agent can function.

Deploying Clients: The Process


When you are ready to deploy clients, you can configure and monitor the
process from Websense Enterprise Manager, using the following process:
1. Access the Deployment Status pane. For details, read Accessing the
Deployment Status Pane, page 104.
2. Identify a machine or a group of machines to which you want to deploy
Client Agent. For details, read Deploying Client Agent, page 107.
3. Set the Deployment Status pane to the domain you want to monitor and
set the Current view field to Deployment status. For details, read Step 2
in Deploying Client Agent, page 107.
You can refresh data as often as you wish. CPM Server updates the list once
every 60 seconds. For details, read Refreshing Deployment Data, page 110.


Installing or Deploying Client Agent for Windows XP


Installing Windows XP with Service Pack 2 may disable File and Printer
Sharing services. This blocks CPM from deploying clients via CPM
Deployment Service (CDS).
Have your system administrator enable File and Printer Sharing services:
1. Go to the Advanced tab of the properties of a connection and click
Settings to launch the new Windows Firewall control panel.
2. Go to the Exceptions tab.
3. Check the File and Printer Sharing box to enable file and printer sharing
services, and then click OK.
The XP firewall settings will no longer impact CPM, and Client Agent
can be deployed via CPM Deployment Service.
Repeat this procedure to turn on File and Printer Sharing services for each
client machine.

Upgrading Client Agent v5.2 to v5.5


If you are upgrading Client Agent from v5.2 to v5.5, users at the machines
where Client Agent v5.5 has been installed need to restart those machines for
optimal functionality of the Client Agent. If users fail to restart their
machines, they may encounter situations where applications that use socket
connections may fail.
To address the need for restarting machines, the installation process for Client
Agent v5.5 recognizes when Client Agent v5.2 has been installed, and
prompts users to restart their machines. The user can restart his machine
immediately, or can wait until a later time.


Accessing the Deployment Status Pane

When you first open the Deployment Status pane, the list shows all
deployment-related details for machines. You can view information for all
domains or by a specific domain, and by deployment status. For example, you
can view all machines in the Finance domain where a deployment action is
pending, or machines in the Purchasing domain where Client Agent is not yet
installed.

IMPORTANT
If you need to uninstall and then reinstall Client Agent,
make sure Windows Service Control Manager (SCM) is
closed at the machine where activity is to occur. If SCM is
open during the uninstall process, you will not be able to
start Client Agent. For more information, refer to
Microsoft Knowledge Base Article #287516.

To access the Deployment Status pane:


1. In Websense Enterprise Manager, click the Desktop tab.
2. Select Deployment Status in the navigation pane to access the
Deployment Status pane.


Deployment Status Pane

3. Select a domain from the Domain drop-down list. The default setting is All.
4. Select the appropriate machine status from the Current View drop-down
list. Your choices are:
„ All. Shows all machines that Websense Enterprise Manager
recognizes.
„ Installed. Shows machines where Client Agent is installed.
„ Not Installed. Shows machines where Client Agent is not installed.
„ Deployment status. Shows the status of the deploy process at
machines affected by a deployment option.
„ Uninstall status. Shows the status of any uninstall processes at
machines that are affected by such processes.


The Deployment Status pane shows the machines whose status matches your
entry in the filter fields. Information is available only for machines where
deployment or uninstall processes have been scheduled using the
Deployment Status pane or scripts.
Each row in the pane identifies one machine, and provides the following
information:
‹ Domain Name. Shows the network domain on the client machine.
‹ Machine Name. Shows the client machine name. This may be a server, a
laptop, a desktop system, or any other machine.
‹ Asset Tag. Shows the user-defined asset tag name for the machine, if any.
‹ Status. Shows the current status of the machine.
‹ Client Version. Shows the current version of Client Agent installed at the
associated machine.
‹ Install Date. Shows the date when the current version of Client Agent
was installed at the associated machine.
The information in the Deployment Status pane reflects actual situations at
machines that are in the list. For example, if you set the Current View field to
Deployment Status, only machines where Client Agent is being deployed
appear in the Deployment Status list. If you set the field to Not installed,
only machines that do not have Client Agent installed appear.

Managing Client Options


If you include the Websense CPM Deployment Service component during
installation, Websense Enterprise Manager allows you to install, upgrade, or
remove Client Agent from a single location, without using scripts or third-
party tools. These functions allow you to maintain your Client Policy
Manager system with a minimum of effort.
Details for the CPM Deployment Service are available in the following
locations:
‹ Check Release Notes at http://www.websense.com/support for the latest
information.
‹ For installation details, check Chapter 3: Installing CPM Server.
‹ For deploying Client Agent using scripts, read Chapter 6: Deploying
Client Agent via Scripts.


When you deploy Client Agent using Websense Enterprise Manager, client
installation selections act in the following manner:
‹ Deploy
„ If you select Deploy, and there is not a current version of Client
Agent at a machine, the process installs Client Agent.
„ If you select Deploy, and there is a current version of Client Agent at
a machine, the process uninstalls the existing Client Agent and then
reinstalls it.
If you deploy Client Agent to a machine that is already running Client
Agent, the policy at the local machine does not change. When you
next change the policy using Websense Enterprise Manager, policy
changes occur at the local machine as usual.
‹ Uninstall
„ If you select Uninstall, and there is not a version of Client Agent at a
machine, the process does not impact the machine.
„ If you select Uninstall, and there is a current version of Client Agent
at a machine, the process removes the Client Agent.

Deploying Client Agent


To deploy Client Agent to machines using Websense Enterprise Manager:
1. In Websense Enterprise Manager, click the Desktop tab.
2. Select Deployment Status in the navigation pane to access the
Deployment Status pane.
3. Click Deployment Options to open the Client Install Options dialog
box.


Client Install Options Dialog Box

4. Select either Deploy or Uninstall. Only one option may be set at a time. If
you change this setting later, any selections you may have made in the
meantime are dropped.

NOTE
Generally, Websense, Inc. does not recommend
uninstalling and then reinstalling Client Agent. It is better
to deploy the agent and let the deployment process
upgrade or repair the agent. For more information, read
Troubleshooting Client Agent Installations, page 155.

5. Click in the View field, and then select one of the following:
„ Select All Clients to see all machines that are connected to the network.
„ Select Clients not installed to see only those machines where Client
Agent has not been installed.


„ Select Clients installed to see only those machines where Client
Agent is installed.
„ Select Clients active to see only those machines where Client Agent
is currently running and communicating with CPM Server.
„ Select Clients not responding to see only those machines where
clients are installed but are not communicating with CPM Server.
„ Select Clients disconnected to see only those machines where Client
Agent has been installed, but the machines are not currently on the
network.
6. Add client machines using one of the following methods:
„ Scroll through the Clients list, select the domain you want to include,
and then click Add. If you add a folder, all domains in the folder are
automatically included. If you add a single domain, only that domain
is included. In either case, only machines that meet the criteria in the
Client Action area are affected.
„ Enter a single IP address in the first IP Address/Range field, and
then click Add to add a single machine to the list.
„ Enter the starting and ending IP addresses of a range of IP addresses in
the IP Address/Range fields, and then click Add. The starting IP
address must be a smaller number than the ending IP address. For
example, 10.10.2.1 to 10.10.2.20 is a valid entry, while 10.10.2.20 to
10.10.2.1 is not.

WARNING
Do not install Client Agent on the machine or
machines where you have installed CPM Server or
CPM Reporter. If you do, you may encounter
serious operational problems with CPM functions.

7. Decide how you want Websense to manage the action you select:
„ By Schedule. The selected action occurs once, based on these
settings.
a. Click Schedule to run to activate the scheduling option.
b. Select the start date in the Date field.
c. Select the start time in the Time field.


CPM Server provides the timestamp, not the client machines. Even if
the client machine shows a different time, any logs or records of the
event will use the CPM Server time.
„ Run now. The action you selected begins processing as soon as you
click Run now and close the Client Install Options dialog box.
Click OK to submit the action for processing.

NOTE
When Client Agent is deployed to a machine, the
employee receives a pop-up window. The message tells the
employee that the network administrator has deployed new
software, and the machine must be restarted. The
employee can choose to restart the machine immediately
or restart at a later time.

8. Reboot the client workstation if Check Point VPN-1 is installed on the
same machine as Client Agent.

Refreshing Deployment Data


The Deployment Status pane updates automatically every 60 seconds when it
is open. This process checks the current status of any deployment operations,
and then inserts the details into the Deployment Status pane.
If you want to monitor deployment progress more closely, click Refresh near
the top of the pane. The latest status information appears in the Deployment
Status pane.

Removing Clients From the Selected Clients List


You can remove clients from the Selected Clients list if you accidentally
include them and have not yet sent your deployment request. When you
remove clients from the list, Websense Enterprise Manager will not include
those machines in any deployment action that is being set:
1. Scroll through the Selected Clients list and select the client or clients you
want to remove.
2. Click Remove to delete the client or clients from the list.


Canceling Client Agent Deployment


You can cancel a scheduled deployment action whenever necessary, and the
list may include both install and uninstall processes. If a process has already
been started at a machine, this option will not work.
For example, four machines in the Deployment Status list are scheduled for
upgrades, and one is currently uninstalling Client Agent. If you select these
five machines and click Cancel Deployment/Uninstall, Websense Enterprise
Manager cancels the four upgrades, but cannot cancel the uninstall process
that has already started.
To cancel a deployment action:
1. In Websense Enterprise Manager, click the Desktop tab.
2. Select Deployment Status in the navigation pane to access the
Deployment Status pane.
3. Make selections in the Domain and Current View fields to list machines
that meet your criteria.
4. Select the machines to be included in the cancellation, and then click
Cancel Deployment/Uninstall. A confirmation message appears.
5. Click Yes to cancel the installation action.



CHAPTER 6
Deploying Client Agent via Scripts
Websense provides a number of ways to deploy Client Agent, depending on
machine configuration and administrative access rights. To help you
determine how to deploy the agent, read Selecting the Deployment Method,
page 114.
The deployment methods are:
‹ Use CPM Deployment Service by accessing it through Websense
Enterprise Manager’s Deployment Status pane to install Client Agent.
For details, read Managing Client Options, page 106.

NOTE
For Windows NT and later versions, this is the easiest way
to deploy Client Agent and to monitor the process.

‹ Use third-party deployment software to install Client Agent. Refer to the
third-party publisher's documentation for details. Read Using Third-Party
Deployment Tools, page 126. This is useful for organizations that
regularly deploy software using third-party deployment tools.
‹ Use the installation CD or a shared network machine to install a single
copy of Client Agent. This method may be useful if you are in a small
environment or test situation. Read Chapter 7: Working with Single
Instances of Client Agent, page 131.
This is useful for new machines you are adding to an existing network, or
in a test environment. This method works for any operating system that
Client Policy Manager supports.


Predeployment Information

Before you begin deploying Client Agent, it is critical that you consider the
following:
‹ Before installing or deploying Client Agent, you must install Client
Policy Manager, enter your subscription data, and have the Websense
Enterprise Master Database downloaded and available. Read Chapter 4:
Preparing CPM for Use, page 93.
‹ Client Agent must be installed on every machine you want to monitor,
and must be able to communicate with CPM Server to access policies,
perform inventories, and upload logged information.
‹ If you need to uninstall and then reinstall Client Agent, make sure
Windows Service Control Manager (SCM) is closed at the machine
where activity is to occur. If SCM is open during the uninstall process,
you will not be able to start Client Agent. For more information, refer to
Microsoft Knowledge Base Article #287516.
‹ For Windows 2000, you must run Service Pack 3 or higher.
‹ Do not install Client Agent on the machine or machines where you have
installed CPM Server or CPM Reporter.

Selecting the Deployment Method


How you deploy Client Agent depends on the operating system at the client
machines, the access rights at those machines, if you are deploying to only
one domain or across domains, and what tools you choose to use. Deployment
options should be carefully weighed, and network configuration considered
before deploying agents.
Websense, Inc. provides the CPM Deployment Service to help with the task of
deploying Client Agent to one or many machines. When CPM Deployment
Service is installed, it provides functionality to the Deployment Status pane
in Websense Enterprise Manager.
The CPM Deployment Service can be accessed from:
‹ Websense Enterprise Manager and the Deployment Status pane.
‹ Logon scripts that call WsClientDeployTrigger.exe


The method of deployment depends on what system administrators are
comfortable with, and what operating systems machines are running. If you
choose to use CPM Deployment Service to install Websense Client Agent,
you need to determine which method is most appropriate for your
situation. The methods can be used in a mix of deployment options if
appropriate.
If your environment is small and includes only one domain, it is easy to install
a single copy of CPM Deployment Service and use it to deploy the agent. An
example of this configuration appears in the next figure.

Single Deployment Service, Single Domain

Deploying Agents Across Multiple Domains


There are two basic ways you can deploy Websense Client Agent to multiple
domains. Ultimately, your choice depends on your own expertise, and the way
your networks are designed.

Deploying Agents Across Multiple Domains: Method 1


You can install a copy of CPM Deployment Service for each domain. An
example of this configuration appears in the next figure.

Multiple CPM Deployment Services, Multiple Domains


If you select this method, the first CPM Deployment Service you install
becomes the “master.” If you uninstall Websense Client Policy Manager, and
are uninstalling any CPM Deployment Service, the “master” CPM
Deployment Service cannot be uninstalled until all other instances of the
CPM Deployment Service are uninstalled. If you uninstall the “master,”
subsequent processes will fail.

Deploying Agents Across Multiple Domains: Method 2


You can use one CPM Deployment Service if you have a single user name and
password for administrative control across domains. All domains must be
identified in the DeploymentServer.ini file, as described in Manually
Configuring DeploymentServer.ini, page 116. An example of this method
appears in the next figure.

Single CPM Deployment Service Across Multiple Domains

Manually Configuring DeploymentServer.ini


The DeploymentServer.ini file identifies how CPM Deployment
Service sees the network, how Client Agent is installed on machines, and
more. When you are ready to deploy Client Agent, you can manually edit the
DeploymentServer.ini file to define installation parameters. The
combination of changes you make defines how the CPM Deployment Service
functions in your environment.
Normally, only the two following situations require manual entries in the
DeploymentServer.ini file:
‹ Identifying multiple domains for deployment
‹ In response to troubleshooting issues


If you make changes to the settings in the DeploymentServer.ini file,
you can avoid having to uninstall and then reinstall the CPM Deployment
Service. The default path for DeploymentServer.ini is
C:\Program Files\Websense\bin.

DeploymentServer.ini Parameters
The following parameters can be set in the DeploymentServer.ini file.
If you make changes to this file, double-check your entries for accuracy. If
you enter invalid parameters or mistype data, CPM Deployment Service
might not work correctly.

WARNING
Although you can edit DeploymentServer.ini,
Websense, Inc. recommends using default settings
whenever possible. If you do change this .ini file, use
Windows Service Control Manager to restart CPM
Deployment Service.

Identifying Multiple Domains


You can modify the DeploymentServer.ini file so that one
installation of the CPM Deployment Service can support deployment to
multiple domains. When you enter the parameters, list each domain
individually, and separate each entry with a space. The next example
identifies three domains:
[Settings]
DomainList=DOMAIN1 DOMAIN2 DOMAIN3

Identifying the CPM Deployment Service Port


You can modify the DeploymentServer.ini file to override the default
port. In the next example, CPM Deployment Service will use port 55372:
[Settings]
DeploymentServerPort=55372


Identifying Maximum Number of Concurrent Deployments


You can define how many concurrent deployments of Client Agent can occur
simultaneously. This allows you to better manage bandwidth use, which can
be critical in small environments.
The allowed range of concurrent deployments is between 1 and 64. If you
enter a value higher than 64, CPM Deployment Service automatically defaults
to 64.
In the next example, CPM Deployment Service will be able to deploy up to 20
Client Agent installations simultaneously:
[Settings]
MaxConcurrentDeployments=20

Controlling Client Agent Settings


Your entries in the DeploymentServer.ini file determine how the
CPM Deployment Service operates. To help you create entries that are valid,
several scenarios and the necessary scripts to meet your needs are provided
next.
Example 1: You want to point installed agents to ControlServer, at port 8013,
and do not want to use SSL. Your entries in the DeploymentServer.ini file
would be:
[CMAgent]
ServerName=ControlServer
ServerPort=8013
Example 2: You want to deploy Client Agent to the agent subdirectory. Use
the format %PROGRAMFILES% for best results. For example, using this
value, your entry in the DeploymentServer.ini file will be:
[CMAgent]
ClientPathSpec=%ProgramFiles%\websense\WDC

IMPORTANT
Websense recommends using environment variables
instead of hardcoding the path. This ensures installation at
the machine if the machine does not have a C drive or if
localization issues are of concern.
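
Because a mistyped entry can stop CPM Deployment Service from working correctly, the DeploymentServer.ini settings described above can be checked before the service is restarted. The following Python checker is an added example, not Websense code; the function names, the constructed sample file, the case-insensitive handling of key names and the 1-65535 port range are assumptions.

```python
import configparser
import re

# Keys this guide documents for DeploymentServer.ini, per section (lower-cased).
KNOWN_KEYS = {
    "settings": {"domainlist", "deploymentserverport", "maxconcurrentdeployments"},
    "cmagent": {"servername", "serverport", "clientpathspec"},
}
HARDCODED_DRIVE = re.compile(r'^"?[A-Za-z]:[\\/]')


def parse_port(value):
    """Return value as an int in 1..65535, or None if it is not a port."""
    if value.isascii() and value.isdigit() and 1 <= int(value) <= 65535:
        return int(value)
    return None


def lint_deployment_ini(text):
    """Return (effective, findings) for the text of a DeploymentServer.ini."""
    effective, findings, values = {}, [], {}
    # interpolation=None so the '%' in %ProgramFiles% is read literally.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)  # strict mode also rejects duplicate keys
    except configparser.Error as exc:
        return effective, [f"ERROR: cannot parse file: {exc}"]

    for section in parser.sections():
        known = KNOWN_KEYS.get(section.lower(), set())
        for key, value in parser.items(section):
            if key in known:
                values[key] = value.strip()
            else:  # assumption: an unknown key is most likely a typo
                findings.append(f"WARN: [{section}] {key} is not a key "
                                "this checker knows; check spelling")

    if "domainlist" in values:
        domains, seen = values["domainlist"].split(), set()
        for name in domains:
            if "," in name or ";" in name:
                findings.append(f"ERROR: DomainList entry {name!r}: "
                                "separate domains with spaces only")
            if name.upper() in seen:
                findings.append(f"WARN: DomainList repeats {name!r}")
            seen.add(name.upper())
        effective["domains"] = domains

    for key, label in (("deploymentserverport", "DeploymentServerPort"),
                       ("serverport", "ServerPort")):
        if key in values:
            port = parse_port(values[key])
            if port is None:
                findings.append(f"ERROR: {label}={values[key]!r} is not a port")
            else:
                effective[label] = port

    if "maxconcurrentdeployments" in values:
        raw = values["maxconcurrentdeployments"]
        if not (raw.isascii() and raw.isdigit()) or int(raw) < 1:
            findings.append(f"ERROR: MaxConcurrentDeployments={raw!r} is "
                            "outside the documented range 1-64")
        elif int(raw) > 64:
            # The guide states that values above 64 default to 64.
            findings.append(f"WARN: MaxConcurrentDeployments={raw} exceeds 64; "
                            "the service will use 64")
            effective["MaxConcurrentDeployments"] = 64
        else:
            effective["MaxConcurrentDeployments"] = int(raw)

    if values.get("servername") == "":
        findings.append("ERROR: ServerName is empty")
    path = values.get("clientpathspec", "")
    if HARDCODED_DRIVE.match(path):
        findings.append(f"WARN: ClientPathSpec={path!r} hardcodes a drive; the "
                        "guide recommends an environment variable such as "
                        "%ProgramFiles%")
    return effective, findings


# Constructed sample with four deliberate mistakes (not a real site's file).
SAMPLE_INI = r"""
[Settings]
DomainList=DOMAIN1, DOMAIN2 DOMAIN3
DeploymentServerPort=55372
MaxConcurrentDeployments=100
MaxConcurentDeployments=20

[CMAgent]
ServerName=ControlServer
ServerPort=8013
ClientPathSpec=C:\Program Files\websense\WDC
"""

if __name__ == "__main__":
    settings, problems = lint_deployment_ini(SAMPLE_INI)
    print(settings)
    for line in problems:
        print(line)
```

Run the checker against a copy of the edited file; once no ERROR lines remain, restart CPM Deployment Service as the WARNING above directs.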


Preparing to Use Logon Scripts

To successfully deploy Client Agent, you must have already:


‹ Installed Client Policy Manager components, described in Chapter 3:
Installing CPM Server, page 41.
‹ Subscribed to Client Policy Manager and downloaded the Websense
Enterprise Master Database. For details, refer to Chapter 4: Preparing
CPM for Use, page 93.
‹ Installed the shared Client directory, which is included in the “Typical”
installation.
If you are using deployment logon scripts or installing Client Agent directly
on to a machine, you must have access to Client Policy Manager installation
files. The files may be installed when you install other Client Policy Manager
components, or may be installed separately from the CD-ROM or from
downloaded files available at www.websense.com/downloads/.
To access files for Client Agent installation:
1. Copy the Client directory. This directory installs, by default, at
C:\Websense\bin\Client.
2. Make sure the location where you are copying the directory is a read-only
public share. If necessary, click Browse to search for the appropriate
location.
The Client folder contains two critical files:
‹ WsIsCAMCurrent.exe determines whether a current version of
Client Agent exists on a machine or not. Login scripts can use this
program to selectively install Client Agent, based on the currently
installed version of the agent at a machine.
‹ WsClientDeployTrigger.exe deploys agents to machines with
administrator privileges. If the client machine does not have administrator
privileges, WsClientDeployTrigger.exe calls the CPM
Deployment Service to deploy Websense Client Agent.


Using Logon Scripts


You can use logon scripts to install Websense Client Agent. When you install
files from the Client Agent Installation Pack, the process places the
SampleLoginScript.bat file in the location you selected.
This file provides a sample logon script that includes various comments to
help explain what the code is designed to do. You can modify this file to
easily create logon scripts that you can use immediately. With minor changes,
this same file may be used to uninstall Client Agent.

WsClientDeployTrigger.exe Parameters
Script parameters are not case-sensitive, and do not need to be placed in any
particular sequence. To specify parameters for the proxy server, you need the
IP address or machine name, the port number, the user name, and the
password. Contact the proxy server administrator if you do not have access to
these details.

NOTE
You can view installation settings including the server port
in the CAMServer.ini file. The file is installed with
CPM Server. By default, the file location is C:\Program
Files\Websense\bin\CAMServer.ini.

Required Parameters
The following are required parameters for
WsClientDeployTrigger.exe:
• DeploymentServerName—name or IP address of the machine where
CPM Deployment Service is running, for example
DeploymentServerName=ITServer. Websense, Inc. recommends
using machine names whenever possible. For networks using DHCP-based
communications, the machine name is the only way to avoid
critical problems caused by routine IP address changes.
• DeploymentServerPort—port on which CPM Deployment Service
listens, for example, DeploymentServerPort=55372.
• InstallMode—parameter that defines whether to install or uninstall the
Client Agent. Possible values are InstallMode=install or
InstallMode=uninstall. If you select InstallMode, you need to
identify the following:
  - ServerName—name of the machine where CPM Server resides.
    Your entry must match the selection you made when installing Client
    Policy Manager components.
  - ServerPort—port on which CPM Server listens.
Your entries must match the selection you made when installing Client
Policy Manager components.

Optional Parameters
The following are optional parameters for
WsClientDeployTrigger.exe. Generally, you can accept default
values for these parameters.
• ClientPathSpec—directory into which Client Agent is being installed at
the client machine. The default is
ClientPathSpec="%PROGRAMFILES%\Websense\WDC".

IMPORTANT
Quotation marks around directory strings are important,
especially if the directory string includes spaces. Websense
also recommends the use of environment variables instead
of hardcoding the path. This ensures installation at the
machine if the machine does not have a C drive or if
localization issues are of concern.

• ClientTempPath—parameter that identifies a temporary directory that
CPM Deployment Service can use to temporarily store necessary files.
• AutoReboot—parameter that defines automatic restart for client
machines when Client Agent installation is complete. Valid values are:
  - Yes forces an immediate restart. There is no employee notification.
    Generally, this is not recommended.
  - No does not restart the machine.
  - Prompt presents an interface to any employee at the client machine,
    allowing them to restart or not.
  - WMI_Prompt—forces a restart if the installation process included
    installing Windows Management Instrumentation (WMI) software.
    WMI is needed for inventories, and if it is not on a system, the Client
    Policy Manager Installation process installs it. This is the default.
• ProxyName—IP address of the proxy server, if a proxy is required for
HTTP traffic, for example, ProxyName=192.168.0.253. There is
no default selection.

NOTE
If the proxy server requires authentication, you can encrypt
the ProxyUsername and ProxyPassword by running
CAMencrypt.exe. Read Encrypting ProxyUsername
and ProxyPassword, page 122. These parameters do not
have default settings. If the proxy server does not require
authentication, you need not enter these parameters.

• ProxyPort—proxy server port, if a proxy is required for HTTP traffic, for
example ProxyPort=80. 80 is the default selection.
• ProxyUsername—user name required to authenticate through the proxy
server. The value is an encrypted string, for example,
ProxyUsername=135d6a9b4b79cdbbd38927f0f4ca7be8.
• ProxyPassword—user's password required to authenticate through the
proxy server. The value is an encrypted string, for example,
ProxyPassword=f8380db439507b3e050ea2e2dfaf0094.

Encrypting ProxyUsername and ProxyPassword


If scripts identify proxy servers that require authentication, encrypt the
ProxyUsername and ProxyPassword for additional security. Use
WSCAMencrypt.exe to encrypt the ProxyUsername and ProxyPassword.
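
Logon scripts are readable by every account that runs them, so it is worth checking them before they go onto the share. The following is an added example, not part of the Websense guide or its SampleLoginScript.bat: a Python audit of WsClientDeployTrigger.exe invocations against the parameter rules listed above. It assumes each invocation sits on one line and that encrypted proxy values are 32 hexadecimal characters, as in the guide's examples; the sample script, the ServerPort value and the function names are constructed.

```python
import re

# Parameter names and values as listed in this guide (compared case-insensitively).
REQUIRED = ("deploymentservername", "deploymentserverport", "installmode")
REQUIRED_FOR_INSTALL = ("servername", "serverport")
OPTIONAL = ("clientpathspec", "clienttemppath", "autoreboot",
            "proxyname", "proxyport", "proxyusername", "proxypassword")
AUTOREBOOT_VALUES = {"yes", "no", "prompt", "wmi_prompt"}
PORT_PARAMS = ("deploymentserverport", "serverport", "proxyport")

# Assumption: encrypted values are 32 hex characters, like the guide's examples.
ENCRYPTED_RE = re.compile(r"[0-9a-fA-F]{32}")
# name=value, where the value is "quoted" or a run of characters without spaces.
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|[^\s"]*)')
TRIGGER_RE = re.compile(r'WsClientDeployTrigger(?:\.exe)?"?', re.IGNORECASE)


def parse_trigger_line(line):
    """Return (params, stray_tokens), or None if the line does not call the trigger."""
    match = TRIGGER_RE.search(line)
    if match is None:
        return None
    rest = line[match.end():]
    params = {name.lower(): value.strip('"') for name, value in PAIR_RE.findall(rest)}
    # Whatever is left after removing name=value pairs was not parsed as a parameter.
    stray = PAIR_RE.sub(" ", rest).split()
    return params, stray


def check_params(params, stray):
    """Return a list of findings for one parsed invocation."""
    findings = []
    mode = params.get("installmode", "").lower()
    required = list(REQUIRED)
    if mode == "install":
        required += REQUIRED_FOR_INSTALL
    for name in required:
        if not params.get(name):
            findings.append(f"missing required parameter {name}")
    if mode and mode not in ("install", "uninstall"):
        findings.append(f"invalid InstallMode value {mode!r}")
    for name in params:
        if name not in REQUIRED + REQUIRED_FOR_INSTALL + OPTIONAL:
            findings.append(f"unknown parameter {name}")
    for name in PORT_PARAMS:
        value = params.get(name)
        if value and not (value.isascii() and value.isdigit() and 0 < int(value) < 65536):
            findings.append(f"{name} is not a valid port number")
    reboot = params.get("autoreboot")
    if reboot and reboot.lower() not in AUTOREBOOT_VALUES:
        findings.append(f"invalid AutoReboot value {reboot!r}")
    for name in ("proxyusername", "proxypassword"):
        value = params.get(name)
        # The value itself is never echoed into the finding.
        if value and not ENCRYPTED_RE.fullmatch(value):
            findings.append(f"{name} does not look encrypted (possible cleartext credential)")
    if stray:
        findings.append("unparsed tokens (unquoted value with spaces?): " + " ".join(stray))
    return findings


def audit_script(text):
    """Return (line_number, finding) pairs for every trigger invocation in a script."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.lower().startswith(("rem ", "::")):
            continue  # batch comment
        parsed = parse_trigger_line(stripped)
        if parsed is not None:
            results.extend((lineno, finding) for finding in check_params(*parsed))
    return results


# Constructed sample logon script: line 3 is well formed, line 4 has five problems.
SAMPLE_SCRIPT = r'''@echo off
rem WsClientDeployTrigger.exe InstallMode=install (commented out, ignored)
"\\ITServer\Client\WsClientDeployTrigger.exe" DeploymentServerName=ITServer DeploymentServerPort=55372 InstallMode=install ServerName=ITServer ServerPort=55373 ClientPathSpec="%PROGRAMFILES%\Websense\WDC" AutoReboot=Prompt
"\\ITServer\Client\WsClientDeployTrigger.exe" deploymentservername=ITServer DeploymentServerPort=55372 InstallMode=install ServerName=ITServer ClientPathSpec=C:\Program Files\Websense\WDC ProxyName=192.168.0.253 ProxyUsername=proxyuser ProxyPassword=Example-Passw0rd AutoReboot=Always
"\\ITServer\Client\WsClientDeployTrigger.exe" DeploymentServerName=ITServer DeploymentServerPort=55372 InstallMode=UNINSTALL
'''

if __name__ == "__main__":
    for lineno, finding in audit_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {finding}")
```
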

Configuring Logon Script Execution


The following are instructions for configuring logon scripts to run on
Windows NT or 2000. If you use a third-party application to manage logon
scripts, consult the publisher’s documentation.


Windows 2000: Via Group Policy


See Windows Help or check the Microsoft Knowledge Base at
www.support.Microsoft.com for complete details.

Windows 2000: Via User Profiles


To execute your logon script, for example, install.bat, via User
Profiles:
1. Place the logon script you created into the domain controller's Netlogon
share folder, located at %SystemRoot%\SysVol\<DNS domain
name>\scripts.
2. Select Start>Programs>Administrative Tools, and launch Active
Directory Users and Computers to view the list of domain users.
3. Expand the domain branch for users who will run the logon script.
4. Select the Users folder. The list of domain users appears.
5. From the list of domain users, double-click a user who must run the logon
script. The User Properties dialog box displays.
6. Select the Profile tab.
7. In the Logon script field, type the file name of the logon script, for
example, install.bat. This is the file you handled during Step 1.
8. Click OK to exit the User Properties dialog box.
9. Repeat Step 4 through Step 8 for each user who must run the logon script.

IMPORTANT
If you are running Check Point VPN-1 on the client
workstation, you must restart the machine after deploying
the Client Agent.


Windows NT
To execute the logon script in Windows NT:
1. Place the logon script you created, for example, install.bat, into the
domain controller's Netlogon share, located at
%SystemRoot%\system32\repl\import\scripts.
2. On the domain controller, select Start>Run and type usrmgr.exe to
launch the User Manager.
3. In the list of domain users, double-click on a user to whom you want to
assign the logon script. The User Properties dialog box opens.
4. Click Profile. The User Profile dialog box opens.
5. In the Logon Script Name field, type the file name of the logon script,
for example, install.bat. This is the file you handled in Step 1.
6. Click OK to exit the User Profile dialog box, and then click OK again to
exit the User Properties dialog box.
7. Repeat Step 3 through Step 6 for each user who must run the logon script.

IMPORTANT
If you are running Check Point VPN-1 on the client
workstation, you must restart the machine after deploying
the Client Agent.

Uninstalling Client Agent via Scripts


If you are uninstalling Client Agent using scripts, the only required
parameters are DeployServerName, DeployServerPort, and InstallMode.


Using Command Line Options for Authentication

During CPM Server installation, you are prompted for a pass phrase to protect
communications between the server and the agent, as described in Identifying
an Encryption Pass Phrase, page 77. How you deploy Client Agent
determines how the pass phrase is provided:
• If you deploy Client Agent from Websense Enterprise Manager, the
encrypted authentication pass phrase is automatically submitted to Client
Agent.
• If you deploy Client Agent via scripts, you need to use command line
options to set authentication for CPM Server/Client Agent
communications.
The authentication pass phrase at each Client Agent must match the pass
phrase, or encrypted pass phrase, used at the CPM Server. For example, if you
set authentication at the server, you must also set authentication at the
machines running Client Agent.
While your unencrypted pass phrase is not stored, the encrypted pass phrase
is. If you need access to the encrypted pass phrase, you will find it in the
camserver.ini file. By default, the file is at C:\Program
Files\Websense\bin.
To use command line options for authentication, enter:
• -k to set authentication key encryption for Client Agent
• -p to set authentication key encryption for CPM Server
The only way you can have a mixed environment--where some machines use
authentication and others do not--is if you use multiple CPM Servers. Even
so, the authentication selection at each CPM Server must be the same for the
Client Agent machines that are in communication with that server.


Using Third-Party Deployment Tools

If you are using a third-party deployment solution, for example, Microsoft
SMS, Novidigm, or Zenworks, you do not need the CPM Deployment Service
and its associated utilities. Instead--if you have not already done so--you need
only extract the CAMAgentPack.exe package located in the
InstallPackage directory.
Your third-party deployment tool can deploy Client Agent using the program
at C:\Program Files\Websense\bin\Client\.
There are four ways to deploy Client Agent, depending on whether the
target machine has Windows Installer available:
• For Windows NT or higher, where Windows Installer is not available, use
C:\Program Files\Websense\bin\Client\NT\MSI\setup.exe
• For Windows NT or higher, where Windows Installer is available, use
C:\Program Files\Websense\bin\Client\NT\No_MSI\CPMClient.msi

Command Line Parameters for Client Agent Installation


Below are command line parameters for the Client Agent installer, which are
necessary for any third party deployment:
• /s—silent mode. When you select this option, Client Agent installs
silently. If you do not use /s, the installer launches in interactive mode and
installation dialog boxes display to the employee at the machine during
installation. Most organizations choose the silent mode, as interactive
mass deployment has little value.
• Address—IP address of the machine where Policy Server resides. This
parameter is required in silent mode.
• Port—port on which CPM Server listens. This parameter is required in
silent mode.
• Path—directory where Client Agent is installed at a client machine. The
default installation directory is C:\PROGRAMFILES\Websense\WDC,
and is hidden by default.
• Reboot—defines if the client machine restarts automatically once the
Client Agent is installed. Valid selections are:
  - Y—yes
  - N—no
  - P—prompt.
  - WMI_Reboot—default that becomes active only if WMI is not
    detected on a machine.

IMPORTANT
If you are running Check Point VPN-1 on the client
workstation, you must restart the machine after deploying
the Client Agent.

• Proxy—IP address and port of the proxy server, if a proxy is required for
HTTP traffic. The value for this parameter is in the form Address:Port,
for example 192.168.0.253.
• Pxyauthname—user name required to authenticate through the proxy
server. The value is an encrypted string, for example
135d6a9b4b79cdbbd38927f0f4ca7be8. This parameter is not needed if
the proxy server does not require authentication.
• Pxyauthpwd—user's password required to authenticate through the
proxy server. The value is an encrypted string, for example
f8380db439507b3e050ea2e2dfaf0094. This parameter is not needed if
the proxy server does not require authentication.

AutoReboot Parameters for Uninstalls and Upgrades


If you are removing Client Agent v5.x, or are upgrading from Client Agent
v5.x, you can define the autoreboot parameters that impact your employees.
Most organizations do not choose to restart machines for a new installation of
Client Agent v5.5.2. However, restarting machines is mandatory if you
remove or upgrade Client Agent v5.x.
The parameters that impact the autoreboot function are:
• YES—machines will restart, and employees are not prompted to restart
• NO—machines do not restart
• PROMPT—employees will always be prompted to restart their machines
• WMI_PROMPT—employees are prompted to restart their machines only
if WMI is installed
• IF_NEEDED_PROMPT—default setting prompts employees to restart
their machines if WMI is installed, if Client Agent 5.2 is uninstalled, or if
Client v5.2 is upgraded to v5.5.
If you use third-party scripts to uninstall or upgrade Client Agent v5.2, the
parameters you set are the ones that are passed to the machines where activity
occurs.

Syntax
With the exception of the silent mode parameter (/s), enclose command-line
options in double quotes. Do not otherwise use single or double quotes within
the parameters. For example, the following restarts the machine
where Client Agent resides if the employee clicks Yes in a prompt dialog box:
    setup.bat /s "ADDRESS|192.168.0.253,PORT|443,PATH|C:\PROGRAMFILES\Client Agent,SSL|1,REBOOT|PROMPT"
The next script example uninstalls Client Agent:
    setup.bat /s "UNINSTALL|Yes"

Using Scripts for Unattended Client Agent Install/Uninstall


If you do not want to manually deploy Client Agent, you can perform an
unattended installation, using command line setup options, described in Using
Third-Party Deployment Tools, page 126. System administrators with some
experience can combine scripts to remove an older version and install a newer
version, which a user triggers at logon.
Script details are installed at the following default locations:
• C:\Websense\bin\Client\SampleLoginscript.bat
• C:\Websense\bin\Client\Sample.vbs


Using Command Prompt for Starting or Stopping Client Agent

You can use the Command Prompt option at the client machine to start and
stop Client Agent.

Starting Client Agent


If you want to start Client Agent using the Command Prompt option:
1. Open the Command Prompt window.
2. Type: net start "Client Agent"
Make sure you include the double-quotation marks in your entry.
3. Press Enter to start the service.

Stopping Client Agent


If you want to stop Client Agent using the Command Prompt option:
1. Open the Command Prompt window.
2. Type: net stop "Websense Desktop Client"
Make sure you include the double-quotation marks in your entry.
3. Press Enter to stop the service.



CHAPTER 7
Working with Single Instances of Client Agent
There are times when it is appropriate to avoid mass deployments to install
Client Agent. For example, you may isolate a group of machines to serve as a
test facility and install Client Agent manually, or you may be rebuilding a
machine and need to reinstall Client Agent only on that machine.
Other functions such as upgrading or uninstalling Client Agent may also take
place at a single machine using the same installation files. Before you can use
the installation program, you must unzip and access the appropriate files. For
details, read Selecting an Installer, page 132.
To install a single instance of Client Agent, you can use:
• Logon scripts. Read Using Logon Scripts, page 120.
• Command line syntax, directly or in a script, for unattended installation.
Read Using Third-Party Deployment Tools, page 126, and Using Scripts
for Unattended Client Agent Install/Uninstall, page 128.
• Client Agent files, accessed from CPM Server. Read Accessing Client
Agent Files from a Server, page 133.
• The Client Agent files installed locally from CD or
www.websense.com/support/downloads/. Read Installing Client Agent Locally, page 136.

Preparing for Client Agent Installation


Anytime you are installing Client Agent at a local machine, you must have all
of the following available beforehand:
• Domain administrator access including user name and password.
• If you want to access Client Agent files from a server, you must set up a
shared directory. For details, refer to Preparing to Use Logon Scripts,
page 119.
• If you are not accessing files from servers, you need the Websense CD or
Internet access for downloading the Websense Enterprise Setup.


• If you are not accessing installation files from a server, and not installing
on a machine where you have already installed Websense Enterprise
Manager, you will need:
  - The IP address of the machine where you installed Policy Server.

NOTE
If you do not know the IP address of the machine but you
do know the name, use Start > Run and ping the machine.
Type “ping <machine name>”. A system window
opens and shows the IP address for the machine you are
pinging.

  - The configuration port for Policy Server.
• Administrator access to the local machine where you are installing a
single instance of Client Agent.
• The port number which CPM Server and Client Agent will use for
communications.
• Either the pass phrase you entered when you installed CPM Server, or the
encrypted key that is automatically created by Websense.

NOTE
You can locate port information and the encrypted key
from the CAMServer.ini file. By default, this is at the
machine where you installed CPM Server. The default path
is <cpm_server>\C:\Program
Files\Websense\bin\CAMServer.ini.

Selecting an Installer
CPM includes five different installation files, three for Windows ME, and two
for Windows NT and other Windows systems. Two of the installers are
bundled with Windows Installer, and are approximately 4 MB; the other two
installers are for systems where Windows Installer is already available, and
are approximately 2 MB.
If you do not know whether or not Windows Installer is available at the local
machine, and do not select the correct file the first time, simply select the
remaining file the second time. If the installer fails, there are no repercussions
at the local machine.
For machines running Windows ME, you must install Windows Management
Instrumentation (WMI), an application that allows Client Agent and CPM
Server to pass information, in addition to installing Client Agent. For
Windows NT, Windows 2000, Windows 2003, and Windows XP, WMI is
already installed with the operating system.
The Client Agent installation files that are available, the operating systems
(OS) they impact, and their approximate size, appear in the next table. The
default paths are also provided.

Operating System / Default Path and File                                   WMI?   Size
---------------------------------------------------------------------------------------
Windows NT/2000/2003/XP
  (Client Agent Installation)
  \\Program Files\Websense\bin\Client\NT\MSI\Setup.exe                     Yes    2 KB
  (Client Agent Installation)
  \\Program Files\Websense\bin\Client\NT\No_MSI\CPMClient.msi              No     4 KB
Windows ME
  (WMI Installation)
  \\Program Files\Websense\bin\Client\WMI Installers\9\wmicore.exe         N/A    6.5 KB

Once you have access to the Client Agent installers, the installation process at
the local machine takes approximately 30 seconds.

Accessing Client Agent Files from a Server


You can deploy Client Agent to a single machine from any machine where
you have installed CPM Deployment Service. This may be the machine where
CPM Server is installed, or may be a domain machine accessible to a local
machine where you are installing Client Agent:
1. Make sure the local machine is able to communicate with CPM Server or
a domain server where you installed CPM Deployment Service.


2. Make sure you have administrator level access to the local machine. You
need the user name and password.
3. If the local machine is running a Windows ME operating system, install
Windows Management Instrumentation (WMI). The default location for
the installer is
<cpm_server>\C:\Program Files\Websense\bin\Client\WMI Installers\9\wmicore.exe.

NOTE
Windows Management Instrumentation (WMI) is needed
for CPM Server and Client Agent communications and
information transmissions.

4. Decide which Client Agent installation file is most suitable for the local
machine, and then locate it. Default paths and file information appear in
Selecting an Installer, page 132. All files are in the
\\Program Files\Websense\bin\Client\ directory path.
5. Once you locate the appropriate file, double click it to begin running the
installer.
6. Follow onscreen prompts to install Client Agent. The process is described
in Installing Client Agent Locally, page 136.

Installing CPM Deployment Service Locally


If you do not want to use files from CPM Server or domain servers, as
described in Accessing Client Agent Files from a Server, page 133, install
CPM Deployment Service at the local machine. You can use a CD or
downloaded files for this installation.

NOTE
The following procedure assumes you do not have any
Websense Enterprise components currently installed. If
you do, Step 7 does not appear.

To install CPM Deployment Service at the local machine:


1. Review the information you need to install Client Agent. Read Preparing
for Client Agent Installation, page 131.


2. Use a CD or access the Websense Enterprise Setup from the Websense
download site, www.websense.com\support\downloads.
3. Run the installer.
4. When prompted to choose a module for installation, select Client Policy
Manager, and then click Next.
5. When prompted to choose a setup type, select Custom, and then click
Next.
6. When prompted to select components, select only CPM Deployment
Service, and then click Next.
7. When the Policy Server Information dialog box opens:
a. Enter the IP address of the Policy Server.
b. Enter the configuration port number for the Policy Server.
c. Click Next.
8. When the Domain Access dialog box opens:
a. Enter the domain name and user name separated by a backslash. For
example, Accounting\SuperUser could be a valid domain and user
name. This user must have full administrative access rights for the
domain.
b. Enter the password for the administrative user.
c. Click Next.
9. If the local machine is using a non-English operating system, you must
identify the language for the operating system when the Non-English
WMI dialog box opens, and then click Next.
If the operating system is in English, simply click Next.
10. When the Directory Location dialog box opens, either accept the default
installation path or click Browse to select an alternate, and then click
Next.
Messages appear as the process checks the local system.
11. When the Installation Summary dialog box opens, review the details,
and then click Next.
Messages and progress bars appear as files are installed.
12. When the Installation Complete dialog box opens, click Finish to
conclude your installation.


13. Check Selecting an Installer, page 132, to determine which Client Agent
installation file is appropriate for the local
14. Install Client Agent. Read Installing Client Agent Locally, the next topic,
for details.

Installing Client Agent Locally


Once you have access to the Client Agent installation files at the local
machine, the installation process takes between 30 and 45 seconds. To access
these files easily, Websense, Inc. recommends that you create a shared
directory, as described in Preparing to Use Logon Scripts, page 119.
Once you have located the appropriate installation file, described in Selecting
an Installer, page 132:
1. Double-click the file you need to install Client Agent.
2. When the Welcome dialog box opens, click Next.
3. When the CPM Server Connection Information dialog box opens, enter
the necessary details:
a. Enter the IP address or name of the CPM Server in the Server
Address field.
b. Enter the communications port number over which CPM Server and
Client Agent will communicate.
c. Enter one of the following security parameters:
• Enter the pass phrase you defined when installing CPM Server.
If you do not know or do not remember the pass phrase, use the
encrypted key.
• Enter the encrypted key. Websense Enterprise generates this key
automatically using the pass phrase you defined during CPM
Server installation, and combining it with non-published
Websense keys.


IMPORTANT
If you do not know the encrypted key, go to
the machine where you installed CPM
Server, if you have administrator access to
that machine. Locate and open the
CAMServer.ini file. For details, read
Preparing for Client Agent Installation,
page 131.

d. Click Next.
4. After brief messages appear, the Installation Complete dialog box opens.
Click Finish to complete the CPM Deployment Service installation.

Upgrading or Repairing a Local Instance of Client Agent


If you are upgrading or repairing Client Agent at a local machine, first review
Selecting an Installer, page 132. Generally, the installer you select should be
the installer you first chose to install Client Agent.
The installation program compares the existing version with the new version,
and updates files that have changed or that are corrupt. This process does not
change your configuration files, which ensures that your configuration data
remains intact. You do not need to uninstall the existing Client Agent files.
To upgrade an instance of Client Agent:
1. If you have not already done so, create a shared directory for the files
installed, by default, at C:\Program Files\Websense\bin\Client.
The process is described in
Preparing to Use Logon Scripts, page 119. You can also install the
necessary files from CD or download them from
www.websense.com\downloads.
2. If your organization uses lockdowns for machines, you need to remove
the lockdown at the machine or machines where you are upgrading Client
Agent. Information is available in online help when you are in Websense
Enterprise Manager, or in the Websense Enterprise Client Policy
Manager Administrator’s Guide, available from the Websense Enterprise
selection on the Start menu.


3. Access the installation program to upgrade Client Agent. Read
Accessing Client Agent Files from a Server, page 133, and Installing
CPM Deployment Service Locally, page 134, for details.
4. Locate the appropriate installation file, and then double-click it.
5. When the application detects an installation of Client Agent, it presents
the Program Maintenance dialog box. Click Repair, and then click OK.
Brief messages appear as the repair processes occur.
6. When the Ready to Repair the Program dialog box appears, click
Install.
7. When the InstallShield Wizard Complete dialog box opens, click
Finish to complete your installation.

Uninstalling a Local Instance of Client Agent


To uninstall Client Agent at a local client machine:
1. If you have not already done so, create a shared directory for the files
installed, by default, at C:\Program Files\Websense\bin\Client.
The process is described in
Preparing to Use Logon Scripts, page 119. You can also install the
necessary files from CD or download them from
www.websense.com\downloads.
2. If your organization uses lockdowns for machines, you need to remove
the lockdown at the machine or machines where you are uninstalling
Client Agent. Information is available in online help when you are in
Websense Enterprise Manager, or in the Websense Enterprise Client
Policy Manager Administrator’s Guide, available from the Websense
Enterprise selection on the Start menu.
3. Remove Client Agent using the following script at the local machine:
    "\\YourServerName\Client\WsClientDeployTrigger" DeploymentServerName=YourServerName DeploymentServerPort=55372 InstallMode=UNINSTALL



CHAPTER 8
Preparing Explorer for CPM for Use
Explorer for CPM may be installed with other Client Policy Manager
components, and is bundled with CPM Reporter. Configuration is slightly
different, as you may need to define access.
Be aware of the following issues that impact installation:
• An IIS or Apache server must be installed at the machine where CPM
Reporter and/or Explorer for CPM reside. If you do not have a Web
server, the Websense installation process includes Apache at no additional
cost.
• The Web Server can be installed on any machine that can connect to the
CPM Log Database.
• Your company may encrypt Web traffic that contains sensitive
information by using HTTPS. If this is not a concern, you can use HTTP.
Explorer for CPM will run over either.
• Windows authentication between the Web browser (Microsoft Internet
Explorer) and the Microsoft IIS Web server is supported in this release.

Component          Minimum Requirements
------------------------------------------------------------------------
Web Browser        Microsoft Internet Explorer - version 5.5 or higher
RAM on client PC   256 MB minimum
                   512 MB recommended
Web Server         The Web Server must be one of the following running
                   on Windows 2000 Server SP3:
                   Microsoft IIS - version 4 or higher
                   Apache Web Server - version 2.0.36 or higher.


Apache
If you use Apache, during installation you will be required to set a user name
and password for three different roles required for Explorer for CPM. These roles
are:
• An HR User can run any report and can see user and machine names.
• A Restricted User can run reports only with user IDs instead of user
names.
More than one person may assume each role, and the user name and password
for a role applies to that role, not a specific user.

Microsoft IIS
If you use IIS, before installing Explorer for CPM, you need to know the
location of the IIS Virtual Directory. During the installation, you will be asked
to provide the name of an existing Website from IIS Manager in which to
create the virtual directory.
• To create a new Web site or view existing Web sites, access the Windows
Internet Services Manager by selecting
Start>Programs>Administrative Tools>Internet Services Manager.
Explorer for CPM users access the same installed reporting tools. There are,
however, two different user access levels controlled by individual files, each
of which results in a different access path. You must identify each Windows
user and provide access with her user name and password. The files are:
• explorer.exe - Users can run any Explorer for CPM reports and see
all information. User and machine names are viewable or can be manually
hidden.
• explorer_anon.exe - Users can run any Explorer for CPM reports.
All launch-related data is available, except user and machine names are
shown as numeric IDs.
Once Explorer for CPM is installed, access levels are set at the machine where
Explorer for CPM resides, by setting permissions on the Explorer for CPM
files. Later, you may need to remove permissions if employees change job
positions or leave the company.


Setting User Access for Microsoft IIS


To set user access:
1. Go to the machine where you installed Explorer for CPM.
2. Locate the files on the hard drive. By default, the files are at
C:\Program Files\Websense\webroot\Explorer\.
3. Right-click on the appropriate file, and then select Properties.
  - Select explorer.exe if you are setting permissions for someone
    who needs full access to all report data, including user and machine
    names.
  - Select explorer_anon.exe if you are setting permissions for
    someone who needs access to launch data, but should not see user and
    machine names.
4. When the Properties dialog box opens, click the Security tab.
5. Define permissions:
  - Set permissions for employees who need access by selecting the
    appropriate name from the list, and then clicking Add.
  - Remove permissions for employees who no longer need access by
    clicking the appropriate name in the list, and then clicking Remove.
If you need assistance, check system help or contact Microsoft.
6. Set permissions for the other Explorer for CPM files if necessary.
7. When you are done, contact employees who now have access and give
them the following information:
a. URL where they can connect to Explorer for CPM
b. Appropriate user name and password that will allow them to see data


Defining Department Level Reporting

You can define department level reporting as an additional feature for
Explorer for CPM. This functionality allows managers who have access to
explorer_auth.exe to view information about the employees for
whom they are directly responsible. If department level reporting is not set,
the manager sees his own Internet activity, but cannot track information for
employees.

WARNING
For optimum results, you should be familiar with
Microsoft SQL concepts and table structures. If you do not
have the appropriate knowledge, Websense Inc.
recommends you contact someone who does.

To set department level reporting, you must add employees’ user IDs to the
USER_MANAGERS table.
When the table is populated, department managers with access to
explorer_auth.exe will be able to view launch activity for employees
in their department.

Populate the USER_MANAGERS Table


The USERS table already exists in the CPM Log Database. It is populated
with user IDs and user names, and contains the following columns:
• USER_ID
• LOGIN_NAME
• DOMAIN_ID
• NAME_SPACE
• FULL_NAME
Insert the user IDs from this table to populate the USER_MANAGERS table.

user_id (int)   manager_id (int)


Once the USER_MANAGERS table is populated for a department, that
department's manager will be able to view and track software launches for
employees in her department.

Simple Example
John Rodriguez is the department manager. Department employees are Stella
Fisher, Robert Smith, and Joseph Huang.
The prepopulated USERS table looks like this:
.

Use these simple SQL statements to populate the USER_MANAGERS table:

-- Each row maps one employee's USER_ID (user_id) to the
-- department manager's USER_ID (manager_id).
INSERT into USER_MANAGERS (user_id, manager_id)
values (9832, 1154)

INSERT into USER_MANAGERS (user_id, manager_id)
values (2374, 1154)

INSERT into USER_MANAGERS (user_id, manager_id)
values (8882, 1154)

After the SQL queries are resolved, the USER_MANAGERS table would
then look like this:

user_id (int)   manager_id (int)
9832            1154
2374            1154
8882            1154
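
One way to populate and then audit USER_MANAGERS without copying numeric IDs by hand, as an added T-SQL example that is not part of the Websense guide. It uses only the table and column names listed above, and it assumes that FULL_NAME stores names in "First Last" form, which you should confirm against your own USERS rows.

```sql
-- Added example; not from the Websense guide. Run against the CPM Log Database.
-- Assumption: USERS.FULL_NAME holds "First Last". Confirm with a SELECT first.

DECLARE @manager_id int, @manager_rows int

-- 1. Resolve the manager by name and stop on zero or duplicate matches,
--    so a typo cannot grant visibility to the wrong account.
SELECT @manager_rows = COUNT(*), @manager_id = MIN(USER_ID)
FROM USERS
WHERE FULL_NAME = 'John Rodriguez'

IF @manager_rows <> 1
BEGIN
    RAISERROR('Expected exactly 1 USERS row for the manager, found %d.', 16, 1, @manager_rows)
    RETURN
END

-- 2. Map each employee to the manager. NOT EXISTS makes the statement safe
--    to re-run without creating duplicate rows.
BEGIN TRANSACTION

INSERT INTO USER_MANAGERS (user_id, manager_id)
SELECT u.USER_ID, @manager_id
FROM USERS u
WHERE u.FULL_NAME IN ('Stella Fisher', 'Robert Smith', 'Joseph Huang')
  AND u.USER_ID <> @manager_id
  AND NOT EXISTS (SELECT 1
                  FROM USER_MANAGERS um
                  WHERE um.user_id = u.USER_ID
                    AND um.manager_id = @manager_id)

-- 3. Commit only if the three names now map to exactly three rows. A missing
--    name or two users sharing a name gives a different count and rolls back.
IF (SELECT COUNT(*)
    FROM USER_MANAGERS um
    JOIN USERS u ON u.USER_ID = um.user_id
    WHERE um.manager_id = @manager_id
      AND u.FULL_NAME IN ('Stella Fisher', 'Robert Smith', 'Joseph Huang')) <> 3
BEGIN
    ROLLBACK TRANSACTION
    RAISERROR('Employee names did not resolve to exactly 3 rows; nothing was changed.', 16, 1)
    RETURN
END

COMMIT TRANSACTION

-- 4. Audit: every manager-to-employee visibility grant, by name.
SELECT m.FULL_NAME AS manager_name,
       e.FULL_NAME AS employee_name,
       e.LOGIN_NAME AS employee_login
FROM USER_MANAGERS um
JOIN USERS m ON m.USER_ID = um.manager_id
JOIN USERS e ON e.USER_ID = um.user_id
ORDER BY m.FULL_NAME, e.FULL_NAME

-- 5. Audit: rows whose user_id or manager_id no longer exists in USERS.
SELECT um.user_id, um.manager_id
FROM USER_MANAGERS um
LEFT JOIN USERS e ON e.USER_ID = um.user_id
LEFT JOIN USERS m ON m.USER_ID = um.manager_id
WHERE e.USER_ID IS NULL OR m.USER_ID IS NULL
```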


Give Access to Department Managers


Before you can give access to department level reporting, you must first
populate the USER_MANAGERS table. If you have not done so already, read
Populate the USER_MANAGERS Table, page 142. Populate the table as
appropriate, and then:
1. Select Start > Programs > Websense > Explorer for CPM to access the
Explorer for CPM Administration page.
2. Click Restricted User.
3. Check the Address field in the Web browser. The URL should end with
the text explorer_anon.exe similar to the following example.

4. In the Address field:
   • Highlight webserver or localhost, and then type the IP address of the
     machine where the Explorer for CPM Web server is installed.
   • Highlight _anon.exe, and then type _auth.exe.
5. Provide this URL to the appropriate department managers.


When a manager accesses explorer_auth.exe, she will be able to view
information about employees in her department. She will not be able to access
information about employees in other departments.


Launching Explorer for CPM

Once Explorer for CPM is installed, there are two ways to launch the
program.
• Launch Explorer for CPM From the Start Menu
• Launch Explorer for CPM in a Browser

Explorer for CPM, Default View

Launch Explorer for CPM From the Start Menu


If you have access to the machine where Explorer for CPM software is
installed, you can launch it directly from the Start menu:
1. Select Start > Programs > Websense > Explorer for CPM.
2. The Administration page opens.
3. Determine how you want to access Explorer for CPM:
   • If you want to see all available data, click Unlimited Access.
   • If you want to see only launch data but do not want to see user or
     machine name information, click Restricted Access.
After a brief pause, the Explorer for CPM version you chose opens in the
browser.


Launch Explorer for CPM in a Browser


Most Explorer for CPM users access it through a browser.
1. Open your browser.
2. Type the appropriate URL into the Address field, and then press
<Enter>. The format includes the file designator to which that user has
access. Examples are:
   • https://10.1.1.1/websense/explorer/cm/explorer.exe
   • http://10.1.1.1/websense/explorer/cm/explorer_anon.exe
3. When prompted, enter your user name and password, and identify the
domain.
4. Click OK to open Explorer for CPM.

CHAPTER 9
Troubleshooting
If you encounter problems with Client Policy Manager setup or configuration,
check the topics in this chapter to troubleshoot the problem.
Access to logged data is a critical troubleshooting tool. When Client
Policy Manager encounters an error, log entries appear in the following
locations for the indicated events:
• Server errors log to the Windows Event Viewer.
• Connection errors between the directory services and CPM Server log to
  the Windows Event Viewer. Entries include warnings and actual errors.
• Connection errors between Client Agent and CPM Server appear in the
  server user interface.
• Client Policy Manager user interface errors appear in messages at the user
  interface.

Troubleshooting Server-side Installation


If you encounter problems installing CPM components, the following
information may be of value.
These situations are:
• Are there any installation methods I should avoid?, page 148
• Why am I having problems installing CPM Reporter?, page 148
• Why am I receiving a Failed to Connect to Database error after installing
  CPM Reporter and Explorer for CPM when I use IIS as my Web Server?,
  page 149
• Why isn’t the subscription key recognized?, page 149
• Why isn’t the user interface active in Websense Enterprise Manager after
  installation?, page 149


Are there any installation methods I should avoid?


Websense, Inc. recommends installing Client Policy Manager components
directly at the machine or machines where those components will run. The
files can be on CD or downloaded from
http://ww2.websense.com/global/en/downloads/. If you install Client Policy
Manager from mapped network drives, or from a remote machine, for example,
when using Terminal Services, you may encounter difficulties.

Why am I having problems installing CPM Reporter?


If you are installing CPM Reporter and using IIS as your Web server, the
installation process prompts you for the name of the Web site in the IIS
Manager, under which the installation program should create a virtual
directory. The default value is Default Web Site, which is correct in most
cases.
However, if you renamed the default Web site in the IIS Manager, or are using
a language version of Windows other than English, you must enter a value in
the Web site name field that matches an existing Web site name in the IIS
Manager.
To enter the correct name of your default Web site, if it is different than the
Default Web Site, type or paste the desired Web site name into the input field
exactly as it appears in the IIS Manager. To open the IIS Manager:
1. Go to the Windows Control Panel, and then open Administrative Tools.
2. Double-click Internet Services Manager. The IIS control dialog box
opens.
3. Expand the tree under your machine name to view available Web site
names.
4. Select a Web site from the list in which the installation program should
create the virtual directory.
5. Copy the name to the clipboard, and then close the IIS Manager.
6. Return to the Virtual Directory dialog box in the Client Policy Manager
installation program and replace Default Web Site with the name from
the IIS Manager.
7. Click Next to continue the installation.


Why am I receiving a Failed to Connect to Database error after
installing CPM Reporter and Explorer for CPM when I use IIS as my
Web Server?
If you install CPM Reporter and Explorer for CPM separately from CPM
Server, and are using IIS as your Web Server, you need to have an IIS user
name with administrative privileges before you install CPM Reporter and
Explorer for CPM.

Why isn’t the subscription key recognized?


If you install Client Policy Manager, but are unable to successfully subscribe
to the service, you may have entered the subscription key incorrectly.
1. Select Server > Settings on the Websense Enterprise Manager menu to
access the Settings dialog box. You can also right-click anywhere in the
navigation tree, and then select Settings from the shortcut menu.
2. Select Subscription from the navigation tree to open the Subscription
dialog box.
3. Compare the key you received from Websense, Inc. with the key you
entered in the Subscription key field. The key is not case-sensitive.
If you have been running Client Policy Manager for some time, your
subscription may have expired. Check details in the Information area. If the
date is past, contact Websense, Inc. to renew your subscription.

Why isn’t the user interface active in Websense Enterprise Manager
after installation?
If you have just installed CPM components, and then open Websense
Enterprise Manager, it is possible that the Summary pane is not active, and if
you click any selection in the navigation pane, you will see marketing text
about the CPM product.
If this occurs, it is because the Websense Enterprise Master Database is still
downloading from Websense, Inc. You can view the current status of the
download by selecting Server > Database Download. Status information
includes:
• Downloading: The database is currently being downloaded.
• Loading: The database is being loaded into your SQL Server.
• Idle: There is no database download currently requested, or the download
  is complete.


Troubleshooting Database Issues

If you encounter problems with the Websense Enterprise Master Database,
this section may be of value. If a particular problem is not addressed here,
check the Websense Knowledge Base at
http://www.websense.com/support/knowledgebase/. The Knowledge Base
is updated whenever customers, developers, or other users of Websense
products find and then resolve problems.

Why am I having trouble accessing Websense download sites and
my.websense.com?
If you edit host files and/or routing tables that restrict the URLs a Websense
server can access, make sure you permit the following:
• download.websense.com
• ddsdom.websense.com
• ddsint.websense.com
• portal.websense.com
• http://www.my.websense.com
You must permit these URLs to access Websense Enterprise Master Database
downloads and your Websense subscription data.
Topics in this section are:
• Why can’t I download the Websense Enterprise Master Database or send
  AppCatcher data to Websense?, page 152
• Where can I find error messages when a Websense Enterprise Master
  Database download fails?, page 154
• Why am I receiving an “Unable to connect to database” error message?,
  page 154


Why can’t I download the Websense Enterprise Master Database or
send AppCatcher data to Websense?
The machine running CPM Server must have access to HTTP and must be
able to receive incoming transmissions to download the Websense Enterprise
Master Database or send AppCatcher data to Websense, Inc. for review. You
can verify Internet access by performing the following steps:
1. Check to see if CPM Server is accessing the Internet through a proxy
server. Select Proxy / Authentication in the navigation tree, and check
the information in the Proxy area.
2. Determine what to do next.
   • If proxy information is required, read Proxy Information is
     Required, below.
   • If proxy information is not required, read Proxy Information is Not
     Required, page 153.
   • If authentication is required, read Authentication is Required,
     page 153.
   • If CPM Server sits behind a firewall, read Firewall Restrictions,
     page 153.
   • If your system includes any anti-virus applications, read Anti-virus
     Applications, page 154.

Proxy Information is Required


If your configuration includes a proxy server:
1. From CPM Server, open either Internet Explorer or Netscape.
2. Set the browser to access the Internet with the same proxy settings as
CPM Server.
3. Enter one of the following addresses:
   • http://download.websense.com
   • http://asia.download.websense.com
   • http://europe.download.websense.com
If you reach one of these sites, the Websense logo appears, along with a
message that indicates you are being redirected to the Websense home screen.
This verifies that proxy settings are correct and the CPM Server should have
the appropriate access for downloading the database.


Proxy Information is Not Required


If your configuration does not include a proxy server:
1. From CPM Server, open the Command Prompt dialog box by selecting
Start > Applications > Command Prompt.
2. Use the nslookup command with the address of the download site to
make sure CPM Server can resolve the download location to an IP
address. Your choices are:
   • nslookup download.websense.com
   • nslookup asia.download.websense.com
   • nslookup europe.download.websense.com
3. If this does not return an IP address, you must set up CPM Server so it can
access a DNS server.

Authentication is Required
If CPM Server must access the Internet through an upstream firewall or proxy
server that requires authentication, check the following:
• Check the spelling and capitalization for the user name and password in
  the Proxy/Authentication dialog box.
• Make sure the firewall or proxy is configured to accept clear text or basic
  authentication.

Firewall Restrictions
If your firewall restricts access to the Internet at the time CPM Server calls for
the download, or if the firewall limits the size of files that can be sent via
HTTP, CPM Server cannot receive the download.
• Make the appropriate changes on the firewall, or change the time for the
  download by selecting Settings > Database Download and changing
  values in the Download time fields.

NOTE
If you are running CPM Server behind a Gauntlet firewall,
check FAQs at http://www.websense.com/support/knowledgebase/
for specific information.


Anti-virus Applications
Some anti-virus applications, such as virus scanners or size-limiting
applications, can interfere with database downloads. You need to disable the
restrictions relating to CPM Server and the download location.

Where can I find error messages when a Websense Enterprise Master
Database download fails?
If you have problems downloading the Websense Enterprise Master Database,
you can check the Windows application Event Log for information about the
download or any other error and status messages.
• If you are using a Windows NT system, select Start > Programs >
  Administrative Tools > Event Viewer. Once the Event Viewer opens,
  select Log > Application.
• If you are using a Windows 2000 system, select Start > Programs >
  Administrative Tools > Event Viewer. Once the Event Viewer opens,
  select Application Log.
Use the information available in the log to troubleshoot the download issue.

Why am I receiving an “Unable to connect to database” error message?


If you select Apache 2.x as your Web Server, and use Windows authentication
to connect to the SQL database, you may receive database connection errors.
The Apache service tries to connect to the SQL database as the local system
user. If the SQL database accepts connections only from certain Windows
accounts, configure the Apache service to run as a Windows user who has
privileges to access the database.
For example, if the SQL database allows User1 access, but the Apache
Service accesses the database as User2, an error will occur. In this event,
manually configure Apache to access the database as User1.
To configure Apache:
1. Select Start > Settings > Control Panel > Administrative Tools >
Services to open the Services window.
2. Locate Apache 2.x in the list, and then right-click.
3. Select Properties from the shortcut menu.
4. In the Properties dialog box, click the Log On tab.


5. Click Select this account and enter the same Windows authentication
data that you defined during installation. The user must have privileges to
access the database. Enter:
   • The account
   • The password
   • The password again.
6. Click OK to close the Properties dialog box and save your information.

Troubleshooting Client Agent Installations


If you are experiencing difficulties with Client Agent installation, review the
following troubleshooting topics. If a particular problem is not addressed
here, check the Websense Knowledge Base at
www.websense.com/support/knowledgebase/. The Knowledge Base is
updated whenever customers, developers, or other users of Websense
products find and then resolve problems.

Why does Client Agent deployment fail when Websense Enterprise
Manager is installed on a machine running XP Service Pack 2?
If you install CPM on a machine running XP Service Pack 2, you need to
enable File and Printer sharing. Until you do so, you will be unable to deploy
Client Agent using Client Deployment Service.
Have your system administrator enable File and Printer Sharing services:
1. Go to the Advanced tab of the properties of a connection and click
Settings to launch the new Windows Firewall control panel.
2. Go to the Exceptions tab.
3. Check the File and Printer Sharing box to enable file and printer sharing
services, and then click OK.
XP Firewall settings will no longer block Client Agent, and you can now
deploy clients via the Client Deployment Service.


4. Repeat this procedure to turn on File and Printer Sharing services for each
client machine.

NOTE
Alternately, administrators can use Group Policy Options
to enable File and Print sharing.

Why am I having problems installing Client Agent on a Windows NT
machine where ZoneAlarm has been installed?
Client Agent is unable to run on any Windows NT machine where ZoneAlarm
has been installed. The machine will hang when users log on. To resolve the
problem, remove ZoneAlarm.

Why am I receiving an error message that says “Unable to read registry
keys” when I am trying to deploy Client Agent to a machine running the
XP operating system?
If you have upgraded machines from Windows 2000 to Windows XP SP1 or
earlier, there is a known Microsoft issue that impacts the Client Deployment
Service. This upgrade deletes the LOCAL SERVICE user, which must be
added back. The subregistry path for this key is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
There are two ways to address this issue:
1. Use the Registry Editor:
a. Select Start > Run to access the Run dialog box.
b. Type regedit to open the Registry Editor.
c. Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg.
d. Right-click the winreg folder, and then select Permissions.
e. Select LOCAL SERVICE and give that user Read access.
f. Click OK to close the Permissions dialog box.
g. Close Registry Editor.


2. Use Group Policy to add the user back to the registry. Be sure you give
the user Read access rights.

NOTE
Microsoft Knowledge Base Article 832082 describes the
problem, offers patch and hotfix details, and fully
describes the manual process to fix this issue. The article,
in English, is available at http://support.microsoft.com.

Why is it taking a very long time to deploy Client Agent?


If you are deploying Client Agent over slow LAN lines (ISDN speed or less),
you will encounter difficulties. Websense, Inc. recommends deploying over
LAN lines of 256 MB or greater.

Why am I having problems upgrading from previous versions of Client
Agent to Client Agent v5.5.2?
If you are trying to upgrade Client Agent, and have used lockdowns on your
machines, you will have problems with deployment. To resolve the issue:
1. Select Server > Settings > Client Control.
2. Click Global Client Disable, and respond to any messages before closing
the Settings dialog box.
3. Deploy Client Agent to machines as appropriate. You can use:
   • Deployment Status pane—described in Chapter 5: Deploying Client
     Agent via Websense Enterprise Manager, page 99.
   • Scripts—described in Chapter 6: Deploying Client Agent via Scripts,
     page 113.
4. When deployment is complete, return to the Client Control dialog box.
5. Click Global Client Enable to reset your normal policy.

When do I need to uninstall Client Agent and how do I do it?


Generally, Websense, Inc. does not recommend uninstalling and then
reinstalling Client Agent. The only known situations that force users to
remove and then reinstall Client Agent are when the CPM Server IP address
changes, or when the machine is ghosted.


Uninstall Client Agent at a Single Machine


To uninstall Client Agent at a local client machine:
1. If you have not already done so, create a shared directory for the files
installed, by default, at C:\Program Files\Websense\bin\Client. The
process is described in Preparing to Use Logon Scripts, page 119. You can
also install the necessary files from CD or download them from
http://ww2.websense.com/global/en/downloads/.
2. If your organization uses lockdowns for machines, you need to remove
the lockdown at the machine or machines where you are uninstalling
Client Agent. Information is available in online help when you are in
Websense Enterprise Manager, or in the Websense Enterprise Client
Policy Manager Administrator’s Guide, available from Start >
Programs > Websense Enterprise > Documents.
3. Remove Client Agent using the following script at the local machine:
"\\YourServerName\Client\WsClientDeployTrigger" DeploymentServerName=YourServerName DeploymentServerPort=55372 InstallMode=UNINSTALL

Uninstall Client Agent at Multiple Machines


To uninstall multiple copies of Client Agent, you can create a script for the
process, and then reinstall following the procedure in Chapter 5:
Deploying Client Agent via Websense Enterprise Manager, page 99.
The following script is an example for uninstalling Client Agents. The text
that differs between this and an install script appears in a bold font:
\\192.168.255.255\CAMAgentPack\WsClientDeployTrigger.exe ClientDeployServiceIP=192.168.255.255 ClientDeployServicePort=55372 Mode=uninstall CamServerIP=192.168.255.255 CamServerPort=8081 Silent=yes
: end


Make sure the DeploymentServerName and DeploymentServerPort entries
are specific to your installation.

NOTE
Using Scripts for Unattended Client Agent Install/Uninstall, page 128
describes sample scripts provided by Websense, Inc.

Why am I having trouble uninstalling Websense Client Agent?


If you are having trouble uninstalling Client Agent using the Websense
Enterprise Manager Deployment Status options, and used a master/slave
Client Deployment Service configuration to deploy agents across domains,
you need to make sure the master Client Deployment Service is still installed.
The master/slave relationship was defined when you first installed the Client
Deployment Services:
• The first Client Deployment Service that you installed was automatically
  assigned the status of the master as soon as you installed a second Client
  Deployment Service that CPM Server could communicate with.
• Any subsequent Client Deployment Service that you installed was also
  designated as a slave.
From the time of the initial installation, CPM Server has used the master
Client Deployment Service to communicate with the slave Client Deployment
Service or services. If the master Client Deployment Service has been
uninstalled, you cannot communicate with any slave Client Deployment
Service, and cannot uninstall Client Agent.
To fix the problem, you need to reinstall the master Client Deployment
Service. When this is done, you can uninstall Websense Client Agent using
Websense Enterprise Manager Deployment Status options.
If you decide you do not want to reinstall the master Client Deployment
Service, you can manually uninstall Client Agent using CAMAgentPack
files. These can be accessed from a CD or from a shared machine or drive.

When do employees need to restart their machines?


If you remove or upgrade Client Agent v5.2, employees need to restart their
machines. During upgrades performed manually at the local machine, or via
the Websense Enterprise Manager Deploy Status pane, a message opens at
the machine where Client Agent v5.2 has been upgraded, informing the
employee that she must restart her machine. The employee can choose to
restart immediately or wait to restart.

Why am I having trouble reinstalling Client Agent?


If you encounter difficulties when reinstalling Client Agent, it is possible the
problem started with the uninstall process. If you uninstall Client Agent while
the Windows Service Control Manager (SCM) is open, the uninstall process
may not fully remove Client Agent. If this occurs:
• And you are working in Client Policy Manager, you will see
  “Deployment failed” in the Deployment Status pane. The Windows
  Event Viewer will include the message: “Unable to create/start
  WDC.exe. Install has aborted”.
• And you are reinstalling directly at one machine, you will see an error
  message “Unable to create/start WDC.exe. Install has aborted.”
The problem is a result of a known Microsoft error, documented in Microsoft
Knowledge Base Article #287516.
To fix the problem you must:
1. Restart the machine.
2. Reinstall Client Agent.

Why are employees having problems with machines where Client
Agent 5.x was upgraded to Client Agent 5.5.2?
If you have upgraded from Client Agent v5.2 to Client Agent v5.5, and
employees are having problems at machines where the upgrade occurred, it is
possible that the machines need to be restarted. Applications may fail, or the
machine may not work properly if the restart does not occur.
This occurs because previous socket bindings become invalid when you
upgrade Client Agent. When the employee restarts the machine, the socket
bindings are reset.
To address this issue:
1. Inform employees before they begin that they will need to restart
machines after the upgrade.
2. If employees call and complain about failed applications, problems with
machines, or difficulty accessing networks, ask them to restart the machine.


Troubleshooting and Disaster Recovery


If you lose your CPM Server, you need to rebuild it. Make sure you have the
following information available:
• The IP address of your integration device (PIX, Content Engine, ISA, and
  so forth), if any
• Your SQL (or MSDE) account and password
• Proxy credentials for the nightly database download
• Your subscription license key from Websense Manager > Server >
  Settings > Database Download
• An account with domain administrator privileges to read user accounts
  (User Service)

What CPM files should I back up for recovery?


If the following files are intact at the CPM Server, back them up for recovery:
• C:\Program Files\Websense\websense.ini
• C:\Program Files\Websense\bin\app.db
• C:\Program Files\Websense\bin\config.xml
• C:\Program Files\Websense\bin\CAMserver.ini
• C:\Program Files\Websense\bin\Client\*.*
• C:\Program Files\Websense\bin\DeploymentServer.ini
• C:\Program Files\Websense\bin\websense.ini
• C:\Program Files\Websense\Manager\wsmanager.ini
• C:\Program Files\Websense\webroot\websense.ini
• C:\Program Files\Websense\webroot\Explorer\cm.ini
• C:\Program Files\Websense\webroot\Explorer\database.xml
• C:\Program Files\Websense\webroot\Explorer\database_cam.xml
• C:\Program Files\Websense\webroot\Explorer\websense.ini
• C:\temp\Websense55Setup\*.* (unpacked installation files)


Are there files on the SQL database server I should back up for
recovery?
You will need to back up the following files on the machine where you have
installed your SQL database:
• wscamil: At your SQL Server, use Programs > Microsoft SQL Server
  > Enterprise Manager to detach and copy wscamil. The path in SQL
  Enterprise Manager is Console Root > SQL Server Group > (SQL
  Server name) > Databases > wscamil. For information on detaching and
  copying the wscamil database, read online help for Microsoft SQL Server
  Enterprise Manager.
• .mdf: Any MDF file associated with Websense logging, typically
  named wslogdb50.mdf. These files possibly include a date/time
  stamp in the name. LDF files are not required.

How do I restore CPM after a disaster?


To restore CPM:
1. Install the operating system, IIS, SQL, and then patch to the latest revision.
2. Install the same version of Websense that you backed up.
3. After installation is complete, stop all Websense services.
4. Make backups of the newly installed files. Read What CPM files should I
back up for recovery? and Are there files on the SQL database server I
should back up for recovery? for specifics.
5. Restore the backup files in place of the newly installed files.
6. Start Websense Policy Manager.
7. Start all other Websense services.

APPENDIX A
Technical Support

Websense, Inc. is committed to providing excellent service worldwide. Our
goal is to provide professional assistance in the use of our software wherever
you are located.

Websense Technical Services Support Center


Technical information about Websense Enterprise is available 24 hours a day
on the Internet at: http://ww2.websense.com/global/en/SupportAndKB/.
You will find here the latest release information, Frequently Asked Questions
(FAQ), a Knowledge Base, product documentation, and other information.

Fee-based Support
The Websense 24x7 support contract is available for purchase. For a list of
services, please visit our Web site at:
http://www.websense.com/products/about/24x7/.
For additional information, please contact our Sales Department at
800.723.1166 or 858.320.8000, or send an email to sales@websense.com.

Support Options
Websense Technical Support can be requested 24 hours a day.

Web Portal
You can submit support tickets through the Web Portal 24 hours a day. The
response time during business hours is approximately 4 hours. Response to
after-hours requests will occur the next business day. Support tickets can be
submitted at:
http://ww2.websense.com/global/en/SupportAndKB/CreateRequest/.


Email Questions
You may email your questions to us at the addresses listed below. Make sure
you include your subscription key. This option is available 24 hours a day, 7
days a week. We will respond during business hours Monday through Friday.
• support@websense.com—San Diego, California, USA
• japansupport@websense.com—Japan (Asia)
Email support can take 24 hours or more for a response. If you need a quicker
turnaround, submit your issues through the Web Portal.

NOTE
For technical support in the UK, submit support tickets
through the Web Portal address.

Telephone Assistance
Before you call a Websense Technical Support representative, please be ready
with the following:
• Websense subscription key.
• Access to Websense Enterprise Manager.
• Access to the machine running the Filtering Service, the Websense
  Reporter server, and the database (MSDE or SQL) server.
• Permission to access the Websense log database.
• Familiarity with your network's architecture, or access to a person who
  has this familiarity.
• Specifications of the machines running the Filtering Service and
  Websense Enterprise Manager.
• A list of other applications running on the Filtering Service machine.
For severe problems, additional information may be needed.
Telephone assistance is available during normal business hours Monday
through Friday at the following numbers:
• San Diego, California, USA: 858.458.2940
• London, England: +44 (0) 1932 796244

Improving Documentation
Websense, Inc. understands the value of high quality, accurate documentation.
If you have any suggestions for improving the documentation, contact us at
DocFeedback@websense.com. We appreciate your input.

GLOSSARY
The list below contains words common to the CPM installation process. In
some cases, the CPM installation program or the documentation may use
familiar terms to describe concepts specific to the program, in which cases the
glossary defines these terms in that context.

BROWSER
A browser is a software application used to view Web pages. Examples
include Netscape Navigator and Microsoft Internet Explorer. Explorer for
CPM and CPM Reporter both require access to a browser for report
generation and presentation.

CLIENT
Generally, the term client defines a computer that accesses shared information
from another computer, called a server. In Websense, clients refer to users,
groups, workstations, and networks filtered by Websense.

CPM REPORTER

CPM Reporter provides Web-based reporting that offers more ways to view
application launch data and to schedule reports in advance. Users can also
request inventory reports that provide the best options for software
installation and license management.

CPM SERVER

CPM Server is the Client Policy Manager component that interacts with
Client Agent and the Policy Server to provide software filtering.

DATABASE ENGINE
The database management system used to create and manage a database. In
Explorer for CPM, database engine refers to the SQL Server.

DEPARTMENT LEVEL REPORTING


Provides reports that are viewable only by a department manager. The
function requires modification of SQL tables.

EXPLORER FOR CPM


Explorer is a Web-based reporting tool that allows users to interactively locate
data about employee access to Internet sites and software launches, depending
on the subscriptions to Websense modules their company has.

HTTP (HYPERTEXT TRANSFER PROTOCOL)


The protocol used by the World Wide Web, HTTP defines message formatting
and transmission, and the actions Web servers and browsers should take in
response to various commands.

IP (INTERNET PROTOCOL)
Internet Protocol is the format in which information is transmitted over the
Internet.

IP ADDRESS
An IP address uniquely identifies a computer on a TCP/IP network. An IP
address is a 32-bit numeric address written as four numbers separated by
periods. Each number can be zero to 255. For example, 102.3.5.78 can be an
IP address.

PORT
A port is a numeric value that identifies a logical connection over which two
programs communicate.

SERVER
Websense refers to both hardware and software servers. A hardware server is
a machine that manages network resources. Software servers are programs
that manage network resources. For example, the Policy Server is software
that manages software resources.

TCP/IP
Abbreviation for Transmission Control Protocol/Internet Protocol, the suite
of communications protocols used to connect hosts on the Internet.

USER
In Websense, a user is a predefined name in a Windows NT domain
controller. Users can be added to the Websense Enterprise Manager, and then
assigned to a policy, enabling you to define unique filtering strategies for
individual employees.

WEBSENSE ENTERPRISE MASTER DATABASE

The Websense Enterprise Master Database contains a list of executables
assigned to categories. Client Policy Manager contacts the Websense server
via the Internet to receive the current database according to the schedule you
establish in Websense Enterprise Manager.

WORKSTATION
Websense defines a workstation as a computer from which users access
software. Workstations, identified by their IP address, can be added to Client
Policy Manager, and then assigned to a policy, enabling you to define unique
control strategies for individual computers.
