4 Websense Enterprise
Contents
CHAPTER 1
Introduction
Thank you for choosing Websense Enterprise® Client Policy Manager™
(CPM) to monitor software and hardware, and control software at machines in
your network. Client Policy Manager components allow you to set controls,
monitor installations and launches, and create reports to show operational
details.
Before you can take advantage of the security that Websense, Inc. provides for
your desktops, you must:
1. Plan how you want to distribute components
2. Gather information necessary for installation
3. Properly install CPM components
4. Enter subscription data
5. Deploy Client Agent
The Client Policy Manager Installation Guide provides useful information for
determining which approach is suitable for your environment, in addition to
installation procedures.
NOTE
CPM operates only on TCP/IP-based networks. If your
network uses both TCP/IP and non-TCP protocols, CPM
filters only those users on the TCP/IP portion of your
network.
Shared Websense components are necessary for CPM operations, and may be
installed with Websense Internet Filtering or CPM. The modules may share
components or may use them in standalone mode. Shared components can
reduce the overhead required for system and machine operations, and can be
distributed across your network.
Policy Server
The Policy Server stores Websense configuration information. Policy Server
communicates this data to the CPM Server, which then passes the information
to the Client Agent. If your network is in the enterprise category (10,000+
users), you may want to install and run multiple Policy Servers.
User Service
The User Service communicates with your organization’s directory service to
convey user-related information to Policy Server and CPM Server, for use in
identifying machines and applying the CPM policy. This information includes
user-to-group and user-to-domain relationships. User Service provides the list
of objects residing in your directory service to Websense Enterprise Manager.
User Service configuration first occurs during installation, while other options
are set in Websense Enterprise Manager. There must be one instance of User
Service for each Policy Server in your network.
The first time you start Websense Enterprise Manager, the navigation tree is
empty. Once you add servers, these appear when you open Websense
Enterprise Manager and click the Desktop tab. When you connect to a server,
the navigation tree changes to show selections for that server.
CPM Components
CPM Server
CPM Server processes are responsible for handling communications with
client machines, sending CPM inventory requests, downloading CPM rules
and database information to machines running Client Agent, and more.
CPM Server calls the User Service, one of the shared Websense Enterprise
components, for most directory service information. The User Service
identifies directory objects in the network, which are individual users, user
groups, domains, and machines identified by machine names.
For CPM Server and Client Agent communications, authentication is set
using a unique, encrypted passkey. During installation, you enter a passkey of
your choice. This, and internal passkeys in CPM, are combined and then
encrypted to provide a highly secure recognition code that authenticates the
communications, thus protecting data. Authentication is used by both CPM
Server and Client Agent.
You can also encrypt the actual communications between CPM Server and
Client Agent, based on the security level you want. You can accept the default
communication mode which uses clear text, or select communications using
Secure Socket Layers (SSL) technology. SSL protocol encrypts data before
transmitting information over the network.
If you use CPM Deployment Service to deploy Client Agent via scripts or
third-party tools, the CPM Deployment Service does not communicate with
CPM Server. This is because the script or third-party software provides CPM
Deployment Service with the necessary instructions.
Once Client Agent is installed, it then sends information directly to CPM
Server, and communications between CPM Deployment Service and Client
Agent stop.
Client Agent
Client Agent resides on desktops, laptops, and/or servers in the CPM network,
and communicates with the CPM Server as long as connections are available.
Machines are considered connected when Client Agent can communicate with
CPM Server, regardless of the method. Methods may include local LAN,
VPN, and so forth.
When you first install Client Agent on a machine, it registers with CPM
Server, and begins downloading the CPM policy. When the download is
complete, Client Agent checks the policy, which it uses to control launch and
port access requests, and to determine data logging requirements.
NOTE
While technically the Websense databases are SQL tables,
it is easier to define them as databases, since the
information they contain is specific to each.
CPM Databases
Client Policy Manager uses two databases that are saved to SQL Server, and
one which resides at CPM Server:
Websense Enterprise Master Database is a proprietary and encrypted
database which Websense, Inc. creates and maintains. The database
identifies executables, applications, and port information and stores
category and risk class details. This database is maintained at CPM
Server. Read Websense Enterprise Master Database, page 20.
CPM Inventory Database contains information collected during
machine inventories. The database contains information about software
and hardware that physically resides at machines that run Client Agent.
Information is maintained in the SQL database. Read CPM Inventory
Database, page 20.
CPM Log Database contains CPM information collected when
employees request launches. The database records date, time, user,
machine name or IP address, and tracks category and risk class data as
well. Information is maintained in the SQL database. Read CPM Log
Database, page 20.
Publisher, if known
Category
User name
Client Agent IP address
Action (Permit, Block, Continue)
Port access attempt, if any
Date and time of response
CPM Reporter and Explorer for CPM use this information to generate
detailed reports.
CPM Reporter
CPM Reporter provides reports about desktop inventory, the results of launch
requests and network access attempts. The application uses information
collected by Client Agent and stored in the CPM Log database.
CPM Reporter provides on-demand and scheduled reports. Reports are
available in a browser, can be sent via email, or can be posted to an FTP
server.
System Requirements
Before installing Client Policy Manager components, make sure that
machines meet system requirements. You need to know in advance where
your CPM Server, Policy Server, SQL Server, CPM Deployment Server, and
CPM Reporter Scheduler/Explorer for CPM will be installed, and which
machines will support Client Agent.
For most configurations, one machine with the minimum CPM Server
requirements and an installation of the SQL Server is powerful enough to
handle all but the largest CPM installations. If you have questions, please
contact Websense Technical Support.
IMPORTANT
For distribution of components in various corporate
environments, read Distributing CPM Components,
page 33 before installing CPM.
CPM Server
CPM Server can support up to 20,000 desktops, if the server machine has
enough memory, speed and power. CPM Server does not require a dedicated
server, unless the machine is unable to handle functions imposed by Websense
modules. You can contact Websense or any Websense channel partner to
properly design your system for your environment.
Your CPM Server must run one of the following operating systems:
Microsoft Windows 2000 Server, with Service Pack 3 or higher
Microsoft Windows 2003 Server
Other CPM Server requirements include the following minimums:
Processor: 800 MHz Pentium III class or higher
Disk Space: 65 MB for Client Policy Manager installation, 120 MB for Microsoft SQL Server
Memory: 512 MB RAM or more
NOTE
To support client machines that are not preloaded with
WMI, Websense, Inc. includes the API in the Websense
Enterprise Setup. If you use Websense Enterprise Manager
or scripts that call CPM Deployment Service, WMI installs
automatically. For local installation, you must manually
install WMI. Installing Client Agent Locally, page 136,
documents the process.
NOTE
Install CPM components, and enter subscription data
before deploying agents. If you do not, you may encounter
difficulties communicating with Client Agent.
This service:
Supports mass deployment to numerous machines from Websense
Enterprise Manager’s Deployment Status pane.
Populates Websense Enterprise Manager deployment functions, and
provides installation progress information in the Deployment Status
pane. For details, read Chapter 5: Deploying Client Agent via Websense
Enterprise Manager, page 99.
Facilitates Client Agent installation for users who do not have local
administrator rights to their computers.
Requirements for using the CPM Deployment Service and scripts or
third-party tools include the following:
A copy of CPM Deployment Service must be installed. Generally, this
is installed when you first install Websense CPM. You can also install it
separately. For information, read Installing CPM Server, page 41.
If you are using logon scripts, you must develop the scripts to pass the
appropriate CPM Deployment Service machine name or IP address to
WSClientDeployTrigger.exe. For more information, read
Deploying Client Agent via Scripts, page 113.
You must assign rights for the CPM Deployment Service as an account
that runs as a user with domain administration privileges. This must be set
for any domain and machine where Client Agent will be deployed.
You must configure firewalls to allow communication between the
machine running CPM Deployment Service and the machines where you
want to deploy Client Agent.
You must ensure that any personal firewalls residing on client machines
do not block traffic between Client Agent and CPM Server. For example,
settings for a personal firewall could block HTTP, which would then
block communications between the client machine and CPM Server.
Client Agent
You must install Client Agent on machines you want to inventory, control,
and/or monitor. Client Agent is responsible for processing inventory at the
machine where it is installed, for applying CPM policies, and for all
communications with CPM Server.
WARNING
Do not install Client Agent on:
Machines running Windows 2000, Service Pack 2 or
earlier. The installation will fail.
Machines where you installed CPM Server or CPM
Reporter. Installation may cause software conflicts.
Machines running Windows NT where ZoneAlarm is
installed.
To learn more about installing the Language Pack and how it supports foreign
languages, refer to the release notes and installation guide for the Websense
Enterprise Language Pack.
Bandwidth Requirements
Before CPM installation, you need to be aware of the bandwidth requirements
for Client Agent deployment. The table below shows the number of Client
Agent deployments that are supported, given the percentage of total
bandwidth used.
256 Kbps 10 20 30 40 50 60 70 80 90
1.5 Mbps 60 120 180 240 300 360 420 480 540
10 Mbps 400 800 1,200 1,600 2,000 2,400 2,800 3,200 3,600
50 Mbps 2,000 4,000 6,000 8,000 10,000 12,000 14,000 16,000 18,000
100 Mbps 4,000 8,000 12,000 16,000 20,000 24,000 28,000 32,000 36,000
1 Gbps 40,000 80,000 120,000 160,000 200,000 240,000 280,000 320,000 360,000
Anti Virus
Network Associates McAfee Anti Virus 4.x, 7.0
Norton/Symantec Anti Virus Corporate Edition 7.6, 8.1
Trend Micro Office Scan 5.0, 5.58
Computer Associates eTrust Anti Virus 6.0, 7.x
eTrust Anti Virus 6.0, 7.x
Sophos Anti Virus
Panda Business Secure
F-Secure Anti Virus 5.42
Norman Data Defense 5.7.0
Personal Firewalls
Zone Labs
Sygate
Symantec
Network Associates
Black Ice
EZ Armor
CPM may work with other anti-virus software and/or personal firewalls. If
you are running anti-virus software and/or firewalls that are not in this list,
check the Websense Knowledge Base at
www.websense.com/support/knowledgebase/ for the most recent information.
NOTE
If, for some reason, you do not want to use authentication
for your CPM installation, contact Websense Technical
Support for assistance. Phone numbers and email
addresses are listed in Technical Support, page 163.
This encrypted key is eventually sent to the Client Agent when it is deployed
to workstations in your network. The method used to send the encrypted key
to the Client Agent varies with the deployment method.
If you use Websense Enterprise Manager to deploy Client Agent, the
authentication key is automatically sent to the Client Agent.
If you use scripts and the CPM Deployment Service to deploy Client
Agent, the authentication key is automatically sent to the Client Agent.
If you install Client Agent locally, you must provide either your pass
phrase or the encrypted key. You can locate the encrypted key in the
CAMServer.ini file. By default, the file is at
C:\Program Files\Websense\bin.
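Because local installation accepts the encrypted key in place of the pass phrase, it is worth checking who can read the file that stores it. The following PowerShell check is an added example, not part of the Websense guide or product; the set of groups it treats as too broad is an assumption, and it presumes PowerShell 3.0 or later is available on the CPM Server machine.

```powershell
# Added example (not Websense code): report broad groups that can read the
# file holding the encrypted CPM authentication key.
param(
    # Default location given in this guide; change it if Websense was
    # installed elsewhere.
    [string]$Path = 'C:\Program Files\Websense\bin\CAMServer.ini'
)

# Well-known SIDs for broad groups. Treating read access by these groups as a
# finding is an assumption of this example, not a Websense requirement.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

function Get-BroadReadAccess {
    param([Parameter(Mandatory = $true)][string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        throw "File not found: $FilePath"
    }

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $acl      = Get-Acl -LiteralPath $FilePath

    # Request SIDs rather than account names so the match also works on
    # localized Windows installations. Explicit and inherited rules are both
    # included, because a permissive parent folder is the usual cause.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value

        # Only Allow entries are reported. A Deny entry elsewhere in the ACL
        # may still block access, so treat each result as a lead to review.
        if ($rule.AccessControlType -ne 'Allow')               { continue }
        if (-not $BroadSids.ContainsKey($sid))                 { continue }
        if (([int]$rule.FileSystemRights -band $readData) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $FilePath
            Principal = $BroadSids[$sid]
            Sid       = $sid
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

$findings = @(Get-BroadReadAccess -FilePath $Path)

if ($findings.Count -eq 0) {
    Write-Output "No broad group has read access to $Path"
    exit 0
}

# A non-zero exit code lets a scheduled task or monitoring job flag the host.
$findings | Format-Table -AutoSize | Out-String | Write-Output
exit 1
```

Rows marked as inherited point at the permissions of the containing folder rather than the file itself.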
The CPM Server port (DTMServerPort) is set to 80. If you use IIS as
your Web Server, you will be prompted to change this value during
installation, as IIS uses port 80 by design.
The Logging port (LogServerPort) is Port 55805.
CHAPTER 2
Distributing CPM Components
Websense Setup provides the tools necessary to install Client Policy Manager
and Client Agent on desktops, laptops, and servers in your network. You can
deploy components to various machines, modify and repair components, or
remove them completely using the installation program.
When installing Websense CPM, you may:
Install all components on one machine. You can run Websense Setup once
and install all components during the same operation.
Distribute components between machines. You will run
Websense Setup at each machine and select the component or
components you want to install.
How you install shared Websense Enterprise components depends on how
you are setting up your system:
If you have not installed any Websense product before, and you want to
install shared Websense Enterprise components on a different machine or
install them across multiple machines, you can use the CPM installation
program.
If you have installed Websense Web filtering components already, you
can use the same shared Websense Enterprise components for the CPM
components.
This flexibility allows you to set up Websense to maximize machine
capability, reduce the load for a single machine, or consolidate installation and
maintenance procedures.
IMPORTANT
With the exception of Client Agent, you cannot have
multiple copies of any component that point to the same
CPM Server or Policy Server. For example, you can install
only one instance of CPM Reporter for each CPM Server
and Policy Server.
Small Environments
By definition, a small environment is an organization with between 1 and 500
client machines. The recommended setup is:
Dedicated machine to run CPM Server and Microsoft SQL Server
All CPM components on that same machine, which is, at a minimum, an
800 MHz Pentium III with 512 MB RAM
If you have the available resources, use a separate machine for your SQL
Server installation. While this is not mandatory for a small environment, it
improves processing for both CPM management and reporting options. If you
are going to split the installation, consider putting CPM Reporter and
Explorer for CPM on the SQL Server machine.
Medium Environments
By definition, a medium environment is an organization with between 500
and 2,500 client machines. The recommended setup is:
Dedicated machine to run Microsoft SQL Server, CPM Reporter, and
Explorer for CPM
Dedicated machine to run CPM Server
Machines, at a minimum, are 1 GHz Pentium III with 1 GB RAM
Large Environments
By definition, a large environment is an organization with between 2,500 and
10,000 employees. The recommended setup is:
Dedicated machine running CPM Server and shared components
Dedicated machine running Microsoft SQL Server, CPM Reporter, and
Explorer for CPM
Machines are, at a minimum, 1.7 GHz Pentium IV with 2 GB RAM
The suggested component distribution for large environments is shown in the
diagram for medium environments. The difference is the available RAM and
processor speed at the machines where installation occurs.
Enterprise Environments
By definition, an enterprise environment is an organization with over 10,000
employees. The recommended setup is:
Dedicated machine running CPM Server and shared components on a
1.7 GHz Pentium IV with 1 GB RAM or higher
Dedicated machine running Microsoft SQL Server, CPM Reporter, and
Explorer for CPM on a 1.7 GHz Pentium IV with 2 GB RAM or higher
The suggested component distribution for enterprise environments is shown
in the diagram for medium environments on page 35. The difference is the
available RAM and processor speed at the machines where installation
occurs.
Shared Environments
Shared Websense components may be installed with either the Websense
Enterprise Web filtering module or the CPM module. When you install CPM
components, you may connect to previously installed components or install
them in standalone mode.
You can install CPM and point towards shared components that are already
installed for the Websense Web filtering module. These shared components
are Websense Enterprise Manager, Policy Server, and User Service.
How you deploy the remaining components depends upon the size of your
environment and the potential load on your servers. For example, in a small
environment, you may decide to share the common Websense components,
and then install the CPM components on one machine.
WARNING
Websense, Inc. recommends that you do not install CPM
components on machines where you have installed the
Websense Enterprise Web filtering module. If you do so,
you run the risk of impacting both Web filtering and CPM
functions, due to the potential impact on the services
necessary to run the modules.
WARNING
If you are installing CPM in a standalone mode across
multiple machines, you must install Websense Enterprise
Manager, Policy Server, and User Service before installing
CPM-specific components. Generally, these “shared”
components are installed on one machine, with the
CPM-specific components installed at one or two other
machines.
Be sure to note the IP address or machine name where you
install the shared components. Also note the port you have
assigned. You will need this data when you install CPM
components on the other machines.
NOTE
As you install CPM components, you will be asked to
identify the machine where you installed the “shared”
components. Be ready to enter the IP address or machine
name where you installed Policy Server, and the port the
server is using.
CHAPTER 3
Installing CPM Server
Installing Client Policy Manager requires some advance planning on your part
to make the process as easy as possible. You must decide how you are going
to deploy CPM based on the size of your network and the presence of
Websense Web filtering components. Three basic installation scenarios are:
CPM installed on a single machine.
CPM installed on multiple machines.
CPM installed in an environment where processes are shared with the
Websense Enterprise Web filtering module.
Each step cross-references detailed information.
Using Websense Enterprise Setup, page 49, documents each of the possible
dialog boxes you may encounter during installation, and identifies the
component causing the dialog box to appear. The information is presented in
roughly the same order you will see if you install CPM on one machine.
Summaries are also provided for repairs and upgrades for each of the installation
types. Like the summaries for installation, the repair and upgrade summaries
provide cross references to the appropriate documentation where applicable.
Websense, Inc. recommends that you install the CPM module and
components directly at the local machine, via CD or download. You may
encounter problems if you use Windows Terminal Service or a shared
drive.
If you are installing CPM in a standalone mode across multiple machines,
you must install Websense Enterprise Manager, Policy Server, and User
Service before installing CPM-specific components. Generally, these
shared components are installed on one machine, with the CPM-specific
components installed at one or two other machines.
If you are installing CPM components on machines running the Windows
XP, Service Pack 2 operating system, you must enable File and Print
Sharing, and must set WDC.exe as an exception in the firewall. For
details, read Completing Setup for Windows XP, Service Pack 2, page 86.
If you want to install Client Agent on more than one domain, you must
install one copy of CPM Deployment Service in each domain.
The CPM installer finds only one Web Browser at the machine. If this
occurs, the installer automatically configures that Web Browser.
If you do not have a Web server, you can install Apache, which is
available as a courtesy from Websense, Inc.
8. Configure the database and define access. Read Identifying the Database,
page 67.
9. Set domain access. Read Identifying Domain Access for CPM
Deployment Service, page 73, which describes how to define access for the
CPM Deployment Service. This access is needed to install Client Agent via
Websense Enterprise Manager or via scripts.
10. Set the communication port. Read Identifying the CPM Server
Communication Port, page 75.
11. If you are installing CPM Deployment Service, enter a pass phrase to
create an authentication key for communications between CPM Server
and Client Agent. Read Identifying an Encryption Pass Phrase, page 77.
12. If you are using Apache as your Web server, identify access roles for
Explorer for CPM. Read Identifying Access for Explorer for CPM
when Using Apache, page 81.
13. Decide where you want to install Websense files. Read Identifying the
Websense File Location, page 78. By default, the location is
C:\Program Files\Websense.
14. Make sure the components you selected are, in fact, the ones you want to
install. Read Restarting Apache, page 84.
15. If you are using Apache, and the Web server is currently running, you
may be asked to restart it. Read Restarting Apache, page 84.
16. Finish the installation. Read Completing CPM Installation, page 84.
17. If you installed CPM on a machine running Windows XP, Service Pack 2,
you must enable File and Print Sharing, and must enter WDC.exe as an
exception in the Windows firewall. Read Completing Setup for Windows
XP, Service Pack 2, page 86.
18. Configure CPM using Websense Enterprise Manager. Read Configuring
Initial Settings, page 87.
19. If you are using IIS as your Web server, you will need to configure
access for Explorer for CPM. Read Setting User Access for Microsoft
IIS, page 141.
If you do not have a Web server, you can install Apache, which is
available as a courtesy from Websense, Inc.
WARNING
If you install CPM Reporter and Explorer for CPM
separately from CPM Server, and are using IIS as your
Web Server, you need to have an IIS user name with
administrative privileges before you install CPM Reporter
and Explorer for CPM.
8. Point components to the Policy Server. Read Selecting a Web Server for
Reporting Tools, page 62. This dialog box appears on machines where
you are installing only CPM components. If you are installing Policy
Server on the machine, this dialog box does not appear.
NOTE
From this point forward, you may not see some of the dialog
boxes described, as they are included only if you have
chosen the related components for installation in Step 5.
9. Configure the database and define access. Read Identifying the Database,
page 67.
10. Set domain access. Read Identifying Domain Access for CPM
Deployment Service, page 73, which describes how to define access for the
CPM Deployment Service. This access is needed to install Client Agent via
Websense Enterprise Manager or via scripts.
11. If you are installing CPM Deployment Service, enter a pass phrase to
create an authentication key for communications between CPM Server
and Client Agent. Read Identifying an Encryption Pass Phrase, page 77.
12. Set the communication port. Read Identifying the CPM Server
Communication Port, page 75.
13. If you are using Apache as your Web server, identify access roles for
Explorer for CPM. Read Identifying Access for Explorer for CPM
when Using Apache, page 81.
14. Decide where you want to install Websense files. Read Identifying the
Websense File Location, page 78. By default, the location is
C:\Program Files\Websense.
15. Make sure the components you selected are, in fact, the ones you want to
install. Read Restarting Apache, page 84.
16. If you are using Apache, and the Web server is currently running, you
may be asked to restart it. Read Restarting Apache, page 84.
17. Finish the installation. Read Completing CPM Installation, page 84.
18. If you installed CPM components on machines running Windows XP,
Service Pack 2, you must enable File and Print Sharing, and must enter
WDC.exe as an exception in the Windows firewall. Read Completing
Setup for Windows XP, Service Pack 2, page 86.
19. Configure CPM using Websense Enterprise Manager. Read Configuring
Initial Settings, page 87.
20. If you are using IIS as your Web server, you will need to configure access
for Explorer for CPM at the machine where you installed the CPM
reporting tools. Read Setting User Access for Microsoft IIS, page 141.
6. If you are installing CPM Reporter and Explorer for CPM on the
machine, and the installation process does not detect a Web server, or
detects two Web servers, you will be asked to configure a Web server.
Read Selecting a Web Server for Reporting Tools, page 62. This page does
not appear if:
You have already installed a Websense Web-based reporting tool,
such as Real-Time Analyzer.
The CPM installer finds only one Web server at the machine. If this
occurs, the installer automatically points to that Web server.
If you do not have a Web server, you can install Apache, which is
available as a courtesy from Websense, Inc.
WARNING
If you install CPM Reporter and Explorer for CPM
separately from CPM Server, and are using IIS as your
Web Server, you need to have an IIS user name with
administrative privileges before you install CPM Reporter
and Explorer for CPM.
NOTE
From this point forward, you may not see some of the dialog
boxes described, as they are included only if you have
chosen the related components for installation in Step 5.
8. Configure the database and define access. Read Identifying the Database,
page 67.
9. Set domain access. Read Identifying Domain Access for CPM
Deployment Service, page 73, which describes how to define access for the
CPM Deployment Service. This access is needed to install Client Agent via
Websense Enterprise Manager or via scripts.
10. If you are installing CPM Deployment Service, enter a pass phrase to
create an authentication key for communications between CPM Server
and Client Agent. Read Identifying an Encryption Pass Phrase, page 77.
11. Set the communication port. Read Identifying the CPM Server
Communication Port, page 75.
12. If you are using Apache as your Web server, identify access roles for
Explorer for CPM. Read Identifying Access for Explorer for CPM
when Using Apache, page 81.
13. Decide where you want to install Websense files. Read Identifying the
Websense File Location, page 78. By default, the location is
C:\Program Files\Websense.
14. Make sure the components you selected are the ones you want to install.
Read Restarting Apache, page 84.
15. If you are using Apache, and the Web server is currently running, you
may be asked to restart it. Read Restarting Apache, page 84.
16. Finish the installation. Read Completing CPM Installation, page 84.
17. If you installed CPM components on machines running Windows XP,
Service Pack 2, you must enable File and Print Sharing, and must enter
WDC.exe as an exception in the Windows firewall. Read Completing
Setup for Windows XP, Service Pack 2, page 86.
18. Configure CPM using Websense Enterprise Manager. Read Configuring
Initial Settings, page 87.
19. If you are using IIS as your Web server, you will need to configure access
for Explorer for CPM at the machine where you installed the CPM
reporting tools. Read Setting User Access for Microsoft IIS, page 141.
The Websense Enterprise Setup provides smart installation for all possible
CPM environments. Depending on your selections during installation, the
installer identifies information you need to provide, and then leads you
through the process using the appropriate dialog boxes.
WARNING
If you have not yet planned CPM component distribution,
you need to do so before proceeding further. If you make
changes to component distribution after the initial
installation, you may need to fully reinstall all components
to successfully make changes.
If you need more information regarding the installation processes and the
details you need to identify in advance, read the following sections for the
distribution approach that best identifies your environment:
Small environments (fewer than 500 client machines)
Small Environments, page 34
Installing CPM on a Single Machine, page 42
Medium environments (between 500 and 2,500 client machines)
Medium Environments, page 35
Installing CPM on Multiple Machines, page 44
Large environments (between 2,500 and 10,000 client machines)
Large Environments, page 36
Installing CPM on Multiple Machines, page 44
Enterprise environments (more than 10,000 client machines)
Enterprise Environments, page 36
Installing CPM on Multiple Machines, page 44
Shared environments (any environment where both Websense Enterprise
Web filtering and CPM are installed, and share Websense Enterprise
Manager, Policy Server, and User Service)
Shared Environments, page 36
Installing CPM in a Shared Environment, page 46
NOTE
Websense, Inc. recommends that you install the CPM
module and components directly at the local machine, via
CD or download. You may encounter problems if you use
Windows Terminal Service or a shared drive.
NOTE
Websense Setup provides links for installing Websense
Enterprise v5.5 Web filtering and Websense Enterprise
Reporting for Web filtering, in addition to CPM.
Do not install Websense Enterprise Reporting unless you
are also installing the Web filtering module. There are two
reporting tools that are specific to CPM, which are
installed during the CPM installation process.
If you decide to evaluate Websense Enterprise Web
filtering, install components on separate machines for the
best performance. Documentation is available at
www.websense.com/support/documentation.
You are now ready to select the CPM components you want to install.
Selecting Components
There are several ways you can distribute Websense components, most of
which require advance planning. You can install CPM components at one
machine or across several machines. If you subscribe to both CPM and the
Websense Enterprise Web filtering module, you can share Websense
Enterprise Manager, Policy Server, and User Service between the two
modules.
These flexible options allow you to adjust the installation to meet your needs.
If you are not sure what distribution option is appropriate in your
environment, review Chapter 2: Distributing CPM Components, page 33.
To select components:
1. When the setup screen appears, select the installation method that best
suits your environment, and then click Next. Your options are:
Typical. Select this option if you are installing all CPM components
on one machine. This is the best choice for environments with fewer
than 500 client machines. Move to Identifying the Database, page 67.
Custom. Select this option if you are distributing components to
more than one machine or if you are sharing components with the
Websense Enterprise Web filtering module. Move to Step 2.
Setup Selection
2. If you chose Custom, the Component Selection dialog box opens, listing
all components for CPM. Select one, many, or all of the components, in
any combination, and then click Next.
Component Selection
WARNING
If you are distributing CPM components across
multiple machines, you must install the shared
components first. For specific installation
instructions, read Installing CPM Components on
Multiple Machines, page 57.
NOTE
If you want to install Client Agent on more than one
domain, you must install one copy of CPM Deployment
Service in each domain. For details, read Chapter 5:
Deploying Client Agent via Websense Enterprise Manager,
page 99.
NOTE
If your environment includes more than one domain, you
must install CPM Deployment Service on each domain.
Selecting an Interface
If the installation machine has multiple network interface cards (NICs), Setup
displays a list of all NICs enabled on the machine. Select the interface you
want CPM to use for internal communication, and then click Next.
Company Information
Customer Information
IMPORTANT
Write down your subscription key. If you are forced to exit
the installer for any reason before completing the
installation, you can run Setup again and download the
Master Database with this key.
I do not wish to use a key at this time: Select this option to continue
with the installation without entering a key or requesting an
evaluation key. You can apply for an evaluation key at any time from
http://www.websense.com/keyrequest.
NOTE
If you do not install CPM Reporter/Explorer for CPM, you
will not be able to view or schedule reports.
Install Apache Web Server now. If you select the Apache Web Server
installation option, the Websense installer starts the Apache installer and
exits without installing any CPM components. You must restart your
computer after installing the Apache Web Server and run the Websense
installer again to install CPM.
NOTE
Apache Web Server documentation is installed in HTML
format in the docs/manual/ directory. The latest version
can be found at: http://httpd.apache.org/docs-2.0/
If you have renamed the default Web site in the IIS Manager or are using a
language version of Windows other than English, select the proper Web site
from the names in the drop-down list, and then click Next to continue.
In most installations, you will next be asked to identify the Microsoft SQL
database that you will use to store CPM data.
NOTE
The Microsoft SQL database must be installed and
accessible before you install CPM. If Setup cannot access
the database, the CPM installation will fail.
Database Access
Setup displays a dialog box asking you how you want to access the database.
Your options are:
Windows Trusted connection
SQL database account
NOTE
The installation process checks your entries and may take a
short time to resolve details. If any information in the
Windows Trusted Connection dialog box is entered
incorrectly, a message appears informing you that
Websense was unable to validate your information. If this
occurs, click Back and then enter the correct data.
NOTE
Websense, Inc. recommends using SQL authentication if
you choose Apache as your Web server for CPM Reporter.
If you choose the Windows trusted connection, you may
encounter difficulties.
Database Location
1. Enter the IP address or machine name that identifies where the SQL
database engine is installed, and then click Next to continue.
Setup displays the Database Access Account dialog box.
NOTE
The installation process checks your entries and may take a
short time to resolve details. If any information in the
Database Access Account dialog box is entered
incorrectly, a message appears informing you that
Websense was unable to validate your information. If this
occurs, click Back and then enter the correct data.
If you are installing the CPM Deployment Service on the same machine, you
will next identify administrator account access.
If you receive warnings about your port selection, you need to select another
port that does not have default assignments for CPM Server/Client Agent
communications. If you need to use a port that is not the default selection, you
may have to perform additional configuration of your internal network to
ensure connectivity.
In the CPM Server Communication Port dialog box, change the default
value to another port which CPM Server will use for communications to and
from Client Server. The accepted range of port numbers is between 10 and
65535.
Next, you must identify a pass phrase that is used to generate an authentication
key for communications between CPM Server and Client Agent.
You are now ready to identify the directory where you want to install
Websense files.
NOTE
If you forget your pass phrase, you can check the
CAMServer.ini file to find the encrypted key. By
default, the file is at C:\Program Files\Websense\bin.
Installation Path
Click Browse if you want to use Windows Explorer to search for and then
select the directory where you want to install CPM files.
2. Click Next.
The installer compares the system requirements for the installation you
have selected with the resources of the installation machine. If the
machine has inadequate disk space or memory for optimal performance,
separate warnings are displayed.
If the installation machine has insufficient disk space, the selected
components cannot be installed, and the installer will quit.
If the installation machine has less than the recommended amount of
memory, the installation can continue. To ensure the best performance
of the components you are installing, you should upgrade your
machine’s memory to the recommended minimum.
Installation Summary
NOTE
If you are installing CPM Reporter and Explorer for CPM,
and using IIS as the Web server, you still need to configure
user access. The process is completed after you have
installed CPM. For details, read Setting User Access for
Microsoft IIS, page 141.
HR User Identification
NOTE
If you do not want to enable the HR User access level,
leave all fields blank and then click Next.
Once you have identified the HR User role, you should distribute the
following to users who are being given this access level:
IP address and instance name for Explorer for CPM
User name
Password
Any number of staff members can be given this access.
You are now ready to identify the Restricted User access level.
NOTE
If you do not want to enable the Restricted User access
level, leave all fields blank and then click Next.
Once you have identified the Restricted User role, you should distribute the
following to users who are being given this access level:
The IP address and instance name for Explorer for CPM
The user name
The password
Any number of staff members can be given this access.
Restarting Apache
If you are using Apache as your Web server, and are installing CPM Reporter
and Explorer for CPM, you will receive a message about restarting Apache.
You can restart Apache during the installation process, or restart it later. Your
selection does not impact the installation process itself.
If you get the Restart Apache Web Server dialog box:
1. Decide how you want to proceed:
Select Yes, stop and restart the Apache Web Server if you want
this activity to occur now.
If you choose this option, there will be a brief pause after you click
Next, during which time, Apache is stopped and then restarted.
Select No, I will manually restart later if you do not want to take
the time to restart the Apache Web Server at this time.
2. Click Next.
You are nearly done with your CPM installation.
In most installations, you are now ready to perform the initial configuration
required to activate CPM. However, if you are installing on Windows XP
Service Pack 2, you must change certain settings in the operating system
before CPM can work.
3. Click the Exceptions tab, if necessary, and then click Add Program.
4. Browse to the location of WDC.exe and select it. By default, the location
is C:\Program Files\Websense\WDC\WDC.exe.
To configure the Windows Firewall using Group Policy, see Deploying
Windows Firewall Settings for Microsoft Windows XP with Service Pack 2,
available at
http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&displaylang=en.
WARNING
If you have installed CPM on multiple machines, you must
upgrade shared Websense Enterprise components before
you upgrade CPM components. The shared components
are Websense Enterprise Manager, Policy Server, and User
Service. If you do not upgrade the shared components first,
CPM will not work.
7. The Repair dialog box states that existing components will be reinstalled
and asks if you want to proceed.
If you want to continue, select Yes, and then click Next.
If you do not want to continue, select No, and then click Next.
The Stopping Services dialog box opens.
8. The Stopping Services dialog box shows the services that are currently
running, and states that the services will be stopped if you continue.
Click Next to continue.
Messages appear briefly as the various services stop. When all services
are stopped, the next appropriate dialog box, based on your existing
installation, opens.
9. Follow onscreen prompts, complete any needed entries, and click Next to
move to the next appropriate screen. If you need assistance for a
particular dialog box, check subheadings in Using Websense Enterprise
Setup, page 49, to locate documentation about the dialog box you need
information about.
10. At the final dialog box, click Finish.
Removing CPM
You may need to remove CPM files if you are upgrading your existing
version, if you are changing the machine where components are installed, or if
you are not renewing your CPM subscription. You can use the Websense
Enterprise Setup or the Add/Remove Programs functions in the Windows
Control panel to remove all components. If you want to remove only some
components, you must use the Websense Enterprise Setup.
NOTE
If you share components with the Websense Enterprise
Web filtering module, and want to continue using that
module, the CPM uninstall process is now complete.
CHAPTER 4
Preparing CPM for Use
Before you can deploy Client Agent, you must subscribe to CPM and
successfully download the Websense Enterprise Master Database. The steps
required are:
1. Add Policy Server. For specifics, read Adding a Policy Server, page 93.
2. Download the Websense Enterprise Master Database. This normally
occurs as part of the subscription process.
3. Deploy and/or install Client Agent. For details, read Deploying Client
Agent via Websense Enterprise Manager, page 99.
4. Enter the IP address or host name of the Policy Server machine in the
Server field.
5. Enter the port number for sending configuration information to Policy
Server. The default is 55806. The actual entry should be the configuration
port you identified during installation.
6. Click OK. An icon and the IP address or host name appear in the
navigation tree.
7. Double-click the entry for the Policy Server in the navigation tree to
configure or enter the password.
If this is the first time you are accessing a Policy Server, the Set
Websense Password dialog box opens for password configuration.
a. Enter the password in the Password field, and then press the Tab
key on the keyboard.
b. Reenter the password in the Confirm Password field.
c. Click OK to save the password and access the Policy Server.
Subscribing to Websense
You initially enter subscription data when you first install Websense
Enterprise CPM. Later, however, you may need to update the subscription
information to add licenses or when you extend your subscription.
Additionally, the Subscription pane provides a link to your saved
subscription data, the current number of licenses you have, and your current
expiration date.
You must have an active internet link to connect to Websense and complete
the subscription process:
1. Click Server > Settings on the Websense Enterprise Manager menu to
open the Settings pane. You can also right-click anywhere in the
navigation tree, and then select Settings from the shortcut menu.
2. Select Subscription from the Settings Selection list to access
Subscription settings.
Subscription Pane
3. Type your 16- or 18-character key in the Subscription Key text box. Your
entry must match exactly the subscription key that Websense, Inc. provides.
4. Click Subscription Info to open a browser and link to the Websense
Registration page. Follow on-screen instructions to complete the
registration process.
5. Click Update Registration Info to save your entries and close the
registration form.
6. Close the browser.
7. Click OK to save the changes you made since you opened the Settings
pane.
CHAPTER 5
Deploying Client Agent via
Websense Enterprise Manager
There are four ways to deploy, install, or uninstall Client Agent. Each method
has advantages and disadvantages, often dependent on the knowledge level of
the administrator. The four installation options are:
In Websense Enterprise Manager, select the Deployment Status pane.
This allows administrators to deploy Client Agent to networked
machines. For details, read Managing Client Options, page 106. This is
the easiest way to deploy Client Agent and to track deployment progress.
Use scripts to deploy Client Agent. For information, read Chapter 6:
Deploying Client Agent via Scripts, page 113. This is the most robust
way to deploy Client Agent, but requires some understanding of script
development.
Manually install a single copy of Client Agent at a local machine using
the Client folder. This installation method is relatively easy, but is
generally of use in a small organization or test environment. For details,
read Chapter 6: Deploying Client Agent via Scripts, page 113.
Use third-party applications to deploy Client Agent. Read the third-party
documentation for information. This is useful for organizations that often
deploy software using third-party tools. Generally, this option is useful
only if you have experience using such tools.
Potentially, an organization may use a combination of methods to manage
Client Agent deployment. For example, John is an experienced system
administrator. He uses the Deployment Status pane in Websense Enterprise
Manager to manage the initial agent deployment, but wants to automate
potential upgrades or new installations using scripts. By leveraging these two
options, John can rapidly set up his Websense system from Websense
Enterprise Manager, and then later take the time to create scripts that automate
the update process.
The next table provides a quick reference of the advantages and disadvantages
of the available deployment options.
[Table columns: Deployment Method, Deployment Service, Automated updates, Deployment Status, Mass Deployments, Single Deployment, Scripting Required]
WARNING
Do not install Client Agent on:
Machines running Windows 2000, Service Pack 2 or
lower.
The machine or machines where you installed CPM
Server or CPM Reporter/Explorer for CPM.
Windows 98 Compatibility
The v5.5.2 Client Agent does not support the Windows 98 operating system
on client workstations. However, pre-v5.5.2 Client Agents running on
Windows 98 workstations are backwardly compatible with the v5.5.2 CPM
Server and will retain their current functionality. New features in v5.5.2 are
not available to Windows 98 workstations.
VPN Support
The deployment of Client Agent is not supported over a VPN connection. You
can update policies, perform inventories, and apply lockdowns with the v5.5.2
Client Agent through the following VPN clients:
Microsoft L2TP/IPSec VPN Client
Cisco VPN Client v4.6
Check Point VPN-1 SecureClient
NOTE
After installing Client Agent on a machine running Check
Point VPN-1, you must restart the machine before Client
Agent can function.
When you first open the Deployment Status pane, the list shows all
deployment related details for machines. You can view information for all
domains or by a specific domain, and by deployment status. For example, you
can view all machines in the Finance domain where a deployment action is
pending, or machines in the Purchasing domain where Client Agent is not yet
installed.
IMPORTANT
If you need to uninstall and then reinstall Client Agent,
make sure Windows Service Control Manager (SCM) is
closed at the machine where activity is to occur. If SCM is
open during the uninstall process, you will not be able to
start Client Agent. For more information, refer to
Microsoft Knowledge Base Article #287516.
3. Select a domain from the Domain drop-down list. The default setting is All.
4. Select the appropriate machine status from the Current View drop-down
list. Your choices are:
All. Shows all machines that Websense Enterprise Manager
recognizes.
Installed. Shows machines where Client Agent is installed.
Not Installed. Shows machines where Client Agent is not installed.
Deployment status. Shows the status of the deploy process at
machines affected by a deployment option.
Uninstall status. Shows the status of any uninstall processes at
machines that are affected by such processes.
The Deployment Status pane shows the machines whose status matches your
entry in the filter fields. Information is available only for machines where
deployment or uninstall processes have been scheduled using the
Deployment Status pane or scripts.
Each row in the pane identifies one machine, and provides the following
information:
Domain Name. Shows the network domain on the client machine.
Machine Name. Shows the client machine name. This may be a server, a
laptop, a desktop system, or any other machine.
Asset Tag. Shows the user-defined asset tag name for the machine, if any.
Status. Shows the current status of the machine.
Client Version. Shows the current version of Client Agent installed at the
associated machine.
Install Date. Shows the date when the current version of Client Agent
was installed at the associated machine.
The information in the Deployment Status pane reflects actual situations at
machines that are in the list. For example, if you set the Current View field to
Deployment Status, only machines where Client Agent is being deployed
appear in the Deployment Status list. If you set the field to Not installed,
only machines that do not have Client Agent installed appear.
When you deploy Client Agent using Websense Enterprise Manager, client
installation selections act in the following manner:
Deploy
If you select Deploy, and there is not a current version of Client
Agent at a machine, the process installs Client Agent.
If you select Deploy, and there is a current version of Client Agent at
a machine, the process uninstalls the existing Client Agent and then
reinstalls it.
If you deploy Client Agent to a machine that is already running Client
Agent, the policy at the local machine does not change. When you
next change the policy using Websense Enterprise Manager, policy
changes occur at the local machine as usual.
Uninstall
If you select Uninstall, and there is not a version of Client Agent at a
machine, the process does not impact the machine.
If you select Uninstall, and there is a current version of Client Agent
at a machine, the process removes the Client Agent.
4. Select either Deploy or Uninstall. Only one option may be set at a time. If
you change this setting later, any selections you may have made in the
meantime are dropped.
NOTE
Generally, Websense, Inc. does not recommend
uninstalling and then reinstalling Client Agent. It is better
to deploy the agent and let the deployment process
upgrade or repair the agent. For more information, read
Troubleshooting Client Agent Installations, page 155.
5. Click in the View field, and then select one of the following:
Select All Clients to see all machines that are connected to the network.
Select Clients not installed to see only those machines where Client
Agent has not been installed.
WARNING
Do not install Client Agent on the machine or
machines where you have installed CPM Server or
CPM Reporter. If you do, you may encounter
serious operational problems with CPM functions.
7. Decide how you want Websense to manage the action you select:
By Schedule. The selected action occurs once, based on these
settings.
a. Click Schedule to run to activate the scheduling option.
b. Select the start date in the Date field.
c. Select the start time in the Time field.
CPM Server provides the timestamp, not the client machines. Even if
the client machine shows a different time, any logs or records of the
event will use the CPM Server time.
Run now. The action you selected begins processing as soon as you
click Run now and close the Client Install Options dialog box.
Click OK to submit the action for processing.
NOTE
When Client Agent is deployed to a machine, the
employee receives a pop-up window. The message tells the
employee that the network administrator has deployed new
software, and the machine must be restarted. The
employee can choose to restart the machine immediately
or restart at a later time.
NOTE
For Windows NT and later versions, this is the easiest way
to deploy Client Agent and to monitor the process.
Predeployment Information
Before you begin deploying Client Agent, it is critical that you consider the
following:
Before installing or deploying Client Agent, you must install Client
Policy Manager, enter your subscription data, and have the Websense
Enterprise Master Database downloaded and available. Read Chapter 4:
Preparing CPM for Use, page 93.
Client Agent must be installed on every machine you want to monitor,
and must be able to communicate with CPM Server to access policies,
perform inventories, and upload logged information.
If you need to uninstall and then reinstall Client Agent, make sure
Windows Service Control Manager (SCM) is closed at the machine
where activity is to occur. If SCM is open during the uninstall process,
you will not be able to start Client Agent. For more information, refer to
Microsoft Knowledge Base Article #287516.
For Windows 2000, you must run Service Pack 3 or higher.
Do not install Client Agent on the machine or machines where you have
installed CPM Server or CPM Reporter.
If you select this method, the first CPM Deployment Service you install
becomes the “master.” If you uninstall Websense Client Policy Manager, and
are uninstalling any CPM Deployment Service, the “master” CPM
Deployment Service cannot be uninstalled until all other instances of the
CPM Deployment Service are uninstalled. If you uninstall the “master,”
subsequent processes will fail.
DeploymentServer.ini Parameters
The following parameters can be set in the DeploymentServer.ini file.
If you make changes to this file, double-check your entries for accuracy. If
you enter invalid parameters or mistype data, CPM Deployment Service
might not work correctly.
WARNING
Although you can edit DeploymentServer.ini,
Websense, Inc. recommends using default settings
whenever possible. If you do change this .ini file, use
Windows Service Control Manager to restart CPM
Deployment Service.
IMPORTANT
Websense recommends using environment variables
instead of hardcoding the path. This ensures installation at
the machine if the machine does not have a C drive or if
localization issues are of concern.
WsClientDeployTrigger.exe Parameters
Script parameters are not case-sensitive, and do not need to be placed in any
particular sequence. To specify parameters for the proxy server, you need the
IP address or machine name, the port number, the user name, and the
password. Contact the proxy server administrator if you do not have access to
these details.
NOTE
You can view installation settings including the server port
in the CAMServer.ini file. The file is installed with
CPM Server. By default, the file location is C:\Program
Files\Websense\bin\CAMServer.ini.
Required Parameters
The following are required parameters for
WsClientDeployTrigger.exe:
DeploymentServerName—name or IP address of the machine where
CPM Deployment Service is running, for example
DeploymentServerName=ITServer. Websense, Inc. recommends
using machine names whenever possible. For networks using DHCP-
based communications, the machine name is the only way to avoid
critical problems that result from the IP address changes that are normal.
DeploymentServerPort—port on which CPM Deployment Service
listens, for example, DeploymentServerPort=55372.
InstallMode—parameter that defines whether to install or uninstall the
Client Agent. Possible values are InstallMode=install or
Optional Parameters
The following are optional parameters for
WsClientDeployTrigger.exe. Generally, you can accept default
values for these parameters.
ClientPathSpec—directory into which Client Agent is being installed at
the client machine. The default is
ClientPathSpec="%PROGRAMFILES%\Websense\WDC".
IMPORTANT
Quotation marks around directory strings are important,
especially if the directory string includes spaces. Websense
also recommends the use of environment variables instead
of hardcoding the path. This ensures installation at the
machine if the machine does not have a C drive or if
localization issues are of concern.
NOTE
If the proxy server requires authentication, you can encrypt
the ProxyUsername and ProxyPassword by running
CAMencrypt.exe. Read Encrypting ProxyUsername
and ProxyPassword, page 122. These parameters do not
have default settings. If the proxy server does not require
authentication, you need not enter these parameters.
IMPORTANT
If you are running Check Point VPN-1 on the client
workstation, you must restart the machine after deploying
the Client Agent.
Windows NT
To execute the logon script in Windows NT:
1. Place the logon script you created, for example, install.bat, into the
domain controller's Netlogon share, located at
%SystemRoot%\system32\repl\import\scripts.
2. On the domain controller, select Start>Run and type usrmgr.exe to
launch the User Manager.
3. In the list of domain users, double-click on a user to whom you want to
assign the logon script. The User Properties dialog box opens.
4. Click Profile. The User Profile dialog box opens.
5. In the Logon Script Name field, type the file name of the logon script,
for example, install.bat. This is the file you handled in Step 1.
6. Click OK to exit the User Profile dialog box, and then click OK again to
exit the User Properties dialog box.
7. Repeat Step 3 through Step 6 for each user who must run the logon script.
IMPORTANT
If you are running Check Point VPN-1 on the client
workstation, you must restart the machine after deploying
the Client Agent.
During CPM Server installation, you are prompted for a pass phrase to protect
communications between the server and the agent, as described in Identifying
an Encryption Pass Phrase, page 77. How you deploy Client Agent
determines how the pass phrase is provided:
If you deploy Client Agent from Websense Enterprise Manager, the
encrypted authentication pass phrase is automatically submitted to Client
Agent.
If you deploy Client Agent via scripts, you need to use command line
options to set authentication for CPM Server/Client Agent
communications.
The authentication pass phrase at each Client Agent must match the pass
phrase, or encrypted pass phrase, used at the CPM Server. For example, if you
set authentication at the server, you must also set authentication at the
machines running Client Agent.
While your unencrypted pass phrase is not stored, the encrypted pass phrase
is. If you need access to the encrypted pass phrase, you will find it in the
camserver.ini file. By default, the file is at C:\Program
Files\Websense\bin.
To use command line options for authentication, enter:
-k to set authentication key encryption for Client Agent
-p to set authentication key encryption for CPM Server
The only way you can have a mixed environment--where some machines use
authentication and others do not--is if you use multiple CPM Servers. Even
so, the authentication selection at each CPM Server must be the same for the
Client Agent machines that are in communication with that server.
Y—yes
N—no
P—prompt.
WMI_Reboot—default that becomes active only if WMI is not
detected on a machine.
IMPORTANT
If you are running Check Point VPN-1 on the client
workstation, you must restart the machine after deploying
the Client Agent.
Proxy—IP address and port of the proxy server, if a proxy is required for
HTTP traffic. The value for this parameter is in the form Address:Port,
for example 192.168.0.253.
Pxyauthname—user name required to authenticate through the proxy
server. The value is an encrypted string, for example
135d6a9b4b79cdbbd38927f0f4ca7be8. This parameter is not needed if
the proxy server does not require authentication.
Pxyauthpwd—user's password required to authenticate through the
proxy server. The value is an encrypted string, for example
f8380db439507b3e050ea2e2dfaf0094. This parameter is not needed if
the proxy server does not require authentication.
Syntax
With the exception of the silent mode parameter ( /s ), enclose command-line
options in double quotes. Do not use single-quotes or double-quotes within
the parameters otherwise. For example, the following restarts the machine
where Client Agent resides if the employee clicks Yes in a prompt dialog box:
setup.bat /s "ADDRESS|192.168.0.253,PORT|443,PATH|C:\PROGRAMFILES\Client Agent,SSL|1,REBOOT|PROMPT"
The next script example uninstalls Client Agent:
setup.bat /s "UNINSTALL|Yes"
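The quoting and parameter rules above can be checked mechanically before a logon script is rolled out. The following Python linter is an added example, not part of the Websense guide or product, and the script lines it checks are constructed. It assumes that option names are matched case-insensitively, that PORT follows the 10 to 65535 range given for the CPM Server communication port, and that encrypted values have the 32-hex-character shape of the samples shown above.

```python
import re

# Range the guide gives for the CPM Server communication port; treating
# setup.bat's PORT option as that port is an assumption of this example.
PORT_MIN, PORT_MAX = 10, 65535
# Assumption: encrypted values are 32 hex characters, like the guide's samples.
ENCRYPTED = re.compile(r"[0-9a-fA-F]{32}")
# Script name, optional /s switch, then everything else as the option string.
COMMAND = re.compile(r"^\s*\S+(?:\s+/s(?!\S))?\s*(.*?)\s*$", re.IGNORECASE)


def _is_port(text, low, high):
    """True if text is a plain decimal number within [low, high]."""
    return re.fullmatch(r"[0-9]{1,5}", text) is not None and low <= int(text) <= high


def parse_options(cmdline):
    """Split one setup.bat line into ({KEY: value}, [syntax findings])."""
    match = COMMAND.match(cmdline)
    if match is None:
        return {}, ["empty command line"]
    rest, findings = match.group(1), []
    if not rest:
        return {}, ["no options given"]
    if len(rest) >= 2 and rest.startswith('"') and rest.endswith('"'):
        inner = rest[1:-1]
    else:
        findings.append("options are not enclosed in double quotes")
        inner = rest
    if '"' in inner or "'" in inner:
        findings.append("quote character inside the option string")
    options = {}
    for item in inner.split(","):
        key, sep, value = (part.strip() for part in item.partition("|"))
        if not (key and sep and value):
            findings.append(f"malformed item {item.strip()!r}, expected KEY|VALUE")
            continue
        options[key.upper()] = value
    return options, findings


def lint(cmdline):
    """Return findings for one setup.bat command line; an empty list means clean."""
    options, findings = parse_options(cmdline)
    port = options.get("PORT")
    if port is not None and not _is_port(port, PORT_MIN, PORT_MAX):
        findings.append(f"PORT {port!r} is outside {PORT_MIN}-{PORT_MAX}")
    proxy = options.get("PROXY")
    if proxy is not None:
        host, sep, proxy_port = proxy.rpartition(":")
        if not (host and sep and _is_port(proxy_port, 1, 65535)):
            findings.append(f"PROXY {proxy!r} is not in Address:Port form")
    for key in ("PXYAUTHNAME", "PXYAUTHPWD"):
        value = options.get(key)
        # The value itself is never echoed, so a plaintext secret does not
        # end up in the audit output.
        if value is not None and not ENCRYPTED.fullmatch(value):
            findings.append(f"{key} is not an encrypted string; possible plaintext credential")
    return findings


def audit(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    report = {}
    for number, line in enumerate(lines, start=1):
        findings = lint(line)
        if findings:
            report[number] = findings
    return report


# Constructed sample lines; the first two follow the guide's own examples.
SAMPLE_SCRIPT = [
    r'setup.bat /s "ADDRESS|192.168.0.253,PORT|443,PATH|C:\PROGRAMFILES\Client Agent,SSL|1,REBOOT|PROMPT"',
    r'setup.bat /s "UNINSTALL|Yes"',
    r'setup.bat /s ADDRESS|192.168.0.253,PORT|443',
    r'setup.bat /s "ADDRESS|192.168.0.253,PORT|443,PROXY|192.168.0.253,'
    r'PXYAUTHNAME|135d6a9b4b79cdbbd38927f0f4ca7be8,PXYAUTHPWD|Winter2005"',
    r'setup.bat /s "PATH|"C:\WDC",PORT|5"',
]

if __name__ == "__main__":
    for number, findings in audit(SAMPLE_SCRIPT).items():
        for finding in findings:
            print(f"line {number}: {finding}")
```
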
You can use the Command Prompt option at the client machine to start and
stop Client Agent.
If you are not accessing installation files from a server, and not installing
on a machine where you have already installed Websense Enterprise
Manager, you will need:
The IP address of the machine where you installed Policy Server.
NOTE
If you do not know the IP address of the machine but you
do know the name, use Start > Run and ping the machine.
Type “ping <machine name>”. A system window
opens and shows the IP address for the machine you are
pinging.
NOTE
You can locate port information and the encrypted key
from the CAMServer.ini file. By default, this is at the
machine where you installed CPM Server. The default path
is <cpm_server>\C:\Program Files\Websense\bin\CAMServer.ini.
Selecting an Installer
CPM includes five different installation files, three for Windows ME, and two
for Windows NT and other Windows systems. Two of the installers are
bundled with Windows Installer, and are approximately 4 MB; the other two
installers are for systems where Windows Installer is already available, and
are approximately 2 MB.
If you do not know whether or not Windows Installer is available at the local
machine, and do not select the correct file the first time, simply select the
remaining file the second time. If the installer fails, there are no repercussions
at the local machine.
For machines running Windows ME, you must install Windows Management
Instrumentation (WMI), an application that allows Client Agent and CPM
Server to pass information, in addition to installing Client Agent. For
Windows NT, Windows 2000, Windows 2003, and Windows XP, WMI is
already installed with the operating system.
The Client Agent installation files that are available, the operating systems
(OS) they impact, and their approximate size, appear in the next table. The
default paths are also provided.
Once you have access to the Client Agent installers, the installation process at
the local machine takes approximately 30 seconds.
2. Make sure you have administrator level access to the local machine. You
need the user name and password.
3. If the local machine is running a Windows ME operating system, install
Windows Management Instrumentation (WMI). The default location for
the installer is
<cpm_server>\C:\Program Files\Websense\bin\Client\WMI Installers\9\wmicore.exe.
NOTE
Windows Management Instrumentation (WMI) is needed
for CPM Server and Client Agent communications and
information transmissions.
4. Decide which Client Agent installation file is most suitable for the local
machine, and then locate it. Default paths and file information appear in
Selecting an Installer, page 132. All files are in the
\\Program Files\Websense\bin\Client\ directory path.
5. Once you locate the appropriate file, double click it to begin running the
installer.
6. Follow onscreen prompts to install Client Agent. The process is described
in Installing Client Agent Locally, page 136.
NOTE
The following procedure assumes you do not have any
Websense Enterprise components currently installed. If
you do, Step 7 does not appear.
13. Check Selecting an Installer, page 132, to determine which Client Agent
installation file is appropriate for the local
14. Install Client Agent. Read Installing Client Agent Locally, the next topic,
for details.
IMPORTANT
If you do not know the encrypted key, go to
the machine where you installed CPM
Server, if you have administrator access to
that machine. Locate and open the
CAMServer.ini file. For details, read
Preparing for Client Agent Installation,
page 131.
d. Click Next.
4. After brief messages appear, the Installation Complete dialog box opens.
Click Finish to complete the CPM Deployment Service installation.
Apache
If you use Apache, during installation you will be required to set a user name
and password for three different roles required for Explorer for CPM. These
roles are:
An HR User can run any report and can see user and machine names.
A Restricted User can run reports only with user IDs instead of user
names.
More than one person may assume each role, and the user name and password
for a role apply to that role, not a specific user.
Microsoft IIS
If you use IIS, before installing Explorer for CPM, you need to know the
location of the IIS Virtual Directory. During the installation, you will be asked
to provide the name of an existing Website from IIS Manager in which to
create the virtual directory.
To create a new Web site or view existing Web sites, access the Windows
Internet Services Manager by selecting
Start>Programs>Administrative Tools>Internet Services Manager.
Explorer for CPM users access the same installed reporting tools. There are,
however, two different user access levels controlled by individual files, each
of which results in a different access path. You must identify each Windows
user and provide access with her user name and password. The files are:
explorer.exe - Users can run any Explorer for CPM reports and see
all information. User and machine names are viewable or can be manually
hidden.
explorer_anon.exe - Users can run any Explorer for CPM reports.
All launch-related data is available, except user and machine names are
shown as numeric IDs.
Once Explorer for CPM is installed, access levels are set at the machine where
Explorer for CPM resides, by setting permissions on the Explorer for CPM
files. Later, you may need to remove permissions if employees change job
positions or leave the company.
WARNING
For optimum results, you should be familiar with
Microsoft SQL concepts and table structures. If you do not
have the appropriate knowledge, Websense Inc.
recommends you contact someone who does.
To set department level reporting, you must add employees’ user IDs to the
USER_MANAGERS table.
When the table is populated, department managers with access to
explorer_auth.exe will be able to view launch activity for employees
in their department.
Simple Example
John Rodriguez is the department manager. Department employees are Stella
Fisher, Robert Smith, and Joseph Huang.
The prepopulated USERS table looks like this:
Once Explorer for CPM is installed, there are two ways to launch the
program.
Launch Explorer for CPM From the Start Menu
Launch Explorer for CPM in a Browser
Authentication is Required
If CPM Server must access the Internet through an upstream firewall or proxy
server that requires authentication, check the following:
Check the spelling and capitalization for the user name and password in
the Proxy/Authentication dialog box.
Make sure the firewall or proxy is configured to accept clear text or basic
authentication.
Firewall Restrictions
If your firewall restricts access to the Internet at the time CPM Server calls for
the download, or if the firewall limits the size of files that can be sent via
HTTP, CPM Server cannot receive the download.
Make the appropriate changes on the firewall, or change the time for the
download by selecting Settings > Database Download and changing
values in the Download time fields.
NOTE
If you are running CPM Server behind a Gauntlet firewall,
check FAQs at http://www.websense.com/support/knowledgebase/
for specific information.
Anti-virus Applications
Some anti-virus applications, such as virus scanners or size-limiting
applications, can interfere with database downloads. You need to disable the
restrictions relating to CPM Server and the download location.
5. Click Select this account and enter the same Windows authentication
data that you defined during installation. The user must have privileges to
access the database. Enter:
The account
The password
The password again.
6. Click OK to close the Properties dialog box and save your information.
4. Repeat this procedure to turn on File and Printer Sharing services for each
client machine.
NOTE
Alternatively, administrators can use Group Policy Options
to enable File and Print sharing.
2. Use Group Policy to add the user back to the registry. Be sure you give
the user Read access rights.
NOTE
Microsoft Knowledge Base Article 832082 describes the
problem, offers patch and hotfix details, and fully
describes the manual process to fix this issue. The article,
in English, is available at http://support.microsoft.com.
NOTE
Using Scripts for Unattended Client Agent Install/Uninstall,
page 128 describes sample scripts provided by
Websense, Inc.
the machine where Client Agent v5.2 has been upgraded, informing the
employee that she must restart her machine. The employee can choose to
restart immediately or wait to restart.
Are there files on the SQL database server I should back up for
recovery?
You will need to back up the following files on the machine where you have
installed your SQL database:
wscamil: At your SQL Server, use Programs > Microsoft SQL Server
> Enterprise Manager to detach and copy wscamil. The path in SQL
Enterprise Manager is Console Root > SQL Server Group > (SQL
Server name) > Databases > wscamil. For information on detaching and
copying the wscamil database, read online help for Microsoft SQL Server
Enterprise Manager.
.mdf: Any MDF file associated with Websense logging, typically
named wslogdb50.mdf. These files possibly include a date/time
stamp in the name. LDF files are not required.
Fee-based Support
The Websense 24x7 support contract is available for purchase. For a list of
services, please visit our Web site at:
http://www.websense.com/products/about/24x7/.
For additional information, please contact our Sales Department at
800.723.1166 or 858.320.8000, or send an email to sales@websense.com.
Support Options
Websense Technical Support can be requested 24 hours a day.
Web Portal
You can submit support tickets through the Web Portal 24 hours a day. The
response time during business hours is approximately 4 hours. Response to
after-hours requests will occur the next business day. Support tickets can be
submitted at:
http://ww2.websense.com/global/en/SupportAndKB/CreateRequest/.
Email Questions
You may email your questions to us at the addresses listed below. Make sure
you include your subscription key. This option is available 24 hours a day, 7
days a week. We will respond during business hours Monday through Friday.
support@websense.com—San Diego, California, USA
japansupport@websense.com—Japan (Asia)
Email support can take 24 hours or more for a response. If you need a quicker
turnaround, submit your issues through the Web Portal.
NOTE
For technical support in the UK, submit support tickets
through the Web Portal address.
Telephone Assistance
Before you call a Websense Technical Support representative, please be ready
with the following:
Websense subscription key.
Access to Websense Enterprise Manager.
Access to the machine running the Filtering Service, the Websense
Reporter server, and the database (MSDE or SQL) server.
Permission to access the Websense log database.
Familiarity with your network's architecture, or access to a person who
has this familiarity.
Specifications of the machines running the Filtering Service and
Websense Enterprise Manager.
A list of other applications running on the Filtering Service machine.
For severe problems, additional information may be needed.
Telephone assistance is available during normal business hours Monday
through Friday at the following numbers:
San Diego, California, USA: 858.458.2940
London, England: +44 (0) 1932 796244
Improving Documentation
Websense, Inc. understands the value of high quality, accurate documentation.
If you have any suggestions for improving the documentation, contact us at
DocFeedback@websense.com. We appreciate your input.
BROWSER
A browser is a software application used to view Web pages. Examples
include Netscape Navigator and Microsoft Internet Explorer. Explorer for
CPM and CPM Reporter both require access to a browser for report
generation and presentation.
CLIENT
Generally, the term client defines a computer that accesses shared information
from another computer, called a server. In Websense, clients refer to users,
groups, workstations, and networks filtered by Websense.
CPM REPORTER
CPM SERVER
CPM Server is the Client Policy Manager component that interacts with
Client Agent and the Policy Server to provide software filtering.
DATABASE ENGINE
The database management system used to create and manage a database. In
Explorer for CPM, database engine refers to the SQL Server.
IP (INTERNET PROTOCOL)
Internet Protocol is the format in which information is transmitted over the
Internet.
IP ADDRESS
An IP address uniquely identifies a computer on a TCP/IP network. An IP
address is a 32-bit numeric address written as four numbers separated by
periods. Each number can be zero to 255. For example, 102.3.5.78 can be an
IP address.
PORT
A port is a numeric value that identifies a logical connection over which two
programs communicate.
SERVER
Websense refers to both hardware and software servers. A hardware server is
a machine that manages network resources. Software servers are programs
that manage network resources. For example, the Policy Server is software
that manages software resources.
TCP/IP
Abbreviation for Transmission Control Protocol/Internet Protocol, the suite
of communications protocols used to connect hosts on the Internet.
USER
In Websense, a user is a predefined name in a Windows NT domain
controller. Users can be added to the Websense Enterprise Manager, and then
assigned to a policy, enabling you to define unique filtering strategies for
individual employees.
WORKSTATION
Websense defines a workstation as a computer from which users access
software. Workstations, identified by their IP address, can be added to Client
Policy Manager, and then assigned to a policy, enabling you to define unique
control strategies for individual computers.