
Deployment Checklist

Quick Start for Websense Security Suite

Websense Technical Support


Online: http://www.websense.com/support/form/

Deployment Checklist

7/19/2016

CONTENTS

INTRODUCTION
  ABOUT WEBSENSE SECURITY SUITE
  WHY PILOT VERSUS EVAL?
  DOCUMENTATION
  SUPPORT

OBJECTIVES
  MITIGATE LEGAL LIABILITY
  MITIGATE PRODUCTIVITY LOSS
  MITIGATE SECURITY THREATS
  MITIGATE BANDWIDTH LOSS
  DEMONSTRATE EASE OF USE
  OTHER OBJECTIVES (SPECIFY)
  OTHER OBJECTIVES (SPECIFY)
  SCHEDULE
    Pilot Deployment Date
    Status Review telcon
    Present Results to Management on
    Submit Order Requisition by
    PO Received by Websense on

PRE-DEPLOYMENT CHECKLIST  DEPLOYMENT DATE:
  ENVIRONMENT
  INTEGRATION
  SWITCH CONFIGURATION
  DIRECTORY SERVICES
  WEBSENSE SERVER
  CPM SERVER
  REPORTING SERVER
  DATABASE SERVER
  NETWORK PORTS
  PASSWORDS
  SPECIALISTS

DEPLOYMENT CHECKLIST  DEPLOYMENT DATE:
  SPECIALISTS
  SPECIALISTS
  SPECIALISTS
  SPECIALISTS
  SPECIALISTS
  SPECIALISTS

POST-DEPLOYMENT CHECKLIST  DEPLOYMENT DATE:
  SPECIALISTS

Websense Proprietary & Confidential


DRAFT


Introduction

This document serves as a quick start for deploying Websense Security Suite, and will ensure the success
of your deployment. References to source documents are provided so that you can obtain more detail. A
Websense Field Systems Engineer may be available to assist you during the planning and deployment
phases; please ask your Sales Representative. Websense Technical Support is available to all customers
and prospects by phone and online. Our Knowledgebase is also available online, as is our documentation.

About Websense Security Suite


Websense Security Suite protects the enterprise network at the gateway and on the desktop, while
promoting employee productivity through behavior reinforcement. Gateway enforcement includes blocking
access to dangerous and offensive web sites, limiting time spent on unproductive sites, blocking undesirable
protocols from exiting the corporate gateway, and restricting the use of network protocols to desirable
purposes. Desktop policy enforcement is achieved by tightly controlling what can launch, and by restricting
what resources are available to applications permitted to launch. In addition, Websense Security Suite can
detect certain fraudulent use of an organization's brands (BrandWatcher) as well as unauthorized changes
made to its web sites (SiteWatcher). Websense Security Suite promotes productivity by applying
immediate feedback to users' behavior while enforcing the company's Internet policies. This behavior
reinforcement is achieved through hard blocks, time quota-limited blocks, blocks with a continue option, and
through the users' knowledge that their activity is being monitored and logged.

Why Pilot versus Eval?


Websense Security Suite can be deployed as a pass-by technology, and when configured in monitor-only
mode there is no impact to users or equipment on your production network. In this configuration, Websense
is completely transparent while it is operational and when it is offline. You can then apply policies to a small
number of users and workstations for testing. Deployment on your production network ensures that the test
conditions and results are true to your actual environment, not obscured by unusual configurations and
unsupervised changes made in a lab. Converting the pilot deployment to production simply requires
replacing the evaluation key with a subscription key. Generally, no additional effort is needed.

Documentation
Websense Policy Planner -- assists in formulating policies of what to block and for whom
Websense Enterprise Evaluator's Guide -- setup instructions and configuration examples
Websense Deployment Guide -- server specifications and network architecture
Websense Installation Guide -- installation and configuration instructions (use stand-alone or Universal)
Websense Integration Guide -- integrating Websense with your preferred partner device
Websense Admin Guide -- configuring features and editing policies
Websense CPM Admin Guide -- filtering applications on the desktop
Websense Reporting Admin Guide -- running reports and configuring automated reports
Websense Reporting User Guide -- running reports and configuring automated reports

Support
For best results, search the Knowledgebase first. If no resolution is found, open a support request online
while you dial the support number. That way, by the time your call is answered, you can refer the support
engineer to your new case with all the details in it already. Be sure to include your office and mobile phone
numbers to expedite resolution. Make sure your spam filter permits email from websense.com, and be sure
to respond to all support replies by phone, email, or using the online form to prevent your case from being
closed for unresponsiveness. If your case is closed prematurely, ask that it be reopened; otherwise, you may
be asked to start troubleshooting from the beginning.
Knowledgebase -- http://ww2.websense.com/global/en/SupportAndKB/SearchKB/
Technical Support Online -- http://ww2.websense.com/global/en/SupportAndKB/CreateRequest/
Technical Support Phone -- 5 a.m. to 5 p.m. Pacific Time (858) 458-2940


Objectives

Please review the following criteria to establish objectives for the pilot deployment.
Mitigate Legal Liability
DONE
Example: Block pornographic web sites (hostile workplace compliance), pornographic image searches on
Google and Yahoo, peer-to-peer file sharing (potential copyright infringement and a potential source of porn),
Instant Messaging (potential source of information leaks), Instant Messaging Attachments (potential source
of information leaks and a security risk).
Mitigate Productivity Loss
DONE
Example: Block pornographic web sites, pornographic image searches on Google and Yahoo,
advertisements, peer-to-peer file sharing protocols, streaming media protocols, Internet radio and TV sites,
Instant Messaging sites and protocols, MP3 sites and file type downloads, Internet storage sites. Set quota
limits on shopping web sites, news, and sports sites. Block the launch of IM, P2P, and streaming media
applications on the desktop.
Mitigate Security Threats
DONE
Example: Block spyware infection and back channel sites (payload delivery and reinfection), malware
infection and back channel sites, phishing and other Internet fraud sites, keyloggers, proxy avoidance sites
and protocols, Internet storage sites, and IM attachments. Block the launch of hacking tools, spyware, and
malware on the desktop. Block the silent install of applications on the desktop. Block network access for all
unknown applications. Automatically generate reports on these activities for follow up. Automatic, real-time
updates on security-related threats, and automatic email notification of new web-based threats. Notify on
detected fraudulent uses of brand and corporate image, and on unauthorized web site changes.
Mitigate Bandwidth Loss
DONE
Example: Block streaming media protocols, Internet radio and TV sites, MP3 sites and file type downloads,
peer-to-peer file sharing. Set quota limits on shopping web sites, news, and sports sites. Block streaming
media and VOIP applications on the desktop.
Demonstrate Ease of Use
DONE
Example: 100% GUI-driven management interface; user-friendly reporting tools; automatic categorization
and feedback loop for URLs, protocols, and applications; automatic nightly database updates.
Other Objectives (Specify)

DONE

Other Objectives (Specify)

DONE

Schedule
For the smoothest transition to production, Websense recommends adopting the following schedule so that
the pilot is completed, management can review and approve the acquisition, and a PO is received within the
30-day evaluation key time limit. If the limit is reached, filtering will either fail open (default, all traffic is
allowed to the Internet) or fail closed (optional, all traffic is blocked).
Pilot Deployment Date: Day 1 (Pre-Deployment Checklist completed.)
Status Review telcon: (recommended not later than Week 2)
Present Results to Management on: (recommended not later than Week 3)
Submit Order Requisition by: (recommended not later than end of Week 3)
PO Received by Websense on: Day 30 (A production key will be sent via email.)


Pre-Deployment Checklist


Deployment Date:

Environment

Production network / Laboratory (Note: Lab results are not certifiable.)
Internet connections at this facility: One / more (specify)   Type: (specify)
Remote branches supported: (specify number and location)
Remote branches use: their own Internet access / corporate Internet access
Remote branches will connect to Websense via: VPN / private circuit

Integration

Standalone / Integrated (with ) / Embedded (on )
IP address of integration/embedded device:

Switch configuration

Hardware brand:   model:
Configure a bi-directional mirror/SPAN of the firewall port
DONE
Run one Ethernet cable from the SPAN port to the Websense server
DONE
Run a second Ethernet cable from the switch to the Websense server
DONE

Directory services

NT/AD mixed / AD native / LDAP / eDirectory (with NMAS) / RADIUS
Optional: Account with domain read privileges: (specify dom/account)
DONE

Websense server

Hardware brand:   model:   CPU:   RAM:
OS: Windows 2000 / Linux RH Enterprise 3.0 / Solaris 9.0
Size server according to Websense specifications
DONE
Configure two NICs (one for monitoring, one for management/blocking)
DONE
Configure static IP address for management NIC:
DONE
Install IIS web server (or accept Apache during Websense install)
DONE
Apply all service packs and critical updates
DONE
Add server to the domain (or a trusted domain)
DONE
Configure network time service
DONE
Document any security modifications made (for troubleshooting)
DONE

Lockdown/CPM server

CPM Server is on: the Websense server / its own server
Hardware brand:   model:   CPU:   RAM:   OS: Win 2000
Size server according to Websense specifications
DONE
Configure static IP address: (specify IP)
DONE
Apply all service packs and critical updates
DONE
Configure network time service
DONE
Document any security modifications made (for troubleshooting)
DONE

Reporting server

Hardware brand:   model:   CPU:   RAM:
OS: Windows 2000 / Linux RH Enterprise 3.0 / Solaris 9.0
Size server according to Websense specifications
DONE
Install IIS or Apache web server
DONE
Configure static IP address: (specify IP)
DONE
Apply all service packs and critical updates
DONE
Configure network time service
DONE
Document any security modifications made (for troubleshooting)
DONE

Database server

Hardware brand:   model:   CPU:   RAM:
OS: Windows 2000 / Linux RH Enterprise 3.0 / Solaris 9.0
Database engine is: on Reporting server / on server name or IP
Size server according to Websense specifications
DONE
Use separate spindles, one for OS and apps, and one for database
DONE
Install DB engine: MS SQL 2000
Recommended: Use SQL (not Windows) authentication type
DONE
Configure static IP address: (specify IP)
DONE
Apply all service packs and critical updates
DONE
Document any security modifications made (for troubleshooting)
DONE

Network Ports

Open HTTP and FTP to download the install files and patches from my.websense.com
DONE
Open HTTP and FTP for database updates to Policy and CPM servers
  download.websense.com
  ddsdom.websense.com
  ddsint.websense.com
  portal.websense.com
DONE
Open 15868/TCP from the integration device to the filtering server
(Port 18182/TCP for the UFP filter with CheckPoint FW-1.)
DONE
Open 55805/TCP from the filtering server to the log server
DONE
Open SQL ports from the log server to the SQL database server
DONE
Open NetBIOS ports between the DC Agent and all domain controllers
DONE
Open NetBIOS bi-dir between DC Agent and User Service
DONE
Open NetBIOS bi-dir between User Service and domain controllers
DONE
Open HTTP to the filtering and reporting servers (for RTA and Explorer)
DONE
Open 25/TCP from the servers to your internal mail relay
DONE
Open NetBIOS bi-dir between CPM server and clients
DONE
Open 55372/TCP between CPM server and clients
DONE
Review CPM Install Guide for alternate CPM ports
DONE
Review KB 604 for other requirements (LDAP, eDirectory, etc.)
DONE

Passwords

The following passwords are needed to deploy Websense software:
IP address, username, and password to configure the switch
DONE
IP address, username, and password to configure the integration device
DONE
Username and password for the integration software
DONE
Admin account and password for the various Websense servers
DONE
An account with domain admin privileges to read user accounts
DONE
SQL account to create/manage databases (e.g., sa login and password)
DONE
Name / IP of internal SMTP server (specify *internal* mail server)
DONE
Email account (for alerts and reports, if open relay is disabled internally)
DONE
Proxy IP, port, and account (for the nightly database download)
DONE

Specialists

We may need assistance from the following specialists during the deployment:
Integration Device engineer scheduled to be on duty on deployment day
DONE
Integration Device engineer name and cell phone:
Switch engineer scheduled to be on duty on deployment day
DONE
Switch engineer name and cell phone:
Directory Services engineer scheduled to be on duty on deployment day
DONE
Directory Services engineer name and cell phone:
Websense operator scheduled to be on duty on deployment day
DONE
Websense operator name and cell phone:
Database Administrator scheduled to be on duty on deployment day
DONE
Database Administrator name and cell phone:
Reporting Tools operator scheduled to be on duty on deployment day
DONE
Reporting Tools operator name and cell phone:
Desktop security engineer scheduled to be on duty on deployment day
DONE
Desktop security engineer name and cell phone:
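
An added example (not Websense code and not part of the original checklist): a small Python pre-flight check for the TCP flows that the Network Ports list of this Pre-Deployment Checklist gives with explicit port numbers, run on each server role to confirm the firewall openings before marking them DONE. The role labels and the sample addresses are assumptions of this example; the NetBIOS, SQL and HTTP/FTP items, for which the checklist gives no port numbers, are left out.

```python
import socket

# TCP flows the checklist lists with explicit port numbers, as
# (source role, destination role, port). Role names are this example's labels.
FLOWS = [
    ("integration", "filtering", 15868),  # integration device -> filtering server
    ("integration", "filtering", 18182),  # UFP filter, CheckPoint FW-1 only
    ("filtering", "log", 55805),          # filtering server -> log server
    ("filtering", "mail_relay", 25),      # servers -> internal mail relay
    ("log", "mail_relay", 25),
    ("cpm", "mail_relay", 25),
    ("cpm", "cpm_client", 55372),         # CPM server <-> clients
    ("cpm_client", "cpm", 55372),
]


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_role(role, hosts, probe=tcp_open, checkpoint_ufp=False):
    """Probe every outbound flow for the role this script is run on.

    hosts maps destination role -> address. Returns a list of
    (destination role, address, port, status), where status is "open",
    "blocked", or "no-address" when the destination was not filled in.
    """
    results = []
    for src, dst, port in FLOWS:
        if src != role:
            continue
        if port == 18182 and not checkpoint_ufp:
            continue  # only relevant when integrating with CheckPoint FW-1
        addr = hosts.get(dst)
        if not addr:
            status = "no-address"
        else:
            status = "open" if probe(addr, port) else "blocked"
        results.append((dst, addr, port, status))
    return results


def outstanding(results):
    """Flows that cannot yet be marked DONE on the checklist."""
    return [r for r in results if r[3] != "open"]


if __name__ == "__main__":
    # Constructed sample addresses (documentation range); replace with your own.
    sample_hosts = {"log": "192.0.2.20", "mail_relay": "192.0.2.25"}
    for dst, addr, port, status in check_role("filtering", sample_hosts):
        print(f"filtering -> {dst} ({addr}) {port}/TCP: {status}")
```

Each flow has to be probed from its own source host, so the script is run once per role; a "blocked" result only says the connection did not complete from that host within the timeout.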

Deployment Checklist

Deployment Date:

Get Key & Software

Visit our download site to obtain an evaluation key and get software
The evaluation key will arrive via email within 30 minutes
Appliances: If v5.2 is pre-installed, download v5.2 Reporting Tools
Windows/Solaris/Linux: Download the latest full package version

DONE
DONE

Uncompress

Uncompress the download package
Windows: double-click the downloaded executable
Solaris/Linux:
  gunzip the downloaded file
  tar xvf the gunzipped tar file
DONE

Install Websense

Run the installer, following the onscreen prompts for Websense
Windows: run c:\temp\WebsenseSecuritySuite\Setup.exe
Solaris/Linux: ./install.sh
DONE

Install Reporting

Run the installer, following the onscreen prompts for Reporting Tools
Windows: run c:\temp\WebsenseSecuritySuite\Setup.exe
Solaris/Linux: ./install.sh
Note: The filter and reporting versions must match.
Note: Use the same SQL authentication method used during SQL setup.
DONE
DONE
DONE

Install Lockdown/CPM

Run the installer, following the onscreen prompts for Lockdown/CPM
Windows: run c:\temp\WebsenseSecuritySuite\Setup.exe
Configure Lockdown/CPM policies. (See the CPM Admin Guide.)
Note: The default policies may be sufficient for your use.
Deploy Lockdown/CPM clients. (See the CPM Install Guide.)
DONE

Verify Installation

DONE
Check Real-Time Analyzer's Protocol Trends
HTTP/HTTPS/FTP may come from the integration device (if any)
IM/P2P/Streaming Media will come from Network Agent (if deployed)
Check /var/adm/messages or Windows Event Viewer - Applications
Check <install path>\Websense\bin\Websense.log
Check that Websense services are running
Windows: Use the Windows Services applet
Solaris/Linux: ./WebsenseAdmin status
Check <install path>\Websense Reporting\LogServer\Cache
You should see files created and deleted, no more than 10 at any time
DONE
DONE
DONE
DONE
DONE
DONE
DONE

Post-Deployment Checklist

Deployment Date:

Recovery Options

Use SNMP to test for active NICs and a live OS
DONE
Set up alerts in case a Websense service fails to start or re-start
DONE
Windows: Set the recovery options to restart>restart>run a program
Follow KB775 to create a VBScript as the program to run
Using the server as the from email address may help ID the server
Sending to an email group alias may help during off hours, vacations, etc.
Consider sending to phones or pagers with text messaging capability
The smtp server name must be an internal interface with relay enabled
Test the VBScript by double-clicking it. If it runs okay, you'll get an email.
Note: Alerts fail if the OS dies, the NIC is disabled, or mail relay is disabled

Reports

Set up automated weekly spyware reports (See Reporter Admin Guide.)
DONE
Send to the desktop support group with a message to clean infected systems
