GETTING STARTED GUIDE

Websense Data Security Suite

v7.1

19962009, Websense Inc. All rights reserved. 10240 Sorrento Valley Rd., San Diego, CA 92121, USA Published March ' 2009 Printed in the United States of America and Ireland The products and/or methods of use described in this document are covered by U.S. Patent Numbers 6,606,659 and 6,947,985 and other patents pending. This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Websense Inc. Every effort has been made to ensure the accuracy of this manual. However, Websense Inc., makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Websense Inc. shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice. Trademarks Websense and Websense Enterprise are registered trademarks of Websense, Inc. in the United States and certain international markets. Websense has numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners. PreciseID is a registered trademark of Websense Inc, patent pending Microsoft, Windows, Windows NT, Windows Server, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Sun, Solaris, UltraSPARC, Sun Java System, and all Sun Java System based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc., in the United States and other countries. Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape Communications Corporation and may be registered outside the U.S. The following is a registered trademark of Novell, Inc., in the United States and other countries: Novell Directory Services. Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Pentium is a registered trademark of Intel Corporation. Red Hat is a registered trademark of Red Hat, Inc., in the United States and other countries. Linux is a trademark of Linus Torvalds, in the United States and other countries. This product includes software distributed by the Apache Software Foundation (http://www.apache.org). Copyright (c) 2000. The Apache Software Foundation. All rights reserved. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

Websense Data Security Suite

Contents
Websense Data Security Suite Introduction Installation Prerequisites Installing the Data Security Suite Logging in System Setup Updating Licenses Licensing Licensing the Data Security Suite Setting General System Parameters Setting LDAP Server Settings Setting Outgoing Mail Server Configuring System Modules Setting Policies 1 4 5 5 7 22 24 24 24 25 28 28 30 31 34

Websense Data Security Suite

Introduction
This Getting Started Guide explains basic procedures for getting the Data Security Suite up and running. For complete Data Security Suite documentation, consult the Users Guide, the Policy Configuration Guide and the Protector Guide. The following steps are necessary to get the Data Security Suite up and running: 1. Install the Data Security Suite components. 2. Log into the DSS Manager 3. Set the following:

License Set General System Parameters Configure System Modules Set Policies

Websense Data Security Suite

Installation
To install the Data Security Suite follow the following instructions. The installation will depend on which components and which agents will be installed. NOTE: The Data Security Suite supports installations over Virtual Machines (VM), but to do so you must upgrade to the Oracle Database 10.2.0.4 patch set. Upgrade procedures can be found in the following KB article "Upgrading Oracle Database to 10.2.0.4" in the Websense Knowledge Base.

Prerequisites
Prior to Websense Data Security Suite installation, make sure the following Hardware and Software requirements are met and that the following are installed on the Windows 2003 Server, onto which the Websense Data Security Suite is to be installed.

DSS Server Hardware Requirements

Two 2.4 GHz Intel or AMD Processors or better 4 GB RAM Four 74 GB, 15K RPM, SCSI U320 hard drives (minimum) in RAID

1+0
NIC 1000/100/10 for fast connection to a Protector device using a cross

cable For optimized performance of the Websense Data Security Suite, verify that the Operating System's file cluster is set to 4096B. For more information, see Websense KB article: File System Performance Optimization..

Websense Data Security Suite

DSS Server Software Requirements

Windows 2003 standard R2 edition with the latest SP Windows Installation Requirements:

Set the partition to 1 NTFS Partition. For more information, see Websense KB article: File System Performance Optimization.. To maximize the system's performance and abilities Websense recommend's that the server not be part of a domain. If it is part of the domain, GPOs enforced on the domain as well as Anti virus scans may interfere and cause the system to halt. Please contact Websense Tech support for more information. NOTE: Windows organizational security policy GPOs can affect Data Security Suite functionality. Before applying GPOs, contact Websense technical support.

Regional Settings: should be set according to the primary location. If necessary, add supplemental language support and adjust the default language for non-Unicode programs. Configure the network connection to have a static IP address.

Install the following Windows components by running appwiz.cpl from the Start | Run and selecting Add/Remove Windows Components Application Server:

ASP.NET Create a local administrator to be used as a Service Account.

For instructions regarding hardening, contact Websense

Technical Support.

It is necessary to set the System Time accurately on the server onto which the DSS Server will be installed.

Websense Data Security Suite

Installing the Data Security Suite

1. Close all Windows programs before starting installation. 2. Create a "Websense" folder for the <dss_cap> Manager and copy the following to it:

Database 10g gs folder Database 2K5 folder

3. Run the Data Security Suite installation by double-clicking on the DSS7-x86.msi file in the Websense Data Security Suite directory. NOTE: During DSS Management installation, make sure that the DSS7x86.msi installer resides in the same location as the folder Database 10g. If not, the installation will not succeed. In the event that the Printer Agent is to be installed, it is also necessary to make sure that the Ghostscript file gs857w32.exe is in the same folder as the installer DSS7-x86.msi. During installation of the Data Security Suite, the installer will verify that .NET 2.0 and SQL Server are installed. If not, they will be installed.

Websense Data Security Suite

4. Follow the instructions on the screen. Click the next button to proceed throughout the installation.

Websense Data Security Suite

5. Read the License Agreement carefully before accepting in order to proceed.

Websense Data Security Suite

6. Select a folder into which the Data Security Suite will be installed on the server. By default, it will be stored in C:\Program Files\Websense\Data Security Suite.

10

Websense Data Security Suite

7. Select the intended type of installation. This screen configures whether management and/or analysis capabilities are to be installed on your system. Select Management DSS Server to install all Data Security Suite analysis and management capabilities. This selection is intended for the main Data Security Suite server. Select DSS Server to install all Data Security Suite analysis capabilities. This selection is intended for secondary Data Security Suite servers used for analysis scalability (load balancing). Select Agents Only installation if you do not want to install any analysis or management capabilities, and only want to install agents on the server. Clicking Next after choosing any of the three options above will allow you to select from a list of agents, and install them regardless of the management and analysis capabilities selected in this stage.

11

Websense Data Security Suite

8. Click on the icon next to each feature to select which agents to install, this will toggle back and forth between the X and the Agent icon . Subsequent screens will depend on which options are selected here.

12

Websense Data Security Suite

9. The Print Processor Destination(s) is an informative screen, which will only be displayed when the Printer Agent is selected in the installation options, and the server is configured as a node in a Windows server cluster. The displayed list will contain the names of all cluster nodes on which the printer agent will be installed. Make sure that all nodes holding print spooler resources are listed.

13

Websense Data Security Suite

10. When installing the Management DSS Server, this dialog determines where SQL-Server data files will be stored. Manually edit the location, or click the "Browse" Buttons in order to change the location in which these files will be stored. When installing a DSS Server, this dialog determines where the Management DSS Server is located. Type the hostname or IP address of the Management DSS server in the SQL Server Name field. In both cases, the sa password to the SQL-Server needs to be supplied. This is necessary to enable communication between the Data Security Suite and the SQL Server. If an SQL Server is not already installed, the Websense Data Security Suite will install it for you, but you will need to provide a User Name and Password.

14

Websense Data Security Suite

11. The Oracle Server Connection screen determines the location to which the Data Security Suite Management database is installed, and credentials used to access it. Browse to the location where the Oracle Table Space is to be stored. If a database is not already installed on the system, use the edit boxes on the bottom of the dialog box to define both the system and the sa passwords. The system account is a general master account for the database, while the sa account is an administrative account for the DSS application. If, on the other hand, a database is already installed on the system (from a prior installation, for example), use the edit box on the left to enter the password for the system account, and the edit boxes on the right to define a password for the sa account.

15

Websense Data Security Suite

12. The Fingerprint Repository Destination folder screen enables you to set a destination location for the Data Security Suite PreciseID Database into which all fingerprints will be stored. The PreciseID Database stores and serves fingerprints to the Data Security Suite.

16

Websense Data Security Suite

13. The Virtual SMTP Server screen will appear only if SMTP Agent was selected in the Agent installation options and there is more than one virtual SMTP Server detected on the server. In this case, select which Virtual SMTP server should be used to be bound to the Data Security Suite SMTP Agent.

17

Websense Data Security Suite

The Server IP Address screen will be displayed to enable you to select the IP address to be used to connect to the Data Security Suite.

18

Websense Data Security Suite

14. If this is a DSS Server or Agent only installation it is necessary to register with the DSS Manager. Enter the IP address of the DSS Manager and its One Time Password (set during DSS Manager installation). In the event that this password has been used (either by clicking the Next button and then going Back to this screen, or if this is a subsequent installation) it will be necessary to click the Reestablish Connection checkbox in order to input the DSS Manager IP address again and set a fresh One Time Password.

19

Websense Data Security Suite

15. Enter the local administrator username and password according to the instructions indicated.

20

Websense Data Security Suite

16. If all the information entered is correct, click the Install button to begin installation.

Installation may take awhile. If the installation process is lengthy, do not assume that the installation has encountered an error unless a specific failure notification is displayed. Once installation is complete, the Installation Successful screen will appear to inform you that installation is complete.

21

Websense Data Security Suite

Logging in
Accessing the DSS Manager is accomplished via your Internet browser. To Access the DSS Manager: 1. In the Internet browser address field, type: https://[FQDN]:8443/mng Where FQDN is your fully qualified domain name - IP address or hostname. Alternatively, you can access the DSS Manager via the DSS Manager shortcut placed on the desktop during installation or by selecting DSS Manager from your Start menu. The DSS Manager Login window opens.

22

Websense Data Security Suite

2. In the Username and Password fields, type the Username and Password. The initial value word for both is admin (case sensitive). Click the Log On button. The Change Password screen appears. Upon initial login, you are required to reset the original password. 3. In the Change Password screen, type the old password (admin). Enter a new password and retype it for confirmation.

4. Click the OK button. NOTE: A maximum of 20 users can be signed in simultaneously.

23

Websense Data Security Suite

System Setup
Updating Licenses
Before beginning to work with the Data Security Suite it is necessary to enter your registration codes into the Data Security Suite to activate your license.

Licensing
Your Websense Data Security Suite license is a signed and sealed XML file that should not be modified. It is recommended not to tamper with the license file. If you delete or damage the file, the Content Manager will stop responding, and as a result, will stop analyzing events - all transactions will be passed undeterred. It is also necessary to enter the Websense license key. To obtain a new license, contact a Websense Data Security Suite sales representative. Websense Data Security Suite arrives with a limited evaluation license. You will be updated when this license is about to expire. You must keep the terms of your Websense Data Security Suite license, otherwise Websense Data Security Suite will not analyze any traffic.

Important: Once the evaluation license has expired, traffic WILL NOT be analyzed. This means that violations of your policies will not be monitored or blocked.

24

Websense Data Security Suite

Licensing the Data Security Suite

If you purchased an upgrade or changed your license type, you must update your Data Security Suite license file. If you do not do so, you will receive an error message when you try to use the Data Security Suite. Because the Websense Data Security Suite is shipped with a trial license, it is necessary to update the license upon purchase. To update the Data Security Suite license 1. In the Data Security Suite Management Console, click the Global Properties button in the applications toolbar. The Global Properties dialog box appears with the General tab displayed. 2. Click the License tab. The License tab is displayed. Enter the Websense License Key - this is to be provided by a Websense sales representative, SE or Websense vendor.

25

Websense Data Security Suite

In the Enter a license file field, click the Browse button the find the Data Security Suite xml license file.

3. Click the Browse button, and navigate to the new license file. 4. Click Commit License. The new license terms appear in the License Terms area. A confirmation message appears. 5. Verify that the license terms are correct, and click OK. A success message appears.

26

Websense Data Security Suite

6. Click OK. The Data Security Suite license is updated. The license will take effect after one minute.

27

Websense Data Security Suite

Setting General System Parameters

Setting LDAP Server Settings
There are two LDAP imports required, one in the DSS Management Console (MMC) used for importing users and groups which will be used by the authorized/unauthorized list features in the policy definition. The second LDAP import is this DSS Manager LDAP which is used to:
Authenticate LDAP administrators - defining an LDAP administrator

allows the user to login with the LDAP username and password.
Collect more users details and display them in the incident details.

The Data Security Suite currently supports the following types of LDAP Servers: AD, ADAM and IBM Domino. To import LDAP Server administrators and details in the DSS Manager: 1. In the DSS Manager menu click on Options followed by Settings. The Settings General Screen is displayed. 2. Click the Settings screen, click the LDAP option. The Settings LDAP screen is displayed.

28

Websense Data Security Suite

3. Under Users' LDAP Server, update the IP Address/Hostname and Port Number parameters as necessary. 4. Enter a Username and Password used to access the LDAP Server and click the Test Connection button to make sure that the server is accessible. 5. In the LDAP User Info section, enter the LDAP Attributes you want the DSS Manager to collect for all users (comma separated), and enter a Test Email to be used to test that the LDAP information is successfully imported. Click the Test LDAP Information button.
Click the Save button to apply changes

29

Websense Data Security Suite

Setting Outgoing Mail Server

This SMTP server will be used for scheduled reports. It has no relevance to release/notifications etc. To configure the outgoing mail server: 1. In the DSS Manager menu click on Options followed by Settings. 2. In the Settings screen, click the Email Configuration option. The Email Configuration screen is displayed.

3. Under Outgoing Mail Server (SMTP) update the IP Address/Hostname and Port Number parameters as necessary. 4. Click the OK button to apply changes.

30

Websense Data Security Suite

Configuring System Modules

The System Modules parameters screen enables you to set global parameters that will apply to all modules in the Data Security Suite. It is important to configure these parameters as part of the initial setup. For more information about System Modules, see Managing System Modules in the Websense Data Security Suite Manager Users Guide.

1. In the DSS Manager click Configuration | System Modules. 2. Click the System Modules icon or link.

The Global Properties-Mail Gateways screen is displayed.

31

Websense Data Security Suite

3. In the Global Properties-Mail Gateways screen, set the following parameters.

Parameter

Definition

Mail Release Gateway Notification Gateway

Set the mail release gateway IP address and Port number. These will be used by the Data Security Suite to send released emails after they were blocked and someone released them. The notification gateway defines the gateway to be used for all administrator notifications that are sent to alert administrators when violations are detected.

32

Websense Data Security Suite

Email Encryption Gateway

The Redirection Gateway IP address and port let the Data Security Suite know where to send traffic that is supposed to be encrypted or is set to bypass analysis. One way to inform the Data Security Suite that email is to be sent to the encryption gateway, is by inserting a specific string, or flag, in the Subject field of the email. In the event that a policy specifies that certain content should be encrypted, this flag will automatically be added to the subject field. Set the flag here. One way to inform the Data Security Suite that email is to bypass content analysis, is by inserting a specific string, or flag, in the Subject field of the email. To set an email to bypass content analysis, check the checkbox here and set the string to be used as a flag by the Data Security Suite.

33

Websense Data Security Suite

Setting Policies
The final necessary step before the Data Security Suite can actually begin monitoring and analyzing data is to set policies which define what kind of data to look for, where to find it and what to do when it is encountered. For more information about working with policies, see the Websense Data Security Suite Policy Configuration Guide.

34