Webwasher Secure Content Management 6.0 Upgrade Guide

kc.mcafee.com

Webwasher Secure Content Management 6.0 Upgrade Guide

UPGRADE GUIDE

Webwasher Secure Content Management

Version 6.0

www.securecomputing.com


Part Number: 86-0946283-A

All Rights Reserved, Published and Printed in Germany

©2006 Secure Computing Corporation. This document may not, in whole or in part, be copied, photocopied,

reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent

in writing from Secure Computing Corporation. Every effort has been made to ensure the accuracy of this

manual. However, Secure Computing Corporation makes no warranties with respect to this documentation

and disclaims any implied warranties of merchantability and fitness for a particular purpose. Secure Computing

Corporation shall not be liable for any error or for incidental or consequential damages in connection

with the furnishing, performance, or use of this manual or the examples herein. The information in this

document is subject to change without notice. Webwasher, MethodMix, AV PreScan, Live Reporting, Content

Reporter, Real-Time Classifier are all trademarks or registered trademarks of Secure Computing Corporation

in Germany and/or other countries. Microsoft, Windows NT, Windows 2000 are registered trademarks of Microsoft

Corporation in the United States and/or other countries. Sun and Solaris are trademarks or registered

trademarks of Sun Microsystems, Inc. in the United States and other countries. Squid is copyrighted by the

University of California, San Diego. The Mozilla SpiderMonkey and NSPR libraries distributed with Webwasher

are built from the original Mozilla source code, without modifications (MPL section 1.9). The source code is

available under the terms of the Mozilla Public License, Version 1.1. Linux is a registered trademark of Linus

Torvalds. Other product names mentioned in this guide may be trademarks or registered trademarks of their

respective companies and are the sole property of their respective manufacturers.

Secure Computing Corporation

Webwasher – A Secure Computing Brand

Vattmannstrasse 3, 33100 Paderborn, Germany

Phone: +49 (0) 5251 50054-0

Fax: +49 (0) 5251 50054-11

info@webwasher.com

www.webwasher.com

www.securecomputing.com

European Hotline

Phone: +49 (0) 5251 50054-460

US Hotline

Phone: +1 800 700 8328, +1 651 628 1500


Contents

Chapter 1 Introduction ........................................................................................ 1– 1

Chapter 2 Upgrading from 5.2 ............................................................................. 2– 1

2.1 SSL Scanner Migration ................................................................... 2– 1

2.2 Cluster Configuration...................................................................... 2– 2

2.3 Mixed Cluster Environment.............................................................. 2– 3

2.4 SSL Scanner Functions in a Cluster .................................................. 2– 3

2.5 Using SUSE Linux Enterprise Server 8............................................... 2– 3

Chapter 3 Upgrading from 5.1 ............................................................................. 3– 1

3.1 SSL Scanner Migration ................................................................... 3– 1

3.2 Cluster Configuration...................................................................... 3– 2

3.3 Mixed Cluster Environment.............................................................. 3– 4

3.4 SSL Scanner Functions in a Cluster .................................................. 3– 4

3.5 Generic Body Filter ........................................................................ 3– 5

3.6 NTLM Authentication on UNIX.......................................................... 3– 5

3.7 Reporting with SNMP Support.......................................................... 3– 5

3.8 Using SUSE Linux Enterprise Server 8............................................... 3– 5

Chapter 4 Upgrading from Older Versions .......................................................... 4– 1

4.1 Upgrading from 3.x ........................................................................ 4– 1

4.2 Upgrading from 4.x ........................................................................ 4– 1

i


Introduction

Chapter 1

Welcome to the Webwasher® Upgrade Guide. This guide provides you

with some useful information for upgrading to a new version of the Webwasher

software.

The Webwasher Secure Content Management (SCM) software comes in a

suite of high-performance content security products for use at the network

gateway and integrated in the Secure Computing product line.

By providing an unparalleled breadth and depth of content security filtering and

management, it creates an entirely new level of defense against today’s new

blended network security threats.

Upgrading to a new version of Webwasher is a routine process performed to

increase and enhance content security on your network.

To ensure a full understanding of this process, you should be aware of some

related issues that are described in the sections of this guide:

• Upgrading from version 5.2, see 2.1 to 2.5

• Upgrading from version 5.1, see 3.1 to 3.8

• Upgrading from older versions, see 4.1 and 4.2

More information is provided in the Webwasher User’s Guides.

1–1


Upgrading from 5.2

Chapter 2

When upgrading your software from Webwasher CSM 5.2 to 5.3, you should

be aware of some issues relating to this upgrade. The following sections provide

information on them.

Some of these issues concern the upgrade process itself. Others are resulting

from this process and are described here to ensure you understand their

effects.

These issues include the following:

• SSL Scanner Migration, see 2.1

• Cluster Configuration, see 2.2

• Mixed Cluster Environment, see 2.3

• SSL Scanner Functions in a Cluster, see 2.4

• Using SUSE Linux Enterprise Server 8, see 2.5

2.1

SSL Scanner Migration

This section provides upgrade information concerning the SSL Scanner product.

If you are not using this product, this information does not apply to you.

If you are using the product, the procedure described in this section is only to

be performed in case you have changed the root CA. The section then tells

you how to import this changed root CA for an instance of Webwasher.

When Webwasher is upgraded to 5.3, the sub-folder ssl-migration is created

in the info folder of the Webwasher program files.

Among the files stored in this folder are two files that are needed to perform a

migration of the root CA (Certificate Authority):

• PCACert.pem – the certificate of the root CA

• PCAKey.pem – the private key needed for access to the root CA

2–1


Upgrading from 5.2

2.2

These files contain information on the root CA for Webwasher, which needs to

be imported once again.

To do this, toggle to the System Configuration view of the Web interface provided

for configuring Webwasher. Then go to Configuration > Certificate

Management > Webwasher Root CA.

In the field labeled Import Certificate Authority, usetheBrowse buttons

next to the Certificate and Private Key input fields to browse to the files

mentioned above.

In the Password input field, enter the passphrase you specified as password

for the private key.

Then import the root CA by clicking on the Import button.

Cluster Configuration

2–2

When the Webwasher 5.2 software is upgraded to version 5.3 on a cluster, no

configuration activities can be performed for Webwasher on this cluster while

the upgrade process is going on.

All operative functions, however, will continue to work during the upgrade. The

filtering process is not interrupted, which ensures continuous protection of your

network against all security threats. For the SSL Scanner functions, see section

2.4.

After finishing the upgrade, configuration of the cluster software can be performed

as usual.

Split Configuration

To enable continuous access to the configuration functions, you could split the

cluster, e. g. in two parts, and upgrade one part of the cluster first.

During this time, the other part of the cluster will be accessible for configuration.

After completing the first part of the cluster, the upgrade is continued for the

other part until the cluster is completely accessible for configuration again.

To proceed in this way would mean that at least one part of the cluster is accessible

for configuration throughout the whole upgrade process.

A simple example would be a cluster consisting of a master and four site instances.

The cluster could be split in two parts, with each of them consisting

of two systems. The configuration procedure could then be performed as described.


2.3

Mixed Cluster Environment

Upgrading from 5.2

When the Webwasher 5.2 software is upgraded to version 5.3 on the master

system of a cluster, no site instances running version 5.2 can be members of

this cluster any more.

In other words, it is not possible to set up a mixed cluster environment in this

case.

2.4

SSL Scanner Functions in a Cluster

This section provides information concerning the use of the SSL Scanner in a

cluster. If you are not using this product, this information does not apply to you.

When the Webwasher software is operated on a cluster, the SSL Scanner functions

will only work as long as the master system is available to them.

During an upgrade to version 5.3, upgrading the master system in a cluster

means, however, that this system is not available to the SSL Scanner functions.

It is therefore recommended to switch these functions off while the upgrade is

going on.

This applies, however, only to the first time version 5.3 is installed. It is not

needed for maintenance releases following this upgrade.

2.5

Using SUSE Linux Enterprise Server 8

When using SUSE Linux Enterprise Server 8, note that UnitedLinux 1.0 x86

Service Pack 3 is needed as a prerequisite for running this server software.

2–3


Upgrading from 5.1

Chapter 3

When upgrading your software from Webwasher CSM 5.1 to 5.3, you should

be aware of some issues relating to this upgrade.

Some of these issues concern the upgrade process itself. Others are resulting

from this process and are described here to ensure you understand their

effects.

These issues include the following:

• SSL Scanner Migration, see 3.1

• Cluster Configuration, see 3.2

• Mixed Cluster Environment, see 3.3

• SSL Scanner Functions in a Cluster, see 3.4

• Generic Body Filter, see 3.5

• NTLM Authentication on UNIX, see 3.6

• Reporting with SNMP Support, see 3.7

• Using SUSE Linux Enterprise Server 8, see 3.8

3.1

SSL Scanner Migration

This section provides upgrade information concerning the SSL Scanner product.

If you are not using this product, this information does not apply to you.

If you are using the product, the procedure described in this section is only to

be performed in case you have changed the root CA. The section then tells

you how to import this changed root CA for an instance of Webwasher.

When upgrading to Webwasher 5.3, it is advisable to keep two important lists

with settings needed for filtering SSL traffic:

• The Decryption Filter list

• The Ticket ID list

3–1


Upgrading from 5.1

3.2

To keep these lists, you need to complete the following steps:

1. Install version 5.2 of Webwasher on your system and start it.

2. Toggle to the Filter Policies view of the Web interface provided for configuring

Webwasher and go to SSL Scanner > Policy Independent >

Ticket ID List.

3. Close Webwasher and install version 5.3, overwriting 5.2.

The upgrade procedure is continued by importing a root CA. If you think you

do not need the lists mentioned above, you can begin the upgrade procedure

here by just installing version 5.3 of Webwasher.

After installing 5.3, the sub-folder ssl-migration is created in the info folder

of the Webwasher program files.

Among the files stored in this folder are two files that are needed to perform a

migration of the root CA:

• PCACert.pem – the certificate of the root CA (Certificate Authority)

• PCAKey.pem – the private key needed for access to the root CA

These files contain information on the root CA for Webwasher, which needs

to be imported once again. To perform the import procedure, complete the

following steps:

1. Toggle to the System Configuration view of the Web interface and go to

Configuration > Certificate Management > Webwasher Root CA.

2. In the field labeled Import Certificate Authority, usetheBrowse buttons

next to the Certificate and Private Key input fields to browse to the

files mentioned above.

3. In the Password input field, enter the passphrase you specified as password

for the private key.

4. Import the root CA by clicking on the Import button.

Cluster Configuration

3–2

When the Webwasher 5.1 software is upgraded to version 5.3 on a cluster, no

configuration activities can be performed for Webwasher on this cluster while

the upgrade process is going on.

All operative functions, however, will continue to work during the upgrade. The

filtering process is not interrupted, which ensures continuous protection of your

network against all security threats. For the SSL Scanner functions, see section

3.4.


Upgrading from 5.1

After finishing the upgrade, configuration of the cluster software can be performed

as usual.

3–3


Upgrading from 5.1

Split Configuration

To enable continuous access to the configuration functions, you could split the

cluster, e. g. in two parts, and upgrade one part of the cluster first.

During this time, the other part of the cluster will be accessible for configuration.

After completing the first part of the cluster, the upgrade is continued for the

other part until the cluster is completely accessible for configuration again.

To proceed in this way would mean that at least one part of the cluster is accessible

for configuration throughout the whole upgrade process.

A simple example would be a cluster consisting of a master and four site instances.

The cluster could be split in two parts, with each of them consisting

of two systems. The configuration procedure could then be performed as described.

3.3

Mixed Cluster Environment

When the Webwasher 5.1 software is upgraded to version 5.3 on the master

system of a cluster, no site instances running version 5.1 can be members of

this cluster any more.

In other words, it is not possible to set up a mixed cluster environment in this

case.

3.4

SSL Scanner Functions in a Cluster

3–4

This section provides information concerning the use of the SSL Scanner in a

cluster. If you are not using this product, this information does not apply to you.

When the Webwasher software is operated on a cluster, the SSL Scanner functions

will only work as long as the master system is available to them.

During an upgrade to version 5.3, upgrading the master system in a cluster

means that this system is not available to the SSL Scanner functions.

It is therefore recommended to switch these functions off while the upgrade is

going on.

This applies, however, only to the first time version 5.3 is installed. It is not

needed for maintenance releases following this upgrade.


3.5

Generic Body Filter

Upgrading from 5.1

Using the Generic Body Filter, you can filter and block Web and e-mail content

according to keywords, regardless of the URL from which it originates. The

filter works by applying rules that specify the byte structure of potentially malicious

content.

There was a restriction in the complexity of rules up to version 5.1. A rule could

be composed of no more than five parts specifying filtering conditions.

This restriction is no longer valid for versions 5.2 and 5.3. With these versions,

the maximum number of conditions that a rule may be composed of is not fixed.

3.6

NTLM Authentication on UNIX

With version 5.2 and 5.3, an NTLM Agent is included among the features of the

Webwasher software. Resulting from this, the NTLM authentication method

can be used also on UNIX systems.

Using a proxy chain to enable this authentication method on UNIX is therefore

no longer required.

3.7

Reporting with SNMP Support

To enable reporting of the filtering functions, messages sent by the clients are

entered in a central log system. With versions 5.2 and 5. 3, the SNMP protocol

is available to support this communication.

Setting up special agents to enable client reporting is therefore no longer required.

3.8

Using SUSE Linux Enterprise Server 8

When using SUSE Linux Enterprise Server 8, note that UnitedLinux 1.0 x86

Service Pack 3 is needed as a requirement for running this server software.

3–5


Chapter 4

Upgrading from Older Versions

The following sections provide you with information about upgrading from older

versions of Webwasher CSM.

4.1

Upgrading from 3.x

Upgrading from Webwasher 3.x is not possible. Please de-install this version

first before you install Webwasher 5.x.

You will also need to obtain a new license for Webwasher 5.x by going to the

Webwasher extranet.

4.2

Upgrading from 4.x

Webwasher 5.x can be installed over an earlier version of Webwasher 4.x.

When updating an old Webwasher installation with a new Webwasher version,

Webwasher tries to take over as much of the old settings as possible. This

process is called migration.

Due to setting changes, e. g. new settings, removed, or renamed settings,

etc., this is not an easy task. However, Webwasher migrates old settings automatically.

After a new Webwasher version is installed and started for the first

time, Webwasher detects the presence of old settings and automatically migrates

them.

All changes are logged to the file “logs/migration.log”.If the first start of Webwasher

fails due to an unsuccessful migration, this log file gives you information

about what went wrong.

Please note that all changes are undone if migration fails, to avoid having an

inconsistent state for configuration files.

4–1


Upgrading from Older Versions

4–2

More details about configuration file changes can be found in Chapter 2 of the

Reference Guide.

More magazines by this user
Similar magazines