TRITON Unified Security Center Help, Version 7.7 - Websense
<strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong> <strong>Help</strong><br />
<strong>Websense</strong> ® <strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong><br />
v<strong>7.7</strong>
©2011-2012, <strong>Websense</strong> Inc.<br />
All rights reserved.<br />
10240 Sorrento Valley Rd., San Diego, CA 92121, USA<br />
Published 2012<br />
Printed in the United States of America and Ireland.<br />
The products and/or methods of use described in this document are covered by U.S. Patent Numbers 6,606,659 and 6,947,985<br />
and other patents pending.<br />
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic<br />
medium or machine-readable form without prior consent in writing from <strong>Websense</strong> Inc.<br />
Every effort has been made to ensure the accuracy of this manual. However, <strong>Websense</strong> Inc., makes no warranties with<br />
respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose.<br />
<strong>Websense</strong> Inc. shall not be liable for any error or for incidental or consequential damages in connection with the furnishing,<br />
performance, or use of this manual or the examples herein. The information in this documentation is subject to change<br />
without notice.<br />
Trademarks<br />
<strong>Websense</strong>, the <strong>Websense</strong> Logo, Threatseeker and the YES! Logo are registered trademarks of <strong>Websense</strong>, Inc. in the United<br />
States and/or other countries. <strong>Websense</strong> has numerous other unregistered trademarks in the United States and<br />
internationally. All other trademarks are the property of their respective owners.
Contents<br />
Topic 1 Getting Started, page 1<br />
Logging on to the <strong>TRITON</strong> console, page 2<br />
Logging on with two-factor authentication, page 3<br />
<strong>Security</strong> certificate alerts, page 4<br />
<strong>TRITON</strong> console session time outs, page 5<br />
Managing your account through the My<strong>Websense</strong> Portal, page 7<br />
<strong>Websense</strong> technical support, page 7<br />
Topic 2 Configuring <strong>TRITON</strong> Settings, page 9<br />
Viewing your account information, page 10<br />
Setting user directory information, page 10<br />
Introducing administrators, page 13<br />
Global <strong>Security</strong> Administrator, page 13<br />
<strong>TRITON</strong> administrators, page 14<br />
Enabling access to the <strong>TRITON</strong> console, page 15<br />
Adding a local account, page 16<br />
Adding a network account, page 18<br />
Editing a local account, page 20<br />
Editing a network account, page 22<br />
Setting email notifications, page 23<br />
Configuring certificate authentication, page 25<br />
How does certificate authentication work, page 26<br />
Setting up attribute matching, page 27<br />
Audit log, page 28<br />
Topic 3 Accessing Appliances, page 29<br />
Managing appliances, page 29<br />
Registering an appliance, page 30<br />
Editing appliance details, page 31<br />
Configuring an existing appliance for single sign-on, page 32<br />
Topic 4 Backup and Restore of <strong>TRITON</strong> Data, page 33<br />
Scheduling <strong>TRITON</strong> infrastructure backups, page 34<br />
Running immediate backups, page 35<br />
Restoring <strong>TRITON</strong> infrastructure backup data, page 35<br />
Changing backup settings, page 36<br />
Synchronizing <strong>TRITON</strong> infrastructure and <strong>TRITON</strong> - Web <strong>Security</strong> backups, page 37<br />
1<br />
Getting Started<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
The <strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong> is a browser-based console that provides a<br />
central, graphical interface to the general configuration, policy management, and<br />
reporting functions of your <strong>Websense</strong> security software.<br />
The <strong>TRITON</strong> console includes one or more of the following modules, depending on<br />
your subscription:<br />
• <strong>TRITON</strong> - Web <strong>Security</strong> works in conjunction with integration devices<br />
(including proxy servers, firewalls, routers, and caching appliances) and enables<br />
you to develop, monitor, and enforce Internet access policies.<br />
• <strong>TRITON</strong> - Data <strong>Security</strong> protects organizations from information leaks and data<br />
loss both at the perimeter and inside the organization.<br />
• <strong>TRITON</strong> - Email <strong>Security</strong> protects your organization against the threats of<br />
malware, spam, and other unwanted content in email traffic.<br />
If your subscription includes <strong>TRITON</strong> Mobile <strong>Security</strong>, the <strong>TRITON</strong> console also<br />
provides a link to the Mobile <strong>Security</strong> portal: a cloud-based console used to manage<br />
threat protection and data loss prevention for mobile devices.<br />
To learn to use the <strong>TRITON</strong> console, browse this guide or select one of the<br />
following topics as a launch point.<br />
First steps<br />
• Logging on to the <strong>TRITON</strong> console<br />
• Navigating in the <strong>TRITON</strong> console<br />
• Managing your account through the My<strong>Websense</strong> Portal<br />
• Viewing your account information<br />
Other administrator tasks<br />
• Configuring certificate authentication<br />
• Audit log<br />
• Managing appliances<br />
Manage administrators<br />
• Introducing administrators<br />
• Setting user directory information<br />
• Enabling access to the <strong>TRITON</strong> console<br />
• Setting email notifications<br />
Backup and restore<br />
• Scheduling <strong>TRITON</strong> infrastructure backups<br />
• Restoring <strong>TRITON</strong> infrastructure backup data<br />
Logging on to the <strong>TRITON</strong> console<br />
Related topics:<br />
Logging on with two-factor authentication, page 3<br />
<strong>Security</strong> certificate alerts, page 4<br />
<strong>TRITON</strong> console session time outs, page 5<br />
The <strong>TRITON</strong> console is the central configuration interface used to manage software<br />
configuration and settings for your <strong>Websense</strong> software modules. This Web-based tool<br />
runs on the following supported browsers:<br />
• Microsoft Internet Explorer 8 and 9<br />
Note<br />
If you are using Internet Explorer, make sure Enhanced<br />
<strong>Security</strong> Configuration is switched off.<br />
Also, if you are using Internet Explorer 8, Compatibility<br />
View is not supported.<br />
• Mozilla Firefox 4.x and later<br />
• Google Chrome 13 and later<br />
Although it is possible to launch the <strong>TRITON</strong> console using some other browsers, use<br />
the supported browsers to receive full functionality and proper display of the<br />
application.<br />
Note<br />
Some animations in the <strong>TRITON</strong> console depend on the<br />
browser settings. In Internet Explorer, select the Tools ><br />
Internet Options > Advanced > Multimedia > Play<br />
animation in webpages option to ensure animations<br />
display properly.<br />
To launch the <strong>TRITON</strong> console, do one of the following:<br />
• On Windows machines, go to Start > Programs > <strong>Websense</strong>, and then select<br />
<strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong>.<br />
• Double-click the <strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong> shortcut placed on the desktop<br />
during installation.<br />
• Open a supported browser on any machine in your network and enter the<br />
following:<br />
https://&lt;IP address or hostname&gt;:9443/triton/<br />
Substitute the IP address or hostname of the <strong>TRITON</strong> machine. It is recommended<br />
that you use the IP address, especially when launching the <strong>TRITON</strong> console from<br />
a remote machine.<br />
After installation, the default user, admin, has full administrative access to all<br />
modules of the <strong>TRITON</strong> console. The account cannot be deleted, and the user name<br />
cannot be changed. The admin password is configured during installation.<br />
At the logon page, enter your User name and Password, then click Log On. If your<br />
organization is using two-factor authentication, see Logging on with two-factor<br />
authentication, page 3.<br />
Note<br />
If you are using a local user name created in the <strong>TRITON</strong><br />
console and that user name and password match a network<br />
account user name and password, the local account takes<br />
precedence.<br />
If you are unable to connect to the <strong>TRITON</strong> console from a remote machine, make<br />
sure that your firewall allows communication on port 9443.<br />
Windows 7 considerations<br />
If you are using the Windows 7 operating system, you may need to run the browser as<br />
administrator for it to allow ActiveX controls.<br />
1. Right-click the browser application and select Run as administrator.<br />
2. Log on to the <strong>TRITON</strong> console and accept the security certificate as described<br />
above.<br />
Adobe Flash Player<br />
Adobe Flash Player v8 or beyond is required for the Data <strong>Security</strong>, Web <strong>Security</strong>, and<br />
Email <strong>Security</strong> dashboards. All the other functions of the <strong>TRITON</strong> console can<br />
operate without Flash. If you do not already have Flash Player, you are prompted to<br />
install it when you log on. Click the link that is supplied and download Flash Player<br />
from the Adobe download center.<br />
Logging on with two-factor authentication<br />
If you are using two-factor authentication, you do not usually see the logon page.<br />
Instead, when you access the <strong>TRITON</strong> console URL:<br />
1. The console detects whether a client certificate is installed.<br />
2. You provide your two-factor authentication credentials as defined by your<br />
organization.<br />
3. After successful authentication, the <strong>TRITON</strong> console receives the client<br />
certificate and checks that it matches the signature in the uploaded root CA<br />
certificates.<br />
4. If the signature matches, the <strong>TRITON</strong> console checks for a full match with the<br />
certificates that you have either uploaded to the <strong>TRITON</strong> console, or imported<br />
from your user directory.<br />
5. If a match is found, you are logged on to the console.<br />
If no certificate match is found, the logon process depends on the fallback options that<br />
have been set up:<br />
• Attribute matching checks if the client certificate contains a property matching a<br />
specific LDAP attribute in your user directory.<br />
• Password authentication can be enabled in case certificate matching and attribute<br />
matching fail.<br />
If neither of these options is available, you cannot log on without a matching<br />
certificate.<br />
If all of your administrator accounts are configured to use two-factor authentication,<br />
and you encounter an issue where your administrators do not have client certificates or<br />
certificate matching is failing, you can still log on to the <strong>TRITON</strong> console as follows:<br />
1. Open a browser on the <strong>TRITON</strong> Management Server machine. You can access the<br />
machine using a Remote Desktop Connection.<br />
2. Go to the URL https://127.0.0.1:9443/triton (or https://localhost:9443/triton).<br />
3. Log on using the admin user name and password.<br />
You can then configure your two-factor authentication options to provide a fallback<br />
for your other administrators. See Configuring certificate authentication, page 25.<br />
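The logon order described above, modelled as an added example (not Websense code) that lists which administrators a given fallback configuration would leave unable to log on remotely. All names, fingerprints, and the `email`/`mail` attribute pair are constructed; the root CA signature check is replaced by an issuer-name lookup. It assumes that a missing or untrusted certificate goes straight to the password fallback and that an ambiguous attribute match is refused, neither of which the guide specifies.

```python
"""Model of the two-factor logon order (added example, not Websense code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ClientCert:
    fingerprint: str                  # identifies this exact certificate
    issuer: str                       # stand-in for "signed by this root CA"
    properties: dict = field(default_factory=dict)


@dataclass
class Admin:
    name: str
    certs: set = field(default_factory=set)   # uploaded, or imported from the directory
    ldap: dict = field(default_factory=dict)  # attributes held in the user directory


@dataclass
class Fallback:
    attribute: Optional[tuple] = None  # (certificate property, LDAP attribute); None = off
    password: bool = False


def logon(cert, admins, root_cas, fallback, password_ok_for=None, from_loopback=False):
    """Return (account, method); account is None when the logon is refused.

    password_ok_for names the account whose password was entered correctly
    (checking the password itself is outside this model).
    """
    # Step 3: the certificate must chain to an uploaded root CA.
    trusted = cert is not None and cert.issuer in root_cas
    if trusted:
        # Steps 4-5: full match against the stored certificates.
        for admin in admins:
            if cert.fingerprint in admin.certs:
                return admin.name, "certificate"
        # Fallback 1: a certificate property equals an LDAP attribute.
        if fallback.attribute:
            prop, attr = fallback.attribute
            value = cert.properties.get(prop)
            hits = [a for a in admins if value is not None and a.ldap.get(attr) == value]
            if len(hits) == 1:        # assumption: ambiguous matches are refused
                return hits[0].name, "attribute"
    # Fallback 2: password authentication, if enabled.
    if fallback.password and password_ok_for:
        return password_ok_for, "password"
    # Recovery path from the guide: admin logging on at the management server.
    if from_loopback and password_ok_for == "admin":
        return "admin", "local-console"
    return None, "refused"


def stranded(admins, presented, root_cas, fallback):
    """Admins who know their password but are still refused from a remote machine."""
    out = []
    for admin in admins:
        who, _ = logon(presented.get(admin.name), admins, root_cas, fallback,
                       password_ok_for=admin.name)
        if who != admin.name:
            out.append(admin.name)
    return out


# Constructed sample data.
ROOT_CAS = {"Example Root CA"}
ADMINS = [
    Admin("admin"),
    Admin("alice", {"AA:01"}, {"mail": "alice@example.test"}),
    Admin("bob", set(), {"mail": "bob@example.test"}),
    Admin("carol", {"CC:03"}, {"mail": "carol@example.test"}),
]
PRESENTED = {
    "admin": None,                                          # no client certificate
    "alice": ClientCert("AA:01", "Example Root CA"),        # stored certificate
    "bob": ClientCert("BB:02", "Example Root CA",
                      {"email": "bob@example.test"}),       # trusted but not stored
    "carol": ClientCert("CC:03", "Other CA"),               # stored, untrusted issuer
}

if __name__ == "__main__":
    for label, fb in [("no fallback", Fallback()),
                      ("attribute matching", Fallback(attribute=("email", "mail"))),
                      ("password fallback", Fallback(password=True))]:
        print(f"{label:20s} stranded: {stranded(ADMINS, PRESENTED, ROOT_CAS, fb)}")
```
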
<strong>Security</strong> certificate alerts<br />
An SSL connection is used for secure, browser-based communication with the<br />
<strong>TRITON</strong> console. This connection uses a security certificate issued by <strong>Websense</strong>, Inc.<br />
Because the supported browsers do not recognize <strong>Websense</strong>, Inc., as a known<br />
Certificate Authority, a certificate error is displayed the first time you launch the<br />
<strong>TRITON</strong> console from a new browser. To avoid seeing this error, you can install or<br />
permanently accept the certificate within the browser. See the <strong>Websense</strong> Technical<br />
Library for instructions.<br />
Once the security certificate has been accepted, the <strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong><br />
logon page is displayed in the browser window.<br />
Note<br />
If you are using Internet Explorer, the certificate error will<br />
still be present after you accept the certificate. You must<br />
close and reopen your browser to remove the error<br />
message.<br />
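A check to run before installing or permanently accepting the console certificate, as an added example that is not part of the Websense documentation: it compares the SHA-256 fingerprint of the certificate served on port 9443 with a value obtained out of band. It assumes the expected fingerprint was read on the TRITON Management Server itself; the sample certificate bytes are constructed.

```python
"""Compare the console certificate with a fingerprint obtained out of band (added example)."""
import hashlib
import hmac
import ssl


def normalize_fingerprint(text):
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex; return 64 lowercase hex digits."""
    hexed = "".join(c for c in text if c not in ": \t\n").lower()
    if len(hexed) != 64 or any(c not in "0123456789abcdef" for c in hexed):
        raise ValueError("not a SHA-256 fingerprint")
    return hexed


def pem_fingerprint(pem):
    """SHA-256 over the DER encoding, the value browsers show as the fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def matches_pin(pem, expected):
    """True only if the served certificate is exactly the expected one."""
    return hmac.compare_digest(pem_fingerprint(pem), normalize_fingerprint(expected))


def fetch_console_cert(host, port=9443):
    """Fetch the certificate without validating it (the issuer is not a CA the client trusts)."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Constructed stand-in for the console certificate so the example runs offline.
    # In use: pem = fetch_console_cert("<IP address or hostname>")
    der = b"constructed stand-in for certificate DER bytes"
    pem = ssl.DER_cert_to_PEM_cert(der)
    expected = hashlib.sha256(der).hexdigest().upper()
    print("match" if matches_pin(pem, expected) else "MISMATCH: do not accept")
```
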
<strong>TRITON</strong> console session time outs<br />
A <strong>TRITON</strong> console session ends 30 minutes after the last action taken in the user<br />
interface (clicking from page to page, entering information, caching changes, or<br />
saving changes). A warning message is displayed 5 minutes before session end.<br />
• If there are uncached or unsaved changes, the changes are lost when the session<br />
ends. Remember to save and deploy changes regularly.<br />
• If the <strong>TRITON</strong> console is open in multiple tabs of the same browser window, all<br />
instances share the same session. If the session times out in one tab, it times out in<br />
all tabs.<br />
• If the <strong>TRITON</strong> console is open in multiple browser windows on the same<br />
computer, the instances, by default, share the same session.<br />
If the session times out in one window, it times out in all windows.<br />
• In the following instances, you can open multiple <strong>TRITON</strong> instances that do not<br />
share a session. In these situations, if one window times out, the others are not<br />
affected.<br />
  • Use the File > New Session command to open a new Internet Explorer 8 or 9<br />
  window.<br />
  • Use Internet Explorer to open one connection to the <strong>TRITON</strong> console, and<br />
  then use Firefox or Chrome to open another connection.<br />
If you close the browser without logging off of the <strong>TRITON</strong> console, or if the remote<br />
machine from which you are accessing a <strong>TRITON</strong> module shuts down unexpectedly,<br />
you may be temporarily locked out. <strong>Websense</strong> software typically detects this issue<br />
within about 2 minutes and ends the interrupted session, allowing you to log on again.<br />
Navigating in the <strong>TRITON</strong> console<br />
The <strong>TRITON</strong> Settings interface can be divided into 5 main areas:<br />
1. Banner<br />
2. <strong>TRITON</strong> toolbar<br />
3. Module toolbar<br />
4. Navigation pane<br />
5. Content pane<br />
The banner shows:<br />
• Your current logon account<br />
• A Log Off button, for when you’re ready to end your administrative session<br />
The <strong>TRITON</strong> toolbar indicates which module is active, and lets you launch other<br />
<strong>TRITON</strong> modules. It also provides access to <strong>Help</strong>, tutorials, the Technical Library,<br />
and other useful information.<br />
When you log on to the <strong>TRITON</strong> console, the module you last accessed is active and<br />
the button for that module in the <strong>TRITON</strong> toolbar is yellow. Buttons for modules that<br />
are installed but not currently active are blue, and buttons for uninstalled modules are<br />
grey.<br />
The module toolbar contains information and options relevant to the module that is<br />
currently active. If you are configuring <strong>TRITON</strong> settings or appliances, it contains<br />
your <strong>TRITON</strong> administrator permissions.<br />
The navigation pane contains the available navigation choices for the <strong>TRITON</strong><br />
module or <strong>TRITON</strong> configuration option that is currently selected. The content pane<br />
varies according to the selection in the navigation pane.<br />
For more information about specific modules, see:<br />
• <strong>TRITON</strong> - Data <strong>Security</strong> <strong>Help</strong><br />
• <strong>TRITON</strong> - Email <strong>Security</strong> <strong>Help</strong><br />
• <strong>TRITON</strong> - Web <strong>Security</strong> <strong>Help</strong><br />
Managing your account through the My<strong>Websense</strong> Portal<br />
<strong>Websense</strong>, Inc., maintains a customer portal at www.mywebsense.com that you can<br />
use to access product updates, patches and hotfixes, product news, evaluations, and<br />
technical support resources for your <strong>Websense</strong> software.<br />
When you create an account, the account is associated with your <strong>Websense</strong><br />
subscription key or keys. This helps to ensure your access to information, alerts, and<br />
patches relevant to your <strong>Websense</strong> product and version.<br />
Multiple members of your organization can create My<strong>Websense</strong> logons associated<br />
with the same subscription key.<br />
<strong>Websense</strong> technical support<br />
Technical information about <strong>Websense</strong> software and services is available 24 hours a<br />
day at support.websense.com, including:<br />
• the latest release information<br />
• the searchable <strong>Websense</strong> Knowledge Base<br />
• Support forums<br />
• Support Webinars<br />
• show-me tutorials<br />
• product documents<br />
• answers to frequently asked questions<br />
• Top Customer Issues<br />
• in-depth technical papers<br />
For additional questions, click the Contact Support tab at the top of the page.<br />
If your issue is urgent, please call one of the offices listed below. You will be routed to<br />
the first available technician, who will gladly assist you.<br />
For less urgent cases, use our online Support Request Portal at ask.websense.com.<br />
For faster phone response, please use your Support Account ID, which you can find<br />
in the Profile section at My<strong>Websense</strong>.<br />
Location | Contact information<br />
North America | +1-858-458-2940<br />
France | Contact your <strong>Websense</strong> Reseller. If you cannot locate your Reseller: +33 (0) 1 5732 3227<br />
Germany | Contact your <strong>Websense</strong> Reseller. If you cannot locate your Reseller: +49 (0) 69 517 09347<br />
UK | Contact your <strong>Websense</strong> Reseller. If you cannot locate your Reseller: +44 (0) 20 3024 4401<br />
Rest of Europe | Contact your <strong>Websense</strong> Reseller. If you cannot locate your Reseller: +44 (0) 20 3024 4401<br />
Middle East | Contact your <strong>Websense</strong> Reseller. If you cannot locate your Reseller: +44 (0) 20 3024 4401<br />
Africa | Contact your <strong>Websense</strong> Reseller. If you cannot locate your Reseller: +44 (0) 20 3024 4401<br />
Australia/NZ | Contact your <strong>Websense</strong> Reseller. If you cannot locate your Reseller: +61 (0) 2 9414 0033<br />
Asia | Contact your <strong>Websense</strong> Reseller. If you cannot locate your Reseller: +86 (10) 5884 4200<br />
Latin America and Caribbean | +1-858-458-2940<br />
For telephone requests, please have ready:<br />
• <strong>Websense</strong> subscription key<br />
• Access to the <strong>Websense</strong> management console<br />
• Access to the machine running reporting tools and the database server<br />
• Familiarity with your network’s architecture, or access to a specialist<br />
2<br />
Configuring <strong>TRITON</strong> Settings<br />
The <strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong> helps you manage Web, data, and email<br />
security configuration, policies, and reporting from a central management console.<br />
To facilitate this centralized management, Global <strong>Security</strong> Administrators (including<br />
the default admin account) can use <strong>TRITON</strong> Settings to create and configure<br />
administrator accounts with:<br />
• Full management access to all <strong>TRITON</strong> modules<br />
• Full management access to a single <strong>TRITON</strong> module<br />
• Limited access (for example, reporting-only access) to one or more <strong>TRITON</strong><br />
modules<br />
See Introducing administrators, page 13.<br />
Note<br />
When you make changes to <strong>TRITON</strong> settings, it can take<br />
between 30 and 90 seconds for the changes to propagate to<br />
other <strong>TRITON</strong> modules. For example, if you create an<br />
administrator for <strong>TRITON</strong> - Data <strong>Security</strong>, it may take a<br />
minute or two for that administrator to appear in the Data<br />
<strong>Security</strong> module.<br />
<strong>TRITON</strong> Settings can also be used to:<br />
• View account information and change passwords. See Viewing your account<br />
information, page 10.<br />
• Set up a connection to a directory service to allow administrators to use their<br />
network accounts to log on to the <strong>TRITON</strong> console. See Setting user directory<br />
information, page 10.<br />
• Configure a connection to an SMTP server so that administrators can receive<br />
email notifications when they are granted access to the <strong>TRITON</strong> console or when<br />
their account changes. This also allows administrators to request a password reset,<br />
when needed. See Setting email notifications, page 23.<br />
• Configure two-factor authentication for administrators. See Configuring<br />
certificate authentication, page 25.<br />
• Audit administrator logon attempts and changes to <strong>TRITON</strong> Settings. See Audit<br />
log, page 28.<br />
Viewing your account information<br />
Use the <strong>TRITON</strong> Settings > My Account page to view permissions information for<br />
your account, and to select a preferred language for viewing <strong>Help</strong> information.<br />
If you have been assigned a local user name and password for the <strong>TRITON</strong> console,<br />
you can also change your password on this page.<br />
If you log on to the <strong>TRITON</strong> console with network credentials, password changes are<br />
handled through your network directory service. Contact your system administrator<br />
for assistance.<br />
The permissions allocated to your account are shown in the toolbar above the page:<br />
• Global <strong>Security</strong> Administrator means you have full access to all <strong>TRITON</strong> console<br />
settings and all policy, reporting, and configuration settings in all of the modules<br />
that are part of your subscription. See Global <strong>Security</strong> Administrator, page 13.<br />
• If you do not have Global <strong>Security</strong> Administrator permissions, the <strong>TRITON</strong><br />
modules you can access and manage are listed.<br />
To change your password:<br />
1. Enter your Current password.<br />
2. Enter and confirm a New password.<br />
• The password must be between 4 and 40 characters.<br />
• Strong passwords are recommended: 8 characters or longer, including at least<br />
one uppercase letter, lowercase letter, number, and special character (such as<br />
hyphen, underscore, or blank).<br />
3. Click OK to save your changes.<br />
To select a language other than English as your preferred <strong>Help</strong> language, select an<br />
entry in the Language drop-down list. Note that not all <strong>Help</strong> pages are available in all<br />
languages. If a particular <strong>Help</strong> page is not available in the selected language, the<br />
English page is displayed.<br />
Setting user directory information<br />
Use the <strong>TRITON</strong> Settings > User Directory page to configure directory<br />
communication for administrators using their network accounts. The same directory<br />
must be used to authenticate all administrative users.<br />
• A user directory stores information about a network’s users and resources.<br />
• To allow administrators to use their network accounts to log on to the<br />
<strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong>, you must configure the <strong>TRITON</strong> console to<br />
retrieve information from your user directory.<br />
Note<br />
User directory configuration for administrators is<br />
performed separately from directory service configuration<br />
for end users. Set up end user directory service<br />
configuration within each <strong>TRITON</strong> module.<br />
The <strong>TRITON</strong> console can communicate with the following LDAP (Lightweight<br />
Directory Access Protocol) directories:<br />
• Windows Active Directory (Native Mode)<br />
• Novell eDirectory<br />
• Oracle Directory Service<br />
• Lotus Notes/Domino<br />
It can also communicate with other generic LDAP-based directories.<br />
Note that:<br />
• Duplicate user names are not supported in an LDAP-based directory service.<br />
Ensure that the same user name does not appear in multiple domains.<br />
• If you are using Windows Active Directory or Oracle Directory Service, user<br />
names with blank passwords are not supported. Make sure that all users have<br />
passwords assigned.<br />
To enable administrators to log on to the <strong>TRITON</strong> console using a network account:<br />
1. Select your user directory from the User directory server list.<br />
2. Enter the IP address or host name to identify the directory server.<br />
3. Enter the Port that <strong>Websense</strong> software should use to communicate with the<br />
directory.<br />
4. Specify the User distinguished name and Password for the administrative<br />
account <strong>Websense</strong> software should use to retrieve user name and path information<br />
from the directory.<br />
• The account must be able to query and read from the directory, but does not<br />
need to be able to make changes to the directory, or be a domain<br />
administrator.<br />
• Enter the account details as a single string in the User distinguished name<br />
field. You can use the format “CN=user, DC=domain” or, if your organization<br />
uses Active Directory, “domain\username”.<br />
5. Click Test Connection to confirm that the directory exists at the specified IP<br />
address or name and port number, and that the specified account can connect to it.<br />
6. Enter the Root naming context that the <strong>TRITON</strong> console should use to search for<br />
user information. This is required for generic LDAP directories, Lotus Notes/<br />
Domino, and Oracle Directory Service, and optional for Active Directory and<br />
Novell eDirectory. If you supply a value, it must be a valid context in your<br />
domain.<br />
If the Root naming context field is left blank, <strong>Websense</strong> software begins searching<br />
at the top level of the directory service.<br />
Note<br />
Avoid having the same user name in multiple domains. If<br />
<strong>Websense</strong> software finds duplicate account names for a<br />
user, the user cannot be identified transparently.<br />
7. If your LDAP schema includes nested groups, mark Perform additional nested<br />
group search.<br />
8. To encrypt communication with the directory service, mark Use SSL encryption.<br />
9. If your directory service uses LDAP referrals, indicate whether <strong>Websense</strong><br />
software should follow the referrals.<br />
10. If you have selected Generic Directory, also configure the following settings:<br />
• Email attribute: The attribute name used to locate a user’s email address in<br />
LDAP entries. The default is mail.<br />
• User logon ID attribute: The attribute name used to locate a user’s logon ID<br />
in LDAP entries.<br />
• User logon filter: The filter to apply when searching for user details at logon.<br />
This string must contain the %uid token, which is then replaced with the user<br />
name entered by the user when logging on.<br />
• User lookup filter: The filter used to find users for import on the Add<br />
Network Account page. You can enter %query in this field as a placeholder,<br />
and then click Refine search on the Add Network Account page to enter a<br />
new context for finding network users.<br />
• Group object class (optional): The LDAP object class that represents a<br />
group. The default is group.<br />
• Group Properties: Specify whether your directory schema uses the<br />
memberOf attribute. If it does, in the Group attribute field enter the attribute<br />
used to reference the groups that the user is a member of.<br />
If it does not, in the User group filter field enter the query used to resolve<br />
groups containing the specific user. You can enter %dn, which will be<br />
replaced by the DN of the user.<br />
11. Click OK.<br />
Note<br />
If you change your user directory settings at a later date,<br />
existing administrators become invalid unless you are<br />
pointing to an exact mirror of the user directory server. If<br />
the new server is not a mirror, you may not be able to<br />
distinguish between your new and existing users.<br />
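The %uid, %query, and %dn tokens in the generic directory filters are replaced with text typed by a person or read from the directory, so any script that builds LDAP filters from such templates must escape the value per RFC 4515 first.<br />
The Python below is an added example, not <strong>Websense</strong> code: the function names, the sample filter strings, and the choice to keep * in %query values (because the Add Network Account search accepts the asterisk wildcard) are assumptions.<br />

```python
import re

# RFC 4515: characters that must be written as \XX inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Setting name -> (token named on the help page, whether the page requires it).
TOKENS = {
    "User logon filter": ("%uid", True),
    "User lookup filter": ("%query", False),
    "User group filter": ("%dn", False),
}


def escape_value(value, keep_wildcard=False):
    """Escape a value for use inside an LDAP filter (RFC 4515).

    keep_wildcard=True leaves '*' untouched, for search fields that accept it.
    """
    out = []
    for ch in value:
        if ch == "*" and keep_wildcard:
            out.append(ch)
        else:
            out.append(_ESCAPES.get(ch, ch))
    return "".join(out)


def paren_shape(ldap_filter):
    """Return the sequence of '(' and ')' in a filter, or None if unbalanced.

    Escaped parentheses appear as \\28 and \\29, so every literal parenthesis
    left in the string is part of the filter structure.
    """
    shape = re.sub(r"[^()]", "", ldap_filter)
    depth = 0
    for ch in shape:
        depth += 1 if ch == "(" else -1
        if depth < 0:
            return None
    return shape if depth == 0 else None


def check_template(setting, template):
    """Return a list of problems found in a filter template for one setting."""
    token, required = TOKENS[setting]
    problems = []
    if not (template.startswith("(") and template.endswith(")")):
        problems.append("filter must be enclosed in parentheses")
    if paren_shape(template) is None:
        problems.append("unbalanced parentheses")
    if required and token not in template:
        problems.append(f"missing required token {token}")
    return problems


def expand(setting, template, value):
    """Substitute the setting's token with an escaped value."""
    token, _ = TOKENS[setting]
    problems = check_template(setting, template)
    if problems:
        raise ValueError(f"{setting}: " + "; ".join(problems))
    escaped = escape_value(value, keep_wildcard=(token == "%query"))
    result = template.replace(token, escaped)
    # Defensive check: the substituted value must not alter filter structure.
    if paren_shape(result) != paren_shape(template):
        raise RuntimeError("substitution changed the filter structure")
    return result


if __name__ == "__main__":
    # Constructed sample templates and inputs, not taken from any product.
    samples = [
        ("User logon filter", "(&(objectClass=person)(uid=%uid))", "smith (ops)"),
        ("User lookup filter", "(&(objectClass=person)(cn=%query))", "sm*"),
        ("User group filter", "(member=%dn)",
         "CN=Lee\\, Ana,OU=Admins,DC=example,DC=test"),
    ]
    for setting, template, value in samples:
        print(f"{setting}: {expand(setting, template, value)}")
    print(check_template("User logon filter", "(uid=%user)"))
```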
Introducing administrators<br />
Administrators can access the <strong>TRITON</strong> console to configure one or more security<br />
solutions, manage policies, generate reports, or perform some combination of these<br />
tasks. The specific permissions available depend on the type of administrator.<br />
• Global <strong>Security</strong> Administrators have full access and management permissions in<br />
all available <strong>TRITON</strong> modules. See Global <strong>Security</strong> Administrator, page 13.<br />
• Other types of administrators have more restricted access to <strong>TRITON</strong> modules.<br />
An administrator may be given permission to manage or audit one or more<br />
<strong>TRITON</strong> modules using the same account. See <strong>TRITON</strong> administrators, page 14.<br />
You can identify administrators using their network logon credentials, or you can<br />
create accounts used only to access the <strong>TRITON</strong> console. See Adding a network<br />
account, page 18, and Adding a local account, page 16.<br />
Global <strong>Security</strong> Administrator<br />
A default Global <strong>Security</strong> Administrator role is created during installation, and the<br />
default user, admin, is assigned to this role. When you first log on with the password<br />
set during installation, you have full administrative access to all configuration settings<br />
in the <strong>TRITON</strong> console, and also the following permissions in the modules that are<br />
part of your subscription:<br />
• <strong>TRITON</strong> - Web <strong>Security</strong>: Added to the Super Administrator role with<br />
unconditional permissions.<br />
• <strong>TRITON</strong> - Data <strong>Security</strong>: Assigned Super Administrator permissions.<br />
• <strong>TRITON</strong> - Email <strong>Security</strong>: Assigned Super Administrator permissions.<br />
You also have full permissions to manage and transparently log on to all appliances<br />
registered with this instance of the <strong>TRITON</strong> console.<br />
The permissions given to a Global <strong>Security</strong> Administrator within the individual<br />
<strong>TRITON</strong> modules cannot be modified.<br />
The admin account does not appear in the list of administrators for the Super<br />
Administrator role. It cannot be deleted, and its permissions cannot be modified.<br />
You can add further Global <strong>Security</strong> Administrators as needed. Creating multiple<br />
Global <strong>Security</strong> Administrators ensures that if the primary Global <strong>Security</strong><br />
Administrator is not available, another administrator has access to all <strong>Websense</strong> policy<br />
and configuration settings.<br />
<strong>TRITON</strong> administrators<br />
<strong>TRITON</strong> administrators are given access to one or more <strong>TRITON</strong> modules (Web<br />
<strong>Security</strong>, Data <strong>Security</strong>, Email <strong>Security</strong>). They can also be granted access to the<br />
Mobile <strong>Security</strong> portal, one or more appliances registered to the <strong>TRITON</strong> console, and<br />
one or more Content Gateway Manager instances.<br />
Administrators can be given access to one or more modules, or access and account<br />
management permissions. The permissions these administrators have in each module<br />
depend on how administrators are configured within the module. By default the<br />
following permissions are allocated:<br />
<strong>TRITON</strong> - Web <strong>Security</strong><br />
• Access: the administrator is not added to any roles, and can only access the<br />
Status > Dashboard and Status > Alerts pages.<br />
• Access and account management: the administrator is added to the Super<br />
Administrator role with unconditional permissions.<br />
Administrator permissions can be changed in <strong>TRITON</strong> - Web <strong>Security</strong> on the<br />
Policy Management > Delegated Administration page.<br />
<strong>TRITON</strong> - Data <strong>Security</strong><br />
• All options: the administrator is assigned the Default access role, with access<br />
to the Incidents & Reports, Today, and My Settings pages.<br />
Administrator permissions can be changed in <strong>TRITON</strong> - Data <strong>Security</strong> on the<br />
Settings > General > Authorization > Administrators, and Settings ><br />
General > Authorization > Roles pages.<br />
<strong>TRITON</strong> - Email <strong>Security</strong><br />
• Access: the administrator is assigned the default Reporting permissions.<br />
• Access and account management: the administrator is assigned Super<br />
Administrator permissions by default.<br />
Administrator permissions can be changed in <strong>TRITON</strong> - Email <strong>Security</strong> on the<br />
Settings > General > Administrator Accounts page.<br />
For appliances, administrators can be given full access or limited access to the<br />
appliances registered in the <strong>TRITON</strong> console.<br />
• Full access enables the administrator to register and unregister appliances, and to<br />
access appliances directly from the <strong>TRITON</strong> console. Access is via single sign-on<br />
if configured (see Configuring an existing appliance for single sign-on, page 32).<br />
• Limited access enables the administrator to access appliances, but not register or<br />
unregister them. Access can be to all appliances, including those added<br />
subsequently, or to specifically selected appliances.<br />
Administrators with account management permissions can also edit and delete other<br />
administrators in the <strong>TRITON</strong> console, subject to the limitations of the permissions<br />
they have been allocated.<br />
Administrators who log on to the <strong>TRITON</strong> console with a local user account can also<br />
change their own <strong>TRITON</strong> password (see Viewing your account information, page<br />
10).<br />
Once shared administrator accounts have been configured, an administrator logged on<br />
to one <strong>TRITON</strong> module (for example, <strong>TRITON</strong> - Web <strong>Security</strong>) can use the <strong>TRITON</strong><br />
toolbar to switch to a different module (Data <strong>Security</strong> or Email <strong>Security</strong>) without<br />
needing to log on a second time.<br />
Enabling access to the <strong>TRITON</strong> console<br />
Use the <strong>TRITON</strong> Settings > Administrators page to create and manage the accounts<br />
that administrators use to access the <strong>TRITON</strong> console.<br />
Note<br />
This page is available only to Global <strong>Security</strong><br />
Administrators and administrators that have permission to<br />
manage at least one <strong>TRITON</strong> module.<br />
In deployments that include a combination of <strong>Websense</strong> web, email, and data security<br />
solutions, administrator accounts can be given individual or joint access to the<br />
available <strong>TRITON</strong> modules.<br />
Next to the User Name column, the Type column displays the type of each<br />
administrator account:<br />
• Local accounts are created specifically for use within the <strong>TRITON</strong> console.<br />
• Network accounts are accounts from a supported directory service that have been<br />
granted access to the <strong>TRITON</strong> console (see Setting email notifications, page 23).<br />
To add an account, click either Add Local Account or Add Network Account (see<br />
Adding a local account, page 16, and Adding a network account, page 18).<br />
If an administrator account has an exclamation mark icon next to the name on this<br />
page, it is due to one or both of the following:<br />
• The account does not have an email address associated with it. This means the<br />
administrator will not receive notifications of password changes or permission<br />
updates. Edit the administrator details to add an email address.<br />
• The administrator permissions have been imported from <strong>Websense</strong> Data <strong>Security</strong><br />
version 7.5 and <strong>Websense</strong> Web <strong>Security</strong> Gateway version 7.5 and unified within<br />
the <strong>TRITON</strong> console.<br />
For example, if in v7.5 you had an administrator with Data <strong>Security</strong> Super<br />
Administrator permissions and Web <strong>Security</strong> Full Reporting permissions, that<br />
administrator is imported into the <strong>TRITON</strong> console with the following<br />
permissions:<br />
• Data <strong>Security</strong>: access and account management permissions<br />
• Web <strong>Security</strong>: access only<br />
• Email <strong>Security</strong>: no access<br />
You must edit the administrator account and confirm or change the allocated<br />
permissions. The administrator will not be able to log on until you do this.<br />
If you are viewing this page as a <strong>TRITON</strong> administrator with permission to manage at<br />
least one <strong>TRITON</strong> module, you can manage and delete only administrator accounts<br />
for those modules.<br />
Global <strong>Security</strong> Administrators can manage and delete any existing accounts. To<br />
delete an account, mark the check box next to the account name and click Delete.<br />
Important<br />
If you delete an administrator account, actions performed<br />
by this administrator will no longer appear in the Data<br />
<strong>Security</strong> incident history. To preserve administrator<br />
actions, it is recommended that you do not delete the<br />
account, but instead limit the administrator’s role in<br />
<strong>TRITON</strong> - Data <strong>Security</strong>.<br />
Adding a local account<br />
Related topics:<br />
Enabling access to the <strong>TRITON</strong> console, page 15<br />
Adding a network account, page 18<br />
Editing a local account, page 20<br />
Use the <strong>TRITON</strong> Settings > Administrators > Add Local Account page to add<br />
<strong>Websense</strong> user accounts.<br />
1. Enter a unique User name, up to 50 characters.<br />
• The name must be between 1 and 50 characters long, and cannot include any<br />
of the following characters:<br />
* < > ' ‘ { } ~ ! $ % & @ # . " | \ & + = / ; : , ^ ( )<br />
• User names can include spaces and dashes.<br />
2. Enter a valid Email address for the user.<br />
This email address is used to send account information to the new administrator.<br />
3. Enter and confirm a Password (4-255 characters) for this user.<br />
Strong passwords are recommended: 8 characters or longer, including at least one<br />
each of the following:<br />
• uppercase letter<br />
• lowercase letter<br />
• number<br />
• special character (such as hyphen, underscore, or blank)<br />
Note<br />
If two-factor authentication is enabled and password<br />
authentication is disabled on the <strong>TRITON</strong> Settings ><br />
Certificate Authentication page, password logon is not<br />
available for the local account.<br />
4. If two-factor authentication is enabled on the <strong>TRITON</strong> Settings > Certificate<br />
Authentication page:<br />
a. Click Certificate Authentication.<br />
b. Browse to the location of the certificate to use for administrator authentication<br />
for this account.<br />
c. Click Upload Certificate.<br />
For more information, see Configuring certificate authentication, page 25.<br />
5. To create an administrator with full permissions across the <strong>TRITON</strong> console and<br />
all of the modules and appliances in your subscription, select Global <strong>Security</strong><br />
Administrator.<br />
Note<br />
Only Global <strong>Security</strong> Administrators can create other<br />
Global <strong>Security</strong> Administrators.<br />
6. To send account information and access instructions to the new administrator via<br />
email, mark Notify administrator of the new account via email.<br />
To send administrator emails, you must set up SMTP details on the Notifications<br />
page. You can also customize the contents of the email message on the<br />
Notifications page (see Setting email notifications, page 23).<br />
7. To require the administrator to change the account password the first time he or<br />
she logs on to the <strong>TRITON</strong> console, mark Force administrator to create a new<br />
password at logon.<br />
8. If this account is not a Global <strong>Security</strong> Administrator, under Module Access<br />
Permissions, select the permissions you want to give to the new administrator.<br />
• Choose a setting under each of the available options (Web <strong>Security</strong>, Data<br />
<strong>Security</strong>, Email <strong>Security</strong>) to give the new administrator permissions to<br />
manage one or more of the <strong>TRITON</strong> modules. The options available depend<br />
on the modules in your subscription.<br />
For each module, choose whether the new administrator has:<br />
• no access to that module<br />
• only access to the module<br />
• both access and the ability to manage other administrators in that module.<br />
For more information see <strong>TRITON</strong> administrators, page 14.<br />
Note<br />
You can assign access permissions only for the <strong>TRITON</strong><br />
modules where you have management permissions.<br />
• If your deployment includes one or more appliances, you can grant the<br />
administrator:<br />
• no appliance access<br />
• full access to all appliances<br />
• limited access to appliances<br />
If you select limited access, indicate whether the administrator can access all<br />
appliances or only specified appliances.<br />
9. When you are finished making changes, click OK.<br />
Adding a network account<br />
Related topics:<br />
Setting email notifications, page 23<br />
Adding a local account, page 16<br />
Editing a network account, page 22<br />
Use the <strong>TRITON</strong> Settings > Administrators > Add Network Account page to add<br />
users defined in a supported directory service as <strong>TRITON</strong> administrators.<br />
Enter keywords to search on in the Search field to find the accounts that you want to<br />
add as <strong>TRITON</strong> administrators. Optionally, you can use the asterisk wildcard (*) as<br />
part of your search.<br />
By default, the search context for your search is the default domain context from the<br />
Directory Service page (see Setting email notifications, page 23). You can edit this<br />
context by clicking Refine search and entering a new search context in the field that<br />
appears. You can revert to the default context by clicking Restore default.<br />
If you are using Active Directory, for users the Email, Login Name, and Display<br />
Name fields in your selected context are searched. If you are using Novell eDirectory,<br />
Oracle Directory Service, or Lotus Notes/Domino, for users the Email, Display Name,<br />
Username, and Common Name (CN) fields are searched. For all directory services,<br />
the CN field is searched for groups.<br />
The search results list both users and groups that match the specified keywords, and<br />
display both user name and email address for the network account. To add a user or<br />
group as an administrator, mark the check box next to the account name, and then<br />
click the right arrow (>) to add the account to the Selected accounts list.<br />
To delete a user from the Selected accounts list, mark the check box next to the<br />
account name, and then click the left arrow (<).<br />
If two-factor authentication is enabled on the <strong>TRITON</strong> Settings > Certificate<br />
Authentication page (see Configuring certificate authentication, page 25), click<br />
Certificate Authentication to upload or import the certificate used to authenticate the<br />
selected administrators during <strong>TRITON</strong> console logon.<br />
• Click Import from LDAP to import the certificate from your user directory.<br />
• Click Upload Certificate to browse to the location of the certificate and upload it.<br />
When the certificate has been imported or uploaded successfully, the certificate name,<br />
expiration date, issuer, and source information are displayed in the Certificate<br />
Authentication area of the page.<br />
Once you have added one or more accounts to the Selected accounts list, indicate<br />
whether to Notify administrator of the new account via email. To send<br />
administrator emails, you must set up SMTP details on the Notifications page. You<br />
can also customize the contents of the email message on the Notifications page (see<br />
Setting email notifications, page 23).<br />
Next, select the access permissions you want to give to the new administrators.<br />
• Select Global <strong>Security</strong> Administrator to create an administrator with full<br />
permissions across the <strong>TRITON</strong> console and all of the modules and appliances in<br />
your subscription.<br />
Note<br />
Only Global <strong>Security</strong> Administrators can create other<br />
Global <strong>Security</strong> Administrators.<br />
• If the accounts are not Global <strong>Security</strong> Administrators, under Module Access<br />
Permissions, select the permissions you want to give to the new administrators.<br />
• Choose a setting under each of the available options (Web <strong>Security</strong>, Data<br />
<strong>Security</strong>, Email <strong>Security</strong>) to give the new administrator permissions to<br />
manage one or more of the <strong>TRITON</strong> modules. The options available depend<br />
on the modules in your subscription.<br />
For each module, choose whether the new administrator has:<br />
• no access to that module<br />
• only access to the module<br />
• both access and the ability to manage other administrators in that module.<br />
For more information see <strong>TRITON</strong> administrators, page 14.<br />
Note<br />
You can assign access permissions only for the <strong>TRITON</strong><br />
modules where you have management permissions.<br />
• If your deployment includes one or more appliances, you can grant the<br />
administrator:<br />
• no appliance access<br />
• full access to all appliances<br />
• limited access to appliances<br />
If you select limited access, indicate whether the administrator can access all<br />
appliances or only specified appliances.<br />
When you are done selecting administrator accounts, click OK.<br />
Editing a local account<br />
Use the <strong>TRITON</strong> Settings > Administrators > Edit Local Account page to edit<br />
existing <strong>Websense</strong> user accounts.<br />
1. To change the User name, enter a unique name up to 50 characters.<br />
• The name must be between 1 and 50 characters long, and cannot include any<br />
of the following characters:<br />
* < > ' { } ~ ! $ % & @ # . " | \ & + = / ; : ,<br />
• User names can include spaces and dashes.<br />
2. To change the administrator Email address, enter a valid address for the user.<br />
This email address is used to send account information to the administrator.<br />
3. To reset the administrator’s Password, enter and confirm a password (4-255<br />
characters).<br />
Strong passwords are recommended: 8 characters or longer, including at least one<br />
each of the following:<br />
• uppercase letter<br />
• lowercase letter<br />
• number<br />
• special character (such as hyphen, underscore, or blank)<br />
Note<br />
If two-factor authentication is enabled and password<br />
authentication is disabled on the <strong>TRITON</strong> Settings ><br />
Certificate Authentication page, password logon is not<br />
available for the local account.<br />
4. If two-factor authentication is enabled on the <strong>TRITON</strong> Settings > Certificate<br />
Authentication page:<br />
a. Click Certificate Authentication.<br />
b. Browse to the location of the certificate that the administrator will<br />
authenticate against when logging on to the <strong>TRITON</strong> console.<br />
c. Click Upload Certificate.<br />
For more information, see Configuring certificate authentication, page 25.<br />
5. To give the administrator full permissions across the <strong>TRITON</strong> console and all of<br />
the modules and appliances in your subscription, select Global <strong>Security</strong><br />
Administrator.<br />
Note<br />
Only Global <strong>Security</strong> Administrators can create other<br />
Global <strong>Security</strong> Administrators.<br />
6. To send account update information to the administrator via email, mark Notify<br />
administrator of the account changes via email.<br />
7. To require the administrator to change the account password the next time he or<br />
she logs on to the <strong>TRITON</strong> console, mark Force administrator to create a new<br />
password at logon.<br />
8. If this is not a Global <strong>Security</strong> Administrator account, use the Module Access<br />
Permissions options to update permissions for the administrator.<br />
• Choose a setting under each of the available options (Web <strong>Security</strong>, Data<br />
<strong>Security</strong>, Email <strong>Security</strong>) to give the administrator permissions to manage<br />
one or more of the <strong>TRITON</strong> modules. The options available depend on the<br />
modules in your subscription.<br />
For each module, choose whether the administrator has:<br />
• no access to that module<br />
• only access to the module<br />
• both access and the ability to manage other administrators in that module.<br />
For more information see <strong>TRITON</strong> administrators, page 14.<br />
Note<br />
You can assign access permissions only for the <strong>TRITON</strong><br />
modules where you have management permissions.<br />
• If your deployment includes one or more appliances, you can grant the<br />
administrator:<br />
• no appliance access<br />
• full access to all appliances<br />
• limited access to appliances<br />
If you select limited access, indicate whether the administrator can access all<br />
appliances or only specified appliances.<br />
9. When you are finished making changes, click OK.<br />
Editing a network account<br />
Use the <strong>TRITON</strong> Settings > Administrators > Edit Network Account page to edit<br />
the access and authentication permissions for existing network accounts.<br />
If two-factor authentication is enabled on the <strong>TRITON</strong> Settings > Certificate<br />
Authentication page (see Configuring certificate authentication, page 25), click<br />
Certificate Authentication to upload or import the certificate that the administrators<br />
will authenticate against when logging on to the <strong>TRITON</strong> console.<br />
• Click Import from LDAP to import the certificate from your user directory.<br />
• Click Upload Certificate to browse to the location of the certificate and upload it.<br />
When the certificate has been imported or uploaded successfully, the certificate name,<br />
expiration date, issuer, and source information are displayed in the Certificate<br />
Authentication area of the page. Click Import New from LDAP to import a new<br />
certificate from your user directory, replacing the existing certificate.<br />
Click Remove Certificate to delete the certificate from this network account. If you<br />
remove the certificate, this network account cannot use two-factor authentication.<br />
To change the access permissions for the network account:<br />
• Select Global <strong>Security</strong> Administrator to give the administrator full permissions<br />
across the <strong>TRITON</strong> console and all of the modules and appliances in your<br />
subscription.<br />
Note<br />
Only Global <strong>Security</strong> Administrators can create other<br />
Global <strong>Security</strong> Administrators.<br />
• If this is not a Global <strong>Security</strong> Administrator account, use the Module Access<br />
Permissions options to update permissions for the administrator.<br />
• Choose a setting under each of the available options (Web <strong>Security</strong>, Data<br />
<strong>Security</strong>, Email <strong>Security</strong>) to give the administrator permissions to manage<br />
one or more of the <strong>TRITON</strong> modules. The options available depend on the<br />
modules in your subscription.<br />
For each module, choose whether the administrator has:<br />
• no access to that module<br />
• only access to the module<br />
• both access and the ability to manage other administrators in that module.<br />
For more information see <strong>TRITON</strong> administrators, page 14.<br />
Note<br />
You can assign access permissions only for the <strong>TRITON</strong><br />
modules where you have management permissions.<br />
• If your deployment includes one or more appliances, you can grant the<br />
administrator:<br />
• no appliance access<br />
• full access to all appliances<br />
• limited access to appliances<br />
If you select limited access, indicate whether the administrator can access all<br />
appliances or only specified appliances.<br />
When you are done editing administrator permissions, click OK.<br />
Setting email notifications<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
Use the <strong>TRITON</strong> Settings > Notifications page to set up the SMTP server used for<br />
all email notifications from the <strong>TRITON</strong> console, and to configure the notification<br />
email messages sent to administrators.<br />
Note<br />
This page can be viewed and edited only by Global<br />
<strong>Security</strong> Administrators.<br />
First, establish a connection with your SMTP server so that email notifications can be<br />
sent:<br />
1. Enter the IP address or host name and Port of the SMTP server machine.<br />
2. Enter the Sender email address to use in notifications.<br />
3. Enter a Sender name to appear with the From email address. This is useful to<br />
make it clear to administrators that the email is related to the <strong>TRITON</strong> console.<br />
Next, review the templates used for administrator notifications. There are 3 available<br />
templates:<br />
• New Account: Notifies an administrator of their new TRITON account. Typically,<br />
this template includes the new logon name and password, and a summary of the<br />
permissions allocated to the administrator.<br />
• Edit Account: Notifies an administrator of any changes to their TRITON account.<br />
Typically, this includes any information that might be changed and would need to<br />
be communicated to the administrator, such as their logon name, password, and<br />
permissions.<br />
• Forgot Your Password: Confirms to an administrator who has clicked the<br />
“Forgot Your Password” link on the TRITON logon page that their password has<br />
been reset. Typically, this includes the temporary password and expiration details<br />
for that password.<br />
Each template contains default text that you can use or modify, and includes some<br />
available variables. At the time the email is sent to the administrator, these variables<br />
are replaced either with user-specific data or with values configured elsewhere in the<br />
system. Variables are always surrounded by percentage symbols, such as<br />
%Username%.<br />
To modify a notification message:<br />
1. Select one of the Email Notification Templates tabs: New Account, Edit Account,<br />
or Forgot Your Password.<br />
2. Enter a suitable subject header for the email message. For example, for a new<br />
account, you might use “Welcome to <strong>Websense</strong> <strong>TRITON</strong>” or “Your new <strong>TRITON</strong><br />
console account.”<br />
3. Modify the message body as required. To add a variable, click Insert Variable<br />
and select from the drop-down list:<br />
Variable: Description<br />
• %TRITON URL%: The URL used to access the TRITON console.<br />
• %Username%: The administrator’s TRITON username.<br />
• %Password%: The administrator’s TRITON password. This may be the temporary password assigned to an administrator who used the “Forgot Your Password” link. This password is valid for 30 minutes; an administrator logging on during that time is prompted to enter a new password.<br />
• %Permissions%: The permissions allocated to the administrator.<br />
Note<br />
If you are using all or part of the default notification text,<br />
you can only include variables at the end of the default<br />
message.<br />
4. To return to the default notification text at any time, click Restore Default, then<br />
click OK to confirm.<br />
Configuring certificate authentication<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
Use the <strong>TRITON</strong> Settings > Certificate Authentication page to manage the use of<br />
two-factor authentication for administrator logons.<br />
Note<br />
Only Global <strong>Security</strong> Administrators can access this page.<br />
Two-factor authentication requires administrators to provide 2 forms of identification<br />
when logging on to the <strong>TRITON</strong> console (see How does certificate authentication<br />
work, page 26).<br />
<strong>TRITON</strong> administrators can be granted single sign-on access to other <strong>Websense</strong><br />
management consoles (Appliance Manager and Content Gateway Manager). To use<br />
this functionality with two-factor authentication:<br />
• Appliance Manager: Set up single sign-on permissions for administrator<br />
accounts (see Configuring an existing appliance for single sign-on, page 32).<br />
• Content Gateway Manager: Disable password authentication for Content<br />
Gateway Manager (see “Configuring Content Gateway for two-factor<br />
authentication” in the Content Gateway Help).<br />
To set up <strong>TRITON</strong> console certificate authentication:<br />
1. Mark Authenticate administrators using two-factor authentication.<br />
2. To enable attribute matching, mark Use attribute matching as a fallback<br />
method and select whether it applies to all administrators, or only administrators<br />
without certificates in the <strong>TRITON</strong> console.<br />
To configure the attributes used for matching, click Configure Attribute<br />
Matching, then see Setting up attribute matching, page 27.<br />
3. To import certificates from your user directory for network administrators, click<br />
Import Administrator Certificates.<br />
When certificates are successfully imported, a success message is displayed at the<br />
top of the page. If any of the certificates are not imported correctly, you can<br />
upload a certificate for each network administrator on the <strong>TRITON</strong> Settings ><br />
Administrators > Edit Network Account page.<br />
4. Click Add under Root Certificates to add a root certificate for signature<br />
verification. There must be at least one root certificate in the <strong>TRITON</strong> console for<br />
two-factor authentication to operate.<br />
5. Browse to the location of the root certificate file, then click Upload Certificate.<br />
6. Whenever you add or change a root certificate, you must create a new master<br />
certificate file and copy that file to the <strong>Websense</strong> <strong>TRITON</strong> Web Server service.<br />
Click Create Master Certificate File to create the new file, then see Deploying<br />
the master certificate file, page 27 for further information.<br />
7. To enable password authentication as a fallback method, mark Allow password<br />
authentication to log on to the <strong>TRITON</strong> console and select whether it applies to<br />
all administrators, or only administrators without certificates in the <strong>TRITON</strong><br />
console.<br />
Note<br />
The admin account created during installation can always<br />
log on from the <strong>TRITON</strong> Management Server machine<br />
using password-based authentication.<br />
8. Click OK.<br />
How does certificate authentication work<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
When you enable two-factor authentication on the Certificate Authentication page, the<br />
logon process for an administrator accessing the <strong>TRITON</strong> console URL is as follows:<br />
• The TRITON console detects whether a client certificate is installed. If more than<br />
one certificate is available, the administrator is asked to select the certificate that<br />
allows access to the console.<br />
• The administrator provides their two-factor authentication credentials as defined<br />
by your organization. For example, this could be through the use of the Common<br />
Access Card (CAC) and a card reader.<br />
• After successful authentication, the TRITON console receives the client<br />
certificate and checks that it matches the signature in the uploaded root CA<br />
certificates. If the signature matches, the TRITON console checks for a full match<br />
with the certificates that you have either uploaded to the TRITON console, or<br />
imported from your user directory. If a match is found, the administrator<br />
associated with the two-factor authentication credentials is logged on to the<br />
console.<br />
• If no certificate match is found and you have set up attribute matching as a<br />
fallback option, a check is performed to see if the client certificate contains a<br />
property matching a specific LDAP attribute in your user directory. If a match is<br />
found, the administrator associated with the two-factor authentication credentials<br />
is logged on to the console.<br />
If all configured certificate and attribute matching fails, or if the administrator does<br />
not have a client certificate, you can allow password authentication as a fallback<br />
option. If password authentication is disabled, administrators without matching<br />
certificates cannot log on.<br />
Deploying the master certificate file<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
When you create a new master certificate file following changes to your certificate<br />
authentication root certificate, you must update the <strong>Websense</strong> <strong>TRITON</strong> Web Server<br />
service with the new file. To do this:<br />
1. Go to the directory where you installed <strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong> (by<br />
default C:\Program Files (X86)\<strong>Websense</strong>), and access the EIP Infra directory.<br />
2. Run the script file replace_2fa_certificate.bat.<br />
The script file copies the new master certificate file that you have created to the<br />
<strong>Websense</strong> <strong>TRITON</strong> Web Server service, and then restarts the service.<br />
Setting up attribute matching<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
Use the <strong>TRITON</strong> Settings > Certificate Authentication > Configure Attribute<br />
Matching page to define the administrator LDAP property that matches against a<br />
property in the certificate provided.<br />
1. Under Administrator Property, select the property from your user directory that<br />
will be used to match against the administrator’s certificate. This can be:<br />
• The administrator Email address (local and network accounts)<br />
• LDAP distinguished name (network accounts only)<br />
• User name (local and network accounts)<br />
• A Custom LDAP field (network accounts only)<br />
Note<br />
If you are using a generic LDAP user directory, you must<br />
specify a custom field.<br />
2. If you have defined a custom LDAP field, click Verify Administrator Property<br />
to confirm that the property exists in your user directory. Select a network<br />
administrator account to verify against.<br />
Note<br />
Verify Administrator Property is available only if you<br />
have configured your user directory in the <strong>TRITON</strong><br />
console, and you have set up at least one network<br />
administrator account.<br />
When you save the settings on this page, the custom property is imported for all<br />
applicable accounts (network only, or local and network accounts) in the <strong>TRITON</strong><br />
console. If you need to change this field at a later date, click Update Property to<br />
import the new attribute matching value.<br />
3. Under Certificate Property, select the property in the administrator’s logon<br />
certificate to match against the LDAP property that you defined:<br />
• The email (RFC822) attribute of the subjectAltName field. Select this if you<br />
are matching against the administrator email address in your user directory<br />
• The Subject distinguished name, which defines the entity associated with this<br />
certificate<br />
• The unique serial number for each certificate issued by a particular<br />
Certification Authority (CA).<br />
4. Click OK.<br />
The properties that you selected are displayed in the Certificate Matching area on<br />
the <strong>TRITON</strong> Settings > Certificate Authentication page.<br />
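The logon order described under "How does certificate authentication work" and the attribute-matching scope configured here can be modelled to see what each fallback setting actually permits. This is an added example, not Websense code: the class and function names are hypothetical, the issuer string stands in for signature verification, the fingerprint stands in for the full certificate match, and it assumes a certificate that fails the root CA check is never used for attribute matching.<br />

```python
from dataclasses import dataclass
from typing import Optional

# Scope values for the two fallback options (names are hypothetical).
ALL_ADMINS = "all"                  # fallback applies to all administrators
WITHOUT_CERT_ONLY = "without_cert"  # only administrators with no certificate in the console


@dataclass(frozen=True)
class ClientCert:
    fingerprint: str   # stands in for the "full match" comparison
    issuer: str        # stands in for signature verification against a root CA
    subject_dn: str
    serial: str
    san_email: Optional[str] = None


@dataclass(frozen=True)
class Admin:
    username: str
    email: str
    ldap_dn: Optional[str] = None
    cert_fingerprint: Optional[str] = None  # certificate uploaded or imported for this account


@dataclass(frozen=True)
class Policy:
    trusted_roots: frozenset
    attribute_fallback: Optional[str] = None  # None = disabled, else a scope value
    admin_property: str = "email"             # email | ldap_dn | username
    cert_property: str = "san_email"          # san_email | subject_dn | serial
    password_fallback: Optional[str] = None   # None = disabled, else a scope value


def _norm(value):
    # Assumption: properties are compared case-insensitively, ignoring outer whitespace.
    return value.strip().casefold() if value else None


def _in_scope(scope, admin):
    return scope == ALL_ADMINS or (scope == WITHOUT_CERT_ONLY and admin.cert_fingerprint is None)


def authenticate(policy, admins, cert=None, password_user=None):
    """Return (method, username). password_user is a user whose password was already verified."""
    if cert is not None and cert.issuer in policy.trusted_roots:
        # Step 1: full match against certificates held in the console.
        for admin in admins:
            if admin.cert_fingerprint == cert.fingerprint:
                return ("certificate", admin.username)
        # Step 2: attribute matching, only if enabled and only for accounts in scope.
        wanted = _norm(getattr(cert, policy.cert_property))
        if policy.attribute_fallback and wanted:
            for admin in admins:
                if (_in_scope(policy.attribute_fallback, admin)
                        and _norm(getattr(admin, policy.admin_property)) == wanted):
                    return ("attribute", admin.username)
    # Step 3: password fallback, only if enabled and only for accounts in scope.
    if password_user and policy.password_fallback:
        for admin in admins:
            if admin.username == password_user and _in_scope(policy.password_fallback, admin):
                return ("password", admin.username)
    return ("denied", None)


# Constructed sample data.
ROOTS = frozenset({"CN=Example Root CA"})
ADMINS = [
    Admin("alice", "alice@example.test", cert_fingerprint="aa11"),
    Admin("bob", "bob@example.test"),
]
ALICE_PINNED = ClientCert("aa11", "CN=Example Root CA", "CN=alice", "01", "alice@example.test")
ALICE_REISSUED = ClientCert("aa22", "CN=Example Root CA", "CN=alice", "02", "alice@example.test")
BOB_CERT = ClientCert("bb11", "CN=Example Root CA", "CN=bob", "03", "bob@example.test")
UNTRUSTED = ClientCert("ff00", "CN=Unknown CA", "CN=alice", "04", "alice@example.test")


def demo():
    strict = Policy(ROOTS, attribute_fallback=WITHOUT_CERT_ONLY)
    broad = Policy(ROOTS, attribute_fallback=ALL_ADMINS, password_fallback=ALL_ADMINS)
    return {
        "strict/pinned": authenticate(strict, ADMINS, ALICE_PINNED),
        "strict/reissued": authenticate(strict, ADMINS, ALICE_REISSUED),
        "broad/reissued": authenticate(broad, ADMINS, ALICE_REISSUED),
        "broad/password": authenticate(broad, ADMINS, password_user="alice"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

With the "all administrators" scope, any certificate issued under a trusted root that carries the matching property is accepted for an account, and password fallback with the same scope makes the certificate optional; the "without certificates" scope keeps accounts that have a stored certificate tied to that certificate.<br />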
Audit log<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
Use the <strong>TRITON</strong> Settings > Audit Log page to view actions performed by<br />
administrators in the system.<br />
Note<br />
Only Global <strong>Security</strong> Administrators can access this page.<br />
By default, the displayed actions are sorted by date and time. If a filter is used, the<br />
number of displayed actions is shown at the top of the list.<br />
Column: Description<br />
• ID: ID number of the action. You can quickly jump to an Audit Log action by entering the ID number in the Find ID field and clicking Find.<br />
• Date & Time: Date and time the action occurred.<br />
• Administrator: Name and user name of the administrator that initiated the action in the TRITON console.<br />
• Role: Role of the administrator.<br />
• Action Performed: Details of the action. This column may contain variables that are filled in by the system, for example a logon user name.<br />
3<br />
Accessing Appliances<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
Websense, Inc., offers security appliances with an operating system optimized for<br />
analyzing Web and email traffic and content. If you have purchased an appliance-based<br />
solution, the TRITON console enables you to view details of and easily access<br />
multiple appliances.<br />
For more information, see:<br />
Managing appliances, page 29<br />
Registering an appliance, page 30<br />
Editing appliance details, page 31<br />
Configuring an existing appliance for single sign-on, page 32<br />
Managing appliances<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
Use the Appliances > Manage Appliances page to review the <strong>Websense</strong> appliances<br />
registered (associated) with this <strong>TRITON</strong> console, register additional appliances, or<br />
unregister an appliance.<br />
The following information is displayed for each registered appliance:<br />
• IP address for interface C on the appliance<br />
• Appliance hostname<br />
• Security mode: Web Security, Email Security, or Web Security and Email Security<br />
• Policy source mode (applies only to appliances that include Web Security): full<br />
policy source, user directory and filtering, or filtering only<br />
• Description (can be edited on the System page in Appliance Manager)<br />
• Websense software version (for example, 7.7.0)<br />
• Hardware platform (for example, V5000 or V10000 G2)<br />
Click the arrow next to the appliance IP address to expand the appliance information<br />
and see these details. Use the Expand All and Collapse All buttons to expand or<br />
collapse all appliance information.<br />
If the details for an appliance include a Single Sign-On button, you can access that<br />
appliance without providing further logon credentials.<br />
• To register an appliance with the TRITON console, see Registering an appliance,<br />
page 30. New appliances can be configured for single sign-on when you add them<br />
to the TRITON console.<br />
• To configure an existing appliance (for example, an appliance upgraded from a<br />
previous version) for single sign-on, see Configuring an existing appliance for<br />
single sign-on, page 32.<br />
• To access an appliance that is not configured for single sign-on, click the<br />
appliance’s IP address. This opens a logon page in a new browser. Enter your<br />
Appliance Manager logon credentials.<br />
Registering an appliance<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
To register a new appliance with the <strong>TRITON</strong> console:<br />
1. Click Register Appliance.<br />
2. Enter the IP address for network interface C on the appliance.<br />
3. To configure single sign-on from this <strong>TRITON</strong> console to the appliance, mark<br />
Enable single sign-on from the <strong>TRITON</strong> console.<br />
4. Enter the administrator password for the appliance.<br />
5. To specify <strong>TRITON</strong> administrators who have single sign-on permissions for this<br />
appliance, click User Permissions.<br />
6. To give an administrator single sign-on permissions, mark the check box next to<br />
the user name in the Available users list, and then click the right arrow (>) to add<br />
the administrator to the Users with access list.<br />
Note<br />
Global <strong>Security</strong> Administrators and administrators with<br />
full appliance access are greyed out in the Users with<br />
access list, because they have single sign-on access by<br />
default, and this cannot be changed.<br />
7. Click Save.<br />
If successful, an Appliance Details popup appears confirming the appliance has<br />
been added to the <strong>TRITON</strong> console, and displaying information retrieved from the<br />
appliance.<br />
An appliance can only be configured for single sign-on from one <strong>TRITON</strong><br />
Management Server. If another <strong>TRITON</strong> instance has already registered an<br />
appliance with single sign-on, an error message appears. Select Transfer<br />
registration to transfer the single sign-on to this instance of the <strong>TRITON</strong> console,<br />
or select Register without Single Sign-On to register the appliance and preserve<br />
single sign-on configuration on the other <strong>TRITON</strong> Management Server.<br />
8. To add further appliances, click Add Another Appliance and repeat steps 2 to 7<br />
above. If you are finished adding appliances, click Done.<br />
If the <strong>TRITON</strong> console cannot connect to the IP address that you enter, ensure:<br />
• The IP address you entered is the correct one for the appliance’s C interface<br />
• The appliance and appliance manager are both running<br />
• The system clock on the TRITON console machine matches the clock on the<br />
appliance to within 1 minute<br />
To refresh the information for an appliance, expand the appliance information and<br />
click Refresh Details. To refresh all of the appliance information on this page, click<br />
Refresh All Appliances.<br />
To remove an appliance from the list, expand the appliance information and click<br />
Unregister, then click Yes to confirm.<br />
Editing appliance details<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
To edit an appliance’s IP address:<br />
1. Click the arrow next to the current appliance IP address to expand the appliance<br />
information.<br />
2. Click the icon to the right of the current IP address.<br />
3. Enter the new IP address for network interface C on the appliance.<br />
4. Click Save.<br />
If the <strong>TRITON</strong> console cannot connect to the IP address that you enter, ensure:<br />
• The IP address you entered is the correct one for the appliance’s C interface<br />
• The appliance and appliance manager are both running<br />
• The system clock on the TRITON console machine matches the clock on the<br />
appliance to within 1 minute<br />
To change the list of administrators who can access the appliance with single sign-on:<br />
1. Click the arrow next to the current appliance IP address to expand the appliance<br />
information.<br />
2. Click the Edit single sign-on user permissions icon in the top right corner of the<br />
appliance information pane.<br />
3. To give an administrator single sign-on permissions, mark the check box next to<br />
the user name in the Available users list, and then click the right arrow (>) to add<br />
the administrator to the Users with access list.<br />
4. To remove single sign-on permissions from an administrator, mark the check box<br />
next to the user name in the Users with access list, and then click the left arrow () to add<br />
the administrator to the Users with access list.<br />
Note<br />
Global <strong>Security</strong> Administrators and administrators with<br />
full appliance access are greyed out in the Users with<br />
access list, because they have single sign-on access by<br />
default, and this cannot be changed.<br />
6. Click Save.<br />
An appliance can only be configured for single sign-on from one <strong>TRITON</strong><br />
Management Server. If another <strong>TRITON</strong> instance has already registered an appliance<br />
with single sign-on, an error message appears. Select Transfer registration to<br />
transfer the single sign-on to this instance of the <strong>TRITON</strong> console, or select Register<br />
without Single Sign-On to register the appliance and preserve single sign-on<br />
configuration on the other <strong>TRITON</strong> Management Server.<br />
4<br />
Backup and Restore of<br />
<strong>TRITON</strong> Data<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
You can back up your <strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong> settings and system data on<br />
your <strong>TRITON</strong> Management Server machine, and revert to a previous configuration if<br />
required. Data saved by the backup process can also be used to import <strong>Websense</strong><br />
configuration information after an upgrade, and to transfer configuration settings to a<br />
different <strong>TRITON</strong> Management Server machine.<br />
Important<br />
Make sure that all administrators log off of the<br />
<strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong> before you back up or<br />
restore your configuration.<br />
The backup process saves:<br />
• Global configuration and infrastructure information, including administrator and<br />
appliance data, stored in the TRITON Settings Database.<br />
• Certificate files required for the TRITON browser components.<br />
The backup process works as follows:<br />
1. You initiate an immediate backup (see Running immediate backups, page 35) or<br />
define a backup schedule (see Scheduling <strong>TRITON</strong> infrastructure backups, page<br />
34).<br />
• Manually launch a backup at any time.<br />
• Backup files are stored in the C:\EIPBackup directory by default. To change<br />
the backup file location, see Changing backup settings, page 36.<br />
2. The backup process checks all <strong>Websense</strong> components on the machine, collects the<br />
data eligible for backup, and creates a new folder in the EIPBackup directory with<br />
the format:<br />
mm-dd-yyyy-hh-mm-ss-PP<br />
This format represents the date and time of the backup, for example:<br />
02-10-2011-10-45-30-PM<br />
Each backup folder contains a number of files, including:<br />
• EIP.db: a standard PostgreSQL backup file.<br />
• httpd-data.txt: contains embedded certificate information and encryption keys<br />
• backup.txt: created if the backup completes successfully<br />
• DataBackup.log: a detailed log file containing information generated during<br />
backup<br />
These files should be part of your organization’s regular backup procedures.<br />
To check that a backup completed successfully, navigate to the C:\Program Files<br />
(X86)\<strong>Websense</strong>\EIP Infra directory and open the EIPBackup.log file in a text<br />
editor such as Notepad. The log information should look similar to this:<br />
2/15/2011 2:27:42 AM --- Backing up to: C:\EIPBackup\2-15-2011-2-27-42-AM<br />
2/15/2011 2:27:42 AM --- Backing Up Certificates ...<br />
2/15/2011 2:27:42 AM --- Backing Up PostgreSQL ...<br />
2/15/2011 2:27:42 AM *** BACKUP FINISHED ***<br />
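The manual check above can be scripted. This added example (not part of the Websense documentation or product) parses EIPBackup.log text in the format shown, reports whether the most recent run reached BACKUP FINISHED, and checks the backup folder for the four files listed earlier. The function names are hypothetical, the second run in the sample log is constructed, and the 60-second tolerance between folder name and log timestamp is an assumption.<br />

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# One log line: "<m/d/yyyy h:mm:ss AM|PM> <message>", as in the sample on this page.
LOG_LINE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (.*)$")
START = "--- Backing up to:"
FINISHED = "*** BACKUP FINISHED ***"
# Files the page lists for each backup folder; backup.txt exists only after a successful run.
EXPECTED_FILES = {"EIP.db", "httpd-data.txt", "backup.txt", "DataBackup.log"}

# First four lines follow the page's sample; the second run is constructed and never finishes.
SAMPLE_LOG = r"""2/15/2011 2:27:42 AM --- Backing up to: C:\EIPBackup\2-15-2011-2-27-42-AM
2/15/2011 2:27:42 AM --- Backing Up Certificates ...
2/15/2011 2:27:42 AM --- Backing Up PostgreSQL ...
2/15/2011 2:27:42 AM *** BACKUP FINISHED ***
2/22/2011 12:00:03 AM --- Backing up to: C:\EIPBackup\2-22-2011-12-00-03-AM
2/22/2011 12:00:03 AM --- Backing Up Certificates ...
"""


def parse_runs(log_text):
    """Split the log into backup runs; a run is finished only if its own marker follows it."""
    runs = []
    for raw in log_text.splitlines():
        match = LOG_LINE.match(raw.strip())
        if not match:
            continue
        stamp = datetime.strptime(match.group(1), "%m/%d/%Y %I:%M:%S %p")
        message = match.group(2)
        if message.startswith(START):
            folder = message[len(START):].strip()
            runs.append({"started": stamp, "folder": folder, "finished": False})
        elif message == FINISHED and runs:
            runs[-1]["finished"] = True
    return runs


def folder_time(folder):
    """Decode the mm-dd-yyyy-hh-mm-ss-PP folder name (zero-padded or not) into a datetime."""
    name = PureWindowsPath(folder).name
    return datetime.strptime(name, "%m-%d-%Y-%I-%M-%S-%p")


def missing_files(folder_files):
    return sorted(EXPECTED_FILES - set(folder_files))


def check_latest(log_text, folder_files):
    """Return a list of problems with the most recent run; an empty list means it looks complete.

    folder_files is the listing of the run's backup folder (for example from os.listdir).
    """
    runs = parse_runs(log_text)
    if not runs:
        return ["no backup run found in log"]
    last = runs[-1]
    problems = []
    if not last["finished"]:
        problems.append("no BACKUP FINISHED marker for " + last["folder"])
    try:
        drift = abs((folder_time(last["folder"]) - last["started"]).total_seconds())
        if drift > 60:
            problems.append("folder name does not match log timestamp")
    except ValueError:
        problems.append("folder name is not in mm-dd-yyyy-hh-mm-ss-PP format")
    problems += ["missing file: " + name for name in missing_files(folder_files)]
    return problems


if __name__ == "__main__":
    # Constructed listing: the unfinished run has no backup.txt.
    for problem in check_latest(SAMPLE_LOG, ["EIP.db", "httpd-data.txt", "DataBackup.log"]):
        print(problem)
```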
Each <strong>TRITON</strong> module has its own backup and restore process for the module system<br />
settings:<br />
• For TRITON - Data Security, see Backing up the system in TRITON - Data<br />
Security Help.<br />
• For TRITON - Email Security, see Backing up and restoring management server<br />
settings in TRITON - Email Security Help.<br />
• For TRITON - Web Security, see Backing up and restoring your Websense data<br />
in TRITON - Web Security Help.<br />
You should run <strong>TRITON</strong> infrastructure backups in synchronization with <strong>TRITON</strong> -<br />
Web <strong>Security</strong> backups. See Synchronizing <strong>TRITON</strong> infrastructure and <strong>TRITON</strong> - Web<br />
<strong>Security</strong> backups, page 37.<br />
Scheduling <strong>TRITON</strong> infrastructure backups<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
When you installed the <strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong>, a scheduled task for<br />
backups was created. By default this task is disabled.<br />
Notify <strong>Websense</strong> administrators of the backup schedule, so that they can be sure to log<br />
off of the <strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong> during the backup process.<br />
All backups are “hot”—that is, they do not interfere with system operation. However,<br />
<strong>Websense</strong> recommends that you schedule backups when the system isn’t under<br />
significant load.<br />
To schedule backups on Windows Server 2008:<br />
1. On the <strong>TRITON</strong> Management Server, go to Start > Administrative Tools > Task<br />
Scheduler.<br />
2. In the Task Scheduler window, select Task Scheduler Library.<br />
3. Right-click the Triton Backup task and select Enable.<br />
4. Right-click Triton Backup again and select Properties.<br />
5. Select the Triggers tab.<br />
6. Click Edit, and edit the schedule as required. By default, the task is scheduled to<br />
run weekly on Saturdays at midnight.<br />
7. Click OK twice.<br />
8. If requested, enter your administrator password for the <strong>TRITON</strong> Management<br />
Server machine to confirm the changes to the task.<br />
Running immediate backups<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
Before running a manual backup, make sure that all administrators are logged out of<br />
the <strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong>.<br />
To launch an immediate backup:<br />
1. On the <strong>TRITON</strong> Management Server, go to Start > Administrative Tools > Task<br />
Scheduler.<br />
2. In the Task Scheduler window, select Task Scheduler Library.<br />
3. If the Triton Backup task is disabled, right-click the task and select Enable.<br />
4. Right-click the Triton Backup task and select Run.<br />
Restoring <strong>TRITON</strong> infrastructure backup data<br />
<strong>TRITON</strong> Console <strong>Help</strong> | Web, Data, and Email <strong>Security</strong> Solutions | v<strong>7.7</strong><br />
You can activate the restore operation from the <strong>TRITON</strong> Infrastructure Modify<br />
wizard. Make sure that all administrators are logged off of the <strong>TRITON</strong> <strong>Unified</strong><br />
<strong>Security</strong> <strong>Center</strong>.<br />
Before starting the restore process, it is recommended that you stop the <strong>TRITON</strong><br />
<strong>Unified</strong> <strong>Security</strong> <strong>Center</strong> service.<br />
To restore <strong>TRITON</strong> infrastructure data:<br />
1. On the <strong>TRITON</strong> Management Server, go to Start > Administrative Tools ><br />
Services.<br />
2. Right-click the <strong>Websense</strong> <strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong> service and select<br />
Stop.<br />
3. Open the Windows Control Panel and select Programs > Programs and<br />
Features.<br />
4. Select <strong>Websense</strong> <strong>TRITON</strong> Infrastructure.<br />
5. Click Uninstall/Change.<br />
6. When asked if you want to add, remove, or modify the <strong>TRITON</strong> Infrastructure,<br />
select Modify.<br />
7. Click Next until you get to the Restore Data from Backup screen.<br />
8. Select Use backup data, then click Browse to locate the backup folder.<br />
9. Click Next until you begin the restore process.<br />
10. Click Finish to complete the restore wizard.<br />
11. Go back to the Services window and click Refresh. If the <strong>Websense</strong> <strong>TRITON</strong><br />
<strong>Unified</strong> <strong>Security</strong> <strong>Center</strong> service has not restarted, right-click it and select Start.<br />
Once the restore process is complete, a file named DataRestore.log is created in the<br />
date-stamped backup folder that was used for the restore.<br />
Changing backup settings<br />
When you run your first backup, an EIPBackup directory is created to contain the<br />
date-stamped folders for each set of backup files. By default this directory is created in<br />
C:\. You can change this location, and also define how many old backups are kept in<br />
the backup directory.<br />
To change the settings for the backup files:<br />
1. On the <strong>TRITON</strong> Management Server, navigate to the C:\Program Files<br />
(X86)\<strong>Websense</strong>\EIP Infra directory.<br />
2. Open EIPBackup.xml in a text editor such as Notepad.<br />
This file contains the following parameters:<br />
Parameter | Description<br />
NUM_OF_COPIES | The number of old backups to store in the backup directory. Defaults to 5.<br />
PATH | The location of the EIPBackup directory. Defaults to C:\.<br />
DOMAIN | Only required if the PATH parameter is set to access a remote machine and you need to supply credentials in the form domain\user to write to the location. Leave this field blank if you have defined a path on the local machine, or if you have entered credentials in USER_NAME.<br />
USER_NAME | Only required if the PATH parameter is set to access a remote machine and you need to supply a user name to write to the location. Leave this field blank if you have defined a path on the local machine, or if you have entered credentials in DOMAIN.<br />
PASSWORD | Only required if the PATH parameter is set to access a remote machine and you have entered credentials in either DOMAIN or USER_NAME. Passwords are stored as plain text.<br />
3. Edit the NUM_OF_COPIES parameter to specify the number of old backups<br />
that should be kept. Once this number is reached, the oldest backup is deleted<br />
when the next backup is run.<br />
4. Edit the PATH parameter to define the location of the backup files. The location<br />
must exist already as the backup process will not create it. For example, if you set<br />
the parameter to a location on the <strong>TRITON</strong> Management Server machine, such as:<br />
D:\<strong>TRITON</strong>\Backups<br />
the backup files will be stored in D:\<strong>TRITON</strong>\Backups\EIPBackup.<br />
You can also set the location to be another machine on your network, for example:<br />
//server01/backups<br />
If you do this, you may also need to enter credentials for access to the remote<br />
machine in the DOMAIN or USER_NAME, and PASSWORD<br />
parameters. This is not recommended as the password is stored as plain text and<br />
could therefore be accessed by other users. Instead, it is recommended that you<br />
store the backups in a location to which you have write access without needing<br />
credentials.<br />
Note<br />
If you change the location of the backup files, older<br />
backup files are deleted only from the new location.<br />
Manage backup files in any previously-defined locations<br />
manually.<br />
5. Save the file when done. Changes take effect when the next backup is run.<br />
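The following PowerShell check is an added example, not part of the Websense documentation: it reads an EIPBackup.xml file and reports a stored PASSWORD, credentials set for a local PATH, and a PATH that does not exist. The XML layout, the function names and the sample values are assumptions, because this guide does not show the structure of the file.

```powershell
# Added example, not Websense code. Assumption: each parameter is an XML element
# or attribute named as in the table above; the guide does not show the real
# layout, so the lookup matches by name anywhere in the file.
function Get-EipSetting([xml]$Xml, [string]$Name) {
    $node = $Xml.SelectSingleNode("//*[local-name()='$Name'] | //@*[local-name()='$Name']")
    if ($null -ne $node) { $node.InnerText.Trim() } else { '' }
}

function Test-EipBackupConfig([string]$ConfigFile) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path -LiteralPath $ConfigFile).ProviderPath)
    $path = (Get-EipSetting $xml 'PATH') -replace '/', '\'
    $findings = @()

    # A stored PASSWORD is readable by every account that can read the file.
    if (Get-EipSetting $xml 'PASSWORD') {
        $findings += 'PASSWORD is set: the credential is stored as plain text.'
        $readers = (Get-Acl -Path $ConfigFile).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        $findings += 'Accounts granted access to the file: ' + ($readers -join ', ')
    }
    # DOMAIN and USER_NAME only apply when PATH points at a remote machine.
    $hasCreds = (Get-EipSetting $xml 'DOMAIN') -or (Get-EipSetting $xml 'USER_NAME')
    if ($hasCreds -and -not $path.StartsWith('\\')) {
        $findings += 'DOMAIN or USER_NAME is set but PATH is local: leave them blank.'
    }
    # The backup process does not create PATH, so it must already exist.
    if ($path -and -not (Test-Path -LiteralPath $path)) {
        $findings += "PATH '$path' does not exist: the backup will not create it."
    }
    $findings
}

# Constructed sample (hypothetical layout and values) so the check runs anywhere.
$sample = Join-Path $env:TEMP 'EIPBackup-sample.xml'
@'
<BACKUP>
  <NUM_OF_COPIES>5</NUM_OF_COPIES>
  <PATH>C:\no-such-dir\backups</PATH>
  <DOMAIN></DOMAIN>
  <USER_NAME>backupsvc</USER_NAME>
  <PASSWORD>constructed-example</PASSWORD>
</BACKUP>
'@ | Set-Content -LiteralPath $sample
Test-EipBackupConfig $sample
```

On the TRITON Management Server, pass the EIPBackup.xml file from the EIP Infra directory named in step 1 instead of the sample; an empty result means none of the three conditions was found.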
Synchronizing <strong>TRITON</strong> infrastructure and <strong>TRITON</strong> - Web <strong>Security</strong> backups<br />
If you have the <strong>TRITON</strong> - Web <strong>Security</strong> module, administrator information, including<br />
permissions and local administrators’ passwords, is stored in both the <strong>TRITON</strong><br />
Settings Database and the <strong>TRITON</strong> - Web <strong>Security</strong> Policy Database. This is because<br />
the administrators defined on the <strong>TRITON</strong> Settings > Administrators page can then<br />
be assigned roles in <strong>TRITON</strong> - Web <strong>Security</strong>, and different privileges within those<br />
roles.<br />
To ensure that this information is kept in sync, always back up and restore <strong>TRITON</strong> -<br />
Web <strong>Security</strong> and the <strong>TRITON</strong> infrastructure at the same time. The steps in this<br />
section describe the <strong>TRITON</strong> infrastructure backup followed by the <strong>TRITON</strong> - Web<br />
<strong>Security</strong> backup; however, the order in which you run the two processes does not<br />
matter, as long as there are no changes made in the <strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong><br />
for the duration of both backups.<br />
To run a combined <strong>TRITON</strong> - Web <strong>Security</strong> and <strong>TRITON</strong> Infrastructure manual<br />
backup:<br />
1. Follow the instructions in Running immediate backups, page 35.<br />
2. Open a command prompt and navigate to the <strong>Websense</strong> bin directory (by default<br />
C:\Program Files (X86)\<strong>Websense</strong>\Web <strong>Security</strong>\bin).<br />
3. Enter the following command:<br />
wsbackup -b -d directory<br />
Here, directory indicates the destination directory for the <strong>TRITON</strong> - Web <strong>Security</strong><br />
backup archive.<br />
To schedule a combined <strong>TRITON</strong> - Web <strong>Security</strong> and <strong>TRITON</strong> Infrastructure backup,<br />
set the schedule time and frequency to ensure the backups are always synchronized.<br />
Follow the instructions in Scheduling <strong>TRITON</strong> infrastructure backups, page 34, then<br />
see “Scheduling backups” in <strong>TRITON</strong> - Web <strong>Security</strong> <strong>Help</strong>.<br />
To run a combined <strong>TRITON</strong> - Web <strong>Security</strong> and <strong>TRITON</strong> Infrastructure restore:<br />
1. On the <strong>TRITON</strong> Management Server, go to Start > Administrative Tools ><br />
Services.<br />
2. Right-click the <strong>Websense</strong> <strong>TRITON</strong> <strong>Unified</strong> <strong>Security</strong> <strong>Center</strong> service and select<br />
Stop.<br />
3. Right-click the <strong>Websense</strong> <strong>TRITON</strong> - Web <strong>Security</strong> service and select Stop.<br />
4. Follow the <strong>TRITON</strong> Infrastructure restore process in Restoring <strong>TRITON</strong><br />
infrastructure backup data, page 35.<br />
5. Run the backup utility in restore mode, as described in “Restoring your <strong>Websense</strong><br />
data” in <strong>TRITON</strong> - Web <strong>Security</strong> <strong>Help</strong>. Ensure the backup file you specify has the<br />
same date as the <strong>TRITON</strong> infrastructure backup file.<br />
6. Go back to the Services window and click Refresh. If the <strong>TRITON</strong> - Web<br />
<strong>Security</strong> service has not restarted, right-click it and select Start.<br />