TRITON Unified Security Center Help

Websense ® TRITON Un ified Security Center

v7.7
©2011-2012, Websense Inc.
All rights reserved.
10240 Sorrento Valley Rd., San Diego, CA 92121, USA
Published 2012
Printed in the United States of America and Ireland.
The products and/or methods of use described in this document are covered by U.S. Patent Numbers 6,606,659 and 6,947,985
and other patents pending.
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic
medium or machine-readable form without prior consent in writing from Websense Inc.
Every effort has been made to ensure the accuracy of this manual. However, Websense Inc., makes no warranties with
respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose.
Websense Inc. shall not be liable for any error or for incidental or consequential damages in connection with the furnishing,
performance, or use of this manual or the examples herein. The information in this documentation is subject to change
without notice.
Trademarks
Websense, the Websense Logo, Threatseeker and the YES! Logo are registered trademarks of Websense, Inc. in the United
States and/or other countries. Websense has numerous other unregistered trademarks in the United States and
internationally. All other trademarks are the property of their respective owners.
Contents
Topic 1 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Logging on to the TRITON console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Logging on with two-factor authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Security certificate alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
TRITON console session time outs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Managing your account through the MyWebsense Portal . . . . . . . . . . . . . . . . . . . 7
Websense technical support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Topic 2 Configuring TRITON Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Viewing your account information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Setting user directory information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Introducing administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Global Security Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
TRITON administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Enabling access to the TRITON console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Adding a local account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Adding a network account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Editing a local account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Editing a network account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Setting email notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Configuring certificate authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
How does certificate authentication work? . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Setting up attribute matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Audit log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Topic 3 Accessing Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Managing appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Registering an appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Editing appliance details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Configuring an existing appliance for single sign-on . . . . . . . . . . . . . . . . . . . 32
Topic 4 Backup and Restore of TRITON Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Scheduling TRITON infrastructure backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Running immediate backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Restoring TRITON infrastructure backup data . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Changing backup settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Synchronizing TRITON infrastructure and TRITON - Web Security backups. . 37

TRITON Unified Security Center Help i

Contents

ii Websense TRITON Unified Security Center

1 Getting Started
TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

The TRITON Unified Security Center is a browser-based console that provides a

central, graphical interface to the general configuration, policy management, and
reporting functions of your Websense security software.
The TRITON console includes one or more of the following modules, depending on
your subscription:
 TRITON - Web Security works in conjunction with integration devices
(including proxy servers, firewalls, routers, and caching appliances) and enables
you to develop, monitor, and enforce Internet access policies.
 TRITON - Data Security protects organizations from information leaks and data
loss both at the perimeter and inside the organization.
 TRITON - Email Security protects your organization against the threats of
malware, spam, and other unwanted content in email traffic.
If your subscription includes TRITON Mobile Security, the TRITON console also
provides a link to the Mobile Security portal: a cloud-based console used to manage
threat protection and data loss prevention for mobile devices.
To learn to use the TRITON console, browse this guide or use select one of the
following topics as a launch point.

First steps Manage administrators

 Logging on to the TRITON console  Introducing administrators
 Navigating in the TRITON console  Setting user directory information
 Managing your account through the  Enabling access to the TRITON
MyWebsense Portal console
 Viewing your account information  Setting email notifications
Other administrator tasks Backup and restore
 Configuring certificate authentication  Scheduling TRITON infrastructure
 Audit log backups
 Managing appliances  Restoring TRITON infrastructure
backup data

TRITON Unified Security Center Help  1

Getting Started

Logging on to the TRITON console

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Related topics:
 Logging on with two-factor authentication, page 3
 Security certificate alerts, page 4
 TRITON console session time outs, page 5

The TRITON console is the central configuration interface used to manage software
configuration and settings for your Websense software modules. This Web-based tool
runs on the following supported browsers:
 Microsoft Internet Explorer 8 and 9

Note
If you are using Internet Explorer, make sure Enhanced
Security Configuration is switched off.
Also, if you are using Internet Explorer 8, Compatibility
View is not supported.

 Mozilla Firefox 4.x and later

 Google Chrome 13 and later
Although it is possible to launch the TRITON console using some other browsers, use
the supported browsers to receive full functionality and proper display of the
application.

Note
Some animations in the TRITON console depend on the
browser settings. In Internet Explorer, select the Tools >
Internet Options > Advanced > Multimedia > Play
animation in webpages option to ensure animations
display properly.

To launch the TRITON console, do one of the following:

 On Windows machines, go to Start > Programs > Websense, and then select
TRITON Unified Security Center.
 Double-click the TRITON Unified Security Center shortcut placed on the desktop
during installation.
 Open a supported browser on any machine in your network and enter the
following:
https://<IP_address_or_hostname>:9443/triton/

2  Websense TRITON Unified Security Center

 Getting Started

Substitute the IP address or hostname of the TRITON machine. It is recommended

that you use the IP address, especially when launching the TRITON console from
a remote machine.
After installation, the default user, admin, has full administrative access to all
modules of the TRITON console. The account cannot be deleted, and the user name
cannot be changed. The admin password is configured during installation.
At the logon page, enter your User name and Password, then click Log On. If your
organization is using two-factor authentication, see Logging on with two-factor
authentication, page 3.

Note
If you are using a local user name created in the TRITON
console and that user name and password match a network
account user name and password, the local account takes
precedence.

If you are unable to connect to the TRITON console from a remote machine, make
sure that your firewall allows communication on that port.

Windows 7 considerations
If you are using the Windows 7 operating system, you may need to run the browser as
administrator for it to allow ActiveX controls.
1. Right-click the browser application and select Run as administrator.
2. Log on to the TRITON console and accept the security certificate as described
above.

Adobe Flash Player

Adobe Flash Player v8 or beyond is required for the Data Security, Web Security, and
Email Security dashboards. All the other functions of the TRITON console can
operate without Flash. If you do not already have Flash Player, you are prompted to
install it when you log on. Click the link that is supplied and download Flash Player
from the Adobe download center.

Logging on with two-factor authentication

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

If you are using two-factor authentication, you do not usually see the logon page.
Instead, when you access the TRITON console URL:
1. The console detects whether a client certificate is installed.
2. You provide your two-factor authentication credentials as defined by your
organization.

TRITON Unified Security Center Help  3

Getting Started

3. After successful authentication, the TRITON console receives the client

certificate and checks that it matches the signature in the uploaded root CA
certificates.
4. If the signature matches, the TRITON console checks for a full match with the
certificates that you have either uploaded to the TRITON console, or imported
from your user directory.
5. If a match is found, you are logged on to the console.
If no certificate match is found, the logon process depends on the fallback options that
have been set up:
 Attribute matching checks if the client certificate contains a property matching a
specific LDAP attribute in your user directory.
 Password authentication can be enabled in case certificate matching and attribute
matching fails.
If neither of these options is available, you cannot log on without a matching
certificate.
If all of your administrator accounts are configured to use two-factor authentication,
and you encounter an issue where your administrators do not have client certificates or
certificate matching is failing, you can still log on to the TRITON console as follows:
1. Open a browser on the TRITON Management Server machine. You can access the
machine using a Remote Desktop Connection.
2. Go to the URL https://127.0.0.1:9443/triton (or https://localhost:9443/triton).
3. Log on using the admin user name and password.
You can then configure your two-factor authentication options to provide a fallback
for your other administrators. See Configuring certificate authentication, page 25.

Security certificate alerts

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

An SSL connection is used for secure, browser-based communication with the

TRITON console. This connection uses a security certificate issued by Websense, Inc.
Because the supported browsers do not recognize Websense, Inc., as a known
Certificate Authority, a certificate error is displayed the first time you launch the
TRITON console from a new browser. To avoid seeing this error, you can install or
permanently accept the certificate within the browser. See the Websense Technical
Library for instructions.

4  Websense TRITON Unified Security Center

 Getting Started

Once the security certificate has been accepted, the TRITON Unified Security Center
logon page is displayed in the browser window.

Note
If you are using Internet Explorer, the certificate error will
still be present after you accept the certificate. You must
close and reopen your browser to remove the error
message.

TRITON console session time outs

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

A TRITON console session ends 30 minutes after the last action taken in the user
interface (clicking from page to page, entering information, caching changes, or
saving changes). A warning message is displayed 5 minutes before session end.
 If there are uncached or unsaved changes, the changes are lost when the session
ends. Remember to save and deploy changes regularly.
 If the TRITON console is open in multiple tabs of the same browser window, all
instances share the same session. If the session times out in one tab, it times out in
all tabs.
 If the TRITON console is open in multiple browser windows on the same
computer, the instances, by default, share the same session.
If the session times out in one window, it times out in all windows.
 In the following instances, you can open multiple TRITON instances that do not
share a session. In these situations, if one window times out, the others are not
affected.
 Use the File > New Session command to open a new Internet Explorer 8 or 9
window.
 Use Internet Explorer to open one connection to the TRITON console, and
then use Firefox or Chrome to open another connection.
If you close the browser without logging off of the TRITON console, or if the remote
machine from which you are accessing a TRITON module shuts down unexpectedly,
you may be temporarily locked out. Websense software typically detects this issue
within about 2 minutes and ends the interrupted session, allowing you to log on again.

TRITON Unified Security Center Help  5

Getting Started

Navigating in the TRITON console

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

The TRITON Settings interface can be divided into 5 main areas:

1. Banner
2. TRITON toolbar
3. Module toolbar
4. Navigation pane
5. Content pane
The banner shows:
 Your current logon account
 A Log Off button, for when you’re ready to end your administrative session
The TRITON toolbar indicates which module is active, and lets you launch other
TRITON modules. It also provides access to Help, tutorials, the Technical Library,
and other useful information.
When you log on to the TRITON console, the module you last accessed is active and
the button for that module in the TRITON toolbar is yellow. Buttons for modules that
are installed but not currently active are blue, and buttons for uninstalled modules are
grey.
The module toolbar contains information and options relevant to the module that is
currently active. If you are configuring TRITON settings or appliances, it contains
your TRITON administrator permissions.

6  Websense TRITON Unified Security Center

 Getting Started

The navigation pane contains the available navigation choices for the TRITON
module or TRITON configuration option that is currently selected. The content pane
varies according to the selection in the navigation pane.
For more information about specific modules, see:
 TRITON - Data Security Help
 TRITON - Email Security Help
 TRITON - Web Security Help

Managing your account through the MyWebsense Portal

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Websense, Inc., maintains a customer portal at www.mywebsense.com that you can

use to access product updates, patches and hotfixes, product news, evaluations, and
technical support resources for your Websense software.
When you create an account, the account is associated with your Websense
subscription key or keys. This helps to ensure your access to information, alerts, and
patches relevant to your Websense product and version.
Multiple members of your organization can create MyWebsense logons associated
with the same subscription key.

Websense technical support

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Technical information about Websense software and services is available 24 hours a

day at support.websense.com, including:
 the latest release information
 the searchable Websense Knowledge Base
 Support forums
 Support Webinars
 show-me tutorials
 product documents
 answers to frequently asked questions
 Top Customer Issues
 in-depth technical papers
For additional questions, click the Contact Support tab at the top of the page.
If your issue is urgent, please call one of the offices listed below. You will be routed to
the first available technician, who will gladly assist you.

TRITON Unified Security Center Help  7

Getting Started

For less urgent cases, use our online Support Request Portal at ask.websense.com.
For faster phone response, please use your Support Account ID, which you can find
in the Profile section at MyWebsense.

Location Contact information

North America +1-858-458-2940
France Contact your Websense Reseller. If you cannot locate
your Reseller: +33 (0) 1 5732 3227
Germany Contact your Websense Reseller. If you cannot locate
your Reseller: +49 (0) 69 517 09347
UK Contact your Websense Reseller. If you cannot locate
your Reseller: +44 (0) 20 3024 4401
Rest of Europe Contact your Websense Reseller. If you cannot locate
your Reseller: +44 (0) 20 3024 4401
Middle East Contact your Websense Reseller. If you cannot locate
your Reseller: +44 (0) 20 3024 4401
Africa Contact your Websense Reseller. If you cannot locate
your Reseller: +44 (0) 20 3024 4401
Australia/NZ Contact your Websense Reseller. If you cannot locate
your Reseller: +61 (0) 2 9414 0033
Asia Contact your Websense Reseller. If you cannot locate
your Reseller: +86 (10) 5884 4200
Latin America +1-858-458-2940
and Caribbean

For telephone requests, please have ready:

 Websense subscription key
 Access to the Websense management console.
 Access to the machine running reporting tools and the database server
 Familiarity with your network’s architecture, or access to a specialist

8  Websense TRITON Unified Security Center

2 Configuring TRITON
Settings

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

The TRITON Unified Security Center helps you manage Web, data, and email
security configuration, policies, and reporting from a central management console.
To facilitate this centralized management, Global Security Administrators (including
the default admin account) can use TRITON Settings create and configure
administrator accounts with:
 Full management access to all TRITON modules
 Full management access to a single TRITON module
 Limited access (for example, reporting-only access) to one or more TRITON
modules
See Introducing administrators, page 13.

Note
When you make changes to TRITON settings, it can take
between 30 and 90 seconds for the changes to propagate to
other TRITON modules. For example, if you create an
administrator for TRITON - Data Security, it may take a
minute or two for that administrator to appear in the Data
Security module.

TRITON Settings can also be used to:

 View account information and change passwords. See Viewing your account
information, page 10.
 Set up a connection to a directory service to allow administrators to use their
network accounts to log on to the TRITON console. See Setting user directory
information, page 10.
 Configure a connection to an SMTP server so that administrators can receive
email notifications when they are granted access to the TRITON console or when
their account changes. This also allows administrators to request a password reset,
when needed. See Setting email notifications, page 23.
 Configure two-factor authentication for administrators. See Configuring
certificate authentication, page 25.

TRITON Unified Security Center Help  9

Configuring TRITON Settings

 Audit administrator logon attempts and changes to TRITON Settings. See Audit
log, page 28.

Viewing your account information

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Use the TRITON Settings > My Account page to view permissions information for
your account, and to select a preferred language for viewing Help information.
If you have been assigned a local user name and password for the TRITON console,
you can also change your password on this page.
If you log on to the TRITON console with network credentials, password changes are
handled through your network directory service. Contact your system administrator
for assistance.
The permissions allocated to your account are shown in the toolbar above the page:
 Global Security Administrator means you have full access to all TRITON console
settings and all policy, reporting, and configuration settings in all of the modules
that are part of your subscription. See Global Security Administrator, page 13.
 If you do not have Global Security Administrator permissions, the TRITON
modules you can access and manage are listed.
To change your password:
1. Enter your Current password.
2. Enter and confirm a New password.
 The password must be between 4 and 40 characters.
 Strong passwords are recommended: 8 characters or longer, including at least
one uppercase letter, lowercase letter, number, and special character (such as
hyphen, underscore, or blank).
3. Click OK to save your changes.
To select a language other than English as your preferred Help language, select an
entry in the Language drop-down list. Note that not all Help pages are available in all
languages. If a particular Help page is not available in the selected language, the
English page is displayed.

Setting user directory information

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Use the TRITON Settings > User Directory page to configure directory
communication for administrators using their network accounts. The same directory
must be used to authenticate all administrative users.

10  Websense TRITON Unified Security Center

 Configuring TRITON Settings

 A user directory stores information about a network’s users and resources.

 To allow administrators to use their network accounts to log on to the
TRITON Unified Security Center, you must configure the TRITON console to
retrieve information from your user directory.

Note
User directory configuration for administrators is
performed separately from directory service configuration
for end users. Set up end user directory service
configuration within each TRITON module.

The TRITON console can communicate with the following LDAP (Lightweight
Directory Access Protocol) directories:
 Windows Active Directory (Native Mode)
 Novell eDirectory
 Oracle Directory Service
 Lotus Notes/Domino
It can also communicate with other generic LDAP-based directories.
Note that:
 Duplicate user names are not supported in an LDAP-based directory service.
Ensure that the same user name does not appear in multiple domains.
 If you are using Windows Active Directory or Oracle Directory Service, user
names with blank passwords are not supported. Make sure that all users have
passwords assigned.
To enable administrators to log on to the TRITON console using a network account:
1. Select your user directory from the User directory server list.
2. Enter the IP address or host name to identify the directory server.
3. Enter the Port that Websense software should use to communicate with the
directory.
4. Specify the User distinguished name and Password for the administrative
account Websense software should use to retrieve user name and path information
from the directory.
 The account must be able to query and read from the directory, but does not
need to be able to make changes to the directory, or be a domain
administrator.
 Enter the account details as a single string in the User distinguished name
field. You can use the format “CN=user, DC=domain” or, if your organization
uses Active Directory, “domain\username”.
5. Click Test Connection to confirm that the directory exists at the specified IP
address or name and port number, and that the specified account can connect to it.

TRITON Unified Security Center Help  11

Configuring TRITON Settings

6. Enter the Root naming context that the TRITON console should use to search for
user information. This is required for generic LDAP directories, Lotus Notes/
Domino, and Oracle Directory Service, and optional for Active Directory and
Novell eDirectory. If you supply a value, it must be a valid context in your
domain.
If the Root naming context field is left blank, Websense software begins searching
at the top level of the directory service.

Note
Avoid having the same user name in multiple domains. If
Websense software finds duplicate account names for a
user, the user cannot be identified transparently.

7. If your LDAP schema includes nested groups, mark Perform additional nested
group search.
8. To encrypt communication with the directory service, mark Use SSL encryption.
9. If your directory service uses LDAP referrals, indicate whether Websense
software should follow the referrals.
10. If you have selected Generic Directory, also configure the following settings:
 Email attribute: The attribute name used to locate a user’s email address in
LDAP entries. The default is mail.
 User logon ID attribute: The attribute name used to locate a user’s logon ID
in LDAP entries.
 User logon filter: The filter to apply when searching for user details at logon.
This string must contain the %uid token, which is then replaced with the user
name entered by the user when logging on.
 User lookup filter: The filter used to find users for import on the Add
Network Account page. You can enter %query in this field as a placeholder,
and then click Refine search on the Add Network Account page to enter a
new context for finding network users.
 Group object class (optional): The LDAP object class that represents a
group. The default is group.
 Group Properties: Specify whether your directory schema uses the
memberOf attribute. If it does, in the Group attribute field enter the attribute
used to reference the groups that the user is a member of.
If it does not, in the User group filter field enter the query used to resolve
groups containing the specific user. You can enter %dn, which will be
replaced by the DN of the user.

12  Websense TRITON Unified Security Center

 Configuring TRITON Settings

11. Click OK.

Note
If you change your user directory settings at a later date,
existing administrators become invalid unless you are
pointing to an exact mirror of the user directory server. If
the new server is not a mirror, you may not be able to
distinguish between your new and existing users.

Introducing administrators

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Administrators can access the TRITON console to configure one or more security
solutions, manage policies, generate reports, or perform some combination of these
tasks. The specific permissions available depend on the type of administrator.
 Global Security Administrators have full access and management permissions in
all available TRITON modules. See Global Security Administrator, page 13.
 Other types of administrators have more restricted access to TRITON modules.
An administrator may be given permission to manage or audit one or more
TRITON modules using the same account. See TRITON administrators, page 14.
You can identify administrators using their network logon credentials, or you can
create accounts used only to access the TRITON console. See Adding a network
account, page 18, and Adding a local account, page 16.

Global Security Administrator

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

A default Global Security Administrator role is created during installation, and the
default user, admin, is assigned to this role. When you first log on with the password
set during installation, you have full administrative access to all configuration settings
in the TRITON console, and also the following permissions in the modules that are
part of your subscription:
 TRITON - Web Security: Added to the Super Administrator role with
unconditional permissions.
 TRITON - Data Security: Assigned Super Administrator permissions.
 TRITON - Email Security: Assigned Super Administrator permissions.
You also have full permissions to manage and transparently log on to all appliances
registered with this instance of the TRITON console.
The permissions given to a Global Security Administrator within the individual
TRITON modules cannot be modified.

TRITON Unified Security Center Help  13

Configuring TRITON Settings

The admin account does not appear in the list of administrators for the Super
Administrator role. It cannot be deleted, and its permissions cannot be modified.
You can add further Global Security Administrators as needed. Creating multiple
Global Security Administrators ensures that if the primary Global Security
Administrator is not available, another administrator has access to all Websense policy
and configuration settings.

TRITON administrators
TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

TRITON administrators are given access to one or more TRITON modules (Web
Security, Data Security, Email Security). They can also be granted access to the
Mobile Security portal, one or more appliances registered to the TRITON console, and
one or more Content Gateway Manager instances.
Administrators can be given access to one or more modules, or access and account
management permissions. The permissions these administrators have in each module
depend on how administrators are configured within the module. By default the
following permissions are allocated:
 TRITON - Web Security
 Access: the administrator is not added to any roles, and can only access the
Status > Dashboard and Status > Alerts pages.
 Access and account management: the administrator is added to the Super
Administrator role with unconditional permissions.
Administrator permissions can be changed in TRITON - Web Security on the
Policy Management > Delegated Administration page.
 TRITON - Data Security
 All options: the administrator is assigned the Default access role, with access
to the Incidents & Reports, Today, and My Settings pages.
Administrator permissions can be changed in TRITON - Data Security on the
Settings > General > Authorization > Administrators, and Settings >
General > Authorization > Roles pages.
 TRITON - Email Security
 Access: the administrator is assigned the default Reporting permissions.
 Access and account management: the administrator is assigned Super
Administrator permissions by default.
Administrator permissions can be changed in TRITON - Email Security on the
Settings > General > Administrator Accounts page.
For appliances, administrators can be given full access or limited access to the
appliances registered in the TRITON console.
 Full access enables the administrator to register and unregister appliances, and to
access appliances directly from the TRITON console. Access is via single sign-on
if configured (see Configuring an existing appliance for single sign-on, page 32).

14  Websense TRITON Unified Security Center

 Configuring TRITON Settings

 Limited access enables the administrator to access appliances, but not register or
unregister them. Access can be to all appliances, including those added
subsequently, or to specifically selected appliances.
Administrators with account management permissions can also edit and delete other
administrators in the TRITON console, subject to the limitations of the permissions
they have been allocated.
Administrators who log on to the TRITON console with a local user account can also
change their own TRITON password (see Viewing your account information, page
10).
Once shared administrator accounts have been configured, an administrator logged on
to one TRITON module (for example, TRITON - Web Security) can use the TRITON
toolbar to switch to a different module (Data Security or Email Security) without
needing to log on a second time.

Enabling access to the TRITON console

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Use the TRITON Settings > Administrators page to create and manage the accounts
that administrators use to access the TRITON console.

Note
This page is available only to Global Security
Administrators and administrators that have permission to
manage at least one TRITON module.

In deployments that include a combination of Websense web, email, and data security
solutions, administrator accounts can be given individual or joint access to the
available TRITON modules.
Next to the User Name column, the Type column displays the type of each
administrator account:
 Local accounts are created specifically for use within the TRITON console.
 Network accounts are accounts from a supported directory service that have been
granted access to the TRITON console (see Setting email notifications, page 23).
To add an account, click either Add Local Account or Add Network Account (see
Adding a local account, page 16, and Adding a network account, page 18).
If an administrator account has an exclamation mark icon next to the name on this
page, it is due to one or both of the following:
 The account does not have an email address associated with it. This means the
administrator will not receive notifications of password changes or permission
updates. Edit the administrator details to add an email address.

TRITON Unified Security Center Help  15

Configuring TRITON Settings

 The administrator permissions have been imported from Websense Data Security
version 7.5 and Websense Web Security Gateway version 7.5 and unified within
the TRITON console.
For example, if in v7.5 you had an administrator with Data Security Super
Administrator permissions and Web Security Full Reporting permissions, that
administrator is imported into the TRITON console with the following
permissions:
 Data Security: access and account management permissions
 Web Security: access only
 Email Security: no access
You must edit the administrator account and confirm or change the allocated
permissions. The administrator will not be able to log on until you do this.
If you are viewing this page as a TRITON administrator with permission to manage at
least one TRITON module, you can manage and delete only administrator accounts
for those modules.
Global Security Administrators can manage and delete any existing accounts. To
delete an account, mark the check box next to the account name and click Delete.

Important
If you delete an administrator account, actions performed
by this administrator will no longer appear in the Data
Security incident history. To preserve administrator
actions, it is recommended that you do not delete the
account, but instead limit the administrator’s role in
TRITON - Data Security.

Adding a local account

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Related topics:
 Enabling access to the TRITON console, page 15
 Adding a network account, page 18
 Editing a local account, page 20

Use the TRITON Settings > Administrators > Add Local Account page to add
Websense user accounts.
1. Enter a unique User name, up to 50 characters.
 The name must be between 1 and 50 characters long, and cannot include any
of the following characters:
* < > ' ‘ { } ~ ! $ % & @ # . " | \ & + = ? / ; : , ^ ( )

16  Websense TRITON Unified Security Center

 Configuring TRITON Settings

 User names can include spaces and dashes.

2. Enter a valid Email address for the user.
This email address is used to send account information to the new administrator.
3. Enter and confirm a Password (4-255 characters) for this user.
Strong passwords are recommended: 8 characters or longer, including at least one
each of the following:
 uppercase letter
 lowercase letter
 number
 special character (such as hyphen, underscore, or blank)

Note
If two-factor authentication is enabled and password
authentication is disabled on the TRITON Settings >
Certificate Authentication page, password logon is not
available for the local account.

4. If two-factor authentication is enabled on the TRITON Settings > Certificate

Authentication page:
a. Click Certificate Authentication.
b. Browse to the location of the certificate to use for administrator authentication
for this account.
c. Click Upload Certificate.
For more information, see Configuring certificate authentication, page 25.
5. To create an administrator with full permissions across the TRITON console and
all of the modules and appliances in your subscription, select Global Security
Administrator.

Note
Only Global Security Administrators can create other
Global Security Administrators.

6. To send account information and access instructions to the new administrator via
email, mark Notify administrator of the new account via email.
To send administrator emails, you must set up SMTP details on the Notifications
page. You can also customize the contents of the email message on the
Notifications page (see Setting email notifications, page 23).
7. To require the administrator to change the account password the first time he or
she logs on to the TRITON console, mark Force administrator to create a new
password at logon.
8. If this account is not a Global Security Administrator, under Module Access
Permissions, select the permissions you want to give to the new administrator.

TRITON Unified Security Center Help  17

Configuring TRITON Settings

 Choose a setting under each of the available options (Web Security, Data
Security, Email Security) to give the new administrator permissions to
manage one or more of the TRITON modules. The options available depend
on the modules in your subscription.
For each module, choose whether the new administrator has:
• no access to that module
• only access to the module
• both access and the ability to manage other administrators in that module.
For more information see TRITON administrators, page 14.

Note
You can assign access permissions only for the TRITON
modules where you have management permissions.

 If your deployment includes one or more appliances, you can grant the
administrator:
• no appliance access
• full access to all appliances
• limited access to appliances
If you select limited access, indicate whether the administrator can access all
appliances or only specified appliances.
9. When you are finished making changes, click OK.

Adding a network account

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Related topics:
 Setting email notifications, page 23
 Adding a local account, page 16
 Editing a network account, page 22

Use the TRITON Settings > Administrators > Add Network Account page to add
users defined in a supported directory service as TRITON administrators.
Enter keywords to search on in the Search field to find the accounts that you want to
add as TRITON administrators. Optionally, you can use the asterisk wildcard (*) as
part of your search.
By default, the search context for your search is the default domain context from the
Directory Service page (see Setting email notifications, page 23). You can edit this
context by clicking Refine search and entering a new search context in the field that
appears. You can revert to the default context by clicking Restore default.

18  Websense TRITON Unified Security Center

 Configuring TRITON Settings

If you are using Active Directory, for users the Email, Login Name, and Display
Name fields in your selected context are searched. If you are using Novell eDirectory,
Oracle Directory Service, or Lotus Notes/Domino, for users the Email, Display Name,
Username, and Common Name (CN) fields are searched. For all directory services,
the CN field is searched for groups.
The search results list both users and groups that match the specified keywords, and
display both user name and email address for the network account. To add a user or
group as an administrator, mark the check box next to the account name, and then
click the right arrow (>) to add the account to the Selected accounts list.
To delete a user from the Selected accounts list, mark the check box next to the
account name, and then click the left arrow (<).
If two-factor authentication is enabled on the TRITON Settings > Certificate
Authentication page (see Configuring certificate authentication, page 25), click
Certificate Authentication to upload or import the certificate used to authenticate the
selected administrators during TRITON console logon.
 Click Import from LDAP to import the certificate from your user directory.
 Click Upload Certificate to browse to the location of the certificate and upload it.
When the certificate has been imported or uploaded successfully, the certificate name,
expiration date, issuer, and source information are displayed in the Certificate
Authentication area of the page.
Once you have added one or more accounts to the Selected accounts list, indicate
whether to Notify administrator of the new account via email. To send
administrator emails, you must set up SMTP details on the Notifications page. You
can also customize the contents of the email message on the Notifications page (see
Setting email notifications, page 23).
Next, select the access permissions you want to give to the new administrators.
 Select Global Security Administrator to create an administrator with full
permissions across the TRITON console and all of the modules and appliances in
your subscription.

Note
Only Global Security Administrators can create other
Global Security Administrators.

 If the accounts are not Global Security Administrators, under Module Access
Permissions, select the permissions you want to give to the new administrators.
 Choose a setting under each of the available options (Web Security, Data
Security, Email Security) to give the new administrator permissions to
manage one or more of the TRITON modules. The options available depend
on the modules in your subscription.
For each module, choose whether the new administrator has:
• no access to that module

TRITON Unified Security Center Help  19

Configuring TRITON Settings

• only access to the module

• both access and the ability to manage other administrators in that module.
For more information see TRITON administrators, page 14.

Note
You can assign access permissions only for the TRITON
modules where you have management permissions.

 If you have one or more appliances as part of your subscription, choose

whether the new administrator has:
 If your deployment includes one or more appliances, you can grant the
administrator:
• no appliance access
• full access to all appliances
• limited access to appliances
If you select limited access, indicate whether the administrator can access all
appliances or only specified appliances.
When you are done selecting administrator accounts, click OK.

Editing a local account

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7
Use the TRITON Settings > Administrators > Edit Local Account page to edit
existing Websense user accounts.
1. To change the User name, enter a unique name up to 50 characters.
 The name must be between 1 and 50 characters long, and cannot include any
of the following characters:
* < > ' { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,
 User names can include spaces and dashes.
2. To change the administrator Email address, enter a valid address for the user.
This email address is used to send account information to the administrator.
3. To reset the administrator’s Password, enter and confirm a password (4-255
characters).
Strong passwords are recommended: 8 characters or longer, including at least one
each of the following:
 uppercase letter
 lowercase letter
 number

20  Websense TRITON Unified Security Center

 Configuring TRITON Settings

 special character (such as hyphen, underscore, or blank)

Note
If two-factor authentication is enabled and password
authentication is disabled on the TRITON Settings >
Certificate Authentication page, password logon is not
available for the local account.

4. If two-factor authentication is enabled on the TRITON Settings > Certificate

Authentication page:
a. Click Certificate Authentication.
b. Browse to the location of the certificate that the administrator will
authenticate against when logging on to the TRITON console.
c. Click Upload Certificate.
For more information, see Configuring certificate authentication, page 25.
5. To give the administrator full permissions across the TRITON console and all of
the modules and appliances in your subscription, select Global Security
Administrator.

Note
Only Global Security Administrators can create other
Global Security Administrators.

6. To send account update information to the administrator via email, mark Notify
administrator of the account changes via email.
7. To require the administrator to change the account password the next time he or
she logs on to the TRITON console, mark Force administrator to create a new
password at logon.
8. If this is not a Global Security Administrator account, use the Module Access
Permissions options to update permissions for the administrator.
 Choose a setting under each of the available options (Web Security, Data
Security, Email Security) to give the administrator permissions to manage
one or more of the TRITON modules. The options available depend on the
modules in your subscription.
For each module, choose whether the administrator has:
• no access to that module
• only access to the module
• both access and the ability to manage other administrators in that module.
For more information see TRITON administrators, page 14.

Note
You can assign access permissions only for the TRITON
modules where you have management permissions.

TRITON Unified Security Center Help  21

Configuring TRITON Settings

 If your deployment includes one or more appliances, you can grant the
administrator:
• no appliance access
• full access to all appliances
• limited access to appliances
If you select limited access, indicate whether the administrator can access all
appliances or only specified appliances.
9. When you are finished making changes, click OK.

Editing a network account

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Use the TRITON Settings > Administrators > Edit Network Account page to edit
the access and authentication permissions and for existing network accounts.
If two-factor authentication is enabled on the TRITON Settings > Certificate
Authentication page (see Configuring certificate authentication, page 25), click
Certificate Authentication to upload or import the certificate that the administrators
will authenticate against when logging on to the TRITON console.
 Click Import from LDAP to import the certificate from your user directory.
 Click Upload Certificate to browse to the location of the certificate and upload it.
When the certificate has been imported or uploaded successfully, the certificate name,
expiration date, issuer, and source information are displayed in the Certificate
Authentication area of the page. Click Import New from LDAP to import a new
certificate from your user directory, replacing the existing certificate.
Click Remove Certificate to delete the certificate from this network account. If you
remove the certificate, this network account cannot use two-factor authentication.
To change the access permissions for the network account:
 Select Global Security Administrator to give the administrator full permissions
across the TRITON console and all of the modules and appliances in your
subscription.

Note
Only Global Security Administrators can create other
Global Security Administrators.

 If this is not a Global Security Administrator account, use the Module Access
Permissions options to update permissions for the administrator.
 Choose a setting under each of the available options (Web Security, Data
Security, Email Security) to give the administrator permissions to manage
one or more of the TRITON modules. The options available depend on the
modules in your subscription.
For each module, choose whether the administrator has:

22  Websense TRITON Unified Security Center

 Configuring TRITON Settings

• no access to that module

• only access to the module
• both access and the ability to manage other administrators in that module.
For more information see TRITON administrators, page 14.

Note
You can assign access permissions only for the TRITON
modules where you have management permissions.

 If your deployment includes one or more appliances, you can grant the
administrator:
• no appliance access
• full access to all appliances
• limited access to appliances
If you select limited access, indicate whether the administrator can access all
appliances or only specified appliances.
When you are done editing administrator permissions, click OK.

Setting email notifications

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Use the TRITON Settings > Notifications page to set up the SMTP server used for
all email notifications from the TRITON console, and to configure the notification
email messages sent to administrators.

Note
This page can be viewed and edited only by Global
Security Administrators.

First, establish a connection with your SMTP server so that email notifications can be
sent:
1. Enter the IP address or host name and Port of the SMTP server machine.
2. Enter the Sender email address to use in notifications.
3. Enter a Sender name to appear with the From email address. This is useful to
make it clear to administrators that the email is related to the TRITON console.
Next, review the templates used for administrator notifications. There are 3 available
templates:
 New Account: Notifies an administrator of their new TRITON account. Typically,
this template includes the new logon name and password, and a summary of the
permissions allocated to the administrator.

TRITON Unified Security Center Help  23

Configuring TRITON Settings

 Edit Account: Notifies an administrator of any changes to their TRITON account.

Typically, this includes any information that might be changed and would need to
be communicated to the administrator, such as their logon name, password, and
permissions.
 Forgot Your Password: Confirms to an administrator who has clicked the
“Forgot Your Password” link on the TRITON logon page that their password has
been reset. Typically, this includes the temporary password and expiration details
for that password.
Each template contains default text that you can use or modify, and includes some
available variables. At the time the email is sent to the administrator, these variables
are replaced either with user-specific data or with values configured elsewhere in the
system. Variables are always surrounded by percentage symbols, such as
%Username%.
To modify a notification message:
1. Select one of the Email Notification Templates tabs: New Account, Edit Account,
or Forgot Your Password.
2. Enter a suitable subject header for the email message. For example, for a new
account, you might use “Welcome to Websense TRITON” or “Your new TRITON
console account.”
3. Modify the message body as required. To add a variable, click Insert Variable
and select from the drop-down list:

Variable Description
%TRITON URL% The URL used to access the TRITON console.
%Username% The administrator’s TRITON username.
%Password% The administrator’s TRITON password.
This may be the temporary password assigned to an
administrator who used the “Forgot Your Password” link.
This password is valid for 30 minutes; an administrator
logging on during that time is prompted to enter a new
password.
%Permissions% The permissions allocated to the administrator.

Note
If you are using all or part of the default notification text,
you can only include variables at the end of the default
message.

4. To return to the default notification text at any time, click Restore Default, then
click OK to confirm.

24  Websense TRITON Unified Security Center

 Configuring TRITON Settings

Configuring certificate authentication

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Use the TRITON Settings > Certificate Authentication page to manage the use of
two-factor authentication for administrator logons.

Note
Only Global Security Administrators can access this page.

Two-factor authentication requires administrators to provide 2 forms of identification

when logging on to the TRITON console (see How does certificate authentication
work?, page 26).
TRITON administrators can be granted single sign-on access to other Websense
management consoles (Appliance Manager and Content Gateway Manager). To use
this functionality with two-factor authentication:
 Appliance Manager: Set up single sign-on permissions for administrator
accounts (see Configuring an existing appliance for single sign-on, page 32).
 Content Gateway Manager: Disable password authentication for Content
Gateway Manager (see “Configuring Content Gateway for two-factor
authentication” in the Content Gateway Help).
To set up TRITON console certificate authentication:
1. Mark Authenticate administrators using two-factor authentication.
2. To enable attribute matching, mark Use attribute matching as a fallback
method and select whether it applies to all administrators, or only administrators
without certificates in the TRITON console.
To configure the attributes used for matching, click Configure Attribute
Matching, then see Setting up attribute matching, page 27.
3. To import certificates from your user directory for network administrators, click
Import Administrator Certificates.
When certificates are successfully imported, a success message is displayed at the
top of the page. If any of the certificates are not imported correctly, you can
upload a certificate for each network administrator on the TRITON Settings >
Administrators > Edit Network Account page.
4. Click Add under Root Certificates to add a root certificate for signature
verification. There must be at least one root certificate in the TRITON console for
two-factor authentication to operate.
5. Browse to the location of the root certificate file, then click Upload Certificate.
6. Whenever you add or change a root certificate, you must create a new master
certificate file and copy that file to the Websense TRITON Web Server service.
Click Create Master Certificate File to create the new file, then see Deploying
the master certificate file, page 27 for further information.

TRITON Unified Security Center Help  25

Configuring TRITON Settings

7. To enable password authentication as a fallback method, mark Allow password

authentication to log on to the TRITON console and select whether it applies to
all administrators, or only administrators without certificates in the TRITON
console.

Note
The admin account created during installation can always
log on from the TRITON Management Server machine
using password-based authentication.

8. Click OK.

How does certificate authentication work?

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

When you enable two-factor authentication on the Certificate Authentication page, the
logon process for an administrator accessing the TRITON console URL is as follows:
 The TRITON console detects whether a client certificate is installed. If more than
one certificate is available, the administrator is asked to select the certificate that
allows access to the console.
 The administrator provides their two-factor authentication credentials as defined
by your organization. For example, this could be through the use of the Common
Access Card (CAC) and a card reader.
 After successful authentication, the TRITON console receives the client
certificate and checks that it matches the signature in the uploaded root CA
certificates. If the signature matches, the TRITON console checks for a full match
with the certificates that you have either uploaded to the TRITON console, or
imported from your user directory. If a match is found, the administrator
associated with the two-factor authentication credentials is logged on to the
console.
 If no certificate match is found and you have set up attribute matching as a
fallback option, a check is performed to see if the client certificate contains a
property matching a specific LDAP attribute in your user directory. If a match is
found, the administrator associated with the two-factor authentication credentials
is logged on to the console.
If all configured certificate and attribute matching fails, or if the administrator does
not have a client certificate, you can allow password authentication as a fallback
option. If password authentication is disabled, administrators without matching
certificates cannot log on.

26  Websense TRITON Unified Security Center

 Configuring TRITON Settings

Deploying the master certificate file

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

When you create a new master certificate file following changes to your certificate
authentication root certificate, you must update the Websense TRITON Web Server
service with the new file. To do this:
1. Go to the directory where you installed TRITON Unified Security Center (by
default C:\Program Files (X86)\Websense), and access the EIP Infra directory.
2. Run the script file replace_2fa_certificate.bat.
The script file copies the new master certificate file that you have created to the
Websense TRITON Web Server service, and then restarts the service.

Setting up attribute matching

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Use the TRITON Settings > Certificate Authentication > Configure Attribute
Matching page to define the administrator LDAP property that matches against a
property in the certificate provided.
1. Under Administrator Property, select the property from your user directory that
will be used to match against the administrator’s certificate. This can be:
 The administrator Email address (local and network accounts)
 LDAP distinguished name (network accounts only)
 User name (local and network accounts)
 A Custom LDAP field (network accounts only)

Note
If you are using a generic LDAP user directory, you must
specify a custom field.

2. If you have defined a custom LDAP field, click Verify Administrator Property
to confirm that the property exists in your user directory. Select a network
administrator account to verify against.

Note
Verify Administrator Property is available only if you
have configured your user directory in the TRITON
console, and you have set up at least one network
administrator account.

When you save the settings on this page, the custom property is imported for all
applicable accounts (network only, or local and network accounts) in the TRITON
console. If you need to change this field at a later date, click Update Property to
import the new attribute matching value.

TRITON Unified Security Center Help  27

Configuring TRITON Settings

3. Under Certificate Property, select the property in the administrator’s logon

certificate to match against the LDAP property that you defined:
 The email (RFC822) attribute of the subjectAltName field. Select this if you
are matching against the administrator email address in your user directory
 The Subject distinguished name, which defines the entity associated with this
certificate
 The unique serial number for each certificate issued by a particular
Certification Authority (CA).
4. Click OK.
The properties that you selected are displayed in the Certificate Matching area on
the TRITON Settings > Certificate Authentication page.

Audit log

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Use the TRITON Settings > Audit Log page to view actions performed by
administrators in the system.

Note
Only Global Security Administrators can access this page.

By default, the displayed actions are sorted by date and time. If a filter is used, the
number of displayed actions is shown at the top of the list.

Column Description
ID ID number of the action. You can quickly jump to an Audit Log action
by entering the ID number in the Find ID field and clicking Find.
Date & Time Date and time the action occurred.
Administrator Name and user name of the administrator that initiated the action in the
TRITON console.
Role Role of the administrator.
Action Performed Details of the action. This column may contain variables that are filled
in by the system, for example a logon user name.

28  Websense TRITON Unified Security Center

3 Accessing Appliances
TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Websense, Inc., offers security appliances with an operating system optimized for
analyzing Web and email traffic and content. If you have purchased an appliance-
based solution, the TRITON console enables you to view details of and easily access
multiple appliances.
For more information, see:
 Managing appliances, page 29
 Registering an appliance, page 30
 Editing appliance details, page 31
 Configuring an existing appliance for single sign-on, page 32

Managing appliances

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Use the Appliances > Manage Appliances page to review the Websense appliances
registered (associated) with this TRITON console, register additional appliances, or
unregister an appliance.
The following information is displayed for each registered appliance:
 IP address for interface C on the appliance
 Appliance hostname
 Security mode: Web Security, Email Security, or Web Security and Email Security
 Policy source mode (applies only to appliances that include Web Security): full
policy source, user directory and filtering, or filtering only
 Description (can be edited on the System page in Appliance Manager)
 Websense software version (for example, 7.7.0)
 Hardware platform (for example, V5000 or V10000 G2)
Click the arrow next to the appliance IP address to expand the appliance information
and see these details. Use the Expand All and Collapse All buttons to expand or
collapse all appliance information.

TRITON Unified Security Center Help  29

Accessing Appliances

If the details for an appliance include a Single Sign-On button, you can access that
appliance without providing further logon credentials.
 To register an appliance with the TRITON console, see Registering an appliance,
page 30. New appliances can be configured for single sign-on when you add them
to the TRITON console.
 To configure an existing appliance (for example, an appliance upgraded from a
previous version) for single sign-on, see Configuring an existing appliance for
single sign-on, page 32.
 To access an appliance that is not configured for single-sign on, click the
appliance’s IP address. This opens a logon page in a new browser. Enter your
Appliance Manager logon credentials.

Registering an appliance
TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

To register a new appliance with the TRITON console:

1. Click Register Appliance.
2. Enter the IP address for network interface C on the appliance.
3. To configure single sign-on from this TRITON console to the appliance, mark
Enable single sign-on from the TRITON console.
4. Enter the administrator password for the appliance.
5. To specify TRITON administrators who have single sign-on permissions for this
appliance, click User Permissions.
6. To give an administrator single sign-on permissions, mark the check box next to
the user name in the Available users list, and then click the right arrow (>) to add
the administrator to the Users with access list.

Note
Global Security Administrators and administrators with
full appliance access are greyed out in the Users with
access list, because they have single sign-on access by
default, and this cannot be changed.

7. Click Save.
If successful, an Appliance Details popup appears confirming the appliance has
been added to the TRITON console, and displaying information retrieved from the
appliance.
An appliance can only be configured for single sign-on from one TRITON
Management Server. If another TRITON instance has already registered an
appliance with single sign-on, an error message appears. Select Transfer
registration to transfer the single sign-on to this instance of the TRITON console,
or select Register without Single Sign-On to register the appliance and preserve
single sign-on configuration on the other TRITON Management Server.

30  Websense TRITON Unified Security Center

 Accessing Appliances

8. To add further appliances, click Add Another Appliance and repeat steps 2 to 7
above. If you are finished adding appliances, click Done.
If the TRITON console cannot connect to the IP address that you enter, ensure:
 The IP address you entered is the correct one for the appliance’s C interface
 The appliance and appliance manager are both running
 The system clock on the TRITON console machine matches the clock on the
appliance to within 1 minute
To refresh the information for an appliance, expand the appliance information and
click Refresh Details. To refresh all of the appliance information on this page, click
Refresh All Appliances.
To remove an appliance from the list, expand the appliance information and click
Unregister, then click Yes to confirm.

Editing appliance details

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

To edit an appliance’s IP address:

1. Click the arrow next to the current appliance IP address to expand the appliance
information.
2. Click the icon to the right of the current IP address.
3. Enter the new IP address for network interface C on the appliance.
4. Click Save.
If the TRITON console cannot connect to the IP address that you enter, ensure:
 The IP address you entered is the correct one for the appliance’s C interface
 The appliance and appliance manager are both running
 The system clock on the TRITON console machine matches the clock on the
appliance to within 1 minute
To change the list of administrators who can access the appliance with single sign-on:
1. Click the arrow next to the current appliance IP address to expand the appliance
information.
2. Click the Edit single sign-on user permissions icon in the top right corner of the
appliance information pane.
3. To give an administrator single sign-on permissions, mark the check box next to
the user name in the Available users list, and then click the right arrow (>) to add
the administrator to the Users with access list.

TRITON Unified Security Center Help  31

Accessing Appliances

4. To remove single sign-on permissions from an administrator, mark the check box
next to the user name in the Users with access list, and then click the left arrow (<)
to add the administrator to the Available users list.

Note
Global Security Administrators and administrators with
full appliance access are greyed out in the Users with
access list, because they have single sign-on access by
default, and this cannot be changed.

5. Click Save.

Configuring an existing appliance for single sign-on

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7
1. Click Configure single sign-on for the appliance you want to edit.
2. Mark Enable single sign-on from the TRITON console.
3. Enter the administrator password for the appliance.
4. To specify TRITON administrators who have single sign-on permissions for this
appliance, click User Permissions.
5. To give an administrator single sign-on permissions, mark the check box next to
the user name in the Available users list, and then click the right arrow (>) to add
the administrator to the Users with access list.

Note
Global Security Administrators and administrators with
full appliance access are greyed out in the Users with
access list, because they have single sign-on access by
default, and this cannot be changed.

6. Click Save.
An appliance can only be configured for single sign-on from one TRITON
Management Server. If another TRITON instance has already registered an appliance
with single sign-on, an error message appears. Select Transfer registration to
transfer the single sign-on to this instance of the TRITON console, or select Register
without Single Sign-On to register the appliance and preserve single sign-on
configuration on the other TRITON Management Server.

32  Websense TRITON Unified Security Center

4 Backup and Restore of
TRITON Data

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

You can back up your TRITON Unified Security Center settings and system data on
your TRITON Management Server machine, and revert to a previous configuration if
required. Data saved by the backup process can also be used to import Websense
configuration information after an upgrade, and to transfer configuration settings to a
different TRITON Management Server machine.

Important
Make sure that all administrators log off of the
TRITON Unified Security Center before you back up or
restore your configuration.

The backup process saves:

 Global configuration and infrastructure information, including administrator and
appliance data, stored in the TRITON Settings Database.
 Certificate files required for the TRITON browser components.
The backup process works as follows:
1. You initiate an immediate backup (see Running immediate backups, page 35) or
define a backup schedule (see Scheduling TRITON infrastructure backups, page
34).
 Manually launch a backup at any time.
 Backup files are stored in the C:\EIPBackup directory by default. To change
the backup file location, see Changing backup settings, page 36.
2. The backup process checks all Websense components on the machine, collects the
data eligible for backup, and creates a new folder in the EIPBackup directory with
the format:
mm-dd-yyyy-hh-mm-ss-PP
This format represents the date and time of the backup, for example:
02-10-2011-10-45-30-PM
Each backup folder contains a number of files, including:
 EIP.db: a standard PostgreSQL backup file.

TRITON Unified Security Center Help  33

Backup and Restore of TRITON Data

 httpd-data.txt: contains embedded certificate information and encryption keys

 backup.txt: created if the backup completes successfully
 DataBackup.log: a detailed log file containing information generated during
backup
These files should be part of your organization’s regular backup procedures.
To check that a backup completed successfully, navigate to the C:\Program Files
(X86)\Websense\EIP Infra directory and open the EIPBackup.log file in a text
editor such as Notepad. The log information should look similar to this:
2/15/2011 2:27:42 AM --- Backing up to: C:\EIPBackup\2-15-
2011-2-27-42-AM
2/15/2011 2:27:42 AM --- Backing Up Certificates ...
2/15/2011 2:27:42 AM --- Backing Up PostgreSQL ...
2/15/2011 2:27:42 AM *** BACKUP FINISHED ***

Each TRITON module has its own backup and restore process for the module system
settings:
 For TRITON - Data Security, see Backing up the system in TRITON - Data
Security Help.
 For TRITON - Email Security, see Backing up and restoring management server
settings in TRITON - Email Security Help.
 For TRITON - Web Security, see Backing up and restoring your Websense data
in TRITON - Web Security Help.
You should run TRITON infrastructure backups in synchronization with TRITON -
Web Security backups. See Synchronizing TRITON infrastructure and TRITON - Web
Security backups, page 37.

Scheduling TRITON infrastructure backups

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

When you installed the TRITON Unified Security Center, a scheduled task for
backups was created. By default this task is disabled.
Notify Websense administrators of the backup schedule, so that they can be sure to log
off of the TRITON Unified Security Center during the backup process.
All backups are “hot”—that is, they do not interfere with system operation. However,
Websense recommends that you schedule backups when the system isn’t under
significant load.
To schedule backups on Windows Server 2008:
1. On the TRITON Management Server, go to Start > Administrative Tools > Task
Scheduler.
2. In the Task Scheduler window, select Task Scheduler Library.

34  Websense TRITON Unified Security Center

 Backup and Restore of TRITON Data

3. Right-click the Triton Backup task and select Enable.

4. Right-click Triton Backup again and select Properties.
5. Select the Triggers tab.
6. Click Edit, and edit the schedule as required. By default, the task is scheduled to
run weekly on Saturdays at midnight.
7. Click OK twice.
8. If requested, enter your administrator password for the TRITON Management
Server machine to confirm the changes to the task.

Running immediate backups

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

Before running a manual backup, make sure that all administrators are logged out of
the TRITON Unified Security Center.
To launch an immediate backup:
1. On the TRITON Management Server, go to Start > Administrative Tools > Task
Scheduler.
2. In the Task Scheduler window, select Task Scheduler Library.
3. If the Triton Backup task is disabled, right-click the task and select Enable.
4. Right-click the Triton Backup task and select Run.

Restoring TRITON infrastructure backup data

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

You can activate the restore operation from the TRITON Infrastructure Modify
wizard. Make sure that all administrators are logged off of the TRITON Unified
Security Center.
Before starting the restore process, it is recommended that you stop the TRITON
Unified Security Center service.
To restore TRITON infrastructure data:
1. On the TRITON Management Server, go to Start > Administrative Tools >
Services.
2. Right-click the Websense TRITON Unified Security Center service and select
Stop.
3. Open the Windows Control Panel and select Programs > Programs and
Features.
4. Select Websense TRITON Infrastructure.
5. Click Uninstall/Change.

TRITON Unified Security Center Help  35

Backup and Restore of TRITON Data

6. When asked if you want to add, remove, or modify the TRITON Infrastructure,
select Modify.
7. Click Next until you get to the Restore Data from Backup screen.
8. Select Use backup data, then click Browse to locate the backup folder.
9. Click Next until you begin the restore process.
10. Click Finish to complete the restore wizard.
11. Go back to the Services window and click Refresh. If the Websense TRITON
Unified Security Center service has not restarted, right-click it and select Start.
Once the restore process is complete, a file named DataRestore.log is created in the
date-stamped backup folder that was used for the restore.

Changing backup settings

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

When you run your first backup, an EIPBackup directory is created to contain the
date-stamped folders for each set of backup files. By default this directory is created in
C:\. You can change this location, and also define how many old backups are kept in
the backup directory.
To change the settings for the backup files:
1. On the TRITON Management Server, navigate to the C:\Program Files
(X86)\Websense\EIP Infra directory.
2. Open EIPBackup.xml in a text editor such as Notepad.
This file contains the following parameters:

Parameter Description
NUM_OF_COPIES The number of old backups to store in the backup
directory. Defaults to 5.
PATH The location of the EIPBackup directory. Defaults to
C:\.
DOMAIN Only required if the <PATH> parameter is set to access
a remote machine and you need to supply credentials in
the form domain\user to write to the location. Leave this
field blank if you have defined a path on the local
machine, or if you have entered credentials in
<USER_NAME>.

36  Websense TRITON Unified Security Center

 Backup and Restore of TRITON Data

Parameter Description
USER_NAME Only required if the <PATH> parameter is set to access
a remote machine and you need to supply a user name to
write to the location. Leave this field blank if you have
defined a path on the local machine, or if you have
entered credentials in <DOMAIN>.
PASSWORD Only required if the <PATH> parameter is set to access
a remote machine and you have entered credentials in
either <DOMAIN> or <USER_NAME>. Passwords are
stored as plain text.

3. Edit the <NUM_OF_COPIES> parameter to specify the number of old backups

that should be kept. Once this number is reached, the oldest backup is deleted
when the next backup is run.
4. Edit the <PATH> parameter to define the location of the backup files. The location
must exist already as the backup process will not create it. For example, if you set
the parameter to a location on the TRITON Management Server machine, such as:
<PATH>D:\TRITON\Backups</PATH>
the backup files will be stored in D:\TRITON\Backups\EIPBackup.
You can also set the location to be another machine on your network, for example:
<PATH>//server01/backups</PATH>
If you do this, you may also need to enter credentials for access to the remote
machine in the <USER_NAME> or <DOMAIN>, and <PASSWORD>
parameters. This is not recommended as the password is stored as plain text and
could therefore be accessed by other users. Instead, it is recommended that you
store the backups in a location to which you have write access without needing
credentials.

Note
If you change the location of the backup files, older
backup files are deleted only from the new location.
Manage backup files in any previously-defined locations
manually.

5. Save the file when done. Changes take effect when the next backup is run.

Synchronizing TRITON infrastructure and TRITON - Web

Security backups

TRITON Console Help | Web, Data, and Email Security Solutions | v7.7

If you have the TRITON - Web Security module, administrator information, including
permissions and local administrators’ passwords, is stored in both the TRITON
Settings Database and the TRITON - Web Security Policy Database. This is because

TRITON Unified Security Center Help  37

Backup and Restore of TRITON Data

the administrators defined on the TRITON Settings > Administrators page can then
be assigned roles in TRITON - Web Security, and different privileges within those
roles.
To ensure that this information is kept in sync, always back up and restore TRITON -
Web Security and the TRITON infrastructure at the same time. The steps in this
section describe the TRITON infrastructure backup followed by the TRITON - Web
Security backup; however, the order in which you run the two processes does not
matter, as long as there are no changes made in the TRITON Unified Security Center
for the duration of both backups.
To run a combined TRITON - Web Security and TRITON Infrastructure manual
backup:
1. Follow the instructions in Running immediate backups, page 35.
2. Open a command prompt and navigate to the Websense bin directory (by default
C:\Program Files (X86)\Websense\Web Security\bin).
3. Enter the following command:
wsbackup -b -d <directory>
Here, directory indicates the destination directory for the TRITON - Web Security
backup archive.
To schedule a combined TRITON - Web Security and TRITON Infrastructure backup,
set the schedule time and frequency to ensure the backups are always synchronized.
Follow the instructions in Scheduling TRITON infrastructure backups, page 34, then
see “Scheduling backups” in TRITON - Web Security Help.
To run a combined TRITON - Web Security and TRITON Infrastructure restore:
1. On the TRITON Management Server, go to Start > Administrative Tools >
Services.
2. Right-click the Websense TRITON Unified Security Center service and select
Stop.
3. Right-click the Websense TRITON - Web Security service and select Stop.
4. Follow the TRITON Infrastructure restore process in Restoring TRITON
infrastructure backup data, page 35.
5. Run the backup utility in restore mode, as described in “Restoring your Websense
data” in TRITON - Web Security Help. Ensure the backup file you specify has the
same date as the TRITON infrastructure backup file.
6. Go back to the Services window and click Refresh. If the TRITON - Web
Security service has not restarted, right-click it and select Start.

38  Websense TRITON Unified Security Center

 Index
A synchronizing with TRITON - Web Security, 38
accessing TRITON Unified Security Center, 2
account information
C
configuring, 10 Certificate Authentication
account permissions configuring, 25
viewing, 10 certificate error, 4
Add Local Account page, 16 changing password, 10
Add Network Account page, 18 contacting technical support, 7
adding an appliance, 30 customer support, 7
admin, 3, 13
D
password, 13
administrator access default user, 13
admin, 3
administrator certificates
E
importing for two-factor authentication, 25 Edit Local Account page, 20
administrators email notifications, 23
overview, 13
Adobe Flash Player, 3 F
appliances Flash Player, 3
logging on, 30
managing, 29 G
refreshing information, 31 Global Security Administrator
registering, 30 adding multiple, 14
single sign-on, 30, 32 overview, 13
troubleshooting, 31
L
attribute matching
configuring, 27 launching TRITON Unified Security Center, 2
enabling, 25 local user accounts, 15
audit logging, 28 adding, 16
Authentication Gateway editing, 20
allowing password authentication, 26 password, 10, 15
configuring attribute matching, 27 locating product information, 7
deploying the master certificate file, 27 logging on, 3
appliance, 30
B Windows 7, 3
backing up TRITON data, 33
backups M
changing settings, 36 manual backups, 35
running manual, 35 master certificate file
scheduling, 34 deploying, 27

TRITON Administrator Help  1

Index

module toolbar, 6 User Directory, 10

MyWebsense portal, 7 single sign-on
configure existing appliance, 32
N editing permissions, 31
navigating TRITON Unified Security Center, 6 enabling for new appliance, 30
network accounts transferring from another appliance, 30
adding, 18 subscriptions
editing, 22 MyWebsense portal, 7
notifications synchronized TRITON and Web Security
configuring, 23 backups, 38
templates, 23
T
P technical support, 7
password templates
admin, 13 modifying, 24
changing, 10 toolbar
local user, 10, 15 module, 6
patches, 7 TRITON, 6
permissions, 14 TRITON administrator
configuring, 17, 19, 21, 22 overview, 14
editing, 22 permissions, 14
TRITON settings
TRITON - Data Security default, 14
Administrators, 15
TRITON - Email Security default, 14
Audit Log, 28
TRITON - Web Security default, 14
Certificate Authentication, 25
viewing, 10
defined, 9
R My Account, 10
register new appliance, 30 Notifications, 23
restore process User Directory, 10
running, 35 TRITON toolbar, 6
synchronizing with TRITON - Web Security, 38 TRITON Unified Security Center
restoring TRITON data, 33 administrator access, 15
running the restore process, 35 appliance details, 29
running TRITON Unified Security Center, 2 launching, 2
logging on, 3
S navigation, 6
scheduling backups, 34 session timeouts, 5
security certificate alerts, 4 Websense banner, 6
session timeout, 5 two-factor authentication
settings allowing password authentication, 26
Administrators, 15 configuring, 25
backup, 36 configuring attribute matching, 27
My Account, 10 deploying the master certificate file, 27
Notifications, 23 importing certificates, 25

2 Websense TRITON Unified Security Center

 Index

U password, 10, 15
user accounts user directory services
adding local, 16 configuring, 11
adding network, 18
W
admin, 13
editing local, 20 Websense user accounts, 15
editing network, 22 admin, 3
local, 15 Windows 7, 3
network, 15

TRITON Administrator Help  3

Index

4 Websense TRITON Unified Security Center