KB Article | Forcepoint Support

Notes & Warnings

Note Do not use wsbackup to restore information during these steps as it will bring over the old IP address. Any configuration file with the old IP will have issues in the new setup. 

Problem Description

What do I do to reinstall the Policy Broker and Policy Database on a machine with a different IP address from the original? How do I use a different Policy Broker for my Policy Server(s)?

Resolution

Changing the Policy Broker in an environment is an involved task, as it requires changing every Policy Server in the deployment to read from the new broker. This article has multiple sections for instruction:

  • Installing Policy Broker and Policy Database
  • Associating the Policy Servers to the new Policy Broker

Installing Policy Broker and Policy Database

There can only be one Policy Broker in the deployment when using standalone mode. The alternative is to use Policy Broker Replicas that copy the data from the Primary Policy Broker. For more information on Policy Broker Replicas, see Managing Policy Broker Replication.

Important Changing the Policy Broker will bring down services and affect filtering. 

For Windows servers:
  • If changing the IP on an existing Policy Broker server
    Forcepoint Technical Support does not support changing the IP address of a server, as many files use this IP address. If the IP address of the Policy Broker must be changed on a Windows server, the product will need to be reinstalled, or installed on a separate server or appliance; Technical Support can provide guidance on setup.
  • If creating a new server
  1. Note all services, IP addresses and logins present on the existing Windows server. This includes:
    • SQL server IP address and login.
    • Active Directory Global Catalog Servers and logins.
    • Any SIEM solution information, including IP and chosen format.
    • Any Service Accounts being used for services.
    • IP addresses of all proxies and other tied servers, such as Remote Filtering Client servers, in the environment.
    • Any manual bypasses, such as ignore.txt for DC Agent.
  2. Create a policy.wsdb backup file. See Backup and Restore the Policy Database for backup instructions.
  3. Create a wsbackup file as a reference. It will not be used directly to restore information, but is helpful if Technical Support assistance is required. See How do I back up and restore web protection software? for backup instructions.
  4. If other Forcepoint products exist on the server, such as Email or Data, raise a case with Forcepoint Technical Support to discuss what will need to be done to migrate.
  5. On the new server, use the Forcepoint Setup file to install all items that will be retired from the old server. If the installer is not on the server, you may download it from here. When downloading the installer, ensure the version matches your installation. To prepare the server:
    1. Ensure DEP/UAC/Firewall are turned off:
      • User Access Control (UAC):
        1. Click Control Panel and search for UAC.
        2. Set to Never and restart the server after the other steps are complete.
      • Data Execution Prevention (DEP):
        1. Click Control Panel and click System.
        2. Click Advanced System Settings, click Settings (Performance), and click Data Execution Prevention.
        3. Ensure DEP is set to For Windows components/services only, then restart the server.
      • Windows Firewall:
        1. Click Control Panel, click Firewall and ensure Windows Firewall is turned off.
    2. Ensure Antivirus solutions installed on the machine are turned off and are set to not scan the installation folder or its subfolders (by default, Program Files (x86)\Websense) after installation. See the documentation for the Antivirus solution for instructions.
    3. Ensure the administrator account used to log on to the server has read-write permissions on the hard drive where the software is being installed:
      1. Open a File Explorer window to This PC.
      2. Right-click the drive where the software will be installed.
      3. Click Properties.
      4. Select the Security tab.
      5. Ensure the administrator account is either present or part of a present group that states Full Control. If not present, click Edit and add Full Control to the user or group, then press OK.
      6. Press OK again to save changes.
    • If the Windows server was also the Forcepoint Security Manager, EIP Infrastructure will need to be installed first, then Web.
  6. After the fresh installation is complete, create a backup of the clean server. See How do I back up and restore web protection software? for instructions. If the server is a VM, creating a snapshot is also advised.
  7. Apply the policy.wsdb backup to the new server to restore policies. See Backup and Restore the Policy Database for restore instructions.
  8. Log into the Manager. On first login, an error will pop up asking for the old password from the old server. After entering the old password, log out and then log in again with the new password.
Note Once this is done, the other Policy Broker Manager can no longer be used and will be locked out, as only one Manager is allowed in the deployment. See Forcepoint instance is not authorized to connect to the Policy Broker for instructions on releasing the permissions on the old server's Security Manager, if it is absolutely necessary to check configurations to bring into the new environment.
 

For Appliances:
Note If using Software Content Gateway, this option is not available and requires reinstallation of the software to choose a different Policy method.

  • Version 8.3 to 8.5 Appliance using CLI
This takes approximately 20-30 minutes to complete.
  1. SSH into the appliance C interface IP.
  2. Log in with admin credentials.
  3. Type: config
  4. Enter the admin password again.
  5. Change the Web Components mode:
    1. Take note of the current Filtering mode; check by typing: show appliance info
    2. Type: set mode full
 
  • Version 7.5 to 8.2 using Appliance Manager
This takes approximately 20-30 minutes to complete.
  1. Appliance Manager > Configuration > Web Components
  2. Take note of the current Filtering mode.
  3. Click Full Policy Source.
  4. Press OK.
 

Associating the Policy Servers to the new Policy Broker

For Windows servers:
Note If the Policy Broker is now on an Appliance, create a Full Appliance Backup on the Policy Broker machine (For v8.3-v8.5, use How do I back up and restore V-Series appliances? for instructions. For v7.5-v8.2 use How do I back up and restore V-Series appliances? for instructions) and raise a case with Technical Support so they may retrieve the token from the encrypted file. 
  1. On the Windows server where the new Policy Broker is installed, go to Websense\web security\bin and open config.xml with Notepad or any text editor.
  2. Search for the container named BrokerService and take note of the Token value for the Token data container.
  3. On the Policy Server machines, stop all Websense services (see Stopping and starting Websense services).
  4. On the Policy Server machines, go to Websense\web security\bin and open config.xml with Notepad or any text editor.
  5. Search for the container WsBrokerServiceConfig and change the IP address within that container to point to the new Policy Broker.
  6. Search for the container BrokerService and change the value for Host to the IP address of the new Policy Broker and the value for Token to the Token value you noted in step 2.
  7. Restart all Websense services on the affected Policy Servers (see Stopping and starting Websense services).
  8. In Websense Manager, go to Settings > Policy Servers and add the other Policy Servers.
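The config.xml edits in steps 2 to 6 above, scripted as an added example. This is not Forcepoint tooling: the element layout it expects (`<container name="...">` elements holding `<data name="...">` entries) is an assumption built from the article's wording, and the IPs and token values are constructed placeholders, so check the layout against a real config.xml before relying on it. The script reads the Token from the new broker's file, rewrites WsBrokerServiceConfig and BrokerService in a Policy Server's copy, and then lists every remaining data entry that still carries the old broker IP, which is the check the opening note about wsbackup calls for.

```python
"""Re-point a Policy Server's config.xml at a new Policy Broker.

Added example, not Forcepoint tooling. The layout below, <container name="...">
elements holding <data name="..."> entries, is an assumption taken from the
article's wording ("container named BrokerService", "Token data container").
Run it with the Websense services stopped, as in step 3 of the article.
"""
import shutil
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of a Policy Server's config.xml,
# still pointing at the old broker (10.0.0.5). All values are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config>
  <container name="WsBrokerServiceConfig">
    <data name="IPAddress">10.0.0.5</data>
  </container>
  <container name="BrokerService">
    <data name="Host">10.0.0.5</data>
    <data name="Token">OLD-TOKEN-PLACEHOLDER</data>
  </container>
  <container name="LogServer">
    <data name="Host">10.0.0.5</data>
  </container>
</config>
"""


def _data(root, container, name):
    """Return the <data name=NAME> element inside <container name=CONTAINER>, or None."""
    cont = root.find(f"./container[@name='{container}']")
    return None if cont is None else cont.find(f"./data[@name='{name}']")


def read_broker_token(xml_text):
    """Step 2: read the Token from the BrokerService container of the new broker's config.xml."""
    el = _data(ET.fromstring(xml_text), "BrokerService", "Token")
    if el is None or not (el.text or "").strip():
        raise ValueError("BrokerService/Token not found in config.xml")
    return el.text.strip()


def repoint_policy_server(xml_text, old_ip, new_ip, token):
    """Steps 5 and 6: point WsBrokerServiceConfig and BrokerService at the new broker.

    Returns the rewritten XML and the list of (container, data) entries changed.
    """
    root = ET.fromstring(xml_text)
    changed = []
    cfg = root.find("./container[@name='WsBrokerServiceConfig']")
    if cfg is None:
        raise ValueError("WsBrokerServiceConfig container not found")
    # The article does not name the data entry holding the IP, so replace
    # every value in the container that equals the old broker address.
    for d in cfg.findall("data"):
        if (d.text or "").strip() == old_ip:
            d.text = new_ip
            changed.append(("WsBrokerServiceConfig", d.get("name")))
    for name, value in (("Host", new_ip), ("Token", token)):
        el = _data(root, "BrokerService", name)
        if el is None:
            raise ValueError(f"BrokerService/{name} not found")
        el.text = value
        changed.append(("BrokerService", name))
    return ET.tostring(root, encoding="unicode"), changed


def find_residual_ip(xml_text, old_ip):
    """Audit check: list every (container, data) entry whose value still contains old_ip.

    Substring matching over-reports (10.0.0.5 also hits 10.0.0.50); that is
    acceptable for a list an administrator reviews by hand.
    """
    root = ET.fromstring(xml_text)
    return [
        (cont.get("name"), d.get("name"))
        for cont in root.iter("container")
        for d in cont.findall("data")
        if old_ip in (d.text or "")
    ]


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: repoint_broker.py CONFIG_XML OLD_BROKER_IP NEW_BROKER_IP NEW_TOKEN")
    path, old_ip, new_ip, token = sys.argv[1:]
    shutil.copy2(path, path + ".bak")  # keep an untouched copy before editing
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_text, changed = repoint_policy_server(original, old_ip, new_ip, token)
    # ET.tostring drops the <?xml ...?> declaration; keep the original first line if it had one.
    if original.lstrip().startswith("<?xml"):
        new_text = original.split("\n", 1)[0] + "\n" + new_text
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    for entry in changed:
        print("updated", entry)
    for entry in find_residual_ip(new_text, old_ip):
        print("review: still contains the old broker IP", entry)
```

Run `read_broker_token` against the new broker's config.xml first, then pass its result as the fourth argument when running the script against each Policy Server's config.xml. Anything the final audit lists (LogServer in the sample) is a leftover reference to the old address that the article's steps do not cover and that has to be reviewed by hand, which is exactly why the opening note advises against restoring a wsbackup taken on the old server.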

For Appliances:
Note If using Software Content Gateway this option is not available and requires reinstallation of the software to choose a different Policy method.
 
  • Version 8.3 to 8.5 Appliance using CLI
This takes approximately 20-30 minutes to complete.
  1. SSH into the appliance C interface IP.
  2. Log in with admin credentials.
  3. Type: config
  4. Enter the admin password again.
  5. Change the Web Components mode:
    1. Take note of the current Filtering mode; check by typing: show appliance info
    2. Type: set mode full
  6. Change back to the original Web Components mode, but enter the new IP:
    1. If using Filtering Only mode, type: set mode filter --policy-server <IP-Address-of-Policy-Broker>
    2. If using User Service & Directory mode, type: set mode user --policy-source <IP-Address-of-Policy-Broker>
  • Version 7.5 to 8.2 using Appliance Manager
This takes approximately 20-30 minutes to complete for each change.
  1. Appliance Manager > Configuration > Web Components
  2. Take note of the current Filtering mode.
  3. Click Full Policy Source.
  4. Press OK.
  5. Change back to the previous Filtering Mode and type the IP address of the new Policy Broker.
  6. Press OK.
