Trustwave SWG 3000, SWG 5000, SWG 7000 Setup Manual

Download

.Trustwave.com Updated October 9, 2007

Secure Web Gateway

Version 11.5

Setup Guide

Secure Web Gateway 11.5 Setup Guide

Legal Notice

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.

The most current version of this document may be obtained by contacting:

Trustwave Technical Support: Phone: +1.800.363.1621 Email: support@Trustwave.com

Trademarks

Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

Revision History

Version Date Changes

1.0 February 2012 Version 10.2

2.0 October 2012 Version 11.0 update

2.1 November 2013 Version 11.5 update

Secure Web Gateway 11.5 Setup Guide

Formatting Conventions

This guide uses the following formatting conventions to denote specific information.

Formats and Symbols Meaning

Blue Underline A blue underline indicates a Web site or email address.

Bold Bold text denotes UI control and names such as commands, menu items, tab and field

names, button and check box names, window and dialog box names, and areas of windows or dialog boxes.

Code

Italics

[Square brackets] Square brackets indicate a placeholder for values and expressions.

Text in Lucinda Console indicates computer code or information at a command

line.

Italics denotes the name of a published work, the current document, name of another document, text emphasis, or to introduce a new term.

Notes, Tips, and Warnings

Note: This symbol indicates information that applies to the task at hand.

Tip: This symbol denotes a suggestion for a better or more productive way to use the

product.

Caution: This symbol highlights a warning against using the software in an unintended manner.

Question: This symbol indicates a question that the reader should consider.

Secure Web Gateway 11.5 Setup Guide

Table of Contents

Legal Notice ii

Trademarks ............................................................................................................................... ii

Revision History ......................................................................................................................... ii

Formatting Conventions iii

Notes, Tips, and Warnings ........................................................................................................ iii

About This Guide v

1 Before You Begin 6

2 Installing the Appliance 6

2.1 Installing a Physical SWG Appliance .................................................................................. 6

2.1.1 Requirements before Installing a Physical Appliance ............................................... 7

2.1.2 Connecting an Appliance Using an Ethernet Cable .................................................. 7

2.1.2.1 For SWG 3000 and SWG 5000 models: ................................................ 7

2.1.2.2 For an SWG 7000 appliance: ............................................................... 8

2.1.3 Connecting an Appliance Using a Serial Cable ........................................................ 9

2.2 Deploying a Virtual SWG from an OVF File ......................................................................... 9

3 Setting Up the Appliance 10

3.1 Preparing Values for the Appliance Setup ........................................................................ 10

3.2 Setting Up the Appliance ................................................................................................ 11

4 Performing Additional Configuration 12

4.1 Limited Shell Commands — Summary List ....................................................................... 12

4.2 Limited Shell Configuration Commands ............................................................................ 14

4.3 Limited Shell Monitoring Commands ................................................................................ 18

5 SWG Installation Utility 22

5.1 Usage Instructions ......................................................................................................... 22

5.1.1 Upgrading the Policy Server and All-in-One .......................................................... 23

5.1.2 Scanning Servers Upgrade .................................................................................. 24

5.1.3 Using the USB Key ............................................................................................. 24

5.1.4 Using the config_upgrade Command ................................................................... 24

5.2 Limited Shell .................................................................................................................. 25

Secure Web Gateway 11.5 Setup Guide

6 Upgrading from Version 10.2 26

7 USB Key Creator 27

7.1 Notes and Warnings ....................................................................................................... 27

7.2 Usage Instructions ......................................................................................................... 27

About This Guide

This guide provides the instructions you need to install and set up your Trustwave SWG appliance.

Secure Web Gateway 11.5 Setup Guide

1 Before You Begin

Note: Physical SWG appliances come with the required image already loaded. Should you need to reload or replace the image, refer to SWG Installation Utility on page 22.

You should perform the following tasks in the order listed:

1. Installing the Appliance

2. Setting Up the Appliance

3. Performing Additional Configuration

After you have set up the appliance, you can configure the system according to your needs. For instructions, see the

Management Console Reference Guide

2 Installing the Appliance

This section contains the following:

• Installing a Physical SWG Appliance

• Deploying a Virtual SWG from an OVF File

2.1 Installing a Physical SWG Appliance

Installation consists of connecting to the appliance. You can connect in any of the following ways:

• Using an Ethernet cable

• Using a Serial cable (SWG 3000 and SWG 5000 only)

• Using a keyboard and monitor

Instructions for connecting are provided on the following pages. Before connecting to the appliance, ensure that the following requirements are satisfied.

Secure Web Gateway 11.5 Setup Guide

2.1.1 Requirements before Installing a Physical Appliance

• Working electrical outlet:

• 1 x Outlet for the SWG 3000

• 2 x Outlets for the SWG 5000

• 4 x 16amp Outlets for the SWG 7000, preferably via PDU

• Network connection — cable and switch

• Hardware for connecting — ethernet cable, serial cable, or a keyboard and monitor

• Rack space for the appliance

• 1U Rack space for SWG 3000 or SWG 5000

• 7U Rack space for SWG 7000

• Switch port for the internet cable

• Appliance name

• Physical address

• DNS address

• DNS name

• Default gateway

2.1.2 Connecting an Appliance Using an Ethernet Cable

2.1.2.1 For SWG 3000 and SWG 5000 models:

1. Plug in the power cable and switch the appliance on.

2. Connect a PC directly to the appliance’s GE0 port or via a switch (for 5000-SWG, see 5000-SWG Rear

Panel) using a standard (8 thread) Ethernet cable. CAT5e cables (or better) are recommended.

3. The default IP of the GE0 interface is 10.0.0.1, and its default netmask is 255.255.255.0. Configure

the TCP/IP settings of your PC so that it is on the same logical network subnet as the appliance’s GE0 interface. For example, configure the IP on the PC as 10.0.0.101 and the PC’s netmask as

255.255.255.0.

IMPORTANT: Do not set the PC’s IP to 10.0.0.1, as this will result in an IP conflict with the appliance.

4. Continue with initial setup of your SWG Appliance using Limited Shell.

Secure Web Gateway 11.5 Setup Guide

2.1.2.2 For an SWG 7000 appliance:

The SWG 7000 model is a chassis containing blade servers, each of which operates as an appliance. This provides for overall higher end performance.

Perform the following procedure for each blade regardless of its intended network role.

1. Plug in the power cables.

2. Configure the network settings of any PC to match those of the appliance (IP address and subnet

mask).

• IP address in the same subnet e.g. 10.0.0.101

• Subnet mask 255.255.255.0

3. Connect your PC to one of the ports on the Gigabit Ethernet switch in I/O switch module Bay 1 on

the appliance using an ethernet cable.

4. Power up the blades as follows:

In the control panel for the blade:

a. Press the KVM Select button so that the VGA screen attached to the chassis displays output from

the blade being powered up.

b. Press the Power button until the blade turns on. After the blade finishes booting, a login prompt

is displayed.

5. Continue by doing either of the following:

• Repeat Step 1 for each blade, and when done, continue with initial setup of your SWG Appliance

blades using the Limited Shell, or

• Continue with initial setup of this SWG Appliance blade using the Limited Shell, and when done,

repeat Step 1 for each blade.

Note: For more information on setting up the SWG 7000, contact your Trustwave representative.

Secure Web Gateway 11.5 Setup Guide

2.1.3 Connecting an Appliance Using a Serial Cable

Note: Connection using a serial cable is applicable only to SWG 3000 and SWG 5000 appliances.

1. Connect the PC to the appliance’s Serial Console, using the serial cable.

2. Using the Hyper Terminal application, enter the appropriate Port settings:

• Bits per Second (Baud Rate): 19,200

• Data Bits (Word): 8

• Parity: None

• Stop bits: 1

2.2 Deploying a Virtual SWG from an OVF File

This section explains how to deploy a virtual SWG from an OVF file. Virtual SWG appliances are certified to work with VMWare ESXI version 4.1 servers.

Note: Before deploying the virtual appliance, ensure that you have access to a VMWare vSphere client and that the OVF files are accessible in your local machine.

1. In the vSphere client, choose File | Deploy OVF Template.

2. In the wizard, browse to the OVF file and then complete the deployment.

When done, it is recommended that you set the attributes for the virtual machine according to the values in the following table.

Machine Attribute Recommended Value

CPUs At least 2

Memory At least 4GB

Secure Web Gateway 11.5 Setup Guide

3 Setting Up the Appliance

The setup procedure is the same for both physical and virtual SWG appliances. You perform the setup using a setup script that is run in the Limited Shell.

Note: Before setting up the installed appliance, you should prepare for setup by assembling the detailed

This section contains the following:

• Preparing Values for the Appliance Setup

• Setting Up the Appliance

3.1 Preparing Values for the Appliance Setup

What to Do Details

information and values that you will need to supply as part of setup.

1 Decide the role of the

appliance

2 Decide which network

interface should be used for the appliance:

Network Interfaces Description

GE0 (eth0): 1GB - Autonegotiation enabled Recommended!

You must define a single Policy Server (provides management and reporting services), and at least one Scanner (provides scanning and authentication services). You can choose to define both of these roles in the same appliance or in different appliances:

• All In One (Default) – Defines the appliance as both a Policy Server

and a Scanner. This value is often used for SWG 3000 or 5000 models.

• SWG Scanner – Defines the appliance or blade as a Scanner only.

• SWG Policy Server – Defines the appliance or blade as a Policy Server

only.

• Standby Policy Server – Defines the appliance as a standby Policy

Server to support high availability.

Allows communication at a speed of up to 1GB with Auto-Negotiation enabled. Auto- negotiation enables simple, automatic connection of appliances by taking control of the cable when a connection is established to a network device that supports a variety of modes from a variety of manufacturers. The device is able to automatically configure the highest speed.

GE1 (eth1): 1GB - Auto-

negotiation

Allows communication at a speed of up to 1GB with Auto-Negotiation enabled.

Secure Web Gateway 11.5 Setup Guide

What to Do Details

GE2 (eth2): 1GB - Auto-

negotiation

GE3 (eth3) 1GB - Auto-

negotiation

3 Determine the IP address and netmask for the selected interface as IP/ (netmask/prefix), if you will not be using

the default settings. 4 Determine the Default Gateway IP address. 5 Determine the hostname if you will not be accepting the current settings.

6 Determine the IP address for the DNS Server if you will not be accepting the current DNS configuration settings.

Note: DNS configuration setting is mandatory. 7 Determine the DNS domain names if you will not be accepting the current settings. 8 Decide on any password changes if required.

(Available for SWG 5000, and the Policy Server in SWG 7000 only.) Allows communication at a speed of up to 1GB with Auto-Negotiation enabled.

3.2 Setting Up the Appliance

Perform the setup using the values you prepared.

1. Log in to the Limited Shell. The default user name and password for the shell (command line) is

admin and TrustwaveSWG respectively:

• For a physical machine, you can connect from a remote machine using an SSH client, serial

cable, or by connecting a keyboard and monitor to the appliance.

• For a virtual appliance, connect through the vSphere client.

2. Enter the setup command. The current configuration status is displayed.

3. Using the data you prepared, page through the setup script entering the needed values. This

displayed configuration is updated as you enter values.

Secure Web Gateway 11.5 Setup Guide

4 Performing Additional Configuration

You can optionally use the commands of the Limited Shell to manage the functionality and monitor the appliance.

Each appliance has different configuration needs, so there is no set procedure. Enter the relevant Limited Shell commands and values.

Limited Shell commands are divided into two categories; Configuration commands and Monitoring commands.

This section contains the following:

• Limited Shell Commands — Summary List

• Limited Shell Configuration Commands

• Limited Shell Monitoring Commands

4.1 Limited Shell Commands — Summary List

The following monitoring and configuration commands are available:

Note: The A/C/M column indicates if the command is an Administration (A), Configuration(C), or

For more information on configuring the system, refer to Limited Shell Configuration Commands.

For further in-depth analysis and diagnostics of the system, refer to Limited Shell Monitoring Commands.

Command

access_list

arp

change_password

check_connectivity

config_ ...

Monitoring (M) command.

A/C/M

Enables/disables access list

Displays the arp table

Change password

Checks connectivity to the remote devices (for Policy Server or All-

Description

in-One appliances)

Network or service configuration. Double tab to view the

config_network, config_time, config_hardware, config_upgrade, config_support, config_psweb, config_exclude, config_bridge, and config_access_log

commands.

Secure Web Gateway 11.5 Setup Guide

Command

disable_ ...

enable_ ...

ethconf

flush_dnscache

ifconfig

ip2name

iptraf

last

name2ip

A/C/M

Displays disk usage

Disables service. Double tab to view the

Menu interface to ethtool

Flushes the DNS cache

Displays NIC configuration and statistics

Resolves IP to hostname

Interactive IP LAN monitor

Displays last login

Resolves hostname to IP

Description

disable_service_snmpd

Enables service. Double tab to view the enable_service_snmpd and enable_service_ssh

and disable_service_ssh

commands.

netstat

ping

poweroff

reboot

reset_config

restart_role

save_exclude_logs

save_support_logs

setup

show_ ...

Displays Network statistics

Sends ICMP ECHO_REQUES to network hosts

Powers off the system

Reboots the system

Sends full configuration to appliance

Restarts the role

Saves Exclude logs

Saves Support logs

C Runs configuration setup

Shows system or service status. Double tab to view the

show_bridge, show_config, show_hardware, show_network

, show_service, show_dbsize,

show_proxy_buffers, show_proxy_connections, show_route

, show_time, and show_version commands.

supersh

Provides access to privileged shell

Secure Web Gateway 11.5 Setup Guide

access_list

change_password

Command

tcpdump

top

traceroute

uptime

vmstat

wget

A/C/M

Dumps traffic on a network. Results files will be under sftp chroot/

Displays Linux tasks

Prints the route packets taken to network host (traceroute

Displays uptime

Reports information about system usage (usage: vmstat,

Shows who is logged on

Retrieves files using HTTP, HTTPS and FTP

Description

tcpdump_captures. Files can be downloaded using any sftp client

4.2 Limited Shell Configuration Commands

Limited Shell configuration commands enable you to define the role the appliance takes, the security, access and time settings, and also carry out routine maintenance operations. The configuration commands are also used to define how the network works, and how the appliance communicates with the network.

This feature is configured from the Management Console. The administrator can define a range of IP addresses to access Management applications on predefined ports (such as the Management Console, SNMP, SSH) or User applications on predefined ports (such as HTTP, FTP, ICAP) or System ports (internal ports). Any IP address not defined in the IP range will then be blocked from accessing these applications on the ports defined by Trustwave.

The access_list command is used to enable or disable the Access List and is useful for situations when due to a mistaken configuration, or other circumstances, you cannot access the Management Console, and want to disable the Access List feature.

Enter the access_list command and choose enable or disable.

Allows system administrators to change the Limited Shell’s password. For security reasons, it is recommended to choose a password which contains both characters (higher case and lower case) and digits. It is also recommended to change the password frequently.

Enter the change_password command and confirm current and new passwords.

Secure Web Gateway 11.5 Setup Guide

config_ ...

config_network

config_time

Enables network, service and Policy Server configuration. Press the tab button twice to display the config_network, config_time, config_hardware, config_upgrade, config_support, config_psweb, config_exclude, config_bridge, and config_access_log commands.

Allows system administrators to configure network parameters, such as the IP address(es), routing information, DNS parameters. Enter the config_network command.

The current network configuration is displayed (i.e. the DNS Search Domain, nameserver and Hostname configuration). A Name Server is a network server that provides a naming or directory service. A prompt

is displayed asking if you want to change the configuration. Enter y to change the network configuration.

Select an option from the following commands:

• View: This command allows you to view the current network configuration: The IP address assigned

to each interface, the current DNS configuration and the current hostname configuration.

• Interface: Allows system administrators to modify interface related parameters such as: Add,

Remove or Change an IP address from a physical interface; Add, Remove or Change routing information; Enable or Disable a physical interface.

• Choose an interface, for example, 1 (eth0). The editing options are displayed.

• Choose an editing action, for example, 1 (Change IP address). To add a static route, choose 4

(Add route). The new route must be input as ‘IP/via prefix IP’. For example, 1.1.1.1/32 via 10.0.3

• Gateway: Allows system administrators to set the default gateway of the appliance. The IP address

of the default gateway must be a local IP address. It is mandatory to configure a default gateway to the appliance. To change the current gateway configuration, enter the IP address.

• DNS: Allows configuring the DNS servers, which the appliance uses in order to resolve the

hostnames to IP addresses. It is also possible to configure a search domain under the DNS settings which allows the appliance to complete the domain name (according to the configured value) in case the host name is not completed. For example, if the search is on http://mize and the search domain is Trustwave.com, the appliance will try to resolve to http://mize.Trustwave.com.

IMPORTANT: It is mandatory to configure the DNS Server that has the ability to resolve external IP addresses

The current DNS configuration is displayed. Select an action, for example, 1 (change search).

• Hostname: Allows configuring the appliance hostname.

• Hosts: Allows configuring the host files.

Allows system administrators to set the system date and time, the time zone and also the NTP Server. To change a setting, type y. Select an option from the menu, else Q to exit.

Secure Web Gateway 11.5 Setup Guide

config_hardware

config_upgrade

config_support

config_psweb

config_exclude

config_bridge

config_access_log

disable_ ...

This command allows the system administrator to configure an installed Caching Kit and/or Bypass NIC.

Note: Caching Kit is relevant to both physical and virtual devices. Bypass NIC is relevant only to physical devices.

When the command is entered, the screen displays the installation and configuration status of these two pieces of hardware.

To configure an installed piece of hardware, select the hardware option (Caching Kit or Bypass NIC) from the menu, and then enter Y to configure it. Select Q to exit.

After upgrading the Policy Server to a new version, running this command will upgrade the scanners.

Allows you to install support packages.

Allows you to change the Policy Server management port for enhanced security. To change the Listening port for the Policy Server, add the new Port settings.

Defines bypass rules in intercepting proxy mode.

Configures intercepting proxy to work in bridge mode. In Bridge mode, only traffic that should be scanned will be processed. All other traffic will flow uninterrupted.

Enables or disables the access log.

Disables the service. The disable command includes the disable_service_snmpd and disable_service_ssh commands.

Secure Web Gateway 11.5 Setup Guide

disable_service_snmpd

disable_service_ssh

enable_ ...

enable_service_snmpd

enable_service_ssh

ethconf

flush_dnscache

reset_config

Disables the snmpd network service. Enter the disable_service_snmpd command.

Disables the ssh network service. Enter the disable_service_ssh command.

Enables the network service. The enable command includes the enable_service_snmpd and enable_service_ssh commands.

Enables the snmpd network service. Enter the enable_service_snmpd command.

Enables the ssh network service. Enter the enable_service_ssh command.

Enables configuring the Network Interface parameters.

Enter the ethconf command and choose the required interface. Choose the required speed or select Autonegotiation to enable the appliance to negotiate its own speed.

Enter the ethconf command and choose the interface, for example, enter 1 (eth1).

The settings for the selected interface are displayed.

Choose configuration for the adapter and confirm to make the settings permanent

Note: According to the IEEE 802.3 standard, when working with 1000Base-T at a speed of 1000Mbps, auto-negotiation must be enabled. A fixed speed of 1000Mbps is not supported. For more information, refer to the 1000BASE-X Auto-Negotiation standard as defined in Clause 37 of the IEEE 802.3 standard.

Flushes the dns cache.

Rebuilds the appliance configuration in extreme situations where the appliance, for whatever reason, was disconnected for a period of time. This action restarts the appliances and may take several minutes.

Secure Web Gateway 11.5 Setup Guide

arp

check_connectivity

ifconfig

ip2name

iptraf

4.3 Limited Shell Monitoring Commands

Address Resolution Protocol command — the standard method for finding a host's hardware address when only its network layer address is known. Enter the arp command to display the appliance's arp table.

For Policy Server or All-in-One appliance, checks connectivity to the remote devices.

Disk free command — a standard Unix command used to display the amount of available disk space for file systems.

Enter the df command to display the disk usage.

This Unix command is used to display TCP/IP network interfaces. Enter the ifconfig command to display configuration and statistics.

Looks up the hostname associated with an IP address entered by the administrator. Enter the ip2name command followed by the IP address to display the associated hostname.

This command is a Linux network statistics utility. It gathers a variety of parameters such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/ UDP traffic breakdowns, and LAN station packet and byte counts. Enter the iptraf command to display the IP traf options:

• IP traffic monitor

• General Interface Statistics

• Detailed Interface Statistics

• Statistical breakdowns

• LAN station monitor

For example, select IP traffic monitor to display the IP traffic monitor details.

Secure Web Gateway 11.5 Setup Guide

last

name2ip

netstat

ping

poweroff

reboot

restart_role

save_exclude_logs

save_support_logs

Displays a list of the previous administrators who logged on to the Limited Shell - including those still logged on.

Displays the IP address associated with a given hostname. Enter the name2ip command followed by a hostname to display the associated IP address.

This command is a useful tool for checking your network configuration and activity. It displays the status of network connections on either TCP, UDP, RAW or UNIX sockets to the system.

Use the ping command to check the network connectivity - for example after using netconf.

Enables you to remotely shut down the appliance.

IMPORTANT: Physical access to the appliance is needed to bring the system back online for all models except the 7000-SWG.

Enables you to remotely reboot the appliance.

Restarts all role services.

Saves Exclude logs in the Exclude directory.

Saves Support logs in the Support directory.

Secure Web Gateway 11.5 Setup Guide

setup

show_ ...

show_bridge

show_config

show_hardware

show_network

show_service

show_dbsize

show_proxy_buffers

Assists you in setting up the appliance for the first time. It guides you to perform all the necessary steps to establish a working appliance. You can choose to rerun the setup command to repeat the initial configuration commands at any time.

Shows system or service status. The show command includes show_bridge, show_config, show_network, show_service, show_dbsize, show_proxy_buffers, show_proxy_connections, show_route, show_time, and show_version.

Shows the Bridge role configuration.

Shows the current configuration.

Shows the hardware specs of a given SWG device.

Shows the current network configuration. This includes: defined interfaces, DNS configuration, DNS cache and current hostname.

Allows system administrators to view the service configuration status.

The following options are available:

• show_service_all: Displays the service configuration status for all the available services.

• show_service_snmpd: Displays the service configuration status for snmpd.

• show_service_ssh: Displays the service configuration status for ssh.

Shows the file size of the data- bases connected with your appliance.

Shows the status of proxy buffers.

Secure Web Gateway 11.5 Setup Guide

show_proxy_connections

show_route

show_time

show_version

supersh

tcpdump

traceroute

uptime

Shows the status of proxy connections.

Allows system administrators to view the Kernel IP routing table.

Allows system administrators to view the time, date, time zone and ntp settings.

Shows the currently installed SWG version.

Enables root access to the appliance. This command is reserved for Trustwave Support only.

Allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It writes all the information into a tcpdump file. This file can then be downloaded for further analysis. Up to 4 files of 100 MB each are kept. When the fourth file gets full, the first file is deleted (i.e.cyclic progression). SFTP, such as WinSCP, is required in order to download the files.

top

Displays all the running processes, and updates the display every few seconds, so that you can interactively see what the appliance is doing.

Displays the route over the network between two systems, listing all the intermediate routers a connection must pass through to get to its destination. It can help you determine why connections to a given server might be poor, and can often help you figure out where exactly the problem is.

Produces a single line of output that shows the current time, how long the system has been running (in minutes) since it was booted up, how many user sessions are currently open and the load averages.

Secure Web Gateway 11.5 Setup Guide

vmstat

wget

Reports statistics about kernel threads, virtual memory, disks, traps and CPU activity. Reports generated by the vmstat command can be used to balance system load activity.

Shows who is currently logged on and the current command they are running.

Allows you to download web files using HTTP, HTTPS and FTP protocols.

5 SWG Installation Utility

The SWG Installation Utility replaces the previous version upgrade mechanism as of version 9.0. The Installation Utility provides several options for version upgrades and clean installations.

The SWG Installation Utility should be used in the following scenarios:

• Upgrade to any currently available version, starting from version 10.1

• Clean installation of last version

• Restoration of previous versions

If upgrading from Version 10.2 to Version 11.x or later, go to Upgrading from Version 10.2 on page

26.

5.1 Usage Instructions

Notes:

• The SWG Installation Utility is an application provided by Trustwave. To use the application it must

be placed on a bootable USB key with the relevant version ISO files. If you have not yet configured a bootable USB key, refer to USB Key Creator on page 26. (The necessary files for the USB key installation are found in the Support section of the Trustwave website.)

• Physical access to the Policy Server is required to connect the USB key.

Secure Web Gateway 11.5 Setup Guide

5.1.1 Upgrading the Policy Server and All-in-One

To upgrade the Policy Server:

1. Connect the USB key to the Policy Server and reboot the appliance.

Note: Ensure that the appliance boots from the USB as the first boot device.

After the appliance boots from the USB key, the following options are displayed. (The menu is dynamic and therefore this image is for example purposes only):

2. Select the required option.

Note: After the upgrade option is selected, the current system is automatically backed up. The system verifies which ISO files are available on the USB key for use.

The menu displayed is based on the ISO files available on the USB and HDD/image partition. Therefore, the list is dynamic. The following is a sample menu:

The format of the filenames is designed so that the first *** numbers displayed are the version number, and the subsequent b** is the build number.

Secure Web Gateway 11.5 Setup Guide

3. Select the required option.

The following menu opens:

Note: The above clean installation option differs from the main menu clean install in that it keeps all (saved) device settings and ISO images intact.

4. To continue the upgrade, select option 1.

The system will now install a fresh installation on the Policy Server and restore the previous settings on the device (Network, GUI Configuration, Logs and Reports).

5.1.2 Scanning Servers Upgrade

After the upgrade utility has completed upgrading the Policy Server, the remote devices (if present) must also be upgraded.

The following options are available:

5.1.3 Using the USB Key

To upgrade the scanning servers follow the procedure described in Upgrading the Policy Server and All-in-One on page 23. This process requires physical access to all scanning servers and cannot be performed remotely.

5.1.4 Using the config_upgrade Command

The config_upgrade command (available on the Policy Server starting with version 9.2 only when upgraded from 9.0 M02 and up) allows you to decide which groups of remote devices to upgrade and in what order.

Note: Scanners can be divided into specialized ‘groups’, which enables upgrading for specific devices only.

Secure Web Gateway 11.5 Setup Guide

5.2 Limited Shell

The following steps are required to upgrade the remote devices using the config_upgrade command

from the limited shell.

These procedures describe the upgrade process using an All-in-One appliance (Policy Server and Scanner) with an additional remote scanning server.

1. Log in to the limited shell of the upgraded Policy Server.

2. Run config_upgrade.

3. The list of available scanners is displayed. Press Y.

4. New upgrade group. Enter 1.

5. The scanner is listed under Group 1. Press N when prompted to change the configuration. This will

start the upgrade process.

6. Start the Upgrade: Press Y.

The status of the installation is displayed under Running State.

For example, “Copy installation image to hosts in group 1”.

The installation is complete. The new version is installed on the scanner.

Note: If there are additional groups, the system will automatically move to the next upgrade group. Groups that have already been upgraded will not change.

Secure Web Gateway 11.5 Setup Guide

6 Upgrading from Version 10.2

With the introduction of version 11, upgrading the SWG has been simplified and can now be done from

the GUI (Administration | Updates and Upgrades | Management).

To upgrade the Policy Server to Version 11:

When running version 10.2, the OS update will display in the Available Updates tab.

1. Right-click the icon on the left and select Install Now.

Secure Web Gateway 11.5 Setup Guide

After the upgrade is complete and GUI access is restored, the scanners can be upgraded from the Trustwave devices tree.

2. Navigate to Administration | System Settings | SWG Devices.

3. Right-click the Scanning Server IP and selecting Upgrade to PS Version.

You can also downgrade from the current version by selecting Downgrade to Previous Version.

7 USB Key Creator

This section describes the bootable USB key creator procedure for re-imaging or upgrading the Secure Web Gateway.

• The USB Key Creator is certified for Windows XP Service Pack 2 and later.

• Any residual instances of “VS Installer” in filenames or utility names refer to the SWG Installation

Utility.

7.1 Notes and Warnings

• The installation of files onto the bootable USB is not required in a specific sequential order when

copying SWG Installation Utility files manually.

• Ensure that the latest SWG Installation Utility is used, as it is compatible with previous versions and

older hardware.

• The USB Creator will format the USB drive and all previous data will be deleted.

7.2 Usage Instructions

To download and install files:

1. Navigate to the Trustwave Support section of the Trustwave website. Proceed to the SWG Downloads

and Documentation section/Product Downloads.

2. Log in with valid email and password credentials.

3. Download the USB Creator for Windows. The file is titled Trustwave_Disk-on-Key.zip and includes the

TrustwaveUSB.exe and TrustwaveUSBTOOL.avi files.)

Secure Web Gateway 11.5 Setup Guide

4. Create a working directory, unzip the files, and run SETUP to install the program.

5. From the Trustwave Support website section, copy the SWG Installation Utility files and the ISO into

the working directory.

6. Unzip the SWG Installation Utility files to the working directory.

7. Insert a USB key and run the USB Key Creator program from its saved location.

8. Choose the USB key drive letter and browse to the working directory.

Make sure that you have selected the correct drive letter!

9. Click CREATE for the program to format the USB key and copy the necessary files.

10. When complete, the USB key is ready to use for the SWG Installation/upgrade. For more information,

refer to SWG Installation Utility on page 22.

About Trustwave®

Trustwave is a leading provider of compliance, Web, application, network and data security solutions delivered through the cloud, managed security services, software and appliances. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its TrustKeeper® portal and other proprietary security solutions. Trustwave has helped hundreds of thousands of organizations — ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers — manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices worldwide. For more information, visit

https://www.trustwave.com

Trustwave SWG 3000, SWG 5000, SWG 7000 Setup Manual

Specifications and Main Features

Frequently Asked Questions

User Manual