The WebBlocker Server must be installed on a virtual machine with a 64-bit OS. You can use virtual machines on these environments:
The WebBlocker Server is distributed as an OVA file for installation on VMware ESXi 5.x–6.x (64-bit required).
The vSphere client is used to provision and install the OVA file. You cannot use VMware Client, Player, or any other non-EXSi server/client mechanisms to deploy the OVA file.
For installation instructions, see Install the WebBlocker Server on VMware.
The WebBlocker Server is distributed as a VHD file for installation on Hyper-V for Microsoft Windows Server 2008 R2, 2012, or 2012 R2 (64-bit required).
To deploy the VHD file, you can use a Hyper-V Manager on Microsoft Server, or another Hyper-V environment.
For installation instructions, see Install the WebBlocker Server on Hyper-V.
Install the WebBlocker Server on a network where it can be accessed by the Fireboxes that will use it for website lookups. The WebBlocker Server must have Internet access to download database updates.
After you install and start the WebBlocker Server, run the Setup Wizard and configure the initial settings. For more information about the WebBlocker Server Setup Wizard, see Run the WebBlocker Server Setup Wizard.
WebBlocker Server Defaults
When you install the WebBlocker Server, it is configured with default settings.
WebBlocker Server Ports
WebBlocker Server uses these TCP ports:
- 22 — For support and console access to the WebBlocker Server
- 443 — For Firebox connections to send WebBlocker queries to the WebBlocker Server using HTTPS
- 4130 — For connections to the WebBlocker Server web UI
System Memory Allocation
WebBlocker Server is installed with 2GB of memory by default. If you change the system memory value manually in the VM settings, make sure to specify a value of 2GB or higher.
Disk Size for Storage
WebBlocker Server is installed with two hard disks; a 3 GB hard disk for the operating system and a 40 GB hard disk for the WebBlocker database. If you decide to change the default disk size, do not change the database hard disk to less than 40 GB.
To use the WebBlocker Server for website category lookups, your WatchGuard account must have an active WebBlocker license.
When you install the WebBlocker Server, you must specify your WatchGuard account ID and the serial number of any Firebox activated in your WatchGuard account. This information is used to get the expiration date of your WebBlocker license.
The date when your WebBlocker Server activation expires is the latest WebBlocker license expiration date from the feature keys of all Fireboxes associated with your WatchGuard account.
Your WebBlocker Server remains active if you have an active WebBlocker license for any Firebox activated in your WatchGuard account. If you do not have an active WebBlocker license, your WebBlocker Server activation will expire.
If the Firebox you specify in the Setup Wizard is returned to WatchGuard, the WebBlocker Server cannot get the expiration date of your WebBlocker license and the WebBlocker Server activation will expire. To resolve this, add a serial number for a different Firebox in the WebBlocker Server Web UI. For more information, see Configure WebBlocker Server General Settings.
Deploy the WebBlocker Server Behind a Firebox
If you deploy your WebBlocker Server behind a Firebox, make sure that the configuration for this Firebox meets these requirements:
- The configuration includes an HTTP or TCP-UDP proxy policy that monitors outbound HTTP traffic. The HTTP-proxy action for this proxy policy must allow HTTP responses that do not include the Content-Type field in the response header.
- If the HTTP or TCP-UDP proxy policy uses an HTTPS-proxy action with deep inspection enabled to monitor outbound HTTPS traffic, you must import the CA certificate used to sign the Proxy Authority CA certificate (used by the HTTPS proxy for deep inspection) to the WebBlocker Server as a trusted CA certificate. This enables the WebBlocker Server to validate the server certificate when it makes an outbound HTTPS connection. If the validation fails, WebBlocker Server drops the connection.
WebBlocker Server must make these HTTPS connections through the Firebox:
- Connect to download.websense.com and other *.websense.com URLs to download daily WebBlocker database updates.
- Connect to services.watchguard.com to get your WebBlocker license and to send diagnostic feedback to WatchGuard if the option is selected in the System Settings page.
To get Ubuntu Linux OS updates, the WebBlocker Server must be able to resolve these addresses through DNS:
WebBlocker Server must also make HTTP requests to these addresses. If you use proxies in your Firebox configuration (for example, the HTTP-proxy policy), you must make exceptions to allow WebBlocker Server to contact these addresses.