What's new ?

Understanding Product Usage

Service IP addresses and ports

End of Life

Supported Browsers

Administrators

Active Directory

AD Connect software

Roles

Keyword Lists

Devices & Groups

Active Directory Synchronisation Explained

Active Directory Object Synchronisation

Account Password and MFA

Role Builder

Granting access to synchronise Azure AD shared mailboxes

Add the Exchange Online API permission to an existing AAD connection

Collecting debug information - USS Agent for Mac OS X

Configuration options for the Mac OS X agent type

Configuration options for the Gateway agent type

Configuration options for the Windows agent type

Configuration options for the Chromebook agent type

Bypassing Office 365

Disable QUIC in Chrome Browser

Prevent Law features for UK organisations

Unclassified / Uncategorised Site Processing

CensorNet Web Filtering Policy and Approach for Education

List of domains to bypass apps for SSL Interception

Bypass GoToMeeting & LogMeIn

Bypassing the Apple Store

Using Web Security with Sophos

Deployment Overview

Installing SSL Certificates On IOS 10.3/IOS 11 Devices

Check for the presence of a system proxy user

YouTube appears to work despite Block or Warn final action applied

Importing an SSL Certificate into the Cloud Gateway

Collecting debug information - USS Gateway

ESET issues identified

Active Directory Login Service

MIME Categories and Types

How to submit a URL reclassification request

Third Party Load Balancer Guides

What happens when my Web Security license is suspended or deleted?

SSL/TLS Strict Mode blocked ciphers

Installing an SSL Certificate on iOS 13

Custom URL parsing and overlapping patterns

YouTube Safe or Restricted mode enforced by DNS

Alter the default agent configuration poll time

Overview

Rules Engine Concepts

Filter Rules

Feature Control Rules

Browser Categories

Custom URLs

Bypass Categories

Deployment

Agent Configuration Profiles

Unblock Requests

Web Security: Product Configuration

Global Web Filtering Coverage

Web Categories List

Fair Usage Policy for Web & CASB (Inline)

Web Security: Quick Start

Web Security: Best Practice Guide

Getting Started

Requirements

Changelog - Windows Agent

Download Microsoft Windows agent

Deploying via Wizard

Deploying via Startup/Shutdown script

Deploying the Windows agent via a custom MSI

Deployment via GPO

Deploying via Microsoft Intune

Command-line parameters

Collecting debug information - USS Agent for Windows

Processes used by USS Agent for Windows

How to disable Device Guard or Credential Guard

Upgrading the USS agent from the v3.x release to the v4.x release

Installing the USS Agent SSL certificate in Firefox

Tray icon status codes

Temporary files generated by the endpoint agent software

Windows Agent Log File Storage

Incompatibility with nmap based products such as Wireshark

Getting Started

Requirements

Changelog - Mac OS X Agent

Download Mac OS X Agent

Install - Deploying via Wizard

Command-line parameters

Mac OS X agent VPN client incompatibility

Mac OS X Agent Log File Storage

Getting Started

Requirements

Changelog - Chromebook Agent

Download Chromebook agent

Deploying Chromebook agent via Google Admin console

Overview

Charts

Authentication & Identification

Deployment

Network

Settings

System

Advanced configuration

Configuring USS Gateway to work with LoadBalancer.org software load balancer

AddTrust or UserTrust root CA causes connectivity issues

Regular Gateway server maintenance

Preparing the USS Gateway for use with a load balancer

USS Gateway - Getting Started

USS Gateway - Requirements

Download Gateway Virtual Machine

Changelog - Gateway

Installation

First time Configuration

Upgrading USS Gateway

Accessing the Command Line

Take Packet Capture From Command Line

Reset Linux Password To Log Into Gateway Command Line

Captive Portal on Samsung Devices

SSL Certificate installation for iOS 10.3

'The Requested Content Was Blocked' Error Message

Resizing a Partition in ESX Server Virtual Machine

Export SSL Certificate From One Gateway To Import To Another

Interception of iOS and Android apps (SSL Pinning)

Deploying Web Browser proxy settings

Migrating the SSL intercept certificate to a new gateway

Using an intermediate CA signed by Windows DC root CA

Installing on Hyper-V

Upgrading USS Gateway software packages

Events not arriving for Office 365 Onedrive or Sharepoint

Overview

App Catalog

API Integrations

DLP Scanning

Malware Scanning

App Catalog List

Digest generation and Quarantines

Executive Tracking

Blocking emails from hacked Gmail accounts

Stop specific users from receiving Word documents

Detect credit card numbers in an email

Disable spam filtering for specific mailboxes

Nearby Domain Rule

IP Geolocation connection Rule

Reject oversized emails

Configure Office 365 for EMS

Safelisting Email Security IP addresses in Office 365

Configure GMail using Google Workspace for EMS

MX records and IP addresses for EU customers

MX records and IP addresses for USA customers

MX records and IP addresses for UAE customers

MX records and IP addresses for non-EU customers

Reporting spam or false positives

Configure outbound email for Exchange 2007/2010

Configuring TLS encryption

LinkScan: on-demand URL protection

Bulk Email & Fair Usage

Queue retention and retry times

Personal Safe Lists and Personal Deny Lists

Configure outbound DMARC

Configure outbound DKIM

Configure outbound email for Exchange 2016

CEA - Data storage explained

Reject message due to message “550 5.1.8 sender denied”

Insufficient system resources message on inbound email delivery

Email Sandbox - Level 1 supported file types

Outbound Delivery error: 550 Unable to relay

[Marketing Medium] or [High Medium] prefixed to the subject of mails

DMARC Failure Reporting

Image Analysis for Email supported image types

Powershell Script to list Office 365 Shared Mailboxes

What happens when my Email Security license is suspended or deleted?

Example Spam Digest or Quarantine Report

No Valid MX Record NDR message

How to onboard users into the End User Portal

Installing the Outlook add-in for reporting spam and phishing email

How to avoid multiple disclaimers being added when forwarding or replying to emails

Cisco Fixup Protocol

Adding images to email disclaimers

Reject Top Level Domains

Adding an alias to a primary mailbox

Outlook add-in is not the newest version

Temporary Server Error

Unable to Relay error on outbound email

Notify Recipient/Sender Actions

Managing DNS in Office 365

Upgrading to LinkScan version 2

Email Sandbox Level 2 - Supported File Types

Activate the Quarantine Portal for Spam Digest users

DMARC Abuse Report received even though it passes DMARC

Display Name Detection

HTML attachments

How to block double extension filenames

How to use the Domain Name Detection rule

How does DMARC work?

SecureMail concepts explained

Configuring SecureMail

Using the SecureMail dashboard

Overview

Email Security: Quick Start

Message Rules

Connection Rules

Default Rules

Custom rule Data

Global Quarantine

Personal Quarantine

Spam Deny List

Spam Safe List

Mailboxes

Product Configuration

Group Management

Placeholders for inserting message data into actions

Redirect emails to a different address

Configure Inbound mail on Office 365 to reject non-EMS emails

Managing an MFA lock-out

Count how many users are in an AD group

Configure FortiGate to use PAP for Challenge-Response

Overview

Quick Start

Rules Engine Concepts

Authentication Client (server)

Authentication App (enduser)

Product Configuration

Third Party Guides

Configuring Windows Logon Protection

Configuring RADIUS Protection

Deploying the Cloud MFA Authentication App

Configuring RD Web Access using IIS Website Protection

Products not supporting RADIUS Challenge-Response

Configuring AD FS Protection

Activity Reports

Charts

Schedules

Upgrading USS Gateway

Updated 1 year ago by admin

Upgrading 1.1.x (Ubuntu 16.04 based)
Upgrading from 1.0.x to 1.1.x
- Upgrading with the standard reinstall procedure
  - Important Considerations
  - To perform a reinstall
- Performing a manual upgrade

From time to time, updates to the USS Gateway core software and operating system are released. You will be notified when logging in to the USS Gateway web interface of any new core software updates. It is best practice to keep your gateway up to date with the latest release.

From version 1.1, the USS Gateway is based on the Ubuntu 16.04 operating system. All customers are advised to upgrade (see steps below) before April 2019 after which Ubuntu are ceasing security updates for the 14.04 operating system.

Upgrading 1.1.x (Ubuntu 16.04 based)

To upgrade the USS Gateway software and operating system:

Web access will be interrupted during the upgrade process. If you are unsure, please contact your Service Provider

Log in to the Command Line
Prior to Gateway version 1.2.x, if you have created any custom Squid configuration overrides then you must back these up manually before you begin the upgrade, and restore them afterwards (step 7).

sudo cp /usr/local/uss-squid4/etc/squid.conf.override squid.conf.override.old

sudo cp /usr/local/uss-squid4/etc/squid.conf.pre-override squid.conf.pre-override.old

At the prompt, enter sudo apt-get update && sudo apt-get dist-upgrade and press Enter
Enter your superuser password
Enter Y when prompted to install the new packages
Follow any further prompts and accept any defaults if asked
After the process has finished, if you backed up any Squid configuration override files in step 2, you can now restore them.

sudo cp /usr/local/uss-squid4/etc/squid.conf.pre-override.old squid.conf.pre-override

sudo cp /usr/local/uss-squid4/etc/squid.conf.override.old squid.conf.override

Once the update has completed, you may perform a reboot - however this is not a mandatory step

Upgrading from 1.0.x to 1.1.x

The new 1.1.x (and higher) version of the USS Gateway is based on the Ubuntu 16.04 operating system and includes numerous new features and performance optimisations.

There are two methods for upgrading the USS Gateway. If you are unsure, please seek advice from your service provider.

Reinstall to upgrade
Upgrade an existing 1.0.x version manually - the advantage of this method is that the Active Directory configuration is preserved

Upgrading with the standard reinstall procedure

This reinstall procedure is for customers wishing to upgrade from 1.0.x to 1.1.x of the USS Gateway software . The alternative is to upgrade an existing v1.0.x installation to v1.1.x without a reinstall (see below).

Important Considerations

If you use a physical machine for the USS Gateway, you will need to consider that upgrading to 1.1.x will require a reinstall of the operating system. It is recommended that you schedule the upgrade to minimise downtime for end-users, as the proxy will be offline whilst you reinstall the software. The estimated time for the upgrade procedure is 30-60 minutes.

If you use a virtual machine environment, the best practice is to create a new virtual machine for the 1.1.x-based proxy, and then swap end-users when configuration is complete.

To perform a reinstall

On your existing USS Gateway, follow the first part of the article Migrating the SSL Intercept certificate to a new server and store the .pem somewhere safe.
If you have customised the USS Gateway using the advanced override scripts, take a copy of the contents of each of the files and store them somewhere safe.
Make a note of the Active Directory configuration if you are using Kerberos Authentication. You will need to join the new proxy to the domain after installation.

This part of the configuration cannot be transferred to the new gateway.

Download the 16.04 ISO image
Install the USS Gateway software from ISO
Link the new gateway to your USS cloud account
If your old gateway was using a Configuration Profile other than the default one, then assign the correct configuration profile to the new gateway. Use the Update Config button to download the latest configuration profile, or wait 15 minutes for the gateway to automatically update.
Follow the second part of the article Migrating the SSL Intercept certificate to a new server and import the .pem from Step 1.
If you followed Step 2, restore the override scripts on the new gateway and restart ussgw-sysmond (e.g. /etc/init.d/ussgw_sysmond stop; /etc/init.d/ussgw_sysmond start )
If you followed Step 3, re-join the gateway to the Active Directory domain and ensure you create the new encryption keys.
Test the new gateway for authentication and SSL interception before switching end-users to the new proxy.

Performing a manual upgrade

It is possible to upgrade an existing USS Gateway based on Ubuntu 14.04 to 16.04 without reinstalling the operating system. This procedure requires familiarity with the Linux command line.

This is an advanced guide and familiarity with the Linux command line (the shell) is required. Please ensure you follow the backup steps so that in the case of failure, it is still possible to reinstall the USS Gateway to its original state.

If any of the steps below result in an error message that is not covered in the guide, seek advice from your service provider before continuing.

Before proceeding:

On your existing USS Gateway, follow the first part of the article Migrating the SSL Intercept certificate to a new server and store the .pem somewhere safe.
If you have customised the USS Gateway using the advanced override scripts, take a copy of the contents of each of the files and store them somewhere safe.

To begin, log in to the USS Gateway command line console. The first step is to ensure your current gateway has all of the latest updates applied. Run the following commands to ensure that your gateway is up to date:

sudo apt-get update

sudo apt-get dist-upgrade

sudo reboot

It is important to use dist-upgrade and it is important to reboot afterwards to install any new kernel updates.

Next, configure the update manager to use the LTS (Long Term Support) version of Ubuntu 16.04. To do this, run:

sudo nano /etc/update-manager/release-upgrades

Scroll down to the line that starts Prompt= and set the value to lts. The result on screen should look like the screenshot below:

The lts value is case-sensitive, so it must be lts, rather than LTS or Lts.

Save the file and exit the editor (Ctrl+X then Y then Enter if using nano).

Next, run the following command:

do-release-upgrade -c

This will check for any available upgrades and display the version.

If the version shown is not 16.04 then do not continue. Seek advice from your service provider.

You should see the following:

To begin the upgrade, run the following command:

do-release-upgrade

The following message will be displayed:

This means that you've actually disabled the package repository for the USS Gateway. This is intentional. You'll resolve this later in this guide.

Press Enter to continue.

After a few moments the following message will be displayed:

Press Y and then press Enter. Wait for the download to complete and for the upgrade to begin.

At the following prompt, select NO (if required, use the Tab key to switch buttons and Enter to confirm).

Next, you will see the following message. Press Enter to accept the default:

Next you will be prompted a number of times with messages like the example below. Accept the defaults by pressing N and then Enter for each message.

After a while, the following message will be displayed. This issue will be resolved later in the guide. For now, press Enter to continue.

One the next screen, select Install the package maintainer's version and then use the Tab key to select OK and press Enter.

Once the package analysis completes, the following prompt will be displayed:

Press Y and then Enter.

This will actually remove the USS Gateway software packages. This is intentional: the configuration will remain in place.

The upgrade will continue.

The upgrade may take a long time.

Once the upgrade is complete, you will be prompted to reboot. Press Y and then Enter.

It may take several minutes for the machine to reboot after pressing Y. This is normal.

You may see warning/error messages such as the ones shown in the screenshot below - these can be safely ignored.

After the reboot, log in to the console again to continue the process.

The next step is to install the USS Gateway packages for Ubuntu 16.04. To do this, it is necessary to update the apt repository sources.

At the console prompt, type:

sudo nano /etc/apt/sources.list

Scroll to the end of the file and add the following line:

deb http://apt-xenial.clouduss.com xenial non-free

The result on screen should look like the screenshot below:

Save the file (Ctrl+X then Y then Enter if using nano) and then run:

sudo apt-get update

Next, install the latest USS Gateway software package:

sudo apt-get install ussgateway

sudo reboot

The final step is to fix the Postgres 9.3 warning that was displayed earlier in the upgrade process. To do this, run the following commands:

sudo /etc/init.d/nginx stop

sudo /etc/init.d/uss-squid stop

sudo /etc/init.d/ussgw_sysmond stop

The next step is to disable the unnecessary Postgres 9.5 cluster that was created during the upgrade, and promote the original 9.3 cluster in its place. The final step removes the old 9.3 cluster, which is no longer needed.

sudo pg_dropcluster 9.5 main --stop

sudo pg_upgradecluster 9.3 main

sudo pg_dropcluster 9.3 main

The last step of the upgrade is to reboot the USS Gateway to ensure that everything starts up as expected:

sudo reboot

You should now be able to access the local UI for configuration. We recommend clearing your browser cache to ensure you are using the latest version of the UI.

The upgrade procedure is now complete.

Upgrading USS Gateway

Upgrading 1.1.x (Ubuntu 16.04 based)

Upgrading from 1.0.x to 1.1.x

Upgrading with the standard reinstall procedure

Important Considerations

To perform a reinstall

Performing a manual upgrade

How did we do?

Feedback