Installing the Website Categorization Module

The ITM On-Prem Website Categorization module automatically detects categories of Websites that end users are browsing, enabling alerts to be generated on browsing categories such as Gaming, Adults, Infected or Malicious Websites, Phishing Websites, and more.

The diagram below shows the configuration including the Web Categorization module.

For details, see Website Categorization.

Website Categorization Prerequisites

In order to trigger alerts on Internet browsing, the Website Categorization module must be installed. The Website Categorization module can be installed on the same endpoint as the Web Console or on a separate dedicated endpoint (recommended).

Prerequisites for installing the Website Categorization module

  • To download the initial data and receive updates directly from NetSTAR cloud service, your machine (that is, the server on which the Website Categorization module is installed), you must have Internet access.

    If you don’t have Internet access you can use an HTTP proxy that will provide Internet access and allow the data download.

  • Window Server 2016/2019 64 bit is required for this module.
  • Make sure that port number 443 is open, and that the URL (that the module needs to access NETSTAR for initial data download and daily database updates) is not blocked by the Firewall.

    • Make sure that the following URLs are not blocked by the Firewall: (for DB download authentication)

    • (for DB download)

    • (for Telemetry)

  • 12 GB minimum memory requirement.

  • Open port 8000 between the Application server and the Website Categorization.

  • Visual C++ 2010 and 2015 packages are required

    Visual C++ 2010 has reached EOL by its vendor Microsoft

Installing the Website Categorization Module

System events related to installation of the Website Categorization module and download of the web categories database are generated by the system. For details, see Event Types.

  1. Connect (with RDP) to the server that will host the ITM On-Prem (ObserveIT) Web Console component as the Active Directory Service Account.

  2. Download the ITM On-Prem installer into c:\temp and extract the contents. (See Downloading the Latest Version.)

    (Assume the installer files are extracted to c:\temp\ObserveIT_Setup_vx.xx.y.yy path, where x.xx the major ITM On-Prem version, and y.yy is the minor version and build.)

  3. Run PowerShell as Administrator.

  4. From the table below, copy the rows from Command column, replacing the values as applicable. The Values to Replace column indicates which values you will need to replace.

    Paste the commands into the PowerShell window.

    Command Values to Replace
    $observeitInstallerPath = "c:\temp\ObserveIT_Setup_vx.xx.y.yy" Replace the generalized path with the correct path for your ITM On-Prem (ObserveIT) Installer . For example: C:\temp\ObserveIT_Setup_v7.11.0.25
    $SQLServer = '<# FQDN of the SQL Server #>' Replace the commented section with FQDN of your SQL Server
    $DNSForestName = "<# enter your DNS domain name here #>" Replace the commented section with the DNS domain name of your Active Directory. For example: domain.local.
    $Creds = Get-Credential  
    $ComputerName = (Get-WmiObject -Class Win32_ComputerSystem).PSComputerName  
    $MachineFQDN = $ComputerName + '.' + $DNSForestName  
    $OutputDestination = 'C:\temp'  
    $gmsaUser="1" Optional for gMSA account
  5. When PowerShell prompts, Enter your Active Directory Service Account credentials here, enter the username in the format DOMAIN\account.

  6. Configure Windows firewall to accept Website Categorization module requests:

    New-NetFirewallRule -DisplayName "ObserveIT Web Categorization module" -Direction Inbound –Protocol TCP –LocalPort 8000 -Action allow

    Install the ITM On-Prem Website Categorization module component:

    $ComponentInstallArguments = "/i", ($observeitInstallerPath + '\' + 
    'WebsiteCat\WebsiteCat_Setup.msi'), '/qb', "/norestart", 
    "SERVICE_USERNAME=$($Creds.GetNetworkCredential().Domain + '\' + 
    "SERVICE_PASSWORD=$($Creds.GetNetworkCredential().Password)", "/leo", 

    For gMSA user (recommended): 

    $ComponentInstallArguments = "/i", ($observeitInstallerPath + 'WebsiteCat\WebsiteCat_Setup.msi'), "/qb", "/norestart", "DATABASE_SERVER=$SQLServer","DATABASE_LOGON_TYPE=WindowsAccount", "SERVICE_USERNAME=$($Creds.GetNetworkCredential().Domain + '\' + $Creds.GetNetworkCredential().UserName)", "GMSA_USER=$gmsaUser","/leo", ".\WebSiteCatMSI.log"

    Start-Process msiexec.exe -ArgumentList $ComponentInstallArguments -
    Wait -NoNewWindow
  7. A new minimized Command Prompt window will appear. You can view Website Categorization module database download status by restoring the Command Prompt window that appeared right after the Website Categorization module installation is complete.

If your environment requires Internet proxy to access the Internet, see Configuring Internet proxy settings for Website Categorization module

Assign Login as Service Rights to the Active Directory Service Account

function Set-LogonRight ($accountToAdd) {
if ( [string]::IsNullOrEmpty($accountToAdd) ) {
Write-Output "no account specified"
$sidstr = $null
try {
$ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd"
$sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
$sidstr = $sid.Value.ToString()
} catch {
$sidstr = $null
Write-Output "Account: $($accountToAdd)"
if ( [string]::IsNullOrEmpty($sidstr) ) {
Write-Output "Account not found!"
exit -1
Write-Output "Account SID: $($sidstr)"
$tmp = [System.IO.Path]::GetTempFileName()
Write-Output "Export current Local Security Policy"
secedit.exe /export /cfg "$($tmp)"
$c = Get-Content -Path $tmp
$currentSetting = ""
foreach ($s in $c) {
if ( $s -like "SeServiceLogonRight*") {
$x = $s.split("=", [System.StringSplitOptions]::RemoveEmptyEntries)
$currentSetting = $x[1].Trim()
if ( $currentSetting -notlike "*$($sidstr)*" ) {
Write-Output "Modify Setting ""Logon as a Service"""
if ( [string]::IsNullOrEmpty($currentSetting) ) {
$currentSetting = "*$($sidstr)"
} else {
$currentSetting = "*$($sidstr),$($currentSetting)"
Write-Output "$currentSetting"
$outfile = @"
[Privilege Rights]
SeServiceLogonRight = $($currentSetting)
$tmp2 = [System.IO.Path]::GetTempFileName()
Write-Output "Import new settings to Local Security Policy"
$outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force
Push-Location (Split-Path $tmp2)
try {
secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS
} finally {
} else {
Write-Output "NO ACTIONS REQUIRED! Account already in ""Logon as a Service"""
Write-Output "Done."
Set-LogonRight "$($Creds.GetNetworkCredential().UserName)"

Related Topic:

Custom Installation Steps