Total Defense for Unified Network Control

Implementation Guide
r12

This documentation, which includes embedded help systems and electronically distributed materials (hereinafter collectively referred to as the "Documentation"), is for your informational purposes only and is subject to change or withdrawal by Total Defense at any time. The Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of Total Defense. The Documentation is confidential and proprietary information of Total Defense and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and Total Defense governing your use of the Total Defense software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and Total Defense. Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all Total Defense copyright notices and legends are affixed to each reproduced copy. The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to Total Defense that all copies and partial copies of the Documentation have been returned to Total Defense or destroyed. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE DOCUMENTATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. 
IN NO EVENT WILL TOTAL DEFENSE BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF TOTAL DEFENSE IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice. The manufacturer of the Documentation is Total Defense. The Documentation is provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors. Copyright 2011 Total Defense, Inc. All rights reserved. All trademarks, trade names, service marks, and logos referenced in the Documentation are the property of their respective owners.

Contact Total Defense

Contact Technical Support

For your convenience, Total Defense provides one site where you can access the information you need for your Home Office, Small Business, and Enterprise Total Defense products. At http://www.totaldefense.com/support, you can access the following:

- Online and telephone contact information for technical assistance and customer services
- Information about user communities and forums
- Product and documentation downloads
- Total Defense support policies and guidelines
- Other helpful resources appropriate for your product

Product References

This document references the following Total Defense products:

- Total Defense
- Total Defense for Unified Network Control

Contents

Chapter 1: Introducing Total Defense for Unified Network Control ... 7
    Architecture Overview ... 8

Chapter 2: Preparing to Install the Product ... 11
    Pre-Installation Checklist ... 11
        Verify Microsoft Windows Installer Version ... 12
        Verify System Requirements ... 12
        Install Internet Information Services and .NET Framework ... 13
        Install Microsoft Network Access Protection (MS-NAP) ... 14
        Configure MSMQ ... 15
        Perform Pre-installation Database Tasks ... 16
    Activate Your License ... 20
    (Optional) Use in Test Mode ... 21

Chapter 3: Installing the Infrastructure ... 23
    Management Server Host Names ... 26
    Install Server Components (Standalone Install) ... 27
    Install Server Components (Distributed Install) ... 32
    Install Server Components (Combined Standalone Install) ... 36
    Install Server Components (Combined Distributed Install) ... 41
        First-Time Install ... 42
        Subsequent Install ... 48
    Verify Services are Running ... 51

Chapter 4: Enabling JavaScript in the Web Browser ... 53

Chapter 5: Installing the Client Agent ... 55
    Prepare to Install the Client Agent ... 55
        Install Microsoft Network Access Protection (MS-NAP) Agent ... 55
    Install the Client Agent ... 56
    Configure the Client Agent ... 57
        Configure the Communication Server IP Address and Port ... 58

Chapter 6: Uninstalling and Repairing Server Components ... 59
    Uninstall and Repair ... 60

Appendix A: Troubleshooting ... 63
    Management Server ... 63
        Reimporting the SSL Certificate ... 63
        Locating Error Logs ... 64
    Communication Server ... 64
        Verifying the Presence of the System Health Validator ... 64
    Uninstalling Servers ... 65

Chapter 1: Introducing Total Defense for Unified Network Control

Architecture Overview

A standard Total Defense for Unified Network Control installation consists of:

- One Management Server
- One Reporting Server
- One or more Communication Servers
- One or more Client Agents

The Management Server controls the installation. With the Management Console, the server's graphical user interface, you can manage all aspects of the installation, including databases, reports, events, policies, user access, and licenses. Dashboard panels display Total Defense for Unified Network Control status information. Events are related to the assessment, quarantine, and remediation of endpoint devices. Policies define the Minimum Baseline Standard (MBS) for endpoint devices that comply with network security requirements.

The Reporting Server is the reporting and event management component of an installation. It builds the standard policy-based and custom reports that you request through the Management Console.

The Management Server, Reporting Server, and Communication Server can be installed on the same computer or on separate computers. The Client Agent is installed on an endpoint device. The Communication Server and Client Agent cannot be installed on the same computer.

A Communication Server is the conduit between the Management Server and its assigned Client Agents on the endpoint devices. It also validates the applicability of a policy, assesses the MBS compliance of an endpoint device, and triggers remediation of that device when necessary.

A Client Agent resides on an endpoint device and collects user, machine, and policy attribute data for the Communication Server.

Chapter 2: Preparing to Install the Product

Pre-Installation Checklist

Each of these tasks is fully described in the following sections of this chapter. Use this checklist to check off each task as you complete it:

- Verify that you have Administrative credentials to perform the installation.
- Verify the operating system and hardware requirements for server and agent.
- Verify that the Microsoft Windows Installer version is 3.0 or higher.
- Install/enable Internet Information Services, MSMQ, CGI, and .NET Framework 3.5 SP1.
- Install Microsoft Network Access Protection (MS-NAP), if enforcement is desired.
- Perform pre-installation database tasks.
- Verify that the necessary ports are open.
- Activate your license.
- (Optional) Use test mode to make sure your environment meets the requirements outlined in this checklist.

Verify Microsoft Windows Installer Version

Verify that the computer on which you will run the Total Defense Installation Wizard has version 3.0 or higher of the Microsoft Windows Installer. If you need to download the Windows Installer, go to the Windows Download Center and search for Windows Installer 3.0. The Windows Download Center is located at http://www.microsoft.com/downloads/en/default.aspx. You can also find it in the \Common\Bin folder of the Total Defense R12 distribution medium (DVD or compressed folder) with the name "Windows Installer v3.1 - KB893803-v2-x86.exe".

Verify System Requirements

Total Defense provides information on the minimum system requirements for the Total Defense for Unified Network Control Servers and the Total Defense for Unified Network Control Client Agent in the Total Defense for Unified Network Control Release Notes. The Release Notes are located on the installation DVD. Once you have reviewed the system requirements, do the following:

- Select one or more computers that meet the minimum hardware and operating system requirements to host the server components.
- Verify that all endpoints meet the minimum hardware and operating system requirements to host the client agent.

Install Internet Information Services and .NET Framework

The following applications and services must be installed and running on the host computer(s) for the Total Defense for Unified Network Control (UNC) server components if version 7.0 or higher of Internet Information Services (IIS) is used:

Communication Server:
- Internet Information Services (IIS)
    - IIS 7.5 on Microsoft Windows Server 2008 R2
    - IIS 7.0 on Microsoft Windows Server 2008
- .NET Framework 3.5 SP1
- MSMQ
- CGI

Management Server, Reporting Server:
- Internet Information Services (IIS)
    - IIS 7.5 on Microsoft Windows Server 2008 R2
    - IIS 7.0 on Microsoft Windows Server 2008
- .NET Framework 3.5 SP1
- ASP.NET
- .NET Extensibility

IIS is bundled with Microsoft Windows Server 2008. However, you must ensure that IIS is installed and enabled so that the Total Defense Installation Wizard can configure specific settings. For more information, search Microsoft TechNet (http://technet.microsoft.com) for discussions of IIS.

Note: A Management Server or Reporting Server running on Microsoft Windows Server 2003 uses IIS 6.0. A Communication Server requires IIS 7.0 or higher because it can run only on Microsoft Windows Server 2008.

If .NET Framework 3.5 SP1 is not already installed on your server, you can download it using the Microsoft Windows Update feature or from http://www.microsoft.com/downloads. If your computer already has IIS (any version) and a .NET Framework older than version 3.5 installed, you need to install .NET Framework 3.5 and then map IIS to it. The mapping registers the .NET Framework 3.x configuration with IIS.

Install Microsoft Network Access Protection (MS-NAP)

Total Defense for Unified Network Control (UNC) requires Microsoft Network Access Protection (MS-NAP) for the enforcement of network policies. Before you install the UNC Communication Server, you must install and configure Network Policy Server (NPS) on the host computer (which must be running Microsoft Windows Server 2008). In addition, you must have the MS-NAP Agent installed on every computer (running Windows Vista or Windows XP SP3) where the UNC Client Agent is installed. If either NPS or the MS-NAP Agent is missing or is not configured properly, UNC will not enforce network policies.

Provide domain services

UNC requires the following domain services:

- Domain controller for the Active Directory domain
- DNS server for the DNS domain

The domain controller must be installed on a separate computer (running Windows Server 2003 or above), not the host computer. Once Active Directory and DNS are running, perform the following:

1. Create a user account and group in Active Directory.
2. Create a NAP client computer security group for UNC client agents.

For a full description of the steps involved, see the Microsoft Step By Step Guide for your enforcement method listed at the end of this section.

Configure the host computer

The host computer for the Communication Server must run Microsoft Windows Server 2008 and host the NPS service. The host computer for a Standalone installation, which includes the Communication Server, must also meet these requirements. Perform the following steps to configure the host computer for UNC:

1. Join the computer to the domain.
2. Install the NPS and enforcement server (DHCP, VPN, etc.) roles.
3. Install the Group Policy Management feature.
4. Configure NPS as a NAP health policy server.
5. Configure the enforcement method (DHCP, VPN, etc.).
6. Configure NAP client settings in Group Policy.

For a full description of the steps involved, see the Microsoft Step By Step Guide for your enforcement method listed at the end of this section.

Documentation resources

The following Microsoft Step By Step Guides demonstrate how to configure MS-NAP for different enforcement methods:

- Step-by-Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab
- Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab
- Step-by-Step Guide: Demonstrate NAP VPN Enforcement in a Test Lab
- Step-by-Step Guide: Demonstrate NAP IPsec Enforcement in a Test Lab

You can find these guides by searching for all or part of their titles at http://www.microsoft.com/downloads.

Configure MSMQ

Perform this procedure on the host computer for the Communication Server to configure Microsoft Message Queuing.

To configure MSMQ

1. In the Server Manager window, click Features.
2. In the right pane under Features Summary, click Add Features. The Select Features window appears.
3. Expand Message Queuing and then Message Queuing Services.
4. Select the Message Queuing Server check box.
5. Click Next, and then click Install. The feature is installed and the Select Features window closes.
6. In the Server Manager window, expand Features and then Message Queuing.
7. Verify that Private Queues are available.
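The checklist items above (Windows Installer version, IIS, .NET Framework 3.5 SP1, MSMQ, CGI, NPS, Group Policy Management) can be verified in one pass before the Installation Wizard runs its own prerequisite tests. The script below is an added example and is not part of the Total Defense documentation; it assumes an elevated PowerShell session on Windows Server 2008 R2 (the ServerManager module is not present on Windows Server 2008 RTM, where servermanagercmd.exe is the equivalent) and only reads state, it changes nothing.

```powershell
# Added example, not part of the Total Defense documentation: a read-only
# prerequisite check for a UNC server host. Assumes an elevated PowerShell
# session on Windows Server 2008 R2 with the ServerManager module available.
function Test-UncServerPrerequisites {
    param(
        # 'Communication' checks IIS, CGI, MSMQ, NPS and Group Policy Management;
        # 'Management' checks IIS, ASP.NET and .NET Extensibility (Management/Reporting Server).
        [ValidateSet('Communication', 'Management')]
        [string]$Role = 'Communication'
    )
    function New-Result([string]$Check, [string]$Required, [string]$Actual, [bool]$Pass) {
        New-Object PSObject -Property @{ Check = $Check; Required = $Required; Actual = $Actual; Pass = $Pass }
    }

    # Windows Installer 3.0 or higher: the file version of msi.dll in System32.
    $msiVersion = [Version](Get-Item "$env:SystemRoot\System32\msi.dll").VersionInfo.ProductVersion
    New-Result 'Windows Installer' '>= 3.0' $msiVersion ($msiVersion -ge [Version]'3.0')

    # .NET Framework 3.5 SP1, as recorded by its installer under NDP\v3.5.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    $ndpOk = ($ndp -ne $null) -and ($ndp.Install -eq 1) -and ($ndp.SP -ge 1)
    New-Result '.NET Framework 3.5 SP1' 'Install=1, SP>=1' "Install=$($ndp.Install), SP=$($ndp.SP)" $ndpOk

    # IIS 7.0 or higher (7.0 on Server 2008, 7.5 on Server 2008 R2).
    $iis = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
    $iisVersion = if ($iis) { [Version]"$($iis.MajorVersion).$($iis.MinorVersion)" } else { [Version]'0.0' }
    New-Result 'IIS' '>= 7.0' $iisVersion ($iisVersion -ge [Version]'7.0')

    # Role services and features, by their Server Manager names.
    Import-Module ServerManager
    $features = if ($Role -eq 'Communication') {
        'Web-Server', 'Web-CGI', 'MSMQ-Server', 'NPAS-Policy-Server', 'GPMC'
    } else {
        'Web-Server', 'Web-Asp-Net', 'Web-Net-Ext'
    }
    foreach ($f in Get-WindowsFeature -Name $features) {
        $state = if ($f.Installed) { 'Installed' } else { 'Not installed' }
        New-Result "Feature $($f.Name)" 'Installed' $state $f.Installed
    }

    # Services that must be running: W3SVC (IIS), MSMQ, and IAS (the service name of NPS).
    $services = if ($Role -eq 'Communication') { 'W3SVC', 'MSMQ', 'IAS' } else { 'W3SVC' }
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { [string]$svc.Status } else { 'Missing' }
        New-Result "Service $name" 'Running' $status (($svc -ne $null) -and ($svc.Status -eq 'Running'))
    }
}

# Usage: list every check, then warn if any prerequisite is not met.
$checks = @(Test-UncServerPrerequisites -Role Communication)
$checks | Format-Table Check, Required, Actual, Pass -AutoSize
if (@($checks | Where-Object { -not $_.Pass }).Count -gt 0) {
    Write-Warning 'One or more UNC server prerequisites are not met; see the Pass column.'
}
```

Run it with `-Role Management` on a Management or Reporting Server host; a Standalone host runs all roles, so both invocations apply there.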


Perform Pre-installation Database Tasks

Total Defense for Unified Network Control supports the following database applications:

- Microsoft SQL Server 2005
- Microsoft SQL Server 2005 Express
- Microsoft SQL Server 2008
- Microsoft SQL Server 2008 Express

If your company already has one of these database applications, you can also use it to host the Total Defense for Unified Network Control databases. However, Total Defense also provides Microsoft SQL Server 2005 Express as an out-of-the-box solution. Microsoft SQL Server 2005 Express is located on the installation DVD and, if chosen as an installation option, is automatically installed and configured during the installation of Total Defense for Unified Network Control.

Note: Microsoft SQL Server Express can be used during a product trial or if your organization has fewer than 500 endpoints; however, it is not recommended for larger organizations.

During the installation of Total Defense for Unified Network Control, the Installation Wizard prompts you to enter the following information for each database:

- Database user credentials
- Name of the database instance
- Name of the computer that hosts the database

These fields are pre-populated with default values if you are installing Microsoft SQL Server Express. The Installation Wizard automatically creates the required database schema for the Total Defense for Unified Network Control Management Server database.

Tasks for Microsoft SQL Server

If you are already using Microsoft SQL Server and plan to use it for the Total Defense for Unified Network Control database, check that the following items are configured:

- Create a new user that has the sysadmin role.
- Verify that you are using SQL authentication.
- Verify that the TCP/IP protocol is enabled for port 1433.
- Verify that the firewall is not blocking access.
- Enable Common Language Runtime (CLR).

See the sections that follow for instructions on how to configure these items. The items noted above are automatically configured if you choose to install Microsoft SQL Server Express during the Total Defense for Unified Network Control installation.

Note: If you are reinstalling or repairing Total Defense for Unified Network Control, the installer will delete the existing database (named "UNCDB") and create a new one. To preserve the contents of the existing database, you must create a backup version of the database before running the installer. After installation, you can then restore the contents of the UNCDB database from the backup version.

Enable Windows and SQL Authentication

To enable Windows and SQL authentication

1. From All Programs, select Microsoft SQL Server, SQL Server Management Studio.
2. Enter the server name, select Windows authentication, and then click Connect. The Microsoft SQL Server Management Studio window appears.
3. Right-click the server and select Properties. The Server Properties dialog appears.
4. Select the Security page, and then click SQL Server and Windows Authentication Mode.
5. Click OK.

Your SQL Server now supports both SQL Server and Windows authentication.

Note: The new authentication mode takes effect only after the SQL Server service is restarted; until then, SQL Server logins are still refused.

Enable TCP/IP Protocol

To enable the TCP/IP Protocol

1. Log into the SQL Server Configuration Manager.
2. Expand SQL Server Network Configuration.
3. Click Protocols for SQL Server or SQL Express.
4. Right-click the TCP/IP protocol in the right pane and select Enable.
5. Right-click the TCP/IP protocol again and select Properties. The TCP/IP Properties dialog appears.
6. Click the IP Addresses tab, enter the IP address of the machine hosting SQL Server or SQL Express, and then click OK.

The IP address is added and TCP/IP is enabled on port 1433.

Note: A named instance such as SQLEXPRESS listens on a dynamic port by default. To make it listen on the fixed port 1433, clear TCP Dynamic Ports and set TCP Port to 1433 under IPAll on the IP Addresses tab, then restart the SQL Server service.

Verify Communication Ports

The Total Defense for Unified Network Control (UNC) server components communicate over the HTTPS channel on ports whose numbers are set during the UNC Server installation. The default port numbers are:

- HTTPS Web-Service Website: 34443
- HTTPS Content Update Website: 34444
- HTTPS Certificate Website: 44333

The default port number for the UNC database is 1433. The Client Agent installation sets the default port number 34443 for its Communication Server. The Communication Server port number can be reset from the endpoint. Your proxy settings and firewall must be configured for these port numbers (or their replacements) to allow the UNC components to communicate.
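A quick way to confirm that the firewall and proxy rules above are in place is to attempt a plain TCP connection to each default port from a prospective endpoint or peer server. This is an added example, not part of the Total Defense documentation; the host names are placeholders, and it uses System.Net.Sockets.TcpClient so that it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example, not part of the Total Defense documentation: check that the
# UNC default ports are reachable from this machine. Host names are placeholders.
function Test-UncPorts {
    param(
        [string]$CommunicationServer = 'uncserver.example.local',  # placeholder
        [string]$DatabaseServer      = 'sqlhost.example.local',    # placeholder
        [int]$TimeoutMs = 3000
    )
    # Default ports from the Implementation Guide; change them if they were
    # altered during the UNC Server installation.
    $targets = @(
        @{ Host = $CommunicationServer; Port = 34443; Purpose = 'HTTPS Web-Service Website' },
        @{ Host = $CommunicationServer; Port = 34444; Purpose = 'HTTPS Content Update Website' },
        @{ Host = $CommunicationServer; Port = 44333; Purpose = 'HTTPS Certificate Website' },
        @{ Host = $DatabaseServer;      Port = 1433;  Purpose = 'UNC database (SQL Server)' }
    )
    foreach ($t in $targets) {
        # Plain TCP connect with a timeout; a TLS handshake is not attempted,
        # so this only tells you whether the port is open end to end.
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $async = $client.BeginConnect($t.Host, $t.Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)   # throws if the connection was refused
                $open = $client.Connected
            }
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{ Host = $t.Host; Port = $t.Port; Purpose = $t.Purpose; Open = $open }
    }
}

# Usage: a closed port here usually points at a firewall or proxy rule rather than at UNC itself.
Test-UncPorts | Format-Table Host, Port, Purpose, Open -AutoSize
```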


Create a Login User and Role

The following procedure uses SQL Server Management Studio Express. If you do not already have this application, you may download it from http://www.microsoft.com/express/sql/download/.

Best Practice Tip! Although you may use your sa user during installation and skip this procedure, Total Defense recommends creating a new user name and a strong password to protect the integrity of the database.

1. Using the SQL Server Management Studio Express interface, connect to the Database Server you created during the SQL installation.
2. Navigate to the Security folder, right-click the Logins folder, and then select New login from the pop-up menu. The SQL Server Login Properties - New Login dialog appears, displaying the General tab.
3. Enter a name in the Login name field. Note: Do not include curly braces, { or }, in the Login name field, as they are not supported.
4. Click SQL Server Authentication. The password fields are enabled.
5. Enter and confirm a password for the new login.
6. Uncheck the Enforce password expiration option.
7. Select the Server Roles page. The Server Roles page appears.
8. Check the sysadmin role, and then click OK.

Enable Common Language Runtime (CLR)

To enable Common Language Runtime (CLR)

1. From the Start menu, select All Programs, Microsoft SQL Server, Configuration Tools, SQL Server Surface Area Configuration. The SQL Server Surface Area Configuration window appears.
2. Click Surface Area Configuration for Features. The Surface Area Configuration for Features - localhost window appears.
3. Click the View by Instance tab and expand the database instance name (for example, SQLEXPRESS) and then Database Engine.
4. In the vertical menu list, click CLR Integration.
5. Select the Enable CLR integration check box.
6. Click Apply, and then click OK.

Note: The SQL Server Surface Area Configuration tool ships with SQL Server 2005 only. On SQL Server 2008, which does not include it, enable the "clr enabled" server configuration option instead, either with the sp_configure stored procedure or through the Surface Area Configuration facet in SQL Server Management Studio.
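The four database prerequisites in this chapter (mixed-mode authentication, TCP/IP on port 1433, a sysadmin login without password expiration, CLR integration) can be verified and, for the login and CLR, applied from a script rather than clicked through. The block below is an added example, not part of the Total Defense documentation: it assumes you run it as a Windows login that already holds sysadmin on the instance, uses .NET SqlClient (available on any host with the .NET Framework), and treats the instance, login and password values as placeholders. The authentication mode itself cannot be switched from T-SQL; that stays with the Server Properties dialog above and a service restart.

```powershell
# Added example, not part of the Total Defense documentation. Checks the items
# under "Tasks for Microsoft SQL Server" and can create the UNC login and enable CLR.
# Assumes a Windows login that is already sysadmin; placeholders for instance/login/password.
function Invoke-UncSqlScalar {
    param([string]$ConnectionString, [string]$Query, [hashtable]$Parameters = @{})
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Query
    # Values go in as real parameters, never spliced into the statement text.
    foreach ($name in $Parameters.Keys) { [void]$cmd.Parameters.AddWithValue($name, $Parameters[$name]) }
    try { $conn.Open(); $cmd.ExecuteScalar() } finally { $conn.Close() }
}

function Test-UncSqlPrerequisites {
    param(
        [string]$Instance = '.\SQLEXPRESS',   # placeholder: host\instance
        [string]$Login    = 'uncadmin'        # placeholder: the login the installer will use
    )
    $cs = "Server=$Instance;Integrated Security=SSPI"

    # Mixed mode: IsIntegratedSecurityOnly = 0 means SQL Server and Windows authentication.
    # (Changing it needs the Server Properties dialog or the LoginMode registry value, plus a restart.)
    $winOnly = Invoke-UncSqlScalar $cs "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)"
    # CLR integration is the 'clr enabled' server option.
    $clr = Invoke-UncSqlScalar $cs "SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'clr enabled'"
    # IS_SRVROLEMEMBER returns 1 for a sysadmin member, 0 otherwise, NULL if the login does not exist.
    $sysadmin = Invoke-UncSqlScalar $cs "SELECT IS_SRVROLEMEMBER('sysadmin', @login)" @{ '@login' = $Login }
    # TCP/IP on 1433: force a TCP connection to that port. A named instance such as
    # SQLEXPRESS listens on a dynamic port by default, so this fails until 1433 is configured.
    $tcpHost = ($Instance -split '\\')[0]
    if ($tcpHost -eq '.' -or $tcpHost -eq '(local)') { $tcpHost = 'localhost' }
    $tcp1433 = $false
    try {
        [void](Invoke-UncSqlScalar "Server=tcp:$tcpHost,1433;Integrated Security=SSPI" 'SELECT 1')
        $tcp1433 = $true
    } catch { }

    New-Object PSObject -Property @{
        MixedModeAuth   = ($winOnly -eq 0)
        TcpPort1433     = $tcp1433
        LoginIsSysadmin = ($sysadmin -eq 1)
        ClrEnabled      = ($clr -eq 1)
    }
}

function New-UncSqlLogin {
    param(
        [string]$Instance = '.\SQLEXPRESS',   # placeholder
        [Parameter(Mandatory = $true)][string]$Login,
        [Parameter(Mandatory = $true)][string]$Password
    )
    # The guide notes that curly braces are not supported in the login name.
    if ($Login -match '[{}]') { throw 'The login name must not contain { or }.' }
    # QUOTENAME builds the identifier and the string literal safely; CHECK_EXPIRATION = OFF
    # is the scripted form of clearing "Enforce password expiration" in the dialog.
    $sql = @"
IF SUSER_ID(@login) IS NULL
BEGIN
    DECLARE @stmt nvarchar(max);
    SET @stmt = N'CREATE LOGIN ' + QUOTENAME(@login)
              + N' WITH PASSWORD = ' + QUOTENAME(@password, '''')
              + N', CHECK_EXPIRATION = OFF';
    EXEC sp_executesql @stmt;
END;
EXEC sp_addsrvrolemember @loginame = @login, @rolename = N'sysadmin';
EXEC sp_configure 'clr enabled', 1;
RECONFIGURE;
SELECT IS_SRVROLEMEMBER('sysadmin', @login);
"@
    $member = Invoke-UncSqlScalar "Server=$Instance;Integrated Security=SSPI" $sql @{ '@login' = $Login; '@password' = $Password }
    return ($member -eq 1)
}

# Usage: report the current state; create the login (and enable CLR) only if the report says it is missing.
Test-UncSqlPrerequisites -Instance '.\SQLEXPRESS' -Login 'uncadmin' | Format-List
# New-UncSqlLogin -Instance '.\SQLEXPRESS' -Login 'uncadmin' -Password '<strong password>'
```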

Activate Your License

With the purchase of this product, Total Defense sends you the following license-related documentation:

- A hard copy of your License Certificate in regular mail. Keep this certificate in a safe location for future reference.
- An electronic version of your License Certificate in email. Keep this email in a safe, yet convenient location, as you will need the license number during the installation of this product.
- A license activation link in email.

Best Practice Tip! Total Defense highly recommends that you activate your license as soon as you receive the license activation email.

If you do not click the license activation link provided in the license activation email before you start the installation, you may install this product in a 30-day trial mode. When the installation is complete, the Management Server will attempt to register your license with the Entitlement Management System. If it is unable to do so, a banner appears in the Management Console providing further instructions on how to complete this transaction. For more information about licensing, refer to "License Management" in the Total Defense for Unified Network Control Administration Guide.

(Optional) Use in Test Mode

Using Total Defense for Unified Network Control in Test mode allows you to test your policies and assess endpoints prior to activating policy enforcement and remediation. It also provides you the opportunity to become familiar with the Management Console and to configure key policies prior to full product deployment.

Best Practice Tip! We recommend that you initially deploy the product to a limited number of endpoints.

To test the UNC installation

1. Choose a host computer or server for the Total Defense for Unified Network Control server components that meets the minimum system requirements as defined in the Release Notes. The host machine(s) for the server components can be the same computer(s) that will serve as the permanent host(s) for these servers in your normal production environment.
2. Choose a small number of endpoints to which you will deploy the Total Defense for Unified Network Control Client Agent. These endpoints should represent each type of platform (hardware and operating system) currently used in your production network and supported by this release.
3. Verify that the pre-installation tasks outlined in this chapter have been met for each of these endpoints.

Chapter 3: Installing the Infrastructure

Total Defense for Unified Network Control (TDUNC) provides the following installation scenarios:

Standalone Installation

In a Standalone Installation all TDUNC server components are installed on the same host machine, which must meet the minimum hardware and operating system requirements. A Standalone Installation works best for sites with fewer than 1,000 endpoints in the same physical location.

Best Practice Tip! Since this server is considered mission critical for keeping your environment healthy, Total Defense recommends that no other applications run on this server. It should be dedicated to TDUNC alone.

Database Connectivity in a Standalone Installation: The Total Defense Installation Wizard will automatically install and configure Microsoft SQL Server Express on the same machine on which you install the Management Server, or allow you to use a locally installed database instead. If you use an existing database, you must complete several configuration tasks prior to starting the Total Defense installation.

Distributed Installation

In a Distributed Installation the TDUNC Management Server, Reporting Server, and Communication Server may each be installed on a separate machine to improve product performance and network flow. This installation is recommended for sites with more than 1,000 endpoints or sites that have endpoints located across more than one physical location. A Distributed Installation can have one of the following configurations:

Configuration 1
- Computer A: Management Server
- Computer B: Reporting Server
- Computer C: Communication Server

Configuration 2
- Computer A: Management Server and Reporting Server
- Computer B: Communication Server

Configuration 3
- Computer A: Management Server
- Computer B: Reporting Server and Communication Server

Database Connectivity in a Distributed Installation: In a Distributed Installation you may use an existing Microsoft SQL database for the Management Server. The database may be located on a separate machine, such as an application server located in a database farm. In this scenario, the Installation Wizard prompts you for the required database information (SQL hostname, SQL instance name, and so on). Before you begin the Total Defense installation, you must complete several configuration tasks.

Combined Standalone Installation

In a Combined Standalone Installation, all Total Defense (TD) and TDUNC server components are installed at the same time on the same host machine, which must meet the recommended hardware and operating system requirements. A Standalone Installation works best for sites with fewer than 1,000 endpoints in the same physical location.

Combined Distributed Installation

In a Combined Distributed Installation the TD and TDUNC Management Servers are installed at the same time on the same machine, while the remaining server components of both products may each be installed on a separate machine to improve product performance and network flow. This installation is recommended for sites with more than 1,000 endpoints or sites that have endpoints located across more than one physical location.

Combined Staged Installations

In a Combined Staged Installation, TD and TDUNC are installed at different times in Standalone or Distributed Installations.

Standalone Configurations
- Computer A: TD installed first; TDUNC installed second.
- Computer A: TDUNC installed first; TD installed second.

Distributed Configurations

Note: All servers in these configurations must be installed with a distributed installation type.

- Computer A: All TD servers installed first; TDUNC Management Server installed second. Computer B: Remaining TDUNC servers installed.
- Computer A: All TDUNC servers installed first; TD Management Server installed second. Computer B: Remaining TD servers installed.

Management Server Host Names

When selecting a host machine for the Management Server, be sure its name conforms to the Domain Name System (DNS) naming standards. A standard host name can:

- Begin with a letter (A-Z, a-z)
- End with a letter or digit (0-9)
- Contain any combination of letters, digits, and hyphens (-)

Host names are case-insensitive, so host names such as Safety-First and safety-first are seen as identical.
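The rules above can be checked against a candidate name, or against the current machine name, before the Management Server is installed. This is an added example, not part of the Total Defense documentation; it goes one step beyond the guide by also applying the 63-character label limit from the DNS standard (RFC 1035), and the sample names are constructed.

```powershell
# Added example, not part of the Total Defense documentation: validate a
# Management Server host name against the DNS naming rules in this section,
# plus the 63-character label limit from RFC 1035 (not stated in the guide).
function Test-UncHostName {
    param([Parameter(Mandatory = $true)][string]$Name)
    $reasons = @()
    if ($Name.Length -eq 0 -or $Name.Length -gt 63) { $reasons += 'length must be 1 to 63 characters' }
    if ($Name -notmatch '^[A-Za-z]')                { $reasons += 'must begin with a letter' }
    if ($Name -notmatch '[A-Za-z0-9]$')             { $reasons += 'must end with a letter or digit' }
    if ($Name -match '[^A-Za-z0-9-]')               { $reasons += 'may contain only letters, digits and hyphens' }
    New-Object PSObject -Property @{
        Name   = $Name
        Valid  = ($reasons.Count -eq 0)
        Reason = ($reasons -join '; ')
    }
}

# Host names are case-insensitive: names that differ only in case are the same host.
function Compare-UncHostName([string]$A, [string]$B) {
    return [string]::Equals($A, $B, [StringComparison]::OrdinalIgnoreCase)
}

# Constructed sample names: the first three pass, the remaining four each break one rule.
'Safety-First', 'unc01', 'a', '1stserver', 'unc-', 'unc_mgmt', 'unc server' |
    ForEach-Object { Test-UncHostName $_ } |
    Format-Table Name, Valid, Reason -AutoSize

# Check the machine you are about to install on, and the case-insensitivity rule from the guide.
Test-UncHostName $env:COMPUTERNAME
Compare-UncHostName 'Safety-First' 'safety-first'
```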


Install Server Components (Standalone Install)


The instructions in this section describe how to perform a Standalone Installation in which all server components are installed on the same host computer. Note: To ensure a successful installation, please read Preparing to Install Total Defense for Unified Network Control (see page 11) before you start the installation process. To perform a Standalone Installation 1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the Installation Wizard does not start automatically, click the setup.exe program located in the root folder of the DVD. The Language dialog appears. 2. Select the appropriate installation language when prompted, and then click OK. The Main Menu appears. 3. Click Install Total Defense Suite r12. The Installation Wizard validates the operating system running on the host computer. If the operating system is not supported, the Installation Wizard displays an error message with a list of supported operating systems and virtual environments. Click Next or Exit to cancel the installation. If the operating system is supported, the Installation Wizard displays a list of prerequisite tests to be performed. Click Next or Exit to proceed with the tests. The Installation Wizard runs the tests and displays the results (Success, Fail, or Optional). Success indicates that the test succeeded and that the prerequisite is met. Fail indicates that the test failed and that the prerequisite is not met. Optional indicates that the test failed, but that the tested item or condition is optional.

Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found. 4. (Optional) Select the name of a failed test on the screen to display the test results.

Chapter 3: Installing the Infrastructure 27

Install Server Components (Standalone Install)

The results appear on the right side of the screen. 5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it. Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired. 6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?" Click Yes to continue with the installation. No cancels the installation. Product Selection appears. 7. Click Yes to install the Management Server, select Endpoint Protection, and then click Next. License Agreements appear. 8. After reading the legal notices, click the I accept the terms of the License Agreement button, and then click Next. Registration appears.


9. Enter the registration information, and then click Next.

   Note: The Total Defense Entitlement Management System (EMS) sends a license activation link to the email address that you enter on this screen. Make sure to enter an address that you check frequently so that you can finalize the license activation process.

   Renewal appears.

10. (Optional) Modify the information if your Renewal Contact information is different than the Product Registration information, and then click Next. Internet Proxy Information appears.

11. If you use a web proxy to access the Internet, enter the specified information, and then click Next. License Verification appears.

12. Copy and paste your license (or manually enter it using all UPPER CASE characters), and then click Next. If you have an Internet connection, the Total Defense Entitlement Management Server is contacted and registers your license. If you do not have an Internet connection or the Entitlement Management Server cannot be reached, click Next to complete the installation in a 30-day trial mode.

    Note: The Management Server will attempt to complete the registration for you when the installation is complete. The server will attempt to activate the license for 5 days. If it is unable to do so, a message will appear in the banner of the Management Console with a link to instructions on how to complete the registration.

    Installation Type appears.

13. Click Standalone Installation, and then click Next. Another Product Selection appears.


14. Select Unified Network Control Management Components, unselect the other options, and then click Next.

15. The Unified Network Control servers appear, all selected for a standalone installation. Click Next. Unified Network Control Administrator and Port Settings appears.

16. Enter the user name, password, and email address for the person responsible for implementing Total Defense for Unified Network Control:
    If you specify a domain with the user name (for example, domain\username), the installer attempts to authenticate the user name through Active Directory.
    If you do not enter a domain, the installer stores the unauthenticated user name and password in the Total Defense for Unified Network Control database catalog.

17. Accept the port numbers for the web service and certificate web sites by clicking Next. Email Notifications appears.

18. Enter the email address for the Total Defense for Unified Network Control administrator. If authentication is required to access the Management Server, select the check box for an authenticated user, and enter the domain user name and password. Database Selection appears.

19. Choose to install Microsoft SQL Server Express or use an existing Microsoft SQL Server or Microsoft SQL Server Express installation. Click Next.

    Note: If the installer discovers an existing Microsoft SQL Server or Microsoft SQL Server Express installation on the host computer, the choice to install Microsoft SQL Server Express is disabled.

    If you chose to use an installed database server in this step, Database Version appears. If you chose to install Microsoft SQL Server Express in this step, Database Server appears.

20. (Installing Microsoft SQL Server Express) Enter the following database login information:
    User Name
    Password

    Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.


21. (Using an installed database server) Click the Microsoft SQL Server and ODBC Driver types that identify your installed database server. Click Next. Database Connection appears.

22. Enter the following database configuration information for the UNC Management Server, and then click Next.
    Database Login Name
    Database Login Password
    Database Instance Name
    Database Host Name (fully qualified domain name)

    Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.

23. Click the Test SQL Connection button to verify the connection, close the message box, and then click Next. The database configuration information on the screen must be complete. The Destination screen appears.

24. Click the Browse button (...) to select or create an installation folder, or accept the default installation location, and then click Next. Finish Installation appears with a list of the components you selected for installation.

25. Review the list of components and click Finish to begin the installation. To modify any of the installation options, click Back to make the necessary adjustments.


Install Server Components (Distributed Install)


The instructions in this section describe how to perform a Distributed Installation in which server components are installed on separate machines to improve product performance and network flow. This installation is recommended for sites with more than 1,000 endpoints or sites that have endpoints located across more than one geographical location. To determine if a Distributed Installation is the appropriate implementation for your organization, see Installation Scenarios.

Note: To ensure a successful installation, please see the Pre-Installation Checklist (see page 11) before you begin this procedure.

To perform a Distributed Installation

1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the Installation Wizard does not start automatically, click setup.exe located in the root folder of the DVD. The Language screen appears.

2. Select the appropriate installation language and click OK. The Main Menu appears.

3. Click Install Total Defense Suite r12. The Installation Wizard validates the operating system running on the host computer.
   If the operating system is not supported, the Installation Wizard displays an error message with a list of supported operating systems and virtual environments. Click Next or Exit to cancel the installation.
   If the operating system is supported, the Installation Wizard displays a list of prerequisite tests to be performed. Click Next or Exit to proceed with the tests. The Installation Wizard runs the tests and displays the results (Success, Fail, or Optional).
   Success indicates that the test succeeded and that the prerequisite is met.
   Fail indicates that the test failed and that the prerequisite is not met.
   Optional indicates that the test failed, but that the tested item or condition is optional.

   Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.


4. (Optional) Select the name of a failed test on the screen to display the test results. The results appear on the right side of the screen.

5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.

   Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.

6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?" Click Yes to continue with the installation. No cancels the installation. Product Selection appears.

7. Select the following options, and then click Next:
   Would you like to install the Management Server? Select Yes if you are installing on the first of multiple machines in a distributed installation, or if you are installing all components on only one machine. Select No if you are installing on an additional machine in a distributed installation.
   Endpoint Protection. Select this option to install Total Defense for Unified Network Control.
   Gateway Security. Do not select this option.

   License Agreements appear.

8. After reading the agreements, click I accept the terms of the License Agreements, and then click Next. Registration appears.


9. Enter the registration information, and then click Next.

   Note: The Total Defense Entitlement Management System (EMS) sends a license activation link to the email address that you enter on this screen. Make sure to enter an address that you check frequently so that you can finalize the license activation process.

   Renewal appears.

10. (Optional) Modify the information as needed if your Renewal Contact information is different than the Product Registration information, then click Next. Internet Proxy Information appears.

11. If you are using a proxy to access the Internet, enter the information necessary or select the check box indicating that a web proxy server is not used to access the Internet, and then click Next. License Verification appears.

12. Copy and paste your license (or manually enter it using all UPPER CASE characters), and then click Next. If you have an Internet connection, the Total Defense Entitlement Management Server is contacted and registers your license. If you do not have an Internet connection or the Entitlement Management Server cannot be reached, click Next to complete the installation in a 30-day trial mode.

    Note: The Management Server will attempt to complete the registration for you when the installation is complete. The server will attempt to activate the license for 5 days. If it is unable to do so, a message will appear in the banner of the Management Console with a link to instructions on how to complete the registration.

    Installation Type appears.

13. Select Distributed Installation, and then click Next. Another Product Selection appears and displays the options you are entitled to install.

14. Select Unified Network Control Management Components, unselect all other options, and then click Next. Unified Network Control appears.

15. Select the server components you want to install, and then click Next. For information on the Total Defense for Unified Network Control server components, see Architecture Overview (see page 8). Unified Network Control Administrator and Port Settings appears.


16. Enter the user name, password, and email address of the individual who will be responsible for managing Total Defense for Unified Network Control. This user may be you or another user who has a valid account on the machine that will host the Total Defense for Unified Network Control Management Server. This user will have full Administrative authority within the Management Server.

17. Accept the default ports by clicking Next. Email Notifications appears.

18. Enter the email address for the Total Defense for Unified Network Control administrator. If authentication is required to access the Management Server, select the check box for an authenticated user, and enter the domain user name and password. Database Selection appears.

19. Choose to use an existing database or install a new one to use with Total Defense for Unified Network Control, and then click Next:

    Note: If the installer discovers an existing Microsoft SQL Server or Microsoft SQL Server Express installation on the host computer, the choice to install Microsoft SQL Server Express is disabled.

    If you chose Install Microsoft SQL Server Express, Database Server appears. Enter a user name and password for the new SQL Server Express database server, and then click Next.
    If you chose Use existing MS SQL Server or SQL Server Express, Database Version appears. Do the following:
    a. Select the version of MS SQL Server and ODBC driver to use, and then click Next. Database Connection appears.
    b. Enter the database configuration information, and then click Next.

    Note: Total Defense highly recommends creating and using an account other than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.

20. Accept the default installation folder, or click the Browse button (...) and create or select a different folder, and then click OK. Click Next. Finish Installation appears with the list of components you selected for installation.

21. Review the list of components. To modify any of the installation options, click Back to make the necessary adjustments. To begin the installation, click Finish.


Install Server Components (Combined Standalone Install)


The instructions in this section describe how to perform a Standalone Installation in which all Total Defense and Total Defense for Unified Network Control server components are installed on the same system.

Note: Read the Pre-Installation Checklist for Total Defense and Total Defense for Unified Network Control before you begin this procedure.

To perform a Standalone Installation

1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the Installation Wizard does not start automatically, click setup.exe located in the root folder of the DVD. The Language dialog appears.

2. Select the appropriate installation language and click OK. Main Menu appears.

3. Click Install Total Defense Suite r12. The Installation Wizard validates the operating system running on the host computer.
   If the operating system is not supported, the Installation Wizard displays an error message with a list of supported operating systems and virtual environments. Click Next or Exit to cancel the installation.
   If the operating system is supported, the Installation Wizard displays a list of prerequisite tests to be performed. Click Next or Exit to proceed with the tests. The Installation Wizard runs the tests and displays the results (Success, Fail, or Optional).
   Success indicates that the test succeeded and that the prerequisite is met.
   Fail indicates that the test failed and that the prerequisite is not met.
   Optional indicates that the test failed, but that the tested item or condition is optional.

   Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.

4. (Optional) Select the name of a failed test on the screen to display the test results. The results appear on the right side of the screen.


5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.

   Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.

6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?" Click Yes to continue with the installation. No cancels the installation. Product Selection appears.

7. Select the following options, and then click Next:
   Would you like to install the Management Server? Select Yes.
   Endpoint Protection. Select this option to install Total Defense and Total Defense for Unified Network Control.
   Gateway Security. Do not select this option.

   License Agreements appear.

8. After reading the agreements, click I accept the terms of the License Agreements, and then click Next. Registration appears.


9. Enter the registration information, and then click Next.

   Note: The Total Defense Entitlement Management System (EMS) sends a license activation link to the email address that you enter on this screen. Make sure to enter an address that you check frequently so that you can finalize the license activation process.

   Renewal appears.

10. (Optional) Modify the information as needed if your renewal contact information is different than the product registration information, then click Next. Internet Proxy Information appears.

11. If you use a web proxy to access the Internet, enter the specified information, and then click Next. License Verification appears.

12. Copy and paste your license (or manually enter it using all UPPER CASE characters), and then click Next. If you have an Internet connection, the Total Defense Entitlement Management Server is contacted and registers your license. If you do not have an Internet connection or the Entitlement Management Server cannot be reached, click Next to complete the installation in a 30-day trial mode.

    Note: The Management Server will attempt to complete the registration for you when the installation is complete. The server will attempt to activate the license for 5 days. If it is unable to do so, a message will appear in the banner of the Management Console with a link to instructions on how to complete the registration.

    Installation Type appears.

13. Click Standalone Installation, and then click Next. Another Product Selection appears.

14. Select Endpoint Protection Management Components and Unified Network Control Management Components, and then click Next. Endpoint Discovery Acknowledgement appears.


15. Read the acknowledgement and click Next. Certificate Password appears.

16. Enter a password for the digital certificate, verify the password, and then click Next. This password protects the generation and storage of your digital certificate and encrypts and authenticates sensitive Total Defense data communications.

    Note: If you install additional server components or proxies at a later time, the Installation Wizard prompts you for this password. Total Defense recommends storing this password in a safe location.

    User Specification appears.

17. Enter the user name and password of the individual who will perform the remote deployment of the Total Defense Agent/Client and the user who will initiate the Endpoint Discovery process to discover all unmanaged endpoints in your organization. Port Specification appears.

18. (Optional) Modify the Total Defense Management Server ports, if necessary, and then click Next. Unified Network Control appears.

19. The Total Defense for Unified Network Control server components to be installed are displayed. Click Next. Unified Network Control Administrator and Port Settings appears.

20. Enter the user name, password, and email address for the person responsible for implementing Total Defense for Unified Network Control:
    If you specify a domain with the user name (for example, domain\username), the installer attempts to authenticate the user name through Active Directory.
    If you do not enter a domain, the installer stores the unauthenticated user name and password in the Total Defense for Unified Network Control database catalog.

21. Accept the port numbers for the web service and certificate web sites by clicking Next. Email Notifications appears.

22. Enter the Fully Qualified Domain Name of your email server and your email address to receive email notification when certain events occur and when reports are ready for viewing. If authentication is required, click Authenticated Server, and enter the domain user name and password. Database Selection appears.

23. Choose to install Microsoft SQL Server Express or use an existing Microsoft SQL Server or Microsoft SQL Server Express installation. Click Next.


    Note: If the installer discovers an existing Microsoft SQL Server or Microsoft SQL Server Express installation on the host computer, the choice to install Microsoft SQL Server Express is disabled.

    If you choose to use an installed database server in this step, Database Version will appear. If you choose to install Microsoft SQL Server Express in this step, Database Server will appear instead.

24. (Database Server screen) Enter the following database server login information:
    User Name
    Password

    Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.

    Destination appears. (Skip the Database Version and Database Connection steps.)

25. (Database Version) Click the Microsoft SQL Server and ODBC Driver types that identify your installed database server. Click Next. Database Connection appears.

26. (Database Connection) Enter the following database configuration information for the Total Defense and Total Defense for Unified Network Control Management Servers.
    Database Login Name
    Database Login Password
    Database Instance Name
    Database Host Name (fully qualified domain name)

    Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.


27. (Database Connection, continued) Click the Test SQL Connection button to verify the connection, close the message box, and then click Next. The database configuration information on the screen must be complete. Destination appears.

28. Click the Browse button (...) to select or create an installation folder, or accept the default installation location, and then click Next. Finish Installation appears with a list of the components you selected for installation.

29. Review the list of components and click Finish to begin the installation. To modify any of the installation options, click Back to make the necessary adjustments.

Install Server Components (Combined Distributed Install)


When you perform a Combined Distributed Install, you install the Total Defense and Total Defense for Unified Network Control Management Servers and Management Consoles first on the same machine. You can also install any other server components at that time and on that machine. To install the remaining server components, you repeat the Combined Distributed Install on other machines until all of the required server components are installed. A Combined Distributed Install also lets you install all server components on the same machine.

Note: If Total Defense and Total Defense for Unified Network Control are installed Standalone on separate machines, there can be no integration of products. They must be installed Combined Distributed to be integrated (reports only).

Note: Performing a Standalone install of one product on top of the Standalone install of another product invalidates and disables the first product installed.

This section describes the following procedures:

First-Time Install
    Installs the Management Servers and Management Consoles for both products together, and any other server components you select, on the same machine (referred to as the first-time machine).

Subsequent Install
    Installs one or more server components on an additional machine (referred to as a subsequent machine).


First-Time Install
The instructions in this section describe how to perform a first-time Distributed Installation in which the Management Servers and Management Consoles of Total Defense and Total Defense for Unified Network Control, and any other available server components, are installed on the same machine.

Note: Read and perform the tasks in the Pre-Installation Checklist for Total Defense and Total Defense for Unified Network Control before you begin this procedure.

To perform a Distributed Installation

1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the Installation Wizard does not start automatically, click setup.exe located in the root folder of the DVD. The Language dialog appears.

2. Select the appropriate installation language and click OK. Main Menu appears.

3. Click Install Total Defense Suite r12. The Installation Wizard validates the operating system running on the host computer.
   If the operating system is not supported, the Installation Wizard displays an error message with a list of supported operating systems and virtual environments. Click Next or Exit to cancel the installation.
   If the operating system is supported, the Installation Wizard displays a list of prerequisite tests to be performed. Click Next or Exit to proceed with the tests. The Installation Wizard runs the tests and displays the results (Success, Fail, or Optional).
   Success indicates that the test succeeded and that the prerequisite is met.
   Fail indicates that the test failed and that the prerequisite is not met.
   Optional indicates that the test failed, but that the tested item or condition is optional.

   Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.

4. (Optional) Select the name of a failed test on the screen to display the test results.


   The results appear on the right side of the screen.

5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.

   Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.

6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?" Click Yes to continue with the installation. No cancels the installation. Product Selection appears.

7. Select the following options, and then click Next:
   Would you like to install the Management Server? Select Yes if you are installing on the first of multiple machines in a distributed installation, or if you are installing all components on only one machine.
   Endpoint Protection. Select this option to install Total Defense and Total Defense for Unified Network Control.
   Gateway Security. Do not select this option.

   License Agreements appear.

8. After reading the agreements, click I accept the terms of the License Agreements, and then click Next. Registration appears.

9. Enter the registration information, and then click Next.

   Note: The Total Defense Entitlement Management System (EMS) sends a license activation link to the email address that you enter on this screen. Make sure to enter an address that you check frequently so that you can finalize the license activation process.

   Renewal appears.

10. (Optional) Modify the information as needed if your renewal contact information is different than the product registration information, then click Next. Internet Proxy Information appears.

11. If you are using a proxy to access the Internet, enter the information necessary or select the check box indicating that a web proxy server is not used to access the Internet, and then click Next. License Verification appears.

12. Copy and paste your license (or manually enter it using all UPPER CASE characters), and then click Next.


    If you have an Internet connection, the Total Defense Entitlement Management Server is contacted and registers your license. If you do not have an Internet connection or the Entitlement Management Server cannot be reached, click Next to complete the installation in a 30-day trial mode.

    Note: The Management Server will attempt to complete the registration for you when the installation is complete. The server will attempt to activate the license for 5 days. If it is unable to do so, a message will appear in the banner of the Management Console with a link to instructions on how to complete the registration.

    Installation Type appears.

13. Click Distributed Installation, and then click Next. Another Product Selection appears and displays the options you are entitled to install.

14. Select Endpoint Protection Management Components and Unified Network Control Management Components, and then click Next. Endpoint Discovery Acknowledgement appears.

15. Read the Acknowledgement and click Next. Server Components appears.

16. Select the Total Defense server components you want to install, and then click Next. If this is a first installation, the Total Defense Management Server and Management Console are automatically selected. You can install other server components on the same system or unselect the components to install them elsewhere. Server Location appears.

17. Enter the Fully Qualified Domain Names for the Total Defense Report Server, Events Server, or both, and then click Next. An FQDN is required for any server not selected for installation on the preceding Server Components screen. Certificate Password appears.

18. Enter a password for the digital certificate, verify the password, and then click Next. This password protects the generation and storage of your digital certificate and encrypts and authenticates sensitive Total Defense data communications.

    Note: If you install additional server components or proxies at a later time, the Installation Wizard prompts you for this password. Total Defense recommends storing this password in a safe location.

    User Specification appears.


19. Enter the user name and password of the individual who will perform remote deployments of the Total Defense Agent/Client, and the user name and password of the user who will initiate the discovery of endpoints on your network.

    Note: It is preferred that the Endpoint Discovery user have domain administrative privileges; however, it is not a requirement. Using domain administrator privileges ensures a better discovery rate. The remote deployment account can be a user in the Local Users group or a domain user.

    Port Specification appears.

20. Accept or modify the default ports for the Total Defense Management Server, and then click Next. Unified Network Control appears.

21. The Total Defense for Unified Network Control server components to be installed are displayed. Click Next. Unified Network Control Administrator and Port Settings appears.

22. Enter the user name, password, and email address for the person responsible for implementing Total Defense for Unified Network Control:
    If you specify a domain with the user name (for example, domain\username), the installer attempts to authenticate the user name through Active Directory.
    If you do not enter a domain, the installer stores the unauthenticated user name and password in the Total Defense for Unified Network Control database catalog.

23. Accept the port numbers for the web service and certificate web sites by clicking Next. Email Notifications appears.

24. Enter the Fully Qualified Domain Name of your email server and your email address to receive email notification when certain events occur and when reports are ready for viewing. If authentication is required, click Authenticated Server, and enter the domain user name and password. Database Selection appears.

25. Choose to install Microsoft SQL Server Express or use an existing Microsoft SQL Server or Microsoft SQL Server Express installation. Click Next.

    Note: If the installer discovers an existing Microsoft SQL Server or Microsoft SQL Server Express installation on the host computer, the choice to install Microsoft SQL Server Express is disabled.

    If you choose to use an installed database server in this step, Database Version and Database Connection will appear. If you choose to install Microsoft SQL Server Express in this step, Database Server will appear instead.

Chapter 3: Installing the Infrastructure 45


26. (Database Server) Enter the following database server login information, and then click Next:
    User Name
    Password

Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.

Destination appears. (Skip the Database Version and Database Connection steps.)

27. (Database Version) Click the Microsoft SQL Server and ODBC Driver types that identify your installed database server. Click Next. Database Connection for Total Defense appears.
28. (Database Connection) Enter the following database configuration information for the Total Defense Management Server:
    Database Login Name
    Database Login Password
    Database Instance Name
    Database Host Name (fully qualified domain name)

Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.

29. (Database Connection) Click the Test SQL Connection button to verify the connection, close the message box, and then click Next. The database configuration information on the screen must be complete. The Database Connection screen for Total Defense for Unified Network Control appears.
30. (Database Connection) For the Total Defense for Unified Network Control Management Server, enter the same database information you used for Total Defense. Also verify the connection, close the message box, and then click Next. Destination appears.
31. Click the Browse button (...) to select or create an installation folder, or accept the default installation location, and then click Next. Finish Installation appears with a list of the components you selected for installation.
32. Review the list of components and click Finish to begin the installation. To modify any of the installation options, click Back to make the necessary adjustments.


Note: During the installation of the Endpoint Discovery feature, a WinPCap install wizard appears. Click Next, I Agree, Install, and Finish when required to accept all of the default settings and continue with the Total Defense installation.
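The Notes in steps 26 and 28 ask for a dedicated sysadmin login instead of sa, and step 29 only confirms that the connection opens. The following PowerShell function is an added example (not part of this guide or the Total Defense product) that performs the same pre-check from the Management Server host before you type the values into the wizard: it connects with the login you intend to use, reports which login SQL Server actually authenticated, and confirms that it holds the sysadmin role. It assumes SQL Server authentication (login name and password, as on the Database Connection screen), TCP access to the instance, and the System.Data.SqlClient assembly that ships with .NET on the host; the server and instance names in the usage lines are placeholders.

```powershell
# Added example: verify the UNC database login before entering it in the installer.
# Not from the Total Defense guide. Assumes SQL authentication and System.Data.SqlClient.

function Test-UncSqlLogin {
    param(
        [Parameter(Mandatory = $true)] [string] $DatabaseHost,   # fully qualified domain name, as on the screen
        [string] $InstanceName = '',                             # blank = default instance
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $Credential,
        [bool] $Encrypt = $true                                  # protects the login password on the wire
    )

    $dataSource = if ($InstanceName) { "$DatabaseHost\$InstanceName" } else { $DatabaseHost }

    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder['Data Source']     = $dataSource
    $builder['Initial Catalog'] = 'master'
    $builder['User ID']         = $Credential.UserName
    $builder['Password']        = $Credential.GetNetworkCredential().Password
    $builder['Encrypt']         = $Encrypt   # with a self-signed server certificate this fails closed; install a trusted one rather than disabling it
    $builder['Connect Timeout'] = 10

    $result = New-Object PSObject -Property @{
        DataSource = $dataSource; Connected = $false; LoginName = $null
        IsSysadmin = $false; IsSaAccount = $false; Error = $null
    }

    $conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
    try {
        $conn.Open()
        $result.Connected = $true
        $cmd = $conn.CreateCommand()
        # SUSER_SNAME() is the login SQL Server authenticated; IS_SRVROLEMEMBER returns 1
        # when that login belongs to the named fixed server role.
        $cmd.CommandText = "SELECT SUSER_SNAME() AS LoginName, IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin"
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            $result.LoginName   = [string]$reader['LoginName']
            $result.IsSysadmin  = ([int]$reader['IsSysadmin'] -eq 1)
            $result.IsSaAccount = ($result.LoginName -ieq 'sa')
        }
        $reader.Close()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    return $result
}

# Usage (placeholder host and instance). Get-Credential keeps the password out of the command history.
# $cred  = Get-Credential -Message 'UNC database login (do not use sa)'
# $check = Test-UncSqlLogin -DatabaseHost 'sql01.example.com' -InstanceName 'SQLEXPRESS' -Credential $cred
# if (-not $check.Connected)      { Write-Warning "Connection failed: $($check.Error)" }
# elseif ($check.IsSaAccount)     { Write-Warning 'Connected as sa; create a dedicated sysadmin login instead.' }
# elseif (-not $check.IsSysadmin) { Write-Warning "$($check.LoginName) lacks the sysadmin role the installer needs." }
# else                            { "OK: $($check.LoginName) on $($check.DataSource) has sysadmin" }
```

The check is deliberately split into three outcomes (cannot connect, connected as sa, connected without sysadmin) so that a failed installer connection test can be traced to the account rather than to the network.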


Subsequent Install
The instructions in this section describe how to install some or all of the remaining server components during a subsequent install. The Total Defense and Total Defense for Unified Network Control Management Servers and Management Consoles must have already been installed on a different machine during a first-time Distributed Installation.

Note: Read and perform the tasks in the Pre-Installation Checklist for Total Defense and Total Defense for Unified Network Control before you begin this procedure.

To perform a Distributed Installation
1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the Installation Wizard does not start automatically, click setup.exe located in the root folder of the DVD. The Language dialog appears.
2. Select the appropriate installation language and click OK. Main Menu appears.
3. Click Install Total Defense Suite r12. The Installation Wizard validates the operating system running on the host computer. If the operating system is not supported, the Installation Wizard displays an error message with a list of supported operating systems and virtual environments. Click Next or Exit to cancel the installation. If the operating system is supported, the Installation Wizard displays a list of prerequisite tests to be performed. Click Next to proceed with the tests, or Exit to cancel the installation. The Installation Wizard runs the tests and displays the results (Success, Fail, or Optional):
   Success indicates that the test succeeded and that the prerequisite is met.
   Fail indicates that the test failed and that the prerequisite is not met.
   Optional indicates that the test failed, but that the tested item or condition is optional.

Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.


4. (Optional) Select the name of a failed test on the screen to display the test results. The results appear on the right side of the screen.
5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.

Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.

6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?" Click Yes to continue with the installation. No cancels the installation. Product Selection appears.
7. Select the following options, and then click Next:
   Would you like to install the Management Server? Select No if you are installing on an additional machine in a distributed installation.
   Endpoint Protection. Select this option to install Total Defense and Total Defense for Unified Network Control.
   Gateway Security. Do not select this option.
   Another Product Selection appears and displays the options you are entitled to install.
8. Select Endpoint Protection Management Components and Unified Network Control Management Components, and then click Next. Management Server appears.
9. Enter the Fully Qualified Domain Name of the Endpoint Protection Master Management Server, and then click Next to accept the default port number. Server Components for Total Defense appears.
10. Select the Total Defense server components you want to install, and then click Next. The Total Defense Management Server and Management Console are not available. You can install other server components or unselect the components to install them elsewhere. Certificate Password appears.
11. Enter the password for the digital certificate, verify the password, and then click Next.

Note: This is the certificate password you created when you installed the Management Server and Management Console during the first-time installation.


12. Enter the Fully Qualified Domain Names for the Total Defense Report Server, Events Server, or both, and then click Next. An FQDN is required for any server not selected for installation on the preceding Server Components screen. Unified Network Control appears.
13. The Total Defense for Unified Network Control server components to be installed are displayed. Click Next. Unified Network Control Management Server Settings appears.
14. Enter the following Management Server and Administrator information:
    Management Server IP Address
    Management Server Host Name
    Administrator User Name
    Administrator Password
    The Administrator information must match what was specified during the first-time installation of the Management Server and Management Console.
15. Accept the port numbers for the web service and certificate web sites by clicking Next. Database Selection appears.
16. Choose to use the Endpoint Protection Management Server. Database Version appears.
17. Click the Microsoft SQL Server and ODBC Driver types that identify your installed database server. Click Next. Database Connection appears.
18. Enter the following database configuration information for the Total Defense and Total Defense for Unified Network Control Management Servers:
    Database Login Name
    Database Login Password
    Database Instance Name
    Database Host Name (fully qualified domain name)
19. Click the Test SQL Connection button to verify the connection, close the message box, and then click Next. The database configuration information on the screen must be complete. Destination appears.
20. Click the Browse button (...) to select or create an installation folder, or accept the default installation location, and then click Next. Finish Installation appears with a list of the components you selected for installation.
21. Review the list of components and click Finish to begin the installation. To modify any of the installation options, click Back to make the necessary adjustments.

Verify Services are Running


If performing a Distributed installation, verify that the Management Server service is running before installing the Reporting Server. Repeat the procedure for the Reporting Server and then the Communication Server after installing each of those components. At the same time, you should also verify that the component is accessible over the network.

To verify that the server component is running
1. On the host computer, click Start, and then click Run. The Run dialog opens.
2. In the Open field, enter services.msc and click OK. The Services window opens.
3. Verify that the Total Defense for Unified Network Control <component> Server service has started. If it has not started, right-click the service name in the Services window and select Start.

If performing a Standalone installation, you will have to wait until all of the server components are installed to verify that their services are running.
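The procedure above checks the service in services.msc and separately asks you to confirm that the component is reachable over the network. The PowerShell function below is an added example (not part of this guide or the Total Defense product) that does both in one step and can be repeated for each component in the order the section gives. It assumes the service display name follows the "Total Defense for Unified Network Control <component> Server" pattern shown in step 3; the port number is a placeholder for whichever port you accepted on the Port Specification screen, and the host names in the usage lines are placeholders. The service check runs against the local machine, so run it on the component's host; the TCP probe can target any host.

```powershell
# Added example: confirm a UNC server component's service is running and its port answers.
# Not from the Total Defense guide. Service display-name pattern and port are assumptions.

function Test-UncServerComponent {
    param(
        [Parameter(Mandatory = $true)] [string] $Component,   # 'Management', 'Reporting' or 'Communication'
        [Parameter(Mandatory = $true)] [string] $HostName,    # FQDN of the machine hosting the component
        [int] $Port = 8080,                                   # PLACEHOLDER: use the port you configured
        [switch] $StartIfStopped
    )
    # ASSUMPTION: display name matches the services.msc entry named in step 3 of the guide
    $displayName = "Total Defense for Unified Network Control $Component Server"

    $status = New-Object PSObject -Property @{
        Component = $Component; ServiceFound = $false; ServiceStatus = $null
        PortOpen = $false; Remark = $null
    }

    # Local service check (equivalent of looking the service up in services.msc)
    $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
    if ($svc) {
        $status.ServiceFound = $true
        if ($svc.Status -ne 'Running' -and $StartIfStopped) {
            Start-Service -InputObject $svc            # same as right-click, Start
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
            $svc.Refresh()
        }
        $status.ServiceStatus = $svc.Status.ToString()
    } else {
        $status.Remark = "No service with display name '$displayName' on this host"
    }

    # Network reachability. TcpClient is used because the Windows Server 2003/2008
    # PowerShell builds this guide targets do not have Test-NetConnection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(5000, $false)) {
            $client.EndConnect($async)
            $status.PortOpen = $true
        } else {
            $status.Remark = "Timed out connecting to ${HostName}:$Port (firewall, or the service is not listening)"
        }
    } catch {
        $status.Remark = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $status
}

# Usage, following the order the guide gives for a Distributed installation (placeholder hosts):
# Test-UncServerComponent -Component Management    -HostName 'mgmt.example.com' -Port 8080 -StartIfStopped
# Test-UncServerComponent -Component Reporting     -HostName 'rpt.example.com'  -Port 8080 -StartIfStopped
# Test-UncServerComponent -Component Communication -HostName 'comm.example.com' -Port 8080 -StartIfStopped
```

A result with ServiceStatus Running but PortOpen False usually means a host firewall rule is missing on the component's machine, which the services.msc check alone would not reveal.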


Chapter 4: Enabling JavaScript in the Web Browser


The web browser(s) you use to run the Management Console must have JavaScript enabled.

To enable JavaScript in an Internet Explorer window
1. Select Tools from the top of the window.
2. Select Internet Options.
3. Click the Security tab.
4. Click Custom level....
5. Scroll to the Scripting section.
6. Under Active scripting, click Enable.
7. Click OK.

To enable JavaScript in a Mozilla Firefox window
1. Select Tools from the top of the window.
2. Click Options.
3. Click the Content tab.
4. Select the Enable JavaScript check box.
5. Click OK.


Chapter 5: Installing the Client Agent


Prepare to Install the Client Agent
The Microsoft Network Access Protection (MS-NAP) Agent is a prerequisite for the Total Defense for Unified Network Control Client Agent if policy enforcement is desired.

Install Microsoft Network Access Protection (MS-NAP) Agent


Before installing the Client Agent on an endpoint, you need to configure that endpoint as follows for MS-NAP:
1. Join the computer to the domain.
2. Add the computer to the NAP client computers security group and restart the computer.
3. Enable Run on the Start menu.
4. Verify Group Policy settings.

The following Microsoft Step-by-Step Guides explain how to perform these steps for different enforcement methods:
Step-by-Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab
Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab
Step-by-Step Guide: Demonstrate NAP VPN Enforcement in a Test Lab
Step-by-Step Guide: Demonstrate NAP IPsec Enforcement in a Test Lab

You can find these guides by searching for all or part of their titles at http://www.microsoft.com/downloads.


Install the Client Agent


Note: Do not install the Total Defense for Unified Network Control (UNC) Client Agent on the same computer as the UNC Communication Server.

To install the UNC Client Agent
1. Insert the Total Defense DVD. If the Installation Wizard does not start automatically, click the setup.exe program located in the root folder of the DVD. The Language screen appears.
2. Select the installation language when prompted, and then click OK. The Main Menu screen appears.
3. Click Install Total Defense Suite r12. The Installation Wizard validates the operating system running on the host computer. If the operating system is not supported, the Installation Wizard displays an error message with a list of supported operating systems and virtual environments. Click Next or Exit to cancel the installation. If the operating system is supported, the Installation Wizard displays a list of prerequisite tests to be performed. Click Next to proceed with the tests, or Exit to cancel the installation. The Installation Wizard runs the tests and displays the results (Success, Fail, or Optional):
   Success indicates that the test succeeded and that the prerequisite is met.
   Fail indicates that the test failed and that the prerequisite is not met.
   Optional indicates that the test failed, but that the tested item or condition is optional.

Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.

4. (Optional) Select the name of a failed test on the screen to display the test results. The results appear on the right side of the screen.
5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.

Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.

6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?" Click Yes to continue with the installation. No cancels the installation. Product Selection appears.
7. Respond as indicated to the following options, and then click Next:
   Would you like to install the Management Server: No
   Endpoint Protection: Selected
   Gateway Security: Unselected
   Product Selection appears.
8. Select the Unified Network Control Management Components check box, and then click Next. The other Total Defense products are not required for this installation. Unified Network Control appears.
9. Select the Unified Network Control Client Agent check box, and then click Next. The other UNC components are not required for this installation. Destination appears.
10. Enter the destination folder for the UNC product installation, and then click Next. (Use the ellipsis (...) to browse to a location.) Finish Installation appears.
11. Verify that Unified Network Control is the only component selected for installation, and then click Finish. A progress bar and Current Action indicate the progress of the installation. When the installation finishes, a reboot prompt message appears.
12. Click Yes to restart the computer. To restart the computer at a later time, click No. The computer restarts.

Configure the Client Agent


When you configure the Total Defense for Unified Network Control Client Agent, you specify the IP address and port number of its associated Communication Server.


Configure the Communication Server IP Address and Port


Configuring the Total Defense for Unified Network Control (UNC) Client Agent establishes its connection with a Communication Server. Configuration consists of setting the IP address and port number of the Communication Server used by the Client Agent.

To configure the Communication Server IP address and port number
1. On the UNC Client Agent computer, open the Health Monitor (click Start, All Programs, Health Monitor).
2. Right-click the Health Monitor tray icon (twin monitors with yellow screens) and select Setting. The UNCCA Settings dialog appears.
3. Enter the following values for the UNC Communication Server associated with the UNC Client Agent:
   Primary IP Address
   Port Number
4. Click OK. Cancel discards your changes. Your changes are saved and the dialog closes.
5. Open the Services window (click Start, All Programs, Administrative Tools, and then Services) on the UNC Client Agent computer and restart the Unified Network Control service.


Chapter 6: Uninstalling and Repairing Server Components


This section describes how to uninstall Total Defense for Unified Network Control components. The Uninstallation Wizard guides you through the process of completely removing Total Defense for Unified Network Control, or choosing components to remove from your computer. You can also choose to repair an installation by reinstalling Total Defense for Unified Network Control components.


Uninstall and Repair


To uninstall or repair Total Defense for Unified Network Control on MS Windows Server 2003
1. Click Start, Control Panel, Add or Remove Programs.
2. Select Total Defense from the list of installed programs.
3. Click Remove to completely remove Total Defense for Unified Network Control. Alternatively, click Change to select components to remove or repair. If you selected the Change option, the Maintenance screen appears.
4. Select to remove components, or repair components by reinstallation. Click Next. The list of Total Defense for Unified Network Control components is displayed.
   Note: Components that were not installed are grayed out.
5. Use the checkboxes to select components to remove or reinstall, and click Next. The selected Total Defense for Unified Network Control components are removed or reinstalled depending on your previous selections.

To uninstall or repair Total Defense for Unified Network Control on MS Windows Server 2008
1. Click Start, Control Panel, Programs and Features.
2. Right-click Total Defense in the list of installed programs.
3. Select Uninstall to completely remove Total Defense for Unified Network Control, or Change to select components to remove or repair.
4. If you selected the Uninstall option, the Total Defense Uninstaller screen appears. Click Yes to completely remove the selected application (Total Defense for Unified Network Control). The Uninstall Complete screen appears.
5. If you selected the Change option, the Maintenance screen appears.
   a. Select to remove components, or repair components by reinstallation. Click Next. The list of Total Defense for Unified Network Control components is displayed.
      Note: Components that were not installed are grayed out.
   b. Use the checkboxes to select components to remove or reinstall, and click Next. The selected Total Defense for Unified Network Control components are removed or reinstalled depending on your previous selections. The Maintenance Complete screen appears.
6. Select Yes to restart your computer now or No to restart it later, and click Finish.


Appendix A: Troubleshooting
This section contains the following topics:
Management Server (see page 63)
Communication Server (see page 64)
Uninstalling Servers (see page 65)

Management Server
Reimporting the SSL Certificate
When the Management Console is hosted in IE 7.0 or above with the SSL combination environment, and is opened using localhost (for example, https://localhost/uncgui/mainapplication.html), the print and export features may not work because of the Certificate Import Issue in the browser.

To re-import the SSL certificate
1. Open an Internet Explorer browser window. Click Tools, and then click Internet Options. The Internet Options dialog appears.
2. Click the Content tab. The Content page appears.
3. Click Certificates. The Certificates dialog appears.
4. Click Import. The File to Import pane appears.
5. Click Browse and select the appropriate certificate from its location on your local machine. It could be the same certificate created at the time of installation. Click Next. The Certificate Store pane appears.
6. Choose the Personal location by default, or let the system choose the location based on the certificate.
7. Click Next to import the certificate to your browser and view the summary.
8. A message box appears, indicating success.
9. Click OK, Close, and OK.


Locating Error Logs


Total Defense for Unified Network Control (TDUNC) maintains error logs that you can use to obtain error messages and other critical information.

To locate the UNC error logs
1. Navigate to the UNC installation folder (for example, Program Files\CA\UNC).
2. Navigate to the Management Server's UNCMS/UNCWS folder.
3. Open errorlog.txt with a text editor. The file contains the error logs for all the transactions made from that server.

Any critical error or information from the UNCMS services is also logged in the Windows Logs under the Application category for easy reference.

To locate the Windows logs
1. Click Start, All Programs, Administrative Tools, and then Computer Management. The Computer Management window appears.
2. In the browser pane on the left, expand System Tools and then Event Viewer, and then click Application. A list of error and information messages appears. Relevant messages are from the Total Defense for Unified Network Control Management Server.
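The two procedures above open errorlog.txt and the Application log by hand. The PowerShell function below is an added example (not part of this guide or the Total Defense product) that gathers both sources in one call, which is useful when you need to compare the Management Server's own log with what it wrote to the Windows Application log for the same time window. It takes the install folder from the guide's example location and appends the UNCMS\UNCWS\errorlog.txt path the guide gives; the event-source name pattern is an assumption, because the guide only says the relevant entries come from the Total Defense for Unified Network Control Management Server.

```powershell
# Added example: collect the tail of errorlog.txt together with recent Application-log
# errors and warnings from the UNC Management Server. Not from the Total Defense guide.

function Get-UncErrorSummary {
    param(
        [string] $InstallRoot = "$env:ProgramFiles\CA\UNC",   # the guide's example install folder
        [int] $Hours = 24,                                     # look-back window for the Application log
        [int] $TailLines = 50                                  # how much of errorlog.txt to return
    )

    # errorlog.txt lives under the Management Server's UNCMS\UNCWS folder (per the guide)
    $logFile  = Join-Path $InstallRoot 'UNCMS\UNCWS\errorlog.txt'
    $fileTail = @()
    if (Test-Path -LiteralPath $logFile) {
        # Select-Object -Last also works on PowerShell 2.0 hosts that lack Get-Content -Tail
        $fileTail = @(Get-Content -LiteralPath $logFile | Select-Object -Last $TailLines)
    } else {
        Write-Warning "errorlog.txt not found at $logFile"
    }

    $since = (Get-Date).AddHours(-$Hours)
    # ASSUMPTION: the UNCMS services register event sources that contain 'Unified Network Control'
    # or begin with 'UNC'. Adjust the pattern to the Source column you see in Event Viewer.
    $events = @(
        Get-EventLog -LogName Application -After $since -EntryType Error, Warning -ErrorAction SilentlyContinue |
            Where-Object { $_.Source -like '*Unified Network Control*' -or $_.Source -like 'UNC*' } |
            Select-Object TimeGenerated, EntryType, Source, EventID, Message
    )

    New-Object PSObject -Property @{
        LogFile    = $logFile
        FileTail   = $fileTail
        EventCount = $events.Count
        Events     = $events
    }
}

# Usage on the Management Server host:
# $summary = Get-UncErrorSummary -Hours 48
# $summary.Events | Sort-Object TimeGenerated | Format-Table TimeGenerated, EntryType, EventID, Source -AutoSize
# $summary.FileTail
```

Both the file tail and the event list are returned as properties rather than printed, so the same object can be exported (for example with Export-Clixml) and attached to a support case.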

Communication Server
Verifying the Presence of the System Health Validator
After restarting the Communication Server, verify that the System Health Validator is present under Health Policies in the Compliant and Non-compliant properties.


Uninstalling Servers
If you are using the installer to remove the Management, Reporting, or Communication Server and the operation fails, you can remove the server manually with one of the following msiexec commands executed from the Command prompt.

Note: When uninstalling a Standalone installation, uninstall the components in the following order:
1. Communication Server
2. Reporting Server
3. Management Server

32-bit

Communication Server:
msiexec /X {ED315E14-2F90-4C16-90EA-7798C900097E}

Reporting Server:
msiexec /X {8A79276E-A0F2-43EC-8127-E6052B791E41}

Management Server:
msiexec /X {1F841E57-A694-4090-AAA4-28C39A73089B}

Client Agent:
msiexec /X {FBBC00EC-2A53-4A76-8004-2D8A5CFC55D5}

64-bit

Communication Server:
msiexec /X {ED315E14-2F90-4C16-90EA-7798C900097E}

Reporting Server:
msiexec /X {8A79276E-A0F2-43EC-8127-E6052B791E41}

Management Server:
msiexec /X {7CD61E76-26B3-42F9-9E3F-05C8446EE621}

Client Agent:
msiexec /X {0D2C2595-912D-488E-8F3D-67254F3ABF6E}
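When the manual removal above is needed, running the three commands by hand makes it easy to skip the ordering the Note requires or to miss a failed step. The PowerShell script below is an added example (not part of this guide or the Total Defense product) that runs the msiexec removals in the mandated order (Communication Server, then Reporting Server, then Management Server), selects the 32-bit or 64-bit product codes listed above according to the operating system, and stops at the first failure so a partly removed server is not left behind unnoticed. The product codes are the ones printed in this section; the log folder is a constructed example, and the script assumes an elevated prompt.

```powershell
# Added example: ordered manual removal of the UNC servers with the product codes from the guide.
# Not from the Total Defense guide. Run from an elevated PowerShell prompt.

$UncProductCodes = @{
    '32' = @{
        'Communication Server' = '{ED315E14-2F90-4C16-90EA-7798C900097E}'
        'Reporting Server'     = '{8A79276E-A0F2-43EC-8127-E6052B791E41}'
        'Management Server'    = '{1F841E57-A694-4090-AAA4-28C39A73089B}'
    }
    '64' = @{
        'Communication Server' = '{ED315E14-2F90-4C16-90EA-7798C900097E}'
        'Reporting Server'     = '{8A79276E-A0F2-43EC-8127-E6052B791E41}'
        'Management Server'    = '{7CD61E76-26B3-42F9-9E3F-05C8446EE621}'
    }
}

# Removal order required by the guide's Note for a Standalone installation
$UncUninstallOrder = @('Communication Server', 'Reporting Server', 'Management Server')

function Uninstall-UncServers {
    param(
        [string] $LogFolder = "$env:TEMP\unc-uninstall",   # constructed example path for the msiexec logs
        [switch] $WhatIf                                   # print the commands instead of running them
    )
    # Detect the OS architecture even from a 32-bit PowerShell host on 64-bit Windows
    $arch = if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64' -or $env:PROCESSOR_ARCHITEW6432 -eq 'AMD64') { '64' } else { '32' }
    New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null

    $results = @()
    foreach ($name in $UncUninstallOrder) {
        $code = $UncProductCodes[$arch][$name]
        $log  = Join-Path $LogFolder (($name -replace ' ', '') + '.log')
        # /X removes the product (as in the guide), /qn suppresses the UI, /L*v writes a verbose log
        $msiArgs = "/X $code /qn /L*v `"$log`""

        if ($WhatIf) { Write-Host "msiexec.exe $msiArgs"; continue }

        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
        # Standard Windows Installer exit codes: 0 success, 3010 success but reboot required,
        # 1605 product not installed on this machine
        $outcome = switch ($proc.ExitCode) {
            0       { 'removed' }
            3010    { 'removed, reboot required' }
            1605    { 'not installed (skipped)' }
            default { "failed (msiexec exit code $($proc.ExitCode))" }
        }
        $results += New-Object PSObject -Property @{
            Component = $name; Architecture = "$arch-bit"; ProductCode = $code; Outcome = $outcome; Log = $log
        }
        if (@(0, 3010, 1605) -notcontains $proc.ExitCode) {
            Write-Warning "$name removal failed; see $log. Stopping so the remaining servers are left intact."
            break
        }
    }
    return $results
}

# Usage: preview first, then run and review the per-component outcome.
# Uninstall-UncServers -WhatIf
# Uninstall-UncServers | Format-Table Component, Architecture, Outcome, Log -AutoSize
```

The Client Agent codes listed above are intentionally left out of the order table, since the Note covers only the three server components; add them only on an endpoint where the agent itself has to be removed by hand.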
