Implementation Guide
r12
This documentation, which includes embedded help systems and electronically distributed materials (hereinafter collectively referred to as the "Documentation"), is for your informational purposes only and is subject to change or withdrawal by Total Defense at any time. The Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of Total Defense. The Documentation is confidential and proprietary information of Total Defense and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and Total Defense governing your use of the Total Defense software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and Total Defense. Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all Total Defense copyright notices and legends are affixed to each reproduced copy. The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to Total Defense that all copies and partial copies of the Documentation have been returned to Total Defense or destroyed. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE DOCUMENTATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. 
IN NO EVENT WILL TOTAL DEFENSE BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF TOTAL DEFENSE IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice. The manufacturer of the Documentation is Total Defense. The Documentation is provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors. Copyright 2011 Total Defense, Inc. All rights reserved. All trademarks, trade names, service marks, and logos referenced in the Documentation are the property of their respective owners.
Product References
This document references the following Total Defense products:
- Total Defense
- Total Defense for Unified Network Control
Contents
Chapter 1: Introducing Total Defense for Unified Network Control ... 7
    Architecture Overview ... 8
Chapter 2 ... 11
    Pre-Installation Checklist ... 11
    Verify Microsoft Windows Installer Version ... 12
    Verify System Requirements ... 12
    Install Internet Information Services and .NET Framework ... 13
    Install Microsoft Network Access Protection (MS-NAP) ... 14
    Configure MSMQ ... 15
    Perform Pre-installation Database Tasks ... 16
    Activate Your License ... 20
    (Optional) Use in Test Mode ... 21
Chapter 3 ... 23
    Management Server Host Names ... 26
    Install Server Components (Standalone Install) ... 27
    Install Server Components (Distributed Install) ... 32
    Install Server Components (Combined Standalone Install) ... 36
    Install Server Components (Combined Distributed Install) ... 41
    First-Time Install ... 42
    Subsequent Install ... 48
    Verify Services are Running ... 51
Chapter 4: Enabling JavaScript in the Web Browser ... 53
Chapter 5: Installing the Client Agent ... 55
    Prepare to Install the Client Agent ... 55
    Install Microsoft Network Access Protection (MS-NAP) Agent ... 55
    Install the Client Agent ... 56
    Configure the Client Agent ... 57
    Configure the Communication Server IP Address and Port ... 58
Chapter 6 ... 59
Appendix A: Troubleshooting ... 63
    Management Server ... 63
    Reimporting the SSL Certificate ... 63
    Locating Error Logs ... 64
    Communication Server ... 64
    Verifying the Presence of the System Health Validator ... 64
    Uninstalling Servers ... 65
6 Implementation Guide
Architecture Overview
A standard Total Defense for Unified Network Control installation consists of:
- One Management Server
- One Reporting Server
- One or more Communication Servers
- One or more Client Agents
The Management Server controls the installation. With the Management Console, the server's graphical user interface, you can manage all aspects of the installation, including databases, reports, events, policies, user access, and licenses. Dashboard panels display Total Defense for Unified Network Control status information. Events are related to the assessment, quarantine, and remediation of endpoint devices. Policies define the Minimum Baseline Standard (MBS) for endpoint devices that comply with network security requirements.

The Reporting Server is the reporting and event management component of an installation. It builds the standard policy-based and custom reports that you request through the Management Console.

The Management Server, Reporting Server, and Communication Server can be installed on the same computer or on separate computers. The Client Agent is installed on an endpoint device. The Communication Server and Client Agent cannot be installed on the same computer.

A Communication Server is the conduit between the Management Server and its assigned Client Agents on the endpoint devices. It also validates the applicability of a policy, assesses the MBS compliance of an endpoint device, and triggers remediation of that device when necessary.

A Client Agent resides on an endpoint device and collects user, machine, and policy attribute data for the Communication Server.
Pre-Installation Checklist
- Verify that you have Administrative credentials to perform the installation.
- Verify the operating system and hardware requirements for server and agent.
- Verify that the Microsoft Windows Installer version is 3.0 or higher.
- Install/enable Internet Information Services, MSMQ, CGI, and .NET Framework 3.5 SP1.
- Perform pre-installation database tasks.
- Verify that the necessary ports are open.
- Activate your license.
- (Optional) Use test mode to make sure the host meets the requirements outlined in this checklist.
Management Server, Reporting Server: Internet Information Services (IIS)
- IIS 7.5 on Microsoft Windows Server 2008 R2
- IIS 7.0 on Microsoft Windows Server 2008
IIS is bundled with Microsoft Windows Server 2008. However, you must ensure that IIS is installed and enabled so that the Total Defense Installation Wizard can configure specific settings. For more information, search Microsoft TechNet (http://technet.microsoft.com) for discussions of IIS.

Note: A Management Server or Reporting Server running on Microsoft Windows Server 2003 uses IIS 6.0. A Communication Server requires IIS 7.0 or higher because it can run only on Microsoft Windows Server 2008.

If .NET Framework 3.5 SP1 is not already installed on your server, you can download it using the Microsoft Windows Update feature or from http://www.microsoft.com/downloads. If your computer already has IIS (any version) and .NET Framework (older than version 3.5) installed, you need to install .NET Framework 3.5 and then map IIS to it. The mapping identifies the .NET Framework 3.x configurations to IIS.
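The version prerequisites above (Windows Installer 3.0 or higher, IIS 7.0/7.5, .NET Framework 3.5 SP1) can be checked before the Installation Wizard is run. The following PowerShell script is an added example, not part of the Total Defense guide; it reads the standard Windows registry and file locations for those versions. The function names are my own, and the assumption that "map IIS to it" means registering ASP.NET with the CLR 2.0 aspnet_regiis.exe tool is mine as well, since the guide does not name the tool.

```powershell
# Added example (not from the Total Defense guide): verify the checklist's version
# prerequisites on the intended Management/Reporting/Communication Server host.

function Get-WindowsInstallerVersion {
    # The file version of msi.dll is the installed Windows Installer version.
    $vi = (Get-Item (Join-Path $env:SystemRoot 'System32\msi.dll')).VersionInfo
    New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Get-IisVersion {
    # IIS records MajorVersion/MinorVersion under HKLM\SOFTWARE\Microsoft\InetStp when installed.
    $key = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
    if ($key) { New-Object System.Version $key.MajorVersion, $key.MinorVersion } else { $null }
}

function Test-DotNet35Sp1 {
    # Install=1 together with SP>=1 under NDP\v3.5 means .NET Framework 3.5 SP1 is present.
    $key = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    [bool]($key -and $key.Install -eq 1 -and $key.SP -ge 1)
}

function Test-UncPrerequisites {
    $msi = Get-WindowsInstallerVersion
    $iis = Get-IisVersion
    $net = Test-DotNet35Sp1
    $results = @(
        (New-Object PSObject -Property @{ Check = 'Windows Installer 3.0 or higher'; Found = "$msi"; Pass = ($msi -ge [Version]'3.0') }),
        (New-Object PSObject -Property @{ Check = 'IIS 7.0 or higher';               Found = "$iis"; Pass = ($iis -ne $null -and $iis -ge [Version]'7.0') }),
        (New-Object PSObject -Property @{ Check = '.NET Framework 3.5 SP1';          Found = $net;   Pass = $net })
    )
    $results | Format-Table Check, Found, Pass -AutoSize
    # $true only when every prerequisite passed.
    -not ($results | Where-Object { -not $_.Pass })
}

function Register-AspNetWithIis {
    # Assumption: "map IIS to .NET 3.5" = register ASP.NET with IIS. .NET 3.5 runs on the
    # CLR 2.0 runtime, so the v2.0.50727 aspnet_regiis.exe is the one to run (use the
    # Framework64 directory on a 64-bit server).
    $tool = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
    if (-not (Test-Path $tool)) { throw "aspnet_regiis.exe not found at $tool" }
    & $tool -i
}

if (-not (Test-UncPrerequisites)) {
    Write-Warning 'Resolve the failed checks before running the Total Defense Installation Wizard.'
}
```

Run the script in an elevated PowerShell session on each server host. It only reads; Register-AspNetWithIis is the one function that changes the host and is left for you to call after .NET 3.5 SP1 has been installed on a server that already had IIS.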
Install Microsoft Network Access Protection (MS-NAP)
The domain controller must be installed on a separate computer (running Windows Server 2003 and above), not the host computer. Once Active Directory and DNS are running, perform the following:
1. Create a user account and group in Active Directory.
2. Create a NAP client computer security group for UNC client agents.
For a full description of the steps involved, see the Microsoft Step By Step Guide for your enforcement method listed at the end of this section.

Configure the host computer
The host computer for the Communication Server must run Microsoft Windows Server 2008 and host the NPS service. The host computer for a Standalone installation, which includes the Communication Server, must also meet these requirements. Perform the following steps to configure the host computer for UNC:
1. Join the computer to the domain.
2. Install the NPS and enforcement server (DHCP, VPN, etc.) roles.
3. Install the Group Policy Management feature.
4. Configure NPS as a NAP health policy server.
5. Configure the enforcement method (DHCP, VPN, etc.).
6. Configure NAP client settings in Group Policy.
For a full description of the steps involved, see the Microsoft Step By Step Guide for your enforcement method listed at the end of this section.
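The directory objects and the first three host-computer steps above are scriptable. The PowerShell below is an added example, not part of the Total Defense guide or the Microsoft guides it points to; the domain name, account name, group name and the choice of DHCP enforcement are assumptions. Steps 4 to 6 (NAP health policy, enforcement method, NAP client Group Policy settings) are policy decisions and stay with the Microsoft Step-by-Step guide for your enforcement method.

```powershell
# Added example (not from the Total Defense guide): MS-NAP preparation for UNC.
param(
    [string]$Domain         = 'corp.example.com',   # assumption: AD DNS domain name
    [string]$UncUser        = 'svc-unc',            # assumption: UNC user account name
    [string]$NapClientGroup = 'UNC NAP Clients',    # assumption: NAP client computer security group
    [switch]$DhcpEnforcement                        # assumption: DHCP is the chosen enforcement method
)

# Domain side: run as a domain administrator on a domain controller or a member server.
# "net user ... *" prompts for the password instead of taking it on the command line;
# /domain targets the domain rather than the local SAM.
function New-UncDirectoryObjects {
    net user $UncUser * /add /domain /comment:"Total Defense UNC account"
    net group "$NapClientGroup" /add /domain /comment:"NAP client computers running the UNC Client Agent"
    # Computer accounts join the group by their SAM name with a trailing $, for example:
    #   net group "$NapClientGroup" 'WORKSTATION01$' /add /domain
}

# Host step 1: join the Communication Server host to the domain (reboot required afterwards).
function Join-UncHostToDomain {
    Add-Computer -DomainName $Domain -Credential (Get-Credential "$Domain\Administrator")
    Write-Warning "Restart $env:COMPUTERNAME to complete the domain join, then run Install-UncHostRoles."
}

# Host steps 2 and 3: Network Policy Server, the DHCP enforcement server role, and
# Group Policy Management. ServerManager is the Windows Server 2008 R2 module; on
# Windows Server 2008 RTM use: servermanagercmd.exe -install NPAS-Policy-Server GPMC DHCP
function Install-UncHostRoles {
    Import-Module ServerManager
    $features = @('NPAS-Policy-Server', 'GPMC')
    if ($DhcpEnforcement) { $features += 'DHCP' }
    Add-WindowsFeature $features | Out-Null
    Get-WindowsFeature $features | Format-Table DisplayName, Installed -AutoSize
}

# Typical order: New-UncDirectoryObjects on the DC, then on the host
# Join-UncHostToDomain, reboot, Install-UncHostRoles -DhcpEnforcement.
```

Keep the NAP client group separate from the UNC user account: the group is what the NAP client Group Policy settings (step 6) are scoped to, so only enrolled endpoints receive the NAP agent configuration.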
Documentation resources
The following Microsoft Step By Step Guides demonstrate how to configure MS-NAP for different enforcement methods:
- Step-by-Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab
- Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab
- Step-by-Step Guide: Demonstrate NAP VPN Enforcement in a Test Lab
- Step-by-Step Guide: Demonstrate NAP IPsec Enforcement in a Test Lab
You can find these guides by searching for all or part of their titles at http://www.microsoft.com/downloads.
Configure MSMQ
Perform this procedure on the host computer for the Communication Server to configure Microsoft Message Queuing.
To configure MSMQ
1. In the Server Manager window, click Features.
2. In the right pane under Features Summary, click Add Features. The Select Features window appears.
3. Expand Message Queuing and then Message Queuing Services.
4. Select the Message Queuing Server check box.
5. Click Next, and then click Install. The feature is installed and the Select Features window closes.
6. In the Server Manager window, expand Features and then Message Queuing.
7. Verify that Private Queues are available.
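The same result can be obtained without the Server Manager GUI, and the "Private Queues are available" check can be made stronger by actually creating and removing a private queue. This PowerShell is an added example, not part of the Total Defense guide; the throwaway queue name is an assumption.

```powershell
# Added example (not from the Total Defense guide): install Message Queuing Server on the
# Communication Server host and prove that private queues work.

function Install-MsmqServer {
    # ServerManager is the Windows Server 2008 R2 module; on Windows Server 2008 RTM use
    # servermanagercmd.exe -install MSMQ-Server instead.
    Import-Module ServerManager
    if (-not (Get-WindowsFeature MSMQ-Server).Installed) {
        Add-WindowsFeature MSMQ-Server | Out-Null
    }
    (Get-WindowsFeature MSMQ-Server).Installed
}

function Test-MsmqPrivateQueues {
    param([string]$QueuePath = '.\private$\unc-preinstall-smoketest')   # assumption: temporary name
    Add-Type -AssemblyName System.Messaging
    if ((Get-Service MSMQ).Status -ne 'Running') { throw 'The MSMQ service is not running.' }

    # Creating and then deleting a private queue proves the private queue store is usable,
    # which is what the Server Manager "Private Queues" node shows.
    if ([System.Messaging.MessageQueue]::Exists($QueuePath)) {
        [System.Messaging.MessageQueue]::Delete($QueuePath)
    }
    $queue = [System.Messaging.MessageQueue]::Create($QueuePath)
    $ok = [System.Messaging.MessageQueue]::Exists($QueuePath)
    $queue.Dispose()
    [System.Messaging.MessageQueue]::Delete($QueuePath)

    # Any private queues already present (none on a fresh host is normal).
    [System.Messaging.MessageQueue]::GetPrivateQueuesByMachine('.') |
        ForEach-Object { Write-Host "existing private queue: $($_.QueueName)" }
    $ok
}

if (Install-MsmqServer) {
    if (Test-MsmqPrivateQueues) { 'MSMQ private queues are available.' }
    else { Write-Warning 'Private queue creation failed; check the MSMQ installation.' }
}
```

The smoke-test queue is removed again, so nothing is left behind for the Communication Server installer to trip over.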
If your company already has one of these database applications, you can also use it to host the Total Defense for Unified Network Control databases. However, Total Defense also provides Microsoft SQL Server 2005 Express as an out-of-the-box solution. Microsoft SQL Server 2005 Express is located on the installation DVD and, if chosen as an installation option, is automatically installed and configured during the installation of Total Defense for Unified Network Control.

Note: Microsoft SQL Server Express can be used during a product trial or if your organization has fewer than 500 endpoints; however, it is not recommended for larger organizations.

During the installation of Total Defense for Unified Network Control, the Installation Wizard prompts you to enter the following information for each database:
- Database user credentials
- Name of the database instance
- Name of the computer that hosts the database
These fields are pre-populated with default values if you are installing Microsoft SQL Server Express. The Installation Wizard automatically creates the required database schema for the Total Defense for Unified Network Control Management Server database.
See the sections that follow for instructions on how to configure these items. The items noted above are automatically configured if you choose to install Microsoft SQL Server Express during the Total Defense for Unified Network Control installation. Note: If you are reinstalling or repairing Total Defense for Unified Network Control, the installer will delete the existing database (named "UNCDB") and create a new one. To preserve the contents of the existing database, you must create a backup version of the database before running the installer. After installation, you can then restore the contents of the UNCDB database from the backup version.
Your SQL Server now supports both SQL Server and Windows authentication.
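The pre-installation database tasks in this section (confirming mixed-mode authentication, backing up an existing UNCDB before a reinstall or repair, and preparing the alternate sysadmin login that the Installation Wizard later asks for instead of sa) can be done from PowerShell with the .NET SqlClient provider. This script is an added example, not part of the Total Defense guide; the instance name, login name and backup path are assumptions, and the registry write that enables mixed mode is the standard SQL Server LoginMode setting rather than anything the guide specifies.

```powershell
# Added example (not from the Total Defense guide): pre-installation database tasks.
param(
    [string]$Instance   = 'localhost\SQLEXPRESS',            # assumption: target SQL Server instance
    [string]$Login      = 'uncadmin',                        # assumption: alternate sysadmin login
    [string]$BackupPath = 'C:\Backup\UNCDB_preinstall.bak'   # assumption: local path on the SQL host
)

function Invoke-Tsql([string]$Query) {
    # Windows authentication for the administrator running the script; master always exists.
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $cmd.ExecuteScalar()     # first column of the first row, or $null when nothing is returned
    } finally { $conn.Close() }
}

function Test-MixedModeAuthentication {
    # IsIntegratedSecurityOnly = 1: Windows authentication only; 0: SQL Server logins accepted too.
    [int](Invoke-Tsql "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)") -eq 0
}

function Enable-MixedModeAuthentication {
    # LoginMode 2 = SQL Server and Windows authentication; applies after the service restarts.
    Invoke-Tsql "EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 2" | Out-Null
    Write-Warning 'Restart the SQL Server service for mixed-mode authentication to take effect.'
}

function Backup-UncDatabase {
    # The installer deletes and recreates UNCDB on a reinstall or repair, so back it up first.
    if ([int](Invoke-Tsql "SELECT CASE WHEN DB_ID('UNCDB') IS NULL THEN 0 ELSE 1 END") -ne 1) {
        Write-Host 'No existing UNCDB on this instance; nothing to back up.'
        return $false
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $BackupPath) | Out-Null
    # Written by the SQL Server service account on the SQL host (local here, as assumed).
    Invoke-Tsql "BACKUP DATABASE [UNCDB] TO DISK = N'$BackupPath' WITH INIT" | Out-Null
    Test-Path $BackupPath
}

function New-UncSysadminLogin {
    $secure = Read-Host "Password for new SQL login '$Login'" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $escaped = $plain.Replace("'", "''")        # T-SQL string-literal escaping
    Invoke-Tsql "IF SUSER_ID(N'$Login') IS NULL CREATE LOGIN [$Login] WITH PASSWORD = N'$escaped'" | Out-Null
    # sysadmin is the only role the guide asks for; sp_addsrvrolemember works on SQL Server 2005 and later.
    Invoke-Tsql "EXEC sp_addsrvrolemember N'$Login', N'sysadmin'" | Out-Null
    [int](Invoke-Tsql "SELECT IS_SRVROLEMEMBER('sysadmin', N'$Login')") -eq 1
}

if (-not (Test-MixedModeAuthentication)) { Enable-MixedModeAuthentication }
if (Backup-UncDatabase) { "UNCDB backed up to $BackupPath" }
if (New-UncSysadminLogin) { "Login '$Login' is a sysadmin; enter it in the Installation Wizard instead of sa." }
```

Run it as a Windows administrator who is already a sysadmin on the instance. The password is prompted for rather than placed on the command line, and the script leaves sa untouched: the point of the alternate account is that the installer's stored credentials are not the instance-wide sa login.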
The default port number for the UNC database is 1433. The Client Agent installation sets the default port number 34443 for its Communication Server. The Communication Server port number can be reset from the endpoint. Your proxy settings and firewall must be configured for these port numbers (or their replacements) to allow the UNC components to communicate.
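A quick way to confirm that the ports named above are actually open end to end, and to open them in the Windows Firewall on the host that listens, is the PowerShell below. It is an added example, not part of the Total Defense guide; the host names are assumptions, the port numbers are the defaults this section gives, and netsh advfirewall is the Windows Server 2008 firewall command line.

```powershell
# Added example (not from the Total Defense guide): verify UNC port connectivity and
# open the listening ports in the Windows Firewall.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }   # filtered/silently dropped
        $client.EndConnect($async)   # throws when the connection is refused
        $true
    } catch { $false } finally { $client.Close() }
}

# Run from the machine that needs to reach each service (e.g. the Management Server host
# for SQL, an endpoint for the Communication Server). Host names are assumptions.
$checks = @(
    @{ Role = 'UNC database (SQL Server)'; Host = 'sqlhost.corp.example.com';  Port = 1433  },
    @{ Role = 'Communication Server';      Host = 'unccomm.corp.example.com';  Port = 34443 }
)
foreach ($c in $checks) {
    $state = if (Test-TcpPort $c.Host $c.Port) { 'reachable' } else { 'BLOCKED or not listening' }
    '{0,-26} {1}:{2,-6} {3}' -f $c.Role, $c.Host, $c.Port, $state
}

# Run on the host that listens (the SQL host for 1433, the Communication Server for 34443).
function Add-UncFirewallRule {
    param([string]$Name, [int]$Port)
    $existing = netsh advfirewall firewall show rule name="$Name" 2>$null
    if ($existing -match 'Rule Name:') { return "Firewall rule '$Name' already exists." }
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow protocol=TCP localport=$Port
}
# Add-UncFirewallRule -Name 'Total Defense UNC Communication Server' -Port 34443
# Add-UncFirewallRule -Name 'SQL Server for Total Defense UNC'      -Port 1433
```

If you change either port during installation (or reset the Communication Server port from an endpoint), update the port numbers in both the checks and the rules; a "BLOCKED" result with the service running usually means the firewall or a proxy in the path is the cause.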
Total Defense for Unified Network Control (TDUNC) provides the following installation scenarios:

Standalone Installation
In a Standalone Installation all TDUNC server components are installed on the same host machine, which must meet the minimum hardware and operating system requirements. A Standalone Installation works best for sites with fewer than 1,000 endpoints in the same physical location.
Best Practice Tip! Since this server is considered mission critical for keeping your environment healthy, Total Defense recommends that no other applications run on this server. It should be dedicated to TDUNC alone.
Database Connectivity in a Standalone Installation: The Total Defense Installation Wizard will automatically install and configure Microsoft SQL Server Express on the same machine on which you install the Management Server, or allow you to use a locally installed database instead. If you use an existing database, you must complete several configuration tasks prior to starting the Total Defense installation.

Distributed Installation
In a Distributed Installation the TDUNC Management Server, Reporting Server, and Communication Server may each be installed on a separate machine to improve product performance and network flow. This installation is recommended for sites with more than 1,000 endpoints or sites that have endpoints located across more than one physical location. A Distributed Installation can have one of the following configurations:
Configuration 1
- Computer A: Management Server
- Computer B: Reporting Server
- Computer C: Communication Server
Configuration 2
- Computer A: Management Server and Reporting Server
- Computer B: Communication Server
Configuration 3
- Computer A: Management Server
- Computer B: Reporting Server and Communication Server
Database Connectivity in a Distributed Installation
In a Distributed Installation you may use an existing Microsoft SQL database for the Management Server. The database may be located on a separate machine, such as an application server located in a database farm. In this scenario, the Installation Wizard prompts you for the required database information (SQL hostname, SQL instance name, and so on). Before you begin the Total Defense installation, you must complete several configuration tasks.

Combined Standalone Installation
In a Combined Standalone Installation, all Total Defense (TD) and TDUNC server components are installed at the same time on the same host machine, which must meet the recommended hardware and operating system requirements. A Standalone Installation works best for sites with fewer than 1,000 endpoints in the same physical location.

Combined Distributed Installation
In a Combined Distributed Installation the TD and TDUNC Management Servers are installed at the same time on the same machine, while the remaining server components of both products may each be installed on a separate machine to improve product performance and network flow. This installation is recommended for sites with more than 1,000 endpoints or sites that have endpoints located across more than one physical location.

Combined Staged Installations
In a Combined Staged Installation, TD and TDUNC are installed at different times in Standalone or Distributed Installations.
Standalone Configurations
- Computer A: TD installed first; TDUNC installed second.
- Computer A: TDUNC installed first; TD installed second.
Distributed Configurations
Note: All servers in these configurations must be installed with a distributed installation type.
- Computer A: All TD servers installed first; TDUNC Management Server installed second. Computer B: Remaining TDUNC servers installed.
- Computer A: All TDUNC servers installed first; TD Management Server installed second. Computer B: Remaining TD servers installed.
Management Server Host Names
Host names are case-insensitive, so host names such as Safety-First and safety-first are seen as identical.
Install Server Components (Standalone Install)
Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.
4. (Optional) Select the name of a failed test on the screen to display the test results. The results appear on the right side of the screen.
5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.
Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.
6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?" Click Yes to continue with the installation; No cancels the installation. Product Selection appears.
7. Click Yes to install the Management Server, select Endpoint Protection, and then click Next. License Agreements appear.
8. After reading the legal notices, click the I accept the terms of the License Agreement button, and then click Next. Registration appears.
9. Enter the registration information, and then click Next.
Note: The Total Defense Entitlement Management System (EMS) sends a license activation link to the email address that you enter on this screen. Make sure to enter an address that you check frequently so that you can finalize the license activation process.
Renewal appears.
10. (Optional) Modify the information if your Renewal Contact information is different from the Product Registration information, and then click Next. Internet Proxy Information appears.
11. If you use a web proxy to access the Internet, enter the specified information, and then click Next. License Verification appears.
12. Copy and paste your license (or manually enter it using all UPPER CASE characters), and then click Next. If you have an Internet connection, the Total Defense Entitlement Management Server is contacted and registers your license. If you do not have an Internet connection or the Entitlement Management Server cannot be reached, click Next to complete the installation in a 30-day trial mode.
Note: The Management Server will attempt to complete the registration for you when the installation is complete. The server will attempt to activate the license for 5 days. If it is unable to do so, a message will appear in the banner of the Management Console with a link to instructions on how to complete the registration.
Installation Type appears.
13. Click Standalone Installation, and then click Next. Another Product Selection appears.
14. Select Unified Network Control Management Components, unselect the other options, and then click Next.
15. The Unified Network Control servers appear, all selected for a standalone installation. Click Next. Unified Network Control Administrator and Port Settings appears.
16. Enter the user name, password, and email address for the person responsible for implementing Total Defense for Unified Network Control. If you specify a domain with the user name (for example, domain\username), the installer attempts to authenticate the user name through Active Directory. If you do not enter a domain, the installer stores the unauthenticated user name and password in the Total Defense for Unified Network Control database catalog.
17. Accept the port numbers for the web service and certificate web sites by clicking Next. Email Notifications appears.
18. Enter the email address for the Total Defense for Unified Network Control administrator. If authentication is required to access the Management Server, select the check box for an authenticated user, and enter the domain user name and password. Database Selection appears.
19. Choose to install Microsoft SQL Server Express or use an existing Microsoft SQL Server or Microsoft SQL Server Express installation. Click Next.
Note: If the installer discovers an existing Microsoft SQL Server or Microsoft SQL Server Express installation on the host computer, the choice to install Microsoft SQL Server Express is disabled.
If you chose to use an installed database server in this step, Database Version appears. If you chose to install Microsoft SQL Server Express in this step, Database Server appears.
20. (Installing Microsoft SQL Server Express) Enter the following database login information:
- User Name
- Password
Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.
21. (Using an installed database server) Click the Microsoft SQL Server and ODBC Driver types that identify your installed database server. Click Next. Database Connection appears.
22. Enter the following database configuration information for the UNC Management Server, and then click Next.
- Database Login Name
- Database Login Password
- Database Instance Name
- Database Host Name (fully qualified domain name)
Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.
23. Click the Test SQL Connection button to verify the connection, close the message box, and then click Next. The database configuration information on the screen must be complete. The Destination screen appears.
24. Click the Browse button (...) to select or create an installation folder, or accept the default installation location, and then click Next. Finish Installation appears with a list of the components you selected for installation.
25. Review the list of components and click Finish to begin the installation. To modify any of the installation options, click Back to make the necessary adjustments.
Install Server Components (Distributed Install)
Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.
4. (Optional) Select the name of a failed test on the screen to display the test results. The results appear on the right side of the screen.
5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.
Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.
6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?" Click Yes to continue with the installation; No cancels the installation. Product Selection appears.
7. Select the following options, and then click Next:
- Would you like to install the Management Server? Select Yes if you are installing on the first of multiple machines in a distributed installation, or if you are installing all components on only one machine. Select No if you are installing on an additional machine in a distributed installation.
- Endpoint Protection. Select this option to install Total Defense for Unified Network Control.
- Gateway Security. Do not select this option.
License Agreements appear.
8. After reading the agreements, click I accept the terms of the License Agreements, and then click Next. Registration appears.
9. Enter the registration information, and then click Next.
Note: The Total Defense Entitlement Management System (EMS) sends a license activation link to the email address that you enter on this screen. Make sure to enter an address that you check frequently so that you can finalize the license activation process.
Renewal appears.
10. (Optional) Modify the information as needed if your Renewal Contact information is different from the Product Registration information, and then click Next. Internet Proxy Information appears.
11. If you are using a proxy to access the Internet, enter the information necessary or select the check box indicating that a web proxy server is not used to access the Internet, and then click Next. License Verification appears.
12. Copy and paste your license (or manually enter it using all UPPER CASE characters), and then click Next. If you have an Internet connection, the Total Defense Entitlement Management Server is contacted and registers your license. If you do not have an Internet connection or the Entitlement Management Server cannot be reached, click Next to complete the installation in a 30-day trial mode.
Note: The Management Server will attempt to complete the registration for you when the installation is complete. The server will attempt to activate the license for 5 days. If it is unable to do so, a message will appear in the banner of the Management Console with a link to instructions on how to complete the registration.
Installation Type appears.
13. Select Distributed Installation, and then click Next. Another Product Selection appears and displays the options you are entitled to install.
14. Select Unified Network Control Management Components, unselect all other options, and then click Next. Unified Network Control appears.
15. Select the server components you want to install, and then click Next. For information on the Total Defense for Unified Network Control server components, see Architecture Overview (see page 8). Unified Network Control Administrator and Port Settings appears.
16. Enter the user name, password, and email address of the individual who will be responsible for managing Total Defense for Unified Network Control. This user may be you or another user who has a valid account on the machine that will host the Total Defense for Unified Network Control Management Server. This user will have full Administrative authority within the Management Server.
17. Accept the default ports by clicking Next. Email Notifications appears.
18. Enter the email address for the Total Defense for Unified Network Control administrator. If authentication is required to access the Management Server, select the check box for an authenticated user, and enter the domain user name and password. Database Selection appears.
19. Choose to use an existing database or install a new one to use with Total Defense for Unified Network Control, and then click Next.
Note: If the installer discovers an existing Microsoft SQL Server or Microsoft SQL Server Express installation on the host computer, the choice to install Microsoft SQL Server Express is disabled.
If you chose Install Microsoft SQL Server Express, Database Server appears. Enter a user name and password for the new SQL Server Express database server, and then click Next.
If you chose Use existing MS SQL Server or SQL Server Express, Database Version appears. Do the following:
a. Select the version of MS SQL Server and ODBC driver to use, and then click Next. Database Connection appears.
b. Enter the database configuration information, and then click Next.
Note: Total Defense highly recommends creating and using an account other than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.
20. Accept the default installation folder, or click the Browse button (...) and create or select a different folder, and then click OK. Click Next. Finish Installation appears with the list of components you selected for installation.
21. Review the list of components. To modify any of the installation options, click Back to make the necessary adjustments. To begin the installation, click Finish.
Install Server Components (Combined Standalone Install)
Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.
4. (Optional) Select the name of a failed test on the screen to display the test results. The results appear on the right side of the screen.
5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.
Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.
6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?" Click Yes to continue with the installation; No cancels the installation. Product Selection appears.
7. Select the following options, and then click Next:
- Would you like to install the Management Server? Select Yes.
- Endpoint Protection. Select this option to install Total Defense and Total Defense for Unified Network Control.
- Gateway Security. Do not select this option.
License Agreements appear.
8. After reading the agreements, click I accept the terms of the License Agreements, and then click Next. Registration appears.
9. Enter the registration information, and then click Next.
Note: The Total Defense Entitlement Management System (EMS) sends a license activation link to the email address that you enter on this screen. Make sure to enter an address that you check frequently so that you can finalize the license activation process.
Renewal appears.
10. (Optional) Modify the information as needed if your renewal contact information is different from the product registration information, and then click Next. Internet Proxy Information appears.
11. If you use a web proxy to access the Internet, enter the specified information, and then click Next. License Verification appears.
12. Copy and paste your license (or manually enter it using all UPPER CASE characters), and then click Next. If you have an Internet connection, the Total Defense Entitlement Management Server is contacted and registers your license. If you do not have an Internet connection or the Entitlement Management Server cannot be reached, click Next to complete the installation in a 30-day trial mode.
Note: The Management Server will attempt to complete the registration for you when the installation is complete. The server will attempt to activate the license for 5 days. If it is unable to do so, a message will appear in the banner of the Management Console with a link to instructions on how to complete the registration.
Installation Type appears.
13. Click Standalone Installation, and then click Next. Another Product Selection appears.
14. Select Endpoint Protection Management Components and Unified Network Control Management Components, and then click Next. Endpoint Discovery Acknowledgement appears.
38 Implementation Guide
15. Read the acknowledgement and click Next. Certificate Password appears.
16. Enter a password for the digital certificate, verify the password, and then click Next. This password protects the generation and storage of your digital certificate and encrypts and authenticates sensitive Total Defense data communications.
   Note: If you install additional server components or proxies at a later time, the Installation Wizard prompts you for this password. Total Defense recommends storing this password in a safe location.
   User Specification appears.
17. Enter the user name and password of the individual who will perform the remote deployment of the Total Defense Agent/Client, and of the user who will initiate the Endpoint Discovery process to discover all unmanaged endpoints in your organization. Port Specification appears.
18. (Optional) Modify the Total Defense Management Server ports, if necessary, and then click Next. Unified Network Control appears.
19. The Total Defense for Unified Network Control server components to be installed are displayed. Click Next. Unified Network Control Administrator and Port Settings appears.
20. Enter the user name, password, and email address for the person responsible for implementing Total Defense for Unified Network Control. If you specify a domain with the user name (for example, domain\username), the installer attempts to authenticate the user name through Active Directory. If you do not enter a domain, the installer stores the unauthenticated user name and password in the Total Defense for Unified Network Control database catalog.
21. Accept the port numbers for the web service and certificate web sites by clicking Next. Email Notifications appears.
22. Enter the Fully Qualified Domain Name of your email server and your email address to receive email notification when certain events occur and when reports are ready for viewing. If authentication is required, click Authenticated Server, and enter the domain user name and password. Database Selection appears.
23. Choose to install Microsoft SQL Server Express or use an existing Microsoft SQL Server or Microsoft SQL Server Express installation. Click Next.
   Note: If the installer discovers an existing Microsoft SQL Server or Microsoft SQL Server Express installation on the host computer, the choice to install Microsoft SQL Server Express is disabled. If you choose to use an installed database server in this step, Database Version will appear. If you choose to install Microsoft SQL Server Express in this step, Database Server will appear instead.
24. (Database Server screen) Enter the following database server login information:
   User Name
   Password
   Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.
   Destination appears. (Skip the Database Version and Database Connection steps.)
25. (Database Version) Click the Microsoft SQL Server and ODBC Driver types that identify your installed database server. Click Next. Database Connection appears.
26. (Database Connection) Enter the following database configuration information for the Total Defense and Total Defense for Unified Network Control Management Servers:
   Database Login Name
   Database Login Password
   Database Instance Name
   Database Host Name (fully qualified domain name)
   Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.
27. (Database Connection, continued) Click the Test SQL Connection button to verify the connection, close the message box, and then click Next. The database configuration information on the screen must be complete. Destination appears.
28. Click the Browse button (...) to select or create an installation folder, or accept the default installation location, and then click Next. Finish Installation appears with a list of the components you selected for installation.
29. Review the list of components and click Finish to begin the installation. To modify any of the installation options, click Back to make the necessary adjustments.
First-Time Install
The instructions in this section describe how to perform a first-time Distributed Installation in which the Management Servers and Management Consoles of Total Defense and Total Defense for Unified Network Control, and any other available server components, are installed on the same machine.
Note: Read and perform the tasks in the Pre-Installation Checklist for Total Defense and Total Defense for Unified Network Control before you begin this procedure.
To perform a Distributed Installation
1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the Installation Wizard does not start automatically, click setup.exe located in the root folder of the DVD. The Language dialog appears.
2. Select the appropriate installation language and click OK. Main Menu appears.
3. Click Install Total Defense Suite r12. The Installation Wizard validates the operating system running on the host computer. If the operating system is not supported, the Installation Wizard displays an error message with a list of supported operating systems and virtual environments. Click Next or Exit to cancel the installation. If the operating system is supported, the Installation Wizard displays a list of prerequisite tests to be performed. Click Next or Exit to proceed with the tests. The Installation Wizard runs the tests and displays the results (Success, Fail, or Optional). Success indicates that the test succeeded and that the prerequisite is met. Fail indicates that the test failed and that the prerequisite is not met. Optional indicates that the test failed, but that the tested item or condition is optional.
   Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.
4. (Optional) Select the name of a failed test on the screen to display the test results.
   The results appear on the right side of the screen.
5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.
   Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.
6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?" Click Yes to continue with the installation. No cancels the installation. Product Selection appears.
7. Select the following options, and then click Next:
   Would you like to install the Management Server? Select Yes if you are installing on the first of multiple machines in a distributed installation, or if you are installing all components on only one machine.
   Endpoint Protection. Select this option to install Total Defense and Total Defense for Unified Network Control.
   Gateway Security. Do not select this option.
   License Agreements appear.
8. After reading the agreements, click I accept the terms of the License Agreements, and then click Next. Registration appears.
9. Enter the registration information, and then click Next.
   Note: The Total Defense Entitlement Management System (EMS) sends a license activation link to the email address that you enter on this screen. Make sure to enter an address that you check frequently so that you can finalize the license activation process.
   Renewal appears.
10. (Optional) Modify the information as needed if your renewal contact information is different from the product registration information, and then click Next. Internet Proxy Information appears.
11. If you are using a proxy to access the Internet, enter the necessary information, or select the check box indicating that a web proxy server is not used to access the Internet, and then click Next. License Verification appears.
12. Copy and paste your license (or manually enter it using all UPPER CASE characters), and then click Next. If you have an Internet connection, the Total Defense Entitlement Management Server is contacted and registers your license. If you do not have an Internet connection or the Entitlement Management Server cannot be reached, click Next to complete the installation in a 30-day trial mode.
   Note: The Management Server will attempt to complete the registration for you when the installation is complete. The server will attempt to activate the license for 5 days. If it is unable to do so, a message will appear in the banner of the Management Console with a link to instructions on how to complete the registration.
   Installation Type appears.
13. Click Distributed Installation, and then click Next. Another Product Selection appears and displays the options you are entitled to install.
14. Select Endpoint Protection Management Components and Unified Network Control Management Components, and then click Next. Endpoint Discovery Acknowledgement appears.
15. Read the Acknowledgement and click Next. Server Components appears.
16. Select the Total Defense server components you want to install, and then click Next. If this is a first installation, the Total Defense Management Server and Management Console are automatically selected. You can install other server components on the same system or unselect the components to install them elsewhere. Server Location appears.
17. Enter the Fully Qualified Domain Names for the Total Defense Report Server, Events Server, or both, and then click Next. An FQDN is required for any server not selected for installation on the preceding Server Components screen. Certificate Password appears.
18. Enter a password for the digital certificate, verify the password, and then click Next. This password protects the generation and storage of your digital certificate and encrypts and authenticates sensitive Total Defense data communications.
   Note: If you install additional server components or proxies at a later time, the Installation Wizard prompts you for this password. Total Defense recommends storing this password in a safe location.
   User Specification appears.
19. Enter the user name and password of the individual who will perform remote deployments of the Total Defense Agent/Client, and the user name and password of the user who will initiate the discovery of endpoints on your network.
   Note: It is preferred that the Endpoint Discovery user have domain administrative privileges; however, it is not a requirement. Using domain administrator privileges ensures a better discovery rate. The remote deployment account can be a user in the Local Users group or a domain user.
   Port Specification appears.
20. Accept or modify the default ports for the Total Defense Management Server, and then click Next. Unified Network Control appears.
21. The Total Defense for Unified Network Control server components to be installed are displayed. Click Next. Unified Network Control Administrator and Port Settings appears.
22. Enter the user name, password, and email address for the person responsible for implementing Total Defense for Unified Network Control. If you specify a domain with the user name (for example, domain\username), the installer attempts to authenticate the user name through Active Directory. If you do not enter a domain, the installer stores the unauthenticated user name and password in the Total Defense for Unified Network Control database catalog.
23. Accept the port numbers for the web service and certificate web sites by clicking Next. Email Notifications appears.
24. Enter the Fully Qualified Domain Name of your email server and your email address to receive email notification when certain events occur and when reports are ready for viewing. If authentication is required, click Authenticated Server, and enter the domain user name and password. Database Selection appears.
25. Choose to install Microsoft SQL Server Express or use an existing Microsoft SQL Server or Microsoft SQL Server Express installation. Click Next.
   Note: If the installer discovers an existing Microsoft SQL Server or Microsoft SQL Server Express installation on the host computer, the choice to install Microsoft SQL Server Express is disabled. If you choose to use an installed database server in this step, Database Version and Database Connection will appear. If you choose to install Microsoft SQL Server Express in this step, Database Server will appear instead.
26. (Database Server) Enter the following database server login information, and then click Next:
   User Name
   Password
   Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.
   Destination appears. (Skip the Database Version and Database Connection steps.)
27. (Database Version) Click the Microsoft SQL Server and ODBC Driver types that identify your installed database server. Click Next. Database Connection for Total Defense appears.
28. (Database Connection screen) Enter the following database configuration information for the Total Defense Management Server:
   Database Login Name
   Database Login Password
   Database Instance Name
   Database Host Name (fully qualified domain name)
   Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.
29. (Database Connection) Click the Test SQL Connection button to verify the connection, close the message box, and then click Next. The database configuration information on the screen must be complete. The Database Connection screen for Total Defense for Unified Network Control appears.
30. (Database Connection) For the Total Defense for Unified Network Control Management Server, enter the same database information you used for Total Defense. Also verify the connection, close the message box, and then click Next. Destination appears.
31. Click the Browse button (...) to select or create an installation folder, or accept the default installation location, and then click Next. Finish Installation appears with a list of the components you selected for installation.
32. Review the list of components and click Finish to begin the installation. To modify any of the installation options, click Back to make the necessary adjustments.
Note: During the installation of the Endpoint Discovery feature, a WinPCap install wizard appears. Click Next, I Agree, Install, and Finish when required to accept all of the default settings and continue with the Total Defense installation.
Subsequent Install
The instructions in this section describe how to install some or all of the remaining server components during a subsequent install. The Total Defense and Total Defense for Unified Network Control Management Servers and Management Consoles must have already been installed on a different machine during a first-time Distributed Installation.
Note: Read and perform the tasks in the Pre-Installation Checklist for Total Defense and Total Defense for Unified Network Control before you begin this procedure.
To perform a Distributed Installation
1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the Installation Wizard does not start automatically, click setup.exe located in the root folder of the DVD. The Language dialog appears.
2. Select the appropriate installation language and click OK. Main Menu appears.
3. Click Install Total Defense Suite r12. The Installation Wizard validates the operating system running on the host computer. If the operating system is not supported, the Installation Wizard displays an error message with a list of supported operating systems and virtual environments. Click Next or Exit to cancel the installation. If the operating system is supported, the Installation Wizard displays a list of prerequisite tests to be performed. Click Next or Exit to proceed with the tests. The Installation Wizard runs the tests and displays the results (Success, Fail, or Optional). Success indicates that the test succeeded and that the prerequisite is met. Fail indicates that the test failed and that the prerequisite is not met. Optional indicates that the test failed, but that the tested item or condition is optional.
Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.
4. (Optional) Select the name of a failed test on the screen to display the test results. The results appear on the right side of the screen.
5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.
   Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.
6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?" Click Yes to continue with the installation. No cancels the installation. Product Selection appears.
7. Select the following options, and then click Next:
   Would you like to install the Management Server? Select No if you are installing on an additional machine in a distributed installation.
   Endpoint Protection. Select this option to install Total Defense and Total Defense for Unified Network Control.
   Gateway Security. Do not select this option.
   Another Product Selection appears and displays the options you are entitled to install.
8. Select Endpoint Protection Management Components and Unified Network Control Management Components, and then click Next. Management Server appears.
9. Enter the Fully Qualified Domain Name of the Endpoint Protection Master Management Server, and then click Next to accept the default port number. Server Components for Total Defense appears.
10. Select the Total Defense server components you want to install, and then click Next. The Total Defense Management Server and Management Console are not available. You can install other server components or unselect the components to install them elsewhere. Certificate Password appears.
11. Enter the password for the digital certificate, verify the password, and then click Next.
   Note: This is the certificate password you created when you installed the Management Server and Management Console during the first-time installation.
12. Enter the Fully Qualified Domain Names for the Total Defense Report Server, Events Server, or both, and then click Next. An FQDN is required for any server not selected for installation on the preceding Server Components screen. Unified Network Control appears.
13. The Total Defense for Unified Network Control server components to be installed are displayed. Click Next. Unified Network Control Management Server Settings appears.
14. Enter the following Management Server and Administrator information:
   Management Server IP Address
   Management Server Host Name
   Administrator User Name
   Administrator Password
   The Administrator information must match what was specified during the first-time installation of the Management Server and Management Console.
15. Accept the port numbers for the web service and certificate web sites by clicking Next. Database Selection appears.
16. Choose to use the Endpoint Protection Management Server. Database Version appears.
17. Click the Microsoft SQL Server and ODBC Driver types that identify your installed database server. Click Next. Database Connection appears.
18. Enter the following database configuration information for the Total Defense and Total Defense for Unified Network Control Management Servers:
   Database Login Name
   Database Login Password
   Database Instance Name
   Database Host Name (fully qualified domain name)
19. Click the Test SQL Connection button to verify the connection, close the message box, and then click Next. The database configuration information on the screen must be complete. Destination appears.
20. Click the Browse button (...) to select or create an installation folder, or accept the default installation location, and then click Next.
   Finish Installation appears with a list of the components you selected for installation.
21. Review the list of components and click Finish to begin the installation. To modify any of the installation options, click Back to make the necessary adjustments.
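The Test SQL Connection step in this procedure (and the same step in the Standalone and first-time Distributed procedures) can be rehearsed before the wizard reaches it. The PowerShell below is an added example, not part of the Total Defense installer: it opens a connection using the four Database Connection fields and reports whether the login holds the sysadmin role and whether it is the built-in sa account the guide recommends against. The host, instance and login names are constructed placeholders.

```powershell
# Added example, not part of the Total Defense documentation. Pre-flight check for the
# Database Connection screen: connects with the values the wizard asks for and verifies
# that the login has sysadmin and is not the default sa account.
# Host, instance and login names are constructed placeholders; the password is read as a
# SecureString so it never lands in the script or the shell history.

function Test-TdSqlConnection {
    param(
        [Parameter(Mandatory)] [string] $DatabaseHostName,     # Database Host Name (FQDN)
        [string] $DatabaseInstanceName = '',                   # Database Instance Name; empty = default instance
        [Parameter(Mandatory)] [string] $DatabaseLoginName,    # Database Login Name
        [Parameter(Mandatory)] [securestring] $DatabaseLoginPassword
    )

    $dataSource = if ($DatabaseInstanceName) { "$DatabaseHostName\$DatabaseInstanceName" } else { $DatabaseHostName }

    # Unwrap the SecureString only for as long as the connection string needs it.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($DatabaseLoginPassword)
    try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder.DataSource     = $dataSource
    $builder.UserID         = $DatabaseLoginName
    $builder.Password       = $plain
    $builder.InitialCatalog = 'master'
    $builder.ConnectTimeout = 15

    $result = [ordered]@{
        DataSource    = $dataSource
        Connected     = $false
        LoginName     = $null
        IsSysadmin    = $false
        IsSaAccount   = $false
        ServerVersion = $null
        Error         = $null
    }

    $conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
    try {
        $conn.Open()
        $result.Connected     = $true
        $result.ServerVersion = $conn.ServerVersion

        # IS_SRVROLEMEMBER returns 1 when the current login holds the named server role.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT SUSER_SNAME(), ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0)"
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            $result.LoginName   = $reader.GetString(0)
            $result.IsSysadmin  = ($reader.GetInt32(1) -eq 1)
            $result.IsSaAccount = ($result.LoginName -ieq 'sa')
        }
        $reader.Close()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $conn.Dispose()
        $plain = $null
    }
    [pscustomobject]$result
}

# Usage with constructed values: prompt for the password, then evaluate the result.
$pw = Read-Host -Prompt 'Database Login Password' -AsSecureString
$check = Test-TdSqlConnection -DatabaseHostName 'sqlhost.example.local' `
                              -DatabaseInstanceName 'SQLEXPRESS' `
                              -DatabaseLoginName 'td_install' `
                              -DatabaseLoginPassword $pw

if (-not $check.Connected) {
    Write-Warning "Connection failed: $($check.Error)"
} elseif ($check.IsSaAccount) {
    Write-Warning 'Login is sa; the guide recommends a separate account with sysadmin instead.'
} elseif (-not $check.IsSysadmin) {
    Write-Warning "Login $($check.LoginName) lacks the sysadmin role the installer requires."
} else {
    Write-Host "OK: $($check.LoginName) on $($check.DataSource) (SQL Server $($check.ServerVersion))"
}
```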
If performing a Standalone installation, you will have to wait until all of the server components are installed to verify that their services are running.
To enable JavaScript in a Mozilla Firefox window
1. Select Tools from the top of the window.
2. Click Options.
3. Click the Content tab.
4. Select the Enable JavaScript check box.
5. Click OK.
The following Microsoft Step-by-Step Guides explain how to perform these steps for different enforcement methods:
   Step-by-Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab
   Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab
   Step-by-Step Guide: Demonstrate NAP VPN Enforcement in a Test Lab
   Step-by-Step Guide: Demonstrate NAP IPsec Enforcement in a Test Lab
You can find these guides by searching for all or part of their titles at http://www.microsoft.com/downloads.
   Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.
4. (Optional) Select the name of a failed test on the screen to display the test results. The results appear on the right side of the screen.
5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.
   Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.
6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?" Click Yes to continue with the installation. No cancels the installation. Product Selection appears.
7. Respond as indicated to the following options, and then click Next:
   Would you like to install the Management Server: No
   Endpoint Protection: Selected
   Gateway Security: Unselected
   Product Selection appears.
8. Select the Unified Network Control Management Components check box, and then click Next. The other Total Defense products are not required for this installation. Unified Network Control appears.
9. Select the Unified Network Control Client Agent check box, and then click Next. The other UNC components are not required for this installation. Destination appears.
10. Enter the destination folder for the UNC product installation, and then click Next. (Use the ellipsis (...) to browse to a location.) Finish Installation appears.
11. Verify that Unified Network Control is the only component selected for installation, and then click Finish. A progress bar and Current Action indicate the progress of the installation. When the installation finishes, a reboot prompt message appears.
12. Click Yes to restart the computer. To restart the computer at a later time, click No. The computer restarts.
   Click OK. Cancel discards your changes. Your changes are saved. The dialog closes.
5. Open the Services window (click Start, All Programs, Administrative Tools, and then Services) on the UNC Client Agent computer and restart the Unified Network Control service.
   The selected Total Defense for Unified Network Control components are removed or reinstalled depending on your previous selections. The Maintenance Complete screen appears.
6. Select Yes to restart your computer now or No to restart it later, and click Finish.
Appendix A: Troubleshooting
This section contains the following topics: Management Server (see page 63) Communication Server (see page 64) Uninstalling Servers (see page 65)
Management Server
Reimporting the SSL Certificate
When the Management Console is hosted in IE 7.0 or above with the SSL combination environment, and executed using local host (for example, https://localhost/uncgui/mainapplication.html), the print and export feature may not work because of the Certificate Import Issue in the browser.
To re-import the SSL certificate
1. Open an Internet Explorer browser window. Click Tools, and then click Internet Options. The Internet Options dialog appears.
2. Click the Content tab. The Content page appears.
3. Click Certificates. The Certificates dialog appears.
4. Click Import. The File to Import pane appears.
5. Click Browse and select the appropriate certificate from the physical location on your local machine. It could be the same certificate created at the time of installation. Click Next. The Certificate Store pane appears.
6. Choose the Personal location by default or let the system choose the location based on the certificate.
7. Click Next to import the certificate to your browser and view the summary.
8. A message box appears, indicating success.
9. Click OK, Close, and OK.
Communication Server
Any critical error/information from UNCMS Services will also be logged in the Windows Logs under the Application category for easy reference.
To locate the Windows logs
1. Click Start, All Programs, Administrative Tools, and then Computer Management. The Computer Management window appears.
2. In the browser pane on the left, expand System Tools and then Event Viewer, and then click Application. A list of error and information messages appears. Relevant messages are from the Total Defense for Unified Network Control Management Server.
Verifying the Presence of the System Health Validator
After restarting the Communication Server, verify System Health Validator is present under Health Policies of Compliant and Non-compliant properties.
Uninstalling Servers
If you are using the installer to remove the Management, Reporting, or Communication Server and the operation fails, you can remove the server manually with one of the following msiexec commands executed from the Command Prompt:
Note: When uninstalling a Standalone installation, uninstall the components in the following order: 1. 2. 3.
32-bit
Communication Server:
msiexec /X {ED315E14-2F90-4C16-90EA-7798C900097E}
Reporting Server:
msiexec /X {8A79276E-A0F2-43EC-8127-E6052B791E41}
Management Server:
msiexec /X {1F841E57-A694-4090-AAA4-28C39A73089B}
Client Agent:
msiexec /X {FBBC00EC-2A53-4A76-8004-2D8A5CFC55D5}
Reporting Server:
msiexec /X {8A79276E-A0F2-43EC-8127-E6052B791E41}
Management Server :
msiexec /X {7CD61E76-26B3-42F9-9E3F-05C8446EE621}
Client Agent:
msiexec /X {0D2C2595-912D-488E-8F3D-67254F3ABF6E}
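To run the manual removals above in the order they are listed, with a verbose Windows Installer log per component and a preview mode, here is an added PowerShell example; it is not part of the Total Defense installer. The product codes are the ones printed above, the log folder is an assumption, and the script must run from an elevated prompt.

```powershell
# Added example, not part of the Total Defense documentation. Runs the manual msiexec
# removals from this appendix in the order listed, skips product codes that are not
# registered on the machine, and writes a verbose log per component so a failed removal
# can be diagnosed. Run from an elevated PowerShell prompt.

$LogDir = Join-Path $env:TEMP 'TotalDefense-Uninstall'   # assumed log location

# Product codes as printed in the appendix. The Reporting Server code is printed in both
# groups, so it is listed once here.
$Components = @(
    @{ Name = 'Communication Server (32-bit)'; Code = '{ED315E14-2F90-4C16-90EA-7798C900097E}' },
    @{ Name = 'Reporting Server';              Code = '{8A79276E-A0F2-43EC-8127-E6052B791E41}' },
    @{ Name = 'Management Server';             Code = '{1F841E57-A694-4090-AAA4-28C39A73089B}' },
    @{ Name = 'Client Agent';                  Code = '{FBBC00EC-2A53-4A76-8004-2D8A5CFC55D5}' },
    @{ Name = 'Management Server';             Code = '{7CD61E76-26B3-42F9-9E3F-05C8446EE621}' },
    @{ Name = 'Client Agent';                  Code = '{0D2C2595-912D-488E-8F3D-67254F3ABF6E}' }
)

function Test-MsiProductInstalled {
    # Windows Installer registers every installed product under one of these two keys.
    param([Parameter(Mandatory)] [string] $ProductCode)
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (Test-Path (Join-Path $root $ProductCode)) { return $true }
    }
    return $false
}

function Remove-TdComponents {
    param(
        [Parameter(Mandatory)] [object[]] $Ordered,
        [switch] $Preview      # list what would run without calling msiexec
    )
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

    foreach ($c in $Ordered) {
        if (-not (Test-MsiProductInstalled $c.Code)) {
            Write-Host "Skipping $($c.Name): $($c.Code) is not registered on this machine."
            continue
        }
        $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
        $logFile = Join-Path $LogDir ('{0}-{1}.log' -f ($c.Name -replace '[^\w]', '_'), $stamp)

        # Same command as the appendix, plus a verbose log of the removal.
        $argList = "/X $($c.Code) /L*v `"$logFile`""
        if ($Preview) { Write-Host "Would run: msiexec.exe $argList"; continue }

        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru
        switch ($proc.ExitCode) {
            0       { Write-Host "Removed $($c.Name)." }
            3010    { Write-Warning "Removed $($c.Name); a reboot is required before continuing." }
            1605    { Write-Host "$($c.Name) was not installed (msiexec 1605)." }
            default { throw "msiexec returned $($proc.ExitCode) for $($c.Name); see $logFile" }
        }
    }
}

# Preview first; drop -Preview to perform the removals.
Remove-TdComponents -Ordered $Components -Preview
```

Exit code 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) means the component was removed but Windows Installer needs a restart before the next removal; the script stops on any other non-zero code so the remaining components are not attempted against a half-removed installation.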