RSA EnVision 4.0 Configuration Guide

RSA enVision™
Configuration Guide
enVision 4.0
RSA enVision 4.0
Configuration Guide
Copyright © 1996 - 2009 RSA Security Inc.
enVision, Enterprise Dashboard, and Internet Protocol Database (IPDB) are trademarks of RSA Security Inc. LogSmart is a
registered trademark of RSA Security Inc.
All other trademarks, service marks, registered trademarks, registered service marks mentioned in this document are the
property of their respective owners.
Information in this document is subject to change without notice. The software described in this document is furnished under
a license agreement or nondisclosure agreement. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose
other than the purchaser’s personal use without the written permission of RSA Security Inc.
RSA Security Inc.

200 Lowder Brook Drive, Suite 2000
Westwood, MA 02090
U.S.A.
781.375.9000
Contents
1. INTRODUCTION .................................................................................................... 1-1
Site Deployment......................................................................................................................................... 1-2
2. SINGLE APPLIANCE SITE .................................................................................... 2-1

Configuration Tasks.................................................................................................................................. 2-2
Next Steps................................................................................................................................................... 2-2
Configuration Wizard Planning Worksheet Single Appliance Site ...................................................... 2-3

Name the Site.......................................................................................................................................... 2-3
IP Address............................................................................................................................................... 2-4
Identify External Storage ........................................................................................................................ 2-4
DNS Servers............................................................................................................................................ 2-5
Time ........................................................................................................................................................ 2-6
External IP Address ................................................................................................................................ 2-7
3. MULTIPLE APPLIANCE SITE ............................................................................... 3-1

Site Deployment......................................................................................................................................... 3-2
Multiple Site Deployment ....................................................................................................................... 3-3
Site Access in the NIC Domain .............................................................................................................. 3-6
Multiple Appliance Site with Enhanced Availability.............................................................................. 3-6
Next Steps................................................................................................................................................... 3-8
Configuration Wizard Planning Worksheet Multiple Appliance Site .................................................. 3-9

NIC Domain............................................................................................................................................ 3-9
Site .......................................................................................................................................................... 3-9
Identify Appliances in the Site.............................................................................................................. 3-10
Identify External Storage ...................................................................................................................... 3-10
DNS Servers.......................................................................................................................................... 3-11
Time ...................................................................................................................................................... 3-12
Local Site Time..................................................................................................................................... 3-12
Site to Site Connection.......................................................................................................................... 3-13
Data Server External IP Address........................................................................................................... 3-13
4. REMOTE COLLECTOR SITE ................................................................................ 4-1

Verify the RC Configuration................................................................................................................... 4-3
Configure the Data Forwarding Task...................................................................................................... 4-4
Test the Configuration ............................................................................................................................ 4-5
Configuration Wizard Planning Worksheet Remote Collector Site ..................................................... 4-6

Name the Site.......................................................................................................................................... 4-6
Identify Appliance................................................................................................................................... 4-7
RSA enVision 4.0 Configuration Guide iii

Contents
DNS Servers............................................................................................................................................ 4-7

Time ........................................................................................................................................................ 4-8
Site to Site Connection............................................................................................................................ 4-9
Data Server External IP Address............................................................................................................. 4-9
5. NEXT STEPS ......................................................................................................... 5-1

Set Up enVision.......................................................................................................................................... 5-1
Log In to enVision ..................................................................................................................................... 5-2
enVision Client Software and Hardware Requirements........................................................................ 5-3
Log Out of enVision .................................................................................................................................. 5-4
APPENDIX A. CONNECT TO THE APPLIANCE USING A KEYBOARD,

MONITOR, AND MOUSE ........................................................................................... A-1
APPENDIX B. DELL REMOTE ACCESS CONTROLLER UTILITY........................... B-1

Ports Used by enVision for the DRAC Utility.........................................................................................B-1
Set Up the Remote Access Controller Utility ..........................................................................................B-2
Access the Appliance from a Remote Location.......................................................................................B-4
APPENDIX C. CHANGE PRIVATE RSA ENVISION NETWORK IP ADDRESSES... C-1

Rename IP Address for Each Appliance before Setting Up Your Site ................................................ C-2
Add Trusted Sites ..................................................................................................................................... C-3
Change the IP Addresses in the Configuration Wizard to Match Renamed

Appliance Addresses ................................................................................................................................ C-3
RSA enVision 4.0 Configuration Guide iv

Preface
This guide contains information on configuring your RSA enVision™ site. Use this guide in conjunction
with the Hardware Guide.
Audience
The Configuration Guide is for system administrators who need to configure an enVision site.
Documentation Set
The enVision documentation set consists of the following:
Documentation Description
Configuration Guide Instructions on configuring your enVision site. Intended audience is

the system administrator.
Hardware Guide Instructions on setting up your RSA enVision appliances. Intended

audience is the system administrator.
Migration Guide Instructions on migrating your data from a previous version of

enVision to the current version.
Online Help Comprehensive online guide to setting up enVision processing

options and using enVision analysis tools.
Go to https://knowledge.rsasecurity.com and log into RSA SecurCare Online to download all product
documentation.
Conventions
This guide uses the following conventions:
Item Formatting
Literals (exact values that the user Bold font.

must type)
Example: Type New Report.
Variables (adjustable values that the Bold, italicized font.

user must type)
Example: Type user-name.
Fields, buttons, menu items, and so Bold font. (Note: Screen names are not bold.)
forth
Example: Type New Report in the Description field on the Report
Setup window.
Keys (on the keyboard) Bold font.

Example: Press Enter.
RSA enVision 4.0 Configuration Guide v

Preface
Contact RSA
Contact RSA at:
200 Lowder Brook Drive

Suite 2000
Westwood, MA 02090
U.S.A.
Telephone: 781.375.9000
Fax: 781.375.9100
World Wide Web: http://www.rsa.com
Sales
You can purchase enVision directly from RSA’s dedicated team of sales professionals or through RSA’s
North American and international resellers. Call RSA at 781.375.9000.
Technical Support
You can contact Technical Support as follows:
 By Telephone - Technical support is available during business hours via telephone at

800.995.5095.
 Through the Internet - The RSA SecurCare Online support page contains answers to common
questions and solutions to known problems. It also provides information on new releases,
important technical news, device configuration guides, product documentation, and software
downloads. You can visit the RSA SecurCare Online web site at
https://knowledge.rsasecurity.com. You can visit the RSA Technical Support web site at
https://www.rsa.com/support.
RSA enVision 4.0 Configuration Guide vi

1. Introduction
RSA enVision™ is a feature-rich compliance and security application. It allows you to capture and analyze
log information automatically from your network, security, application, operating and storage
environments. The enVision's LogSmart® Internet Protocol Database (IPDB) provides the only
architecture proven to collect and protect all the data automatically, from any network device, without
filtering or agents. It gives you an accurate picture of how your network is being used, and by whom. It
independently monitors your network to verify security policies, to generate alerts for possible compliance
breaches, and to analyze and report on network performance.
enVision is tightly coupled with its underlying appliance operating system and hardware, and together they
comprise a highly scalable platform that provides guaranteed levels of performance.
enVision is made up of three components:

 Application—supports interactive users and runs the suite of analysis tools.
 Collector—captures incoming events.
 Database—manages access and retrieval of captured events.
RSA enVision 4.0 Configuration Guide 1-1

1. Introduction
Site Deployment
enVision is deployed on a site basis. The enVision components are deployed based on the type of site you
have. The two types of sites are:
 Single appliance site.
The ES series appliances are designed to operate in a stand-alone, non-distributed mode. They
have all three enVision components—Application, Collector, and Database—installed on one
appliance. The single appliance is a site. Some single appliance sites have an external storage
system.
See Chapter 2 “Single Appliance Site,” for information on a single appliance site.
 Multiple appliance site.
The LS series appliances are designed to operate in a distributed installation. Each enVision
component—Application, Collector, and Database—is on its own appliance. The appliances
together form a site. Distributed multiple appliance sites allow multiple installations of any of the
three appliance types to be deployed in order to manage the variety of network infrastructures
found in production environments. All multiple appliance sites have external storage systems.
See Chapter 3 “Multiple Appliance Site” for information on a multiple appliance site.
See Chapter 4 “Remote Collector Site” for information on associating a Remote Collector site
with a multiple appliance site.

2. Single Appliance Site
The ES series appliances are designed to operate in a stand-alone, non-distributed mode. The ES appliances
have all three enVision components—Application, Collector, and Database—installed on one appliance.
The single appliance is a site.
See the Hardware Guide for information on the hardware.

Configuration Tasks
The configuration process takes approximately 30 minutes to complete. You cannot change any of the site
configuration options after the wizard is finished. The configuration tasks for a single appliance site are as
follows:
Task Activity
1 Plan the installation. Complete the Configuration Wizard Planning Worksheet - Single Appliance
Site in this chapter.
2 Set up the RSA enVision appliance hardware. Complete the tasks in Chapter 3 “Single Appliance
Site” in the Hardware Guide.
3 Connect to the appliance using a KVM switch. (You can also connect remotely using DRAC instead
of using a local KVM. See Appendix B “Dell Remote Access Controller Utility.”)
The Configuration Wizard starts automatically.
4 Complete the enVision Configuration Wizard.

Note: enVision uses the default IP address 192.168.1.55. IP address conflicts can occur if the LAN
cable is connected to an existing network when you run the configuration wizard. For this reason, you
should verify the LAN cable is not connected to an existing network or confirm the IP address is not
being used before you run the configuration wizard.
If you click Cancel at any time while using the wizard, you must restart the wizard to configure your
site. To restart the wizard, double-click the lsconfigurationwizard.exe file in the
c:\windows\installations directory.
When the wizard displays the Review Page window, verify that everything is correct on the Review
Page. Click Finish. (If the Review page is not correct, click Cancel and check your hardware setup.)
In the last step, the wizard displays the enVision Configuration Wizard Log window. The log
displays the steps the system is performing to configure the site. The system restarts several times
while completing the setup.
The appliances restart automatically when the site configuration process is complete.
5 Immediately after you configure RSA enVision 4.0, RSA strongly recommends that you download
and install two Content Updates: Event Source Update Package and VAM & Signature Content
Update Package.
Go to RSA SecurCareOnline https://knowledge.rsasecurity.com. Click on Products. Under RSA
enVision click Content Updates. Complete the instructions available on that page to download and
install the updates.
6 Apply the license keys that were sent, via email, to the contact provided when you ordered the
enVision appliance.
Next Steps
After the site configuration is complete, you must set up the processing options in enVision. See Chapter 5
“Next Steps” for more information.

Configuration Wizard Planning Worksheet

Single Appliance Site
Name the Site
Site Name
Selecting the site name is extremely important. Once you name the site you cannot change the name. A
valid site name is a unique 2- to 11-character, alphanumeric string.
The site name cannot be the same as any other enVision site name, nor can it be the same as any existing
Windows domain name, or NetBIOS name for a Windows domain. (The NetBIOS name for a Windows
domain is the name preceding the dot). For example if your Windows domain name is
MyDomainName.com, then the NetBIOS name for this Windows domain would be MyDomainName; it
would then be wrong to install an enVision site with the name MyDomainName.
The site name is used in the following names:
 Node name for the appliance. For example, for an ES series appliance site, if your site name is
Seattle, the ES appliance node name is Seattle-ES.
 NIC Windows domain name created for your site. The site name also becomes the name of the
Windows domain created for your site, sitename.nic. For example, if your site name is Seattle,
the Windows domain for the site is Seattle.nic.

IP Address
The default addresses for the appliance are:
 LAN IP address—used to access the appliance on the LAN.
 Subnet mask—used to determine to which subnet an IP address belongs.
 Gateway address—identifies the computer that routes the traffic to the outside network.
You can override the default values during configuration. If you want to override the default values, write
the new values in the table.
Default Override Value
LAN IP Address 192.168.1.155
Subnet Mask 255.255.255.0
Gateway Address 192.168.1.1
Identify External Storage

If your ES series appliance has external storage, the wizard recognizes this and prompts you to enter the IP
address of the DAS external storage device. If you want to override the default IP address value shown
below, write the new value in the table.
DAS IP Address 10.203.2.101

DNS Servers
Identify the primary and secondary DNS servers on your network, and options for the servers. enVision
uses the DNS servers to resolve IP addresses found in events for reporting and alerting.
DNS Server IP Address
Primary
Secondary
Identify processing options for the DNS Servers.
Field Description Option
Do Not Use Recursion Select this check box to indicate that the DNS  Do not Use Recursion
server uses forwarders exclusively to resolve
queries on behalf of its DNS clients. If the
process using forwarders for resolution fails to
resolve a query, a failure message is returned.
Forwarding Timeout Type the number of seconds that the DNS _____ seconds
server continues to attempt to contact and use
a listed forwarder. When the timeout expires,
DNS moves to the next forwarder on the list
and repeats the process. The default value is 5.

Time
Network Time Protocol
You can identify a server to which enVision will periodically synchronize its time.
If you are using a server to synchronize time, you should be aware that known NTP time
servers, such as atomic clocks, are outside your network and may be a security issue. RSA
assumes no risk to your network if you choose to use a known NTP server.
The enVision Configuration Wizard allows you to use the Windows Date and Time
Properties window to update your date and time directly from the wizard. If you change
the time zone on the Time Zone tab, you must click Apply before clicking on the Date &
Time tab to change the time. If you do not click Apply on the Time Zone tab, changing
the time on the Date & Time tab changes the time for the previously selected time zone.
Select NTP Servers
 ntp2.usno.navy.mil
 tock.usno.navy.mil
 tick.usno.navy.mil
 navobs1.oar.net
 ntp0.mcs.anl.gov
 navobs1.wustl.edu
 tick.usnogps.navy.mil
 tock.usnogps.navy.mil
 tick.ucla.edu
 bigben.cac.washington.edu
 ntp.alaska.edu
 tick.mhpcc.hpc.mil
Local Site Time
Identify the time zone in which your site is located.
Time Zone
(While running the configuration wizard, you must confirm the current date and time in your selected time
zone.)

External IP Address
Indicate whether this site uses an external address.
 This site uses an external IP address and port number.
Data Server LAN IP Address

(internal IP address)
Data Server LAN Port Number

(internal port number)
Data Server External IP Address
Data Server External Port Number

3. Multiple Appliance Site
The LS series appliances are designed to operate in a distributed installation. Each enVision component—
Application, Collector, and Database—is on its own appliance. The appliances together form a site.
Distributed, multiple appliance sites allow multiple installations of any of the three appliance types to be
deployed in order to manage the variety of network infrastructures found in production environments. All
multiple appliance sites use external storage systems.
See the Hardware Guide for information about the hardware.

Site Deployment
The appliance types used in a multiple appliance site are as follows:
Component Appliance Description Each site has...

Type
Database server D-SRV Manages access and retrieval One

of captured events.
Application server A-SRV1 Supports interactive users. Up to three.

A-SRV2 Runs the suite of analysis You may want multiple A-SRVs
tools. so that you can separate the
A-SRV3 alerting processes from the
reporting processes.
Collector (Local LC1 Captures incoming events Up to three

Collector) locally.
LC2 Each site has at least one LC.
LC3
Remote Collectors (RCs) capture incoming events remotely and forward data to their master site. Each
multiple appliance site has the option of having up to 16 Remote Collector (RC) server appliances. Each
RC is considered a site. RCs capture incoming events remotely. Remote collectors forward data collected
to the enVision site (using the NIC Forwarder Service). (The Administrator sets up the remote collector's
Forwarder parameters on the Modify Collector Service window in enVision. See Chapter 5 “Remote
Collector Site” for information on configuring RCs.
Note: The total events per second (EPS) for all Collectors per site (per D-SRV) cannot exceed 30,000 EPS.
The following diagram illustrates a possible configuration of a multiple appliance site:

Multiple Site Deployment

A group of multiple appliance sites is referred to as a NIC domain. You can deploy up to ten D-SRVs in a
NIC domain.
The NIC domain is set up in a specific configuration with one site acting as the NIC domain master site.
Data flow and configuration information are based on your NIC domain configuration.
You set up the NIC domain during installation, using the enVision Configuration Wizard.
The following diagram illustrates a possible configuration of a NIC domain.

Master/Slave Relationship
The following diagram illustrates a basic enVision multiple site setup with a master site and a slave site. In
a configuration with more than one site, the master is always Site 1 in the hierarchy.
In a multiple site NIC domain, Site 1 is the NIC domain master site. You can only have one NIC domain
master site and it is always Site 1. The sites connected to Site 1 are slaves to Site 1.
A slave site can also be a master site in a multiple site deployment.

In the following example, the NIC domain consists of seven sites:
 Site 1 is the NIC domain master site.
 Sites 2 and 5 are slaves to site 1; site 1 is the master site for sites 2 and 5, in addition to being the
NIC domain master site.
 Sites 3 and 4 are slaves to site 2; site 2 is the master site for sites 3 and 4.
 Sites 6 and 7 are slaves to site 5; site 5 is the master site for sites 6 and 7.
In enVision, the Set Up Site Communications window (OverviewSystem

ConfigurationServicesSet Up Site Communications) lists the site names and the names of their
corresponding master sites. If a multiple site deployment is set up as shown in the example illustration, the
master/slave relationship of the sites in this NIC domain is as follows:
Site Name Master Site

Site 1 None
Site 2 Site 1
Site 3 Site 2
Site 4 Site 2
Site 5 Site 1
Site 6 Site 5
Site 7 Site 5

Site Access in the NIC Domain

You can access and maintain data globally across all sites in the NIC domain with a few exceptions.
The exceptions are these site-specific items that only have meaning to the site where they were configured:
 Directories
 Module or tool settings that you set for:
 System Performance tool - display options

 Query tool - process options and storage directory for saved queries
 Reports module - storage directory and format for saved report results
 Executive Dashboard - item settings (Note: Permissions for the items are set globally.)
 Custom reports that you added

 Scheduled reports (can only be scheduled to run on the site where they were configured)
 Custom queries that you added
Multiple Appliance Site with Enhanced Availability

The LS series appliances are designed to operate in a distributed installation. Each enVision component—
Application, Collector, and Database—is on its own appliance. The appliances together form a site.
Distributed, multiple appliance sites allow multiple installations of any of the three appliance types to be
deployed to manage the variety of network infrastructures found in production environments. All multiple
appliance sites use external storage systems.
Optionally, you can set up enhanced availability (EA) for the Local Collectors (LCs). This allows you to
define up to six cluster appliances (CAs) for a site to perform the LC roles.
The implementation of the enhanced availability feature for the Local Collectors is a Professional Services
package. You can arrange for a Professional Services package by contacting RSA at 781.375.9000.

Configuration Tasks
configuration options after the wizard is finished. In a multiple site domain, repeat the tasks on each site,
with the exception of Task 5. Task 5 only needs to be performed once in a NIC domain.
Task Activity
1 Complete the Configuration Wizard Planning Worksheet - Multiple Appliance Site in this
chapter.
Note: enVision uses the default IP address 192.168.1.55. IP address conflicts can occur if the LAN
cable is connected to an existing network when you run the configuration wizard. For this reason, you
should verify the LAN cable is not connected to an existing network or confirm the IP address is not
being used before you run the configuration wizard.
2 Set up the RSA enVision appliance hardware. Complete the tasks in Chapter 4 “Multiple Appliance
3 Connect to the D-SRV appliance using a KVM switch. (You can also connect remotely using DRAC
instead of using a local KVM. See Appendix B “Dell Remote Access Controller Utility.”)
The enVision Configuration Wizard starts automatically.

5 Within the NIC domain, verify that Replication is working correctly. To do so, open the Services
window, locate the NIC DB Replication Client service, and ensure it is running.
6 Install and start the NIC App Server service:

Important: You must have the NIC App Server installed on the A-SRV of the NIC domain master
site. Only one instance of the NIC App Server can be running in a given enVision domain.
a. Before you begin, make sure that you have installed the RSA enVision 4.0 software.
b. Run the appserver_install.bat batch script in the nic\4000\servername\bin\ folder providing
the external LAN IP address of the A-SRV machine in the NIC Domain master site, as an
input parameter to the batch script. For example:
E:\nic\4000\servername\bin\ appserver_install.bat a-srv-ip_address
This batch program installs and starts the NIC App Server Service on the A-SRV and adds it
to the list of services in the Manage Services window in enVision.
Even if you have only one A-SRV in the NIC Domain, you must run the
appserver_install.bat batch program to install and start the NIC App Server Service.

Task Activity
7 Immediately after you configure RSA enVision 4.0, RSA strongly recommends that you download
and install two Content Updates: Event Source Update Package and VAM & Signature Content
Update Package.
Go to RSA SecurCareOnline https://knowledge.rsasecurity.com. Click on Products. Under RSA
enVision click Content Updates. Complete the instructions available on that page to download and
install the updates.
enVision appliance.
Next Steps
If there are Remote Collectors (RCs) for this site, see Chapter 4 “Remote Collector Site” for information
on configuring the remote sites.
After the site configuration is complete, you must set up the processing options in enVision. See Chapter 5
“Next Steps” for more information.


Multiple Appliance Site
The worksheet consists of two sections:
 NIC domain. Complete this section for your NIC domain.
 Site. Complete this section for each site in your NIC domain. (Make a copy of the worksheet, so
that you can complete a worksheet for each site.) If you are configuring a remote collector for a
multiple appliance site, see Chapter 4 “Remote Collector Site”.
NIC Domain
Draw a topology diagram of your NIC domain. Label the NIC domain master site. Label each site with a
site name to identify it for additional planning purposes.
Site
Complete this section of the worksheet for each site in the NIC domain.
Name the Site
Site Name
Selecting the site name is extremely important. Once you name the site you cannot change the name. A
valid site name is a unique 2- to 11-character, alphanumeric string.
 Node name for each of the appliances in the site. For example, if your site name is Boston, the
Database server appliance node name is Boston-DS1.
Windows domain created for your site, sitename.nic. For example, if your site name is Boston,
the Windows domain for the site is Boston.nic.

Identify Appliances in the Site

The default addresses for each appliance in the site are:
 Gateway address—used to identify the computer that routes the traffic to the outside network.
Select each appliance type in your site. If you want to override the default values, write the new values in
the table.
Select Appliance IP Address Subnet Mask Gateway Address

Type
 A-SRV1 192.168.1.155 255.255.255.0 192.168.1.1
 A-SRV2 192.168.1.155 255.255.255.0 192.168.1.1
 A-SRV3 192.168.1.155 255.255.255.0 192.168.1.1
 D-SRV 192.168.1.155 255.255.255.0 192.168.1.1
 LC1 192.168.1.155 255.255.255.0 192.168.1.1
 LC2 192.168.1.155 255.255.255.0 192.168.1.1
 LC3 192.168.1.155 255.255.255.0 192.168.1.1
If there are remote collectors for this site, complete the Configuration Wizard Planning Worksheet –
Remote Collector Site in Chapter 4, “Remote Collector Site.”
Identify External Storage

If you want to override the default IP address value shown below, write the new value in the table.
NAS IP Address 10.203.2.101

DNS Servers
Identify the primary and secondary DNS servers on your network and options for the servers. enVision uses
the DNS servers to resolve IP addresses found in events for reporting and alerting.
Primary
Secondary

Time
Network Time Protocol (NTP)
Select NTP Servers
 navobs1.oar.net
 tick.ucla.edu
 ntp.alaska.edu
Local Site Time

Time Zone
While running the configuration wizard, you must confirm the current date and time in your selected time
zone.

Site to Site Connection

If this site is not the NIC domain master site, identify the master site, the site to which this site is
connected.
 This site is connected to another site in the NIC domain.
Master Site Data Server (D-SRV) IP Address

(external IP address)
Master Site Name

Indicate whether this site’s database server (D-SRV) requires an external address and port number.
 This site’s data server (D-SRV) uses an external IP address and port number.



4. Remote Collector Site
Each multiple appliance site has the option of having up to 16 Remote Collector (RC) server appliances.
Each RC is considered a site. RCs capture incoming events remotely. Remote collectors forward data
collected to the enVision site (using the NIC Forwarder Service). (The Administrator sets up the remote
collector's Forwarder parameters on the Modify Collector Service window in enVision.)
The RCs use the LS series appliances. See Appendix A “Hardware Specifications” in the Hardware Guide
for the specifications for the LS series appliances.
Note: The total events per second (EPS) for all Collectors per site (per D-SRV) cannot exceed 30,000 EPS.
Important! Before you configure the RC, make sure that its master is configured, and up and running.

Configuration Tasks
configuration options after the wizard is finished. The configuration tasks to configure an RC site are as
follows:
Task Activity
1 Complete the Configuration Wizard Planning Worksheet - Multiple Appliance Site in this
chapter.
2 Set up the RSA enVision appliance hardware. Complete the tasks in Chapter 5 “Remote Collector
3 Connect to the RC appliance using a KVM switch.

The enVision Configuration Wizard starts automatically.

5 Verify the RC configuration on the RC’s master site’s A-SRV. See “Verify the RC Configuration”
later in this chapter for complete instructions.
6 Configure the data forwarding scheduled task on the RC’s master site’s A-SRV. See “Configure the
Data Forwarding Task” later in this chapter for complete instructions.
7 Test the configuration. See “Test Configuration” section later in this chapter for complete
instructions.
enVision appliance.

Verify the RC Configuration

To verify the RC configuration on the master site's A-SRV:
1. Log in to enVision on the application server (A-SRV) of the master site.
2. Make sure that the RC is listed as a site:
a. Click OverviewSystem ConfigurationServicesSet Up Site Communication.
enVision displays the Set Up Site Communication window.
b. Make sure that the RC is listed as a site and the information displayed is correct.

Configure the Data Forwarding Task

To schedule the data forwarding task for the RC on the master site's A-SRV:
1. Complete the following steps to log in to enVision on the application server (A-SRV) of the
master site:
a. Start your web browser.
b. Type http://address:8080 in the Address field, where address is the machine name or IP
address of the A-SRV and 8080 is the port through which you access enVision.
For example, http://sunshine:8080 or http://10.10.30.140:8080.
c. Press Enter.
The system displays the Log In window.
d. Type your password and click Log In.
2. Click OverviewSystem ConfigurationServicesScheduler ServiceSchedule Task.
enVision displays the Schedule Task window.
3. Select the remote collector from the Site drop-down list.
enVision displays: NIC Forwarding (the data forwarding task).
By default, the data forwarding task runs every hour.
4. To specify when the data forwarding task is performed and how often, click Set Recurrence.
enVision displays the Set Recurrence window.
5. Complete the window and click Apply.
enVision displays the Schedule Task window.
6. Click Schedule.
enVision displays the task on the Manage Scheduled Tasks window.
7. Click Apply.
8. If the NIC Scheduler Service is not running, start the NIC Scheduler Service.

Test the Configuration

To test the configuration:
1. After the Data Forwarding task runs, from the A-SRV analyze the devices collected on the RC
site.
2. Run a report (for example, Bandwidth Usage by Address) to analyze the devices collected.
Important! When you select the time range of the report, the forwarded data is four hours old by
default (and, at a minimum, one hour old).
3. Make sure that data was returned for your devices.


Remote Collector Site
Name the Site
Site Name
Selecting the site name is extremely important. Once you name the site, you cannot change the name. A
valid site name is a unique, 2- to 11-character, alphanumeric string.
 Node name for the appliance. For example, if your site name is Hartford, the appliance node
name is Hartford-RC1.
Windows domain created for your site, sitename.nic. For example, if your site name is Hartford,
the Windows domain for the site is Hartford.nic.

Identify Appliance
The default addresses for the site are:
 Gateway address—used to identify the computer that routes the traffic to the outside network.
If you want to override the default values, write the new values in the table.
Appliance IP Address Subnet Mask Gateway Address

Type
RC1 192.168.1.155 255.255.255.0 192.168.1.1
DNS Servers
Identify the primary and secondary DNS servers on your network and options for the servers. enVision uses
the DNS servers to resolve IP addresses found in events for reporting and alerting.
Primary
Secondary

Time
Network Time Protocol (NTP)
Select NTP Servers
 navobs1.oar.net
 tick.ucla.edu
 ntp.alaska.edu
Local Site Time
Time Zone
(While running the configuration wizard, you must confirm the current date and time in your selected time
zone.)

Site to Site Connection

Identify the master site, the site to which this site is connected.
Master Site Data Server (D-SRV) IP Address

(external IP address)
Master Site Name

Indicate whether this site’s database server (D-SRV) requires an external address and port number.
 This site’s data server (D-SRV) uses an external IP address and port number.



5. Next Steps
After you complete the RSA enVision site configuration, you must set up the processing options in
enVision. First you should plan how to set up the system to accomplish your security goals, policies, and
requirements. See the enVision online Help for information on setting up and using the enVision analysis
tools.
Set Up enVision
Setting up enVision involves three sets of tasks:
I. Event source and vulnerability assessment (VA) tool configuration tasks.

These are tasks that you perform outside of the enVision software.
II. Basic setup tasks.

These tasks to set up the enVision software allow you to collect, report, and alert on events from
supported event sources.
1. Set up event collection.
2. Set up vulnerability and asset management.
3. Set up system access permissions.
4. Set up views.
5. Set up Alerts module tools.
6. Schedule reports.
III. Optional setup tasks.

These are tasks to set up additional features or processing options.
1. Set up data storage.
2. Set up data processing options.
3. Set up message handling.
4. Set up customized reporting.
5. Set up application display options.

5. Next Steps
See the enVision online Help for a list of the required reading topics for each task. Additional tasks may be
required to perform the specific processing that you want.
To access Help within enVision:
1. Click OverviewBest Practices.
enVision displays the Best Practices menu and splash screen.
2. Select Help from the menu.
Log In to enVision
You log in to enVision through a remote system, connecting to the enVision appliance (for multiple
appliance sites, connect to the Application Server, A-SRV). Use one of two protocols to access the system,
depending on how enVision has been configured:
 HTTPS (Hypertext Transfer Protocol Secure), using default port 8443.
 HTTP (Hypertext Transfer Protocol), using default port 8080.
To log in to enVision:
1. Start your web browser.
2. Type https://address:port in the Address field, where:
 address is the machine name or IP address of the machine on which the system is installed;
for multiple appliance sites, this is the A-SRV (Application Server).
 port is the port through which you access enVision.
For example, https://sunshine: 8443 or sunshine: 8443 or https://10.10.10.10: 8443.
3. Press Enter.
When you connect through HTTPS, your browser may display certificate validation messages the
first time you access enVision. (Depending on how server certificates are configured on the
appliance, these messages may cite validation issues, such as, a host name mismatch between the
server and its certificate.)
The system displays the Log In window.
4. Type your password and click Log In.
Immediately change your password to a more secure one after you log in to enVision. See
the online Help for instructions.

5. Next Steps
enVision Client Software and Hardware Requirements

The hardware and software requirements for running the enVision client software are:
Windows Macintosh
O/S Microsoft Windows 2000 or Windows OS X 10.4.6

XP
Browser Microsoft Internet Explorer v6.x Mozilla Firefox 2.0 or later *

Mozilla Firefox 2.0 or later*
Java Plug-In Recommended: 1.5.x 1.1.0.0_13 1.5.x 1.1.0.0_13

Also Support: v1.4.2, v 1.4.1
Processor Minimum: P3:1Ghz or P4:1.8Ghz Minimum: G5

Athlon 1800+
RAM Minimum: 512 MB Minimum: 1 GB RAM
Network Minimum: 100baseTX Minimum: 100baseTX
Display Resolution Minimum: 1024x768 at 16 bit color Minimum:1024x768 at 16 bit

color
* You cannot use Mozilla Firefox to view the Enterprise Dashboard tool.
Earlier versions of enVision automatically launched the Java Plug-In Installation. Because
of the security constraints in the image for RSA enVision 3.5.0 and later, this no longer
happens and you must install the JRE manually.
Pop-up blockers, ad banner blockers, and personal firewalls can all interfere with the launching of
enVision, especially at first login. Make sure that you set up the blockers to allow enVision to operate
normally, or disable these blockers. (You can disable pop-up blockers in your browser under Tools/Pop-
Up Blocker or by clicking on the Pop-Ups icon). Configure personal firewalls to allow connections
between the enVision client and appliance.
You must enable animation for web pages in your browser.
To enable animation for web pages in Microsoft Internet Explorer:

1. In the browser, click ToolsInternet Options.
2. In the Internet Options dialog box, click the Advanced tab.
3. Scroll to Multimedia and select the box Play animations in web pages.
4. Click OK.
5. Restart the browser.

5. Next Steps
Log Out of enVision

To log out of the user interface:
 Click Log Out in the bottom left-hand side of window.
enVision closes all open windows. All enVision services and processes continue to run without
interruption.

Appendix A. Connect to the Appliance Using a
Keyboard, Monitor, and Mouse
The first time you work with an appliance, you must connect using a Keyboard, Video and Mouse (KVM).
You can continue to work using the KVM or you can use the Remote Controller Access utility. See
Appendix C “Remote Access Controller (DRAC) Utility” for information on setting up the utility.
To connect to the appliance through KVM:
1. Connect the keyboard, monitor, and mouse to the appliance. You can connect from the USB
connectors and the video connector on either the front or back panel.
2. If the appliance is off, turn on the power using the front panel.
See Chapter 2 “Hardware Layout”, in the Hardware Guide for diagrams of the front and back panel of the
appliance.
RSA enVision 4.0 Configuration Guide A-1

Appendix B. Dell Remote Access Controller Utility
This appendix describes how to configure enVision on your appliance from a remote location. To do this
you must:
1. Set up the Dell Remote Access Controller (DRAC) utility.
2. Using a web browser, access the appliance from a remote location and configure enVision.
Ports Used by enVision for the DRAC Utility

Item Port Service Direction Appliance Type
DRAC HTTP 80 Terminal Server Inbound and Outbound All

(part of the appliance OS)
HTTPS 443
Dell Remote Access Card for
VNC proxy server 5900 OOB Management
Video VNC Port 5901
A random number larger
than 32768 - RAC FW
update through RAC GUI
RSA enVision 4.0 Configuration Guide B-1

Set Up the Remote Access Controller Utility

To set up the Remote Access Controller utility:
1. Reboot the machine, and when prompted, press Ctrl-E to set up remote access.
The system displays the initial Remote Access Controller (setup utility) screen with several
options. You only need to configure the options described in these instructions to configure
enVision.
3. Highlight NIC Selection and press the spacebar to set NIC Selection to Dedicated.
4. Highlight the LAN Parameters option and press ENTER.
The setup utility opens a smaller screen with RCMP+ Encryption Key as the first option.
5. Highlight the IP Address Source option and use the plus (+) and minus (–) keys to select DHCP
or Static.
If you are going to select DHCP, attach your network cable to a network that has DHCP or contact
your network administrator.
 If you select DHCP, the rest of the values are completed by the utility and you cannot change
them.
 If you select Static, the values for MAC Address VLAN ID are completed by the utility and
you cannot change them, but you must specify a value for the following parameters:
i. Highlight Ethernet IP Address and enter a value in the right column.
ii. Highlight Subnet Mask and enter a value in the right column.
iii. Highlight Default gateway and enter a value in the right column.
iv. Highlight VLAN Enable and press the spacebar to set VLAN Enable to Off.
6. Press the Esc key to close the smaller screen.
7. Highlight the Advanced LAN Parameters option and press ENTER.
The setup utility opens the smaller DNS Configuration Options screen.

8. Depending on the IP Address Source option you selected in step 5, do one of the following:
 If you selected DHCP, the DNS Configuration Options’ values are completed by the utility
and you cannot change them.
 If you selected Static, the DNS Server from DHCP option is set to Off by the utility and you
cannot change it, but you must enter a value for the following options:
 DNS Server1
 DNS Server2
 Register RAC Name (defaults to Off)
 Domain name from DHCP (defaults to Off)
9. Press the Esc key twice.
The setup utility prompts you to do one of the following:
 Save Changes + Exit,
 Discard Changes + Exit
 Return to Setup
10. Highlight Save Changes + Exit and press ENTER.
The setup utility finishes the boot process.

Access the Appliance from a Remote Location

To access the appliance remotely:
1. Start a web browser and go to the Ethernet IP Address you specified in step 5 b of the “Set Up
the Remote Access Controller Utility” procedure.
The system prompts you to proceed.
2. Click Yes.
The system displays the Remote Access Login window.
3. To log in:
a. Type root for username (all lower case letters).
b. Type calvin for password (all lower case letters).
c. Click OK.
(Change your password as soon as you can for security purposes.)
The utility displays the Remote Access Controller window.
4. Click the Console tab at the top of the window.
If this is your first time accessing the Remote Access Controller utility, the system prompts you to
load the Console Redirection Plug-in.
5. Click Connect to access the enVision Configuration wizard.
6. Complete the configuration instructions for your type of appliance site as described in one of the
following chapters:
 Chapter 2. Single Appliance Site
 Chapter 3. Multiple Appliance Site
 Chapter 4. Remote Collector Site

Appendix C. Change Private RSA enVision
Network IP Addresses
Use the instructions in this appendix only in multiple appliance sites if you are installing RSA
enVision on pre-existing Celerra hardware and you want to maintain your IP address structure for this
hardware.
To change the IP addresses in accordance with enVision’s automatic IP address

assignments:
1. Rename the IP address for each appliance after factory typing and before you start the set up tasks.
2. Change IPaddresses in the lsconfigurationwizard.cfg file to match the addresses you renamed
on the appliances.
RSA enVision 4.0 Configuration Guide C-1

Appendix C. Changing Private enVision Network IP Addresses
Rename IP Address for Each Appliance before Setting Up

Your Site
To rename the IP addresses for each enVision appliance at your site:
1. Access the appliance with a KVM (see Appendix A) or from a remote location (see Appendix B).
2. In Windows, select Network Connections/SWITCH/Internet Protocol Settings and click

properties (SWITCH is the name of the interface).
3. Change the C class of the IP address (for example, change 10.203.2 to 10.0.0).
You can use any value for the C class of the IP address, but enVision appends a value to each IP
address as illustrated in the diagram below:

Appendix C. Changing Private enVision Network IP Addresses
Add Trusted Sites

To allow enVision to install the application on the other nodes in your NIC domain, you must add trusted
sites. If you do not do this, the enVision installation will fail.
To add trusted host so remote sites can access various appliances:
1. Open Internet Explorer.
2. Click ToolsInternet options and select Security tab.
3. Click the Local Intranet icon.
4. Select Sites radio button.
5. Type *://site-ip-address.* in the Add this web site to the zone section.
Where site-ip-address can consist of your IP Address naming conventions for the 1st octet and 2nd
octet of the address, but you must use 1-255 for the 3rd octet. For example, *://10.203.1-255.*
6. Click AddCloseOK.
The system closes Internet Options.
Change the IP Addresses in the Configuration Wizard to

Match Renamed Appliance Addresses
Factory and system typing of your appliance is done before delivery. However, if you are reimaging
your appliance, you must do this before you change IP addresses in enVision configuration wizard to
match renamed appliance addresses.
To update the enVision configuration wizard for the renamed IP addresses:
1. When the configuration wizard starts automatically, click Cancel to stop the wizard.
2. Go to C:\WINDOWS\system32\drivers\etc.
This folder contains the lsconfiguration.cfg file, the enVision configuration wizard.
3. Edit the SwIpBase=10.203.2 IP address in the lsconfiguration.cfg file so that the IP addresses of
the enVision appliances match the newly renamed addresses.
For example, change SwIpBase=10.203.2 to SwIpBase=10.0.0.
4. Save the edited lsconfiguration.cfg file.
5. Double-click E:\nic\4000\servername\bin lsconfiguratiuonwizard.exe to restart the configuration

wizard so you can finish configuring enVision with the renamed IP addresses.
6. Ping each machine to make sure that the renamed IP addresses are correct.

RSA EnVision 4.0 Configuration Guide

Enviado por

Dados do documento

Descrição original:

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

RSA EnVision 4.0 Configuration Guide

Enviado por

Direitos autorais:

Formatos disponíveis

RSA enVision™

RSA Security Inc.

2. SINGLE APPLIANCE SITE .................................................................................... 2-1

Next Steps................................................................................................................................................... 2-2

Configuration Wizard Planning Worksheet Single Appliance Site ...................................................... 2-3

3. MULTIPLE APPLIANCE SITE ............................................................................... 3-1

Configuration Tasks.................................................................................................................................. 3-7

Next Steps................................................................................................................................................... 3-8

Configuration Wizard Planning Worksheet Multiple Appliance Site .................................................. 3-9

4. REMOTE COLLECTOR SITE ................................................................................ 4-1

Configuration Wizard Planning Worksheet Remote Collector Site ..................................................... 4-6

RSA enVision 4.0 Configuration Guide iii

DNS Servers............................................................................................................................................ 4-7

5. NEXT STEPS ......................................................................................................... 5-1

Log In to enVision ..................................................................................................................................... 5-2

enVision Client Software and Hardware Requirements........................................................................ 5-3

Log Out of enVision .................................................................................................................................. 5-4

APPENDIX A. CONNECT TO THE APPLIANCE USING A KEYBOARD,

APPENDIX B. DELL REMOTE ACCESS CONTROLLER UTILITY........................... B-1

Set Up the Remote Access Controller Utility ..........................................................................................B-2

Access the Appliance from a Remote Location.......................................................................................B-4

APPENDIX C. CHANGE PRIVATE RSA ENVISION NETWORK IP ADDRESSES... C-1

Add Trusted Sites ..................................................................................................................................... C-3

Change the IP Addresses in the Configuration Wizard to Match Renamed

RSA enVision 4.0 Configuration Guide iv

Configuration Guide Instructions on configuring your enVision site. Intended audience is

Hardware Guide Instructions on setting up your RSA enVision appliances. Intended

Migration Guide Instructions on migrating your data from a previous version of

Online Help Comprehensive online guide to setting up enVision processing

Literals (exact values that the user Bold font.

Variables (adjustable values that the Bold, italicized font.

Keys (on the keyboard) Bold font.

RSA enVision 4.0 Configuration Guide v

200 Lowder Brook Drive

World Wide Web: http://www.rsa.com

 By Telephone - Technical support is available during business hours via telephone at

RSA enVision 4.0 Configuration Guide vi

enVision is made up of three components:

RSA enVision 4.0 Configuration Guide 1-1

 Single appliance site.

 Multiple appliance site.

RSA enVision 4.0 Configuration Guide 1-2

See the Hardware Guide for information on the hardware.

RSA enVision 4.0 Configuration Guide 2-1

4 Complete the enVision Configuration Wizard.

RSA enVision 4.0 Configuration Guide 2-2

Configuration Wizard Planning Worksheet

The site name is used in the following names:

RSA enVision 4.0 Configuration Guide 2-3

 LAN IP address—used to access the appliance on the LAN.

 Subnet mask—used to determine to which subnet an IP address belongs.

Default Override Value

LAN IP Address 192.168.1.155

Subnet Mask 255.255.255.0

Gateway Address 192.168.1.1

Identify External Storage

DAS IP Address 10.203.2.101

RSA enVision 4.0 Configuration Guide 2-4

DNS Server IP Address

Identify processing options for the DNS Servers.

Field Description Option

RSA enVision 4.0 Configuration Guide 2-5

Select NTP Servers