SafeGuard PortProtector 3.30 SP6 Installation guide
Document date: March 2010

SafeGuard® PortProtector 3.30, Installation guide

Important Notice

This guide is delivered subject to the following conditions and restrictions:

- This guide contains proprietary information belonging to Sophos. Such information is supplied solely for the purpose of assisting explicitly and properly authorized SafeGuard PortProtector users.
- No part of its contents may be used for any other purpose, disclosed to any person or firm or reproduced by any means, electronic or mechanical, without the express prior written permission of Sophos.
- The text and graphics are for the purpose of illustration and reference only. The specifications on which they are based are subject to change without notice.
- The software described in this guide is furnished under a license. The software may be used or copied only in accordance with the terms of that agreement.
- Information in this guide is subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted.
- The information in this document is provided in good faith but without any representation or warranty whatsoever, whether it is accurate, or complete or otherwise, and on the express understanding that Sophos shall have no liability whatsoever to other parties in any way arising from or relating to the information or its use.
- SafeGuard PortProtector and SafeGuard PortAuditor are OEM versions of Safend Protector and Safend Auditor from Safend. Therefore some screenshots throughout this manual may still contain the Safend branding but mean the same as within the SafeGuard OEM version.

Boston, USA | Oxford, UK
© Copyright 2010. Sophos. All rights reserved. All trademarks are the property of their respective owners. Other company and brand products and service names are trademarks or registered trademarks of their respective holders.
About This Guide

This Installation Guide is comprised of the following chapters:

- Chapter 1, Installation Workflow, suggests a workflow for using the SafeGuard PortProtector solution to protect your organization's endpoints.
- Chapter 2, Preparing for Installation, describes the SafeGuard PortProtector architecture and the SafeGuard PortProtector installation workflow. It then describes the system requirements and prerequisites for installation and all the preparations that need to take place before installing SafeGuard PortProtector.
- Chapter 3, Installing SafeGuard PortProtector Management Server, describes how to install, restore and upgrade the SafeGuard PortProtector Management Server, and how to launch the SafeGuard PortProtector Management Console.
- Chapter 4, Installing SafeGuard PortProtector Management Console, describes how to install SafeGuard PortProtector Management Console.
- Chapter 5, Installing SafeGuard PortProtector Client, describes the various methods for installing, or deploying, SafeGuard PortProtector Client. It also explains how to uninstall and upgrade SafeGuard PortProtector Client.
- Appendix A - OPSEC™ Interoperability, describes Check Point's OPSEC™ and how it interfaces with SafeGuard PortProtector.
- Appendix B - NAC Interoperability, describes Cisco's NAC and how it interfaces with SafeGuard PortProtector.

Contents

1 Installation Workflow (page 5)
2 Preparing for Installation (page 8)
3 Installing SafeGuard PortProtector Management Server (page 12)
4 Installing SafeGuard PortProtector Management Console (page 42)
5 Installing SafeGuard PortProtector Client (page 54)
6 Appendix A - OPSEC™ Interoperability (page 81)
7 Appendix B - NAC Interoperability (page 94)

1 Installation Workflow

About This Chapter

Before installing SafeGuard PortProtector V3.3, it is important to fully understand the implementation process of the SafeGuard PortProtector solution. This chapter suggests a workflow for using the SafeGuard PortProtector solution to protect your organization's data. It contains the following section:

- SafeGuard PortProtector Implementation Workflow describes the workflow for implementing and using SafeGuard PortProtector.

1.1 SafeGuard PortProtector Implementation Workflow

The following is an overview of the workflow for implementing and using SafeGuard PortProtector.

Step 1: Install the SafeGuard PortProtector Management Server and Console, as described in Chapter 2, Preparing for Installation, and Chapter 3, Installing SafeGuard PortProtector Management Server.

Step 2: Install Additional Management Consoles, as described in Chapter 4, Installing SafeGuard PortProtector Management Console.

Step 3: Define General SafeGuard PortProtector Administration Settings, such as the method in which policies are published, as described in Chapter 7, Administration, in SafeGuard PortProtector User help.

Step 4: Scan Computers and Detect Port/Device Usage.
Use SafeGuard PortAuditor to detect the ports that have been used in your organization and the devices and WiFi networks that are or were connected to these ports, as described in SafeGuard PortAuditor User help.

Step 5: Define SafeGuard PortProtector Policies. In this stage you define the blocked, allowed and restricted ports, devices and WiFi networks according to the security and productivity requirements of your organization, as described in Chapter 3, Defining Policies, in SafeGuard PortProtector User help.

Step 6: Install SafeGuard PortProtector Client on Endpoints, as described in Chapter 5, Installing SafeGuard PortProtector Client.

Step 7: Distribute SafeGuard PortProtector Policies to Endpoints. In this stage you can either associate policies with users and computers and distribute them directly to endpoints (via SSL), or use Active Directory's GPO feature or any other third-party tool to distribute SafeGuard PortProtector policies, as described in Chapter 4, Distributing Policies, in SafeGuard PortProtector User help.

Step 8: Endpoints are Protected by SafeGuard PortProtector Policies. In this stage only approved devices and WiFi networks can be used, through permitted ports. Logs about port, device and WiFi network use and attempted use, as well as tampering attempts, are created and sent to the Management Server, as described in Chapter 8, End-User Experience, in SafeGuard PortProtector User help.

Step 9: Monitor Logs and Alerts. View and export the log entries generated by SafeGuard PortProtector Clients, as described in Chapter 5, Viewing Logs, in SafeGuard PortProtector User help.

2 Preparing for Installation

About This Chapter

This chapter first describes the SafeGuard PortProtector architecture and the SafeGuard PortProtector installation workflow. It then specifies the system requirements and prerequisites for installing the different components of SafeGuard PortProtector, followed by instructions on how to prepare the network for installation. It contains the following sections:

- System Requirements, page 9, describes the system requirements for each one of the SafeGuard PortProtector components.
- Preparing your Network, page 10, describes the preparation that needs to be done on your network in order to allow the different SafeGuard PortProtector components to communicate without interruptions.
- Tips on Preparing your Endpoints, page 11, describes the preparation that needs to be done on your endpoints before installing SafeGuard PortProtector in order to optimize the security of your network.

2.1 System Requirements

Following are the system requirements for the various system components.

SafeGuard PortProtector Client Requirements

Operating System:
- Windows XP Professional (SP 1-3)
- Windows XP Professional 64-bit (SP 2-3). Note that from version 3.2 there is a separate MSI for 64-bit operating systems.
- Windows 2003 Server (SP 1-2)
- Windows 2000 SP4 Rollup 1
- Windows Vista Business/Enterprise/Ultimate (SP 1-2) 32-bit
- Windows 7 Business/Enterprise/Ultimate 32-bit

Hardware:
- Pentium 800 MHz
- 256 MB RAM
- 50 MB HDD space

SafeGuard PortProtector Server Requirements

Operating System:
- Windows XP Professional (SP2; not supported for production environments)
- Windows 2003 Server (SP 1-2)

Hardware: The server hardware requirements depend on the number of installed SafeGuard PortProtector Clients. To obtain the specifications suitable for your organization, please contact your local Sophos reseller or Sophos support at [email protected].

Software:
- Microsoft .NET Framework 2.0 (make sure that the server and console are installed with the same .NET 2.0 SP)
- Microsoft IIS

SafeGuard PortProtector Console Requirements

Operating System:
- Windows XP Professional (SP 2)
- Windows 2003 Server (SP 1-2)

Hardware:
- Pentium 800 MHz
- 256 MB RAM
- 50 MB HDD space

Software:
- Microsoft .NET Framework 2.0 (make sure that the server and console are installed with the same .NET 2.0 SP)

2.2 Preparing your Network

Before installing the system, be sure to enable the following communications in your network and personal firewalls.

To prepare your network:

1. In order for the SafeGuard PortProtector Management Server and the SafeGuard PortProtector Clients to communicate freely, make sure that the SSL port is open in your network firewall. Sophos typically uses port 443 (the SSL standard) for this. If you have chosen a different port, make sure to allow that port in your firewall. The Clients connect to the Server, so the rule must allow inbound connections to the Server on that port from the networks the endpoints live on.
2. In order for the SafeGuard PortProtector Management Console to be able to control clients (send control commands to clients to send their logs and update their policy), the WMI ports must be open on the personal firewall of each endpoint. WMI runs over DCOM/RPC: the connection starts on TCP port 135 (the RPC endpoint mapper) and continues on a dynamically assigned RPC port, which is why a rule for port 135 alone is not enough and the remote administration exception described below is the setting to use. These are inbound ports on every endpoint, so scope the exception to the Management Server's address rather than leaving it open to the whole network.

2.2.1 Opening WMI ports on Windows XP (SP2) Firewall

If you are using the Windows XP (SP2) firewall as the personal firewall on your endpoints, you can use the GPO mechanism to configure endpoints to accept incoming WMI communications. The following section is quoted from Microsoft documentation.

"Without configured exceptions, Windows Firewall will drop traffic for server, peer, or listener applications and services. Therefore, it is likely you will want to configure Windows Firewall for exceptions to ensure that the Windows Firewall works appropriately for your environment.

Windows Firewall settings are available for Computer Configuration only. They are located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. Identical sets of policy settings are available for two profiles:

- Domain profile. Used when computers are connected to a network that contains your organization's Active Directory domain.
- Standard profile. Used when computers are not connected to a network that contains your organization's Active Directory domain, such as a home network or the Internet.

The relevant policy setting for WMI is:

Windows Firewall: Allow remote administration exception

This allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using RPC and DCOM. The default is Not Configured."

2.3 Tips on Preparing Your Endpoints

Booting via an external boot device (floppy, CD etc.) will circumvent any security software that runs inside the installed operating system. However, there are a few ways to either prevent this scenario from happening, or to make it impossible to read the data outside the Sophos protected operating system:

Changing the boot sequence: Change the boot sequence so that the machine does not boot first from the floppy, then the CD/DVD-ROM, and finally the hard disk drive. The hard disk drive should always be the first boot device. If the floppy or the CD/DVD-ROM is the initial boot device, anyone can use a bootable medium that can directly access the hard disk drive and reset the administrator password in seconds.

Physical seal / chassis protection: Make sure that the hardware is sealed and that the hard disk drive cannot simply be disconnected and read in another machine.

Setting a password to protect the BIOS: This prevents users from entering the BIOS and re-enabling boot access through devices other than the internal hard disk drive. Without it, the boot sequence change above can be undone by anyone at the keyboard.

Disk Encryption: Several disk encryption software packages are available on the market. These encrypt the entire disk, so that the data can be read only when the installed operating system (which contains the decryption client) is loaded. Booting from an external boot device then gains nothing, since all data on the disk is encrypted. SafeGuard PortProtector Client has been tested to work along with the leading software products of this type, including PGP Wholedisk, Sophos SafeGuard Easy, WinMagic and Pointsec.

3 Installing SafeGuard PortProtector Management Server

About This Chapter

This chapter describes how to install SafeGuard PortProtector Management Server and contains the following sections:

- Prerequisites, describes the requirements for installing the Management Server.
- Installing Prerequisite Software, describes how to install Microsoft .NET Framework and IIS.
- Before Installing SafeGuard PortProtector Management Server, provides a checklist of issues you need to verify before starting the installation process.
- Installing the Management Server, describes how to install the SafeGuard PortProtector Management Server for the first time and how to launch the SafeGuard PortProtector Management Console.
- Restoring an Existing Management Server, describes how to restore an existing SafeGuard PortProtector Management Server in case of hardware upgrade or failure.
- Upgrading the Management Server, explains how to upgrade SafeGuard PortProtector from version 3.2 to version 3.3.
- Post-Installation Settings (Checklist), lists a set of critical settings to define after installation.
- Uninstalling SafeGuard PortProtector Management Server, explains how to uninstall SafeGuard PortProtector Management Server.
- Changing your Database, explains how to switch from using an embedded SafeGuard PortProtector database to an external MS SQL database, and vice versa.
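The network preparation in section 2.2 above leaves two things for the administrator to do on each endpoint and then to verify from the server: scope the remote administration exception, and confirm that WMI and the SSL port actually work before the Clients are rolled out. The following PowerShell script is an added example and is not part of the Sophos guide. It assumes a Management Server at 192.0.2.10, an endpoint named WKS-001 and the default Client SSL port 443, and uses the Windows XP SP2 "netsh firewall" context that the GPO setting quoted above controls. The netsh lines run on the endpoint (or from a startup script); the checks run from the Management Server and the endpoint respectively.

```powershell
# Added example, not from the Sophos guide. Assumed values: Management Server
# 192.0.2.10, endpoint WKS-001, Client SSL port 443. Windows PowerShell 2.0 or later.

$managementServer = '192.0.2.10'
$endpoint         = 'WKS-001'
$sslPort          = 443

# ---- On the endpoint: open the remote administration exception to the server only ----
# "Allow remote administration exception" opens TCP 135 and 445 plus the dynamically
# assigned RPC ports that WMI needs. With scope=all it is reachable from any host;
# scope=custom limits it to the Management Server's address.
netsh firewall set service type=remoteadmin mode=enable scope=custom "addresses=$managementServer" profile=domain
netsh firewall show service        # expect Remote Administration: Enable, custom scope

# ---- On the Management Server: server -> endpoint over WMI ----
# This is the path the Console uses to trigger log upload and policy refresh. A
# successful query proves TCP 135 plus the RPC port are reachable and that the account
# running this has remote WMI rights on the endpoint.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $endpoint -ErrorAction Stop
    Write-Host "WMI OK: $endpoint runs $($os.Caption) SP$($os.ServicePackMajorVersion)"
} catch {
    Write-Warning "WMI to $endpoint failed: $($_.Exception.Message)"
    Write-Warning "Check the endpoint's personal firewall (TCP 135/445 and the RPC range) and the scope of its remote administration exception"
}

# ---- On the endpoint: endpoint -> server over SSL ----
# Only checks that the TCP port answers, which is what the network firewall rule in
# section 2.2 controls; TcpClient is available on .NET 2.0, so this runs on XP too.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($managementServer, $sslPort)
    Write-Host "TCP $sslPort on $managementServer is reachable"
} catch {
    Write-Warning "TCP $sslPort on $managementServer is blocked: $($_.Exception.Message)"
} finally {
    $client.Close()
}
```

If the WMI query fails with an access-denied error rather than an RPC-unavailable error, the firewall is open and the problem is the account's rights on the endpoint, which is the same account you will enter in the Domain Credentials window during the Server installation.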
3.1 Prerequisites

3.1.1 Operating System
- Windows XP Professional (SP0-2) 32-bit
- Windows 2003 Server (SP0-2) 32-bit

3.1.2 Hardware
The server hardware requirements depend on the number of installed SafeGuard PortProtector Clients. To obtain the specifications suitable for your organization, please contact your local Sophos reseller or Sophos support at [email protected].

3.1.3 Software
- Microsoft .NET Framework 2.0 installed
- Microsoft Internet Information Services (IIS)

3.2 Installing Prerequisite Software

3.2.1 Installing Microsoft .NET Framework 2.0

Microsoft .NET Framework 2.0 is built in by default on Windows 2003, and can be downloaded for free from the Microsoft website for Windows XP. Link to the .NET Framework 2.0 installation package:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5&DisplayLang=en

3.2.2 Installing Microsoft IIS

To install Microsoft IIS:

1. In Control Panel on your computer, double-click Add or Remove Programs. The Add or Remove Programs window opens.
2. Click Add/Remove Windows Components. The Windows Components Wizard window opens.
3. If you are installing the application on a machine running Windows 2003, check the Application Server checkbox. If you are installing IIS on a machine running Windows XP, check the Internet Information Services checkbox.
4. Click Next.
5. The Insert Disk window opens, asking for the utility disc or location that holds the relevant Microsoft Windows installation components.
6. Insert the disc and click OK. The installation may take a few moments.
7. When the wizard notifies you that the installation is complete, click Finish to close the wizard. IIS is now installed.

Enable only the IIS subcomponents the Management Server needs (the World Wide Web Service) and leave FTP, SMTP, NNTP and the other optional subcomponents unselected: this server listens on the SSL port for every endpoint and holds the domain credentials and encryption keys entered later in the installation, so every unused service left running on it is exposed attack surface.
3.3 Before Installing SafeGuard PortProtector Management Server

1. Verify that all system requirements and prerequisites are met.
2. Make sure that the SafeGuard PortProtector Server machine belongs to the same domain in which you intend to deploy SafeGuard PortProtector policies.
3. Make sure that a MySQL DB is not installed on the SafeGuard PortProtector Management Server machine.

3.4 Installing the Management Server

To install SafeGuard PortProtector Management Server:

1. Locate the installation file on your installation CD.
2. Double-click the file. The SafeGuard PortProtector Server Installation window appears.
3. Click Browse to select a destination folder for the extracted installation files. Note: Make sure that the files are extracted to a local folder. The installation will not run from a network path.
4. Click Install.
5. Following extraction, you will be asked to select the SafeGuard PortProtector Server language.
6. Select the required language and click OK. The first step of the installation wizard appears. Click Next and read the End User License Agreement. After accepting, click Next again. The Installation Mode step opens. Select one of the following options:
   - For a new installation, select the New radio button and proceed to step 9 below.
   - For instructions regarding the Restore option, refer to Restoring an Existing Management Server on page 33.
   - To join a server cluster, select the Join a Cluster radio button. A server cluster enables the installation of several SafeGuard PortProtector Management Servers connected to a single external database, so that they seamlessly share the load of traffic from the endpoints, and provides redundancy and high availability.
7. Click Next.
The Database window opens. SafeGuard PortProtector can create its own internal database for storing configuration and data. Alternatively, you can use an existing external database. Note: SafeGuard PortProtector supports MS SQL 2000 and up.

8. In the Database window, select the required radio button. Select the first radio button if you want to use a database which resides on the same machine as the Management Server (the database is managed by the SafeGuard PortProtector Management Server). Select the second option if you have an MS SQL database on another machine and you want to use it as your SafeGuard PortProtector database. Note: If you select to use an existing external database, this database must already be installed.
9. Click Next. If you selected to install an embedded database, skip to step 14.
10. If you have selected to use an existing database server or to join a cluster, the Database Credentials window opens.
11. In the Database Credentials window, perform the following steps:
   a. In the Database Server field, enter the database server name (for a non-default instance use the format server\instance).
   b. Under Database authentication mode, click the appropriate radio button to select whether to use MS SQL Security or Microsoft Windows Security.
   c. Enter the database authentication credentials, User Name and Password. If you selected Microsoft Windows Security you must also enter a Domain name.
   Use a dedicated login whose rights are limited to the SafeGuard PortProtector database rather than a SQL Server sysadmin account: the Management Server keeps these credentials in order to reconnect to the database, so they are only as safe as the server itself.
12. Click Next. The installation program validates access to the database. Note: If validation fails, re-enter the correct information, or click Cancel to exit the installation wizard.

Note: If a valid SafeGuard PortProtector database already exists on this database server, you are asked whether to overwrite it. Click Yes in order to overwrite the existing database.
If you wish to use the existing database, click No and skip to Restoring an Existing Management Server on page 33.

13. The Destination Folder step opens.
14. Click Next to accept the default installation folder, C:\Program Files\Sophos\SafeGuard PortProtector, or click Change to select a different installation folder and then click Next. The Domain Credentials window opens.
15. In the Domain Credentials window, enter the domain user credentials. SafeGuard PortProtector Management Server requires a domain account from your Active Directory in order to perform tasks such as creating GPOs and controlling clients via WMI. We recommend that you enter an account with domain administrator privileges (you may change this user after installation).
   These credentials are stored on the Management Server and used unattended, so a domain administrator account makes the Management Server a machine whose compromise yields domain administrator rights. Since the guide allows the account to be changed after installation, replace it with a dedicated service account that has only what the server needs: the right to create and link GPOs in the OUs where policies are deployed, and local administrator membership on the endpoints (which remote WMI requires by default).
16. Click Next. Users' access to the Management Console is restricted for security reasons. SafeGuard PortProtector does not require its own users and computers database. Instead, credentials are checked against Active Directory and/or local user accounts on the Management Server machine. Following installation, access to the Management Console is restricted to users who have local administrative rights on the computer hosting the Server.
17. Click Next. The Communication Port window opens. SafeGuard PortProtector Management Server communicates with the SafeGuard PortProtector Management Consoles and Clients through SSL ports. Port definitions differ between Windows XP and Windows 2003.

Windows XP: The Management Server will use the default SSL port defined by the website of the host computer for communicating both with SafeGuard PortProtector Clients and with the Management Console. Note: If no website is found on the host computer, the same window appears, with the Communication Port (SSL) text box editable.
If you are not using the standard port 443, change it as required.

Windows 2003: In Windows 2003, SafeGuard PortProtector uses two different ports to communicate with SafeGuard PortProtector Clients and with the Management Console. The default ports are 443 for Client communications and 4443 for Management Console communications. If you wish, you may change these default ports.

18. In order for SSL to operate, a certificate is needed to authenticate the Management Server. This certificate is also used for encrypting the data sent on the communication port. If the computer that is running the Server already has an active website with the SSL port enabled, the application will use the existing certificate. If no certificate exists, the application will create a new certificate and will notify you of this.

Note: A Sophos-generated certificate is self-signed, that is, not signed by a valid Certificate Authority (CA). Because the Server and the endpoints authenticate each other with the organization's encryption keys generated in step 20, Sophos states that this does not affect the overall security level of the system. A self-signed certificate does, however, give anything outside the SafeGuard PortProtector components no way to verify the server's identity, and it will cause Internet Explorer to display security alerts. In order to avoid these alerts you will need to replace the certificate with a signed certificate you receive from a Certificate Authority your organization trusts, issued to the name the Clients and Consoles use to reach the server.

19. Click OK to continue with the installation.
20. Click Next. In the following window, you will be asked to back up the encryption keys that are generated by SafeGuard PortProtector. To enhance the security of the system, encryption keys are generated during the installation. These keys are unique to your organization and raise the tampering resistance of your system. The keys are used to encrypt policies and logs as well as for mutual authentication between the Server and the endpoints. One example of the use of these unique keys is that endpoints are initialized upon installation with the organization's unique keys.
From this point on, an endpoint will treat any information (i.e. a policy) that does not correlate to the keys as an attempt to circumvent its protection. For this reason it is highly recommended to back up the keys and store them on another machine/site, in order to ensure smooth recovery in case of server malfunction without the need to re-deploy Clients to endpoints.

In order to back up your encryption keys, you need to set a password that will be used to protect the keys. If you do not want to back up your encryption keys during the installation, check the Do not backup encryption keys now checkbox and click Next. To back up your encryption keys, click Browse to select a path, then enter a password and confirm it. Note: The password must be at least 7 characters long and contain at least one upper-case character and one digit.

The keys are what every endpoint uses to decide whether a policy is genuine, so the backup file together with its password is as sensitive as the Management Server itself. Store it off the Management Server, restrict read access to the people who would perform a restore, and choose a password well beyond the 7-character minimum. Click Next.

In the following window, you will be asked to configure the schedule for automatic system backup to the network, which includes the encryption keys generated by SafeGuard PortProtector. You may change the default Perform backups interval (Daily, Weekly, Monthly) and the time. The backup path supplied must reside on a network share, with write permissions for the user provided in the Domain Credentials window (step 15) in the setup wizard. Click Browse to select the Network backup path. Enter a Password and confirm it. If there is a problem with the password you chose (or with the share permissions), a message is displayed. Click Next. The Summary window opens.

21. Confirm the installation summary and click Install to perform the Server installation.
Installation begins, and the Installation Progress window opens.

22. Once installation has been completed, the final window of the wizard opens.
23. The SafeGuard PortProtector Management Server has been installed. Check the checkbox at the bottom of the screen if you wish to launch the SafeGuard PortProtector Management Console, and click Finish. Note: The installation process installs the SafeGuard PortProtector Management Console as well.
24. If you have chosen to launch the SafeGuard PortProtector Management Console, the Login window opens. Enter your User Name, Password and Domain and click Login. The application opens, displaying the main window.
25. Take the time to define preliminary settings in the Administration and Global Policy Settings. Please refer to Post-Installation Settings (Checklist) on page 38 for a list of settings which you may want to review and change.

3.5 Restoring an Existing Management Server

In some cases you will need to install SafeGuard PortProtector Management Server while keeping your system's unique encryption keys, in order to work with your existing SafeGuard PortProtector Clients. This may happen when you want to migrate the Server from a low-CPU machine to a stronger one, or when recovering from hardware malfunctions. In order to restore an existing Management Server you will need to provide the encryption keys backup file and the password that was set to protect it.

To restore an existing Management Server:

1. Perform the steps described in Installing the Management Server on page 16 up to step 7.
2. At this stage, you will be asked to choose the installation mode.
3. Select the Restore radio button.
The Restore window opens.

4. In the Restore window, select the appropriate radio button according to whether you wish to use SafeGuard PortProtector backup files or connect to an existing external SafeGuard PortProtector MS SQL database. If you select the second option, Connect to an existing SafeGuard PortProtector MS SQL database, skip to step 8 below.
5. Click Next. The Backup Files window opens.
6. Enter the path to your keys backup file and the password protecting it. If you have saved your previous installation configuration (policies, queries etc.), you can restore the configuration as well. Do this by checking the checkbox and selecting the path to the configuration backup file. Note: To learn how to restore logs, refer to Restoring Logs on page 37.
7. Skip to step 11 below.
8. If you have selected to use an existing database server, the Database Credentials window opens.
9. In the Database Credentials window, perform the following steps:
   a. In the Database Server field, enter the database server name (for a non-default instance use the format server\instance).
   b. Under Database authentication mode, click the appropriate radio button to select whether to use MS SQL Security or Microsoft Windows Security.
   c. Enter the database authentication credentials, User Name and Password. If you selected Microsoft Windows Security you must also enter a Domain name.
10. Click Next. The installation program validates access to the database. Note: If validation fails, re-enter the correct information, or click Cancel to exit the installation wizard.
11. Follow the instructions in steps 15-27 in Installing the Management Server.

3.5.1 Restoring Logs

The need may arise to restore version 3.2 logs that you have previously backed up.
This may happen in one of the following cases:

- You wish to upgrade or replace your version 3.2 Management Server machine.
- Upgrading from version 3.2 to a higher version fails and rolls back to version 3.2 without logs.

Note: This utility only restores logs from and to an embedded SafeGuard PortProtector database, since backing up and restoring logs on an external database is handled by your DBA.

Log restoring is performed using the Log Restore Utility. Running this utility deletes the existing log tables and restores the exact log schema from the backup file. Log views are created automatically when starting the Management Server. Because the existing log tables are deleted, back up the current logs first and confirm that the backup file is the one you intend to restore.

To view the Log Restore Tool version (optional):

1. Locate RestoreTool.exe in your SafeGuard PortProtector Management Server installation folder under the "bin" folder (if you installed in the default destination folder, the path is \Program Files\Sophos\SafeGuard PortProtector\Management Server\Bin).
2. Run RestoreTool.exe using the following syntax:

   RestoreTool version

   The command returns the assembly version of RestoreTool.exe.

To restore logs:

1. Stop the Management Server.
2. Locate RestoreTool.exe in your SafeGuard PortProtector Management Server installation folder under the "bin" folder (if you installed in the default destination folder, the path is \Program Files\Sophos\SafeGuard PortProtector\Management Server\Bin).
3. Run RestoreTool.exe using the following syntax:

   RestoreTool restore -backupFile <path> [-silent] [-verbose]

   -backupFile   specifies the full backup (SLB) file path to restore from
   -silent       does not ask the user for confirmation
   -verbose      verbose operation

   The program notifies you of any errors in the restore process. If there are no errors, your log data and structure are restored.
4. Start the Management Server.

3.6 Upgrading the Management Server

Upgrading from a previous version of SafeGuard PortProtector to this new version 3.3 SP5 is not supported.
Customers will have to uninstall the older version and re-install the SP5 version. The policies will also not be migrated. If customers have purchased professional services, we can help in the migration of policies.

3.7 Upgrading in a Clustered Environment

Upgrading in a clustered environment is not supported due to the rebranding of the product.

3.8 Post-Installation Settings (Checklist)

The SafeGuard PortProtector Management Server installation package defines default settings for system behavior, which you can find under Administration and Global Policy Settings (both available from the Tools menu in the SafeGuard PortProtector Management Console). Once you complete installing SafeGuard PortProtector Management Server and access the Management Console, you may want to visit these windows and set the parameters relevant to your environment.

3.8.1 Checklist for the Most Critical Settings in the Administration Window

1 Policy Publishing Method – Select the format and destination for publishing policies.
2 Encryption Keys Backup – Back up the encryption keys if you haven't done so during installation.
3 Client Installation Folder – Set a shared folder for creating client installation files. You will need these files in order to install clients.

Refer to Chapter 7, Administration in SafeGuard PortProtector User help for an explanation of Administration settings.

3.8.2 Checklist for the Most Critical Settings in the Global Policy Settings Window

1 Log Transfer Interval – Define the frequency with which logs will be sent from endpoints to the Server.

Important: Take extra care while configuring the Logs Transfer Interval in order not to burden your network and endpoints with excessive log sending.
Consider the following:

• The number of endpoints in your network
• The number of expected events from each endpoint (client and file logs)
• The level of need for "real time" log information in the Management Console

During installation, the default log interval is set to 90 minutes. In the case of large scale deployments, please consult Sophos Support in order to optimize your settings.

2 Clients Uninstall Password – Change the default password to your own preference.

Important: Upon product installation the password is set to "Password1". Since the password is one of the foundations of the client's tampering resistance, it is highly recommended that you change it as soon as you start deploying the product in a production environment.

Important: Make sure you have created a backup of the Server encryption keys. This will prevent situations in which you cannot uninstall Clients due to password loss.

Refer to Chapter 3, Defining Policies in SafeGuard PortProtector User help for an explanation of Global Policy settings.

3.9 Uninstalling SafeGuard PortProtector Management Server

To uninstall the Management Server:

1 Open Add/Remove Programs in your Control Panel.
2 Select SafeGuard PortProtector Management Server from the list, and click Remove as described below:

Note: Uninstalling SafeGuard PortProtector Management Server will delete the SafeGuard PortProtector database; therefore, if you wish to install the latest Server version, it is recommended to upgrade your Server rather than to perform an uninstall/install process.

3.10 Changing your Database

If you wish to change from using a SafeGuard PortProtector embedded database to an external MS SQL database, or vice versa, you can do so by using the Restore option as explained in Restoring an Existing Management Server on page 33 and selecting the new database type.
Note: You can only change your database if you are using version 3.2 or above.

Note: Changing your database will result in loss of previous logs. Previous policies are transferred to the new database, but policy associations to organizational objects (when using the "direct distribution from the Management Server to Clients" policy distribution mode) are lost.

4 Installing SafeGuard PortProtector Management Console

About This Chapter

This chapter describes how to install the SafeGuard PortProtector Management Console. It contains the following sections:

• Prerequisites, describes the prerequisites of the Management Console.
• Installing Prerequisite Software, describes how to install the Microsoft .NET Framework.
• Installing SafeGuard PortProtector Management Console, describes two methods for installing the Console.
• Launching SafeGuard PortProtector Management Console for the First Time, describes how to launch SafeGuard PortProtector Management Console.
• Uninstalling SafeGuard PortProtector Management Console, describes how to uninstall SafeGuard PortProtector Management Console.

4.1 Prerequisites

4.1.1 Operating System

• Windows XP Professional (SP1-2) 32-bit
• Windows 2003 Server (SP0-2) 32-bit

4.1.2 Hardware

• Pentium 800 MHz
• 256 MB RAM
• 50 MB HDD space

4.1.3 Software

• Microsoft .NET Framework 2.0 installed

4.2 Installing Prerequisite Software

4.2.1 Installing Microsoft .NET Framework 2.0

To install .NET Framework, refer to Installing Prerequisite Software on page in section 3.2.

4.3 Installing SafeGuard PortProtector Management Console

SafeGuard PortProtector Management Console can be installed and run from any computer on your network.
The first console is installed on the same machine that hosts the Management Server as part of the Server installation, and additional consoles can be installed on any machine in your domain that meets the prerequisites. Additional consoles can be installed in your domain either through Sophos's Management Console Installation web page (recommended), or by running the ManagementConsole.msi file from an external source, such as a CD.

Note: Access to the Management Consoles is restricted by default to the local administrators group of the machine hosting the server. In order not to expose your server machine user name and password unnecessarily, make sure you change this setting to a user group in your Active Directory before installing additional Management Consoles. You can change this setting from the Administration window in the Management Console.

4.3.1 Installing the Console from the Installation Web Page

SafeGuard PortProtector Management Console features a 'one-click' deployment process which gives you easy access to installing the Management Console by pointing your browser to the SafeGuard PortProtector Management Server address. This method automatically keeps all your Management Consoles up-to-date with the latest software version of the Management Server, and is therefore the recommended installation method.

To install the Management Console from the installation web page:

1 Access the address of the installation web page on the target machine. The link is in the following format:

https://<server name>:<port>/SafeGuardPortProtector/consoleinstall.aspx

Tip: You may also use a shorter link format:

https://<server name>:<port>/SafeGuardPortProtector

(This address can be found in the General tab of the Administration window, which you can access from the Management Console's Tools menu).
The installation page opens:

The page contains the following:

• A link to the Microsoft .NET Framework 2.0 installation package.
• A link to the Management Console installation package.
• Server details.

2 If the machine on which you wish to install an additional Console does not have .NET Framework installed, follow the link and install it before proceeding with the Management Console installation.

3 Click the link to the Management Console installation package. The following window opens:

4 Click Save and then run the program. The Management Console installation wizard opens:

5 Click Next. The Select Installation Folder window opens:

6 In the Select Installation Folder window, select the folder in which the SafeGuard PortProtector Management Console will be installed. The default folder is C:\Program Files\Sophos\SafeGuard PortProtector\. If you wish to install the Management Console in a different folder, click the Browse button and select the desired folder.

7 Select one of the following options by clicking its radio button:

• Everyone: allow access to the application to any user who uses the computer
• Just me: allow access to the application only to the logged on user.

Click Next. The following window opens:

8 In the Confirm Installation window, click Next to perform the installation.

9 Once the installation completes, the following window opens:

10 Click Close to exit.

11 Open the Management Console application by clicking the icon on your desktop or from Start > Programs > SafeGuard PortProtector > Management Console.
12 Depending on the browser you are using, the following message may appear:

Fill in the server name and port as they appear on the installation web page, and click Connect.

13 The Login window appears:

Type your user name, password and domain and click Login. The application will open, displaying the main window.

4.3.2 Installing SafeGuard PortProtector Management Console Manually

To manually install the Management Console:

1 Locate the ManagementConsole.msi file on your CD and run it. The setup window opens:

2 Proceed with steps 5 through 13 as described above.

4.4 Launching SafeGuard PortProtector Management Console for the First Time

1 Click the icon on your desktop, or go to Start > Programs > SafeGuard PortProtector > Management Console. The application opens for the first time:

2 Enter your user name, password and domain. The following window opens:

Each time the Management Console connects to the Server, it automatically downloads the latest version of the Management Console (if an update exists). Once the updated files are downloaded, the window closes, and the following window opens:

3 If you are evaluating the software, click Remind Me Later. Otherwise, click Enter License Key if you have a valid Sophos license, and enter your Sophos license key as described in the SafeGuard PortProtector User help, Chapter 7, Administration.

SafeGuard PortProtector Management Console opens, displaying the main window.

4.5 Uninstalling SafeGuard PortProtector Management Console

To uninstall the Management Console:

1 From the Control Panel, open Add or Remove Programs.
2 From the list, select SafeGuard PortProtector Management Console and click Remove.

Note: Uninstalling SafeGuard PortProtector Management Console does not cause any information loss.
You can re-install it at any time.

5 Installing SafeGuard PortProtector Client

About This Chapter

This chapter describes the various methods for installing, or deploying, SafeGuard PortProtector Client. It also explains how to uninstall and upgrade SafeGuard PortProtector Client. It contains the following sections:

• Prerequisites, page 55, describes the prerequisites of the SafeGuard PortProtector Client.
• Before Deploying SafeGuard PortProtector Client, page 55, describes the steps you need to take before installing SafeGuard PortProtector Clients.
• Installing SafeGuard PortProtector Client, page 58, describes the following installation methods:
  • Automatic Client Installation (through Active Directory)
  • Automatic Client Installation (generic)
  • Manual Installation
• Upgrading SafeGuard PortProtector Client, page 65, describes how to upgrade SafeGuard PortProtector Client from V2.0 to V3.x.
• Defining Endpoint Behavior during Installation, page 71, describes how to define the endpoint reboot sequence after installation.
• Uninstalling SafeGuard PortProtector Client, page 73, describes how to uninstall SafeGuard PortProtector Client.

5.1 Prerequisites

5.1.1 Operating System

• Windows 2000 Professional (SP3-4) 32-bit
• Windows 2000 Server (SP3-4) 32-bit
• Windows 2000 Advanced Server (SP3-4) 32-bit
• Windows XP Professional (SP1-2) 32-bit
• Windows 2003 Server (SP0-2) 32-bit
• Windows Vista Business/Enterprise/Ultimate (SP1-2) 32-bit
• Windows 7 Business/Enterprise/Ultimate 32-bit

5.1.2 Hardware

• Pentium 800 MHz
• 256 MB of RAM
• 50 MB HDD space

5.1.3 Software

• None required

5.2 Before Deploying SafeGuard PortProtector Client

In order to install SafeGuard PortProtector Client, you must first install the Management Server.
This is necessary in order to raise the security level of the system, by "imprinting" each installed client with the encryption keys of the server. From the point of installation, SafeGuard PortProtector Client knows the keys which it uses when communicating with the Server. From this point on, the Client will not accept any policy or perform any communication with a Server that does not hold matching keys.

This "imprinting" process is performed by initializing the Client with a file called ClientConfig.scc. This file is generated by the Server upon user request, and must be available during Client installation.

Before you can start deploying SafeGuard PortProtector Clients you need to define the path to which the Server will generate all the files needed for Client installation. The process of generating the installation files may be performed again at any time.

To generate SafeGuard PortProtector Client installation files:

1 In the Management Console, from the Tools menu, open the Administration window as shown in the following figure:

2 In the Administration window that opens, click the Clients tab on the left. The Administration Clients window opens:

3 Select a shared folder as the Client installation folder. Once the files are created, the following message appears:

Important: Make sure you enter a network path and not a local path.

4 Click OK.

5 You are now ready to deploy SafeGuard PortProtector Clients on the computers in your organization. Once Clients have been deployed, you can distribute policies to them as described in SafeGuard PortProtector User help.

5.3 Installing SafeGuard PortProtector Client

There are three ways to install the SafeGuard PortProtector Client:

• Automatically through Active Directory Group Policy Management.
• Automatically using any corporate software deployment tool, such as SMS or Tivoli.
• Manually, by running the installation wizard on each computer.

5.3.1 Automatic Client Installation (Active Directory)

Automatic SafeGuard PortProtector Client installation is performed using Active Directory's Group Policy Management (if installed) and Active Directory Users and Computers. These options enable you to define a GPO that will distribute the SafeGuard PortProtector Client to the OUs (computer or user groups) of your choice. When this option is used, the clients are installed in silent mode.

To automatically install the SafeGuard PortProtector Client:

1 Open the Active Directory Users and Computers window.

2 Right-click the OU to which to install the SafeGuard PortProtector Client and select Properties. The User Properties window opens.

3 In the User Properties window, select the Group Policy tab. This tab looks different depending on whether the Group Policy Management Console is installed or not.

4 If the Group Policy Management Console is not installed, the following window is displayed:

5 Click Add to add the SafeGuard PortProtector deployment GPO, name it, then right-click that GPO and select Edit. Go to step 9 below.

6 If the Group Policy Management Console is installed, click Open in the Group Policy tab to display the Group Policy Management window, as shown below:

7 In the OU tree displayed in the left pane, select the OU to which to install the SafeGuard PortProtector Client. The right pane displays the GPOs that are already assigned to this OU.

8 Add a GPO that installs software to this OU: right-click the OU and select Create and Link a GPO Here, then name the GPO.

9 Right-click the SG PP deployment GPO and select Edit. The Group Policy window is displayed.
An example is shown below:

10 Under Computer Configuration in the tree on the left, right-click Software Settings and select New, and then select Package, as shown below (the right pane may display names of other software to be installed if any have been defined):

A file selection window is displayed.

11 Locate the shared folder in which you have selected the Client installation files to be created. This folder should contain both the SafeGuardPortProtectorClient.msi and ClientConfig.scc files. If you are deploying clients to an XP 64-bit machine, make sure you are using the files under the XP64Bit sub-folder.

12 Browse to the full UNC path of the SafeGuard PortProtector Client installation file named SafeGuardPortProtectorClient.msi, select it and click Open. Make sure this path includes the ClientConfig.scc file.

13 Double-click the SafeGuardPortProtectorClient.msi file. The following window opens:

14 Select Assigned and click OK. Wait a few moments while the MSI is added.

a. When installing the SafeGuard PortProtector Client in a foreign language (German, Japanese):

b. Select the Modifications tab from the dialog box and click Add. Select the appropriate Transform file from the network share and press Open.

15 Prepare the endpoints of your organization for automatic installation, as described in the Preparing an Endpoint for Automatic Installation section below.

16 In some rare cases, a restart may be required on the endpoint computer. If so, a message will be displayed.

5.3.1.1 Preparing an Endpoint for Automatic Installation

In order to install the SafeGuard PortProtector Client, the target computers are required to have access to the shared network folder when the system is rebooted.
If the target computers are running Windows XP, you must turn on the Always wait for computer network to startup at logon GPO, which can be found under Computer Configuration | Administrative Templates | System | Logon. The next time a computer or user in this OU reboots, SafeGuard PortProtector Client will be deployed to it.

Note: In some cases, depending on the domain configuration, it may take some time for the GPO containing the installation package, which is linked to the dedicated OU, to replicate to other domain controllers (usually up to 15 minutes). This may appear as endpoints that are not installing the SG PP Clients. In this case it is necessary to wait for the replication to finish before restarting the endpoints for installation.

5.3.2 Automatic Client Installation (Generic)

In order to install using a third-party corporate software management solution, follow the procedure below.

To perform generic automatic client installation:

1 Locate the shared folder in which you have selected the Client installation files to be created. This folder should contain both the SafeGuardPortProtectorClient.msi and ClientConfig.scc files.

2 Create a batch file containing the following command, which installs the Protector Client silently:

msiexec /i DriveName:\InstallationPath\SafeGuardPortProtectorClient.msi /qn

When installing the Protector Client in a foreign language, use the following command line parameters (this should be written in a single line):

msiexec /i DriveName:\InstallationPath\SafeGuardPortProtectorClient.msi TRANSFORMS="\\InstallationPath\MSTFileName.mst" /qn

3 In some rare cases, a restart may be needed on the endpoint computer. If so, a message will be displayed.

5.3.3 Manual Client Installation

You can manually install the SafeGuard PortProtector Client on each computer in your organization that needs to be protected.
To manually install the SafeGuard PortProtector Client:

1 Locate the shared folder in which you have selected the SafeGuard PortProtector Client installation files to be created. This folder contains the SafeGuardPortProtectorClient.msi installation file. We recommend that the ClientConfig.scc file necessary for the installation be in the same folder. To view the path to this folder, select Administration from the Management Console's Tools menu, then select the Clients tab, as shown in the following figure:

Run SafeGuardPortProtectorClient.msi. If you are deploying clients to an XP 64-bit machine, make sure you are using the files under the XP64Bit sub-folder. The installation wizard opens:

2 Click Next to continue. The License Agreement window opens:

3 In the License Agreement window, select the I accept the terms in the license agreement radio button and click Next. The Destination Folder window opens:

4 In the Destination Folder window, determine the folder to which you want to install SafeGuard PortProtector Client. If you want to install it to a folder other than the default, click Change, and in the Change Current Destination Folder window that opens, select the desired folder and click OK.

5 Click Next. The Select Client Configuration File window opens:

6 Select the Client configuration file ClientConfig.SCC. This file is necessary in order for the Client to read encrypted company policies, as well as to set the default uninstall password. This file is generated by the SafeGuard PortProtector Management Server, and is typically found in the same folder as the Client installation file.

Note: If you are unsure where this file is, ask your system administrator, or generate a new one as explained in Before Deploying SafeGuard PortProtector Client on page 55.
7 Click Next. The Ready to Install the Program window opens:

In this window, click Back to review or modify your installation settings, or click Cancel to cancel and exit the installation process.

8 Click Install to begin the installation. The following window opens:

This window contains a status bar that displays the progress of the installation process. Installation may take several minutes.

Note: During this installation, some of the devices attached to your computer may temporarily stop functioning. The devices will resume functioning once the installation is completed.

When the installation is complete, the following window opens:

9 Click Finish to exit the installation wizard. SafeGuard PortProtector Client is now installed on the endpoint.

Note: In some cases, depending on the computer's hardware configuration, a restart is required following installation in order for SafeGuard PortProtector Client to begin protecting the endpoint. A message will notify you when this is required.

5.4 Upgrading SafeGuard PortProtector Client

5.4.1 Upgrading the Client via Active Directory

In order for your endpoints to install the new version of the product, just add the new .msi file as a new GPO (repeat the steps above). This will automatically update the endpoints on the next reboot.

5.4.2 Upgrading the Client Manually

To upgrade the Client manually:

1 Double-click SafeGuardPortProtectorClient.msi. SafeGuard PortProtector automatically uninstalls your previous version of the product and updates it with the new version.

2 Following the upgrade, you must reboot the computer on which it was performed (a message will appear requesting you to reboot, unless you have set this message not to appear as explained in the following section).
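The silent msiexec installation from section 5.3.2, which per section 5.4.2 also upgrades an already installed Client, wrapped for use from a third-party deployment tool, as an added example that is not Sophos or Safend code. It checks that the MSI and ClientConfig.scc are both present, uses the XP64Bit sub-folder where the guide requires it, applies the InstallMethod value described in section 5.5 below to a local copy of ClientConfig.scc, and reports the msiexec result. The share path, parameter names, staging folder, log path and the 64-bit XP detection rule are assumptions; the file names, /qn, TRANSFORMS and the [installparams]/InstallMethod keys come from the guide.

```powershell
# Install-SGPPClient.ps1 (added example, not Sophos/Safend code).
# Silent SafeGuard PortProtector Client install for third-party deployment tools.
# Assumptions: share layout as generated by the Management Server (MSI and
# ClientConfig.scc side by side, XP64Bit sub-folder for 64-bit XP), a text
# ClientConfig.scc as shown in section 5.5, and the staging/log paths below.
param(
    [Parameter(Mandatory = $true)]
    [string]$ShareRoot,                 # constructed example: \\fileserver\SGPPClient
    [string]$Transform = "",            # optional .mst file name for German/Japanese installs
    [ValidateRange(0, 3)]
    [int]$InstallMethod = 2,            # InstallMethod table in section 5.5; 2 is the product default
    [string]$LogDir = "$env:SystemRoot\Temp"
)

$ErrorActionPreference = "Stop"

# The guide requires the files under XP64Bit for 64-bit XP endpoints. XP x64 reports
# NT 5.2 and, from a 32-bit PowerShell host, exposes the real CPU architecture via
# PROCESSOR_ARCHITEW6432 (assumed detection rule, not from the guide).
$osVersion = [Environment]::OSVersion.Version
$is64Bit   = ($env:PROCESSOR_ARCHITECTURE -eq "AMD64") -or ($env:PROCESSOR_ARCHITEW6432 -eq "AMD64")
$sourceDir = if ($osVersion.Major -eq 5 -and $is64Bit) { Join-Path $ShareRoot "XP64Bit" } else { $ShareRoot }

# Pre-flight: the installer needs ClientConfig.scc next to the MSI (sections 5.3.1 and 5.3.2).
$files = @{
    Msi = Join-Path $sourceDir "SafeGuardPortProtectorClient.msi"
    Scc = Join-Path $sourceDir "ClientConfig.scc"
}
if ($Transform) { $files.Mst = Join-Path $sourceDir $Transform }
foreach ($path in $files.Values) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Required installation file missing: $path" }
}

# Stage everything locally: the per-deployment InstallMethod edit must not touch the
# shared ClientConfig.scc, and section 5.5 notes that the final install phase can
# drop the network, so the MSI should not be read from the share at that point.
$staging = Join-Path $env:TEMP "SGPPClientInstall"
New-Item -ItemType Directory -Path $staging -Force | Out-Null
$local = @{}
foreach ($key in @($files.Keys)) {
    Copy-Item -LiteralPath $files[$key] -Destination $staging -Force
    $local[$key] = Join-Path $staging (Split-Path -Leaf $files[$key])
}

# Section 5.5: add [installparams] / InstallMethod=<n> at the end of ClientConfig.scc.
# Any existing [installparams] section is removed first so the key is defined once.
$text = [IO.File]::ReadAllText($local.Scc)
$text = [regex]::Replace($text, '(?ms)^\[installparams\].*?(?=^\[|\z)', '')
$text = $text.TrimEnd() + "`r`n`r`n[installparams]`r`nInstallMethod=$InstallMethod`r`n"
[IO.File]::WriteAllText($local.Scc, $text)

# Build the single-line msiexec command from section 5.3.2 (/qn = no UI).
# $msiArgs is used rather than $args, which PowerShell reserves.
$log     = Join-Path $LogDir "SGPPClientInstall.log"
$msiArgs = @("/i", "`"$($local.Msi)`"", "/qn", "/l*v", "`"$log`"")
if ($Transform) { $msiArgs += "TRANSFORMS=`"$($local.Mst)`"" }

$proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru

# Windows Installer exit codes: 0 = success; 3010 = success, but the package flagged
# that a reboot is required. With InstallMethod 1 or 3 the endpoint shows no reboot
# prompt (section 5.5), so the deployment tool has to act on 3010 itself.
switch ($proc.ExitCode) {
    0       { Write-Output "SafeGuard PortProtector Client installed (InstallMethod=$InstallMethod)." }
    3010    { Write-Output "Client installed; reboot required before the policy is enforced."; exit 3010 }
    default { Write-Output "Installation failed, msiexec exit code $($proc.ExitCode); see $log"; exit $proc.ExitCode }
}
```

Run it as the deployment tool's install command, for example `powershell.exe -File Install-SGPPClient.ps1 -ShareRoot \\fileserver\SGPPClient -InstallMethod 3`; the script's exit code is the msiexec result, so the tool can schedule the reboot that options 1 and 3 require.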
5.5 Defining Endpoint Behavior during Installation

By default, the process of installing SafeGuard PortProtector Client involves restarting most of the peripheral devices on the endpoint in order to immediately start enforcing the policy. This may cause temporary disconnection from the network in the final stages of the installation. Additionally, in some rare cases, this may also require the computer to reboot.

Administrators who are using third party products to deploy software may find it useful to define that the "restart devices" process not be performed, in order to avoid network disconnection during installation. You can control both device restart and reboot behavior by defining whether they should be performed during installation. If you choose not to perform these processes, the policy will not be enforced until the machine reboots upon user request.

To define endpoint behavior during installation:

1 In order to determine the reboot method upon installation, open the ClientConfig.scc file:

2 Scroll down to the end of the file, and add a section at the end – [installparams], as shown in the image above.

3 Add the InstallMethod parameter and values according to the table below:

Parameter – Meaning

InstallMethod=0 – The installation WILL perform "restart devices" and WILL display a reboot request message when required. This option ensures instant protection: following installation, all your endpoints immediately start enforcing the policy.

InstallMethod=1 – The installation WILL perform "restart devices" and WILL NOT display a reboot request message, even if a reboot is required. This option allows you to perform a totally silent installation, with no messages to the end user. However, the policy may not be enforced until the next reboot.
InstallMethod=2 (default) – The installation WILL NOT perform "restart devices" and WILL display a reboot request message when required. This option allows you to significantly shorten the installation process and use third party applications for deploying the client without network disconnection. By enforcing the reboot, you can make sure the policy is enforced immediately.

InstallMethod=3 – The installation WILL NOT perform "restart devices" and WILL NOT display a reboot request message, even if a reboot is required. This option allows you to perform a totally silent installation, with no messages to the user and without causing network disconnections. However, the policy is not enforced until the next reboot.

Important: When using options 1 and 3, the operating system may become unstable when devices connect to the monitored ports. It is highly important that you make sure the endpoint performs a reboot as soon as possible after completion of the installation process.

5.6 Uninstalling SafeGuard PortProtector Client

You can uninstall SafeGuard PortProtector either manually, or silently from the GPO. The process of uninstalling is password protected using a global password or a policy-specific password which you defined in the Policies World in SafeGuard PortProtector Management Console (refer to SafeGuard PortProtector User help, Chapter 3, Building Policies).

5.6.1 Uninstalling Manually

To uninstall manually:

1 From the Control Panel's Add or Remove Programs, select SafeGuard PortProtector Client as follows:

2 Select SafeGuard PortProtector Client and click Change. The install wizard opens:

3 Click Next to continue uninstalling.
The Uninstall Password window opens:

4 Enter the uninstall password that you defined in the Policies World in SafeGuard PortProtector Management Console (refer to SafeGuard PortProtector User help, Chapter 3, Defining Policies) and click Next. The following window opens:

5 In order to review or change any settings before continuing, click Back, or click Cancel to exit the uninstall wizard. Once you have uninstalled it, SafeGuard PortProtector Client will no longer be available to protect the endpoint. Otherwise, continue to the next step.

6 Click Remove to remove SafeGuard PortProtector Client. The uninstall process begins and the following status window appears:

The process may take several minutes. When it is completed, the following window appears:

7 Click Finish. SafeGuard PortProtector Client is uninstalled and no longer protecting the computer.

Note: After uninstalling you must reboot the computer before you can reinstall SafeGuard PortProtector.

5.6.2 Uninstalling SafeGuard PortProtector via GPO

Since the SafeGuard PortProtector uninstall procedure is password protected, it is not possible to use the automatic uninstall feature of the GPO software installation package. Therefore, to uninstall SG PP, a startup script must be used.

There are two ways to uninstall SafeGuard PortProtector Client. The first and recommended option is to unlink the SG PP Install GPO from the OU containing the client computers, and to apply a NEW GPO containing an uninstall script, as shown in steps 6-11 below. The second option is to edit the SG PP Deployment GPO.

To uninstall via a SG PP GPO:

1 Edit the relevant Group Policy applied to the client computers from which SafeGuard PortProtector is to be uninstalled.

2 Navigate to Computer Configuration > Software Settings > Software Installation.
3 Right-click the SafeGuard PortProtector object and select All Tasks > Remove.

4 Check the Allow users to continue to use the software, but prevent new installations radio button.

5 Click the OK button.

6 Create a new GPO named Protector Uninstall, right-click the new GPO and select Edit.

7 Navigate to Windows Settings under Computer Configuration and select Scripts and then Startup.

8 Click the Show Files button and create a new text document containing the following command:

msiexec.exe /x "\\full UNC path to SG PP shared install folder\SafeGuardPortProtectorClient.msi" /qn UNINSTALL_PASSWORD=uninstall password

Note: The uninstall command in the batch file (shown above) must be written on one line. The actual uninstall process will take place only after the computer is rebooted.

9 Replace the full UNC path to the SafeGuard PortProtector shared installation folder with the appropriate path.

10 Replace the uninstall password with the appropriate uninstall password.

11 Save the file with a *.bat extension.

12 Close the folder, click the Add button and then the Browse button.

13 Select the newly created batch file and click the OK button.

5.6.3 SafeGuard PortProtector Client Cleanup Utility

A Client cleanup utility is available for use when you cannot uninstall SafeGuard PortProtector Client from an endpoint using the processes described above. This may happen in the following cases:

a. SafeGuard PortProtector Client is protecting the endpoint properly, but it cannot be found under the Control Panel's Add or Remove Programs option.

b. Running the Client uninstall (Remove) wizard fails.

c. The Client is not functioning properly (e.g. it is in Panic mode) and will not accept your Client Uninstall password.

d. You have forgotten the Client Uninstall password and cannot update the Client's policy with a new policy in which you have set a new Uninstall password.
To run the Client Cleanup utility: 1 Locate the file spec.exe in the system32 folder under your Windows (system root) folder. 2 Run spec.exe. The following window opens: 79 SafeGuard® PortProtector 3.30, Installation guide 3 Supply the computer-specific Cleanup Token to Sophos support ([email protected]). Once you receive your cleanup key from Sophos support, enter it in the Cleanup Key field.. 4 In Operating System, select either the Current Operating System or Another Operating System on this machine. If you choice the second option, click Browse to find the other operating system on the computer. Note: if you choose the Windows 2000 operating system, the path is the following: C:\winnt\system32. 5 Click Cleanup Now. The Client cleanup process begins and a progress bar shows its progress. This may take a few minutes. Once cleanup is complete, the following window appears: 6 Restart the endpoint. 80 SafeGuard® PortProtector 3.30, Installation guide 6 Appendix A - OPSEC™ Interoperability About This Appendix This appendix explains how Check Point™'s VPN-1®/FireWall-1® SecureClient™ (referred to from here on as SecureClient) interacts with SafeGuard PortProtector Client to enhance your network's security. It contains the following sections:  What is OPSEC™, page 82, describes Check Point's OPSEC™ and its benefits.  OPSEC™ and SafeGuard PortProtector, page 82, describes how Sophos interfaces with OPSEC™.  Preparing SafeGuard PortProtector Client, page 82, describes the preparations you need to do on the SafeGuard PortProtector side in order to apply OPSEC™.  Configuring your SCV Policy, page 83, describes the preparations you need to do on the VPN1®/FireWall-1® side in order to apply OPSEC™.  Installing Updated SCV Policy to SecureClients, page 89, explains how to install the updated SCV Policy to SecureClient. 
• SafeGuard PortProtector SCV Check Parameters, page 92, describes the checks that can be performed on SafeGuard PortProtector Client and provides examples.

Note: The instructions in this appendix assume that SecureClient is already installed on the required endpoints in your organization.

6.1 What is OPSEC™

Check Point's OPSEC™ (Open Platform for Security) integrates and manages all aspects of network security through an open, extensible management framework. SafeGuard PortProtector can plug into this framework to provide you with a comprehensive security solution. In this solution, an SCV Check (a DLL) queries the security-relevant configuration of a client and reports to SecureClient whether the configuration is "Verified" or "Not Verified". When the configuration is not verified, SecureClient denies access to the organizational network.

6.2 OPSEC™ and SafeGuard PortProtector

Sophos provides a DLL which can perform several checks of SafeGuard PortProtector Client, the results of which are reported to SecureClient. In addition to checking for the existence of SafeGuard PortProtector Client, these checks may include one or more of the following parameters:

• Policy ID
• Policy update date/time
• Version number
• Protection Status
• Server ID

An explanation of these parameters appears in SafeGuard PortProtector SCV Check Parameters, page 92. When one or more of the checks fail, the computer configuration is not verified, and SecureClient blocks the endpoint from accessing the organizational network.

6.3 Preparing SafeGuard PortProtector Client

Sophos provides a DLL that interfaces with SecureClient, specifically with its SCV Policy, which you should install on the required endpoints:

1 If you have not done so already, install SafeGuard PortProtector Client as explained in Installing SafeGuard PortProtector Client, page 54.
2 Install SafeGuardPortProtectorScv on the required computers using GPO or manually (SafeGuardPortProtectorScv.msi can be found on your SafeGuard PortProtector installation CD). This installs a DLL that can perform your choice of one or more of the checks described above, in addition to checking whether SafeGuard PortProtector Client is installed on the computer. The DLL reports the result, "verified" or "not verified", to SecureClient.

Important: SecureClient must already be installed on target computers before you install the SafeGuardPortProtectorScv DLL.

Note: If you install SafeGuardPortProtectorScv manually while SecureClient is active, SecureClient will stop and restart its service. In this case, reconnect it.

6.4 Configuring your SCV Policy

The SCV Policy is SecureClient's security policy, into which third-party applications such as SafeGuard PortProtector can plug in. An SCV Policy may include one or more SCV Checks, each relating to a different application. SafeGuard PortProtector's SCV Check, namely SafeGuardPortProtectorScv, must be added to the SCV Policy, which is then installed on the required SecureClients. This process includes three steps:

• Step 1: Adding the SafeGuard PortProtector SCV Check to your SCV Policy
• Step 2: Adding SafeGuard PortProtector parameters to your SafeGuard PortProtector SCV Check
• Step 3: Installing your SCV Policy on the required SecureClients

Steps 1 and 2 may be performed using SCVEditor™ (recommended), explained immediately below, or using any text editor.

6.5 Configuring SCV Policy using SCVEditor™

As mentioned above, it is recommended that you configure your SCV Policy using SCVEditor™, as explained below. If you wish to configure the SCV Policy using a text editor, refer to Configuring SCV Policy using a Text Editor on page 86.

6.5.1.1 Adding SafeGuard PortProtector SCV Check to SCV Policy

The SafeGuard PortProtector SCV Check, SafeGuardPortProtectorScv, must be added to your SCV Policy (local.scv), located in the $FWDIR/conf directory of the VPN-1®/FireWall-1® Management Server. The SafeGuard PortProtector SCV Check can be added to your SCV Policy using SCVEditor™.

To add the SCV Check using SCVEditor™:

1 From SCVEditor™'s main window, open local.scv.
2 In the left-hand pane of the SCVEditor™ main window, right-click Products and select Add. A naming window opens.
3 Enter SafeGuardPortProtectorScv and click OK. SafeGuardPortProtectorScv now appears in the left-hand pane under Products, along with any products you may have added previously.
4 In the left-hand pane, right-click SafeGuardPortProtectorScv and select Enforce. SafeGuardPortProtectorScv now appears in the bottom half of the right-hand pane of the main window.
5 In the Global SCV Parameters section of the main window, set Block connection on SCV unverified on/off and the Expiration Time value as desired. (In local.scv these settings appear under SCVGlobalParams as block_connections_on_unverified and scv_policy_timeout_hours; see the examples in Configuring SCV Policy using a Text Editor.)
6 Click Save from the toolbar or from the File menu to save the updated SCV Policy.

6.5.1.2 Adding SafeGuard PortProtector Parameters to the SCV Check

The SCV Check may include several parameters whose values you wish to check in order to verify SecureClient's connection. Refer to SafeGuard PortProtector SCV Check Parameters, page 92, for a list of available parameters, including explanations and examples of how to define and use them.

1 To add a parameter, right-click in the blank workspace on the right-hand side and select New. A parameter window opens.
2 Enter the parameter Name and its Value, for example the MinimumVersion parameter with the value 3.0.12444.
In this example, if the SCV Check determines that the SafeGuard PortProtector Client version is lower than 3.0.12444, the Client is not verified and is not allowed to connect to the organizational network.

3 Click OK. The parameter is now added to SafeGuardPortProtectorScv.
4 Repeat steps 1 to 3 for each parameter you wish to add. Each parameter you have added is shown in the workspace.
5 Click Save from the toolbar or from the File menu to save the updated SCV Policy.

6.5.2 Configuring SCV Policy using a Text Editor

Another way to configure your SCV Policy is to edit local.scv directly with a text editor. Three examples are provided below.

• Example 1 is a general SCV Policy example which describes the file syntax.
• Example 2 is an SCV Policy that includes a SafeGuard PortProtector SCV Check with no parameters.
• Example 3 is an SCV Policy that includes a SafeGuard PortProtector SCV Check with several parameters.

Note: A syntax error in the file (an unbalanced parenthesis, for instance) results in a corrupted file error, and the SCV state of every client that receives the policy is "not verified". With block_connections_on_unverified set to true, that locks those clients out of the network, so check the file carefully before installing it. Using SCVEditor™ eliminates this problem.

6.5.2.1 Example 1

The following is a general SCV Policy example:

(SCVObject
  :SCVNames (
    :(SCVGroup1
      :type (group)
      :(samplescv1)
      :(samplescv)
    )
    :(SCVGroup2
      :type (group)
      :(emptyscv)
    )
    :(samplescv
      :type (plugin)
      :parameters (
        :n1param1 (value1)
        :n1param2 (value2)
        :n1param3 (value3)
      )
    )
    :(emptyscv
      :type (plugin)
      :parameters (
        :n2param1 (value1)
        :n2param2 (value2)
      )
    )
  )
  :SCVPolicy (
    :(SCVGroup1)
  )
)

SCV Policy Description

The SCVPolicy set contains the groups of SCV checks that should be used. In SCVGroup1 there are two SCV checks defined (samplescv1 and samplescv). The first SCV check from SCVGroup1 that is registered correctly will be used by SecureClient. samplescv and samplescv1 are similar SCV checks in this example, and at least one of them should be used to report SCV status. Since samplescv1 is not defined properly (it is listed in the group but has no definition of its own under SCVNames), samplescv will be used instead. The SCVPolicy does not contain the emptyscv SCV check (it belongs only to SCVGroup2, which SCVPolicy does not list), therefore it will not be used at all. samplescv contains three parameters which will be passed in the Start function.

6.5.2.2 Example 2

The following is an example of an SCV Policy that contains the SafeGuardPortProtectorScv SCV Check. This SCV Check does not include any parameters and only checks for the existence of SafeGuard PortProtector Client on the endpoint in order to determine whether it is verified to connect to the organizational network.

(SCVObject
  :SCVNames (
    : (SafeGuardPortProtectorScv
        :type (plugin)
        :parameters ()
      )
  )
  :SCVPolicy (
    : (SafeGuardPortProtectorScv)
  )
  :SCVGlobalParams (
    :block_connections_on_unverified (true)
    :scv_policy_timeout_hours (24)
  )
)

6.5.2.3 Example 3

The following example is an SCV Policy that contains the SafeGuardPortProtectorScv SCV Check. The SCV Check includes four parameters, all of which must pass in order to verify the Client and allow connection to the organizational network (refer to SafeGuard PortProtector SCV Check Parameters on page 92 for a list of available parameters, including explanations and examples of how to define and use them).

(SCVObject
  :SCVNames (
    : (SafeGuardPortProtectorScv
        :type (plugin)
        :parameters (
          :PolicyId ("Policy1 0 / 1$$Sophos Initial Policy ")
          :ProtectionStatus ("STATUS_PROTECTED")
          :PolicyUpdatedSinceDate ("23.08.2006 17:17:00")
          :MinimumVersion ("3.0.12444")
        )
      )
  )
  :SCVPolicy (
    : (SafeGuardPortProtectorScv)
  )
  :SCVGlobalParams (
    :block_connections_on_unverified (true)
    :scv_policy_timeout_hours (24)
  )
)

6.6 Installing Updated SCV Policy to SecureClients

Once you have added SafeGuardPortProtectorScv to your SCV Policy and saved it, either through SCVEditor™ or using a text editor, you can install it on your SecureClients as explained below.

To install the updated SCV Policy:

1 Open Check Point SmartDashboard™.
2 From the Policy menu, select Install. The Install Policy window opens.
3 Select the desired settings and click OK. The installation begins and the Installation Process window displays its progress. Once the installation has completed successfully, a confirmation window is displayed.
4 Your SCV Policy is now installed on the selected gateways. When SecureClients next log on to the Policy Server, the updated SCV Policy is installed on them. SecureClients can then communicate with the SafeGuard PortProtector DLL described above and block connection to the organizational network when the SafeGuard PortProtector configuration is not verified. When a configuration is not verified, an error message appears on the endpoint.
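The following is an added example, not code from this guide, from Sophos or from Check Point. It parses a local.scv file in the set format shown in Examples 1 to 3, extracts the SafeGuardPortProtectorScv parameters, and evaluates them against a client state using the comparison rules given for each parameter in SafeGuard PortProtector SCV Check Parameters, page 92. It also turns the "corrupted file" case from the note above into a ValueError so a policy can be checked before it is installed. The client state (GOOD_CLIENT) and its field names are constructed for this example; parameter names are matched case-insensitively because the guide writes both PolicyId and PolicyID, which is an assumption about the real DLL.

```python
"""Added example (not code from the SafeGuard PortProtector guide, Sophos or Check Point):
parse local.scv (Check Point's set format) and evaluate the SafeGuardPortProtectorScv
parameters against a constructed client state using the rules in section 6.7."""
import re
from datetime import datetime

# Example 3 from the guide, compacted, used here as sample input.
EXAMPLE3_SCV = """
(SCVObject
  :SCVNames ( : (SafeGuardPortProtectorScv
      :type (plugin)
      :parameters (
        :PolicyId ("Policy1 0 / 1$$Sophos Initial Policy ")
        :ProtectionStatus ("STATUS_PROTECTED")
        :PolicyUpdatedSinceDate ("23.08.2006 17:17:00")
        :MinimumVersion ("3.0.12444") ) ) )
  :SCVPolicy ( : (SafeGuardPortProtectorScv) )
  :SCVGlobalParams ( :block_connections_on_unverified (true) :scv_policy_timeout_hours (24) )
)
"""

# Constructed client state; the field names are this example's, not the DLL's.
GOOD_CLIENT = {
    "version": "3.0.12444",
    "policy": "Policy1 0 / 1",
    "policy_updated": datetime(2006, 9, 1, 8, 0, 0),
    "status": "STATUS_PROTECTED",
    "server": "Unknown",
}

TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|:[A-Za-z0-9_]*|[^\s()":]+')


def parse_scv(text):
    """Parse the set format into nested lists: atoms (str), nested lists, or (key, value)
    tuples from ':key value' (': (...)' yields key ''). Unbalanced parentheses raise
    ValueError, the case SecureClient reports as a corrupted file (client not verified)."""
    tokens, pos = TOKEN_RE.findall(text), 0

    def value():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return tok[1:-1] if tok.startswith('"') else tok
        items = []
        while tokens[pos] != ")":
            if tokens[pos].startswith(":"):
                key = tokens[pos][1:]
                pos += 1
                items.append((key, value()))
            else:
                items.append(value())
        pos += 1
        return items

    try:
        tree = value()
    except IndexError:
        raise ValueError("unbalanced parentheses in SCV policy")
    if pos != len(tokens):
        raise ValueError("text after the closing parenthesis of SCVObject")
    return tree


def get(items, key):
    """Value of the first (key, value) tuple in items with this key, or None."""
    return next((v for k, v in [i for i in items if isinstance(i, tuple)] if k == key), None)


def scv_parameters(tree, product):
    """Parameters of one plugin as {lowercased name: str}, or None if it is not defined
    under SCVNames. Lowercasing the names (PolicyId vs PolicyID) is an assumption."""
    for entry in get(tree[1:], "SCVNames") or []:  # tree[0] is the 'SCVObject' head
        if isinstance(entry, tuple) and entry[1][0] == product:
            # each value parses as a one-atom list, e.g. ('MinimumVersion', ['3.0.12444'])
            return {k.lower(): v[0] for k, v in get(entry[1][1:], "parameters") or []}
    return None


def parse_version(s):
    """MinimumVersion format 0-255.0-255.0-65535, compared field by field as integers."""
    parts = [int(p) for p in s.split(".")]
    if len(parts) != 3 or any(not 0 <= p <= lim for p, lim in zip(parts, (255, 255, 65535))):
        raise ValueError("bad version %r" % s)
    return tuple(parts)


def parse_date(s):
    """PolicyUpdatedSinceDate format DD.MM.YYYY, optionally followed by HH:MM:SS."""
    return datetime.strptime(s, "%d.%m.%Y %H:%M:%S" if " " in s else "%d.%m.%Y")


def evaluate(params, client):
    """Apply every parameter present and return (verified, [names of failed checks]).
    '$$'-separated values are matched exactly, trailing spaces included."""
    checks = (
        ("MinimumVersion", lambda v: parse_version(client["version"]) >= parse_version(v)),
        ("PolicyUpdatedSinceDate", lambda v: client["policy_updated"] >= parse_date(v)),
        ("PolicyId", lambda v: client["policy"] in v.split("$$")),
        ("ProtectionStatus", lambda v: client["status"] in v.split("$$")),
        ("ServerID", lambda v: client["server"] in v.split("$$")),
    )
    failed = [name for name, ok in checks if name.lower() in params and not ok(params[name.lower()])]
    return (not failed, failed)
```

Run parse_scv over the file you are about to install; a ValueError means every SecureClient that receives it would end up "not verified". Then evaluate the extracted parameters against the values shown in the Client Options window of a known-good endpoint before you roll the policy out, and note that PolicyId only matches "Sophos Initial Policy " when the trailing space is present.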
Figure: the message the end user receives when a configuration is not verified due to a parameter value mismatch.

Figure: the message the end user receives when a configuration is not verified due to a format error. The two messages differ, which lets you tell a genuine policy failure from a corrupted local.scv.

6.7 SafeGuard PortProtector SCV Check Parameters

The following is a description of the parameters which you may use to perform checks of SafeGuard PortProtector Client, in addition to checking its existence on the endpoint. Syntax and examples are provided for each parameter.

6.7.1 General

There are five parameters you can use to check the status of SafeGuard PortProtector. All the parameters are optional. The parameters are compared with the current SafeGuard PortProtector information, which is displayed in the SafeGuard PortProtector Client Options window.

6.7.2 Parameter Format and Description

6.7.2.1 MinimumVersion

Description: "Verified" for versions with a number greater than or equal to MinimumVersion.
Format: 0-255.0-255.0-65535
Examples:
  3.0.12444
  3.1.0

6.7.2.2 PolicyUpdatedSinceDate

Description: "Verified" if the last policy update was performed on or after PolicyUpdatedSinceDate. The date is mandatory; the time is optional.
Format: DD.MM.YYYY HH:MM:SS
Examples:
  24.08.2006 12:32:00
  12.06.2005

6.7.2.3 PolicyID

Description: "Verified" if the current policy is equal to one of the PolicyIDs listed in the parameter.
Format: PolicyID1$$PolicyID2$$PolicyID3 ...
Notes: The policy version and ID must be appended to the policy name. For example, if the policy name is "Policy1", its version is 0 and its ID is 1, the value is "Policy1 0 / 1". One trailing space must be added to the Initial policy name: "Sophos Initial Policy " (the comparison is an exact string match, so the space matters).
Examples:
  Company Policy 0 / 1
  My Policy 5 / 10$$Sophos Initial Policy $$Policy2 0 / 1

6.7.2.4 ProtectionStatus

Description: "Verified" if the current protection status is one of the listed statuses. Currently there are three statuses: STATUS_PROTECTED, STATUS_ERROR and STATUS_SUSPENDED.
Format: Status1$$Status2$$Status3 ...
Examples:
  STATUS_PROTECTED
  STATUS_SUSPENDED$$STATUS_PROTECTED$$STATUS_ERROR

Listing STATUS_ERROR or STATUS_SUSPENDED as acceptable, as the second example does, admits endpoints whose protection is not active; for an access-control check, STATUS_PROTECTED alone is usually what you want.

6.7.2.5 ServerID

Description: "Verified" if the Server Name is equal to one of the ServerIDs listed in the parameter. This parameter is applicable to versions 3.1 and later.
Format: ServerID1$$ServerID2$$ServerID3 ...
Examples:
  Unknown
  Unknown$$ABC$$ServerID

7 Appendix B - NAC Interoperability

About This Appendix

This appendix explains how SafeGuard PortProtector Client interacts with Cisco Trust Agent (CTA) and Cisco Secure Access Control Server (ACS) to enhance your network's security. It contains the following sections:

• What is NAC, page 95, describes Cisco's NAC (Network Admission Control) and its benefits.
• Posture Validation, page 95, explains how attributes, such as those reported by SafeGuard PortProtector Client through CTA, are validated by ACS.
• SafeGuard PortProtector and NAC, page 96, describes how Sophos interfaces with NAC to provide comprehensive network protection.
• Configuring Posture Validation Policies, page 96, describes the process of importing the SafeGuard PortProtector Client Attribute-Value Pairs (AVP) file and provides a link to Cisco documentation on posture validation policy configuration.
• Attribute-Value Pairs (AVP) File, page 98, provides a sample AVP file which should be imported into ACS in order to check SafeGuard PortProtector Client attributes.
7.1 What is NAC

NAC is a set of technologies and solutions built on an industry initiative led by Cisco Systems. It uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats. Customers using NAC can limit network access to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the access of noncompliant devices.

7.1.1 Benefits of NAC

• Improves network security: NAC ensures that all endpoints conform to the latest security policy, regardless of the size or complexity of the network. With NAC in place, you can focus operations on prevention rather than reaction, and proactively protect against intruders and data leakage.
• Extends the value of your existing investments: besides being integrated into the Cisco network infrastructure, NAC integrates with antivirus, security, and management solutions from dozens of leading manufacturers.
• Provides deployment scalability and a comprehensive span of control: NAC provides admission control across all access methods (LAN, WAN, wireless, and remote access).
• Increases enterprise resilience: NAC prevents noncompliant and rogue endpoints from affecting network availability.
• Reduces operational expenses: NAC reduces the expense of identifying and repairing noncompliant, rogue, and infected systems.

7.2 Posture Validation

The term posture refers to the collection of attributes that describe the configuration and "health" of the endpoint device that is seeking access to the network and that can be checked. Some of these attributes relate to the endpoint device type and operating system; others belong to security applications that might be present on the endpoint, such as SafeGuard PortProtector Client (refer to SafeGuard PortProtector Client Attributes on page 96 for a list of SafeGuard PortProtector Client attributes).

Posture validation is the act of applying a set of rules to the posture data to produce an assessment (posture token) of the level of trust that you can place in that endpoint. The posture token is one of the conditions in the authorization rules for network access. Posture validation, together with traditional user authentication, provides a complete security assessment of the endpoint device and the user.

Cisco Secure Access Control Server Release 4.0 for Windows, hereafter referred to as ACS, supports posture validation when ACS is deployed as part of a broad Cisco Network Admission Control (NAC) solution. CTA, which includes a Posture Agent (PA), delivers the SafeGuard PortProtector Client posture attributes to ACS, which evaluates them.

7.3 SafeGuard PortProtector and NAC

During installation of SafeGuard PortProtector Client, a DLL is installed (SProtectorPP.dll) that communicates the status of various SafeGuard PortProtector attributes (see below) to CTA. CTA, which includes a Posture Agent, delivers the posture attributes to ACS, which evaluates them. If one or more of the attribute checks fail, the endpoint's access to the organizational network is blocked.

7.3.1 SafeGuard PortProtector Client Attributes

In addition to checking for the existence of a SafeGuard PortProtector Client on the endpoint, the following attributes may be reported to the CTA Posture Agent and checked:

• Software version
• SafeGuard PortProtector policy name
• SafeGuard PortProtector policy ID
• SafeGuard PortProtector policy revision
• SafeGuard PortProtector policy type
• SafeGuard PortProtector policy update time

7.4 Configuring Posture Validation Policies

A Posture Validation policy is where you define validation checks for SafeGuard PortProtector Client attributes. These checks are performed on the attributes communicated by SafeGuard PortProtector Client, by means of SProtectorPP.dll, to the CTA Posture Agent, and reported by CTA to ACS. Before you can configure policies for SafeGuard PortProtector Client attributes, the SafeGuard PortProtector Attribute-Value Pairs (AVP) file, which defines these attributes, must be imported into ACS.

Note: Basic instructions are provided below. For additional details, refer to the Cisco ACS documentation, available from:
http://www.cisco.com/application/pdf/en/us/guest/products/ps6439/c2001/ccmigration_09186a008053d5e4.pdf
or
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e956.html

To import the AVP file into ACS:

1 If you have not yet done so, install SafeGuard PortProtector Client on the relevant endpoints. This automatically copies two files into C:\Program Files\Common Files\PostureAgent\Plugins:
  • SProtectorPP.inf: describes the SafeGuard PortProtector Client attributes and their identifiers.
  • SProtectorPP.dll: collects the SafeGuard PortProtector Client attributes and reports their values to CTA.
2 Prepare a SafeGuard PortProtector AVP file according to the example provided in Attribute-Value Pairs (AVP) File on page 98.
3 Open a command window on the ACS server (csutil runs only there).
4 Navigate to %ProgramFiles%\Cisco Systems\CiscoSecure ACS 4.0\bin.
5 Copy the AVP file (AVPfilename) into this folder.
6 Run csutil -addAVP AVPfilename. The utility adds each attribute from the AVP file. When the process is completed, the following summary appears:

   ---AVP Summary---
   (N) AVPs have been added to the dictionary.

   Check that N equals the number of [attr#N] sections in your file (seven for the complete file on page 98); a lower count means some sections were not imported.
7 Restart the csauth, csadmin and cslogd services. The attributes are now imported into ACS.
8 Set up a profile and create posture validation policies on the Posture Validation page. This is explained in the User Guide for Cisco Secure ACS for Windows, available from:
http://www.cisco.com/application/pdf/en/us/guest/products/ps6439/c2001/ccmigration_09186a008053d5e4.pdf
or
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e984.html#wp1196118

7.5 Attribute-Value Pairs (AVP) File

The AVP file describes the SafeGuard PortProtector Client attributes necessary for posture validation. The file should be imported into ACS as explained in the previous section. The example provided below contains all available SafeGuard PortProtector Client attributes. You may delete the sections for attributes which you do not wish to check.
[attr#0]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32768
attribute-name=Software-Name
attribute-profile=in out
attribute-type=string

[attr#1]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32769
attribute-name=Version
attribute-profile=in out
attribute-type=version

[attr#2]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32770
attribute-name=Policy-Name
attribute-profile=in out
attribute-type=string

[attr#3]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32771
attribute-name=Policy-ID
attribute-profile=in out
attribute-type=string

[attr#4]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32772
attribute-name=Policy-Revision
attribute-profile=in out
attribute-type=string

[attr#5]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32773
attribute-name=Policy-Type
attribute-profile=in out
attribute-type=unsigned integer

[attr#6]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32774
attribute-name=Policy-Update-Time
attribute-profile=in out
attribute-type=date
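The following is an added example, not code from this guide, from Sophos or from Cisco. It parses an AVP file in the layout shown above, reports the mistakes that are easy to make when hand-editing it (a missing key, a mistyped attribute-type, a duplicated attribute-id), and writes a trimmed copy containing only the attributes you intend to check, which is the editing the previous paragraph permits. The sample input is constructed from two of the sections above, with one value given a stray space after "=" to show that values are stripped. The set of accepted attribute-type values is taken from the file above, and renumbering the kept sections from attr#0 is this example's choice; whether csutil requires contiguous numbering is not stated in the guide.

```python
"""Added example (not code from the SafeGuard PortProtector guide, Sophos or Cisco):
parse and validate an AVP file before running csutil -addAVP, and write a trimmed copy
that keeps only the attributes you intend to check."""
import re

# Two sections modelled on the guide's AVP file, constructed as sample input.
SAMPLE_AVP = """\
[attr#0]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32768
attribute-name=Software-Name
attribute-profile=in out
attribute-type=string

[attr#1]
vendor-id=24493
vendor-name= Sophos
application-id=5
application-name=HIPS
attribute-id=32769
attribute-name=Version
attribute-profile=in out
attribute-type=version
"""

KEYS = ("vendor-id", "vendor-name", "application-id", "application-name",
        "attribute-id", "attribute-name", "attribute-profile", "attribute-type")
# The types that occur in the guide's file; flagging anything else is this example's choice.
KNOWN_TYPES = {"string", "version", "unsigned integer", "date"}
SECTION_RE = re.compile(r"^\[attr#(\d+)\]$")


def parse_avp(text):
    """Return one {key: value} dict per [attr#N] section, in file order, with '_index'
    holding N. Keys and values are stripped, so 'vendor-name= Sophos' reads 'Sophos'."""
    sections, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {"_index": int(m.group(1))}
            sections.append(current)
        elif current is None or "=" not in line:
            raise ValueError("line %d: expected [attr#N] or key=value, got %r" % (lineno, raw))
        else:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip()
    return sections


def validate_avp(sections):
    """List problems to fix before import: missing keys, unknown attribute-type,
    non-numeric or duplicate attribute-id, duplicate attribute-name, and
    vendor-id/application-id values that differ between sections."""
    problems, ids, names = [], set(), set()
    owners = {(s.get("vendor-id"), s.get("application-id")) for s in sections}
    if len(owners) > 1:
        problems.append("sections disagree on vendor-id/application-id: %s" % (sorted(map(str, owners)),))
    for s in sections:
        tag = "[attr#%d]" % s["_index"]
        problems += ["%s missing %s" % (tag, k) for k in KEYS if k not in s]
        if s.get("attribute-type") not in KNOWN_TYPES:
            problems.append("%s unknown attribute-type %r" % (tag, s.get("attribute-type")))
        if not s.get("attribute-id", "").isdigit():
            problems.append("%s attribute-id must be numeric" % tag)
        elif s["attribute-id"] in ids:
            problems.append("%s duplicate attribute-id %s" % (tag, s["attribute-id"]))
        if s.get("attribute-name") in names:
            problems.append("%s duplicate attribute-name %s" % (tag, s["attribute-name"]))
        ids.add(s.get("attribute-id"))
        names.add(s.get("attribute-name"))
    return problems


def select_attributes(sections, keep):
    """Serialise only the attributes named in keep, renumbered from attr#0 (the guide
    allows deleting unwanted sections; contiguous numbering is an assumption here)."""
    kept = [s for s in sections if s.get("attribute-name") in keep]
    return "\n".join("[attr#%d]\n%s\n" % (i, "\n".join("%s=%s" % (k, s[k]) for k in KEYS if k in s))
                     for i, s in enumerate(kept))
```

Run validate_avp on the file before step 6 of the import procedure; an empty list means the file is at least well formed and internally consistent, and the AVP Summary count printed by csutil should then equal the number of sections you kept.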