Policy Manager Server


IMPLEMENTING
F-SECURE POLICY MANAGER
Agenda
Main topics
• Pre-deployment phase
  • Is the implementation possible?
  • Implementation scenarios and examples
• Installing the environment
  • Most critical installation steps
  • Console configuration tips
• Point application rollout
  • Point application rollout planning and piloting
  • Most common rollout methods and examples

PRE-DEPLOYMENT PHASE

Before you begin...
Checklist
1. Network requirements
  • Does the network support the required protocols?
  • Is the network fast enough?
2. System requirements
  • Does the existing hardware meet the requirements?
  • Are the installed operating systems and service packs supported?
3. Policy Manager Implementation
  • How many Policy Manager Servers, Consoles and Proxy Servers does the infrastructure require?
  • Where to place them for best performance?

Network Requirements
Network
• 10 Mbit Ethernet or faster
• In installations with more than 5000 managed hosts, 100 Mbit networks are recommended
Required Protocols
• UDP
  • Used for virus definition updates directly from F-Secure Root Update Server
• TCP
  • Used for F-Secure Intelligent Installations (a.k.a. push installations)
  • Used for general Apache Web Server traffic

System Requirements: Policy Manager Server
Operating system
• Windows 2000 Server and Advanced Server (SP3 or higher), Windows Server 2003 Standard, Web Edition, or Small Business Server
Memory
• 256 MB RAM (512 MB or more recommended, especially when Web Reporting is enabled)
Disk space
• 50 MB required (500 MB or more recommended)
Processor
• Intel Pentium III 450 MHz or faster (1 GHz or more recommended, especially when managing big environments or when Web Reporting is enabled)

System Requirements: Policy Manager Console
Operating system
• Windows 2000 Professional (SP3 or higher), Windows XP Professional (SP2 or higher) or Windows 2003 Small Business Server
Memory
• Dedicated computer
  • 256 MB RAM (512 or more recommended)
• Single computer (same as PMS)
  • 1 GB or more recommended
Processor
• Intel Pentium III 450 MHz or faster (750 MHz or more recommended)
Disk space
• 50 MB required

System Requirements: Anti-Virus Client Security 6.x
Operating system
• Microsoft Windows 2000 Professional (SP4 or higher)
• Microsoft Windows XP Professional and Home Edition (SP1 or higher)
Memory
• 128 MB (Windows 2000), 256 MB (Windows XP)
• 256 MB or more recommended
Disk space
• 120 MB (150 MB required during installation)

Policy Manager Implementation
Policy Manager Server and Console can be implemented in two different ways
• Both components on a single computer (recommended)
• Dedicated computers for each component
[Diagram: Single Computer; Dedicated Computers]

Policy Manager Implementation
Depending on the size and structure of the company, it might be necessary to
• Install more than one Policy Manager Console
  • Global company with slow internet connection
• Install more than one Policy Manager Server
  • Single Policy Manager Server scales up to 10000 hosts
  • It can handle significantly more hosts, but will be difficult to administer (policy distribution time increases)
• Install Policy Manager Proxies for virus definition updates
  • Solves bandwidth bottlenecks

Policy Manager Server Location
Location of the Policy Manager Server
• Place it in the internal network (recommended)
  • Well protected from external attacks
  • Access from external network only possible with authenticated, encrypted connections (e.g. VPN+)
• Place it in a DMZ network
  • Server has a public IP address, FSMA can access the server from the external network without using VPN+
  • In general, security in a DMZ is less restrictive than in an internal network. The Server contains sensitive information about your policy domain and policies. There might be a security risk.

Implementation in Basic Environment
[Diagram labels: Root Update Server; Managed hosts; Policy Manager Server & Console]

Implementation in Global Environment
[Diagram labels: Root Update Server; Managed Hosts; PMC; Subsidiary Germany; PM Proxy; Managed Hosts; PMC & PMS; Headquarters Finland]

POLICY MANAGER INSTALLATION

Starting the Installation
If you have a valid license for any F-Secure product, you are entitled to use F-Secure Policy Manager
You are entitled to use as many Console, Server and Reporting Option installations as you need

Installation Order
1. Policy Manager Server
2. Policy Manager Console
3. Point Applications

Critical Steps: Server Installation
Select components to install
• Policy Manager Console
  • Don’t forget to deselect it if you want to run it on a dedicated computer
• Policy Manager Update Server & Agent
  • Without these components, database updates will not be possible

Critical Steps: Server Installation
Configure Apache Modules
• In general, default port settings work fine
• However, in some situations the ports are already taken and need to be changed
• The system will automatically inform you about
  • Already taken ports
  • Ports which might cause problems

Critical Steps: Console Initialization
Important: In this step you define the administration module
• The host module address has to be specified separately in the policy

Critical Steps: Console Initialization
Management key-pair generation
• Make sure to back up these keys after console initialization has completed!

Console Configuration Tips
• Lock the most important settings
  • Prevents problems with IPF overwriting
• Define Policy Manager Server Address
  • Empty by default!

POINT APPLICATION ROLLOUT

Before you Start the Rollout...
Checklist
• Remove all conflicting software from target hosts
  • Sidegrade detects and removes certain vendors automatically (AVCS only!)
  • Test sidegrade during piloting phase!
• Check target hosts for third-party firewalls (e.g. XP firewalls) and disable them (e.g. through AD group policy)
• Start piloting
  • Test different rollout methods and choose the one best suited for your environment
  • Never roll out without careful testing – or to the whole domain at once!

Rollout Methods
Intelligent Installations
• Autodiscover Windows hosts (recommended)
  • Installation package created with PMC
  • Transfers package separately to each host (no multicasting)
  • Certain inbound traffic on hosts needs to be allowed
    • RPC (TCP 135) and SMB (TCP 445)
• Push install to Windows host
  • Advantage: needs no name resolution, if IP addresses are used
  • Disadvantage: IP addresses have to be typed manually

Rollout Methods
Pre-configured package
• Using PMC to create a pre-configured package
  • JAR: Installation of exported package by ilaunchr.exe through Windows login script
    • No inbound traffic on hosts required
    • Make sure to run the login script silently (script includes password in cleartext!)
  • MSI: Installation of exported package through Windows group policy in Active Directory
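
The two rollout methods above differ in whether target hosts must accept inbound RPC (TCP 135) and SMB (TCP 445). The following Python script is an added example, not part of the original slides or of any F-Secure tool: run from the machine that will perform the push installation, it checks both ports on each pilot host and suggests a rollout method. The function names and the sample host list are assumptions.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Inbound ports the slide lists as required on target hosts for
# Intelligent (push) Installations. Helper names below are hypothetical.
PUSH_PORTS = {"RPC": 135, "SMB": 445}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_host(host, ports=PUSH_PORTS, timeout=2.0):
    """Check every required port and suggest a rollout method for the host."""
    blocked = [name for name, port in ports.items()
               if not port_open(host, port, timeout)]
    # Hosts that block inbound traffic can still be reached with the
    # pre-configured package (JAR login script or MSI group policy).
    method = "intelligent-installation" if not blocked else "pre-configured-package"
    return {"host": host, "blocked": blocked, "method": method}


def plan_pilot(hosts, ports=PUSH_PORTS, timeout=2.0, workers=16):
    """Classify all pilot hosts in parallel; result order matches input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda h: classify_host(h, ports, timeout), hosts))


if __name__ == "__main__":
    # Constructed sample list; replace with the hosts in your pilot group.
    for row in plan_pilot(["127.0.0.1"]):
        print(row)
```

A successful connection only shows that the port is reachable from where the script runs; it does not test credentials or the installation itself.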

Centrally Manageable Products
[Diagram: protection by platform (Microsoft Platforms, Linux Platforms) and host type (Desktops & laptops; File & Print Servers; Server Computing; Web & DNS Servers; Email Servers; Gateways). Cell labels: Virus & Spy Protection, Intrusion prevention; Anti-Virus; Anti-Spam, Content Filtering; Anti-Virus for HTTP, SMTP, FTP and POP]
F-Secure solutions and services provided
• F-Secure Anti-Virus for Workstations
• F-Secure Anti-Virus Client Security
• F-Secure Anti-Virus for Windows Servers
• F-Secure Anti-Virus for Linux Servers
• F-Secure Anti-Virus for SAMBA Servers
• F-Secure Anti-Virus for Citrix Servers (and for Microsoft Terminal Server)
• F-Secure Anti-Virus for MS Exchange
• F-Secure Anti-Virus for MIMEsweeper
• F-Secure Internet Gatekeeper
• F-Secure Spam Control for Internet Gatekeeper
• F-Secure Spam Control for Microsoft Exchange

Summary
Main topics
• Pre-deployment phase
  • Is the implementation possible?
  • Implementation scenarios and examples
• Installing the environment
  • Most critical installation steps
  • Console configuration tips
• Point application rollout
  • Point application rollout planning and piloting
  • Most common rollout methods and examples