Policy Based Installation Walk Through

Download Report

Transcript Policy Based Installation Walk Through

ADMINISTRATION HANDS-ON
About the Hands-On
This hands-on section is structured in a way that allows you to work
independently, but still giving you the possibility to consult step-bystep instructions.
Each given task will be divided into two sections
• Actual Task
• Conditions, goals and short instructions
• Allowing you to work independently
• Detailed instructions (step-by-step work through)
• In case you can not come up with own solutions
Page 2
Real Infrastructure
Environment
• Policy Manager and Console on single computer
• One managed host (AVCS 6)
Root Update
Server
F-Secure
AVCS 6
F-Secure
PMS / PMC
Page 3
Imaginary Infrastructure
During this hands-on we will create an imaginary infrastructure
• 2 offices (Helsinki and Munich)
• 3 imaginary workstations (Helsinki: wks02 / Munich: wks03 and wks04)
• 1 real workstation in Helsinki (wks01)
• 1 file server in each office (Helsinki: filesrv01 / Munich: filesrv02)
• 1 DNS server in each office (Helsinki: dnssrv01 / Munich: dnssrv02)
wks03 wks04
dnssrv02 filesrv02
wksXX wks02
dnssrv01 filesrv01 PMS/PMC
AVCS 6
Subsidiary
Munich
Headquarters
Helsinki
Page 4
Tasks Overview
Task 1: Creating a domain structure
Task 2: Updating point applications
Task 3: Creating autoregistration import rules
Task 4: Managing policies on multiple levels
Task 5: Configuring Apache Server
Task 6: Working with reports
Task 7: Troubleshooting scenario
Page 5
Task 1: Creating The Domain Structure
Servers
• Place DNS Server and File Server in both sites
• In which site sub-domain do you place them?
• Helsinki
• FILESRV01 (IP: 192.168.100.52, Windows 2003
Server)
• DNSSRV01 (IP: 192.168.100.53, Windows 2000
Server)
• Munich
• FILESRV02 (IP: 192.168.160.82, Windows 2003
Server)
• DNSSRV02 (IP: 192.168.160.83, Windows 2000
Server)
=> Task continues on next page
Page 6
Task 1: Creating The Domain Structure
Workstations
• Now create the 3 imaginary hosts and place them into
the Development sub-domain of each site
• Helsinki
• WKS02 (WINS name: wks02, Windows NT 4.0)
• Munich
• WKS03 (WINS name: wks03, Windows XP Pro)
• WKS04 (WINS name: wks04, Windows XP Pro)
=> After you have completed this task, continue on page 13
Page 7
Creating the Domain Structure
Step-By-Step Walk Through
Create two domains, “Finland” and “Germany”
• Select the root domain, F-Secure
• Choose Edit/New Policy Domain… from the menu (or right-click the root)
Page 8
Further Structure The Sub-Domains
Level 2
• Create the “Helsinki” domain
Level 3
• Create domains “Servers/HEL” and “Workstations/HEL”
Level 4
• Servers/HEL: Create domains “FileServers/HEL” and
“DirectoryServers/HEL”
• Workstations/HEL: Create domains “Accounting/HEL”,
“CustomerSupport/HEL” and “Development/HEL”
Apply the same structure to the German domain
Page 9
Creating The File Servers
Add file servers in both sites in the “FileServers/XX” domain
• Helsinki: FILESRV01 (IP address 192.168.100.52)
• Munich: FILESRV02 (IP address 192.168.160.82)
Page 10
Creating The DNS Servers
Add DNS servers in both sites in the “DirectoryServers/XX” domain
• Identity type: Primary IP address
• Helsinki: DNSSRV01 (IP address 192.168.100.53, Alias: dnssrv01)
• Munich: DNSSRV02 (IP address 192.168.160.83, Alias: dnssrv02)
Page 11
Creating The Workstations
Now create the 3 new hosts and place them into
the Development sub-domain of each site
• Helsinki
• WKS02 (WINS name: wks02, Windows NT 4.0)
• Munich
• WKS03 (WINS name: wks03, Windows XP Pro)
• WKS04 (WINS name: wks04, Windows XP Pro)
Page 12
Task 2: Point Application Update
During the installation hands-on, you were instructed to install AVCS 6
without HTTP scanning
Now it’s time to update Web Traffic Scanning to your host
• What installation method should be used?
• Intelligent installation (a.k.a push installation)
• Policy based installation
=> Change to next page, once you decided on the installation method
Page 13
Task 2: Point Application Update
Since FSMA is already installed on your host, it is best to use a policy
based installation to upgrade your host
Configure the policy based installation package as follows
• Application Selection: Include Web Traffic Scanning
• Autoregistration Properties: Add a custom property
• Property Name: Development/HEL
• Property Value: 1
=> After completing this task, continue on page 28
Page 14
Policy Based Installation Walk Through
Start by choosing the version to install
• Choose “Reinstall 6.x)
Page 15
Policy Based Installation Walk Through
F-Secure installation wizard opens
• Click “Next”
Page 16
Policy Based Installation Walk Through
Accept the prefilled keycode
• Click “Next”
Page 17
Policy Based Installation Walk Through
Mark Web Traffic Scanning
• Click “Next”
Page 18
Policy Based Installation Walk Through
Accept the default language “English”
• Click “Next”
Page 19
Policy Based Installation Walk Through
Check the prefilled PMS server URL and correct if necessary
• Click “Next”
Page 20
Policy Based Installation Walk Through
Add the following custom property
• Property Name: Development/HEL
• Property Value: 1
Page 21
Policy Based Installation Walk Through
Choose “Uninstall conflicting products” (default)
• Click “Next”
Page 22
Policy Based Installation Walk Through
Accept prefilled restart options from last distribution
• Click “Finish”
Page 23
Policy Based Installation Walk Through
Wait while the installation package is created
• This step might take some minutes (depending on your system)
• Do not press “Cancel”
• After completion, distribute the policies!
Page 24
Policy Based Installation Walk Through
F-Secure Setup will start and reinstall AVCS 6.x to your computer
Wait until the Reboot message appears on your screen
• Reboot the computer and change back to the PMC
Page 25
Installation Checkup
Once the computer is rebooted, the policy based installation progress
should show a successful installation
• Most common failure reasons are wrong key codes or insufficient disk
space on the host (see setup error on screenshot)
Page 26
Installation Checkup
Open the AVCS advanced user interface and check, if the Web Traffic
Scanning is installed
• Default setting is “disabled”
Page 27
Task 3
Create An Autoregistration Import Rule
Start by forcing a new host autoregistration by deleting wks01 from the
policy domain
• After deleting, distribute the policies!
Your task is now to create an autoregistration import rule which places
the wks01 to the “Development/HEL” sub-domain
• Create a rule using the custom properties as as an import criteria
• Test the rule…. did it work?
=> After completing this task, continue on page 33
Page 28
Autoregistration Import Rule Creation
Walk Through
Start the autoregistration wizard
• Click “Import autoregistered hosts”
Page 29
Autoregistration Import Rule Creation
Walk Through
Check if the deleted host has already sent the autoregistration request
• If yes, the autoregistration request will be included in the custom property
• Do not import the host now, since we first have to create the import rule!
Page 30
Autoregistration Import Rule Creation
Walk Through
Change the active tab to “Import Rules”
• Press “Add” to create a new rule
• Select the target domain level (Development/HEL)
• Press “OK”
Page 31
Autoregistration Import Rule Creation
Walk Through
Add a custom property
• Uncheck all other property fields for better understanding
• Enter the custom property name (Development/HEL)
• Confirm with “OK”
Page 32
Autoregistration Import Rule Creation
Walk Through
Your autoregistration import rule is ready
• Press import to apply the rule
• Your host should be placed in the “Development/HEL” sub-domain
• Rename the host to wks01 to match the course binder examples
(Domain/Host properties, WINS Name)
Page 33
Task 4
Managing Policies On Multiple Levels
Change to Anti-Virus Mode (View menu)
Define the following policy settings on different levels
• Accounting/HEL
• Real-time Scanning/File Scanning/Action on infection:
“Disinfect Automatically”
• Host level (wks01)
• Activate “Scan network drives”
=> Task continues on the next page
Page 34
Task 4
Managing Policies On Multiple Levels
Now, move host wks01 to the sub-domain “Accounting/HEL”
• Check the real-time file scanning settings. Did the setting inheritance from
the parent domain (Accounting/HEL) work?
• If not, what do you think is the reason?
=> Change to next page, once you have the answers
Page 35
Task 4
Managing Policies On Multiple Levels
Settings defined on the host level will never be overwritten by parent
domain settings
• Try to change the policies as follows (as easy as possible)
• Disable “Scan network drives” for the whole F-Secure domain
• Enable “Scan network drives” only for the sub-domain
“Development/HEL”
• Move the host wks01 back to sub-domain “Development/HEL”
• Check the real-time file scanning settings. Did the inheritance work now
and why?
• Call the instructor and present your solution
=> After you completed this task, continue on page 40
Page 36
Managing Policies On Multiple Levels
Walk Through
After you copied the host wks01 to the
domain “Accounting/HEL”, the settings
are as follows
• “Action on infection” is inherited from the
parent domain
• Reason: The setting has not been
defined on the host level, therefore
the inheritance works
• “Scan network drives” is not inherited!
• Reason: The setting has been defined
on the host level, therefore no
inheritance
Page 37
Managing Policies On Multiple Levels
Walk Through
Instructions, how to disable network drive
scanning for the whole policy domain
• Mark the root domain (F-Secure)
• Right-click “Scan network drives”
• Choose “Force value” (confirm with “Yes”)
Check the file scanning settings on the
host wks01
• All settings should be gray, since they are
inherited from the root domain
Page 38
Managing Policies On Multiple Levels
Walk Through
Finally, activate network drive scanning for
the domain “Development/HEL”
• Mark “Development/HEL”
• Enable “Scan network drives” and force the
value
Distribute the policies!
Copy the host wks01 back to sub-domain
“Development/HEL”
• Now, the inheritance will work, since we have
no settings defined on the host level
Page 39
Task 5: Configuring Apache Server
By default, Policy Manager Server
administration connection are limited to the local
computer
• Web reporting module access is by default not
limited!
You will now change the Apache configuration
• Remove admin module access limitation (allow
connections from everywhere)
• Restrict web reporting module to allow
connections from the local computer and from
your managed host
=> If you completed the configuration, continue on page 44
Page 40
Apache Server Configuration
Walk Through
Browse to the apache configuration file
(httpd.conf)
• Open the file with WordPad (open with)
Page 41
Apache Server Configuration
Walk Through
Configure the httpd.conf as follows
Apache Admin Module
• Replace “Listen 127.0.0.1:8080” with
“Listen 8080”
Web Reporting Module
• No access limitation defined (by default)
• Create an access list, like shown on the
screenshot (replace <host IP address>
with your real host IP)
• Save the settings and close the file
Page 42
Apache Server Configuration
Walk Through
Close your Policy Manager Console and restart the Policy Manager
Server service
Page 43
Apache Server
Configuration Checkup
After you finished the Apache configuration, close the Policy Manager
Console and inform the instructor to test your solution
• Don’t forget to restart the Policy Manager Server service!
After the instructor tested your system and gives you the OK, re-open
your console
• Is there anything unusual happening?
Page 44
Apache Server
Signs For Data Integrity Problems
Yes, the instructor has opened your console with a different key-pair,
therefore you get a key change notification at console startup
• You can reassign the original keys
Page 45
Apache Server
Signs For Data Integrity Problems
Take a look at the alerts. Are there any unusual entries?
• Also check your managed host. Anything strange there?
Page 46
Apache Server
Signs For Data Integrity Problems
The instructor has resigned your policy domain with a different key and
distributed the policies
• Changes have not passed the signature verification on the hosts, the policy
has been rejected!
• Redistribute the policies with your keys, and everything should be back to
normal
Page 47
Working with Reports
Policy Manager provides you both with automatic status reports (e.g.
virus alerts) and built in reporting tools
Policy Manager Reporting Tools
• Web Reporting
• Graphical reporting system (available through web browser)
• Embedded reporting
• Textual reporting (available only from console)
Page 48
Task 6
Using Web Reporting
Open Web Reporting on your managed host.
Try to answer the following questions
1. What is the latest alert reported by your host? Can you explain the
reason for this alert?
2. What is the UID (Unique Identifier) of your host?
3. When did the host last connect to the server?
4. What version of Automatic Update Agent (AUA) is installed on your host?
5. What’s the percentage of hosts with real-time protection?
=> After you have completed this task, continue on page 55
Page 49
Using Web Reporting
Walk Through
Question 1: What is the latest alert reported by your host?
Answer: Failed signature check on host wks01
Reason: The policy domain has been resigned with different keys
Page 50
Using Web Reporting
Walk Through
Question 2: What is the UID of your host?
Answer: Host Properties/Detailed Host Properties/UID
Page 51
Using Web Reporting
Walk Through
Question 3: When did the host last connect to the server?
Answer: Host Properties/Update Details/Latest Connection to Server
Page 52
Using Web Reporting
Walk Through
Question 4: What version of AUA is installed on your host?
Answer: Installed Software/Automatic Update Agent/Version
Page 53
Using Web Reporting
Walk Through
Question 5: What’s the percentage of hosts with real-time protection?
Answer: Only 13 % of your policy domain have enabled real-time scanning
Page 54
Task 7: Troubleshooting Scenario
One of the most common troubleshooting cases is that managed
hosts cannot reach the Policy Manager Server
You will now create a scenario where your host will receive a wrong
server address. As soon as the new policy will be fetched by the host,
its connection to the server will be lost
• Choose ”Development/HEL” and assign a wrong server URL
• Distribute the policies
=> Task continues on next page
Page 55
Task 7: Troubleshooting Scenario
Make sure the client fetched the new policy
• Check the local GUI (advanced interface)
• The new (wrong) server address should be visible and locked
=> Task continues on next page
Page 56
Task 7: Troubleshooting Scenario
Let’s try to change the server address directly from the policy.bpf
• Stop the F-Secure Management Agent (net stop fsma)
• Open c:\program files\f-secure\common\policy.bpf with WordPad
• Search the address and change it back to the correct address
• Save the changes and restart FSMA
Did the changes succeed?
• If not, what’s the reason?
=> Task continues on next page
Page 57
Task 7: Troubleshooting Scenario
Your change did not pass the signature verification
• DAAS system has successfully blocked the unauthorized change of the
base policy file
What next? Did you reach a dead end?
• Try to come up with a solution, without reinstalling the host with a push
installation
=> After completing this task, continue on page 61
Page 58
Troubleshooting Scenarion Solution
Walk Through
Change back to the Policy Manager Console
• Mark “Development/HEL” and correct the server address
• Distribute the policies
• Mark host wks01 and export the policy manually
• Save the policy to c:\ root
Page 59
Troubleshooting Scenarion Solution
Walk Through
Change to the managed host
• Create a network share to the
PMS (map \\<server ip>\c$)
• Open the local user interface
• Choose Central Management
• Press “Import policy manually”
Page 60
Troubleshooting Scenarion Solution
Connection Testing
After you have imported the new policy manually, try to connect to the
server, the connection should be successfull
Page 61
Hands-On Completed
That was it! You have now completed the whole hands-on section.
Next on the agenda: the Certification Exam
Page 62