Sentriant AG Software Users Guide, Version 5.1 SR1
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com
Published: August 2008
Part number: 120449-00 Rev 03
AccessAdapt, Alpine, Altitude, BlackDiamond, EPICenter, Essentials, Ethernet Everywhere, Extreme Enabled,
Extreme Ethernet Everywhere, Extreme Networks, Extreme Standby Router Protocol, Extreme Turbodrive,
Extreme Velocity, ExtremeWare, ExtremeWorks, ExtremeXOS, Go Purple Extreme Solution, ScreenPlay, Sentriant,
ServiceWatch, Summit, SummitStack, Triumph, Unified Access Architecture, Unified Access RF Manager,
UniStack, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the
Summit logos, the Powered by ExtremeXOS logo, and the Color Purple, among others, are trademarks or
registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and/or other countries.
Adobe, Flash, and Macromedia are registered trademarks of Adobe Systems Incorporated in the U.S. and/or
other countries. AutoCell is a trademark of AutoCell. Avaya is a trademark of Avaya, Inc. Internet Explorer is a
registered trademark of Microsoft Corporation, and Microsoft Windows Server is a trademark of Microsoft
Corporation. Mozilla Firefox is a registered trademark of the Mozilla Foundation. RSA Ace/Server and RSA
SecurID are registered trademarks of RSA Security, Inc. sFlow is a registered trademark of sFlow.org. Solaris and
Java are trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
Specifications are subject to change without notice.
All other registered trademarks, trademarks, and service marks are property of their respective owners.
© 2008 Extreme Networks, Inc. All Rights Reserved.
Table of Contents
List of Figures ............................................................................................................................... 15
List of Tables ................................................................................................................................ 21
Chapter 1: Introduction.................................................................................................................. 23
Sentriant AG Home Window .......................................................................................................23
System Monitor.........................................................................................................................24
Sentriant AG v5.x for v4.x Users .................................................................................................26
Overview ..................................................................................................................................29
The Sentriant AG Process.....................................................................................................31
About Sentriant AG .............................................................................................................31
NAC Policy Definition ....................................................................................................31
Endpoint Testing ...........................................................................................................31
Compliance Enforcement ...............................................................................................32
Automated and Manual Repair........................................................................................32
Targeted Reporting ........................................................................................................33
Technical Support .....................................................................................................................33
Additional Documentation..........................................................................................................33
Installing and Upgrading............................................................................................................34
Important Browser Settings ........................................................................................................34
Pop-up Windows .................................................................................................................34
Active Content ....................................................................................................................35
Minimum Font Size .............................................................................................................37
Page Caching......................................................................................................................38
Temporary Files ..................................................................................................................38
Conventions Used in This Document ...........................................................................................39
Navigation Paragraph...........................................................................................................39
Note Paragraph ...................................................................................................................40
Caution Paragraph...............................................................................................................40
Warning Paragraph ..............................................................................................................40
Bold Font ...........................................................................................................................40
Task Paragraph ...................................................................................................................40
Italic Text...........................................................................................................................41
Courier Font .......................................................................................................................41
Angled Brackets ..................................................................................................................41
Square Brackets..................................................................................................................42
Terms ................................................................................................................................42
Copying Files ............................................................................................................................42
SCP ...................................................................................................................................43
PSCP .................................................................................................................................43
Users’ Guide Online Help...........................................................................................................43
Chapter 2: Clusters and Servers ..................................................................................................... 47
Single-server Installation......................................................................................................48
Multiple-server Installations .................................................................................................48
Chapter 3: System Configuration .................................................................................................... 51
Introduction .............................................................................................................................51
Enforcement Clusters and Servers...............................................................................................52
Enforcement Clusters ................................................................................................................53
Adding an Enforcement Cluster ............................................................................................53
Editing Enforcement Clusters ...............................................................................................55
Viewing Enforcement Cluster Status......................................................................................55
Deleting Enforcement Clusters..............................................................................................56
Enforcement Servers .................................................................................................................57
Adding an ES......................................................................................................................57
Cluster and Server Icons ......................................................................................................58
Editing ESs ........................................................................................................................59
Changing the ES Network Settings ........................................................................................60
Changing the ES Date and Time ...........................................................................................61
Modifying the ES SNMP Settings..........................................................................................62
Modifying the ES root Account Password ...............................................................................62
Viewing ES Status ...............................................................................................................62
Deleting ESs.......................................................................................................................63
ES Recovery .......................................................................................................................64
Management Server...................................................................................................................64
Viewing Network Settings .....................................................................................................64
Modifying MS Network Settings ............................................................................................66
Selecting a Proxy Server.......................................................................................................67
Setting the Date and Time ...................................................................................................67
Automatically Setting the Time.............................................................................................68
Manually Setting the Time ...................................................................................................68
Selecting the Time Zone ......................................................................................................69
Enabling SNMP ..................................................................................................................69
Modifying the MS root Account Password ..............................................................................70
Checking for Sentriant AG Upgrades .....................................................................................70
Changing the Sentriant AG Upgrade Timeout .........................................................................71
User Accounts ..........................................................................................................................71
Adding a User Account ........................................................................................................71
Searching for a User Account ...............................................................................................74
Sorting the User Account Area..............................................................................................75
Copying a User Account .......................................................................................................75
Editing a User Account ........................................................................................................76
Deleting a User Account ......................................................................................................77
User Roles................................................................................................................................78
Adding a User Role .............................................................................................................78
Editing User Roles ..............................................................................................................81
Deleting User Roles .............................................................................................................82
Sorting the User Roles Area..................................................................................................82
License ....................................................................................................................................82
Updating Your License Key ..................................................................................................82
Test Updates ............................................................................................................................83
Manually Checking for Test Updates .....................................................................................84
Selecting Test Update Times................................................................................................85
Viewing Test Update Logs ....................................................................................................85
Quarantining, General................................................................................................................86
Selecting the Quarantine Method..........................................................................................87
Selecting the Access Mode...................................................................................................88
Quarantining, 802.1X................................................................................................................88
Entering Basic 802.1X Settings............................................................................................89
Authentication Settings .......................................................................................................89
Selecting the RADIUS Authentication method..................................................................89
Configuring Windows Domain Settings.............................................................................90
Configuring OpenLDAP Settings......................................................................................92
Adding 802.1X Devices .......................................................................................................95
Testing the Connection to a Device .......................................................................................96
Cisco IOS ...........................................................................................................................97
Cisco CatOS .......................................................................................................................99
CatOS User Name in Enable Mode ................................................................................101
Enterasys .........................................................................................................................102
Extreme ExtremeWare........................................................................................................103
Extreme XOS ....................................................................................................................105
Foundry............................................................................................................................106
HP ProCurve Switch ..........................................................................................................108
HP ProCurve WESM xl or HP ProCurve WESM zl ..................................................................111
HP ProCurve 420 AP or HP ProCurve 530 AP ......................................................................114
Nortel ..............................................................................................................................116
Other ...............................................................................................................................117
Quarantining, DHCP ................................................................................................................119
DHCP Server Configuration ................................................................................................119
Setting DHCP Enforcement ................................................................................................119
Adding a DHCP Quarantine Area.........................................................................................121
Sorting the DHCP Quarantine Area......................................................................................123
Editing a DHCP Quarantine Area.........................................................................................123
Deleting a DHCP Quarantine Area .......................................................................................124
Quarantining, Inline ................................................................................................................124
Post-connect ..........................................................................................................................124
Allowing the Post-connect Service Through the Firewall ........................................................124
First Time Selection ..........................................................................................................125
Setting Sentriant AG Properties ..........................................................................................125
Configuring a Post-connect System .....................................................................................125
Launching Post-connect Systems........................................................................................127
Post-connect in the Endpoint Activity Window......................................................................127
Adding Post-connect System Logos and Icons ......................................................................128
Maintenance...........................................................................................................................129
Initiating a New Backup.....................................................................................................130
Restoring From a Backup ...................................................................................................131
Downloading Support Packages ................................................................................................131
Cluster Setting Defaults ...........................................................................................................131
Testing Methods ...............................................................................................................132
Selecting Test Methods................................................................................................132
Ordering Test Methods.................................................................................................133
Recommended Test Methods........................................................................................133
Selecting End-user Options ................................................................................................134
Accessible Services ...........................................................................................................134
Exceptions........................................................................................................................136
Always Granting Access to Endpoints and Domains.........................................................136
Always Quarantine Endpoints and Domains....................................................................137
Notifications .....................................................................................................................138
Enabling Notifications .................................................................................................138
End-user Screens ..............................................................................................................140
Specifying an End-user Screen Logo .............................................................................140
Specifying the End-user Screen Text .............................................................................141
Specifying the End-user Test Failed Pop-up Window .......................................................142
Agentless Credentials ........................................................................................................143
Adding Windows Credentials.........................................................................................143
Testing Windows Credentials ........................................................................................144
Editing Windows Credentials ........................................................................................145
Deleting Windows Credentials.......................................................................................145
Sorting the Windows Credentials Area ...........................................................................145
Logging ..................................................................................................................................146
Setting ES Logging Levels ..................................................................................................146
Setting 802.1X Devices Logging Levels ...............................................................................147
Advanced Settings ..................................................................................................................147
Setting the Agent Read Timeout .........................................................................................147
Setting the RPC Command Timeout ....................................................................................148
Chapter 4: Endpoint Activity......................................................................................................... 149
Filtering the Endpoint Activity Window ......................................................................................150
Filtering by Access Control or Test Status ............................................................................150
Filtering by Time ...............................................................................................................151
Limiting Number of Endpoints Displayed.............................................................................152
Searching .........................................................................................................................152
Access Control States ..............................................................................................................153
Endpoint Test Status ...............................................................................................................154
Enforcement Cluster Access Mode ............................................................................................157
Viewing Endpoint Access Status ...............................................................................................158
Selecting Endpoints to Act on ..................................................................................................159
Acting on Selected Endpoints...................................................................................................160
Manually Retest an Endpoint..............................................................................................160
Immediately Grant Access to an Endpoint............................................................................160
Immediately Quarantine an Endpoint ..................................................................................161
Clearing Temporary Endpoint States....................................................................................161
Viewing Endpoint Information...................................................................................................162
Troubleshooting Quarantined Endpoints ....................................................................................164
Chapter 5: End-user Access ......................................................................................................... 169
Test Methods Used .................................................................................................................169
Agent Callback..................................................................................................................169
Endpoints Supported ...............................................................................................................170
Browser Version ......................................................................................................................171
Firewall Settings .....................................................................................................................172
Managed Endpoints...........................................................................................................172
Unmanaged Endpoints.......................................................................................................172
Making Changes to the Firewall ..........................................................................................172
Windows Endpoint Settings......................................................................................................172
IE Internet Security Setting ................................................................................................172
Agent-based Test Method...................................................................................................173
Ports Used for Testing .................................................................................................173
Windows Vista Settings ................................................................................................173
Agentless Test Method.......................................................................................................173
Configuring Windows 2000 Professional for Agentless Testing .........................................173
Configuring Windows XP Professional for Agentless Testing .............................................174
Configuring Windows Vista for Agentless Testing ............................................................175
Ports Used for Testing .................................................................................................180
Allowing the Windows RPC Service through the Firewall ..................................................180
ActiveX Test Method..........................................................................................................183
Ports Used for Testing .................................................................................................183
Windows Vista Settings ................................................................................................183
Mac OS X Endpoint Settings ....................................................................................................183
Ports Used for Testing .......................................................................................................183
Allowing Sentriant AG through the OS X Firewall ..................................................................183
End-user Access Windows........................................................................................................186
Opening Window ...............................................................................................................187
Windows NAC Agent Test Windows .....................................................................................188
Automatically Installing the Windows Agent ...................................................................188
Removing the Agent ....................................................................................................190
Manually Installing the Windows Agent..........................................................................191
How to View the Windows Agent Version Installed...........................................................192
Mac OS Agent Test Windows ..............................................................................................193
Installing the Mac OS Agent ........................................................................................193
Verifying the Mac OS Agent ..........................................................................................196
Removing the Mac OS Agent ........................................................................................199
ActiveX Test Windows ........................................................................................................200
Agentless Test Windows .....................................................................................................201
Testing Window.................................................................................................................203
Test Successful Window ....................................................................................................203
Testing Cancelled Window..................................................................................................204
Testing Failed Window .......................................................................................................204
Error Windows...................................................................................................................206
Customizing Error Messages .....................................................................................................206
Chapter 6: NAC Policies .............................................................................................................. 213
Standard NAC Policies.............................................................................................................214
NAC Policy Group Tasks ..........................................................................................................214
Add a NAC Policy Group ....................................................................................................214
Editing a NAC Policy Group................................................................................................215
Deleting a NAC Policy Group ..............................................................................................216
NAC Policy Tasks ....................................................................................................................217
Enabling or Disabling a NAC Policy .....................................................................................217
Selecting the Default NAC Policy ........................................................................................217
Creating a New NAC Policy ................................................................................................217
Editing a NAC Policy .........................................................................................................223
Copying a NAC Policy ........................................................................................................223
Deleting a NAC Policy........................................................................................................224
Moving a NAC Policy Between NAC Policy Groups ................................................................224
Assigning Endpoints and Domains to a Policy ......................................................................224
NAC Policy Hierarchy ........................................................................................................225
Setting Retest Time...........................................................................................................225
Setting Connection Time....................................................................................................225
Defining Non-supported OS Access Settings ........................................................................226
Setting Test Properties ......................................................................................................226
Selecting Action Taken ......................................................................................................226
About Sentriant AG Tests.........................................................................................................227
Viewing Information About Tests.........................................................................................228
Selecting Test Properties ...................................................................................................228
Entering Software Required/Not Allowed........................................................................228
Entering Service Names Required/Not Allowed ...............................................................229
Entering the Browser Version Number ...........................................................................229
Test Icons ........................................................................................................................230
Chapter 7: Quarantined Networks ................................................................................................. 231
Endpoint Quarantine Precedence..............................................................................................231
Using Ports in Accessible Services and Endpoints ......................................................................232
Always Granting Access to an Endpoint .....................................................................................234
Always Quarantining an Endpoint..............................................................................................235
New Users..............................................................................................................................235
Shared Resources ...................................................................................................................236
Untestable Endpoints and DHCP Mode .....................................................................................236
Windows Domain Authentication and Quarantined Endpoints ......................................................237
Chapter 8: High Availability and Load Balancing ........................................................................... 239
High Availability......................................................................................................................239
Load Balancing .......................................................................................................................243
Chapter 9: Inline Quarantine Method ............................................................................................ 245
Chapter 10: DHCP Quarantine Method .......................................................................................... 247
Configuring Sentriant AG for DHCP ...........................................................................................248
Setting up a Quarantine Area..............................................................................................249
Router Configuration .........................................................................................................249
Configuring the Router ACLs ........................................................................................249
Configuring Windows Update Service for XP SP2..................................................................249
Chapter 11: 802.1X Quarantine Method........................................................................................ 251
About 802.1X.........................................................................................................................251
Sentriant AG and 802.1X.........................................................................................................252
Setting up the 802.1X Components ..........................................................................................256
Setting up the RADIUS Server ............................................................................................256
Using the Sentriant AG IAS Plug-in to the Microsoft IAS RADIUS Server ..........................256
Configuring the Microsoft IAS RADIUS Server ................................................................258
Proxying RADIUS Requests to an Existing RADIUS Server Using the Built-in Sentriant AG RADIUS Server ...........................................279
Using the Built-in Sentriant AG RADIUS Server for Authentication ...................................282
Enabling Sentriant AG for 802.1X.......................................................................................282
Sentriant AG User Interface Configuration .....................................................................282
Setting up the Supplicant ..................................................................................................283
Windows XP Professional Setup ....................................................................................284
Windows XP Home Setup .............................................................................................285
Windows 2000 Professional Setup ................................................................................286
Windows Vista Setup ...................................................................................................288
Setting up the Authenticator ..............................................................................................290
Cisco® 2950 IOS........................................................................................................291
Cisco® 4006 CatOS ....................................................................................................291
Enterasys® Matrix 1H582-25 ......................................................................................292
Extreme® Summit 48si ...............................................................................................292
ExtremeWare ..............................................................................................................293
ExtremeXOS................................................................................................................294
Foundry® FastIron® Edge 2402...................................................................................294
HP ProCurve 420AP ....................................................................................................295
HP ProCurve 530AP ....................................................................................................295
HP ProCurve 3400/3500/5400 ....................................................................................297
Nortel® 5510.............................................................................................................297
Creating Custom Expect Scripts ....................................................................................298
Chapter 12: API........................................................................................................................... 303
Overview ................................................................................................................................303
Setting Sentriant AG Properties ................................................................................................304
Setting Firewall Rules..............................................................................................................305
Sentriant AG Events Generated.................................................................................................305
Examples of Events Generated............................................................................................306
Java Program and Command for Events ...............................................................................308
Sentriant AG Requests Supported.............................................................................................308
Examples of Requests........................................................................................................309
Post-connect Request Example...........................................................................................311
Java Program and Command for Requests ...........................................................................312
Chapter 13: Remote Device Activity Capture ................................................................................. 313
Creating a DAC Host................................................................................................................313
Downloading the EXE File ..................................................................................................314
Running the Windows Installer ...........................................................................................314
Adding Additional Interfaces ..............................................................................................321
Configuring the MS and ES for DAC ....................................................................................322
Adding Additional ESs .......................................................................................................322
Starting the Windows Service .............................................................................................323
Viewing Version Information ...............................................................................................324
Removing the Software ......................................................................................................324
Sentriant AG to Infoblox Connector ...........................................................................................326
Configuring the Infoblox Server...........................................................................................326
Configuring Sentriant AG ...................................................................................................326
Chapter 14: Reports .................................................................................................................... 329
Generating Reports..................................................................................................................330
Viewing Report Details.............................................................................................................332
Printing Reports......................................................................................................................334
Saving Reports to a File ...........................................................................................................334
Converting an HTML Report to a Word Document .......................................................................334
Chapter 15: DHCP Plug-in............................................................................................................ 337
Installation Overview ...............................................................................................................338
DHCP Plug-in and the Sentriant AG User Interface.....................................................................340
Installing the Plug-in .........................................................................................................340
Enabling the Plug-in and Adding Servers .............................................................................343
Viewing DHCP Server Plug-in Status ...................................................................................345
Editing DHCP Server Plug-in Configurations.........................................................................346
Deleting a DHCP Server Plug-in Configuration......................................................................346
Disabling a DHCP Server Plug-in Configuration ....................................................................347
Enabling a DHCP Server Plug-in Configuration .....................................................................347
Chapter 16: System Administration............................................................................................... 349
Launching Sentriant AG...........................................................................................................349
Launching and Logging into Sentriant AG ............................................................................349
Logging out of Sentriant AG ...............................................................................................349
Important Browser Settings ................................................................................................349
Restarting Sentriant AG System Processes.................................................................................349
Managing your Sentriant AG License .........................................................................................350
Entering a New License Key ...............................................................................................350
Downloading New Tests ...........................................................................................................351
System Settings ......................................................................................................................352
DNS/Windows Domain Authentication and Quarantined Endpoints .........................................352
Matching Windows Domain Policies to NAC Policies .............................................................353
Setting the Access Mode....................................................................................................353
Naming Your Enforcement Cluster ......................................................................................354
Changing the MS Host Name..............................................................................................354
Changing the ES Host Name ..............................................................................................354
Changing the MS or ES IP Address .....................................................................................354
Resetting your System .......................................................................................................355
Resetting your Test Data ....................................................................................................356
Changing Properties ..........................................................................................................357
Specifying an Email Server for Sending Notifications ............................................................358
Entering Networks Using CIDR Format ......................................................................................358
Database ................................................................................................................................359
Creating a Backup File.......................................................................................................359
Restoring from Backup ......................................................................................................359
Restoring to a new Server.............................................................................................359
Restoring to the Same Server .......................................................................................360
Restoring the Original Database..........................................................................................361
Generating a Support Package ............................................................................................361
System Requirements..............................................................................................................361
Supported VPNs......................................................................................................................363
Adding Custom Tests...............................................................................................................363
Introduction......................................................................................................................363
References .......................................................................................................................363
Changing the Error Messages in a Test Script.......................................................................364
Creating a Custom Test Class Script from Scratch ................................................................368
BasicTests API..................................................................................................................376
End-user Access Windows........................................................................................................384
How Sentriant AG Handles Static IP Addresses ..........................................................................385
Managing Passwords ...............................................................................................................386
Resetting the Sentriant AG Server Password.........................................................................387
Resetting the Sentriant AG Database Password ....................................................................388
Changing the Sentriant AG Administrator Password ..............................................................388
When the Password is Known .......................................................................................388
When the Password is Unknown....................................................................................388
NTLM 2 Authentication ...........................................................................................................389
Working with Ranges ...............................................................................................................389
Creating and Replacing SSL Certificates....................................................................................390
Creating a New Self-signed Certificate.................................................................................391
Using an SSL Certificate from a known Certificate Authority (CA)...........................................392
Moving an ES from One MS to Another......................................................................................393
Recovering Quickly from a Network Failure ................................................................................394
VLAN Tagging .........................................................................................................................395
iptables Wrapper Script ...........................................................................................................397
Updating Rules without an Internet Connection .........................................................................398
Downloading the Files........................................................................................................398
Updating Rules .................................................................................................................398
Supporting Network Management System ..................................................................................399
Enabling ICMP Echo Requests ...........................................................................................399
Enable Temporary Ping ................................................................................................399
Enable Persistent Ping.................................................................................................399
Restricting the ICMP Request.......................................................................................400
Changing the Community Name for SNMPD.........................................................................400
SNMP MIBs......................................................................................................................402
Chapter 17: Patch Management ................................................................................................... 403
Flagging a Test to Launch a Patch Manager ...............................................................................403
Selecting the Patch Manager....................................................................................................404
Specifying the Number of Retests.............................................................................................404
Specifying the Retest Frequency...............................................................................................404
SMS Patch Management..........................................................................................................405
SMS Concepts ........................................................................................................................405
Sentriant AG/SMS/Sentriant AG Process ....................................................................................405
Sentriant AG Setup .................................................................................................................406
Learning More About SMS .......................................................................................................406
Appendix A: Configuring the Post-connect Server.......................................................................... 407
Overview ................................................................................................................................407
Extracting the ZIP File .............................................................................................................407
Windows...........................................................................................................................407
Linux ...............................................................................................................................408
ZIP File Contents ....................................................................................................................408
Setting up a Post-connect Host ................................................................................................409
Windows...........................................................................................................................409
Linux ...............................................................................................................................410
Viewing Logs ..........................................................................................................................412
Testing the Service..................................................................................................................412
Windows...........................................................................................................412
Linux ...............................................................................................................412
Configuring Your Sensor...........................................................................................................413
Allowing Sentriant AG Through the Firewall ...............................................................................413
Appendix B: Tests Help................................................................................................................ 415
Browser Security Policy—Windows............................................................................................415
Browser Version ................................................................................................................417
Internet Explorer (IE) Internet Security Zone ........................................................................417
Internet Explorer (IE) Local Intranet Security Zone ...............................................................418
Internet Explorer (IE) Restricted Site Security Zone ..............................................................418
Internet Explorer (IE) Trusted Sites Security Zone ................................................................419
Operating System—Windows ....................................................................................................420
IIS Hotfixes ......................................................................................................................420
Internet Explorer Hotfixes ..................................................................................................421
Microsoft Office Hotfixes....................................................................................................421
Microsoft Applications Hotfixes ..........................................................................................422
Microsoft Servers Hotfixes..................................................................................................422
Microsoft Tools Hotfixes.....................................................................................................422
Service Packs ...................................................................................................................423
Windows 2000 SP4 Hotfixes ..............................................................................................423
Windows 2003 SP1 Hotfixes ..............................................................................................423
Windows 2003 SP2 Hotfixes ..............................................................................................424
Windows Automatic Updates ..............................................................................................424
Windows Media Player Hotfixes ..........................................................................................425
Windows Vista™ SP0 Hotfixes ...........................................................................................425
Windows XP SP1 Hotfixes .................................................................................................426
Windows XP SP2 Hotfixes .................................................................................................426
Security Settings—OS X ..........................................................................................................427
Mac AirPort WEP Enabled ..................................................................................................427
Mac AirPort Preference ......................................................................................................427
Mac AirPort User Prompt ...................................................................................................427
Mac Anti-virus ..................................................................................................................428
Mac Bluetooth ..................................................................................................................428
Mac Firewall .....................................................................................................................428
Mac Internet Sharing .........................................................................................................429
Mac QuickTime® Updates .................................................................................................429
Mac Security Updates........................................................................................................430
Mac Services ....................................................................................................................430
Security Settings—Windows.....................................................................................................430
Allowed Networks ..............................................................................................................431
Microsoft Excel Macros ......................................................................................................431
Microsoft Outlook Macros...................................................................................................432
Microsoft Word Macros ......................................................................................................432
Services Not Allowed .........................................................................................................433
Services Required .............................................................................................................434
Windows Bridge Network Connection...................................................................................435
Windows Wireless Network SSID Connections ......................................................................435
Windows Security Policy ....................................................................................................435
Windows Startup Registry Entries Allowed ...........................................................................436
Wireless Network Connections ............................................................................................437
Software—Windows.................................................................................................................438
Anti-spyware .....................................................................................................................438
Anti-virus .........................................................................................................................438
High-risk Software.............................................................................................................439
Microsoft Office Version Check ...........................................................................................439
P2P .................................................................................................................................439
Personal Firewalls .............................................................................................................440
Software Not Allowed ........................................................................................................440
Software Required.............................................................................................................441
Worms, Viruses, and Trojans ..............................................................................................441
Appendix C: Database Design (Data Dictionary)............................................................................. 443
test_result table ......................................................................................................................444
Device table ...........................................................................................................................445
sa_cluster...............................................................................................................................447
sa_node .................................................................................................................................447
sa_user ..................................................................................................................................448
cluster_to_user .......................................................................................................................448
user_group .............................................................................................................................448
user_to_groups .......................................................................................................................449
group_to_permission ...............................................................................................................449
Appendix D: Ports used in Sentriant AG......................................................................................... 451
Appendix E: MS Disaster Recovery ............................................................................................... 457
Overview ................................................................................................................................457
Installation Requirements ..................................................................................................457
Installing the Standby MS ..................................................................................................457
Ongoing Maintenance ........................................................................................................458
Failover process ................................................................................................................458
Appendix F: Licenses................................................................................................................... 461
Sentriant® End-User License Agreement ...................................................................................461
Other Licenses........................................................................................................................463
Apache License Version 2.0, January 2004 .........................................................................464
ASM ................................................................................................................................465
Open SSH ........................................................................................................................466
Postgresql ........................................................................................................................468
Postgresql jdbc ................................................................................................................469
xstream ............................................................................................................................469
Libeay (Open SSL) ............................................................................................................469
Junit Common Public License - v 1.0 .................................................................................470
Open SSL.........................................................................................................................472
The GNU General Public License (GPL) Version 2, June 1991...............................................473
Pullparser ........................................................................................................................476
Xpp3................................................................................................................................476
The GNU Lesser General Public License (LGPL) Version 2.1 .................................................477
Ojdbc ..............................................................................................................................481
JavaMail Sun Microsystems, Inc. ........................................................................................483
jcharts .............................................................................................................................485
PyXML Python License (CNRI Python License) .....................................................................485
IO-Stty and IO-Tty .............................................................................................................486
Concurrent .......................................................................................................................487
Crypto ++ .........................................................................................................................487
WinPcap...........................................................................................................................488
Activation .........................................................................................................................490
JAVA OPTIONAL PACKAGE ................................................................................................491
jsp-api package.................................................................................................................492
Appendix G: Glossary................................................................................................................... 497
Index .......................................................................................................................................... 507
List of Figures
Figure 1: Sentriant AG Home Window .....................................................................................24
Figure 2: System Monitor Window ...........................................................................................25
Figure 3: System Monitor Window Legend ...............................................................................26
Figure 4: Internet Explorer Security Warning Message...............................................................35
Figure 5: IE Security Message Options ....................................................................................35
Figure 6: IE Security Warning Pop-up Window..........................................................................36
Figure 7: IE Internet Options, Advanced Tab............................................................................36
Figure 8: Online help.............................................................................................................44
Figure 9: Index tab ................................................................................................................45
Figure 10: Search tab ..............................................................................................................46
Figure 11: Single-server Installation ..........................................................................................48
Figure 12: Multiple-server Installation .......................................................................................49
Figure 13: Multiple-server, Multiple-cluster Installation ..............................................................50
Figure 14: System Configuration, Enforcement Clusters & Servers................................................53
Figure 15: Add Enforcement Cluster .........................................................................................54
Figure 16: Enforcement Cluster, General ...................................................................................56
Figure 17: System Configuration, Enforcement Clusters & Servers................................................57
Figure 18: Add Enforcement Server ..........................................................................................58
Figure 19: Enforcement Cluster Legend.....................................................................................59
Figure 20: Enforcement Server .................................................................................................60
Figure 21: Enforcement Server, Status ......................................................................................63
Figure 22: System Configuration, Management Server ................................................................65
Figure 23: Management Server Network Settings........................................................................66
Figure 24: Date & Time ...........................................................................................................68
Figure 25: System Configuration, User Accounts ........................................................................72
Figure 26: Add User Account ...................................................................................................73
Figure 27: Copy User Account ..................................................................................................76
Figure 28: User Account ..........................................................................................................77
Figure 29: System Configuration, User Roles .............................................................................79
Figure 30: Add User Role.........................................................................................................80
Figure 31: User Role ...............................................................................................................81
Figure 32: System Configuration, License ..................................................................................83
Figure 33: System Configuration, Test Updates ..........................................................................84
Figure 34: Test Update Log......................................................................................................86
Figure 35: Test Update Log Window Legend ..............................................................................86
Figure 36: System Configuration, Quarantining ..........................................................................87
Figure 37: System Configuration, Windows Domain ....................................................................91
Figure 38: System Configuration, OpenLDAP .............................................................................93
Figure 39: Add 802.1X Device .................................................................................................95
Figure 40: Add 802.1X Device, Test Connection Area Option 1 ...................................................96
Figure 41: Add 802.1X Device, Test Connection Area Option 2 ...................................................96
Figure 42: Add Cisco IOS Device ..............................................................................................98
Figure 43: Add Cisco CatOS Device.........................................................................................100
Figure 44: Add Enterasys Device ............................................................................................102
Figure 45: Add ExtremeWare Device .......................................................................................104
Figure 46: Add Extreme XOS Device .......................................................................................105
Figure 47: Add Foundry Device...............................................................................................107
Figure 48: Add HP ProCurve Device ........................................................................................109
Figure 49: Add HP ProCurve WESM xl/zl Device .......................................................................112
Figure 50: Add HP ProCurve 420/530 AP Device .....................................................................114
Figure 51: Add Nortel Device .................................................................................................116
Figure 52: Add Other Device ..................................................................................................118
Figure 53: System Configuration, Quarantining, DHCP Enforcement...........................................120
Figure 54: Add a Quarantine Area ...........................................................................................121
Figure 55: Quarantine Area ....................................................................................................123
Figure 56: Post-connect Configuration Message .......................................................................125
Figure 57: System Configuration, Post-connect ........................................................................126
Figure 58: Post-connect Launch Window .................................................................................127
Figure 59: Post-connect Quarantine Details .............................................................................128
Figure 60: System Configuration, Maintenance ........................................................................130
Figure 61: Backup Successful Message ...................................................................................131
Figure 62: System Configuration, Testing Methods ...................................................................132
Figure 63: System Configuration, Accessible Services...............................................................135
Figure 64: System Configuration, Exceptions ...........................................................................137
Figure 65: System Configuration, Notifications.........................................................................139
Figure 66: System Configuration, End-user Screens..................................................................141
Figure 67: System Configuration, Agentless Credentials ............................................................143
Figure 68: Agentless Credentials, Add Windows Administrator Credentials ..................................144
Figure 69: System Configuration, Logging Option .....................................................................146
Figure 70: System Configuration, Advanced Option ..................................................................148
Figure 71: Endpoint Activity, All Endpoints Area ......................................................................149
Figure 72: Endpoint Activity, Menu Options.............................................................................151
Figure 73: Timeframe Drop-down List .....................................................................................152
Figure 74: Display Endpoints Drop-down .................................................................................152
Figure 75: Search Criteria ......................................................................................................153
Figure 76: Highlighted Fields .................................................................................................153
Figure 77: Endpoint Mouseover Pop-up Window .......................................................................155
Figure 78: Failed Endpoint.....................................................................................................157
Figure 79: Failed Endpoint Allow All Mode ..............................................................................158
Figure 80: Failed Endpoint Allow All Mode Mouse Over.............................................................158
Figure 81: Access Control and Endpoint Test Status .................................................................159
Figure 82: Endpoint, General Option .......................................................................................162
Figure 83: Endpoint Activity, Endpoint Test Results Option.......................................................163
Figure 84: Local Area Connection Properties ............................................................................174
Figure 85: Local Area Connection Properties ............................................................................175
Figure 86: Windows Vista, Welcome Center..............................................................................176
Figure 87: Windows Vista, System ..........................................................................................177
Figure 88: Windows Vista, System Properties ...........................................................................178
Figure 89: Windows Vista, Computer Name/Domain Changes.....................................................179
Figure 90: Windows Vista, Windows Security............................................................................179
Figure 91: Mac System Preferences ........................................................................................184
Figure 92: Mac Sharing .........................................................................................................185
Figure 93: Mac Ports .............................................................................................................186
Figure 94: End-user Opening Window......................................................................................187
Figure 95: End-user Installing Window ....................................................................................188
Figure 96: End-user Agent Installation Failed...........................................................................189
Figure 97: End-user Agent Installation Window (Start) ..............................................................190
Figure 98: End-user Agent Installation Window (Finish) ............................................................190
Figure 99: Add/Remove Programs ...........................................................................................191
Figure 100: Security Certificate ................................................................................................192
Figure 101: Run or Save to Disk ...............................................................................................192
Figure 102: Start Mac OS Installer ...........................................................................................193
Figure 103: Mac OS Installer 1 of 5..........................................................................................194
Figure 104: Mac OS Installer 2 of 5..........................................................................................194
Figure 105: Mac OS Installer 3 of 5..........................................................................................195
Figure 106: Mac OS Installer 4 of 5..........................................................................................195
Figure 107: Mac OS Installer 5 of 5..........................................................................................196
Figure 108: Applications, Utilities Folder ..................................................................................197
Figure 109: Activity Monitor.....................................................................................................198
Figure 110: Mac Terminal........................................................................................................199
Figure 111: End-user ActiveX Plug-in Failed ..............................................................................200
Figure 112: End-user Login Credentials.....................................................................................201
Figure 113: End-user Login Failed ............................................................................................202
Figure 114: End-user Testing ...................................................................................................203
Figure 115: End-user Testing Successful...................................................................................203
Figure 116: End-user Testing Cancelled ....................................................................................204
Figure 117: End-user Testing Failed Example 1 .........................................................................205
Figure 118: End-user Testing Failed, Printable Results ...............................................................206
Figure 119: End-user Error.......................................................................................................206
Figure 120: NAC Policies.........................................................................................................213
Figure 121: NAC Policies Window Legend .................................................................................214
Figure 122: Add NAC Policy Group ...........................................................................................215
Figure 123: Edit NAC Policy Group ...........................................................................................216
Figure 124: Default NAC Policy ................................................................................................217
Figure 125: Add a NAC Policy, Basic Settings Area ....................................................................218
Figure 126: Add a NAC Policy, Domains and Endpoints ..............................................................220
Figure 127: Add NAC Policy, Tests Area ....................................................................................222
Figure 128: NAC Policy Test Icons............................................................................................230
Figure 129: System Configuration, Accessible Services...............................................................233
Figure 130: System Configuration, Exceptions ...........................................................................234
Figure 131: Inline Installations.................................................................................................240
Figure 132: DHCP Installation..................................................................................................241
Figure 133: 802.1X Installation ...............................................................................................242
Figure 134: Inline Installations.................................................................................................246
Figure 135: DHCP Installation..................................................................................................248
Figure 136: 802.1X Components..............................................................................................252
Figure 137: Sentriant AG 802.1X Enforcement ..........................................................................254
Figure 138: 802.1X Communications........................................................................................255
Figure 139: Windows Components Wizard .................................................................................257
Figure 140: Networking Services ..............................................................................................257
Figure 141: IAS, Register Server in Active Directory ...................................................................258
Figure 142: IAS, Properties Option ...........................................................................................259
Figure 143: IAS, Properties......................................................................................................259
Figure 144: IAS, New Client, Name and Address........................................................................260
Figure 145: IAS, New Client, Additional Information ..................................................................261
Figure 146: IAS, New Remote Access Policy..............................................................................262
Figure 147: IAS, Remote Access Policy, Access Method .............................................................262
Figure 148: IAS, Remote Access Policy, Group Access ...............................................................263
Figure 149: IAS, Remote Access Policy, Find Group ...................................................................263
Figure 150: Remote Access Policy, Select Group .......................................................................264
Figure 151: IAS, Remote Access Policy, Authentication Method ..................................................264
Figure 152: Error Message .......................................................................................................266
Figure 153: Protected EAP Properties .......................................................................................267
Figure 154: IAP, Remote Access Policy, Properties ....................................................................268
Figure 155: IAS, Remote Access Policy, Configure .....................................................................268
Figure 156: IAS, Remote Access Policy, Add Attribute................................................................269
Figure 157: IAS, Remote Access Logging Properties ...................................................................271
Figure 158: Sentriant AG-to-IAS Connector................................................................................272
Figure 159: IAS, Add/Remove Snap-in ......................................................................................273
Figure 160: IAS, Add/Remove Snap-in, Certificates ....................................................................273
Figure 161: IAS, Import Certificate ...........................................................................................274
Figure 162: Active Directory, Properties ....................................................................................276
Figure 163: Active Directory, Store Passwords............................................................................276
Figure 164: Active Directory Users and Computers .....................................................................278
Figure 165: Active Directory, User Account Properties ................................................................278
Figure 166: Enabling 802.1X in the User Interface ....................................................................283
Figure 167: Windows XP Pro Local Area Connection, General Tab ................................................284
Figure 168: Windows XP Pro Local Area Connection Properties, Authentication Tab ......................285
Figure 169: Windows 2000 Local Area Connection Properties, General Tab ..................................287
Figure 170: Windows 2000 Local Area Connection Properties, Authentication Tab ........................287
Figure 171: Wired AutoConfig Properties ...................................................................................288
Figure 172: Windows Vista Local Area Connection, Networking Tab .............................................289
Figure 173: Windows Vista Local Area Connection Properties, Authentication Tab .........................290
Figure 174: Nortel Initialization Script ......................................................................................298
Figure 175: Nortel Re-authentication Script ..............................................................................299
Figure 176: Nortel Exit Script ..................................................................................................299
Figure 177: Sentriant AG API Communication ...........................................................................304
Figure 178: The DAC InstallShield Wizard Welcome Window .......................................................315
Figure 179: RDAC Installer, Setup Type ....................................................................................315
Figure 180: RDAC Installer, Choose Destination Location............................................................316
Figure 181: RDAC Installer, Confirm New Folder ........................................................................316
Figure 182: RDAC Installer, Select Features ..............................................................................317
Figure 183: RDAC Installer, NIC Selection ................................................................................317
Figure 184: RDAC Installer, TCP Port Filter Specification ...........................................................318
Figure 185: RDAC Installer, Enforcement Server Specification ....................................................318
Figure 186: RDAC Installer, Ready to Install the Program ...........................................................319
Figure 187: RDAC Installer, InstallShield Wizard Complete .........................................................320
Figure 188: Example wrapper.conf File .....................................................................................321
Figure 189: NAC Endpoint Activity Capture Service ....................................................................324
Figure 190: RDAC Uninstall Complete ......................................................................................325
Figure 191: Reports ................................................................................................................331
Figure 192: NAC Policy Results Report .....................................................................................332
Figure 193: Test Details Report ................................................................................................333
Figure 194: DHCP Plug-in .......................................................................................................337
Figure 195: System Configuration, Quarantining, DHCP..............................................................341
Figure 196: DHCP Plug-in InstallShield Wizard window ..............................................................342
Figure 197: DHCP Plug-in Customer Information window ............................................................342
Figure 198: DHCP Plug-in Ready to Install the Program window ..................................................343
Figure 199: DHCP Plug-in InstallShield Wizard Complete window................................................343
Figure 200: Add DHCP Plug-in Configuration.............................................................................344
Figure 201: DHCP Plug-in Server Added Example ......................................................................345
Figure 202: DHCP Plug-in Legend ............................................................................................345
Figure 203: DHCP Plug-in Configuration ...................................................................................346
Figure 204: Restore System .....................................................................................................360
Figure 205: Login ...................................................................................................................360
Figure 206: Test Script Code....................................................................................................364
Figure 207: Example InstallCustomTests Output ........................................................................366
Figure 208: testTemplate.py ....................................................................................................369
Figure 209: checkOpenPorts.py script .......................................................................................372
Figure 210: snmpd.conf Example File .......................................................................................401
Figure 211: Initiate a Patch Manager Check Box ........................................................................403
Figure 212: Microsoft Office Hotfixes Critical Updates................................................................421
List of Tables
Table 1: Sentriant AG v5.x for v4.x Users ...............................................................................26
Table 2: Test Methods ..........................................................................................................29
Table 3: Sentriant AG Technical Support................................................................................33
Table 4: Default Menu Options ..............................................................................................51
Table 5: Default User Roles ..................................................................................................74
Table 6: User Role Permissions .............................................................................................80
Table 7: Accessible Services and Endpoints Tips...................................................................136
Table 8: Troubleshooting Quarantined Endpoints...................................................................164
Table 9: Default Test Names and Descriptions ......................................................................208
Table 10: Expect Script Commands and Parameters ................................................................299
Table 11: Report Types and Fields.........................................................................................329
Table 12: DHCP Plug-in Configuration File Values...................................................................339
Table 13: Service Stop and Restart Commands .......................................................................350
Table 14: CIDR Naming Conventions .....................................................................................358
Table 15: Sentriant AG System Requirements.........................................................................361
Table 16: BasicTests API ......................................................................................................377
Table 17: Sentriant AG Passwords .........................................................................................386
Table 18: Browser Vulnerabilities...........................................................................................415
Table 19: Ports in Sentriant AG .............................................................................................451
1 Introduction
This chapter provides the following:
● A description of the Home window (“Sentriant AG Home Window” on page 23)
● A description of the System monitor window (“Sentriant AG Home Window” on page 23)
● A quick-reference for v4.1 users (“Sentriant AG v5.x for v4.x Users” on page 26)
● An overview of Sentriant AG and the key features (“Overview” on page 29)
● How to get help (“Technical Support” on page 33)
● Other documents (“Additional Documentation” on page 33)
● Where to get installation and upgrading information (“Installing and Upgrading” on page 34)
● How to read this document (“Conventions Used in This Document” on page 39)
● How to copy files between systems (“Copying Files” on page 42)
NOTE
The downloading and upgrading procedures discussed in this Users Guide apply only to off-the-shelf servers, not to the Extreme Networks, Inc. Sentriant AG 200 appliance.
Sentriant AG Home Window
The Sentriant AG Home window (Figure 1) is a centralized management user interface that allows you
to quickly assess the status of your network. The following list and figure describe and show the key
features:
1 Important status announcements—If there is anything that needs your immediate attention, a status
announcement is displayed at the top of the window. Click clear to remove the announcement.
2 My account—Click this icon to open the user account editing window. See “User Accounts” on page
71 for details on creating and editing user accounts. You must have administrator privileges to create
user accounts; however, any user can edit their own account.
3 Top 5 failed tests area—The Top 5 failed tests area indicates the tests that fail the most. Click on an
endpoint number or the Test results report option to view details.
4 Window actions—Use these buttons to refresh the window, log out of the user interface, and access
online help.
5 Navigation pane—The menu items shown in this pane vary depending on your permission level.
See “User Roles” on page 78 for more information on permissions. You must have administrator
privileges to create and edit user roles. Once you select a menu item from the navigation pane, use
the breadcrumbs at the top of the window to navigate throughout the user interface (see Figure 2,
System Monitor Window, on page 25).
6 Endpoint test status area—The Endpoint tests area displays the total number of endpoints that
Sentriant AG has attempted to test, and what the test status is for each endpoint. Click the number
of endpoints to view details.
7 Access control status area—The Access control area displays the total number of endpoints that
have attempted to connect to your network, and what the access state is as a percentage and as a
number. Click on the number of endpoints to view details.
8 Enforcement server (ES) status area—The Enforcement server status area provides status on your
ESs. Click the System monitor option to view details.
Figure 1: Sentriant AG Home Window (callouts 1 through 8 mark the areas described above: important status announcements, my account, top 5 failed tests area, window actions, navigation pane, test status area, access control status area, and enforcement server status area)
System Monitor
The System monitor window provides the following information:
● Enforcement cluster name—The Enforcement clusters are listed by name in the order they were created. Click on a cluster name to view cluster details. You must have cluster-editing permissions to view and edit cluster details.
● Server name by cluster—The servers for each cluster are listed by name in the order they were created. Click on a server name to view server details. You must have cluster-editing permissions to view and edit server details.
● Cluster access mode—The cluster access mode is either normal or allow all. See “Enforcement Clusters and Servers” on page 52 for instructions on making the access mode selection.
● Health status—Health status shows ok for servers with no problems, and either warning or error for servers with problems. Click the server name to view details.
● Upgrade status—Upgrade status shows the status of any upgrades in process.
● % memory used—The amount of memory currently used by each server is shown as a percentage of total memory available.
● Endpoints tested/minute—The number of endpoints tested over the last 15 minutes or less.
● Endpoints queued—The number of tests running or scheduled to run on that ES.
● System load average—The number of processes waiting to run (top command). In Linux, entering top at the command line returns a real-time look at processor activity.
Figure 2: System Monitor Window (callout: breadcrumbs for navigation)
The following figure shows the legend for the System monitor window icons:
Figure 3: System Monitor Window Legend
Sentriant AG v5.x for v4.x Users
The user interface has been completely redesigned in this release of Sentriant AG. The following table
provides a quick-reference for users familiar with Sentriant AG v4.x. The first column shows the v4.x
task with the corresponding v5.x user interface location in the second column.
Table 1: Sentriant AG v5.x for v4.x Users

Sentriant AG 4.x: System configuration button
Sentriant AG 5.x: System configuration menu option
Notes: The System configuration button was previously towards the top right of the main window. The System configuration menu option is now at the bottom left of the home window.

Sentriant AG 4.x: General tab
Sentriant AG 5.x:
• License key—System configuration>>License
• Name of network—System configuration>>Enforcement clusters & servers
• Default NAC policy—NAC policy
• Administrator login—System configuration>>User accounts
Notes: The General tab tasks are now on two different windows: System configuration and NAC policies. The Network name no longer applies; use cluster and server names instead.

Sentriant AG 4.x: System tab
Sentriant AG 5.x:
• Interface and DNS configuration—System configuration>>Select a server>>Configuration
• Date & time settings—System configuration>>Management server
• Accessible services and endpoints—System configuration>>Accessible services OR System configuration>>Enforcement clusters & servers>>Select add an Enforcement cluster or Select an existing cluster>>Accessible services
Notes: System tab tasks are on the System configuration window. Accessible services are set as cluster defaults. These defaults can be overridden when creating or editing a cluster.

Sentriant AG 4.x: Quarantine tab
Sentriant AG 5.x:
• Quarantine method—System configuration>>Quarantining>>Select a cluster to override the default setting
• Quarantine area—System configuration>>Quarantining>>DHCP quarantine method>>Add a quarantine area
• Routing on the endpoint—System configuration>>Quarantining>>DHCP quarantine method>>Add a quarantine area
Notes: The default quarantine method for all clusters is 802.1X. This default can be overridden for all clusters and per cluster. The DHCP quarantine option has two selections now: Static routes on the endpoints or Router access control lists.

Sentriant AG 4.x: Notification tab
Sentriant AG 5.x: System configuration>>Notifications OR System configuration>>Select an Enforcement cluster>>Notifications
Notes: Notifications are set as cluster defaults, but can be overridden when creating or editing a cluster.

Sentriant AG 4.x: Tests tab
Sentriant AG 5.x:
• Check for test updates—System configuration>>Test updates
• Endpoint testing exemptions—System configuration>>Exceptions
Notes: Exemptions is now called exceptions.

Sentriant AG 4.x: Thresholds tab
Sentriant AG 5.x: The thresholds and stoplight have been removed.
Notes: The home window now provides system status.

Sentriant AG 4.x: End-user access tab
Sentriant AG 5.x:
• End-user testing methods—System configuration>>Testing methods
• End-user testing options—System configuration>>Testing methods
• End-user testing screen customization—System configuration>>End-user screens
• Enable test failed pop-up—System configuration>>End-user screens
Notes: End-user tab tasks are on the System configuration window. They are set as cluster defaults, but can be overridden when creating or editing a cluster.

Sentriant AG 4.x: Credentials tab
Sentriant AG 5.x: System configuration>>Agentless credentials
Notes: Windows domain credentials are on the System configuration window (Agentless credentials). They are set as cluster defaults, but can be overridden when creating or editing a cluster. RDBMS and LDAP credentials have been removed.

Sentriant AG 4.x: Monitor and report zone
Sentriant AG 5.x: Home window
Notes: System status is shown on the home window and on the System monitor window.

Sentriant AG 4.x: Manage system zone>>System mode
Sentriant AG 5.x: System configuration>>Enforcement clusters & servers>>Select or add an Enforcement cluster>>General

Sentriant AG 4.x: Access policies zone
Sentriant AG 5.x: Home window>>NAC policies
Notes: Access policies are now called NAC policies.

Sentriant AG 4.x: View activity tab
Sentriant AG 5.x: Home window>>Endpoint activity
Notes: Devices are now called Endpoints.

Sentriant AG 4.x: N/A
Sentriant AG 5.x: Home window>>System monitor

Sentriant AG 4.x: Access policy editor>>Viewing last device results
Sentriant AG 5.x: Endpoint activity

Sentriant AG 4.x: Reports tab
Sentriant AG 5.x: Home window>>Reports

Sentriant AG 4.x: Proxy settings (command line)
Sentriant AG 5.x: System configuration>>Management server and via the command line for times when the license has not yet been validated.
Notes: Proxy servers can be configured for test updates and license validation only.

Sentriant AG 4.x: nac.properties file updates
Sentriant AG 5.x: Use a script to update properties files (nac-es.properties and nacms.properties).
Notes: Property file updates should no longer be made directly, but imported using the setProperty.py script.

Sentriant AG 4.x: Backing up data (command line)
Sentriant AG 5.x: System configuration>>Maintenance

Sentriant AG 4.x: Restoring data (command line)
Sentriant AG 5.x: System configuration>>Maintenance

Sentriant AG 4.x: Diagnostics link
Sentriant AG 5.x: Not currently available. May be added in a future release.

Sentriant AG 4.x: Tests tab>>View test update logs
Sentriant AG 5.x: System configuration>>Test updates>>View test update log.
Overview
Sentriant AG protects the network by ensuring that endpoints are free from threats and in compliance
with the organization's IT security standards. Sentriant AG systematically tests endpoints—with or
without the use of a client or agent—for compliance with organizational security policies, quarantining
non-compliant machines before they damage the network.
Sentriant AG ensures that the applications and services running on endpoints (such as LAN, RAS, VPN,
and WiFi endpoints) are up-to-date and free of worms, viruses, trojans, P2P and other potentially
damaging software. It dramatically reduces the cost and effort of securing your network's weakest
links—the endpoints your IT group might not adequately control.
There are advantages and disadvantages inherent with each of the test method technologies. Having a
choice of testing solutions enables you to maximize the advantages and minimize the disadvantages.
NOTE
Agentless testing uses an existing Windows service (RPC). ActiveX testing uses an ActiveX control. Extreme
Networks, Inc. agent testing installs an agent (Sentriant AG Agent) and runs as a new Windows service.
The trade-offs in the test methods are described in the following table:
Table 2: Test Methods

Test method: Agentless
Pros:
• Truly agentless, no install or download.
• No extra memory load on the client machine.
• Can begin testing, view test results, and give network access without any end-user interaction for endpoints on your Windows domains.
• Easiest of the three test methods to deploy.
• Saves administration time and is therefore less expensive than agent-based solutions.
Cons:
• Requires RPC Service to be available to the Sentriant AG server (ports 139 or 445).
• Requires file and print sharing to be enabled.
• Not supported by legacy Windows™ operating systems and non-Windows operating systems.
• If the endpoint is not on a domain, the user must specify local credentials. A user often does not know what credentials to enter.

Test method: ActiveX plug-in
Pros:
• No installation or upgrade to maintain.
• Supports all Windows operating systems.
• Only Internet Explorer application access required through personal firewall. Must open port 1500.
Cons:
• No retesting of endpoint once browser is closed.
• Not supported by non-Windows operating systems.
• Browser security settings must allow ActiveX control operation of signed and safe controls. This is the default for the Internet zone. Raise the Internet zone setting and make Sentriant AG part of the trusted zone.
• Requires interaction from end-users—they must download the control before they can access network.

Test method: Sentriant AG Agent
Pros:
• Always available for retesting.
• The agent is automatically updated with product updates.
• Supports all Windows platforms.
Cons:
• Install and upgrade to maintain.
• Requires one-time interaction from end-users—they must download and install before they can access network.
The following list highlights key features:
● Enforcement options—Sentriant AG provides multiple enforcement options for quarantining endpoints that do not comply with your security policy (Inline, DHCP, and 802.1X). This enables Sentriant AG to enforce compliance across complex, heterogeneous networks.
● High availability and load balancing—A multi-server Sentriant AG deployment is mutually supporting. Should one server fail, other nodes within a cluster will automatically provide coverage for the affected network segment. Load balancing is achieved by an algorithm that spreads the endpoint testing load across all ESs in a cluster.
● Multiple-user, role-based access—In enterprise deployments numerous individuals, each with varying responsibilities, typically require access to information within Sentriant AG. Role-based access enables system administrators to control who has access to the data, the functions they are allowed to perform, and the information they can view and act on. Role-based access ensures the integrity of the enterprise-wide Sentriant AG deployment and creates the separation of duties that conforms to security best-practices.
● Extensible—Sentriant AG’s easy-to-use open API allows administrators to create custom tests for meeting unique organizational requirements. The API is fully exposed and thoroughly documented. Custom tests are created using scripts and can be seamlessly added to existing policies.
● Compatible with existing heterogeneous network infrastructure—No upgrades to your existing network infrastructure are required.
● Variety of enforcement options—Permit, deny, or quarantine based on test results.
● Self-remediation—Reduces IT administration by empowering users to bring their machines into compliance.
● Subscription-based licensing—Includes all test updates and software upgrades.
The Sentriant AG Process
Sentriant AG administrators create NAC policies that define which applications and services are
permitted, and specify the actions to be taken when endpoints do not comply. Sentriant AG
automatically applies the NAC policies to endpoints as they log into the network, and periodically as
the endpoints remain logged into the network. Based on results, endpoints are either permitted or
quarantined to a specific part of the network, thus enforcing the organizational security standards.
Sentriant AG tracks all testing and connection activity and produces a range of reports for auditors,
managers, and IT staff.
Sentriant AG performs pre-connect testing; when an endpoint passes the NAC policy tests (or is
otherwise granted access), the endpoint is allowed access to the network. If you have external Intrusion
Detection System/Intrusion Prevention System (IDS/IPS) systems that monitor your network for
attacks, you can configure these external systems in Sentriant AG so they can request that Sentriant AG
quarantine an endpoint after it has been connected (post-connect).
About Sentriant AG
NAC Policy Definition
NAC policies consist of individual tests that evaluate the security status of endpoints attempting to
access the network. Specific tests assess operating systems, verify that key hotfixes and patches have
been installed, ensure antivirus and other security applications are present and up-to-date, detect the
presence of worms, trojans, and viruses, and check for potentially dangerous applications such as file
sharing, peer-to-peer (P2P), or spyware. See “Tests Help” on page 415 for more information.
Key features include:
● Out-of-the-box NAC policies—High, medium, and low security are ready to use with no additional configuration required.
● Standard and custom tests—Sentriant AG comes with a broad range of tests. You can also create custom tests through the Sentriant AG application programming interface (API).
● Automatic test updates—Sentriant AG is automatically updated with tests that cover newly released patches, hotfixes, software updates, worms, and trojans, and recommended security settings for common applications. New tests are automatically added to the test database as frequently as hourly, ensuring immediate protection against newly discovered threats.
● Organization-specific policies—Any number of NAC policies can be created and tailored to your organizational needs. Create policies for like endpoints (for example, all Windows 2000 workstations), for an IP range or specific IPs, or by geographic location.
Endpoint Testing
Sentriant AG automatically tests all endpoints attempting to access your network through a LAN, RAS, VPN, or WiFi connection. Tests are fast and you are kept informed of test progress and results. After the initial compliance tests, Sentriant AG periodically tests endpoints that have been granted access to ensure that real-time system changes do not violate the NAC policy.
NOTE
Sentriant AG passes approximately 9 to 16 kilobytes of total data between a single endpoint and a single
Sentriant AG server for a single testing session with the High Security NAC policy (approximately 20 tests). It
typically takes between 5 and 10 seconds to run all tests in a policy on a 100Mb LAN. If your endpoints are taking
longer to test, there might be a configuration problem with DNS on the Sentriant AG server.
NOTE
If the end-user selects ActiveX test and then closes the browser, their endpoint is not retested until the end-user
opens another browser session, reloading the ActiveX agent.
Key features include:
● Multiple test method options—Agentless, ActiveX, or Sentriant AG Agent. Select the most appropriate method for your environment or endpoint.
● Rapid testing and robust endpoint management—Thousands of endpoints can be tested and managed simultaneously.
● Continual testing—Endpoints are retested on an administrator-defined interval as long as they remain connected to the network.
Compliance Enforcement
Based on endpoint test results, Sentriant AG takes the appropriate action. Endpoints that test compliant
with the applied policy are permitted access. Non-compliant endpoints are either quarantined, or are
given access for a temporary period. Implement the necessary fixes during this period.
Key features include:
● Flexible enforcement options—Grant or quarantine access criteria are designated by the administrator and driven by the criticality of selected tests and corporate security standards.
● Manual overrides—Administrators can retest, quarantine, or grant access to endpoints on demand.
● User notifications—Users of non-compliant endpoints receive immediate notification about the location of the endpoint deficiencies, as well as step-by-step information about implementing the corrections to achieve compliance.
● Administrator notifications—Administrators receive a variety of notifications and alerts based on testing and access activity.
● Graduated enforcement—Allows controlled system rollout.
Automated and Manual Repair
● Self-remediation—End-users are notified of where their endpoints are deficient and provided with remediation instructions.
● Access grace period—Non-compliant endpoints are granted access for a temporary, administrator-defined period to facilitate remediation.
● Patch Management—Sentriant AG can integrate with patch management software, automating the process to get an endpoint updated and on the network.
Targeted Reporting
Sentriant AG reports provide concise security status information on endpoint compliance and access
activity. Specific reports are available for auditors, managers, and IT staff members.
For more information, see “Reports” on page 329.
Technical Support
Table 3 lists the available technical support options.
Table 3: Sentriant AG Technical Support

Option: Email Technical Assistance Center (TAC)
Contact: support@extremenetworks.com

Option: Call Technical Assistance Center (TAC)
Contact: (800) 998-2408

Option: Web support
Contact: http://www.extremenetworks.com/services/resources/

Hours (all options): Seven days a week, 24x7x365
Additional Documentation
Sentriant AG documentation is available in a number of media formats and is accessible in a variety of ways:
● Sentriant AG Hardware Quick Start Guide—The Sentriant AG Hardware Quick Guide provides information on installing the appliance in your network and any initial configuration required.
● Sentriant AG Hardware Installation Guide—The Sentriant AG Hardware Installation Guide is designed to get the Sentriant AG 200 appliance up and running on your network quickly. It provides instructions on installation and on system configuration.
● Sentriant AG Software Installation Guide—The Sentriant AG Software Installation Guide is designed to get Sentriant AG configured on your network, providing additional instructions on installation and on system configuration.
● Online help—Online help is an essential component that assists in the installation, configuration, and ongoing management of Sentriant AG. You can access the online help by clicking the question mark displayed in the upper-right corner of the primary interface elements. See “Users’ Guide Online Help” on page 43 for additional information.
● Sentriant AG Software Quick Start Card—The Sentriant AG Software Quick-start Card provides a high-level overview of the physical deployment options, software installation, post-installation configuration, the User Guide, and how to get support.
Installing and Upgrading
Installation instructions are provided in the Software Installation Guide.
Upgrading is described in “Checking for Sentriant AG Upgrades” on page 70.
CAUTION
Installing third-party software on the Sentriant AG server is not supported. If you install additional software on the
Sentriant AG server, you need to remove it in order to troubleshoot any Sentriant AG issues, and it will likely be
partially or fully overwritten during Sentriant AG release upgrades or patch installs, compromising the third-party
software functionality. Additionally, installing third-party software and/or modifying the Sentriant AG software can
violate your license agreement. Please refer to the Extreme Networks, Inc. EULA: “Sentriant® End-User License
Agreement” on page 461.
Important Browser Settings
Pop-up Windows
The Sentriant AG reports capability uses a pop-up window. In order for you to run reports on
Sentriant AG, you must allow pop-up windows from the Sentriant AG server.
To allow pop-up windows in IE 6.0 with SP2:
IE browser>>Tools>>Pop-up blocker>>Pop-up blocker settings
1 Enter the IP address or partial IP address of the Sentriant AG MS.
2 Click Add.
3 Click Close.
To allow pop-up windows in Mozilla:
Mozilla browser>>Edit>>Preferences>>Privacy & Security>>Popup Windows
1 Select the Block unrequested popup windows check box.
2 Click Allowed sites.
3 Enter the IP address or partial IP address of the Sentriant AG MS.
4 Click Add.
5 Click OK.
6 Click OK.
To allow pop-up windows in Windows or Linux Firefox:
Firefox browser>>Tools>>Options>>Content
1 Clear the Block Popup Windows check box.
2 Click OK.
To allow pop-up windows in Mac Firefox:
Firefox menu>>Preferences>>Content
1 Clear the Block Popup Windows check box.
2 Close the Content window.
Active Content
The Windows® XP Service Pack 2 (SP2) installation changes some of the Internet Explorer (IE)
browser’s security settings. This change in settings displays an active content message (Figure 4), at the
top of the browser window when you access the Sentriant AG help feature.
Figure 4: Internet Explorer Security Warning Message
To view the Sentriant AG online help in IE:
1 Click on the message box to display the options (Figure 5).
Figure 5: IE Security Message Options
2 Select Allow Blocked Content. The Security Warning window appears:
Figure 6: IE Security Warning Pop-up Window
3 Click Yes on the Security Warning window.
To change the IE security settings to always allow active content:
IE browser>>Tools>>Internet Options>>Advanced tab
Figure 7: IE Internet Options, Advanced Tab
1 In the Internet Options pop-up window, scroll down to the security section.
2 Select the Allow active content to run in files on my computer check box.
3 Click OK.
Minimum Font Size
In order to properly display the Sentriant AG user interface, do not specify the minimum font size.
To clear the IE minimum font size:
IE browser>>Tools>>Internet options>>General tab>>Accessibility button
1 Make sure all of the check boxes are cleared on this window.
2 Click OK.
3 Click OK.
To clear the Mozilla minimum font size:
Mozilla browser>>Edit>>Preferences>>Appearance>>Fonts
1 Select None from the Minimum font size drop-down list.
2 Click OK.
To clear the Windows or Linux Firefox minimum font size:
Firefox browser>>Tools>>Options>>Content>>Fonts & Colors, Advanced
1 Select None in the Minimum font size drop-down list.
2 Select the Allow pages to choose their own fonts, instead of my selections above check box.
3 Click OK.
4 Click OK.
To clear the Mac Firefox minimum font size:
Firefox menu>>Preferences>>Content>>Fonts & Colors, Advanced
1 Select None in the Minimum font size drop-down list.
2 Select the Allow pages to choose their own fonts, instead of my selections above check box.
3 Click OK.
4 Close the Content window.
Page Caching
To set the IE page caching options:
Internet Explorer browser>>Tools>>Internet Options
1 Select the General tab.
2 Click Settings.
3 In the Check for new versions of stored pages area, select the Automatically radio button.
4 Click OK.
5 In the Internet Options dialog box, click the Advanced tab.
6 Scroll down to the Security area. Clear the Do not save encrypted pages to disk check box.
7 Click OK.
To set the Mozilla page caching options:
Mozilla browser>>Edit>>Preferences
1 Click the plus (+) symbol next to Advanced to expand the topic.
2 Select Cache.
3 In the Compare the page in the cache to the page on the network area, select the Every time I view
the page radio button.
4 Click OK.
Temporary Files
Periodically delete temporary files from your system to improve browser performance.
To delete temporary files in IE:
Internet Explorer>>Tools>>Internet Options>>General tab
1 Click Delete Files.
2 Select the Delete all offline content check box.
3 Click OK.
4 Click OK.
To delete temporary files in Mozilla:
Mozilla browser>>Edit>>Preferences
1 Select the plus (+) symbol next to Advanced to expand the topic.
2 Select Cache.
3 Click Clear Cache.
To delete temporary files in Windows or Linux Firefox:
Firefox browser>>Tools>>Options>>Privacy
1 In the Private Data area, click Settings. The Clear Private Data window appears.
2 Select the Cache check box.
3 Click OK.
4 Click Clear Now.
5 Click OK.
To delete temporary files in Mac Firefox:
Firefox menu>>Preferences>>Privacy
1 In the Private Data area, click Settings. The Clear Private Data window appears.
2 Select the Cache check box.
3 Click OK.
4 Click Clear Now.
5 Close the Privacy window.
Conventions Used in This Document
The conventions used in this document are described in this section:
Navigation Paragraph
Navigation paragraphs provide a quick visual on how to get to the screen or area discussed.
Example:
Home window>>Configure system
Note Paragraph
Notes notify you of important information.
Example:
NOTE
If there is no activity for 30 minutes, the configuration window times out and you must log in again.
Caution Paragraph
Cautions notify you of conditions that can cause errors or unexpected results.
Example:
CAUTION
Do not rename the files or they will not be seen by Sentriant AG.
Warning Paragraph
Warnings notify you of conditions that can lock your system or cause damage to your data.
Example:
WARNING!
Do not log in using SSH—this kills your session and causes your session to hang.
Bold Font
Bold font indicates the text that appears on a window or screen.
Example:
6 If the Domains connection method is enabled (Credentials tab, enabled check box), you must
specify your Windows domain controller here.
Task Paragraph
Task paragraphs summarize the instructions that follow.
Example:
To enter LDAP information:
Italic Text
Italic text is used in the following cases:
● Showing emphasis—
Low – You are not protected from potentially unsafe macros. (Not recommended).
● Introducing new terms—
The SMS server contains a database of logical groups with common attributes called collections. SMS
operates only on clients (endpoints) that are members of a collection.
● Indicating document titles—
Sentriant AG Software Installation Guide
● Indicating a variable entry in a command—
https://<IP_address>/index.html
In this case, you must replace <IP_address> with the actual IP address, such as 10.0.16.99. Do not
type the angled brackets.
Courier Font
Courier font is used in the following cases:
● Indicating path names—
Change the working directory to the following:
C:\Program Files\<MyCompany>\Sentriant AG Agent
● Indicating text; enter exactly as shown—
Enter the following URL in the browser address field:
https://<IP_address>/index.html
In this case, you must replace <IP_address> with the actual IP address, such as 10.0.16.99. Do not
type the angled brackets.
● Indicating file names—
SAIASConnector.ini
Angled Brackets
Angled brackets enclose variable text that needs to be replaced with your specific values.
Example:
https://<IP_address>/index.html
In this case, you must replace <IP_address> with the actual IP address, such as 10.0.16.99. Do not type
the angled brackets.
Square Brackets
Square brackets are used in the following cases:
● Indicating keys to press on the keyboard—
[Ctrl]+[Shift]+[r]
● Indicating a variable section in a *.INI file—
[Global]
NASList=192.168.200.135
● Indicating a list in a properties file—
Compliance.ObjectManager.DHCPConnectorServers=[192.168.51.130, 192.168.99.1]
Terms
Terms are defined in the “Glossary” on page 497.
Example:
MAC
Media Access Control—The unique number that identifies a physical
endpoint. Generally referred to as the MAC address.
Copying Files
Whenever you copy a file from one machine to another, copy it using a secure copy utility that uses the
Secure Shell (SSH) protocol. The exact syntax of the copy command will vary based on the utility you
use.
Example:
7 Copy the /usr/local/nac/properties/NACAVPs.txt file from the Sentriant AG server to the ACS
server using PSCP (or other secure copy utility).
SCP
scp is a Linux/UNIX command used to copy files between Linux/UNIX machines. It has the following
syntax:
scp user@source:/directory/file user@destination:/directory/file
scp is included with Linux/UNIX.
PSCP
pscp is a program used to copy files between Windows and Linux/UNIX machines.
To use pscp, you must first save it from the following location to the Windows machine:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Next, open a DOS (command) window on the Windows machine, and enter the commands as follows:
To copy a file from a Linux machine to a Windows machine, enter the following:
<pscp directory>\pscp fred@example.com:/etc/hosts c:\temp\example-hosts.txt
You will be prompted to enter a password for the Linux/UNIX machine.
To copy a file from a Windows machine to a Linux machine, enter the following:
<pscp directory>\pscp c:\documents\foo.txt fred@example.com:/tmp/foo
You will be prompted to enter a password for the Linux/UNIX machine.
NOTE
You can either enter the path to the PSCP.EXE file as part of the command, or cd to the directory where you saved
the PSCP.EXE file before entering the pscp command.
Users’ Guide Online Help
In Sentriant AG, the help links in the product open an HTML version of the Sentriant AG documents.
The PDF version is still available from the Online Help by clicking the Open Users’ guide or Open
Installation guide PDF links in the HTML document. This section briefly describes the key components
to the HTML version. The online help contains the same content as this Users’ guide.
When you click a help link from within Sentriant AG, the help topic opens in a new window, as shown
in the following figure:
Figure 8: Online help
The following options are available:
● Previous – Click the upward pointing icon to go to the previous page.
● Next – Click the downward pointing icon to go to the next page.
● Print topic – Click the printer icon to print the current topic.
● Bread crumbs – Click on any of the non-gray links in the bread crumbs trail to go to that section.
● Open PDF – Click the Open PDF file link to open the PDF file.
NOTE
To print the entire document, open and print the PDF file. Selecting the print icon in the HTML version will print
only the topic you are viewing.
Click anywhere in the Contents pane to navigate through the document.
To view the index:
Online help document>>Show navigation icon>>Index tab
Figure 9: Index tab
1 Click on a letter link at the top of the index column to see the index entries.
2 Click on an index entry to see the location in the text.
3 Click on cross reference items in highlighted text to see more information on these items.
To search for a term:
Online help document>>Show navigation icon>>Search tab
Figure 10: Search tab
1 Enter a term in the search box.
2 Click Go.
3 Click on one of the results returned to display it in the right-side pane.
4 Click on the red arrow to see the contents of the collapsed section of the document.
NOTE
Red arrows that point to the right denote collapsed sections. The default is for these sections to show as closed.
Clicking on these red arrows turns them downward to open their content.
2 Clusters and Servers
Sentriant AG introduces clusters and servers. A cluster is a logical grouping of one or more ESs that are
managed by one MS.
A single-server installation is one where the MS and ES are on one server. The ES is assigned to a
Default cluster. This configuration is illustrated in Figure 11.
A multiple-server installation is one where the MS is on one server and there are one or more ESs on
separate servers. Each ES must be assigned to a cluster. This configuration is illustrated in Figure 12.
The responsibilities of the MS and ES are as follows:
● MS
  ■ Configuration
  ■ NAC policies
  ■ Quarantining
  ■ Endpoint activity
  ■ License
  ■ Test updates
● ES
  ■ Testing
  ■ Access control
The quarantine method is defined per cluster; all of the ESs in a given cluster use the same quarantine
method (Inline, DHCP, or 802.1X). When using multiple clusters, each cluster can have a different
quarantine method. Clusters cooperate to test and control access to the network, although the ESs in
each cluster are not able to communicate with any ES in any other cluster.
Single-server Installation
The simplest installation is where the MS and ES are installed on the same physical server as shown in
the following figure:
Figure 11: Single-server Installation
Multiple-server Installations
By using at least three servers, one for the MS and two for ESs, you gain the advantage of high
availability and load balancing.
High availability is where ESs take over for any other ES or servers that become unavailable. Load
balancing is where the testing of endpoints is spread evenly over all of the ESs. A three-server
installation is shown in the following figure:
Figure 12: Multiple-server Installation
When your network is more complex, you can continue to add clusters as shown in the following
figure:
Figure 13: Multiple-server, Multiple-cluster Installation
The system configuration area allows you to select default settings for all clusters, as well as override
the default settings on a per-cluster basis. See “System Configuration” on page 51 for task-based
instructions.
The following recommendations should be followed when configuring your network for best
performance results:
● A maximum of 300,000 endpoints per MS (4 GB RAM required)
● A maximum of five ESs per cluster
● A maximum of 3000 endpoints per ES
● There is no inherent limitation in the number of clusters per MS
When these recommendations are followed, the following applies:
● 80% of the 3000 endpoints will be tested in 30 seconds or less
● All endpoints are returned to the proper status within 15 minutes after a network recovery (power
failure, all endpoints attempting to reconnect, 3000 endpoints per ES)
3 System Configuration
The System configuration window allows the system administrator to set the operating parameters for
Sentriant AG.
Introduction
User logins and associated user roles determine the access permissions for specific functionality within
Sentriant AG. The following table shows the default home window menu options that are available by
user role:
Table 4: Default Menu Options
User role: Home window menu options available
System Administrator: Endpoint activity, NAC policies, System monitor, Reports, System configuration
Cluster Administrator: Endpoint activity, System monitor, Reports, Enforcement clusters & servers
Help Desk Technician: Endpoint activity, Reports
View-Only User: Endpoint activity, Reports
Only a system administrator can assign access permissions and access the System configuration
window. See Figure 1 on page 24 for the Sentriant AG home window of a user with system
administration permissions. If you do not see the System configuration menu option, you do not have
system administrator permissions.
Sentriant AG configuration includes the following:
● Enforcement clusters & servers—“Enforcement Clusters and Servers” on page 52
● MS—“Management Server” on page 64
● User accounts—“User Accounts” on page 71
● User roles—“User Roles” on page 78
● License—“License” on page 82
● Test updates—“Test Updates” on page 83
● Quarantining—“Quarantining, General” on page 86
● Maintenance—“Maintenance” on page 129
● Cluster setting defaults
  ■ Testing Methods—“Testing Methods” on page 132
  ■ Accessible services—“Accessible Services” on page 134
  ■ Exceptions—“Exceptions” on page 136
  ■ Notifications—“Notifications” on page 138
  ■ End-user screens—“End-user Screens” on page 140
  ■ Agentless credentials—“Agentless Credentials” on page 143
  ■ Logging—“Logging” on page 146
  ■ Advanced—“Advanced Settings” on page 147
NOTE
You can override any of the cluster default settings on a per-cluster basis.
Enforcement Clusters and Servers
The Enforcement clusters & servers menu option (Figure 16 on page 56) is where you configure
Enforcement clusters and servers. You can perform the following tasks:
● Enforcement clusters
  ■ Add, edit, or delete Enforcement clusters
  ■ Set operating parameters for specific Enforcement clusters, which differ from the default
    Enforcement cluster and server settings set up on the System configuration window
  ■ View available Enforcement clusters and associated servers
  ■ View status of Enforcement clusters and servers
  ■ Select cluster access mode (normal or allow all)
● ESs
  ■ Add, edit, or delete ESs
  ■ Set ES network settings, date and time, and password
  ■ View available ESs
  ■ View status, memory usage, and disk space usage of ESs
Enforcement Clusters
Adding an Enforcement Cluster
To add an Enforcement cluster:
Home window>>System configuration>>Enforcement clusters & servers
Figure 14: System Configuration, Enforcement Clusters & Servers
1 Click Add an Enforcement cluster in the Enforcement clusters & servers area. The Add
Enforcement cluster window appears. The General area is displayed by default.
Figure 15: Add Enforcement Cluster
a Enter a name for the Enforcement cluster in the Cluster name field.
b Select a NAC policy group from the NAC policy group drop-down list (see “NAC Policies” on
page 213).
2 Click Quarantining in the Add Enforcement cluster window. Complete the steps described in
“Quarantining, General” on page 86.
NOTE
You can also access the quarantine area Enforcement cluster by clicking Quarantining in the System configuration
window (see “Quarantining, General” on page 86 for more information).
3 The following cluster settings take on default values set from the System configuration window. To
set up operating parameters that differ from those default settings, select the menu item of the
settings you want to change, then select the For this cluster, override the default settings check box,
and make the desired changes. Refer to the sections listed below to set up the default values, or for
more information on the specific settings.
  ■ Testing methods—See “Testing Methods” on page 132
  ■ Accessible services—See “Accessible Services” on page 134
  ■ Exceptions—See “Exceptions” on page 136
  ■ Notifications—See “Notifications” on page 138
  ■ End-user screens—See “End-user Screens” on page 140
  ■ Agentless credentials—See “Agentless Credentials” on page 143
  ■ Logging—See “Logging” on page 146
  ■ Advanced—See “Advanced Settings” on page 147
Editing Enforcement Clusters
To edit the Enforcement clusters settings:
Home window>>System configuration>>Enforcement clusters & servers
1 Click the cluster you want to edit. The Enforcement cluster window appears, as shown in Figure 16
on page 56.
2 Click a menu option to access the cluster settings:
  ■ General
  ■ Quarantining
  ■ Testing methods
  ■ Accessible services
  ■ Exceptions
  ■ Notifications
  ■ End-user screens
  ■ Agentless credentials
  ■ Logging
  ■ Advanced
3 Enter or change information in the fields you want to modify, as described in “Adding an
Enforcement Cluster” on page 53.
4 Click ok.
Viewing Enforcement Cluster Status
There are two ways Sentriant AG provides Enforcement cluster status:
● The icons next to the cluster name (see Figure 17 on page 57)
● The Enforcement cluster window (see the following steps)
To view Enforcement cluster statistics:
Home window>>System configuration>>Enforcement clusters & servers
Click a cluster name, for example Austin. The Enforcement cluster window appears:
Figure 16: Enforcement Cluster, General
The statistics shown in this window are per cluster, where the statistics shown in the Home window are
system-wide. See “System Monitor” on page 24 for column descriptions.
Deleting Enforcement Clusters
NOTE
Enforcement clusters need to be empty before the delete option appears next to the name in the Sentriant AG user
interface.
To delete Enforcement clusters:
Home window>>System configuration>>Enforcement clusters & servers
1 Click delete next to the cluster you want to remove. The Delete Enforcement cluster confirmation
window appears.
2 Click yes. The System configuration window appears (Figure 14).
Enforcement Servers
Adding an ES
To add an ES:
Home window>>System configuration>>Enforcement clusters & servers
Figure 17: System Configuration, Enforcement Clusters & Servers
1 Click Add an Enforcement server in the Enforcement clusters & servers area. The Add
Enforcement server window appears.
Figure 18: Add Enforcement Server
2 Select a cluster from the Cluster drop-down list.
3 Enter the IP address for this ES in the IP address text box.
4 Enter the fully qualified hostname to set on this server in the Host name text box.
5 Enter one or more DNS resolver IP addresses, separated by commas, semicolons, or spaces, in the
DNS IP addresses text box. For example, 10.0.16.100,10.0.1.1
6 Enter the password to set for the root user of the ES server’s operating system in the Root password
text box.
7 Re-enter the password to set for the root user of the ES server’s operating system in the Re-enter
root password text box.
8 Click ok.
Cluster and Server Icons
To view the cluster and server icons:
Home window>>System configuration>>Enforcement clusters & servers
1 Move the mouse over the legend icon. The legend pop-up window appears.
2 Move the mouse away from the legend icon to hide the pop-up window.
Figure 19: Enforcement Cluster Legend
Editing ESs
To edit ES settings:
Home window>>System configuration>>Enforcement clusters & servers
1 Click the ES you want to edit. The Enforcement server window appears, as shown in Figure 20 on
page 60.
2 Click the Configuration menu option to access the Enforcement Server’s settings. The Configuration
area is displayed:
Figure 20: Enforcement Server
3 Edit the following settings:
  ■ ES Network settings—“Changing the ES Network Settings” on page 60
  ■ ES Date and time—“Changing the ES Date and Time” on page 61
  ■ ES SNMP settings—“Modifying the ES SNMP Settings” on page 62
  ■ Other settings—“Modifying the ES root Account Password” on page 62
4 Click ok.
Changing the ES Network Settings
CAUTION
Back up your system immediately after changing the MS or ES IP address. If you do not back up with the new IP
address, and later restore your system, it will restore the previous IP address which can show an ES error condition
and cause authentication problems. See “Maintenance” on page 129 for instructions on backing up and restoring
your system.
To change the ES network settings:
Home window>>System configuration>>Enforcement clusters & servers>>Select an ES>>Configuration
Modify any of the following Network settings you want to change:
● Enter a new ES host name in the Host name text field. For example, garp.mycompany.com
● Enter a new ES address in the IP address text field. For example, 192.168.153.35
● Enter a new netmask in the Network mask text field. For example, 255.255.255.0
● Enter a new gateway in the Gateway IP address text field. For example, 192.168.153.2
● Enter one or more DNS resolver IP addresses, separated by commas, semicolons, or spaces, in the
DNS IP addresses text box. For example: 10.0.16.100,10.0.1.1
NOTE
The Sentriant AG ES host name must be a fully qualified domain name (FQDN): it must include the host and the
domain name, including the top-level domain. For example, waldo.mycompany.com. Select names that are short,
easy to remember, have no spaces or underscores, and whose first and last character are not a dash (-).
NOTE
You cannot change the ES IP address for a single-server installation. You can change the MS IP address for a single-server installation.
Changing the ES Date and Time
To change the ES date and time:
Home window>>System configuration>>Enforcement clusters & servers>>Select an ES>>Configuration
1 Select a Region from the Region drop-down list in the Date and time area.
2 Select a time zone from the Time zone drop-down list.
3 Click ok.
NOTE
See “Selecting the Time Zone” on page 69 for information on changing the time zone settings for the MS.
WARNING!
Manually changing the date/time by a large amount (other than a time zone change) will require a restart of all
servers. Rolling back the clock will have adverse effects on the system.
Modifying the ES SNMP Settings
To change the ES SNMP settings:
Home window>>System configuration>>Enforcement clusters & servers>>Select an ES>>Configuration
1 Select the Enable SNMP check box.
2 Enter a Read community string, such as Public2.
3 Enter the Allowed source network. This value must be either default or a network specified in
CIDR notation.
Modifying the ES root Account Password
To change the ES root account password:
Home window>>System configuration>>Enforcement clusters & servers>>Select an ES>>Configuration
1 Enter the new password in the Root password text box in the Other settings area.
2 Re-enter the password in the Re-enter root password text box.
3 Click ok.
Viewing ES Status
There are two ways Sentriant AG provides ES status:
● The icons next to the server name (see Figure 19 on page 59)
● The Status window (see the following steps). The Enforcement server window allows you to view
the following information:
  ■ Health status
  ■ Upgrade status
  ■ Process/thread status
  ■ System load average for the server
  ■ Current endpoints being tested/minute for the server
  ■ Percentage of memory used on the server
  ■ Disk space usage for the server
To view ES status:
Home window>>System configuration>>Enforcement clusters & servers
1 Click the server for which you want to view the status. The Enforcement server window appears:
Figure 21: Enforcement Server, Status
2 Click ok or cancel.
Deleting ESs
NOTE
Servers need to be powered down for the delete option to appear next to the name in the Sentriant AG user
interface.
To delete ESs:
Home window>>System configuration>>Enforcement clusters & servers
1 Click delete next to the server you want to remove from the cluster. The Delete Enforcement server
confirmation window appears.
2 Click yes. The System configuration window appears.
ES Recovery
If an existing ES goes down and comes back up, it can participate in its assigned cluster, even if the MS
is not available.
When a new ES is created, the MS must be available before the ES can participate in a cluster.
Management Server
Viewing Network Settings
To view MS status:
Home window>>System configuration>>Management server
Figure 22: System Configuration, Management Server
1 Server status is shown in the Network settings area.
2 Click ok or cancel.
Modifying MS Network Settings
CAUTION
Back up your system immediately after changing the MS or ES IP address. If you do not back up with the new IP
address, and later restore your system, it will restore the previous IP address which can show an ES error condition
and cause authentication problems. See “Maintenance” on page 129 for instructions on backing up and restoring
your system.
To modify MS network settings:
Home window>>System configuration>>Management server
WARNING!
Changing the MS network settings will cause the network interface to restart.
1 Click edit network settings in the Network settings area.
Figure 23: Management Server Network Settings
2 Enter the values you want to modify:
  ■ Enter a new name in the Host name text field. For example, garp.mycompany.com
NOTE
Select names that are short, easy to remember, have no spaces or underscores, and the first and last character
cannot be a dash (-).
  ■ Enter a new address in the IP address text field. For example, 192.168.153.35
  ■ Enter a new netmask in the Network mask text field. For example, 255.255.255.0
  ■ Enter a new gateway in the Gateway IP address text field. For example, 192.168.153.2
  ■ Enter one or more DNS resolver IP addresses, separated by commas, semicolons, or spaces, in the
    DNS IP addresses text box. For example: 10.0.16.100,10.0.1.1
3 Click ok.
Selecting a Proxy Server
Connecting to the Internet is necessary for updating tests, validating license keys, and sending support
packages.
To select a proxy server:
Home window>>System configuration>>Management server
1 Select Use a proxy server for Internet connections.
2 Enter the IP address or hostname of the server that will act as the proxy for Internet connections in
the Proxy server IP address text field.
3 Enter the port used for connecting to the proxy server in the Proxy server port text field.
4 If your proxy server requires authentication, select the Proxy server is authenticated check box.
a Authentication method—Select the scheme used to authenticate credentials on the proxy server.
The following methods are supported:
  ● Basic (not recommended)—The original and most compatible authentication scheme for HTTP.
    Also the least secure because it sends the user ID and password to the server unencrypted.
  ● Digest—Added in the HTTP 1.1 protocol, this scheme is significantly more secure than basic
    authentication because it never transfers the actual password across the network, but instead
    uses it to encrypt a "nonce" value sent from the server.
  ● Negotiable—Using this scheme, the client and the proxy server negotiate a scheme for
    authentication. Ultimately, either the basic or digest scheme will be used.
b Enter the ID of a user account on the proxy server in the User name text box.
c Enter the password of the user account specified in the User name text box in the Password text
box.
d Re-enter the password.
5 Click ok.
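To make the difference between the Basic and Digest proxy schemes concrete, the following Python is an added example, not part of this guide or of Sentriant AG's proxy client. It builds the Proxy-Authorization value for both schemes from the same credentials: with Basic, the password is recovered by a single base64 decode; with Digest, only an MD5 response derived from the password and the proxy's nonce is sent (the operation the guide describes as using the password to encrypt the nonce), and the proxy verifies it from a stored HA1 without ever holding the plaintext password. The realm, nonce, user name, password and target host are constructed values for this example; the Digest form shown is the RFC 2617 variant without the qop parameter.

```python
import base64
import hashlib
import hmac

# Constructed values for this example's proxy exchange; nothing here comes from a real proxy.
REALM = "proxy.mycompany.com"                    # realm the proxy sends in Proxy-Authenticate
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"     # server-chosen nonce for this exchange
METHOD, URI = "CONNECT", "updates.example.com:443"


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def basic_proxy_authorization(user: str, password: str) -> str:
    """Basic scheme: user ID and password travel base64-encoded, which is not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header: str) -> tuple[str, str]:
    """Anyone who can read a Basic header recovers the password with one decode."""
    user, password = base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
    return user, password


def stored_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); a Digest proxy can store this instead of the password."""
    return _md5_hex(f"{user}:{realm}:{password}")


def digest_proxy_authorization(user: str, password: str, realm: str,
                               nonce: str, method: str, uri: str) -> dict:
    """Digest scheme (RFC 2617, no qop): only MD5(HA1:nonce:HA2) leaves the client."""
    ha1 = stored_ha1(user, realm, password)
    ha2 = _md5_hex(f"{method}:{uri}")
    return {
        "username": user,
        "realm": realm,
        "nonce": nonce,
        "uri": uri,
        "response": _md5_hex(f"{ha1}:{nonce}:{ha2}"),
    }


def proxy_verifies_digest(ha1: str, fields: dict, method: str, issued_nonce: str) -> bool:
    """Proxy side: recompute the response from the stored HA1 and the nonce it issued."""
    if not hmac.compare_digest(fields["nonce"], issued_nonce):
        return False  # a response built on a nonce the proxy did not issue is rejected
    ha2 = _md5_hex(f"{method}:{fields['uri']}")
    expected = _md5_hex(f"{ha1}:{issued_nonce}:{ha2}")
    return hmac.compare_digest(fields["response"], expected)


if __name__ == "__main__":
    basic = basic_proxy_authorization("fred", "s3cret")
    print(basic, "->", decode_basic(basic))
    digest = digest_proxy_authorization("fred", "s3cret", REALM, NONCE, METHOD, URI)
    print(digest)
    print(proxy_verifies_digest(stored_ha1("fred", REALM, "s3cret"), digest, METHOD, NONCE))
```

Digest keeps the password off the wire, but the response is a hash of it, so anyone who records the exchange can test password guesses against it offline; the account used on the proxy still needs a strong password, and the nonce check is what stops a recorded response from simply being presented again.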
Setting the Date and Time
The Date and time area allows you to configure the following:
● Allow automatic synchronization with an NTP server
● Manually set date and time for the MS
● Edit date and time:
  ■ Set time zone
  ■ Set date
  ■ Set time
NOTE
Date and time settings are applied to the MS; however, you can set the time zone for each ES.
Automatically Setting the Time
To automatically set the time:
Home window>>System configuration>>Management server
1 Select Automatically receive NTP updates from and enter one or more Network Time Protocol
(NTP) servers, separated by commas. The NTP protocol allows Sentriant AG to synchronize its date
and time with other endpoints on your network. For example, time.nist.gov.
2 Click ok.
NOTE
Use of NTP is strongly recommended.
Manually Setting the Time
To manually set the time:
Home window>>System configuration>>Management server
1 Select Manually set date & time.
2 Click edit. The Date and time window appears:
Figure 24: Date & Time
3 Select the correct date and time.
4 Click ok.
5 Click ok.
CAUTION
Manually changing the date/time by a large amount (other than a time zone change) will require a restart of all servers.
Rolling back the clock will have adverse effects on the system.
Selecting the Time Zone
To set the time zone:
Home window>>System configuration>>Management server
1 Select the following:
a Select a region from the Region drop-down list in the Date and time area.
b Select a time zone from the Time zone drop-down list.
2 Click ok.
Enabling SNMP
To select SNMP settings:
Home window>>System configuration>>Management server>>SNMP settings
1 Select the Enable SNMP check box to select the SNMP settings.
a Enter the SNMP read community string.
b Enter the SNMP allowed source network. The value must be either “default” or a network
specified in CIDR notation.
2 Select the Outgoing SNMP notifications check box.
3 Enter a comma-separated list of IP addresses or hostnames that can receive the SNMP notifications.
4 Enter the community string used to authorize SNMP notifications from Sentriant AG.
5 Select one or both of the following:
a Select the Resend notifications check box and enter the resend interval, for example 60.
NOTE
NAC policy tests can be configured such that if an endpoint fails the test, it will be granted network access
temporarily. In these cases, it might be desirable not to send an SNMP notification.
b Select the Do not send notifications when an endpoint has been granted temporary network
access check box to disable these notifications.
Modifying the MS root Account Password
To change the MS root account password:
Home window>>System configuration>>Management server
1 Enter the new password in the Root password text box in the Other settings area.
2 Re-enter the password in the Re-enter root password text box.
3 Click ok.
Checking for Sentriant AG Upgrades
To check for system upgrades:
Home window>>System configuration>>Management server
1 Click check for upgrades in the System upgrade area. A progress window appears.
2 If your license is expired, you will get a System upgrade error window that provides instructions on
how to renew your license.
3 A status window appears indicating if upgrades are available.
a If no upgrades are available, click ok to clear the status window.
b Click ok to return to System configuration.
c If an upgrade is available, click yes to upgrade your system.
CAUTION
Downloading all the software for an upgrade can take several hours. You can continue to use Sentriant AG
during the download process. Sentriant AG will automatically shut down and restart after the software downloads.
NOTE
Since upgrading can take longer than the default timeout (45 minutes) setting of the Sentriant AG Update, Extreme
Networks, Inc. recommends that you increase the timeout value when you have limited bandwidth by performing the
steps described in “Changing the Sentriant AG Upgrade Timeout”.
Changing the Sentriant AG Upgrade Timeout
Since upgrading can take longer than the default timeout (45 minutes) setting of the Sentriant AG
Update, Extreme Networks, Inc. recommends that you increase the timeout value when you have
limited bandwidth by performing these steps.
To change the inactivity timeout value for upgrades:
Command window
1 Log in to the Sentriant AG server as root, either using SSH or directly with a keyboard.
2 Enter the following at the command line:
setProperty.py -m Compliance.UpgradeManager.UpgradeTimeout=<minutes>
Where:
<minutes> is the number of minutes of inactivity Sentriant AG will wait before assuming the
upgrade failed. For example, 30. The default value is 45.
User Accounts
Sentriant AG allows you to create multiple user accounts. User accounts provide and limit access to
Sentriant AG functions based on permissions (user roles) and clusters assigned. See “User Roles” on
page 78 for more information on setting permissions for the user roles.
The User accounts menu option allows you to do the following:
● View user accounts
● Search by user ID, user name, or email address
● Add a user account
● Edit a user account
● Delete a user account
Adding a User Account
To add a user account:
Home window>>System configuration>>User accounts
Figure 25: System Configuration, User Accounts
1 Click Add a user account. The Add user account window appears:
Figure 26: Add User Account
2 Enter the following information:
■ User ID—The user ID used to log into Sentriant AG
■ Password—The password used to log into Sentriant AG
■ Full name—The name associated with the user account
■ Email address—The email address used for notifications
3 Select an Account status:
■ enabled—This status allows an account to log into the user interface
■ disabled—This status prevents an account from logging into the user interface
4 In the User roles area, select one of the following default roles for the user account: (See “User
Roles” on page 78 for more information about user roles and permissions associated with user roles.)
■ Cluster Administrator
■ View-Only User
■ System Administrator
■ Help Desk Technician
■ You can select a custom user role if you have created any.
NOTE
Users must be assigned at least one role.
5 In the Clusters area, select a cluster or clusters.
NOTE
Users must be assigned at least one Enforcement cluster.
6 Click ok.
Table 5: Default User Roles
User Role Name
Description
Cluster Administrator
For their clusters, users having this role can configure their
assigned clusters, view endpoint activity, change endpoint
access control, retest endpoints, and generate reports.
View-Only User
Users having this role can view endpoint activity and generate
reports about their clusters.
System Administrator
Users having this role have all permissions.
Help Desk Technician
For their clusters, users having this role can view endpoint
activity, change endpoint access control, retest endpoints, and
run reports.
User-defined role
Create your own user roles and definitions.
Searching for a User Account
To search for a user account:
Home window>>System configuration>>User accounts
1 Select one of the following from the Search drop-down list:
■ user ID
■ full name
■ email address
2 Enter the text to search for in the for field.
3 Click search.
NOTE
Click reset to clear the text field and to refresh the display to show all accounts after a search.
Sorting the User Account Area
To sort the user account area:
Home window>>System configuration>>User accounts
Click the column heading for user id, full name, email address, user roles, or clusters. The user
accounts reorder according to the column heading selected. Click the column heading again to change
from ascending to descending.
Copying a User Account
To copy a user account:
Home window>>System configuration>>User accounts
1 Click copy next to the user account you want to duplicate. The Copy user account window appears.
The account information is duplicated from the original account.
Figure 27: Copy User Account
2 Enter the User ID of the new account.
3 Enter the Password.
4 Re-enter the password.
5 Select the Account status (enable or disable).
6 Select the User role for the account.
7 Select the Clusters that the user account can access.
8 Click ok.
Editing a User Account
To edit a user account:
Home window>>System configuration>>User accounts
1 Click the name of the user account that you want to edit. The User account window appears:
Figure 28: User Account
2 Change or enter information in the fields you want to change. See “Adding a User Account” on
page 71 for information on user account settings.
3 Click ok.
Deleting a User Account
You must always have at least one account with System Administrator permissions.
CAUTION
Do not delete or edit the account with which you are currently accessing the interface. Doing so can produce an
error and lock you out of the interface until your session has timed out.
To delete a user account:
Home window>>System configuration>>User accounts
1 Click delete next to the user account you want to remove. The Delete user account confirmation
window appears.
2 Click yes.
User Roles
The User roles menu option allows you to configure the following:
● View current user roles and details associated with those roles
● Add a new user role
  ■ Name the new user role
  ■ Provide a detailed description for the new user role
  ■ Assign permissions to the new user role
● Edit a user role
  ■ Edit the name of the user role
  ■ Edit the detailed description of the user role
  ■ Edit the assigned permissions for the user role
● Delete a user role
Adding a User Role
To add a user role:
Home window>>System configuration>>User roles
Figure 29: System Configuration, User Roles
1 Click add a user role in the User roles area. The Add user role window appears.
Figure 30: Add User Role
2 Enter a descriptive name in the Role name field.
3 Enter a description of the role in the Description field.
4 Select the permissions for the user role. For more information about permissions, see the following table:
Table 6: User Role Permissions
Permission
Description
Configure clusters
Allows you to add clusters, configure the settings of all your assigned clusters,
and delete any of your clusters.
Configure servers
Allows you to configure all servers within your clusters
Configure the system
Allows you to configure all system-level settings
View system alerts
Allows you to view system alerts on your home screen
Generate reports
Allows you to generate reports about any of your assigned clusters
Manage NAC policies
Allows you to manage the NAC policies for all of your clusters
View endpoint activity
Allows you to view details about all endpoints in your clusters
Monitor system status
Allows you to monitor the system status
Control Access
Allows you to quarantine or grant network access to endpoints in your clusters
Retest endpoints
Allows you to have endpoints in your clusters retested
Editing User Roles
NOTE
You cannot edit the System Administrator user role.
To edit user roles:
Home window>>System configuration>>User roles
1 Click the role you want to edit. The user role window appears:
Figure 31: User Role
2 Enter the information in the fields you want to change. See “Adding a User Role” on page 78 for
information on user role settings.
3 Click ok.
Deleting User Roles
NOTE
You cannot delete the System Administrator role.
To delete user roles:
Home window>>System configuration>>User roles
1 Click delete next to the user role you want to remove. The Delete user role confirmation window
appears.
2 Click yes.
Sorting the User Roles Area
To sort the user roles area:
Home window>>System configuration>>User roles
1 Click the user role name or description column heading. The selected column sorts in ascending or
descending order.
2 Click ok.
License
The License menu option allows you to configure the following:
● Enter and submit a new license key
● View license start and end dates
● View number of days remaining on license, and associated renewal date
● View remaining endpoints and servers available under license
Updating Your License Key
To update your license key:
Home window>>System configuration>>License
Figure 32: System Configuration, License
1 The license key should be pre-populated from the first-time login (as described in the Software
Installation Guide). If you need to update your license key, in the New license key field, enter your
Sentriant AG license key, which Extreme Networks, Inc. sends to you by email. Copy and paste the
license key directly from the text file.
NOTE
The double-equal sign (==) is part of the license key. Include it with the rest of the numbers.
2 Click Submit Now.
Sentriant AG is enabled through the license key.
The license key is validated, and it appears in the Registered license key field.
3 Click ok on the license validated pop-up window.
Test Updates
The Test updates menu option allows you to configure the following:
● View last successful test update date/time
● Check for test updates (forces an immediate check for test updates)
● Set time or times for downloading test updates
● View test update logs
Manually Checking for Test Updates
To manually check for test updates:
Home window>>System configuration>>Test updates
Figure 33: System Configuration, Test Updates
1 In the Last successful test update area, click check for test updates.
2 Click ok.
NOTE
It is important to check for test updates during the initial configuration of Sentriant AG.
NOTE
See “Updating Rules without an Internet Connection” on page 398 to update tests with no Internet connection.
Selecting Test Update Times
To select test update times:
Home window>>System configuration>>Test updates
1 Using the hour check boxes, select the time periods in which you would like Sentriant AG to check
for available test updates.
By default, Sentriant AG checks once every hour using the Extreme Networks, Inc. Secure Rule
Distribution Center. All times listed are dependent upon the clock setting and time zone of the
hardware on which Sentriant AG is running.
2 Click ok.
Viewing Test Update Logs
To view test update logs:
Home window>>System configuration>>Test updates
1 Click the View test update log link just to the right of the Check for test updates button. The Test
update log window appears:
Figure 34: Test Update Log
The Test update log window legend is shown in the following figure:
Figure 35: Test Update Log Window Legend
Quarantining, General
The Quarantining menu option allows you to configure the following by cluster:
● Select the quarantine method
● Select the access mode
● Basic 802.1X settings
● Authentication settings
● Add, edit, delete 802.1X devices
Selecting the Quarantine Method
To select the quarantine method:
Home window>>System configuration>>Quarantining
Figure 36: System Configuration, Quarantining
1 Select a cluster.
2 In the Quarantine method area, select one of the following quarantine methods:
■ 802.1X—When using the 802.1X quarantine method, Sentriant AG must sit in a place on the
network where it can communicate with your RADIUS server, which communicates with your
switch or router, which performs the quarantining.
■ DHCP—When configured with a DHCP quarantine area, Sentriant AG must sit inline with your
DHCP server. All endpoints requesting a DHCP IP address are issued a temporary address on a
quarantine subnetwork. Once the endpoint is allowed access, the IP address is renewed, and the
main DHCP server assigns an address to the main LAN. With a multiple subnetwork or VLAN
network, one quarantine area must be configured for each subnetwork. See “Remote Device
Activity Capture” on page 313 for information on using multiple DHCP servers.
■ Inline—When using the inline quarantine method, Sentriant AG must be placed on the network
where all traffic to be quarantined passes through Sentriant AG. It must be inline with an
endpoint like a VPN.
3 Click ok.
Selecting the Access Mode
To select the access mode:
Home window>>System configuration>>Quarantining
1 Select one of the following in the Access mode area:
■ normal—Either allows or quarantines endpoints depending on the setup of the enforcement
server.
■ allow all—Endpoints are tested; however, they are always given access to the production
network.
NOTE
If you are setting up a cluster for the first time, and you have not yet added an ES, select allow all until you have
finished configuring Sentriant AG.
Quarantining, 802.1X
The 802.1X quarantine (enforcement) method is enabled by default.
To select the 802.1X quarantine method:
Home window>>System configuration>>Quarantining
1 Select a cluster.
2 In the Quarantine method area, select the 802.1X radio button.
3 Click ok.
Entering Basic 802.1X Settings
To enter basic 802.1X settings:
Home window>>System configuration>>Quarantining>>802.1X quarantine method radio button
1 In 802.1X enforcement mode, the Enforcement servers must be able to monitor DHCP conversations
and detect endpoints by sniffing network traffic as it flows between the DHCP server and the
endpoints. Select an Endpoint detection location radio button as follows:
■ Remote—In more complex deployments, it is often impossible (in the case of multiple
Enforcement servers or multiple DHCP servers) or undesirable to span switch ports. In this case
the DHCP traffic monitoring and endpoint detection can be run remotely by installing and
configuring the endpoint activity capture software on each DHCP server involved in the 802.1X
deployment. In this case, choose the remote option.
■ Local—In simple configurations, it is possible to span, or mirror, the switch port into which the
DHCP server is connected. The eth1 interface of the Enforcement server is then plugged into the
spanned port and endpoint traffic is monitored on the eth1 interface. In this case, choose the local
option.
2 Enter one or more non-quarantined subnets, separated by commas in the Quarantine subnets text
field. All subnets should be entered using CIDR addresses.
3 Select a RADIUS server type by selecting one of the following radio buttons:
■ Local—Enables a local RADIUS server on the ES which can be configured to perform
authentication itself or proxy to another server.
■ Remote IAS—Disables the local RADIUS server so that an IAS server configured with the NAC
IAS plug-in to point to an ES can be used instead. When possible, a local RADIUS server that
proxies to the IAS server should be the preferred configuration.
4 Click ok.
Authentication Settings
Selecting the RADIUS Authentication method
To select the RADIUS authentication method:
Home window>>System configuration>>Quarantining>>802.1X quarantine method radio button
1 Select the Local radio button in the Basic 802.1X settings area.
2 Select an End-user authentication method:
■ Manual—RADIUS server authentication settings are configured manually from the command
line. See “Enabling Sentriant AG for 802.1X” on page 282 for configuration information.
■ Windows domain—Authentication requests are handled by a Windows domain through the NTLM
protocol. The ES must be able to join the domain for this to work. See “Configuring Windows
Domain Settings” on page 90 for more information.
■ OpenLDAP—User credentials are queried from an OpenLDAP directory service. See
“Configuring OpenLDAP Settings” on page 92 for more information.
■ Proxy—Authentication requests are proxied to a remote RADIUS server configured to allow the
ES as a client NAS.
3 Click ok.
Configuring Windows Domain Settings
To configure Windows domain settings:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio
button>>Local radio button
1 Select Windows domain from the End-user authentication method drop-down list.
Figure 37: System Configuration, Windows Domain
2 Enter the Fully Qualified Domain Name (FQDN) of the domain to be joined in the Domain name
text field.
3 Enter the user name of an account with sufficient administrative rights to join an ES to the domain in
the Administrator user name text field.
4 Enter the password of the account entered into the Administrator user name field in the
Administrator password text field.
5 Enter the list of domain controllers, separated by commas, for this domain in the Domain
controllers text field.
6 To test the Windows domain settings:
a Select one of the following from the Server to test from drop-down list in the Test Windows
domain settings area:
● The ES in this cluster to test from, or
● The MS
NOTE
If you have a single-server installation, the Server to test from drop-down list is not available.
b To verify a specific set of user credentials in addition to the Windows domain settings, select the
Verify credentials for an end-user check box, and specify the following:
1) Enter the user name of the end-user in the User name text box.
2) Enter the password of the end-user in the Password text box.
3) Re-enter the password of the end-user in the Re-enter password text box.
c Click test settings.
7 Click ok.
Configuring OpenLDAP Settings
To configure OpenLDAP settings:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio
button>>Local radio button
1 Select OpenLDAP from the End-user authentication method drop-down list.
Figure 38: System Configuration, OpenLDAP
2 Enter the LDAP server hostname or IP address and optional port number in the Server text field. For
example: 10.0.1.2:636
3 Enter the DN under which LDAP searches should be done in the Identity text field. For example:
cn=admin,o=My Org,c=UA
4 Enter the password that authenticates the DN entered into the Identity text field in the Password
text field.
5 Type the same password you entered into the Password field in the Re-enter password field.
6 Enter the base DN of LDAP searches in the Base DN text field. For example: o=My Org,c=UA
7 Enter the LDAP search filter used to locate user objects from the name supplied by the endpoint in the
Filter text field. For example: (uid=%u)
8 Enter the LDAP attribute which contains end-user passwords in the Password attribute text field.
This is initially set to userPassword to use the universal password of the eDirectory user.
9 To use a secure Transport Layer Security (TLS) connection with the LDAP server that is verified with
a certificate authority:
a Select the Use a secure connection (TLS) check box.
b Enter a PEM-encoded file name that contains the CA certificate used to sign the LDAP server's
TLS certificate in the New certificate text field. Click Browse to search for file names. The current
certificate selected is shown by Current certificate.
10 To test the OpenLDAP settings:
a Select one of the following from the Server to test from drop-down list in the Test Windows
domain settings area:
● The ES in this cluster to test from, or
● The MS
b To verify a specific set of user credentials in addition to the OpenLDAP settings, select the Verify
credentials for an end-user check box, and specify the following:
1) Enter the user name of the end-user in the User name text box.
2) Enter the password of the end-user in the Password text box.
3) Re-enter the password of the end-user in the Re-enter password text box.
c Click test settings.
11 Click ok.
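To make the Filter and Base DN fields concrete, here is an added example (not Sentriant AG code, and not a statement of how the ES builds its query) that resolves the sample filter (uid=%u) against the sample base DN o=My Org,c=UA for a supplied user name; the name is escaped per RFC 4515 so that filter metacharacters in an end-user name are matched literally rather than changing the query, and the subtree scope is an assumption.

```python
"""Resolve an OpenLDAP end-user lookup of the kind configured above.

Added illustration only: the %u placeholder in the filter is replaced by the
user name an endpoint supplies, and the name is escaped as RFC 4515 requires
so that filter metacharacters in it are matched literally, not parsed.
"""

# Characters with special meaning inside an LDAP search filter (RFC 4515).
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def resolve_filter(filter_template: str, user_name: str) -> str:
    """Substitute the escaped user name for every %u in the template."""
    if "%u" not in filter_template:
        raise ValueError("filter template has no %u placeholder for the user name")
    return filter_template.replace("%u", escape_filter_value(user_name))


def build_search(base_dn: str, filter_template: str, user_name: str,
                 password_attribute: str = "userPassword") -> dict:
    """Describe the search that locates the end-user's object.

    The search runs under the Identity DN configured in step 3 and reads the
    password attribute from step 8. Subtree scope is an assumption made for
    this illustration.
    """
    return {
        "base": base_dn,
        "scope": "subtree",
        "filter": resolve_filter(filter_template, user_name),
        "attributes": [password_attribute],
    }


if __name__ == "__main__":
    # Values taken from the configuration steps above; the user name is constructed.
    search = build_search("o=My Org,c=UA", "(uid=%u)", "jdoe")
    print(search["filter"])  # (uid=jdoe)
    # A name carrying filter metacharacters is escaped, not interpreted.
    print(resolve_filter("(uid=%u)", "*)(uid=*"))  # (uid=\2a\29\28uid=\2a)
```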
Adding 802.1X Devices
To add an 802.1X device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add
an 802.1X device
Figure 39: Add 802.1X Device
1 Enter the IP address of the 802.1X device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign
packets between the device and RADIUS server.
NOTE
See your system administrator to obtain the shared secret for your switch.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select an 802.1X device from the Device type drop-down list.
6 Enter the configuration settings for the specific device:
■ Cisco IOS—See “Cisco IOS” on page 97.
■ Cisco CatOS—See “Cisco CatOS” on page 99.
■ Enterasys—See “Enterasys” on page 102.
■ Extreme ExtremeWare—See “Extreme ExtremeWare” on page 103.
■ Extreme XOS—See “Extreme XOS” on page 105.
■ Foundry—See “Foundry” on page 106.
■ HP ProCurve switch—See “HP ProCurve Switch” on page 108.
■ HP ProCurve WESM—See “HP ProCurve WESM xl or HP ProCurve WESM zl” on page 111.
■ HP ProCurve 420/530 AP—See “HP ProCurve 420 AP or HP ProCurve 530 AP” on page 114.
■ Nortel—See “Nortel” on page 116.
■ Other—See “Other” on page 117.
7 Click ok.
Testing the Connection to a Device
The test connection area has different options based on the switch you select:
● Cisco CATOS, Cisco IOS, Enterasys, Extreme, Foundry switches—See Figure 40.
● ProCurve, Nortel, Other switches—See Figure 41.
To test the connection to an 802.1X device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button
NOTE
You must have already added devices for them to appear in the 802.1X devices area. You can also test the device as
you add it.
1 In the 802.1X devices area, click edit next to the device you want to test. The 802.1X device window
appears. The Test connection to this device area is near the bottom of the window:
Figure 40: Add 802.1X Device, Test Connection Area Option 1
Figure 41: Add 802.1X Device, Test Connection Area Option 2
2 For ProCurve, Nortel, Other switches (Figure 40):
a Select the Method to execute the re-authentication command in test:
● 802.1X
● MAC auth
b Enter the port of the endpoint being tested in the Port text field.
c Enter the MAC address of the endpoint being tested in the MAC address text field.
3 For Cisco CATOS, Cisco IOS, Enterasys, Extreme, Foundry switches (Figure 41), if you want to
include the re-authentication command as part of the test, select the Re-authenticate an endpoint
during test check box and:
a Enter the port of the endpoint being tested in the Port text field.
b Enter the MAC address of the endpoint being tested in the MAC address text field.
NOTE
You must enter the port, the MAC address, or both, depending on the re-authentication OID.
4 Click test connection to this device.
Cisco IOS
To add a Cisco IOS device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add
an 802.1X device
Figure 42: Add Cisco IOS Device
1 Enter the IP address of the Cisco IOS device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign
packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select Cisco IOS from the Device type drop-down list.
6 Select telnet or SSH from the Connection method drop-down list.
7 Enter the User name with which to log into the device's console.
8 Enter the Password with which to log into the device's console.
9 Re-enter the console password.
10 Enter the Cisco port mask in the text field. This specifies which characters within the endpoint
identifier returned by the Cisco device contain the bank and port information of the endpoint. All
offsets start at 0, so a mask of 2/34 indicates character 3 for the bank and characters 4 and 5 for the
port. If the Cisco device were to return 50210 for an endpoint, a port mask of 2/34 would indicate
that the endpoint is on bank 2 and port 10 (2/10), where 210 are the third, fourth and fifth bytes in
the identifier.
11 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet /SSH console
can remain idle or unused before it is reset.
12 Select the Show scripts plus symbol to show the following scripts:
■ Initialization script—The expect script used to log into the console and enter enable mode.
■ Re-authentication script—The expect script used to perform endpoint re-authentication.
■ Exit script—The expect script used to exit the console.
13 Click ok.
NOTE
Click revert to defaults to restore the default settings.
Cisco CatOS
To add a Cisco CatOS device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add
an 802.1X device
Figure 43: Add Cisco CatOS Device
1 Enter the IP address of the Cisco CatOS device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign
packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select Cisco CatOS from the Device type drop-down list.
6 Select telnet or SSH from the Connection method drop-down list.
7 Enter the User name with which to log into the device's console.
8 Enter the Password with which to log into the device's console.
9 Re-enter the console password.
10 Enter the password with which to enter enable mode.
11 Re-enter the enable mode password.
12 Enter the networks (using CIDR notation) that this device is in direct control over in the Network
list text field. This is only necessary if the device does not send its IP address with its supplicant
request.
13 Enter the Cisco port mask in the text field. This specifies which characters within the endpoint
identifier returned by the Cisco device contain the bank and port information of the endpoint. All
offsets start at 0, so a mask of 2/34 indicates character 3 for the bank and characters 4 and 5 for the
port. If the Cisco device were to return 50210 for an endpoint, a port mask of 2/34 would indicate
that the endpoint is on bank 2 and port 10 (2/10), where 210 are the third, fourth and fifth bytes in
the identifier.
14 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet /SSH console
can remain idle or unused before it is reset.
15 Select the Show scripts plus symbol to show the following scripts:
■ Initialization script—The expect script used to log into the console and enter enable mode.
■ Re-authentication script—The expect script used to perform endpoint re-authentication.
■ Exit script—The expect script used to exit the console.
16 Click ok.
NOTE
Click revert to defaults to restore the default settings.
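The Cisco port mask rule (step 13 of the CatOS procedure above, and step 10 of the Cisco IOS procedure) is easiest to verify with a small parser. The following is an added example, not Sentriant AG's own code: it treats each digit on either side of the slash as a 0-based character offset into the endpoint identifier the switch returns, exactly as the text describes, and rejects a mask that does not fit the identifier.

```python
"""Worked example of the Cisco port mask described above (added illustration).

A mask has the form <bank offsets>/<port offsets>; each digit is a 0-based
character offset into the endpoint identifier the switch returns. With mask
2/34 and identifier 50210, the bank is character 3 ("2") and the port is
characters 4 and 5 ("10"), giving bank/port 2/10.
"""
from __future__ import annotations

_DIGITS = "0123456789"


def parse_port_mask(mask: str) -> tuple[list[int], list[int]]:
    """Split a mask such as "2/34" into bank offsets [2] and port offsets [3, 4]."""
    parts = mask.split("/")
    if len(parts) != 2:
        raise ValueError(f"port mask {mask!r} must contain exactly one '/'")
    bank_part, port_part = parts
    if not bank_part or not port_part:
        raise ValueError(f"port mask {mask!r} needs offsets on both sides of '/'")
    for part in (bank_part, port_part):
        if any(ch not in _DIGITS for ch in part):
            raise ValueError(f"port mask {mask!r} may contain only decimal digit offsets")
    return [int(ch) for ch in bank_part], [int(ch) for ch in port_part]


def apply_port_mask(mask: str, identifier: str) -> tuple[str, str]:
    """Return (bank, port) extracted from the identifier using the mask.

    Raises ValueError when an offset lies beyond the identifier, which is the
    symptom of a mask written for a different switch family or identifier
    format; surfacing it is better than silently mapping the wrong port.
    """
    bank_offsets, port_offsets = parse_port_mask(mask)
    for off in bank_offsets + port_offsets:
        if off >= len(identifier):
            raise ValueError(
                f"offset {off} in mask {mask!r} is beyond identifier {identifier!r} "
                f"(length {len(identifier)})"
            )
    bank = "".join(identifier[off] for off in bank_offsets)
    port = "".join(identifier[off] for off in port_offsets)
    return bank, port


if __name__ == "__main__":
    # The example from the text: mask 2/34 applied to identifier 50210.
    bank, port = apply_port_mask("2/34", "50210")
    print(f"{bank}/{port}")  # 2/10
```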
CatOS User Name in Enable Mode
If you have your CatOS switch configured to run in enable mode with a user name, the expect script
supplied with Sentriant AG will not run “out of the box.”
Workaround: Do not use a user name with your switch, or modify the expect script in the console to
include the user name.
To modify the expect script in the Sentriant AG user interface:
Home window>>System configuration>>Quarantining menu option
1 Click edit next to an 802.1X device. (You can also perform these steps while you are adding an
802.1X device.)
2 Click the plus sign next to Show scripts.
3 Add the correct expect script syntax to the text box for enable mode user name. See your switch
documentation for more information on the correct syntax.
4 Click ok.
Enterasys
To add an Enterasys device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add
an 802.1X device
Figure 44: Add Enterasys Device
1 Enter the IP address of the Enterasys device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign
packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select Enterasys from the Device type drop-down list.
6 Select telnet or SSH from the Connection method drop-down list.
7 Enter the User name with which to log into the device's console.
8 Enter the Password with which to log into the device's console.
9 Re-enter the console password.
10 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet /SSH console
can remain idle or unused before it is reset.
11 Select the Show scripts plus symbol to show the following scripts:
■ Initialization script—The expect script used to log into the console and enter enable mode.
■ Re-authentication script—The expect script used to perform endpoint re-authentication.
■ Exit script—The expect script used to exit the console.
12 Click ok.
NOTE
Click revert to defaults to restore the default settings.
Extreme ExtremeWare
To add an ExtremeWare device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add
an 802.1X device
Figure 45: Add ExtremeWare Device
1 Enter the IP address of the ExtremeWare device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign
packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select Extreme ExtremeWare from the Device type drop-down list.
6 Select telnet or SSH from the Connection method drop-down list.
7 Enter the User name with which to log into the device's console.
8 Enter the Password with which to log into the device's console.
9 Re-enter the console password.
10 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet /SSH console
can remain idle or unused before it is reset.
11 Select the Show scripts plus symbol to show the following scripts:
■ Initialization script—The expect script used to log into the console and enter enable mode.
■ Re-authentication script—The expect script used to perform endpoint re-authentication.
■ Exit script—The expect script used to exit the console.
12 Click ok.
NOTE
Click revert to defaults to restore the default settings.
Extreme XOS
To add an Extreme XOS device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add
an 802.1X device
Figure 46: Add Extreme XOS Device
1 Enter the IP address of the Extreme XOS device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign
packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select Extreme XOS from the Device type drop-down list.
6 Select telnet or SSH from the Connection method drop-down list.
7 Enter the User name with which to log into the device's console.
8 Enter the Password with which to log into the device's console.
9 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.
10 Select the Show scripts plus symbol to show the following scripts:
■ Initialization script—The expect script used to log into the console and enter enable mode.
■ Re-authentication script—The expect script used to perform endpoint re-authentication.
■ Exit script—The expect script used to exit the console.
11 Click ok.
NOTE
Click revert to defaults to restore the default settings.
Foundry
To add a Foundry device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 47: Add Foundry Device
1 Enter the IP address of the Foundry device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign
packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select Foundry from the Device type drop-down list.
6 Select telnet or SSH from the Connection method drop-down list.
7 Enter the User name with which to log into the device's console.
8 Enter the Password with which to log into the device's console.
9 Re-enter the console password.
10 Enter the password with which to enter enable mode.
11 Re-enter the enable mode password.
12 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.
13 Select the Show scripts plus symbol to show the following scripts:
■ Initialization script—The expect script used to log into the console and enter enable mode.
■ Re-authentication script—The expect script used to perform endpoint re-authentication.
■ Exit script—The expect script used to exit the console.
14 Click ok.
NOTE
Click revert to defaults to restore the default settings.
HP ProCurve Switch
To add an HP ProCurve switch:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 48: Add HP ProCurve Device
1 Enter the IP address of the HP ProCurve device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign
packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select ProCurve Switch from the Device type drop-down list.
6 Select whether to connect to this device using telnet, SSH, or SNMPv2 in the Connection method
drop-down list.
7 SSH settings:
a Enter the User name used to log into this device's console.
b Enter the Password used to log into this device's console.
c To help confirm accuracy, type the same password you entered into the Password field in the Re-enter Password field.
d Enter the Enable mode user name that is used to enter enable mode on this device.
e Enter the Password used to enter enable mode on this device.
f To help confirm accuracy, type the same password you entered into the Enable password field in the Re-enter Password field.
g Enter the amount of time, in milliseconds, before an idle open SSH session is reset. The default is
60000 (60 seconds) in the Reconnect idle time field.
8 Telnet settings:
a Enter the User name used to log into this device's console.
b Enter the Password used to log into this device's console.
c To help confirm accuracy, type the same password you entered into the Password field in the Re-enter Password field.
d Enter the Enable mode user name that is used to enter enable mode on this device.
e Enter the Password used to enter enable mode on this device.
f To help confirm accuracy, type the same password you entered into the Enable password field in the Re-enter Password field.
g Enter the amount of time, in milliseconds, before an idle open telnet session is reset. The default
is 60000 (60 seconds) in the Reconnect idle time field.
9 SNMPv2 settings:
a Enter the Community string used to authorize writes to SNMP objects.
b Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field. The
strings "${Port}" and "${MAC}" will be substituted for the port and MAC address of the endpoint
to be re-authenticated.
c Select the type of the re-authentication OID from the OID type drop-down list:
● INTEGER
● unsigned INTEGER
● TIMETICKS
● IPADDRESS
● OBJID
● STRING
● HEX STRING
● DECIMAL STRING
● BITS
● NULLOBJ
d Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text
field.
e Select the Use a different OID for MAC authentication check box to re-authenticate using a
different OID when the supplicant request is for a MAC authenticated device.
1) Enter the Re-authenticate OID used to re-authenticate an endpoint. The strings "${PORT}" and
"${MAC_DOTTED_DECIMAL}" are substituted for the port and MAC address of the endpoint
to be re-authenticated.
2) Select the type of the re-authentication OID from the OID type drop-down list:
■ INTEGER
■ unsigned INTEGER
■ TIMETICKS
■ IPADDRESS
■ OBJID
■ STRING
■ HEX STRING
■ DECIMAL STRING
■ BITS
■ NULLOBJ
3) Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value
text field.
NOTE
Click revert to defaults to restore the default settings.
HP ProCurve WESM xl or HP ProCurve WESM zl
To add an HP ProCurve WESM xl or HP ProCurve WESM zl device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 49: Add HP ProCurve WESM xl/zl Device
1 Enter the IP address of the HP ProCurve WESM device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign
packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select ProCurve WESM from the Device type drop-down list.
6 Enter the Community string used to authorize writes to SNMP objects.
7 Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field. The strings
"${Port}" and "${MAC_DOTTED_DECIMAL}" will be substituted for the port and MAC address of
the endpoint to be re-authenticated.
NOTE
Figure 49: Add HP ProCurve WESM xl/zl Device on page 112 shows an example for WESM zl.
8 Select the type of the re-authentication OID from the OID type drop-down list:
■ INTEGER
■ unsigned INTEGER
■ TIMETICKS
■ IPADDRESS
■ OBJID
■ STRING
■ HEX STRING
■ DECIMAL STRING
■ BITS
■ NULLOBJ
9 Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text
field.
10 Select the Use a different OID for MAC authentication check box to re-authenticate using a
different OID when the supplicant request is for a MAC authenticated device.
a Enter the Re-authenticate OID used to re-authenticate an endpoint. The strings "${Port}" and
"${MAC_DOTTED_DECIMAL}" are substituted for the port and MAC address of the endpoint to
be re-authenticated.
b Select the type of the re-authentication OID from the OID type drop-down list:
● INTEGER
● unsigned INTEGER
● TIMETICKS
● IPADDRESS
● OBJID
● STRING
● HEX STRING
● DECIMAL STRING
● BITS
● NULLOBJ
c Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.
NOTE
Click revert to defaults to restore the default settings.
HP ProCurve 420 AP or HP ProCurve 530 AP
To add an HP ProCurve 420 AP or HP ProCurve 530 AP device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 50: Add HP ProCurve 420/530 AP Device
1 Enter the IP address of the HP ProCurve 420 AP or HP ProCurve 530 AP device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign
packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select ProCurve 420 AP or ProCurve 530 AP from the Device type drop-down list.
6 Enter the Community string used to authorize writes to SNMP objects.
7 Enter the OID used to re-authenticate an endpoint in the Re-authenticate OID text field. The strings
"${Port}" and "${MAC_DOTTED_DECIMAL}" will be substituted for the port and MAC address of
the endpoint to be re-authenticated.
8 Select the type of the re-authentication OID from the OID type drop-down list:
■ INTEGER
■ unsigned INTEGER
■ TIMETICKS
■ IPADDRESS
■ OBJID
■ STRING
■ HEX STRING
■ DECIMAL STRING
■ BITS
■ NULLOBJ
9 Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text
field.
10 Select the Use a different OID for MAC authentication check box to re-authenticate using a
different OID when the supplicant request is for a MAC authenticated device.
a Enter the Re-authenticate OID used to re-authenticate an endpoint. The strings "${Port}" and
"${MAC_DOTTED_DECIMAL}" are substituted for the port and MAC address of the endpoint to
be re-authenticated.
b Select the type of the re-authentication OID from the OID type drop-down list:
● INTEGER
● unsigned INTEGER
● TIMETICKS
● IPADDRESS
● OBJID
● STRING
● HEX STRING
● DECIMAL STRING
● BITS
● NULLOBJ
c Enter the OID re-authentication value used to re-authenticate an endpoint in the OID value text field.
NOTE
Click revert to defaults to restore the default settings.
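The placeholder substitution that steps 7 through 10 above describe (and the same SNMP re-authentication steps in the HP ProCurve Switch and HP ProCurve WESM sections), shown as an added Python example; this is not code from the guide or from Sentriant AG. The placeholder names and the OID type list are the ones the guide documents; the enterprise OID prefix, port index and MAC address are constructed, and treating ${MAC} the same way as ${MAC_DOTTED_DECIMAL} is an assumption, since the guide does not state the form ${MAC} expands to.

```python
"""Expand a Sentriant AG style Re-authenticate OID template for one endpoint.

Added example, not code from the Sentriant AG product or guide.  The placeholder
names ${Port}, ${PORT} and ${MAC_DOTTED_DECIMAL} and the OID type list come from
the guide; the guide does not say what ${MAC} expands to, so this example treats
it like ${MAC_DOTTED_DECIMAL} (an assumption).  The OID prefix, port index and
MAC address in the sample at the bottom are constructed."""
import re

# OID types offered in the GUI's OID type drop-down list.
OID_TYPES = {"INTEGER", "unsigned INTEGER", "TIMETICKS", "IPADDRESS", "OBJID",
             "STRING", "HEX STRING", "DECIMAL STRING", "BITS", "NULLOBJ"}
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_]+)\}")
_DOTTED_OID = re.compile(r"^\d+(\.\d+)+$")


def mac_dotted_decimal(mac: str) -> str:
    """00:1a:2b:3c:4d:5e -> 0.26.43.60.77.94, the form used as an SNMP table index."""
    octets = re.split(r"[:\-]", mac.strip())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(str(int(o, 16)) for o in octets)


def expand_reauth_oid(template: str, port: int, mac: str) -> str:
    """Substitute the endpoint's numeric port index and MAC into the OID template."""
    dotted = mac_dotted_decimal(mac)
    values = {"Port": str(port), "PORT": str(port),
              "MAC_DOTTED_DECIMAL": dotted, "MAC": dotted}  # ${MAC} form is assumed

    def repl(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"unknown placeholder ${{{name}}} in OID template")
        return values[name]

    oid = _PLACEHOLDER.sub(repl, template)
    if not _DOTTED_OID.match(oid):
        raise ValueError(f"expanded OID is not dotted numeric: {oid!r}")
    return oid


def check_oid_value(oid_type: str, value: str) -> bool:
    """Sanity-check that the OID value typed into the GUI fits the chosen OID type."""
    if oid_type not in OID_TYPES:
        raise ValueError(f"unknown OID type {oid_type!r}")
    try:
        if oid_type == "INTEGER":
            return -2**31 <= int(value) < 2**31
        if oid_type in ("unsigned INTEGER", "TIMETICKS"):
            return 0 <= int(value) < 2**32
        if oid_type == "IPADDRESS":
            parts = value.split(".")
            return len(parts) == 4 and all(0 <= int(p) <= 255 for p in parts)
        if oid_type == "OBJID":
            return bool(_DOTTED_OID.match(value))
        if oid_type == "HEX STRING":
            return bool(re.fullmatch(r"(?:[0-9A-Fa-f]{2}[ :]?)+", value))
        if oid_type == "NULLOBJ":
            return value == ""
    except ValueError:
        return False
    return True  # STRING, DECIMAL STRING, BITS: no structural check attempted here


def build_reauth_set(template: str, oid_type: str, value: str,
                     port: int, mac: str) -> tuple:
    """Return (oid, type, value) for the SNMP set that triggers re-authentication."""
    if not check_oid_value(oid_type, value):
        raise ValueError(f"value {value!r} does not fit OID type {oid_type}")
    return expand_reauth_oid(template, port, mac), oid_type, value


# Constructed sample: a private-enterprise prefix, port index 7 and a made-up MAC.
SAMPLE_TEMPLATE = "1.3.6.1.4.1.99999.1.${Port}.${MAC_DOTTED_DECIMAL}"
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"

if __name__ == "__main__":
    print(build_reauth_set(SAMPLE_TEMPLATE, "INTEGER", "1", 7, SAMPLE_MAC))
```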
Nortel
To add a Nortel device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 51: Add Nortel Device
1 Enter the IP address of the Nortel device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign
packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select Nortel from the Device type drop-down list.
6 Select telnet or SSH from the Connection method drop-down list.
7 Enter the User name with which to log into the device's console.
8 Enter the Password with which to log into the device's console.
9 Re-enter the console password.
10 Enter the Enable mode user name.
11 Enter the password with which to enter enable mode.
12 Re-enter the enable mode password.
13 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.
14 Select the Device is stacked check box if the device is in a stacked configuration.
15 Select the Show scripts plus symbol to show the following scripts:
■ Initialization script—The expect script used to log into the console and enter enable mode.
■ Re-authentication script—The expect script used to perform endpoint re-authentication.
■ Exit script—The expect script used to exit the console.
16 Click ok.
NOTE
Click revert to defaults to restore the default settings.
Other
To add a non-listed 802.1X device:
Home window>>System configuration>>Quarantining>>802.1X Quarantine method radio button>>Add an 802.1X device
Figure 52: Add Other Device
1 Enter the IP address of the new device in the IP address text field.
2 Enter a shared secret in the Shared secret text field. The shared secret is used to encrypt and sign
packets between the device and RADIUS server.
3 Re-enter the shared secret in the Re-enter shared secret text field.
4 Enter an alias for this device that appears in log files in the Short name text field.
5 Select Other from the Device type drop-down list.
6 Enter the User name with which to log into the device's console.
7 Enter the Password with which to log into the device's console.
8 Re-enter the console password.
9 Enter the Reconnect idle time. This is the amount of time in milliseconds that a telnet/SSH console can remain idle or unused before it is reset.
10 Select the Show scripts plus symbol to show the following scripts:
■ Initialization script—The expect script used to log into the console and enter enable mode.
■ Re-authentication script—The expect script used to perform endpoint re-authentication.
■ Exit script—The expect script used to exit the console.
NOTE
You must enter the script contents yourself for the 802.1X device you are adding.
11 Click ok.
NOTE
Click revert to defaults to restore the default settings.
Quarantining, DHCP
To select the DHCP quarantine method:
Home window>>System configuration>>Quarantining
1 Select a cluster.
2 In the Quarantine method area, select the DHCP radio button.
3 Click ok.
DHCP Server Configuration
Inline DHCP server is selected by default. If you want to use the DHCP plug-in, which allows you to
use multiple DHCP servers, see the instructions in “DHCP Plug-in” on page 337.
Setting DHCP Enforcement
NOTE
See “Configuring Windows Update Service for XP SP2” on page 249 for information on using Windows Update
Service for devices in quarantine.
To set DHCP enforcement:
Home window>>System configuration>>Quarantining>>DHCP quarantine method radio button
Figure 53: System Configuration, Quarantining, DHCP Enforcement
1 Inline DHCP server is selected by default. If you wish to use multiple DHCP servers, see the
instructions in “DHCP Plug-in” on page 337.
2 Select one of the following radio buttons:
■ Enforce DHCP requests from all IP addresses—Allows DHCP requests from all IP addresses.
■ Restrict enforcement of DHCP requests to quarantine and non-quarantine subnets—Specify individual DHCP relay agent IP addresses, separated by carriage returns, in the DHCP relay IP addresses to enforce text box.
These addresses must be a subset of either the quarantined or non-quarantined subnets. This limits the enforcement scope to DHCP requests relayed via these IP addresses, allowing you to restrict enforcement to only those DHCP requests which are forwarded via particular routers or Layer 3 switches. If set, DHCP traffic coming from a source IP not listed will be passed without intervention.
NOTE
Construction of the DHCP relay packet's source IP address is vendor-dependent. Some implementations (for
example, Extreme) use the IP address of the interface closest to the DHCP server as the source IP for DHCP
forwarding, which means the resultant packet may not have a source IP that corresponds to those used on the
endpoint's physical subnet. Check your switch vendor's implementation to be sure you are entering correct IP
information.
3 Click ok.
Adding a DHCP Quarantine Area
To add a quarantine area:
Home window>>System configuration>>Quarantining>>DHCP quarantine method radio button>>DHCP quarantine areas area
1 Click add a quarantine area. The Add quarantine area window appears.
Figure 54: Add a Quarantine Area
2 In the Add quarantine area window, enter the following information:
■ Quarantined subnet—The CIDR network that represents the IP space and netmask.
■ DHCP IP Range—The start and end DHCP IP addresses to be assigned to quarantined endpoints.
■ Gateway—The gateway temporarily assigned to endpoints.
■ Domain suffix—The domain name assigned to DHCP clients.
■ Non-quarantined subnets—All subnetworks on your LAN except those specified in the quarantined subnet field, separated by a carriage return.
NOTE
The quarantine area subnets and non-quarantined subnets should be entered using Classless Inter-domain Routing
address (CIDR) notation (see “Entering Networks Using CIDR Format” on page 358).
3 Choose a DHCP quarantine option:
■ Router access control lists (ACLs)—This option restricts the network access of non-compliant endpoints by assigning DHCP settings on a quarantined network. The network, gateway, and ACLs restricting traffic must be configured on your router, which is accomplished by multinetting or adding a virtual interface to the router that acts as the quarantine gateway IP address. The quarantine area DHCP settings must reflect this configuration on your router. The subnets specified in each area must be unique; that is, neither the quarantined nor the non-quarantined subnets in one area can be quarantined or non-quarantined in another.
■ Static routes assigned on the endpoint—This option restricts the network access of non-compliant endpoints by vending DHCP settings with no gateway and a netmask of 255.255.255.255. Static routes and a Web proxy server built into Sentriant AG allow the endpoint access to specific networks, IP addresses, and Web sites. These networks, IP addresses, and Web sites are configured in the accessible endpoint list setting (System Configuration>>Accessible Services). The quarantine areas can either be a subset of your existing DHCP scopes or a separate network multinetted on your router.
For endpoints to see the outside Web sites listed in Accessible Services, the browser being used on the endpoint must have the Auto-proxy setting turned on. Furthermore, for the Windows Update service to work, the endpoint will need manual proxy settings pointing to TCP port 3128 on the Enforcement Server assigned to this endpoint. See “Configuring Windows Update Service for XP SP2” on page 249 for more information about this problem.
NOTE
The quarantine areas can either be a subset of your existing DHCP scopes or a separate network multinetted on your
router. If this option is not selected, enforcement must occur using ACLs on your router.
NOTE
To set up multiple quarantine areas, click Add a quarantine area, then enter the information detailed in step 2 for
each additional quarantine area.
4 Click ok.
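A consistency check for the quarantine area fields in step 2 and the quarantine option in step 3, together with the relay IP scoping rule from “Setting DHCP Enforcement” above, as an added Python example; this is not code from the guide or from Sentriant AG, the option names are local labels, and the sample areas and relay IPs are constructed.

```python
"""Consistency checks for Sentriant AG DHCP quarantine areas and DHCP relay IP scope.
Added example, not code from the product or guide; it applies the rules the guide states
for the Add quarantine area window and the relay IP box.  Sample data is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ROUTER_ACLS = "router_acls"      # "Router access control lists (ACLs)" option
STATIC_ROUTES = "static_routes"  # "Static routes assigned on the endpoint" option


@dataclass
class QuarantineArea:
    quarantined_subnet: str             # CIDR typed into Quarantined subnet
    dhcp_range: Tuple[str, str]         # start and end of DHCP IP Range
    gateway: Optional[str]              # None for the static-routes option
    non_quarantined_subnets: List[str]  # one CIDR per line of the text box
    option: str = ROUTER_ACLS


def _networks(cidrs: List[str]) -> List[IPv4Network]:
    nets = []  # CIDRs that parse; malformed ones are reported by validate_area
    for cidr in cidrs:
        try:
            nets.append(IPv4Network(cidr, strict=True))
        except ValueError:
            pass
    return nets


def validate_area(area: QuarantineArea) -> List[str]:
    """Return the problems found in one area; an empty list means it is consistent."""
    problems: List[str] = []
    try:
        net = IPv4Network(area.quarantined_subnet, strict=True)
        first, last = (IPv4Address(a) for a in area.dhcp_range)
    except ValueError as exc:
        return [f"quarantined subnet / DHCP IP range: {exc}"]
    if first > last:
        problems.append("DHCP IP range: start is after end")
    if first not in net or last not in net:
        problems.append(f"DHCP IP range {first}-{last} is not inside {net}")
    elif net.prefixlen < 31 and (first == net.network_address or last == net.broadcast_address):
        problems.append("DHCP IP range includes the network or broadcast address")
    if area.option == STATIC_ROUTES:
        if area.gateway:  # leases are vended with no gateway and a 255.255.255.255 netmask
            problems.append("static-routes option vends no gateway; leave gateway empty")
    elif area.option == ROUTER_ACLS:
        try:
            gw = IPv4Address(area.gateway or "")
            if gw not in net:
                problems.append(f"gateway {gw} is outside {net}")
            elif first <= gw <= last:
                problems.append(f"gateway {gw} lies inside the DHCP IP range")
        except ValueError as exc:
            problems.append(f"gateway (quarantine gateway IP on the router): {exc}")
    else:
        problems.append(f"unknown quarantine option {area.option!r}")
    for cidr in area.non_quarantined_subnets:
        try:
            other = IPv4Network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"non-quarantined subnet: {exc}")
            continue
        if other.overlaps(net):
            problems.append(f"non-quarantined subnet {other} overlaps quarantined subnet {net}")
    return problems


def validate_areas(areas: List[QuarantineArea]) -> List[str]:
    """Validate each area, then reject a subnet reused by another area (the guide states
    that rule for the router-ACL option; applying it to every area is an assumption)."""
    problems = [f"area {i}: {p}" for i, a in enumerate(areas) for p in validate_area(a)]
    owner = {}
    for i, area in enumerate(areas):
        for net in _networks([area.quarantined_subnet, *area.non_quarantined_subnets]):
            if owner.setdefault(net, i) != i:
                problems.append(f"area {i}: subnet {net} is already used by area {owner[net]}")
    return problems


def check_relay_ips(relay_ips: List[str], areas: List[QuarantineArea]) -> List[str]:
    """Flag relay agent IPs outside every quarantined/non-quarantined subnet: requests relayed
    from an unlisted source pass unenforced, so such an entry shrinks scope.  Bad IPs raise."""
    known = [n for a in areas for n in _networks([a.quarantined_subnet, *a.non_quarantined_subnets])]
    return [f"relay IP {ip} is outside every quarantined/non-quarantined subnet"
            for ip in relay_ips if not any(IPv4Address(ip) in n for n in known)]


# Constructed sample: two areas that accidentally share the 10.1.0.0/16 LAN subnet.
SAMPLE_AREAS = [
    QuarantineArea("10.99.0.0/24", ("10.99.0.10", "10.99.0.200"), "10.99.0.1",
                   ["10.1.0.0/16", "10.2.0.0/16"]),
    QuarantineArea("10.99.1.0/24", ("10.99.1.10", "10.99.1.254"), None,
                   ["10.1.0.0/16"], option=STATIC_ROUTES),
]
SAMPLE_RELAY_IPS = ["10.1.0.1", "192.168.50.1"]  # the second sits in no known subnet
```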
Sorting the DHCP Quarantine Area
To sort the quarantine area:
Home window>>System configuration>>Quarantining>>DHCP radio button
1 Click one of the following column headings to sort the quarantine area by category:
■ subnet
■ dhcp ip range
■ gateway
■ non-quarantine subnets
■ domain suffix
■ d (indicates the quarantine option selected in step 3 on page 122)
2 The DHCP quarantine area sorts by the column name clicked.
Editing a DHCP Quarantine Area
To edit a DHCP quarantine area:
Home window>>System configuration>>Quarantining>>DHCP radio button
1 Click edit next to the quarantine area you want to edit. The Quarantine area window appears:
Figure 55: Quarantine Area
2 Edit the information in the fields you want to change. See “Adding a DHCP Quarantine Area” on
page 121 for information on Quarantine area options.
3 Click ok.
Deleting a DHCP Quarantine Area
To delete a DHCP quarantine area:
Home window>>System configuration>>Quarantining
1 Click delete next to the quarantine area you want to remove. The Delete quarantine area confirmation window appears.
2 Click yes.
Quarantining, Inline
To select the Inline quarantine method:
Home window>>System configuration>>Quarantining
1 Select a cluster.
2 In the Quarantine method area, select the Inline radio button.
3 Click ok.
Post-connect
Post-connect in Sentriant AG provides an interface where you can configure external systems, such as
IDS/IPS, that request quarantining of an endpoint based on activity that occurs after the endpoint has
connected to the network (post-connect).
Allowing the Post-connect Service Through the Firewall
The firewall must be opened for each post-connect service that communicates with Sentriant AG.
To open the firewall for your post-connect service:
Command line window
1 Log in to the Sentriant AG MS as root using SSH or directly with a keyboard.
2 Enter the following command at the command prompt:
iptables -I INPUT -s <host> -m tcp -p tcp --dport 61616 -j ACCEPT
Where <host> is the external server IP address.
First Time Selection
The first time you select the Post-connect menu option, you are prompted to configure your external
system:
Home>>Post-connect
Figure 56: Post-connect Configuration Message
Configure your post-connect system as described in “Configuring a Post-connect System” on page 125.
Then launch your post-connect system as described in “Launching Post-connect Systems” on page 127.
Setting Sentriant AG Properties
Most Sentriant AG properties are set by default. To change or set properties, you must change the
properties as described in “Changing Properties” on page 357.
You must set the following properties for Sentriant AG to communicate with your external post-connect server (see “Configuring the Post-connect Server” on page 407):
● Compliance.ActiveMQJMSProvider.url=ssl\://0.0.0.0\:61616
● Compliance.JMSProvider.UserName=<username>
● Compliance.JMSProvider.Password=<password>
Where:
<username> is the user name you use to log in to the external post-connect server.
<password> is the password you use to log in to the external post-connect server.
Configuring a Post-connect System
To configure an external post-connect system:
Home>>System configuration>>Post-connect
Figure 57: System Configuration, Post-connect
1 Enter the name of your post-connect service in the Service name text field. This is the name used in
the Post-connect and Endpoint activity windows.
2 Enter the URL of the post-connect service in the Service URL text field. When the post-connect
configuration is complete, you will be able to launch this URL from the Sentriant AG Post-connect
window.
For example, https://192.168.40.15/index.jsp.
3 Select the Automatically log into service check box to log into the post-connect service automatically
when it is launched by clicking the post-connect service name on the Sentriant AG Post-connect
window (Home>>Post-connect).
a Enter the user name of the account to be used for logging into the post-connect service in the
User name text field.
b Enter the password of the account to be used for logging into the post-connect service in the
Password text field.
c To help confirm accuracy, enter the same password you entered into the Password text field in the Re-enter password text field.
4 Select the Notify administrators when a post-connect service quarantines an endpoint check box if
you want administrators to be notified when a post-connect service quarantines an endpoint.
Notifications will be sent by email from the enforcement cluster quarantining the endpoint in
accordance with its notifications settings.
5 Click ok to save your changes and return to the Home window.
Launching Post-connect Systems
After you have configured a post-connect system, you must launch it before Sentriant AG can
communicate with it.
To launch a post-connect system:
Home>>Post-connect
Figure 58: Post-connect Launch Window
1 Click on the post-connect system name. A new browser window opens.
2 If you have not elected to automatically log in to this external system (see step 3 above), you will be
presented with that system’s login window.
Post-connect in the Endpoint Activity Window
When an external service requests that an endpoint be quarantined, it sends the request to Sentriant AG,
which quarantines the endpoint based on the hierarchy rules described in “Endpoint Quarantine
Precedence” on page 231.
The icons on the Endpoint activity window show that the endpoint is quarantined by an external
service. When you hover the cursor over the icon, the quarantine details are presented in a pop-up
window:
Figure 59: Post-connect Quarantine Details (callouts: Post-connect service name, Post-connect service logo)
Adding Post-connect System Logos and Icons
The post-connect logo that appears in the mouseover help (see Figure 59) and the icon that appears in the Endpoint activity window are both the logo for your post-connect system. If you have more than one post-connect system, you will see more than one logo and more than one icon.
You can use your own custom logos and icons for your post-connect service.
To change the mouseover logo and icons:
Command line window
1 Create logo and icon files in one of the following formats (JPG, GIF, or PNG) and at approximately the following sizes:
● Logo file—approximately 154 pixels wide x 24 pixels high
● Icon file—approximately 18 x 18 pixels
2 Copy the logo and icon files to the following directory on the Sentriant AG MS
(see “Copying Files” on page 42):
/usr/local/nac/webapps/ROOT/images
3 Log in to the Sentriant AG MS as root using SSH or directly with a keyboard.
4 Modify the following properties in the nac-ms.properties file
(see “Changing Properties” on page 357):
Compliance.PostConnect.Agents.<PRODUCTID>.Logo=<Logo filename>
Compliance.PostConnect.Agents.<PRODUCTID>.Icon=<Icon filename>
Compliance.PostConnect.Agents.<PRODUCTID>.Name=<Friendly Product Name>
Where:
<PRODUCTID> is the identifier for the post-connect service.
For example, PostConnectServiceName
<Logo filename> is the name of the logo file.
For example, logo_post_connect.gif
<Icon filename> is the name of the icon file.
For example, icon_quarantined_post_connect.png
<Friendly Product Name> is a user-friendly name for the post-connect service.
For example, MyCompany PostConnectServiceName
5 Modify the <PRODUCTID> in the connector.properties file (see “Changing Properties” on page
357):
product=PostConnectServiceName
Maintenance
The Maintenance window allows you to back up the MS database, properties files, keystore files, and
subscription files in a file with the following name:
backup-<year-month-day>Thh-mm-ss.tar.bz2
where:
● year is the year the system was backed up (2007 in the example below)
● month is the month the system was backed up (03)
● day is the day the system was backed up (04)
● hh is the hour when the system was backed up (12)
● mm is the minutes when the system was backed up (11)
● ss is the seconds when the system was backed up (22)
For example, a file backed up on March 4, 2007 at 12:11:22 has the following name:
backup-2007-03-04T12-11-22.tar.bz2
The following files are backed up:
● Database
● /usr/local/nac/properties directory
● /usr/local/nac/keystore directory
● /usr/local/nac/subscription directory
Initiating a New Backup
To initiate a new backup:
Home window>>System configuration>>Maintenance
Figure 60: System Configuration, Maintenance
1 Click begin backup now in the Backup area. The Operation in progress confirmation window
appears.
2 Depending on your browser settings, a pop-up window may appear asking if you want to save or
open the file. Select Save to disk and click OK.
NOTE
A system backup does not work using Internet Explorer 7 as a browser window. Use Internet Explorer 6, Mozilla or
Firefox for system backup if you encounter a problem.
3 The System backup completed successfully message appears at the top of the System configuration
window:
Figure 61: Backup Successful Message
Restoring From a Backup
See “Restoring from Backup” on page 359 for information about restoring from a backup file.
NOTE
If you are using Backup and Restore to move configuration files from one physical server to another, you must have
the same version of Sentriant AG installed on both servers.
Downloading Support Packages
Support packages are useful when debugging your system with the Technical Assistance Center (TAC).
If a support package is necessary, the Technical Assistance Center (TAC) will instruct you to generate
one and will provide instructions on how to upload the generated package (a TAR file).
To save a support package to your local computer:
Home window>>System configuration>>Maintenance
1 In the Support packages area, click download support packages now. A progress window appears.
2 Once the support package is generated, you will be prompted to save the file on your computer. For
example, select a directory and click Save.
NOTE
If you cannot access the GUI, enter the following command at the command line to generate a support package:
generate-support-package.py
Cluster Setting Defaults
The following sections describe how to globally set the default settings for all clusters. For information
on overriding the default settings for a specific cluster, see “Enforcement Clusters and Servers” on page
52.
Testing Methods
The Testing methods menu option allows you to configure the following:
● Select testing methods
● Define the order in which the test method screens appear to the end-user
● Select end-user options
Selecting Test Methods
To select test methods:
Home window>>System configuration>>Testing methods
Figure 62: System Configuration, Testing Methods
1 Select one or more of the following:
a Sentriant AG Agent—This test method installs a service (Sentriant AG Agent) the first time the user connects.
b ActiveX plug-in—This test method downloads an ActiveX control each time the user connects to the network. Testing is accomplished through the browser. If the browser window is closed, retesting is not performed.
c Agentless—This test method uses an existing Windows service (RPC).
2 Click ok.
Ordering Test Methods
The Sentriant AG backend attempts to test an endpoint transparently in the following order:
1 Sentriant AG tries to test with the agent-based test method.
2 If no agent is available, Sentriant AG tries to test with the ActiveX test method.
3 If ActiveX is not available and if credentials for the endpoint or domain exist, Sentriant AG tries to
test with the agentless test method.
4 If the endpoint cannot be tested transparently, then Sentriant AG uses the end-user access screens to set up a test method and sequence for interacting with the end-user. This order of presentation is defined on the Testing methods window.
At least one testing method is required. When testing an endpoint, the end-user screen presented first is the one selected as first here. If this method fails due to a personal firewall or other problem, the second method selected here is presented to the end-user, if one has been selected. Finally, if a third method has been selected, it is presented to the end-user if the second method fails. These system-level settings may be overridden and customized for each cluster.
To order test methods:
Home window>>System configuration>>Testing methods
1 For each test method selected in step 1, use the arrows next to the testing method name to move it up or down in the selection order. The order of the testing methods determines the order in which testing proceeds.
2 Click ok.
Recommended Test Methods
Agentless testing is not recommended as the first test method for endpoints on domains other than your Windows domain, for the following reasons:
● Guest users often do not know the username and password for their machine if they are logged in automatically
● If the end-user is not on a Windows domain, they have to change the “Network access... Classic mode” setting
● The user they log in as must have certain permissions to resources on the system, which they may not have
● A guest user may be uncomfortable supplying their Windows username and password to an unknown system
Windows endpoints on your Windows domain are tested automatically when you specify the domain
admin credentials in the System configuration>>Agentless credentials>>Add administrator
credentials window.
The agent-based test method is recommended for any environment where enforcement is enabled on
Windows Vista endpoints.
Selecting End-user Options
To select end-user options:
Home window>>System configuration>>Testing methods
1 Select one or more of the following options:
■ Allow end-users to have their administrator login information saved for future access (Agentless testing method only)—This option allows end-users to elect to save their login credentials so they do not have to enter them each time they connect.
■ Allow end-users to cancel installation (agent-based testing method only)—This option allows end-users to cancel the installation of the agent.
■ Allow end-users to cancel testing (all testing methods)—This option allows users to cancel the test process.
2 Click ok.
Accessible Services
The Accessible services menu option allows you to define which services and endpoints are available
to quarantined endpoints.
To define accessible endpoints and services:
Home window>>System configuration>>Accessible services
Figure 63: System Configuration, Accessible Services
1 Enter one or more Web sites, host names, IP addresses, ports, endpoints, or networks that are accessible to connecting endpoints when they fail their compliance tests. Enter one entry per line, in the formats shown below. Enter a range of IP addresses in CIDR notation. You might also need to specify the DHCP server IP address in this field. If the Domains connection method is enabled (System Configuration>>Quarantining>>802.1X>>Windows domain End-user authentication method), you must specify your Windows domain controller.
Examples:
Web sites—www.mycompany.com
Host names—bagle.com
IP addresses—10.0.16.100
Ports—10.0.16.100:53
Networks—10.0.16.1/24
Range of IP addresses—10.0.16.1/30
You do not need to enter the IP address of the Sentriant AG server here. If you do, it can cause
redirection problems when end-users try to connect. You do need to add any update server names,
such as the ones that provide anti-virus and software updates. Sentriant AG ships with many of the
default server names pre-populated, such as windowsupdate.com.
2 Click ok.
The following table provides additional information about accessible services and endpoints.
Table 7: Accessible Services and Endpoints Tips
Modes and IP addresses: When using inline mode, enter IP addresses rather than domain names. When using DHCP mode, use domain names for sites the user needs to access, such as update servers, and use IP addresses for endpoints that sit behind Sentriant AG, such as authentication servers.
Ranges: Enter a range of IP addresses in CIDR notation (10.0.16.1/30) and a range of ports with colons (10.0.16.1:80:90).
DHCP server IP address: In inline mode, you might need to specify the DHCP server IP address in this field.
Domain controller name: Regardless of where the Domain Controller (DC) is installed, you must specify the DC name on the Quarantine tab in the Quarantine area domain suffix field for each quarantine area defined.
DHCP server and Domain controller: In DHCP mode, when your DHCP server and Domain Controller are behind Sentriant AG, you must specify ports 88, 135 to 159, 389, 1025, 1026, and 3268 as part of the address. If you do not specify a DHCP address, users are blocked. If you specify only the IP address with no port, endpoints are not quarantined, even for failed tests. If your domain controller is not situated behind Sentriant AG, you must configure your router to allow routes from the quarantine area to your domain controller on ports 88, 135 to 159, 389, 1025, 1026, and 3268.
Windows update server: In inline mode, a quarantined endpoint that needs to reach the Windows Update server cannot do so unless you enter 207.46.0.0/16 here, because iptables needs an IP address and cannot resolve the default entry of windowsupdate.com.
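The entry formats above and the tips in Table 7 are easy to get subtly wrong (an address that also covers the Sentriant AG server, a domain controller entered without its ports, a host name in inline mode). The following checker is an added example, not part of the guide or of the Sentriant AG product: it parses a pasted copy of the Accessible services text box, classifies each line using the formats the guide lists, and reports the configuration mistakes Table 7 warns about. The Sentriant AG server address 10.0.16.18 (taken from the guide's later port 88 example), the domain controller address 10.0.16.5 and the sample entries are constructed assumptions.

```python
import ipaddress
import re

# Ports the guide requires on the DHCP server / domain controller entry in DHCP
# mode when those servers sit behind Sentriant AG: 88, 135 to 159, 389, 1025, 1026, 3268.
DC_REQUIRED_PORTS = frozenset({88, 389, 1025, 1026, 3268} | set(range(135, 160)))

# Plain DNS host name (no scheme, no path). IPv6 is out of scope for this format.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_entry(line):
    """Classify one line of the Accessible services text box.

    Returns None for a blank line, otherwise (kind, target, ports):
      kind    'name' (web site or host name), 'address' (single IP or CIDR block)
              or 'address_ports' (IP with a port, or a colon-separated port range)
      target  the host name string, or an ipaddress.IPv4Network
      ports   frozenset of port numbers; empty means every port
    """
    s = line.strip()
    if not s:
        return None
    m = re.fullmatch(r"([^:]+):(\d+)(?::(\d+))?", s)
    if m:
        first = int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if not 0 < first <= last <= 65535:
            raise ValueError(f"bad port range in {s!r}")
        try:
            net = ipaddress.ip_network(m.group(1), strict=False)
        except ValueError:
            raise ValueError(f"ports can only be given with an IP address: {s!r}")
        return ("address_ports", net, frozenset(range(first, last + 1)))
    try:
        # strict=False turns 10.0.16.1/24 into 10.0.16.0/24, as the guide's example implies
        return ("address", ipaddress.ip_network(s, strict=False), frozenset())
    except ValueError:
        pass
    if HOSTNAME_RE.match(s):
        return ("name", s.lower(), frozenset())
    raise ValueError(f"unrecognised accessible-services entry {s!r}")


def check_accessible_services(text, sentriant_ip, mode, dc_ip=None):
    """Parse the whole text box and return (entries, warnings).

    mode is 'inline' or 'dhcp'; dc_ip is the domain controller that sits behind
    Sentriant AG (DHCP mode), or None to skip the port check.
    """
    entries = [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]
    warnings = []
    server = ipaddress.ip_address(sentriant_ip)
    for kind, target, ports in entries:
        # The guide: the Sentriant AG server itself must not be listed (redirection problems)
        if kind != "name" and server in target:
            warnings.append(f"{target} covers the Sentriant AG server {server}: remove it")
        # The guide: inline mode uses iptables, which cannot resolve names
        if kind == "name" and mode == "inline":
            warnings.append(f"{target}: inline mode cannot resolve names, use an IP address")
    if dc_ip is not None:
        dc = ipaddress.ip_address(dc_ip)
        opened, all_ports = set(), False
        for kind, target, ports in entries:
            if kind != "name" and dc in target:
                if ports:
                    opened |= ports
                else:
                    all_ports = True
        if all_ports:
            warnings.append(f"domain controller {dc} entered without ports: "
                            "failed endpoints will not be quarantined")
        elif not DC_REQUIRED_PORTS <= opened:
            warnings.append(f"domain controller {dc} is missing ports "
                            f"{sorted(DC_REQUIRED_PORTS - opened)}")
    return entries, warnings


# Constructed sample: a DHCP-mode deployment with the DC at 10.0.16.5 (an assumption).
SAMPLE = """\
windowsupdate.com
10.0.16.100:53
10.0.16.5:88
10.0.16.5:135:159
10.0.16.5:389
10.0.16.5:1025:1026
10.0.16.5:3268
"""

if __name__ == "__main__":
    for text in (SAMPLE, SAMPLE + "10.0.16.0/24\n"):
        _, warnings = check_accessible_services(text, "10.0.16.18", "dhcp", dc_ip="10.0.16.5")
        print(warnings or "no problems found")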
Exceptions
The Exceptions menu option allows you to define the following:
● The endpoints and domains that are always allowed access (whitelist)
● The endpoints and domains that are always quarantined (blacklist)
Always Granting Access to Endpoints and Domains
To always grant access to endpoints and domains:
Home window>>System configuration>>Exceptions
Figure 64: System Configuration, Exceptions
1 To exempt endpoints from testing, in the Whitelist area, enter the endpoints by MAC or IP address,
or NetBIOS name.
2 To exempt end-user domains from testing, in the Whitelist area, enter the domain names.
3 Click ok.
CAUTION
If you enter the same endpoint in both the Whitelist and the Blacklist areas in the Exceptions window, the Whitelist
option is used.
Always Quarantine Endpoints and Domains
To always quarantine endpoints and domains:
Home window>>System configuration>>Exceptions
1 To always quarantine endpoints when testing, in the Blacklist area, enter the endpoints by MAC or
IP address, or NetBIOS name.
2 To always quarantine domains when testing, in the Blacklist area, enter the domains.
NOTE
In DHCP mode, the Sentriant AG firewall quarantines based on MAC address (everything entered must be translated
to the corresponding endpoint's MAC address). This translation occurs each time activity from the endpoint is
detected. To reduce translation time, use the MAC address initially.
CAUTION
If you enter the same endpoint in both the Whitelist and the Blacklist areas in the Exceptions window, the Whitelist
option is used.
NOTE
In the System configuration>>Exceptions window, in the Whitelist and Blacklist areas, you cannot specify a MAC
address OUI wildcard.
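The three notes above describe the rules the Exceptions window applies: entries are a MAC address, IP address or NetBIOS name (plus a separate list of domains), wildcards are rejected, the Whitelist wins when an endpoint appears in both areas, and in DHCP mode every non-MAC entry is translated to the endpoint's MAC address before the firewall can act on it. The following is an added example that models those rules, not code from the guide or the product; the endpoint table, names and addresses are constructed, and the NetBIOS name syntax is a simplified assumption.

```python
import ipaddress
import re


def normalise_mac(text):
    """Return a MAC as lower-case aa:bb:cc:dd:ee:ff, or None if text is not a full MAC."""
    digits = re.sub(r"[:\-.]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2].lower() for i in range(0, 12, 2))


def parse_endpoint_entry(entry):
    """Parse one line of the Whitelist/Blacklist endpoint box: MAC, IP address or NetBIOS name."""
    s = entry.strip()
    if "*" in s or "?" in s:
        # The guide: OUI/MAC wildcards are not accepted in the Exceptions window
        raise ValueError(f"{s!r}: wildcard entries are not accepted in Exceptions")
    mac = normalise_mac(s)
    if mac:
        return ("mac", mac)
    try:
        return ("ip", str(ipaddress.ip_address(s)))
    except ValueError:
        pass
    # Simplified NetBIOS name check (assumption): up to 15 letters, digits, '-' or '_'
    if re.fullmatch(r"[A-Za-z0-9\-_]{1,15}", s):
        return ("netbios", s.upper())
    raise ValueError(f"{s!r}: not a MAC, IP address or NetBIOS name")


def parse_area(endpoint_lines, domain_lines):
    """Parse one Exceptions area (Whitelist or Blacklist) into a set of match keys."""
    keys = {parse_endpoint_entry(line) for line in endpoint_lines if line.strip()}
    keys |= {("domain", d.strip().lower()) for d in domain_lines if d.strip()}
    return keys


def endpoint_keys(endpoint):
    """Every key an endpoint record can match on."""
    return {
        ("mac", normalise_mac(endpoint["mac"])),
        ("ip", endpoint["ip"]),
        ("netbios", endpoint["netbios"].upper()),
        ("domain", endpoint["domain"].lower()),
    }


def exception_state(endpoint, whitelist, blacklist):
    """Return 'whitelisted', 'blacklisted' or None (endpoint is tested normally).

    The Whitelist is checked first: an endpoint present in both areas is granted
    access, which is the precedence the guide's CAUTION describes.
    """
    keys = endpoint_keys(endpoint)
    if keys & whitelist:
        return "whitelisted"
    if keys & blacklist:
        return "blacklisted"
    return None


def to_mac_list(area_keys, endpoints):
    """DHCP mode quarantines by MAC: translate IP/NetBIOS/domain entries to the MACs of
    the endpoints currently known (constructed table). MAC entries need no translation."""
    macs = {value for kind, value in area_keys if kind == "mac"}
    for ep in endpoints:
        if endpoint_keys(ep) & area_keys:
            macs.add(normalise_mac(ep["mac"]))
    return macs


# Constructed sample data; names, addresses and MACs are assumptions, not from the guide.
ENDPOINTS = [
    {"mac": "00-11-22-33-44-55", "ip": "10.0.16.50", "netbios": "lab-pc01", "domain": "MYCOMPANY"},
    {"mac": "00:11:22:33:44:66", "ip": "10.0.16.51", "netbios": "PRINTSRV", "domain": "MYCOMPANY"},
    {"mac": "00:aa:bb:cc:dd:ee", "ip": "10.0.16.52", "netbios": "GUEST-LAPTOP", "domain": "WORKGROUP"},
]
WHITELIST = parse_area(["00:11:22:33:44:66", "10.0.16.50"], [])
BLACKLIST = parse_area(["lab-pc01"], ["workgroup"])

if __name__ == "__main__":
    for ep in ENDPOINTS:
        print(ep["netbios"], exception_state(ep, WHITELIST, BLACKLIST))
    print("blacklist MACs:", sorted(to_mac_list(BLACKLIST, ENDPOINTS)))
```

In the sample, lab-pc01 is blacklisted by NetBIOS name but whitelisted by IP address, so it ends up whitelisted; the translation step shows why the guide recommends entering MAC addresses directly in DHCP mode, since those need no lookup each time the endpoint is seen.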
Notifications
The Notifications menu option allows you to configure email notifications sent to announce test alerts
and system errors. You can configure the following:
● Send email notifications
● Elect not to send notifications
Enabling Notifications
To enable email notifications:
Home window>>System configuration>>Notifications
Figure 65: System Configuration, Notifications
1 To send email notifications, you must provide Sentriant AG with the IP address of a Simple Mail
Transfer Protocol (SMTP) email server. This SMTP email server must allow SMTP messages from the
Sentriant AG machine. Use the following steps to configure the SMTP email server function:
a Select the radio button next to Send email notifications.
b In the Send emails to text box, enter the email address of the person or group (alias) who should
receive the notifications.
c In the Via SMTP server IP address text box, enter the IP address of the SMTP email server from which Sentriant AG sends email notifications. This must be a valid IP address that is reachable from where the Sentriant AG machine is located on your network.
d In the Send emails from text box, enter the email address from which notifications should
originate. You might have to enter a valid email address (for example, one within your
organization) for the SMTP email server to send notifications.
2 Click ok.
To disable email notifications:
Home window>>System configuration
1 Select a cluster. The Enforcement cluster window appears.
2 Select the Notifications menu item.
3 Select the For this cluster, override the default settings check box.
4 Select Do not send email notifications.
5 Click ok.
End-user Screens
The End-user screens menu option allows you to configure the end-user screens with the following:
● Define the logo image to be displayed
● Specify the text to be displayed on end-user screens
● Optionally define a pop-up window as an end-user notification when an endpoint fails one or more tests
The end-user screens are shown in “End-user Access” on page 169.
Specifying an End-user Screen Logo
To specify an end-user screen logo:
Home window>>System configuration>>End-user screens
Figure 66: System Configuration, End-user Screens
1 Enter the customization information:
Organization logo image—Enter a path to your organization’s logo, or click Browse to select a file
on your network. Extreme Networks, Inc. recommends you place your logo here to help end-users
feel secure about having their computers tested. The logo should be no larger than 450x50 pixels.
2 Click ok.
Specifying the End-user Screen Text
To specify the end-user screen text:
Home window>>System configuration>>End-user screens
1 Enter the customization information:
a Introduction (opening screen)—Enter the introduction text for the default window. Extreme
Networks, Inc. recommends you provide text here that sets the stage for the end-user’s
experience.
b Test successful message (final screen) —Enter the text for the final, test successful window.
Extreme Networks, Inc. recommends that this text informs the end-user that the test was
successful and provides any additional helpful information such as instructions, notices, and so
on.
c Footer (most screens)—Enter the text for the footer that appears on most of the end-user windows. Extreme Networks, Inc. recommends that this text includes a way to contact you if they need further assistance. You can format the text in this field with HTML characters.
2 Click ok.
Specifying the End-user Test Failed Pop-up Window
To specify the end-user test failed pop-up window:
Home window>>System configuration>>End-user screens
1 Select the Pop up an end-user notification when an endpoint fails one or more tests check box to
turn the pop-up window on (clear the check box to turn it off).
2 Enter the customization information:
a Notification pop-up URL—In the Notification pop-up URL text box, the
default is:
https://ServerIpaddress:89
This URL points to port 89 on the Sentriant AG ES (the default end-user screen that shows the
test failed results), and is where the user is directed to when they click the Get details button on
the new pop-up window.
NOTE
Enter a different URL if you have a custom window you want the users to see. For example, you might have a
location that provides links to patch or upgrade their software.
b Test failed pop-up message—In the Test failed pop-up message text box, enter the message the
end-user views on the standard pop-up window.
NOTE
You can verify your changes to the end-user access screens immediately by pointing a browser window to port 88 of
your Sentriant AG installation. For example, if the IP address of your Sentriant AG installation is 10.0.16.18, point
the browser window to:
http://10.0.16.18:88
3 Click ok.
Agentless Credentials
When Sentriant AG accesses and tests endpoints, it needs to know the administrator credentials for that
endpoint. If your network uses a Windows domain controller and the connecting endpoint is a member
of a configured domain, Sentriant AG uses the information supplied to access and test the endpoint.
NOTE
Setting Windows credentials here sets them as the default settings for all clusters. You can override these settings on a per-cluster basis by selecting a cluster first, and then making changes in Agentless credentials.
Adding Windows Credentials
To add Windows credentials:
Home window>>System configuration>>Agentless credentials
Figure 67: System Configuration, Agentless Credentials
1 Click Add administrator credentials. The Add Windows administrator credentials window
appears:
Figure 68: Agentless Credentials, Add Windows Administrator Credentials
2 In the Add Windows administrator credentials window, enter the following:
■ Windows domain name—Enter the domain name of the Windows machine, for example: mycompanyname. You can also enter a group name, for example: WORKGROUP or HOME.
■ Administrator user ID—Enter the domain administrator or local administrator login name of the Windows machine, for example: jsmith.
■ Administrator password—Enter the password for the administrator login name used in the ID text field.
NOTE
When using a domain account to test many domain endpoints, be sure to select a domain account with domain administrator privileges. A lesser domain account may be able to authenticate to the endpoints but will not have the privileges to complete testing. Because this account can log on to every tested endpoint and its credentials are stored on the Sentriant AG server, restrict access to the server as you would to any domain administrator credential.
3 Click ok.
Testing Windows Credentials
To test Windows credentials:
Home window>>System configuration>>Agentless credentials
1 In the Test these credentials area, enter the IP address of the endpoint.
NOTE
When using a multi-server installation, the credentials are stored on the ES, but the test is initiated from the MS.
You will need to have a route identified between the MS and the ES in order for this test to work.
2 Click test. The operation in progress window appears. Testing the credentials might take a few
minutes to complete.
3 When the credentials testing is complete, the test status is displayed at the top of the credentials
window.
NOTE
Sentriant AG saves authentication information encrypted on the Sentriant AG server. When a user connects with the
same browser, Sentriant AG looks up this information and uses it for testing.
NOTE
When using the Windows administrator account connection method, Sentriant AG performs some user-based tests
with the administrator account's user registry settings, rather than those of the actual user logged into the endpoint.
This only affects Internet Explorer security tests, MS Office Macro Settings tests, and individual user's Windows
startup settings.
Editing Windows Credentials
To edit Windows credentials:
Home window>>System configuration>>Agentless credentials
1 Click edit next to the name of the Windows administrator credentials you want to edit.
2 Enter or change information in the fields you want to change. (See “Adding Windows Credentials” on page 143 for more information about Windows administrator credentials.)
3 Click ok.
Deleting Windows Credentials
To delete Windows credentials:
Home window>>System configuration>>Agentless credentials
1 Click delete next to the name of the Windows administrator credentials you want to remove. The Delete Windows administrative credentials confirmation window appears.
2 Click yes.
Sorting the Windows Credentials Area
To sort the Windows credentials area:
Home window>>System configuration>>Agentless credentials
1 Sort the Windows administrator credentials by clicking on a column heading.
2 Click ok.
Logging
Setting ES Logging Levels
You can configure the amount of diagnostic information written to log files, ranging from error (error-level messages only) to trace (everything).
To set ES logging levels:
Home window>>System configuration>>Logging
Figure 69: System Configuration, Logging Option
1 To configure the amount of diagnostic information written to log files, select a logging level from the
Enforcement servers drop-down list:
■ error—Log error-level messages only
■ warn—Log warning-level and above messages only
■ info—Log info-level and above messages only
■ debug—Log debug-level and above messages only
■ trace—Log everything
CAUTION
Setting the log level to trace may adversely affect performance.
2 Click ok.
Setting 802.1X Devices Logging Levels
You can configure the amount of diagnostic information written to log files related to 802.1X reauthentication, ranging from error (error-level messages only) to trace (everything).
To set 802.1X logging levels:
Home window>>System configuration>>Logging
1 To configure the amount of diagnostic information written to log files related to 802.1X reauthentication, select a logging level from the 802.1X devices drop-down list:
■ error—Log error-level messages only
■ warn—Log warning-level and above messages only
■ info—Log info-level and above messages only
■ debug—Log debug-level and above messages only
■ trace—Log everything
CAUTION
Setting the log level to trace may adversely affect performance.
2 Click ok.
Advanced Settings
This section describes setting the timeout periods. Endpoint detection is described in “Working with
Ranges” on page 389.
Setting the Agent Read Timeout
To set the Agent read timeout period:
Home window>>System configuration>>Advanced
Figure 70: System Configuration, Advanced Option
1 Enter a number of seconds in the Agent connection timeout period text field. The agent connection
timeout period is the time in seconds that Sentriant AG waits on a connection to the agent. Use a
larger number for systems with network latency issues.
2 Enter a number of seconds in the Agent read timeout period text field. The agent read time is the
time in seconds that Sentriant AG waits on an agent read. Use a larger number for systems with
network latency issues.
3 Click ok.
Setting the RPC Command Timeout
To set the RPC command timeout period:
Home window>>System configuration>>Advanced
1 Enter a number of seconds in the RPC command timeout period text field. The RPC command
timeout is the time in seconds that Sentriant AG waits on an rpcclient command to finish. Use a
larger number for systems with network latency issues.
2 Click ok.
4 Endpoint Activity
Use the Endpoint activity window to monitor end-user connection activity.
Home window>>Endpoint activity
The Endpoint activity window has the following sections:
● Endpoint selection area—The left column of the window provides links that allow you to quickly filter the results area by Access control status or Endpoint test status.
● Search criteria area—The top right area of the window allows you to filter the results by cluster, NetBIOS name, IP address, MAC address, User ID, domain, NAC policy, operating system, and time.
● Search results area—The lower right area of the window displays the combined results of the selection made in the left column and the search criteria entered in the top portion of the window.
Figure 71: Endpoint Activity, All Endpoints Area
(Figure callouts: 1. Endpoint selection area; 2. Search criteria area; 3. Search results area)
Filtering the Endpoint Activity Window
You can modify the results shown in the Endpoint activity window to include activity for the following:
● Access control status
● Endpoint test status
● Cluster
● NetBIOS name
● IP address
● MAC address
● User ID
● Windows domain
● NAC policy
● Operating system
● Timeframe
● Number of endpoints to display
NOTE
Most Vista endpoints will not provide a User ID to list in the user id column.
Filtering by Access Control or Test Status
Home window>>Endpoint activity window
Select a method for filtering the results window: by a specific access control status or endpoint test status, as shown in the following figure:
Figure 72: Endpoint Activity, Menu Options
NOTE
This part of the window reflects the total number of endpoints in the network at the current time. The filters do not
affect this area.
Filtering by Time
Filtering by time is available only for disconnected endpoints.
To filter the disconnected endpoints by time:
Home window>>Endpoint Activity
Figure 73: Timeframe Drop-down List
1 Select Disconnected in the Access control status area.
2 Select one of the options from the Timeframe drop-down list.
3 Click search. The results area updates to match the time frame selected, and the Timeframe selected
is highlighted to show that this filter option has been applied. Click reset to clear the filter.
Limiting Number of Endpoints Displayed
To limit the number of endpoints displayed:
Home window>>Endpoint Activity
Figure 74: Display Endpoints Drop-down
Select a number from the drop-down list. The results area updates to show only the number of endpoints selected, with page navigation breadcrumbs.
Searching
To search the Endpoint activity window:
Home window>>Endpoint activity>>Search criteria area
Figure 75: Search Criteria
1 Select any or all of the following:
■ A Cluster from the drop-down list
■ A NAC policy from the drop-down list
■ Enter any text string in any of the text boxes (you can also leave these blank)
2 Select one of the following from the Endpoints must match drop-down list:
■ all—Endpoints that match all of the search criteria are displayed.
■ any—Endpoints that match at least one of the search criteria are displayed.
3 Click Search. The results area updates to match the search criteria specified, and the background of each field used in the search is highlighted as shown below:
Figure 76: Highlighted Fields
4 To refresh the Endpoint activity window to show all endpoint activity, click reset.
NOTE
The search box is not case-sensitive. Searching matches entire words. You must enter wildcard characters (*) to
match substrings. For example, 192.168.*.
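The search semantics in the note above (case-insensitive, whole-value matching, `*` as the only wildcard, combined with all or any across the filled-in fields) are easy to misjudge when a search returns nothing. The following is an added example that reproduces those semantics over a constructed set of endpoint records so you can predict what a given search will return; it is not code from the guide or the product, and the record fields and values are assumptions.

```python
import re


def wildcard_to_regex(pattern):
    """Translate one search-box value into a compiled regex: case-insensitive,
    whole-value match, with * standing for any run of characters."""
    parts = [re.escape(p) for p in pattern.strip().split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def search_endpoints(records, criteria, must_match="all"):
    """Filter endpoint records the way the Search criteria area does.

    records:    list of dicts (netbios, ip, mac, user, domain, cluster, nac_policy, os)
    criteria:   dict field -> search text; blank values are ignored
    must_match: 'all' (every filled-in field must match) or 'any' (at least one must)
    """
    active = {f: wildcard_to_regex(v) for f, v in criteria.items() if v and v.strip()}
    if not active:
        return list(records)  # nothing entered behaves like reset: show everything
    combine = all if must_match == "all" else any
    return [r for r in records
            if combine(rx.match(str(r.get(f, ""))) is not None for f, rx in active.items())]


# Constructed sample records; none of these values come from the guide.
RECORDS = [
    {"netbios": "LAB-PC01", "ip": "192.168.1.10", "user": "jsmith", "domain": "MYCOMPANY", "os": "Windows XP"},
    {"netbios": "LAB-PC02", "ip": "192.168.1.11", "user": "", "domain": "MYCOMPANY", "os": "Windows Vista"},
    {"netbios": "GUEST-LAPTOP", "ip": "10.0.16.52", "user": "guest", "domain": "WORKGROUP", "os": "Windows XP"},
]

if __name__ == "__main__":
    # "192.168" alone matches nothing: the value must match the whole field
    print(len(search_endpoints(RECORDS, {"ip": "192.168"})))
    print([r["netbios"] for r in search_endpoints(RECORDS, {"ip": "192.168.*"})])
    print([r["netbios"] for r in search_endpoints(RECORDS, {"ip": "192.168.*", "os": "windows xp"}, "any")])
```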
Access Control States
Sentriant AG provides on-going feedback on the access status of endpoints in the Endpoint activity
window as follows:
NOTE
To view access status, see “Viewing Endpoint Access Status” on page 158.
● Quarantined—
■ By NAC Policy—The endpoint has been assigned a quarantined IP address. For example, an endpoint could have been quarantined because it failed a test or it could not be tested.
■ By administrator—The administrator has selected Temporarily quarantine for an assigned time frame.
■ Post-connect—The endpoint has been assigned a quarantined IP address because a post-connect service requested the quarantine.
■ Blacklisted—The endpoint has been assigned a quarantined IP address because it was designated to always be quarantined in the System Configuration>>Exceptions>>Blacklist window.
● Awaiting quarantine—A temporary state indicating that an endpoint is in the process of being quarantined.
● Granted access—
■ By NAC Policy—The endpoint has been assigned a non-quarantined IP address. For example, an endpoint could have access because it passed a test, or could not be tested but is allowed access.
■ Temporarily by NAC policy—The endpoint has been assigned a non-quarantined IP address. For example, an endpoint could have access because it failed a test but was allowed temporary access.
■ By administrator—The administrator has selected Temporarily grant access and assigned a time frame.
■ By Access Mode—Endpoints are tested in allow all mode; however, they are always given access to the production network.
■ Whitelisted—The endpoint has been assigned a non-quarantined IP address because it was designated to always have access in the System Configuration>>Exceptions>>Whitelist window.
● Awaiting access—A temporary state indicating that an endpoint is in the process of being allowed access.
● Disconnected—Sentriant AG cannot communicate with the endpoint.
Endpoint Test Status
Sentriant AG provides on-going feedback on the test status of endpoints in the left pane of the
Endpoint activity window as follows:
NOTE
To view access status, see “Viewing Endpoint Access Status” on page 158.
● Failed—Sentriant AG shows this status after the endpoint has failed testing. Click on the plus (+) symbol to show the test failed categories.
● Passed—Sentriant AG shows this status after the endpoint has passed the test and is connected to the network.
● Not tested—Sentriant AG shows this status when a device cannot be tested.
● Connecting—Sentriant AG shows this status briefly after the endpoint has been tested while the endpoint is being assigned a non-quarantined IP address.
If you hover the mouse cursor over the icons in the Endpoint activity window, you will get additional
information about the status of the endpoint.
Figure 77: Endpoint Mouseover Pop-up Window
The following lists the possible test statuses:
● Unknown error—This is most likely a problem that cannot be resolved without contacting Extreme Networks, Inc. Try to force a retest from the Sentriant AG user interface. If that does not work, call the Extreme Networks, Inc. Technical Assistance Center (TAC) and be prepared to generate a support package (see “Generating a Support Package” on page 361).
● Connecting—Sentriant AG shows this status briefly after the endpoint has been tested while the endpoint is being assigned a non-quarantined IP address.
● Awaiting credentials—Sentriant AG shows this status briefly while the agentless credentials are being verified.
● Bad credentials—Sentriant AG shows this status when the agentless credentials could not be verified. The end-user is presented with a window stating why the credentials may have failed, and is given the opportunity to re-enter the credentials, cancel the test, or try the next test method (specified on the End-user access window).
● Testing (agentless test)—Sentriant AG shows this status briefly while the agentless test is being performed.
● Passed—Sentriant AG shows this status after the endpoint has passed the test and is connected to the network.
● Failed—Sentriant AG shows this status after the endpoint has failed testing.
● Could not be tested—Sentriant AG shows this status after the endpoint could not be tested.
● License limit exceeded—Sentriant AG shows this status when the number of endpoints allowed on your license has been exceeded. The endpoint is not tested or allowed access.
● License expired—Sentriant AG shows this status when your license has expired. No endpoints are tested or allowed access to the network.
● Test canceled—Sentriant AG shows this status when the end-user cancels the test.
● Endpoint always granted access—Sentriant AG shows this status when an endpoint has been listed in the System configuration>>Exceptions window to always grant access (Whitelist). These endpoints are never tested and always allowed access.
● Endpoint always quarantined—Sentriant AG shows this status when an endpoint has been listed in the System configuration>>Exceptions window to always quarantine (Blacklist). These endpoints are never tested and always quarantined.
● Awaiting test initiation—Sentriant AG shows this status when one of the following conditions occurs:
■ Sentriant AG does not have credentials and there is no agent
■ Sentriant AG does not have credentials and the endpoint is firewalled
■ Sentriant AG is waiting for credentials or an agent
■ No testing has taken place yet
● Installing test service—Sentriant AG shows this status briefly while the agent is being installed.
● Installation canceled—Sentriant AG shows this status when the end-user has cancelled the installation of the agent.
● Testing (agent)—Sentriant AG shows this status briefly while the endpoint is being tested by the agent-based method.
● Testing (ActiveX plug-in)—Sentriant AG shows this status briefly while the endpoint is being tested by the ActiveX method.
● Installing ActiveX plug-in—Sentriant AG shows this status briefly while the ActiveX plug-in is being installed.
● ActiveX plug-in installation failed—Sentriant AG shows this status when installation of the ActiveX plug-in failed. The installation probably failed due to browser settings (see “Important browser settings” in the Sentriant AG Installation Guide). The end-user has the option to retry or cancel, which presents the user with the next testing method specified on the End-user access screen.
● Validating installation—Sentriant AG shows this status while Sentriant AG is validating that the agent is working.
● Installation failed—Sentriant AG shows this status when the agent cannot be installed. This is likely due to permission problems on the endpoint.
● Agent not active—Sentriant AG shows this status when an endpoint that was previously running the agent is no longer running the agent. This is likely due to a firewall being turned on.
● Awaiting ip transition—Sentriant AG shows this status during a transition between a quarantined IP address and a non-quarantined IP address, in either direction.
● Connection failed—endpoint busy or file and print sharing disabled—During the connection to the endpoint, the endpoint is not able to complete the testing requested by Sentriant AG. This condition can occur when the endpoint is busy running other processes or programs, or it might be in an overloaded condition. Retesting the endpoint at a later time generally resolves this problem. Defragmenting the hard disk can also help this situation on slower endpoints.
● Connection failed (unsigned SMB)—Testing of the endpoint failed because of an SMB signing problem (unsigned SMB).
● Connection failed—no logon server—During the connection process, the endpoint was not able to validate the user ID and password credentials supplied by Sentriant AG because the endpoint does not have network access to any authentication servers. This can be due to a routing issue which is not allowing the endpoint to reach the necessary servers on the network. Also, if Sentriant AG is inline with the domain controller, you might need to open up the appropriate ports (135 through 138, 445, 389, 1029) in the Sentriant AG accessible endpoints configuration for your domain controller IP address. Once the endpoint can reach the necessary servers, retest the endpoint.
● Connection failed—endpoint/domain trust failure—The supplied credentials failed to authenticate because a previous trust relationship established between the endpoint and the Windows directory is broken in some way. Resolve this problem by adding the endpoint again as a member of the appropriate Windows domain, then retest the endpoint.
● Connection failed—timed out—Sentriant AG timed out while trying to connect to or retrieve information from the endpoint. This could be due to a slow or saturated network, or the endpoint might have been shut down or rebooted while it was being tested by Sentriant AG. If the endpoint is still on the network, retest it with Sentriant AG.
● Connection failed—session setup—Sentriant AG shows this status when the RPC client had problems communicating with the endpoint.
● Failed testing—insufficient test privileges—The credentials Sentriant AG used to test the endpoint do not have sufficient privileges to read the registry or enumerate the services. An easy way to debug this is to run regedit and connect to the remote endpoint using the same admin credentials supplied to Sentriant AG. You should be allowed to browse the HKLM\Software and HKLM\System keys on the endpoint. Retest the endpoint after increasing the credential permission levels or using a different set of credentials with the necessary permissions.
● Connection failed—no route to host—The endpoint is unreachable on the network by Sentriant AG. This can be due to either a network routing issue or because the endpoint has powered off or is in the process of rebooting. Retest the endpoint once the routing issues have been resolved or the endpoint is back on the network.
● Failed testing—patching endpoint—The endpoint failed testing and patching is in progress.
● Patching endpoint failed—The endpoint is unable to be patched.
● Patching endpoint complete—Patching of the endpoint is successful.
● Endpoint disconnected before could be tested—Sentriant AG shows this status when the endpoint disconnects from the network before testing could be completed.
Enforcement Cluster Access Mode
The access mode of each cluster can be one of the following:
● normal—Endpoints are tested and allowed access or quarantined based on policies, exceptions, and administrator overrides.
● allow all—Endpoints are tested as in normal mode; however, all endpoints are allowed access.
When you change the access mode from normal to allow all, the icons and endpoint status shown on the Endpoint activity window change as described in this section.
An endpoint attempts to connect to the network and is quarantined. Figure 78 shows that the Endpoint
test status is Failed (red X in the et column), and that the endpoint is quarantined (red symbol with X
in the ac column).
Figure 78: Failed Endpoint
The admin changes the access mode from normal to allow all (System
Configuration>>Quarantining>>Access mode area, allow all radio button).
Figure 79 shows that the previously quarantined endpoint is now allowed access (green icon in the ac
column); however, the Endpoint test status still shows Failed (red X in the et column).
Figure 79: Failed Endpoint Allow All Mode
Hover the mouse over the green icon in the ac column and a window pops up (Figure 80) providing a
description of the endpoint access control status as well as what the access control status would be in
normal mode. In this case, the endpoint is allowed access because of the change to allow all mode;
however, when the mode is changed back to normal, the endpoint will again be quarantined for the
reason listed.
Figure 80: Failed Endpoint Allow All Mode Mouse Over
Viewing Endpoint Access Status
To view access status for an endpoint:
Home window>>Endpoint activity window
1 Locate the endpoint you are interested in.
2 The first column is the selection column, the second column is the Endpoint test status column, and
the third column is the Access control status column. The icons shown in the following figure
provide status:
Figure 81: Access Control and Endpoint Test Status (legend: default post-connect service icon, configurable post-connect service icon, configurable post-connect service name)
This legend is updated dynamically with any post-connect service names and icons you have installed.
NOTE
If an endpoint is seen by two different clusters simultaneously, the endpoint state can get lost. This could happen,
for example, if you had a Training cluster and an Engineering cluster and an endpoint that was connected in the
Engineering cluster also attempted to connect by way of the Training cluster. An error would occur in this case.
Make efforts when you are configuring your clusters to avoid allowing this condition.
Selecting Endpoints to Act on
To select endpoints to act on:
Home window>>Endpoint activity
Click a box or boxes in the first column to select the endpoints of interest.
NOTE
Click the box at the top of the column to select all of the endpoints.
Acting on Selected Endpoints
Once you have filtered the Endpoint activity window and selected which endpoints to take action on, you can perform the following actions:
● Retest an endpoint (“Manually Retest an Endpoint” on page 160)
● Allow temporary access for a specific period of time (“Immediately Grant Access to an Endpoint” on page 160)
● Temporarily quarantine the endpoint for a specific period of time (“Immediately Quarantine an Endpoint” on page 161)
● Clear the temporary quarantine or access state (“Clearing Temporary Endpoint States” on page 161)
Manually Retest an Endpoint
To manually retest an endpoint:
Home window>>Endpoint activity
1 Select a box or boxes to select the endpoints of interest.
2 Click retest.
Immediately Grant Access to an Endpoint
To immediately grant access to an endpoint:
Home window>>Endpoint activity
1 Select a box or boxes to select the endpoints of interest.
2 Click change access.
3 Select the Temporarily grant access for radio button.
4 Select minutes, hours, or days from the drop-down list.
5 Enter the number of minutes, hours, or days that the endpoint is allowed access.
6 Click ok.
NOTE
To quarantine again, select the endpoint, click change access, select Clear temporary access control status, and
click ok.
NOTE
If an endpoint that has been granted or denied access temporarily by the administrator disconnects, the next time
the endpoint attempts to connect it will be retested; the previous temporary status no longer applies.
Immediately Quarantine an Endpoint
To immediately quarantine an endpoint:
Home window>>Endpoint activity
1 Select a box or boxes to select the endpoints of interest.
2 Click change access.
3 Select the Temporarily Quarantine for radio button.
4 Select minutes, hours, or days from the drop-down list.
5 Enter the number of minutes, hours, or days that the endpoint will be temporarily quarantined.
6 Click ok.
NOTE
To quarantine again, select the endpoint, click change access, select Clear temporary access control status, and
click ok.
Clearing Temporary Endpoint States
Endpoints can have a temporary state designated through the Quarantine for or Allow access for radio
buttons.
To clear a temporary state set by the admin:
Home window>>Endpoint activity
1 Select a box or boxes to select the endpoints of interest.
2 Click change access.
3 Select the Clear temporary access control status radio button.
4 Click ok.
Viewing Endpoint Information
To view information about an endpoint:
Home window>>Endpoint activity
1 Click on an endpoint name to view the Endpoint window:
Figure 82: Endpoint, General Option
2 Click Test results to view the details of the test:
Figure 83: Endpoint Activity, Endpoint Test Results Option
NOTE
Click on any underlined link (for example, change access) to make changes such as changing access or test
credentials.
Troubleshooting Quarantined Endpoints
The following table describes the various components that affect an endpoint attempting to access the
network:
Table 8: Troubleshooting Quarantined Endpoints
Columns: Enforcement Mode | How endpoints are quarantined and redirected to Sentriant AG | How quarantined endpoints reach accessible devices

Enforcement Mode: DHCP mode, Endpoint enforcement
How endpoints are quarantined and redirected to Sentriant AG:
DHCP server (Sentriant AG) gives the endpoint:
• Quarantine range IP address (*)
• 255.255.255.255 netmask (effectively blocks outgoing traffic from the endpoint)
• No default gateway
• Sentriant AG server's IP as DNS server (will resolve everything except accessible devices to the Sentriant AG IP address)
• The switch is configured with additional IP helper addresses to forward broadcast DHCP requests to ESs as well as production DHCP servers.
How quarantined endpoints reach accessible devices:
DHCP server (Sentriant AG) also sends:
• A static route to the Sentriant AG server IP via a gateway (*)
• Static routes to any IP addresses defined in Accessible services
Sentriant AG DNS—Sentriant AG will add any names listed in Accessible services to the named.conf file so the endpoint will be able to resolve the names (to get the real IP). Unless there are corresponding static routes, the endpoint will not be able to access them directly.
Sentriant AG Web Proxy—The Sentriant AG server also advertises a Web proxy server for endpoints that autodetect Web proxies. This proxy will redirect all Web requests through Sentriant AG, and traffic destined for names in Accessible services will be proxied through Sentriant AG.
NOTE: Windows update does not honor autoproxy. Workarounds include:
• Adding Windows update hostnames AND IP addresses to Accessible services, or
• Manually setting Sentriant AG as the proxy (this would require reversing this setting once a system was out of quarantine).

Enforcement Mode: DHCP mode, Network enforcement
How endpoints are quarantined and redirected to Sentriant AG:
DHCP server (Sentriant AG) gives the endpoint:
• Quarantine range IP address
• Appropriate netmask for quarantine subnet
• Appropriate default gateway
• Sentriant AG server's IP as DNS server (will resolve everything except Accessible services to the Sentriant AG IP address)
• The switch is configured with additional IP helper addresses to forward broadcast DHCP requests to ESs as well as production DHCP servers.
ACLs on the switch prevent quarantined systems from talking to production systems, but allow for the following specific traffic:
• Quarantine --> Sentriant AG (OK)
• Production --> Quarantine (OK)
• Quarantine -|-> Production (NO)
• Quarantine -?-> Internet (Maybe**)
Switches must be configured for multinetting (multinetting segment) so there can be two networks on the same physical device (or devices) that cohabitate, but they should not be able to talk to one another as enforced by the switch (using ACLs). Each port on the switch will be allowed to be on either the production or quarantine network, and the switch will have a secondary IP address assigned to the gateway port (so there will be different gateway IP addresses for the production and quarantine networks).
How quarantined endpoints reach accessible devices:
Sentriant AG (fake root) DNS—As in endpoint enforcement (for access to names in Accessible services). The DNS server forwards requests for accessible services to a real DNS server for resolution.

Enforcement Mode: Inline / Gateway, VPN split tunnel (multihomed endpoint)
How endpoints are quarantined and redirected to Sentriant AG:
Sentriant AG acts as the man-in-the-middle; iptables rewrites packets and forwards traffic to the Sentriant AG system itself.
The production network is protected from VPN users by iptables acting as a firewall. VPN users can only get through iptables by becoming compliant with a Sentriant AG policy, after which a hole is opened for their VPN IP address.
How quarantined endpoints reach accessible devices:
No need to allow public sites (the endpoint can get there directly, without going through the VPN and Sentriant AG).
iptables does NOT rewrite traffic destined for (internal) IP addresses in Accessible services.
The names listed in Accessible services are not used.
NOTE: In this configuration, the user has to try to access an internal site in order to be redirected to Sentriant AG (unless they have the Sentriant AG Agent installed).

Enforcement Mode: Inline / Gateway, VPN not split tunnel (all traffic through VPN)
How endpoints are quarantined and redirected to Sentriant AG:
Sentriant AG acts as the man-in-the-middle; iptables rewrites packets and forwards traffic to the Sentriant AG system itself.
The production network is protected from VPN users by iptables acting as a firewall. VPN users can only get through iptables by becoming compliant with a Sentriant AG policy, after which a hole is opened for their VPN IP address.
How quarantined endpoints reach accessible devices:
iptables(?) does NOT rewrite traffic destined for IP addresses in Accessible services.
The names listed in Accessible services are not used.

Enforcement Mode: 802.1X
How endpoints are quarantined and redirected to Sentriant AG:
DHCP server (MS DHCP server, and so on) gives the endpoint:
• Quarantine range IP address
• Appropriate netmask for quarantine subnet
• Appropriate default gateway
• Sentriant AG server's IP as DNS server (will resolve everything except Accessible services to the Sentriant AG IP address)
• Very low DHCP lease time (~3 minutes)
ACLs on the switch prevent quarantined systems from talking to production systems, but allow for the following specific traffic:
• Quarantine --> Sentriant AG (OK)
• Production -?-> Quarantine (Maybe*)
• Quarantine -|-> Production (NO)
• Quarantine -?-> Internet (Maybe**)
ACLs on network devices must be configured to limit where endpoints on the quarantine VLAN can go.
Iptables prerouting chains rewrite traffic coming from quarantine subnets (as defined in the user interface) and destined for Sentriant AG (due to Sentriant AG DNS) so that:
Sentriant AG:80 --> Sentriant AG:88
Sentriant AG:443 --> Sentriant AG:89
Traffic coming from non-quarantine ranges will not be rewritten, so that users can get to the Sentriant AG user interface on port 443.
How quarantined endpoints reach accessible devices:
Sentriant AG DNS—As in endpoint enforcement (for access to names in Accessible services).

NOTES:
• (*) The gateway does not have to be in the broadcast domain (which is good, since the netmask gives the endpoint no real broadcast domain), as long as it is in the same (Layer 2) subnet—the router will get you there.
• (**) Allowing access to the Internet is up to the customer, but is necessary for access to any IP addresses in Accessible services (System configuration>>Cluster setting defaults area>>Accessible services).
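The DHCP-mode mechanics in Table 8, modelled as an added example (not Extreme Networks code): the endpoint-enforcement lease, the Sentriant AG DNS behaviour, and the 802.1X-mode prerouting rewrite. All addresses, service names, and the reachability check that treats a /32 lease with no default gateway as "static routes only" are assumptions for illustration.

```python
"""Model of the DHCP-mode quarantine mechanics described in Table 8.

Added example, not Extreme Networks code. All addresses and service names
are constructed. Three behaviours from the table are modelled:
  1. the lease an endpoint gets in DHCP endpoint enforcement (host netmask,
     no default gateway, static routes only to the ES and to the IP
     addresses listed in Accessible services);
  2. the Sentriant AG DNS, which answers every name except Accessible
     services with the ES address;
  3. the 802.1X-mode iptables PREROUTING rewrite (ES:80->88, ES:443->89)
     that applies only to traffic from quarantine ranges.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ES_IP = IPv4Address("10.0.0.10")                   # constructed ES address
QUARANTINE_RANGES = [IPv4Network("10.99.0.0/24")]  # constructed quarantine range

# Accessible services, mirroring the table: IP addresses get static routes,
# names are added to named.conf so they resolve to the real IP.
ACCESSIBLE_SERVICE_IPS = {IPv4Address("10.1.1.50")}
ACCESSIBLE_SERVICE_NAMES = {
    "patch.corp.example": IPv4Address("10.1.1.50"),  # name AND IP listed
    "av.corp.example": IPv4Address("10.1.1.51"),     # name only, no IP listed
}


def _ip(value) -> IPv4Address:
    """Accept either a string or an IPv4Address."""
    return IPv4Address(str(value))


@dataclass
class Lease:
    ip: IPv4Address
    netmask: IPv4Address
    default_gateway: Optional[IPv4Address]
    dns: IPv4Address
    # (destination, next hop) pairs
    static_routes: List[Tuple[IPv4Address, IPv4Address]] = field(default_factory=list)


def endpoint_enforcement_lease(quarantine_ip, gateway) -> Lease:
    """Lease handed out in DHCP endpoint-enforcement mode."""
    gw = _ip(gateway)
    routes = [(ES_IP, gw)]  # route to the ES via a gateway (*)
    routes += [(ip, gw) for ip in sorted(ACCESSIBLE_SERVICE_IPS)]
    return Lease(ip=_ip(quarantine_ip),
                 netmask=IPv4Address("255.255.255.255"),  # blocks everything not routed
                 default_gateway=None,
                 dns=ES_IP,
                 static_routes=routes)


def sentriant_dns(name: str) -> IPv4Address:
    """Everything except names in Accessible services resolves to the ES."""
    return ACCESSIBLE_SERVICE_NAMES.get(name, ES_IP)


def has_route(lease: Lease, dst: IPv4Address) -> bool:
    """Simplified check: with a /32 netmask and no default gateway, only
    explicit static routes count (assumption for this model)."""
    if lease.default_gateway is not None:
        return True
    return any(dst == target for target, _ in lease.static_routes)


def classify_access(lease: Lease, name: str) -> str:
    """Where a quarantined endpoint's connection to `name` ends up."""
    resolved = sentriant_dns(name)
    if resolved == ES_IP:
        return "redirected-to-es"   # lands on Sentriant AG
    if has_route(lease, resolved):
        return "direct"             # name AND IP in Accessible services
    return "unreachable"            # name resolves, but no static route


def prerouting_rewrite(src, dst, dport: int) -> int:
    """802.1X mode: rewrite ES:80->88 and ES:443->89 for quarantine sources only."""
    src, dst = _ip(src), _ip(dst)
    if dst != ES_IP or not any(src in net for net in QUARANTINE_RANGES):
        return dport  # non-quarantine users still reach the UI on 443
    return {80: 88, 443: 89}.get(dport, dport)


if __name__ == "__main__":
    lease = endpoint_enforcement_lease("10.99.0.5", "10.99.0.1")
    for n in ("www.example.com", "patch.corp.example", "av.corp.example"):
        print(n, "->", classify_access(lease, n))
    print("quarantine 443 ->", prerouting_rewrite(lease.ip, ES_IP, 443))
```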
5 End-user Access
End-users can connect to your network from a number of different types of computers (see “Endpoints
Supported” on page 170), be tested for compliance based on your definitions in the standard (high,
medium, or low security) or custom NAC policies (see “NAC Policies” on page 213), and are allowed or
denied access based on test results and your quarantine settings (see “Quarantining, General” on page
86). During the login process the end-users are presented with the end-user access windows, which
display the testing status and required remediation steps.
This section describes the end-user access windows and options, and details any settings that need to be
made on the endpoints.
Test Methods Used
Sentriant AG tests endpoints using one of the following methods:
● Agent-based
● Agentless
● ActiveX
See “Testing Methods” on page 132 for a description of each of these methods.
Agent Callback
The Agent Callback to Sentriant AG feature allows the Sentriant AG agent to inform the ES that an
endpoint is now active on the network and available to be tested. This feature allows faster detection of
endpoints in a network utilizing static IP addresses.
Upon notification of a new network connection, the agent queries DNS for all available ESs and
attempts to execute an HTTP request against each ES until a successful request has occurred. This
request causes the ES to schedule the endpoint for testing.
The following terms are used in association with this feature:
● Agent—The software residing on the endpoint that performs the tests.
● Enforcement Server (ES)—The server that communicates with the agent to initiate tests, and quarantines or allows network access based on the test results.
● Endpoint—The computer being tested by Sentriant AG.
● SRV record—A DNS record that contains information regarding a specific service on a network, for example, HTTP or mail.
● A record—A DNS record that contains information regarding a specific host name.
To enable this feature, add either SRV records or A records to your DNS system.
The agent performs a DNS query against the server for the following SRV names:
● _nac
● _sentriantag
● _extreme
● _nac1
● _nac2
If no contact can be made, the agent tries the following A names:
● nac
● sentriantag
● extreme
● nac1
● nac2
NOTE
The endpoint's DNS suffix must be correctly configured for your domain for the Agent Callback feature to work correctly.
See the following link for more information about DNS record types:
http://www.ietf.org/IESG/Implementations/RFC1886-Implementation/DNSrecords.html
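The Agent Callback lookup order described above, as an added example (not the Sentriant AG agent's code): SRV names first, A names only if no ES could be contacted, and nothing at all when the DNS suffix is wrong. DNS lookups and the HTTP probe are injected callables so it runs offline against a constructed zone; the `_name._tcp.<domain>` SRV form, port 80 for A-record targets, and the zone contents are assumptions.

```python
"""Agent Callback: how the agent locates an Enforcement Server via DNS.

Added example, not the Sentriant AG agent's code. Assumptions for
illustration: SRV owner names take the usual `_name._tcp.<domain>` form,
A-record targets are probed on port 80, and SRV targets are tried in
ascending priority order (equal priorities simply in record order).
"""
from typing import Callable, Dict, List, Optional, Tuple

SRV_NAMES = ["_nac", "_sentriantag", "_extreme", "_nac1", "_nac2"]
A_NAMES = ["nac", "sentriantag", "extreme", "nac1", "nac2"]

SrvRecord = Tuple[int, int, int, str]  # priority, weight, port, target
Attempt = Tuple[str, int]              # host, port


def find_es(domain: str,
            lookup_srv: Callable[[str], List[SrvRecord]],
            lookup_a: Callable[[str], Optional[str]],
            http_probe: Callable[[str, int], bool]
            ) -> Tuple[Optional[Attempt], List[Attempt]]:
    """Return (first ES that answered the HTTP request, every target tried).

    `domain` is the endpoint's DNS suffix: if it is wrong, nothing resolves
    and the agent never calls back, which is the failure the NOTE warns about.
    """
    tried: List[Attempt] = []
    # 1. SRV names, lowest priority value first.
    for name in SRV_NAMES:
        records = lookup_srv(f"{name}._tcp.{domain}")
        for _prio, _weight, port, target in sorted(records):
            tried.append((target, port))
            if http_probe(target, port):
                return (target, port), tried
    # 2. A names, only reached when no SRV target could be contacted.
    for name in A_NAMES:
        fqdn = f"{name}.{domain}"
        if lookup_a(fqdn) is not None:
            tried.append((fqdn, 80))
            if http_probe(fqdn, 80):
                return (fqdn, 80), tried
    return None, tried


# Constructed zone for the demonstration: one SRV name with two ESs, and a
# plain A record for the fallback path.
ZONE_SRV: Dict[str, List[SrvRecord]] = {
    "_nac._tcp.corp.example": [(20, 0, 80, "es2.corp.example"),
                               (10, 0, 80, "es1.corp.example")],
}
ZONE_A: Dict[str, str] = {
    "es1.corp.example": "10.0.0.10",
    "es2.corp.example": "10.0.0.11",
    "nac.corp.example": "10.0.0.12",
}
UP = {"es2.corp.example", "nac.corp.example"}  # hosts whose HTTP probe succeeds


def zone_srv(name: str) -> List[SrvRecord]:
    return ZONE_SRV.get(name, [])


def zone_a(name: str) -> Optional[str]:
    return ZONE_A.get(name)


def probe(host: str, port: int) -> bool:
    return host in UP


def no_srv(name: str) -> List[SrvRecord]:
    """A zone with no SRV records, forcing the A-name fallback."""
    return []


if __name__ == "__main__":
    print(find_es("corp.example", zone_srv, zone_a, probe))
    print(find_es("corp.example", no_srv, zone_a, probe))
    print(find_es("wrong.example", zone_srv, zone_a, probe))  # bad DNS suffix
```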
Endpoints Supported
This Sentriant AG release supports the following:
● Agent-based testing
  ■ Windows 2000
  ■ Windows Server (2000, 2003)
  ■ Windows XP Professional
  ■ Windows XP Home
  ■ Mac OS (version 10.3.7 or later)
  ■ Vista Ultimate
  ■ Vista Home Basic
  ■ Vista Home Premium
  ■ Vista Business
  ■ Vista Enterprise
● Agentless testing
  ■ Windows 2000
  ■ Windows Server (2000, 2003)
  ■ Windows XP Professional
  ■ Vista Ultimate
  ■ Vista Business
  ■ Vista Enterprise
● ActiveX testing
  ■ Windows 2000
  ■ Windows Server (2000, 2003)
  ■ Windows XP Professional
  ■ Windows XP Home
  ■ Vista Ultimate
  ■ Vista Home Basic
  ■ Vista Home Premium
  ■ Vista Business
  ■ Vista Enterprise
NOTE
This release supports only the 32-bit version of Vista operating systems.
NOTE
Other operating system support (for example Linux) will be included in future releases. Windows ME and Windows
95 are not supported in this release.
NOTE
If the end-user switches the Windows view while connected, such as from Classic view to Guest view, the change
may not be immediate due to the way sessions are cached.
Browser Version
The browser that should be used by the endpoint is based on the test method as follows:
● ActiveX test method—Microsoft Internet Explorer (IE) version 6.0 or later.
● Agentless test methods—IE, Firefox, or Mozilla.
● Agent-based test methods—
  ■ Windows or Linux—IE, Firefox, or Mozilla
  ■ Mac OS X—Firefox or Safari.
Firewall Settings
Sentriant AG can perform tests through firewalls on both managed and unmanaged endpoints.
Managed Endpoints
Typically, a managed endpoint’s firewall is controlled with the Domain Group Policy for Windows, or a
central policy manager for other firewalls. In this case, the network administrator opens up the agent
port or agentless ports only to the Sentriant AG server using the centralized policy.
If the Domain Group Policy is not used for Windows endpoints, the appropriate ports are opened
during the agent installation process by the Sentriant AG installer.
Unmanaged Endpoints
For unmanaged endpoints, the NAC Agent and the ActiveX control test methods automatically open
the necessary ports for testing.
End-users connecting with Windows XP but running a firewall other than the SP2 Windows Firewall (such as Norton) must configure that firewall to allow connections to Sentriant AG on port 1500, or the installation of the agent fails.
Making Changes to the Firewall
See the following sections for instructions:
● “Allowing the Windows RPC Service through the Firewall” on page 180
● “Allowing Sentriant AG through the OS X Firewall” on page 183
Windows Endpoint Settings
IE Internet Security Setting
If the end-user has their IE Internet security zone set to High, the endpoint is not testable. Using one of
the following options will allow the endpoint to be tested:
● The end-user could change the Internet security to Medium (Tools>>Internet options>>Security>>Custom level>>Reset to Medium).
● The end-user could add the IP address of the Sentriant AG server to the Trusted sites zone, and then set the Trusted sites zone to Medium.
● The end-user could customize the High setting to allow the options necessary for Sentriant AG to test successfully. These options are as follows:
  ■ The NAC Agent test uses ActiveX
  ■ The ActiveX test uses ActiveX
  ■ All of the tests use JavaScript
Agent-based Test Method
Ports Used for Testing
You might need to configure some firewalls and routers to allow Sentriant AG to access port 1500 for
agent-based testing.
NOTE
See “Ports used in Sentriant AG” on page 451 for a complete description of the ports used in Sentriant AG.
Windows Vista Settings
All Windows Vista endpoints must have administrator permissions in order for the agent to install
successfully. If the end-user is not logged in to the endpoint with administrator permissions, the
following occurs:
● If User Account Control (UAC) is enabled, Windows Vista prompts you for credentials. After the credentials are entered, the agent installs.
● If UAC is disabled, the agent installation fails without notifying the end-user.
See the following link for details on UAC:
http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac084c21f5c6c2d91033.mspx?mfr=true
Agentless Test Method
This section describes the settings you need to make on Windows 2000, Windows XP, and Windows
Vista when using the Agentless test method.
Configuring Windows 2000 Professional for Agentless Testing
The agentless test method requires file and printer sharing to be enabled.
To enable file and printer sharing on Windows 2000 Professional:
Windows endpoint>>Start>>Settings>>Control Panel
1 Double-click Network and Dial-up connections.
2 Right-click Local area connection.
3 Select Properties. The Local area connection properties window appears:
Figure 84: Local Area Connection Properties
4 On the General tab, in the Components checked are used by this connection area, verify that File
and Printer sharing is listed and that the check box is selected.
5 Click OK.
Configuring Windows XP Professional for Agentless Testing
The agentless test method requires file and printer sharing to be enabled.
To enable file and printer sharing on Windows XP Professional:
Windows endpoint>>Start>>Settings>>Control Panel
1 Double-click Network connections.
2 Right-click Local area connection.
3 Select Properties. The Local area connection properties window appears:
Figure 85: Local Area Connection Properties
4 On the General tab, in the This connection uses the following area, verify that File and Printer
sharing is listed and that the check box is selected.
5 Click OK.
For more information on file and printer sharing, refer to the following:
● To configure File and Printer Sharing for Microsoft Networks—http://technet2.microsoft.com/windowsserver/en/library/bcdae91f-537c-4707-8fae-1eec881908371033.mspx?mfr=true
● To configure File and Printer Sharing for Windows Vista—http://technet.microsoft.com/en-us/library/bb727037.aspx
Configuring Windows Vista for Agentless Testing
In order for a Windows Vista endpoint to be tested agentlessly, you must configure the following:
● Network discovery—See the End-user Access chapter, Windows Endpoint Settings section in the users guide.
● File sharing—See the End-user Access chapter, Windows Endpoint Settings section in the users guide.
● Domain membership—Join the endpoint to a domain if it has not previously been a domain member. Domain administrator credentials (rather than local administrator credentials) are required for agentless testing.
To join a Windows Vista endpoint to a domain:
Home window>>System configuration>>Quarantining
1 Log in to the Windows Vista endpoint.
2 Click Start>>Welcome Center. The Welcome Center window appears:
Figure 86: Windows Vista, Welcome Center
3 Double-click View computer details. The Control Panel>System and Maintenance>System window
appears.
Figure 87: Windows Vista, System
4 Click Change settings.
5 Click Continue if the User Account Control window appears. The System Properties window
appears.
Figure 88: Windows Vista, System Properties
6 Select the Computer Name tab.
7 Click Change. The Computer Name/Domain Changes window appears.
Figure 89: Windows Vista, Computer Name/Domain Changes
8 Select the Member of Domain radio button.
9 Enter the domain name in the text box.
10 Click OK. The Windows Security window appears.
Figure 90: Windows Vista, Windows Security
11 Enter your User name and Password for the domain.
12 Click OK. A confirmation window appears once the computer has been successfully joined to the
domain.
13 Click OK to close the confirmation window.
14 You are prompted that you need to restart your Windows Vista endpoint. Click OK.
15 Click Close to close the System Properties window.
16 You are again prompted to restart your Windows Vista endpoint. Click Restart Now.
NOTE
Windows Vista endpoints are not tested until they are logged in to the domain.
Ports Used for Testing
You might need to configure some firewalls and routers to allow Sentriant AG to access the following ports for agentless testing:
● 137
● 138
● 139
● 445
NOTE
See “Ports used in Sentriant AG” on page 451 for a complete description of the ports used in Sentriant AG.
Allowing the Windows RPC Service through the Firewall
If end-users enable the Windows XP SP2 Professional firewall, they need to change its configuration to allow agentless testing.
NOTE
These firewall configuration methods can be configured using the Windows Group policy and pushed out to all users
of a Windows domain.
The following method is the recommended method:
To configure the Windows XP Professional firewall to allow the RPC service to connect:
Windows endpoint>>Start>>Settings>>Control Panel>>Windows Firewall>>Advanced tab>>Settings
button
1 Click Add.
2 In the Service Settings window, enter the following information:
Description: Sentriant AG Server 137
IP: <IP of the Sentriant AG Server>
External port number: 137
Select UDP.
3 Click OK.
4 Click Add.
5 In the Service Settings window, enter the following information:
Description: Sentriant AG Server 138
IP: <IP of the Sentriant AG Server>
External port number: 138
Select UDP.
6 Click OK.
7 Click Add.
8 In the Service Settings window, enter the following information:
Description: Sentriant AG Server 139
IP: <IP of the Sentriant AG Server>
External port number: 139
Select TCP.
9 Click OK.
10 Click Add.
11 In the Service Settings window, enter the following information:
Description: Sentriant AG Server 445
IP: <IP of the Sentriant AG Server>
External port number: 445
Select TCP.
12 Make sure all four rules are selected.
13 Click OK.
The following method is an alternate method:
To configure the Windows XP Professional firewall to allow the RPC service to connect:
Windows endpoint>>Start>>Settings>>Control Panel>>Windows Firewall>>Exceptions tab
1 Select File and Print Sharing. (Verify that the check box is also selected.)
2 Click Edit.
3 Verify that the check boxes for all four ports are selected.
4 Select TCP 139.
5 Click Change Scope.
6 Select Custom List.
7 Enter the Sentriant AG Server IP address and the 255.255.255.0 mask.
8 Click OK.
9 Select UDP 137.
10 Click Change Scope.
11 Select Custom List.
12 Enter the Sentriant AG Server IP address and the 255.255.255.0 mask.
13 Click OK.
14 Select TCP 445.
15 Click Change Scope.
16 Verify that the My network (subnet) only radio button is selected.
17 Click OK.
18 Select UDP 138.
19 Click Change Scope.
20 Verify that the My network (subnet) only radio button is selected.
21 Click OK.
22 Click OK.
23 Click OK.
NOTE
You can add more security by specifying the endpoints allowed for File and Print Sharing as follows:
Select File and Print Sharing, Click Edit, Select Change Scope, and select either My Network or Custom List (and
then specify the endpoints).
ActiveX Test Method
Ports Used for Testing
You might need to configure some firewalls and routers to allow Sentriant AG to access port 1500 for
ActiveX testing.
NOTE
See “Ports used in Sentriant AG” on page 451 for a complete description of the ports used in Sentriant AG.
Windows Vista Settings
All Windows Vista endpoints must have administrator permissions in order for the ActiveX component
to install successfully. If the end-user is not logged in to the endpoint with administrator permissions,
the following occurs:
● If User Account Control (UAC) is enabled, Windows Vista prompts you for credentials. After the credentials are entered, the ActiveX component installs.
● If UAC is disabled, the ActiveX component installation fails without notifying the end-user.
See the following link for details on UAC:
http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac084c21f5c6c2d91033.mspx?mfr=true
Mac OS X Endpoint Settings
This release of Sentriant AG supports only the agent-based method of testing for Mac OS X.
Ports Used for Testing
You might need to configure some firewalls and routers to allow Sentriant AG to access port 1500 for
agent-based testing.
NOTE
See “Ports used in Sentriant AG” on page 451 for a complete description of the ports used in Sentriant AG.
Allowing Sentriant AG through the OS X Firewall
To verify that Sentriant AG can test the end-user through the end-user’s firewall:
Mac endpoint>>Apple Menu>>System Preferences
Figure 91: Mac System Preferences
1 Select the Sharing icon. The Sharing window opens.
Figure 92: Mac Sharing
2 Select the Firewall tab.
3 The firewall settings must be one of the following:
■ Off
■ On with the following:
  ● OS X NAC Agent check box selected
  ● Port 1500 open
To change the port:
Mac endpoint>>Apple Menu>>System Preferences>>Sharing icon>>Firewall tab
1 Select OS X NAC Agent.
2 Click Edit. The port configuration window appears:
Figure 93: Mac Ports
3 Enter 1500 in the Port Number, Range or Series text field.
4 Click OK.
End-user Access Windows
Several end-user access templates come with Sentriant AG. The End-user window provides a way to
customize these templates from within the user interface (see “End-user Screens” on page 140). For
optimal end-user experience, brand these windows as your own and keep them friendly and helpful. It
is important to convey to your end-users what is happening during and after the testing process.
If you want to make more customizations than are available using the End-user window, the files are
located in the following directory:
/usr/local/nac/webapps/HoldingArea
There are two ways you can edit the Sentriant AG end-user access templates outside of the Extreme
Networks, Inc. user interface configuration window:
● UNIX command line and vi text editor—Connect to the Sentriant AG server using SSH, then edit
the files with vi.
● HTML editor on your local machine—Connect to the Sentriant AG server using SSH, copy the files
to your local machine, edit the files with any HTML or text editor, and copy the files back to the
Sentriant AG server.
You can also create additional HTML files.
NOTE
Upgrading the Sentriant AG software does not overwrite your template changes. Your updated templates are
preserved.
CAUTION
Do not rename the files or they will not be seen by Sentriant AG.
End-users begin the login process by opening their browser. If their home page is defined on the
Accessible services window, they are allowed to access that page.
Opening Window
When the end-user directs their browser to go to a location that is not listed in the Accessible services
and endpoints list, the testing option window appears:
Figure 94: End-user Opening Window
The end-users select Get connected. One of the following windows appears, depending on which test
method and order is specified in the System configuration>>Testing methods window:
● Windows NAC Agent test—Installation window (first-time connection only) (see “Windows NAC
Agent Test Windows” on page 188)
● ActiveX test—Testing window (see “ActiveX Test Windows” on page 200)
● Agentless test—Testing window (see “Agentless Test Windows” on page 201)
If the Allow end users to cancel installation option on the System Configuration>>Testing methods
window is selected, the end-users have the option of clicking Cancel installation. If they click Cancel
installation, an Installation cancelled window appears.
NOTE
The logo and the text in Figure 94 are customizable as described in “End-user Screens” on page 140.
Windows NAC Agent Test Windows
Automatically Installing the Windows Agent
When the test method used is NAC Agent test, the first time the user attempts to connect, the agent
installation process should begin automatically, and the installing window appears:
Figure 95: End-user Installing Window
NOTE
The end-user can also manually install the agent as described in “Manually Installing the Windows Agent” on
page 191.
If Active Content is disabled in the browser, the following error window appears:
Figure 96: End-user Agent Installation Failed
NOTE
To enable active content, see the instructions in the Installation Guide, in the “Important Browser settings, Active
Content” section.
If this is the first time the end-user has selected NAC Agent test, a security acceptance window appears.
In order to proceed with the test, the user must select to Install the digital signature.
Once the user has accepted the digital signature, the agent installation begins. The user must click Next
to start the agent installation:
Figure 97: End-user Agent Installation Window (Start)
The user must click Finish to complete the agent installation and begin testing:
Figure 98: End-user Agent Installation Window (Finish)
As soon as the installation is complete, the endpoint is tested. See “Testing Window” on page 203.
Removing the Agent
To remove the agent:
Windows endpoint>>Start button>>Settings>>Control panel>>Add/remove programs
Figure 99: Add/Remove Programs
1 Find the Sentriant AG Agent in the list of installed programs.
2 Click Remove.
NOTE
The Sentriant AG Agent also appears in the services list:
Start button>>Settings>>Control panel>>Administrative tools>>Services
Manually Installing the Windows Agent
To manually install the agent (using Internet Explorer):
Windows endpoint>>IE browser window
1 Point the browser to the following URL:
https://<enforcement_server_ip>:89/setup.exe
The security certificate window appears:
Figure 100: Security Certificate
2 Click Yes to accept the security certificate. You are prompted to select Save to disk or Run the file:
Figure 101: Run or Save to Disk
3 Click Run to begin the install process.
4 The Agent Installation Wizard starts (Figure 97 on page 190).
How to View the Windows Agent Version Installed
To see what version of the agent the endpoint is running:
Windows endpoint>>Command line window
1 Change the working directory to the following:
C:\Program Files\Extreme\Sentriant AG Agent
2 Enter the following command:
SAService version
The version number is returned. For example: 4,0,0,567
Mac OS Agent Test Windows
When the test method selected is agent-based, the first time the end-user logs in to their Macintosh
computer and opens a browser window, Sentriant AG attempts to test the endpoint. If the agent is
required, they receive the Installation Failed window shown in Figure 96.
Installing the MAC OS Agent
To install the Mac OS agent:
The Mac OS agent must be installed manually and works with Mac OS X version 10.3.7 or later. Both
the PowerPC and Intel Macintosh computers are supported. To check your version of Mac OS, select
Apple Menu>>About This Mac.
1 Click the download the testing software link (Figure 96).
2 Double-click the downloaded file to unzip it.
3 Double-click the extracted file to launch the installer program. A confirmation window appears:
Figure 102: Start Mac OS Installer
4 Click Continue. The installer appears:
Figure 103: Mac OS Installer 1 of 5
5 Click Continue. The Select a Destination window appears:
Figure 104: Mac OS Installer 2 of 5
6 Click Continue. The Easy Install window appears:
Figure 105: Mac OS Installer 3 of 5
7 Click Install. The Authenticate window appears:
Figure 106: Mac OS Installer 4 of 5
8 Enter your password. Click OK. The agent is installed and the confirmation window appears:
Figure 107: Mac OS Installer 5 of 5
9 Click Close.
Verifying the Mac OS Agent
To verify that the Mac OS agent is running properly:
Mac endpoint>>Double-click Desktop icon>>Applications folder>>Utilities folder
Figure 108: Applications, Utilities Folder
1 Double-click Activity Monitor. The Activity Monitor window appears:
Figure 109: Activity Monitor
2 Verify that the osxnactunnel process is running.
3 If the osxnactunnel process is not running, start it by performing the following steps:
a Select Applications window>>Utilities>>Mac OS X Terminal. A terminal window opens:
Figure 110: Mac Terminal
b Enter the following at the command line:
OSXNACAgent -v
The build and version number are returned.
c If an error message is returned indicating that the agent could not be found, the agent was not
installed properly. Re-install the agent as described in “Installing the MAC OS Agent” on
page 193.
d If the agent is installed but not running, enter the following at the command line:
sudo OSXNACAgentDaemon restart
e Check the Activity Monitor window again to see if the osxnactunnel process is running. If it is
still not functioning properly after re-installing the agent and attempting to restart the process,
contact your network administrator for assistance.
Removing the Mac OS Agent
To remove the Mac OS agent:
Mac endpoint>>Double-click Desktop icon>>Applications folder>>Utilities folder
1 Select Mac OS X Terminal. A terminal window opens (Figure 110).
2 Enter the following at the command line:
remove_osxnacagent
3 Remove the firewall entry:
a Select Apple Menu>>System Preferences>>Sharing>>Firewall tab.
b Select OS X NAC Agent.
c Click Delete.
ActiveX Test Windows
For the ActiveX test, the Testing window appears (see “Testing Window” on page 203) and an ActiveX
component is downloaded. If there is an error running the ActiveX component, an error window
appears:
Figure 111: End-user ActiveX Plug-in Failed
NOTE
To enable active content, see the instructions in the Installation Guide, in the “Important Browser settings, Active
Content” section.
NOTE
Install any needed patches before installing the Agent.
Agentless Test Windows
If the end-users select Agentless test, Sentriant AG needs login credentials in order to test the endpoint.
Credentials can be obtained from the following:
● Automatically connect the user through domain authentication (“Agentless Credentials” on
page 143)
● Require the user to log in. End-users must set up their local endpoints to have a Windows
administrator account with a password in order to be tested by Sentriant AG.
NOTE
Sentriant AG uses the Windows Messenger Service when using agentless testing. If you have disabled this service
(http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx), agentless testing will not work.
NOTE
If the end-user has not defined a login/password combination, the default login is usually administrator with a blank
password.
If the end-users are required to log in, or if the automatic connection methods fail, they must log in
using the following window:
Figure 112: End-user Login Credentials
If the Allow end-users to have their administrator login information saved for future access option is
selected on the System Configuration>>Testing methods window, the end-user login window presents
a check box option to the end-users, allowing them to save their login credentials.
If the login credentials are correct, the Testing window is displayed (see “Testing Window” on
page 203).
If the end-users do not enter the correct information in the login window fields, a login failure window
appears:
Figure 113: End-user Login Failed
NOTE
You can customize the logo and contact paragraph that appear on this window. See “Customizing Error Messages”
on page 206 for more details.
Testing Window
The following figure shows the window that appears during the testing process:
Figure 114: End-user Testing
The possible outcomes from the test are as follows:
● Test successful window (see “Test Successful Window” on page 203)
● Testing cancelled window (see “Testing Cancelled Window” on page 204)
● Testing failed window (see “Testing Failed Window” on page 204)
● Other error window (see “Error Windows” on page 206)
Test Successful Window
When the end-users’ endpoints meet the test criteria defined in the NAC policy, they are allowed access
to the network, and a window indicating successful testing appears:
Figure 115: End-user Testing Successful
NOTE
You can customize the logo and text that appears on this window as described in “End-user Screens” on page 140.
Testing Cancelled Window
If the Allow end users to cancel testing option on the System configuration>>Testing methods
window is selected, the end-user has the option of clicking Cancel testing. If the end-users click Cancel
testing, a window appears indicating that testing is cancelled:
Figure 116: End-user Testing Cancelled
Testing Failed Window
When the end-user’s endpoints fail to meet the test criteria defined in the NAC policy, the end-users are
not allowed access to the network (are quarantined) and the following testing failed window appears.
For each NAC policy, you can specify a temporary access period should the end-users fail the tests. See
“Selecting Action Taken” on page 226 for more information.
Figure 117: End-user Testing Failed Example 1
NOTE
You can elect to allow access to specific services and endpoints by including them in the Accessible services and
endpoints area of the System configuration>>Accessible services window (see “Accessible Services” on page 134).
NOTE
You can customize the logo and contact paragraph that appear on this window. See “Customizing Error Messages”
on page 206 for more details.
End-users can click Printable version to view the testing results in a printable format, as shown in the
following figure:
Figure 118: End-user Testing Failed, Printable Results
Error Windows
End-users might see any of the following error windows:
● Unsupported endpoint
● Unknown error
The following figure shows an example of an error window:
Figure 119: End-user Error
Customizing Error Messages
The default error message strings (remediation messages) are defined in the following file:
/usr/local/nac/scripts/BaseClasses/Strings.py
You can create custom error message strings that appear in the test result reports, and on the test results
access window that the end-user views by editing or creating the following file:
/usr/local/nac/scripts/Custom/BaseClasses/CustomStrings.py
To customize the error messages:
1 Create a file using a text editor, and name it as follows:
/usr/local/nac/scripts/Custom/BaseClasses/CustomStrings.py
using the following format:
    class CustomStrings:
        stringTable = {
            "name1" : "message1",
            "name2" : "message2",
        }
Where:
The name value (name1) matches the name of the test (see Table 9 on page 208).
The message value (message1) is the text you want to appear in the reports and on the end-user
access windows.
For example:
    class CustomStrings:
        stringTable = {
            # Keep the same number of %s placeholders as the matching entry in Strings.py;
            # adjacent string literals are joined by Python into one message.
            "checkAntiVirusUpdates.String.1" : "The required anti-virus software was not found. "
                "Install the software from this location "
                "<a href='http://myserver.someplace.com/dir/application.exe'>Location Name</a>. "
                "Supported anti-virus software: %s",
            "name2" : "message2",
        }
NOTE
A “%s” in the description text is a special variable that is interpolated into extra information (passed from
Sentriant AG) such as lists of missing patches, or missing software.
CAUTION
Normally Sentriant AG uses Strings.py. If you create a CustomStrings.py file, make sure that the number of
placeholders (%s) for a given entry is equal to the placeholders for that entry in Strings.py. If CustomStrings.py has
a different (smaller) number of placeholders than the entry in Strings.py had, tests will result in an "unknown error,"
which can result in endpoints getting quarantined when they should not be.
NOTE
While editing the description avoid the use of double quotes “”. Use single quotes instead. Double quotes will get
interpreted by the software and can cut the string short or cause the replacement to fail.
2 Once your custom strings script is complete, and you are ready to push it out to all of the ESs:
a Verify that the scripts and base classes are under the Custom directory tree as specified above.
b Enter the following on the command line of the Sentriant AG MS:
installCustomTests
This command compiles the Python source files, builds an RPM, updates the policy groups, and sends
these changes to all ESs.
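A pre-flight check for the procedure above, added here as an example and not part of the Sentriant AG scripts: before running installCustomTests, it compares each CustomStrings.stringTable entry with the matching Strings.stringTable entry and reports the two conditions the CAUTION and NOTE warn about (a different number of %s placeholders, and double quotes in a message), plus names that have no default counterpart. The contents of both files below are constructed samples; on a real MS you would read the two files from the paths given above.

```python
"""Pre-flight check for a Sentriant AG CustomStrings.py file.

Added example, not part of the Sentriant AG scripts. Both file contents are
constructed samples; on a real MS read them from
/usr/local/nac/scripts/BaseClasses/Strings.py and
/usr/local/nac/scripts/Custom/BaseClasses/CustomStrings.py.
"""
import ast

# Constructed stand-in for the shipped Strings.py (entry names from Table 9,
# text abbreviated).
DEFAULT_STRINGS_SRC = r'''
class Strings:
    stringTable = {
        "checkAntiVirusUpdates.String.1" : "The required anti-virus software was not found. Supported Anti Virus software: %s",
        "checkAntiVirusUpdates.String.2" : "%s is installed but the service is not running and the virus signatures are not up-to-date (installed: %s required: %s).",
        "checkServicePacks.String.6" : "The current installed service pack is %s. You must be running service pack %s or later.",
    }
'''

# Constructed CustomStrings.py: one consistent entry and three faulty ones.
CUSTOM_STRINGS_SRC = r'''
class CustomStrings:
    stringTable = {
        "checkAntiVirusUpdates.String.1" : "Anti-virus software is missing. Install it from <a href='http://myserver.someplace.com/dir/application.exe'>Location Name</a>. Supported software: %s",
        "checkAntiVirusUpdates.String.2" : "%s is installed but the virus signatures are out of date.",
        "checkServicePacks.String.6" : "Service pack %s is too old; install %s or later (see the \"IT wiki\").",
        "checkNoSuchTest.String.1" : "This name does not exist in Strings.py.",
    }
'''


def load_string_table(source, class_name):
    """Return <class_name>.stringTable as a dict. The file is parsed with ast
    and never executed by the checker."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef) and node.name == class_name:
            for stmt in node.body:
                if isinstance(stmt, ast.Assign) and any(
                    isinstance(t, ast.Name) and t.id == "stringTable"
                    for t in stmt.targets
                ):
                    return ast.literal_eval(stmt.value)
    raise ValueError("%s.stringTable not found" % class_name)


def count_placeholders(message):
    """Number of %s placeholders Sentriant AG will try to fill in."""
    return message.count("%s")


def check_custom_strings(default_src, custom_src):
    """Return a list of (entry name, problem) pairs; an empty list means the
    custom file is consistent with Strings.py and safe to push."""
    defaults = load_string_table(default_src, "Strings")
    custom = load_string_table(custom_src, "CustomStrings")
    problems = []
    for name, message in custom.items():
        if name not in defaults:
            problems.append((name, "no such entry in Strings.py"))
            continue
        want, got = count_placeholders(defaults[name]), count_placeholders(message)
        if got != want:
            problems.append((name, "has %d placeholder(s), Strings.py has %d" % (got, want)))
        if '"' in message:
            problems.append((name, "contains a double quote; use single quotes"))
    return problems


def render(message, extras):
    """Fill a message the way its %s placeholders are interpolated at test
    time. A count mismatch raises TypeError, which is the failure the guide
    describes surfacing as an 'unknown error'."""
    return message % tuple(extras)


if __name__ == "__main__":
    for name, problem in check_custom_strings(DEFAULT_STRINGS_SRC, CUSTOM_STRINGS_SRC):
        print("%s: %s" % (name, problem))
```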
Table 9: Default Test Names and Descriptions
(Each test name is followed by its description on the indented line.)

checkAntiVirusUpdates.String.1
    The required anti-virus software was not found. Install anti-virus software and keep the virus definitions up-to-date. Supported Anti Virus software: %s
checkAntiVirusUpdates.String.2
    %s is installed but the service is not running and the virus signatures are not up-to-date (installed: %s required: %s).
checkAntiVirusUpdates.String.3
    %s is installed but the service is not running.
checkAntiVirusUpdates.String.4
    (version: %s)
checkAntiVirusUpdates.String.5
    %s is installed but the virus signatures are not up-to-date (installed: %s required: %s).
checkAntiVirusUpdates.String.6
    The %s service is running and virus signatures are up-to-date.
checkAutoUpdateStatus.String.1
    The OS is not relevant to this test.
checkAutoUpdateStatus.String.2
    The auto_update_level_required parameter is required.
checkAutoUpdateStatus.String.3
    Automatic Updates have not been configured. For Windows 2000, install Service Pack 4, then enable Automatic Updates by selecting: Control Panel>>Automatic Updates. For Windows XP: select Control Panel>>System>>Automatic Updates tab.
checkAutoUpdateStatus.String.4
    Automatic Updates are set to: %s
checkAutoUpdateStatus.String.5
    Automatic Updates must be configured to %s. For Windows 2000, install Service Pack 4, then enable Automatic Updates by selecting: Control Panel>>Automatic Updates. For Windows XP: select Control Panel>>System>>Automatic Updates tab.
checkAutoUpdateStatus.String.6
    The Automatic Update client has been disabled. Ask your local System Administrator for instructions on how to enable it.
checkHotFixes.String.1
    An unsupported operating system was encountered.
checkHotFixes.String.2
    The OS is not relevant to this test.
checkHotFixes.String.3
    The service pack level is not relevant to this test.
checkHotFixes.String.4
    The %s installed are not current. Run Windows Update to install the most recent service packs and hotfixes. The missing hotfixes are: %s. You may need to run Windows Update multiple times to install all the hotfixes. Some of the hotfixes listed may be contained in a cumulative patch.
checkHotFixes.String.5
    All required %s are installed.
checkHotFixes.String.6
    There are no %s installed. Run Windows Update to install the most recent service packs and hotfixes. You may need to run Windows Update multiple times to install all the hotfixes.
checkIESecurityZoneSettings.String.1
    There was no security zone specified.
checkIESecurityZoneSettings.String.2
    Internet Explorer %s security zone settings are acceptable.
checkIESecurityZoneSettings.String.3
    There was no security level specified.
checkIESecurityZoneSettings.String.4
    An invalid security level '%s' was specified.
checkIESecurityZoneSettings.String.5
    Could not test Internet Explorer %s security zone settings. On Windows 2000 you must be logged in as the same user that is currently being tested.
checkIESecurityZoneSettings.String.6
    The required security level for your Internet Explorer %s security zone is %s or greater. To change the setting, select Tools>>Internet Options>>Security>>%s>> select the setting and click OK. If you are using a custom setting, higher security settings are required for:<ul>%s</ul>* indicates an Internet Explorer 6 or later setting
checkIESecurityZoneSettings.String.7
    There were no Internet Explorer %s security zone settings found.
checkIEVersion.String.1
    Unable to retrieve IE version.
checkIEVersion.String.2
    Internet Explorer version %s is acceptable.
checkIEVersion.String.3
    The required Internet Explorer browser was not found or is not current. Install the latest version.
checkMicrosoftOfficeMacroSecurityLevel.String.1
    The office_program and the security_level_required parameters are required.
checkMicrosoftOfficeMacroSecurityLevel.String.2
    The specified office_program or security_level_required values are invalid.
checkMicrosoftOfficeMacroSecurityLevel.String.3
    There are no Microsoft Office products installed or the user is not logged in as the same user that is being tested.
checkMicrosoftOfficeMacroSecurityLevel.String.4
    All macro settings are acceptable.
checkMicrosoftOfficeMacroSecurityLevel.String.5
    Microsoft Office %s is not installed.
checkMicrosoftOfficeMacroSecurityLevel.String.6
    The Microsoft %s macro security level setting must be set to %s or above. To change the security level, open %s and do the following: Select \'Options...\' under the \'Tools\' menu. Choose the \'Security\' tab. Press the \'Macro Security...\' button. Select the \'Security Level\' tab. Finally, select the security level %s or higher.
checkNetBiosInfo.String.1
    An unsupported operating system was encountered.
checkPersonalFirewalls.String.1
    The required personal firewall software was not found. Install a personal firewall and keep it up-to-date. Supported firewall software: %s
checkPersonalFirewalls.String.2
    %s is installed but not running.
checkPersonalFirewalls.String.3
    %s service is installed and running.
checkServicePacks.String.1
    An unsupported operating system was encountered.
checkServicePacks.String.2
    The OS is not relevant to this test.
checkServicePacks.String.3
    There are no service packs installed. Run Windows Update to install the most recent service packs.
checkServicePacks.String.4
    There are no service packs installed. Run Windows Update to install the most recent service packs.
checkServicePacks.String.5
    All required service packs are installed
checkServicePacks.String.6
    The service packs installed are not current. Run Windows Update to install the most recent service packs. The current installed service pack is %s. You must be running service pack %s or later.
checkServicesNotAllowed.String.1
    All services found are allowed.
checkServicesNotAllowed.String.2
    The following services are not allowed: %s. Stop the service by selecting Control Panel>>Administrative Tools (located in the Performance and Maintenance category folder)>>Services application>>right-click on the service and select properties. Change the startup type to manual and click stop. Click OK to save your changes.
checkServicesNotAllowed.String.3
    %s (placeholder for the link location of each service)
checkServicesRequired.String.1
    All required services were found.
checkServicesRequired.String.2
    The following required services were not found: %s. Start the service by selecting Control Panel>>Administrative Tools>>Services application>>right-click on the service and select properties. Change the startup type to automatic and click start. Click OK to save your changes. If the service does not exist contact your administrator.
checkServicesRequired.String.3
    %s (placeholder for the link location of each service)
checkSoftwareNotAllowed.String.1
    Could not import the re module required by this test.
checkSoftwareNotAllowed.String.2
    All software found is allowed.
checkSoftwareNotAllowed.String.3
    Do not specify the HKEY_LOCAL_MACHINE\SOFTWARE registry key.
checkSoftwareNotAllowed.String.4
    The following software is not allowed: %s. Uninstall the software listed. Also, remove any file types listed by double-clicking My Computer>>select Tools>>Folder Options>>File Types and remove the file type mentioned.
checkSoftwareNotAllowed.String.5
    %s (placeholder for the link location of each software package)
checkSoftwareRequired.String.1
    Could not import the re module required by this test.
checkSoftwareRequired.String.2
    All required software is installed.
checkSoftwareRequired.String.3
    The required software was not found: %s.
checkSoftwareRequired.String.4
    %s (placeholder for the link location of each software package)
checkUniqueId.String.1
    An unsupported operating system was encountered.
checkUniqueId.String.2
    Could not determine unique ID
checkWindowsSecurityPolicy.String.1
    All Windows security policies are acceptable.
checkWindowsSecurityPolicy.String.2
    An unsupported operating system was encountered.
checkWindowsSecurityPolicy.String.3
    The OS is not relevant to this test.
checkWindowsSecurityPolicy.String.4
    The security setting required parameter '%s' is invalid
checkWindowsSecurityPolicy.String.5
    The following Windows security policies are configured incorrectly: %s. Set the Windows security policies by selecting Start>>Control Panel>>Administrative Tools>>Local Security Policy>>Local Policy>>Security Options>>double-click the policy and select enable or disable.
checkWindowsStartupRegistryEntriesAllowed.String.1
    All Windows startup registry entries are acceptable.
checkWindowsStartupRegistryEntriesAllowed.String.2
    The following Windows startup registry entries are not allowed in the HKEY_LOCAL_MACHINE>>Software>>Microsoft>>Windows Run and RunOnce registry keys: %s. Contact your network administrator for removal of these items from the registry.
checkWormsVirusesAndTrojans.String.1
    No worms, viruses or trojans were found.
checkWormsVirusesAndTrojans.String.2
    The following worms, viruses, or trojans were found: %s. Contact your network administrator for assistance on removing them.
checkAntiSpyware.String.1
    The %s software is installed and a scan was run recently on %s.
checkAntiSpyware.String.2
    The %s software was found but a scan has not been performed within the last %s days.
checkAntiSpyware.String.3
    The required anti-spyware software was not found. Supported anti-spyware software: %s
checkAntiSpyware.String.4
    The %s software was found but a signature update has not been performed within the last %s days.
checkAntiSpyware.String.5
    The %s software was found but a scan has never been performed.
checkBadIP.String.1
    There were no unauthorized network connections found.
checkBadIP.String.2
    An unsupported operating system was encountered.
checkBadIP.String.3
    The IP addresses %s are on unauthorized networks.
checkBadIP.String.4
    The IP address %s is on an unauthorized network.
6 NAC Policies
NAC policies are collections of tests that evaluate remote endpoints attempting to connect to your
network. You can use the standard tests installed with Sentriant AG, or you can create your own custom
tests.
NOTE
The default NAC policy is indicated by the check mark on the icon to the left of the NAC policy name. See
“Selecting the Default NAC Policy” on page 217 for instructions on selecting and changing the default NAC policy.
The NAC policies window (shown in Figure 120) is where you create NAC policies and groups, disable
NAC policies, delete NAC policies, and access specific NAC policies.
Once you access a specific policy, you can perform the following tasks:
● Basic settings—Edit NAC policies, assign NAC policies to a group, enable or disable the NAC
policy, select which OSs are not tested, but allowed access, set retest frequency, and set quarantine
times.
● Domains and endpoints—Assign endpoints and domains to a policy.
● Tests—Select tests, select test properties, select test failure actions.
To view the NAC policies window:
Home window>>NAC policies
Figure 120: NAC Policies
The following figure shows the legend explaining the NAC policies icons:
Figure 121: NAC Policies Window Legend
Standard NAC Policies
Sentriant AG ships with three standard NAC policies:
● High security
● Low security
● Medium security
NAC policies are organized in groups. Groups include the clusters defined for your system, a Default
group, and any other groups you create. Each standard policy has tests pre-selected. You can modify
these policies, or create custom policies.
NAC Policy Group Tasks
Add a NAC Policy Group
To add a NAC policy group:
Home window>>NAC policies
1 Click Add a NAC policy group. The Add NAC policy group window opens:
Figure 122: Add NAC Policy Group
2 Type a name for the group in the Name of NAC policy group text box.
3 Optional: Select the check box next to any NAC policy to move to this group.
4 Optional: Select the check box next to any cluster to move to this group.
5 Click ok.
Editing a NAC Policy Group
To edit an existing NAC policy group:
Home window>>NAC policies
1 Click on an existing NAC policy group name (for example, Default). The NAC policy group
window opens.
Figure 123: Edit NAC Policy Group
2 Make any changes required. See “Add a NAC Policy Group” on page 214 for details on NAC policy
group options.
3 Click OK to save or Cancel to return without saving.
Deleting a NAC Policy Group
To delete a NAC policy group:
Home window>>NAC policies
1 Move any NAC policies associated with the group to a different NAC policy group:
a Click on a NAC policy name.
b Select the new group from the NAC policy group drop-down list.
c Click ok.
NOTE
You can either move or delete the NAC policies associated with the group.
2 Repeat step 1 until there are no NAC policies associated with the group.
3 Select delete next to the NAC policy group you want to delete. A confirmation window appears.
4 Click yes on the Delete NAC policy group confirmation window.
NAC Policy Tasks
Enabling or Disabling a NAC Policy
Select which NAC policies are enabled or disabled.
To enable/disable a NAC policy:
Home window>>NAC policies
Click on the enable or disable link. An X indicates disabled.
Selecting the Default NAC Policy
To select the default NAC policy:
Home window>>NAC policies
Click on the up or down arrow to move the NAC policy. The default NAC policy is the one toward the
bottom of the list with the highest selection number as shown in the following figure:
Figure 124: Default NAC Policy
Creating a New NAC Policy
Create custom policies that are based on existing policies, or create new policies from scratch.
To create a new NAC policy:
Home window>>NAC policies
Sentriant AG Software Users Guide, Version 5.1 SR1
217
NAC Policies
1 Click Add a NAC policy. The Add NAC policy window opens as shown in the following figure:
Figure 125: Add a NAC Policy, Basic Settings Area
2 Enter a policy name.
3 Enter a description in the Description text box.
4 Select a NAC policy group.
5 Select either the enabled radio button or the disabled radio button.
6 Select the Operating systems that will not be tested but are allowed network access.
■ Windows ME, Windows 98, Windows 95, Windows NT
■ UNIX
■ All other unsupported OSs
NOTE
In DHCP mode, if an endpoint with an unsupported OS already has a DHCP-assigned IP address, Sentriant AG
cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires. If an
endpoint with an unsupported OS has a static IP address, Sentriant AG cannot affect this endpoint in any way. In
both of these cases, the System Monitor window may show the quarantined icon next to these endpoints; however, if
you hover your mouse over the red circle, the actual status shows that the endpoint should be quarantined, but the
quarantine action was unsuccessful.
CAUTION
Allowing untested endpoints on your network contains risks. See “Untestable Endpoints and DHCP Mode” on
page 236 for more information.
NOTE
A security best practice is to not allow unsupported operating systems (untested endpoints) on your network. It is
more secure to allow untested endpoints access to your network on a case-by-case basis by adding them to the
System configuration>>Exceptions>>Whitelist window.
7 In the Retest frequency area, enter how frequently Sentriant AG should retest a connected machine.
NOTE
A lower number ensures higher security, but puts more load on the Sentriant AG server.
8 In the Inactive endpoints area, enter how long an end-user can be inactive before they are
quarantined. To allow end-users to remain connected indefinitely select never quarantine inactive
endpoints.
9 Click the Domains and endpoints menu option to open the Domains and endpoints window,
shown in the following figure:
Figure 126: Add a NAC Policy, Domains and Endpoints
10 Click on a cluster name.
11 Enter the names of Windows domains to be tested by this cluster for this NAC policy, separated by a
carriage return.
12 Enter a single endpoint or list of endpoints separated by a carriage return using the endpoint IP
address, MAC address, NetBIOS name, or host name. Enter a range of IPs using a dash (-) between
or by using CIDR notation (see Table 14, “CIDR Naming Conventions,” on page 358).
NOTE
You can leave the Domains and Endpoints areas blank if you do not want to assign domains and endpoints to this
policy.
NOTE
Move the mouse cursor over the question mark (?) by the word Endpoints, then click on the CIDR notation link to
see the CIDR conversion table pop-up window.
13 Click the Tests menu option to open the Tests window:
Figure 127: Add NAC Policy, Tests Area
NOTE
The icons to the right of the tests indicate the test failure actions. See “Test Icons” on page 230.
14 Select a test to include in the NAC policy by clicking on the check box next to the test name.
15 Select a test by clicking on the test name to view the properties. For more information about test
properties, see “Selecting Test Properties” on page 228.
16 Select the test properties for this test. For more information about the specific tests, see “Tests Help”
on page 415.
17 Select an action to take when an endpoint fails this test (see “Selecting Action Taken” on page 226).
18 Click ok.
NOTE
Selecting the Send an email notification option sends an email to the address you identified in Sentriant AG
Home window>>System Configuration>>Notifications area. This option is defined per cluster.
Editing a NAC Policy
To edit an existing NAC policy:
Home window>>NAC policies
1 Click on a NAC policy name.
2 Change any of the options desired. See “Creating a New NAC Policy” on page 217 for details on the
options available.
3 Click ok.
Copying a NAC Policy
To copy an existing NAC policy:
Home window>>NAC policies
1 Click the copy link to the right of the NAC policy you want to copy.
2 Enter a new NAC policy name.
3 Change any of the options desired. See “Creating a New NAC Policy” on page 217 for details on the
options available.
4 Click ok.
Deleting a NAC Policy
To delete an existing NAC policy:
Home window>>NAC policies
1 Click the delete link to the right of the NAC policy you want to delete. A confirmation window
appears.
2 Click yes.
Moving a NAC Policy Between NAC Policy Groups
To move a NAC policy between NAC policy groups:
Home window>>NAC policies
1 To open the NAC policies window, click a NAC policy name.
2 Select a new NAC policy group from the NAC policy group drop-down list.
3 Click ok.
Assigning Endpoints and Domains to a Policy
Select which endpoints are associated with each policy.
To assign endpoints and domains to a policy:
Home window>>NAC policies>>Select a NAC Policy>>Domains and endpoints menu option
1 Enter a single endpoint or list of endpoints separated by a carriage return using the endpoint IP
address, MAC address, or NetBIOS name. Enter a range of IPs using a dash (-) between them, or by
using CIDR notation (see “Entering Networks Using CIDR Format” on page 358).
2 In the Windows domains area, enter a domain name or list of domain names separated by a carriage
return.
3 Click ok.
NOTE
Adding an endpoint or domain to multiple policies results in the endpoint being assigned to the first enabled NAC
policy in the list.
NAC Policy Hierarchy
If an endpoint is listed in more than one NAC policy, the order of use is alphabetical by name of
NAC policy (not including the default NAC policy).
Setting Retest Time
Retest endpoints connected to your network frequently to guard against potential changes in the remote
endpoint configurations.
To set the time to wait before retesting a connected endpoint:
Home window>>NAC policies>>Select a NAC Policy>>Basic settings menu option
1 In the Retest frequency area, enter how frequently in minutes, hours, or days Sentriant AG should
retest a connected endpoint.
NOTE
A lower number ensures higher security, but puts more load on the Sentriant AG server.
2 Click ok.
Setting Connection Time
When an endpoint is inactive for a period of time, you can elect to automatically move the endpoint to
a quarantined state. Quarantining inactive endpoints guards against unauthorized access to the
network. When the endpoint becomes active again, the usual process occurs for moving the endpoint
out of quarantine. For example, if the endpoint was in good standing prior to the inactivity quarantine,
the end-user may just need to log in again; however, other changes (such as a policy change or new
required hotfix) may require the end-user to perform some action before being allowed on the network
again.
To set the time an end-user can be inactive:
Home window>>NAC policies>>Select a NAC Policy>>Basic settings menu option
1 In the Inactive endpoints area, enter how long an end-user can be inactive before they are
quarantined.
NOTE
A lower number ensures higher security.
2 Click ok.
Defining Non-supported OS Access Settings
To define what actions to take for endpoints with non-supported operating systems:
Home window>>NAC policies>>Select a NAC Policy>>Basic settings area
1 In the Operating systems area, select the check box beside any operating system that you will allow
access without being tested.
2 Click ok.
Setting Test Properties
Test properties are specific to the particular test. Select the properties you want applied. Tests are
explained in detail in “Tests Help” on page 415.
To set the test properties for a specific test:
Home window>>NAC policies>>Select a NAC Policy>>Tests menu option
1 Click on the name of test to display the test’s options.
NOTE
Click a test name to display the options; select the test check box to enable the test for the policy you are
modifying.
2 Select the test failure actions to apply for this test:
■ Send email notification
■ Quarantine access
3 Select any test properties if applicable.
4 Click ok.
Selecting Action Taken
Actions can be passive (send an email), active (quarantine) or a combination of both.
To select the action to take:
Home window>>NAC policies>>Select a NAC Policy>>Tests menu option
1 Click on the name of test to display the test’s options.
NOTE
Click a test name to display the options; select the test check box to enable the test for the policy you are
modifying.
2 Select one of the following when an endpoint fails this test:
■ Send an email notification—Sends an email to the email address specified (see “Notifications”
on page 138).
NOTE
An email is sent for each retest.
■ Quarantine access—Specify when the endpoint should be denied access.
● immediately
● grant temporary access
If you select a temporary access period here, the end-users are allowed temporary access for the
specified time, after which they are denied access until they pass the test. The temporary access
period allowed is shown on the end-user results window (see “End-user Access” on page 169).
NOTE
The minimum amount of time you can grant temporary access is 10 minutes.
3 To use a patch manager:
a Select the Initiate patch manager to fix the problem and retest the endpoint when it finishes
check box.
b Select a patch manager from the Patch manager drop down list.
c Enter a number for the times to retest before failing in the Maximum number of retest attempts
text box. For example, 10.
d Enter a number of seconds between retests in the Retest interval text box. For example, 30.
4 Click ok if you are done in the Tests window, or continue making changes to other tests.
About Sentriant AG Tests
Sentriant AG tests are assigned to NAC policies. NAC policies are used to test endpoints attempting to
connect to your network. Sentriant AG tests might be updated as often as hourly; however, at the time
of this release, the tests shown in “Tests Help” on page 415 were included (see “Viewing Information
About Tests” on page 228 for instructions on viewing the latest list of tests).
Viewing Information About Tests
To view the most current list of tests and descriptions:
Home window>>NAC policies>>Select a NAC Policy>>Tests menu option
Click on a test name. The test description and selectable properties are shown for the selected test.
If the icons (Figure 128 on page 230) are red, the test is enabled and the actions selected will take effect
immediately. If the icons are gray, the test is not enabled, and the actions will not take effect. To enable
the test, select the check box next to the test name.
Selecting Test Properties
Tests either have standard properties (non-selectable), selectable properties, or text entry fields.
Select the check box or radio button that applies for each test. A check box indicates that you can make
multiple selections. A radio button indicates that you can make one choice from the list.
Entering Software Required/Not Allowed
Sentriant AG checks the Windows registry on the endpoint for the existence of software. Most software
vendors record their product information in the HKEY_LOCAL_MACHINE\Software registry key using the
following format:
<vendor>\<software package>\<version>
For example, Mozilla\Mozilla Firefox 1.5.0.6
You can enter any combination of these keys in the Sentriant AG text entry fields to detect a vendor,
software package and version on an endpoint (for example, you can also enter Mozilla\Firefox or
simply Mozilla) and Sentriant AG searches for them in the HKEY_LOCAL_MACHINE\Software registry
key sub-tree.
NOTE
The entries are not case sensitive. This test simply checks to see if the registry key exists in
HKEY_LOCAL_MACHINE\Software or HKEY_CURRENT_USER\Software. So, these values must match the registry
keys as displayed in the registry editor. If you just specify Mozilla (or mozilla) and
HKEY_LOCAL_MACHINE\Software\Mozilla exists in the registry, the test would match.
To find the software registry keys on the endpoint:
1 Select Start>>Run
2 Type:
regedit
3 Click OK.
4 Expand the HKEY_LOCAL_MACHINE key.
5 Expand the SOFTWARE key.
6 View the sub-trees for the various vendors’ software and versions.
NOTE
If you’re looking for a registry key, you enter a trailing slash. If you’re looking for a registry value, you do not enter a
trailing slash.
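The matching rules above (case-insensitive lookup under HKEY_LOCAL_MACHINE\Software or HKEY_CURRENT_USER\Software, a trailing backslash meaning a key and none meaning a key or a value) are modelled below in Python as an added example; it is not Sentriant AG code, and the in-memory registry tree and the interpretation of the trailing-backslash rule are this example's own assumptions.

```python
"""Model of the Software Required / Not Allowed registry check.

Added example, not Sentriant AG code. It reproduces the documented rules
(case-insensitive, searched under HKLM\\Software and HKCU\\Software, trailing
backslash = key required, no trailing backslash = key or value accepted)
against a constructed in-memory registry so the behaviour can be checked
offline.
"""
from typing import Dict, List

# Constructed sample registry: nested dicts are keys, anything else is a value.
SAMPLE_REGISTRY: Dict[str, Dict] = {
    "HKEY_LOCAL_MACHINE\\Software": {
        "Mozilla": {
            "Mozilla Firefox 1.5.0.6": {"CurrentVersion": "1.5.0.6"},
        },
        "Microsoft": {"Windows": {}},
    },
    "HKEY_CURRENT_USER\\Software": {
        "Policies": {},
    },
}


def _lookup(tree: Dict, parts: List[str]):
    """Walk the tree case-insensitively; return the node found or None."""
    node = tree
    for part in parts:
        if not isinstance(node, dict):
            return None  # tried to descend below a value
        match = next((k for k in node if k.lower() == part.lower()), None)
        if match is None:
            return None
        node = node[match]
    return node


def registry_entry_exists(registry: Dict, entry: str) -> bool:
    """True if the text-box entry (for example 'Mozilla' or
    'Mozilla\\Mozilla Firefox 1.5.0.6\\') exists under either Software hive."""
    wants_key = entry.endswith("\\")
    parts = [p for p in entry.strip("\\").split("\\") if p]
    if not parts:
        return False
    for hive in ("HKEY_LOCAL_MACHINE\\Software", "HKEY_CURRENT_USER\\Software"):
        node = _lookup(registry.get(hive, {}), parts)
        if node is None:
            continue
        if wants_key and not isinstance(node, dict):
            continue  # found a value where a key was required
        return True
    return False


def evaluate_software_test(registry: Dict, required: str, not_allowed: str):
    """required / not_allowed are the text-box contents, one entry per line.
    Returns (passed, missing_required_entries, present_forbidden_entries)."""
    req = [ln.strip() for ln in required.splitlines() if ln.strip()]
    ban = [ln.strip() for ln in not_allowed.splitlines() if ln.strip()]
    missing = [e for e in req if not registry_entry_exists(registry, e)]
    present = [e for e in ban if registry_entry_exists(registry, e)]
    return (not missing and not present), missing, present
```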
Entering Service Names Required/Not Allowed
Services are Windows operating system applications that run automatically, without manual
intervention.
To find the service names on the endpoint:
Service names must be entered exactly as they appear in Control panel>>Administrative
tools>>Services application.
NOTE
Enter the names of software and services in the Sentriant AG text entry field separated by a carriage return.
For example, the following are services:
● Telnet
● Utility Manager
● Windows Installer
Entering the Browser Version Number
To specify the minimum browser version the end-user needs:
1 For Mozilla Firefox:
a Clear the Check For Mozilla Firefox [1.5] check box.
b Type a version number in the text entry field.
2 For Internet Explorer on Windows XP and Windows 2003:
a Clear the Check For Internet Explorer for Windows XP and Windows 2003 [6.0.2900.2180] check
box.
b Type a version number in the text entry field.
3 For Internet Explorer on Windows 2000:
a Clear the Check For Internet Explorer for Windows 2000 [6.0.2800.1106] check box.
b Type a version number in the text entry field.
Test Icons
The NAC policy tests show icons that represent the test failure action selected as shown in the following
figure:
Figure 128: NAC Policy Test Icons
7 Quarantined Networks
This chapter describes the following general Sentriant AG quarantine information:
● “Endpoint Quarantine Precedence” on page 231
● “Using Ports in Accessible Services and Endpoints” on page 232
● “Always Granting Access to an Endpoint” on page 234
● “Always Quarantining an Endpoint” on page 235
● “New Users” on page 235
● “Shared Resources” on page 236
● “Untestable Endpoints and DHCP Mode” on page 236
Endpoint Quarantine Precedence
Endpoints are quarantined in the following hierarchical order:
1 Access mode (normal operation or allow all)
2 Temporarily quarantine for/Temporarily grant access for radio buttons
3 Endpoint testing exceptions (always grant access, always quarantine)
4 Post-connect (external quarantine request)
5 NAC policies
NOTE
In DHCP mode, if an endpoint with an unsupported OS already has a DHCP-assigned IP address, Sentriant AG
cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires. If an
endpoint with an unsupported OS has a static IP address, Sentriant AG cannot affect this endpoint in any way. In
both of these cases, the System Monitor window may show the quarantined icon next to these endpoints; however, if
you hover your mouse over the post-connect service icon, the actual status shows that the endpoint should be
quarantined, but the quarantine action was unsuccessful.
The following describes the process in more detail:
● Access mode (1) overrides the items below it in the previous list (2, 3, 4, and 5). Use the Access
mode radio buttons (System monitor>>select a cluster>>Quarantining) to act globally on all
endpoints in an Enforcement cluster.
● The Temporarily quarantine for/Temporarily grant access for radio buttons (Endpoint
activity>>select an endpoint check box>>Change access) override the items below them in the list
(3, 4, and 5).
■ Use Temporarily quarantine for to temporarily quarantine endpoints that:
● Have been designated Whitelist (System configuration>>Exceptions)
● Are defined in NAC policies and have passed tests
■ Use Temporarily grant access for to allow temporary access to endpoints that:
● Have been designated Blacklist (System configuration>>Exceptions).
● Are defined in NAC policies and have failed tests
NOTE
Use the Clear temporary access control status radio button to remove the temporary access or temporary quarantine
state enabled by the Temporarily quarantine for/Temporarily grant access for radio buttons.
● Endpoint testing exceptions override the items following them in the list (4 and 5). Use Endpoint testing
exceptions (System configuration>>Exceptions) to always allow or always quarantine endpoints
that are defined in NAC policies. For example, a NAC policy might have a range of IP addresses
defined for testing, but you want to exclude specific IP addresses within that range from the tests, so
you could specify them here as Whitelist or Blacklist.
● Post-connect overrides the item following it in the list (5).
NOTE
The change access button on the System Configuration>>Endpoint activity window is enabled only when the action
is possible; for example, when an endpoint or endpoints are selected.
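As an added example (not Sentriant AG code), the following Python encodes the five-level precedence above together with two rules stated elsewhere in this guide: the whitelist wins when an endpoint is on both exception lists, and the NAC policy hierarchy picks the first enabled policy alphabetically, falling back to the default policy. The field names, and the choice to quarantine an endpoint that no enabled policy covers, are this example's own assumptions.

```python
"""Decision procedure for the Endpoint Quarantine Precedence list.

Added example, not Sentriant AG code. Levels, in order: access mode,
temporary quarantine/grant override, endpoint testing exceptions
(whitelist beats blacklist), post-connect quarantine request, NAC policy
test outcome. Field names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class NacPolicy:
    name: str
    enabled: bool
    members: List[str]          # endpoints assigned to this policy
    is_default: bool = False


@dataclass
class ClusterState:
    access_mode: str = "normal"                       # "normal" or "allow_all"
    temp_override: Dict[str, str] = field(default_factory=dict)  # ep -> "quarantine" | "grant"
    whitelist: List[str] = field(default_factory=list)
    blacklist: List[str] = field(default_factory=list)
    post_connect_quarantine: List[str] = field(default_factory=list)
    policies: List[NacPolicy] = field(default_factory=list)
    test_results: Dict[Tuple[str, str], bool] = field(default_factory=dict)  # (ep, policy) -> passed


def select_policy(state: ClusterState, endpoint: str) -> Optional[NacPolicy]:
    """NAC Policy Hierarchy: the first enabled policy, alphabetical by name,
    that lists the endpoint; the default policy only when nothing else matches."""
    candidates = sorted(
        (p for p in state.policies
         if p.enabled and not p.is_default and endpoint in p.members),
        key=lambda p: p.name.lower(),
    )
    if candidates:
        return candidates[0]
    return next((p for p in state.policies if p.enabled and p.is_default), None)


def decide(state: ClusterState, endpoint: str) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow' or 'quarantine'."""
    # 1. Access mode overrides everything below it.
    if state.access_mode == "allow_all":
        return "allow", "access mode: allow all"
    # 2. Temporarily quarantine for / Temporarily grant access for.
    override = state.temp_override.get(endpoint)
    if override == "quarantine":
        return "quarantine", "temporarily quarantined"
    if override == "grant":
        return "allow", "temporary access granted"
    # 3. Endpoint testing exceptions; whitelist wins if listed in both.
    if endpoint in state.whitelist:
        return "allow", "whitelist (allow access without testing)"
    if endpoint in state.blacklist:
        return "quarantine", "blacklist (always quarantine)"
    # 4. Post-connect external quarantine request.
    if endpoint in state.post_connect_quarantine:
        return "quarantine", "post-connect quarantine request"
    # 5. NAC policy test outcome.
    policy = select_policy(state, endpoint)
    if policy is None:
        # Assumption of this example: nothing to test against, so quarantine.
        return "quarantine", "no enabled NAC policy applies"
    if state.test_results.get((endpoint, policy.name), False):
        return "allow", f"passed tests in NAC policy {policy.name}"
    return "quarantine", f"failed tests in NAC policy {policy.name}"
```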
Using Ports in Accessible Services and Endpoints
To use a port number when specifying accessible services and endpoints (cluster default):
Home window>>System configuration>>Accessible services
The following figure shows the Accessible services window:
Figure 129: System Configuration, Accessible Services
In order to grant access for quarantined endpoints to needed services, add entries to the Accessible
services list. For inline enforcement mode, enter the IP addresses of the servers that provide the
services. A port or ports can be added to limit the access to the servers from quarantined endpoints.
For all other deployment modes, the Fully Qualified Domain Name (FQDN) of the target servers should
be added to the list (for example mycompany.com). If the specified servers are not behind an ES, a
network firewall must be used to control access to only the desired ports.
1 For inline enforcement mode, in the Accessible services and endpoints area, enter an endpoint
followed by a colon (:), followed by a port number as shown as follows:
10.0.16.100:53
Separate multiple endpoint entries with a carriage return (new line):
10.0.16.100:53
10.0.16.100:80
10.0.16.100:81
10.0.16.100:82
2 Click ok.
NOTE
Enter a range of ports as follows:
10.0.16.100:53:65
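A parser for the entry formats shown above (bare host, host:port, and host:low:high for a port range, one entry per line), written here as an added example rather than taken from Sentriant AG. The requirement that inline-mode entries be IP addresses follows the text above; the function names are this example's own.

```python
"""Parser for the Accessible services and endpoints list format.

Added example, not Sentriant AG code. Accepts the three entry forms the
guide shows: a bare host (FQDN, used by non-inline modes), host:port, and
host:low:high for a port range, one entry per carriage return.
"""
import ipaddress
from typing import List, Optional, Tuple

# (host, low_port, high_port); both ports are None for a bare host entry.
Entry = Tuple[str, Optional[int], Optional[int]]


def _port(text: str) -> int:
    if not text.isdigit():
        raise ValueError(f"port is not numeric: {text!r}")
    value = int(text)
    if not 1 <= value <= 65535:
        raise ValueError(f"port out of range: {value}")
    return value


def parse_entry(line: str) -> Entry:
    """Parse one line: 'host', 'host:port' or 'host:low:high'."""
    parts = line.strip().split(":")
    host = parts[0]
    if not host:
        raise ValueError("empty host")
    if len(parts) == 1:
        return host, None, None
    if len(parts) == 2:
        p = _port(parts[1])
        return host, p, p
    if len(parts) == 3:
        lo, hi = _port(parts[1]), _port(parts[2])
        if lo > hi:
            raise ValueError(f"port range reversed: {lo}:{hi}")
        return host, lo, hi
    raise ValueError(f"too many fields in entry: {line!r}")


def parse_accessible_services(text: str, inline_mode: bool) -> List[Entry]:
    """Parse the whole text box. In inline enforcement mode the guide says
    entries are server IP addresses, so the host must parse as an IP."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        host, lo, hi = parse_entry(raw)
        if inline_mode:
            ipaddress.ip_address(host)  # raises ValueError for a non-IP host
        entries.append((host, lo, hi))
    return entries


def is_port_accessible(entries: List[Entry], host: str, port: int) -> bool:
    """True if quarantined endpoints may reach host:port under these entries.
    A bare host entry (no port) permits every port on that host."""
    for h, lo, hi in entries:
        if h != host:
            continue
        if lo is None or lo <= port <= hi:
            return True
    return False
```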
Always Granting Access to an Endpoint
To always grant access to an endpoint without testing:
Home window>>System configuration>>Exceptions
The following figure shows the Exceptions window.
Figure 130: System Configuration, Exceptions
1 In the Whitelist area:
a In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names
separated by carriage returns.
b In the Windows domains area, enter one or more domain names separated by carriage returns.
2 Click ok.
CAUTION
If you enter the same endpoint for both options in the Endpoint testing exceptions area, the Allow access without
testing option is used.
CAUTION
Please read “Untestable Endpoints and DHCP Mode” on page 236 so that you fully understand the ramifications of
allowing untested endpoints on your network.
Always Quarantining an Endpoint
To always quarantine an endpoint without testing (cluster default):
Home window>>System configuration>>Exceptions
1 In the Blacklist area:
a In the Endpoints area, enter one or more MAC addresses, IP addresses, or NetBIOS names
separated by carriage returns.
b In the Windows domains area, enter one or more domain names separated by carriage returns.
2 Click ok.
CAUTION
If you enter the same endpoint for both options in the Endpoint testing exceptions area, the Allow access without
testing option is used.
New Users
The process Sentriant AG follows for allowing end-users to connect is:
● Inline mode—An IP address is assigned to the endpoint outside of Sentriant AG. When the end-user
attempts to connect to the network, Sentriant AG either blocks access or allows access by adding the
endpoint IP address to the internal firewall.
● DHCP mode—New end-users boot their computers. The boot process looks for an IP address and,
because they are new end-users and no information is known about the endpoints, a temporary
quarantined IP address is assigned. The end-users log in on the Windows login screen. The end-users
start IE and Sentriant AG attempts to test the endpoint. The endpoints either retain the
quarantined IP address, or are assigned a non-quarantined network IP address based on the testing
result.
● 802.1X mode—An endpoint attempts to connect to the network. The end-user’s identity is verified
via an authentication server. If the endpoint is not authenticated, it is quarantined (allowed access to
a limited VLAN). If the endpoint is authenticated, it is tested by Sentriant AG. If the endpoint fails
the Sentriant AG testing, it is quarantined (allowed access to a limited VLAN). If the endpoint passes
the Sentriant AG testing, it is allowed access to the network (VLAN).
Shared Resources
If the end-users typically make connections to shared services and endpoints during the boot process,
these shares are unable to connect while the endpoint has the quarantined IP address, unless the
services and endpoints are listed in the Accessible services and endpoints area (see “Accessible
Services” on page 134). Once the endpoints are assigned a non-quarantined IP address, the users can
gain access to the shares by logging out of Windows and logging back into Windows. Rebooting the
endpoints also works, but is not necessary.
Untestable Endpoints and DHCP Mode
If you have an endpoint that does not have a supported operating system, you can allow access or
quarantine the endpoint. The current supported operating systems are listed in “Endpoints Supported”
on page 170.
If you allow an untested endpoint to have access, there are several important items to keep in mind.
The IP address granted by your DHCP server has a lease expiration period that cannot be affected by
the Sentriant AG server. Once an untested endpoint has been allowed access and assigned a
non-quarantined IP address by your DHCP server, that endpoint has continual access through that IP
address until the IP address lease expires. For example, you are not able to quarantine that endpoint
(or take any other action on that endpoint) with Sentriant AG until the lease expires. It is not unusual
for system administrators to set a lease expiration time of three or more days.
NOTE
The access status column on the Endpoint activity window shows unable to quarantine, and the action cannot
complete until the IP address lease expires.
NOTE
It is strongly recommended that if you are going to allow untested endpoints on your network, you set extremely
short lease times (use hours rather than days) on your DHCP server.
This process results in the following condition for an untested endpoint:
When new end-users log in for the first time, are tested, and are allowed access, there is up to a
three-minute delay between the time the Sentriant AG server determines that they are allowed access and the
point at which they are actually allowed access, potentially causing concern to the end-user. This
uncertainty is due to the three-minute lease on the temporary quarantined IP address assigned during
the initial login process. Once the lease expires (in at most three minutes), a new IP address (the
non-quarantined IP address) can be assigned and access is actually granted.
To define access settings for non-supported operating systems, see “Defining Non-supported OS Access
Settings” on page 226.
Windows Domain Authentication and Quarantined Endpoints
In order to satisfy the following scenarios:
● A guest user gets redirected
● A user is redirected if their home page is the Intranet
● The only host that is resolved is the domain controller (DC); no other intranet hosts are resolved.
● Windows domain authentication can take place from quarantine with minimal configuration
Perform the following steps:
1 Configure the domain suffixes in the quarantine areas to a placeholder, such as the following:
quarantine.bad
2 Enter the full domain controller hostnames in the System configuration>>Accessible services area
(for example, dc01.mycompany.com, dc02.mycompany.com).
3 Ensure that each ES has a valid, fully qualified domain name (FQDN) and that the domain portion
matches the domain for the registered windows domain.
4 Ensure that each ES is configured with one or more valid DNS servers that can fully resolve (both A
and PTR records) each ES.
5 Ensure that the following ports on the domain controller/active directory (DC/AD) servers are
available from quarantine:
■ 88
■ 389
■ 135-139
■ 1025
Sentriant AG will then look up the Kerberos and LDAP services, and resolve those services within its
own DNS server used for quarantined devices.
For example:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc01.lvh.com
8 High Availability and Load Balancing
High Availability
High availability occurs when one or more ESs takes over for an ES that has become unavailable in a
multiple-server installation.
Once an ES becomes unavailable, the other ESs take over enforcement from the ES that is now
unavailable. All ESs participate in enforcement. The MS provides notification in the user interface at the
top of the Home window. For example, if an ES is unavailable, the notification indicates that at the top
of the Home window.
When Sentriant AG is installed inline in a multiple-server configuration (Figure 131), the multiple ESs
form a network loop (an undesired condition). The Spanning Tree Protocol (STP) detects the loop and
closes one of the offending ports on the switch based on the switch configuration. If an ES becomes
unavailable, the switch reconnects so that there is always a path from the VPN to an ES. All of the ES
firewalls continuously stay in sync with each other.
Figure 131: Inline Installations
Figure 132: DHCP Installation
Figure 133: 802.1X Installation
Load Balancing
Load balancing distributes the testing of endpoints across all Sentriant AG ESs in a cluster. Sentriant AG
uses a hashing algorithm based on MAC or IP addresses to divide the endpoints between the ESs.
If the MAC address is unavailable (untestable endpoint) the IP address is used to determine which ES
should test an endpoint. If an ES detects an endpoint for which it is not responsible, it notifies the
correct ES of the endpoint and that ES takes over testing.
If an ES fails, any services that are protected by that ES may become inaccessible, depending on the
nature of the ES failure. However, the redundant services that are protected by the other ESs are still
available.
NOTE
Protected services are services that are running on any servers that sit on the eth1 side of the failed ES, such as
AD, DNS, DHCP, NTP, file server, print server, and so on.
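The MAC-or-IP hashing and the hand-off between ESs described above, as an added example rather than Sentriant AG's own code: the guide does not state which hash it uses, so the SHA-1-based bucket selection, the ES names and the helper names are this example's assumptions. Passing in only the ESs that are currently available is how the example models the high-availability takeover.

```python
"""Model of Sentriant AG load balancing and ES takeover.

Added example, not Sentriant AG code. The guide says a hash of the MAC
address (or of the IP address when no MAC is known, the untestable-endpoint
case) divides endpoints between the ESs; the hash used here is this
example's own choice. ES names are constructed.
"""
import hashlib
from typing import List, Optional


def endpoint_key(mac: Optional[str], ip: str) -> str:
    """Hash input: the MAC address when known (normalised so that
    00-11-22-33-44-55 and 00:11:22:33:44:55 agree), otherwise the IP address."""
    if mac:
        return mac.lower().replace("-", ":")
    return ip


def responsible_es(available_es: List[str], mac: Optional[str], ip: str) -> str:
    """Pick the ES responsible for testing this endpoint. Only available ESs
    are passed in, so when one becomes unavailable its endpoints fall to the
    survivors, which is the takeover the High Availability section describes."""
    if not available_es:
        raise ValueError("no available ES in the cluster")
    digest = hashlib.sha1(endpoint_key(mac, ip).encode()).digest()
    index = int.from_bytes(digest[:4], "big") % len(available_es)
    return available_es[index]


def handoff_target(this_es: str, available_es: List[str],
                   mac: Optional[str], ip: str) -> Optional[str]:
    """If this ES detects an endpoint it is not responsible for, return the
    ES it should notify; None means this ES tests the endpoint itself."""
    owner = responsible_es(available_es, mac, ip)
    return None if owner == this_es else owner
```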
9 Inline Quarantine Method
Inline is the most basic Sentriant AG installation. When deploying Sentriant AG inline, Sentriant AG
monitors and enforces all endpoint traffic. Sentriant AG allows endpoints to access the network or
blocks endpoints from accessing the network based on their Internet Protocol (IP) address with a
built-in firewall (iptables).
When Sentriant AG is installed in a single-server installation, Sentriant AG becomes a Layer 2 bridge
that requires no changes to the network configuration settings.
As shown in Figure 134, when Sentriant AG is installed inline in a multiple-server configuration, the
multiple ESs form a Layer 2 bridge that spans two switches, resulting in a network loop. This is an
undesirable situation. To prevent this, you may have to configure the switch that connects the
Sentriant AG ESs to use Spanning Tree Protocol (STP), if STP is not already configured. The STP
automatically detects the loop, and closes one of the offending ports on the switch based on the switch
configuration. If an ES becomes unavailable, the switch automatically reconnects the previously closed
port so that there is always a path from the VPN to an ES.
See the Sentriant AG Installation Guide for more information on installing Sentriant AG in inline mode.
Figure 134: Inline Installations
NOTE
You can install Sentriant AG at any “choke point” in your network; a VPN is not required.
10 DHCP Quarantine Method
When configured with a Dynamic Host Configuration Protocol (DHCP) quarantine area, all endpoints
requesting a DHCP IP address are issued a temporary address on a quarantine subnetwork. Once the
endpoint is allowed access, the IP address is renewed and the main DHCP server assigns an address to
the main LAN.
With a multiple subnetwork or VLAN network, one quarantine area must be configured for each
subnetwork.
Quarantine areas are defined on a per-cluster basis and pushed down to all ESs joined to that cluster.
See the Sentriant AG Installation Guide for more information on installing Sentriant AG in DHCP mode.
Figure 135: DHCP Installation
Configuring Sentriant AG for DHCP
The primary configuration required for using Sentriant AG and DHCP is setting up the quarantine area
(see “Setting up a Quarantine Area” on page 249). You should also review the following topics related
to quarantining endpoints:
● Endpoint quarantine precedence (see “Endpoint Quarantine Precedence” on page 231).
● Untested endpoints (see “Untestable Endpoints and DHCP Mode” on page 236).
● Unsupported operating systems (see “Defining Non-supported OS Access Settings” on page 226).
● Endpoint testing exceptions (see “Always Granting Access to an Endpoint” on page 234 and
“Always Quarantining an Endpoint” on page 235).
● Action to take for failed tests (see “Selecting Action Taken” on page 226)
● DHCP quarantine options:
■ Router Access Control List (ACL) settings (see “Configuring the Router ACLs” on page 249).
■ Static routes assigned to the endpoint (see “Adding a DHCP Quarantine Area” on page 121)
● “Deploying Sentriant AG using DHCP” in the Sentriant AG Installation Guide.
Setting up a Quarantine Area
Set up a restricted area of your network that users can access when you do not want to allow full access
to the network. See “Quarantining, General” on page 86 for instructions.
Router Configuration
If you do not elect to enforce using static routes on the endpoint (see “Quarantining, General” on page 86), you must configure router ACLs.
This option restricts the network access of non-compliant endpoints by assigning DHCP settings on a quarantined network. The network, gateway, and ACLs restricting traffic must be configured on your router, which is accomplished by multinetting or by adding a virtual interface to the router that acts as the quarantine gateway IP address. The quarantine area DHCP settings must reflect this configuration on your router.
Configuring the Router ACLs
In order to sufficiently restrict access to and from the quarantine area, you must configure your router Access Control Lists (ACLs) as follows:
● Allow traffic to and from the Sentriant AG server and the quarantined network.
● If you want to allow access to other endpoints outside of the quarantine area (for example, a Software Update Service (SUS) server), allow access to that server and port to and from the quarantined network.
● Deny all other traffic both to and from the quarantined network.
NOTE
Restrict access to and from the quarantined network at the switch level as well.
Configuring Windows Update Service for XP SP2
If you plan to use Endpoint Routing Enforcement, note that most endpoints running Windows XP Service Pack 2 cannot run Windows Update successfully from within quarantine because of a WinHTTP bug that, as of this writing, has not been fixed (see http://support.microsoft.com/kb/919477/ for more details). Endpoints not in quarantine are not affected.
The problem occurs because the Windows Update (WU) client software uses WinHTTP to connect to Microsoft's download sites. Internet Explorer connects to http://windowsupdate.microsoft.com; however, an error is displayed once the user clicks on the Express or Custom download buttons that invoke the WU client software.
Short of a Microsoft fix, the only way to update XP SP2 endpoints in quarantine is to deploy a local update server (such as Microsoft's free Windows Server Update Services, WSUS; see http://www.microsoft.com/technet/windowsserver/wsus/default.mspx) and make sure that this server is listed in Accessible Services and Devices (“Accessible Services” on page 134).
11 802.1X Quarantine Method
About 802.1X
802.1X is a port-based authentication protocol that can dynamically vary encryption keys. It has three components:
● Supplicant—The client; the endpoint that wants to access the network.
● Authenticator—The access point, such as a switch, that prevents access when authentication fails. The authenticator can be simple and dumb.
● Authentication server—The server that authenticates the user credentials; usually a Remote Authentication Dial-In User Service (RADIUS) server.
802.1X is an authentication framework that sends Extensible Authentication Protocol (EAP) messages packaged in Ethernet frames over LANs (EAPOL). This saves overhead because it does not require the full Point-to-Point Protocol (PPP) stack.
EAP supports multiple authentication methods, such as:
● Kerberos—An authentication system that uses an encrypted ticket to authenticate users.
● One-time passwords—An authentication system that uses a set of rotating passwords, each of which is used for only one login session.
● Certificates—A method for identifying a user that links a public key to the user’s or company’s identity, allowing them to send digitally signed electronic messages.
● Tokens—A credit-card or key-fob sized authentication device that displays a number synchronized with the authentication server. The number changes over time, and the user must enter the current number as part of the authentication process.
● Public key authentication—In an asymmetric encryption system, two keys are required: a public key and a private key. A message encrypted with one key can only be decrypted with the other; that is, if the public key encrypts a message, the private key must decrypt it.
The typical 802.1X connections are shown in Figure 136 on page 252. The typical communication flow is as follows:
1 A client (supplicant) requests access from the access point (AP) (authenticator).
2 The AP (authenticator) opens a port for EAP messages, and blocks all others.
3 The AP (authenticator) requests the client’s (supplicant’s) identity.
4 The client (supplicant) sends its identity.
5 The AP (authenticator) passes the identity on to the authentication server.
6 The authentication server performs the authentication and returns an accept or reject message to the AP (authenticator).
7 The AP (authenticator) allows or blocks the client’s (supplicant’s) access to the network by controlling which ports are open or closed.
Figure 136: 802.1X Components
Sentriant AG and 802.1X
When configured as 802.1X-enabled, Sentriant AG can be installed with three different configurations depending on your network environment:
● Microsoft IAS and Sentriant AG IAS Plug-in
With this method, the switch is configured with the IAS server IP address as the RADIUS server host. When the switch performs the RADIUS authentication, IAS authenticates the user. If successful, IAS then calls the Sentriant AG plug-in, which asks Sentriant AG for the health status of the endpoint. You can configure up to six Sentriant AG server URLs. The plug-in iterates over the list of servers, attempting to connect to one of them. Once a connection is made, the Sentriant AG plug-in uses that server URL until it is no longer available, at which point it iterates over the list of servers again. If necessary, the Sentriant AG plug-in overwrites the RADIUS attributes to specify the VLAN to place the endpoint into. IAS then returns the results to the switch.
● Proxying RADIUS requests to an existing RADIUS server
With this method, the switch is configured with the Sentriant AG IP address as the RADIUS server host. When the switch performs the RADIUS authentication against the Sentriant AG server, Sentriant AG proxies the request to another RADIUS server. As long as that server supports the authentication methods used by the client, it authenticates the proxied requests. When the end RADIUS server returns the proxied request after successful authentication, Sentriant AG overrides, if necessary, the RADIUS attributes that tell the switch which VLAN to place the endpoint in. Sentriant AG then returns the authentication results to the switch.
● Using the built-in Sentriant AG RADIUS server
With this method, all authentication takes place on the Sentriant AG server. The switch is configured with the Sentriant AG IP address as the RADIUS server host. Sentriant AG performs the authentication based on the FreeRADIUS configuration, inserts RADIUS attributes specifying into which VLAN to place the endpoint, and returns the result to the switch.
When Sentriant AG is used in an 802.1X network, the configuration is as shown in Figure 137, and the communication flow is shown in Figure 138 on page 255.
Figure 137: Sentriant AG 802.1X Enforcement
Figure 138: 802.1X Communications
Setting up the 802.1X Components
In order to use Sentriant AG in an 802.1X environment, Extreme Networks, Inc. recommends
configuring your environment first, then installing and configuring Sentriant AG.
This section provides instructions for the following:
● “Setting up the RADIUS Server” on page 256
● “Enabling Sentriant AG for 802.1X” on page 282
● “Setting up the Supplicant” on page 283
● “Setting up the Authenticator” on page 290
Setting up the RADIUS Server
Switches support 802.1X authentication by authenticating against a RADIUS server. The Sentriant AG
802.1X solution must be integrated with the RADIUS authentication to “intervene” in the authentication
process, test endpoints, and assign them to the appropriate VLAN. Sentriant AG can be deployed and
integrated with RADIUS in the following three ways:
● Install the Sentriant AG Plug-in to the Microsoft® IAS RADIUS server (see “Using the Sentriant AG IAS Plug-in to the Microsoft IAS RADIUS Server” on page 256).
● Proxy requests from the built-in Sentriant AG RADIUS server to any other RADIUS server (see “Proxying RADIUS Requests to an Existing RADIUS Server Using the Built-in Sentriant AG RADIUS Server” on page 279).
● Use the built-in Sentriant AG RADIUS server for authentication (see “Enabling Sentriant AG for 802.1X” on page 282).
Any of these solutions can be customized to work with your existing LDAP or Active Directory user databases. This section provides instructions for configuring these three options.
Using the Sentriant AG IAS Plug-in to the Microsoft IAS RADIUS Server
This section provides instructions for installing the Sentriant AG IAS plug-in into Microsoft IAS.
NOTE
For an explanation of how the components communicate, see “Sentriant AG and 802.1X” on page 252.
Microsoft® Windows Server™ 2003 Internet Authentication Service (IAS) is Microsoft’s implementation
of a Remote Authentication Dial-In User Service (RADIUS) server. This section provides instructions on
configuring this server to use with Sentriant AG.
For details on the Windows Server 2003 IAS, refer to the following link:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/ias.mspx
In addition to installing the Windows Server 2003 software, you also need to have a database of users
for authentication purposes. The Windows IAS implementation of RADIUS can use the following:
● Active Directory (recommended)
● A Windows NT domain
● The local Security Accounts Manager (SAM)
To add IAS to the Windows Server 2003 installation:
Windows desktop>>Start>>Settings>>Control Panel>>Add or remove programs
1 In the left column, click Add/Remove Windows Components. The Windows Components Wizard
window appears, as shown in the following figure.
Figure 139: Windows Components Wizard
2 Select the Networking Services check box.
3 Click Details. The Networking Services window appears, as shown in the following figure.
Figure 140: Networking Services
4 Select the check box for Internet Authentication Service and any other Windows Internet
Authentication Service (IAS) components you want to install.
5 Click OK.
6 Click Next.
7 Click Finish.
8 Install any IAS and 802.1X updates that are available.
http://www.microsoft.com/downloads/search.aspx?displaylang=en
Configuring the Microsoft IAS RADIUS Server
For an explanation of how the components communicate, see “Sentriant AG and 802.1X” on page 252.
Now that you have the RADIUS server installed, you need to log into it and perform the configuration
steps described in this section.
To configure the RADIUS server:
1 Log into the RADIUS server.
2 From the RADIUS server main window, select Start>>Settings>>Control Panel>>Administrative
Tools>>Internet Authentication Service.
3 Configure IAS to use Active Directory:
a Right-click on Internet Authentication Service (Local).
b Select Register Server in Active Directory (Figure 141).
c Click OK if a registration completed window appears.
4 Configure the RADIUS server parameters:
Figure 141: IAS, Register Server in Active Directory
a Right-click on Internet Authentication Service (local)
b Select Properties (Figure 142). The Properties window appears (Figure 143).
Figure 142: IAS, Properties Option
Figure 143: IAS, Properties
c General tab—
1) Enter a descriptive name in the Server Description text box. For example, IAS.
2) Select the Rejected authentication requests check box.
3) Select the Successful authentication requests check box.
d Ports tab—
1) Enter the authentication port numbers in the Authentication text box. The authentication port
(1812) is used to verify the user.
2) Enter the accounting port numbers in the Accounting text box. The accounting port (1813) is
used to track the user’s network use.
e Click OK.
5 Define the authenticators that use this RADIUS server for authentication.
a Right-click on RADIUS Clients.
b Select New RADIUS Client. The New RADIUS Client window appears:
Figure 144: IAS, New Client, Name and Address
c Enter a descriptive name for the Friendly name, such as Foundry.
d Enter the IP address of the authenticator in the Client address text box.
NOTE
Click Verify to test the connection.
e Click Next.
Figure 145: IAS, New Client, Additional Information
f Select RADIUS Standard from the Client Vendor drop-down list.
g Enter a password in the Shared secret text box. This password also needs to be entered when you
configure the authenticator.
NOTE
See your system administrator to obtain the shared secret for your switch.
h Re-enter the password in the Confirm shared secret text box.
i Select the Request must contain the Message Authenticator attribute check box.
j Click Finish.
6 Repeat step 5 for every authenticator in your system that uses this RADIUS server.
7 Create a Remote Access Policy:
If you already have an 802.1X environment configured, you already have a Remote Access Policy
defined; however, you can create as many as you need.
a Right-click on Remote Access Policy.
b Select New Remote Access Policies.
c Click Next. The New Remote Access Policy Wizard window appears:
Figure 146: IAS, New Remote Access Policy
d Select the Use the wizard radio button.
e Enter a meaningful name in the Policy Name text field.
f Click Next.
Figure 147: IAS, Remote Access Policy, Access Method
g Select the Ethernet radio button. (The Ethernet option will not work for authenticating wireless
clients with this policy.)
h Click Next.
Figure 148: IAS, Remote Access Policy, Group Access
i You can configure your Access policy by user or group. This example uses the group method. Select the Group radio button.
j Click Add. The Select Groups pop-up window appears:
Figure 149: IAS, Remote Access Policy, Find Group
k Click Advanced.
Figure 150: Remote Access Policy, Select Group
l Click Find Now to populate the Search Results area.
m Select Domain Guests.
n Click OK.
o Click OK.
p Click Next.
Figure 151: IAS, Remote Access Policy, Authentication Method
NOTE
If you choose PEAP as your authentication mechanism in step q, see step 8 before completing step r and step s.
Adding a certificate, if your server does not already have one, and configuring PEAP is explained in step 8.
q Select the EAP type from the drop-down list.
Important: The type selected here must match the type selected for the endpoint described in
step 5, step 7 on page 285.
r Click Next.
s Click Finish.
8 The PEAP authentication method requires that a specific type of SSL certificate is available for use during authentication. Click Configure. If you receive the error message shown in Figure 152, complete the steps in step 9 to request a certificate. Those steps assume there is a Domain Certificate Authority (CA) available to request a certificate. If there is no CA available, the certificate needs to be imported manually.
NOTE
To import the certificate manually:
1. Right-click on the Personal folder>>select All Tasks>>Import.
2. When the wizard opens, click Next.
3. Enter the path to the Sentriant AG certificate, for example:
https://esupport.extremenetworks.com
4. Click Next, Next, and Finish.
9 To request a certificate from a Domain Certificate Authority:
Figure 152: Error Message
a Open the Microsoft management console by choosing Start>>Run and entering mmc.
b Choose File>>Add/Remove Snap-in.
c Click Add.
d Choose the certificates snap-in and click Add.
e Select Computer account and click Next.
f Select Local Computer and click Finish.
g Click Close and OK to exit out of the properties.
h Open the Certificates folder under the Console Root.
i Right-click on the Personal folder and select All Tasks>>Request New Certificate.
j Follow the instructions to generate a certificate request. If there are no certificate templates available, you need to edit the certificate template permissions (in mmc add the certificate template snap-in, right-click on the template, select properties, and change the permissions for your user) on the certificate authority. The Computer or RAS and IAS templates both work.
k Once the Certificate is granted by the certificate authority, return to the IAS policy editor to
continue the setup.
l Click Configure to configure the certificate for use with the PEAP authentication method. The Protected EAP Properties window appears (Figure 153).
m Select the certificate you created in the previous steps, select the EAP types you want to use, and
click OK.
n Once the Certificate is granted by the certificate authority, edit the IAS policy.
o On the authentication tab click authentication methods.
p Select PEAP and click Edit.
q Select the new certificate and click Apply.
r Click Configure to configure the certificate for use with the PEAP authentication method. The Protected EAP Properties window appears, as shown in the following figure:
Figure 153: Protected EAP Properties
10 Configure the new Remote Access Policy.
Figure 154: IAP, Remote Access Policy, Properties
a Select Remote Access Policies.
b In the right pane, right-click the new policy name and select Properties. The Guest Policy
Properties window appears:
Figure 155: IAS, Remote Access Policy, Configure
c Click Edit Profile. The Edit Dial-in Profile window appears.
1) Authentication tab—Select the check boxes for the authentication methods you will allow.
This example does not use additional selections.
2) Advanced tab—Add three RADIUS attributes:
NOTE
The attributes you select might be different for different switch types. Contact Extreme Networks, Inc. Technical
Assistance Center (TAC) at (800) 998-2408 or support@extremenetworks.com if you would like assistance.
a) Click Add.
Figure 156: IAS, Remote Access Policy, Add Attribute
b) Select Tunnel-Medium-Type. (Adding the first of the three attributes.)
c) Click Add.
d) Click Add again on the next window.
e) From the Attribute value drop-down list, select 802 (includes all 802 media).
f) Click OK.
g) Click OK.
h) Select Tunnel-Pvt-Group-ID.
i) Click Add.
j) Click Add again on the next window. (Adding the second of the three attributes.)
k) In the Enter the attribute value area, select the String radio button and type the VLAN ID
(usually a number such as 50) in the text box.
l) Click OK.
m) Click OK.
n) Select Tunnel-Type. (Adding the third of the three attributes.)
o) Click Add.
p) Click Add again on the next window.
q) From the Attribute value drop-down list, select Virtual LANS (VLAN).
r) Click OK.
s) Click OK.
t) Click OK.
11 Repeat step 9 for every VLAN group defined in Active Directory.
IMPORTANT: The order of the connection attributes should be most-specific at the top and most-general at the bottom.
12 Turn on remote access logging
a Click on Remote Access Logging.
b In the right pane, right-click Local File.
c Select Properties. The Local File Properties window appears:
Figure 157: IAS, Remote Access Logging Properties
d Settings tab—Select any of the request and status options you are interested in logging.
e Log file tab—
1) In the Format area, select the IAS radio button.
2) In the Create a new log file area, select a frequency, such as Daily.
3) Select the When disk is full, delete older log files check box.
4) Click OK.
13 Install the Sentriant AG-to-IAS connector—The Sentriant AG IAS Connector is a DLL file that is
installed on your Windows Server 2003 machine where the IAS component is enabled. The connector
is called by IAS after the RADIUS authentication of an endpoint and during the authorization phase.
The connector contacts Sentriant AG and asks for the posture of the endpoint. Depending on the
posture of the endpoint, the plug-in can return RADIUS attributes to your switch instructing it into
which VLAN to place an endpoint. The following figure illustrates this process:
NOTE
If you have an existing Sentriant AG v4.1 certificate (compliance.keystore.cer), you need to replace it with the v5.x
certificate.
Figure 158: Sentriant AG-to-IAS Connector
a Copy the following Sentriant AG IAS Connector files from https://esupport.extremenetworks.com
to the WINDOWS/system32 directory on your Windows Server 2003 machine.
support/ias/SAIASConnector.dll
support/ias/SAIASConnector.ini
NOTE
SAIASConnector.ini is installed within Sentriant AG using standard system defaults. Utilities for this such as
DebugAttributes and DebugLevel should be modified only in conjunction with technical assistance through Extreme
Networks, Inc. Technical Assistance Center (TAC) at (800) 998-2408 or support@extremenetworks.com.
b Import the Sentriant AG server’s certificate so the connector can communicate with Sentriant AG
over SSL:
1) On the Windows Server 2003 machine, click Start.
2) Select run.
3) Enter mmc.
4) Click OK.
Figure 159: IAS, Add/Remove Snap-in
5) Select File>>Add/Remove Snap-in.
6) Click Add.
Figure 160: IAS, Add/Remove Snap-in, Certificates
7) Select Certificates.
8) Click Add.
9) Select the Computer account radio button.
10) Click Next.
11) Select the Local computer: (the computer this console is running on) radio button.
12) Click Finish.
13) Click Close.
14) Click OK.
Figure 161: IAS, Import Certificate
15) Right-click on Console Root>>Certificates (Local Computer)>>Trusted Root Certificate
Authorities.
16) Select All tasks>>import.
17) Click Next.
18) Click Browse and choose the certificate. The Sentriant AG server certificate (compliance.keystore.cer) is located at https://esupport.extremenetworks.com.
19) Click Next.
20) Click Next.
21) Click Finish.
14 Configure the Sentriant AG-to-IAS connector—
a Modify the INI file for your network environment.
Sentriant AG returns one of the following postures for an endpoint attempting to authenticate. For each posture received, a different RADIUS response to the switch can be configured using RADIUS attributes. This response determines into which VLAN the endpoint is placed.
Healthy—The endpoint passed all tests, or no failed tests were configured to quarantine.
Checkup—The endpoint failed a test and the action is configured to grant temporary access.
Quarantined—The endpoint failed a test and the action is configured to quarantine.
Unknown—The endpoint has not been tested.
Infected—The endpoint failed the Worms, Virus, and Trojans test.
To configure the response, edit the SAIASConnector.ini file. This file was copied from https://esupport.extremenetworks.com in step 13, step a on page 272.
b Enable the Authorization DLL file. At startup, IAS checks the registry for a list of third-party DLL
files to call.
1) Click Start.
2) Select Run.
3) Enter regedit.
4) Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
5) Create an AuthSrv folder if it does not already exist. (Edit>>New>>Key)
6) Create a Parameters folder inside the AuthSrv folder if it does not already exist. (New>>Key)
7) Right-click on the Parameters folder name.
8) Select New>>Multi-string value.
9) Type AuthorizationDLLs for the name and press Enter on the keyboard.
10) Right-click AuthorizationDLLs, and select Modify.
11) Enter the following value in the Value Data text box.
C:\Windows\System32\SAIASConnector.dll
12) Click OK.
c Restart the IAS server (Start>>Settings>>Control Panel>>Services>>Internet Authentication Services>>Restart). A log file (SAIASConnector.log) is created in the WINDOWS\system32 directory for debugging purposes.
15 Verify that you are using Microsoft’s version of the challenge-handshake authentication protocol
(CHAP) MSCHAPv2. If for some reason, you cannot upgrade to MSCHAPv2 at this time, perform
the following workaround for MSCHAPv1:
a Configure passwords:
1) From the Windows Server 2003 machine, select Start>>Settings>>Control
Panel>>Administrative Tools>>Active Directory Users and Computers.
Figure 162: Active Directory, Properties
2) Right-click on your directory name and select Properties.
3) Select the Group Policy tab.
4) Click Open.
5) Right-click Default Domain Policy and select Edit (click OK if you get a global changes popup message).
Figure 163: Active Directory, Store Passwords
6) Navigate to Computer Configuration>>Windows Settings>>Security Settings>>Account
Policies>>Password Policy.
7) Select Password Policy.
8) Right-click Store passwords using reversible encryption.
9) Select the Enabled check box.
10) Click OK.
11) Close the Group Policy Object Editor window.
12) Close the Group Policy Management window.
13) Close the <Active Directory Name> Properties window.
16 Create Active Directory user accounts.
a From the Windows Server 2003 machine, select Start>>Settings>>Control
Panel>>Administrative Tools>>Active Directory Users and Computers.
b Right-click on the user’s entry under the appropriate domain under Active Directory Users and
Computers.
c Enter the user information requested.
d Click Next.
e Enter the password information.
f Click Next.
g Click Finish.
h Repeat from step a for all users that need to authenticate using Active Directory.
17 Configure user accounts for Dial-in access and Password Reversible Encryption:
a From the Windows Server 2003 machine, select Start>>Settings>>Control
Panel>>Administrative Tools>>Active Directory Users and Computers.
b Click the plus symbol next to the domain to expand the selection.
c Select the Users folder.
Figure 164: Active Directory Users and Computers
d Right-click a user name and select Properties. The Properties windows appears:
Figure 165: Active Directory, User Account Properties
e Select the Dial-in tab.
f In the Remote Access Permission area, select the Allow Access radio button.
g Select the Account tab.
h Verify that you are using Microsoft’s version of the challenge-handshake authentication protocol
(CHAP) MSCHAPv2. If for some reason, you cannot upgrade to MSCHAPv2 at this time,
perform the following workaround for MSCHAPv1:
In the Account options area, select the Store password using reversible encryption check box.
NOTE
If there are existing user accounts in your Active Directory installation when you enable reversible encryption, the passwords must be reset (either by the user or by the system administrator) before reversible encryption takes effect. Passwords stored with reversible encryption can be recovered by anyone who can read the directory database, so enable this option only for the accounts that must authenticate with MSCHAPv1.
i Click OK.
j Repeat from step a for each user account.
Proxying RADIUS Requests to an Existing RADIUS Server Using the Built-in
Sentriant AG RADIUS Server
NOTE
For an explanation of how the components communicate, see “Sentriant AG and 802.1X” on page 252.
To configure Sentriant AG to proxy RADIUS requests to an existing RADIUS server:
1 To configure the RADIUS server to proxy requests to your existing RADIUS server:
a Log in to the ES as root via SSH.
b Open the following file with a text editor such as vi:
/etc/raddb/proxy.conf
c Append the following section, replacing the parameters in <> with your RADIUS server's information:
    realm NULL {
        type = radius
        authhost = <RADIUS host or IP>:<RADIUS auth port>
        accthost = <RADIUS host or IP>:<RADIUS acct port>
        secret = <the shared secret for your RADIUS server>
    }
d Save and exit the file.
NOTE
The realm NULL section must go after the realm LOCAL section, or you can comment out the realm LOCAL section.
2 Configure your RADIUS server to allow the Sentriant AG IP address as a client with the shared
secret specified in the previous step. See your RADIUS server’s documentation for instructions on
how to configure allowed clients.
3 Configure the SAFreeRADIUSConnector.conf file with the appropriate RADIUS attributes and
VLANS. See comments in the following sample file for instructions.
#
# FreeRADIUS Connector configuration file
#
#
# TO DO - Change localhost to your server's IP if this is not the built-in
# FreeRADIUS server
#
ServerUrl=https://localhost/servlet/AccessControlServlet
DebugLevel=4
Debug=on
Username=nacuser
Password=nacpwd
#
# TO DO - Modify the vlan ids and names to match your switch configuration
#
#
# Use these attributes for all non-Extreme switches
#
#
# Uncomment these two sections if you want the connector to specify the normal user
# vlan rather than specifying it for each user in the users configuration file.
#
#"HealthyRadiusAttributes"
#    Tunnel-Medium-Type := 6,
#    Tunnel-Private-Group-ID := 50,
#    Tunnel-Type := VLAN,
#
#"CheckupRadiusAttributes"
#    Tunnel-Medium-Type := 6,
#    Tunnel-Private-Group-ID := 50,
#    Tunnel-Type := VLAN,
"QuarantineRadiusAttributes"
    Tunnel-Medium-Type := 6,
    Tunnel-Private-Group-ID := 15,
    Tunnel-Type := VLAN,
"InfectedRadiusAttributes"
    Tunnel-Medium-Type := 6,
    Tunnel-Private-Group-ID := 15,
    Tunnel-Type := VLAN,
"UnknownRadiusAttributes"
    Tunnel-Medium-Type := 6,
    Tunnel-Private-Group-ID := 5,
    Tunnel-Type := VLAN,
#
# Use these attributes for Extreme switches
#
#"HealthyRadiusAttributes"
#    Extreme-Netlogin-Vlan := HealthyVlanName
#
#"CheckupRadiusAttributes"
#    Extreme-Netlogin-Vlan := HealthyVlanName
#
#"QuarantineRadiusAttributes"
#    Extreme-Netlogin-Vlan := QuarantineVlanName
#
#"InfectedRadiusAttributes"
#    Extreme-Netlogin-Vlan := QuarantineVlanName
#
#"UnknownRadiusAttributes"
#    Extreme-Netlogin-Vlan := TempOrGuestVlanName
#
# TO DO - Uncomment if you want different switches to have different attributes.
# Posture is Healthy, Checkup, Quarantine, Infected, or Unknown.
# This entry must come after the default set of attributes in the file.
#
#"<POSTURE>RadiusAttributes-<NAS IP ADDRESS>"
#    Tunnel-Medium-Type := 6,
#    Tunnel-Private-Group-ID := 15,
#    Tunnel-Type := VLAN,
Sentriant AG Software Users Guide, Version 5.1 SR1
281
802.1X Quarantine Method
4 Test the RADIUS server proxy:
radtest <user> <passwd> <radius-server[:port]> <nas-port-number> <secret>
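As an added example (not Extreme's connector code), the following parses a file in the layout of the sample above and resolves the attribute set the connector would hand back for a posture and switch, including the per-NAS override and the "must come after the default" rule from the comments. The section/attribute grammar, the 10.11.100.20 override and VLAN 40 are assumptions.

```python
"""Parser and resolver for the SAFreeRADIUSConnector.conf layout shown above.

Constructed example, not Sentriant AG code.  Assumes the syntax visible in the sample:
'#' comment lines, Key=Value settings before the first section, a quoted section name
on its own line, and 'Attribute := value,' lines belonging to the most recent section.
"""
import re

POSTURES = ("Healthy", "Checkup", "Quarantine", "Infected", "Unknown")
SECTION_RE = re.compile(r'^"([^"]+)"$')
ATTR_RE = re.compile(r"^([\w-]+)\s*:=\s*(.+?),?$")

# Constructed sample mirroring the page: Healthy left commented out, plus an assumed
# per-NAS override that sends Unknown endpoints on switch 10.11.100.20 to VLAN 40.
SAMPLE = """\
# FreeRADIUS Connector configuration file
ServerUrl=https://localhost/servlet/AccessControlServlet
#"HealthyRadiusAttributes"
#        Tunnel-Private-Group-ID := 50,
"QuarantineRadiusAttributes"
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 15,
        Tunnel-Type := VLAN,
"UnknownRadiusAttributes"
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 5,
        Tunnel-Type := VLAN,
"UnknownRadiusAttributes-10.11.100.20"
        Tunnel-Medium-Type := 6,
        Tunnel-Private-Group-ID := 40,
        Tunnel-Type := VLAN,
"""


def parse_connector(text):
    """Return (settings, sections); sections maps name -> {attribute: value} in file order."""
    settings, sections, current = {}, {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            if current in sections:
                raise ValueError(f"line {lineno}: duplicate section {current!r}")
            sections[current] = {}
        elif current is None:              # Key=Value settings precede the first section
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: expected Key=Value, got {line!r}")
            settings[key.strip()] = value.strip()
        else:
            m = ATTR_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: bad attribute line {line!r}")
            sections[current][m.group(1)] = m.group(2)
    check_override_order(sections)
    return settings, sections


def check_override_order(sections):
    """Enforce the sample's comment: a per-NAS section must come after its default section."""
    seen = set()
    for name in sections:                  # dicts preserve file order
        base, dash, _ = name.partition("-")
        if dash and base in sections and base not in seen:
            raise ValueError(f"{name!r} must come after {base!r}")
        seen.add(name)


def resolve(sections, posture, nas_ip=None):
    """Attribute set returned for a posture, preferring the per-NAS override when present."""
    if posture not in POSTURES:
        raise ValueError(f"unknown posture {posture!r}")
    base = f"{posture}RadiusAttributes"
    if nas_ip and f"{base}-{nas_ip}" in sections:
        return sections[f"{base}-{nas_ip}"]
    return sections.get(base)      # None: section commented out, VLAN comes from the users file


def assigned_vlan(attrs):
    """VLAN the switch derives: numeric ID from the tunnel attributes or an Extreme VLAN name."""
    if attrs is None:
        return None
    if "Extreme-Netlogin-Vlan" in attrs:
        return attrs["Extreme-Netlogin-Vlan"]
    # RFC 3580 dynamic VLAN assignment needs Tunnel-Type VLAN and Tunnel-Medium-Type 6 (IEEE-802).
    if attrs.get("Tunnel-Type") != "VLAN" or attrs.get("Tunnel-Medium-Type") != "6":
        raise ValueError("attributes do not describe an IEEE 802 VLAN assignment")
    return int(attrs["Tunnel-Private-Group-ID"])


def vlan_for(posture, nas_ip=None, text=SAMPLE):
    """Parse the file and return the VLAN one (posture, switch) pair would be placed in."""
    _, sections = parse_connector(text)
    return assigned_vlan(resolve(sections, posture, nas_ip))
```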
Using the Built-in Sentriant AG RADIUS Server for Authentication
If you selected the Manual End-user authentication method in the Authentication settings area of the
System configuration>>Quarantining>>802.1X window, configure Sentriant AG according to the
instructions in this section.
To configure Sentriant AG to handle RADIUS requests:
Add users to the RADIUS server by modifying the /etc/raddb/users file. Add user entries to the
beginning of the file in the following format:
Clear text authentication:
<user name> Auth-Type := Local, User-Password == "password"
EAP, PEAP, or MD5-Challenge authentication (the built-in Windows 802.1X supplicant uses these
methods):
<user name> Auth-Type := EAP, User-Password == "password"
For example:
dave Auth-Type := EAP, User-Password == "d@9ij8!e"
Enabling Sentriant AG for 802.1X
To enable Sentriant AG for use in an 802.1X network, you need to select it in the user interface, and
make a few changes to the properties using JMS and an XML file.
Sentriant AG User Interface Configuration
To enable 802.1X in the Sentriant AG user interface:
Home window>>System configuration>>Quarantining
1 In the Select a quarantine method area, select the 802.1X quarantine method radio button.
Figure 166: Enabling 802.1X in the User Interface
2 In 802.1X enforcement mode, the ESs must be able to watch DHCP conversations and detect endpoints
by sniffing network traffic as it flows between the DHCP server and the endpoints. Select one of the
following radio buttons:
■ remote—In more complex deployments, it is often impossible (in the case of multiple ESs or
multiple DHCP servers) or undesirable to span switch ports. In this case the DHCP traffic
monitoring and endpoint detection can be run remotely by installing and configuring the
endpoint activity capture software on each DHCP server involved in the 802.1X deployment. In
this case, choose the remote option.
■ local—In simple configurations, it is possible to span, or mirror, the switch port into which the
DHCP server is connected. The eth1 interface of the ES is then plugged into the spanned port and
endpoint traffic is monitored on the eth1 interface. In this case, choose the local option.
3 Click OK.
Setting up the Supplicant
Now you must enable the endpoint for 802.1X. If you do not, the endpoint can never pass the initial
challenge from the switch, as the switch searches for an 802.1X-enabled endpoint. This section
describes how to set up the following endpoints for 802.1X:
● Windows XP Professional endpoint
● Windows XP Home endpoint
● Windows 2000 Professional endpoint
● Windows Vista endpoint
NOTE
The exact instructions for Windows XP and Windows Vista tasks will vary slightly depending on whether you are using
Classic or Category view.
To determine which view you are using in the Control Panel, select Start>>Control Panel. At the top left you will see
either Switch to Classic View or Switch to Category View.
To determine which view you are using in the Start Menu, right-click Start>>Select Properties. If the Start menu
radio button is selected, you are using Category View. If the Classic Start menu radio button is selected, you are
using Classic View.
The instructions in this section assume you are using Classic View in both cases.
Windows XP Professional Setup
To enable a Windows XP Professional endpoint for 802.1X:
Windows desktop>>Start>>Settings>>Network Connections
1 Right-click on Local Area Connection.
2 Select Properties. The Local Area Connection window appears:
Figure 167: Windows XP Pro Local Area Connection, General Tab
3 Select the General tab.
4 Select the Show icon in notification area when connected check box. This enables the Windows XP
balloon help utility, which can assist you when entering information and troubleshooting errors.
5 Select the Authentication tab.
Figure 168: Windows XP Pro Local Area Connection Properties, Authentication Tab
6 Select the Enable IEEE 802.1X authentication for this network check box.
7 Select an EAP type from the drop-down list. For this example, select MD5-Challenge.
Important: This EAP type must match the EAP type selected in step 7, step q on page 265.
8 Clear or select the Authenticate as computer when computer information is available check box.
The choice is yours.
9 Click OK.
10 Select to reboot if prompted.
Windows XP Home Setup
To enable a Windows XP Home endpoint for 802.1X:
1 Start the wireless service:
Windows desktop>>Start>>Settings>>Control Panel>>Administrative Tools>>Services
a Select Wireless Zero Configuration. If the Status column does not already show Started, start the
service:
1) Right click on Wireless Zero Configuration.
2) Select Start.
b Close the Services window.
2 Configure the network connections:
Windows desktop>>Start>>Settings>>Control Panel>>Network Connections
3 Right-click on Local Area Connection. Select Properties. The Local Area Connection window
appears (Figure 167 on page 284).
4 Select the General tab.
5 Select the Show icon in notification area when connected check box. This enables the Windows XP
balloon help utility, which can assist you when entering information and troubleshooting errors.
6 Select the Authentication tab (Figure 168 on page 285).
a Select the Enable IEEE 802.1X authentication for this network check box.
b Select an EAP type from the drop-down list. For this example, select MD5-Challenge.
Important: This EAP type must match the EAP type selected in “Setting up the RADIUS Server”,
step 7, step q on page 265.
c Clear or select the Authenticate as computer when computer information is available check box.
The choice is yours.
7 Click OK.
8 Select to reboot if prompted.
Windows 2000 Professional Setup
To enable a Windows 2000 Professional endpoint for 802.1X:
1 Start the wireless service:
Windows desktop>>Start>>Settings>>Control Panel>>Administrative Tools>>Services
a Select Wireless Configuration. If the Status column does not already show Started, start the
service:
1) Right click on Wireless Configuration.
2) Select Start.
b Close the Services window.
2 Configure the network connections:
Windows desktop>>Start>>Settings>>Control Panel>>Network and Dial-up Connections
a Right-click on Local Area Connection. Select Properties. The Local Area Connection window
appears.
Figure 169: Windows 2000 Local Area Connection Properties, General Tab
b Select the General tab.
c Select the Show icon in taskbar when connected check box.
d Select the Authentication tab.
Figure 170: Windows 2000 Local Area Connection Properties, Authentication Tab
e Select the Enable network access control using IEEE 802.1X check box.
f Select an EAP type from the drop-down list. For this example, select MD5-Challenge.
IMPORTANT: This EAP type must match the EAP type selected in “Setting up the RADIUS
Server”, step 7, step q on page 265.
g Clear or select the Authenticate as computer when computer information is available check box.
The choice is yours.
h Click OK.
3 Select to reboot if necessary.
Windows Vista Setup
NOTE
Frequently when performing actions on Windows Vista, the User Account Control window pops up and asks you to
select Continue to authorize the action. The instructions in this section do not include this step.
To enable a Windows Vista endpoint for 802.1X:
Windows desktop>>Start>>Control Panel>>Administrative Tools>>Services
1 Start the wired service:
a Double-click on Wired AutoConfig. The Wired AutoConfig Properties window appears.
Figure 171: Wired AutoConfig Properties
b Select Automatic from the Startup type drop-down list.
c Click Start in the Service status area.
d Click OK.
e Close the Services window.
2 Configure the network connections:
Windows desktop>>Start>>Settings>>Network Connections
3 Right-click on Local Area Connection.
4 Select Properties. The Local Area Connection window appears:
Figure 172: Windows Vista Local Area Connection, Networking Tab
5 Select the Authentication tab.
Figure 173: Windows Vista Local Area Connection Properties, Authentication Tab
6 Select the Enable IEEE 802.1X authentication check box.
7 Select an EAP type from the Choose a network authentication method drop-down list. For this
example, select Protected EAP (PEAP).
Important: This EAP type must match the EAP type selected in step 7, step q on page 265.
8 Clear or select the Cache user information for subsequent connections to this network check box.
The choice is yours.
9 Click OK.
10 Select to reboot if prompted.
Setting up the Authenticator
This section provides sample configurations for the following switches:
● “Cisco® 2950 IOS” on page 291
● “Cisco® 4006 CatOS” on page 291
● “Enterasys® Matrix 1H582-25” on page 292
● “Extreme® Summit 48si” on page 292
● “ExtremeWare” on page 293
● “ExtremeXOS” on page 294
● “Foundry® FastIron® Edge 2402” on page 294
● “HP ProCurve 420AP” on page 295
● “HP ProCurve 530AP” on page 295
● “HP ProCurve 3400/3500/5400” on page 297
● “Nortel® 5510” on page 297
The lines that apply to 802.1X are shown in green italic text. Make sure that you add this information
when configuring your switch.
Cisco® 2950 IOS
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
interface FastEthernet0/1
switchport mode access
dot1x port-control auto
dot1x timeout quiet-period 30
dot1x guest-vlan 5
dot1x reauthentication
spanning-tree portfast
!
interface FastEthernet0/2
switchport mode access
dot1x port-control auto
dot1x timeout quiet-period 30
dot1x guest-vlan 5
dot1x reauthentication
spanning-tree portfast
!
interface FastEthernet0/3
switchport mode access
dot1x port-control auto
dot1x timeout quiet-period 30
dot1x guest-vlan 5
dot1x reauthentication
spanning-tree portfast
!
interface FastEthernet0/4
switchport mode access
dot1x port-control auto
dot1x timeout quiet-period 30
dot1x guest-vlan 5
dot1x reauthentication
spanning-tree portfast
!
ip http server
radius-server host 10.11.100.10 auth-port 1812 acct-port 1813 key mysecretpassword
radius-server retransmit 3
!
Cisco® 4006 CatOS
set dot1x re-authperiod 100
set feature dot1x-radius-keepalive disable
#radius
set radius server 172.17.20.150 auth-port 1812 primary
set radius key mysecretpassword
!
#module 2 : 48-port 10/100BaseTx Ethernet
set port dot1x 2/15 port-control auto
set port dot1x 2/17 port-control auto
set port dot1x 2/18 port-control auto
set port dot1x 2/19 port-control auto
set port dot1x 2/15 re-authentication enable
set port dot1x 2/17 re-authentication enable
set port dot1x 2/18 re-authentication enable
set port dot1x 2/19 re-authentication enable
set port dot1x 2/15 guest-vlan 40
set port dot1x 2/17 guest-vlan 40
set port dot1x 2/18 guest-vlan 40
set port dot1x 2/19 guest-vlan 40
Enterasys® Matrix 1H582-25
! dot1x
set dot1x auth-config authcontrolled-portcontrol forced-auth fe.0.5-24
set dot1x auth-config maxreq 10000 fe.0.1-4
set dot1x auth-config keytxenabled true fe.0.1-4
set dot1x enable
!
! radius
set radius timeout 30
set radius server 1 10.11.100.10 1812 02108000AE5BA9C47EDC24F2CA6529EE4CCC8930BBD70F5AAA2CF0C5DBAA5DA97FADFE95
set radius enable
!
Extreme® Summit 48si
NOTE
When authenticating via the onboard FreeRADIUS server, you need to add the administrative line in the RADIUS
users file.
NOTE
Change the admin password to a non-blank password.
create vlan "Operations"
create vlan "CommandControl"
create vlan "Quarantine"
create vlan "Guest"
create vlan "Temp"
# RADIUS configuration
#
enable radius
configure radius primary shared-secret encrypted "ouzoisgprdr#s{fqa"
configure radius primary server 10.10.100.10 1812 client-ip 10.10.100.1
# Network Login Configuration
configure vlan Temp dhcp-address-range 10.10.5.100 - 10.10.5.150
configure vlan Temp dhcp-options default-gateway 10.10.5.1
configure vlan Temp dhcp-options dns-server 10.10.100.11
configure vlan Temp dhcp-options wins-server 10.10.100.10
enable netlogin port 33 vlan Temp
enable netlogin port 34 vlan Temp
enable netlogin port 35 vlan Temp
enable netlogin port 36 vlan Temp
enable netlogin port 37 vlan Temp
enable netlogin port 38 vlan Temp
enable netlogin port 39 vlan Temp
enable netlogin port 40 vlan Temp
configure netlogin redirect-page "https://10.10.100.100:89"
ExtremeWare
NOTE
When authenticating via the onboard FreeRADIUS server, you need to add the administrative line in the RADIUS
users file.
NOTE
Change the admin password to a non-blank password.
create vlan "Quarantine"
create vlan "Test"
# RADIUS configuration
#
enable radius
configure radius primary shared-secret encrypted "ouzoisgprdr#s{fqa"
configure radius primary server 10.50.32.10 1812 client-ip 10.50.32.254
# Network Login Configuration
enable netlogin port 1 vlan Default
enable netlogin port 2 vlan Default
enable netlogin port 3 vlan Default
enable netlogin port 4 vlan Default
enable netlogin port 5 vlan Default
enable netlogin port 6 vlan Default
enable netlogin port 7 vlan Default
enable netlogin port 8 vlan Default
configure netlogin mac auth-retry-count 3
configure netlogin mac reauth-period 1800
ExtremeXOS
#
create vlan "Quarantine"
create vlan "Test"
enable radius netlogin
configure radius netlogin timeout 3
configure radius-accounting netlogin timeout 3
# Module netLogin configuration.
#
configure netlogin vlan Test
enable netlogin dot1x mac
enable netlogin ports 1-8 dot1x
configure netlogin dot1x timers server-timeout 30 quiet-period 60 reauth-period 100 supp-resp-timeout 30
configure netlogin dot1x eapol-transmit-version v1
configure netlogin dot1x guest-vlan Guest
enable netlogin logout-privilege
enable netlogin session-refresh 3
configure netlogin base-url "network-access.com"
configure netlogin redirect-page "http://www.extremenetworks.com"
configure netlogin banner ""
Foundry® FastIron® Edge 2402
dot1x-enable
auth-fail-action restricted-vlan
auth-fail-vlanid 5
mac-session-aging no-aging permitted-mac-only
enable ethe 1 to 4
aaa authentication dot1x default radius
radius-server host 10.11.100.10 auth-port 1812 acct-port 1813 default key 1 $6\ndUnoS!--+sU@
interface ethernet 1
dot1x port-control auto
sflow-forwarding
!
interface ethernet 2
dot1x port-control auto
sflow-forwarding
!
interface ethernet 3
dot1x port-control auto
sflow-forwarding
!
interface ethernet 4
dot1x port-control auto
sflow-forwarding
!
HP ProCurve 420AP
This section shows how to configure the security settings on the 420AP so that user access may be
controlled using Dynamic VLAN provisioning.
HP ProCurve Access Point 420#configure
HP ProCurve Access Point 420(config)#interface ethernet
Enter Ethernet configuration commands, one per line.
HP ProCurve Access Point 420(if-ethernet)#no ip dhcp
HP ProCurve Access Point 420(if-ethernet)#ip address <IP of Access Point Netmask Gateway>
HP ProCurve Access Point 420(if-ethernet)#end
HP ProCurve Access Point 420(config)#management-vlan 200 tagged
HP ProCurve Access Point 420(config)#interface wireless g
Enter Wireless configuration commands, one per line.
HP ProCurve Access Point 420(if-wireless-g)#ssid index 1
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#closed-system
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius-authentication-server address <IP of RADIUS Server>
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius-authentication-server key <Shared RADIUS secret>
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#radius-authentication-server vlanformat ascii
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#ssid Enterprise420
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#vlan 100 tagged
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#security-suite 6 wpa-wpa2
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#enable
HP ProCurve Access Point 420(if-wireless-g-ssid-1)#end
HP ProCurve Access Point 420(if-wireless-g)#end
HP ProCurve Access Point 420(config)#radius-accounting address <IP of RADIUS Server>
HP ProCurve Access Point 420(config)#radius-accounting key <Shared RADIUS secret>
HP ProCurve Access Point 420(config)#radius-accounting enable
HP ProCurve Access Point 420(config)#vlan enable dynamic
Reboot system now? <y/n>: y
Dynamic WEP. Enter the same commands as in the previous configuration, but substitute security-suite 5 for security-suite 6 wpa-wpa2.
HP ProCurve 530AP
This section shows how to configure the security settings on the 530AP so that user access may be
controlled using Dynamic VLAN provisioning.
ProCurve Access Point 530#conf
ProCurve Access Point 530(config)#interface ethernet
ProCurve Access Point 530(ethernet)#ip address <IP of Access Point > Netmask
ProCurve Access Point 530(ethernet)#ip default-gateway <IP of Gateway>
ProCurve Access Point 530(ethernet)#management-vlan 200
ProCurve Access Point 530(ethernet)#untagged-vlan 200
ProCurve Access Point 530(radio1-wlan1)#ssid Enterprise530
ProCurve Access Point 530(radio1-wlan1)#closed
ProCurve Access Point 530(radio1-wlan1)#vlan 100
ProCurve Access Point 530(radio1-wlan1)#security wpa-8021x
ProCurve Access Point 530(radio1-wlan1)#radius primary ip <IP of RADIUS Server>
The RADIUS shared secret key must also be set to enable communication between this
device and the RADIUS server.
ProCurve Access Point 530(radio1-wlan1)#radius primary key <Shared RADIUS secret>
ProCurve Access Point 530(radio1-wlan1)#radius-accounting primary ip <IP of RADIUS Server>
ProCurve Access Point 530(radio1-wlan1)#radius-accounting primary key <Shared RADIUS secret>
ProCurve Access Point 530(radio1-wlan1)#wpa-cipher-aes
ProCurve Access Point 530(radio1-wlan1)#write mem
ProCurve Access Point 530(radio1-wlan1)#enable
ProCurve Access Point 530(radio1-wlan1)#enable
ProCurve Access Point 530(config)#radio 1
ProCurve Access Point 530(radio1)#enable
ProCurve Access Point 530(radio1)#radio 2
ProCurve Access Point 530(radio2)#enable
ProCurve Access Point 530(config)#write mem
ProCurve Access Point 530(config)#exit
Dynamic WEP.
ProCurve Access Point 530#conf
ProCurve Access Point 530(config)#interface ethernet
ProCurve Access Point 530(ethernet)#ip address <IP of Access Point > Netmask
ProCurve Access Point 530(ethernet)#ip default-gateway <IP of Gateway>
ProCurve Access Point 530(ethernet)#management-vlan 200
ProCurve Access Point 530(ethernet)#untagged-vlan 200
ProCurve Access Point 530(radio1-wlan1)#ssid Enterprise530
ProCurve Access Point 530(radio1-wlan1)#closed
ProCurve Access Point 530(radio1-wlan1)#vlan 100
ProCurve Access Point 530(radio1-wlan1)#security dynamic-wep
ProCurve Access Point 530(radio1-wlan1)#radius primary ip <IP of RADIUS Server>
The RADIUS shared secret key must also be set to enable communication between this
device and the RADIUS server.
ProCurve Access Point 530(radio1-wlan1)#radius primary key <Shared RADIUS secret>
ProCurve Access Point 530(radio1-wlan1)#radius-accounting primary ip <IP of RADIUS Server>
The RADIUS shared secret key must also be set to enable communication between this
device and the RADIUS server.
ProCurve Access Point 530(radio1-wlan1)#radius-accounting primary key <Shared RADIUS secret>
ProCurve Access Point 530(radio1-wlan1)#wep-key-ascii
ProCurve Access Point 530(radio1-wlan1)#wep-key-1 1q2w3e4r5t6y7
ProCurve Access Point 530(radio1-wlan1)#write mem
ProCurve Access Point 530(radio1-wlan1)#enable
ProCurve Access Point 530(radio2-wlan1)#enable
ProCurve Access Point 530(config)#radio 1
ProCurve Access Point 530(radio1)#enable
ProCurve Access Point 530(radio1)#radio 2
ProCurve Access Point 530(radio2)#enable
ProCurve Access Point 530(config)#write mem
ProCurve Access Point 530(config)#exit
HP ProCurve 3400/3500/5400
radius-server host 10.60.1.3 key hpsecret
aaa accounting network start-stop radius
aaa authentication port-access eap-radius
aaa port-access authenticator 1-8
aaa port-access authenticator 1-8 auth-vid 100
aaa port-access authenticator 1-8 unauth-vid 101
aaa port-access authenticator active
Nortel® 5510
NOTE
When the Nortel switch is used in unstacked mode, a range of ports is defined as 1-24.
When the Nortel switch is used in stacked mode, a range of ports is defined as 1/1-24; <unit>/<port-port>. See the
Nortel switch user manuals for more information.
RADIUS Server setup:
radius-server host 10.0.0.5
radius-server secondary-host 0.0.0.0
radius-server port 1812
! radius-server key ********
Enable 802.1X:
eapol enable
interface FastEthernet ALL
eapol port 1-2 status auto traffic-control in-out re-authentication enable re-authentication-period 3600 re-authenticate quiet-interval 60 transmit-interval 30 supplicant-timeout 30 server-timeout 30 max-request 2
Vlan Info:
vlan create 10 name "production" type port
vlan create 11 name "guest" type port
vlan create 12 name "quarantine" type port
! *** EAP ***
!
eapol enable
interface FastEthernet ALL
eapol port 1-2 status auto traffic-control in-out re-authentication enable re-authentication-period 3600 re-authenticate quiet-interval 60 transmit-interval 30 supplicant-timeout 30 server-timeout 30 max-request 2
! *** Port Mirroring ***
!
port-mirroring mode XrxOrXtx monitor-port 9 mirror-port-X 12
!
Creating Custom Expect Scripts
Expect is a tool that uses simple scripts to automate interactive applications.
Sentriant AG utilizes expect scripts when communicating with 802.1X devices. You can add 802.1X
devices in the Sentriant AG user interface (Home>>System configuration>>Quarantining menu
option>>Add 802.1X device). There are 11 pre-defined devices, and one generic device. You can use the
default expect script values, modify them, or enter new values. The expect scripts used are as follows:
● Initialization script—This script is used to log in to the device, enter enable mode and set up the
state necessary to execute the re-authentication command. It is executed the first time a connection to
the device is opened or if the connection to the device is reset.
● Re-authentication script—This script is used to perform endpoint re-authentication. It is executed
once for each endpoint re-authentication while the connection to the device remains active (until the
connection fails or the idle time inactivity timeout is reached).
● Exit script—This script is used to exit the console. It is executed when the idle time timeout is
reached.
When testing configuration settings from the Sentriant AG user interface, all three scripts are executed
once in sequence and the connection is closed. If any output is returned by a command sent in the
re-authentication script, it is logged and returned to the user. If an expect command times out, the current
expect buffer is logged and returned to the user.
As an example, the following figures show the initial scripts used for a Nortel device in the
Sentriant AG user interface.
Figure 174: Nortel Initialization Script
expect Enter Ctrl-Y to begin.
send -noreturn \031
expect -ifset USERNAME Username:
send -ifset USERNAME ${USERNAME}
expect -ifset PASSWORD Password:
send -ifset PASSWORD ${PASSWORD}
expect press <Return> or <Enter> to select option.
send -noreturn c
expect >
send enable
expect -ifset ENABLE_USERNAME Username:
send -ifset ENABLE_USERNAME ${USERNAME}
expect -ifset ENABLE_PASSWORD Password:
send -ifset ENABLE_PASSWORD ${ENABLE_PASSWORD}
expect #
send configure terminal
expect (config)#
Figure 175: Nortel Re-authentication Script
send interface FastEthernet ${PORT}
expect (config-if)#
send eapol re-authenticate
expect (config-if)#
send exit
expect (config)#
Figure 176: Nortel Exit Script
send exit
expect #
send exit
expect press <Return> or <Enter> to select option.
send -noreturn l
Expect Script Commands.
expect [OPTIONS] TEXT    Waits for TEXT to appear on connection input
send [OPTIONS] TEXT      Writes TEXT to connection output
The expect scripts use the following commands:
Table 10: Expect Script Commands and Parameters

Command                  Description and parameters
expect [OPTIONS] TEXT    Waits for TEXT to appear on the connection input.
                         Where OPTION is one of three optional parameters:
                         • regex: Interprets the expect string as a (Java 1.5) regular expression.
                         • ifmatched: Skips the command if the value captured from the last regular
                           expression doesn't match the specified expression (the expression may
                           contain spaces if wrapped in double quotes).
                         • ifset: Skips the command if the specified variable is not set.
send [OPTIONS] TEXT      Writes TEXT to the connection output followed by a carriage return.
                         Where OPTION is one of three optional parameters:
                         • noreturn: Omits the carriage return.
                         • ifmatched: Skips the command if the value captured from the last regular
                           expression doesn't match the specified expression (the expression may
                           contain spaces if wrapped in double quotes).
                         • ifset: Skips the command if the specified variable is not set.
Expect Script Variables. Variables referenced with the syntax ${VARIABLE_NAME} will be substituted with
the value of the variable at execution time.
The following variables may be referenced anywhere:
● USERNAME—The username used to log in to the device
● PASSWORD—The password used to log in to the device
● ENABLE_USERNAME—The username used to enter enable mode
● ENABLE_PASSWORD—The password used to enter enable mode
● IS_TELNET—Set to "true" for a telnet connection (otherwise unset)
● IS_SSH—Set to "true" for an SSH connection (otherwise unset)
The following variables may be referenced from the re-authentication script:
● PORT—The endpoint's port
● PORT_ID—The endpoint's port ID, usually the same as PORT
● MAC—The MAC address of the endpoint in colon/hex format (hh:hh:hh:hh:hh:hh)
● MAC_DOTTED_DECIMAL—The MAC address of the endpoint in dotted decimal format
(ddd.ddd.ddd.ddd.ddd.ddd)
● MAC_DOTTED_HEX—The MAC address of the endpoint in dotted hex format (hhhh.hhhh.hhhh)
● IP_ADDRESS—The IP address of the endpoint in dotted decimal format
● IS_MAC_AUTH—Set to "true" if the username from the switch is a MAC address (otherwise unset)
● IS_DOT1X—Set to "true" if the username from the switch is not a MAC address (otherwise unset)
Escape Sequences. Special characters can be included by escaping them as "\XXX" where XXX is an
octal value representing an ASCII character, or as "\uXXXX" where XXXX is a hexadecimal value
representing a unicode character.
Comments. Lines that start with the # character are ignored.
Examples. Initialization script:
expect Enter Ctrl-Y to begin.
send -noreturn \031
expect -ifset IS_TELNET Username:
send -ifset IS_TELNET ${USERNAME}
expect -ifset IS_TELNET Password:
send -ifset IS_TELNET ${PASSWORD}
expect press <Return> or <Enter> to select option.
send -noreturn c
expect >
send enable
expect -ifset ENABLE_USERNAME Username:
send -ifset ENABLE_USERNAME ${ENABLE_USERNAME}
expect -ifset ENABLE_PASSWORD Password:
send -ifset ENABLE_PASSWORD ${ENABLE_PASSWORD}
expect #
send configure terminal
expect (config)#
Re-authentication script:
send interface FastEthernet ${PORT}
expect (config-if)#
send eapol re-authenticate
expect (config-if)#
send exit
expect (config)#
Exit script:
send exit
expect #
send exit
expect press <Return> or <Enter> to select option.
send -noreturn l
The conditions in the above scripts are driven by the values of the variables entered by the user, but
sometimes it is necessary to drive conditions from interactions with the switch. For example, if a switch
can be configured with either a blank password or no password (no password prompt) then the text
field for password is insufficient to specify the correct configuration. Instead the script can use a regular
expression to expect either a password prompt or no prompt, and drive subsequent commands from the
result.
The following script works when any combination of Username and Password prompt appear (and thus
also works with both telnet and SSH without needing to check which the user selected):
Initialization script:
expect -regex (Username:|Password:|>)
send -ifmatched Username: ${USERNAME}
expect -ifmatched Username: -regex (Password:|>)
send -ifmatched Password: ${PASSWORD}
expect -ifmatched Password: >
Re-authentication script:
send set dot1x port ${PORT} init
expect >
Exit script:
send exit
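The interpreter below is an added example, not Sentriant AG code. It implements the expect/send grammar from Table 10 and traces the prompt-driven script above against a constructed fake console (FakeDevice, the "switch>" prompt and the canned replies are all assumptions), so you can see which -ifmatched lines run for each prompt sequence and what the timeout failure looks like.

```python
"""Mini interpreter for the expect/send script language described above.

Constructed example, not Sentriant AG code.  Implements the Table 10 grammar (-regex,
-ifmatched, -ifset, -noreturn, ${VAR} substitution, \\XXX and \\uXXXX escapes, '#'
comments) against a constructed fake console, so the prompt-driven script can be traced.
"""
import re

OPTS_WITH_ARG = {"ifmatched", "ifset"}
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')       # quoted argument or a single word


def unescape(text):
    """Expand \\XXX (octal ASCII) and \\uXXXX (hex Unicode) escapes."""
    text = re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), text)


def parse_line(line):
    """Split 'cmd [-opt [arg]]... TEXT' into (cmd, {opt: arg or True}, TEXT)."""
    cmd, _, rest = line.strip().partition(" ")
    opts, rest = {}, rest.lstrip()
    while rest.startswith("-"):
        name, _, rest = rest[1:].partition(" ")
        rest = rest.lstrip()
        if name in OPTS_WITH_ARG:
            m = ARG_RE.match(rest)
            opts[name] = m.group(1) if m.group(1) is not None else m.group(2)
            rest = rest[m.end():].lstrip()
        else:
            opts[name] = True
    return cmd, opts, rest


class FakeDevice:
    """Constructed console (assumption): a banner, then one canned reply per line received."""

    def __init__(self, banner, replies, default="\r\nswitch>"):
        self.pending, self.replies, self.default, self.sent = [banner], replies, default, []

    def read(self):
        return self.pending.pop(0) if self.pending else ""   # "" means nothing more arrives

    def write(self, data):
        self.sent.append(data.rstrip("\r"))
        self.pending.append(self.replies.get(data.rstrip("\r"), self.default))


class ExpectRunner:
    def __init__(self, device, variables):
        self.dev, self.buffer, self.last_match = device, "", None
        self.vars = {k: v for k, v in variables.items() if v is not None}   # None = unset

    def run(self, script):
        for raw in script.splitlines():
            if not raw.strip() or raw.lstrip().startswith("#"):
                continue
            cmd, opts, text = parse_line(raw)
            if "ifset" in opts and opts["ifset"] not in self.vars:
                continue
            if "ifmatched" in opts and opts["ifmatched"] != self.last_match:
                continue
            text = re.sub(r"\$\{(\w+)\}", lambda m: self.vars.get(m.group(1), ""), unescape(text))
            if cmd == "expect":
                self.expect(text, regex="regex" in opts)
            elif cmd == "send":
                self.dev.write(text if "noreturn" in opts else text + "\r")

    def expect(self, text, regex):
        pattern = re.compile(text if regex else re.escape(text))
        while True:
            m = pattern.search(self.buffer)
            if m:
                if regex:   # -ifmatched on later lines compares against this captured value
                    self.last_match = m.group(1) if m.groups() else m.group(0)
                self.buffer = self.buffer[m.end():]
                return
            chunk = self.dev.read()
            if not chunk:   # the timeout case: the current buffer is what gets logged
                raise TimeoutError(f"expect {text!r} timed out; buffer={self.buffer!r}")
            self.buffer += chunk


# The three scripts from the last example above.
INIT_SCRIPT = """\
expect -regex (Username:|Password:|>)
send -ifmatched Username: ${USERNAME}
expect -ifmatched Username: -regex (Password:|>)
send -ifmatched Password: ${PASSWORD}
expect -ifmatched Password: >
"""
REAUTH_SCRIPT = "send set dot1x port ${PORT} init\nexpect >\n"
EXIT_SCRIPT = "send exit\n"


def reauthenticate(device, username, password, port):
    """Run init, re-authentication and exit scripts in sequence; return the lines sent."""
    runner = ExpectRunner(device, {"USERNAME": username, "PASSWORD": password, "PORT": port})
    for script in (INIT_SCRIPT, REAUTH_SCRIPT, EXIT_SCRIPT):
        runner.run(script)
    return device.sent
```

With a console that asks for both prompts the two send lines run; with one that drops straight to ">" the first -regex expect captures ">" and every -ifmatched line is skipped.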
12 API
Overview
The Sentriant AG Application Programming Interface (API) is based on the Java Message Service (JMS).
Sentriant AG ships with version 3.1 of the ActiveMQ JMS provider (http://activemq.apache.org/), an
open source implementation of JMS.
Sentriant AG API communication is illustrated in Figure 177, where:
● JMS Message Bus—Sentriant AG ships with the ActiveMQ Java Message Service (JMS).
● XML file—This Extensible Markup Language (XML) file is created by you and contains one or more
requests.
● JMS Event Receiver—An external program that subscribes (listens) to topics and can take action
based on the information received.
● JMS Requestor—An external program that makes requests of Sentriant AG.
● Script—A script that can be invoked when an event occurs.
● JJS—A proprietary messaging framework that is used for communication between the MS and ESs
and for intra-cluster communication (ES-to-ES).
The JMS bus is used to send requests (such as test endpoints, change access status, and set configuration
properties that cannot be set via the Sentriant AG user interface), and to publish events (such as test
results and endpoint status change) to external third parties.
Figure 177: Sentriant AG API Communication
Sentriant AG is continually testing endpoints that attempt to connect to your network and publishes
information about those endpoints as Events to Topics. For example, when an endpoint that is untestable
attempts to connect, Sentriant AG quarantines the endpoint and publishes a DeviceChangeEvent to that topic.
Setting Sentriant AG Properties
Most Sentriant AG properties are set by default. To change or set properties, you must change the
properties as described in “Changing Properties” on page 357.
You can set the following properties:
●
304
Compliance.JMSProvider.ForwardJMSEvents
Sentriant AG Software Users Guide, Version 5.1 SR1
API
●
Compliance.System.JMSProvider.UserName
●
Compliance.System.JMSProvider.Password
Test results are published when they happen.
To change or set API properties:
Sentriant AG MS command line window
1 Create the XML file in the following directory with a text editor such as vi:
/usr/local/nac/bin
2 Edit any properties.
3 Save and exit the file.
4 Enter the following command:
sendRequest.sh -f /usr/local/nac/bin/<filename.xml>
Where <filename.xml> is the name of the XML file created.
Setting Firewall Rules
The iptables firewall needs a new rule that allows an external server to send requests to, or receive events from, the JMS message bus. By default, the MS does not allow other servers access to the JMS bus. To allow a host to send or receive messages, a rule must be added to the onboard firewall. Add the rule only for the specific hosts that need it: the JMS login and password are not set by default, so unless you set the Compliance.System.JMSProvider.UserName and Compliance.System.JMSProvider.Password properties, any host the rule admits can publish requests (including TemporarilyAllowAccess) to the bus.
To add the firewall rule:
Command line window
Enter the following command:
iptables -I INPUT -s <host> -m tcp -p tcp --dport 61616 -j ACCEPT
Where <host> is the external server IP address.
Sentriant AG Events Generated
The following Sentriant AG events can be generated:
● DeviceTestedEvent—Identifies the endpoint that was tested and the results of the tests
● DeviceChangeEvent—Identifies the endpoint and its current state
Examples of Events Generated
The following shows examples of information returned for generated events. Note that the DeviceTestedEvent example carries the credentials used to test the endpoint (the userName and password elements) in clear text, so treat the bus and any event receiver logs as sensitive.
------------------------------------------------------------------------
<MNMDeviceChangeEvent>
<device>
<uniqueId>5928e8f98d4ce49c6c03529ca4325b5e</uniqueId>
<ip>10.1.13.29</ip>
<mac>00:11:43:4F:15:D6</mac>
<netbiosName>SSLJDOE</netbiosName>
<domainName>MyCompany</domainName>
<userName>administrator</userName>
<loggedOnUser>administrator</loggedOnUser>
<os>Windows</os>
<osDetails>XP SP2</osDetails>
<policyId>LowSecurity</policyId>
<lastTestTime>1157042366000</lastTestTime>
<lastTestStatusId>PASSED</lastTestStatusId>
<gracePeriod>-1</gracePeriod>
<gracePeriodStart>0</gracePeriodStart>
<createTime>1156536669000</createTime>
<lastActivityTime>1157045939456</lastActivityTime>
<lastConnectTime>1157044195000</lastConnectTime>
<lastDisconnectTime>0</lastDisconnectTime>
<postureToken>healthy</postureToken>
<nodeId>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</nodeId>
<clusterId>5b227ee9-5085-4bbc-9c6f-dd57900eaa1f</clusterId>
<accessStatusId>QUARANTINED_BY_POLICY</accessStatusId>
<nextTestTime>1157049566000</nextTestTime>
<nadPort></nadPort>
<nadIP></nadIP>
<sessionAccess>-1</sessionAccess>
<sessionAccessEnd>0</sessionAccessEnd>
<otherDeviceProperties>
<entry>
<string>OS</string>
<string>Windows</string>
</entry>
</otherDeviceProperties>
<lastUpdateTime>1157045949373</lastUpdateTime>
<testingMethod>NONE</testingMethod>
</device>
<ip>10.1.70.101</ip>
<id>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</id>
<originalTimeStamp>1157045949373</originalTimeStamp>
</MNMDeviceChangeEvent>
<MNMDeviceTestedEvent>
<device>
<uniqueId>58511c4a0895a1c33792de48264262f4</uniqueId>
<ip>10.1.1.13</ip>
<mac>00:11:25:AB:92:7A</mac>
<netbiosName>UNITY</netbiosName>
<domainName>MyCompany</domainName>
<userName>administrator</userName>
<password>changeme</password>
<loggedOnUser>administrator</loggedOnUser>
<os>Windows</os>
<osDetails>2000 SP4</osDetails>
<policyId>LowSecurity</policyId>
<lastTestTime>1157046206801</lastTestTime>
<lastTestStatusId>FAILED</lastTestStatusId>
<gracePeriod>604800</gracePeriod>
<gracePeriodStart>1157042301000</gracePeriodStart>
<createTime>1157042283000</createTime>
<lastActivityTime>1157046201262</lastActivityTime>
<lastConnectTime>1157040486000</lastConnectTime>
<lastDisconnectTime>0</lastDisconnectTime>
<postureToken>checkup</postureToken>
<nodeId>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</nodeId>
<clusterId>5b227ee9-5085-4bbc-9c6f-dd57900eaa1f</clusterId>
<accessStatusId>ALLOWED_BY_POLICY</accessStatusId>
<nextTestTime>1157053406845</nextTestTime>
<nadPort></nadPort>
<nadIP></nadIP>
<sessionAccess>-1</sessionAccess>
<sessionAccessEnd>0</sessionAccessEnd>
<otherDeviceProperties>
<entry>
<string>OS</string>
<string>Windows</string>
</entry>
</otherDeviceProperties>
<lastUpdateTime>1157046206846</lastUpdateTime>
<testingMethod>AGENTLESS</testingMethod>
</device>
<testResults>
<TestResultInfo>
<timestamp>1157046206801</timestamp>
<gracePeriod>604800</gracePeriod>
<testName>Windows 2000 hotfixes</testName>
<testClass>Check2000HotFixes</testClass>
<testModule>check2000HotFixes</testModule>
<testGroup>OperatingSystem</testGroup>
<actionsTaken>access allowed, temporary access period continuing from 8/31/06 10:38 AM, email not sent</actionsTaken>
<debugInfo>918899, 921883, 912812-IE6SP120060322, 842773, 921398, 922616, 917422, Update Rollup 1, 920683, 914388, 920670, 917159, 917008, 920958, 911562</debugInfo>
<severity>2</severity>
<statusCode>1</statusCode>
<resultCode>fail</resultCode>
<resultMessage>The hotfixes installed are not current. Run Windows Update to install the most recent service packs and hotfixes. The missing hotfixes are: 918899, 921883, 912812-IE6SP120060322, 842773, 921398, 922616, 917422, Update Rollup 1, 920683, 914388, 920670, 917159, 917008, 920958, 911562. You may need to run Windows Update multiple times to install all the hotfixes. Some of the hotfixes listed may be contained in a cumulative patch.</resultMessage>
<policyId>LowSecurity</policyId>
<mostSeriousInRun>true</mostSeriousInRun>
<previousResultCode>fail</previousResultCode>
</TestResultInfo>
<TestResultInfo>
<timestamp>1157046206801</timestamp>
<gracePeriod>604800</gracePeriod>
<testName>Service packs</testName>
<testClass>CheckServicePacks</testClass>
<testModule>checkServicePacks</testModule>
<testGroup>OperatingSystem</testGroup>
<actionsTaken>none</actionsTaken>
<severity>2</severity>
<statusCode>1</statusCode>
<resultCode>pass</resultCode>
<resultMessage>All required service packs are installed</resultMessage>
<policyId>LowSecurity</policyId>
<mostSeriousInRun>false</mostSeriousInRun>
<previousResultCode>pass</previousResultCode>
</TestResultInfo>
<TestResultInfo>
<timestamp>1157046206801</timestamp>
<gracePeriod>0</gracePeriod>
<testName>Worms, viruses, and trojans</testName>
<testClass>CheckWormsVirusesAndTrojans</testClass>
<testModule>checkWormsVirusesAndTrojans</testModule>
<testGroup>Software</testGroup>
<actionsTaken>none</actionsTaken>
<debugInfo>None</debugInfo>
<severity>1</severity>
<statusCode>1</statusCode>
<resultCode>pass</resultCode>
<resultMessage>No worms, viruses or trojans were found.</resultMessage>
<policyId>LowSecurity</policyId>
<mostSeriousInRun>false</mostSeriousInRun>
<previousResultCode>pass</previousResultCode>
</TestResultInfo>
</testResults>
<ip>10.1.70.101</ip>
<id>b198ada2-06ce-4e30-bbb9-bcc11ffa777b</id>
<originalTimeStamp>1157046206882</originalTimeStamp>
</MNMDeviceTestedEvent>
-------------------------------------------------------------------------
Java Program and Command for Events
Sentriant AG ships with a sample shell script that invokes Java code that can be used to listen for JMS
events. Invoke the program by entering the following command:
eventListener.sh [-u broker URL] [-t topicName] [-l login -p password]
Where:
● broker URL—The URL of the JMS message bus. If not specified, it defaults to tcp://localhost:61616
● topicName—The topic on which events are published. By default, all Sentriant AG events are published on the topic nac.events
● login and password—Not set by default
Sentriant AG also provides the following Python script, which can be invoked when an event occurs:
● /usr/local/nac/bin/snmpScript.py—Generates an SNMP trap when an event is received.
Sentriant AG Requests Supported
The following Sentriant AG requests are supported:
● TemporarilyAllowAccess—Temporarily allows access for the specified endpoint or endpoints.
● TemporarilyDenyAccess—Temporarily denies access for the specified endpoint or endpoints.
● ClearTemporaryAccess—Clears temporary states for the specified endpoint or endpoints.
● DeviceInfoRequest—Requests the endpoint identification.
● PutDeviceInfo—Sets endpoint properties.
Examples of Requests
The following shows examples of information for requests supported:
-----------------------------------------------------------------------
<TemporarilyAllowAccessRequest>
<requestParameters>
<entry>
<string>DURATION</string>
<int>24</int>
</entry>
<entry>
<string>DEVICE_LIST</string>
<list>
<DeviceType>
<ip>192.168.1.128</ip>
</DeviceType>
</list>
</entry>
</requestParameters>
</TemporarilyAllowAccessRequest>
<TemporarilyDenyAccessRequest>
<requestParameters>
<entry>
<string>DURATION</string>
<int>24</int>
</entry>
<entry>
<string>DEVICE_LIST</string>
<list>
<DeviceType>
<ip>192.168.1.128</ip>
</DeviceType>
</list>
</entry>
</requestParameters>
</TemporarilyDenyAccessRequest>
<ClearTemporaryAccessRequest>
<requestParameters>
<entry>
<string>DEVICE_LIST</string>
<list>
<DeviceType>
<ip>192.168.1.128</ip>
</DeviceType>
</list>
</entry>
</requestParameters>
</ClearTemporaryAccessRequest>
<DeviceInfoRequest>
<requestParameters>
<entry>
<string>DEVICE_LIST</string>
<list>
<DeviceType>
<ip>192.168.1.128</ip>
</DeviceType>
</list>
</entry>
</requestParameters>
</DeviceInfoRequest>
<PutDeviceInfoRequest>
<requestParameters>
<entry>
<string>DEVICE_LIST</string>
<list>
<DeviceType>
<ip>192.168.1.128</ip>
<otherDeviceProperties>
<entry>
<string>key1</string>
<string>value1</string>
</entry>
<entry>
<string>key2</string>
<string>value2</string>
</entry>
</otherDeviceProperties>
</DeviceType>
</list>
</entry>
</requestParameters>
</PutDeviceInfoRequest>
-------------------------------------------------------------
The DeviceInfoRequest command replies with output that includes a special NacResponse XML file as
shown below:
------------------------------------------------------------
<NacResponse>
<resultStatus>true</resultStatus>
<response class="DeviceList">
<devices>
<DeviceInfo>
<uniqueId>00:0C:29:5D:30:B5</uniqueId>
<ip>192.168.1.128</ip>
<mac>00:0C:29:5D:30:B5</mac>
<netbiosName>WINXPPROVM</netbiosName>
<domainFromNMB>WORKGROUP</domainFromNMB>
<credentialsEnabled>false</credentialsEnabled>
<os>Windows</os>
<osDetails>XP SP1+, 2000 SP3</osDetails>
<policyId>LowSecurity</policyId>
<lastTestTime>0</lastTestTime>
<lastTestStatusId>AWAITING_TEST_INITIATION</lastTestStatusId>
<gracePeriod>0</gracePeriod>
<gracePeriodStart>0</gracePeriodStart>
<createTime>1186594414243</createTime>
<lastActivityTime>1186603364486</lastActivityTime>
<lastConnectTime>1186594301738</lastConnectTime>
<lastDisconnectTime>0</lastDisconnectTime>
<postureToken>unknown</postureToken>
<nodeId>158251f6-2ce8-4d34-b9e8-d724c175d34a</nodeId>
<clusterId>4e193379-a492-4fd8-a31c-37e722b14449</clusterId>
<accessStatusId>QUARANTINED_BY_POLICY</accessStatusId>
<nextTestTime>1186597121116</nextTestTime>
<nadPort/>
<nadPortId/>
<nadIP/>
<nadUser/>
<sessionAccess>-1</sessionAccess>
<sessionAccessEnd>0</sessionAccessEnd>
<otherDeviceProperties>
<entry>
<string>key1</string>
<string>value1</string>
</entry>
<entry>
<string>OS</string>
<string>Windows XP SP1+, 2000 SP3</string>
</entry>
<entry>
<string>key2</string>
<string>value2</string>
</entry>
</otherDeviceProperties>
<lastUpdateTime>1186603474724</lastUpdateTime>
<testingMethod>NONE</testingMethod>
<expectingIpTransitionStartTime>-1</expectingIpTransitionStartTime>
<expectingIpTransitionEndTime>-1</expectingIpTransitionEndTime>
<expectingIpTransition>false</expectingIpTransition>
<lastFetchUniqueIdTime>0</lastFetchUniqueIdTime>
<lastResolveTime>0</lastResolveTime>
<requireRetest>true</requireRetest>
</DeviceInfo>
</devices>
</response>
<ip>192.168.1.12</ip>
<id>MNM</id>
<originalTimeStamp>1186603494295</originalTimeStamp>
</NacResponse>
------------------------------------------------------------------------
Post-connect Request Example
The following example shows the additional fields necessary to change a TemporarilyDenyAccessRequest into a post-connect request: the EXTERNAL_QUARANTINE_PRODUCT_ID, EXTERNAL_QUARANTINE_INSTANCE_NAME, and EXTERNAL_QUARANTINE_REASONS entries, which do not appear in the plain TemporarilyDenyAccessRequest shown in “Examples of Requests”.
------------------------------------------------------------------------
<TemporarilyDenyAccessRequest>
<requestParameters>
<entry>
<string>DURATION</string>
<int>10</int>
</entry>
<entry>
<string>EXTERNAL_QUARANTINE_PRODUCT_ID</string>
<string>StrataGuard</string>
</entry>
<entry>
<string>EXTERNAL_QUARANTINE_INSTANCE_NAME</string>
<string>Warehouse Monitor</string>
</entry>
<entry>
<string>EXTERNAL_QUARANTINE_REASONS</string>
<list>
<string>WEB-CLIENT Microsoft ANI file parsing overflow</string>
<string>DOS Ipswitch WS_FTP log server long unicode string</string>
</list>
</entry>
<entry>
<string>DEVICE_LIST</string>
<list>
<DeviceType>
<ip>10.1.102.2</ip>
</DeviceType>
</list>
</entry>
</requestParameters>
</TemporarilyDenyAccessRequest>
------------------------------------------------------------------------
NOTE
The EXTERNAL_QUARANTINE_PRODUCT_ID entry in the previous post-connect example is configured in the
connector.properties file. See “Adding Post-connect System Logos and Icons” on page 128 for more information.
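The event and request formats above lend themselves to automation: an event receiver parses DeviceTestedEvent messages and, when a failed test leaves an otherwise allowed endpoint exposed, hands a post-connect TemporarilyDenyAccessRequest to sendRequest.sh. The following Python script is an added example and is not part of the Sentriant AG distribution; it covers both the event format in “Examples of Events Generated” and the request format in “Examples of Requests” and “Post-connect Request Example”. The sample event is constructed from the guide's DeviceTestedEvent (trimmed, with the worms test changed to fail); reading a gracePeriod of 0 as “no grace period” is an assumption of this example, not something the guide states; the product and instance names are taken from the guide's post-connect example. The script only reads and writes XML; passing the result to sendRequest.sh is left to the caller.

```python
# Added example (not part of the Sentriant AG distribution): handle a
# DeviceTestedEvent taken off the JMS bus, redact credentials before logging,
# and build a post-connect TemporarilyDenyAccessRequest for the endpoint.
import xml.etree.ElementTree as ET

# Constructed event, trimmed from the guide's MNMDeviceTestedEvent example;
# the "Worms, viruses, and trojans" result is changed to fail so that the
# decision logic below has something to act on.
SAMPLE_EVENT = """<MNMDeviceTestedEvent>
  <device>
    <ip>10.1.1.13</ip>
    <mac>00:11:25:AB:92:7A</mac>
    <userName>administrator</userName>
    <password>changeme</password>
    <lastTestStatusId>FAILED</lastTestStatusId>
    <accessStatusId>ALLOWED_BY_POLICY</accessStatusId>
  </device>
  <testResults>
    <TestResultInfo>
      <testName>Windows 2000 hotfixes</testName>
      <severity>2</severity>
      <resultCode>fail</resultCode>
      <gracePeriod>604800</gracePeriod>
    </TestResultInfo>
    <TestResultInfo>
      <testName>Worms, viruses, and trojans</testName>
      <severity>1</severity>
      <resultCode>fail</resultCode>
      <gracePeriod>0</gracePeriod>
    </TestResultInfo>
  </testResults>
  <originalTimeStamp>1157046206882</originalTimeStamp>
</MNMDeviceTestedEvent>"""

SECRET_TAGS = ("password",)


def redact(xml_text):
    """Return the event with credential elements blanked, safe to write to a log."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag in SECRET_TAGS and el.text:
            el.text = "***"
    return ET.tostring(root, encoding="unicode")


def summarize(xml_text):
    """Pull out the fields an event receiver keys on, plus every failed test."""
    root = ET.fromstring(xml_text)
    dev = root.find("device")
    failed = []
    for tr in root.iterfind("testResults/TestResultInfo"):
        if tr.findtext("resultCode") == "fail":
            failed.append({"name": tr.findtext("testName"),
                           "severity": int(tr.findtext("severity", "0")),
                           "grace": int(tr.findtext("gracePeriod", "0"))})
    return {"ip": dev.findtext("ip"), "mac": dev.findtext("mac"),
            "access": dev.findtext("accessStatusId") or "", "failed": failed}


def needs_deny(summary):
    """Deny when the endpoint is still allowed but a failed test carries no grace
    period. Reading gracePeriod 0 as "no grace" is an assumption, not documented."""
    return summary["access"].startswith("ALLOWED") and any(
        f["grace"] == 0 for f in summary["failed"])


def build_deny_request(ips, hours, product_id=None, instance=None, reasons=()):
    """Serialize a TemporarilyDenyAccessRequest in the guide's XML layout; the
    EXTERNAL_QUARANTINE_* (post-connect) entries appear only with a product_id."""
    req = ET.Element("TemporarilyDenyAccessRequest")
    params = ET.SubElement(req, "requestParameters")

    def entry(key):
        e = ET.SubElement(params, "entry")
        ET.SubElement(e, "string").text = key
        return e

    ET.SubElement(entry("DURATION"), "int").text = str(int(hours))
    if product_id:
        ET.SubElement(entry("EXTERNAL_QUARANTINE_PRODUCT_ID"), "string").text = product_id
        ET.SubElement(entry("EXTERNAL_QUARANTINE_INSTANCE_NAME"), "string").text = instance or product_id
        lst = ET.SubElement(entry("EXTERNAL_QUARANTINE_REASONS"), "list")
        for reason in reasons:
            ET.SubElement(lst, "string").text = reason
    devices = ET.SubElement(entry("DEVICE_LIST"), "list")
    for ip in ips:
        ET.SubElement(ET.SubElement(devices, "DeviceType"), "ip").text = ip
    return ET.tostring(req, encoding="unicode")


def react(xml_text, product_id="StrataGuard", instance="Warehouse Monitor"):
    """Event receiver path: summarize, decide, and return the request XML (or None)."""
    s = summarize(xml_text)
    if not needs_deny(s):
        return None
    reasons = [f["name"] for f in s["failed"] if f["grace"] == 0]
    return build_deny_request([s["ip"]], 10, product_id, instance, reasons)


if __name__ == "__main__":
    print(redact(SAMPLE_EVENT))   # safe to log
    print(react(SAMPLE_EVENT))    # write to a file and pass to sendRequest.sh -f
```

Log only the output of redact(): the raw DeviceTestedEvent carries the endpoint test credentials in clear text. Write the output of react() to a file under /usr/local/nac/bin and pass it to sendRequest.sh -f as described below.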
Java Program and Command for Requests
Sentriant AG ships with a sample shell script that invokes Java code that can be used to send JMS
requests. Invoke the program by entering the following command:
sendRequest.sh [-u broker URL] [-t topicName] [-l login -p password] -f <request.xml>
Where:
● broker URL—The URL of the JMS message bus. If not specified, it defaults to tcp://localhost:61616
● topicName—The topic on which requests are published. By default, all Sentriant AG requests are published on the topic nac.requests
● login and password—Not set by default
● -f <request.xml>—An XML file that contains requests as shown in “Examples of Requests” on page 309.
13 Remote Device Activity Capture
This section describes two ways to achieve Remote Device Activity Capture (RDAC):
● Creating a DAC host
● Using the Infoblox connector
Creating a DAC Host
Sentriant AG auto-discovers endpoints on your network so that the testing and transition from quarantine to non-quarantine areas happens quickly and smoothly after an endpoint is booted up. Sentriant AG also relies on auto-discovery functionality to track DHCP IP address transitions so that it can continue to communicate seamlessly with endpoints after an IP change. The utility used for auto-discovery is Device Activity Capture (DAC). DAC listens to (sniffs) the network, most importantly for DHCP traffic, but can be configured to discover other types of IP traffic if needed (such as from static IP addresses). DAC listens for DHCP ACK messages (a unicast from the DHCP server to the endpoint) so that it knows exactly when an endpoint has received a new IP address and can be tested with a TCP/IP connection. DAC works in a number of configurations:
● DHCP (Router) and Inline Mode—DAC runs on the Enforcement Servers (ES) and discovers endpoints when they generate traffic across the ES bridge. There is no need for you to do any extra configuration of DAC in these modes.
● 802.1X Mode
■ Mirror Port—DAC runs on the ESs. The eth1 interface of the ES is connected to a mirror port on a switch that mirrors DHCP traffic. The eth1 interface can also be configured to listen on a mirror port for other types of traffic to discover endpoints with static IP addresses. Select the local radio button in the Home window>>System configuration>>802.1X Quarantine method>>Quarantining window to enable this mode.
■ Remote DAC (RDAC)—DAC runs as a standalone service on a Windows DHCP server and relays DHCP information back to the ESs. DAC can also be configured to run on a non-DHCP server to discover endpoints with static IP addresses. Select the remote radio button in the Home window>>System configuration>>802.1X Quarantine method>>Quarantining window to enable this mode.
This section explains how to install DAC on a remote system. For Windows servers, use the Windows
installer to set up the first interface, then manually add other interfaces.
NOTE
When DAC is installed on the ES, it is sometimes referred to as Embedded DAC (EDAC). When DAC is installed
remotely, it is sometimes referred to as Remote DAC (RDAC).
Your DAC host can be a Windows server. This section provides instructions on setting up a Windows
host.
First, download the executable file to your Windows server, then run the installer to install the first
interface. For this release, if you want to add additional interfaces, you must install them manually. A
future release will expand the options in the installer to include multiple interfaces. Add any additional
interfaces and start the service.
Downloading the EXE File
To download the EXE file to a Windows machine:
Browser window
Download and save the EXE file to a Windows machine. Copying files is described in “Copying Files”
on page 42. The EXE file can be downloaded directly from the MS:
/usr/local/nac/webapps/ROOT/installers
Running the Windows Installer
The Windows installer performs the following tasks:
● Installs the DAC software
● Installs the JavaJRE software if needed
● Installs the WinPcap software if needed
● Modifies the wrapper.conf file
● Installs DAC as a Windows service
NOTE
If you have already installed DAC, you must uninstall it before attempting to install a newer version. See the
“Removing the Software” on page 324 for instructions.
NOTE
If you have made configuration changes to the wrapper.conf file in a previous version of DAC, when you remove and
re-install DAC, your changes are not saved. You will need to re-enter any changes, such as adding additional
interfaces or ESs to the wrapper.conf file after installing DAC. You can save your previous wrapper.conf file before
you uninstall DAC for reference; do not save the old wrapper.conf file and copy it over the new wrapper.conf file.
To run the Windows installer:
Windows server
1 Navigate to the EXE file downloaded in “Downloading the EXE File” on page 314.
2 Double-click on the EXE file. The DAC InstallShield Wizard Welcome window appears:
Figure 178: The DAC InstallShield Wizard Welcome Window
3 Click Next. The Setup Type window appears:
Figure 179: RDAC Installer, Setup Type
4 Select Complete to install the DAC software, the JavaJRE software, and the WinPcap software. If you
already have JavaJRE or WinPcap installed, select Custom.
5 Click Next. The Choose Destination Location window appears:
Figure 180: RDAC Installer, Choose Destination Location
6 In most cases, you should accept the default location. (Click Change to select a different location.)
Click Next. The Confirm New Folder window appears:
Figure 181: RDAC Installer, Confirm New Folder
7 Click Yes. If you selected Custom in step 4 on page 315, the Select Features window appears;
otherwise the NIC Selection window appears (Figure 183):
Figure 182: RDAC Installer, Select Features
8 Select the features to install. Click Next. The NIC Selection window appears:
Figure 183: RDAC Installer, NIC Selection
9 All of the interfaces installed on your Windows server are listed in this window. Select the one you
want to use and click Next. The TCP Port Filter Specification window appears:
Figure 184: RDAC Installer, TCP Port Filter Specification
10 In most cases you should accept the default entry. Click Next. The Enforcement Server Specification
window appears:
Figure 185: RDAC Installer, Enforcement Server Specification
11 Enter the IP address of the Enforcement Server (ES) to use. Click Next. The Ready to Install the
Program window appears:
Figure 186: RDAC Installer, Ready to Install the Program
12 Click Install.
13 If you selected Complete in step 4 on page 315, the InstallShield Wizard launches the Java installer
first and then the WinPcap installer.
If you selected Custom in step 4 on page 315, the installers for only the selected feature will launch.
You will be notified by the Java and WinPcap installers if you already have the software installed.
Follow the instructions on the installer windows.
When the installation is complete, the InstallShield Wizard Complete window appears:
Figure 187: RDAC Installer, InstallShield Wizard Complete
14 The following folders and files are created:
DAC
    VERSION
    bin
        InstallSSDAC.bat
        rdac
        SSDAC.bat
        UninstallSSDAC.bat
        wrapper.exe
    conf
        wrapper.conf
    lib
        DAC_keystore
        Jpcap.dll
        libjpcap.so
        SA_DeviceActivityCapturer.jar
        wrapper.dll
        wrapper.jar
    log
        wrapper.log
15 Perform the steps detailed in “Adding Additional Interfaces” if you have additional interfaces to
add.
16 Perform the steps detailed in “Configuring the MS and ES for DAC” on page 322.
17 Go to “Starting the Windows Service”.
Adding Additional Interfaces
For this release, if you want to add additional interfaces, you must install them manually. A future
release will expand the options in the installer to include multiple interfaces.
To add additional interfaces to the DAC host:
Windows server
1 Open the DAC/conf/wrapper.conf file with a text editor.
a Locate the Application Parameters section in the wrapper.conf file. You will see a list of entries
like the following:
wrapper.app.parameter.X
Where X is the numerical value representing the order in which the parameter will be added to
the command.
b Change any parameters necessary for your specific setup. The interface and IP address
parameters are the only parameters that require a change; however, changing other parameters
can assist you for debugging purposes.
Figure 188: Example wrapper.conf File
# Application parameters. Add parameters as needed starting from 1
wrapper.app.parameter.1=RemoteDac
wrapper.app.parameter.2=-d
wrapper.app.parameter.3=-l
wrapper.app.parameter.4=../log/DAC.log
wrapper.app.parameter.5=-k
wrapper.app.parameter.6=../lib/DAC_keystore
wrapper.app.parameter.7=-h
#replace wrapper.app.parameter.8 with the Enforcement Server IP address.
#for multiple Enforcement Servers add more parameters and increment the ones below
#example:
#wrapper.app.parameter.8=<ip 1>
#wrapper.app.parameter.9=<ip 2>
#wrapper.app.parameter.10=<ip 3>
#wrapper.app.parameter.11=-i
#wrapper.app.parameter.12="\Device\NPF_{9F658297-43BF-4EA0-A1E3-3FA2FFD55C70}"
#wrapper.app.parameter.13=-f
#etc...
wrapper.app.parameter.8=172.17.100.100
wrapper.app.parameter.9=-i
#replace wrapper.app.parameter.10 with your interface
#to find your interfaces please run the following from the lib directory
#java -jar SA_DeviceActivityCapturer.jar -L
#this will list all available interfaces; replace the following parameter with your interface
wrapper.app.parameter.10="\Device\NPF_{54052575-E4CC-46A5-B626-9167DD4F9BE3}"
wrapper.app.parameter.11=-f
wrapper.app.parameter.12="udp src port 67"
2 Perform the steps detailed in “Configuring the MS and ES for DAC” on page 322.
3 Go to “Starting the Windows Service”.
Configuring the MS and ES for DAC
1 Create a keystore file containing a unique key, signed certificate, and a CA certificate that is required
for SSL communication.
a On the Sentriant AG MS, enter the following command at the command line:
/usr/local/nac/bin/SSL-createRemoteDACCertificate
b When the command completes, copy the DAC_keystore file (from /tmp or wherever you
specified) to C:\Program Files\Extreme\DAC\lib\.
c After copying the DAC_keystore file from the MS, delete the file from its temporary location on the MS.
NOTE
Note that for each remote DAC host, this step must be repeated as each host should have its own unique key.
2 Add a firewall rule to the ES or ESs to which the DAC host will be sending packets. On each ES:
a Enter the following command to dump the Lokkit iptables chain:
iptables -nvL RH-Lokkit-0-50-INPUT --line-numbers
b Add a rule AFTER the RELATED, ESTABLISHED rule. The rule numbers are listed in the first
column of the output from the previous statement. For example, if the RELATED, ESTABLISHED
rule is rule 5, the INSERT command would look like the following:
iptables -I RH-Lokkit-0-50-INPUT 6 -p tcp --dport 8999 -s <DAC host IP> -m state --state NEW -j ACCEPT
If you want this addition to survive a reboot, you must use the iptables-save command and
dump the iptables ruleset to /etc/sysconfig/iptables with the following command:
/sbin/iptables-save > /etc/sysconfig/iptables
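Inserting the rule at the wrong position in the Lokkit chain (after a REJECT, or at a guessed number) either never matches or admits more than intended. The following Python script is an added example, not part of Sentriant AG: it parses the output of iptables -nvL RH-Lokkit-0-50-INPUT --line-numbers, locates the RELATED,ESTABLISHED rule and refuses to proceed if it cannot, checks that the rule would land before the first REJECT, requires the DAC host to be a single IPv4 address (no names, no ranges), skips hosts that already have the rule, and prints the exact iptables -I command from step b. The chain listing is constructed to resemble a default ES firewall; a real listing will differ.

```python
# Added example (not part of Sentriant AG): derive the exact "iptables -I"
# command for the DAC host rule from a listing of the Lokkit INPUT chain.
import ipaddress

CHAIN = "RH-Lokkit-0-50-INPUT"

# Constructed output of: iptables -nvL RH-Lokkit-0-50-INPUT --line-numbers
# (resembles a default ES chain; a real listing will differ).
SAMPLE_CHAIN = """\
Chain RH-Lokkit-0-50-INPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
2       12   768 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
5     9031 1201K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:0:1023 flags:0x17/0x02 reject-with icmp-port-unreachable
7        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:0:1023 reject-with icmp-port-unreachable
"""

# The same chain once the DAC rule for 10.1.2.3 is present (constructed; the
# rule's position is irrelevant to the duplicate check below).
SAMPLE_CHAIN_APPLIED = SAMPLE_CHAIN + (
    "8        0     0 ACCEPT     tcp  --  *      *       10.1.2.3"
    "             0.0.0.0/0           state NEW tcp dpt:8999\n")


def parse_chain(listing):
    """Turn `iptables -nvL <chain> --line-numbers` output into rule dicts."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].isdigit():
            continue  # "Chain ..." and "num pkts ..." header lines
        rules.append({"num": int(f[0]), "target": f[3], "proto": f[4],
                      "source": f[8], "extra": " ".join(f[10:])})
    return rules


def insert_position(listing):
    """Rule number to pass to -I: directly after the RELATED,ESTABLISHED rule."""
    rules = parse_chain(listing)
    established = [r for r in rules if "RELATED,ESTABLISHED" in r["extra"]]
    if not established:
        raise ValueError("no RELATED,ESTABLISHED rule in %s; refusing to guess" % CHAIN)
    pos = established[0]["num"] + 1
    first_reject = next((r["num"] for r in rules if r["target"] == "REJECT"), None)
    if first_reject is not None and pos > first_reject:
        raise ValueError("a REJECT precedes RELATED,ESTABLISHED; inspect the chain by hand")
    return pos


def has_dac_rule(listing, host, port=8999):
    """True if an ACCEPT for this host and TCP port is already in the chain."""
    return any(r["target"] == "ACCEPT" and r["proto"] == "tcp"
               and r["source"] == host and ("dpt:%d" % port) in r["extra"]
               for r in parse_chain(listing))


def dac_rule_command(listing, host, port=8999):
    """The command to run on the ES, or None when the rule is already present."""
    ipaddress.IPv4Address(host)  # one address only: no names, no CIDR ranges
    if has_dac_rule(listing, host, port):
        return None
    return ("iptables -I %s %d -p tcp --dport %d -s %s -m state --state NEW -j ACCEPT"
            % (CHAIN, insert_position(listing), port, host))


if __name__ == "__main__":
    print(dac_rule_command(SAMPLE_CHAIN, "10.1.2.3"))
    print(dac_rule_command(SAMPLE_CHAIN_APPLIED, "10.1.2.3"))  # None: already there
```

Run it against the live listing (iptables -nvL RH-Lokkit-0-50-INPUT --line-numbers) on each ES, review the printed command, then apply it and save the ruleset with iptables-save as described above.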
Adding Additional ESs
For this release, if you want to add additional ESs, you must add them manually. A future release will expand the options in the installer to include multiple ESs. To add additional ESs to the DAC host:
Windows server
1 Open the DAC/conf/wrapper.conf file with a text editor.
a Locate the Application Parameters section in the wrapper.conf file. You will see a list of entries like the following:
wrapper.app.parameter.X
Where X is the numerical value representing the order in which the parameter will be added to the command.
b Add additional ESs:
1) Locate the line that represents the initial ES, for example:
wrapper.app.parameter.8=172.17.100.100
2) Add another line just below the initial ES with the new IP address or addresses:
wrapper.app.parameter.9=172.17.100.150
wrapper.app.parameter.10=172.50.50.7
3) Increment the rest of the wrapper.app.parameter numbers by the number of ESs added. For this example of adding two ESs, increment by two: change 9 to 11, 10 to 12, 11 to 13, and 12 to 14.
wrapper.app.parameter.11=-i
wrapper.app.parameter.12="\Device\NPF_{54052575-E4CC-46A5-B626-9167DD4F9BE3}"
wrapper.app.parameter.13=-f
wrapper.app.parameter.14="udp src port 67"
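Renumbering the wrapper.app.parameter entries by hand is where this procedure goes wrong: a gap or a duplicate number changes the command line the service is started with. The following Python script, added here as an example and not shipped with Sentriant AG, inserts additional Enforcement Server addresses after the -h option of a wrapper.conf and renumbers everything that follows, refusing files whose numbering is not already contiguous. The sample file is constructed from the guide's Figure 188; treating every IPv4 value that directly follows -h as an ES address is this example's assumption.

```python
# Added example (not shipped with Sentriant AG): add Enforcement Server
# addresses to an RDAC wrapper.conf and renumber the wrapper.app.parameter
# entries that follow, instead of editing the numbers by hand.
import ipaddress
import re

PARAM_RE = re.compile(r"^wrapper\.app\.parameter\.(\d+)=(.*)$")

# Constructed from the guide's Figure 188 (most comments omitted for brevity).
SAMPLE_CONF = r"""# Application parameters. Add parameters as needed starting from 1
wrapper.app.parameter.1=RemoteDac
wrapper.app.parameter.2=-d
wrapper.app.parameter.3=-l
wrapper.app.parameter.4=../log/DAC.log
wrapper.app.parameter.5=-k
wrapper.app.parameter.6=../lib/DAC_keystore
wrapper.app.parameter.7=-h
#replace wrapper.app.parameter.8 with the Enforcement Server IP address.
wrapper.app.parameter.8=172.17.100.100
wrapper.app.parameter.9=-i
wrapper.app.parameter.10="\Device\NPF_{54052575-E4CC-46A5-B626-9167DD4F9BE3}"
wrapper.app.parameter.11=-f
wrapper.app.parameter.12="udp src port 67"
"""


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def parse_params(text):
    """[(number, value)] in file order; the numbering must be contiguous from 1."""
    params = [(int(m.group(1)), m.group(2))
              for m in map(PARAM_RE.match, text.splitlines()) if m]
    numbers = [n for n, _ in params]
    if numbers != list(range(1, len(numbers) + 1)):
        raise ValueError("wrapper.app.parameter numbering is not 1..n: %s" % numbers)
    return params


def enforcement_servers(text):
    """ES addresses: the IPv4 values that directly follow the -h option
    (assumption: the run of addresses ends at the next non-address value)."""
    values = [v for _, v in parse_params(text)]
    if "-h" not in values:
        raise ValueError("no -h option in wrapper.conf")
    servers = []
    for value in values[values.index("-h") + 1:]:
        if not is_ipv4(value):
            break
        servers.append(value)
    return servers


def add_enforcement_servers(text, new_ips):
    """Return the conf text with new_ips inserted after the existing ES
    addresses and every later parameter renumbered. Addresses already
    present are skipped, so running it twice is harmless."""
    bad = [ip for ip in new_ips if not is_ipv4(ip)]
    if bad:
        raise ValueError("not IPv4 addresses: %s" % bad)
    pending = [ip for ip in new_ips if ip not in enforcement_servers(text)]
    out, counter, in_run = [], 0, False

    def emit(value):
        nonlocal counter
        counter += 1
        out.append("wrapper.app.parameter.%d=%s" % (counter, value))

    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if not m:
            out.append(line)  # comments and other settings pass through unchanged
            continue
        value = m.group(2)
        if in_run and not is_ipv4(value):
            for ip in pending:  # the ES run just ended: the new ones go here
                emit(ip)
            pending, in_run = [], False
        emit(value)
        if value == "-h":
            in_run = True
    for ip in pending:  # -h and its addresses were the last parameters
        emit(ip)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(add_enforcement_servers(SAMPLE_CONF, ["172.17.100.150", "172.50.50.7"]))
```

Comments in the real file that cite parameter numbers (such as "#replace wrapper.app.parameter.10 with your interface") are passed through untouched and will be stale after renumbering; the service only reads the wrapper.app.parameter lines themselves.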
Starting the Windows Service
You can start the Windows service manually, or you can reboot the Windows server, which starts the
service automatically.
To start the Windows service manually:
Windows server
1 Select Start>>Settings>>Control Panel>>Administrative Tools>>Services. The Services window
appears:
Figure 189: NAC Endpoint Activity Capture Service
2 Right-click on the NAC Endpoint Activity Capture service and select Start.
The service is set to automatic start at the next reboot by default.
Viewing Version Information
To view version information:
Windows server
1 Select Start>>Settings>>Control Panel>>Add or Remove Programs.
2 Click once on the DAC listing.
3 Click Click here for support information. The Support Info window appears.
4 The version and other support information is displayed. Click Close.
5 Close the Add or Remove Programs window.
Removing the Software
Each of the three software packages must be removed individually.
To remove the RDAC software:
Windows server
1 Select Start>>Settings>>Control Panel>>Add or Remove Programs.
2 Click once on the DAC listing.
3 Click Remove.
4 Click Yes when asked if you want to completely remove the application and features. When the
uninstallation is complete, the Uninstall Complete window appears:
Figure 190: RDAC Uninstall Complete
5 Select one of the options and click Finish.
To remove the JavaJRE software:
Windows server
1 Select Start>>Settings>>Control Panel>>Add or Remove Programs.
2 Click once on the J2SE Runtime Environment listing.
3 Click Remove.
4 Click Yes when asked if you want to completely remove the application and features. When the
uninstallation is complete, the Uninstall Complete window appears:
5 Select one of the options and click Finish.
To remove the WinPcap software:
Windows server
1 Select Start>>Settings>>Control Panel>>Add or Remove Programs.
2 Click once on the WinPcap listing.
3 Click Remove.
4 Click Yes when asked if you want to completely remove the application and features. When the
uninstallation is complete, the Uninstall Complete window appears:
5 Select one of the options and click Finish.
Sentriant AG to Infoblox Connector
Infoblox™ is a DHCP server appliance that writes to syslog when it vends IP addresses. These syslog
messages (DHCPACK syslog lines) are translated and forwarded to the Sentriant AG Device Activity
Capturer (DAC) by way of the connector (syslog-to-dac.py).
NOTE
Please verify that your Infoblox software is current (NIOS™ 4.1r5-0 or later).
NOTE
After you upgrade or perform a new installation, the connector file (syslog-to-dac.py) is in the following directory:
/usr/local/nac/bin
Configuring the Infoblox Server
You must configure syslog on the Infoblox server to send debug level DHCP logs to the Sentriant AG
ES IPs on TCP port 514, using the local3 facility. The actual steps to set this up may vary by NIOS.
Contact Infoblox support for assistance (http://www.infoblox.com/support/).
If the Infoblox DHCP is clustered, there is a floating/management IP and multiple LAN IPs (one for each
of the nodes in the DHCP cluster). In this configuration:
● The switches must be configured to forward DHCP requests (using iphelper, for example) to the floating/management IP (not the individual LAN IPs)
● The iptables firewall on the ESs should be configured to allow syslog traffic from the individual LAN IPs (one entry per Infoblox DHCP node).
Configuring Sentriant AG
To configure Sentriant AG:
Home window>>System configuration>>Select an enforcement cluster>>Quarantining
1 In the Quarantine method area, select the 802.1X radio button.
2 In the Basic 802.1X settings area, select the remote Endpoint detection location radio button.
3 Click ok.
Command line window
NOTE
Perform the following steps on each ES in your system.
4 Log in as root to the Sentriant AG ES using SSH or directly with a keyboard.
5 Enter the following command:
egrep DeviceActivityCapture /usr/local/nac/properties/nac-es.properties
The expected result is:
Compliance.DeviceActivityCapture.RunningRemotely=true
Contact the Technical Assistance Center (TAC) (support@extremenetworks.com) if your result is different.
NOTE
It can take a minute or two after changing the property in the user interface for the change to propagate to all ESs.
6 Edit the configuration file:
a Open the following file with a text editor such as vi:
/etc/syslog-ng/syslog-ng.conf
b In the ### SOURCE ENTRIES HERE ### area, add the following line:
source rdac { tcp(); };
c In the ### DESTINATION ENTRIES HERE ### area, add the following line:
destination d_dac { program("/usr/local/nac/bin/syslog-to-dac.py"); };
d In the ### LOG ENTRIES HERE ### area, add the following line:
log { source(rdac); filter(f_mesg); destination(d_dac); };
e Save and exit the file.
f Enter the following at the command line to restart the service:
service syslog-ng restart
7 Add the iptables firewall rule to allow this syslog traffic:
a Stop iptables by entering the following at the command line:
service nac-es stop
fw_control stop
b Open the following file with a text editor such as vi:
/etc/sysconfig/iptables
c Add the following line before the # REJECT lines in the RH-Lokkit-0-50-INPUT section, and after
the RELATED,ESTABLISHED line:
d -A RH-Lokkit-0-50-INPUT -s <INFOBLOX_IP> -p tcp -m tcp --dport 514 -m state --state NEW -j ACCEPT
Where:
<INFOBLOX_IP> is the IP address of the Infoblox server.
e Restart iptables by entering the following at the command line:
fw_control start
service nac-es start
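The checks in steps 5 and 7 above, as an added example that is not part of the Sentriant AG guide: a Python helper that reads the property the egrep step looks for, renders the iptables rule for a validated Infoblox address, inserts it after the RELATED,ESTABLISHED line of the RH-Lokkit-0-50-INPUT chain, and confirms it lands ahead of the # REJECT lines. The properties text and the iptables content are constructed samples; on an ES you would read /usr/local/nac/properties/nac-es.properties and /etc/sysconfig/iptables instead.

```python
"""Added example (not from the Sentriant AG guide): helpers mirroring the
RDAC property check and the iptables rule placement in the procedure above."""
import ipaddress

PROPERTY = "Compliance.DeviceActivityCapture.RunningRemotely"

# Constructed sample of the nac-es.properties content the egrep step inspects.
SAMPLE_PROPERTIES = """\
Compliance.DeviceActivityCapture.RunningRemotely=true
Compliance.SomeOther.Setting=5
"""

# Constructed sample of /etc/sysconfig/iptables in the RH-Lokkit layout.
SAMPLE_IPTABLES = """\
*filter
:RH-Lokkit-0-50-INPUT - [0:0]
-A RH-Lokkit-0-50-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
# REJECT everything that was not explicitly accepted above
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
"""


def rdac_enabled(properties_text):
    """True when the property the guide's egrep step looks for is set to true."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == PROPERTY:
            return value.strip().lower() == "true"
    return False


def rdac_rule(infoblox_ip):
    """Render the ACCEPT rule for syslog (TCP/514) from one Infoblox node.

    The address must parse as a single IPv4 host, so a typo or a stray
    prefix length cannot turn into a broader match than intended.
    """
    addr = ipaddress.ip_address(infoblox_ip)   # raises ValueError on bad input
    if addr.version != 4:
        raise ValueError("expected an IPv4 address")
    return (f"-A RH-Lokkit-0-50-INPUT -s {addr} -p tcp -m tcp --dport 514 "
            f"-m state --state NEW -j ACCEPT")


def insert_rdac_rule(iptables_text, infoblox_ip):
    """Insert the rule right after the RELATED,ESTABLISHED line of the
    RH-Lokkit-0-50-INPUT chain, which places it ahead of the REJECT lines."""
    rule = rdac_rule(infoblox_ip)
    lines = iptables_text.splitlines()
    for i, line in enumerate(lines):
        if "RH-Lokkit-0-50-INPUT" in line and "RELATED,ESTABLISHED" in line:
            lines.insert(i + 1, rule)
            break
    else:
        raise ValueError("RELATED,ESTABLISHED line not found in RH-Lokkit-0-50-INPUT")
    return "\n".join(lines) + "\n"


def rule_precedes_reject(iptables_text):
    """Placement check: the syslog ACCEPT must come before the first # REJECT line."""
    accept_at = reject_at = None
    for i, line in enumerate(iptables_text.splitlines()):
        if accept_at is None and "--dport 514" in line and "ACCEPT" in line:
            accept_at = i
        if reject_at is None and line.startswith("# REJECT"):
            reject_at = i
    return accept_at is not None and reject_at is not None and accept_at < reject_at


if __name__ == "__main__":
    print("RDAC property ok:", rdac_enabled(SAMPLE_PROPERTIES))
    updated = insert_rdac_rule(SAMPLE_IPTABLES, "10.20.30.40")
    print(updated)
    print("rule before REJECT:", rule_precedes_reject(updated))
```

The placement check is the part worth keeping around: a rule appended after the REJECT lines never matches, and the syslog feed silently stops without any error from iptables itself.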
14 Reports
Sentriant AG generates the following types of reports:
Table 11: Report Types and Fields
Report: NAC policy results
Description: Lists each NAC policy and the last pass/fail policy results.
Report columns: policy name, test status, # of times, % of total, details
Report: Endpoint list
Description: Lists each endpoint and the last pass/fail policy results.
Report columns: mac address, ip address, cluster, netbios, user, test status, date/time
Report: Test details
Description: Comprehensive list of all test results, including remediation messages.
Report columns: ip address, netbios, user, policy, test name, actions, test status, message
Report: Test results
Description: Lists each test and the test's pass/fail status.
Report columns: test name, test status, # of times, % of total, details
Report: Test results by IP address
Description: Lists the number of tests that passed or failed for each IP address.
Report columns: ip address, cluster, netbios, user, test status, # of times, % of total, details
Report: Test results by NetBIOS name
Description: Lists the number of tests that passed or failed for each netbios name.
Report columns: netbios, cluster, ip address, user, test status, # of times, % of total, details
Report: Test results by user
Description: Lists the number of tests that passed or failed for each user.
Report columns: user, cluster, ip address, netbios, test status, # of times, % of total, details
NOTE
Click the underlined links in reports for more information about the tests.
Sort the report by clicking the report column heading.
Generating Reports
To generate a report:
Home window>>Reports
The following figure shows the Reports window.
Figure 191: Reports
1 In the Report drop-down list, select the report to run.
2 Select the Report period.
3 Select the Rows per page.
4 In the Endpoint search criteria area, select any of the following options to use for filtering the
report:
a Cluster
b Endpoint NetBIOS
c Endpoint IP address
d Endpoint MAC address
e Endpoint test status
f Access control status
g Endpoints must match:
1) All of the selected criteria
2) Any of the selected criteria
5 Select Generate report. After a short period of time the compiled report is displayed in a separate
browser window. The following figure shows an example report.
Figure 192: NAC Policy Results Report
CAUTION
The reports capability uses pop-up windows; if you have blocked pop-up windows in your browser, you will not be
able to view reports. See “Important browser settings” in the Software Installation Guide for more information.
Viewing Report Details
To view report details:
Home window>>Reports
1 Select the options for the report you want to run.
2 Click Generate report.
3 Click the details link. The Test details window appears:
Figure 193: Test Details Report
Printing Reports
To print a report:
Home window>>Reports
1 Select the options for the report you want to run.
2 Click Generate report.
3 Select Print.
4 Select the printer options and properties.
5 Select Print.
Saving Reports to a File
To save a report:
Home window>>Reports
1 Select the options for the report you want to run.
2 Click Generate report.
3 Select File>>Save Page As from the browser menu.
4 Enter a name and location where you want to save the file.
5 Select Web page, complete.
6 Click Save. The file is saved as an HTML file that can be viewed in a browser window.
Converting an HTML Report to a Word Document
To convert an HTML report:
1 Run the report (see “Generating Reports” on page 330.)
2 Save an HTML version of it (see “Saving Reports to a File” on page 334).
3 Open the HTML report in Microsoft Word.
4 Select File>>Save as.
5 In the Save as type drop-down list, select .doc.
6 Click Save.
This creates a standalone file that retains all of its graphics and formatting.
7 To print, you might need to reduce the border sizes in File>>Page Setup dialog box for the report to
print correctly.
15 DHCP Plug-in
The Dynamic Host Configuration Protocol (DHCP) plug-in is an optional feature that allows you to use
one or more DHCP servers (without an installation of Sentriant AG in front of each DHCP server) as
shown in the following figure:
Figure 194: DHCP Plug-in
The DHCP plug-in is a Microsoft DHCP plug-in that utilizes the Microsoft DHCP Server Callout
Application Programming Interface (API). Installed on each DHCP server in your network, the plug-in
processes or ignores DHCP packets based on the end-user device Media Access Control (MAC) address.
Sentriant AG tests endpoints that request access to the network and either assigns a quarantined
Internet Protocol (IP) address (failed), or adds the MAC address of the end-user device as an authorized
device (allowed) to the Access Control List (ACL) on the appropriate DHCP server.
The following connection and communication actions apply:
● If the connection between the DHCP server and the Sentriant AG server is lost and re-established, the existing ACL on the DHCP server is discarded and Sentriant AG re-transmits the entire ACL.
● If the DHCP server cannot communicate with Sentriant AG at any time, the DHCP server goes into an allow all or deny all state, depending on the failopen parameter setting in the config.xml file (true = allow all, false = deny all).
● Sentriant AG attempts to connect to known DHCP servers on start-up, and continuously attempts to connect at regular intervals indefinitely.
Installation Overview
When Sentriant AG does not sit inline with the DHCP server, you need to set up a remote host for
Device Activity Capture (DAC) to allow Sentriant AG to listen on the network. This is done by
installing a small program on the DHCP server or other remote (non-Sentriant AG) host, which then
sends relevant endpoint device information back to Sentriant AG.
NOTE
Windows Server 2003 is the only server supported for this release.
To install the DHCP plug-in:
1 The DHCP plug-in requires that you first configure your system with RDAC as described in
“Creating a DAC Host” on page 313.
2 On the Sentriant AG MS, enter the following commands and follow the on-screen instructions:
a /usr/local/nac/bin/MakeDHCPCert
This command generates a file named server.pem in the current directory. This file contains a
key and certificate signed by the CA. The DHCP plug-in responds to SSL connections from
Sentriant AG by providing this certificate.
b Copy the server.pem file (from the directory where it was created in step a above) to the C:\WINDOWS\system32\dhcp directory.
c After copying the server.pem file from the Sentriant AG server, delete the file from its temporary location on the Sentriant AG server.
3 Download and install the DHCP plug-in as described in “Installing the Plug-in” on page 340.
4 The DHCP Plug-in is configured using config.xml, which resides on the Windows 2003 Server in c:\WINDOWS\SYSTEM32\DHCP\config.xml. Table 12 shows the options used in config.xml:
Table 12: DHCP Plug-in Configuration File Values
Group: listener
failopen: failopen="true" means that if the Sentriant AG DHCP connection goes down, the DHCP server goes into allow all mode. failopen="false" means that if the Sentriant AG DHCP connection goes down, the DHCP server goes into deny all mode.
port: Specifies the port on which the Dynamic Link Library (DLL) file should listen for Sentriant AG connections.
looprate: The rate in seconds at which the DHCP server will check for a broken connection.
Group: certificates
certfile: A Privacy Enhanced Mail (PEM) formatted file containing the server key and certificate along with any CA trusted entities.
Group: logging
location: The location to save the DLL's log file. The log file is an ASCII file.
level: The level of verbosity in the log.
1 - Errors only (logs unexpected behavior, such as unable to parse configuration file)
2 - Errors and warnings (logs mode changes, such as No Connection to Sentriant AG or Entering allow all mode)
3 - Errors, warnings, and information messages (logs major processing steps, such as clearing ACL)
4 - Errors, warnings, information, and debug messages
maxsize: The size in kB at which the log file should be rotated. When the maximum size specified is exceeded, the current log file is closed and renamed as <current file name>.<integer>.
NOTE: If the current log file is open for reading, Windows cannot rename the file. In that case, the DLL is unable to rotate the log file, and attempts to reopen the current log file and continue logging to it.
The following text shows a DHCP plug-in example configuration file with default values:
<?xml version="1.0" encoding="utf-8" ?>
<dhcpconnector>
<listener failopen="true">
<port>*:4433</port>
<looprate>10</looprate>
</listener>
<certificates>
<cadir />
<certfile>c:\windows\system32\dhcp\server.pem</certfile>
<clientCN enforce="false">nac</clientCN>
</certificates>
<logging>
<location>c:\windows\system32\dhcp\nac_DHCP.log</location>
<level>3</level>
<maxsize>1024</maxsize>
</logging>
</dhcpconnector>
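An added example, not from the Sentriant AG guide or the plug-in itself, that parses a config.xml in the layout shown above, lists the settings a reviewer should look at, and models the connection-loss behaviour described at the start of this chapter (ACL replaced on reconnect; allow all or deny all while disconnected, according to failopen). The sample document is the default file above; the reading of clientCN enforce as a peer-certificate CN check and of * in the port value as "every interface" are assumptions, and the MAC addresses are constructed.

```python
"""Added example (not from the Sentriant AG guide): read a DHCP plug-in
config.xml, flag settings that matter for enforcement, and model the
plug-in's behaviour while its Sentriant AG connection is down."""
import xml.etree.ElementTree as ET

# The guide's default config.xml, embedded here as a constructed sample.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="utf-8" ?>
<dhcpconnector>
<listener failopen="true">
<port>*:4433</port>
<looprate>10</looprate>
</listener>
<certificates>
<cadir />
<certfile>c:\windows\system32\dhcp\server.pem</certfile>
<clientCN enforce="false">nac</clientCN>
</certificates>
<logging>
<location>c:\windows\system32\dhcp\nac_DHCP.log</location>
<level>3</level>
<maxsize>1024</maxsize>
</logging>
</dhcpconnector>
"""


def parse_config(xml_text):
    """Pull the Table 12 values out of a dhcpconnector document."""
    root = ET.fromstring(xml_text)
    if root.tag != "dhcpconnector":
        raise ValueError("not a dhcpconnector configuration")
    listener = root.find("listener")
    certs = root.find("certificates")
    log = root.find("logging")
    if listener is None or certs is None or log is None:
        raise ValueError("listener, certificates and logging groups are required")
    bind, _, port = listener.findtext("port", "").rpartition(":")
    client_cn = certs.find("clientCN")
    return {
        "failopen": listener.get("failopen", "false").lower() == "true",
        "bind": bind or "*",                      # assumption: '*' = every interface
        "port": int(port),
        "looprate": int(listener.findtext("looprate", "0")),
        "certfile": certs.findtext("certfile", ""),
        "client_cn": client_cn.text if client_cn is not None else "",
        # assumption: enforce="true" makes the DLL compare the client cert CN
        "enforce_cn": client_cn is not None
        and client_cn.get("enforce", "false").lower() == "true",
        "log_level": int(log.findtext("level", "1")),
        "log_maxsize_kb": int(log.findtext("maxsize", "0")),
    }


def audit(cfg):
    """Findings worth raising in a review, based on the Table 12 semantics."""
    findings = []
    if cfg["failopen"]:
        findings.append("failopen=true: every DHCP request is served while "
                        "Sentriant AG is unreachable")
    if not cfg["enforce_cn"]:
        findings.append("clientCN enforce=false: connecting client's certificate CN "
                        "is not compared with %r (assumed meaning)" % cfg["client_cn"])
    if cfg["bind"] == "*":
        findings.append("listener on *:%d accepts connections on every interface "
                        "(assumed meaning of *)" % cfg["port"])
    if cfg["log_level"] >= 4:
        findings.append("log level 4 (debug) can affect performance")
    return findings


class PluginState:
    """Connection rules from this chapter: the old ACL is discarded and the
    retransmitted one taken on reconnect; while disconnected the answer is
    allow all (failopen=true) or deny all (failopen=false)."""

    def __init__(self, failopen):
        self.failopen = failopen
        self.connected = False
        self.acl = set()

    def on_connect(self, full_acl):
        self.acl = {m.lower() for m in full_acl}
        self.connected = True

    def on_disconnect(self):
        self.connected = False

    def allows(self, mac):
        if not self.connected:
            return self.failopen
        return mac.lower() in self.acl


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against the default file, the audit reports the fail-open listener first; whether that is acceptable is a site decision, but it should be a deliberate one, since a lost connection to Sentriant AG then lets every endpoint obtain a lease.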
DHCP Plug-in and the Sentriant AG User Interface
In order to use the DHCP plug-in, you need to select DHCP as the quarantine (enforcement) method,
select the DHCP servers using the DHCP plug-in check box, and add your DHCP servers.
Installing the Plug-in
To install the DHCP plug-in:
Home window>>System configuration>>Quarantining
1 Select the DHCP radio button in the Quarantine area.
2 Select the DHCP servers using the DHCP plug-in radio button.
Figure 195: System Configuration, Quarantining, DHCP
3 Click download the DHCP plug-in. A Windows save window appears.
4 Browse to a location on the DHCP server you will remember and save the file.
5 On the DHCP server, navigate to the location of the saved file and double-click it.
6 Double-click the *.exe installer file. The InstallShield Wizard starts.
Figure 196: DHCP Plug-in InstallShield Wizard window
7 Click Next. The Customer Information window appears.
Figure 197: DHCP Plug-in Customer Information window
8 Enter your User Name and Company Name.
9 Click Next. The Ready to Install the Program window appears.
Figure 198: DHCP Plug-in Ready to Install the Program window
10 Click Install. The progress is displayed on a Status window. When installation is complete, the
InstallShield Wizard Complete window appears.
Figure 199: DHCP Plug-in InstallShield Wizard Complete window
11 Click Finish.
Enabling the Plug-in and Adding Servers
To enable the DHCP plug-in and add the DHCP servers:
Home window>>System configuration>>Quarantining
1 Select the DHCP radio button in the Quarantine area.
2 Select the DHCP servers using the DHCP plug-in radio button (Figure 195).
NOTE
Changes made while one or more DHCP servers cannot be communicated with will be sent to those DHCP servers as
soon as communication is re-established.
3 Select Add a DHCP plug-in configuration. The Add DHCP plug-in configuration window appears
as shown in the following figure:
Figure 200: Add DHCP Plug-in Configuration
4 Enter the IP address or host name of the DHCP server where the plug-in is to be installed in the
DHCP server hostname or IP address text box.
5 Enter the port number on the DHCP server that listens for plug-in requests in the Plug-in listening
port text field.
6 Enter a brief description of this DHCP server's purpose in the Server description text field.
7 Select a Plug-in logging level, where:
■ error—Log error-level messages only (least amount of detail)
■ warning—Log warning-level and above messages only
■ info—Log debug-level and above messages only
■ debug—Log everything (most amount of detail)
CAUTION
Setting the log level to debug may adversely affect performance.
8 Click ok. The added DHCP server appears as shown in the following figure:
Figure 201: DHCP Plug-in Server Added Example
9 Continue to add DHCP servers until you have added all of them. The possible DHCP server plug-in
status states are shown in the following figure:
Figure 202: DHCP Plug-in Legend
NOTE
Sentriant AG automatically attempts to connect to the DHCP server. The possible DHCP server status states are
shown in Figure 202.
10 Click ok to save the changes and return to the Home window.
Viewing DHCP Server Plug-in Status
DHCP server plug-in status is displayed in the following locations:
● System configuration>>Quarantining>>DHCP window
● System monitor>>select a cluster>>Quarantining window
● Home window>>System configuration>>Quarantining>>DHCP Quarantine method radio button>>DHCP servers using the DHCP plug-in radio button>>Click edit next to a DHCP server configuration
Editing DHCP Server Plug-in Configurations
To edit DHCP Server Plug-in Configurations:
Home window>>System configuration>>Quarantining>>DHCP Quarantine method radio button>>DHCP
servers using the DHCP plug-in radio button
1 Click edit next to the DHCP server you wish to edit. The DHCP Plug-in configuration window
appears:
Figure 203: DHCP Plug-in Configuration
2 Make any necessary modifications.
3 Click ok to return to the System Configuration>>Quarantining window.
4 Click ok to save the changes and return to the Home window.
Deleting a DHCP Server Plug-in Configuration
To delete a DHCP Server Plug-in Configuration:
Home window>>System configuration>>Quarantining>>DHCP Quarantine method radio button>>DHCP
servers using the DHCP plug-in radio button
1 Click remove next to the DHCP server plug-in configuration you wish to delete.
2 Click yes at the Remove DHCP plug-in configuration prompt.
3 Click ok to save the changes and return to the Home window.
Disabling a DHCP Server Plug-in Configuration
Disable a DHCP server plug-in configuration when you do not wish to use it, but wish to save the
configuration and certificates.
To disable a DHCP Server Plug-in Configuration:
Home window>>System configuration>>Quarantining>>DHCP Quarantine method radio button>>DHCP
servers using the DHCP plug-in radio button
1 Click disable next to the DHCP server plug-in configuration you wish to disable.
2 Click yes at the Disable DHCP plug-in configuration prompt.
3 Click ok to save the changes and return to the Home window.
Enabling a DHCP Server Plug-in Configuration
Enable a DHCP server plug-in configuration that was previously created and disabled.
To enable a DHCP Server Plug-in Configuration:
Home window>>System configuration>>Quarantining>>DHCP Quarantine method radio button>>DHCP
servers using the DHCP plug-in radio button
1 Click enable next to the DHCP server plug-in configuration you wish to enable.
2 Click yes at the Enable DHCP plug-in configuration prompt.
3 Click ok to save the changes and return to the Home window.
16 System Administration
Launching Sentriant AG
Launching and Logging into Sentriant AG
To launch and log into Sentriant AG:
Browser window on the workstation
1 Using https://, point your browser to the Sentriant AG MS IP address or host name. The login
page appears.
2 Enter the User name and Password that you defined the first time you logged in.
3 Click log in. The Sentriant AG Home window appears.
Logging out of Sentriant AG
To log out of Sentriant AG:
Any Sentriant AG window
Click Logout in the upper right corner of the Sentriant AG home window. When the logout procedure
completes, the Extreme Networks, Inc. login window appears.
Important Browser Settings
There are several browser configuration settings to make, depending on which browser you are using.
Please see “Important browser settings” in the Installation Guide for details.
Restarting Sentriant AG System Processes
This section lists the commands to stop and restart services associated with Sentriant AG installations
for MS, ES, or Single-server Installations. Restart instead of start is used for services already running in
Sentriant AG. When running Sentriant AG and monitoring systems on your network, you may
encounter a warning on a server stating that a Connection cannot be established. Recommend restart.
The following table provides specific commands for stopping and restarting your services with
Sentriant AG.
If stopping and restarting your system is not successful or you are being required to restart more than
once, contact Technical Assistance Center (TAC) at: support@extremenetworks.com,
http://www.extremenetworks.com/services/resources/, or (800) 998-2408.
Table 13: Service Stop and Restart Commands
service watchdog stop
    This command stops all the NAC software processes on the server (MS and/or ES processes, as necessary).
service watchdog start
    This command starts all the (stopped) NAC software processes on the server (MS and/or ES processes, as necessary).
service watchdog restart
    This command restarts all the NAC software processes on the server (MS and/or ES processes, as necessary).
service nac-es status
    This command shows the current status of the ES processes on the server (applies only to an ES or a single-server installation).
service nac-ms status
    This command shows the current status of the MS processes on the server (applies only to an MS or a single-server installation).
reboot
    This command stops all services gracefully and reboots the server.
shutdown -hy 0
    This command shuts down the system gracefully so it will be ready for poweroff.
Managing your Sentriant AG License
Sentriant AG is licensed on a concurrent-IP basis. If the number of licensed IP addresses is at the
maximum, an endpoint trying to connect is not scanned, and is denied/granted access based on the
policy for untestable endpoints. A notification that the endpoint limit has been exceeded appears in the
interface, and the administrator receives an email (if notifications are enabled).
Entering a New License Key
Extreme Networks, Inc. distributes license keys as text files. Due to the license key’s length, copy and
paste the license key directly out of the text file.
To enter a new license key:
Home window>>System Configuration>>License
1 Open the text file containing the license key. Copy the key, including the double equal signs (==).
2 Paste the license key into the New license key field.
3 Click Submit now. The license key is validated, and it appears in the registered license key field.
NOTE
Endpoints connecting when the license limit is exceeded are allowed or denied based on the setting for untestable
endpoints.
NOTE
If the license key information (such as an expired notice) does not update, clear the browser cache and refresh the
page.
Downloading New Tests
To download the latest tests from the Extreme Networks, Inc. server:
Home window>>System configuration>>Test updates>>Check for test updates button
NOTE
If you are not receiving test updates, try the following checks:
- Verify that the system time is correct
- Attempt to connect using telnet:
At a command prompt on the MS, enter:
telnet update.sentriantag.extremenetworks.com 443
If you do not get a “connected” response, the firewall might be blocking the traffic.
NOTE
Your outbound SSL connection needs to access:
For license validation and test updates:
http://update.sentriantag.extremenetworks.com port 443
For software and operating system updates:
http://download.sentriantag.extremenetworks.com
System Settings
DNS/Windows Domain Authentication and Quarantined Endpoints
In order to satisfy the following scenarios:
● A guest user gets redirected
● A user is redirected if their home page is the Intranet
● The only host that is resolved is the domain controller (DC); no other intranet hosts are resolved
● Windows domain authentication can take place from quarantine with minimal configuration
Perform the following steps:
1 Configure the domain suffixes in the quarantine areas to a placeholder, such as the following:
quarantine.bad
2 Enter the full domain controller hostnames in the System configuration>>Accessible services area
(for example, dc01.mycompany.com, dc02.mycompany.com).
3 Ensure that each ES has a valid, fully qualified domain name (FQDN) and that the domain portion
matches the domain for the registered windows domain.
4 Ensure that each ES is configured with one or more valid DNS servers that can fully resolve (both A
and PTR records) each ES.
5 Ensure that the following ports on the domain controller/active directory (DC/AD) servers are
available from quarantine:
■ 88
■ 389
■ 135-139
■ 1025
Sentriant AG will then look up the Kerberos and LDAP services, and resolve those services within its
own DNS server used for quarantined devices.
For example:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 88 dc01.lvh.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.lvh.com. 86400 IN SRV 0 100 389 dc01.lvh.com
When a browser is configured with an Intranet site as its home page, it will get redirected as shown in
the following example process:
-> lookup intranet.mycompany.com
<- get an NXDomain (since dc01.mycompany.com is in the forwarders, all other mycompany.com
hostnames get an NXDomain; that is the way named works).
-> lookup intranet.mycompany.com.quarantine.bad
<- get Sentriant AG IP address
When the end-user logs in, they will be able to authenticate from quarantine even if credentials are not
cached:
-> lookup the _kerberos and _ldap service location
<- receive dc01.mycompany.com & dc02.mycompany.com
-> lookup the dc01 IP address
<- receive the dc IP address forwarded through Sentriant AG named to the real DNS server (since
dc01.mycompany.com is in the accessible services list).
-> authenticate
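The two walk-throughs above (the home-page redirect and the domain login from quarantine), as an added example that is not part of the Sentriant AG guide: a small model of the quarantine resolver in Python. It parses SRV records in the shape shown above, forwards only the hosts in the accessible services list to a "real" DNS, answers names under the quarantine suffix with the Sentriant AG address, and returns NXDOMAIN for everything else. The hostnames, addresses, site name and SRV records are constructed; Sentriant AG's actual named configuration is not reproduced here.

```python
"""Added example (not from the Sentriant AG guide): a model of name resolution
for a quarantined endpoint, following the redirect and login walks above."""

# Constructed zone data in the same shape as the SRV records shown above.
SRV_RECORDS = """\
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.com. 86400 IN SRV 0 100 88 dc01.mycompany.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.com. 86400 IN SRV 0 100 389 dc01.mycompany.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.com. 86400 IN SRV 0 100 389 dc02.mycompany.com
"""

# Constructed "real" DNS, reachable only through the accessible-services forwarders.
REAL_DNS = {
    "dc01.mycompany.com": "10.0.0.11",
    "dc02.mycompany.com": "10.0.0.12",
    "intranet.mycompany.com": "10.0.0.80",
}


def parse_srv(zone_text):
    """Return {owner name: [(priority, weight, port, target), ...]} from SRV lines."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split()
        # owner ttl IN SRV priority weight port target
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            continue
        owner = fields[0].rstrip(".").lower()
        prio, weight, port = (int(x) for x in fields[4:7])
        target = fields[7].rstrip(".").lower()
        records.setdefault(owner, []).append((prio, weight, port, target))
    return records


class QuarantineResolver:
    """Resolver behaviour for quarantined endpoints as the walks above describe it."""

    def __init__(self, sentriant_ip, quarantine_suffix, accessible_services,
                 srv_zone, real_dns):
        self.sentriant_ip = sentriant_ip
        self.suffix = quarantine_suffix.strip(".").lower()
        self.forwarders = {h.strip(".").lower() for h in accessible_services}
        self.srv = parse_srv(srv_zone)
        self.real_dns = real_dns

    def resolve_a(self, name):
        name = name.rstrip(".").lower()
        if name in self.forwarders:
            return self.real_dns.get(name)   # forwarded to the real DNS
        if name.endswith("." + self.suffix):
            return self.sentriant_ip          # redirected to Sentriant AG
        return None                           # NXDOMAIN for every other name

    def resolve_srv(self, name):
        """Targets ordered by priority, then weight (ascending for this model)."""
        entries = sorted(self.srv.get(name.rstrip(".").lower(), []))
        return [target for _, _, _, target in entries]

    def browse(self, home_page_host):
        """Redirect walk: the first lookup gets NXDOMAIN, the search-suffix
        retry resolves to Sentriant AG."""
        steps = [(home_page_host, self.resolve_a(home_page_host))]
        if steps[0][1] is None:
            retry = home_page_host + "." + self.suffix
            steps.append((retry, self.resolve_a(retry)))
        return steps

    def domain_login(self, site_owner):
        """Login walk: SRV lookups for _kerberos and _ldap, then A lookups of
        each DC returned, which succeed only for accessible-services hosts."""
        dcs = set()
        for svc in ("_kerberos._tcp", "_ldap._tcp"):
            dcs.update(self.resolve_srv(f"{svc}.{site_owner}"))
        return {dc: self.resolve_a(dc) for dc in sorted(dcs)}


if __name__ == "__main__":
    r = QuarantineResolver("192.168.1.5", "quarantine.bad",
                           ["dc01.mycompany.com", "dc02.mycompany.com"],
                           SRV_RECORDS, REAL_DNS)
    print(r.browse("intranet.mycompany.com"))
    print(r.domain_login("Default-First-Site-Name._sites.dc._msdcs.mycompany.com"))
```

The model makes the dependency in step 2 visible: if a DC is returned by the SRV records but is missing from the accessible services list, its A lookup returns NXDOMAIN from quarantine and authentication cannot complete.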
Matching Windows Domain Policies to NAC Policies
Using a Windows domain might affect the end-user's ability to change their system configuration to
pass the tests. For example, in a corporate environment, each machine gets its domain information
from the domain controller, and the user is not allowed to change any of the related settings, such as
receiving automatic updates and other IE security settings.
The Sentriant AG administrator needs to make sure the global policy on their network matches the
NAC policy defined, or skip the test.
For example, if the global network policy is to not allow Windows automatic updates, any user
attempting to connect through the High security NAC policy fails the test, and is not able to change
their endpoint settings to pass the test.
For example, to change the NAC policy to not run the Windows automatic update test:
Home window>>NAC policies
1 Select the NAC policy that tests the domain's endpoints.
2 Select the Tests menu option.
3 Clear the Windows automatic updates check box.
4 Click ok.
Setting the Access Mode
The access mode selection is a quick way to select enforcement (normal mode) for all traffic into an
Enforcement cluster, or open it up for trial-use purposes (allow all).
To change the access mode:
Home window>>System monitor>>Select an Enforcement cluster
1 Select one of the following from the Access mode area:
■ normal—Access is regulated by the NAC policies
■ allow all—All requests for access are granted, but endpoints are still tested
2 Click ok.
Naming Your Enforcement Cluster
To name your Enforcement cluster:
Home window>>System configuration>>Enforcement clusters & servers>>Select an Enforcement
cluster
1 In the Cluster name text field, enter a name. Choose a name that describes the cluster, such as a
geographic location (like a street or city name), a building, or your company name.
2 Click ok.
Changing the MS Host Name
To change the MS host name:
See “Modifying MS Network Settings” on page 66.
Changing the ES Host Name
To change the ES host name:
See “Changing the ES Network Settings” on page 60.
Changing the MS or ES IP Address
To change the MS or ES IP address:
The preferred method is to use the user interface:
● "Modifying MS Network Settings" on page 66
● "Changing the ES Network Settings" on page 60
However, if you cannot access the user interface, use the following instructions:
1 Log in to the MS or ES as root using SSH or directly with a keyboard.
2 Enter the following command at the command line:
network-settings.py <ip address> <netmask> <gateway>
Where:
<ip address> is the new IP address for the MS or ES. For example, 192.168.40.10
<netmask> is the netmask. For example, 255.255.255.0
<gateway> is the gateway. For example, 10.1.1.1
Resetting your System
There are times when you may wish to revert to the as-shipped state for your system: reverting the
configuration and database to that of a freshly installed system.
NOTE
You must reset the system before you can change the personality of the server; that is, before you can change an
MS to an ES or an ES to an MS.
To reset your system to the as-shipped state:
Command line window
1 Log in as root to the Sentriant AG MS or ES, either using SSH or directly with a keyboard.
2 Enter the following command at the command line:
resetSystem.py [both | ms | es]
Where:
No arguments—The system is reset to the same type (either a single-server installation with the MS
and ES on the same server, an MS, or an ES), the database is cleared, and the property files are
restored to their defaults
both—The system is reset to be a single-server installation (MS and ES on one server), the database
is cleared, and the property files are restored to their defaults
ms—The system is reset to be an MS, the database is cleared, and the property files are restored to
their defaults
es—The system is reset to be an ES, the database is cleared, and the property files are restored to
their defaults.
NOTE
The resetSystem.py file is in the following directory:
cd /usr/local/nac/bin
Resetting your Test Data
There are times when you may wish to revert to the as-shipped state for test data: clearing the database
of all endpoints and test results, and resetting SAPQ and DHCP leases.
To reset your test data to the as-shipped state:
Command line window
1 For single-server installations:
a Log in as root to the Sentriant AG MS, either using SSH or directly with a keyboard.
b Run the script by entering the following at the command line:
resetTestData.py
2 For multiple-server installations:
a Stop the nac-es service on all ESs:
1) Log in as root to each Sentriant AG ES, either using SSH or directly with a keyboard.
2) Enter the following at the command line:
service nac-es stop
b Stop the nac-ms service on the MS:
1) Log in as root to the Sentriant AG MS, either using SSH or directly with a keyboard.
2) Enter the following at the command line:
service nac-ms stop
c
Run the script on each ES:
1) Log in as root to each Sentriant AG ES, either using SSH or directly with a keyboard.
2) Enter the following at the command line:
resetTestData.py
d Run the script on the MS:
1) Log in as root to the Sentriant AG MS, either using SSH or directly with a keyboard.
2) Enter the following at the command line:
resetTestData.py
NOTE
The resetTestData.py file is in the following directory:
cd /usr/local/nac/bin
Changing Properties
To change the property values in the properties files:
Command line window
1 Log in as root to the Sentriant AG MS using SSH.
2 Enter the following at the command line:
setProperty.py <DESTINATION> <TYPE> <VALUES>
Where:
■ <DESTINATION> is one or more of:
-c <cluster name>   Set properties on all Enforcement Servers in cluster
-e <ES hostname>    Set properties on Enforcement Server
-a                  Set properties on all Enforcement Servers
-m                  Set properties on Management Server
■ <TYPE> is one of:
blank, nothing specified
-l                  Properties are log4j properties
■ <VALUES> is one of:
-f <filename>       Filename of lines containing key=value
                    Standard input containing key=value
<key>=<value>       One or more key=value settings
Note: a <value> of '-' will delete the property
For example, to change the upgrade timeout to 30 minutes, enter the following command:
setProperty.py -m Compliance.UpgradeManager.UpgradeTimeout=30
Specifying an Email Server for Sending Notifications
Sentriant AG Enforcement clusters send alerts and notifications when certain events occur. You must
specify an SMTP email server for sending these notifications. The server must allow SMTP messages
from the Sentriant AG ES.
To specify an email server for sending notifications:
See “Notifications” on page 138.
Entering Networks Using CIDR Format
Networks and network endpoints can be specified in Sentriant AG using Classless Inter Domain
Routing (CIDR) format. CIDR is a commonly used method for specifying Internet objects. Table 14
presents common CIDR naming conventions.
Table 14: CIDR Naming Conventions
Block   Netmask           Networks                      Hosts
/32     255.255.255.255   1/256 of a Class C Network    1
/31     255.255.255.254   1/128                         2
/30     255.255.255.252   1/64                          4
/29     255.255.255.248   1/32                          8
/28     255.255.255.240   1/16                          16
/27     255.255.255.224   1/8                           32
/26     255.255.255.192   1/4                           64
/25     255.255.255.128   1/2                           128
/24     255.255.255.0     1 Class C network             256
/23     255.255.254.0     2 Class C networks            512
/22     255.255.252.0     4 Class C networks            1,024
/21     255.255.248.0     8 Class C networks            2,048
/20     255.255.240.0     16 Class C networks           4,096
/19     255.255.224.0     32 Class C networks           8,192
/18     255.255.192.0     64 Class C networks           16,384
/17     255.255.128.0     128 Class C networks          32,768
/16     255.255.0.0       1 Class B network             65,536
/15     255.254.0.0       2 Class B networks            131,072
/14     255.252.0.0       3 Class B networks            262,144
/13     255.248.0.0       8 Class B networks            512,000
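An added example, not part of the Sentriant AG guide, that derives the Table 14 columns from a prefix length so any row can be checked, and tests whether an address falls inside a CIDR block entered in the product. Computed this way, /14 covers 4 Class B networks and /13 covers 524,288 addresses, which differs from the printed /14 and /13 rows; the block and address values below are constructed.

```python
"""Added example (not from the Sentriant AG guide): compute the CIDR table
columns and check membership of an address in a block, IPv4 only."""
import ipaddress


def cidr_row(prefix):
    """Return (netmask, networks description, address count) for /prefix.

    The Hosts column in Table 14 counts addresses in the block, including the
    network and broadcast addresses, so num_addresses is the matching figure.
    """
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix}")
    if prefix >= 24:
        frac = 2 ** (prefix - 24)           # fraction of one Class C (/24)
        networks = "1 Class C network" if frac == 1 else f"1/{frac} of a Class C network"
    elif prefix > 16:
        n = 2 ** (24 - prefix)              # whole Class C networks
        networks = f"{n} Class C networks"
    else:
        n = 2 ** (16 - prefix)              # whole Class B (/16) networks
        networks = "1 Class B network" if n == 1 else f"{n} Class B networks"
    return str(net.netmask), networks, net.num_addresses


def contains(block, address):
    """True when address lies inside block.

    strict=True rejects a block whose host bits are set (for example
    192.168.40.10/24), so a mistyped entry raises instead of silently
    matching a wider range than the operator intended.
    """
    return ipaddress.ip_address(address) in ipaddress.ip_network(block, strict=True)


def table(prefixes=range(32, 12, -1)):
    """Rows in the same order as Table 14, from /32 down to /13."""
    return [(f"/{p}",) + cidr_row(p) for p in prefixes]


if __name__ == "__main__":
    for row in table():
        print("{:<6} {:<17} {:<30} {:>9,}".format(*row))
```

Keeping strict=True is the security-relevant choice: a lenient parser would quietly turn 192.168.40.10/24 into 192.168.40.0/24, and the entry would match more endpoints than the operator wrote down.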
Database
Creating a Backup File
To create a backup file of system configuration and data:
See “Initiating a New Backup” on page 130.
Restoring from Backup
NOTE
You must have backed up your system at least one time before you can restore from a backup. See “Initiating a
New Backup” on page 130.
You can restore backed-up data to the same physical server or to a new physical server.
Restoring to a New Server
To restore system configuration and data from a backup file to a new server:
1 Contact Technical Assistance Center (TAC) at support@extremenetworks.com or (800) 998-2408 and
request that the secret key for that license be cleared.
2 Install Sentriant AG on the new server:
  a The Sentriant AG version must be the same as the previously installed Sentriant AG version.
  b The Sentriant AG server IP address must be the same as the previously installed Sentriant AG
    server IP address.
  c Create an admin user when prompted during the installation process. See the Sentriant AG
    Installation Guide for installation instructions.
  d Enter the original license key when prompted during the installation process. If you have not
    already arranged to have the secret key cleared (step 1), you will not be able to validate the
    license key at this step.
  e After the installation is complete, log in to the Sentriant AG user interface and check for rule
    updates (System configuration>>Test updates>>Check for test updates).
3 Restore the data by following the instructions in “Restoring to the Same Server”.
Restoring to the Same Server
To restore system configuration and data from a backup file to the same server:
Home window>>System configuration>>Maintenance
1 Click restore system from backup file. The Restore system window appears:
Figure 204: Restore System
2 Enter the backup file name or click Browse and navigate to the backup file.
3 Click ok. A status window appears.
4 The system data is restored and the login window appears:
Figure 205: Login
Restoring the Original Database
CAUTION
Running this script resets your entire system, not just the database. See “Resetting your System” on page 355 for
more information.
To reset a Sentriant AG database to its pristine state:
Command window
1 Log in as root to the Sentriant AG MS using SSH.
2 Enter the following command:
resetSystem.py
This script shuts down all of the services, cleans the database, iptables, and DHCP server, and
restarts everything.
Generating a Support Package
To generate a support package:
See “Downloading Support Packages” on page 131.
System Requirements
The following hardware and software is required to install and operate Sentriant AG.
Table 15: Sentriant AG System Requirements

Item                                                              Required
Server—A dedicated server or servers for product installation
with the following minimum system requirements:
  Processor      Intel Dual Core (Core 2 Duo/Xeon 5100 series)
                 processor at 1.86GHz (or greater)
  RAM            2GB RAM (or greater)
  Disk space     80GB SATA disk (or greater)
  Multiple-server installation:
    MS installation—One server-class 10/100/1000 (Intel)
    network interface card (NIC)
    and—
    ES installation—
      DHCP—Two server-class network interface cards (NICs)
      Inline—Two server-class network interface cards (NICs)
      802.1X-enabled installation—One server-class network
      interface card (NIC)
  Single-server installation—Two server-class network
  interface cards (NICs)
  Open PCI slot  Optional
An Internet connection or a Web proxy server that allows          yes
outbound HTTPS communications from the MS.
Workstation—A workstation running one of the following            yes
browsers with 128-bit encryption:
  • Windows – Mozilla version 1.7, Mozilla Firefox version 1.5,
    Internet Explorer 6.0 and 7.0
  • Linux – Mozilla version 1.7
License—A subscription license key                                yes
Product updates—The latest Sentriant AG product updates           yes
NOTE
If you have an off-the-shelf server, your system will need to conform to the requirements listed in Table 15.
NOTE
It is strongly recommended that you use the server-class Intel NIC cards. If you use a different NIC card, you might
be unable to connect, or experience unpredictable results and availability.
NOTE
Your license key is emailed to you. If you did not receive one, contact Extreme Networks, Inc. Technical Assistance
Center (TAC) (support@extremenetworks.com or (800) 998-2408).
Supported VPNs
Sentriant AG works with any VPN endpoint, since Sentriant AG does not directly interface or interoperate with VPN endpoints. The following commonly deployed VPN solutions have been tested:
● Cisco VPN Concentrators
● OpenSSL VPNs
● Protocols supported:
  ■ IPSec
  ■ L2TP
  ■ PPTP
  ■ SSL
Adding Custom Tests
Introduction
Sentriant AG is an efficient, flexible and extensible testing platform. All tests are implemented in the
object-oriented programming language Python. Python is a well-respected, clean, and efficient
scripting language. Because the language is object-oriented and the Sentriant AG test platform is
extensible, new tests can be developed easily.
Existing tests can also be extended using inheritance—a programming language’s ability to derive one
class/script from another class and override and extend methods of that class.
You need some programming experience to extend and add tests. If you have previously used Perl to
complete these tasks, you might find that Python is a better choice as a programming language for the
tasks described in the following sections.
CAUTION
You should familiarize yourself with Python and with the rest of the Sentriant AG product before attempting to create
custom test scripts.
References
This version of Sentriant AG uses Python v2.4.1.
● Python home: http://www.python.org/
● Python 2.4.1 tutorial: http://www.python.org/doc/2.4.1/tut/tut.html
● Python language reference: http://www.python.org/doc/2.4.1/
Sample test scripts are at https://esupport.extremenetworks.com in the /sampleScripts folder.
Changing the Error Messages in a Test Script
Using Python, try changing the error messages in an existing test script. This task can help you to
familiarize yourself with the Sentriant AG scripting API. Each Sentriant AG test script defines a test
class. To change an error message, create a new script that derives a new test class from an existing test
class and modify the return hash of the runTest method.
For example, to change an error message:
1 Log in as root to the Sentriant AG server using SSH.
2 Open the /sampleScripts/myCheckSoftwareNotAllowed.py file at https://esupport.extremenetworks.com
in a text editor.
3 Examine the code. The comments explain each section of code. The following example shows the
contents of the file.
Figure 206: Test Script Code
#!/usr/bin/python
from checkSoftwareNotAllowed import CheckSoftwareNotAllowed

#
# This allows a script to be tested from the command line.
#
if __name__ == '__main__':
    import myCheckSoftwareNotAllowed
    t = myCheckSoftwareNotAllowed.MyCheckSoftwareNotAllowed()
    t.processCommandLine()

#
# The class definition. MyCheckSoftwareNotAllowed is derived
# from the existing test CheckSoftwareNotAllowed and inherits
# all of the existing test's functionality.
#
class MyCheckSoftwareNotAllowed(CheckSoftwareNotAllowed):
    #
    # Override the testId to be unique from all other test ids
    #
    testId = "MyCheckSoftwareNotAllowed"

    #
    # Rename your derived test
    #
    testName = "My check software not allowed"

    #
    # All test classes must define the runTest method with the self and
    # debug parameters
    #
    def runTest(self, debug=0):
        #
        # Get the result hash from the CheckSoftwareNotAllowed test
        # and modify the result message based on the result code.
        #
        result = CheckSoftwareNotAllowed.runTest(self, debug)
        if result["result_code"] == "fail":
            result["result_message"] = "The MyCheckSoftwareNotAllowed test failed."
        elif result["result_code"] == "pass":
            result["result_message"] = "The MyCheckSoftwareNotAllowed test passed."
        return result
4 You can change the result["result_message"] to whatever text you want. This message is what
the end-user sees in the access windows. This text also appears in the management user interface
when you run reports.
5 Every test must return a hash with the following keys:
status_code – 0 test did not run, error occurred, 1 test ran
result_code – pass, fail
result_message – the text to display to the user
NOTE
Do not change the status_code or the result_code for this example.
6 Once you have completed your edits and saved the myCheckSoftwareNotAllowed.py file, copy it to
the following directory on the Sentriant AG MS:
/usr/local/nac/scripts/Custom/Tests
7 If you have created new base classes, copy them to the following directory on the Sentriant AG MS:
/usr/local/nac/scripts/Custom/BaseClasses
CAUTION
When updating or modifying files, use the Custom directory tree (Custom/BaseClasses, Custom/Tests). The Custom
directory tree is a mirror (with symbolic links) to the live test tree (scripts/BaseClasses and scripts/Tests). The live
tree is not modified directly, but is modified with the installCustomTests script and the RPM mechanism.
8 Once your custom test script is complete, and you are ready to push it out to all of the ESs, verify
that the scripts and base classes are under the Custom directory tree as specified above, and enter
the following on the command line of the Sentriant AG MS:
installCustomTests
This command compiles the Python source files, builds an RPM, updates the policy groups, and
sends these changes to all ESs. An example of the output from the installCustomTests command
is shown as follows:
NOTE
This command affects all ESs, even those that are not currently up and running. Once a stopped ES comes back up,
the ES is updated.
Figure 207: Example InstallCustomTests Output
# installCustomTests
Creating custom test script RPM version 5.0-51
Found 5 python files
+ Compiling python scripts
+ Generating test script XML files
If you continue, this will generate an RPM file containing your custom scripts
and will send the new custom script RPM to the Management Server and all
Enforcement Servers.
--> Press Enter to proceed or Ctrl-C to abort <-
+ Generating RPM spec file
+ Creating RPM file 'NAC-custom-testscripts-5.0-51.i386.rpm'
+ Creating update package file (/tmp/customUpdatePkg.29285.tar.gz)
+ Creating XML file to send custom scripts to the MS (/tmp/installCustomTest.29285.xml)
+ Sending XML message to MS to install and distribute custom scripts
00:22:34 INFO channel status changed: Channel: TcpTransportChannel:
Socket[addr=localhost/127.0.0.1,port=61616,localport=44041] has connected
00:22:34 DEBUG TCP consumer thread starting
00:22:34 DEBUG Created temporary queue: TemporaryQueue-{TD{ID:perf-ms1-406121162365754580-1:0}TD}ID:perf-ms1-40612-1162365754580-6:0
00:22:34 DEBUG Sending request:
<UpdateRequest>
  <requestParameters>
    <entry>
      <string>UPDATE_DATA</string>
      <string>/tmp/customUpdatePkg.29285.tar.gz</string>
    </entry>
  </requestParameters>
</UpdateRequest>
00:22:34 DEBUG Sending message: ACTIVEMQ_TEXT_MESSAGE: id = 0 ActiveMQMessage{
, jmsMessageID = ID:perf-ms1-40612-1162365754580-7:0, bodyAsBytes =
org.activemq.io.util.ByteArray@1112783, readOnlyMessage = false,
jmsClientID = 'ID:perf-ms1-40612-1162365754580-1:0' , jmsCorrelationID =
'null' , jmsDestination = nac.requests, jmsReplyTo = TemporaryQueue{TD{ID:perf-ms1-40612-1162365754580-1:0}TD}ID:perf-ms1-406121162365754580-6:0, jmsDeliveryMode = 2, jmsRedelivered = false, jmsType =
'null' , jmsExpiration = 1162365784872, jmsPriority = 4, jmsTimestamp =
1162365754872, properties = null, readOnlyProperties = false,
entryBrokerName = 'null' , entryClusterName = 'null' , consumerNos = null,
transactionId = 'null' , xaTransacted = false, consumerIdentifer = 'null'
, messageConsumed = false, transientConsumed = false, sequenceNumber = 0,
deliveryCount = 1, dispatchedFromDLQ = false, messageAcknowledge = null,
jmsMessageIdentity = null, producerKey = ID:perf-ms1-40612-11623657545807: }, text = <UpdateRequest>
  <requestParameters>
    <entry>
      <string>UPDATE_DATA</string>
      <string>/tmp/customUpdatePkg.29285.tar.gz</string>
    </entry>
  </requestParameters>
</UpdateRequest>
00:22:34 DEBUG Waiting for a response on :TemporaryQueue-{TD{ID:perf-ms140612-1162365754580-1:0}TD}ID:perf-ms1-40612-1162365754580-6:0
00:22:36 DEBUG Message received: ACTIVEMQ_TEXT_MESSAGE: id = 0
ActiveMQMessage{ , jmsMessageID = ID:perf-ms1-51331-1162363440379-15:3,
bodyAsBytes = org.activemq.io.util.ByteArray@1362012, readOnlyMessage =
true, jmsClientID = '93baaf5a-b0ed-4fc2-a3ae-ec6460caedc0' ,
jmsCorrelationID = 'null' , jmsDestination = TemporaryQueue-{TD{ID:perfms1-40612-1162365754580-1:0}TD}ID:perf-ms1-40612-1162365754580-6:0,
jmsReplyTo = null, jmsDeliveryMode = 2, jmsRedelivered = false, jmsType =
'null' , jmsExpiration = 1162365766750, jmsPriority = 4, jmsTimestamp =
1162365756750, properties = null, readOnlyProperties = true,
entryBrokerName = '172.30.1.50' , entryClusterName = 'default' ,
consumerNos = [0], transactionId = 'null' , xaTransacted = false,
consumerIdentifer = 'ID:perf-ms1-40612-1162365754580-1:0.1.1' ,
messageConsumed = false, transientConsumed = false, sequenceNumber = 3,
deliveryCount = 1, dispatchedFromDLQ = false, messageAcknowledge =
org.activemq.ActiveMQSession@73a34b, jmsMessageIdentity = null,
producerKey = ID:perf-ms1-51331-1162363440379-15: }, text =
<NACResponse><resultStatus>true</resultStatus><response class="string">9X</response><ip>172.30.1.50</ip><id>MNM</id><originalTimeStamp>1162365756707</originalTimeStamp></NACResponse>
00:22:36 DEBUG Received: <NACResponse><resultStatus>true</resultStatus><response class="string">9X</response><ip>172.30.1.50</ip><id>MNM</id><originalTimeStamp>1162365756707</originalTimeStamp></NACResponse>
Done
NOTE
The output between the “+ Sending XML message to MS to install and distribute custom scripts” message and the
“Done” message in Figure 207 is output from the command that installed the custom scripts and shows the status
of sending the XML JMS request to the MS.
Creating a Custom Test Class Script from Scratch
Creating a custom test script is similar to the previous error message example; however, you must
define a few more things and then add your own test functionality. Examine the test script template
shown in Figure 208. The comments explain each section of code. Once you are comfortable with the
template, the following section contains an example that shows how to create a checkOpenPorts.py test
script, which tests an endpoint for specified open ports.
NOTE
This template file is found at https://esupport.extremenetworks.com in /sampleScripts/testTemplate.py, so you can
edit it instead of retyping it.
Figure 208: testTemplate.py
#!/usr/bin/python
from BaseClasses.SABase import SABase as SABase

#
# This allows a script to be tested from the command line.
#
if __name__ == '__main__':
    import testTemplate
    t = testTemplate.TestTemplate()
    t.processCommandLine()

#
# The class definition. All classes must be derived from the SABase class.
#
class TestTemplate(SABase):
    #
    # Make up a test id. Just make sure it doesn't match any existing test
    # ids.
    #
    testId = "TestId"

    #
    # Make up a test name. Just make sure it doesn't match any existing test
    # names.
    #
    testName = "Test Name"

    #
    # Assign the test to an existing group or create a new group.
    # Groups are configured and created in the policies.xml file <group>
    # section (See the Adding new groups section).
    #
    testGroupId = "TestGroup"

    #
    # This is the HTML that will be displayed in the test properties page
    # in the policy editor.
    #
    testConfig = \
    """
    <HTML>Test Config HTML</HTML>
    """

    #
    # These are any default values you want to assign to the input
    # parameters in the testConfig HTML.
    #
    defaultConfigValues = {}

    #
    # A short summary for the test. This will show up in the description
    # field when editing NAC policies in the management UI.
    #
    testSummary = \
    """
    My short description
    """

    #
    # This field is unused at the moment.
    #
    testDescription = ''

    #
    # These are the arguments to run the test. This is displayed in the
    # command line help.
    #
    testArguments = \
    """
    My test arguments
    """

    #
    # All tests must define the runTest method with the self and the debug
    # parameters.
    #
    def runTest(self, debug=0):
        #
        # All tests must call the initialize routine
        #
        self.initTest()

        #
        # Create a hash to store the return results.
        # All tests must fill in and return a hash with the following keys:
        #
        #   status_code    - 0 if an unexpected error occurred, 1 if
        #                    successful
        #   result_code    - pass, fail or some error
        #   result_message - the message to display to the end-user
        #
        returnHash = {}
        returnHash["status_code"] = 1
        returnHash["result_code"] = "pass"
        returnHash["result_message"] = "Some nice text that a user can read here."

        try:
            #
            # Replace 'pass' with your test here. Modify the returnHash
            # accordingly.
            #
            pass
        except:
            #
            # Set the return status when an exception occurs
            #
            import sys
            returnHash['status_code'] = 0
            returnHash['result_code'] = "unknown_error"
            returnHash['result_message'] = sys.exc_type, sys.exc_value
            return(returnHash)

        #
        # Always use the doReturn function; this allows the superclass to add
        # or modify any items in the returnHash as necessary.
        #
        return(self.doReturn(returnHash))
1 Use the template, as shown in Figure 208, to create a new test script. As an example, the new test
script is called checkOpenPorts.py, and it fails if any of the specified ports are open on the target
host being tested. Before examining the code, consider the following information about the test
scripts:
■ All test scripts contain a self.inputParams hash table that has all input parameters configured
  through the policy properties HTML. For example, if the testConfig variable for the test is set to:
  <input id="myparam" name="myparam" value="">
  then self.inputParams contains a myparam key that is set to the value of the HTML input
  element set in the policy editor.
■ All test scripts contain a self.session member variable that is set by Sentriant AG when the test
  class is instantiated. It contains a reference to a Session object, which is a built-in Python class
  defined by Sentriant AG and is used internally by the BasicTests class described later in this
  section. To retrieve the host name or IP address when developing scripts, use the host() method:
  self.session.host()
■ All tests contain a reference to the BasicTests class called self.bt. The self.bt member gives you
  access to commonly used functions for testing endpoints including registry operations and
  service operations. See “BasicTests API” on page 376 for more information on the BasicTests
  API. This example does not use this API.
2 Figure 209 shows the code for the new checkOpenPorts.py test. The file is included at
https://esupport.extremenetworks.com as /sampleScripts/checkOpenPorts.py. Review the code.
The comments explain each section of the code.
Figure 209: checkOpenPorts.py script
#!/usr/bin/python
from BaseClasses.SABase import SABase as SABase

#
# This allows a script to be tested from the command line.
#
if __name__ == '__main__':
    import checkOpenPorts
    t = checkOpenPorts.CheckOpenPorts()
    t.processCommandLine()

#
# The class definition. All classes must be derived from the SABase class.
#
class CheckOpenPorts(SABase):
    #
    # Make up a test id. Just make sure it doesn't match any existing test
    # ids.
    #
    testId = "CheckOpenPorts"

    #
    # Make up a test name. Just make sure it doesn't match any existing test
    # names.
    #
    testName = "Open ports"

    #
    # Assign the test to an existing group or create a new group.
    # Groups are configured and created in the policies.xml file <group>
    # section (See the Adding new groups section).
    #
    testGroupId = "MyCustomTests"

    #
    # This is the HTML that will be displayed in the test properties page
    # in the policy editor. All this HTML isn't REALLY necessary, but we
    # use it to keep the Sentriant AG Web UI pretty.
    #
    testConfig = \
    """
    <div id="test_parameters">
      <table height="100%" width="100%" border="0" cellspacing="0"
             cellpadding="0">
        <tbody>
          <tr>
            <td colspan="2" style="padding: 5px 3px 5px 3px;">
              Enter a list of ports that are not allowed to be open on the
              endpoint. Add ports separated by a comma. For example, 23,80.
            </td>
          </tr>
          <tr>
            <td style="padding: 3px 0px 3px 3px;">
              <textarea name="ports_not_allowed" rows="5" cols="30"
                        wrap="on" style="border: 1px solid #A894D1;
                        font-family: Arial, Helvetica, sans-serif; font-size:
                        8pt; padding: 1px 2px 1px 2px;"></textarea>
            </td>
          </tr>
        </tbody>
      </table>
    </div>
    """

    #
    # These are any default values you want to assign to the input parameters
    # in the testConfig HTML. The first time this test is configured for a
    # policy or if the test is never configured for a policy, this will be
    # the default. Notice the key in this hash corresponds to the input
    # element above in the testConfig.
    #
    defaultConfigValues = { "ports_not_allowed" : "23,80" }

    #
    # Make up a detailed description for the test.
    #
    testDescription = \
    """
    This test takes a list of ports that should NOT be found open on
    the remote host. If any port is found open, this test will
    fail. This script will only succeed if none of the undesired ports
    are found open.
    """

    #
    # Make up a summary for the test. This will show up in the description
    # field in the policy editor.
    #
    testSummary = "This test takes a list of ports that should NOT be found " \
                  "open on the remote host. If any port is found open, this test will fail. " \
                  "This script will only succeed if none of the undesired ports are found " \
                  "open."

    #
    # These are the arguments to run the test. This is displayed in the
    # command line help.
    #
    testArguments = \
    """
    --host=<hostname, IP, or NETBIOS>
    --input ports_not_allowed=<comma delimited list of ports>
    Example: <this script> --host=somehost --input "ports_not_allowed=23,80"
    """

    #
    # All tests must define the runTest method with the self and the debug
    # parameters.
    #
    def runTest(self, debug=0):
        #
        # All tests must call the initialize routine
        #
        self.initTest()

        if debug:
            print "Starting checkOpenPorts(host="+self.session.host()+", session="+self.session.id()+")"

        #
        # Create a hash to store the return results.
        # All tests must fill in and return a hash with the following keys:
        #
        #   status_code    - 0 if an unexpected error occurred, 1 if
        #                    successful
        #   result_code    - pass, fail or some error
        #   result_message - the message to display to the end-user
        #
        returnHash = {}
        returnHash["status_code"] = 1
        returnHash["result_code"] = "pass"
        returnHash["result_message"] = "The ports were not open."

        try:
            ports = []
            if self.inputParams.has_key("ports_not_allowed"):
                ports = self.inputParams["ports_not_allowed"].split(",")
            else:
                # No ports not allowed, pass
                return(self.doReturn(returnHash))

            if debug:
                print "Checking ports " + str(ports) + " on host " + self.session.host()

            #
            # Do your test here. Modify the returnHash accordingly.
            #
            portsOpen = ""

            #
            # Use a Python socket to connect directly to the target host
            #
            import socket
            for p in ports:
                hp = self.session.host()+":"+str(p)
                s = None
                try:
                    if debug:
                        print "Connecting to " + hp
                    #
                    # Try to open the port. Throws an exception if connection
                    # is refused or times out (set timeout to 5 seconds).
                    #
                    # Note that Sentriant AG uses a restricted Python socket
                    # library that doesn't allow connections to arbitrary
                    # hosts. Normally, the first element of the tuple passed
                    # to socket.connect() is the IP or hostname; in SA, you
                    # must pass the Session object from which the socket
                    # object will get the target host IP/name.
                    #
                    s = socket.socket()
                    s.settimeout(5)
                    s.connect((self.session, int(p)))
                    # Uh oh, no exception. The port was open
                    s.close()
                    if debug:
                        print "Connected to "+hp+". Port open!"
                    #
                    # Add the port to our list of open ports for use later
                    #
                    portsOpen += str(p) + ","
                except:
                    if s is not None:
                        try:
                            s.close()
                        except:
                            pass
                    import sys
                    print "checkOpenPorts(host="+self.session.host()+", session="+self.session.id()+"): ", sys.exc_type, sys.exc_value
                    if debug:
                        print "Could not connect to "+hp+". Port not open."
                    # Good, it wasn't open

            #
            # There are ports open, so set the returnHash values
            # to indicate that the endpoint failed the test.
            #
            if portsOpen != "":
                returnHash["status_code"] = 1
                returnHash["result_code"] = "fail"
                returnHash["result_message"] = "The following ports that are not allowed open were open: " + portsOpen.rstrip(", ")
        except:
            #
            # Set the return status when an exception occurs
            #
            import sys
            returnHash['status_code'] = 0
            returnHash['result_code'] = "unknown_error"
            returnHash['result_message'] = sys.exc_type, sys.exc_value
            return(returnHash)

        #
        # Always use the doReturn function. This will record test timings as
        # well as encode the result_message into a format compatible with
        # Sentriant AG
        #
        return(self.doReturn(returnHash))
3 Once you have completed your test script modifications, save the script as described in step 6 on
page 365.
4 Save any new classes as described in step 7 on page 366.
5 Push the new test out to all ESs as described in step 8 on page 366.
6 For the final test, connect to:
http://<Sentriant AG ip>:88
and test your Windows endpoint. If you have ports open that are not allowed, this test fails.
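An offline version of the checkOpenPorts logic, added here as an example and not the guide's script: the port list is validated up front (in the script above, int() fails on an empty or non-numeric entry inside the per-port try, so such an entry is silently reported as not open), the probe goes through an injectable connect callable, and the result hash follows the status_code/result_code/result_message contract from step 5. Python 3; real_connect and fake_connect are my assumptions, not product APIs.

```python
"""Offline, unit-testable version of the checkOpenPorts test logic.
Added example (Python 3), not the Sentriant AG script itself; the connect
callables below are stand-ins for the product's restricted socket library."""

import socket


def parse_port_list(text):
    """Turn the ports_not_allowed input (for example '23, 80,') into a sorted
    list of ints. Empty entries are ignored; anything that is not a port
    number 1-65535 raises ValueError so the test ends in unknown_error
    instead of quietly treating the entry as a closed port."""
    ports = set()
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if not entry.isdigit() or not 1 <= int(entry) <= 65535:
            raise ValueError("invalid port %r in ports_not_allowed" % entry)
        ports.add(int(entry))
    return sorted(ports)


def real_connect(host, port, timeout=5):
    """Probe one TCP port the way the script does; True if the connection
    was accepted, False on refusal or timeout. (Assumed helper.)"""
    s = socket.socket()
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return True
    except (socket.timeout, OSError):
        return False
    finally:
        s.close()


def check_open_ports(host, input_params, connect=real_connect):
    """Return the hash every Sentriant AG test must produce:
    status_code (1 ran / 0 error), result_code (pass/fail/unknown_error)
    and result_message (text shown to the end-user)."""
    result = {"status_code": 1, "result_code": "pass",
              "result_message": "The ports were not open."}
    try:
        # Missing parameter means nothing is disallowed, so the test passes.
        ports = parse_port_list(input_params.get("ports_not_allowed", ""))
        open_ports = [p for p in ports if connect(host, p)]
        if open_ports:
            result["result_code"] = "fail"
            result["result_message"] = (
                "The following ports that are not allowed open were open: "
                + ",".join(str(p) for p in open_ports))
    except Exception as exc:
        # Mirrors the script's outer except: the test did not run cleanly.
        result["status_code"] = 0
        result["result_code"] = "unknown_error"
        result["result_message"] = "%s: %s" % (type(exc).__name__, exc)
    return result


def fake_connect(open_ports):
    """Constructed test double: a connect() that reports only the given
    ports as open, so the logic can be exercised with no network at all."""
    def connect(host, port, timeout=5):
        return port in open_ports
    return connect
```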
BasicTests API
Every Sentriant AG test has a base functionality described as follows:
…
        try:
            self.bt.getregKeyExists("HKEY_LOCAL_MACHINE\\Software\\America Online\\AIM")
        except:
            import sys
            returnHash["status_code"] = 0
            returnHash["result_code"] = "unknown_error"
            returnHash["result_message"] = sys.exc_type, sys.exc_value
…
The following table describes the BasicTests API.
Table 16: BasicTests API
The BasicTests API accesses these functions with the SABase self.bt member. All methods throw
an exception that should be caught if an unexpected error occurs.

Return Value  Public Method
------------  ------------------------------------------------------------------
Boolean       checkHotfixSp(nt=0, win2k=0, xp=0, win2003=0, vista=0)
              Checks for the service pack installed. Returns the following:
              • true if the Service Pack installed is lower than the argument.
              • false if the Service Pack installed is greater than or equal to
                the argument.
integer       compareVersions(versionValue1, versionValue2)
              Returns the following:
              • -1, if value1 is less than value2.
              • 1, if value1 is greater than value2.
              • 0, if both are equal.
Dict          copyHash(self, fromHash, toHash, debug=0)
              Copies the contents of "fromHash" to "toHash".
              getBestMacEntry(os, bogusMacList=[], debug=0)
Boolean       getBizTalkServerExists()
              Checks for BizTalk Server on the machine. Returns the following:
              • True, if installed
              • None, if not installed
Boolean       getCapicomExists()
              Checks for Capicom on the machine. Returns the following:
              • True, if installed
              • None, if not installed
String        getCommonFilesDir()
              Returns the path of the "Common Files" directory.
Dict          getDotNetRegKeys()
              Returns the .NET updates installed on the endpoint.
List          getDotNetVersion()
              Returns the .NET version installed on the machine.
String        getExchangeVersion()
              Returns a string based on the Exchange server and the service pack
              installed.
Dict          getExpressionWebInstalled()
String        getFileContentsMac(param, startbyte, endbyte)
              Returns the contents of the given file name from startbyte to
              endbyte.
Boolean       getFileExistsMac(param)
              Returns True if the given file is present on the endpoint, and
              False if it is not.
Dict          getFileInfo(self, filename, debug=0)
              Returns a Dict containing:
              • File exists
              • File version
              • File modified date
              • File version
              • Company name
              • File size
              • File description
              • File create date
              getFileStatMac(param)
              Returns the file stat of the file name given to the function.
Boolean       getFrontpageExtentions2002()
              Checks whether FrontPage Extensions 2002 is installed on the
              machine. Returns the following:
              • True, if installed
              • false, if not installed
              getHostname()
              Returns the host name of the endpoint.
String        getIEVersion()
              Returns the IE version present on the endpoint.
String        getIISVersion()
              Returns the IIS version.
String        getMacVersion()
              Returns the current user-visible version.
List          getMcmsHotFixList()
              Returns the hotfixes of Microsoft Content Management Server
              (MCMS).
String        getMCMSVersion()
              Checks for either of the following Microsoft Content Management
              Server versions installed on the machine and returns the value:
              • 2001
              • 2002
List          getMDACRegKeys()
              Returns the Microsoft Data Access Component (MDAC) updates
              installed on the endpoint.
String        getMDACVersion()
              Returns the version of Microsoft Data Access Component (MDAC)
              installed on the endpoint.
String        getMsnVersion()
              Returns the MSN version.
Boolean       getMVMInstalled()
              Checks whether MVM is installed or not. Returns the following:
              • True, if MVM is installed
              • None, if MVM is not installed
Boolean       getOfficeInstalled()
              Checks whether Microsoft Office is installed or not. Returns the
              following:
              • True, if Microsoft Office is installed
              • None, if Microsoft Office is not installed
String        getOfficeVersion()
              Checks which of the following Microsoft Office versions is
              installed on the endpoint. Returns the following:
              • Office2000
              • OfficeXP
              • Office2003
              • Office2007
String        GetOsFull()
              If the OS is XP, checks for Home Edition. Otherwise the same as
              getOs.
String        getOutlookVersion()
              Returns the Microsoft Outlook version installed on the endpoint.
String        getPatchLevel()
              Returns the combination of the user-visible version and the build
              version.
String        getProcesses(param)
              Returns all processes running on the endpoint.
String        getProgramFilesDir()
              Returns the path of the "Program Files" directory.
String        getServicePack()
              Returns the Service Pack installed on the endpoint.
String        getSystemRoot()
              Returns the path of the installed operating system.
String        getUser()
              Returns the user name of the currently logged-in user. If no user
              has logged in, the function returns the string "No user logged in."
String        getVirtualpcInstalled()
              Returns which of the following Microsoft Virtual PC versions is
              installed on the machine:
              • 2004
              • 2004 SP1
String        getVirtualServerInstalled()
              Returns which of the following Microsoft Virtual Server versions is
              installed:
              • 2005
              • 2005R2
String        getVisualDotNetVersion()
              Returns which of the following Visual .NET versions is present on
              the target:
              • 2003
              • 2003 SP1
String        getVisualStudioVersion()
              Returns which of the following Visual Studio versions is present on
              the machine:
              • 2005
              • 2005 SP1
List          getwinServiceForUnixKeys()
              Returns the installed hotfixes of Windows Service for UNIX.
String        getWinServiceForUnixVersion()
              Returns the version of Windows Service for UNIX.
String        getWMPVersion()
              Returns the version of Windows Media Player installed on the
              endpoint.
Boolean       isWindowsDefenderInstalled()
              Checks for the presence of Windows Defender Anti-Virus on the
              machine. Returns the following:
              • True, if installed
              • False, if not installed
List          listExchangeRegKeys()
              Returns the updates installed for Microsoft Exchange.
List          listHotfixesRegKeys()
              Returns all the hotfixes installed on the endpoint.
List
listMediaPlayerRegKeys()
Returns updates installed for MediaPlayer.
List
listVisualStudioDotNetRegKeys()
Returns the update installed for Visual Studio Dot Net 2003.
List
listVisualStudioRegKeys()
Returns the update installed for Visual Studio 2005.
Boolean
runScript (self,scriptName,md5,debug=0)
NOTE
Service name: The serviceName parameter can be the registry name or the display name. For example, TlntSvr or
Telnet can be used to identify the Telnet service.
For performance reasons, use the same case when specifying the same service name in multiple calls. Even though
the Windows process table is not case-sensitive, the test result cache is case-sensitive.
NOTE
Registry key: Registry key parameters use HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, or HKEY_USER to specify the
subtree of the registry. For example, HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion.
For performance reasons, use the same case when specifying the same registry key in multiple calls. Even though
the Windows registry is not case-sensitive, the test result cache is case-sensitive.
NOTE
File name: Environment variable templates can be used in file names. For example, %AppData%\\Adobe.
For performance reasons, use the same case when specifying the same file name in multiple calls. Even though the
Windows file system is not case-sensitive, the test result cache is case-sensitive.
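The following policy check is an added example written against the method names in Table 16; it is not code from this guide or from Sentriant AG. Inside the product a test reaches these methods through self.bt; here the BasicTests object is passed in as a parameter, FakeBasicTests is a constructed stand-in so the check runs offline, and the policy values (REQUIRED_HOTFIXES, MIN_SERVICE_PACK), the function names and the failure-reason strings are all hypothetical. It shows the two points the table and the notes above make: every method can raise and the caller must catch it (an API error fails the endpoint here rather than silently passing it), and names are canonicalized to one spelling before they reach the case-sensitive result cache. It also treats a None return (what getMVMInstalled and getOfficeInstalled give when the product is absent) as "not installed".

```python
"""Added example: a policy check written against the Table 16 method names.
Inside Sentriant AG the check would call self.bt; here the BasicTests object is
passed in as ``bt`` and FakeBasicTests is a constructed stand-in so the check
runs offline. Everything except the Table 16 method names is hypothetical."""

# Constructed sample policy values, not Sentriant AG defaults.
REQUIRED_HOTFIXES = ("KB000001", "KB000002")
MIN_SERVICE_PACK = 2


def canonical(name):
    """The notes above warn that the result cache is case-sensitive even though
    Windows is not, so hand the API (and compare) exactly one spelling."""
    return name.strip().lower()


def call(bt, method, *args):
    """Every BasicTests method may raise; convert that into (ok, value_or_error)."""
    try:
        return True, getattr(bt, method)(*args)
    except Exception as exc:  # the guide says callers must catch this
        return False, "%s raised %s: %s" % (method, type(exc).__name__, exc)


def service_pack_number(text):
    """'Service Pack 2' -> 2; '' or None -> 0."""
    digits = "".join(ch for ch in str(text or "") if ch.isdigit())
    return int(digits) if digits else 0


def check_endpoint(bt):
    """Return (passed, reasons). An API error counts as a failure, never a pass."""
    reasons = []

    ok, sp = call(bt, "getServicePack")
    if not ok:
        reasons.append(sp)
    elif service_pack_number(sp) < MIN_SERVICE_PACK:
        reasons.append("service pack %r is below SP%d" % (sp, MIN_SERVICE_PACK))

    ok, hotfixes = call(bt, "listHotfixesRegKeys")
    if not ok:
        reasons.append(hotfixes)
    else:
        installed = {canonical(h) for h in hotfixes}
        reasons.extend("missing hotfix %s" % kb for kb in REQUIRED_HOTFIXES
                       if canonical(kb) not in installed)

    # Boolean methods such as getMVMInstalled return None, not False, when the
    # product is absent, so test truthiness rather than comparing with False.
    ok, defender = call(bt, "isWindowsDefenderInstalled")
    if not ok or not defender:
        reasons.append("Windows Defender is not installed")

    return (not reasons, reasons)


class FakeBasicTests(object):
    """Constructed stand-in exposing only the Table 16 methods used above."""

    def __init__(self, service_pack, hotfixes, defender, fail_method=None):
        self._sp, self._hf, self._def = service_pack, hotfixes, defender
        self._fail = fail_method  # name of a method that should raise

    def _maybe_fail(self, name):
        if name == self._fail:
            raise RuntimeError("registry read failed")

    def getServicePack(self):
        self._maybe_fail("getServicePack")
        return self._sp

    def listHotfixesRegKeys(self):
        self._maybe_fail("listHotfixesRegKeys")
        return list(self._hf)

    def isWindowsDefenderInstalled(self):
        self._maybe_fail("isWindowsDefenderInstalled")
        return self._def


if __name__ == "__main__":
    good = FakeBasicTests("Service Pack 2", ["kb000001", "KB000002"], True)
    print(check_endpoint(good))
    broken = FakeBasicTests("Service Pack 1", ["KB000001"], None,
                            fail_method="listHotfixesRegKeys")
    print(check_endpoint(broken))
```

The check passes only when every call succeeds and every condition holds; a raised exception produces a reason string naming the method, which is what an administrator needs in the test result to tell a broken endpoint from a non-compliant one.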
End-user Access Windows
The end-user access windows are completely customizable. You can enter general text through the
Sentriant AG interface and edit the file that contains the messages that are returned to the end-user.
NOTE
If you need more end-user access window customization than is described in this Users' Guide, please contact
Extreme Networks, Inc. Technical Assistance Center (TAC) at support@extremenetworks.com.
To edit the end-user access window logo and general text:
See "End-user Screens" on page 140.
To edit the end-user test results message text:
Command line window
See "Customizing Error Messages" on page 206.
CAUTION
Make changes to the description only. For example, in the following text:
"checkServicePacks.String.3" : "There are no service packs installed. Run Windows Update to install the most recent
service packs."
Do not make changes to the key at the beginning of the line: "checkServicePacks.String.3" :
To view the end-user access windows:
IE browser window
Point the IE browser to port 88 of your Sentriant AG ES. For example, if the IP address of your
Sentriant AG ES is 10.0.16.18, point an IE browser window to:
http://10.0.16.18:88
NOTE
If you would like to use a port other than 88, contact Extreme Networks, Inc. Technical Assistance Center (TAC) at
support@extremenetworks.com for assistance in making the necessary changes.
How Sentriant AG Handles Static IP Addresses
The following list details how Sentriant AG handles static IP addresses:
● Inline Mode—Sentriant AG can detect, test, and quarantine endpoints with static IP addresses. The end-user
  cannot circumvent a quarantine.
● DHCP mode
  ■ Sentriant AG can detect and test static IP addresses but cannot quarantine them. An end-user who assigns a
    static address to an endpoint therefore bypasses DHCP-mode quarantine.
  ■ Sentriant AG can detect static IP endpoints in two different ways:
    ● Any type of traffic from the endpoint can be detected if that endpoint has any network traffic
      visible to Sentriant AG.
    ● By using the Agent Callback feature (see "Agent Callback" on page 169).
  ■ An endpoint with a static IP address can be automatically tested only if the endpoint:
    ● Has credentials stored for agentless testing.
    ● Already has the agent installed.
    If you do not use the items in the previous list, you cannot capture the user's attention in their browser
    to force them to supply credentials or install an agent and get tested.
  ■ If an endpoint has a static IP address and it cannot be tested automatically, the endpoint shows up
    as awaiting test initiation in the Endpoint activity window.
● Any mode—An administrator can manually test any endpoint by pointing the endpoint's browser to
  http://<Sentriant AG Enforcement server IP address>:88. This includes endpoints with static
  IP addresses.
Managing Passwords
The passwords associated with your Sentriant AG installation are listed in the following table:
Table 17: Sentriant AG Passwords

Sentriant AG password: Sentriant AG Management or Enforcement server
    Set during: Initial install process *
    Recovery process: See "Resetting the Sentriant AG Server Password" on page 387.

Sentriant AG password: Sentriant AG database
    Set during: Initial install process *
    Recovery process: See "Resetting the Sentriant AG Database Password" on page 388.

Sentriant AG password: Sentriant AG user interface, administrator account
    Set during: Initial install process *
    Recovery process:
    • For known passwords—Sentriant AG Home window >> System configuration >> User accounts
    • For unknown passwords—See "Changing the Sentriant AG Administrator Password" on page 388.

Sentriant AG password: endpoint / domain administrator
    Set during: Manually entered on the endpoint by the end-user.
    Recovery process: Password recovery on endpoints is beyond the scope of this document. If the end-user
    has not defined a login/password combination, the default login is usually "administrator" with a
    blank password. Known passwords are entered on the System configuration>>Windows>>Agentless
    credentials window to allow Sentriant AG to test the endpoint.

Sentriant AG password: Windows domain
    Set during: Manually entered after installation on the System configuration>>Quarantining>>802.1X
    Quarantine method radio button window.
    Recovery process: Windows domain password recovery is beyond the scope of this document.

Sentriant AG password: OpenLDAP
    Set during: Manually entered after installation on the System configuration>>Quarantining>>802.1X
    Quarantine method radio button window.
    Recovery process: OpenLDAP password recovery is beyond the scope of this document.

Sentriant AG password: Novell eDirectory
    Set during: Manually entered after installation on the System configuration>>Quarantining>>802.1X
    Quarantine method radio button window.
    Recovery process: Novell eDirectory password recovery is beyond the scope of this document.

* See the Sentriant AG Installation Guide for the installation process.
Resetting the Sentriant AG Server Password
If you can remember the Sentriant AG user interface password, but cannot remember the root login
password for the Sentriant AG MS or ES, log in to the Sentriant AG user interface and navigate to one
of the following windows:
To reset the MS Password:
Home>>System configuration>>Management server
1 In the Other settings area, enter the new password.
2 Click ok.
To reset the ES Password:
Home>>System configuration>>Enforcement clusters & servers>>Click a server name>>Configuration
1 In the Other settings area, enter the new password.
2 Click ok.
If you cannot remember either password, this process allows you to enter a new one:
To reset the Sentriant AG server root password:
1 At the console of the Sentriant AG MS or ES server (not through the Web or SSH), reboot the MS or ES
server by pressing:
[CTRL]+[ALT]+[DELETE]
2 As the machine boots, you are presented with a list of kernels. Interrupt the boot process by pressing
the [a] key.
3 Press [e] to edit the line.
4 Enter a space and type:
single
5 Press [b]. You are now in Single User Mode.
6 Enter the following command:
passwd
7 Enter a new password at the New Password prompt.
8 Press [ENTER].
9 Retype the password at the Retype new password prompt.
10 Press [ENTER]. The password is changed.
11 Reboot the server to return to normal multi-user operation.
NOTE
This procedure requires nothing more than access to the server console, so anyone who can reach the console can set
a new root password. Restrict physical and remote-console access to the MS and ES accordingly.
Resetting the Sentriant AG Database Password
The Sentriant AG database password is set during the install process. You cannot change your database
password with Sentriant AG later. If your database password gets changed by some other method after
Sentriant AG is installed, Sentriant AG will not be able to communicate with the database. In this case,
contact Technical Assistance Center (TAC) for assistance.
Changing the Sentriant AG Administrator Password
When the Password is Known
To reset the Sentriant AG administrator user interface User Name and Password when known:
See "Modifying the MS root Account Password" on page 70.
When the Password is Unknown
To reset the Sentriant AG administrator user interface User Name and Password when unknown:
Command line window
1 Create a text file with the following lines:
Compliance.ObjectManager.AdminUser=
Compliance.ObjectManager.AdminPassword=
Compliance.UI.FirstTimeConfigCompleted=true
After the equal signs, enter the new administrator user name and password (for example,
Compliance.ObjectManager.AdminPassword=CwR0(tW).
2 Save the file and copy it to the Sentriant AG server (either MS or ES).
3 Log into the Sentriant AG server as root.
4 Enter the following command:
setProperty.py -f<filename>
The file holds the new password in clear text, so remove it from the server (and from the workstation where
you created it) once the command has run.
5 From a workstation, open a browser window and point to the Sentriant AG MS.
6 Enter a new User Name and Password when prompted.
NTLM 2 Authentication
If your network is configured for Windows NT LAN Manager version 2 (NTLMv2) challenge/response
authentication only, make the following change to the smb.conf file:
To enable Sentriant AG for NTLM v2:
Command line window
1 Log in as root to the Sentriant AG server (using SSH or directly at the console).
2 Open the following file with a text editor such as vi:
/etc/samba-tng/smb.conf
3 Add the following line:
client ntlmv2 = auto
4 Save and exit the file.
Working with Ranges
In Sentriant AG implementations, particularly in trial installations where you are connecting and
disconnecting cables to a number of different types of endpoints, you can filter the activity by
specifying the following:
● Ranges to monitor—This property filters results in the display window; it does not keep
  Sentriant AG from testing other systems.
● Ranges to ignore—Sentriant AG does not test the ranges listed. Endpoints in an ignored range are never
  tested, so keep this list as short as possible.
● Ranges to enforce—This property is only valid for DHCP mode. It modifies the iptables NFQUEUE
  rule such that only the networks set to be enforced will ever get quarantine addresses.
To specify ranges to monitor:
Home window>>System configuration>>Select an Enforcement Cluster>>Advanced menu option
In the Endpoint detection area, enter the range of addresses to monitor in the IP addresses to monitor
text field. Enter a range as two addresses separated by a hyphen, or use CIDR notation.
To specify ranges to ignore:
Home window>>System configuration>>Enforcement clusters & servers>>Select an Enforcement
Cluster>>Advanced menu option
In the Endpoint detection area, enter the range of addresses to ignore in the IP addresses to ignore text
field. Enter a range as two addresses separated by a hyphen, or use CIDR notation.
To specify ranges to enforce:
Home window>>System configuration>>Quarantining menu option
1 Select the DHCP radio button in the Quarantine method area.
2 Select the Restrict enforcement of DHCP requests to quarantined or non-quarantined subnets
radio button.
3 Enter IP addresses in the DHCP relay IP addresses to enforce text box. Enter individual DHCP relay
agent IP addresses, separated by carriage returns. These addresses are monitored in addition to the
quarantined or non-quarantined subnets.
NOTE
When using Extreme switches running ExtremeWare or ExtremeXOS prior to release 11.6, DHCP relay IP addresses
to enforce will NOT work when the quarantine subnet is a subset of the production network. This is because
Extreme switches forward the packets from the IP address closest to Sentriant AG and not the IP address of the
interface closest to the endpoint, so all the DHCP relay packets will appear to come from a production network IP
address.
For example, the following scenario will not work:
Sentriant AG IP: 10.241.88.20
Production Network: 10.241.90.0/24
Quarantine Network: 10.241.90.160/27 (161-189 for range)
Gateway IP: 10.241.90.190
Non-Quarantine Networks: 10.241.90.0/25, 10.241.90.128/27, 10.241.90.192/26
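The scenario above is easy to check mechanically before changing the quarantine configuration. The following is an added example, not code from the guide or from Sentriant AG: it parses the two range syntaxes the monitor/ignore fields accept (CIDR, or two addresses joined by a hyphen) and applies the condition the NOTE describes (quarantine subnet inside the production network) plus two plain addressing checks to a layout dictionary. GUIDE_SCENARIO is constructed from the figures in the NOTE; the function names and the dictionary keys are hypothetical, and only the Python standard library ipaddress module is used.

```python
"""Added example (not from the guide): sanity checks for the address ranges used
in the Sentriant AG range fields and for the DHCP relay layout in the NOTE above."""
import ipaddress


def parse_range(text):
    """Parse one entry of the 'IP addresses to monitor/ignore' fields: either
    CIDR ('10.0.16.0/24') or two addresses joined by a hyphen
    ('10.0.16.10-10.0.16.20'). Returns a list of ip_network objects."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError("range start is after range end: %s" % text)
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(text, strict=False)]


def address_count(text):
    """Number of addresses covered by one range entry."""
    return sum(net.num_addresses for net in parse_range(text))


def is_inside(child, parent):
    """True if every address of `child` lies within `parent`."""
    child, parent = ipaddress.ip_network(child), ipaddress.ip_network(parent)
    return child.network_address in parent and child.broadcast_address in parent


def check_dhcp_relay_layout(layout):
    """Return a list of findings for a DHCP-mode quarantine layout. The first
    check is the condition the NOTE says pre-11.6 ExtremeWare/ExtremeXOS relay
    cannot handle; the other two catch ordinary addressing mistakes."""
    findings = []
    quarantine = ipaddress.ip_network(layout["quarantine"])
    if is_inside(layout["quarantine"], layout["production"]):
        findings.append("quarantine %s lies inside production %s: DHCP relay IP "
                        "addresses to enforce will not work on Extreme switches "
                        "before release 11.6"
                        % (layout["quarantine"], layout["production"]))
    for net in layout["non_quarantine"]:
        if ipaddress.ip_network(net).overlaps(quarantine):
            findings.append("non-quarantine network %s overlaps the quarantine network" % net)
    if ipaddress.ip_address(layout["gateway"]) not in quarantine:
        findings.append("gateway %s is not inside the quarantine network" % layout["gateway"])
    return findings


# Constructed from the figures in the NOTE above (the layout the guide says will not work).
GUIDE_SCENARIO = {
    "sentriant_ip": "10.241.88.20",
    "production": "10.241.90.0/24",
    "quarantine": "10.241.90.160/27",
    "gateway": "10.241.90.190",
    "non_quarantine": ["10.241.90.0/25", "10.241.90.128/27", "10.241.90.192/26"],
}

if __name__ == "__main__":
    for finding in check_dhcp_relay_layout(GUIDE_SCENARIO):
        print(finding)
    print(address_count("10.0.16.10-10.0.16.20"))
```

For the guide's scenario the only finding is the one the NOTE warns about; moving the quarantine network out of 10.241.90.0/24 (with its gateway) clears it, which is the shape of the fix the NOTE implies.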
Creating and Replacing SSL Certificates
The Secure Sockets Layer (SSL) protocol uses encryption by way of certificates to provide security for
data or information sent over HTTP.
Certificates are digitally signed statements that verify the authenticity of a server for security purposes.
They use two keys: a public key, carried in the certificate, to encrypt information, and a private key,
which stays on the server, to decipher that information.
keytool is a key and certificate management utility that allows you to create your own public and
private keys when you use self-authentication. These keys and certificates are stored in a keystore file.
NOTE
All of the steps in these sections ("Creating a New Self-signed Certificate," and "Using an SSL Certificate from a
known Certificate Authority (CA)" in the users guide) should be performed on the MS and each ES.
In order to avoid SSL certificate warnings in the browser when connecting to the Sentriant AG server
(either as a Sentriant AG user interface user, or from a redirected endpoint) you will need to install SSL
certificates that have been signed by a Certificate Authority (CA) recognized by the browser, such as
Thawte, Verisign, or your organization's own local SSL CA. To install certificates, follow the steps below
for the MS and each ES. (Once is sufficient for single-server installations.) Start by removing your
existing keystore and generating a new self-signed certificate as described in "Creating a New Self-signed
Certificate" on page 391, using compliance as the alias wherever a key alias is needed. Once
you've generated a self-signed certificate with the fully-qualified Domain Name of your server, continue
with the instructions for "Using an SSL Certificate from a known Certificate Authority (CA)" on page
392.
Creating a New Self-signed Certificate
To generate a private keystore containing a new private key/public certificate pair:
Command line window
1 Log in as root to the Sentriant AG server via SSH or directly using a keyboard.
2 Remove the existing keystore by entering the following at the command line (take a copy first if you
may need the current private key again):
rm -f /usr/local/nac/keystore/compliance.keystore
3 Enter the following at the command line:
keytool -genkey -keyalg RSA -alias <key_alias> -keystore /usr/local/nac/keystore/compliance.keystore
Where:
<key_alias> is the name for the key within the keystore file
4 The keytool utility prompts you for the following information:
■ Keystore password—Enter a password. You may want to use changeit to be consistent with the
  default password of the J2SE SDK keystore. Note that changeit is a widely known default; the keystore
  password does not protect the private key from anyone who can read the file, so keep
  /usr/local/nac/keystore/ readable by root only.
■ First and Last Name—Enter the fully-qualified name of your server. This fully-qualified name
  includes the host name and the domain name. For testing purposes on a single machine, this will
  be localhost. Browsers compare this name with the host name in the URL, so it must be the name
  that users and redirected endpoints actually connect to.
■ Organizational unit—Enter the appropriate value.
■ Organization—Enter the name of your organization.
■ City or locality—Enter the city or location.
■ State or province—Enter the unabbreviated state or province.
■ Two-letter country code—Enter a two-letter country code. The two-letter country code for the
  United States is US.
5 Review the information you've entered so far, and enter yes if it is correct.
6 The keytool utility prompts you for the following information:
Key password for <key_alias>—Do not enter a password; press [Return] to use the same password
that was given for the keystore password.
7 Import the CA's root certificates into the java cacerts file by entering the following command on the
command line of the Sentriant AG server:
keytool -import -alias <CA_alias> -file <ca_root_cert_file> -keystore /usr/local/nac/keystore/cacerts
Where:
<CA_alias> is an alias unique to your cacerts file and preferably identifies the CA to which it
pertains
<ca_root_cert_file> is the file containing the CA's root certificate
8 keytool prompts for the password for the cacerts file, which should be the default: changeit.
9 If you are prompted, enter yes to trust the certificate. Before you do, compare the fingerprint keytool
displays with the one the CA publishes; importing a root certificate here makes the server trust
everything that CA signs.
Using an SSL Certificate from a known Certificate Authority (CA)
To generate a Certificate Signing Request (CSR) to be submitted to a Certificate Authority (CA), first create a new
self-signed certificate following the instructions in the previous section, then continue as follows:
1 Log in as root to the Sentriant AG server via SSH or directly using a keyboard.
2 Enter the following at the command line:
keytool -certreq -alias <key_alias> -keyalg RSA -file <csr_filename> -keystore /usr/local/nac/keystore/compliance.keystore
Where:
<key_alias> is the name for the key within the keystore file
<csr_filename> is the name of the file to store the certificate request
3 keytool prompts for the password for the keystore file, which is the password used when the keystore
was created.
4 Submit the CSR (see "Copying Files" on page 42) to your chosen CA (such as Thawte or Verisign)
along with anything else they might require:
http://www.verisign.com/
http://www.thawte.com/
The CSR contains only the public key and the subject name; the private key never leaves the keystore.
5 If you are using a non-traditional CA (such as your own private Certificate Authority/Public Key
Infrastructure (CA/PKI), or if you are using a less well-known CA, you will need to import the CA's
root certificates into the java cacerts file by entering the following command on the command line of
the Sentriant AG server:
keytool -import -alias <CA_alias> -file <ca_root_cert_file> -keystore /usr/local/nac/keystore/cacerts
Where:
<CA_alias> is an alias unique to your cacerts file and preferably identifies the CA to which it
pertains
<ca_root_cert_file> is the file containing the CA's root certificate
6 keytool prompts for the password for the cacerts file, which should be the default: changeit.
7 If you are prompted, enter yes to trust the certificate.
8 Once you get your signed certificate back from the CA, import it into your keystore (see "Copying
Files" on page 42), replacing the previously self-signed public certificate for your key by entering the
following command on the command line of the Sentriant AG server:
keytool -import -alias <key_alias> -trustcacerts -file <signed_cert_file> -keystore /usr/local/nac/keystore/compliance.keystore
Where:
<key_alias> is the name for the key within the keystore file (it must be the same alias used in step 2, so
that the signed certificate is attached to the existing private key rather than stored as a separate entry)
<signed_cert_file> is the name of the file containing your CA-signed certificate
9 keytool prompts for the password for the keystore file, which is the password used when
the keystore was created.
Moving an ES from One MS to Another
If you have an existing ES, you can move it to a different MS by performing the steps in this section.
To move an ES to a different MS:
Command line window
1 Log in to the ES as root using SSH or directly with a keyboard.
2 Enter the following command at the command line:
service nac-es stop
3 Log in to the MS user interface that currently manages the ES you want to move.
4 Select System Configuration>>Enforcement clusters & servers.
5 Click delete next to the ES you want to move.
6 In the command line window of the ES, enter the following command:
resetSystem.py
7 Log in to the MS user interface of the server that you want to manage the ES.
8 Add the ES by following the directions in "Adding an ES" on page 57.
Recovering Quickly from a Network Failure
If you have a network with a very large number of endpoints (around 3000 endpoints per ES), and your network
goes down, perform the following steps to make sure that your endpoints can reconnect as quickly as possible:
1 Place all of the clusters that have a large number of endpoints in allow all mode:
a Select System configuration.
b Click a cluster name.
c Select the allow all radio button.
d Click ok.
2 Leave the cluster in allow all mode for a full test cycle. If your test cycle is to retest endpoints every
two hours, leave the cluster in allow all mode for two hours. To check the length of your test cycle:
a Select NAC policies.
b Click a policy name.
c Select the Basic settings menu option.
d In the Retest frequency area, check the Retest endpoints every X hours text field.
NOTE
The retest frequency can be different for each policy. While a cluster is in allow all mode, endpoints are admitted
without being quarantined, so return the cluster to normal mode as soon as the longest test cycle has completed.
3 Move the clusters back to normal mode:
a Select System configuration.
b Click a cluster name.
c Select the normal radio button.
d Click ok.
VLAN Tagging
In some cases, such as when the DHCP server is in a separate VLAN from the span/mirror port, the
mirrored port traffic is 802.1q tagged. In this case, in order for Sentriant AG to recognize the traffic, the
following workaround must be performed.
1 Set up the virtual interface:
a Log in to each ES that is monitoring a port using SSH or directly with a keyboard.
b Enter the following command at the command line:
cd /etc/sysconfig/network-scripts
c For 802.1X mode:
1) Enter the following at the command line:
cp ifcfg-eth1 ifcfg-eth1.1
2) Open the ifcfg-eth1.1 file with a text editor such as vi.
3) Change the following line:
DEVICE=eth1
To:
DEVICE=eth1.1
d For DHCP mode:
1) Enter the following at the command line:
cp ifcfg-eth0 ifcfg-eth0.1
2) Open the ifcfg-eth0.1 file with a text editor such as vi.
3) Change the following line:
DEVICE=eth0
To:
DEVICE=eth0.1
e Append the following line to the bottom of the file:
VLAN=yes
With VLAN=yes, the number after the dot in the device name is the 802.1q VLAN ID, so use the VLAN ID that is
actually tagged on the mirrored traffic rather than 1 if yours differs.
f Modify the IPADDR line if needed.
g Save and exit the file.
h Restart the network interface by entering the following at the command line:
service network restart
2 Change the interface the EDAC listens on:
a Log in to the MS using SSH or directly with a keyboard.
b For 802.1X mode, enter the following command at the command line:
setProperty.py -c <cluster name> Compliance.ObjectManager.NACModeTcpdumpInterface=eth1:1
c For DHCP mode, enter the following command at the command line:
setProperty.py -c <cluster name> Compliance.ObjectManager.DDHCPModeDHCPInterface=eth1:1
The interface name you set here must be exactly the name of the virtual interface you created in step 1, as
ifconfig reports it; eth1.1 (an 802.1q sub-interface) and eth1:1 (an IP alias) are different interfaces.
3 Verify the change:
a Log in to each ES using SSH or directly with a keyboard.
b Enter the following command at the command line:
ifconfig
c Verify that the virtual interface you created is listed.
d Open the following file:
/var/log/nac/nac-es.log
e Verify that the EDAC is using the virtual interface you created. The log should contain a line
similar to the following:
[070509-MDT 10:53:11.366 DeviceActivityCapture-INFO ] Listening on: eth1:1
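The procedure above edits one file by hand and then requires three names to agree: the DEVICE= you created, the interface you give setProperty.py, and the interface the EDAC reports in nac-es.log. The following added example (not code from the guide or from Sentriant AG) derives the ifcfg-<dev>.<vlan> file from an existing ifcfg file the way steps 1c to 1f describe, and then cross-checks the three names. SAMPLE_IFCFG_ETH1 and SAMPLE_LOG are constructed to match the formats the guide shows; the function names are hypothetical.

```python
"""Added example (not from the guide): build the ifcfg-<dev>.<vlan> file that
the VLAN tagging steps describe, and cross-check the three interface names
that must agree. The sample file and log line are constructed."""
import re

# Constructed sample ifcfg-eth1; a real file carries whatever your ES has.
SAMPLE_IFCFG_ETH1 = """DEVICE=eth1
BOOTPROTO=static
IPADDR=10.0.16.5
NETMASK=255.255.255.0
ONBOOT=yes
"""

# Constructed log line in the format the guide shows for nac-es.log.
SAMPLE_LOG = "[070509-MDT 10:53:11.366 DeviceActivityCapture-INFO ] Listening on: eth1:1\n"


def make_vlan_ifcfg(ifcfg_text, vlan_id, ipaddr=None):
    """Return (new_device, new_file_text): DEVICE= gets the .<vlan_id> suffix,
    IPADDR= is replaced when a new address is given (step 1f), and VLAN=yes is
    appended exactly once (any existing VLAN= line is dropped first)."""
    out, device = [], None
    for line in ifcfg_text.splitlines():
        m = re.match(r"\s*DEVICE=(\S+)\s*$", line)
        if m:
            device = m.group(1)
            line = "DEVICE=%s.%d" % (device, vlan_id)
        elif ipaddr and re.match(r"\s*IPADDR=", line):
            line = "IPADDR=%s" % ipaddr
        elif re.match(r"\s*VLAN=", line):
            continue
        out.append(line)
    if device is None:
        raise ValueError("no DEVICE= line found in ifcfg text")
    out.append("VLAN=yes")
    return "%s.%d" % (device, vlan_id), "\n".join(out) + "\n"


def listening_interface(log_text):
    """Interface named in the EDAC's 'Listening on:' line, or None if absent."""
    m = re.search(r"DeviceActivityCapture-INFO\s*\]\s*Listening on:\s*(\S+)", log_text)
    return m.group(1) if m else None


def check_names(device, property_value, log_text):
    """List every mismatch between the created device, the value given to
    setProperty.py, and what the EDAC says it listens on. eth1.1 (an 802.1q
    sub-interface) and eth1:1 (an ifconfig IP alias) are different interfaces,
    so the comparison is exact."""
    problems = []
    if property_value != device:
        problems.append("setProperty.py value %r does not match created device %r"
                        % (property_value, device))
    seen = listening_interface(log_text)
    if seen is None:
        problems.append("nac-es.log has no 'Listening on:' line yet")
    elif seen != device:
        problems.append("EDAC listens on %r, not on %r" % (seen, device))
    return problems


if __name__ == "__main__":
    dev, text = make_vlan_ifcfg(SAMPLE_IFCFG_ETH1, 1)
    print(text)
    for p in check_names(dev, "eth1:1", SAMPLE_LOG):
        print(p)
```

Run against the guide's own values, the check reports that eth1.1 (the device the ifcfg steps create) and eth1:1 (the value in the setProperty.py lines and the log excerpt) differ; on a real ES, set the property to whatever name ifconfig shows for the interface you created.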
iptables Wrapper Script
To avoid creating conflicts between iptables and the nac-es service, do not run the following
commands manually:
● /etc/init.d/iptables
● service iptables start
● service iptables stop
● service iptables restart
The nac-es service must be shut down before making changes to the iptables firewall. The fw_control
wrapper script ensures that errors are not introduced by making changes when nac-es is running.
Use the following commands to control iptables from the command line:
To stop iptables:
fw_control stop
To start iptables:
fw_control start
To restart iptables:
fw_control restart
To save iptables config:
fw_control save
To get iptables status (iptables -L):
fw_control status
NOTE
This last command can be used even if the nac-es service is running since it makes no changes to the
iptables rules.
Updating Rules without an Internet Connection
Enabling test updates in Sentriant AG without an Internet connection (air gap environment) is a three-step
process as follows:
1 Log in to http://eSupport.extremenetworks.com to get the necessary RPM file.
2 Copy the RPM file to your Sentriant AG server.
3 Run the update script at the command line.
Downloading the Files
To download the RPM file:
Browser window
1 Get the latest test update RPM file:
a On a computer with Internet access, log in to:
http://eSupport.extremenetworks.com
If you do not have an eSupport account, please contact Extreme Networks, Inc. Technical
Assistance Center (TAC) (support@extremenetworks.com or (800) 998-2408).
b Navigate to the Sentriant AG section.
c Click on the link to download the latest AirgapTests RPM.
d Save this file to a location on your computer that you will remember.
2 Copy the RPM file to a directory on the Sentriant AG server that you will remember (for multiple-server
installations, copy the RPM file to the MS):
a See "Copying Files" on page 42, or copy the file to a USB fob and then copy the file from the
USB fob to the Sentriant AG server.
Because the file crosses the air gap on removable media, confirm on the server that it is the file you
downloaded (for example, by comparing a checksum taken on the download machine) before installing it.
b Go to "Updating Rules".
Updating Rules
After you have downloaded the latest RPM file, you can use the installAirgapTests script to update
the rules.
To update the rules:
Command line
1 Log in as root to the Sentriant AG server using SSH or directly with a keyboard.
2 Enter the following command at the command line:
installAirgapTests <path to RPM file>/<RPM Filename>
Supporting Network Management System
This section describes Network Management System (NMS) settings.
Enabling ICMP Echo Requests
The default configuration for Sentriant AG is to not respond to ICMP Echo (ping) requests.
Enable Temporary Ping
To temporarily (until reboot) enable ICMP echo requests:
Command line
1 Log in to the Sentriant AG server as root using SSH or directly with a keyboard.
2 Enter the following command at the command line:
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Pings will again be disabled after the next reboot.
Enable Persistent Ping
To persistently enable ICMP echo requests:
Command line
1 Log in to the Sentriant AG server as root using SSH or directly with a keyboard.
2 Open the rc.local file with a text editor such as vi. For example:
/etc/rc.d/rc.local
3 In the # Ignore All ICMP requests area, change the following line:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
To:
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
4 Save and exit the file.
5 At the command line, enter the following:
/etc/rc.d/rc.local
Restricting the ICMP Request
If you wish to restrict the ping request to a specific interface, such as the interface facing the protected
network, then after following the procedures above, follow the instructions in this section to add rules
to the firewall chain so that ping requests are only answered on the interface specified.
To restrict ping entries to a specific interface:
Command line
1 At the MS command line, enter the following iptables entries in this order (the ACCEPT rule must come
before the DROP rule, because iptables matches the first rule that applies):
iptables -A RH-Lokkit-0-50-INPUT -p icmp --icmp-type echo-request -i ethx -j ACCEPT
iptables -A RH-Lokkit-0-50-INPUT -p icmp --icmp-type echo-request -j DROP
Where:
ethx is the interface that you wish to be "pingable". For example, eth0.
If the server also runs the nac-es service (a single-server installation), stop nac-es before changing the rules and
use the wrapper script described in "iptables Wrapper Script" on page 397.
2 In order for these changes to persist through reboots, enter the following command at the command
line:
iptables-save > /etc/sysconfig/iptables.save
Changing the Community Name for SNMPD
Sentriant AG includes snmpd and it is started by default. You need to change the notpublicsnmp
community name to something specific to your site, and restrict the addresses that may use it.
To change the community name:
Command line window
1 Log in as root to the Sentriant AG MS using SSH.
2 Open the following file with a text editor such as vi:
/etc/snmp/snmpd.conf
Figure 210: snmpd.conf Example File
# Thu Jul 05 15:14:53 MDT 2007
# This file is generated automatically. Please do not edit. Edit the
# snmpd.conf.template file instead.
#
# This is a template for the snmpd.conf file.
# The following variables will be replaced:
#   SOURCE - replaced with the source CIDR network that is allowed to access
#   COMMUNITY - replaced with the community string for which permissions are being set
#
com2sec allowed_net default notpublicsnmp
group allowed_net_mon v1 allowed_net
group allowed_net_mon v2c allowed_net
group allowed_net_mon usm allowed_net
view all included system
access allowed_net_mon "" any noauth exact all none none
view all included .1 80
view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc
3 Ignore the comment that asks you to not edit this file. Change the following line:
com2sec allowed_net default notpublicsnmp
to:
com2sec allowed_net <IP address range> <customer-specific community>
where:
<IP address range> = the IP address range of your network; CIDR notation is supported.
For example: 10.0.16.0/24
<customer-specific community> = your customer-specific community name.
For example: Public2 (in practice choose a long, random value; the community name is the only
credential an SNMP v1/v2c request carries)
4 Save and exit the file.
NOTE
iptables already allows snmpd through UDP port 161.
NOTE
Be careful with this functionality, as a lot of information is available. As shipped, the com2sec source default
accepts requests from any address, the access line grants read access to the all view (the whole tree under .1)
without authentication, and SNMP v1/v2c send the community name in clear text. Anyone on the permitted range who
learns the community name can read everything the listed MIBs expose, so keep the source range as narrow as
possible and treat the community name as a password.
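Since step 3 is a hand edit of a generated file, it is worth checking the result mechanically. The following added example (not code from the guide or from Sentriant AG) audits the com2sec lines of an snmpd.conf for the two weak values Figure 210 ships with (source default, community notpublicsnmp) and rewrites the allowed_net line with a validated CIDR source and a community name that is neither a well-known default nor shorter than eight characters. That length rule is stricter than the guide's own example Public2 and is this example's choice. SAMPLE_CONF is constructed from Figure 210; the function names and WEAK_COMMUNITIES list are hypothetical.

```python
"""Added example (not from the guide): audit and rewrite the com2sec line in
snmpd.conf as the steps above describe, refusing values that leave the agent
open. SAMPLE_CONF is constructed from Figure 210."""
import ipaddress
import re

WEAK_COMMUNITIES = {"public", "private", "notpublicsnmp"}
# com2sec NAME SOURCE COMMUNITY ; separators restricted to spaces/tabs so a
# match never runs across a line boundary.
COM2SEC = re.compile(r"^([ \t]*com2sec[ \t]+(\S+)[ \t]+)(\S+)[ \t]+(\S+)[ \t]*$", re.MULTILINE)

SAMPLE_CONF = """# generated snmpd.conf (constructed from the guide's Figure 210)
com2sec allowed_net default notpublicsnmp
group allowed_net_mon v1 allowed_net
group allowed_net_mon v2c allowed_net
group allowed_net_mon usm allowed_net
view all included .1 80
access allowed_net_mon "" any noauth exact all none none
"""


def audit_com2sec(conf_text):
    """One finding per com2sec line that is reachable from anywhere or uses a
    guessable community; an empty list means nothing was found."""
    findings = []
    for m in COM2SEC.finditer(conf_text):
        name, source, community = m.group(2), m.group(3), m.group(4)
        if source == "default":
            findings.append("%s: source 'default' accepts SNMP from any address" % name)
        if community.lower() in WEAK_COMMUNITIES:
            findings.append("%s: community %r is a well-known default" % (name, community))
    return findings


def validate_community(community):
    """Reject well-known names, short values, and characters snmpd would need quoted."""
    if community.lower() in WEAK_COMMUNITIES:
        raise ValueError("refusing well-known community name %r" % community)
    if len(community) < 8:  # stricter than the guide's example 'Public2'
        raise ValueError("community should be at least 8 characters")
    if not re.fullmatch(r"[A-Za-z0-9_.\-]+", community):
        raise ValueError("use only letters, digits, '_', '.' and '-' in the community")
    return community


def rewrite_com2sec(conf_text, source_cidr, community, name="allowed_net"):
    """Replace SOURCE and COMMUNITY on the named com2sec line. The source must
    be a valid network in CIDR form (host bits set is an error, not a guess)."""
    source = str(ipaddress.ip_network(source_cidr, strict=True))
    validate_community(community)
    hits = [m for m in COM2SEC.finditer(conf_text) if m.group(2) == name]
    if len(hits) != 1:
        raise ValueError("expected exactly one 'com2sec %s' line, found %d" % (name, len(hits)))
    m = hits[0]
    return conf_text[:m.start()] + "%s%s %s" % (m.group(1), source, community) + conf_text[m.end():]


if __name__ == "__main__":
    for finding in audit_com2sec(SAMPLE_CONF):
        print("before:", finding)
    fixed = rewrite_com2sec(SAMPLE_CONF, "10.0.16.0/24", "r0-mon-9XkQ2p")
    print(fixed)
    print("after:", audit_com2sec(fixed))
```

Only the com2sec line changes; the group, view and access lines from Figure 210 are left exactly as they were, so the agent's read-only scope is unchanged and only who may reach it, and with what name, is tightened.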
SNMP MIBs
A Management Information Base (MIB) is a database that manages devices in a network. Simple
Network Management Protocol (SNMP) is a protocol used for communication between devices that
uses MIBs to obtain SNMP message formats.
Sentriant AG supports SNMP v2c for incoming SNMP notifications. The following MIBs (located in /
usr/share/snmp/mibs/ ) define the data that Sentriant AG can read:
● HOST-RESOURCES-MIB
● IF-MIB
● IP-MIB
● IPV6-MIB
● NET-SNMP-AGENT-MIB
● NET-SNMP-MIB
● RFC1213-MIB
● SNMP-FRAMEWORK-MIB
● SNMP-MPD-MIB
● SNMP-TARGET-MIB
● SNMP-USER-BASED-SM-MIB
● SNMPv2-MIB
● SNMP-VIEW-BASED-ACM-MIB
● TCP-MIB
● UCD-DLMOD-MIB
● UCD-SNMP-MIB
● UDP-MIB
The following MIB defines the outgoing SNMP notifications that Sentriant AG sends:
/usr/share/snmp/mibs/NAC-MIB.txt
See the following links for more information on SNMP and MIBs:
● http://en.wikipedia.org/wiki/Management_information_base
● http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
17 Patch Management
Sentriant AG can integrate with patch management software. When an endpoint fails due to a missing
patch, Sentriant AG wakes the patch manager client, checks for the completion of the patch, and then
retests upon completion.
The patch management capability uses the following test statuses:
● fail – patching endpoint
● patching failed – <reason>
● patching completed
Flagging a Test to Launch a Patch Manager
To flag a test to launch a patch manager:
Home window>>NAC Policies>>Select or create a NAC policy>>Tests menu option
Figure 211: Initiate a Patch Manager Check Box
1 Select the check box for a test in the left column.
2 Click on the test name in the left column.
3 Select the Initiate patch manager check box.
4 Click ok.
Selecting the Patch Manager
To select the patch manager:
Home window>>NAC Policies>>Select or create an access policy>>Tests menu option
1 Select the check box for a test in the left column.
2 Click on the test name in the left column.
3 Select the Initiate patch manager check box.
4 Select a patch manager from the Select a patch manager drop-down list.
5 Click ok.
Specifying the Number of Retests
To select the maximum number of retest attempts:
Home window>>NAC Policies>>Select or create an access policy>>Tests menu option
1 Select the check box for a test in the left column.
2 Click on the test name in the left column.
3 Select the Initiate patch manager check box.
4 Enter a number in the Maximum number of retest attempts text box. For example, 10 (the system
minimum is 1 and the maximum is 2147483647).
5 Click ok.
Specifying the Retest Frequency
To specify the retest interval:
Home window>>NAC Policies>>Select or create an access policy>>Tests menu option
1 Select the check box for a test in the left column.
2 Click on the test name in the left column.
3 Select the Initiate patch manager check box.
4 Enter a number in the retest interval text box. For example, 30 (the system minimum is 1 and the
maximum is 2147483647).
5 Click ok.
SMS Patch Management
Repair vulnerabilities using patch management with SMS.
NOTE
Windows SMS 2003 is the only version supported.
SMS Concepts
Microsoft Systems Management Server (SMS) 2003 provides a means to manage software updates for
Microsoft platform endpoints. The SMS server contains a database of logical groups with common
attributes called collections. SMS operates only on clients (endpoints) that are members of a collection.
Software installation packages come ready to install from Microsoft or you can create your own. A
package contains the files and instructions for distributing the software. An advertisement is a notification
that says an update (package) is available.
NOTE
Detailed instructions on using and configuring SMS are beyond the scope of this document. See “Learning More
About SMS” on page 406 for links to helpful SMS information.
NOTE
SMS server has a setting that allows users to interact with and cancel patch installation. Extreme Networks, Inc.
recommends that you do not allow users to cancel patch installation. Once a patch installation has been canceled,
the patch does not automatically attempt to install later and the endpoint will never pass the NAC policy test
without manual intervention by the SMS administrator. If an end-user cancels a patch installation, the SMS
administrator must re-run the advertisement to patch the endpoint.
Sentriant AG/SMS/Sentriant AG Process
When an agent-based test fails on the endpoint, Sentriant AG wakes up the endpoint client (SMS) which
patches the endpoint. Sentriant AG retests the endpoint. If the test fails again, Sentriant AG keeps
looping until patching completes. If the test passes, Sentriant AG allows the endpoint access to the
network.
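The loop just described is bounded by the two values set in the "Specifying the Number of Retests" and "Specifying the Retest Frequency" procedures earlier in this chapter. The following model is an added example for this guide, not Sentriant AG's implementation: it drives a simulated endpoint through wake, wait, retest and records the three test statuses listed at the start of the chapter. The patch manager and endpoint are simulated, and giving up with a "patching failed" status once the maximum number of retests is reached is an assumption.

```python
"""Model of the patch-and-retest loop described above, bounded by the Maximum
number of retest attempts and retest interval set in the NAC policy. Added
example for this guide, not Sentriant AG's implementation; the patch manager
and endpoint are simulated, and giving up after the maximum number of retests
is an assumption."""
import time

# UI limits quoted in the retest procedures above.
MIN_VALUE = 1
MAX_VALUE = 2147483647

# Test statuses listed at the start of the chapter.
FAIL_PATCHING = "fail – patching endpoint"
PATCH_COMPLETED = "patching completed"


def patching_failed(reason):
    return f"patching failed – {reason}"


def _check_bounds(name, value):
    if not isinstance(value, int) or not MIN_VALUE <= value <= MAX_VALUE:
        raise ValueError(f"{name} must be an integer from {MIN_VALUE} to {MAX_VALUE}, got {value!r}")


def run_patch_cycle(wake_client, retest, max_retests, retest_interval, sleep=time.sleep):
    """Drive one endpoint through the loop and return the statuses recorded.

    wake_client(): tells the patch-manager client on the endpoint to start;
                   raises RuntimeError if it cannot (e.g. SMS client missing).
    retest():      re-runs the failed test; True once the endpoint passes.
    sleep():       injectable so the loop can run instantly in a test.
    """
    _check_bounds("max_retests", max_retests)
    _check_bounds("retest_interval", retest_interval)
    history = []
    try:
        wake_client()
    except RuntimeError as exc:
        history.append(patching_failed(str(exc)))
        return history
    for _ in range(max_retests):
        history.append(FAIL_PATCHING)     # endpoint stays quarantined while patching
        sleep(retest_interval)
        if retest():
            history.append(PATCH_COMPLETED)
            return history
    history.append(patching_failed(f"test still failing after {max_retests} retests"))
    return history


def simulated_endpoint(passes_on_attempt):
    """Constructed stand-in: the test starts passing on the given retest attempt
    (None means it never passes, as after a user cancels the SMS install)."""
    count = {"n": 0}

    def retest():
        count["n"] += 1
        return passes_on_attempt is not None and count["n"] >= passes_on_attempt

    return retest
```

The `None` case is the situation the NOTE above warns about: once a user cancels the installation the endpoint never passes, so without an upper bound the loop would run forever and the SMS administrator would have no status telling them to re-run the advertisement.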
NOTE
SMS patch management works with agent-based testing only.
NOTE
Endpoints must be identified in SMS and have the SMS client installed.
Sentriant AG Setup
To set up Sentriant AG for use with SMS:
1 Install and configure Sentriant AG (see the Sentriant AG Installation guide).
2 Log into the Sentriant AG user interface.
3 Add the following IP addresses to the Sentriant AG home window>>System
configuration>>Accessible services area:
a SMS server IP address
b Domain Controllers IP addresses and authentication ports
Learning More About SMS
The following links provide additional information about SMS:
● Microsoft SMS home page
http://www.microsoft.com/smserver/
● SMS overview
http://www.microsoft.com/smserver/evaluation/default.asp
● Available SMS documentation
http://www.microsoft.com/smserver/techinfo/productdoc/default.asp
● Pre-requisites to using SMS
http://www.microsoft.com/technet/itsolutions/techguide/msm/swdist/pmsms/2003/pmsms031.mspx#XSLTsection126121120120
● Concepts, planning, and deployment guide
http://www.microsoft.com/resources/documentation/sms/2003/all/cpdg/en-us/default.mspx
A Configuring the Post-connect Server
Overview
This section describes how to configure the remote server for use with the Sentriant AG post-connect
feature. The post-connect server can be a Windows server or a Linux server. This section details the
following:
● “Extracting the ZIP File” on page 407
  ■ “Windows” on page 407
  ■ “Linux” on page 408
● “ZIP File Contents” on page 408
● “Setting up a Post-connect Host” on page 409
  ■ “Windows” on page 409
  ■ “Linux” on page 410
● “Viewing Logs” on page 412
● “Testing the Service” on page 412
● “Configuring Your Sensor” on page 413
Extracting the ZIP File
Windows
To download and extract the ZIP file to a Windows machine:
1 Create a directory for the contents of the ZIP file on the Windows machine. Extreme Networks, Inc.
recommends C:\Program Files\Extreme. These instructions assume that you used the C:\Program
Files\Extreme directory.
2 Copy the ZIP file to a Windows machine. The ZIP file can be downloaded directly from:
/usr/local/nac/webapps/ROOT/installers/postconnect.zip
3 Extract the contents of the ZIP file with an extraction program such as WinZip® or Windows zip
utility. Do not extract in a UNIX-like terminal window such as cygwin as this may cause
permission/ownership issues.
Linux
To download and extract the ZIP file to a Linux machine:
1 Create a directory for the contents of the ZIP file on the Linux machine. Extreme Networks, Inc.
recommends /usr/local. These instructions assume that you used the /usr/local directory.
2 Copy the ZIP file to a Linux machine. The ZIP file can be downloaded directly from:
/usr/local/nac/webapps/ROOT/installers/postconnect.zip
3 Extract the contents of the ZIP file by entering the following at the command line:
cd /usr/local
unzip postconnect.zip
ZIP File Contents
The following folders and files are extracted:
● postconnect
  ■ bin
    Connector.bat
    Connector_ActionScript.py
    InstallConnectorService.bat
    postconnect
    UninstallConnectorService.bat
    wrapper.exe
  ■ conf
    wrapper.conf
  ■ lib
    activemq-core-4.1.1.jar
    backport-util-concurrent-2.1.jar
    commons-logging-1.0.3.jar
    concurrent-1.3.4.jar
    connector.jar
    connector.properties
    geronimo-spec-j2ee-management-1.0-rc4.jar
    jms.jar
    JMSConnection.properties
    log4j-1.2.13.jar
    log4j.properties
    wrapper.dll
    wrapper.jar
  ■ log
Setting up a Post-connect Host
Windows
Your post-connect host can be a Linux or Windows server. This section provides instructions on setting
up a Windows host.
To set up a Windows post-connect host:
1 Install WinPcap on a Windows machine if it is not already installed:
a Log into your Windows server.
b Install WinPcap (a packet capturing and filtering system):
1) Navigate to http://www.winpcap.org/.
2) Download and install the WinPcap auto-installer (driver+DLLs) image.
2 Install Java on a Windows machine if it is not already installed:
a Log into your Windows server.
b Install Java:
1) Navigate to http://java.sun.com/javase/downloads/index.jsp.
2) Download and install the Java 1.5 update 10 or greater.
3 Install Python 2.5 or later if it is not already installed:
a Log into your Windows machine.
b Install Python:
1) Navigate to http://www.python.org/download/.
2) Download and install the Python for Windows version.
4 Copy the cacerts file to the Windows server:
a Log in to the Sentriant AG MS as root using SSH or directly with a keyboard.
b Copy the /usr/local/nac/keystore/cacerts file from the MS into the \lib folder on the post-connect
server where you extracted the ZIP file. See “Copying Files” on page 42 for information on how to
copy files securely.
5 Edit the connector.properties file:
a Open the \postconnect\lib\connector.properties file with a text editor.
b Change the instance name to something recognizable by you. For example:
instance=My Warehouse Sensor
c Change the product to be the product you are running. For example:
product=IDS Product Name
d Save and exit the file.
6 Edit the JMSConnection.properties file:
a Open the \postconnect\lib\JMSConnection.properties file with a text editor.
b Enter the MS IP address. For example:
URL=ssl://172.16.128.100:61616
c Enter the MS username. For example:
USER_NAME=root
d Enter the MS password. For example:
PASSWORD=7884!25H
7 Install the service:
a Navigate to the \postconnect\bin directory.
b Double-click on the InstallConnectorService.bat file.
8 Start the service:
a On your Windows server, select Start>>Settings>>Control Panel>>Administrative
Tools>>Services.
b Right-click on NAC Post-Connect Service and select Start.
Linux
Your post-connect host can be a Linux or Windows server. This section provides instructions on setting
up a Linux host.
To set up a Linux post-connect host:
1 Install Java on a Linux machine if it is not already installed:
a Log into your Linux machine.
b Install Java:
1) Navigate to http://java.sun.com/javase/downloads/index.jsp.
2) Download and install the Java 1.5 update 10 or later.
2 Install Python 2.5 or later if it is not already installed:
a Log into your Linux machine.
b Install Python:
1) Navigate to http://www.python.org/download/.
2) Download and install the Python for UNIX version.
3 Copy the cacerts file to the Linux server:
a Log in to the Sentriant AG MS as root using SSH or directly with a keyboard.
b Copy the /usr/local/nac/keystore/cacerts file from the MS into the /usr/local/
postconnect/lib folder on the post-connect server where you extracted the ZIP file. See
“Copying Files” on page 42 for information on how to copy files securely.
4 Log in to the Linux post-connect server.
a Modify the startup script:
1) Open the following file with a text editor such as vi:
/usr/local/postconnect/bin/postconnect
2) Set the JAVA_HOME variable to wherever you have installed Java. For example:
export JAVA_HOME='/opt/jdk1.5.0_10'
3) Save and exit the file.
4) Copy the postconnect file to your /etc/init.d folder by entering the following command at
the command line:
cp /usr/local/postconnect/bin/postconnect /etc/init.d/
b Edit the connector.properties file:
1) Open the /usr/local/postconnect/lib/connector.properties file with a text editor such
as vi.
2) Change the instance name to something recognizable by you. For example:
instance=My Warehouse Sensor
3) Change the product to be the product you are running. For example:
product=IDS Product Name
4) Save and exit the file.
c Edit the JMSConnection.properties file:
1) Open the /usr/local/postconnect/lib/JMSConnection.properties file with a text editor
such as vi.
2) Enter the MS IP address. For example:
URL=ssl://172.16.128.100:61616
3) Enter the MS username. For example:
USER_NAME=root
4) Enter the MS password. For example:
PASSWORD=7884!25H
d Start the service by entering the following at the command line:
service postconnect start
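Both host procedures end with the same two hand-edited files, and JMSConnection.properties holds the MS root password in clear text. The following script is an added example for this guide, not part of the post-connect package: it reads the two properties files, confirms that the MS URL uses `ssl://` on port 61616 and that the identifying and credential fields are filled in, and checks that the credentials file is not readable by other accounts on the host. The file contents are constructed from the values shown in the procedures, with a placeholder in place of a password; the permission check uses POSIX mode bits, so it applies to the Linux host.

```python
"""Validate the two properties files edited in the post-connect setup above.
Added example, not part of the Sentriant AG post-connect package; the file
contents below are constructed from the values the guide shows, with a
placeholder password."""
import os
import stat
import tempfile
from urllib.parse import urlsplit

MS_PORT = 61616  # port the guide says Sentriant AG uses to reach the post-connect server


def parse_properties(text):
    """Minimal reader for the key=value .properties files in postconnect/lib
    (comments start with # or !; values are not unescaped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_connector(props):
    """connector.properties: both identifying fields must be filled in."""
    return [f"{key} is not set" for key in ("instance", "product") if not props.get(key)]


def check_jms_connection(props):
    """JMSConnection.properties: the MS URL must be ssl:// on port 61616 and the
    credentials must be present. Returns a list of findings (empty = OK)."""
    findings = []
    parts = urlsplit(props.get("URL", ""))
    if parts.scheme != "ssl":
        findings.append("URL must use the ssl:// scheme")
    if parts.port != MS_PORT:
        findings.append(f"URL must point at port {MS_PORT}")
    for key in ("USER_NAME", "PASSWORD"):
        if not props.get(key):
            findings.append(f"{key} is missing")
    return findings


def readable_by_others(path):
    """True when group or other can read the file. JMSConnection.properties holds
    the MS root password in clear text, so it should be readable by the service
    account only (POSIX permission bits; not meaningful on Windows)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


# Constructed file contents, following the examples in the procedure.
CONNECTOR_TEXT = "instance=My Warehouse Sensor\nproduct=IDS Product Name\n"
JMS_TEXT = (
    "URL=ssl://172.16.128.100:61616\n"
    "USER_NAME=root\n"
    "PASSWORD=<placeholder-not-a-real-password>\n"
)


def demo():
    """Write the constructed files into a temporary lib/ directory, check them,
    then tighten the permission bits; returns the findings before and after."""
    with tempfile.TemporaryDirectory() as lib:
        jms_path = os.path.join(lib, "JMSConnection.properties")
        with open(jms_path, "w") as fh:
            fh.write(JMS_TEXT)
        os.chmod(jms_path, 0o644)           # typical default: readable by everyone on the host
        before = readable_by_others(jms_path)
        os.chmod(jms_path, 0o600)           # owner-only, as a practitioner would set it
        after = readable_by_others(jms_path)
        with open(jms_path) as fh:
            jms_findings = check_jms_connection(parse_properties(fh.read()))
    return {
        "connector": check_connector(parse_properties(CONNECTOR_TEXT)),
        "jms": jms_findings,
        "world_readable_before": before,
        "world_readable_after": after,
    }
```

Point the same functions at /usr/local/postconnect/lib/ on the real host after step d; a `tcp://` URL or a readable-by-others properties file are the two findings worth fixing before the service is started.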
Viewing Logs
To view post-connect logs, open the following files:
● /usr/local/postconnect/log/connector.log—Verify that the connector is running.
● /usr/local/postconnect/log/script.log—The script writes to this file.
Testing the Service
To test the post-connect service:
Command line
Enter the following at the command line:
Windows
/usr/local/postconnect/bin/Connector_ActionScript.py <endpoint IP> "Reason 1" "Reason 2"
Linux
/usr/local/postconnect/bin/Connector_ActionScript.py <endpoint IP> "Reason 1" "Reason 2"
Where:
<endpoint IP> is the IP address of an endpoint known to Sentriant AG. For example, 192.168.40.40
“Reason 1” and “Reason 2” are text strings that describe the reasons to quarantine the specified
endpoint. For example, “P2P Software Installed”, or “Latest Windows XP Service Pack not applied”.
Configuring Your Sensor
Configure your post-connect sensor to call Connector_ActionScript.py with the IP address of the
endpoint to quarantine and the reasons to quarantine.
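The arguments the sensor passes to Connector_ActionScript.py are taken from its alert, and alert text partly reflects traffic the endpoint itself generated. The following wrapper is an added example for this guide, not part of the post-connect package: it validates that the endpoint address is a single IP, normalises the reason strings, and invokes the script as an argument list rather than through a shell, so reason text can never be interpreted as shell syntax. The script path is the Linux layout from this appendix, and the reason-length limit is a constructed choice.

```python
"""Sensor-side wrapper for calling Connector_ActionScript.py with the endpoint
IP and quarantine reasons, as described above. Added example for this guide,
not part of the post-connect package; the script path is the Linux layout from
this appendix and the reason-length limit is a constructed choice."""
import ipaddress
import subprocess
import sys

CONNECTOR_SCRIPT = "/usr/local/postconnect/bin/Connector_ActionScript.py"
MAX_REASON_LEN = 200  # constructed: keeps IDS alert text from becoming an unbounded argument


def build_command(endpoint_ip, reasons, script=CONNECTOR_SCRIPT, interpreter=sys.executable):
    """Return the argv list for the connector call. The IP and the reasons come
    from the sensor's alert, i.e. partly from traffic the endpoint sent, so they
    are validated here rather than trusted."""
    address = ipaddress.ip_address(endpoint_ip)  # ValueError on anything that is not one IP
    if not reasons:
        raise ValueError("at least one quarantine reason is required")
    cleaned = []
    for reason in reasons:
        text = " ".join(str(reason).split())      # collapse newlines and tabs from alert text
        if not text:
            raise ValueError("empty quarantine reason")
        cleaned.append(text[:MAX_REASON_LEN])
    return [interpreter, script, str(address), *cleaned]


def quarantine(endpoint_ip, reasons, run=subprocess.run):
    """Invoke the script as an argument list, never through a shell, so reason
    text is passed literally. Returns the script's exit status; `run` is
    injectable so the call can be exercised without the real script."""
    command = build_command(endpoint_ip, reasons)
    result = run(command, check=False, capture_output=True, text=True)
    return result.returncode
```

Call `quarantine("192.168.40.40", ["P2P Software Installed"])` from the sensor's action hook. Because the argument list is passed directly to the interpreter, a reason such as `"x" ; reboot` reaches the script as a plain string, which is the property the "Testing the Service" command line cannot give you if the sensor builds it by string concatenation.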
Allowing Sentriant AG Through the Firewall
Sentriant AG needs to communicate with the post-connect server through port 61616. See “Allowing the
Windows RPC Service through the Firewall” on page 180 for instructions on how to open a port on a
Windows machine.
B Tests Help
The tests performed on endpoints attempting to connect to the network are listed on the Sentriant AG
Home window>>NAC policies>>Select a NAC policy>>Tests. These tests are updated when you
download the latest versions by selecting Sentriant AG Home window>>System Configuration>>Test
Updates>>Check for Test Updates.
This appendix describes tests available to NAC policies. Each section covers one test and describes the
following sections:
● Description—An overview of the check performed in this test.
● Test Properties—Information on configuring the criteria which an endpoint must meet to pass the
test.
● How Does this Affect Me?—An explanation of the risks that the test attempts to mitigate.
● What Do I Need to Do?—Steps an administrator or user can take to help the endpoint pass the test.
Browser Security Policy—Windows
The Browser security policy tests verify that any endpoint attempting to connect to your system meets
your specified security requirements. Browser vulnerabilities are related to cookies, caches, and scripts
(JavaScript, Java, and Active scripting / ActiveX). You can specify generally what level of security to
enforce (High, Medium, Medium-low, or Low) or you can specify exactly what feature to allow or disallow.
Installing the most recent version of your browser also helps protect your system against exploits
targeting the latest vulnerabilities. Table 18 provides more information about types of browser
vulnerabilities:
Table 18: Browser Vulnerabilities

Cookies
Cookies are text files created by Web sites and stored on your computer. They contain user-specific
information—information about what Web pages you visited, information you filled out in online forms,
and your preferences for a particular Web site. Cookies are good when they enhance your Web
experience (online shopping carts work because of cookies) and can be bad if unencrypted information is
stored in them, which could be misused if an attacker gains access to them.
The following link provides detailed information about cookies:
• http://www.cookiecentral.com/content.phtml?area=2&id=1

Cache
Cache is a user-specifiable amount of disk space where temporary files are stored. These files contain
graphics and Web pages you visit. The primary purposes for storing Web page information are to save
time reloading pages and graphics, and to reduce network traffic by not having to repeatedly send the
information over the network. Risk occurs if there is sensitive information from encrypted pages stored
in the cache, which could be misused if an attacker gains access to the cache files.

Scripts
Scripts and scripting languages are executable code that provides a more interactive Web experience.
Some scripts are downloaded to your computer (ActiveX, Java), others are run via the browser
(JavaScript).

JavaScript
JavaScript is a scripting language used to enhance Web pages. JavaScript programs are embedded in
Web pages and enable active functionality; for example, JavaScript allows you to create images that
change when you move the mouse over them and clocks with moving parts.
The following links provide more detailed information about JavaScript:
• http://www.javascript.com/
• http://javascript.internet.com/
• http://www.javascriptkit.com/

Active scripting / ActiveX
Active scripting / ActiveX extends other programming languages (such as Java) by providing re-usable
"controls" that enable developers to make Web pages "active". ActiveX is Microsoft's brand for active
scripting.
The following links provide more detailed information about ActiveX:
• http://www.active-x.com/articles/whatis.htm
• http://www.active-x.com/
• http://www.newportinc.com/software/activex/whatisAX.htm

Java
Java is a programming language and a collection of platforms that are targeted toward a specific
hardware platform. Java programs are not limited by the operating system (OS) as they are interpreted
(run) by another program called the Java Virtual Machine (JVM). This enables Java programs to be
portable—that is, they can be run on a server, desktop, personal digital assistant (PDA), or in the
browser.
The following links provide more information about Java:
• http://java.sun.com/learning/new2java/index.html
• http://www.javaworld.com/channel_content/jw-topicalindex.shtml
• http://java.sun.com/
Browser Version
Description. This test verifies that the endpoint attempting to connect to your system has the latest
browser version installed.
Test Properties. Select the check box for the required browser software. Enter a version in the text box. If
no version is specified in the text box, the default version shown in the square brackets is required.
How Does this Affect Me?. Older browsers may not have adequate security or fixes against
vulnerabilities.
What Do I Need to Do?. Install a required browser or update your browser to the required version. See
the following links for browser information:
http://www.mozilla.com/en-US/firefox/
http://www.microsoft.com/windows/ie/ie6/default.mspx
Internet Explorer (IE) Internet Security Zone
Description. This test verifies that the endpoint attempting to connect to your system is configured
according to your specified Internet security zone standards.
Test Properties. Select the Internet Explorer Internet security zone settings required on your network.
● High. Disables all ActiveX Controls and plug-ins, disables file downloads, prompts for font
downloads, disables or prompts for Miscellaneous options, disables Scripting, requires login
● Medium. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a mix of
enabled, disabled and prompt for Miscellaneous options, enables Scripting, enables automatic login
for intranet
● Medium-low. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a
mix of enabled, disabled and prompt for Miscellaneous options, enables Scripting, enables automatic
login for intranet
● Low. A mix of enabled and prompt for ActiveX controls, enables downloads, a mix of enabled and
prompt for Miscellaneous options, enables Scripting, enables automatic login
How Does this Affect Me?. The Internet security zone defines a security level for all external Web sites
that you visit (unless you have specified exceptions in the trusted and restricted site configurations).
The default setting is Medium.
The following link provides details about the specific security options:
http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/security.mspx?mfr=true
What Do I Need to Do?. Perform the following steps:
1 Select Tools>>Internet Options>>Security>>Internet
2 Select Default Level to return to the default settings.
3 Select Custom Level to specify High, Medium, Medium-low, or Low or to create custom settings.
Internet Explorer (IE) Local Intranet Security Zone
Description. This test verifies that the endpoint attempting to connect to your system is configured
according to your specified local intranet security zone standards.
Test Properties. Select the Internet Explorer local intranet security zone settings required on your
network.
● High. Disables all ActiveX Controls and plug-ins, disables file downloads, prompts for font
downloads, disables or prompts for Miscellaneous options, disables Scripting, requires login
● Medium. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a mix of
enabled, disabled and prompt for Miscellaneous options, enables Scripting, enables automatic login
for intranet
● Medium-low. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a
mix of enabled, disabled and prompt for Miscellaneous options, enables Scripting, enables automatic
login for intranet
● Low. A mix of enabled and prompt for ActiveX controls, enables downloads, a mix of enabled and
prompt for Miscellaneous options, enables Scripting, enables automatic login
How Does this Affect Me?. The intranet security zone defines a security level for all internal Web sites
that you visit (unless you have specified exceptions in the trusted and restricted site configurations).
The default setting is Medium-low.
The following link provides details about the specific security options:
http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/security.mspx?mfr=true
What Do I Need to Do?. Perform the following steps:
1 Select Tools>>Internet Options>>Security>>Intranet
2 Select one of the following:
- Default Level to return to the default settings.
- Custom Level to specify High, Medium, Medium-low, or Low or to create custom settings.
Internet Explorer (IE) Restricted Site Security Zone
Description. This test verifies that the endpoint attempting to connect to your system is configured
according to your specified restricted site security zone standards.
Test Properties. Select the Internet Explorer restricted sites security zone settings required on your
network.
● High. Disables all ActiveX Controls and plug-ins, disables file downloads, prompts for font
downloads, disables or prompts for Miscellaneous options, disables Scripting, requires login
● Medium. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a mix of
enabled, disabled and prompt for Miscellaneous options, enables Scripting, enables automatic login
for intranet
● Medium-low. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a
mix of enabled, disabled and prompt for Miscellaneous options, enables Scripting, enables automatic
login for intranet
● Low. A mix of enabled and prompt for ActiveX controls, enables downloads, a mix of enabled and
prompt for Miscellaneous options, enables Scripting, enables automatic login
How Does this Affect Me?. The restricted sites security zone defines a security level for all restricted Web
sites that you visit. The default setting is High. You also define the specific sites by name and IP
address that are restricted. For example, you could specify www.unsafesite.com as a restricted site.
The following link provides details about the specific security options:
http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/security.mspx?mfr=true
What Do I Need to Do?. Perform the following steps:
1 Select Tools>>Internet Options>>Security>>Restricted sites
2 Select one of the following:
- Default Level to return to the default settings.
- Custom Level to specify High, Medium, Medium-low, or Low or to create custom settings.
3 Select Sites.
4 Enter a domain name or IP address in the Add this Web site to the zone text box.
5 Click Add.
6 Click OK.
Internet Explorer (IE) Trusted Sites Security Zone
Description. This test verifies that the endpoint attempting to connect to your system is configured
according to your specified trusted sites security zone standards.
Test Properties. Select the Internet Explorer trusted sites security zone settings required on your
network.
● High. Disables all ActiveX Controls and plug-ins, disables file downloads, prompts for font
downloads, disables or prompts for Miscellaneous options, disables Scripting, requires login
● Medium. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a mix of
enabled, disabled and prompt for Miscellaneous options, enables Scripting, enables automatic login
for intranet
● Medium-low. A mix of enabled, disabled and prompt for ActiveX controls, enables downloads, a
mix of enabled, disabled and prompt for Miscellaneous options, enables Scripting, enables automatic
login for intranet
● Low. A mix of enabled and prompt for ActiveX controls, enables downloads, a mix of enabled and
prompt for Miscellaneous options, enables Scripting, enables automatic login
How Does this Affect Me?. The trusted sites security zone defines a security level for all trusted Web sites
that you visit. The default setting is Low. You also define the specific sites by name or IP address that
are trusted. For example, you could specify www.mycompany.com as a trusted site.
The following link provides details about the specific security options:
http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/security.mspx?mfr=true
What Do I Need to Do?. Perform the following steps:
1 Select Tools>>Internet Options>>Security>>Trusted sites
2 Select one of the following:
- Default Level to return to the default settings.
- Custom Level to specify High, Medium, Medium-low, or Low or to create custom settings.
3 Select Sites.
4 Enter a domain name or IP address in the Add this Web site to the zone text box.
5 Select the Require server verification (https:) for all sites in this zone check box if encrypted
communications are required.
6 Click Add.
7 Click OK.
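The Browser Version test and the four Internet Explorer security zone tests above all reduce to the same question: is what the agent found on the endpoint at least as strict as what the NAC policy requires? The following is an added example for this guide, not Sentriant AG's test implementation, covering both the Browser Version test and the zone tests. It compares dotted version strings numerically (a plain string comparison would rank 3.9 above 3.10), orders the four zone levels from Low to High with the per-zone defaults the sections above quote, and evaluates a constructed endpoint report against a constructed policy. Treating "at least as restrictive" as a pass, and a custom level as a failure, are assumptions.

```python
"""Evaluate constructed endpoint reports against the Browser Version and IE
security zone tests described above. Added example, not Sentriant AG's test
implementation; the pass rules are assumptions stated in the comments."""
import re


def parse_version(text):
    """Turn '6.0.2900.2180' into (6, 0, 2900, 2180) so that comparison is numeric;
    a plain string comparison would rank 3.9 above 3.10."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def browser_version_passes(installed, required, default_required):
    """required is the text-box value from Test Properties; when it is blank the
    bracketed default is required. Assumption: installed >= required passes."""
    needed = required.strip() or default_required
    return parse_version(installed) >= parse_version(needed)


# IE zone levels from least to most restrictive, and the per-zone defaults quoted in the guide.
ZONE_LEVELS = ["Low", "Medium-low", "Medium", "High"]
ZONE_DEFAULTS = {
    "Internet": "Medium",
    "Local intranet": "Medium-low",
    "Restricted sites": "High",
    "Trusted sites": "Low",
}


def zone_passes(zone, actual, required=None):
    """Assumption: an endpoint passes a zone test when its level is at least as
    restrictive as the required level (the zone's default when none is given).
    Unknown level names (e.g. 'Custom') never pass, because a custom setting may
    have re-enabled any of the options the named levels disable."""
    needed = required or ZONE_DEFAULTS[zone]
    if actual not in ZONE_LEVELS:
        return False
    return ZONE_LEVELS.index(actual) >= ZONE_LEVELS.index(needed)


def evaluate_endpoint(report, policy):
    """report: what the agent found on the endpoint; policy: the NAC policy's
    Test Properties. Returns the names of the tests that failed."""
    failed = []
    for name, (required, default) in policy.get("browser_version", {}).items():
        installed = report.get("browsers", {}).get(name)
        if installed is None or not browser_version_passes(installed, required, default):
            failed.append(f"Browser Version: {name}")
    for zone, required in policy.get("zones", {}).items():
        if not zone_passes(zone, report.get("zones", {}).get(zone, ""), required):
            failed.append(f"IE {zone} Security Zone")
    return failed


# Constructed sample: an endpoint with an old Firefox and a loosened Internet zone.
SAMPLE_REPORT = {
    "browsers": {"Firefox": "2.0.0.14", "Internet Explorer": "6.0.2900.2180"},
    "zones": {"Internet": "Medium-low", "Local intranet": "Medium-low",
              "Restricted sites": "High", "Trusted sites": "Low"},
}
# Constructed policy: (text-box value, bracketed default) per browser; None = zone default.
SAMPLE_POLICY = {
    "browser_version": {"Firefox": ("3.0", "2.0"), "Internet Explorer": ("", "6.0")},
    "zones": {"Internet": None, "Local intranet": None,
              "Restricted sites": None, "Trusted sites": None},
}
```

`evaluate_endpoint(SAMPLE_REPORT, SAMPLE_POLICY)` reports the Firefox version and the Internet zone as the failing tests, which is what the "What Do I Need to Do?" steps above would then address on that endpoint.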
Operating System—Windows
The Operating System (OS) tests verify that any endpoint attempting to connect to your system meets
your specified OS requirements. Installing the most recent version of your OS helps protect your
system against exploits targeting the latest vulnerabilities.
IIS Hotfixes
Description. Checks for updates to Microsoft Internet Information Services (IIS).
Test Properties. Select the check box for each IIS update to verify. Select the All Critical Updates check
box for the most secure option.
How Does this Affect Me?. Hotfixes are programs that update the software and may include performance
enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix,
whereas a patch includes multiple hotfixes.
What Do I Need to Do?. Use the Windows 2000 IIS Hotfix Checking Tool to verify that you have the
latest hotfixes:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=6C8AFC1C-5008-4AC884E1-1632937DBD74
Internet Explorer Hotfixes
Description. Checks for hotfixes to Microsoft Internet Explorer (IE).
Test Properties. Select the hotfixes required on your network. If needed select Deep Check to permit
endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical
patches that have been released or will be released by Microsoft.
How Does this Affect Me?. Hotfixes are programs that update the software and may include performance
enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix,
whereas a patch includes multiple hotfixes.
What Do I Need to Do?. Manually initiate an update check (http://v4.windowsupdate.microsoft.com/en/
default.asp) if automatic update is not enabled, or is not working.
Microsoft Office Hotfixes
Description. This test verifies that the endpoint attempting to connect to your system has the latest
Microsoft Office hotfixes installed.
Test Properties. Select the hotfixes required on your network. If needed select Deep Check to permit
endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical
patches that have been released or will be released by Microsoft.
How Does this Affect Me?. Hotfixes are programs that update the software and may include performance
enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix,
whereas a patch includes multiple hotfixes.
What Do I Need to Do?. Manually initiate an update check at
http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us
or by clicking on one of the update numbers underlined at the right side of the window as shown in
Figure 212.
Figure 212: Microsoft Office Hotfixes Critical Updates
Microsoft Applications Hotfixes
Description. Checks for hotfixes to Microsoft Applications.
Test Properties. Select the hotfixes required on your network. If needed select Deep Check to permit
endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical
patches that have been released or will be released by Microsoft.
How Does this Affect Me?. Hotfixes are programs that update the software and may include performance
enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix,
whereas a patch includes multiple hotfixes.
What Do I Need to Do?. Manually initiate an update check at
http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us
or by clicking on one of the update numbers underlined at the right side of the window as shown in
Figure 212.
Microsoft Servers Hotfixes
Description. Checks for hotfixes to Microsoft Servers.
Test Properties. Select the hotfixes required on your network. If needed select Deep Check to permit
endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical
patches that have been released or will be released by Microsoft.
How Does this Affect Me?. Hotfixes are programs that update the software and may include performance
enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix,
whereas a patch includes multiple hotfixes.
What Do I Need to Do?. Manually initiate an update check at
http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us
or by clicking on one of the update numbers underlined at the right side of the window as shown in
Figure 212.
Microsoft Tools Hotfixes
Description. Checks for hotfixes to Microsoft Tools.
Test Properties. Select the hotfixes required on your network. If needed select Deep Check to permit
endpoint tests to run at the file level. Selecting the All critical updates option requires all the critical
patches that have been released or will be released by Microsoft.
How Does this Affect Me?. Hotfixes are programs that update the software and may include performance
enhancements, bug fixes, security enhancements, and so on. A hotfix usually contains a single fix,
whereas a service pack bundles many hotfixes.
What Do I Need to Do?. Manually initiate an update check at http://www.update.microsoft.com/
microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us or by clicking on one of the update numbers underlined at the right side of the window as shown in
Figure 212.
Service Packs
Description. This test verifies that the endpoint attempting to connect to your system has the latest
operating system (OS) service packs installed.
Test Properties. The service packs are listed here by operating system. If needed select Deep Check to
permit endpoint tests to run at the file level.
How Does this Affect Me?. Service packs are programs that update the software and may include
performance enhancements, bug fixes, security enhancements, and so on. A service pack usually bundles
many fixes, whereas a hotfix is usually a single fix.
What Do I Need to Do?. Manually initiate an update check (http://v4.windowsupdate.microsoft.com/en/
default.asp) if automatic update is not enabled, or is not working.
Windows 2000 SP4 Hotfixes
Description. This test verifies that the endpoint attempting to connect to your system has the Windows
2000 SP4 hotfixes installed.
Test Properties. Select the hotfixes from the list presented that are required on your network. This list
will occasionally change as tests are updated. If needed select Deep Check to permit endpoint tests to
run at the file level. The most secure option is to select the All critical updates option, as this requires
all the critical patches that have been released or that will be released by Microsoft. You don't have to
keep checking by patch number.
How Does this Affect Me?. Hotfixes are programs that update the software and may include performance
enhancements, bug fixes, security enhancements, and so on. A hotfix usually contains a single fix,
whereas a service pack bundles many hotfixes.
What Do I Need to Do?. Manually initiate an update check at http://www.update.microsoft.com/
microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us or by clicking on one of the update numbers underlined at the right side of the window as shown in
Figure 212.
Windows 2003 SP1 Hotfixes
Description. This test verifies that the endpoint attempting to connect to your system has the latest
Windows 2003 SP1 hotfixes installed.
Test Properties. Select the hotfixes from the list presented that are required on your network. This list
will occasionally change as tests are updated. If needed select Deep Check to permit endpoint tests to
run at the file level. The most secure option is to select the All critical updates option, as this requires
all the critical patches that have been released or that will be released by Microsoft. You don't have to
keep checking by patch number.
How Does this Affect Me?. Hotfixes are programs that update the software and may include performance
enhancements, bug fixes, security enhancements, and so on. A hotfix usually contains a single fix,
whereas a service pack bundles many hotfixes.
What Do I Need to Do?. Manually initiate an update check at http://www.update.microsoft.com/
microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us or by clicking on one of the update numbers underlined at the right side of the window as shown in
Figure 212.
Windows 2003 SP2 Hotfixes
Description. This test verifies that the endpoint attempting to connect to your system has the latest
Windows 2003 SP2 hotfixes installed.
Test Properties. Select the hotfixes from the list presented that are required on your network. This list
will occasionally change as tests are updated. If needed select Deep Check to permit endpoint tests to
run at the file level. The most secure option is to select the All critical updates option, as this requires
all the critical patches that have been released or that will be released by Microsoft. You don't have to
keep checking by patch number.
How Does this Affect Me?. Hotfixes are programs that update the software and may include performance
enhancements, bug fixes, security enhancements, and so on. A hotfix usually contains a single fix,
whereas a service pack bundles many hotfixes.
What Do I Need to Do?. Manually initiate an update check at http://www.update.microsoft.com/
microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us or by clicking on one of the update numbers underlined at the right side of the window as shown in
Figure 212.
Windows Automatic Updates
Description. This test verifies that the endpoint attempting to connect to your system has Windows
Automatic Updates enabled.
Test Properties. Select the minimum setting for Windows automatic updates that is required of
endpoints attempting to connect to your network.
● On – Download and install automatically
● On – Download automatically but notify before installing (Recommended)
● On – Notify before downloading and installing
● Off – No action taken (Not recommended)
How Does this Affect Me?. Microsoft periodically releases software updates to "patch holes"
(vulnerabilities) and incorporate other fixes and updates. Although you can manually initiate an update
check (http://v4.windowsupdate.microsoft.com/en/default.asp), automatically checking for updates
ensures a higher level of security. Updates can be service packs or hotfixes.
Read more about Windows Update here: http://www.microsoft.com/security/protect/update.asp.
What Do I Need to Do?. Enable automatic updates. See the following link for instructions:
http://www.microsoft.com/protect/computer/updates/mu.mspx
Enable automatic updates for Windows 2000:
1 Select Start>>Settings>>Control Panel>>Automatic Updates
2 Select Keep my computer up to date.
3 Select Download the updates automatically and notify me when they are ready to be installed.
4 Click OK.
Windows Media Player Hotfixes
Description. Checks for Windows Media Player hotfixes.
Test Properties. Select the hotfixes required on your network. Selecting All critical updates requires all
the critical patches that have been released or will be released by Microsoft.
How Does this Affect Me?. Hotfixes are programs that update the software and may include performance
enhancements, bug fixes, security enhancements, and so on. A hotfix usually contains a single fix,
whereas a service pack bundles many hotfixes.
What Do I Need to Do? . Manually initiate an update check (http://v4.windowsupdate.microsoft.com/en/
default.asp) if automatic update is not enabled, or is not working.
Windows Vista™ SP0 Hotfixes
Description. This test verifies that the endpoint attempting to connect to your system has the latest
Windows Vista SP0 hotfixes installed. The following versions of Windows Vista are currently supported:
● Vista Ultimate
● Vista Home Premium
● Vista Home Basic
● Vista Business
● Vista Enterprise
Test Properties. Select the hotfixes from the list presented that are required on your network. This list
will occasionally change as tests are updated. If needed select Deep Check to permit endpoint tests to
run at the file level. The most secure option is to select the All critical updates option, as this requires
all the critical patches that have been released or that will be released by Microsoft. You don't have to
keep checking by patch number.
How Does this Affect Me?. Hotfixes are programs that update the software and may include performance
enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix,
whereas a service pack includes multiple hotfixes.
What Do I Need to Do?. Manually initiate an update check at http://www.update.microsoft.com/
microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us or by clicking on one of the update numbers underlined at the right side of the window as shown in
Figure 212.
Windows XP SP1 Hotfixes
Description. This test verifies that the endpoint attempting to connect to your system has the latest
Windows XP SP1 hotfixes installed.
Test Properties. Select the hotfixes from the list presented that are required on your network. This list
will occasionally change as tests are updated. If needed select Deep Check to permit endpoint tests to
run at the file level. The most secure option is to select the All critical updates option, as this requires
all the critical patches that have been released or that will be released by Microsoft. You don't have to
keep checking by patch number.
How Does this Affect Me?. Hotfixes are programs that update the software and may include performance
enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix,
whereas a service pack includes multiple hotfixes.
What Do I Need to Do?. Manually initiate an update check at http://www.update.microsoft.com/
microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us or by clicking on one of the update numbers underlined at the right side of the window as shown in
Figure 212.
Windows XP SP2 Hotfixes
Description. This test verifies that the endpoint attempting to connect to your system has the latest
Windows XP SP2 hotfixes installed.
Test Properties. Select the hotfixes from the list presented that are required on your network. This list
will occasionally change as tests are updated. If needed select Deep Check to permit endpoint tests to
run at the file level. The most secure option is to select the All critical updates option, as this requires
all the critical patches that have been released or that will be released by Microsoft. You don't have to
keep checking by patch number.
How Does this Affect Me?. Hotfixes are programs that update the software and may include performance
enhancements, bug fixes, security enhancements, and so on. There is usually only one fix in a hotfix,
whereas a service pack includes multiple hotfixes.
What Do I Need to Do?. Manually initiate an update check (http://v4.windowsupdate.microsoft.com/en/
default.asp) if automatic update is not enabled, or is not working.
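The hotfix tests above let you either require every critical update or tick individual patch numbers. The following Python is added here as an illustration of the comparison the per-number mode implies; it is not Sentriant AG code. Both the installed-hotfix inventory and the required list are constructed sample data, and the KB numbers are placeholders rather than real updates. The point it makes is that hotfix identifiers arrive in several spellings (KB prefix, legacy Q prefix, bare number, stray separators), so an agent must normalize them before comparing or it will report false failures.

```python
import re

# Constructed sample of an endpoint's installed hotfixes, in the mixed spellings
# inventory tools produce (KB prefix, legacy Q prefix, bare number, stray
# whitespace and case). The numbers are placeholders, not real updates.
INSTALLED_SAMPLE = ["KB100001", "q100002", " 100003 ", "KB100004", "KB-100005"]

# Constructed required list, as an administrator might tick it in Test Properties.
REQUIRED_SAMPLE = ["KB100001", "KB100002", "KB100003", "KB100005", "KB100006"]

# Optional KB or Q prefix, optional separator, then the number itself.
_KB_RE = re.compile(r"^\s*(?:KB|Q)?[-_ ]?(\d{5,7})\s*$", re.IGNORECASE)


def normalize_kb(label):
    """Return the canonical 'KBnnnnnn' form, or None if the label is not a hotfix ID."""
    m = _KB_RE.match(label)
    return "KB" + m.group(1) if m else None


def missing_hotfixes(installed, required):
    """Required hotfix IDs that are absent from the endpoint, canonical form, sorted."""
    have = {normalize_kb(x) for x in installed} - {None}
    want = {normalize_kb(x) for x in required} - {None}
    return sorted(want - have)


def evaluate_hotfix_test(installed, required):
    """Verdict in the shape the test reports: pass only when nothing required is missing."""
    missing = missing_hotfixes(installed, required)
    return {"pass": not missing, "missing": missing}


if __name__ == "__main__":
    print(evaluate_hotfix_test(INSTALLED_SAMPLE, REQUIRED_SAMPLE))
```

With the sample data the verdict is a failure listing KB100006 only: the Q-prefixed, bare and hyphenated spellings are all recognised as installed.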
Security Settings—OS X
Mac AirPort WEP Enabled
Description. This test verifies that WEP encryption is enabled for AirPort.
Test Properties. There are no properties to set for this test.
How Does this Affect Me?. Wired Equivalent Privacy (WEP) is the original 802.11 encryption scheme. Its
name states the intent, a wireless link no easier to eavesdrop on than a wired one, but WEP has
well-known design flaws and an attacker who captures enough traffic can recover the key, so treat it as a
minimum rather than as adequate protection and prefer WPA or WPA2 wherever the access point and
endpoints support it. This test reports only whether WEP is turned on; it does not judge the rest of the
wireless configuration. Whenever you use a wireless technology, you should make sure that it is secure
so that others cannot access your network.
What Do I Need to Do? . Configure the Mac endpoint to use WEP encryption. Select Mac Help, or refer
to the following link for assistance on configuring AirPort:
http://www.apple.com/support/airport/
Mac AirPort Preference
Description. This test verifies that the Mac AirPort® joins only preferred networks.
Test Properties. There are no properties to set for this test.
How Does this Affect Me?. If you move between different locations, and you use an AirPort network in
each one, you can choose your preferred AirPort network for each network location you create. When
you move to a different location, your Mac will connect to your preferred AirPort network.
What Do I Need to Do? . Configure the Mac endpoint to join only preferred networks. Select Mac Help,
or refer to the following link for assistance on configuring AirPort:
http://www.apple.com/support/airport/
Mac AirPort User Prompt
Description. This test verifies that the user is prompted before joining an open network.
Test Properties. There are no properties to set for this test.
How Does this Affect Me?. If you move between different locations, this option prompts you before
automatically joining any network.
What Do I Need to Do? . Configure the Mac endpoint to prompt before joining open networks. Select
Mac Help, or refer to the following link for assistance on configuring AirPort:
http://www.apple.com/support/airport/
Mac Anti-virus
Description. This test passes if at least one of the required anti-virus software programs for Mac
endpoints is installed.
Test Properties. Select the anti-virus software allowed on your network. Any endpoint that does not
have at least one of the anti-virus software packages selected will fail this test.
How Does this Affect Me?. Anti-virus software scans your computer, email, and other files for known
viruses, worms, and trojan horses. It matches files against signatures of known malicious code and
quarantines or removes what it finds, which is why its definitions must be kept current. A virus is a
program that infects other programs and files and can spread when a user opens a program or file
containing the virus. A virus needs a host (the program or file) to spread.
A worm is a program that can also perform malicious acts (such as deleting files and sending email);
however, it replicates itself and does not need a host (program or file) to spread. Frequently, worms are
used to install a backdoor (a way for an attacker to gain access without having to log in).
A trojan horse is a stand-alone program that is not what it seems. For example, it may appear to be a
calendar program, but when you open it, it erases all your files and displays a message, such as "Ha ha,
I deleted your files!" Trojan horse programs do not spread or replicate themselves; they rely on the user
to run them.
What Do I Need to Do?. Make sure you have an anti-virus program installed, and that the virus
definitions are kept up-to-date.
The following link provides more information on anti-virus software and protecting your computer:
http://www.us-cert.gov/cas/tips/ST04-005.html
Mac Bluetooth
Description. This test verifies that Bluetooth is either completely disabled or if enabled is not
discoverable.
Test Properties. There are no properties to set for this test.
How Does this Affect Me?. Bluetooth is a wireless technology that allows computers and other endpoints
(such as mobile phones and personal digital assistants (PDAs)) to communicate. Whenever you use a
wireless technology, you should make sure that it is secure so that others cannot access your network.
What Do I Need to Do? . Disable Bluetooth, or configure Bluetooth so that it is not discoverable on the
endpoint.
Select Mac Help, or refer to the following for assistance on configuring Bluetooth:
http://www.apple.com/bluetooth/
http://www.bluetooth.com/bluetooth/
Mac Firewall
Description. This test verifies that the firewall is enabled.
Test Properties. There are no properties to set for this test.
How Does this Affect Me?. See the description of firewalls under “How Does this Affect Me?” on page
440.
What Do I Need to Do? . Enable the firewall on the endpoint.
Mac endpoint>>Apple Menu>>System Preferences>>Sharing>>Firewall
1 Select the services and ports you want to allow in the Allow area.
2 Click Start.
Mac Internet Sharing
Description. This test verifies that the internet sharing is disabled.
Test Properties. There are no properties to set for this test.
How Does this Affect Me?. Mac internet sharing allows one computer to share its internet connection
with other computers. This can present security risks by allowing other users to access the network.
What Do I Need to Do? . Disable internet sharing on the endpoint.
Mac endpoint>>Apple Menu>>System Preferences>>Sharing
1 Select the Internet tab.
2 Click Stop.
Mac QuickTime® Updates
Description. This test verifies that the QuickTime updates have been applied on this endpoint.
Test Properties. When an endpoint fails this test, it can be granted temporary access in the following
ways:
● Select the Quarantine access check box and enter a temporary access period. This is the amount of
time the endpoint will have access, counted from when the endpoint was detected by Sentriant AG.
● Enter an Allowed grace period in the Test properties area. This is the amount of time after a
security update is issued during which an endpoint that has not yet installed it still passes the test;
once that period has elapsed, the missing update causes a failure.
How Does this Affect Me?. Security updates are programs that update the software and may include
performance enhancements, bug fixes, security enhancements, and so on.
What Do I Need to Do? . Initiate an update from within QuickTime (Help>>Update Existing Software)
or click on one of the links shown in the Test Properties area. For more information on Mac OS X
software updates, see the following page: http://docs.info.apple.com/article.html?artnum=106704.
Mac Security Updates
Description. This test verifies that the security updates have been applied on this endpoint.
Test Properties. When an endpoint fails this test, it can be granted temporary access in the following
ways:
● Select the Quarantine access check box and enter a temporary access period. This is the amount of
time the endpoint will have access, counted from when the endpoint was detected by Sentriant AG.
● Enter an Allowed grace period in the Test properties area. This is the amount of time after a
security update is issued during which an endpoint that has not yet installed it still passes the test;
once that period has elapsed, the missing update causes a failure.
How Does this Affect Me?. Security updates are programs that update the software and may include
performance enhancements, bug fixes, security enhancements, and so on.
What Do I Need to Do? . Initiate an update by clicking on one of the links shown in the Test Properties
area. For more information on Mac OS X software updates, see the following page: http://
docs.info.apple.com/article.html?artnum=106704.
Mac Services
Description. This test verifies that the services checked here are allowed on the endpoint.
Test Properties. Select one or more check boxes for services that are allowed on the endpoint.
How Does this Affect Me?. Services are operating system applications that run automatically, without
manual intervention.
What Do I Need to Do? . Enable or disable services on the endpoint.
Mac endpoint>>Apple Menu>>System Preferences>>Sharing
1 Select the Services tab.
2 Select a service, such as Personal File Sharing.
3 Click Stop to turn off sharing for that service, or Start to turn on sharing for that service.
Security Settings—Windows
The Security settings tests verify that any endpoint attempting to connect to your system meets your
specified security settings requirements.
Allowed Networks
Description. Checks for the presence of an unauthorized connection on an endpoint. These might include
connections to a rogue wireless access point, a VPN, or another remote network.
Test Properties. Enter a list of IP ranges that are legitimate for your network. Add the ranges separating
the start and end IP with a "-". For example, 10.10.1.20-10.10.1.254. An endpoint holding an address
outside every listed range fails the test.
How Does this Affect Me?. Unauthorized connections to your network can allow attackers access to
sensitive information on your network or allow them to disrupt network services.
What Do I Need to Do? . Enter the IP address ranges that are allowed for your network.
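The Allowed Networks test reduces to an interval check over the endpoint's addresses. The Python below is an added illustration of that check and is not Sentriant AG code; it parses the "start-end" list in the syntax the Test Properties use, rejects malformed or reversed ranges, and reports every address that lies outside the allowed ranges. The allowed list and the endpoint's addresses are constructed sample data. Skipping link-local (169.254.x.x) addresses is a design choice of this example, since a failed DHCP lease is not a rogue connection; pass ignore_link_local=False to flag them too.

```python
import ipaddress

# Constructed policy in the test's own syntax: one 'start-end' range per line.
ALLOWED_SAMPLE = """
10.10.1.20-10.10.1.254
10.10.2.1-10.10.2.254
"""

# Constructed snapshot of the addresses bound on an endpoint's interfaces:
# a wired corporate address, loopback, an APIPA address on an idle adapter,
# and an address from an outside network (a rogue access point or VPN).
ENDPOINT_ADDRS_SAMPLE = ["10.10.1.77", "127.0.0.1", "169.254.3.9", "192.168.1.105"]


def parse_ranges(text):
    """Parse 'A.B.C.D-W.X.Y.Z' entries (newline or comma separated) into (start, end) pairs.

    Raises ValueError for an entry that is not two addresses joined by '-' or whose
    end precedes its start, so a typo in the policy fails loudly instead of silently
    allowing nothing (or everything).
    """
    ranges = []
    for raw in text.replace(",", "\n").splitlines():
        entry = raw.strip()
        if not entry:
            continue
        if entry.count("-") != 1:
            raise ValueError("range must be 'start-end': %r" % entry)
        start_s, end_s = (p.strip() for p in entry.split("-"))
        start = ipaddress.IPv4Address(start_s)  # raises ValueError on a bad address
        end = ipaddress.IPv4Address(end_s)
        if end < start:
            raise ValueError("range end precedes start: %r" % entry)
        ranges.append((start, end))
    return ranges


def is_allowed(addr, ranges):
    """True if addr falls inside at least one allowed range (inclusive at both ends)."""
    a = ipaddress.IPv4Address(addr)
    return any(start <= a <= end for start, end in ranges)


def unauthorized_addresses(endpoint_addrs, ranges, ignore_link_local=True):
    """Addresses that indicate a connection outside the allowed networks.

    Loopback is always skipped; link-local (APIPA) is skipped by default because it
    means 'no DHCP lease', not 'joined to another network'.
    """
    bad = []
    for addr in endpoint_addrs:
        a = ipaddress.IPv4Address(addr)
        if a.is_loopback or (ignore_link_local and a.is_link_local):
            continue
        if not is_allowed(addr, ranges):
            bad.append(addr)
    return bad


if __name__ == "__main__":
    allowed = parse_ranges(ALLOWED_SAMPLE)
    print("unauthorized:", unauthorized_addresses(ENDPOINT_ADDRS_SAMPLE, allowed))
```

With the sample data only 192.168.1.105 is reported; the range bounds are inclusive, so 10.10.1.20 and 10.10.1.254 both pass while 10.10.1.19 does not.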
Microsoft Excel Macros
Description. This test verifies that the endpoint attempting to connect to your system has the Microsoft
Excel macro security level specified by your security standards.
Test Properties. Select the minimum Microsoft Excel macro security setting that is required for an
endpoint to connect to your network.
● Very High. Only macros installed in trusted locations will be allowed to run. All other signed and
unsigned macros are disabled.
● High. Only signed macros from trusted sources will be allowed to run. Unsigned macros are
automatically disabled.
● Medium. You can choose whether or not to run potentially unsafe macros.
● Low (not recommended). You are not protected from potentially unsafe macros. Use this setting only
if you have virus scanning software installed, or you have checked the safety of all documents you
open.
How Does this Affect Me?. Macros are simple programs that are used to repeat commands and
keystrokes within another program. A macro can be invoked (run) with a simple command that you
assign, such as [ctrl]+[shift]+[r]. Some viruses are macro viruses and are hidden within a document.
When you open an infected document, the macro virus runs. A macro virus can save itself to other files
(such as the Normal template) and can potentially infect all of your files. If a user on another computer
opens the infected file, the virus can spread to their computer as well.
What Do I Need to Do? . Set the Microsoft Excel macro security level as follows:
1 Open Excel.
2 Select Tools>>Macro>>Security>>Security Level tab.
3 Select High, Medium, or Low.
4 Click ok.
Microsoft Outlook Macros
Description. This test verifies that the endpoint attempting to connect to your system has the Microsoft
Outlook macro security level specified by your security standards.
Test Properties. Select the minimum Microsoft Outlook macro security setting that is required for an
endpoint to connect to your network.
● Very High. Only macros installed in trusted locations will be allowed to run. All other signed and
unsigned macros are disabled.
● High. Only signed macros from trusted sources will be allowed to run. Unsigned macros are
automatically disabled.
● Medium. You can choose whether or not to run potentially unsafe macros.
● Low (not recommended). You are not protected from potentially unsafe macros. Use this setting only
if you have virus scanning software installed, or you have checked the safety of all documents you
open.
How Does this Affect Me?. Macros are simple programs that are used to repeat commands and
keystrokes within another program. A macro can be invoked (run) with a simple command that you
assign, such as [ctrl]+[shift]+[r]. Some viruses are macro viruses and are hidden within a document.
When you open an infected document, the macro virus runs. A macro virus can save itself to other files
(such as the Normal template) and can potentially infect all of your files. If a user on another computer
opens the infected file, the virus can spread to their computer as well.
What Do I Need to Do? . Set the Microsoft Outlook macro security level as follows:
1 Open Outlook.
2 Select Tools>>Macro>>Security>>Security Level tab.
3 Select High, Medium, or Low.
4 Click ok.
Microsoft Word Macros
Description. This test verifies that the endpoint attempting to connect to your system has the Microsoft
Word macro security level specified by your security standards.
Test Properties. Select the minimum Microsoft Word macro security setting that is required for an
endpoint to connect to your network.
● Very High. Only macros installed in trusted locations will be allowed to run. All other signed and
unsigned macros are disabled.
● High. Only signed macros from trusted sources will be allowed to run. Unsigned macros are
automatically disabled.
● Medium. You can choose whether or not to run potentially unsafe macros.
● Low (not recommended). You are not protected from potentially unsafe macros. Use this setting only
if you have virus scanning software installed, or you have checked the safety of all documents you
open.
How Does this Affect Me?. Macros are simple programs that are used to repeat commands and
keystrokes within another program. A macro can be invoked (run) with a simple command that you
assign, such as [ctrl]+[shift]+[r]. Some viruses are macro viruses and are hidden within a document.
When you open an infected document, the macro virus runs. A macro virus can save itself to other files
(such as the Normal template) and can potentially infect all of your files. If a user on another computer
opens the infected file, the virus can spread to their computer as well.
What Do I Need to Do?. Set the Microsoft Word macro security level as follows:
1 Open Word.
2 Select Tools>>Macro>>Security>>Security Level tab.
3 Select High, Medium, or Low.
4 Click ok.
Services Not Allowed
Description. This test verifies that the endpoint attempting to connect to your system is running only
compliant services.
Test Properties. Enter a list of services that are not allowed on connecting endpoints. Separate additional
services with a carriage return. Use the service names found in the Start>>Settings>>Control
Panel>>Administrative Tools>>services application. For example:
Telnet
Messenger
Remote Desktop Help Session Manager
How Does this Affect Me?. Services are Windows operating system applications that run automatically,
without manual intervention.
Services explained:
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx
How to identify the services running in a process:
http://www.microsoft.com/resources/documentation/windows/2000/server/scriptguide/en-us/
sas_ser_arwi.mspx
Tips on Windows XP services:
http://www.theeldergeek.com/services_guide.htm
What Do I Need to Do?. For services you never use, disable the service. For services you may use
occasionally, change the startup type from automatic to manual.
How to change the service startup type:
1 Select Start>>Settings>>Control Panel>>Administrative Tools>>Services.
2 Right-click on a service and select Properties.
3 Select Manual or Disabled from the Startup type drop-down list.
4 Click OK.
5 Close the Services window.
6 Close the Administrative Tools window.
Services Required
Description. This test verifies that the endpoint attempting to connect to your system is running the
services specified by your security standards.
Test Properties . Enter a list of services that are required for connecting endpoints. Separate additional
services with a carriage return. Use the service names found in the Start>>Settings>>Control
Panel>>Administrative Tools>>services application. For example:
Telnet
Messenger
Remote Desktop Help Session Manager
How Does this Affect Me?. Services are Windows operating system applications that run automatically,
without manual intervention.
Services explained:
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx
How to identify the services running in a process:
http://www.microsoft.com/resources/documentation/windows/2000/server/scriptguide/en-us/
sas_ser_arwi.mspx
Tips on Windows XP services:
http://www.theeldergeek.com/services_guide.htm
What Do I Need to Do?. For services you always use, change the startup type to automatic.
How to change the service startup type:
1 Select Start>>Settings>>Control Panel>>Administrative Tools>>Services.
2 Right-click on a service and select Properties.
3 Select Automatic from the Startup type drop-down list.
4 Click OK.
5 Close the Services window.
6 Close the Administrative Tools window.
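Both services tests match on the names shown in the Services console, which are display names rather than the short service names. The Python below is an added example, not part of Sentriant AG; it parses a constructed excerpt in the layout of `sc query state= all` (the `state= all` argument matters because `sc query` on its own omits stopped services), then evaluates a Services Not Allowed list and a Services Required list against it. The lists are one name per line, as the Test Properties describe, and the comparison folds case because Windows display names are case-insensitive.

```python
# Constructed excerpt in the layout of `sc query state= all`; not captured from a
# real endpoint. STATE 4 is RUNNING, STATE 1 is STOPPED.
SC_QUERY_SAMPLE = """
SERVICE_NAME: TlntSvr
DISPLAY_NAME: Telnet
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: Messenger
DISPLAY_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
"""

# Constructed policy lists, one display name per line as the Test Properties describe.
NOT_ALLOWED_SAMPLE = "Telnet\nMessenger\nRemote Desktop Help Session Manager\n"
REQUIRED_SAMPLE = "Automatic Updates\nMessenger\n"


def parse_policy_list(text):
    """Split a one-name-per-line policy field into a list, ignoring blank lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def parse_sc_query(text):
    """Map each service's display name to its state word ('RUNNING', 'STOPPED', ...)."""
    services = {}
    display = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DISPLAY_NAME:"):
            display = stripped.split(":", 1)[1].strip()
        elif display is not None and stripped.startswith("STATE"):
            # "STATE : 4  RUNNING" -> the trailing word is the state name
            services[display] = stripped.split()[-1]
            display = None
    return services


def running_names(text):
    """Lower-cased display names of the services currently running."""
    return {name.lower() for name, state in parse_sc_query(text).items() if state == "RUNNING"}


def services_not_allowed_failures(sc_output, denied):
    """Denied services found running. The test passes only when this list is empty."""
    running = running_names(sc_output)
    return sorted(name for name in denied if name.lower() in running)


def services_required_failures(sc_output, required):
    """Required services not running (stopped or not installed). Empty means pass."""
    running = running_names(sc_output)
    return sorted(name for name in required if name.lower() not in running)


if __name__ == "__main__":
    print("not allowed but running:",
          services_not_allowed_failures(SC_QUERY_SAMPLE, parse_policy_list(NOT_ALLOWED_SAMPLE)))
    print("required but not running:",
          services_required_failures(SC_QUERY_SAMPLE, parse_policy_list(REQUIRED_SAMPLE)))
```

Against the sample, Telnet is the only denied service running (Messenger is stopped, and the Remote Desktop Help Session Manager is not installed), and Messenger is the only required service not running. Note that a service set to Manual passes the Not Allowed test while stopped but can still be started on demand; Disabled is the setting that actually prevents it from running.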
Windows Bridge Network Connection
Description. This test verifies that the endpoint attempting to connect to the network does not have a
bridged network connection present. A bridged network connection allows the connecting endpoint to
transparently send traffic to and from another network. An example use of this type of connection
would be to bridge a high-speed cellular network connection in and out of the local network. A bridged
network connection poses a significant security risk.
Test Properties. Any endpoint which has a Windows bridge Network Connection will fail this test.
How Does this Affect Me?. Using network bridges can be useful in some environments; however, they
also create a security risk.
What Do I Need to Do? . Do not use network bridges.
The following articles describe bridge networking:
http://technet2.microsoft.com/windowsserver/en/library/df594316-cd92-4c38-9773-4c6d74e02a431033.mspx?mfr=true
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/
hnw_understanding_bridge.mspx?mfr=true
http://www.microsoft.com/windowsxp/using/networking/expert/crawford_02april22.mspx
Windows Wireless Network SSID Connections
Description. Checks for the presence of an unauthorized connection on an endpoint. This might include
connections to a rogue wireless access point, VPN, or other remote network.
Test Properties. Enter a list of allowed Wireless SSIDs that are legitimate for your network. Enter the
SSIDs as a comma-delimited list. For example, HomeNet, WorkNet. The following wireless adapters are
supported: NetGear, LinkSYS, D-Link.
How Does this Affect Me?. An endpoint associated with a wireless network you do not control (a rogue or
neighbouring access point, for example) can expose its traffic to eavesdropping and give an outside
network a path onto yours. Listing the SSIDs you operate lets the test flag any other association.
What Do I Need to Do? . The following link provides more information on SSID naming and wireless
networking.
http://en.wikipedia.org/wiki/SSID
Windows Security Policy
Description. This test verifies that the endpoint attempting to connect to your system follows the
Windows local security policy best practices.
Test Properties. Select the Windows local security policy options you want to require on your network.
● Enable "Network access: Do not allow storage of credentials or .NET Passports for network
authentication"
● Disable "Network access: Let Everyone permissions apply to anonymous users"
● Enable "Accounts: Limit local account use of blank passwords to console logon only"
How Does this Affect Me?. Certain configurations, such as the ones listed above, create potential holes
that can leak sensitive information if your system is compromised. Selecting the above policy options
creates a more secure network environment. The following links provide detailed information on these
security settings:
● Enable "Network access: Do not allow storage of credentials or .NET Passports for network
authentication"
http://technet2.microsoft.com/windowsserver/en/library/66a6776a-b1ef-43dd-8f18-d694fd07494b1033.mspx?mfr=true
● Disable "Network access: Let Everyone permissions apply to anonymous users"
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/loc_sec_set.mspx?mfr=true
● Enable "Accounts: Limit local account use of blank passwords to console logon only"
http://www.microsoft.com/resources/documentation/IIS/6/all/proddocs/en-us/Default.asp?url=/resources/documentation/IIS/6/all/proddocs/en-us/636.asp
What Do I Need to Do?. To select the security policies:
1 Select Start>>Settings>>Control Panel>>Administrative Tools.
2 Double-click Local Security Policy.
3 Double-click Local Policies.
4 Double-click Security Options.
5 Double-click a security policy.
6 Select Enabled or Disabled.
7 Click OK.
8 Close the Local Security Settings window.
9 Close the Administrative Tools window.
Windows Startup Registry Entries Allowed
Description. This test verifies that the endpoint attempting to connect to your system does not contain
non-compliant registry entries in the run and runOnce Windows registry keys.
Test Properties. Enter a list of registry key and values that are allowed in the run and runOnce
Windows registry keys. If the endpoint has any other values in those keys, the test will fail.
Separate entries by semicolons in the format <key> or <key>::<value>.
For example:
updater::C:\Program Files\Common files\Updater\wupdater.exe
will allow Windows update to run on startup.
How Does this Affect Me?. The Microsoft Windows Registry contains information that Windows uses
during normal operations, including system options, property settings, applications installed, types of
documents each application can create, ports used, and so on. Information is stored in keys, such as run
and runOnce. The run and runOnce keys cause programs to run automatically. Many worms and
viruses are started by a call from the Windows Registry. If you limit what can start up when you log in,
you can reduce the potential for worms and viruses to run on your system.
The following links provide a description of the Microsoft Windows Registry and the Run keys:
● http://support.microsoft.com/default.aspx?scid=kb;EN-US;256986
● http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q137/3/67.asp&NoWebContent=1
● http://support.microsoft.com/default.aspx?scid=kb;EN-US;314866
● http://www.winguides.com/registry/
What Do I Need to Do?. Verify that the run and runOnce registry keys run only compliant programs.
CAUTION
Modifying registry entries incorrectly can cause serious problems that may require you to reinstall your operating
system.
1 Back up the registry as described at the following links:
XP and Windows Server 2003 – http://support.microsoft.com/default.aspx?scid=kb;EN-US;322756
2000 – http://support.microsoft.com/default.aspx?scid=kb;EN-US;322755
NT 4.0 – http://support.microsoft.com/default.aspx?scid=kb;EN-US;323170
2 Open the Registry editor by selecting Start>>Run.
3 Type regedit and click OK.
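As an added example (not Sentriant AG code), the following Python applies an allow list written in the format described under Test Properties (semicolon-separated entries of the form <key> or <key>::<value>) to the values found in an endpoint's run and runOnce keys. The allow list and the registry snapshot below are constructed; names and paths are compared case-insensitively, which is an assumption about how the product compares them.

```python
"""Check run/runOnce values against a Sentriant AG style allow list.

Added example, not code from the Sentriant AG product. The allow-list
format is the one the test properties describe: entries separated by
semicolons, each entry either <key> or <key>::<value>. The registry
snapshot is a constructed dict standing in for the values an agent would
read from the endpoint's Run and RunOnce keys.
"""

# Constructed allow list in the documented format: the guide's own
# updater entry plus a bare <key> entry that accepts any program data.
ALLOWED = (
    "updater::C:\\Program Files\\Common files\\Updater\\wupdater.exe;"
    "ctfmon.exe;"
)

# Constructed snapshot: registry key -> {value name: program data}.
# The 'svchost32' value is a constructed non-compliant entry.
ENDPOINT_RUN_KEYS = {
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run": {
        "updater": "C:\\Program Files\\Common files\\Updater\\wupdater.exe",
        "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
        "svchost32": "C:\\Documents and Settings\\user\\svchost32.exe",
    },
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce": {},
}


def parse_allow_list(text):
    """Parse '<key>' and '<key>::<value>' entries separated by semicolons.

    Returns a dict mapping the lower-cased value name to the lower-cased
    allowed data, or to None when any data is accepted (bare <key> form).
    Case-insensitive matching is an assumption of this example.
    """
    allowed = {}
    for raw in text.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing semicolon
        if "::" in entry:
            name, data = entry.split("::", 1)
            allowed[name.strip().lower()] = data.strip().lower()
        else:
            allowed[entry.lower()] = None
    return allowed


def evaluate(run_keys, allowed):
    """Return (passed, violations); each violation is (key, name, data).

    The test fails when a run/runOnce value is not in the allow list, or
    when its name is listed with a specific program but points elsewhere.
    """
    violations = []
    for key, values in run_keys.items():
        for name, data in values.items():
            permitted = allowed.get(name.lower(), "")
            if name.lower() not in allowed:
                violations.append((key, name, data))
            elif permitted is not None and permitted != data.lower():
                # Allowed name, but a different executable: still a failure.
                violations.append((key, name, data))
    return (not violations, violations)


if __name__ == "__main__":
    passed, found = evaluate(ENDPOINT_RUN_KEYS, parse_allow_list(ALLOWED))
    print("pass" if passed else "fail")
    for key, name, data in found:
        print("  %s\\%s = %s" % (key, name, data))
```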
Wireless Network Connections
Description. Checks for the presence of an unauthorized connection on an endpoint. This might include
connections to a rogue wireless access point, VPN, or other remote network.
Test Properties. Select one of the items listed to specify wireless and wired connections. The following
wireless adapters are supported: NetGear, LinkSYS, D-Link.
How Does this Affect Me?. Wireless and wired networking is enabled by default. If you do not want to
allow one or the other, you must specify that here.
What Do I Need to Do?. The following link provides more information on wireless networking:
http://www.pcworld.com/article/id,112138/article.html
Software—Windows
The Software tests verify that any endpoint attempting to connect to your system meets your specified
software requirements. Installing the most recent version of your software helps protect your system
against exploits targeting the latest vulnerabilities.
Anti-spyware
Description. This test verifies that the endpoint attempting to connect to your system has anti-spyware
tools installed and that the anti-spyware definitions are up-to-date.
Test Properties. Select the anti-spyware software allowed on your network. Any endpoint that does not
have at least one of the anti-spyware software packages selected will fail this test. You can also enter a
value in the Last scan performed within text field, which requires the anti-spyware software to have
executed a scan on the endpoint within the set number of days.
How Does this Affect Me?. Spyware is software that gathers and transmits information (about the user,
computer, and/or network) without the user's knowledge. It is usually installed without the user's
knowledge through seemingly harmless downloads such as freeware, shareware, instant messages, and
email attachments. Spyware is intentionally difficult to detect and remove. Those who create and release
spyware don't want you to know it's there or be able to easily uninstall it. The information gathered
can be exploited for mischief, for financial gain, and for gaining unauthorized access to your network.
Spyware also consumes system resources and can cause system instability and crashes.
What Do I Need to Do?. Make sure you have an anti-spyware program installed, that the spyware
definitions are kept up-to-date, and that your system is scanned often.
Anti-virus
Description. This test verifies that the endpoint attempting to connect to your system has the latest anti-virus software installed, that it is running, and that the virus definitions are up-to-date.
Test Properties. Select the anti-virus software allowed on your network. Any endpoint that does not
have at least one of the anti-virus software packages selected will fail this test.
How Does this Affect Me?. Anti-virus software scans your computer, email, and other files for known
viruses, worms, and trojan horses. It searches for known files and automatically removes them. A virus
is a program that infects other programs and files and can spread when a user opens a program or file
containing the virus. A virus needs a host (the program or file) to spread.
A worm is a program that can also perform malicious acts (such as delete files and send email);
however, it replicates itself and does not need a host (program or file) to spread. Frequently, worms are
used to install a backdoor (a way for an attacker to gain access without having to login).
A trojan horse is a stand-alone program that is not what it seems. For example, it may seem to be a
calendar program, but when you open it, it erases all your files and displays a message, such as "Ha ha,
I deleted your files!" Trojan horse programs do not spread or replicate themselves.
What Do I Need to Do?. Make sure you have an anti-virus program installed, and that the virus
definitions are kept up-to-date.
The following link provides more information on anti-virus software and protecting your computer:
http://www.us-cert.gov/cas/tips/ST04-005.html
High-risk Software
Description. This test verifies that the endpoint attempting to connect to your system does not have
High-risk software installed.
Test Properties. Select the high-risk software not allowed on your network. Any endpoint that has at
least one of the high-risk software packages selected fails this test.
How Does this Affect Me?. Some software provides security risks, such as allowing data to be stored on
external servers, or not encrypting sensitive data.
What Do I Need to Do?. Remove or disable any disallowed high-risk software.
Microsoft Office Version Check
Description. This check fetches the version and service pack information of the Microsoft Office software
installed.
Test Properties. Select the check box for one or more Microsoft Office packages. Any software package
selected that does not have the latest version installed fails the test.
How Does this Affect Me?. Some companies may support only the software listed. Using the most
recently updated version of software can help protect your system from known vulnerabilities.
What Do I Need to Do?. Verify that you have updated software by visiting the following link:
http://office.microsoft.com/en-us/downloads/default.aspx
P2P
Description. This test verifies that the endpoint attempting to connect to your system has only approved
peer-to-peer (P2P) software installed.
Test Properties. Select the P2P software allowed on your network. If none of the P2P packages are
selected, this means that you do not allow P2P software and any endpoint with P2P software enabled
will fail this test.
How Does this Affect Me?. A Peer-to-peer (P2P) network is one that is comprised of peer nodes
(computers) rather than clients and servers. These peer nodes function both as clients and servers to
other nodes and can perform any client or server function. P2P software allows users to connect directly
to other users and is used for file sharing. Many P2P software packages are considered spyware and
their use is generally discouraged.
What Do I Need to Do?. Remove or disable any disallowed P2P software.
Personal Firewalls
Description. This test verifies that the endpoint attempting to connect to your system has the latest
personal firewall software installed and running.
Test Properties. Select the personal firewalls that meet your requirements. Any endpoint that does not
have at least one of the personal firewalls selected will fail this test.
How Does this Affect Me?. A firewall is hardware or software that views information as it flows to and
from your computer. You configure the firewall to allow or block data based on criteria such as port
number, content, source IP address, and so on.
The following links provide more detailed information about firewalls:
● http://computer.howstuffworks.com/firewall.htm
● http://www.pcstats.com/articleview.cfm?articleid=1450&page=4
● http://www.microsoft.com/technet/network/wf/default.mspx
● http://www.firewallguide.com/
What Do I Need to Do?. Make sure you have a personal firewall installed.
Software Not Allowed
Description. This test verifies that the endpoint attempting to connect to your system does not have
the software packages listed installed.
Test Properties. Enter a list of applications that are not allowed on connecting endpoints, separated
with a carriage return. The format for an application is vendor\software package[\version]. Using this
format stores the value in the HKEY_LOCAL_MACHINE\Software key.
For example:
Adobe\Acrobat Reader, Adobe\Acrobat Reader\6.0
You can also specify which key to use for the specific value by entering the key at the beginning of the
value. For example:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Messenger
How Does this Affect Me?. Some software is generally not appropriate for corporate use, and can create
vulnerabilities in your system, for example, peer-to-peer (P2P) software and instant messaging (IM)
software.
What Do I Need to Do?. Remove the software that is not allowed.
Software Required
Description. This test verifies that the endpoint attempting to connect to your system has the required
software packages installed.
Test Properties. Enter a list of applications that are required on all connecting endpoints, separated with
a carriage return. The format for an application is vendor\software package[\version]. Using this
format stores the value in the HKEY_LOCAL_MACHINE\Software key.
For example:
Adobe\Acrobat Reader, Adobe\Acrobat Reader\6.0
You can also specify which key to use for the specific value by entering the key at the beginning of the
value. For example:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Messenger
How Does this Affect Me?. Connecting to a network may be impossible if the correct software is not
installed and operational.
What Do I Need to Do?. Contact the vendor and install the missing software.
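The Software Not Allowed and Software Required tests above share one entry format, so a single added example (not Sentriant AG code) resolves entries written as vendor\software package[\version] to keys under HKEY_LOCAL_MACHINE\Software, leaves entries that begin with a hive name as given, and evaluates both tests against a constructed set of registry keys standing in for the endpoint. Accepting commas as well as carriage returns between entries, as in the guide's own example line, and case-insensitive key comparison are assumptions of this example.

```python
"""Resolve and evaluate 'Software Not Allowed' / 'Software Required' entries.

Added example, not Sentriant AG code. It applies the rules the guide gives:
an entry of the form vendor\software package[\version] is looked up under
HKEY_LOCAL_MACHINE\Software, and an entry that starts with a hive name is
used as the key path as written. The registry snapshot is a constructed set
of key paths standing in for what would be read from the endpoint.
"""
import re

# Entries beginning with a hive (HKEY_LOCAL_MACHINE\...) are full key paths.
HIVE_PREFIX = re.compile(r"^HKEY_[A-Z_]+\\", re.IGNORECASE)
DEFAULT_ROOT = "HKEY_LOCAL_MACHINE\\Software\\"

# Constructed snapshot of keys present on the endpoint.
ENDPOINT_KEYS = {
    "HKEY_LOCAL_MACHINE\\Software\\Adobe\\Acrobat Reader",
    "HKEY_LOCAL_MACHINE\\Software\\Adobe\\Acrobat Reader\\6.0",
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows",
    "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Messenger",
}

# Constructed test properties. ExampleVendor\... are placeholder products.
NOT_ALLOWED = (
    "ExampleVendor\\ExamplePeerToPeer\n"
    "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Messenger"
)
REQUIRED = "Adobe\\Acrobat Reader\\6.0\nExampleVendor\\ExampleAntiVirus"


def parse_entries(text):
    """Split the text field into entries and resolve each to a full key path.

    Entries are separated by carriage returns; commas are accepted too, as
    the guide's example 'Adobe\\Acrobat Reader, Adobe\\Acrobat Reader\\6.0'
    uses them (an assumption of this example).
    """
    keys = []
    for raw in re.split(r"[\r\n,]+", text):
        entry = raw.strip()
        if not entry:
            continue
        if HIVE_PREFIX.match(entry):
            keys.append(entry)
        else:
            keys.append(DEFAULT_ROOT + entry)
    return keys


def _normalise(path):
    # Registry key names are case-insensitive; trailing separators ignored.
    return path.strip("\\").lower()


def software_not_allowed(entries_text, existing_keys):
    """Return (passed, found): fail when any listed key exists on the endpoint."""
    present = {_normalise(k) for k in existing_keys}
    found = [k for k in parse_entries(entries_text) if _normalise(k) in present]
    return (not found, found)


def software_required(entries_text, existing_keys):
    """Return (passed, missing): fail when any listed key is absent."""
    present = {_normalise(k) for k in existing_keys}
    missing = [k for k in parse_entries(entries_text)
               if _normalise(k) not in present]
    return (not missing, missing)


if __name__ == "__main__":
    print("Software Not Allowed:", software_not_allowed(NOT_ALLOWED, ENDPOINT_KEYS))
    print("Software Required:   ", software_required(REQUIRED, ENDPOINT_KEYS))
```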
Worms, Viruses, and Trojans
Description. This test verifies that the endpoint attempting to connect to your system does not have any
of the worms, viruses, or trojans listed.
Test Properties. This area of the window displays the current list of worms, viruses, and trojans. No
selection actions are required.
How Does this Affect Me?. A virus is a program that infects other programs and files and can spread
when a user opens a program or file containing the virus. A virus needs a host (the program or file) to
spread. A worm is a program that can also perform malicious acts (such as delete files and send email);
however, it replicates itself—it does not need a host (program or file) to spread. Frequently, worms are
used to install a backdoor (a way for an attacker to gain access without having to login). A trojan horse
is a stand-alone program that is not what it seems. For example, it may seem to be a calendar program,
but when you open it, it erases all your files and displays a message, such as "Ha ha, I deleted your
files!" Trojan horse programs do not spread or replicate themselves.
What Do I Need to Do?. Make sure you are running an anti-virus software program, and that it is kept
up-to-date.
C Database Design (Data Dictionary)
This section provides information on the following tables for the Sentriant AG database:
● “test_result table” on page 444
● “Device table” on page 445
● “sa_cluster” on page 447
● “sa_node” on page 447
● “sa_user” on page 448
● “cluster_to_user” on page 448
● “user_group” on page 448
● “user_to_groups” on page 449
● “group_to_permission” on page 449
test_result table
test_result
This table is a history of test results for all endpoints.
test_result_id (INT4 DEFAULT nextval('test_result_test_result_id_seq')): PRIMARY KEY
run_id (INT4 NOT NULL): An ID used for associating test results to a particular test run.
timestamp (INT4 NOT NULL): The time the test was run.
device_unique_id (VARCHAR(100) NOT NULL): A foreign key into the device table.
ip_address_str (VARCHAR(30) NOT NULL): The IP address of the endpoint tested.
netbios (VARCHAR(50) DEFAULT NULL): The NetBIOS name of the endpoint tested.
hostname (VARCHAR(50) DEFAULT NULL): The host name of the endpoint tested.
logged_on_user (VARCHAR(50) DEFAULT NULL): The user that was logged on to the endpoint at the time of the test.
test_name (VARCHAR(50) NOT NULL): A descriptive name of the test.
test_class (VARCHAR(50) NOT NULL): A reference to the Python script that executed the test. For example, CheckHotFix.
test_module (VARCHAR(50) NOT NULL): A reference to the Python script that executed the test. For example, checkHotFix.
group_name (VARCHAR(50) NOT NULL): The type of test, for example, operating system, software, security setting, or browser security policy.
policy_id (VARCHAR(50) NOT NULL): A unique ID that identifies the policy.
policy_name (VARCHAR(50) NOT NULL): The name of the policy.
actions_taken (TEXT DEFAULT NULL): A text description of what happened, for example, email sent.
severity (INT2 DEFAULT NULL): A number describing the severity of the test.
result_code (VARCHAR(50) NOT NULL): The string 'pass' or 'fail' indicating the result of the test.
status_code (VARCHAR(20) NOT NULL): A number that indicates whether the test ran or not. For example, 0—Test did not run, or 1—Test ran.
result_message (TEXT DEFAULT NULL): Information about the results of the test.
debug_info (TEXT DEFAULT NULL): Information about the results of the test.
cluster_id (VARCHAR(64)): A unique ID that identifies the cluster that ran the test.
last_result_code (VARCHAR(50)): The string 'pass' or 'fail' indicating the result of the previous test for the same script and endpoint.
Device table
device
This table contains information about known endpoints.
unique_id (VARCHAR(100) NOT NULL): PRIMARY KEY
ip_address_str (VARCHAR(30) NOT NULL): The IP address (string in dotted quad notation) of the endpoint.
mac_address (VARCHAR(30) DEFAULT NULL): The MAC address of the endpoint.
netbiosname (VARCHAR(50) DEFAULT NULL): The NetBIOS name of the endpoint.
hostname (VARCHAR(50) DEFAULT NULL): The host name of the endpoint.
domainname (VARCHAR(50) DEFAULT NULL): The domain name of the endpoint.
username (VARCHAR(50) DEFAULT NULL): The user name used during the test.
os (VARCHAR(100) DEFAULT NULL): The operating system of the endpoint (for example, 'Windows', 'Linux').
os_details (VARCHAR(100)): The specific version of the operating system of the endpoint.
password (VARCHAR(50) DEFAULT NULL): The password used during the test.
logged_on_user (VARCHAR(100)): The user logged onto the endpoint the last time it was tested.
policy_id (VARCHAR(50) DEFAULT NULL): The identification number of the last policy used.
last_run_id (INT4 DEFAULT NULL): A foreign key into the test_result table that references the last test run for this endpoint.
prev_run_id (INT4): A foreign key into the test_result table that references the run before the last test run for this endpoint.
last_test_dt (INT4 DEFAULT NULL): The time of the last test.
last_status (VARCHAR(50) DEFAULT NULL): A text description of what happened, for example pass or fail.
last_status_id (INT4 NOT NULL DEFAULT 0): An internal code that represents last_status.
grace_period (INT4 DEFAULT NULL): The duration of time that the endpoint has temporary access.
grace_period_start (INT4 DEFAULT NULL): The time the grace period starts. grace_period added to grace_period_start determines the time the endpoint will go into quarantine.
last_test_result_id (INT4 DEFAULT NULL): The test result ID of the failed test with the most severe action taken. For example, -1 indicates all tests passed. If two tests failed, this contains the ID of the test that had the most severe action taken. An email sent is a less severe action than a quarantine immediately.
crt_dt (INT4 NOT NULL): The date the endpoint was first seen (create date).
last_activity_dt (INT4 NOT NULL): The date the endpoint was last seen.
last_connect_dt (INT4 NOT NULL): The date the endpoint was first seen if it has never been disconnected, or the last time the endpoint reconnected.
last_disconnect_dt (INT4 NOT NULL): The date the endpoint was disconnected for inactivity.
last_posture_token (VARCHAR(50) DEFAULT NULL): When running in 802.1X mode, the last posture token returned to the ACS.
last_testing_node_id (VARCHAR(64)): The unique ID of the node that tested this endpoint last.
last_testing_cluster_id (VARCHAR(64)): The unique ID of the cluster that tested this endpoint last.
access_status_id (INT2): An internal code that represents the access status.
next_test_dt (INT4): The date of the next test.
nad_port (VARCHAR(20)): The port of the network access endpoint that connects the user.
nad_ip (VARCHAR(30)): The IP address of the network access endpoint that connects the user.
session_access (INT4): The amount of time in seconds this endpoint has been temporarily granted access or quarantined by an administrator.
session_access_end (INT4): The date an administratively configured access status ends.
other_properties (TEXT): Miscellaneous properties such as LDAP attributes.
access_modified_by (VARCHAR(64)): The MS user who administratively changed this endpoint's access status.
last_update_dt (INT8): The date this record was last updated.
last_testing_method (VARCHAR(10)): The method used to test the endpoint, one of: AGENTLESS, ONE_TIME, INSTALL, NONE.
expecting_access_transition (BOOL DEFAULT false): If this is true, the device is expected to be moving between either the quarantine or production networks.
ext_quarantine_product_id (VARCHAR(32)): The identifier of the product that externally quarantined this device.
ext_quarantine_instance_name (VARCHAR(32)): The instance name of the system that externally quarantined this device.
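The relationships between the test_result and device tables are easier to see with a query, so here is an added example (not Sentriant AG code) that builds a subset of the two tables in an in-memory SQLite database using the column names above, loads constructed rows, and answers two questions an administrator might put to this data: which tests failed in each endpoint's last run (joining device.last_run_id to test_result.run_id), and when an endpoint in a grace period will be quarantined (grace_period_start + grace_period). Modelling the INT4 time columns as Unix epoch seconds is an assumption.

```python
"""Query a subset of the Sentriant AG test_result and device tables.

Added example, not Sentriant AG code. The DDL below keeps the documented
column names and types for a subset of columns; test_result_id uses
SQLite's INTEGER PRIMARY KEY in place of the PostgreSQL sequence default,
and INT4 time columns are modelled as Unix epoch seconds (an assumption).
All rows are constructed sample data.
"""
import sqlite3

SCHEMA = """
CREATE TABLE device (
    unique_id          VARCHAR(100) NOT NULL PRIMARY KEY,
    ip_address_str     VARCHAR(30) NOT NULL,
    hostname           VARCHAR(50),
    last_run_id        INT4,
    last_status        VARCHAR(50),
    grace_period       INT4,
    grace_period_start INT4
);
CREATE TABLE test_result (
    test_result_id   INTEGER PRIMARY KEY,
    run_id           INT4 NOT NULL,
    timestamp        INT4 NOT NULL,
    device_unique_id VARCHAR(100) NOT NULL,
    test_name        VARCHAR(50) NOT NULL,
    group_name       VARCHAR(50) NOT NULL,
    policy_name      VARCHAR(50) NOT NULL,
    result_code      VARCHAR(50) NOT NULL,
    actions_taken    TEXT
);
"""

# Constructed data: LAPTOP-A failed anti-virus in its last run (101) and is
# in a one-hour grace period; an older run (100) failed a different test.
DEVICES = [
    ("dev-a", "10.0.16.25", "LAPTOP-A", 101, "fail", 3600, 1218000000),
    ("dev-b", "10.0.16.26", "LAPTOP-B", 102, "pass", None, None),
]
RESULTS = [
    (101, 1218000000, "dev-a", "Anti-virus", "software", "Corporate", "fail", "email sent"),
    (101, 1218000000, "dev-a", "Personal Firewalls", "software", "Corporate", "pass", None),
    (100, 1217900000, "dev-a", "Personal Firewalls", "software", "Corporate", "fail", "email sent"),
    (102, 1218000100, "dev-b", "Anti-virus", "software", "Corporate", "pass", None),
]


def build_db():
    """Create the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO device VALUES (?,?,?,?,?,?,?)", DEVICES)
    conn.executemany(
        "INSERT INTO test_result (run_id, timestamp, device_unique_id, test_name, "
        "group_name, policy_name, result_code, actions_taken) VALUES (?,?,?,?,?,?,?,?)",
        RESULTS,
    )
    return conn


def failed_tests_in_last_run(conn):
    """(hostname, test_name, actions_taken) for failures in each endpoint's last run.

    device.last_run_id references a run, not a single test_result row, so the
    join is on test_result.run_id plus device_unique_id; this excludes the
    endpoint's older runs even when they also contain failures.
    """
    return conn.execute(
        """
        SELECT d.hostname, t.test_name, t.actions_taken
        FROM device d
        JOIN test_result t
          ON t.device_unique_id = d.unique_id AND t.run_id = d.last_run_id
        WHERE t.result_code = 'fail'
        ORDER BY d.hostname, t.test_name
        """
    ).fetchall()


def quarantine_deadlines(conn):
    """(hostname, quarantine_time) for endpoints currently in a grace period."""
    return conn.execute(
        """
        SELECT hostname, grace_period_start + grace_period
        FROM device
        WHERE grace_period IS NOT NULL AND grace_period_start IS NOT NULL
        ORDER BY hostname
        """
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("Failures in last run:", failed_tests_in_last_run(db))
    print("Quarantine deadlines:", quarantine_deadlines(db))
```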
sa_cluster
This table contains information about all known clusters.
cluster_id (VARCHAR(64)): PRIMARY KEY
cluster_name (VARCHAR(30)): The name of the cluster.
policy_set_id (INT4): The unique ID of the policy set used by the cluster.
devices (TEXT): Not used.
current_licenses (INT4): The number of endpoint licenses allocated to the cluster.
domains (TEXT): Not used.
config (TEXT): XML data representing the cluster's configuration settings.
sa_node
This table contains information about all known Enforcement servers, or nodes.
node_id (VARCHAR(64)): PRIMARY KEY
cluster_id (VARCHAR(64)): The unique ID of the cluster this node belongs to.
ip_address_str (VARCHAR(30)): The IP address of the node.
host_name (TEXT): The hostname of the node.
config (TEXT): XML data representing the node's configuration settings.
test_update_version (VARCHAR(50)): The update version of the test scripts used by the node.
last_test_update_time (INT8): The time the last test update was applied to the node.
shutdown_message (TEXT): Description of why the node last shut down.
sa_user
This table contains information about users.
user_id (INT4): PRIMARY KEY
username (VARCHAR(64)): The login of the user.
passwd (VARCHAR(64)): MD5 hash of the user's password.
full_name (VARCHAR(64)): The full name of the user.
email (VARCHAR(256)): The email address of the user.
enabled (INT4): 1 if the user is enabled, 0 if not.
cluster_to_user
This table contains information about users assigned to clusters.
cluster_id (VARCHAR(64)): The unique ID of a cluster in the many-to-many relationship.
user_id (INT4): The unique ID of a user in the many-to-many relationship.
user_group
This table contains information about user roles.
group_id (INT4): PRIMARY KEY
group_name (VARCHAR(64)): The name of the user role.
group_desc (VARCHAR(4096)): The description of the user role.
user_to_groups
This table contains information about a user and their assigned role.
group_id (INT4): The unique ID of the user role in the many-to-many relationship.
user_id (INT4): The unique ID of the user in the many-to-many relationship.
group_to_permission
This table contains information about the user role and its associated permissions.
group_id (INT4): The unique ID of the user role in the many-to-many relationship.
permission_enum (VARCHAR(64)): One of: CONFIG_CLUSTER, CONFIG_SERVER, CONFIG_SYSTEM, VIEW_ALERTS, REPORTS, POLICY, DEVICE, MONITOR, ENDPOINT_ACCESS, RETEST
D Ports used in Sentriant AG
The following table provides information about Ports used in Sentriant AG:
Table 19: Ports in Sentriant AG
Columns: Port, Parties, Description, Comments

Ports used for testing endpoints:

Port: 88 (TCP), 89 (TCP)
Parties: Endpoint to ES
Description: When using agent-based testing, the endpoint must point (using a browser window) to destination port 88 on the ES for testing, which is redirected to destination port 89 (end-user access screens) on the ES.
Comments: Not configurable

Port: 53 (TCP), 53 (UDP)
Parties: Endpoint to ES
Description: Domain Name Server (DNS). When an endpoint is quarantined in DHCP mode, it uses the ES for its name server.
Comments: Not configurable

Port: 3128 (TCP)
Parties: Endpoint to ES
Description: Any endpoint configured to use an autoproxy (DHCP endpoint enforcement mode only), and when using agent-based testing and static routes, the destination port is 3128 (squid) on the ES.
Comments: Not configurable

Port: 137 (UDP), 138 (UDP), 139 (TCP)
Parties: ES to endpoint
Description: These ports are opened by default when File and Print Sharing is enabled, but are not used by Sentriant AG.
Comments: Configure on the firewall/router between ES and endpoint

Port: 445 (TCP)
Parties: ES to endpoint
Description: This port is first used for NMB lookup (identify yourself) on Windows endpoints. If this port is not open, the endpoint cannot be tested. Then, this port is used for testing endpoints with the Agentless method. NOTE: This port is opened by default when File and Print Sharing is enabled.
Comments: Configure on the firewall/router between ES and endpoint

Port: 1500 (TCP)
Parties: ES to endpoint
Description: Ports used for testing endpoints with the Agent-based method.
Comments: Configure on the firewall/router between ES and endpoint

Ports used by the admin user browser:

Port: 443 (TCP)
Parties: Admin user browser to MS
Description: The administration user interface (as opposed to the end user access screens) uses port 443 on the MS for communication.
Comments: Not configurable

Ports used for internal communications:

Port: 7483 (TCP)
Parties: ES to MS, MS to ES
Description: Message bus communications between the ES and MS occur on port 7483.
Comments: Not configurable

Port: 22 (TCP)
Parties: MS to ES
Description: Port 22 (SSH) is used for miscellaneous communications, such as upgrades, support packages, adding/removing the ES.
Comments: Not configurable

Ports used for external communications:

Port: 443 (TCP)
Parties: ES to MS
Description: When the admin user selects to upgrade by way of the user interface, the upgrade files use port 443.
Comments: Not configurable

Port: N/A
Parties: MS to admin user client browser
Description: Support packages are downloaded to the admin client browser (no external network interaction).
Comments: N/A

Port: 80 (TCP)
Parties: MS to Internet
Description: For software and operating system updates: http://download.sentriantag.extremenetworks.com port 80. NOTE: The ES communicates to the Internet through the MS.
Comments: Configure on the firewall/router between MS and Internet

Port: 443 (TCP)
Parties: MS to Internet
Description: For license validation and test updates: http://update.sentriantag.extremenetworks.com port 443. NOTE: The ES communicates to the Internet through the MS.
Comments: Configure on the firewall/router between MS and Internet

Port: 8999 (TCP)
Parties: DAC host to ESs
Description: In environments with Windows- or Linux-based Remote Device Activity Capture (RDAC), RDAC listens to network traffic and sends device activity information (such as DHCP traffic information) to Sentriant AG.
Comments: Not configurable

Port: 514 (TCP)
Parties: Infoblox connector to syslog service on the ESs
Description: In environments with the Infoblox syslog connector, the Infoblox server sends DHCP information to Sentriant AG using syslog.
Comments: Configurable by making changes to both of the following:
• Infoblox server
• syslog-ng.conf file on the MS

Port: 61616 (TCP)
Parties: MS to post-connect server
Description: JMS API port used by external systems to the MS such as post-connect.
Comments: Not configurable

Ports used for NTP:

Port: 123 (UDP)
Parties: MS to NTP server
Description: Destination port 123 for NTP.
Comments: Not configurable

Port: 123 (UDP)
Parties: ES to MS
Description: NTP communication between the ES and MS occurs on destination port 123.
Comments: Not configurable

Ports used for proxy servers:

Port: Varies
Parties: MS to proxy server
Description: The port used for connecting to the proxy server.
Comments: Configure in the Sentriant AG user interface: System configuration>>Management server option>>Proxy server area>>Proxy server port text field. Example: 8080

Ports used for LDAP:

Port: Varies
Parties: ES to LDAP server
Description: When using 802.1X mode with local RADIUS, connecting to Active Directory, the LDAP server IP address and optional port number.
Comments: Configure in the Sentriant AG user interface: System configuration>>Quarantining>>802.1X Quarantine method>>Local RADIUS server type>>OpenLDAP End-user authentication method>>Server text field. Example: 10.0.1.2:636

Ports used for re-authentication:

Port: 22 (TCP), 23 (TCP), 161 (TCP)
Parties: ES to switch
Description: Used when you select the test connection to device button, and when an endpoint is re-authenticated by the switch. (SSH)
Comments: Not configurable. Sentriant AG user interface: System configuration>>Quarantining>>802.1X Quarantine method>>Add 802.1X device>>Select any device type>>Select the SSH Connection method

Port: 1812 (TCP)
Parties: Switch to ES
Description: Used to relay credentials to RADIUS when you are using the local RADIUS server.
Comments: Not configurable

Ports used for DHCP and domain controllers:

Port: 88 (TCP), 135-159 (TCP), 135-159 (UDP), 389 (TCP), 1025 (TCP), 1026 (TCP), 3268 (TCP)
Parties: ES to DC/DHCP server
Description: DHCP Server and Domain Controller behind Sentriant AG: In DHCP mode, when your DHCP server and Domain Controller are behind Sentriant AG, you must specify ports 88, 135 to 159, 389, 1025, 1026, and 3268 as part of the address. If you do not specify a DHCP address, users are blocked. If you specify only the IP address with no port, endpoints are not quarantined, even for failed tests.
Comments: Configure in the Sentriant AG user interface: Home window>>System configuration>>Accessible services

Port: 88 (TCP), 135-159 (TCP), 135-159 (UDP), 389 (TCP), 1025 (TCP), 1026 (TCP), 3268 (TCP)
Parties: MS/ES to DC/DHCP server
Description: DHCP Server and Domain Controller NOT behind Sentriant AG: In DHCP mode, if your domain controller is not situated behind Sentriant AG, you must configure your router to allow routes from the quarantine area to your domain controller on ports 88, 135-159, 389, 1025, 1026, and 3268.
Comments: Configure on the router between Domain Controller and Quarantine Area

Ports used for accessible services and endpoints:

Port: Varies
Parties: ES to endpoint
Description: In order to grant access for quarantined endpoints to needed services, add entries to the Accessible services list. For inline enforcement mode, enter the IP addresses of the servers that provide the services. A port or ports can be added to limit the access to the servers from quarantined endpoints. For all other deployment modes, the Fully Qualified Domain Name (FQDN) of the target servers should be added to the list (for example mycompany.com). If the specified accessible servers are not behind an ES, a network firewall must be used to control access to only the desired ports. In DHCP mode, if your DHCP server has other services besides DHCP for which you need to allow access, be sure to NOT allow port 67.
Comments: Configure in the Sentriant AG user interface: Home window>>System configuration>>Accessible services. Example: 10.0.16.100:53. Separate multiple endpoint entries with a carriage return (new line):
10.0.16.100:53
10.0.16.100:80
10.0.16.100:81
10.0.16.100:82
Enter a range of ports as follows: 10.0.16.100:53:65. For example, add the entries 192.168.1.1:1:66 and 192.168.1.1:68:65535 to open all ports besides 67.

Ports used for SNMPD:

Port: 161 (UDP)
Parties: admin user to MS or ES
Description: Used for SNMP monitoring of the server.
Comments: Not configurable

Port: 162 (UDP/TCP)
Parties: MS to SNMP
Description: Traps for SNMP.
Comments: Not configurable

NOTE: See “Enabling SNMP” on page 69 for instructions on enabling SNMP.
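The Accessible services entries in Table 19 have three forms (ip, ip:port and ip:start:end, one per line), and the same row warns against exposing port 67 on a DHCP server to quarantined endpoints. As an added example (not Sentriant AG code), the following Python parses a constructed entry list, answers whether a given host and port are reachable from quarantine, flags DHCP servers whose port 67 is reachable, and produces the two-range pattern the table gives for opening every port except 67. Treating a bare host as all ports and accepting FQDNs as hosts are assumptions of this example.

```python
"""Parse and check Sentriant AG 'Accessible services' entries.

Added example, not Sentriant AG code. It follows the entry formats shown in
Table 19 (host, host:port, host:start:end; one entry per line) and checks the
caution in the same row: a DHCP server listed as an accessible service must
not expose port 67 to quarantined endpoints. The entry list is constructed.
"""
import re

# host, optional first port, optional last port (all ports when omitted).
ENTRY_RE = re.compile(
    r"^(?P<host>[^:\s]+)(?::(?P<start>\d{1,5}))?(?::(?P<end>\d{1,5}))?$"
)

# Constructed list: a DNS/web server, plus a DHCP server opened on every
# port except 67 using the pattern from the table.
SAMPLE_ENTRIES = """
10.0.16.100:53
10.0.16.100:80
192.168.1.1:1:66
192.168.1.1:68:65535
"""
DHCP_SERVERS = ["192.168.1.1"]  # constructed


def parse_entry(line):
    """Return (host, first_port, last_port) for one entry.

    A bare host means every port (assumption); host:port means that single
    port; host:start:end means the inclusive range. Malformed or reversed
    ranges raise ValueError so a bad line is not silently treated as open.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError("malformed accessible services entry: %r" % line)
    host = m.group("host")
    if m.group("start") is None:
        start, end = 1, 65535
    else:
        start = int(m.group("start"))
        end = int(m.group("end")) if m.group("end") else start
    if not (1 <= start <= end <= 65535):
        raise ValueError("port range out of order or out of range: %r" % line)
    return host, start, end


def parse_service_entries(text):
    """Parse the whole text field, one entry per line, skipping blank lines."""
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]


def port_reachable(entries, host, port):
    """True when some entry lets quarantined endpoints reach host:port."""
    return any(h == host and s <= port <= e for h, s, e in entries)


def exposes_dhcp(entries, dhcp_servers):
    """Return the DHCP server addresses whose port 67 is reachable."""
    return [ip for ip in dhcp_servers if port_reachable(entries, ip, 67)]


def all_ports_except(host, port):
    """Entries that open every port on host except `port`, in the table's
    192.168.1.1:1:66 / 192.168.1.1:68:65535 form."""
    entries = []
    if port > 1:
        entries.append("%s:1:%d" % (host, port - 1))
    if port < 65535:
        entries.append("%s:%d:65535" % (host, port + 1))
    return entries


if __name__ == "__main__":
    parsed = parse_service_entries(SAMPLE_ENTRIES)
    print("DHCP servers exposing port 67:", exposes_dhcp(parsed, DHCP_SERVERS))
    print("Entries for all ports but 67:", all_ports_except("192.168.1.1", 67))
```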
E MS Disaster Recovery
Overview
If the Primary Management Server (primary MS) goes down due to an unrecoverable hardware failure,
management server duties can be migrated to an online Standby Management Server (standby MS)
using a simple backup and restore process. After failover, the standby MS is able to perform all
necessary MS functions, including communicating with Enforcement Servers (ESs), reporting, and
making configuration changes. The Sentriant AG backup/restore process migrates the endpoint activity
database, GUI users/passwords, and other product configuration items, but does not include system
level customizations such as root and non-root user accounts or passwords.
Installation Requirements
The following items are required as part of the installation of Sentriant AG and are essential elements
for recovery of an MS.
● Primary and Standby Management Servers must each have their own unique license keys, with equivalent settings (number of ESs and endpoints)
● Primary and Standby Management Servers must be assigned an Internet Protocol (IP) address within the same network (so that when the standby MS temporarily assumes the primary MS's IP, it is accessible on the network)
Installing the Standby MS
A standby MS may need to be installed for the recovery of a failed MS. Allow for proper configuration
of your hardware and software to accommodate the following items in the setup of a standby MS:
● The standby MS should be installed to match the primary MS configuration:
■ Same version of Sentriant AG
■ Same version of test update RPM (RedHat Package Manager)
■ Same version of BIND (DNS server software) plus any other customizations
● The standby MS should be installed with its own:
■ IP address (different than that of the Primary MS)
■ License to use without an Internet Connection
■ Administrative UI user
NOTE
Only an administrative user needs to be created. Other UI users are migrated as part of the backup and restore
process. Be sure to keep this UI login information safe, as it is needed to transition MS services to the standby MS.
Ongoing Maintenance
Certain considerations must be noted regarding the ongoing maintenance of your system so that an MS
remains recoverable:
● As part of an ongoing maintenance plan or during backup, check the status of the NAC-testscripts
RPM by entering the following from the command line:
rpm -q NAC-testscripts
● If changes are made to the license without an internet connection (such as increasing the number of
ESs or endpoints), you will need to make the same changes to the standby license as well. For a license
without an internet connection you will need to contact the Technical Assistance Center (TAC) at (800)
998-2408 or support@extremenetworks.com for a package to update the license key. In normal
environments, however, the license key will update automatically.
● Rule updates must be applied to both the primary and standby MS (so they have the same version)
● Sentriant AG upgrades must be applied to both the primary and standby MS
● Regular backups need to be taken of the primary MS, and stored in a safe location
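The maintenance items above are easy to let drift, and a standby that no longer matches the primary is only discovered at failover time. The following POSIX shell script is an added example, not code from this guide or from Extreme Networks: it compares the `rpm -q` results for the packages that must match on both servers and confirms that a recent backup of the primary MS exists. It assumes that BIND is installed as the Red Hat `bind` RPM, that key-based ssh access to both servers is available when it is run live, and that a seven-day backup window is acceptable; the sample inventories used to exercise it are constructed.

```shell
#!/bin/sh
# Standby MS readiness check. Added example, not code from the Sentriant AG
# guide or from Extreme Networks. It covers two points from the Ongoing
# Maintenance list: the packages that must match on the primary and standby
# MS actually match, and a recent backup of the primary MS exists.
# Inventories are passed in as text (one `rpm -q <pkg>` result per line), so
# the same functions work on captured output as on live hosts.

# Packages the guide requires to be at the same version on both servers.
# "NAC-testscripts" is named in the guide; "bind" is the Red Hat package
# name for BIND (assumption). Add further RPMs here as needed.
WATCHED_PKGS="NAC-testscripts bind"

# pkg_version INVENTORY NAME
# Prints the version-release string that `rpm -q NAME` reported, or MISSING
# when rpm printed "package NAME is not installed" (or nothing at all).
# Matching is by "NAME-" prefix, which is exact because each inventory line
# comes from a query for one named package.
pkg_version() {
    inv="$1"; name="$2"
    line=$(printf '%s\n' "$inv" | grep "^$name-" | head -n 1)
    if [ -z "$line" ]; then
        printf 'MISSING\n'
    else
        printf '%s\n' "${line#"$name-"}"   # strip "NAME-", keep version-release
    fi
}

# compare_inventories PRIMARY_INV STANDBY_INV
# Prints "DRIFT <pkg> primary=<ver> standby=<ver>" for every watched package
# whose version differs (a package missing on one side counts as drift).
# Returns 0 when everything matches, 1 otherwise.
compare_inventories() {
    primary="$1"; standby="$2"; rc=0
    for pkg in $WATCHED_PKGS; do
        pv=$(pkg_version "$primary" "$pkg")
        sv=$(pkg_version "$standby" "$pkg")
        if [ "$pv" != "$sv" ]; then
            printf 'DRIFT %s primary=%s standby=%s\n' "$pkg" "$pv" "$sv"
            rc=1
        fi
    done
    return $rc
}

# backup_is_fresh FILE MAX_DAYS
# Returns 0 when FILE exists and was modified less than MAX_DAYS*24h ago.
# find(1) prints the path only if the -mtime test passes.
backup_is_fresh() {
    file="$1"; max_days="$2"
    [ -f "$file" ] || return 1
    [ -n "$(find "$file" -mtime -"$max_days" -print 2>/dev/null)" ]
}

# collect_inventory HOST
# Runs `rpm -q` for each watched package on HOST over ssh. Only used when the
# script is invoked with arguments; assumes key-based ssh access to both MSs.
collect_inventory() {
    host="$1"
    for pkg in $WATCHED_PKGS; do
        ssh "$host" rpm -q "$pkg"
    done
}

# Usage: readiness_check.sh PRIMARY_HOST STANDBY_HOST BACKUP_FILE
# With no arguments nothing runs, so the functions can be sourced or tested.
if [ "$#" -eq 3 ]; then
    status=0
    primary_inv=$(collect_inventory "$1")
    standby_inv=$(collect_inventory "$2")
    compare_inventories "$primary_inv" "$standby_inv" || status=1
    if backup_is_fresh "$3" 7; then
        echo "OK backup $3 is less than 7 days old"
    else
        echo "STALE backup $3 is missing or older than 7 days"
        status=1
    fi
    exit $status
fi
```

Run from a host that can reach both servers, the script exits non-zero whenever any watched package differs or the backup is stale, so it can be scheduled alongside the regular backup and its exit status alerted on. A package that is installed on one server and absent on the other is reported as drift rather than ignored, since the guide requires the two servers to match.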
Failover process
Once a standby MS is established for MS recovery and all system requirements and ongoing
maintenance issues are addressed, begin the MS recovery as follows:
To migrate MS duties to the standby MS:
1 Shut down the primary MS server by entering the following from the command line:
shutdown -hy 0
2 Locate the most recent backup of the primary MS. See “Restoring to a new Server” on page 359.
This will be the backup that you were instructed during initial installation to store in a safe place.
3 Copy the backed up file of the primary MS to a Personal Computer (PC) with access to the standby
MS. See “Copying Files” on page 42.
4 Navigate to System configuration>>Maintenance
5 Click the restore system from backup to upload the primary MS backup file. See “Restoring from
Backup” on page 293. Wait for the restore to complete.
6 Log in to the standby MS and enter the following at the command line:
service nac-ms restart
7 Log in to the UI of the standby MS again (at this point, all UI users from the primary should be able
to log in).
8 Navigate to System configuration>>Management server>>edit network settings
9 Change the IP address to be that of the old or primary MS. See “Modifying MS Network Settings”
on page 48.
10 Navigate to System configuration>>Enforcement clusters and servers
11 Ensure that communication has been restored to all ESs. See “Viewing ES Status” on page 62.
12 Navigate to System configuration>>Management server>>edit network settings.
13 Change the IP address back to the standby MS IP (so that if and when the primary MS comes back
up, its IP address will not cause a conflict). See “Modifying MS Network Settings” on page 66.
F
Licenses
Sentriant® End-User License Agreement
Extreme Networks, Inc. (“Extreme Networks”)
End-User License Agreement
NOTICE TO ALL USERS: PLEASE READ THIS CONTRACT CAREFULLY. BY CLICKING THE ACCEPT BUTTON OR INSTALLING
THE SOFTWARE, YOU AGREE THAT THIS AGREEMENT IS ENFORCEABLE LIKE ANY WRITTEN CONTRACT SIGNED BY YOU
AND EXTREME NETWORKS. IF YOU DO NOT AGREE TO ALL THE TERMS OF THIS AGREEMENT, DO NOT INSTALL OR USE
THE SOFTWARE, AND RETURN IT TO THE SELLER FOR A REFUND OR CREDIT.
1. Certain Definitions.
As used in this Agreement “Software” means (a) all of the contents of the files, disk(s), CD-ROM(s) or other media
(including electronic media) with which this Agreement is provided, or such contents as are hosted by Extreme Networks or
its business partners (collectively “Authorized Partner(s)”), including but not limited to (i) Extreme Networks or third party
computer information or software; (ii) related explanatory materials in printed, electronic, or online form
(“Documentation”); and (b) upgrades, modified or subsequent versions (collectively “Updates”), and Software, if any,
licensed to you by Extreme Networks or an Authorized Partner as part of a maintenance contract or service subscription.
“Use” or “Using” means to access, install, download, copy or otherwise benefit from using the Software.
2. License Grant.
Subject to the payment of the applicable license fees, and subject to the terms and conditions of this Agreement, Extreme
Networks hereby grants to you a non-exclusive, non-transferable license to Use one copy of the object code version of the
Software for your internal business purposes (subject to any restrictions or usage terms specified on the applicable price
list or product packaging included as part of the Documentation) for the time period specified in the applicable product
description or packaging for the Software (“License Period”). Software embedded in hardware products may only be Used
in conjunction with such hardware products. Some third party materials included in the Software may be subject to other
terms and conditions, which are typically found in a “Read Me” file or “About” file in the Software. In this case, you hereby
agree to any additional terms and conditions relating to the third party software or hardware that are specific to Extreme
Networks' suppliers as described in the documentation delivered with the Product. You may make one (1) copy of the
Software for back-up or archival purposes, provided that such copy contains all of the Software’s proprietary notices
unaltered.
3. Term.
This Agreement is effective for the License Period, unless terminated earlier as set forth herein. This Agreement will
terminate automatically if you fail to comply with any of the limitations or other requirements of this Agreement. Upon any
termination or expiration, you must cease Use of the Software and destroy all copies of the Software.
4. Updates.
This license is limited to the version of the Software delivered by Extreme Networks and does not include Updates, unless a
separate maintenance contract is purchased or unless an Update is otherwise provided by Extreme Networks in its sole
discretion. After the specified maintenance period ends, you have no further rights to receive any Updates without
purchase of a new license to the Software.
5. Ownership Rights.
The Software is protected by United States’ and other copyright laws, international treaty provisions and other applicable
laws in the country in which it is being used. Extreme Networks and its suppliers own and retain all right, title and interest
in and to the Software, including all copyrights, patents, trade secret rights, trademarks and other intellectual property
rights therein. Your possession or Use of the Software does not transfer to you any title to the intellectual property in the
Software, and you will not acquire any rights to the Software except as expressly set forth in this Agreement. Any copy of
the Software authorized to be made under this Agreement must contain the same proprietary notices that appear on and
in such Software.
6. Evaluation Product Additional Terms.
If the product you have received with this license has been identified as “Beta” Software, then the provisions of this section
apply. To the extent that any provision in this section is in conflict with any other term or condition in this Agreement, this
section shall supersede such other term(s) and condition(s) with respect to the Beta Software, but only to the extent
necessary to resolve the conflict. You acknowledge that the Beta Software may contain bugs, errors and other problems
that could cause system or other failures and data loss. Consequently, Beta Software is provided to you "AS-IS", and
Extreme Networks disclaims any warranty or liability obligations to you of any kind. WHERE LEGAL LIABILITY CANNOT BE
EXCLUDED, BUT MAY BE LIMITED, EXTREME NETWORKS’ LIABILITY AND THAT OF ITS SUPPLIERS AND AUTHORIZED
PARTNERS SHALL BE LIMITED TO THE SUM OF FIFTY DOLLARS (U.S. $50) IN TOTAL. You acknowledge that Extreme
Networks has not promised or guaranteed to you that Beta Software will be announced or made available to anyone in the
future; that Extreme Networks has no express or implied obligation to you to announce or introduce the Beta Software;
and that Extreme Networks may not introduce a product similar to or compatible with the Beta Software. Accordingly, you
acknowledge that any research or development that you perform regarding the Beta Software or any product associated
with the Beta Software is done entirely at your own risk. During the term of this Agreement, you will provide feedback to
Extreme Networks upon request regarding testing and use of the Beta Software, including error or bug reports. If you have
been provided the Beta Software pursuant to a separate written agreement, your use of the Beta Software is also governed
by such agreement. Your Use and evaluation of the Beta Software is deemed the Confidential Information of Extreme
Networks, and will not be disclosed to any third party without Extreme Networks’ prior written consent. Upon receipt of a
later unreleased version of the Beta Software or release by Extreme Networks of a publicly released commercial version of
the Beta Software, whether as a stand-alone product or as part of a larger product, you agree to return or destroy all
earlier Beta Software received from Extreme Networks and to abide by the terms of the End User License Agreement for
any such later versions of the Beta Software. Your Use of the Beta Software is limited to 30 days unless otherwise agreed
to in writing by Extreme Networks.
7. Restrictions.
You may not sell, lease, license, rent, loan, resell or otherwise transfer the Software, with or without consideration. If you
enter into a contract with a third party in which the third party manages your information technology resources (“Managing
Party”), you may transfer all your rights to Use the Software to such Managing Party, provided that (a) the Managing Party
only Uses the Software for your internal operations and not for the benefit of another third party; (b) the Managing Party
agrees to comply with the terms and conditions of this Agreement, and (c) you provide Extreme Networks with written
notice that a Managing Party will be Using the Software on your behalf. You may not permit third parties to benefit from
the use or functionality of the Software via a timesharing, service bureau or other arrangement. You may not reverse
engineer, decompile, or disassemble the Software, except to the extent the foregoing restriction is expressly prohibited by
applicable law. You may not modify, or create derivative works based upon, the Software in whole or in part. You may not
copy the Software or Documentation except as expressly permitted in Section 2 above. You may not remove any
proprietary notices or labels on the Software. All rights not expressly set forth hereunder are reserved by Extreme
Networks.
8. Warranty and Disclaimer.
a. Limited Warranty. Extreme Networks warrants that for sixty (60) days from the date of original purchase the media (e.g.,
CD ROM), if any, on which the Software is contained will be free from defects in materials and workmanship. Extreme
Networks’ and its suppliers' entire liability and your exclusive remedy for any breach of the foregoing warranty shall be, at
Extreme Networks’ option, either (i) return of the purchase price paid for the license, if any, or (ii) replacement of the
defective media in which the Software is contained. You must return the defective media to Extreme Networks at your
expense. This limited warranty is void if the defect has resulted from accident, abuse, or misapplication. Any replacement
media will be warranted for the remainder of the original warranty period. Outside the United States, this remedy is not
available to the extent Extreme Networks is subject to restrictions under United States export control laws and regulations,
or prohibited by other laws and regulations.
b. Software Warranty and Disclaimer. Extreme Networks warrants the Software solely to End Users and subject to the terms
and conditions of the Extreme Networks standard warranty card provided with the Software. Except for the limited
warranty set forth therein, THE SOFTWARE IS PROVIDED "AS IS" AND EXTREME NETWORKS MAKES NO WARRANTY AS TO
USE OR PERFORMANCE. EXCEPT TO THE EXTENT SUCH EXCLUSIONS OR LIMITATIONS ARE PROHIBITED BY APPLICABLE
LAW, EXTREME NETWORKS, ITS SUPPLIERS AND AUTHORIZED PARTNERS MAKE NO WARRANTY, CONDITION,
REPRESENTATION, OR TERM (EXPRESS OR IMPLIED, WHETHER BY STATUTE, COMMON LAW, CUSTOM, USAGE OR
OTHERWISE) AS TO ANY MATTER INCLUDING, WITHOUT LIMITATION, NONINFRINGEMENT OF THIRD PARTY RIGHTS,
MERCHANTABILITY, SATISFACTORY QUALITY, INTEGRATION, OR FITNESS FOR A PARTICULAR PURPOSE. You assume
responsibility for selecting the Software to achieve your intended results, and for your Use thereof. WITHOUT LIMITING
THE FOREGOING PROVISIONS, EXTREME NETWORKS MAKES NO WARRANTY THAT THE SOFTWARE WILL BE ERROR-FREE
OR FREE FROM INTERRUPTIONS OR OTHER FAILURES, OR THAT THE SOFTWARE WILL MEET YOUR REQUIREMENTS.
9. Limitation of Liability.
UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER IN TORT, CONTRACT, OR OTHERWISE, SHALL
EXTREME NETWORKS OR ITS AUTHORIZED PARTNERS OR SUPPLIERS BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR
LOSS OF PROFITS, LOSS OF GOODWILL OR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OR
DAMAGES FOR GROSS NEGLIGENCE OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF
GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR FOR ANY OTHER DAMAGE OR LOSS. IN NO
EVENT SHALL EXTREME NETWORKS OR ITS AUTHORIZED PARTNERS OR SUPPLIERS BE LIABLE FOR ANY DAMAGE IN
EXCESS OF THE PRICE PAID FOR THE SOFTWARE, IF ANY, EVEN IF EXTREME NETWORKS OR ITS AUTHORIZED PARTNERS
OR SUPPLIERS SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. This limitation shall not apply to
liability for death or personal injury to the extent that applicable law prohibits such limitation. Extreme Networks is acting
on behalf of its suppliers for the purpose of disclaiming, excluding and/or limiting obligations, warranties and liability as
provided in this Agreement, but in no other respects and for no other purpose. The foregoing provisions shall be
enforceable to the maximum extent permitted by applicable law.
10. Notice to United States Government End Users.
The Software and accompanying Documentation are deemed to be "commercial computer software" and "commercial
computer software documentation," respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as
applicable. Any use, modification, reproduction, release, performance, display or disclosure of the Software and
accompanying Documentation by the United States Government shall be governed solely by the terms of this Agreement
and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.
11. Export Controls.
You are advised that the Software is of United States origin and subject to United States Export Administration
Regulations; diversion contrary to United States law and regulation is prohibited. You agree not to directly or indirectly
export, import or transmit the Software to any country, end user or for any Use that is prohibited by applicable United
States regulation or statute (including but not limited to those countries embargoed from time to time by the United States
government); or contrary to the laws or regulations of any other governmental entity that has jurisdiction over such
export, import, transmission or Use.
12. High Risk Activities.
The Software is not fault-tolerant and is not designed or intended for use in hazardous environments requiring fail-safe
performance, including without limitation, in the operation of nuclear facilities, aircraft navigation or communication
systems, air traffic control, weapons systems, direct life-support machines, or any other application in which the failure of
the Software could lead directly to death, personal injury, or severe physical or property damage (collectively, "High Risk
Activities"). EXTREME NETWORKS EXPRESSLY DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY OF FITNESS FOR HIGH
RISK ACTIVITIES.
13. Governing Law.
This Agreement will be governed by and construed in accordance with the substantive laws of the State of California. This
Agreement will not be governed by the conflict of laws rules of any jurisdiction or the United Nations Convention on
Contracts for the International Sale of Goods, the application of which is expressly excluded. The state and federal courts
sitting in Santa Clara County, California shall have exclusive jurisdiction over all disputes relating to this Agreement.
14. Open Source Software.
This product includes or may include some software programs that are licensed (or sublicensed) to the user under certain
Open Source Software licenses (“OSS Licenses”). If any portion of the Software is subject to an OSS License, and such
OSS License requires that Extreme Networks provide rights that are broader than the rights granted in this Agreement,
then the rights to that portion of the Code shall be governed by the broader rights required by such OSS License. THOSE
PORTIONS OF THE SOFTWARE THAT CONSIST OF OPEN SOURCE CODE ARE PROVIDED WITHOUT WARRANTY OR
INDEMNITY OF ANY KIND.
15. Audit for Compliance.
Extreme Networks reserves the right to periodically audit you to ensure that you are in compliance with the terms of this
Agreement. During standard business hours and upon prior written notice, Extreme Networks may visit You and You will
make available to Extreme Networks or its representatives any records pertaining to the Software. The cost of any
requested audit will be solely borne by Extreme Networks, unless such audit discloses an underpayment or amount due to
Extreme Networks in excess of five percent (5%) of the initial license fee for the Software or you are using the Software in
an unauthorized manner, in which case you shall pay the cost of the audit, in addition to any other amounts owed.
16. Miscellaneous.
This Agreement sets forth all rights for the user of the Software and is the entire Agreement between the parties. This
Agreement supersedes any other communications, representations or advertising relating to the Software and
Documentation. This Agreement may not be modified except by a written addendum issued by a duly authorized
representative of Extreme Networks. No provision hereof shall be deemed waived unless such waiver shall be in writing
and signed by Extreme Networks. If any provision of this Agreement is held invalid, the remainder of this Agreement shall
continue in full force and effect.
(09/01/2006)
Other Licenses
Sentriant AG and open-source licensing information is available through the following method:
Below are copies of the licenses and the applicable acknowledgements and attribution notices in connection with the third
party software used in Sentriant AG v5.1. The source code for this third party software is located
at www.extremenetworks.com/GLOBAL_DOCS/termsofsale.asp. Please see the Release Notes for this software for additional
information and copies of third party licenses.
Apache License Version 2.0, January 2004
http://www.apache.org/licenses/
The Apache Software License Version 2.0 applies to the following software packages: activemq,
Commons-codec, Commons-collections, Commons-dbcp, Commons-digester, Commons-fileupload,
Commons-httpclient, Commons-lang, Commons-logging, Commons-pool, Geronimo-spec-jms,
Geronimo-spec-j2ee-management, Geronimo-spec-jta, Log4j, Mockfu, Tomcat, Xerces,
Ant, Cglib, activeio, backport-util-concurrent, SNMP4j, commons-beanutils, commons-el,
commons-io, commons-modeler, jsp-api.jar, jasper-runtime.jar, jstl.jar, tiles.jar, Myfaces
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of
this document.
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under
common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to
cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent
(50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code,
documentation source, and configuration files.
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation, and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as
indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work
and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original
work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from,
or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or
additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by
the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the
purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the
Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control
systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and
improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the
copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by
Licensor and subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a
perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative
Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or
Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a
perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to
make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those
patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination
of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against
any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within
the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License
for that Work shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or
without modifications, and in Source or Object form, provided that You meet the following conditions:
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the
Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as
part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work,
provided that such additional attribution notices cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and
conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole,
provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion
in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or
conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license
agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product
names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT,
MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions
under this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or
otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall
any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of
any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to
damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or
losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to
offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent
with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole
responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor
harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such
warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on
the same "printed page" as the copyright notice for easier identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS"
BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific
language governing permissions and limitations under the License.
ASM
The following is a BSD license template. To generate your own license, change the values of
OWNER, ORGANIZATION and YEAR from their original values as given here, and substitute your
own.
Note: The advertising clause in the license appearing on BSD Unix files was officially rescinded by the Director of the Office
of Technology Licensing of the University of California on July 22 1999. He states that clause 3 is "hereby deleted in its
entirety."
Note the new BSD license is thus equivalent to the MIT License, except for the no-endorsement final clause.
<OWNER> = Regents of the University of California
<ORGANIZATION> = University of California, Berkeley
<YEAR> = 1998
In the original BSD license, both occurrences of the phrase "COPYRIGHT HOLDERS AND CONTRIBUTORS" in the disclaimer
read "REGENTS AND CONTRIBUTORS".
Here is the license template:
Copyright (c) <YEAR>, <OWNER>
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of the <ORGANIZATION> nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Open SSH
This file is part of the OpenSSH software.
The licences which components of this software fall under are as follows. First, we will summarize and say that all
components are under a BSD licence, or a licence more free than that.
OpenSSH contains no GPL code.
1) Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
All rights reserved
As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions
of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the
RFC file, it must be called by a name other than "ssh" or "Secure Shell".
[Tatu continues]
However, I am not implying to give any licenses to any patents or copyrights held by third parties, and the software includes
parts that are not under my direct control. As far as I know, all included source code is used in accordance with the relevant
license agreements and can be used freely for any purpose (the GNU license being the most restrictive); see below for
details.
[However, none of that term is relevant at this point in time. All of these restrictively licenced software components which
he talks about have been removed from OpenSSH, i.e.,
- RSA is no longer included, found in the OpenSSL library
- IDEA is no longer included, its use is deprecated
- DES is now external, in the OpenSSL library
- GMP is no longer used, and instead we call BN code from OpenSSL
- Zlib is now external, in a library
- The make-ssh-known-hosts script is no longer included
- TSS has been removed
- MD5 is now external, in the OpenSSL library
- RC4 support has been replaced with ARC4 support from OpenSSL
- Blowfish is now external, in the OpenSSL library
[The licence continues]
Note that any information and cryptographic algorithms used in this software are publicly available on the Internet and at
any major bookstore, scientific library, and patent office worldwide. More information can be found e.g. at "http://www.cs.hut.fi/crypto".
The legal status of this program is some combination of all these permissions and restrictions. Use only at your own
responsibility. You will be responsible for any legal consequences yourself; I am not making any claims whether possessing
or using this is legal or not in your country, and I am not taking any responsibility on your behalf.
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT
PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR
ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU
FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY
OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
2) The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style
license.
Cryptographic attack detector for ssh - source code
Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided
that this copyright notice is retained.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED. IN NO EVENT
SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL
DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS SOFTWARE.
Ariel Futoransky futo@core-sdi.com <http://www.core-sdi.com>
3) ssh-keyscan was contributed by David Mazieres under a BSD-style license.
Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
Modification and redistribution in source and binary forms is permitted provided that due credit is given to the author and
the OpenBSD project by leaving this copyright notice intact.
4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and
distributed with the following license:
@version 3.0 (December 2000)
Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
This code is hereby placed in the public domain.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
5) One component of the ssh source code is under a 3-clause BSD license, held by the University of California, since we
pulled these parts from original Berkeley code.
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
6) Remaining components of the software are provided under a standard 2-term BSD licence with the following names as
copyright holders:
Markus Friedl
Theo de Raadt
Niels Provos
Dug Song
Aaron Campbell
Damien Miller
Kevin Steves
Daniel Kouril
Wesley Griffin
Per Allansson
Nils Nordman
Simon Wilkinson
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
$OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp
Postgresql
Portions Copyright (c) 1996-2007, PostgreSQL Global Development Group Portions Copyright (c) 1994-1996 Regents of the
University of California
Permission to use, copy, modify, and distribute this software and its documentation for any purpose, without fee, and
without a written agreement is hereby granted, provided that the above copyright notice and this paragraph and the
following two paragraphs appear in all copies.
IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL,
INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE
AND ITS DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED
HEREUNDER IS ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO PROVIDE
MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
Postgresql jdbc
Copyright (c) 1997-2005, PostgreSQL Global Development Group
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the PostgreSQL Global Development Group nor the names of its contributors may be used to
endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
xstream
XStream is open source software, made available under a BSD license.
Copyright (c) 2003-2006, Joe Walnes
Copyright (c) 2006-2007, XStream Committers
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of XStream nor the names of its contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Libeay (Open SSL)
Copyright (C) 1997 Eric Young (eay@cryptsoft.com)
All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscape's SSL.
This library is free for commercial and non-commercial use as long as the following conditions
are adhered to. The following conditions apply to all code found in this distribution, be it the RC4,
RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this
distribution is covered by the same copyright terms except that the holder is Tim Hudson
(tjh@cryptsoft.com).
Please note that MD2, MD5 and IDEA are publicly available standards that contain sample implementations. I have recoded them in my own way but there is nothing special about those implementations. The DES library is another matter :-).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is
used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the
form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)". The word 'cryptographic' can be
left out if the routines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must
include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this
code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
The reason behind this being stated in this direct manner is past experience in code simply being copied and the attribution
removed from it and then being distributed as part of other packages. This implementation was a non-trivial and unpaid
effort.
Junit Common Public License - v 1.0
THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS COMMON PUBLIC LICENSE ("AGREEMENT").
ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS
AGREEMENT.
1. DEFINITIONS
"Contribution" means:
a) in the case of the initial Contributor, the initial code and documentation distributed under this Agreement, and
b) in the case of each subsequent Contributor:
i) changes to the Program, and
ii) additions to the Program;
where such changes and/or additions to the Program originate from and are distributed by that particular Contributor. A
Contribution 'originates' from a Contributor if it was added to the Program by such Contributor itself or anyone acting on
such Contributor's behalf. Contributions do not include additions to the Program which: (i) are separate modules of
software distributed in conjunction with the Program under their own license agreement, and (ii) are not derivative works
of the Program.
"Contributor" means any person or entity that distributes the Program.
"Licensed Patents " mean patent claims licensable by a Contributor which are necessarily infringed by the use or sale of its
Contribution alone or when combined with the Program.
"Program" means the Contributions distributed in accordance with this Agreement.
"Recipient" means anyone who receives the Program under this Agreement, including all Contributors.
2. GRANT OF RIGHTS
a) Subject to the terms of this Agreement, each Contributor hereby grants Recipient a non-exclusive, worldwide, royalty-free copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, distribute and sublicense
the Contribution of such Contributor, if any, and such derivative works, in source code and object code form.
b) Subject to the terms of this Agreement, each Contributor hereby grants Recipient a non-exclusive, worldwide, royalty-free patent license under Licensed Patents to make, use, sell, offer to sell, import and otherwise transfer the Contribution
of such Contributor, if any, in source code and object code form. This patent license shall apply to the combination of the
Contribution and the Program if, at the time the Contribution is added by the Contributor, such addition of the Contribution
causes such combination to be covered by the Licensed Patents. The patent license shall not apply to any other
combinations which include the Contribution. No hardware per se is licensed hereunder.
c) Recipient understands that although each Contributor grants the licenses to its Contributions set forth herein, no
assurances are provided by any Contributor that the Program does not infringe the patent or other intellectual property
rights of any other entity. Each Contributor disclaims any liability to Recipient for claims brought by any other entity based
on infringement of intellectual property rights or otherwise. As a condition to exercising the rights and licenses granted
hereunder, each Recipient hereby assumes sole responsibility to secure any other intellectual property rights needed, if
any. For example, if a third party patent license is required to allow Recipient to distribute the Program, it is Recipient's
responsibility to acquire that license before distributing the Program.
d) Each Contributor represents that to its knowledge it has sufficient copyright rights in its Contribution, if any, to grant the
copyright license set forth in this Agreement.
3. REQUIREMENTS
A Contributor may choose to distribute the Program in object code form under its own license agreement, provided that:
a) it complies with the terms and conditions of this Agreement; and
b) its license agreement:
i) effectively disclaims on behalf of all Contributors all warranties and conditions, express and implied, including warranties
or conditions of title and non-infringement, and implied warranties or conditions of merchantability and fitness for a
particular purpose;
ii) effectively excludes on behalf of all Contributors all liability for damages, including direct, indirect, special, incidental and
consequential damages, such as lost profits;
iii) states that any provisions which differ from this Agreement are offered by that Contributor alone and not by any other
party; and
iv) states that source code for the Program is available from such Contributor, and informs licensees how to obtain it in a
reasonable manner on or through a medium customarily used for software exchange.
When the Program is made available in source code form:
a) it must be made available under this Agreement; and
b) a copy of this Agreement must be included with each copy of the Program.
Contributors may not remove or alter any copyright notices contained within the Program.
Each Contributor must identify itself as the originator of its Contribution, if any, in a manner that reasonably allows
subsequent Recipients to identify the originator of the Contribution.
4. COMMERCIAL DISTRIBUTION
Commercial distributors of software may accept certain responsibilities with respect to end users, business partners and
the like. While this license is intended to facilitate the commercial use of the Program, the Contributor who includes the
Program in a commercial product offering should do so in a manner which does not create potential liability for other
Contributors. Therefore, if a Contributor includes the Program in a commercial product offering, such Contributor
("Commercial Contributor") hereby agrees to defend and indemnify every other Contributor ("Indemnified Contributor")
against any losses, damages and costs (collectively "Losses") arising from claims, lawsuits and other legal actions brought
by a third party against the Indemnified Contributor to the extent caused by the acts or omissions of such Commercial
Contributor in connection with its distribution of the Program in a commercial product offering. The obligations in this
section do not apply to any claims or Losses relating to any actual or alleged intellectual property infringement. In order to
qualify, an Indemnified Contributor must: a) promptly notify the Commercial Contributor in writing of such claim, and b)
allow the Commercial Contributor to control, and cooperate with the Commercial Contributor in, the defense and any
related settlement negotiations. The Indemnified Contributor may participate in any such claim at its own expense.
For example, a Contributor might include the Program in a commercial product offering, Product X. That Contributor is then
a Commercial Contributor. If that Commercial Contributor then makes performance claims, or offers warranties related to
Product X, those performance claims and warranties are such Commercial Contributor's responsibility alone. Under this
section, the Commercial Contributor would have to defend claims against the other Contributors related to those
performance claims and warranties, and if a court requires any other Contributor to pay any damages as a result, the
Commercial Contributor must pay those damages.
5. NO WARRANTY
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY
WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. Each Recipient is solely responsible for determining the appropriateness of using and distributing the Program
and assumes all risks associated with its exercise of rights under this Agreement, including but not limited to the risks and
costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and
unavailability or interruption of operations.
6. DISCLAIMER OF LIABILITY
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY
LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR
DISTRIBUTION OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
7. GENERAL
If any provision of this Agreement is invalid or unenforceable under applicable law, it shall not affect the validity or
enforceability of the remainder of the terms of this Agreement, and without further action by the parties hereto, such
provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
If Recipient institutes patent litigation against a Contributor with respect to a patent applicable to software (including a
cross-claim or counterclaim in a lawsuit), then any patent licenses granted by that Contributor to such Recipient under this
Agreement shall terminate as of the date such litigation is filed. In addition, if Recipient institutes patent litigation against
any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Program itself (excluding combinations of
the Program with other software or hardware) infringes such Recipient's patent(s), then such Recipient's rights granted
under Section 2(b) shall terminate as of the date such litigation is filed.
All Recipient's rights under this Agreement shall terminate if it fails to comply with any of the material terms or conditions
of this Agreement and does not cure such failure in a reasonable period of time after becoming aware of such
noncompliance. If all Recipient's rights under this Agreement terminate, Recipient agrees to cease use and distribution of
the Program as soon as reasonably practicable. However, Recipient's obligations under this Agreement and any licenses
granted by Recipient relating to the Program shall continue and survive.
Everyone is permitted to copy and distribute copies of this Agreement, but in order to avoid inconsistency the Agreement is
copyrighted and may only be modified in the following manner. The Agreement Steward reserves the right to publish new
versions (including revisions) of this Agreement from time to time. No one other than the Agreement Steward has the right
to modify this Agreement. IBM is the initial Agreement Steward. IBM may assign the responsibility to serve as the
Agreement Steward to a suitable separate entity. Each new version of the Agreement will be given a distinguishing version
number. The Program (including Contributions) may always be distributed subject to the version of the Agreement under
which it was received. In addition, after a new version of the Agreement is published, Contributor may elect to distribute
the Program (including its Contributions) under the new version. Except as expressly stated in Sections 2(a) and 2(b)
above, Recipient receives no rights or licenses to the intellectual property of any Contributor under this Agreement,
whether expressly, by implication, estoppel or otherwise. All rights in the Program not expressly granted under this
Agreement are reserved.
This Agreement is governed by the laws of the State of New York and the intellectual property laws of the United States of
America. No party to this Agreement will bring a legal action under this Agreement more than one year after the cause of
action arose. Each party waives its rights to a jury trial in any resulting litigation.
Open SSL
LICENSE ISSUES
==============
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay
license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source
licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
OpenSSL License
---------------
Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This
product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this
software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior
written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software
developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com). This product includes software written by Tim
Hudson (tjh@cryptsoft.com).
Original SSLeay License
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as
to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The
following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL
code. The SSL documentation included with this distribution is cvered by the same copyright terms except that the holder
is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is
used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the
form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This
product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left
out if the rouines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must
include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this
code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
The GNU General Public License (GPL) Version 2, June 1991
The following license applies to SAPQ, samba-tng, bridgeutil, dialog, watchdog, and lcd4linux
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU
General Public License is intended to guarantee your freedom to share and change free software--to make sure the
software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and
to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the
GNU Library General Public License instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make
sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you
receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs;
and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender
the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you
modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the
rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them
these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal
permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty
for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what
they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a
free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have
made it clear that any patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may
be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work,
and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a
work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as
"you".
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The
act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a
work based on the Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided
that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty;
keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of
the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in
exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and
copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of
these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any
change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program
or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for
such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright
notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute
the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program
itself is interactive but does not normally print such an announcement, your work based on the Program is not required to
print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the
Program, and can be reasonably considered independent and separate works in themselves, then this License, and its
terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same
sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless
of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the
intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the
Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form
under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the
terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to
be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative
is allowed only for noncommercial distribution and only if you received the program in object code or executable form with
such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an executable work,
complete source code means all the source code for all modules it contains, plus any associated interface definition files,
plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source
code distributed need not include anything that is normally distributed (in either source or binary form) with the major
components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering
equivalent access to copy the source code from the same place counts as distribution of the source code, even though third
parties are not compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any
attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your
rights under this License. However, parties who have received copies, or rights, from you under this License will not have
their licenses terminated so long as such parties remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to
modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this
License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your
acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or
works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a
license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may
not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for
enforcing compliance by third parties to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to
patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the
conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to
satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the
Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and
this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section
is intended to apply and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest
validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution
system, which is implemented by public license practices. Many people have made generous contributions to the wide
range of software distributed through that system in reliance on consistent application of that system; it is up to the
author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose
that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted
interfaces, the original copyright holder who places the Program under this License may add an explicit geographical
distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus
excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time.
Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or
concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this License which
applies to it and "any later version", you have the option of following the terms and conditions either of that version or of
any later version published by the Free Software Foundation. If the Program does not specify a version number of this
License, you may choose any version ever published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different,
write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the
Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of
preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software
generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE
EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS
AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.
SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER,
OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO
YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF
THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO
OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this
is to make it free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most
effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where
the full notice is found.
One line to give the program's name and a brief idea of what it does.
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of
course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or
menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for
the program, if necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers)
written by James Hacker.
signature of Ty Coon, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into proprietary programs. If your program is a
subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what
you want to do, use the GNU Library General Public License instead of this License.
Pullparser
Indiana LICENSE FOR THE Extreme! Lab PullParser
Copyright 2002 The Trustees of Indiana University.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1) All redistributions of source code must retain the above copyright notice, the list of authors in the original source code,
this list of conditions and the disclaimer listed in this license;
2) All redistributions in binary form must reproduce the above copyright notice, this list of conditions and the disclaimer
listed in this license in the documentation and/or other materials provided with the distribution;
3) Any documentation included with all redistributions must include the following acknowledgement:
"This product includes software developed by the Indiana University Extreme! Lab. For further information please visit
http://www.extreme.indiana.edu/ "
Alternatively, this acknowledgment may appear in the software itself, and wherever such third-party acknowledgments
normally appear.
4) The name "Indiana Univeristy" and "Indiana Univeristy Extreme! Lab" shall not be used to endorse or promote products
derived from this software without prior written permission from Indiana University. For written permission, please contact
http://www.extreme.indiana.edu/ .
5) Products derived from this software may not use "Indiana Univeristy" name nor may "Indiana Univeristy" appear in their
name, without prior written permission of the Indiana University.
Indiana University provides no reassurances that the source code provided does not infringe the patent or any other
intellectual property rights of any other entity. Indiana University disclaims any liability to any recipient for claims brought
by any other entity based on infringement of intellectual property rights or otherwise.
LICENSEE UNDERSTANDS THAT SOFTWARE IS PROVIDED "AS IS" FOR WHICH NO WARRANTIES AS TO CAPABILITIES OR
ACCURACY ARE MADE. INDIANA UNIVERSITY GIVES NO WARRANTIES AND MAKES NO REPRESENTATION THAT SOFTWARE
IS FREE OF INFRINGEMENT OF THIRD PARTY PATENT, COPYRIGHT, OR OTHER PROPRIETARY RIGHTS. INDIANA
UNIVERSITY MAKES NO WARRANTIES THAT
SOFTWARE IS FREE FROM "BUGS", "VIRUSES", "TROJAN HORSES", "TRAP DOORS", "WORMS", OR OTHER HARMFUL CODE.
LICENSEE ASSUMES THE ENTIRE RISK AS TO THE PERFORMANCE OF SOFTWARE AND/OR ASSOCIATED MATERIALS, AND
TO THE PERFORMANCE AND VALIDITY OF INFORMATION GENERATED USING SOFTWARE.
Xpp3
Indiana University Extreme! Lab Software License
Version 1.1.1
Copyright (c) 2002 Extreme! Lab, Indiana University. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment:
"This product includes software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/ )."
Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments
normally appear.
4. The names "Indiana Univeristy" and "Indiana Univeristy Extreme! Lab" must not be used to endorse or promote products
derived from this software without prior written permission. For written permission, please contact
http://www.extreme.indiana.edu/ .
5. Products derived from this software may not use "Indiana Univeristy" name nor may "Indiana Univeristy" appear in their
name, without prior written permission of the Indiana University.
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
NO EVENT SHALL THE AUTHORS, COPYRIGHT HOLDERS OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
The GNU Lesser General Public License (LGPL) Version 2.1
The following license applies to jcifs, mm.mysql, P0f, jarapac, ncacn_np, ntlm-security, jpcap, and pythondialog
Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License,
version 2, hence the version number 2.1.]
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU
General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the
software is free for all its users.
This license, the Lesser General Public License, applies to some specially designated software packages--typically
libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think
carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular
case, based on the explanations below.
When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to
make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that
you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free
programs; and that you are informed that you can do these things.
To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to
surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or
if you modify it.
For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights
that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the
library, you must provide complete object files to the recipients, so that they can relink them with the library after making
changes to the library and recompiling it. And you must show them these terms so they know their rights.
We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives
you legal permission to copy, distribute and/or modify the library.
To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is
modified by someone else and passed on, the recipients should know that what they have is not the original version, so
that the original author's reputation will not be affected by problems that might be introduced by others.
Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a
company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder.
Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of
use specified in this license.
Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU
Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public
License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.
When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally
speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such
linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria
for linking other code with the library.
We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary
General Public License. It also provides other free software developers Less of an advantage over competing non-free
programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the
Lesser license provides advantages in certain special circumstances.
For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so
that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more
frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain
by limiting the free library to free software only, so we use the Lesser General Public License.
In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a
large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more
people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.
Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a
program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version
of the Library.
The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference
between a "work based on the library" and a "work that uses the library". The former contains code derived from the
library, whereas the latter must be combined with the library in order to run.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright
holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also
called "this License"). Each licensee is addressed as "you".
A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application
programs (which use some of those functions and data) to form executables.
The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work
based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work
containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into
another language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete
source code means all the source code for all modules it contains, plus any associated interface definition files, plus the
scripts used to control compilation and installation of the library.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The
act of running a program using the Library is not restricted, and output from such a program is covered only if its contents
constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true
depends on what the Library does and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium,
provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of
warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of
this License along with the Library.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in
exchange for a fee.
2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and
copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of
these conditions:
a) The modified work must itself be a software library.
b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of
any change.
c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this
License.
d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application
program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good
faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and
performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the
application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be
optional: if the application does not supply it, the square root function must still compute square roots.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the
Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms,
do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as
part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License,
whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote
it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the
intent is to exercise the right to control the distribution of derivative or collective works based on the Library.
In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the
Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the
Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General
Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public
License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these
notices.
4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable
form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding
machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange.
If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to
copy the source code from the same place satisfies the requirement to distribute the source code, even though third
parties are not compelled to copy the source along with the object code.
5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being
compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the
Library, and therefore falls outside the scope of this License.
However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library
(because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered
by this License. Section 6 states terms for distribution of such executables.
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the
work may be a derivative work of the Library even though the source code is not. Whether this is true is especially
significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is
not precisely defined by law.
If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small
inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally
a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)
Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of
Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the
Library itself.
6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to
produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the
terms permit modification of the work for the customer's own use and reverse engineering for debugging such
modifications.
You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use
are covered by this License. You must supply a copy of this License. If the work during execution displays copyright
notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the
copy of this License. Also, you must do one of these things:
a) Accompany the work with the complete corresponding machine-readable source code for the Library including
whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an
executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or
source code, so that the user can modify the Library and then relink to produce a modified executable containing the
modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not
necessarily be able to recompile the application to use the modified definitions.)
b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses
at run time a copy of the library already present on the user's computer system, rather than copying library functions into
the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the
modified version is interface-compatible with the version that the work was made with.
c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials
specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access
to copy the above specified materials from the same place.
e) Verify that the user has already received a copy of these materials or that you have already sent this user a
copy.
For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed
for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include
anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so
on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally
accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an
executable that you distribute.
7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other
library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution
of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these
two things:
a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any
other library facilities. This must be distributed under the terms of the Sections above.
b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and
explaining where to find the accompanying uncombined form of the same work.
8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this
License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will
automatically terminate your rights under this License. However, parties who have received copies, or rights, from you
under this License will not have their licenses terminated so long as such parties remain in full compliance.
9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to
modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this
License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your
acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or
works based on it.
10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a
license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions.
You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible
for enforcing compliance by third parties with this License.
11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to
patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the
conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to
satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you
may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the
Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and
this License would be to refrain entirely from distribution of the Library.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section
is intended to apply, and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest
validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution
system which is implemented by public license practices. Many people have made generous contributions to the wide range
of software distributed through that system in reliance on consistent application of that system; it is up to the author/
donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that
choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted
interfaces, the original copyright holder who places the Library under this License may add an explicit geographical
distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus
excluded. In such case, this License incorporates the limitation as if written in the body of this License.
13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time
to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems
or concerns.
Each version is given a distinguishing version number. If the Library specifies a version number of this License which
applies to it and "any later version", you have the option of following the terms and conditions either of that version or of
any later version published by the Free Software Foundation. If the Library does not specify a license version number, you
may choose any version ever published by the Free Software Foundation.
14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible
with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation,
write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two
goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of
software generally.
NO WARRANTY
15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT
PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE
LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER,
OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY
OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Libraries
If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free
software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or,
alternatively, under the terms of the ordinary General Public License).
To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file
to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer
to where the full notice is found.
<one line to give the library's name and an idea of what it does.>
Copyright (C) <year> <name of author>
This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later
version.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for
more details.
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free
Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Also add information on how to contact you by electronic and paper mail.
You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for
the library, if necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in
the library `Frob' (a library for tweaking knobs) written
by James Random Hacker.
signature of Ty Coon, 1 April 1990
Ty Coon, President of Vice
That's all there is to it!
Ojdbc
Oracle Technology Network Development and Distribution License Terms
Export Controls on the Programs
Selecting the "Accept License Agreement" button is a confirmation of your agreement that you comply, now
and during the trial term, with each of the following statements:
- You are not a citizen, national, or resident of, and are not under control of, the government of Cuba, Iran,
Sudan, Libya, North Korea, Syria, nor any country to which the United States has prohibited export.
- You will not download or otherwise export or re-export the Programs, directly or indirectly, to the above
mentioned countries nor to citizens, nationals or residents of those countries.
- You are not listed on the United States Department of Treasury lists of Specially Designated Nationals,
Specially Designated Terrorists, and Specially Designated Narcotic Traffickers, nor are you listed on the
United States Department of Commerce Table of Denial Orders.
- You will not download or otherwise export or re-export the Programs, directly or indirectly, to persons on the
above mentioned lists.
- You will not use the Programs for, and will not allow the Programs to be used for, any purposes prohibited by
United States law, including, without limitation, for the development, design, manufacture or production of
nuclear, chemical or biological weapons of mass destruction.
EXPORT RESTRICTIONS
You agree that U.S. export control laws and other applicable export and import laws govern your use of the
programs, including technical data; additional information can be found on Oracle's Global Trade Compliance
web site (http://www.oracle.com/products/export ).
You agree that neither the programs nor any direct product thereof will be exported, directly, or indirectly, in
violation of these laws, or will be used for any purpose prohibited by these laws including, without limitation,
nuclear, chemical, or biological weapons proliferation.
Oracle Employees: Under no circumstances are Oracle Employees authorized to download software for the
purpose of distributing it to customers. Oracle products are available to employees for internal use or
demonstration purposes only. In keeping with Oracle's trade compliance obligations under U.S. and
applicable multilateral law, failure to comply with this policy could result in disciplinary action up to and
including termination.
Note: You are bound by the Oracle Technology Network ("OTN") License Agreement terms. The OTN License
Agreement terms also apply to all updates you receive under your Technology Track subscription.
The OTN License Agreement terms below supersede any shrinkwrap license on the OTN Technology Track
software CDs and previous OTN License terms (including the Oracle Program License as modified by the OTN
Program Use Certificate).
Oracle Technology Network Development and Distribution License Agreement
"We," "us," and "our" refers to Oracle USA, Inc., for and on behalf of itself and its subsidiaries and affiliates
under common control. "You" and "your" refers to the individual or entity that wishes to use the programs
from Oracle. "Programs" refers to the software product you wish to download and use and program
documentation. "License" refers to your right to use the programs under the terms of this agreement. This
agreement is governed by the substantive and procedural laws of California. You and Oracle agree to submit
to the exclusive jurisdiction of, and venue in, the courts of San Francisco, San Mateo, or Santa Clara
counties in California in any dispute arising out of or relating to this agreement.
We are willing to license the programs to you only upon the condition that you accept all of the
terms contained in this agreement. Read the terms carefully and select the "Accept" button at
the bottom of the page to confirm your acceptance. If you are not willing to be bound by these
terms, select the "Do Not Accept" button and the registration process will not continue.
License Rights
We grant you a nonexclusive, nontransferable limited license to use the programs for purposes of developing your
applications. You may also distribute the programs with your applications to your customers. If you want to use the
programs for any purpose other than as expressly permitted under this agreement you must contact us, or an Oracle
reseller, to obtain the appropriate license. We may audit your use of the programs. Program documentation is either
shipped with the programs, or documentation may be accessed online at http://otn.oracle.com/docs.
Ownership and Restrictions
We retain all ownership and intellectual property rights in the programs. You may make a sufficient number of copies of the
programs for the licensed use and one copy of the programs for backup purposes.
You may not:
- use the programs for any purpose other than as provided above;
- distribute the programs unless accompanied with your applications;
- charge your end users for use of the programs;
- remove or modify any program markings or any notice of our proprietary rights;
- use the programs to provide third party training on the content and/or functionality of the programs, except for training
your licensed users;
- assign this agreement or give the programs, program access or an interest in the programs to any individual or entity
except as provided under this agreement;
- cause or permit reverse engineering (unless required by law for interoperability), disassembly or decompilation of the
programs;
- disclose results of any program benchmark tests without our prior consent; or,
- use any Oracle name, trademark or logo.
Program Distribution
We grant you a nonexclusive, nontransferable right to copy and distribute the programs to your end users provided that you
do not charge your end users for use of the programs and provided your end users may only use the programs to run your
applications for their business operations. Prior to distributing the programs you shall require your end users to execute an
agreement binding them to terms consistent with those contained in this section and the sections of this agreement entitled
"License Rights," "Ownership and Restrictions," "Export," "Disclaimer of Warranties and Exclusive Remedies," "No Technical
Support," "End of Agreement," "Relationship Between the Parties," and "Open Source." You must also include a provision
stating that your end users shall have no right to distribute the programs, and a provision specifying us as a third party
beneficiary of the agreement. You are responsible for obtaining these agreements with your end users.
You agree to: (a) defend and indemnify us against all claims and damages caused by your distribution of the programs in
breach of this agreement and/or failure to include the required contractual provisions in your end user agreement as stated
above; (b) keep executed end user agreements and records of end user information including name, address, date of
distribution and identity of programs distributed; (c) allow us to inspect your end user agreements and records upon
request; and, (d) enforce the terms of your end user agreements so as to effect a timely cure of any end user breach, and
to notify us of any breach of the terms.
Export
You agree that U.S. export control laws and other applicable export and import laws govern your use of the programs,
including technical data; additional information can be found on Oracle's Global Trade Compliance web site located at
http://www.oracle.com/products/export/index.htmlcontent.html. You agree that neither the programs nor any direct product thereof
will be exported, directly, or indirectly, in violation of these laws, or will be used for any purpose prohibited by these laws
including, without limitation, nuclear, chemical, or biological weapons proliferation.
Disclaimer of Warranty and Exclusive Remedies
THE PROGRAMS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. WE FURTHER DISCLAIM ALL WARRANTIES,
EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT.
IN NO EVENT SHALL WE BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES,
OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR DATA USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER
IN AN ACTION IN CONTRACT OR TORT, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. OUR
ENTIRE LIABILITY FOR DAMAGES HEREUNDER SHALL IN NO EVENT EXCEED ONE THOUSAND DOLLARS (U.S. $1,000).
No Technical Support
Our technical support organization will not provide technical support, phone support, or updates to you for the programs
licensed under this agreement.
Restricted Rights
If you distribute a license to the United States government, the programs, including documentation, shall be considered
commercial computer software and you will place a legend, in addition to applicable copyright notices, on the
documentation, and on the media label, substantially similar to the following:
NOTICE OF RESTRICTED RIGHTS
"Programs delivered subject to the DOD FAR Supplement are 'commercial computer software' and use, duplication, and
disclosure of the programs, including documentation, shall be subject to the licensing restrictions set forth in the applicable
Oracle license agreement. Otherwise, programs delivered subject to the Federal Acquisition Regulations are 'restricted
computer software' and use, duplication, and disclosure of the programs, including documentation, shall be subject to the
restrictions in FAR 52.227-19, Commercial Computer Software-Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle
Parkway, Redwood City, CA 94065."
End of Agreement
You may terminate this agreement by destroying all copies of the programs. We have the right to terminate your right to
use the programs if you fail to comply with any of the terms of this agreement, in which case you shall destroy all copies of
the programs.
Relationship Between the Parties
The relationship between you and us is that of licensee/licensor. Neither party will represent that it has any authority to
assume or create any obligation, express or implied, on behalf of the other party, nor to represent the other party as agent,
employee, franchisee, or in any other capacity. Nothing in this agreement shall be construed to limit either party's right to
independently develop or distribute software that is functionally similar to the other party's products, so long as proprietary
information of the other party is not included in such software.
Open Source
"Open Source" software - software available without charge for use, modification and distribution - is often licensed under
terms that require the user to make the user's modifications to the Open Source software or any software that the user
'combines' with the Open Source software freely available in source code form. If you use Open Source software in
conjunction with the programs, you must ensure that your use does not: (i) create, or purport to create, obligations of us
with respect to the Oracle programs; or (ii) grant, or purport to grant, to any third party any rights to or immunities under
our intellectual property or proprietary rights in the Oracle programs. For example, you may not develop a software
program using an Oracle program and an Open Source program where such use results in a program file(s) that contains
code from both the Oracle program and the Open Source program (including without limitation libraries) if the Open Source
program is licensed under a license that requires any "modifications" be made freely available. You also may not combine
the Oracle program with programs licensed under the GNU General Public License ("GPL") in any manner that could cause,
or could be interpreted or asserted to cause, the Oracle program or any modifications thereto to become subject to the
terms of the GPL.
Entire Agreement
You agree that this agreement is the complete agreement for the programs and licenses, and this agreement supersedes all
prior or contemporaneous agreements or representations. If any term of this agreement is found to be invalid or
unenforceable, the remaining provisions will remain effective.
Last updated: 03/09/05
Should you have any questions concerning this License Agreement, or if you desire to contact Oracle for any reason, please
write:
Oracle USA, Inc.
500 Oracle Parkway,
Redwood City, CA 94065
Oracle may contact you to ask if you had a satisfactory experience installing and using this OTN software download.
JavaMail Sun Microsystems, Inc.
Binary Code License Agreement
READ THE TERMS OF THIS AGREEMENT AND ANY PROVIDED SUPPLEMENTAL LICENSE TERMS (COLLECTIVELY
"AGREEMENT") CAREFULLY BEFORE OPENING THE SOFTWARE
MEDIA PACKAGE. BY OPENING THE SOFTWARE MEDIA PACKAGE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU
ARE ACCESSING THE SOFTWARE ELECTRONICALLY, INDICATE YOUR ACCEPTANCE OF THESE TERMS BY SELECTING THE
"ACCEPT" BUTTON AT THE END OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL THESE TERMS, PROMPTLY RETURN
THE UNUSED SOFTWARE TO YOUR PLACE OF PURCHASE FOR A REFUND OR, IF THE SOFTWARE IS ACCESSED
ELECTRONICALLY, SELECT THE "DECLINE" BUTTON AT THE END OF THIS AGREEMENT.
1. LICENSE TO USE. Sun grants you a non-exclusive and non-transferable license for the internal use only of the
accompanying software and documentation and any error corrections provided by Sun (collectively "Software"), by the
number of users and the class of computer hardware for which the corresponding fee has been paid.
2. RESTRICTIONS. Software is confidential and copyrighted. Title to Software and all associated intellectual property rights
is retained by Sun and/or its licensors. Except as specifically authorized in any Supplemental License Terms, you may not
make copies of Software, other than a single copy of Software for archival purposes. Unless enforcement is prohibited by
applicable law, you may not modify, decompile, or reverse engineer Software. You acknowledge that Software is not
designed, licensed or intended for use in the design, construction, operation or maintenance of any nuclear facility. Sun
disclaims any express or implied warranty of fitness for such uses. No right, title or interest in or to any trademark, service
mark, logo or trade name of Sun or its licensors is granted under this Agreement.
3. LIMITED WARRANTY. Sun warrants to you that for a period of ninety (90) days from the date of purchase, as evidenced
by a copy of the receipt, the media on which Software is furnished (if any) will be free of defects in materials and
workmanship under normal use. Except for the foregoing, Software is provided "AS IS". Your exclusive remedy and Sun's
entire liability under this limited warranty will be at Sun's option to replace Software media or refund the fee paid for
Software.
Licenses
4. DISCLAIMER OF WARRANTY. UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT THESE DISCLAIMERS ARE
HELD TO BE LEGALLY INVALID.
5. LIMITATION OF LIABILITY. TO THE EXTENT NOT
PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA,
OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF
THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN
HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event will Sun's liability to you, whether in contract,
tort (including negligence), or otherwise, exceed the amount paid by you for Software under this Agreement. The foregoing
limitations will apply even if the above stated warranty fails of its essential purpose.
6. Termination. This Agreement is effective until terminated. You may terminate this Agreement at any time by destroying
all copies of Software. This Agreement will terminate immediately without notice from Sun if you fail to comply with any
provision of this Agreement. Upon Termination, you must destroy all copies of Software.
7. Export Regulations. All Software and technical data delivered under this Agreement are subject to US export control laws
and may be subject to export or import regulations in other countries. You agree to comply strictly with all such laws and
regulations and acknowledge that you have the responsibility to obtain such licenses to export, re-export, or import as may
be required after delivery to you.
8. U.S. Government Restricted Rights. If Software is being acquired by or on behalf of the U.S. Government or by a U.S.
Government prime contractor or subcontractor (at any tier), then the Government's rights in Software and accompanying
documentation will be only as set forth in this Agreement; this is in accordance with 48 CFR 227.7201 through 227.7202-4
(for Department of Defense (DOD) acquisitions) and with 48 CFR 2.101 and 12.212 (for non-DOD acquisitions).
9. Governing Law. Any action related to this Agreement will be governed by California law and controlling U.S. federal law.
No choice of law rules of any jurisdiction will apply.
10. Severability. If any provision of this Agreement is held to be unenforceable, this Agreement will remain in effect with
the provision omitted, unless omission would frustrate the intent of the parties, in which case this Agreement will
immediately terminate.
11. Integration. This Agreement is the entire agreement between you and Sun relating to its subject matter. It supersedes
all prior or contemporaneous oral or written communications, proposals, representations and warranties and prevails over
any conflicting or additional terms of any quote, order, acknowledgment, or other communication between the parties
relating to its subject matter during the term of this Agreement. No modification of this Agreement will be binding, unless
in writing and signed by an authorized representative of each party.
JAVAMAIL(TM), VERSION 1.3.1 SUPPLEMENTAL LICENSE TERMS
These supplemental license terms ("Supplemental Terms") add to or modify the terms of the Binary Code License
Agreement (collectively, the "Agreement"). Capitalized terms not defined in these Supplemental Terms shall have the same
meanings ascribed to them in the Agreement. These Supplemental Terms shall supersede any inconsistent or conflicting
terms in the Agreement, or in any license contained within the Software.
1. Software Internal Use and Development License Grant. Subject to the terms and conditions of this Agreement, including,
but not limited to Section 3 (Java(TM) Technology Restrictions) of these Supplemental Terms, Sun grants you a
non-exclusive, non-transferable, limited license to reproduce internally and use internally the binary form of the Software,
complete and unmodified, for the sole purpose of designing, developing and testing your Java applets and applications
("Programs").
2. License to Distribute Software. Subject to the terms and conditions of this Agreement, including, but not limited to
Section 3 (Java(TM) Technology Restrictions) of these Supplemental Terms, Sun grants you a non-exclusive,
non-transferable, limited license to reproduce and distribute the Software in binary code form only, provided that (i) you
distribute the Software complete and unmodified and only bundled as part of, and for the sole purpose of running, your Java
applets or applications ("Programs"), (ii) the Programs add significant and primary functionality to the Software, (iii) you do
not distribute additional software intended to replace any component(s) of the Software, (iv) you do not remove or alter any
proprietary legends or notices contained in the Software, (v) you only distribute the Software subject to a license agreement
that protects Sun's interests consistent with the terms contained in this Agreement, and (vi) you agree to defend and
indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses
(including attorneys' fees) incurred in connection with any claim, lawsuit or action by any third party that arises or results
from the use or distribution of any and all Programs and/or Software.
3. Java Technology Restrictions. You may not modify the Java Platform Interface ("JPI", identified as classes contained
within the "java" package or any subpackages of the "java" package), by creating additional classes within the JPI or
otherwise causing the addition to or modification of the classes in the JPI. In the event that you create an additional class
and associated API(s) which (i) extends the functionality of the Java platform, and (ii) is exposed to third party software
developers for the purpose of developing additional software which invokes such additional API, you must promptly publish
broadly an accurate specification for such API for free use by all developers. You may not create, or authorize your licensees
to create additional classes, interfaces, or subpackages that are in any way identified as "java", "javax", "sun" or similar
convention as specified by Sun in any naming convention designation.
4. Trademarks and Logos. You acknowledge and agree as between you and Sun that Sun owns the SUN, SOLARIS, JAVA,
JINI, FORTE, STAROFFICE, STARPORTAL and iPLANET trademarks and all SUN, SOLARIS, JAVA, JINI, FORTE, STAROFFICE,
STARPORTAL and iPLANET-related trademarks, service marks, logos and other brand designations ("Sun Marks"), and you
agree to comply with the Sun Trademark and Logo Usage Requirements currently located at
http://www.sun.com/policies/trademarks. Any use you make of the Sun Marks inures to Sun's benefit.
5. Source Code. Software may contain source code that is provided solely for reference purposes pursuant to the terms of
this Agreement. Source code may not be redistributed unless expressly provided for in this Agreement.
6. Termination for Infringement. Either party may terminate this Agreement immediately should any Software become, or in
either party's opinion be likely to become, the subject of a claim of infringement of any intellectual property right.
For inquiries please contact: Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A.
(LFI#132726/Form ID#011801)
jcharts
Copyright 2002 (C) Nathaniel G. Auvil. All Rights Reserved.
Redistribution and use of this software and associated documentation ("Software"), with or
without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain copyright statements and notices.
Redistributions must also contain a copy of this document.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other materials
provided with the distribution.
3. The name "jCharts" or "Nathaniel G. Auvil" must not be used to endorse or promote
products derived from this Software without prior written permission of Nathaniel G.
Auvil. For written permission, please contact nathaniel_auvil@users.sourceforge.net
4. Products derived from this Software may not be called "jCharts" nor may "jCharts" appear
in their names without prior written permission of Nathaniel G. Auvil. jCharts is a
registered trademark of Nathaniel G. Auvil.
5. Due credit should be given to the jCharts Project (http://jcharts.krysalis.org).
THIS SOFTWARE IS PROVIDED BY Nathaniel G. Auvil AND CONTRIBUTORS ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
jCharts OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PyXML Python License (CNRI Python License)
CNRI OPEN SOURCE LICENSE AGREEMENT
IMPORTANT: PLEASE READ THE FOLLOWING AGREEMENT CAREFULLY. BY CLICKING ON "ACCEPT" WHERE INDICATED
BELOW, OR BY COPYING, INSTALLING OR OTHERWISE USING PYTHON 1.6, beta 1 SOFTWARE, YOU ARE DEEMED TO HAVE
AGREED TO THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT.
1. This LICENSE AGREEMENT is between the Corporation for National Research Initiatives, having an office at 1895 Preston
White Drive, Reston, VA 20191 ("CNRI"), and the Individual or Organization ("Licensee") accessing and otherwise using
Python 1.6, beta 1 software in source or binary form and its associated documentation, as released at the
http://www.python.org Internet site on August 4, 2000 ("Python 1.6b1").
2. Subject to the terms and conditions of this License Agreement, CNRI hereby grants Licensee a non-exclusive,
royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute,
and otherwise use Python 1.6b1 alone or in any derivative version, provided, however, that CNRI's License Agreement is
retained in Python 1.6b1, alone or in any derivative version prepared by Licensee.
Alternately, in lieu of CNRI's License Agreement, Licensee may substitute the following text (omitting the quotes): "Python
1.6, beta 1, is made available subject to the terms and conditions in CNRI's License Agreement. This Agreement may be
located on the Internet using the following unique, persistent identifier (known as a handle): 1895.22/1011. This Agreement
may also be obtained from a proxy server on the Internet using the URL: http://hdl.handle.net/1895.22/1011".
3. In the event Licensee prepares a derivative work that is based on or incorporates Python 1.6b1 or any part thereof, and
wants to make the derivative work available to the public as provided herein, then Licensee hereby agrees to indicate in any
such work the nature of the modifications made to Python 1.6b1.
4. CNRI is making Python 1.6b1 available to Licensee on an "AS IS" basis. CNRI MAKES NO REPRESENTATIONS OR
WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, CNRI MAKES NO AND DISCLAIMS ANY
REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE
OF PYTHON 1.6b1 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.
5. CNRI SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL, SPECIAL,
OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DISTRIBUTING PYTHON 1.6b1, OR ANY
DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
6. This License Agreement will automatically terminate upon a material breach of its terms and conditions.
7. This License Agreement shall be governed by and interpreted in all respects by the law of the State of Virginia, excluding
conflict of law provisions. Nothing in this License Agreement shall be deemed to create any relationship of agency,
partnership, or joint venture between CNRI and Licensee. This License Agreement does not grant permission to use CNRI
trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party.
8. By clicking on the "ACCEPT" button where indicated, or by copying, installing or otherwise using Python 1.6b1, Licensee
agrees to be bound by the terms and conditions of this License Agreement.
IO-Stty and IO-Tty
The Artistic License
Preamble
The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright
Holder maintains some semblance of artistic control over the development of the package, while giving the users of the
package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable
modifications.
Definitions:
"Package" refers to the collection of files distributed by the Copyright Holder, and derivatives of that collection of
files created through textual modification.
"Standard Version" refers to such a Package if it has not been modified, or has been modified in accordance with
the wishes of the Copyright Holder.
"Copyright Holder" is whoever is named in the copyright or copyrights for the package.
"You" is you, if you're thinking about copying or distributing this Package.
"Reasonable copying fee" is whatever you can justify on the basis of media cost, duplication charges, time of
people involved, and so on. (You will not be required to justify it to the Copyright Holder, but only to the computing
community at large as a market that must bear the fee.)
"Freely Available" means that no fee is charged for the item itself, though there may be fees involved in handling
the item. It also means that recipients of the item may redistribute it under the same conditions they received it.
1. You may make and give away verbatim copies of the source form of the Standard Version of this Package without
restriction, provided that you duplicate all of the original copyright notices and associated disclaimers.
2. You may apply bug fixes, portability fixes and other modifications derived from the Public Domain or from the Copyright
Holder. A Package modified in such a way shall still be considered the Standard Version.
3. You may otherwise modify your copy of this Package in any way, provided that you insert a prominent notice in each
changed file stating how and when you changed that file, and provided that you do at least ONE of the following:
a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by posting said
modifications to Usenet or an equivalent medium, or placing the modifications on a major archive site such as ftp.uu.net,
or by allowing the Copyright Holder to include your modifications in the Standard Version of the Package.
b) use the modified Package only within your corporation or organization.
c) rename any non-standard executables so the names do not conflict with standard executables, which must also be
provided, and provide a separate manual page for each non-standard executable that clearly documents how it differs from
the Standard Version.
d) make other distribution arrangements with the Copyright Holder.
4. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of
the following:
a) distribute a Standard Version of the executables and library files, together with instructions (in the manual page or
equivalent) on where to get the Standard Version.
b) accompany the distribution with the machine-readable source of the Package with your modifications.
c) accompany any non-standard executables with their corresponding Standard Version executables, giving the
non-standard executables non-standard names, and clearly documenting the differences in manual pages (or equivalent),
together with instructions on where to get the Standard Version.
d) make other distribution arrangements with the Copyright Holder.
5. You may charge a reasonable copying fee for any distribution of this Package. You may charge any fee you choose for
support of this Package. You may not charge a fee for this Package itself. However, you may distribute this Package in
aggregate with other (possibly commercial) programs as part of a larger (possibly commercial) software distribution
provided that you do not advertise this Package as a product of your own.
6. The scripts and library files supplied as input to or produced as output from the programs of this Package do not
automatically fall under the copyright of this Package, but belong to whomever generated them, and may be sold
commercially, and may be aggregated with this Package.
7. C or perl subroutines supplied by you and linked into this Package shall not be considered part of this Package.
8. The name of the Copyright Holder may not be used to endorse or promote products derived from this software without
specific prior written permission.
9. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT
LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The End
Concurrent
TECHNOLOGY LICENSE FROM SUN MICROSYSTEMS, INC.
TO DOUG LEA
Whereas Doug Lea desires to utilize certain Java Software technologies in the util.concurrent technology; and Whereas
Sun Microsystems, Inc. (Sun) desires that Doug Lea utilize certain Java Software technologies in the util.concurrent
technology;
Therefore the parties agree as follows, effective May 31, 2002:
Java Software technologies means
classes/java/util/ArrayList.java, and
classes/java/util/HashMap.java.
The Java Software technologies are Copyright (c) 1994-2000 Sun Microsystems, Inc. All rights reserved.
Sun hereby grants Doug Lea a non-exclusive, worldwide, non-transferable license to use, reproduce, create derivative works
of, and distribute the Java Software and derivative works thereof in source and binary forms as part of a larger work, and
to sublicense the right to use, reproduce and distribute the Java Software and Doug Lea's derivative works as the part of
larger works through multiple tiers of sublicensees provided that the following conditions are met:
-Neither the name of or trademarks of Sun may be used to endorse or promote products including
or derived from the Java Software technology without specific prior written permission; and
-Redistributions of source or binary code must contain the above copyright notice, this notice and the following
disclaimers:
This software is provided "AS IS," without a warranty of any kind. ALL EXPRESS OR
IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED. SUN
MICROSYSTEMS, INC. AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE AS A
RESULT OF USING, MODIFYING OR DISTRIBUTING THE SOFTWARE OR ITS DERIVATIVES. IN NO EVENT WILL SUN
MICROSYSTEMS, INC. OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT,
INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF
THE THEORY OF LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN
MICROSYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
You acknowledge that Software is not designed, licensed or intended for use in the design, construction, operation or
maintenance of any nuclear facility.
signed [Doug Lea] dated
Crypto++
Crypto++ License agreement
Compilation Copyright (c) 1995-2003 by Wei Dai. All rights reserved. This copyright applies only to this software
distribution package as a compilation, and does not imply a copyright on any particular file in the package.
The following files are copyrighted by their respective original authors, and their use is subject to additional licenses
included in these files.
mars.cpp - Copyright 1998 Brian Gladman.
All other files in this compilation are placed in the public domain by Wei Dai and other contributors.
I would like to thank the following authors for placing their works into the public domain:
Joan Daemen - 3way.cpp
Leonard Janke - cast.cpp, seal.cpp
Steve Reid - cast.cpp
Phil Karn - des.cpp
Michael Paul Johnson - diamond.cpp
Andrew M. Kuchling - md2.cpp, md4.cpp
Colin Plumb - md5.cpp, md5mac.cpp
Sean Woods - rc6.cpp
Chris Morgan - rijndael.cpp
Paulo Barreto - rijndael.cpp, skipjack.cpp, square.cpp
Richard De Moliner - safer.cpp
Matthew Skala - twofish.cpp
Permission to use, copy, modify, and distribute this compilation for any purpose, including commercial applications, is
hereby granted without fee, subject to the following restrictions:
1. Any copy or modification of this compilation in any form, except in object code form as part of an application software,
must include the above copyright notice and this license.
2. Users of this software agree that any modification or extension they provide to Wei Dai will be considered public domain
and not copyrighted unless it includes an explicit copyright notice.
3. Wei Dai makes no warranty or representation that the operation of the software in this compilation will be error-free,
and Wei Dai is under no obligation to provide any services, by way of maintenance, update, or otherwise. THE SOFTWARE
AND ANY DOCUMENTATION ARE PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
WILL WEI DAI OR ANY OTHER CONTRIBUTOR BE LIABLE FOR DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
4. Users will not use Wei Dai or any other contributor's name in any publicity or advertising, without prior written consent in
each case.
5. Export of this software from the United States may require a specific license from the United States Government. It is
the responsibility of any person or organization contemplating export to obtain such a license before exporting.
6. Certain parts of this software may be protected by patents. It is the users' responsibility to obtain the appropriate
licenses before using those parts.
If this compilation is used in object code form in an application software, acknowledgement of the author is not required
but would be appreciated. The contribution of any useful modifications or extensions to Wei Dai is not required but would
also be appreciated.
WinPcap
Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy).
Copyright (c) 2005 - 2007 CACE Technologies, Davis (California).
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the Politecnico di Torino, CACE Technologies nor the names of its contributors may be used to
endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its
contributors.
This product includes software developed by the Kungliga Tekniska Högskolan and its contributors.
This product includes software developed by Yen Yen Lim and North Dakota State University.
Portions Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 The Regents of the University of California. All
rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This
product includes software developed by the University of California, Berkeley and its contributors."
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Portions Copyright (c) 1983 Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this
paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related
to such distribution and use acknowledge that the software was developed by the University of California, Berkeley. The
name of the University may not be used to endorse or promote products derived from this software without specific prior
written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
Portions Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden).
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This
product includes software developed by the Kungliga Tekniska Högskolan and its contributors."
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Portions Copyright (c) 1997 Yen Yen Lim and North Dakota State University. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This
product includes software developed by Yen Yen Lim and North Dakota State University"
4. The name of the author may not be used to endorse or promote products derived from this software without specific
prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Portions Copyright (c) 1993 by Digital Equipment Corporation.
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted,
provided that the above copyright notice and this permission notice appear in all copies, and that the name of Digital
Equipment Corporation not be used in advertising or publicity pertaining to distribution of the document or software
without specific, written prior permission.
THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
DIGITAL EQUIPMENT CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR
ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
Portions Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the project nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Portions Copyright (c) 1996 Juniper Networks, Inc. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source
code distributions retain the above copyright notice and this paragraph in its entirety, (2) distributions including binary
code include the above copyright notice and this paragraph in its entirety in the documentation or other materials provided
with the distribution. The name of Juniper Networks may not be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT
LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Portions Copyright (c) 2001 Daniel Hartmeier All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTOR "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Portions Copyright 1989 by Carnegie Mellon.
Permission to use, copy, modify, and distribute this program for any purpose and without fee is hereby granted, provided
that this copyright and permission notice appear on all copies and supporting documentation, the name of Carnegie Mellon
not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice
be given in supporting documentation that copying and distribution is by permission of Carnegie Mellon and Stanford
University. Carnegie Mellon makes no representations about the suitability of this software for any purpose. It is provided
"as is" without express or implied warranty.
June 14, 2007
Activation
Sun Microsystems, Inc.
Binary Code License Agreement
READ THE TERMS OF THIS AGREEMENT AND ANY PROVIDED SUPPLEMENTAL LICENSE TERMS (COLLECTIVELY
"AGREEMENT") CAREFULLY BEFORE OPENING THE SOFTWARE MEDIA PACKAGE. BY OPENING THE SOFTWARE MEDIA
PACKAGE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ACCESSING THE SOFTWARE ELECTRONICALLY,
INDICATE YOUR ACCEPTANCE OF THESE TERMS BY SELECTING THE "ACCEPT" BUTTON AT THE END OF THIS AGREEMENT.
IF YOU DO NOT AGREE TO ALL THESE TERMS, PROMPTLY RETURN THE UNUSED SOFTWARE TO YOUR PLACE OF PURCHASE
FOR A REFUND OR, IF THE SOFTWARE IS ACCESSED ELECTRONICALLY, SELECT THE "DECLINE" BUTTON AT THE END OF
THIS AGREEMENT.
1. LICENSE TO USE. Sun grants you a non-exclusive and non-transferable license for the internal use only of the
accompanying software and documentation and any error corrections provided by Sun (collectively "Software"), by the
number of users and the class of computer hardware for which the corresponding fee has been paid.
2. RESTRICTIONS. Software is confidential and copyrighted. Title to Software and all associated intellectual property
rights is retained by Sun and/or its licensors. Except as specifically authorized in any Supplemental License Terms, you
may not make copies of Software, other than a single copy of Software for archival purposes. Unless enforcement is
prohibited by applicable law, you may not modify, decompile, or reverse engineer Software. You acknowledge that
Software is not designed, licensed or intended for use in the design, construction, operation or maintenance of any nuclear
facility. Sun disclaims any express or implied warranty of fitness for such uses. No right, title or interest in or to any
trademark, service mark, logo or trade name of Sun or its licensors is granted under this Agreement.
3. LIMITED WARRANTY. Sun warrants to you that for a period of ninety (90) days from the date of purchase, as evidenced
by a copy of the receipt, the media on which Software is furnished (if any) will be free of defects in materials and
workmanship under normal use. Except for the foregoing, Software is provided "AS IS". Your exclusive remedy and Sun's
entire liability under this limited warranty will be at Sun's option to replace Software media or refund the fee paid for
Software.
4. DISCLAIMER OF WARRANTY. UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT THESE DISCLAIMERS
ARE HELD TO BE LEGALLY INVALID.
5. LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS
BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR
PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO
THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event will Sun's liability to you, whether in contract, tort (including negligence), or otherwise, exceed the
amount paid by you for Software under this Agreement. The foregoing limitations will apply even if the above stated
warranty fails of its essential purpose.
6. Termination. This Agreement is effective until terminated. You may terminate this Agreement at any time by
destroying all copies of Software. This Agreement will terminate immediately without notice from Sun if you fail to comply
with any provision of this Agreement. Upon Termination, you must destroy all copies of Software.
7. Export Regulations. All Software and technical data delivered under this Agreement are subject to US export control laws
and may be subject to export or import regulations in other countries. You agree to comply strictly with all such laws and
regulations and acknowledge that you have the responsibility to obtain such licenses to export, re-export, or import as may
be required after delivery to you.
8. U.S. Government Restricted Rights. If Software is being acquired by or on behalf of the U.S. Government or by a U.S.
Government prime contractor or subcontractor (at any tier), then the Government's rights in Software and accompanying
documentation will be only as set forth in this Agreement; this is in accordance with 48 CFR 227.7201 through 227.7202-4
(for Department of Defense (DOD) acquisitions) and with 48 CFR 2.101 and 12.212 (for non-DOD acquisitions).
9. Governing Law. Any action related to this Agreement will be governed by California law and controlling U.S. federal
law. No choice of law rules of any jurisdiction will apply.
10. Severability. If any provision of this Agreement is held to be unenforceable, this Agreement will remain in effect with
the provision omitted, unless omission would frustrate the intent of the parties, in which case this Agreement will
immediately terminate.
11. Integration. This Agreement is the entire agreement between you and Sun relating to its subject matter. It
supersedes all prior or contemporaneous oral or written communications, proposals, representations and warranties and
prevails over any conflicting or additional terms of any quote, order, acknowledgment, or other communication between the
parties relating to its subject matter during the term of this Agreement. No modification of this Agreement will be binding,
unless in writing and signed by an authorized representative of each party.
JAVA OPTIONAL PACKAGE
JAVABEANS(TM) ACTIVATION FRAMEWORK, VERSION 1.0.2 SUPPLEMENTAL LICENSE TERMS
These supplemental license terms ("Supplemental Terms") add to or modify the terms of the Binary Code License
Agreement (collectively, the "Agreement"). Capitalized terms not defined in these Supplemental Terms shall have the same
meanings ascribed to them in the Agreement. These Supplemental Terms shall supersede any inconsistent or conflicting
terms in the Agreement, or in any license contained within the Software.
1. Software Internal Use and Development License Grant. Subject to the terms and conditions of this Agreement,
including, but not limited to Section 3 (Java(TM) Technology Restrictions) of these Supplemental Terms, Sun grants you a
non-exclusive, non-transferable, limited license to reproduce internally and use internally the binary form of the Software,
complete and unmodified, for the sole purpose of designing, developing and testing your Java applets and applications
("Programs").
2. License to Distribute Software. In addition to the license granted in Section 1 (Software Internal Use and Development
License Grant) of these Supplemental Terms, subject to the terms and conditions of this Agreement, including but not
limited to, Section 3 (Java Technology Restrictions) of these Supplemental Terms, Sun grants you a non-exclusive, non-transferable, limited license to reproduce and distribute the Software in binary code form only, provided that you (i)
distribute the Software complete and unmodified and only bundled as part of your Programs, (ii) do not distribute
additional software intended to replace any component(s) of the Software, (iii) do not remove or alter any proprietary
legends or notices contained in the Software, (iv) only distribute the Software subject to a license agreement that protects
Sun's interests consistent with the terms contained in this Agreement, and (v) agree to defend and indemnify Sun and its
licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses (including attorneys' fees)
incurred in connection with any claim, lawsuit or action by any third party that arises or results from the use or distribution
of any and all Programs and/or Software.
3. Java Technology Restrictions. You may not modify the Java Platform Interface ("JPI", identified as classes contained
within the "java" package or any subpackages of the "java" package), by creating additional classes within the JPI or
otherwise causing the addition to or modification of the classes in the JPI. In the event that you create an additional class
and associated API(s) which (i) extends the functionality of the Java platform, and (ii) is exposed to third party software
developers for the purpose of developing additional software which invokes such additional API, you must promptly publish
broadly an accurate specification for such API for free use by all developers. You may not create, or authorize your
licensees to create additional classes, interfaces, or subpackages that are in any way identified as "java", "javax", "sun" or
similar convention as specified by Sun in any naming convention designation.
4. No Support. Sun is under no obligation to support the Software or to provide you with updates or error corrections. You
acknowledge that the Software may have defects or deficiencies which cannot or will not be corrected by Sun.
5. Trademarks and Logos. You acknowledge and agree as between you and Sun that Sun owns the SUN, SOLARIS, JAVA,
JINI, FORTE, and iPLANET trademarks and all SUN, SOLARIS, JAVA, JINI, FORTE, and iPLANET-related trademarks, service
marks, logos and other brand designations ("Sun Marks"), and you agree to comply with the Sun Trademark and Logo
Usage Requirements currently located at http://www.sun.com/policies/trademarks. Any use you make of the Sun Marks
inures to Sun's benefit.
6. Source Code. Software may contain source code that is provided solely for reference purposes pursuant to the terms of
this Agreement. Source code may not be redistributed unless expressly provided for in this Agreement.
7. Termination for Infringement. Either party may terminate this Agreement immediately should any Software become, or
in either party's opinion be likely to become, the subject of a claim of infringement of any intellectual property right.
For inquiries please contact: Sun Microsystems, Inc. 901 San Antonio Road, Palo Alto, California 94303
(LFI#115020/Form ID#011801)
jsp-api package.
Sun Java System Message Queue Platform Edition 3 2005Q1
Sun Java System Message Queue Enterprise Edition 3 2005Q1
IMPORTANT - PLEASE READ. THE LICENSES BELOW GOVERN YOUR USE OF THE SUN JAVA
SYSTEM MESSAGE QUEUE, PLATFORM EDITION AND SUN JAVA SYSTEM MESSAGE QUEUE,
ENTERPRISE EDITION.
READ THE TERMS OF THE AGREEMENT IN THE SECTION APPLICABLE TO YOU (THE "APPLICABLE
AGREEMENT") CAREFULLY BEFORE OPENING THE SOFTWARE MEDIA PACKAGE. BY OPENING THE
SOFTWARE MEDIA PACKAGE, YOU AGREE TO ALL THE TERMS OF THE APPLICABLE AGREEMENT.
IF YOU ARE ACCESSING THE MESSAGE QUEUE PE OR MESSAGE QUEUE EE ELECTRONICALLY,
INDICATE YOUR COMPLETE ACCEPTANCE OF THIS AGREEMENT BY SELECTING THE "ACCEPT"
BUTTON DISPLAYED ALONG WITH THE APPLICABLE AGREEMENT OR OTHERWISE PROVIDING
THE AFFIRMATIVE RESPONSE REQUESTED. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THE
APPLICABLE AGREEMENT, DO NOT INSTALL, COPY OR OTHERWISE USE THE MESSAGE QUEUE PE
OR MESSAGE QUEUE EE.
If you are accepting the Agreement on behalf of a corporation, partnership or other legal entity, the use of the terms "you"
and "your" in the Agreement will refer to such entity and the entity accepting the Agreement represents and warrants to
Sun that it has sufficient permissions, capacity, consents and authority to enter into the Agreement.
Sun Microsystems, Inc.
Binary Code License Agreement ("BCL")
Sun Java System Message Queue Platform Edition 3 2005Q1 and Sun Java System Message Queue Enterprise Edition 3
2005Q1 ("Message Queue PE" and "Message Queue EE", collectively "Software")
THE TERMS OF THIS AGREEMENT AND ANY PROVIDED SUPPLEMENTAL LICENSE TERMS ARE COLLECTIVELY TERMED THE
"AGREEMENT".
1. LICENSE TO USE. Sun grants you a non-exclusive and non-transferable license for the internal use only of the
accompanying software and documentation and any error corrections provided by Sun (collectively "Software"), by the
number of users and the class of computer hardware for which the corresponding fee has been paid.
2. RESTRICTIONS. Software is confidential and copyrighted. Title to Software and all associated intellectual property rights
is retained by Sun and/or its licensors. Except as specifically authorized in any Supplemental License Terms, you may not
make copies of Software, other than a single copy of Software for archival purposes. Unless enforcement is prohibited by
applicable law, you may not modify, decompile, or reverse engineer Software. Licensee acknowledges that Software is not
designed or intended for use in the design, construction, operation or maintenance of any nuclear facility. Sun disclaims
any express or implied warranty of fitness for such uses. No right, title or interest in or to any trademark, service mark,
logo or trade name of Sun or its licensors is granted under this Agreement.
3. LIMITED WARRANTY. Sun warrants to you that for a period of ninety (90) days from the date of purchase, as evidenced
by a copy of the receipt, the media on which Software is furnished (if any) will be free of defects in materials and
workmanship under normal use. Except for the foregoing, Software is provided "AS IS". Your exclusive remedy and Sun's
entire liability under this limited warranty will be at Sun's option to replace Software media or refund the fee paid for
Software.
4. DISCLAIMER OF WARRANTY. UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT THESE DISCLAIMERS
ARE HELD TO BE LEGALLY INVALID.
5. LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE
LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR
PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO
THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event will Sun's liability to you, whether in contract, tort (including negligence), or otherwise, exceed the
amount paid by you for Software under this Agreement. The foregoing limitations will apply even if the above stated
warranty fails of its essential purpose.
6. Termination. This Agreement is effective until terminated. You may terminate this Agreement at any time by destroying
all copies of Software. This Agreement will terminate immediately without notice from Sun if you fail to comply with any
provision of this Agreement. Upon Termination, you must destroy all copies of Software.
7. Export Regulations. All Software and technical data delivered under this Agreement are subject to US export control
laws and may be subject to export or import regulations in other countries. You agree to comply strictly with all such laws
and regulations and acknowledge that you have the responsibility to obtain such licenses to export, re-export, or import as
may be required after delivery to you.
8. U.S. Government Restricted Rights. If Software is being acquired by or on behalf of the U.S. Government or by a U.S.
Government prime contractor or subcontractor (at any tier), then the Government's rights in Software and accompanying
documentation will be only as set forth in this Agreement; this is in accordance with 48 CFR 227.7201 through 227.7202-4
(for Department of Defense (DOD) acquisitions) and with 48 CFR 2.101 and 12.212 (for non-DOD acquisitions).
9. Governing Law. Any action related to this Agreement will be governed by California law and controlling U.S. federal law.
No choice of law rules of any jurisdiction will apply.
10. Severability. If any provision of this Agreement is held to be unenforceable, this Agreement will remain in effect with
the provision omitted, unless omission would frustrate the intent of the parties, in which case this Agreement will
immediately terminate.
11. Integration. This Agreement is the entire agreement between you and Sun relating to its subject matter. It supersedes
all prior or contemporaneous oral or written communications, proposals, representations and warranties and prevails over
any conflicting or additional terms of any quote, order, acknowledgment, or other communication between the parties
relating to its subject matter during the term of this Agreement. No modification of this Agreement will be binding, unless
in writing and signed by an authorized representative of each party.
For inquiries please contact: Sun Microsystems, Inc., 4140 Network Circle, Santa Clara, California 95054
Sun Microsystems, Inc.
Supplemental Terms and Conditions for Sun Java System Message Queue Platform Edition 3 2005Q1 and Sun Java System
Message Queue Enterprise Edition 3 2005Q1
These terms and conditions for the Software supplement the terms and conditions of the Agreement. Capitalized terms not
defined herein shall have the meanings ascribed to them in the BCL. These terms and conditions shall supersede any
inconsistent or conflicting terms and conditions in the BCL.
A. Third Party Code. Additional copyright notices and license terms applicable to portions of the Software are set forth in
the THIRDPARTYLICENSEREADME file. In addition to any terms and conditions of any third party opensource/freeware
license identified in the THIRDPARTYLICENSEREADME file, the disclaimer of warranty and limitation of liability provisions in
paragraphs 4 and 5 of the BCL shall apply to all Software in this distribution.
B. License to Evaluate Message Queue EE. If you have not paid the applicable fees for Message Queue EE, Sun grants you
a non-exclusive, non-transferable, royalty-free and limited license to use Message Queue EE internally for the sole purpose
of evaluation, for a period of ninety (90) days from the date you begin using the Message Queue EE features. No license to
Message Queue EE is granted hereunder for any other purpose, including any commercial or production use of Message
Queue EE. Sun is under no obligation to provide you with support, updates, error corrections or any other service for
Software licensed for evaluation.
C. License to Use Software. The following terms and conditions apply to your use of Message Queue PE, and, if you have
paid the applicable fees for a commercial use license to Message Queue EE, Message Queue EE.
1. Definitions.
(a) "Broker" means the server side Software component that manages the routing of JMS messages.
(b) "Client Applications" means the application created by you using the APIs provided in the Software for connecting with
the Broker.
2. Additional Use Conditions.
(a) You may copy the documentation, without change, as necessary to fully utilize Software, provided the copies contain all
of the original proprietary notices.
(b) You may use any Sun ONE, Sun or third party products embedded in or bundled with Software only in conjunction with
Software (and the applications that run on Software), and not with other software products or on a stand-alone basis.
Except as otherwise explicitly provided, the use of each such bundled product shall be governed by its license agreement.
3. License to Distribute Redistributables. Subject to the terms and conditions of this Agreement, Sun grants you a non-exclusive, non-transferable, limited license to reproduce and distribute the binary form of those files specifically identified
as redistributable below in Paragraph 3.(a) ("Redistributables"), provided that: (i) you do not distribute additional software
intended to supersede any component(s) of the Redistributables, (ii) you do not remove or alter any proprietary legends
or notices contained in or on the Redistributables, (iii) you only distribute the Redistributables pursuant to a license
agreement that protects Sun's interests consistent with the terms contained in the Agreement, and (iv) you agree to
defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or
expenses (including attorneys' fees) incurred in connection with any claim, lawsuit or action by any third party that arises
or results from the use or distribution of
(a). Only the following jar files may be redistributed in accordance with the license in Section C, Paragraph 3 of these
Supplemental Terms.
jms.jar
imq.jar
imqxm.jar
fscontext.jar
providerutil.jar
jndi.jar
ldap.jar
ldapbp.jar
jaas.jar
jsse.jar
jnet.jar
jcert.jar
Additionally the following files can be redistributed:
LICENSE
COPYRIGHT
All other files distributed with the product are NOT redistributable.
4. Java Technology Restrictions. You may not create or modify, or authorize your licensees to create or modify, additional
classes, interfaces, or sub-packages that are in any way identified as "java", "javax", "sun" or similar convention as
specified by Sun in any naming convention designation.
5. Trademarks and Logos. You acknowledge and agree as between you and Sun that Sun owns the SUN, SOLARIS, JAVA,
JINI, JDK, FORTE, STAROFFICE, STARPORTAL and iPLANET trademarks and all SUN, SOLARIS, JAVA, JINI, FORTE,
STAROFFICE, STARPORTAL and iPLANET-related trademarks, service marks, logos and other brand designations ("Sun
Marks"), and you agree to comply with the Sun Trademark and Logo Usage Requirements currently located at http://
www.sun.com/policies/trademarks. Any use you make of the Sun Marks inures to Sun's benefit.
6. Source Code. Software may contain source code that is provided solely for reference purposes pursuant to the terms of
this Agreement. Source code may not be redistributed unless expressly provided for in this Agreement.
7. Termination for Infringement. Either party may terminate this Agreement immediately should any Software become, or
in either party's opinion be likely to become, the subject of a claim of infringement of any intellectual property right.
8. Additional Restrictions. You may not publish or provide the results of any benchmark or comparison tests run on
Software to any third party without the prior written consent of Sun.
SOMQ3 2005Q1PE/EELICENSE (LFI#:142492)
G
Glossary
802.1X
A port-based authentication protocol that can dynamically vary
encryption keys, and has three components: a supplicant, an
authenticator, and an authentication server.
ACL
Access control list—A list or set of rules that routers (and other
networking endpoints) use to control and regulate access through the
endpoint and subsequently onto the network. In Sentriant AG, using
this option restricts the network access of non-compliant endpoints by
assigning DHCP settings on a quarantined network.
ACPI
Advanced Configuration and Power Interface—A specification that
establishes standard interfaces.
ACS
Access Control Server—A server that controls access to your system. A
Cisco® access policy control platform.
AD
Active Directory—A directory service included with Microsoft®
Windows Server 2003 that allows administrators to manage end-user
access to the network.
ActiveX
A Microsoft technology that enables interactive Web content.
agent
An information exchange process that works in conjunction with
clients and servers to perform tasks.
agentless credentials
When Sentriant AG accesses and tests endpoints, it needs to know the
administrator credentials for that endpoint. If your network uses a
Windows domain controller and the connecting endpoint is a member
of a configured domain, Sentriant AG uses the information supplied to
access and test the endpoint.
AP
Access Point—The physical point at which an endpoint or device
connects to a network.
API
Application Programming Interface—The interface to an application’s
source code. Other computer programs can communicate with the
application through this interface.
APIC
Advanced Programmable Interrupt Controller—A device that provides
support for multiple processors by allowing for multiple programmable
interrupts.
authenticator
A component of 802.1X that is the access point, such as a switch, that
prevents access when authentication fails. The authenticator can be
simple and dumb.
Authentication server
A component of 802.1X that is the server that authenticates the user
credentials; usually a Remote Authentication Dial-In User Service
(RADIUS) server.
BIOS
Basic Input/Output System
backdoor
A disguised or hidden entry point in a software program or system.
An open backdoor can be intentional (for maintenance use), or
unintentional. If a backdoor is discovered, malicious users or software
can gain entry and cause damage.
blacklist
A list of devices or endpoints that are denied access to a system or are
denied privileges. In Sentriant AG, endpoints and domains that are
always quarantined.
CA/PKI
Certificate Authority/Public Key Infrastructure
cache
A location where information is stored that can be accessed quickly.
This location can be in memory or in a file.
CD
Compact disc
CHAP
Challenge-Handshake Authentication Protocol—A protocol that
authenticates a user by a challenge-response exchange, so that the
password itself is never sent over the link.
CIDR
Classless InterDomain Routing—A method of specifying networks and
subnetworks (subnets) that allows grouping and results in less router
overhead.
client
A computer that requests services from another (server).
cluster
A logical grouping of ESs.
compliance
Meets defined standards or conditions.
CSR
Certificate Signing Request—A request sent by a system when
applying for a public key certificate.
CTA
Cisco Trust Agent
DAC
Device Activity Capture—A utility that listens to (sniffs) the network
for DHCP traffic and can be configured to discover other types of IP
traffic if needed (such as from endpoints with static IP addresses).
DC
Domain controller—A server that manages and controls the activities
(such as user access) in the domain.
DHCP
Dynamic Host Configuration Protocol—A method of assigning IP
addresses to endpoints as they connect to the network, and releasing
them as the endpoints disconnect from the network. DHCP allows
administrators to manage IP addresses from one location rather than
at each endpoint.
DLL
Dynamic Link Library—A shared library file used in Microsoft
systems. These files have the DLL extension.
DMA
Direct Memory Access—A feature in computers where memory can be
accessed without going through the CPU.
DN
Distinguished Name—In the Lightweight Directory Access Protocol
(LDAP), objects are referenced by their DN.
DNS
Domain Name System—The service, and the server that provides it, that
translates domain names (such as mycompany.com) into IP addresses
(such as 216.239.41.99).
EULA
End user license agreement—An agreement that is included with a
product or displayed on the screen when first used.
EAP
Extensible Authentication Protocol—An authentication protocol used
with Point-to-Point Protocol (PPP) and wireless networks. (802.1X)
EAPOL
EAP over LANs
EDAC
Embedded Device Activity Capture—See DAC
endpoint
A computer requesting access to a network.
enforcement
In Sentriant AG, the process of upholding the access rules set in the
NAC policies.
ES
Enforcement server
FQDN
Fully Qualified Domain Name—A domain name that uniquely
identifies a host computer. It includes the host name and the domain
name. For example, myhost.mycompany.com.
HA
High Availability—A multiple-server Sentriant AG deployment is
mutually supporting. Should one server fail, other nodes within a
cluster will automatically provide coverage for the affected network
segment.
Hotfix
Hotfixes are programs that update the software and may include
performance enhancements, bug fixes, security enhancements, and so
on. There is usually only one fix in a hotfix, whereas a patch includes
multiple hotfixes.
HTML
HyperText Markup Language—A language that tells a web browser how to
display a web page.
IAS
Internet Authentication Service—A service used to authenticate clients
with a RADIUS server.
ICMP
Internet Control Message Protocol—A protocol used to send error and
diagnostic messages between IP hosts (for example, the echo request and
echo reply used by ping).
IDE
Integrated Drive Electronics—A standard storage connection interface
known as Advanced Technology Attachment (ATA).
IDS/IPS
Intrusion Detection System/Intrusion Prevention System—IDS and IPS
systems detect and prevent attacks on your system. In Sentriant AG
you can configure these external systems so that they can request that
Sentriant AG quarantine an endpoint after it has been connected
(post-connect) when unwanted behavior is detected.
IE
Internet Explorer
IM
Instant Messaging
inline
An installation of Sentriant AG where it is placed on the network and
all traffic to be quarantined passes through Sentriant AG.
IP
Internet protocol—A protocol by which data is sent from one computer
to another on the Internet.
IPSec
IP security
iptables
A Linux package used to manage packet filtering and Network
Address Translation (NAT).
ISO image file
An image of a CD saved in ISO 9660 standard format.
IT
Information Technology
Java
A programming language derived from C and C++.
JMS
Java Message Service—A Java-based message interface.
JVM
Java Virtual Machine—A set of programs that converts Java bytecode
into machine language.
L2TP
Layer two tunneling protocol—An open standard protocol used to
create virtual private networks (VPN).
LAN
Local Area Network
LDAP
Lightweight Directory Access Protocol (LDAP)—A protocol that is
used to look up information from a database that usually contains
information about authorized users and their privileges.
load balancing
In Sentriant AG, Load balancing distributes the testing of endpoints
across all Sentriant AG ESs in a cluster.
MAC
Media Access Control—The unique hardware number that identifies a
network interface of a physical endpoint. Generally referred to as the
MAC address.
Management server
When using Sentriant AG in a multiple-server installation, the server
that is used for managing ESs. (MS)
MIB
Management Information Base—A database used to manage
components in a network.
MMC
Microsoft Management Console—The Windows console that hosts
administrative snap-ins such as IAS and Certificates.
MS
Management server
multinet
A physical network of two or more logical networks.
NAC
Network Admission Control
NAC policies
In Sentriant AG, collections of individual tests that evaluate endpoints
attempting to access the network.
NAC policy group
A logical grouping of NAC policies.
NAT
Network Address Translation—The translation of an external IP
address to one or more internal IP addresses and the reverse.
NIC
Network Interface Card—A card that connects a computer to an
Ethernet network.
network mask
Also called a subnet mask. A number used in conjuction with IP
addresses to determine the subnet or subnetwork.
NMS
Network Management System—A computer or computers and
software used to manage a network.
non-compliance
Does not meet defined standards or conditions.
NTLM
Windows NT LAN Manager
NTP
Network Time Protocol—A protocol that synchronizes a computer's clock
with time servers over the network.
OS
Operating system
P2P
Person-to-person or Peer-to-peer—A Peer-to-peer (P2P) network is one
that is comprised of peer nodes (computers) rather than clients and
servers. These peer nodes function both as clients and servers to other
nodes and can perform any client or server function. P2P software
allows users to connect directly to other users and is used for file
sharing. Many P2P software packages are considered spyware and
their use is generally discouraged.
PDA
Personal Digital Assistant—A small, portable electronic device that
includes features normally found on a computer, cell phone, music
player, and other functionality.
ping
A utility that sends ICMP echo requests to test whether a host is
reachable. The expansion "Packet InterNet Groper" is a backronym.
post-connect
Post-connect in Sentriant AG provides an interface where you can
configure external systems, such as IDS/IPS, that request quarantining
of an endpoint based on activity that occurs after the endpoint has
connected to the network (post-connect).
PPTP
Point-to-point tunneling protocol—A tunneling protocol used to
connect Windows NT clients and servers.
quarantine
In Sentriant AG, isolating endpoints or systems to prevent potential
infection of other endpoints or systems.
RADIUS
Remote Authentication Dial-In User Service
RAM
Random access memory
RAS
Remote access server
RDAC
Remote Device Activity Capture
RDBMS
Relational Database Management System (RDBMS)—Used to store
information in related tables.
RPC
Remote procedure call—a procedure where arguments or parameters
are sent to a program on a remote system. The remote program
executes and returns the results.
RPM
Redhat package manager
root
An account on a UNIX or Linux system that has administrator
privileges.
SAM
Security Accounts Manager
server
A computer that provides services to another (client).
shared secret
Used for security and integrity purposes to verify RADIUS messages.
Both the sender and the receiver of the messages must know the
shared secret.
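The following is an added example, not Sentriant AG code, showing what the RADIUS shared secret actually does. RFC 2865 defines the Response Authenticator of an Access-Accept or Access-Reject as MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), so a reply forged by a party that does not know the secret, or altered in transit, fails verification. The secret value, the identifier and the attribute contents below are constructed for the demonstration.

```python
# Added example (not Sentriant AG code): how a RADIUS shared secret binds a
# response to its request. RFC 2865 section 3 defines the Response
# Authenticator as MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
# a receiver that knows the secret recomputes it and rejects any mismatch.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2

# RADIUS attribute type codes used below (RFC 2865)
ATTR_USER_NAME = 1
ATTR_REPLY_MESSAGE = 18


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (incl. 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_request(identifier: int, request_auth: bytes, attributes: bytes) -> bytes:
    """Access-Request: the 16-byte authenticator is a random value chosen by the client."""
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + request_auth + attributes


def build_response(code: int, identifier: int, request_auth: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """Server side: the Response Authenticator is an MD5 over the response
    header, the *request's* authenticator, the attributes and the secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator with our copy of the
    secret and compare in constant time. Returns False on any malformed or
    forged packet rather than raising."""
    if len(response) < 20:
        return False
    header = response[:4]
    _code, _identifier, length = struct.unpack("!BBH", header)
    if length != len(response):
        return False
    received = response[4:20]
    attributes = response[20:]
    expected = hashlib.md5(header + request_auth + attributes + secret).digest()
    return hmac.compare_digest(received, expected)


def demo(secret: bytes = b"example-shared-secret") -> dict:
    """Constructed exchange: a genuine Access-Accept verifies; a reply forged
    without the secret and a reply altered in transit both fail."""
    request_auth = os.urandom(16)
    request = build_request(7, request_auth, attribute(ATTR_USER_NAME, b"alice"))
    assert request[0] == ACCESS_REQUEST

    genuine = build_response(ACCESS_ACCEPT, 7, request_auth,
                             attribute(ATTR_REPLY_MESSAGE, b"Welcome"), secret)
    forged = build_response(ACCESS_ACCEPT, 7, request_auth,
                            attribute(ATTR_REPLY_MESSAGE, b"Welcome"), b"wrong-secret")
    # Flip one byte inside the attributes of the genuine reply.
    tampered = bytearray(genuine)
    tampered[-1] ^= 0x01
    return {
        "genuine": verify_response(genuine, request_auth, secret),
        "forged": verify_response(forged, request_auth, secret),
        "tampered": verify_response(bytes(tampered), request_auth, secret),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'forged': False, 'tampered': False}
```

Two practical consequences follow from the algorithm. First, the Access-Request itself is not protected this way; only the Message-Authenticator attribute (RFC 3579, an HMAC-MD5 keyed with the same secret) lets the server reject forged requests, which is why RADIUS servers require it for EAP/802.1X. Second, the secret is the only thing standing between an attacker on the path and a forged Access-Accept, so use a long random secret per RADIUS client rather than a short word shared by every switch.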
SMB
Server Message Block
SMS
Microsoft Systems Management Server
SMTP
Simple mail transfer protocol—A TCP/IP protocol used in sending and
receiving email. Used in conjunction with POP3 or IMAP.
SNMP
Simple Network Management Protocol
SSH
Secure Shell—A protocol and command-line interface, originally from the
UNIX world, used to gain encrypted, authenticated access to a remote
computer.
SSL
Secure Sockets Layer—A commonly used protocol that manages the security
of message transmissions over the Internet; superseded by TLS.
STP
Spanning tree protocol
subnet
A section of a network that shares part of the IP address of that
network.
supplicant
A component of 802.1X that is the client; the endpoint that wants to
access the network
SUS
Software Update Service
TAR
Tape ARchive—A type of file that contains multiple files and directory
structures.
TCP
Transmission Control Protocol
temporary access period
In Sentriant AG, a temporary period of time where an end-user is
allowed access.
TLS
Transport Layer Security
UAC
User Account Control—The Windows Vista feature that prompts for
elevation before a process is run with administrator privileges.
UDP
User Datagram Protocol
VLAN
Virtual Local Area Network
VPN
Virtual private network—A secure method of using the Internet to gain
access to an organization's network.
WEP
Wired Equivalent Privacy
whitelist
A list of devices or endpoints that are allowed access to a system or
are allowed privileges. In Sentriant AG, endpoints and domains that
are always allowed access.
Wi-Fi
Wireless Fidelity
WU
Windows Update
XML
eXtensible Markup Language
Index
Numerics
3rd-party software, installing 34
802.1X 251, 252, 253
communication flow 253
configuring the RADIUS server 258
connections 251
enable 88, 282
enable Vista endpoint 288
enable XP endpoint 284, 285, 286
installing the RADIUS server 256
logging levels, set 147
setting up the authenticator 290
setting up the RADIUS server 256
setting up the supplicant 283
test connection 96
802.1X device 95
A
access
always grant 136
access mode, changing 353
access period, temporary 205
access point 251
access screens, view end-user 142
access status 153
and lease expiration 236
disconnected 154
quarantined 154
access_modified_by 446
access_status_id 446
accessible endpoints, define 134
accessible services
define 134
ACLs 249
act on an endpoint 159
action
quarantine 227
select 226
send an email 227
actions_taken 444
active content in the browser 35
Active Directory 256
and IAS 258
ActiveMQ 303
ActiveX 29, 30
testing method 133
add 95
Cisco CatOS device 99
Cisco IOS device 97
custom tests 363
Enforcement cluster 53
Enforcement server 57
Enterasys device 102
Extreme XOS device 105
ExtremeWare device 103
Foundry device 106
HP ProCurve 108
HP ProCurve 420 AP or HP ProCurve 530 AP device 114
HP ProCurve WESM device 111
NAC policy group 214
non-listed 802.1X device 117
Nortel device 116
quarantine area 121
user account 71
user role 78
additional interfaces
add to DAC host 322
administrator account's user registry settings 145
agent 29, 30
manually install 191
remove Mac OS 199
removing 190
testing 188
testing method 132
verify Mac OS 196
version 192
Agent read timeout period, set 147
agent-based testing 188
agentless 29
login credentials 201
settings required 173, 174
test and Windows Messenger Service 201
test method 173, 174
testing method 133
allow
access without testing 234
allow pop-up windows 34
always
allow access to an endpoint without testing 234
grant access 136
quarantine an endpoint without testing 235
always quarantine
domains 137
endpoints 137
AP 251
API 303
change or set properties 305
API communication 304
Application Programming Interface 303
assign endpoints and domains to a policy 224
authentication
information 145
server 251
Authenticator 251
authenticators, define 260
authorization DLL file 275
B
backup 130
system and data 359
BaseTests API 376
BasicTests API 377
bread crumbs 44
browser
allow pop-ups 34
end-user 171
end-user version 142
important settings 349
pop-ups required for reports 332
update 351
version 171
browser and active content 35
browser settings 34
button
check for test updates 351
configure system 53, 55, 56, 59, 61, 62, 63
copy policy 223
generate report 332
printable report 332
submit 83, 351
C
cancel testing 204
certificate 272
Certificates 251
change
community name 400
error message 364
MS or ES IP address 354
MS root password 70
properties 357
check for available test updates settings 85
CIDR 358
clear a temporary state 161
ClearTemporaryAccess 308
client 251
cluster_id 444, 447, 448
cluster_name 447
cluster_to_user database table 448
communication flow, 802.1X 253
community name
change 400
config 447
configuration
DHCP 248
timeout 40
Windows XP Professional firewall 180, 181
configure
post-connect system 125
proxy RADIUS requests 279, 282
Windows domain settings 90
configuring OpenLDAP settings 92
connections, 802.1X 251
connector, IAS 271
converting reports to MS Word doc 334
copy
existing NAC policy 223
user account 75
create
custom test script 368
new NAC policy 217
create date 445
credentials
delete Windows 145
edit Windows 145
for agentless test 201
login 143
sort Windows area 145
test Windows 144
Windows 143
crt_dt 445
current_licenses 447
custom test
adding 363
class script from scratch 368
customize
end-user access screens 141, 142
the error messages 207
D
DAC
add additional interface 321
DAC host
add additional interfaces 322
data dictionary 443
database 443
date and time
change ES 61
DC
name 136
ports to specify 136
debug_info 444
default
NAC policy 214, 217
define accessible services and endpoints 134
delay
login 236
three minute 236
delete
cluster 56
DHCP Server Plug-in Configuration 346
ES 63
NAC policy 224
NAC policy group 216
quarantine area 124
user account 77
user role 82
details, view report 332
device database table 445
device_unique_id 444
DeviceAccessChangeEvent 305
DeviceInfoRequest 308
devices 447
DeviceTestedEvent 305
DHCP
configuration 248
ports to specify 136
server IP address 136
DHCP mode and MAC address 138
DHCP plug-in
add servers 343
enable 343
install 338, 340
DHCP Server Plug-in
disable configuration 347
edit Configuration 346
edit configurations 346
directory, end-user template 186
disable
DHCP Server Plug-in configuration 347
disable a NAC policy 217
disconnected 154
display limited endpoints 152
documentation 33
domain
controller 143
matching policies 353
Domain Controller
IP address 136
specifying the name 136
domainname 445
domains 447
domains, always quarantine 137
double-equal sign 83
download the latest tests 351
downloading support packages 131
E
EAP 251
type 265
EAPOL 251
edit
DHCP Server Plug-in Configurations 346
end-user access screen 384
Enforcement cluster 55
Enforcement server 59
existing NAC policy 215
NAC policy 223
quarantine area 123
test results messages 384
user account 76
user role 81
email 448
notification received by 223
notifications 139
server 358
set up notification 139
specifying server 358
email notifications
disable 139
enable 138
enable
802.1X 88, 282
a NAC policy 217
dll file 275
file and printer sharing 173, 174
ICMP echo requests temporarily 399
persistent ICMP echo requests 399
the Authorization DLL file 275
Windows Vista endpoint for 802.1X 288
Windows XP Professional endpoint for 802.1X 284, 285, 286
enabled 448
endpoint
act on 159
allow access without testing 234
always quarantine 137
assign to policy 224
end-user supported 170
immediately grant access 160
immediately quarantine 161
managed 172
quarantine hierarchy 231
quarantine without testing 235
retest 160
unmanaged 172
view information 162
endpoints per ES 50
End-user
license agreement 461
end-user
access templates 186
access window 186
admin password 201, 386
endpoints supported 170
error
screens 206
file and print sharing 173, 174
firewall 172
footer 142
IE Internet security zone 172
introduction 141
opening screen 187
ports 180
required firewall settings 183
specify browser version 229
test successful message 142
test successful screen 203
testing failed screen 204
view access screens 142
end-user access screens
customize 141, 142
editing 384
viewing 385
end-user options, selecting 134
end-user screen
specify logo 140
specify test failed pop-up 142
specify text 141
end-user template directory 186
Enforcement cluster
add 53
delete 56
edit 55
view statistics 56
Enforcement server
add 57
change date and time 61
change network settings 61
change password 62
delete 63
edit 59
view status 62
enforcement, set DHCP 119
enforcing ranges 390
enter
license key 350
enter license key 350
error
ActiveX 200
license key 83
message, customize 207
messages, changing 364
error screens 206
ES
logging levels, set 146
moving 393
per cluster 50
per MS 50
Events 304
events
command 308
generated 306
EXE file download to Windows 314
extending existing tests 363
F
Figure
802.1X Communications 255
802.1X Components 252
802.1X Installation 242
Access Control and Endpoint Test Status 159
Active Directory Users and Computers 278
Active Directory, Properties 276
Active Directory, Store Passwords 276
Active Directory, User Account Properties 278
Activity Monitor 198
Add 802.1X Device 95
Add 802.1X Device, Test Connection Area Option 1 96
Add 802.1X Device, Test Connection Area Option 2 96
Add a NAC Policy, Basic Settings Area 218
Add a NAC Policy, Domains and Endpoints 220
Add a Quarantine Area 121
Add Cisco CatOS Device 100
Add Cisco IOS Device 98
Add DHCP Plug-in Configuration 344
Add Enforcement Cluster 54
Add Enforcement Server 58
Add Enterasys Device 102
Add Extreme XOS Device 105
Add ExtremeWare Device 104
Add Foundry Device 107
Add HP ProCurve 420/530 AP Device 114
Add HP ProCurve Device 109
Add HP ProCurve WESM Device 112
Add NAC Policy Group 215
Add NAC Policy, Tests Area 222
Add Nortel Device 116
Add Other Device 118
Add User Account 73
Add User Role 80
Add/Remove Programs 191
Agentless Credentials, Add Windows Administrator Credentials 144
API Communication 304
Applications, Utilities Folder 197
Backup Successful Message 131
checkOpenPorts.py script 372
Copy User Account 76
Date & Time 68
Default NAC Policy 217
DHCP Installation 241, 248
DHCP Plug-in 337
DHCP Plug-in Configuration 346
DHCP Plug-in Customer Information window 342
DHCP Plug-in InstallShield Wizard Complete window 343
DHCP Plug-in InstallShield Wizard window 342
DHCP Plug-in Legend 345
DHCP Plug-in Ready to Install the Program window 343
DHCP Plug-in Server Added Example 345
Display Endpoints Drop-down 152
Edit NAC Policy Group 216
Enabling 802.1X in the User Interface 283
Endpoint Activity, All Endpoints Area 149
Endpoint Activity, Endpoint Test Results Option 163
Endpoint Activity, Menu Options 151
Endpoint Mouseover Pop-up Window 155
Endpoint, General Option 162
End-user ActiveX Plug-in Failed 200
End-user Agent Installation Failed 189
End-user Agent Installation Window (Finish) 190
End-user Agent Installation Window (Start) 190
End-user Error 206
End-user Installing Window 188
End-user Login Credentials 201
End-user Login Failed 202
End-user Opening Window 187
End-user Testing 203
End-user Testing Cancelled 204
End-user Testing Failed Example 1 205
End-user Testing Failed, Printable Results 206
End-user Testing Successful 203
Enforcement Cluster Legend 59
Enforcement Cluster, General 56
Enforcement Server 60
Enforcement Server, Status 63
Error Message 266
Example InstallCustomTests Output 366
Example wrapper.conf File 321
Failed Endpoint 157
Failed Endpoint Allow All Mode 158
Failed Endpoint Allow All Mode Mouse Over 158
Highlighted Fields 153
IAP, Remote Access Policy, Properties 268
IAS, Add/Remove Snap-in 273
IAS, Add/Remove Snap-in, Certificates 273
IAS, Import Certificate 274
IAS, New Client, Additional Information 261
IAS, New Client, Name and Address 260
IAS, New Remote Access Policy 262
IAS, Properties 259
IAS, Properties Option 259
IAS, Register Server in Active Directory 258
IAS, Remote Access Logging Properties 271
IAS, Remote Access Policy, Access Method 262
IAS, Remote Access Policy, Add Attribute 269
IAS, Remote Access Policy, Authentication Method 264
IAS, Remote Access Policy, Configure 268
IAS, Remote Access Policy, Find Group 263
IAS, Remote Access Policy, Group Access 263
Initiate a Patch Manager Check Box 403
Inline Installations 240, 246
Local Area Connection Properties 174, 175
Login 360
Mac OS Installer 1 of 5 194
Mac OS Installer 2 of 5 194
Mac OS Installer 3 of 5 195
Mac OS Installer 4 of 5 195
Mac OS Installer 5 of 5 196
Mac Ports 186
Mac Sharing 185
Mac System Preferences 184
Mac Terminal 199
Management Server Network Settings 66
Microsoft Office Hotfixes Critical Updates 421
Multiple-server Installation 49
Multiple-server, Multiple-cluster Installation 50
NAC Endpoint Activity Capture Service 324
NAC Policies 213
NAC Policies Window Legend 214
NAC Policy Results Report 332
NAC Policy Test Icon 230
NAC Policy Test Icons 230
Networking Services 257
Nortel Exit Script 299
Nortel Initialization Script 298
Nortel Re-authentication Script 299
Post-connect Configuration Message 125
Post-connect Launch Window 127
Post-connect Quarantine Details 128
Protected EAP Properties 267
Quarantine Area 123
RDAC Installer, Choose Destination Location 316
RDAC Installer, Confirm New Folder 316
RDAC Installer, Enforcement Server Specification 318
RDAC Installer, InstallShield Wizard Complete 320
RDAC Installer, NIC Selection 317
RDAC Installer, Ready to Install the Program 319
RDAC Installer, Select Features 317
RDAC Installer, Setup Type 315
RDAC Installer, TCP Port Filter Specification 318
RDAC Uninstall Complete 325
Remote Access Policy, Select Group 264
Reports 331
Restore System 360
Run or Save to Disk 192
Search Criteria 153
Security Certificate 192
Single-server Installation 48
snmpd.conf Example File 401
Start Mac OS Installer 193
System Configuration, Accessible Services 135, 233
System Configuration, Advanced Option 148
System Configuration, Agentless Credentials 143
System Configuration, End-user Screens 141
System Configuration, Enforcement Clusters & Server 53
System Configuration, Enforcement Clusters & Servers 53, 57
System Configuration, Exceptions 137, 234
System Configuration, License 83
System Configuration, Logging Option 146
System Configuration, Maintenance 130
System Configuration, Management Server 65
System Configuration, Notifications 139
System Configuration, OpenLDAP 93
System Configuration, Post-connect 126
System Configuration, Quarantining 87
System Configuration, Quarantining, DHCP 341
System Configuration, Quarantining, DHCP Enforcement 120
System Configuration, Test Updates 84
System Configuration, Testing Methods 132
System Configuration, User Accounts 72
System Configuration, User Roles 79
System Configuration, Windows Domain 91
System Monitor Window 25
System Monitor Window Legend 26
Test Details Report 333
Test Script Code 364
Test Update Log 86
Test Update Log Window Legend 86
testTemplate.py 369
The DAC InstallShield Wizard Welcome Window 315
Timeframe Drop-down List 152
User Account 77
User Role 81
Windows 2000 Local Area Connection Properties, Authentication Tab 287
Windows 2000 Local Area Connection Properties, General Tab 287
Windows Components Wizard 257
Windows Vista Local Area Connection Properties, Authentication Tab 290
Windows Vista Local Area Connection, Networking Tab 289
Windows XP Pro Local Area Connection Properties, Authentication Tab 285
Windows XP Pro Local Area Connection, General Tab 284
Wired AutoConfig Properties 288
figure
Online help 44
Online help, Search tab 46
Figure 12
Enforcement cluster and server legend 59
File and Print Sharing 181
file and printer sharing, enabling 173, 174
file, print 44
filter
endpoint activity window 151
find services names 229
firewall
add rule 305
changing port 185
letting RPC service through 180
post-connect service 124
settings 172
testing the end-user through 183
testing through 172
XP configuration 180, 181
firewall & end-user 172
full_name 448
G
generate
a CSR 392
report 330
grace_period 445
grace_period_start 445
group_desc 448
group_id 448, 449
group_name 444, 448
group_to_permission database table 449
H
hardware
required 361
help
online 33
tests 228
hierarchy
endpoint quarantine 231
NAC policy 225
high security 214
history of test results database table 444
host name in a NAC policy 220
host_name 447
hostname 444, 445
HTML help 43
HTML or text editor 186
I
IAS
add to Windows Server 2003 Installation 257
and Active Directory 258
Connector 271
IAS posture
Checkup 274
Healthy 274
Infected 275
Quarantined 274
Unknown 274
ICMP echo requests enable persistently 399
ICMP echo requests enable temporarily 399
icons, viewing 58
ignoring ranges 390
immediately
grant access to an endpoint 160
quarantine an endpoint 161
import
certificate 272
the server's certificate 272
inactive, set time 225
index
view pane 45
INI file, connector 274
inline 245
install
agent 188
agent manually 191
DHCP plug-in 338, 340
Mac OS agent 193
naming 354
Windows 314
IP address
change MS or ES IP 354
IP address, static 385
ip_address_str 444, 445, 447
IPSec 363
J
Java Message Service 303
JavaJRE
remove 325
JMS 303
JMS Event Receiver 303
JMS Message Bus 303
JMS Requestor 303
K
Kerberos 251
key features 31
known clusters database table 447
known devices database table 445
known enforcement servers database table 447
known nodes database table 447
L
L2TP 363
last_activity_dt 445
last_connect_dt 446
last_disconnect_dt 446
last_posture_token 446
last_result_code 444
last_run_id 445
last_status 445
last_status_id 445
last_test_dt 445
last_test_result_id 445
last_test_update_time 447
last_testing_cluster_id 446
last_testing_method 446
last_testing_node_id 446
last_update_dt 446
launch and log into 349
lease expiration 236
and access status 236
short times 236
license
agreement, violation of 34
concurrent IPs 350
entering new 350
key 83, 363
key errors 83
key, entering 350
keys 350
open-source 463
other 463
updating 82
viewing 463
license key
not updating 351
limit endpoints displayed 152
limit ping entries to specific interface 400
Linux 171
download and extract Zip file 408
set up post-connect 410
log
post-connect 412
log out 349
logged_on_user 444, 445
login 349
credentials 143, 201
delay 236
domain 143
save 134
saving 201
timeout 225
Logo 141
logs, view test update 85
low security 214
M
MAC address
in a NAC policy 220
in DHCP mode 138
Mac OS 170
install agent 193
Mac OS agent
remove 199
verify 196
mac_address 445
managed endpoint 172
Management Information Base (MIB) 402
manually test an endpoint 160
maximum
endpoints per ES 50
ES per cluster 50
ES per MS 50
medium security 214
minimum
browser version, specify 229
minimum font size 37
modify
expect script in product user interface 101
MS settings 66
the view 150
monitoring ranges 389
move
an ES 393
NAC policy to new set 224
MS failover 458
MS recover 458
MS, view status 64
N
NAC policies 213
window, view 213
NAC Policy
change to not run Windows automatic update
test 353
NAC policy
add group 214
assign domains to 224
assign endpoint to 224
assign endpoints to 224
copy 223
create 217
create new 217
defined 31
delete 224
disable 217
edit 215, 223
enable 217
enable/disable 217
group, delete 216
hierarchy 225
high security 214
host name 220
low security 214
MAC address 220
medium security 214
move to new set 224
NetBIOS name 220
select default 217
nad_ip 446
nad_port 446
name
Enforcement server 354
MS host 354
NetBIOS in a NAC policy 220
netbios 444
netbiosname 445
network
naming, CIDR format 358
settings, change ES 61
next_test_dt 446
node_id 447
non-supported operating systems 226
notifications
server 358
specifying email server 358
NTLM v2, enabling 389
O
one-time passwords 251
online help 33
open-source license 463
opening screen 187
operating systems
non-supported 226
not tested 218
supported 236
ordering test methods 133
os 445
os_details 445
other_properties 446
P
page caching 38
pane
index 45
passwd 448
password 445
change ES 62
change MS root 70
changing 388
configure for Active Directory 275
end-user admin 201, 386
ES reset 387
MS reset 387
reset 388
reset root 387
reset user interface 388
patch manager
flag a test launch 403
select 404
selecting maximum retest 404
specify retest interval 404
PDF document 43
Perl 363
permission_enum 449
ping entries
restrict 400
policy_id 444, 445
policy_name 444
policy_set_id 447
pop-up window 34
pop-up windows, allowing 34
port
88 385
88, changing 385
changing firewall 185
enter a range 234
number in quarantined network 232
number, accounting 260
number, authentication 259
ports 29
controlled by AP 252
to specify for DHCP and DC 136
post-connect
configure 125
set up Linux host 410
set up Windows host 409
test service 412
view logs 412
post-connect service
firewall open 124
posture
Checkup 274
Healthy 274
Infected 275
Quarantined 274
Unknown 274
posture token 446
PPTP 363
prev_run_id 445
print
file 44
topic 44
print a report 334
private keystore
generate new private key/public certificate pair 391
process flow 31
properties
changing 357
set test 226
test 228
protocol supported 363
proxy
RADIUS 282
RADIUS requests 279
server 67
Public key authentication 251
PutDeviceInfo 309
Python 363
Q
quarantine
endpoint without testing 235
method, select 87
network port number 232
set up multiple areas 122
quarantine area
add 121
delete 124
edit 123
sort 123
quarantine method
DHCP 119
quarantined 154
R
RADIUS 251
authentication method, setting 89
built-in 282
configure 258
server and SA plug-in 256
use existing server 279
using a proxy 256
using built-in 256
range
entering ports 234
of IP addresses 136
ranges
to enforce 390
to ignore 390
to monitor 389
RDAC
remove 324
reconnect
large network 394
refresh 153
regedit 228
registry 228
keys 228
remote access logging 270
Remote Access Policy, configure 268
remove
JavaJRE 325
Mac OS agent 199
RDAC 324
the agent 190
WinPcap 325
re-naming installation 354
report
convert HTML to Word 334
convert to DOC 334
generate 330
NAC policy results 329
options 331
print 334
save 332, 334
Test details 329
Test results 329
Test results by IP address 330
Test results by netbios name 330
Test results by user 330
view details 332
reports 329
converting to MS Word doc 334
enable browser pop-ups 332
required
hardware 361
software 361
reset
a database 361
ES password 387
MS password 387
password 388
system 355
testdata 356
user interface password 388
restore
from back file to new server 359
original database 361
system and data 360
restrict
ping entries, specific interface 400
result_code 444
result_message 444
retest
an endpoint 160
set time 225
time 219
router 249
RPC 29
command timeout period, set 148
service 180, 181
run_id 444
S
sa_cluster database table 447
sa_node database table 447
sa_user database table 448
SAIASConnector.ini 275
save
a report 334
login 134
login information 201
search 152
for user account 74
select
default NAC policy 217
DHCP quarantine method 119
Inline quarantine method 124
maximum retest attempts in patch manager 404
test method 132
the action to take 226
server
certificate 272
for email notifications 358
names 135
services
find names 229
not allowed 229
required 229
services, Agent 191
session_access 446
session_access_end 446
set
802.1X logging levels 147
action to take 226
Agent read timeout period 147
DHCP
setting enforcement 119
ES logging levels 146
RADIUS authentication method 89
retest time 225
RPC command timeout period 148
the test properties 226
time an end-user can be inactive 225
time to wait before retesting 225
settings
802.1X, entering 89
modify MS 66
required for agentless 173, 174
severity 444
shared services 236
shutdown_message 447
Simple Network Management Protocol (SNMP) 402
SMS
setup 406
SMTP server IP address 139
SNMP settings, select 69
software
installing 3rd-party 34
not allowed 228
registry keys 228
required 228
sort
quarantine area 123
user account area 75
user role area 82
specifying an email server for notifications 358
specify retest interval in patch manager 404
SSH 186
SSL 363
standard tests 213
static IP addresses 385
status access 153
status_code 444
Strings.py 206
Supplicant 251
support package
downloading 131
generate 361
supported
end-user endpoints 170
operating systems 236
protocols 363
VPNs 363
switch
Cisco 2950 291
Enterasys Matrix 1H582-25 292
Extreme Summit 48si 292
Foundry Fast Ironedge 2402 294
restrict access at 249
sample configurations 290
switches
add Enterasys 102
add, Cisco CatOS 99
add, Cisco IOS 97
add, Extreme XOS 105
add, ExtremeWare 103
add, Foundry 106
add, HP ProCurve 108
add, HP ProCurve 420 AP or HP ProCurve 530 AP 114
add, HP ProCurve WESM 111
add, non-listed 802.1X 117
add, Nortel 116
system
requirements 361
system upgrades 70
T
technical support 33
contacting 33
template location 186
templates 186
changes during upgrade 187
edit and customize 186
renaming 40, 187
TemporarilyAllowAccess 308
TemporarilyDenyAccess 308
temporary
access period 205
state, clearing 161
temporary files 38
test
add custom 363
base functionality 376
connection to 802.1X device 96
creating a custom script 368
properties, selecting 228
set properties 226
status 154
successful screen 203
update times, select 85
updates, checking for 84
test method
ActiveX error 200
agent 188
agent-based 188
select 132
select order 133
test methods
defined 29
options 32
pros & cons 29
to display 134
test_class 444
test_module 444
test_name 444
test_result database table 444
test_result_id 444
test_update_version 447
testing
cancel 204
failed screen 204
ports
used 180
testing method
ActiveX 133
agent 132
agentless 133
tests 213
adding custom 363
entering IE version number 229
entering service names 229
entering software names 228
extending existing 363
help 228
standard 213
updating 351
viewing help 228
three-minute delay 236
time
between tests 219
set automatically 68
set manually 68
set retest 225
zone set 69
timeout 40
change upgrade 71
login 225
timestamp 444
Tokens 251
topic
print 44
Topics 304
troubleshooting browser settings 349
U
unique_id 445
unmanaged endpoint 172
untested endpoint 218, 236
and lease expiration 236
update
server names 135
setting frequency 85
tests 351
update browser 351
upgrade timeout, changing 71
upgrades 70
user account
add 71
copy 75
delete 77
edit 76
search 74
sort area 75
user accounts
create Active Directory 277
Dial-in access & Encryption 277
user and their assigned role database table 449
user name, changing 388
user role
add 78
delete 82
edit 81
sort area 82
user role and its associated permissions database table 449
user roles database table 448
user_group database table 448
user_id 448, 449
user_to_groups database table 449
user-based tests 145
username 445, 448
users assigned to clusters database table 448
users database table 448
V
vi 186
view
access status 158
cluster and server icons 58
current list of tests 228
endpoint information 162
Enforcement cluster statistics 56
ES status 62
MS status 64
NAC policies window 213
report details 332
test update logs 85
tests information 228
version information 324
VPNs supported 363
W
window
end-user access 186
Windows
2000 170, 171
95 171
change NAC Policy to not run Windows automatic update test 353
credentials 143
domain and end-user settings 353
domain settings, configure 90
download and extract Zip file 407
download EXE file 314
Group policy 180
install 314
ME 171
Messenger Service 201
registry 228
Server (2000, 2003) 170, 171
set up post-connect 409
start manually 323
Update server 136
XP Home 170, 171
XP Professional 170, 171
windowsupdate.com 135
WinPcap
remove 325
X-Z
XP firewall configuration 180, 181
Zip file
download and extract to Linux 408
download and extract to Windows 407