ADMINISTRATION HANDS-ON

About the Hands-On
This hands-on section is structured in a way that allows you to work independently, while still giving you the possibility to consult step-by-step instructions. Each task is divided into two sections
• Actual Task
  • Conditions, goals and short instructions
  • Allowing you to work independently
• Detailed instructions (step-by-step walk through)
  • In case you cannot come up with your own solutions
Page 2

Real Infrastructure Environment
• Policy Manager and Console on a single computer
• One managed host (AVCS 6)
[Diagram: Root Update Server, F-Secure PMS / PMC, F-Secure AVCS 6]
Page 3

Imaginary Infrastructure
During this hands-on we will create an imaginary infrastructure
• 2 offices (Helsinki and Munich)
• 3 imaginary workstations (Helsinki: wks02 / Munich: wks03 and wks04)
• 1 real workstation in Helsinki (wks01)
• 1 file server in each office (Helsinki: filesrv01 / Munich: filesrv02)
• 1 DNS server in each office (Helsinki: dnssrv01 / Munich: dnssrv02)
[Diagram: Headquarters Helsinki (PMS/PMC, AVCS 6, wksXX, wks02, dnssrv01, filesrv01); Subsidiary Munich (wks03, wks04, dnssrv02, filesrv02)]
Page 4

Tasks Overview
Task 1: Creating a domain structure
Task 2: Updating point applications
Task 3: Creating autoregistration import rules
Task 4: Managing policies on multiple levels
Task 5: Configuring Apache Server
Task 6: Working with reports
Task 7: Troubleshooting scenario
Page 5

Task 1: Creating The Domain Structure
Servers
• Place DNS Server and File Server in both sites
• In which site sub-domain do you place them?
  • Helsinki
    • FILESRV01 (IP: 192.168.100.52, Windows 2003 Server)
    • DNSSRV01 (IP: 192.168.100.53, Windows 2000 Server)
  • Munich
    • FILESRV02 (IP: 192.168.160.82, Windows 2003 Server)
    • DNSSRV02 (IP: 192.168.160.83, Windows 2000 Server)
=> Task continues on next page
Page 6

Task 1: Creating The Domain Structure
Workstations
• Now create the 3 imaginary hosts and place them into the Development sub-domain of each site
  • Helsinki
    • WKS02 (WINS name: wks02, Windows NT 4.0)
  • Munich
    • WKS03 (WINS name: wks03, Windows XP Pro)
    • WKS04 (WINS name: wks04, Windows XP Pro)
=> After you have completed this task, continue on page 13
Page 7

Creating the Domain Structure
Step-By-Step Walk Through
Create two domains, “Finland” and “Germany”
• Select the root domain, F-Secure
• Choose Edit/New Policy Domain… from the menu (or right-click the root)
Page 8

Further Structure The Sub-Domains
Level 2
• Create the “Helsinki” domain
Level 3
• Create domains “Servers/HEL” and “Workstations/HEL”
Level 4
• Servers/HEL: Create domains “FileServers/HEL” and “DirectoryServers/HEL”
• Workstations/HEL: Create domains “Accounting/HEL”, “CustomerSupport/HEL” and “Development/HEL”
Apply the same structure to the German domain
Page 9

Creating The File Servers
Add file servers in both sites in the “FileServers/XX” domain
• Helsinki: FILESRV01 (IP address 192.168.100.52)
• Munich: FILESRV02 (IP address 192.168.160.82)
Page 10

Creating The DNS Servers
Add DNS servers in both sites in the “DirectoryServers/XX” domain
• Identity type: Primary IP address
• Helsinki: DNSSRV01 (IP address 192.168.100.53, Alias: dnssrv01)
• Munich: DNSSRV02 (IP address 192.168.160.83, Alias: dnssrv02)
Page 11

Creating The Workstations
Now create the 3 new hosts and place them into the Development sub-domain of each site
• Helsinki
  • WKS02 (WINS name: wks02, Windows NT 4.0)
• Munich
  • WKS03 (WINS name: wks03, Windows XP Pro)
  • WKS04 (WINS name: wks04, Windows XP Pro)
Page 12

Task 2: Point Application Update
During the installation hands-on, you were instructed to install AVCS 6 without HTTP scanning
Now it’s time to update Web Traffic Scanning on your host
• What installation method should be used?
  • Intelligent installation (a.k.a. push installation)
  • Policy based installation
=> Change to next page, once you have decided on the installation method
Page 13

Task 2: Point Application Update
Since FSMA is already installed on your host, it is best to use a policy based installation to upgrade your host
Configure the policy based installation package as follows
• Application Selection: Include Web Traffic Scanning
• Autoregistration Properties: Add a custom property
  • Property Name: Development/HEL
  • Property Value: 1
=> After completing this task, continue on page 28
Page 14

Policy Based Installation Walk Through
Start by choosing the version to install
• Choose “Reinstall 6.x”
Page 15

Policy Based Installation Walk Through
F-Secure installation wizard opens
• Click “Next”
Page 16

Policy Based Installation Walk Through
Accept the prefilled keycode
• Click “Next”
Page 17

Policy Based Installation Walk Through
Mark Web Traffic Scanning
• Click “Next”
Page 18

Policy Based Installation Walk Through
Accept the default language “English”
• Click “Next”
Page 19

Policy Based Installation Walk Through
Check the prefilled PMS server URL and correct it if necessary
• Click “Next”
Page 20

Policy Based Installation Walk Through
Add the following custom property
• Property Name: Development/HEL
• Property Value: 1
Page 21

Policy Based Installation Walk Through
Choose “Uninstall conflicting products” (default)
• Click “Next”
Page 22

Policy Based Installation Walk Through
Accept the prefilled restart options from the last distribution
• Click “Finish”
Page 23

Policy Based Installation Walk Through
Wait while the installation package is created
• This step might take some minutes (depending on your system)
• Do not press “Cancel”
• After completion, distribute the policies!
Page 24

Policy Based Installation Walk Through
F-Secure Setup will start and reinstall AVCS 6.x on your computer
Wait until the Reboot message appears on your screen
• Reboot the computer and change back to the PMC
Page 25

Installation Checkup
Once the computer has rebooted, the policy based installation progress should show a successful installation
• The most common failure reasons are wrong key codes or insufficient disk space on the host (see the setup error on the screenshot)
Page 26

Installation Checkup
Open the AVCS advanced user interface and check whether Web Traffic Scanning is installed
• Default setting is “disabled”
Page 27

Task 3: Create An Autoregistration Import Rule
Start by forcing a new host autoregistration by deleting wks01 from the policy domain
• After deleting, distribute the policies!
Your task is now to create an autoregistration import rule which places wks01 in the “Development/HEL” sub-domain
• Create a rule using the custom property as the import criterion
• Test the rule. Did it work?
=> After completing this task, continue on page 33
Page 28

Autoregistration Import Rule Creation Walk Through
Start the autoregistration wizard
• Click “Import autoregistered hosts”
Page 29

Autoregistration Import Rule Creation Walk Through
Check whether the deleted host has already sent the autoregistration request
• If yes, the custom property will be included in the autoregistration request
• Do not import the host now, since we first have to create the import rule!
Page 30

Autoregistration Import Rule Creation Walk Through
Change the active tab to “Import Rules”
• Press “Add” to create a new rule
• Select the target domain level (Development/HEL)
• Press “OK”
Page 31

Autoregistration Import Rule Creation Walk Through
Add a custom property
• Uncheck all other property fields for better understanding
• Enter the custom property name (Development/HEL)
• Confirm with “OK”
Page 32

Autoregistration Import Rule Creation Walk Through
Your autoregistration import rule is ready
• Press import to apply the rule
• Your host should be placed in the “Development/HEL” sub-domain
• Rename the host to wks01 to match the course binder examples (Domain/Host properties, WINS Name)
Page 33

Task 4: Managing Policies On Multiple Levels
Change to Anti-Virus Mode (View menu)
Define the following policy settings on different levels
• Accounting/HEL
  • Real-time Scanning/File Scanning/Action on infection: “Disinfect Automatically”
• Host level (wks01)
  • Activate “Scan network drives”
=> Task continues on the next page
Page 34

Task 4: Managing Policies On Multiple Levels
Now, move host wks01 to the sub-domain “Accounting/HEL”
• Check the real-time file scanning settings. Did the setting inheritance from the parent domain (Accounting/HEL) work?
• If not, what do you think is the reason?
=> Change to next page, once you have the answers
Page 35

Task 4: Managing Policies On Multiple Levels
Settings defined on the host level will never be overwritten by parent domain settings
• Try to change the policies as follows (as easily as possible)
  • Disable “Scan network drives” for the whole F-Secure domain
  • Enable “Scan network drives” only for the sub-domain “Development/HEL”
• Move the host wks01 back to sub-domain “Development/HEL”
• Check the real-time file scanning settings. Did the inheritance work now and why?
• Call the instructor and present your solution
=> After you have completed this task, continue on page 40
Page 36

Managing Policies On Multiple Levels Walk Through
After you copied the host wks01 to the domain “Accounting/HEL”, the settings are as follows
• “Action on infection” is inherited from the parent domain
  • Reason: The setting has not been defined on the host level, therefore the inheritance works
• “Scan network drives” is not inherited!
  • Reason: The setting has been defined on the host level, therefore there is no inheritance
Page 37

Managing Policies On Multiple Levels Walk Through
Instructions on how to disable network drive scanning for the whole policy domain
• Mark the root domain (F-Secure)
• Right-click “Scan network drives”
• Choose “Force value” (confirm with “Yes”)
Check the file scanning settings on the host wks01
• All settings should be gray, since they are inherited from the root domain
Page 38

Managing Policies On Multiple Levels Walk Through
Finally, activate network drive scanning for the domain “Development/HEL”
• Mark “Development/HEL”
• Enable “Scan network drives” and force the value
Distribute the policies!
Copy the host wks01 back to sub-domain “Development/HEL”
• Now the inheritance will work, since we have no settings defined on the host level
Page 39

Task 5: Configuring Apache Server
By default, Policy Manager Server administration connections are limited to the local computer
• Web reporting module access is by default not limited!
You will now change the Apache configuration
• Remove the admin module access limitation (allow connections from everywhere)
• Restrict the web reporting module to allow connections only from the local computer and from your managed host
=> Once you have completed the configuration, continue on page 44
Page 40

Apache Server Configuration Walk Through
Browse to the Apache configuration file (httpd.conf)
• Open the file with WordPad (open with)
Page 41

Apache Server Configuration Walk Through
Configure the httpd.conf as follows
Apache Admin Module
• Replace “Listen 127.0.0.1:8080” with “Listen 8080”
Web Reporting Module
• No access limitation defined (by default)
• Create an access list, as shown on the screenshot (replace <host IP address> with your real host IP)
• Save the settings and close the file
Page 42

Apache Server Configuration Walk Through
Close your Policy Manager Console and restart the Policy Manager Server service
Page 43

Apache Server Configuration Checkup
After you have finished the Apache configuration, close the Policy Manager Console and inform the instructor to test your solution
• Don’t forget to restart the Policy Manager Server service!
After the instructor has tested your system and given you the OK, re-open your console
• Is there anything unusual happening?
Page 44

Apache Server Signs For Data Integrity Problems
Yes, the instructor has opened your console with a different key-pair, therefore you get a key change notification at console startup
• You can reassign the original keys
Page 45

Apache Server Signs For Data Integrity Problems
Take a look at the alerts. Are there any unusual entries?
• Also check your managed host. Anything strange there?
Page 46

Apache Server Signs For Data Integrity Problems
The instructor has re-signed your policy domain with a different key and distributed the policies
• The changes have not passed the signature verification on the hosts, so the policy has been rejected!
• Redistribute the policies with your keys, and everything should be back to normal
Page 47

Working with Reports
Policy Manager provides you with both automatic status reports (e.g. virus alerts) and built-in reporting tools
Policy Manager Reporting Tools
• Web Reporting
  • Graphical reporting system (available through a web browser)
• Embedded reporting
  • Textual reporting (available only from the console)
Page 48

Task 6: Using Web Reporting
Open Web Reporting on your managed host. Try to answer the following questions
1. What is the latest alert reported by your host? Can you explain the reason for this alert?
2. What is the UID (Unique Identifier) of your host?
3. When did the host last connect to the server?
4. What version of Automatic Update Agent (AUA) is installed on your host?
5. What’s the percentage of hosts with real-time protection?
=> After you have completed this task, continue on page 55
Page 49

Using Web Reporting Walk Through
Question 1: What is the latest alert reported by your host?
Answer: Failed signature check on host wks01
Reason: The policy domain has been re-signed with different keys
Page 50

Using Web Reporting Walk Through
Question 2: What is the UID of your host?
Answer: Host Properties/Detailed Host Properties/UID
Page 51

Using Web Reporting Walk Through
Question 3: When did the host last connect to the server?
Answer: Host Properties/Update Details/Latest Connection to Server
Page 52

Using Web Reporting Walk Through
Question 4: What version of AUA is installed on your host?
Answer: Installed Software/Automatic Update Agent/Version
Page 53

Using Web Reporting Walk Through
Question 5: What’s the percentage of hosts with real-time protection?
Answer: Only 13 % of your policy domain have real-time scanning enabled
Page 54

Task 7: Troubleshooting Scenario
One of the most common troubleshooting cases is that managed hosts cannot reach the Policy Manager Server
You will now create a scenario where your host receives a wrong server address. As soon as the new policy is fetched by the host, its connection to the server will be lost
• Choose ”Development/HEL” and assign a wrong server URL
• Distribute the policies
=> Task continues on next page
Page 55

Task 7: Troubleshooting Scenario
Make sure the client has fetched the new policy
• Check the local GUI (advanced interface)
• The new (wrong) server address should be visible and locked
=> Task continues on next page
Page 56

Task 7: Troubleshooting Scenario
Let’s try to change the server address directly in policy.bpf
• Stop the F-Secure Management Agent (net stop fsma)
• Open c:\program files\f-secure\common\policy.bpf with WordPad
• Search for the address and change it back to the correct address
• Save the changes and restart FSMA
Did the changes succeed?
• If not, what’s the reason?
=> Task continues on next page
Page 57

Task 7: Troubleshooting Scenario
Your change did not pass the signature verification
• The DAAS system has successfully blocked the unauthorized change of the base policy file
What next? Did you reach a dead end?
• Try to come up with a solution without reinstalling the host with a push installation
=> After completing this task, continue on page 61
Page 58

Troubleshooting Scenario Solution Walk Through
Change back to the Policy Manager Console
• Mark “Development/HEL” and correct the server address
• Distribute the policies
• Mark host wks01 and export the policy manually
• Save the policy to the c:\ root
Page 59

Troubleshooting Scenario Solution Walk Through
Change to the managed host
• Create a network share to the PMS (map \\<server ip>\c$)
• Open the local user interface
• Choose Central Management
• Press “Import policy manually”
Page 60

Troubleshooting Scenario Solution Connection Testing
After you have imported the new policy manually, try to connect to the server; the connection should be successful
Page 61

Hands-On Completed
That was it! You have now completed the whole hands-on section.
Next on the agenda: the Certification Exam
Page 62
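Added example for Task 4 (pages 34 to 39), not part of the original course material or of F-Secure's implementation: a small model of a policy domain tree that replays the walkthrough (host-level setting, move to Accounting/HEL, "Force value" on the root and on Development/HEL, move back) and records what wks01 sees at each step. The domain names and settings are the ones on the pages; the force semantics (define here, clear the setting in every descendant) are a simplification assumed from the "gray, inherited from the root domain" observation on page 38.

```python
# Constructed model of Policy Manager setting inheritance (Task 4), not F-Secure code:
# nearest definition wins; host-level values are never overwritten; "Force value" clears descendants.
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    parent: "Node" = None
    children: list = field(default_factory=list)
    settings: dict = field(default_factory=dict)   # values defined on this node only

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child

    def effective(self, key: str) -> tuple:
        # (value, defined_at); defined_at != own name means inherited (gray in the console)
        node = self
        while node is not None:
            if key in node.settings:
                return node.settings[key], node.name
            node = node.parent
        return None, None

    def force(self, key: str, value) -> None:
        # "Force value": define here and clear the setting in every descendant
        self.settings[key] = value
        stack = list(self.children)
        while stack:
            node = stack.pop()
            node.settings.pop(key, None)
            stack.extend(node.children)

def run_task4() -> dict:
    root = Node("F-Secure")
    wks = root.add(Node("Helsinki")).add(Node("Workstations/HEL"))
    acc, dev = wks.add(Node("Accounting/HEL")), wks.add(Node("Development/HEL"))
    wks01 = dev.add(Node("wks01"))
    acc.settings["Action on infection"] = "Disinfect Automatically"  # page 34, domain level
    wks01.settings["Scan network drives"] = True                     # page 34, host level
    acc.add(dev.children.pop())            # page 35: move wks01 to Accounting/HEL
    r = {"action": wks01.effective("Action on infection"),
         "scan_after_move": wks01.effective("Scan network drives")}
    root.force("Scan network drives", False)                         # page 38
    r["scan_after_root_force"] = wks01.effective("Scan network drives")
    dev.force("Scan network drives", True)                           # page 39
    dev.add(acc.children.pop())            # page 39: move wks01 back to Development/HEL
    r["scan_after_move_back"] = wks01.effective("Scan network drives")
    return r
```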
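The httpd.conf changes of page 42 as an added example, not the page's own screenshot or an F-Secure file: the Listen change for the admin module, and an access list for the web reporting module in the Order/Allow/Deny syntax of Apache 1.3 and 2.0. The Location path and the host address 192.0.2.10 are placeholders; use the block your httpd.conf already has for the reporting module and your real host IP.

```apache
# Apache Admin Module (page 42): the loopback-only bind
#   Listen 127.0.0.1:8080
# is replaced by a bind on all interfaces, so consoles elsewhere can connect
Listen 8080

# Web Reporting Module (page 42): no access limitation is defined by default,
# so one is added. The path is a placeholder; use the Location or Directory
# block that your httpd.conf already contains for the reporting module.
<Location "/web-reporting-placeholder">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.0.2.10    # placeholder for <host IP address>: your managed host
</Location>
# Apache 2.4 equivalent of the three access lines above:
#   Require ip 127.0.0.1 192.0.2.10
```

Once the admin module listens on every interface, it is reachable from the whole network, so outside this lab the same kind of Allow list is the natural counterpart to the Listen change.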
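For the signature failures on pages 46 and 57 (the domain re-signed with the instructor's key pair, and the hand-edited policy.bpf that DAAS rejects) and the fix on page 58, here is an added example that is not part of the original material or of F-Secure's implementation: a textbook-RSA model of a console signing a policy and a host verifying it with the key it trusts. The key sizes, server URLs and the policy layout are constructed for the example.

```python
# Constructed model of why a foreign-signed (page 46) or hand-edited (page 57) policy
# is rejected by the host; not F-Secure's DAAS or policy.bpf format. Textbook RSA
# over toy Mersenne-prime moduli keeps it offline; far too small for real use.
import hashlib
import json

E = 65537
CONSOLE_PRIMES = ((1 << 31) - 1, (1 << 61) - 1)     # "your" console key pair
INSTRUCTOR_PRIMES = ((1 << 19) - 1, (1 << 89) - 1)  # the instructor's key pair

def keypair(p: int, q: int) -> tuple:
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))   # (public, private)

def _digest(settings: dict, n: int) -> int:
    canon = json.dumps(settings, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % n

def sign_policy(settings: dict, private: tuple) -> dict:
    """Console side: the distributed policy carries the settings plus a signature."""
    n, d = private
    return {"settings": settings, "signature": pow(_digest(settings, n), d, n)}

def verify_policy(bpf: dict, trusted_public: tuple) -> bool:
    """Host side: accept only if the signature fits the settings under the
    public key the host trusts (the one it was installed with)."""
    n, e = trusted_public
    return pow(bpf["signature"], e, n) == _digest(bpf["settings"], n)

def run_scenarios() -> dict:
    console_pub, console_priv = keypair(*CONSOLE_PRIMES)
    _instr_pub, instr_priv = keypair(*INSTRUCTOR_PRIMES)
    wrong = {"server_url": "http://192.0.2.99/"}   # constructed wrong server address (page 55)
    right = {"server_url": "http://192.0.2.1/"}    # constructed correct server address
    own = sign_policy(wrong, console_priv)
    tampered = {"settings": right, "signature": own["signature"]}  # page 57: edited policy.bpf
    return {
        "own_keys": verify_policy(own, console_pub),
        "foreign_keys": verify_policy(sign_policy(wrong, instr_priv), console_pub),  # page 46
        "hand_edited": verify_policy(tampered, console_pub),
        "resigned": verify_policy(sign_policy(right, console_priv), console_pub),    # page 58
    }
```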