safeguard portprotector installation guide
SafeGuard PortProtector 3.30 SP6 Installation guide
Document date: March 2010
SafeGuard® PortProtector 3.30, Installation guide
Important Notice
This guide is delivered subject to the following conditions and restrictions:
This guide contains proprietary information belonging to Sophos. Such information is supplied
solely for the purpose of assisting explicitly and properly authorized SafeGuard PortProtector
users.
No part of its contents may be used for any other purpose, disclosed to any person or firm or
reproduced by any means, electronic or mechanical, without the express prior written
permission of Sophos.
The text and graphics are for the purpose of illustration and reference only. The specifications
on which they are based are subject to change without notice.
The software described in this guide is furnished under a license. The software may be used or
copied only in accordance with the terms of that agreement.
Information in this guide is subject to change without notice. Corporate and individual names
and data used in examples herein are fictitious unless otherwise noted.
The information in this document is provided in good faith but without any representation or
warranty whatsoever, whether it is accurate, or complete or otherwise and on express
understanding that Sophos shall have no liability whatsoever to other parties in any way arising
from or relating to the information or its use.
SafeGuard PortProtector and SafeGuard PortAuditor are OEM versions of Safend Protector and
Safend Auditor from Safend. Therefore some screenshots throughout this manual may still
contain the Safend branding but mean the same as within the SafeGuard OEM version.
Boston, USA | Oxford, UK © Copyright 2010. Sophos. All rights reserved. All trademarks are the property of their respective owners.
Other company and brand products and service names are trademarks or registered trademarks of their respective holders.
About This Guide
This Installation Guide comprises the following chapters:
Chapter 1, Installation Workflow, suggests a workflow for using the SafeGuard PortProtector
solution to protect your organization's endpoints.
Chapter 2, Preparing for Installation, describes the SafeGuard PortProtector architecture and
the SafeGuard PortProtector installation workflow. It then describes the system requirements
and prerequisites for installation and all the preparations that need to take place before
installing SafeGuard PortProtector.
Chapter 3, Installing SafeGuard PortProtector Management Server, describes how to install,
restore and upgrade the SafeGuard PortProtector Management Server, and how to launch the
SafeGuard PortProtector Management Console.
Chapter 4, Installing SafeGuard PortProtector Management Console, describes how to install
SafeGuard PortProtector Management Console.
Chapter 5, Installing SafeGuard PortProtector Client, describes the various methods for
installing, or deploying, SafeGuard PortProtector Client. It also explains how to uninstall and
upgrade SafeGuard PortProtector Client.
Appendix A - OPSEC™ Interoperability, describes Check Point's OPSEC™ and how it interfaces
with SafeGuard PortProtector.
Appendix B - NAC Interoperability, describes Cisco's NAC and how it interfaces with SafeGuard
PortProtector.
Contents
1 Installation Workflow
2 Preparing for Installation
3 Installing SafeGuard PortProtector Management Server
4 Installing SafeGuard PortProtector Management Console
5 Installing SafeGuard PortProtector Client
6 Appendix A - OPSEC™ Interoperability
7 Appendix B - NAC Interoperability
1 Installation Workflow
About This Chapter
Before installing SafeGuard PortProtector V3.3, it is important to fully understand the implementation process of the SafeGuard PortProtector solution. This chapter suggests a workflow for using the SafeGuard PortProtector solution to protect your organization's data. It contains the following section:
SafeGuard PortProtector Implementation Workflow describes the workflow for implementing
and using SafeGuard PortProtector.
1.1 SafeGuard PortProtector Implementation Workflow
The following is an overview of the workflow for implementing and using SafeGuard PortProtector.
Step 1: Install the SafeGuard PortProtector Management Server and Console, as described in
Chapter 2, Preparing for Installation and Chapter 3,
Installing SafeGuard PortProtector Management Server.
Step 2: Install Additional Management Consoles, as described in Chapter 4, Installing
SafeGuard PortProtector Management Console.
Step 3: Define General SafeGuard PortProtector Administration Settings, such as the method in
which policies are published, as described in Chapter 7, Administration in SafeGuard
PortProtector User help.
Step 4: Scan Computers and Detect Port/Device Usage. Use SafeGuard PortAuditor to detect
the ports that have been used in your organization and the devices and WiFi networks that are
or were connected to these ports, as described in SafeGuard PortAuditor User help.
Step 5: Define SafeGuard PortProtector Policies. In this stage you define the blocked, allowed
and restricted ports, devices and WiFi networks according to the security and productivity
requirements of your organization as described in Chapter 3, Defining Policies in SafeGuard
PortProtector User help.
Step 6: Install SafeGuard PortProtector Client on Endpoints, as described in Chapter 5,
Installing SafeGuard PortProtector Client.
Step 7: Distribute SafeGuard PortProtector Policies to Endpoints: in this stage, you can either
associate policies with users and computers and distribute them directly to endpoints (via SSL), or use
Active Directory's GPO feature or any other third-party tool to distribute SafeGuard PortProtector
Policies, as described in Chapter 4, Distributing Policies in SafeGuard PortProtector User
help.
Step 8: Endpoints are Protected by SafeGuard PortProtector Policies: in this stage, only
approved devices and WiFi networks can be used, through permitted ports. Logs about port,
device and WiFi network use and attempted use, as well as tampering attempts, are created and
sent to the Management Server as described in Chapter 8, End-User Experience in SafeGuard
PortProtector User help.
Step 9: Monitoring Logs and Alerts, view and export the log entries generated by SafeGuard
PortProtector Clients, as described in Chapter 5, Viewing Logs in SafeGuard PortProtector User
help.
2 Preparing for Installation
About This Chapter
This chapter first describes the SafeGuard PortProtector architecture and the SafeGuard PortProtector installation workflow. It then specifies the system requirements and prerequisites for installing the different components of SafeGuard PortProtector, followed by instructions on how to prepare the network for installation. It contains the following sections:
System Requirements, page 9, describes the system requirements for each one of the SafeGuard
PortProtector components.
Preparing your Network, page 10, describes the preparation that needs to be done on your
network in order to allow the different SafeGuard PortProtector components to communicate
without interruptions.
Tips on preparing your Endpoints, page 11, describes the preparation that needs to be done on
your endpoints before installing SafeGuard PortProtector in order to optimize the security of
your network.
2.1 System Requirements
Following are the system requirements for the various system components:
SafeGuard PortProtector Client Requirements
Operating System: Windows XP Professional (SP 1-3); Windows XP 64 bit Professional (SP 2-3) (note that there is a separate MSI from version 3.2 for 64 bit OS); Windows 2003 Server (SP 1-2); Windows 2000 SP4 Rollup 1; Windows Vista Business/Enterprise/Ultimate (SP 1-2) 32-bit; Windows 7 Business/Enterprise/Ultimate 32-bit
Hardware: Pentium 800 MHz; 256 MB RAM; 50 MB HDD space
SafeGuard PortProtector Console Requirements
Operating System: Windows XP Professional (SP 2); Windows 2003 Server (SP 1-2)
Hardware: Pentium 800 MHz; 256 MB of RAM; 50 MB HDD space
Software: Microsoft .NET Framework 2.0 (Make sure that the server and console are installed with the same .Net 2.0 SP)
SafeGuard PortProtector Server Requirements
Operating System: Windows XP Professional (SP2 – not supported for production environments); Windows 2003 Server (SP 1-2)
Hardware: The server hardware requirements depend on the number of installed SafeGuard PortProtector clients. To obtain the specifications suitable for your organization, please contact your local Sophos reseller or Sophos support at [email protected].
Software: Microsoft .NET Framework 2.0 (Make sure that the server and console are installed with the same .Net 2.0 SP); Microsoft IIS
2.2 Preparing your Network
Before installing the system, be sure to enable the following communications in your network and personal firewalls.
To prepare your network:
1 In order to communicate freely between the SafeGuard PortProtector Management Server and
the SafeGuard PortProtector Clients, make sure that the SSL port is open in your network
firewall. Sophos typically uses port 443 (SSL standard) for this. If you have chosen otherwise,
make sure to allow this port in your firewall.
2 In order for the SafeGuard PortProtector Management Console to be able to control clients
(send control commands to clients to send their logs and update their policy), it needs WMI
ports to be open on the personal firewalls of each endpoint. WMI uses port 135 and a series of
random ports.
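A pre-installation check for the ports named above, as an added example that is not part of the Sophos guide or product: it separates a silently dropped connection (firewall) from a refused one (nothing listening) and reports whether the SSL port presents a certificate that a default trust store accepts. Host names are placeholders, and 4443 is the Windows 2003 console default given later in this guide.

```python
"""Reachability pre-flight for the SafeGuard PortProtector ports (added example)."""
import socket
import ssl

# Ports taken from the guide: 443 is the usual SSL port for client traffic,
# 4443 the Windows 2003 default for console traffic, 135 the WMI/RPC port.
CLIENT_SSL_PORT = 443
CONSOLE_SSL_PORT_W2003 = 4443
WMI_RPC_PORT = 135

HINTS = {
    "open": "reachable",
    "refused": "host answered but nothing listens here; check the service is installed and running",
    "filtered": "no answer before the timeout; a firewall is probably dropping the traffic",
    "unresolved": "host name does not resolve; check DNS or the name entered",
    "unreachable": "no route to host or another network error",
}


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as open, refused, filtered, unresolved or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except ConnectionRefusedError:
        return "refused"      # a RST came back: the packet reached the host
    except socket.timeout:
        return "filtered"     # nothing came back: typical of a dropping firewall
    except OSError:
        return "unreachable"


def tls_state(host, port, timeout=3.0):
    """Report whether the SSL port presents a certificate the local trust store accepts."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError as exc:
        # A certificate generated by the installer lands here, since it is not CA-signed.
        return "untrusted: " + exc.verify_message
    except ssl.SSLError:
        return "tls-error"    # port is open but the handshake failed for another reason
    except OSError:
        return "unreachable"


def preflight(server, endpoints, client_port=CLIENT_SSL_PORT,
              console_port=None, timeout=3.0, probe=probe_tcp):
    """Probe the server SSL port(s) and port 135 on each endpoint.

    Run it from the machine that will originate the traffic: an endpoint for the
    client port, the console machine for the console port and for WMI.
    Port 135 being open does not prove that the random WMI ports are allowed
    as well; those are not probed here.
    """
    checks = [("server SSL port (clients)", server, client_port)]
    if console_port is not None:
        checks.append(("server SSL port (consoles)", server, console_port))
    checks += [("endpoint WMI/RPC", ep, WMI_RPC_PORT) for ep in endpoints]

    report = []
    for label, host, port in checks:
        state = probe(host, port, timeout)
        report.append({"check": label, "host": host, "port": port,
                       "state": state, "hint": HINTS[state]})
    return report


if __name__ == "__main__":
    # Placeholder names (assumptions): replace with your own server and endpoints.
    SERVER = "mgmt-server.example.internal"
    ENDPOINTS = ["endpoint01.example.internal", "endpoint02.example.internal"]
    for row in preflight(SERVER, ENDPOINTS, console_port=CONSOLE_SSL_PORT_W2003):
        print("{check:28} {host}:{port:<5} {state:11} {hint}".format(**row))
    print("certificate on SSL port:", tls_state(SERVER, CLIENT_SSL_PORT))
```
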
2.2.1 Opening WMI ports on Windows XP (SP2) Firewall
If you are using Windows XP (SP2) firewall as the personal firewall on your endpoints, you can use the GPO mechanism to configure endpoints to accept incoming WMI communications. The following section is quoted from Microsoft documentation.
"Without configured exceptions, Windows Firewall will drop traffic for server, peer, or listener applications and services. Therefore, it is likely you will want to configure Windows Firewall for exceptions to ensure that the Windows Firewall works appropriately for your environment. Windows Firewall settings are available for Computer Configuration only.
They are located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.
Identical sets of policy settings are available for two profiles:
Domain profile. Used when computers are connected to a network that contains your
organization’s Active Directory domain.
Standard profile. Used when computers are not connected to a network that contains your
organization’s Active Directory domain, such as a home network or the Internet.
The relevant policy setting for WMI is:
Windows Firewall: Allow remote administration exception
This allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using RPC and DCOM.
The default is Not Configured".
2.3 Tips on Preparing Your Endpoints
Booting via an external boot device (floppy, CD etc.) will circumvent any security software. However, there are a few ways either to prevent this scenario or to make it impossible to read the data from outside the Sophos-protected operating system:
Changing the boot sequence: Change the boot sequence so that the machine does not boot first from the floppy, then the CD\DVD-ROM, and, finally, the hard disk drive. The hard disk drive should always be the first boot device. If the floppy or the CD\DVD-ROM is the initial boot device, anyone can use a bootable medium that can directly access the hard disk drive and reset the administrator password in seconds.
Physical seal \ chassis protection: Make sure that the hardware is sealed and that the hard disk drive cannot be simply disconnected.
Setting a password to protect the BIOS: This prevents users from entering the BIOS and re-enabling the boot access through devices other than the internal hard disk drive.
Disk Encryption: Several disk encryption software packages are available in the market. These are used to encrypt the entire disk, making sure that the data can be read only when loading the operating system (which contains a decrypt-able client). Booting from any external boot device will not prove useful since all data will be encrypted.
SafeGuard PortProtector Client has been tested to work along with the leading software products of this type, including PGP Wholedisk, Sophos SafeGuard Easy, WinMagic and Pointsec.
3 Installing SafeGuard PortProtector Management Server
About This Chapter
This chapter describes how to install SafeGuard PortProtector Management Server and contains the following sections:
Prerequisites, describes the requirements for installing the management server.
Installing Prerequisite Software, describes how to install Microsoft .NET framework and IIS.
Before Installing SafeGuard PortProtector Management Server, provides a checklist of issues you
need to verify before starting the installation process.
Installing the Management Server, describes how to install the SafeGuard PortProtector
Management Server for the first time and how to launch the SafeGuard PortProtector
Management Console.
Restoring an Existing Management Server, describes how to restore an existing SafeGuard
PortProtector Management Server in case of hardware upgrade or failure.
Upgrading the Management Server, explains how to upgrade SafeGuard PortProtector from
version 3.2 to version 3.3.
Post-Installation Settings (Checklist), lists a set of critical settings to define after installation.
Uninstalling SafeGuard PortProtector Management Server, explains how to uninstall SafeGuard
PortProtector Management Server.
Changing your Database, explains how to switch from using an embedded SafeGuard
PortProtector database to an external MS SQL database, and vice versa.
3.1 Prerequisites
3.1.1 Operating System
Windows XP Professional (SP0-2) 32-bit
Windows 2003 Server (SP0-2) 32-bit
3.1.2 Hardware
The server hardware requirements depend on the number of installed SafeGuard PortProtector Clients. To obtain the specifications suitable for your organization, please contact your local Sophos reseller or Sophos support at [email protected].
3.1.3 Software
Microsoft .NET Framework 2.0 installed
Microsoft Internet Information Services (IIS)
3.2 Installing Prerequisite Software
3.2.1 Installing Microsoft .NET Framework 2.0
To install .NET Framework
Microsoft .NET Framework 2.0 is built in by default on Windows 2003, and can be downloaded for free from the Microsoft website for Windows XP.
Link to .NET framework 2.0 installation package:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5&DisplayLang=en
3.2.2 Installing Microsoft IIS
To install Microsoft IIS:
1 In Control Panel on your computer, double-click Add or Remove Programs. The Add or Remove
Programs window opens.
2 Click Add/Remove Windows Components. The Windows Components Wizard window opens.
3 If you are installing the application on a machine running Windows 2003, check the
Application Server checkbox. If you are installing IIS on a machine running Windows XP, check
the Internet Information Services checkbox, as shown below:
4 Click Next.
5 The Insert Disk window opens, asking for the utility disc or location that holds the relevant
Microsoft Windows installation components:
6 Insert the disc and click OK. The installation may take a few moments.
7 When the wizard notifies you that the installation is complete, as shown in the following figure,
click Finish to close the wizard. IIS is now installed.
3.3 Before Installing SafeGuard PortProtector Management Server
1 Verify that all system requirements and prerequisites are met.
2 Make sure that the SafeGuard PortProtector Server machine belongs to the same domain in
which you intend to deploy SafeGuard PortProtector policies.
3 Make sure that a MySQL DB is not installed on the SafeGuard PortProtector Management
Server machine.
3.4 Installing the Management Server
To install SafeGuard PortProtector Management Server:
1 Locate on your installation CD.
2 Double-click the file. The SafeGuard PortProtector Server Installation window appears:
3 Click Browse to select a destination folder for the extracted installation files.
Note: Make sure that the files are extracted to a local folder. The installation will not run from a network path.
4 Click Install.
5 Following extraction, you will be asked to select the SafeGuard PortProtector Server language, as
shown below:
6 Select the required language and click OK. The first step of the installation wizard appears:
Click Next and read the End User License Agreement. After accepting, click Next again. The
Installation Mode step opens:
Select one of the following options:
For a new installation select the New radio button and proceed to step 9 below.
For instructions regarding the Restore option, refer to Restoring an Existing Management
Server on page 33.
To join a server cluster, select the Join a Cluster radio button.
A server cluster enables the installation of several SafeGuard PortProtector Management Servers connected to a single external database, so that they seamlessly share the load of traffic from the endpoints, as well as to provide redundancy and high availability.
The following window opens:
7 Click Next. The Database window opens:
SafeGuard PortProtector can create its own internal database for storing configuration and data. Alternatively, you can use an existing external database.
Note: SafeGuard PortProtector supports MS SQL 2000 and up.
8 In the Database window, select the required radio button. Select the first radio button if you
want to use a database which resides on the same machine as the Management Server (the
database is managed by SafeGuard PortProtector Management Server). Select the second
option if you have an MS SQL database on another machine and you want to use it as your
SafeGuard PortProtector database.
Note: If you select to use an existing external database, this database must already be installed.
9 Click Next. If you selected to install an embedded database, skip to Step 14.
10 If you have selected to use an existing database server or to join a cluster, the following window
opens:
11 In the Database Credentials window, perform the following steps:
a. In the Database Server field, enter the database server name (for a non-default instance use the format server\instance).
b. Under Database authentication mode, click the appropriate radio button to select whether to use MS SQL Security or Microsoft Windows Security.
c. Enter database authentication credentials – User Name and Password. If you selected Microsoft Windows Security you must also enter a Domain name.
12 Click Next. The installation program validates access to the database.
Note: If validation fails, re-enter the correct information, or click Cancel to exit the installation wizard.
Note:
If a valid SafeGuard PortProtector database already exists on this database server, the following window opens:
In this window, click Yes in order to overwrite the existing database. If you wish to use the existing database, click No and skip to Restoring an Existing Management Server on page 33.
13 The Destination Folder step opens:
14 Click Next to select the default installation folder: C:\Program Files\Sophos\SafeGuard
PortProtector, or click Change to select a different installation folder then click Next. The
Domain Credentials window opens:
15 In the Domain Credentials window, enter the domain user credentials: SafeGuard PortProtector
Management Server requires a domain account from your Active Directory in order to perform
tasks such as creating GPOs and for controlling clients via WMI. We recommend that you enter
an account with domain administrator privileges (you may change this user after installation).
16 Click Next.
Users' access to the Management Console is restricted for security reasons. SafeGuard
PortProtector does not require its own users and computers database. Instead, credentials are
checked against Active Directory and/or local user accounts on the Management Server
machine. Following installation, access to the Management Console is restricted to users who
have local administrative rights on the computer hosting the Server, as shown below:
17 Click Next. The Communication Port window opens.
SafeGuard PortProtector Management Server communicates with the SafeGuard PortProtector Management Consoles and Clients through SSL ports. Port definitions differ in Windows XP and Windows 2003.
Windows XP
The Management Server will use the default SSL port which is defined by the website of the host computer for communicating both with SafeGuard PortProtector Clients and with the Management Console.
Note: If no website is found on the host computer, the same window appears, with the Communication Port (SSL) text box editable. If you are not using the standard port 443, change it as required.
Windows 2003
In Windows 2003, SafeGuard PortProtector uses two different ports to communicate with SafeGuard PortProtector Clients and with the Management Server.
The default ports are 443 for Client communications and 4443 for Management Console communications. If you wish, you may change these default ports.
18 In order for SSL to operate, a certificate is needed to authenticate the Management Server. This
certificate is also used for encrypting the data sent on the communication port. If the computer
that is running the Server already has an active website that allows the SSL port activation, the
application will use the existing certificate. If no certificate exists, the application will create a
new certificate and will notify you of this.
Note: A Sophos generated certificate is not signed by a valid Certificate Authority (CA). Although this does not affect the overall security level of the system, using this certificate will cause Internet Explorer to display security alerts.
In order to avoid these alerts you will need to replace the certificate with a signed certificate you receive from a trusted Certificate Authority.
19 Click OK to continue with the installation.
20 Click Next.
In the following window, you will be asked to back up the encryption keys that are generated by
SafeGuard PortProtector.
To enhance the security of the system, encryption keys are generated during the installation.
These keys are unique to your organization and raise the tampering resistance of your system.
The keys are used to encrypt policies and logs as well as for mutual authentication between the
Server and the endpoints.
One example of the use of these unique keys is that endpoints need to be initialized upon
installation with the organization's unique keys. From this point on, an endpoint will treat any
information (e.g. a policy) that does not correlate to the keys as an attempt to circumvent its
protection.
For this reason it is highly recommended to back up the keys and store them on another machine/site in order to ensure smooth recovery in cases of server malfunction without the need to re-deploy Clients to endpoints.
In order to back up your encryption keys, you need to set a password that will be used to protect the keys:
If you do not want to back up your encryption keys during the installation, check the Do not backup encryption keys now checkbox and click Next.
To back up your encryption keys, click Browse to select a path. Enter a password and confirm it.
Note: The password should be at least 7 characters long and should contain one upper case character and one digit.
21. Click Next.
In the following window, you will be asked to configure the schedule for automatic system backup to the network, which includes the encryption keys that are generated by SafeGuard PortProtector.
You may change the default Perform backups interval (Daily, Weekly, Monthly) and the time. The backup path supplied must reside on a network share, with write permissions for the user provided in the Domain Credentials window (step 16) in the setup wizard. Click Browse to select the Network backup path. Enter a Password and Confirm it. If there is a problem with the password you choose (or share permission), the following message will be displayed.
22. Click Next.
The Summary window opens:
21 Confirm the installation summary and click Install to perform the Server installation.
Installation begins, and the Installation Progress window opens:
22 Once installation has been completed, the following window opens:
23 The SafeGuard PortProtector Management Server has been installed. Check the checkbox at the bottom of the screen if you wish to launch the SafeGuard PortProtector Management Console, and click Finish.
Note: The installation process installs the SafeGuard PortProtector Management Console as well.
24 If you have chosen to launch the SafeGuard PortProtector Management Console, the Login window opens:
Enter your User Name, Password and Domain and click Login. The application opens, displaying the main window.
25 Take the time to define preliminary settings in the Administration and Global Policy Settings. Please refer to Post-Installation Settings (Checklist) on page 38 for a list of settings which you may want to review and change.
3.5 Restoring an Existing Management Server
In some cases you will need to install SafeGuard PortProtector Management Server while maintaining your system's unique encryption keys, in order to work with your existing SafeGuard PortProtector Clients. This may happen when you want to migrate the Server from a low-CPU machine to a stronger one, or when recovering from hardware malfunctions.
In order to restore an existing Management Server you will need to provide the encryption keys backup file and the password that was set to protect it.
To restore an existing Management Server:
1 Perform the steps described in Installing the Management Server on page 16 up to Step 7.
2 At this stage, you will be asked to choose the installation mode, as shown below:
3 Select the Restore radio button. The following window opens:
4 In the Restore window, select the appropriate radio button according to whether you wish to use SafeGuard PortProtector backup files or connect to an existing external SafeGuard PortProtector MS SQL database. If you select the second option, Connect to an existing SafeGuard PortProtector MS SQL database, skip to step 8 below.
5 Click Next. The Backup Files window opens:
6 Enter the path to your keys backup file and the password protecting it.
If you have saved your previous installation configuration (policies, queries etc.), you can restore the configuration as well. Do this by checking the checkbox and selecting the path to the configuration backup file.
Note: To learn how to restore logs refer to Restoring Logs on page 37.
7 Skip to step 11 below.
8 If you have selected to use an existing database server, the following window opens:
9 In the Database Credentials window, perform the following steps:
a. In the Database Server field, enter the database server name (for a non-default instance use the format server\instance).
b. Under Database authentication mode, click the appropriate radio button to select whether to use MS SQL Security or Microsoft Windows Security.
c. Enter database authentication credentials – User Name and Password. If you selected Microsoft Windows Security you must also enter a Domain name.
10 Click Next. The installation program validates access to the database.
Note: If validation fails, re-enter the correct information, or click Cancel to exit the installation wizard.
11 Follow the instructions in steps 15-27 in Installing the Management Server.
3.5.1 Restoring Logs
The need may arise to restore version 3.2 logs that you have previously backed up. This may happen in one of the following cases:
You wish to upgrade or replace your version 3.2 Management Server machine
Upgrading from version 3.2 to a higher version fails and rolls back to version 3.2 without logs.
Note: This utility only restores logs from and to an embedded SafeGuard PortProtector database, since backing up and restoring logs on an external database is handled by your DBA.
Log restoring is performed using the Log Restore Utility. Running this utility deletes the existing log tables, and restores the exact log schema from the backup file. Log views are created automatically when starting the Management Server.
To view Log Restore Tool version (optional):
1 Locate RestoreTool.exe in your SafeGuard PortProtector Management Server installation folder under the "bin" folder (if you installed in the default destination folder the path is \Program Files\Sophos\SafeGuard PortProtector\Management Server\Bin).
2 Run RestoreTool.exe using the following syntax:
RestoreTool version
The command returns the assembly version of RestoreTool.exe.
To restore logs:
1 Stop the Management Server.
2 Locate RestoreTool.exe in your SafeGuard PortProtector Management Server installation folder under the "bin" folder (if you installed in the default destination folder the path is \Program Files\Sophos\SafeGuard PortProtector\Management Server\Bin).
3 Run RestoreTool.exe using the following syntax:
RestoreTool restore -backupFile [-silent ] [-verbose ]
-backupFile specifies full backup (SLB) file path to restore from
-silent do not ask user for confirmation
-verbose verbose operation
The program notifies you of any errors in the restore process.
If there are no errors, your log data and structure are restored.
4 Start the Management Server.
3.6 Upgrading the Management Server
Upgrading from a previous version of SafeGuard PortProtector to this new version 3.3 SP5 is not supported. Customers will have to uninstall the older version and re-install the SP5 version. Also the policies will not be migrated. If customers have purchased professional services, we can help in the migration of policies.
3.7 Upgrading in a Clustered Environment
Upgrading in a clustered environment is not supported due to the rebranding of the product.
3.8 Post-Installation Settings (Checklist)
The SafeGuard PortProtector Management Server installation package defines default settings for system behavior which you can find under Administration and Global Policy Settings (both available from the Tools menu in the SafeGuard PortProtector Management Console).
Once you complete installing SafeGuard PortProtector Management Server and access the Management Console, you may want to visit these windows and set the parameters relevant to your environment.
3.8.1 Checklist for the Most Critical Settings in the Administration Window:
1 Policy Publishing Method – Select the format and destination for publishing policies.
2 Encryption Keys Backup – Back up the encryption keys if you haven't done so during installation.
3 Client Installation Folder – Set a shared folder for creating client installation files. You will need these files in order to install clients.
Refer to Chapter 7, Administration in SafeGuard PortProtector User help for an explanation of Administration settings.
3.8.2 Checklist for the Most Critical Settings in the Global Policy Settings Window:
1 Log Transfer Interval – Define the frequency at which logs will be sent from endpoints to the Server.
Important:
Take extra care while configuring the Log Transfer Interval in order not to burden your network and endpoints with excessive log sending.
Consider the following:
The number of endpoints in your network
The number of expected events from each endpoint (client and file logs)
The level of need for "real time" log information in the Management Console
During installation, the default log interval is set to 90 minutes. In the case of large scale deployments, please consult Sophos Support in order to optimize your settings.
2 Clients Uninstall Password – Change the default password to your own preference.
Important:
Upon product installation the password is set to "Password1". Since the password is one of the foundations for the tampering resistance of the client, it is highly recommended that you change it as soon as you start deploying the product in a production environment.
Important:
Make sure you have created a backup for the Server encryption keys. This will prevent situations in which you cannot uninstall Clients due to password loss.
Refer to Chapter 3, Defining Policies in SafeGuard PortProtector User help for an explanation of Global Policy settings.
3.9 Uninstalling SafeGuard PortProtector Management Server
To uninstall the Management Server:
1 Open Add or Remove Programs in the Control Panel.
2 Select the SafeGuard PortProtector Management Server from the list, and click Remove as described below:
Note: Uninstalling SafeGuard PortProtector Management Server will delete the SafeGuard PortProtector database; therefore, if you wish to install the latest Server version, it is recommended to upgrade your Server rather than to perform an uninstall/install process.
3.10 Changing your Database
If you wish to change from using a SafeGuard PortProtector embedded database to an external MS SQL database, or vice versa, you can do so by using the Restore option as explained in Restoring an Existing Management Server on page 33 and selecting the new database type.
Note: You can only change your database if you are using version 3.2 and above.
Note: Changing your database will result in loss of previous logs. Previous policies are transferred to the new database, but policy associations to organizational objects (when using the "direct distribution from the Management Server to Clients" policy distribution mode) are lost.
4 Installing SafeGuard PortProtector Management Console
About This Chapter
This chapter describes how to install the SafeGuard PortProtector Management Console. It contains the following sections:
Prerequisites, describes the prerequisites of the Management Console.
Installing Prerequisite Software, describes how to install Microsoft .NET framework.
Installing SafeGuard PortProtector Management Console, describes two methods for installing the Console.
Launching SafeGuard PortProtector Management Console for the First Time, describes how to launch SafeGuard PortProtector Management Console.
Uninstalling SafeGuard PortProtector Management Console, describes how to uninstall SafeGuard PortProtector Management Console.
4.1 Prerequisites
4.1.1 Operating System
Windows XP Professional (SP1-2) 32-bit
Windows 2003 Server (SP0-2) 32-bit
4.1.2 Hardware
Pentium 800 MHz
256 MB RAM
50 MB HDD space
4.1.3 Software
Microsoft .NET Framework 2.0 installed
4.2 Installing Prerequisite Software
4.2.1 Installing Microsoft .NET Framework 2.0
To install .NET Framework:
Refer to Installing Prerequisite Software on page in section 3.2
4.3 Installing SafeGuard PortProtector Management Console
SafeGuard PortProtector Management Console can be installed and run from any computer on your network. The first console is installed on the same machine that hosts the Management Server as part of the Server installation, and additional consoles can be installed on any machine in your domain that meets the prerequisites.
Additional consoles can be installed on your domain either through Sophos’s Management Console Installation web page (recommended), or by running the ManagementConsole.msi file from an external source, such as a CD.
Note: Access to the Management Consoles is restricted by default to the local administrators group of the machine hosting the server. In order not to expose your server machine user and password unnecessarily, make sure you change this setting to a user group in your Active Directory before installing additional Management Consoles. You can change this setting from the Administration window in the Management Console.
4.3.1 Installing the Console from the Installation Web Page
SafeGuard PortProtector Management Console features a 'One-click' deployment process that lets you install the Management Console by pointing your browser to the SafeGuard PortProtector Management Server address. This method automatically keeps all your Management Consoles up-to-date with the latest software version of the Management Server, and is therefore the recommended installation method.
To install the Management Console from the installation web page:
1 On the target machine, browse to the address of the installation web page.
The link is in the following format:
https://<servername>:<serverport>/SafeGuardPortProtector/consoleinstall.aspx
Tip:
You may also use a shorter link format:
https://<servername>:<serverport>/SafeGuardPortProtector
(This address can be found in the General tab of the Administration window, which you can access from the Management Console's Tools menu).
The installation page opens:
The page contains the following:
A link to the Microsoft .NET framework 2.0 installation package.
A link to the Management Console installation package.
Server details.
2 If the machine on which you wish to install an additional Console does not have .NET framework installed, follow the link and install it before proceeding with the Management Console installation.
3 Click the link to the Management Console installation package. The following window opens:
4 Click Save and then run the program. The Management Console installation wizard opens:
5 Click Next. The Select Installation Folder window opens:
6 In the Select Installation Folder window, select the folder in which the SafeGuard PortProtector Management Console will be installed. The default folder is C:\Program Files\Sophos\SafeGuard PortProtector\. If you wish to install the Management Console in a different folder, click the Browse button and select the desired folder.
7 Select one of the following options by clicking its radio button:
Everyone: allow access to the application to any user who uses the computer
Just me: allow access to the application only to the logged on user.
Click Next. The following window opens:
8 In the Confirm Installation window, click Next to perform the installation.
9 Once the installation completes, the following window opens:
10 Click Close to exit.
11 Open the Management Console application by clicking the icon on your desktop or from Start > Programs > SafeGuard PortProtector > Management Console.
12 Depending on the browser you are using, the following message may appear:
Fill in the server name and port as it appears in the installation web page, and click Connect.
13 The Login window appears:
Type your User Name, Password and Domain and click Login. The application will open, displaying the main window.
4.3.2 Installing SafeGuard PortProtector Management Console Manually
To manually install the Management Console:
1 Locate the ManagementConsole.msi file on your CD and run it. The setup window opens:
2 Proceed with steps 5 through 13 as described above.
4.4 Launching SafeGuard PortProtector Management Console for the First Time
1 Click the icon on your desktop.
OR
Go to Start > Programs > SafeGuard PortProtector > Management Console. The application opens for the first time:
2 Enter your user name, password and domain. The following window opens:
Each time the Management Console connects to the Server, it automatically downloads the latest version of the Management Console (if an update exists). Once the updated files are downloaded, the window closes, and the following window opens:
3 If you are evaluating the software, click Remind Me Later
OR
Click Enter License Key if you have a valid Sophos license, and enter your Sophos license key as described in the SafeGuard PortProtector User help, Chapter 7, Administration.
SafeGuard PortProtector Management Console opens, displaying the main window.
4.5 Uninstalling SafeGuard PortProtector Management Console
To uninstall the Management Console:
1 From the Control Panel, open Add or Remove Programs.
2 From the list, select SafeGuard PortProtector Management Console and click Remove.
Note: Uninstalling SafeGuard PortProtector Management Console does not cause any information loss. You can re-install it at any time.
5 Installing SafeGuard PortProtector Client
About This Chapter
This chapter describes the various methods for installing, or deploying, SafeGuard PortProtector Client. It also explains how to uninstall and upgrade SafeGuard PortProtector Client. It contains the following sections:
Prerequisites, page 55, describes the prerequisites of the SafeGuard PortProtector Client.
Before Deploying SafeGuard PortProtector Client, page 55, describes the steps you need to take before installing SafeGuard PortProtector Clients.
Installing SafeGuard PortProtector Client, page 58, describes the following installation methods:
Automatic Client Installation (through Active Directory)
Automatic Client Installation (generic)
Manual Installation
Upgrading SafeGuard PortProtector Client, page 65, describes how to upgrade SafeGuard PortProtector Client from V2.0 to V3.x.
Defining Endpoint Behavior during Installation, page 71, describes how to define the endpoint reboot sequence after installation.
Uninstalling SafeGuard PortProtector Client, page 73, describes how to uninstall SafeGuard PortProtector Client.
5.1 Prerequisites
5.1.1 Operating System
Windows 2000 Professional (SP3-4) 32-bit
Windows 2000 Server (SP3-4) 32-bit
Windows 2000 Advanced Server (SP3-4) 32-bit
Windows XP Professional (SP1-2) 32-bit
Windows 2003 Server (SP0-2) 32-bit
Windows Vista Business/Enterprise/Ultimate (SP1-2) 32-bit
Windows 7 Business/Enterprise/Ultimate 32-bit
5.1.2 Hardware
Pentium 800 MHz
256 MB of RAM
50 MB HDD space
5.1.3 Software
None required
5.2 Before Deploying SafeGuard PortProtector Client
In order to install SafeGuard PortProtector Client, you must first install the Management Server. This is necessary in order to raise the security level of the system, by "imprinting" each installed client with the encryption keys of the server. From the point of installation, SafeGuard PortProtector Client knows the keys which it uses when communicating with the Server. From this point on, the Client will not accept any policy or perform any communication with a Server that does not hold matching keys.
This "imprinting" process is performed by initializing the Client with a file called ClientConfig.scc. This file is generated by the Server upon user request. This file should be available during Client installation.
Before you can start deploying SafeGuard PortProtector Clients you need to define the path to which the Server will generate all the files needed for Client installation. The process of generating the installation files may be performed again at any time.
To generate SafeGuard PortProtector Client installation files:
1 In the Management Console, from the Tools menu, open the Administration window as shown in the following figure:
2 In the Administration window that opens, click the Clients tab on the left. The Administration-Clients window opens:
3 Select a shared folder as the Client installation folder. Once the files are created, the following message appears:
Important: Make sure you enter a network path and not a local path.
4 Click OK.
5 You are now ready to deploy SafeGuard PortProtector Clients on the computers in your organization. Once Clients have been deployed, you can distribute policies to them as described in SafeGuard PortProtector User help.
5.3 Installing SafeGuard PortProtector Client
There are three ways to install the SafeGuard PortProtector Client:
Automatically through the Active Directory Group Policy Management.
Automatically using any corporate software deployment tool, such as SMS and Tivoli.
Manually by running the installation wizard on each computer.
5.3.1 Automatic Client Installation (Active Directory)
Automatic SafeGuard PortProtector Client installation is performed using Active Directory's Group Policy Management (if installed) and Active Directory's Users and Computers. These options enable you to define a GPO that will distribute the SafeGuard PortProtector Client to the OUs (computer or user groups) of your choice. When this option is used, the clients are installed in Silent mode.
To automatically install the SafeGuard PortProtector Client:
1 Open the Active Directory Users and Computers window.
2 Right-click the OU to which to install the SafeGuard PortProtector Client and select Properties. The User Properties window opens.
3 In the User Properties window, select the Group Policy tab. This tab looks different depending on whether the Group Policy Management Console is installed or not.
4 If the Group Policy Management Console is not installed, the following window is displayed:
5 Click Add to add the SafeGuard PortProtector deployment GPO, name it, then right-click that GPO and select Edit. Go to Step 9 below.
6 If the Group Policy Management Console is installed, click Open in the Group Policy tab to display the Group Management window, as shown below:
7 In the OU tree display on the left pane, select the OU to which to install the SafeGuard PortProtector Client. The right pane displays the GPOs that are already assigned to this OU.
8 Add a GPO that installs software to this OU. Right-click on the OU and select Create and Link a GPO Here, then name the GPO.
9 Right-click the SG PP deployment GPO and select Edit. The Group Policy window is displayed. An example is shown below:
10 Under Computer Configuration in the tree on the left, right-click Software Settings and select New, and then select Package, as shown below (the right pane may display names of other software to be installed if any have been defined):
A file selection window is displayed.
11 Locate the shared folder in which you have selected the Client installation files to be created. This folder should contain both the SafeGuardPortProtectorClient.msi and ClientConfig.scc files. If you are deploying clients to an XP 64-bit machine make sure you are using the files under the XP64Bit sub-folder.
12 Browse to the full UNC path of the SafeGuard PortProtector Client installation file named SafeGuardPortProtectorClient.msi, select it and click Open. Make sure this path includes the ClientConfig.scc file.
13 Double-click the SafeGuardPortProtectorClient.msi file. The following window opens:
14 Select Assigned and click OK. Wait a few moments while the MSI is added.
When installing the SafeGuard PortProtector Client in a foreign language (German, Japanese):
a. Select the Modifications tab from the dialog box and click Add.
b. Select the appropriate Transform file from the network share and press Open.
15 Prepare the endpoints of your organization for automatic installation, as described in the Preparing an Endpoint for Automatic Installation section below.
16 In some rare cases, a restart may be required on the endpoint computer. If so, a message will be displayed.
5.3.1.1 Preparing an Endpoint for Automatic Installation
In order to install the SafeGuard PortProtector Client, the target computers are required to have access to the shared network folder when the system is rebooted. If the target computers are running Windows XP, you must turn on the Always wait for computer network to startup at logon GPO, which can be found under Computer Configuration | Administrative Templates | System | Logon.
The next time a computer or user in this OU reboots, SafeGuard PortProtector client will be deployed to it.
Note: In some cases, depending on the Domain configuration, it may take some time for the GPO containing the installation package, which is linked to the dedicated OU, to replicate to other domain controllers (usually up to 15 minutes). This may appear as endpoints that are not installing the SG PP Clients. In this case it is necessary to wait for the replication to finish before restarting the endpoints for installation.
5.3.2 Automatic Client Installation (Generic)
In order to install using a third-party corporate software management solution, follow the procedure below.
To perform generic automatic client installation:
1 Locate the shared folder in which you have selected the Client installation files to be created. This folder should contain both the SafeGuardPortProtectorClient.msi and ClientConfig.scc files.
2 Create a batch file containing the following command that installs the Protector Client silently:
msiexec /i DriveName:\InstallationPath\SafeGuardPortProtectorClient.msi /qn
When installing the Protector client in a foreign language, use the following command line parameters:
msiexec /i DriveName:\InstallationPath\SafeGuardPortProtectorClient.msi TRANSFORMS="\\InstallationPath\MSTFileName.mst" /qn
(This should be written in a single line.)
3 In some rare cases, a restart may be needed on the endpoint computer. If so, a message will be displayed.
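A batch file for step 2 that refuses to run unless both SafeGuardPortProtectorClient.msi and the ClientConfig.scc imprinting file are present in the share, and that records the msiexec result. This is an added example, not part of the Sophos guide: the share path \\fileserver\SGPPClient and the log location are placeholders, and the /l*v logging switch and the 3010/1641 return codes are standard Windows Installer behaviour rather than anything specific to this product.

```batch
@echo off
setlocal

rem Added example, not from the vendor guide.
rem SRC is a placeholder: set it to the Client installation folder defined
rem in the Administration window (Clients tab) of the Management Console.
set "SRC=\\fileserver\SGPPClient"
set "MSI=%SRC%\SafeGuardPortProtectorClient.msi"
set "SCC=%SRC%\ClientConfig.scc"

rem Optional language transform (.mst); leave empty for the default language.
set "MST="

rem Placeholder log location for the verbose Windows Installer log.
set "LOG=%TEMP%\SafeGuardPortProtectorClient-install.log"

rem The guide requires both files in the same folder. ClientConfig.scc is
rem what imprints the Client with the Server's keys, so stop if it is missing
rem instead of starting an installation without it.
if not exist "%MSI%" (
    echo ERROR: installer not found: "%MSI%"
    exit /b 2
)
if not exist "%SCC%" (
    echo ERROR: ClientConfig.scc not found next to the installer in "%SRC%"
    exit /b 3
)
if defined MST if not exist "%MST%" (
    echo ERROR: transform file not found: "%MST%"
    exit /b 4
)

rem Same command lines as in the guide, with /l*v added for a verbose log.
rem start /wait blocks until msiexec exits and passes on its return code.
if defined MST (
    start "" /wait msiexec /i "%MSI%" TRANSFORMS="%MST%" /qn /l*v "%LOG%"
) else (
    start "" /wait msiexec /i "%MSI%" /qn /l*v "%LOG%"
)
set "RC=%ERRORLEVEL%"

rem 0    = success
rem 3010 = success, restart required to complete the installation
rem 1641 = success, the installer initiated a restart
if "%RC%"=="0" (
    echo Client installed.
    exit /b 0
)
if "%RC%"=="3010" (
    echo Client installed, restart required to complete the installation.
    exit /b 0
)
if "%RC%"=="1641" (
    echo Client installed, restart initiated by the installer.
    exit /b 0
)

echo ERROR: msiexec returned %RC%. See "%LOG%" for details.
exit /b %RC%
```

Returning 0 for 3010 and 1641 lets a deployment tool count a pending restart as a successful installation while still surfacing real failures with their original return code.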
5.3.3 Manual Client Installation
You can manually install the SafeGuard PortProtector Client on each computer in your organization that needs to be protected.
To manually install the SafeGuard PortProtector Client:
1 Locate the shared folder in which you have selected the SafeGuard PortProtector Client installation files to be created. This folder contains the SafeGuardPortProtectorClient.msi installation file. We recommend that the ClientConfig.scc file necessary for the installation be in the same folder. To view the path to this folder, select Administration from the Management Console's Tools menu, then select the Clients tab, as shown in the following figure:
Run SafeGuardPortProtectorClient.msi. If you are deploying clients to an XP 64-bit machine, make
sure you are using the files under the XP64Bit sub-folder. The installation wizard opens:
2 Click Next to continue. The License Agreement window opens:
3 In the License Agreement window, select the I accept the terms in the license agreement radio
button and click Next. The Destination Folder window opens:
4 In the Destination Folder window, determine the folder to which you want to install SafeGuard
PortProtector Client. If you want to install it to a folder other than the default, click Change,
and in the Change Current Destination Folder window that opens, select the desired folder and
click OK.
5 Click Next. The Select Client Configuration File window opens:
6 Select the Client configuration file ClientConfig.SCC. This file is necessary in order for the
Client to read encrypted company policies, as well as to set the default uninstall password. This
file is generated by the SafeGuard PortProtector Management Server, and is typically found in
the same folder as the Client installation file.
Note: If you are unsure where this file is, ask your system administrator, or generate a new one as explained in Before Deploying SafeGuard PortProtector Client on page 55.
7 Click Next. The Ready to Install the Program window opens:
In this window, click Back to review or modify your installation settings, or click Cancel to cancel and exit the installation process.
8 Click Install to begin the installation. The following window opens:
This window contains a Status bar that displays the progress of the installation process. Installation may take several minutes.
Note: During this installation, some of the devices attached to your computer may temporarily stop functioning. The devices will resume functioning once the installation is completed.
When the installation is complete, the following window opens:
9 Click Finish to exit the installation wizard. SafeGuard PortProtector Client is now installed on
the endpoint.
Note: In some cases, depending on the computer's hardware configuration, restart is required following installation in order for SafeGuard PortProtector Client to begin protecting the endpoint. A message will notify you when this is required.
5.4 Upgrading SafeGuard PortProtector Client
5.4.1 Upgrading the Client via Active Directory
To have your endpoints install the new version of the product, add the new .msi file as a new GPO (repeat the steps above). The endpoints are then updated automatically on the next reboot.
5.4.2 Upgrading the Client Manually
To upgrade the Client manually:
1 Double-click the SafeGuardPortProtectorClient.msi. SafeGuard PortProtector automatically
uninstalls your previous version of the product and updates it with the new version.
2 Following the upgrade, you must reboot the computer on which it was performed (a message
will appear requesting you to reboot, unless you have set this message not to appear as explained
in the following section).
5.5 Defining Endpoint Behavior during Installation
By default, the process of installing SafeGuard PortProtector Client involves restarting of most of the peripheral devices on the endpoint in order to immediately start enforcing the policy. This may cause temporary disconnection from the network in the final stages of the installation.
Additionally, in some rare cases, this may also require the computer to reboot.
Administrators who are using third party products to deploy software may find it useful to define that the "restart devices" process not be performed in order to avoid network disconnection during installation.
You can control both device restart and reboot behavior by defining whether they should be performed during installation.
If you choose not to perform these processes, the policy will not be enforced until the machine reboots upon user request.
To define endpoint behavior during installation:
1 In order to determine the reboot method upon installation, open the ClientConfig.scc file:
2 Scroll down to the end of the file, and add a section at the end – [installparams], as shown in
the image above.
3 Add the InstallMethod parameter and values according to the below table:
| Parameter | Meaning |
| --- | --- |
| InstallMethod=0 | The installation WILL perform "restart devices" and WILL display a reboot request message when required. This option ensures instant protection - following installation, all your endpoints immediately start enforcing the policy. |
| InstallMethod=1 | The installation WILL perform "restart devices" and WILL NOT display a reboot request message, even if reboot is required. This option allows you to perform a totally silent installation, with no messages to the end user. However, the policy may not be enforced until the next reboot. |
| InstallMethod=2 (default) | The installation WILL NOT perform "restart devices" and WILL display a reboot request message when required. This option allows you to significantly shorten the installation process and use third party applications for deploying the client without network disconnection. By enforcing reboot, you can make sure the policy is enforced immediately. |
| InstallMethod=3 | The installation WILL NOT perform "restart devices" and WILL NOT display a reboot request message, even if reboot is required. This option allows you to perform a totally silent installation, with no messages to the user and without causing network disconnections. However, the policy is not enforced until the next reboot. |
Important: When using options 1 and 3, the operating system may become unstable when devices connect to the monitored ports. It is highly important that you make sure the endpoint performs a reboot as soon as possible after completion of the installation process.
5.6 Uninstalling SafeGuard PortProtector Client
You can uninstall SafeGuard PortProtector either manually, or silently from the GPO. The process of uninstalling is password protected using a global password or a policy-specific password which you defined in the Policies World in SafeGuard PortProtector Management Console (refer to SafeGuard PortProtector User help, Chapter 3, Building Policies).
5.6.1 Uninstalling Manually
To uninstall manually:
1 From the Control Panel's Add or Remove Programs, select SafeGuard PortProtector Client as
follows:
2 Select SafeGuard PortProtector Client and click Change. The install wizard opens:
3 Click Next to continue uninstalling. The Uninstall Password window opens:
4 Enter the uninstall password that you defined in the Policies World in SafeGuard PortProtector
Management Console (refer to SafeGuard PortProtector User help, Chapter 3, Defining
Policies) and click Next. The following window opens:
5 In order to review or change any settings before continuing, click Back, or click Cancel to exit
the uninstall wizard. Once you have uninstalled it, SafeGuard PortProtector Client will no
longer be available to protect the endpoint. Otherwise, continue to the next step.
6 Click Remove to remove SafeGuard PortProtector Client. The uninstall process begins and the
following status window appears:
The process may take several minutes. When it is completed, the following window appears:
7 Click Finish. SafeGuard PortProtector Client is uninstalled and no longer protecting the
computer.
Note: After uninstalling you must reboot the computer before you can reinstall SafeGuard PortProtector.
5.6.2 Uninstalling SafeGuard PortProtector via GPO
Since the SafeGuard PortProtector uninstall procedure is password protected, it is not possible to use the automatic uninstall feature in the GPO software installation package. Therefore, to uninstall the SG PP, a startup script must be used.
There are two ways to uninstall SafeGuard PortProtector Client. The first and recommended option is to unlink the SG PP Install GPO from the OU containing the client computers, and to apply a NEW GPO containing an uninstall script, as shown in steps 6-11 below. The second option is to edit the SG PP Deployment GPO.
To uninstall a SG PP GPO:
1 Edit the relevant Group Policy applied to the client computers from which the SafeGuard
PortProtector is to be uninstalled.
2 Navigate to Computer Configuration > Software Settings > Software Installation.
3 Right-click the SafeGuard PortProtector object and select All Tasks > Remove.
4 Check the Allow users to continue to use the software, but prevent new installations radio
button.
5 Click the OK button.
6 Create a new GPO named Protector Uninstall, right-click the new GPO and select Edit.
7 Navigate to Windows Settings under Computer Configuration and select Script and then
Startup.
8 Click the Show Files button and create a new text document containing the following
command:
msiexec.exe /x "\\full UNC path to SG PP shared install folder\SafeGuardPortProtectorClient.msi" /qn UNINSTALL_PASSWORD=uninstall password
Note: The uninstall command set in the batch file (shown above) must be set in one line. The actual uninstall process will take place only after the computer is rebooted.
9 Replace the full UNC path to the SafeGuard PortProtector's shared installation folder with the
appropriate path.
10 Replace the uninstall password with the appropriate uninstall password.
11 Save the file with a *.bat extension.
12 Close the folder, click the Add button and then the Browse button.
13 Select the newly created batch file and click the OK button.
5.6.3 SafeGuard PortProtector Client Cleanup Utility
A Client cleanup utility is available for use when you cannot uninstall SafeGuard PortProtector Client from an endpoint using the processes described above. This may happen in the following cases:
a. SafeGuard PortProtector Client is protecting the endpoint properly, but it cannot be found under the Control Panel's Add or Remove Programs option.
b. Running the Client uninstall (Remove) wizard fails.
c. The Client is not functioning properly (e.g. it is in Panic mode) and will not accept your Client Uninstall password.
d. You have forgotten the Client Uninstall password and cannot update the Client's policy with a new policy in which you have set a new Uninstall password.
To run the Client Cleanup utility:
1 Locate the file spec.exe in the system32 folder under your Windows (system root) folder.
2 Run spec.exe. The following window opens:
3 Supply the computer-specific Cleanup Token to Sophos support ([email protected]). Once
you receive your cleanup key from Sophos support, enter it in the Cleanup Key field.
4 In Operating System, select either the Current Operating System or Another Operating System
on this machine. If you choose the second option, click Browse to find the other operating
system on the computer. Note: if you choose the Windows 2000 operating system, the path is
the following: C:\winnt\system32.
5 Click Cleanup Now. The Client cleanup process begins and a progress bar shows its progress.
This may take a few minutes. Once cleanup is complete, the following window appears:
6 Restart the endpoint.
6 Appendix A - OPSEC™ Interoperability
About This Appendix
This appendix explains how Check Point™'s VPN-1®/FireWall-1® SecureClient™ (referred to from here on as SecureClient) interacts with SafeGuard PortProtector Client to enhance your network's security. It contains the following sections:
What is OPSEC™, page 82, describes Check Point's OPSEC™ and its benefits.
OPSEC™ and SafeGuard PortProtector, page 82, describes how Sophos interfaces with
OPSEC™.
Preparing SafeGuard PortProtector Client, page 82, describes the preparations you need to do
on the SafeGuard PortProtector side in order to apply OPSEC™.
Configuring your SCV Policy, page 83, describes the preparations you need to do on the VPN-
1®/FireWall-1® side in order to apply OPSEC™.
Installing Updated SCV Policy to SecureClients, page 89, explains how to install the updated
SCV Policy to SecureClient.
SafeGuard PortProtector SCV Check Parameters, page 92, describes the checks that can be
performed on SafeGuard PortProtector Client and provides examples.
Note: The instructions in this appendix assume that SecureClient is already installed on the required endpoints in your organization.
6.1 What is OPSEC™
Check Point's OPSEC™ (Open Platform for Security) integrates and manages all aspects of network security through an open, extensible management framework. SafeGuard PortProtector can plug into this framework to provide you with a comprehensive security solution. Using this solution, an SCV Check (a DLL) queries the security aspect of the configuration of a client, and reports to SecureClient whether the configuration is "Verified" or "Not Verified". When the configuration is not verified, SecureClient prohibits access to the organizational network.
6.2 OPSEC™ and SafeGuard PortProtector
Sophos provides a DLL which can perform several checks of SafeGuard PortProtector Client, the results of which are reported to SecureClient. In addition to checking for the existence of SafeGuard PortProtector Client, these checks may include one or more of the following parameters:
Policy ID
Policy update date/time
Version number
Protection Status
Server ID
An explanation of these parameters appears in SafeGuard PortProtector SCV Check Parameters, page 92.
When one or more of the checks fail, the computer configuration is not verified, and SecureClient blocks the endpoint from accessing the organizational network.
6.3 Preparing SafeGuard PortProtector Client
Sophos provides a DLL that interfaces with SecureClient, specifically with its SCV Policy, which you should install to the required endpoints:
1 If you haven't done so, install SafeGuard PortProtector Client as explained in Installing SafeGuard PortProtector Client, page 54.
2 Install SafeGuardPortProtectorScv to the required computers using GPO or manually
(SafeGuardPortProtectorScv.msi can be found on your SafeGuard PortProtector installation
CD). This installs a DLL that can perform your choice of one or more of the checks described
above, in addition to checking whether SafeGuard PortProtector Client is installed on the
computer. The DLL reports the result – "verified" or "not verified" - to SecureClient.
Important: SecureClient must already be installed on target computers before you install the SafeGuardPortProtectorScv DLL.
Note: If you install SafeGuardPortProtectorScv manually and SecureClient is active, the latter will stop/start the service. In this case, reconnect it.
6.4 Configuring your SCV Policy
The SCV Policy is SecureClient's security policy, into which third party applications such as SafeGuard PortProtector can plug in. An SCV Policy may include one or more SCV Checks, each relating to a different application. SafeGuard PortProtector's SCV Check, namely SafeGuardPortProtectorScv, must be added to the SCV Policy and then installed to the required SecureClients. This process includes three steps:
Step 1: Adding the SafeGuard PortProtector SCV Check to your SCV Policy
Step 2: Adding SafeGuard PortProtector parameters to your SafeGuard PortProtector SCV
Check
Step 3: Installing your SCV Policy to the required SecureClients
Steps 1 and 2 may be performed using SCVEditor™ (recommended), explained immediately below, or using any text editor.
6.5 Configuring SCV Policy using SCVEditor™
As mentioned above, it is recommended that you configure your SCV Policy using SCVEditor™, as explained immediately below. If you wish to configure the SCV Policy using a text editor, refer to Configuring SCV Policy using a Text Editor on page 86.
6.5.1.1 Adding SafeGuard PortProtector SCV Check to SCV Policy
The SafeGuard PortProtector SCV Check – SafeGuardPortProtectorScv – must be added to your SCV Policy (local.scv), located in the $FW1conf directory of the VPN-1®/FireWall-1® Management Server.
The SafeGuard PortProtector SCV Check can be added to your SCV Policy using SCVEditor™.
To add the SCV Check using SCVEditor™:
1 From SCVEditor™'s main window, open local.scv:
2 From the left-hand pane of the SCVEditor™ main window, right-click Products, and select
Add. The following window opens:
3 Enter SafeGuardPortProtectorScv and click OK. SafeGuardPortProtectorScv now appears in the
left-hand pane under Products, along with any products you may have added previously.
4 From the left-hand pane, right-click SafeGuardPortProtectorScv and select Enforce.
SafeGuardPortProtectorScv now appears in the bottom half of the right-hand pane of the main
window:
5 In the Global SCV Parameters section of the main window, set Block connection on SCV
unverified on/off and Expiration Time value as desired.
6 Click Save from the toolbar or from the File menu to save the updated SCV Policy.
6.5.1.2 Adding SafeGuard PortProtector Parameters to the SCV Check
The SCV Check may include several parameters whose value you wish to check in order to verify SecureClient's connection. Refer to SafeGuard PortProtector SCV Check Parameters, page 92, for a list of available parameters including explanations and examples of how to define and use them.
1 To add parameters, right click in the blank workspace on the right-hand side and select New.
The following window opens:
2 Enter the parameter Name and its Value.
In the figure above you can see how to add the MinimumVersion parameter and its value. In
this example, if the SCV Check determines that the SafeGuard PortProtector Client version is
not equal to or greater than 3.0.12444, the Client will not be verified and will not be allowed to
connect to the organizational network.
3 Click OK. The parameter is now added to SafeGuardPortProtectorScv.
4 Perform steps 1 and 2 for each parameter you wish to add. Each parameter you have added is
shown in the workspace as follows:
5 Click Save from the toolbar or from the File menu to save the updated SCV Policy.
6.5.2 Configuring SCV Policy using a Text Editor
Another way to configure your SCV Policy is by editing local.scv directly using a text editor.
Three examples are provided below.
Example 1 is a general SCV Policy example which describes the file syntax.
Example 2 is an example of an SCV Policy that includes a SafeGuard PortProtector SCV Check
with no parameters.
Example 3 is an example of an SCV Policy that includes a SafeGuard PortProtector SCV Check
with several parameters.
Note: If you make a mistake in the object file it will result in a corrupted file error (SCV state will be non-verified). Using SCVEditor™ will eliminate this problem.
6.5.2.1 Example 1
The following is a general SCV Policy Example:
(SCVObject
  :SCVNames (
    :(SCVGroup1
      :type(group)
      :(samplescv1)
      :(samplescv)
    )
    :(SCVGroup2
      :type (group)
      :(emptyscv)
    )
    :(samplescv
      :type (plugin)
      :parameters (
        :n1param1(value1)
        :n1param2(value2)
        :n1param3(value3)
      )
    )
    :(emptyscv
      :type(plugin)
      :parameters (
        :n2param1(value1)
        :n2param2(value2)
      )
    )
  )
  :SCVPolicy(
    :(SCVGroup1)
  )
)
SCV Policy Description
The SCVPolicy set contains the groups of SCV checks that should be used. In SCVGroup1 there are two SCV checks defined (samplescv and samplescv1). The first SCV check from SCVGroup1 that is registered correctly will be used by SecureClient. samplescv and samplescv1 are similar SCV checks in this example, and at least one of them should be used to report SCV status. Since samplescv1 is not defined properly, samplescv will be used instead. The SCVPolicy does not contain the emptyscv SCV check, therefore it will not be used at all. samplescv contains three parameters which will be passed in the Start function.
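The resolution rules described above can be checked before a hand-edited local.scv is installed. The Python below is an added example, not code from Sophos or Check Point: it parses the syntax only as far as the examples on this page show it (an assumption, since the full grammar is not given here), treats "defined as a plugin in SCVNames" as a stand-in for "registered correctly", and runs on Example 1.

```python
import re
from dataclasses import dataclass, field

# "(", ")", a quoted string, ":name" (the name may be empty), a bare word, or a stray quote.
TOKEN = re.compile(r'\(|\)|"[^"]*"|:[^\s()":]*|[^\s()":]+|\S')


@dataclass
class Node:
    head: str = ""                                # word or string right after "("
    children: list = field(default_factory=list)  # (key, Node); key "" for ":(Name ...)"

    def get(self, key):
        return next((n for k, n in self.children if k == key), None)

    def unnamed(self):
        return [n for k, n in self.children if k == ""]

    def kind(self):
        t = self.get("type")
        return t.head if t is not None else ""


def parse(text):
    """Parse the parenthesised syntax; raise ValueError where the file is malformed."""
    tokens, pos = TOKEN.findall(text), 0

    def take(expected):
        nonlocal pos
        found = tokens[pos] if pos < len(tokens) else "end of file"
        if found != expected:
            raise ValueError(f"token {pos}: expected {expected!r}, found {found!r}")
        pos += 1

    def node():
        nonlocal pos
        take("(")
        n = Node()
        if pos < len(tokens) and tokens[pos][0] not in "():":
            if tokens[pos] == '"':
                raise ValueError(f"token {pos}: unterminated string")
            n.head = tokens[pos].strip('"')       # keeps spaces inside the quotes
            pos += 1
        while pos < len(tokens) and tokens[pos].startswith(":"):
            key = tokens[pos][1:]
            pos += 1
            n.children.append((key, node()))
        take(")")
        return n

    root = node()
    if pos != len(tokens):
        raise ValueError(f"token {pos}: unexpected {tokens[pos]!r} after final ')'")
    return root


def lint(text):
    """Return (findings, enforced): problems found and the checks that would be used."""
    root = parse(text)
    names, policy = root.get("SCVNames"), root.get("SCVPolicy")
    if root.head != "SCVObject" or names is None or policy is None:
        raise ValueError("expected (SCVObject :SCVNames (...) :SCVPolicy (...))")
    defined = {n.head: n for n in names.unnamed()}
    plugins = {name for name, n in defined.items() if n.kind() == "plugin"}
    findings, enforced, reachable = [], [], set()
    for entry in policy.unnamed():
        target = defined.get(entry.head)
        if target is None:
            findings.append(f"SCVPolicy references {entry.head}, which SCVNames does not define")
            continue
        is_group = target.kind() == "group"
        members = [m.head for m in target.unnamed()] if is_group else [entry.head]
        reachable.update(members)
        findings += [f"{entry.head}: {m} is not defined as a plugin"
                     for m in members if m not in plugins]
        usable = [m for m in members if m in plugins]
        if usable:
            enforced.append(usable[0])            # first correctly defined check is used
        else:
            findings.append(f"{entry.head}: no usable SCV check")
    findings += [f"{p} is defined but not reachable from SCVPolicy"
                 for p in sorted(plugins - reachable)]
    return findings, enforced


# Example 1 from this page, with its whitespace condensed.
EXAMPLE_1 = """
(SCVObject
  :SCVNames (
    :(SCVGroup1 :type(group) :(samplescv1) :(samplescv))
    :(SCVGroup2 :type (group) :(emptyscv))
    :(samplescv :type (plugin)
      :parameters (:n1param1(value1) :n1param2(value2) :n1param3(value3)))
    :(emptyscv :type(plugin)
      :parameters (:n2param1(value1) :n2param2(value2)))
  )
  :SCVPolicy (:(SCVGroup1))
)
"""

if __name__ == "__main__":
    problems, used = lint(EXAMPLE_1)
    print("enforced:", used)
    print("\n".join(problems))
```
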
6.5.2.2 Example 2
The following is an example of an SCV Policy that contains the SafeGuardPortProtectorScv SCV Check. This SCV Check does not include any parameters and will only check for the existence of SafeGuard PortProtector Client on the endpoint in order to determine whether it is verified to connect to the organizational network.
(SCVObject
  :SCVNames (
    : (SafeGuardPortProtectorScv
      :type (plugin)
      :parameters ()
    )
  )
  :SCVPolicy (
    : (SafeGuardPortProtectorScv)
  )
  :SCVGlobalParams (
    :block_connections_on_unverified (true)
    :scv_policy_timeout_hours (24)
  )
)
6.5.2.3 Example 3
The following example is of an SCV Policy that contains the SafeGuardPortProtectorScv SCV Check. The SCV Check includes four parameters which should be checked in order to verify the Client and allow connection to the organizational network (refer to SafeGuard PortProtector SCV Check Parameters on page 92 for a list of available parameters including explanations and examples of how to define and use them).
(SCVObject
  :SCVNames (
    : (SafeGuardPortProtectorScv
      :type (plugin)
      :parameters (
        :PolicyId ("Policy1 0 / 1$$Sophos Initial Policy ")
        :ProtectionStatus ("STATUS_PROTECTED")
        :PolicyUpdatedSinceDate ("23.08.2006 17:17:00")
        :MinimumVersion ("3.0.12444")
      )
    )
  )
  :SCVPolicy (
    : (SafeGuardPortProtectorScv)
  )
  :SCVGlobalParams (
    :block_connections_on_unverified (true)
    :scv_policy_timeout_hours (24)
  )
)
6.6 Installing Updated SCV Policy to SecureClients
Once you have added SafeGuardPortProtectorScv to your SCV Policy and saved it, either through SCVEditor™ or using a text editor, you can install it to your SecureClients as explained below.
To install the updated SCV Policy:
1 Open Check Point SmartDashboard™:
2 From the Policy menu, select Install, as shown in the previous figure. The Install Policy window
opens:
3 Select the desired settings and click OK. The installation begins and the Installation Process
window opens, displaying installation progress. Once the installation is completed successfully,
the following window is displayed:
4 Your SCV Policy is now installed to the selected gateways.
When SecureClients perform their next logon to Policy Server, the updated SCV Policy will be
installed to them. Once installed to SecureClients, they can now communicate with the
SafeGuard PortProtector DLL described above and block connection to the organizational
network when the SafeGuard PortProtector configuration is not verified.
In the case where a configuration is not verified, an error message appears on the endpoint.
The following figure shows an example of the message the end user will receive when a
configuration is not verified due to a parameter value mismatch:
The following figure shows an example of the message the end user will receive when a configuration is not verified due to a format error:
6.7 SafeGuard PortProtector SCV Check Parameters
Following is a description of the parameters which you may use to perform checks of SafeGuard PortProtector Client, in addition to checking its existence on the endpoint. Syntax and examples are provided for each parameter.
6.7.1 General
There are 5 parameters you can use to check the status of SafeGuard PortProtector. All the parameters are optional.
The parameters are compared with the current SafeGuard PortProtector information which is displayed in the SafeGuard PortProtector Client Options window.
6.7.2 Parameter Format and Description
6.7.2.1 MinimumVersion
Description: "Verified" for versions with the number greater than or equal to MinimumVersion.
Format: 0-255.0-255.0-65535
Examples: 3.0.12444
3.1.0
6.7.2.2 PolicyUpdatedSinceDate
Description: "Verified" if the last policy update was performed on or after
PolicyUpdatedSinceDate. Date is mandatory, time is optional.
Format: DD.MM.YYYY HH:MM:SS
Examples: 24.08.2006 12:32:00
12.06.2005
6.7.2.3 PolicyID
Description: "Verified" if the current policy is equal to one of the PolicyIDs described by the parameter.
Format: PolicyID1$$PolicyID2$$PolicyID3 …
Notes: Policy version and ID should be added to the policy name. For example, if the policy name is “Policy1”, its version is 0 and its ID is 1, it should be “Policy1 0 / 1”.
One space should be added to the Initial policy name: “Sophos Initial Policy “
Examples: Company Policy 0 / 1
My Policy 5 / 10$$Sophos Initial Policy $$Policy2 0 / 1
6.7.2.4 ProtectionStatus
Description: "Verified" if the current protection status is one of the defined statuses. Currently there are three statuses: STATUS_PROTECTED, STATUS_ERROR and STATUS_SUSPENDED.
Format: Status1$$Status2$$Status3 …
Examples: STATUS_PROTECTED
STATUS_SUSPENDED$$STATUS_PROTECTED$$STATUS_ERROR
6.7.2.5 ServerID
Description: "Verified" if the Server Name is equal to one of the ServerIDs described by the parameter. This parameter is applicable to versions 3.1 and later.
Format: ServerID1$$ServerID2$$ServerID3 …
Examples: Unknown
Unknown$$ABC$$ServerID
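The comparison rules for the five parameters are easy to get wrong by hand: versions compare numerically, list entries match exactly including the trailing space of the initial policy name, and a ProtectionStatus list can verify clients that report STATUS_ERROR or STATUS_SUSPENDED. The Python below is an added example that evaluates parameter values as this section documents them; it is not the SafeGuardPortProtectorScv DLL's code. Assumptions: parameter names are spelled as in Example 3 and the headings above, the client dictionary fields are hypothetical, an omitted time means 00:00:00, and unknown parameter names are rejected.

```python
import re
from datetime import datetime

STATUSES = {"STATUS_PROTECTED", "STATUS_ERROR", "STATUS_SUSPENDED"}
INITIAL_POLICY = "Sophos Initial Policy "   # the trailing space is part of the name


def parse_version(text):
    """MinimumVersion format 0-255.0-255.0-65535, returned as a tuple of ints."""
    m = re.fullmatch(r"([0-9]+)\.([0-9]+)\.([0-9]+)", text)
    parts = tuple(int(p) for p in m.groups()) if m else ()
    if not m or parts[0] > 255 or parts[1] > 255 or parts[2] > 65535:
        raise ValueError(f"MinimumVersion: bad format {text!r}")
    return parts


def parse_since(text):
    """PolicyUpdatedSinceDate: DD.MM.YYYY, optionally followed by HH:MM:SS."""
    if not re.fullmatch(r"[0-9]{2}\.[0-9]{2}\.[0-9]{4}( [0-9]{2}:[0-9]{2}:[0-9]{2})?", text):
        raise ValueError(f"PolicyUpdatedSinceDate: bad format {text!r}")
    fmt = "%d.%m.%Y %H:%M:%S" if " " in text else "%d.%m.%Y"
    return datetime.strptime(text, fmt)     # assumption: no time means 00:00:00


def evaluate(params, client):
    """Return the names of the checks that fail; an empty list means "Verified"."""
    if client is None:
        return ["client not installed"]
    failed = []
    for name, value in params.items():
        if name == "MinimumVersion":
            # Tuple comparison is numeric: 3.0.9999 is older than 3.0.12444.
            ok = parse_version(client["version"]) >= parse_version(value)
        elif name == "PolicyUpdatedSinceDate":
            ok = client["policy_updated"] >= parse_since(value)   # "on or after"
        elif name in ("PolicyId", "ServerID"):
            key = "policy" if name == "PolicyId" else "server"
            ok = client[key] in value.split("$$")                 # exact match, no trimming
        elif name == "ProtectionStatus":
            allowed = value.split("$$")
            if set(allowed) - STATUSES:
                raise ValueError(f"ProtectionStatus: unknown status in {value!r}")
            ok = client["status"] in allowed
        else:
            raise ValueError(f"unknown parameter {name!r}")
        if not ok:
            failed.append(name)
    return failed


def review(params):
    """Warn about values that are well-formed but weaken or break a check."""
    warnings = []
    listed = set(params.get("ProtectionStatus", "").split("$$"))
    weak = listed & (STATUSES - {"STATUS_PROTECTED"})
    if weak:
        warnings.append("ProtectionStatus also verifies " + ", ".join(sorted(weak)))
    entries = params["PolicyId"].split("$$") if "PolicyId" in params else []
    for entry in entries:
        if entry != INITIAL_POLICY and not re.fullmatch(r".+ [0-9]+ / [0-9]+", entry):
            warnings.append(f"PolicyId entry {entry!r} is neither 'Name version / ID' "
                            "nor the initial policy name with its trailing space")
    return warnings


# Parameter values copied from Example 3 on this page.
EXAMPLE_3 = {
    "PolicyId": "Policy1 0 / 1$$Sophos Initial Policy ",
    "ProtectionStatus": "STATUS_PROTECTED",
    "PolicyUpdatedSinceDate": "23.08.2006 17:17:00",
    "MinimumVersion": "3.0.12444",
}

# Constructed client state; the field names are hypothetical.
CLIENT = {
    "version": "3.0.9999",
    "policy": "Sophos Initial Policy ",
    "policy_updated": datetime(2006, 8, 23, 17, 17, 0),
    "status": "STATUS_PROTECTED",
    "server": "Unknown",
}

if __name__ == "__main__":
    print("failed checks:", evaluate(EXAMPLE_3, CLIENT))
    print("warnings:", review(EXAMPLE_3))
```
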
7 Appendix B - NAC Interoperability
About This Chapter
This appendix explains how SafeGuard PortProtector Client interacts with Cisco Trust Agent (CTA) and Cisco Secure Access Control Server (ACS) to enhance your network's security. It contains the following sections:
What is NAC, page 95, describes Cisco's NAC (Network Access Control) and its benefits.
Posture Validation, page 95, explains how attributes, such as those reported by SafeGuard
PortProtector Client through CTA, are validated by ACS.
SafeGuard PortProtector and NAC, page 82, describes how Sophos interfaces with NAC to
provide comprehensive network protection.
Configuring Posture Validation Policies, page 96, describes the process of importing the
SafeGuard PortProtector Client Attribute-Value Pairs (AVP) file and provides a link to Cisco
documentation of posture validation policy configuration.
Attribute–Value Pairs (AVP) File, page 98, provides a sample AVP file which should be imported
into ACS in order to check SafeGuard PortProtector Client attributes.
7.1 What is NAC
NAC is a set of technologies and solutions built on an industry initiative led by Cisco Systems. It uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats. Customers using NAC can limit network access only to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the access of noncompliant devices.
7.1.1 Benefits of NAC
Dramatically improves any network's security: NAC ensures that all endpoints conform to the latest security policy, regardless of the size or complexity of the network. With NAC in place, you can focus operations on prevention, rather than on reaction. As a result, you can proactively protect against intruders and leakage.
Extends the value of your existing investments: Besides being integrated into the Cisco network infrastructure, NAC enjoys broad integration with antivirus, security, and management solutions from dozens of leading manufacturers.
NAC provides deployment scalability and comprehensive span of control: NAC provides admission control across all access methods (LAN, WAN, wireless, and remote access).
Increases enterprise resilience: NAC prevents noncompliant and rogue endpoints from affecting network availability.
Reduces operational expenses: NAC reduces the expense of identifying and repairing noncompliant, rogue, and infected systems.
7.2 Posture Validation
The term posture is used to refer to the collection of attributes that play a role in the conduct and "health" of the endpoint device that is seeking access to the network, and that can be checked. Some of these attributes relate to the endpoint device-type and operating system; other attributes belong to various security applications that might be present on the endpoint, such as SafeGuard PortProtector Client (refer to SafeGuard PortProtector Client Attributes on page 96 for a list of SafeGuard PortProtector Client attributes).
Posture validation refers to the act of applying a set of rules to the posture data to provide an assessment (posture token) of the level of trust that you can place in that endpoint. The posture token is one of the conditions in the authorization rules for network access. Posture validation, together with the traditional user authentication, provides a complete security assessment of the endpoint device and the user.
Cisco Secure Access Control Server Release 4.0 for Windows, hereafter referred to as ACS, supports posture validation when ACS is deployed as part of a broad Cisco Network Access Control (NAC) solution.
CTA, which includes a Posture Agent (PA), delivers the SafeGuard PortProtector Client posture attributes to ACS, which performs the evaluation of the posture attributes.
7.3 SafeGuard PortProtector and NAC
During installation of the SafeGuard PortProtector Client, a DLL is installed (SProtectorPP.dll) that communicates the status of various SafeGuard PortProtector attributes (see below) to CTA. CTA, which includes a Posture Agent, delivers the posture attributes to ACS, which performs evaluation of the posture attributes.
If one or more of the attribute checks fail, the endpoint's access to the organizational network is blocked.
7.3.1 SafeGuard PortProtector Client Attributes
In addition to checking for the existence of a SafeGuard PortProtector Client on the endpoint, the following parameters may be checked and reported to the CTA Posture Agent:
Software version
SafeGuard PortProtector policy name
SafeGuard PortProtector policy ID
SafeGuard PortProtector policy revision
SafeGuard PortProtector policy type
SafeGuard PortProtector policy update time
7.4 Configuring Posture Validation Policies
A Posture Validation policy is where you define validation checks for SafeGuard PortProtector Client attributes. These checks are performed on the attributes communicated by SafeGuard PortProtector Client by means of SProtectorPP.dll to the CTA Posture Agent, and reported by CTA to ACS. In order to enable you to configure policies for SafeGuard PortProtector Client attributes, the SafeGuard PortProtector Attribute-Value Pairs (AVP) file, which defines these attributes, needs to be imported into ACS.
Note: Basic instructions are provided below. For additional details, please refer to the Cisco ACS documentation, available from:
http://www.cisco.com/application/pdf/en/us/guest/products/ps6439/c2001/ccmigration_09186a008053d5e4.pdf
OR http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e956.html
To import the AVP file into ACS policy:
1 If you have not yet done so, install SafeGuard PortProtector Client on relevant endpoints. This automatically copies two files into c:\Program Files\Common Files\PostureAgent\Plugins:
SProtectorPP.inf: includes a description of SafeGuard PortProtector Client attributes and their identification.
SProtectorPP.dll: performs checks of SafeGuard PortProtector Client attributes, the posture of which is reported to CTA.
2 Prepare a SafeGuard PortProtector AVP file according to the example provided in Attribute–Value Pairs (AVP) File on page 98.
3 Open a command window on ACS.
4 Navigate to %\Program Files\Cisco Systems\CiscoSecure ACS 4.0\bin.
5 Drop the AVP file (AVPfilename) into this folder.
6 Run csutil -addAVP AVPfilename. The system will begin adding each attribute from the AVP file. When the process is completed, the following message appears:
---AVP Summary---
(N) AVPs have been added to the dictionary <DB>.
7 Restart the csauth, csadmin and cslogd services. The attributes are now imported into ACS.
8 Set up a profile, and create posture validation policies in the Posture Validation Page. This is explained in User help for Cisco Secure ACS for Windows, available from
http://www.cisco.com/application/pdf/en/us/guest/products/ps6439/c2001/ccmigration_09186a008053d5e4.pdf
OR
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e984.html#wp1196118
7.5 Attribute–Value Pairs (AVP) File
The AVP file describes the SafeGuard PortProtector Client attributes necessary for posture validation. The file should be imported into ACS as explained in the previous section. The example provided below contains all available SafeGuard PortProtector Client attributes. You may delete the sections that apply to attributes which you do not wish to check.
[attr#0]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32768
attribute-name=Software-Name
attribute-profile=in out
attribute-type=string
[attr#1]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32769
attribute-name=Version
attribute-profile=in out
attribute-type=version
[attr#2]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32770
attribute-name=Policy-Name
attribute-profile=in out
attribute-type=string
[attr#3]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32771
attribute-name=Policy-ID
attribute-profile=in out
attribute-type=string
[attr#4]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32772
attribute-name=Policy-Revision
attribute-profile=in out
attribute-type=string
[attr#5]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32773
attribute-name=Policy-Type
attribute-profile=in out
attribute-type=unsigned integer
[attr#6]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32774
attribute-name=Policy-Update-Time
attribute-profile=in out
attribute-type=date
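A pre-import check for the AVP file prepared in step 2 of the import procedure and listed in this section, given here as an added example (it is not Sophos or Cisco code). The name lint_avp, the constructed sample text and the rule that [attr#n] headers run from 0 without gaps are assumptions of this example; it catches the mistakes that deleting unwanted sections or copying the listing from a paginated document tends to introduce.

```python
import re

# The eight keys each [attr#n] section carries in the guide's sample file.
REQUIRED = ("vendor-id", "vendor-name", "application-id", "application-name",
            "attribute-id", "attribute-name", "attribute-profile", "attribute-type")
HEADER = re.compile(r"\[attr#(\d+)\]$")

def lint_avp(text):
    """Return a list of problem strings; an empty list means the file is clean."""
    problems, sections, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        header = HEADER.match(line)
        if not line:
            continue
        if header:
            current = {"#": int(header.group(1))}
            sections.append(current)
        elif "=" not in line or current is None:
            # Typical cause: page headers or page numbers copied along with the listing.
            problems.append(f"line {lineno}: stray text {raw!r}")
        else:
            key, value = line.split("=", 1)
            if key != key.strip() or value != value.strip():
                problems.append(f"line {lineno}: whitespace around '=' in {raw!r}")
            current[key.strip()] = value.strip()
    seen = {}
    for position, section in enumerate(sections):
        name = f"[attr#{section['#']}]"
        # Assumption of this example: headers must run 0, 1, 2, ... with no gaps.
        if section["#"] != position:
            problems.append(f"{name}: expected [attr#{position}]")
        missing = [k for k in REQUIRED if k not in section]
        if missing:
            problems.append(f"{name}: missing {', '.join(missing)}")
        ident = tuple(section.get(k) for k in ("vendor-id", "application-id", "attribute-id"))
        first = seen.setdefault(ident, position)
        if None not in ident and first != position:
            problems.append(f"{name}: attribute-id {ident[2]} already used by "
                            f"[attr#{sections[first]['#']}]")
    return problems

# Constructed sample: attr#0 as in the guide, then a damaged section (not from the guide).
COMMON = "vendor-id=24493\nvendor-name=Sophos\napplication-id=5\napplication-name=HIPS\n"
GOOD = ("[attr#0]\n" + COMMON + "attribute-id=32768\nattribute-name=Software-Name\n"
        "attribute-profile=in out\nattribute-type=string\n")
SAMPLE = (GOOD + "[attr#2]\n" + COMMON.replace("=Sophos", "= Sophos")
          + "99\nattribute-id=32768\nattribute-name=Policy-Name\nattribute-profile=in out\n")

if __name__ == "__main__":
    print("\n".join(lint_avp(SAMPLE)))
```

Run it against the prepared file before copying it into the ACS bin folder; an empty result means every section is complete and uniquely identified.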