SafeGuard PortProtector 3.30 SP6 Installation guide Document date: March 2010


Page 1: SafeGuard PortProtector Installation guide


SafeGuard® PortProtector 3.30, Installation guide

2

Important Notice

This guide is delivered subject to the following conditions and restrictions:

This guide contains proprietary information belonging to Sophos. Such information is supplied solely for the purpose of assisting explicitly and properly authorized SafeGuard PortProtector users.

No part of its contents may be used for any other purpose, disclosed to any person or firm or reproduced by any means, electronic or mechanical, without the express prior written permission of Sophos.

The text and graphics are for the purpose of illustration and reference only. The specifications on which they are based are subject to change without notice.

The software described in this guide is furnished under a license. The software may be used or copied only in accordance with the terms of that agreement.

Information in this guide is subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted.

The information in this document is provided in good faith but without any representation or warranty whatsoever, whether it is accurate, or complete or otherwise and on express understanding that Sophos shall have no liability whatsoever to other parties in any way arising from or relating to the information or its use.

SafeGuard PortProtector and SafeGuard PortAuditor are OEM versions of Safend Protector and Safend Auditor from Safend. Therefore some screenshots throughout this manual may still contain the Safend branding but mean the same as within the SafeGuard OEM version.

Boston, USA | Oxford, UK © Copyright 2010. Sophos. All rights reserved. All trademarks are the property of their respective owners.

Other company and brand products and service names are trademarks or registered trademarks of their respective holders.


About This Guide

This Installation Guide is comprised of the following chapters:

Chapter 1, Installation Workflow, suggests a workflow for using the SafeGuard PortProtector solution to protect your organization's endpoints.

Chapter 2, Preparing for Installation, describes the SafeGuard PortProtector architecture and the SafeGuard PortProtector installation workflow. It then describes the system requirements and prerequisites for installation and all the preparations that need to take place before installing SafeGuard PortProtector.

Chapter 3, Installing SafeGuard PortProtector Management Server, describes how to install, restore and upgrade the SafeGuard PortProtector Management Server, and how to launch the SafeGuard PortProtector Management Console.

Chapter 4, Installing SafeGuard PortProtector Management Console, describes how to install SafeGuard PortProtector Management Console.

Chapter 5, Installing SafeGuard PortProtector Client, describes the various methods for installing, or deploying, SafeGuard PortProtector Client. It also explains how to uninstall and upgrade SafeGuard PortProtector Client.

Appendix A - OPSEC™ Interoperability, describes Check Point's OPSEC™ and how it interfaces with SafeGuard PortProtector.

Appendix B - NAC Interoperability, describes Cisco's NAC and how it interfaces with SafeGuard PortProtector.


Contents

1 Installation Workflow ....................................................................................................................... 5

2 Preparing for Installation .................................................................................................................. 8

3 Installing SafeGuard PortProtector Management Server ............................................................. 12

4 Installing SafeGuard PortProtector Management Console .......................................................... 42

5 Installing SafeGuard PortProtector Client .................................................................................... 54

6 Appendix A - OPSEC™ Interoperability ........................................................................................ 81

7 Appendix B - NAC Interoperability ............................................................................................... 94


1 Installation Workflow

About This Chapter

Before installing SafeGuard PortProtector V3.3, it is important to fully understand the implementation process of the SafeGuard PortProtector solution. This chapter suggests a workflow for using the SafeGuard PortProtector solution to protect your organization's data. It contains the following section:

SafeGuard PortProtector Implementation Workflow describes the workflow for implementing and using SafeGuard PortProtector.


1.1 SafeGuard PortProtector Implementation Workflow

The following is an overview of the workflow for implementing and using SafeGuard PortProtector.


Step 1: Install the SafeGuard PortProtector Management Server and Console, as described in Chapter 2, Preparing for Installation and Chapter 3, Installing SafeGuard PortProtector Management Server.

Step 2: Install Additional Management Consoles, as described in Chapter 4, Installing SafeGuard PortProtector Management Console.

Step 3: Define General SafeGuard PortProtector Administration Settings, such as the method in which policies are published, as described in Chapter 7, Administration in SafeGuard PortProtector User help.

Step 4: Scan Computers and Detect Port/Device Usage. Use SafeGuard PortAuditor to detect the ports that have been used in your organization and the devices and WiFi networks that are or were connected to these ports, as described in SafeGuard PortAuditor User help.

Step 5: Define SafeGuard PortProtector Policies. In this stage you define the blocked, allowed and restricted ports, devices and WiFi networks according to the security and productivity requirements of your organization, as described in Chapter 3, Defining Policies in SafeGuard PortProtector User help.

Step 6: Install SafeGuard PortProtector Client on Endpoints, as described in Chapter 5, Installing SafeGuard PortProtector Client.

Step 7: Distribute SafeGuard PortProtector Policies to Endpoints. In this stage, you can either associate policies with users and computers and distribute them directly to endpoints (via SSL), or distribute SafeGuard PortProtector policies using Active Directory's GPO feature or any other third-party tool, as described in Chapter 4, Distributing Policies in SafeGuard PortProtector User help.

Step 8: Endpoints are Protected by SafeGuard PortProtector Policies. In this stage, only approved devices and WiFi networks can be used, through permitted ports. Logs about port, device and WiFi network use and attempted use, as well as tampering attempts, are created and sent to the Management Server, as described in Chapter 8, End-User Experience in SafeGuard PortProtector User help.

Step 9: Monitor Logs and Alerts. View and export the log entries generated by SafeGuard PortProtector Clients, as described in Chapter 5, Viewing Logs in SafeGuard PortProtector User help.


2 Preparing for Installation

About This Chapter

This chapter first describes the SafeGuard PortProtector architecture and the SafeGuard PortProtector installation workflow. It then specifies the system requirements and prerequisites for installing the different components of SafeGuard PortProtector, followed by instructions on how to prepare the network for installation. It contains the following sections:

System Requirements, page 9, describes the system requirements for each one of the SafeGuard PortProtector components.

Preparing your Network, page 10, describes the preparation that needs to be done on your network in order to allow the different SafeGuard PortProtector components to communicate without interruptions.

Tips on preparing your Endpoints, page 11, describes the preparation that needs to be done on your endpoints before installing SafeGuard PortProtector in order to optimize the security of your network.


2.1 System Requirements

Following are the system requirements for the various system components:

SafeGuard PortProtector Client Requirements

Operating System:
Windows XP Professional (SP 1-3)
Windows XP 64 bit Professional (SP 2-3) – note that there is a separate MSI from version 3.2 for 64 bit OS
Windows 2003 Server (SP 1-2)
Windows 2000 SP4 Rollup 1
Windows Vista Business/Enterprise/Ultimate (SP 1-2) 32-bit
Windows 7 Business/Enterprise/Ultimate 32-bit

Hardware:
Pentium 800 MHz
256 MB RAM
50 MB HDD space

SafeGuard PortProtector Console Requirements

Operating System:
Windows XP Professional (SP 2)
Windows 2003 Server (SP 1-2)

Hardware:
Pentium 800 MHz
256 MB of RAM
50 MB HDD space

Software:
Microsoft .NET Framework 2.0 (make sure that the server and console are installed with the same .NET 2.0 SP)

SafeGuard PortProtector Server Requirements

Operating System:
Windows XP Professional (SP2 – not supported for production environments)
Windows 2003 Server (SP 1-2)

Hardware:
The server hardware requirements depend on the number of installed SafeGuard PortProtector Clients. To obtain the specifications suitable for your organization, please contact your local Sophos reseller or Sophos support at [email protected].

Software:
Microsoft .NET Framework 2.0 (make sure that the server and console are installed with the same .NET 2.0 SP)
Microsoft IIS


2.2 Preparing your Network

Before installing the system, be sure to enable the following communications in your network and personal firewalls.

To prepare your network:

1 In order to communicate freely between the SafeGuard PortProtector Management Server and the SafeGuard PortProtector Clients, make sure that the SSL port is open in your network firewall. Sophos typically uses port 443 (SSL standard) for this. If you have chosen a different port, make sure to allow that port in your firewall.

2 In order for the SafeGuard PortProtector Management Console to be able to control clients (send control commands to clients to send their logs and update their policy), it needs WMI ports to be open on the personal firewalls of each endpoint. WMI uses port 135 and a series of random ports.

2.2.1 Opening WMI ports on Windows XP (SP2) Firewall

If you are using Windows XP (SP2) firewall as the personal firewall on your endpoints, you can use the GPO mechanism to configure endpoints to accept incoming WMI communications. The following section is quoted from Microsoft documentation.

"Without configured exceptions, Windows Firewall will drop traffic for server, peer, or listener applications and services. Therefore, it is likely you will want to configure Windows Firewall for exceptions to ensure that the Windows Firewall works appropriately for your environment. Windows Firewall settings are available for Computer Configuration only.

They are located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

Identical sets of policy settings are available for two profiles:

Domain profile. Used when computers are connected to a network that contains your organization’s Active Directory domain.

Standard profile. Used when computers are not connected to a network that contains your organization’s Active Directory domain, such as a home network or the Internet.

The relevant policy setting for WMI is:

Windows Firewall: Allow remote administration exception

This allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using RPC and DCOM.

The default is Not Configured".
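As an added pre-installation check (not part of the Sophos guide), the following PowerShell script probes the openings this section requires: the Management Server's SSL port(s) from the console host, and TCP 135/445 plus a remote WMI query against each endpoint. The host names are placeholders; port 4443 applies only when the server runs Windows 2003 (see chapter 3).

```powershell
param(
    [string]   $ManagementServer = 'sgpp-server.example.local',   # placeholder, not a real host
    [string[]] $Endpoints        = @('ws-001.example.local'),     # placeholders for your endpoints
    [int]      $ClientSslPort    = 443,                           # SSL port for Client traffic
    [int]      $ConsoleSslPort   = 4443                           # Console port, Windows 2003 servers only
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; avoids Test-NetConnection so it also
    # runs on the Windows XP/2003-era PowerShell 2.0 hosts this guide targets.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function New-CheckResult {
    param([string]$Target, $Port, [string]$Purpose, [bool]$Open)
    New-Object PSObject -Property @{ Target = $Target; Port = $Port; Purpose = $Purpose; Open = $Open }
}

$results = @()

# Requirement 1: Clients and Consoles must reach the Management Server over SSL
# through the network firewall.
foreach ($port in @($ClientSslPort, $ConsoleSslPort)) {
    $results += New-CheckResult $ManagementServer $port 'Management Server SSL' `
        (Test-TcpPort -ComputerName $ManagementServer -Port $port)
}

# Requirement 2: the Console controls Clients over WMI. The GPO exception opens
# TCP 135 and 445 on each endpoint's Windows Firewall, but DCOM then uses a
# dynamically assigned port, so only an actual WMI query is conclusive.
foreach ($ep in $Endpoints) {
    foreach ($port in @(135, 445)) {
        $results += New-CheckResult $ep $port 'Endpoint firewall exception (RPC/SMB)' `
            (Test-TcpPort -ComputerName $ep -Port $port)
    }
    $wmiOk = $false
    try {
        # Run this as the domain account you will give the Management Server
        # in the Domain Credentials step of chapter 3.
        $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ep -ErrorAction Stop
        $wmiOk = $true
    } catch { }
    $results += New-CheckResult $ep 'DCOM' 'Remote WMI query' $wmiOk
}

$results | Format-Table Target, Port, Purpose, Open -AutoSize
```

A row with Open = False on 135/445 points at the endpoint's personal firewall (the GPO setting quoted above), while a failed WMI query with both ports open usually means DCOM's dynamic port range or the account's permissions.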


2.3 Tips on Preparing Your Endpoints

Booting via an external boot device (floppy, CD etc.) will circumvent any security software. However, there are a few ways to either prevent this scenario from happening, or to make it impossible to read the data outside the Sophos-protected operating system:

Changing the boot sequence: Change the boot sequence so that the machine does not boot first from the floppy, then the CD\DVD-ROM, and, finally, the hard disk drive. The hard disk drive should always be the first boot device. If the floppy or the CD\DVD-ROM is the initial boot device, anyone can use a bootable medium that can directly access the hard disk drive and reset the administrator password in seconds.

Physical seal \ chassis protection: Make sure that the hardware is sealed and that the hard disk drive cannot be simply disconnected.

Setting a password to protect the BIOS: This prevents users from entering the BIOS and re-enabling the boot access through devices other than the internal hard disk drive.

Disk Encryption: Several disk encryption software packages are available on the market. These encrypt the entire disk, making sure that the data can be read only when loading the operating system (which contains the client that can decrypt it). Booting from any external boot device will not prove useful since all data will be encrypted.

SafeGuard PortProtector Client has been tested to work along with the leading software products of this type, including PGP Wholedisk, Sophos SafeGuard Easy, WinMagic and Pointsec.


3 Installing SafeGuard PortProtector Management Server

About This Chapter

This chapter describes how to install SafeGuard PortProtector Management Server and contains the following sections:

Prerequisites, describes the requirements for installing the management server.

Installing Prerequisite Software, describes how to install Microsoft .NET framework and IIS.

Before Installing SafeGuard PortProtector Management Server, provides a checklist of issues you need to verify before starting the installation process.

Installing the Management Server, describes how to install the SafeGuard PortProtector Management Server for the first time and how to launch the SafeGuard PortProtector Management Console.

Restoring an Existing Management Server, describes how to restore an existing SafeGuard PortProtector Management Server in case of hardware upgrade or failure.

Upgrading the Management Server, explains how to upgrade SafeGuard PortProtector from version 3.2 to version 3.3.

Post-Installation Settings (Checklist), lists a set of critical settings to define after installation.

Uninstalling SafeGuard PortProtector Management Server, explains how to uninstall SafeGuard PortProtector Management Server.

Changing your Database, explains how to switch from using an embedded SafeGuard PortProtector database to an external MS SQL database, and vice versa.


3.1 Prerequisites

3.1.1 Operating System

Windows XP Professional (SP0-2) 32-bit

Windows 2003 Server (SP0-2) 32-bit

3.1.2 Hardware

The server hardware requirements depend on the number of installed SafeGuard PortProtector Clients. To obtain the specifications suitable for your organization, please contact your local Sophos reseller or Sophos support at [email protected].

3.1.3 Software

Microsoft .NET Framework 2.0 installed

Microsoft Internet Information Services (IIS)

3.2 Installing Prerequisite Software

3.2.1 Installing Microsoft .NET Framework 2.0

To install .NET Framework

Microsoft .NET Framework 2.0 is built in by default on Windows 2003, and can be downloaded for free from the Microsoft website for Windows XP.

Link to .NET framework 2.0 installation package:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5&DisplayLang=en


3.2.2 Installing Microsoft IIS

To install Microsoft IIS:

1 In Control Panel on your computer, double-click Add or Remove Programs. The Add or Remove Programs window opens.

2 Click Add/Remove Windows Components. The Windows Components Wizard window opens.

3 If you are installing the application on a machine running Windows 2003, check the Application Server checkbox. If you are installing IIS on a machine running Windows XP, check the Internet Information Services checkbox, as shown below:

4 Click Next.

5 The Insert Disk window opens, asking for the utility disc or location that holds the relevant Microsoft Windows installation components:

6 Insert the disc and click OK. The installation may take a few moments.


7 When the wizard notifies you that the installation is complete, as shown in the following figure, click Finish to close the wizard. IIS is now installed.

3.3 Before Installing SafeGuard PortProtector Management Server

1 Verify that all system requirements and prerequisites are met.

2 Make sure that the SafeGuard PortProtector Server machine belongs to the same domain in which you intend to deploy SafeGuard PortProtector policies.

3 Make sure that a MySQL DB is not installed on the SafeGuard PortProtector Management Server machine.


3.4 Installing the Management Server

To install SafeGuard PortProtector Management Server:

1 Locate on your installation CD.

2 Double-click the file. The SafeGuard PortProtector Server Installation window appears:

3 Click Browse to select a destination folder for the extracted installation files.

Note: Make sure that the files are extracted to a local folder. The installation will not run from a network path.

4 Click Install.


5 Following extraction, you will be asked to select the SafeGuard PortProtector Server language, as shown below:

6 Select the required language and click OK. The first step of the installation wizard appears:


Click Next and read the End User License Agreement. After accepting, click Next again. The Installation Mode step opens:

Select one of the following options:

For a new installation select the New radio button and proceed to step 9 below.

For instructions regarding the Restore option, refer to Restoring an Existing Management Server on page 33.

To join a server cluster, select the Join a Cluster radio button.

A server cluster enables the installation of several SafeGuard PortProtector Management Servers connected to a single external database, so that they seamlessly share the load of traffic from the endpoints, as well as to provide redundancy and high availability.


The following window opens:

7 Click Next. The Database window opens:

SafeGuard PortProtector can create its own internal database for storing configuration and data. Alternatively, you can use an existing external database.

Note: SafeGuard PortProtector supports MS SQL 2000 and up.

8 In the Database window, select the required radio button. Select the first radio button if you want to use a database which resides on the same machine as the Management Server (the database is managed by SafeGuard PortProtector Management Server). Select the second option if you have an MS SQL database on another machine and you want to use it as your SafeGuard PortProtector database.

Note: If you select to use an existing external database, this database must already be installed.


9 Click Next. If you selected to install an embedded database, skip to Step 14.

10 If you have selected to use an existing database server or to join a cluster, the following window opens:

11 In the Database Credentials window, perform the following steps:

a. In the Database Server field, enter the database server name (for a non-default instance use the format server\instance).

b. Under Database authentication mode, click the appropriate radio button to select whether to use MS SQL Security or Microsoft Windows Security.

c. Enter database authentication credentials – User Name and Password. If you selected Microsoft Windows Security you must also enter a Domain name.

12 Click Next. The installation program validates access to the database.

Note: If validation fails, re-enter the correct information, or click Cancel to exit the installation wizard.


Note: If a valid SafeGuard PortProtector database already exists on this database server, the following window opens:

In this window, click Yes in order to overwrite the existing database. If you wish to use the existing database, click No and skip to Restoring an Existing Management Server on page 33.

13 The Destination Folder step opens:


14 Click Next to select the default installation folder: C:\Program Files\Sophos\SafeGuard PortProtector, or click Change to select a different installation folder, then click Next. The Domain Credentials window opens:

15 In the Domain Credentials window, enter the domain user credentials: SafeGuard PortProtector Management Server requires a domain account from your Active Directory in order to perform tasks such as creating GPOs and for controlling clients via WMI. We recommend that you enter an account with domain administrator privileges (you may change this user after installation).


16 Click Next.

Users' access to the Management Console is restricted for security reasons. SafeGuard PortProtector does not require its own users and computers database. Instead, credentials are checked against Active Directory and/or local user accounts on the Management Server machine. Following installation, access to the Management Console is restricted to users who have local administrative rights on the computer hosting the Server, as shown below:

17 Click Next. The Communication Port window opens.

SafeGuard PortProtector Management Server communicates with the SafeGuard PortProtector Management Consoles and Clients through SSL ports. Port definitions differ in Windows XP and Windows 2003.

Windows XP


The Management Server will use the default SSL port which is defined by the website of the host computer for communicating both with SafeGuard PortProtector Clients and with the Management Console.

Note: If no website is found on the host computer, the same window appears, with the Communication Port (SSL) text box editable. If you are not using the standard port 443, change it as required.


Windows 2003

In Windows 2003, SafeGuard PortProtector uses two different ports to communicate with SafeGuard PortProtector Clients and with the Management Console.

The default ports are 443 for Client communications and 4443 for Management Console communications. If you wish, you may change these default ports.

18 In order for SSL to operate, a certificate is needed to authenticate the Management Server. This certificate is also used for encrypting the data sent on the communication port. If the computer that is running the Server already has an active website that allows the SSL port activation, the application will use the existing certificate. If no certificate exists, the application will create a new certificate and will notify you of this.


Note: A Sophos generated certificate is not signed by a valid Certificate Authority (CA). Although this does not affect the overall security level of the system, using this certificate will cause Internet Explorer to display security alerts.

In order to avoid these alerts you will need to replace the certificate with a signed certificate you receive from a trusted Certificate Authority.
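As an added check (not from the Sophos guide) for confirming which certificate the Management Server is actually presenting, this PowerShell script (3.0 or later assumed) opens an SSL session to each port, reads the server certificate and reports whether it is self-signed like the installer-generated one or chains to a CA that the console host trusts. The server name is a placeholder; port 4443 applies only on Windows 2003.

```powershell
param(
    [string] $ManagementServer = 'sgpp-server.example.local',   # placeholder, not a real host
    [int[]]  $Ports            = @(443, 4443)                  # 4443 only exists on Windows 2003
)

function Get-ServerCertificateReport {
    param([string]$ComputerName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept whatever the server sends during the handshake; the verdict is
        # computed below from the certificate itself, not from the handshake.
        $acceptAll = { param($sender, $cert, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)   # $true only if every link is in this host's trust store
        $report = New-Object PSObject -Property @{
            Port         = $Port
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            NameMatches  = ($cert.GetNameInfo('DnsName', $false) -eq $ComputerName)
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)   # the installer-generated case
            TrustedChain = $trusted
            ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
        $ssl.Close()
        return $report
    } finally {
        $tcp.Close()
    }
}

foreach ($p in $Ports) {
    try {
        Get-ServerCertificateReport -ComputerName $ManagementServer -Port $p |
            Format-List Port, Subject, Issuer, NotAfter, NameMatches, SelfSigned, TrustedChain, ChainStatus
    } catch {
        Write-Warning "Port ${p}: $($_.Exception.Message)"
    }
}
```

SelfSigned = True with TrustedChain = False is the state described in the note above; after the certificate has been replaced, expect TrustedChain = True, NameMatches = True and an empty ChainStatus.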

19 Click OK to continue with the installation.

20 Click Next.

In the following window, you will be asked to backup the encryption keys that are generated by SafeGuard PortProtector.

To enhance the security of the system, encryption keys are generated during the installation. These keys are unique to your organization and raise the tampering resistance of your system. The keys are used to encrypt policies and logs as well as for mutual authentication between the Server and the endpoints.

One example for the use of these unique keys is that endpoints need to be initialized upon installation with the organization's unique keys. From this point on, an endpoint will treat any information (i.e. policy) that does not correlate to the keys as an attempt to circumvent its protection.

For this reason it is highly recommended to backup the keys and store them on another machine/site in order to ensure smooth recovery in cases of server malfunction without the need to re-deploy Clients to endpoints.


In order to backup your encryption keys, you need to set a password that will be used to protect the keys:

If you do not want to backup your encryption keys during the installation, check the Do not backup encryption keys now checkbox and click Next.

To backup your encryption keys, click Browse to select a path. Enter a password and confirm it.

Note: The password should be at least 7 characters long and should contain one upper case character and one digit.

21. Click Next.


In the following window, you will be asked to configure the schedule for automatic system backup to the network, which includes the encryption keys that are generated by SafeGuard PortProtector.

You may change the default Perform backups interval (Daily, Weekly, Monthly) and the time. The backup path supplied must reside on a network share, with write permissions for the user provided in the Domain Credentials window (step 16) in the setup wizard. Click Browse to select the Network backup path. Enter a Password and Confirm it. If there is a problem with the password you choose (or share permission), the following message will be displayed.

22. Click Next.


The Summary window opens:


21 Confirm the installation summary and click Install to perform the Server installation.

Installation begins, and the Installation Progress window opens:


22 Once installation has been completed, the following window opens:

23 The SafeGuard PortProtector Management Server has been installed. Check the checkbox at the bottom of the screen if you wish to launch the SafeGuard PortProtector Management Console, and click Finish.

Note: The installation process installs the SafeGuard PortProtector Management Console as well.


24 If you have chosen to launch the SafeGuard PortProtector Management Console, the Login window opens:

Enter your User Name, Password and Domain and click Login. The application opens, displaying the main window.

25 Take the time to define preliminary settings in the Administration and Global Policy Settings. Please refer to Post-Installation Settings (Checklist) on page 38 for a list of settings which you may want to review and change.


3.5 Restoring an Existing Management Server

In some cases you will need to install SafeGuard PortProtector Management Server while maintaining your system's unique encryption keys, in order to work with your existing SafeGuard PortProtector Clients. This may happen when you want to migrate the Server from a low-CPU machine to a stronger one, or when recovering from hardware malfunctions.

In order to restore an existing Management Server you will need to provide the encryption keys backup file and the password that was set to protect it.

To restore an existing Management Server:

1 Perform the steps described in Installing the Management Server on page 16 up to Step 7.

2 At this stage, you will be asked to choose the installation mode, as shown below:


3 Select the Restore radio button. The following window opens:

4 In the Restore window, select the appropriate radio button according to whether you wish to use SafeGuard PortProtector backup files or connect to an existing external SafeGuard PortProtector MS SQL database. If you select the second option, Connect to an existing SafeGuard PortProtector MS SQL database, skip to step 8 below.


5 Click Next. The Backup Files window opens:

6 Enter the path to your keys backup file and the password protecting it.

If you have saved your previous installation configuration (policies, queries etc.), you can restore the configuration as well. Do this by checking the checkbox and selecting the path to the configuration backup file.

Note: To learn how to restore logs refer to Restoring Logs on page 37.

7 Skip to step 11 below.


8 If you have selected to use an existing database server, the following window opens:

9 In the Database Credentials window, perform the following steps:

a. In the Database Server field, enter the database server name (for a non-default instance use the format server\instance).

b. Under Database authentication mode, click the appropriate radio button to select whether to use MS SQL Security or Microsoft Windows Security.

c. Enter database authentication credentials – User Name and Password. If you selected Microsoft Windows Security you must also enter a Domain name.

10 Click Next. The installation program validates access to the database.

Note: If validation fails, re-enter the correct information, or click Cancel to exit the installation wizard.

11 Follow the instructions in steps 15-27 in Installing the Management Server.

3.5.1 Restoring Logs

The need may arise to restore version 3.2 logs that you have previously backed up. This may happen in one of the following cases:

You wish to upgrade or replace your version 3.2 Management Server machine

Upgrading from version 3.2 to a higher version fails and rolls back to version 3.2 without logs.

Note: This utility only restores logs from and to an embedded SafeGuard PortProtector database, since backing up and restoring logs on an external database is handled by your DBA.

Log restoring is performed using the Log Restore Utility. Running this utility deletes the existing log tables, and restores the exact log schema from the backup file. Log views are created automatically when starting the Management Server.

To view Log Restore Tool version (optional):

1 Locate RestoreTool.exe in your SafeGuard PortProtector Management Server installation folder under the "bin" folder (if you installed in the default destination folder the path is \Program Files\Sophos\SafeGuard PortProtector\Management Server\Bin).

2 Run RestoreTool.exe using the following syntax:

RestoreTool version

The command returns the assembly version of RestoreTool.exe.

To restore logs:

1 Stop the Management Server.

2 Locate RestoreTool.exe in your SafeGuard PortProtector Management Server installation folder under the "bin" folder (if you installed in the default destination folder the path is \Program Files\Sophos\SafeGuard PortProtector\Management Server\Bin).

3 Run RestoreTool.exe using the following syntax:

RestoreTool restore -backupFile <backup file path> [-silent] [-verbose]

-backupFile specifies the full backup (SLB) file path to restore from

-silent do not ask the user for confirmation

-verbose verbose operation

The program notifies you of any errors in the restore process.

If there are no errors, your log data and structure are restored.

4 Start the Management Server.

3.6 Upgrading the Management Server

Upgrading from a previous version of SafeGuard PortProtector to this new version 3.3 SP5 is not supported. Customers will have to uninstall the older version and re-install the SP5 version. Also the policies will not be migrated. If customers have purchased professional services, we can help in the migration of policies.

3.7 Upgrading in a Clustered Environment

Upgrading in a clustered environment is not supported due to the rebranding of the product.

3.8 Post-Installation Settings (Checklist)

The SafeGuard PortProtector Management Server installation package defines default settings for system behavior which you can find under Administration and Global Policy Settings (both available from the Tools menu in the SafeGuard PortProtector Management Console).

Once you complete installing SafeGuard PortProtector Management Server and access the Management Console, you may want to visit these windows and set the parameters relevant to your environment.

3.8.1 Checklist for the Most Critical Settings in the Administration Window:

1 Policy Publishing Method – Select the format and destination for publishing policies.

2 Encryption Keys Backup – If you haven't backed up the encryption keys during installation.

3 Client Installation Folder – Set a shared folder for creating client installation files. You will need these files in order to install clients.

Refer to Chapter 7, Administration in SafeGuard PortProtector User help for an explanation of Administration settings.

3.8.2 Checklist for the Most Critical Settings in the Global Policy Settings Window:

1 Log Transfer Interval – Define the frequency at which logs will be sent from endpoints to the Server.

Important:

Take extra care while configuring the Logs Transfer Interval in order not to burden your network and endpoints with excessive log sending.

Consider the following:

The number of endpoints in your network

The number of expected events from each endpoint (client and file logs)

The level of need for "real time" log information in the Management Console

During installation, the default log interval is set to 90 minutes. In the case of large scale deployments, please consult Sophos Support in order to optimize your settings.

2 Clients Uninstall Password – Change the default password to your own preference.

Important:

Upon product installation the password is set to "Password1". Since the password is one of the foundations for the tampering resistance of the client, it is highly recommended that you change it as soon as you start deploying the product in a production environment.

Important:

Make sure you have created a backup for the Server encryption keys. This will prevent situations in which you cannot uninstall Clients due to password loss.

Refer to Chapter 3, Defining Policies in SafeGuard PortProtector User help for an explanation of Global Policy settings.

3.9 Uninstalling SafeGuard PortProtector Management Server

To uninstall the Management Server:

1 Open Add/Remove Programs in your Control Panel.

2 Select the SafeGuard PortProtector Management Server from the list, and click Remove as described below:

Note: Uninstalling SafeGuard PortProtector Management Server will delete the SafeGuard PortProtector database; therefore, if you wish to install the latest Server version, it is recommended to upgrade your Server rather than to perform an uninstall/install process.

3.10 Changing your Database

If you wish to change from using a SafeGuard PortProtector embedded database to an external MS SQL database, or vice versa, you can do so by using the Restore option as explained in Restoring an Existing Management Server on page 33 and selecting the new database type.

Note: You can only change your database if you are using version 3.2 and above.

Note: Changing your database will result in loss of previous logs. Previous policies are transferred to the new database, but policy associations to organizational objects (when using the "direct distribution from the Management Server to Clients" policy distribution mode) are lost.

4 Installing SafeGuard PortProtector Management Console

About This Chapter

This chapter describes how to install the SafeGuard PortProtector Management Console. It contains the following sections:

Prerequisites, describes the prerequisites of the Management Console.

Installing Prerequisite Software, describes how to install Microsoft .NET framework.

Installing SafeGuard PortProtector Management Console, describes two methods for installing the Console.

Launching SafeGuard PortProtector Management Console for the First Time, describes how to launch SafeGuard PortProtector Management Console.

Uninstalling SafeGuard PortProtector Management Console, describes how to uninstall SafeGuard PortProtector Management Console.

4.1 Prerequisites

4.1.1 Operating System

Windows XP Professional (SP1-2) 32-bit

Windows 2003 Server (SP0-2) 32-bit

4.1.2 Hardware

Pentium 800 MHz

256 MB RAM

50 MB HDD space

4.1.3 Software

Microsoft .NET Framework 2.0 installed

4.2 Installing Prerequisite Software

4.2.1 Installing Microsoft .NET Framework 2.0

To install .NET Framework:

Refer to Installing Prerequisite Software on page in section 3.2

4.3 Installing SafeGuard PortProtector Management Console

SafeGuard PortProtector Management Console can be installed and run from any computer on your network. The first console is installed on the same machine that hosts the Management Server as part of the Server installation, and additional consoles can be installed on any machine in your domain that meets the prerequisites.

Additional consoles can be installed on your domain either through Sophos’s Management Console Installation web page (recommended), or by running the ManagementConsole.msi file from an external source, such as a CD.

Note: Access to the Management Consoles is restricted by default to the local administrators group of the machine hosting the server. In order not to expose your server machine user and password unnecessarily, make sure you change this setting to a user group in your Active Directory before installing additional Management Consoles. You can change this setting from the Administration window in the Management Console.

4.3.1 Installing the Console from the Installation Web Page

SafeGuard PortProtector Management console features a 'One-click' deployment process which gives you easy access to installing the Management Console by pointing your browser to the SafeGuard PortProtector Management Server address. This method automatically keeps all your Management Consoles up-to-date with the latest software version of the Management Server, and is therefore the recommended installation method.

To install the Management Console from the installation web page:

1 Access the address of the installation web page on the target machine.

The link is in the following format:

https://<servername>:<serverport>/SafeGuardPortProtector/consoleinstall.aspx

Tip:

You may also use a shorter link format:

https://<servername>:<serverport>/SafeGuardPortProtector

(This address can be found in the General tab of the Administration window, which you can access from the Management Console's Tools menu).

The installation page opens:

The page contains the following:

A link to the Microsoft .NET framework 2.0 installation package.

A link to the Management Console installation package.

Server details.

2 If the machine on which you wish to install an additional Console does not have .NET framework installed, enter the link and install it before proceeding with the Management Console installation.

3 Click the link to the Management Console installation package. The following window opens:

4 Click Save and then run the program. The Management Console installation wizard opens:

5 Click Next. The Select Installation Folder window opens:

6 In the Select Installation Folder window, select the folder in which the SafeGuard PortProtector Management console will be installed. The default folder is C:\Program Files\Sophos\SafeGuard PortProtector\. If you wish to install the Management Console in a different folder, click the Browse button and select the desired folder.

7 Select one of the following options by clicking its radio button:

Everyone: allow access to the application to any user who uses the computer

Just me: allow access to the application only to the logged on user.

Click Next. The following window opens:

8 In the Confirm Installation window, click Next to perform the installation.

9 Once the installation completes, the following window opens:

10 Click Close to exit.

11 Open the Management Console application by clicking the icon on your desktop or from Start > Programs > SafeGuard PortProtector > Management Console.

12 Depending on the browser you are using, the following message may appear:

Fill in the server name and port as it appears in the installation web page, and click Connect.

13 The Login window appears:

Type your user name, password and domain and click Login. The application will open, displaying the main window.

4.3.2 Installing SafeGuard PortProtector Management Console Manually

To manually install the Management Console:

1 Locate the ManagementConsole.msi file on your CD and run it. The setup window opens:

2 Proceed with steps 5 through 13 as described above.

4.4 Launching SafeGuard PortProtector Management Console for the First Time

1 Click the icon on your desktop.

OR

Go to Start > Programs > SafeGuard PortProtector > Management Console. The application opens for the first time:

2 Enter your user name, password and domain. The following window opens:

Each time the Management Console connects to the Server, it automatically downloads the latest version of the Management Console (if an update exists). Once the updated files are downloaded, the window closes, and the following window opens:

3 If you are evaluating the software, click Remind Me Later

OR

Click Enter License Key if you have a valid Sophos license, and enter your Sophos license key as described in the SafeGuard PortProtector User help, Chapter 7, Administration.

SafeGuard PortProtector Management console opens, displaying the main window.

4.5 Uninstalling SafeGuard PortProtector Management Console

To uninstall the Management Console:

1 From the Control Panel, open Add or Remove Programs.

2 From the list, select SafeGuard PortProtector Management Console and click Remove.

Note: Uninstalling SafeGuard PortProtector Management Console does not cause any information loss. You can re-install it at any time.

5 Installing SafeGuard PortProtector Client

About This Chapter

This chapter describes the various methods for installing, or deploying, SafeGuard PortProtector Client. It also explains how to uninstall and upgrade SafeGuard PortProtector Client. It contains the following sections:

Prerequisites, page 55, describes the prerequisites of the SafeGuard PortProtector Client.

Before Deploying SafeGuard PortProtector Client, page 55, describes the steps you need to take before installing SafeGuard PortProtector Clients.

Installing SafeGuard PortProtector Client, page 58, describes the following installation methods:

Automatic Client Installation (through Active Directory)

Automatic Client Installation (generic)

Manual Installation

Upgrading SafeGuard PortProtector Client, page 65, describes how to upgrade SafeGuard PortProtector Client from V2.0 to V3.x.

Defining Endpoint Behavior during Installation, Page 71, describes how to define the End Point reboot sequence after installation.

Uninstalling SafeGuard PortProtector Client, Page 73, describes how to uninstall SafeGuard PortProtector Client.

5.1 Prerequisites

5.1.1 Operating System

Windows 2000 Professional (SP3-4) 32-bit

Windows 2000 Server (SP3-4) 32-bit

Windows 2000 Advanced Server (SP3-4) 32-bit

Windows XP Professional (SP1-2) 32-bit

Windows 2003 Server (SP0-2) 32-bit

Windows Vista Business/Enterprise/Ultimate (SP1-2) 32-bit

Windows 7 Business/Enterprise/Ultimate 32-bit

5.1.2 Hardware

Pentium 800 MHz

256 MB of RAM

50 MB HDD space

5.1.3 Software

None required

5.2 Before Deploying SafeGuard PortProtector Client

In order to install SafeGuard PortProtector Client, you must first install the Management Server. This is necessary in order to raise the security level of the system, by "imprinting" each installed client with the encryption keys of the server. From the point of installation, SafeGuard PortProtector Client knows the keys which it uses when communicating with the Server. From this point on, the Client will not accept any policy or perform any communication with a Server that does not hold matching keys.

This "imprinting" process is performed by initializing the Client with a file called ClientConfig.scc. This file is generated by the Server upon user request. This file should be available during Client installation.

Before you can start deploying SafeGuard PortProtector Clients you need to define the path to which the Server will generate all the files needed for Client installation. The process of generating the installation files may be performed again at any time.

To generate SafeGuard PortProtector Client installation files:

1 In the Management Console, from the Tools menu, open the Administration window as shown in the following figure:

2 In the Administration window that opens, click the Clients tab on the left. The Administration-Clients window opens:

3 Select a shared folder as the Client installation folder. Once the files are created, the following message appears:

Important: Make sure you enter a network path and not a local path.

4 Click OK.

5 You are now ready to deploy SafeGuard PortProtector Clients on the computers in your organization. Once Clients have been deployed, you can distribute policies to them as described in SafeGuard PortProtector User help.

5.3 Installing SafeGuard PortProtector Client

There are three ways to install the SafeGuard PortProtector Client:

Automatically through the Active Directory Group Policy Management.

Automatically using any corporate software deployment tool, such as SMS and Tivoli.

Manually by running the installation wizard on each computer

5.3.1 Automatic Client Installation (Active Directory)

Automatic SafeGuard PortProtector Client installation is performed using Active Directory's Group Policy Management (if installed) and Active Directory's Users and Computers. These options enable you to define a GPO that will distribute the SafeGuard PortProtector Client to the OUs (computer or user groups) of your choice. When this option is used, the clients are installed in Silent mode.

To automatically install the SafeGuard PortProtector Client:

1 Open the Active Directory Users and Computers window.

2 Right-click the OU to which to install the SafeGuard PortProtector Client and select Properties. The User Properties window opens.

3 In the User Properties window, select the Group Policy tab. This tab looks different depending on whether the Group Policy Management Console is installed or not.

4 If the Group Policy Management Console is not installed, the following window is displayed:

5 Click Add to add the SafeGuard PortProtector deployment GPO, name it, then right-click that GPO and select Edit. Go to Step 9 below.

6 If the Group Policy Management console is installed, click Open in the Group Policy tab to display the Group Management window, as shown below:

7 In the OU tree display on the left pane, select the OU to which to install the SafeGuard PortProtector Client. The right pane displays the GPOs that are already assigned to this OU.

8 Add a GPO that installs software to this OU. Right-click on the OU and select Create and Link a GPO Here, then name the GPO.

9 Right-click the SG PP deployment GPO and select Edit. The Group Policy window is displayed. An example is shown below:

10 Under Computer Configuration in the tree on the left, right-click Software Settings and select New, and then select Package, as shown below (the right pane may display names of other software to be installed if any have been defined):

A file selection window is displayed.

11 Locate the shared folder in which you have selected the Client installation files to be created. This folder should contain both the SafeGuardPortProtectorClient.msi and ClientConfig.scc files. If you are deploying clients to an XP 64 bit machine make sure you are using the files under the XP64Bit sub-folder.

12 Browse to the full UNC path of the SafeGuard PortProtector Client installation file named SafeGuardPortProtectorClient.msi, select it and click Open. Make sure this path includes the ClientConfig.scc file.

13 Double-click the SafeGuardPortProtectorClient.msi file. The following window opens:

14 Select Assigned and click OK. Wait a few moments while the MSI is added.

When installing the SafeGuard PortProtector Client in a foreign language (German, Japanese):

a. Select the Modifications tab from the dialog box and click Add.

b. Select the appropriate Transform file from the network share and press Open.

15 Prepare the endpoints of your organization for automatic installation, as described in the Preparing an Endpoint for Automatic Installation section below.

16 In some rare cases, a restart may be required on the endpoint computer. If so, a message will be displayed.

5.3.1.1 Preparing an Endpoint for Automatic Installation

In order to install the SafeGuard PortProtector Client, the target computers are required to have access to the shared network folder when the system is rebooted. If the target computers are running Windows XP, you must turn on the Always wait for computer network to startup at logon GPO, which can be found under Computer Configuration | Administrative Templates | System | Logon.

The next time a computer or user in this OU reboots, SafeGuard PortProtector client will be deployed to it.

Note: In some cases, depending on the Domain configuration, it may take some time for the GPO containing the installation package, which is linked to the dedicated OU, to replicate to other domain controllers (usually up to 15 minutes). This may appear as endpoints that are not installing the SG PP Clients. In this case it is necessary to wait for the replication to finish before restarting the endpoints for installation.

5.3.2 Automatic Client Installation (Generic)

In order to install using a third-party corporate software management solution, follow the procedure below.

To perform generic automatic client installation:

1 Locate the shared folder in which you have selected the Client installation files to be created. This folder should contain both the SafeGuardPortProtectorClient.msi and ClientConfig.scc files.

2 Create a batch file containing the following command that installs the Protector Client silently:

msiexec /i DriveName:\InstallationPath\SafeGuardPortProtectorClient.msi /qn

When installing the Protector client in a foreign language, use the following command line parameters:

msiexec /i DriveName:\InstallationPath\SafeGuardPortProtectorClient.msi TRANSFORMS="\\InstallationPath\MSTFileName.mst" /qn

(This should be written in a single line.)

3 In some rare cases, a restart may be needed on the endpoint computer. If so, a message will be displayed.

5.3.3 Manual Client Installation

You can manually install the SafeGuard PortProtector Client on each computer in your organization that needs to be protected.

To manually install the SafeGuard PortProtector Client:

1 Locate the shared folder in which you have selected the SafeGuard PortProtector Client installation files to be created. This folder contains the SafeGuardPortProtectorClient.msi installation file. We recommend that the ClientConfig.scc file necessary for the installation be in the same folder. To view the path to this folder, select Administration from the Management Console's Tools menu, then select the Clients tab, as shown in the following figure:

Run SafeGuardPortProtectorClient.msi. If you are deploying clients to an XP 64 bit machine make sure you are using the files under the XP64Bit sub-folder. The installation wizard opens:

2 Click Next to continue. The License Agreement window opens:

3 In the License Agreement window, select the I accept the terms in the license agreement radio button and click Next. The Destination Folder window opens:

4 In the Destination Folder window, determine the folder to which you want to install SafeGuard PortProtector Client. If you want to install it to a folder other than the default, click Change, and in the Change Current Destination Folder window that opens, select the desired folder and click OK.

5 Click Next. The Select Client Configuration File window opens:

6 Select the Client configuration file ClientConfig.SCC. This file is necessary in order for the Client to read encrypted company policies, as well as to set the default uninstall password. This file is generated by the SafeGuard PortProtector Management Server, and is typically found in the same folder as the Client installation file.

Note: If you are unsure where this file is, ask your system administrator, or generate a new one as explained in Before Deploying SafeGuard PortProtector Client on page 55.

7 Click Next. The Ready to Install the Program window opens:

In this window, click Back to review or modify your installation settings, or click Cancel to cancel and exit the installation process.

8 Click Install to begin the installation. The following window opens:

This window contains a Status bar that displays the progress of the installation process. Installation may take several minutes.

Note: During this installation, some of the devices attached to your computer may temporarily stop functioning. The devices will resume functioning once the installation is completed.

When the installation is complete, the following window opens:

9 Click Finish to exit the installation wizard. SafeGuard PortProtector Client is now installed on the endpoint.

Note: In some cases, depending on the computer's hardware configuration, restart is required following installation in order for SafeGuard PortProtector Client to begin protecting the endpoint. A message will notify you when this is required.

5.4 Upgrading SafeGuard PortProtector Client

5.4.1 Upgrading the Client via Active Directory

In order for your endpoint to install the new version of the product, just add the new .msi file as a new GPO (Repeat the steps above). This will automatically update the endpoints on the next reboot.

5.4.2 Upgrading the Client Manually

To upgrade the Client manually:

1 Double-click the SafeGuardPortProtectorClient.msi. SafeGuard PortProtector automatically uninstalls your previous version of the product and updates it with the new version.

2 Following the upgrade, you must reboot the computer on which it was performed (a message will appear requesting you to reboot, unless you have set this message not to appear as explained in the following section).

5.5 Defining Endpoint Behavior during Installation

By default, the process of installing SafeGuard PortProtector Client involves restarting most of the peripheral devices on the endpoint in order to immediately start enforcing the policy. This may cause temporary disconnection from the network in the final stages of the installation.

Additionally, in some rare cases, this may also require the computer to reboot.

Administrators who are using third party products to deploy software may find it useful to define that the "restart devices" process not be performed in order to avoid network disconnection during installation.

You can control both device restart and reboot behavior by defining whether they should be performed during installation.

If you choose not to perform these processes, the policy will not be enforced until the machine reboots upon user request.

To define endpoint behavior during installation:

1 In order to determine the reboot method upon installation, open the ClientConfig.scc file:

2 Scroll down to the end of the file, and add a section at the end – [installparams], as shown in the image above.

3 Add the InstallMethod parameter and value according to the following table:

Parameter and meaning:

InstallMethod=0: The installation WILL perform "restart devices" and WILL display a reboot request message when required. This option ensures instant protection: following installation, all your endpoints immediately start enforcing the policy.

InstallMethod=1: The installation WILL perform "restart devices" and WILL NOT display a reboot request message, even if reboot is required. This option allows you to perform a totally silent installation, with no messages to the end user. However, the policy may not be enforced until the next reboot.

InstallMethod=2 (default): The installation WILL NOT perform "restart devices" and WILL display a reboot request message when required. This option allows you to significantly shorten the installation process and use third party applications for deploying the client without network disconnection. By enforcing reboot, you can make sure the policy is enforced immediately.

InstallMethod=3: The installation WILL NOT perform "restart devices" and WILL NOT display a reboot request message, even if reboot is required. This option allows you to perform a totally silent installation, with no messages to the user and without causing network disconnections. However, the policy is not enforced until the next reboot.

Important: When using options 1 and 3, the operating system may become unstable when devices connect to the monitored ports. It is highly important that you make sure the endpoint performs a reboot as soon as possible after completion of the installation process.
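The following Python helper, added here as an example and not a Sophos tool, applies steps 1 to 3 to the text of ClientConfig.scc without hand-editing: it appends the [installparams] section when it is missing, rewrites an existing InstallMethod line instead of adding a second one, rejects values other than 0 to 3, and flags the two silent methods (1 and 3) that the Important note says must be followed by a prompt reboot. It assumes the file is INI-style text, which the section heading implies; the sample configuration in the usage at the bottom is constructed.

```python
"""Set InstallMethod in the [installparams] section of ClientConfig.scc (steps 1 to 3 above).
Added example, not a Sophos tool.  Assumption: the file is INI-style text, which the
[installparams] section heading implies; the sample configuration below is constructed."""
import re

SECTION = "[installparams]"
SILENT_METHODS = (1, 3)   # no reboot prompt: the Important note above applies to these


def _is_section_header(line):
    return line.startswith("[") and line.endswith("]")


def get_install_method(text):
    """InstallMethod currently set, or None when absent (the guide's default is then 2)."""
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if _is_section_header(line):
            in_section = line.lower() == SECTION
        elif in_section:
            m = re.fullmatch(r"InstallMethod\s*=\s*(\d+)", line, re.IGNORECASE)
            if m:
                return int(m.group(1))
    return None


def set_install_method(text, method):
    """Return the configuration with exactly one InstallMethod=<method> line in [installparams],
    appending the section at the end of the file when it is missing (as the guide instructs)."""
    if method not in range(4):
        raise ValueError("InstallMethod must be 0, 1, 2 or 3")
    out, in_section, seen, written = [], False, False, False
    for line in text.splitlines():
        stripped = line.strip()
        if _is_section_header(stripped):
            if in_section and not written:          # leaving [installparams] without a value
                out.append(f"InstallMethod={method}")
                written = True
            in_section = stripped.lower() == SECTION
            seen = seen or in_section
            out.append(line)
        elif in_section and re.match(r"InstallMethod\s*=", stripped, re.IGNORECASE):
            if not written:                         # rewrite the first line, drop duplicates
                out.append(f"InstallMethod={method}")
                written = True
        else:
            out.append(line)
    if not seen:
        if out and out[-1].strip():
            out.append("")
        out.append(SECTION)
    if not written:
        out.append(f"InstallMethod={method}")
    return "\n".join(out) + "\n"


def needs_followup_reboot(method):
    """True for the silent methods, where the endpoint must be rebooted soon after installation."""
    return method in SILENT_METHODS


if __name__ == "__main__":
    sample = "[server]\naddress=mgmt.example.invalid\n"      # constructed stand-in for ClientConfig.scc
    updated = set_install_method(sample, 3)
    print(updated, "reboot must be scheduled:", needs_followup_reboot(get_install_method(updated)))
```

Because the function is idempotent, it can be run from a deployment script against a shared ClientConfig.scc before each rollout without accumulating duplicate entries.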

5.6 Uninstalling SafeGuard PortProtector Client

You can uninstall SafeGuard PortProtector either manually, or silently from the GPO. The process of uninstalling is password protected using a global password or a policy-specific password which you defined in the Policies World in SafeGuard PortProtector Management Console (refer to SafeGuard PortProtector User help, Chapter 3, Building Policies).


5.6.1 Uninstalling Manually

To uninstall manually:

1 From the Control Panel's Add or Remove Programs, select SafeGuard PortProtector Client as follows:

2 Select SafeGuard PortProtector Client and click Change. The install wizard opens:

3 Click Next to continue uninstalling. The Uninstall Password window opens:

4 Enter the uninstall password that you defined in the Policies World in SafeGuard PortProtector Management Console (refer to SafeGuard PortProtector User help, Chapter 3, Defining Policies) and click Next. The following window opens:

5 In order to review or change any settings before continuing, click Back, or click Cancel to exit the uninstall wizard. Once you have uninstalled it, SafeGuard PortProtector Client will no longer be available to protect the endpoint. Otherwise, continue to the next step.

6 Click Remove to remove SafeGuard PortProtector Client. The uninstall process begins and the following status window appears:

The process may take several minutes. When it is completed, the following window appears:

7 Click Finish. SafeGuard PortProtector Client is uninstalled and no longer protecting the computer.

Note: After uninstalling you must reboot the computer before you can reinstall SafeGuard PortProtector.

5.6.2 Uninstalling SafeGuard PortProtector via GPO

Since the SafeGuard PortProtector uninstall procedure is password protected, it is not possible to use the automatic uninstall feature in the GPO software installation package. Therefore, to uninstall the SG PP, a startup script must be used.

There are two ways to uninstall SafeGuard PortProtector Client. The first and recommended option is to unlink the SG PP Install GPO from the OU containing the client computers, and to apply a NEW GPO containing an uninstall script, as shown in steps 6-11 below. The second option is to edit the SG PP Deployment GPO.

To uninstall SafeGuard PortProtector Client via GPO:

1 Edit the relevant Group Policy applied to the client computers from which the SafeGuard PortProtector is to be uninstalled.

2 Navigate to Computer Configuration > Software Settings > Software Installation.

3 Right-click the SafeGuard PortProtector object and select All Tasks > Remove.

4 Check the Allow users to continue to use the software, but prevent new installations radio button.

5 Click the OK button.

6 Create a new GPO named Protector Uninstall, right-click the new GPO and select Edit.

7 Navigate to Windows Settings under Computer Configuration and select Scripts and then Startup.

8 Click the Show Files button and create a new text document containing the following command:

msiexec.exe /x "\\<full UNC path to SG PP shared install folder>\SafeGuardPortProtectorClient.msi" /qn UNINSTALL_PASSWORD=<uninstall password>

Note: The uninstall command set in the batch file (shown above) must be set in one line. The actual uninstall process will take place only after the computer is rebooted. Because the batch file contains the uninstall password in clear text, unlink or delete the uninstall GPO once the clients have been uninstalled.

9 Replace the full UNC path to the SafeGuard PortProtector's shared installation folder with the appropriate path.

10 Replace the uninstall password with the appropriate uninstall password.

11 Save the file with a *.bat extension.

12 Close the folder, click the Add button and then the Browse button.

13 Select the newly created batch file and click the OK button.

5.6.3 SafeGuard PortProtector Client Cleanup Utility

A Client cleanup utility is available for use when you cannot uninstall SafeGuard PortProtector Client from an endpoint using the processes described above. This may happen in the following cases:

a. SafeGuard PortProtector Client is protecting the endpoint properly, but it cannot be found under the Control Panel's Add or Remove Programs option.

b. Running the Client uninstall (Remove) wizard fails.

c. The Client is not functioning properly (e.g. it is in Panic mode) and will not accept your Client Uninstall password.

d. You have forgotten the Client Uninstall password and cannot update the Client's policy with a new policy in which you have set a new Uninstall password.

To run the Client Cleanup utility:

1 Locate the file spec.exe in the system32 folder under your Windows (system root) folder.

2 Run spec.exe. The following window opens:


3 Supply the computer-specific Cleanup Token to Sophos support ([email protected]). Once you receive your cleanup key from Sophos support, enter it in the Cleanup Key field.

4 In Operating System, select either the Current Operating System or Another Operating System on this machine. If you choose the second option, click Browse to find the other operating system on the computer. Note: if you choose the Windows 2000 operating system, the path is the following: C:\winnt\system32.

5 Click Cleanup Now. The Client cleanup process begins and a progress bar shows its progress. This may take a few minutes. Once cleanup is complete, the following window appears:

6 Restart the endpoint.


6 Appendix A - OPSEC™ Interoperability

About This Appendix

This appendix explains how Check Point™'s VPN-1®/FireWall-1® SecureClient™ (referred to from here on as SecureClient) interacts with SafeGuard PortProtector Client to enhance your network's security. It contains the following sections:

What is OPSEC™, page 82, describes Check Point's OPSEC™ and its benefits.

OPSEC™ and SafeGuard PortProtector, page 82, describes how Sophos interfaces with OPSEC™.

Preparing SafeGuard PortProtector Client, page 82, describes the preparations you need to do on the SafeGuard PortProtector side in order to apply OPSEC™.

Configuring your SCV Policy, page 83, describes the preparations you need to do on the VPN-1®/FireWall-1® side in order to apply OPSEC™.

Installing Updated SCV Policy to SecureClients, page 89, explains how to install the updated SCV Policy to SecureClient.

SafeGuard PortProtector SCV Check Parameters, page 92, describes the checks that can be performed on SafeGuard PortProtector Client and provides examples.

Note: The instructions in this appendix assume that SecureClient is already installed on the required endpoints in your organization.


6.1 What is OPSEC™

Check Point's OPSEC™ (Open Platform for Security) integrates and manages all aspects of network security through an open, extensible management framework. SafeGuard PortProtector can plug into this framework to provide you with a comprehensive security solution. Using this solution, an SCV Check (a DLL) queries the security aspect of the configuration of a client, and reports to SecureClient whether the configuration is "Verified" or "Not Verified". When the configuration is not verified, SecureClient prohibits access to the organizational network.

6.2 OPSEC™ and SafeGuard PortProtector

Sophos provides a DLL which can perform several checks of SafeGuard PortProtector Client, the results of which are reported to SecureClient. In addition to checking for the existence of SafeGuard PortProtector Client, these checks may include one or more of the following parameters:

Policy ID

Policy update date/time

Version number

Protection Status

Server ID

An explanation of these parameters appears in SafeGuard PortProtector SCV Check Parameters, page 92.

When one or more of the checks fail, the computer configuration is not verified, and SecureClient blocks the endpoint from accessing the organizational network.

6.3 Preparing SafeGuard PortProtector Client

Sophos provides a DLL that interfaces with SecureClient, specifically with its SCV Policy, which you should install to the required endpoints:

1 If you haven't done so, install SafeGuard PortProtector Client as explained in Installing SafeGuard PortProtector Client, page 54.

2 Install SafeGuardPortProtectorScv to the required computers using GPO or manually (SafeGuardPortProtectorScv.msi can be found on your SafeGuard PortProtector installation CD). This installs a DLL that can perform your choice of one or more of the checks described above, in addition to checking whether SafeGuard PortProtector Client is installed on the computer. The DLL reports the result – "verified" or "not verified" – to SecureClient.

Important: SecureClient must already be installed on target computers before you install the SafeGuardPortProtectorScv DLL.

Note: If you install SafeGuardPortProtectorScv manually and SecureClient is active, the latter will stop/start the service. In this case, reconnect it.

6.4 Configuring your SCV Policy

The SCV Policy is SecureClient's security policy, into which third party applications such as SafeGuard PortProtector can plug in. An SCV Policy may include one or more SCV Checks, each relating to a different application. SafeGuard PortProtector's SCV Check, namely SafeGuardPortProtectorScv, must be added to the SCV Policy and then installed to the required SecureClients. This process includes three steps:

Step 1: Adding the SafeGuard PortProtector SCV Check to your SCV Policy

Step 2: Adding SafeGuard PortProtector parameters to your SafeGuard PortProtector SCV Check

Step 3: Installing your SCV Policy to the required SecureClients

Steps 1 and 2 may be performed using SCVEditor™ (recommended), explained immediately below, or using any text editor.

6.5 Configuring SCV Policy using SCVEditor™

As mentioned above, it is recommended that you configure your SCV Policy using SCVEditor™, as explained immediately below. If you wish to configure the SCV Policy using a text editor, refer to Configuring SCV Policy using a Text Editor on page 86.

6.5.1.1 Adding SafeGuard PortProtector SCV Check to SCV Policy

The SafeGuard PortProtector SCV Check – SafeGuardPortProtectorScv – must be added to your SCV Policy (local.scv), located in the $FW1conf directory of the VPN-1®/FireWall-1® Management Server.

The SafeGuard PortProtector SCV Check can be added to your SCV Policy using SCVEditor™.


To add the SCV Check using SCVEditor™:

1 From SCVEditor™'s main window, open local.scv:

2 From the left-hand pane of the SCVEditor™ main window, right-click Products, and select Add. The following window opens:

3 Enter SafeGuardPortProtectorScv and click OK. SafeGuardPortProtectorScv now appears in the left-hand pane under Products, along with any products you may have added previously.

4 From the left-hand pane, right-click SafeGuardPortProtectorScv and select Enforce. SafeGuardPortProtectorScv now appears in the bottom half of the right-hand pane of the main window:

5 In the Global SCV Parameters section of the main window, set Block connection on SCV unverified on/off and Expiration Time value as desired.

6 Click Save from the toolbar or from the File menu to save the updated SCV Policy.

6.5.1.2 Adding SafeGuard PortProtector Parameters to the SCV Check

The SCV Check may include several parameters whose value you wish to check in order to verify SecureClient's connection. Refer to SafeGuard PortProtector SCV Check Parameters, page 92, for a list of available parameters including explanations and examples of how to define and use them.

1 To add parameters, right click in the blank workspace on the right-hand side and select New.

The following window opens:

2 Enter the parameter Name and its Value.

In the figure above you can see how to add the MinimumVersion parameter and its value. In this example, if the SCV Check determines that the SafeGuard PortProtector Client version is not equal to or greater than 3.0.12444, the Client will not be verified and will not be allowed to connect to the organizational network.

3 Click OK. The parameter is now added to SafeGuardPortProtectorScv.

4 Perform steps 1 and 2 for each parameter you wish to add. Each parameter you have added is shown in the workspace as follows:

5 Click Save from the toolbar or from the File menu to save the updated SCV Policy.

6.5.2 Configuring SCV Policy using a Text Editor

Another way to configure your SCV Policy is by editing local.scv directly using a text editor. Three examples are provided below.

Example 1 is a general SCV Policy example which describes the file syntax.

Example 2 is an example of an SCV Policy that includes a SafeGuard PortProtector SCV Check with no parameters.

Example 3 is an example of an SCV Policy that includes a SafeGuard PortProtector SCV Check with several parameters.

Note: If you make a mistake in the object file it will result in a corrupted file error (SCV state will be non-verified). Using SCVEditor™ will eliminate this problem.


6.5.2.1 Example 1

The following is a general SCV Policy Example:

    (SCVObject
      :SCVNames (
        :(SCVGroup1
          :type(group)
          :(samplescv1)
          :(samplescv)
        )
        :(SCVGroup2
          :type (group)
          :(emptyscv)
        )
        :(samplescv
          :type (plugin)
          :parameters (
            :n1param1(value1)
            :n1param2(value2)
            :n1param3(value3)
          )
        )
        :(emptyscv
          :type(plugin)
          :parameters (
            :n2param1(value1)
            :n2param2(value2)
          )
        )
      )
      :SCVPolicy(
        :(SCVGroup1)
      )
    )

SCV Policy Description

The SCVPolicy set contains the groups of SCV checks that should be used. In SCVGroup1 there are two SCV checks defined (samplescv and samplescv1). The first SCV check from SCVGroup1 that is registered correctly will be used by SecureClient. samplescv and samplescv1 are similar SCV checks in this example, and at least one of them should be used to report SCV status. Since samplescv1 is not defined properly, samplescv will be used instead. The SCVPolicy does not contain the emptyscv SCV check, therefore it will not be used at all. samplescv contains three parameters which will be passed in the Start function.

6.5.2.2 Example 2

The following is an example of an SCV Policy that contains the SafeGuardPortProtectorScv SCV Check. This SCV Check does not include any parameters and will only check for the existence of SafeGuard PortProtector Client on the endpoint in order to determine whether it is verified to connect to the organizational network.

    (SCVObject
      :SCVNames (
        : (SafeGuardPortProtectorScv
          :type (plugin)
          :parameters ()
        )
      )
      :SCVPolicy (
        : (SafeGuardPortProtectorScv)
      )
      :SCVGlobalParams (
        :block_connections_on_unverified (true)
        :scv_policy_timeout_hours (24)
      )
    )


6.5.2.3 Example 3

The following example is of an SCV Policy that contains the SafeGuardPortProtectorScv SCV Check. The SCV Check includes four parameters which should be checked in order to verify the Client and allow connection to the organizational network (refer to SafeGuard PortProtector SCV Check Parameters on page 92 for a list of available parameters including explanations and examples of how to define and use them).

    (SCVObject
      :SCVNames (
        : (SafeGuardPortProtectorScv
          :type (plugin)
          :parameters (
            :PolicyId ("Policy1 0 / 1$$Sophos Initial Policy ")
            :ProtectionStatus ("STATUS_PROTECTED")
            :PolicyUpdatedSinceDate ("23.08.2006 17:17:00")
            :MinimumVersion ("3.0.12444")
          )
        )
      )
      :SCVPolicy (
        : (SafeGuardPortProtectorScv)
      )
      :SCVGlobalParams (
        :block_connections_on_unverified (true)
        :scv_policy_timeout_hours (24)
      )
    )
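The three examples above are the only specification of the local.scv syntax on this page, and the note in 6.5.2 warns that a single slip produces a corrupted-file error. The following Python parser is an added example (not Check Point or Sophos code): it tokenizes and parses that syntax, raises SCVSyntaxError for unbalanced parentheses or unterminated strings, and resolves which checks SecureClient would actually run according to the SCV Policy Description above (a group contributes its first member that is properly defined as a plugin). The grammar is inferred from the three examples only; EXAMPLE_1 and EXAMPLE_3 are those examples compacted onto fewer lines, and the malformed inputs used for the negative checks are constructed.

```python
"""local.scv parser/resolver for the syntax of Examples 1-3.  Added example, not Check Point or Sophos code."""
import re

class SCVSyntaxError(ValueError):
    """The kind of mistake SecureClient reports as a corrupted file."""

# token := quoted string | one of ( ) : | bare atom | (\S) catches a lone, unterminated quote
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([():])|([^\s():"]+)|(\S)')

def tokenize(text):
    tokens = []
    for m in _TOKEN.finditer(text):          # whitespace between tokens is skipped
        if m.group(4):
            raise SCVSyntaxError(f"unterminated string at offset {m.start()}")
        kind = "str" if m.group(1) is not None else "punct" if m.group(2) else "atom"
        tokens.append((kind, m.group(1) if kind == "str" else m.group(2) or m.group(3)))
    return tokens

class _Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("eof", "end of file")

    def take(self, kind=None, text=None):
        tok = self.peek()
        if tok[0] == "eof" or (kind and tok[0] != kind) or (text and tok[1] != text):
            raise SCVSyntaxError(f"expected {text or kind or 'a value'}, found {tok[1]!r}")
        self.i += 1
        return tok

    def named(self):    # '(' Name entry* ')'     e.g.  :(SCVGroup1 :type(group) :(samplescv))
        self.take("punct", "(")
        name = self.take("atom")[1]
        entries = self.entries()
        self.take("punct", ")")
        return name, entries

    def entries(self):  # entry := ':' named-object | ':' Key value   (dict keeps file order)
        out = {}
        while self.peek() != ("punct", ")"):
            self.take("punct", ":")
            if self.peek() == ("punct", "("):
                name, value = self.named()
            else:
                name, value = self.take("atom")[1], self.value()
            out[name] = value
        return out

    def value(self):    # value := '(' ')' | '(' entry+ ')' | '(' atom-or-string ')'
        self.take("punct", "(")
        tok = self.peek()
        if tok == ("punct", ")"):
            value = {}
        elif tok == ("punct", ":"):
            value = self.entries()
        else:
            value = self.take()[1]
        self.take("punct", ")")
        return value

def parse_scv(text):
    """Parse a whole local.scv into nested dicts, raising SCVSyntaxError when it is malformed."""
    p = _Parser(tokenize(text))
    name, body = p.named()
    if name != "SCVObject" or p.i != len(p.toks):
        raise SCVSyntaxError("file must consist of exactly one (SCVObject ...) object")
    return body

def is_well_formed(text):
    try:
        parse_scv(text)
        return True
    except SCVSyntaxError:
        return False

def effective_checks(policy):
    """Checks SecureClient will run: a plugin named in SCVPolicy as is; for a group, its first member properly defined as a plugin."""
    names, chosen = policy.get("SCVNames", {}), {}
    for entry in policy.get("SCVPolicy", {}):
        d = names.get(entry)
        if not isinstance(d, dict) or d.get("type") not in ("plugin", "group"):
            raise SCVSyntaxError(f"SCVPolicy entry {entry!r} is not a defined plugin or group")
        members = [entry] if d["type"] == "plugin" else [m for m in d if m != "type"]
        for member in members:
            md = names.get(member)
            if isinstance(md, dict) and md.get("type") == "plugin":
                chosen[member] = dict(md.get("parameters") or {})
                break
    return chosen

EXAMPLE_1 = """(SCVObject
 :SCVNames ( :(SCVGroup1 :type(group) :(samplescv1) :(samplescv)) :(SCVGroup2 :type (group) :(emptyscv))
  :(samplescv :type (plugin) :parameters (:n1param1(value1) :n1param2(value2) :n1param3(value3)))
  :(emptyscv :type(plugin) :parameters (:n2param1(value1) :n2param2(value2))) )
 :SCVPolicy( :(SCVGroup1) ) )"""

EXAMPLE_3 = """(SCVObject
 :SCVNames ( : (SafeGuardPortProtectorScv :type (plugin) :parameters (
   :PolicyId ("Policy1 0 / 1$$Sophos Initial Policy ") :ProtectionStatus ("STATUS_PROTECTED")
   :PolicyUpdatedSinceDate ("23.08.2006 17:17:00") :MinimumVersion ("3.0.12444") ) ) )
 :SCVPolicy ( : (SafeGuardPortProtectorScv) )
 :SCVGlobalParams ( :block_connections_on_unverified (true) :scv_policy_timeout_hours (24) ) )"""
```

Running `effective_checks(parse_scv(EXAMPLE_1))` yields only `samplescv` with its three parameters, matching the description (samplescv1 is named in the group but never defined, emptyscv is defined but not in SCVPolicy); running it on a hand-edited local.scv before Policy Install is a cheap way to catch the corrupted-file case on the management server rather than on every SecureClient.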


6.6 Installing Updated SCV Policy to SecureClients

Once you have added SafeGuardPortProtectorScv to your SCV Policy and saved it, either through SCVEditor™ or using a text editor, you can install it to your SecureClients as explained below.

To install the updated SCV Policy:

1 Open Check Point SmartDashboard™:

2 From the Policy menu, select Install, as shown in the previous figure. The Install Policy window opens:

3 Select the desired settings and click OK. The installation begins and the Installation Process window opens, displaying installation progress. Once the installation is completed successfully, the following window is displayed:

4 Your SCV Policy is now installed to the selected gateways.

When SecureClients perform their next logon to Policy Server, the updated SCV Policy will be installed to them. Once installed to SecureClients, they can now communicate with the SafeGuard PortProtector DLL described above and block connection to the organizational network when the SafeGuard PortProtector configuration is not verified.

In the case where a configuration is not verified, an error message appears on the endpoint.

The following figure shows an example of the message the end user will receive when a configuration is not verified due to a parameter value mismatch:

The following figure shows an example of the message the end user will receive when a configuration is not verified due to a format error:


6.7 SafeGuard PortProtector SCV Check Parameters

Following is a description of the parameters which you may use to perform checks of SafeGuard PortProtector Client, in addition to checking its existence on the endpoint. Syntax and examples are provided for each parameter.

6.7.1 General

There are 5 parameters you can use to check the status of SafeGuard PortProtector. All the parameters are optional.

The parameters are compared with the current SafeGuard PortProtector information which is displayed in the SafeGuard PortProtector Client Options window.

6.7.2 Parameter Format and Description

6.7.2.1 MinimumVersion

Description: "Verified" for versions with the number greater than or equal to MinimumVersion.

Format: 0-255.0-255.0-65535

Examples: 3.0.12444

3.1.0

6.7.2.2 PolicyUpdatedSinceDate

Description: "Verified" if the last policy update was performed on or after PolicyUpdatedSinceDate. Date is mandatory, time is optional.

Format: DD.MM.YYYY HH:MM:SS

Examples: 24.08.2006 12:32:00

12.06.2005

6.7.2.3 PolicyID

Description: "Verified" if the current policy is equal to one of the PolicyIDs described by the parameter.

Format: PolicyID1$$PolicyID2$$PolicyID3 …

Notes: Policy version and ID should be added to the policy name. For example, if the policy name is “Policy1”, its version is 0 and its ID is 1, it should be “Policy1 0 / 1”.

One space should be added to the Initial policy name: “Sophos Initial Policy “

Examples: Company Policy 0 / 1

My Policy 5 / 10$$Sophos Initial Policy $$Policy2 0 / 1


6.7.2.4 ProtectionStatus

Description: "Verified" if the current protection status is one of the defined statuses. Currently there are three statuses: STATUS_PROTECTED, STATUS_ERROR and STATUS_SUSPENDED.

Format: Status1$$Status2$$Status3 …

Examples: STATUS_PROTECTED

STATUS_SUSPENDED$$STATUS_PROTECTED$$STATUS_ERROR

6.7.2.5 ServerID

Description: "Verified" if the Server Name is equal to one of the ServerIDs described by the parameter. This parameter is applicable to versions 3.1 and later.

Format: ServerID1$$ServerID2$$ServerID3 …

Examples: Unknown

Unknown$$ABC$$ServerID
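As an added example (not the DLL Sophos ships), the following Python models how the five parameters above are evaluated against what the Client Options window shows, so that an administrator can test a parameter set such as Example 3 before installing the SCV Policy. It enforces the documented formats (0-255.0-255.0-65535 for MinimumVersion, DD.MM.YYYY with optional HH:MM:SS for PolicyUpdatedSinceDate, the three known protection statuses) and reports a format error rather than silently verifying; both spellings PolicyID (this section) and PolicyId (Example 3) are accepted because the guide uses both. The ClientState values are constructed.

```python
"""Reference model of the five SafeGuardPortProtectorScv parameter checks (6.7.2).
Added example, not the DLL Sophos ships; the client state is constructed, and both
spellings PolicyID (section heading) and PolicyId (Example 3) are accepted."""
from dataclasses import dataclass
from datetime import datetime

VERSION_LIMITS = (255, 255, 65535)           # Format: 0-255.0-255.0-65535
STATUSES = {"STATUS_PROTECTED", "STATUS_ERROR", "STATUS_SUSPENDED"}


def parse_version(text):
    """'3.0.12444' -> (3, 0, 12444); ValueError on anything outside the documented format."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version {text!r}")
    nums = tuple(int(p) for p in parts)
    if any(n > limit for n, limit in zip(nums, VERSION_LIMITS)):
        raise ValueError(f"version component out of range in {text!r}")
    return nums


def parse_date(text):
    """DD.MM.YYYY with optional HH:MM:SS, as used by PolicyUpdatedSinceDate."""
    for fmt in ("%d.%m.%Y %H:%M:%S", "%d.%m.%Y"):
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"bad date {text!r}")


def alternatives(text):
    """Split a $$-separated list.  Surrounding spaces are kept on purpose: the guide makes the
    trailing space of 'Sophos Initial Policy ' significant."""
    return text.split("$$")


@dataclass
class ClientState:
    """What the Client Options window shows on the endpoint (constructed for this example)."""
    installed: bool
    version: str
    policy_id: str          # "<policy name> <version> / <ID>", e.g. "Policy1 0 / 1"
    policy_updated: str     # DD.MM.YYYY HH:MM:SS
    protection_status: str
    server_id: str


def evaluate(params, client):
    """Return (verified, reasons).  Any failing parameter leaves the endpoint unverified; a parameter
    that does not follow its documented format is reported as a format error instead."""
    if not client.installed:
        return False, ["SafeGuard PortProtector Client is not installed"]
    reasons = []
    try:
        for name, value in params.items():
            if name == "MinimumVersion":
                if parse_version(client.version) < parse_version(value):
                    reasons.append(f"MinimumVersion: client {client.version} is below {value}")
            elif name == "PolicyUpdatedSinceDate":
                if parse_date(client.policy_updated) < parse_date(value):
                    reasons.append(f"PolicyUpdatedSinceDate: last update {client.policy_updated} is before {value}")
            elif name in ("PolicyID", "PolicyId"):
                if client.policy_id not in alternatives(value):
                    reasons.append(f"{name}: {client.policy_id!r} not in {value!r}")
            elif name == "ProtectionStatus":
                wanted = alternatives(value)
                if not set(wanted) <= STATUSES:
                    raise ValueError(f"unknown status in {value!r}")
                if client.protection_status not in wanted:
                    reasons.append(f"ProtectionStatus: {client.protection_status} not in {value}")
            elif name == "ServerID":
                if client.server_id not in alternatives(value):
                    reasons.append(f"ServerID: {client.server_id!r} not in {value!r}")
            else:
                raise ValueError(f"unknown parameter {name!r}")
    except ValueError as exc:
        return False, [f"format error: {exc}"]
    return not reasons, reasons


# Example 3's parameters, and a constructed endpoint that satisfies them.
EXAMPLE_3_PARAMS = {
    "PolicyId": "Policy1 0 / 1$$Sophos Initial Policy ",
    "ProtectionStatus": "STATUS_PROTECTED",
    "PolicyUpdatedSinceDate": "23.08.2006 17:17:00",
    "MinimumVersion": "3.0.12444",
}
COMPLIANT = ClientState(True, "3.1.0", "Policy1 0 / 1", "01.09.2006 08:00:00", "STATUS_PROTECTED", "Unknown")
```

The reasons list is what you would want in a help-desk runbook: the end user only sees the generic mismatch or format-error message shown in the figures above, while the administrator can see which parameter the endpoint failed and whether the cause is the endpoint or a malformed value in local.scv.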


7 Appendix B - NAC Interoperability

About This Appendix

This appendix explains how SafeGuard PortProtector Client interacts with Cisco Trust Agent (CTA) and Cisco Secure Access Control Server (ACS) to enhance your network's security. It contains the following sections:

What is NAC, page 95, describes Cisco's NAC (Network Access Control) and its benefits.

Posture Validation, page 95, explains how attributes, such as those reported by SafeGuard PortProtector Client through CTA, are validated by ACS.

SafeGuard PortProtector and NAC, page 82, describes how Sophos interfaces with NAC to provide comprehensive network protection.

Configuring Posture Validation Policies, page 96, describes the process of importing the SafeGuard PortProtector Client Attribute-Value Pairs (AVP) file and provides a link to Cisco documentation of posture validation policy configuration.

Attribute–Value Pairs (AVP) File, page 98, provides a sample AVP file which should be imported into ACS in order to check SafeGuard PortProtector Client attributes.


7.1 What is NAC

NAC is a set of technologies and solutions built on an industry initiative led by Cisco Systems. It uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats. Customers using NAC can limit network access only to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the access of noncompliant devices.

7.1.1 Benefits of NAC

Dramatically improves any network's security—NAC ensures that all endpoints conform to the latest security policy, regardless of the size or complexity of the network. With NAC in place, you can focus operations on prevention, rather than on reaction. As a result, you can proactively protect against intruders and leakage.

Extends the value of your existing investments—Besides being integrated into the Cisco network infrastructure, NAC enjoys broad integration with antivirus, security, and management solutions from dozens of leading manufacturers.

NAC provides deployment scalability and comprehensive span of control—NAC provides admission control across all access methods (LAN, WAN, wireless, and remote access).

Increases enterprise resilience—NAC prevents noncompliant and rogue endpoints from affecting network availability.

Reduces operational expenses—NAC reduces the expense of identifying and repairing noncompliant, rogue, and infected systems.

7.2 Posture Validation

The term posture is used to refer to the collection of attributes that play a role in the conduct and "health" of the endpoint device that is seeking access to the network, and that can be checked. Some of these attributes relate to the endpoint device-type and operating system; other attributes belong to various security applications that might be present on the endpoint, such as SafeGuard PortProtector Client (refer to SafeGuard PortProtector Client Attributes on page 96 for a list of SafeGuard PortProtector Client attributes).

Posture validation refers to the act of applying a set of rules to the posture data to provide an assessment (posture token) of the level of trust that you can place in that endpoint. The posture token is one of the conditions in the authorization rules for network access. Posture validation, together with the traditional user authentication, provides a complete security assessment of the endpoint device and the user.

Cisco Secure Access Control Server Release 4.0 for Windows, hereafter referred to as ACS, supports posture validation when ACS is deployed as part of a broad Cisco Network Access Control (NAC) solution.

CTA, which includes a Posture Agent (PA), delivers the SafeGuard PortProtector Client posture attributes to ACS, which performs the evaluation of the posture attributes.


7.3 SafeGuard PortProtector and NAC

During installation of the SafeGuard PortProtector Client, a DLL is installed (SProtectorPP.dll) that communicates the status of various SafeGuard PortProtector attributes (see below) to CTA. CTA, which includes a Posture Agent, delivers the posture attributes to ACS, which performs evaluation of the posture attributes.

If one or more of the attribute checks fail, the endpoint's access to the organizational network is blocked.

7.3.1 SafeGuard PortProtector Client Attributes

In addition to checking for the existence of a SafeGuard PortProtector Client on the endpoint, the following parameters may be checked and reported to the CTA Posture Agent:

Software version

SafeGuard PortProtector policy name

SafeGuard PortProtector policy ID

SafeGuard PortProtector policy revision

SafeGuard PortProtector policy type

SafeGuard PortProtector policy update time

7.4 Configuring Posture Validation Policies

A Posture Validation policy is where you define validation checks for SafeGuard PortProtector Client attributes. These checks are performed on the attributes communicated by SafeGuard PortProtector Client by means of SProtectorPP.dll to the CTA Posture Agent, and reported by CTA to ACS. In order to enable you to configure policies for SafeGuard PortProtector Client attributes, the SafeGuard PortProtector Attribute-Value Pairs (AVP) file, which defines these attributes, needs to be imported into ACS.

Note: Basic instructions are provided below. For additional details please refer to Cisco ACS documentation, available from:

http://www.cisco.com/application/pdf/en/us/guest/products/ps6439/c2001/ccmigration_09186a008053d5e4.pdf

OR http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e956.html


To import the AVP file into ACS policy:

1 If you have not yet done so, install SafeGuard PortProtector Client on relevant endpoints. This automatically copies two files into c:\Program Files\Common Files\PostureAgent\Plugins:

SProtectorPP.inf: includes a description of SafeGuard PortProtector Client attributes and their identification.

SProtectorPP.dll: performs checks of SafeGuard PortProtector Client attributes, the posture of which is reported to CTA.

2 Prepare a SafeGuard PortProtector AVP file according to the example provided in Attribute–Value Pairs (AVP) File on page 98.

3 Open a command window on ACS.

4 Navigate to %\Program Files\Cisco Systems\CiscoSecure ACS 4.0\bin.

5 Drop the AVP file (AVPfilename) into this folder.

6 Run csutil -addAVP AVPfilename. The system will begin adding each attribute from the AVP file. When the process is completed, the following message appears:

---AVP Summary---

(N) AVPs have been added to the dictionary <DB>.

7 Restart the csauth, csadmin and cslogd services. The attributes are now imported into ACS.

8 Set up a profile, and create posture validation policies in the Posture Validation Page. This is explained in User help for Cisco Secure ACS for Windows, available from:

http://www.cisco.com/application/pdf/en/us/guest/products/ps6439/c2001/ccmigration_09186a008053d5e4.pdf

OR

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e984.html#wp1196118


7.5 Attribute–Value Pairs (AVP) File

The AVP file describes the SafeGuard PortProtector Client attributes necessary for posture validation. The file should be imported into ACS as explained in the previous section. The example provided below contains all available SafeGuard PortProtector Client attributes. You may delete the sections that apply to attributes which you do not wish to check.

    [attr#0]
    vendor-id=24493
    vendor-name=Sophos
    application-id=5
    application-name=HIPS
    attribute-id=32768
    attribute-name=Software-Name
    attribute-profile=in out
    attribute-type=string

    [attr#1]
    vendor-id=24493
    vendor-name=Sophos
    application-id=5
    application-name=HI PS
    attribute-id=32769
    attribute-name=Version
    attribute-profile=in out
    attribute-type=version

    [attr#2]
    vendor-id=24493
    vendor-name=Sophos
    application-id=5
    application-name=HIPS
    attribute-id=32770
    attribute-name=Policy-Name
    attribute-profile=in out
    attribute-type=string

    [attr#3]
    vendor-id=24493
    vendor-name=Sophos
    application-id=5
    application-name=HIPS
    attribute-id=32771
    attribute-name=Policy-ID
    attribute-profile=in out
    attribute-type=string

    [attr#4]
    vendor-id=24493
    vendor-name=Sophos
    application-id=5
    application-name=HIPS
    attribute-id=32772
    attribute-name=Policy-Revision
    attribute-profile=in out
    attribute-type=string

    [attr#5]
    vendor-id=24493
    vendor-name=Sophos
    application-id=5
    application-name=HIPS
    attribute-id=32773
    attribute-name=Policy-Type
    attribute-profile=in out
    attribute-type=unsigned integer

    [attr#6]
    vendor-id=24493
    vendor-name=Sophos
    application-id=5
    application-name=HIPS
    attribute-id=32774
    attribute-name=Policy-Update-Time
    attribute-profile=in out
    attribute-type=date
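The following Python validator is an added example, not a Sophos or Cisco tool, for checking an AVP file before running csutil -addAVP: it parses the [attr#N] sections, requires the eight keys every section above carries, rejects duplicate or non-numeric attribute-ids, gaps in the section numbering and attribute types other than the four the file uses, and re-renders a filtered, renumbered file when you delete the attributes you do not wish to check. The rules are inferred from the file above, not from Cisco documentation; SAMPLE_AVP holds three of the seven sections (renumbered) and BROKEN_AVP is a constructed variant with a typo and a duplicated id.

```python
"""Validator and filter for the SafeGuard PortProtector AVP file imported with csutil -addAVP.
Added example, not a Sophos or Cisco tool.  The rules below are inferred from the sample file
in the guide, not from Cisco documentation; SAMPLE_AVP and BROKEN_AVP are constructed."""
import re

REQUIRED = ("vendor-id", "vendor-name", "application-id", "application-name",
            "attribute-id", "attribute-name", "attribute-profile", "attribute-type")
TYPES_SEEN = {"string", "version", "unsigned integer", "date"}   # the types the guide's file uses

def parse_avp(text):
    """One {key: value} dict per [attr#N] section, in file order; ValueError on structural slips."""
    attrs, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[attr#(\d+)\]", line)
        if header:
            if int(header.group(1)) != len(attrs):
                raise ValueError(f"line {lineno}: expected [attr#{len(attrs)}] (number from 0, no gaps)")
            current = {}
            attrs.append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value inside an [attr#N] section")
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()      # tolerates 'vendor-name= Sophos'
    return attrs

def validate_avp(attrs):
    """Problems to fix before running csutil; an empty list means the file looks clean."""
    problems, seen_ids = [], {}
    for n, attr in enumerate(attrs):
        tag, aid = f"attr#{n}", attr.get("attribute-id", "")
        missing = [k for k in REQUIRED if k not in attr]
        if missing:
            problems.append(f"{tag}: missing {', '.join(missing)}")
        if not aid.isdigit():
            problems.append(f"{tag}: attribute-id must be numeric")
        elif aid in seen_ids:
            problems.append(f"{tag}: attribute-id {aid} already used by attr#{seen_ids[aid]}")
        seen_ids.setdefault(aid, n)
        if attr.get("attribute-type") not in TYPES_SEEN:
            problems.append(f"{tag}: unexpected attribute-type {attr.get('attribute-type')!r}")
        profile = set(attr.get("attribute-profile", "").split())
        if not profile or not profile <= {"in", "out"}:
            problems.append(f"{tag}: attribute-profile must be 'in', 'out' or 'in out'")
    if len({(a.get("vendor-id"), a.get("application-id")) for a in attrs}) > 1:
        problems.append("vendor-id/application-id differ between sections")
    return problems

def select_attributes(attrs, keep_names):
    """Keep only the attributes you intend to check (the guide allows deleting the others)."""
    return [a for a in attrs if a.get("attribute-name") in keep_names]

def render_avp(attrs):
    """Write the sections back out, renumbered [attr#0].. so csutil still sees a contiguous file."""
    out = []
    for n, attr in enumerate(attrs):
        out.append(f"[attr#{n}]")
        out.extend(f"{k}={v}" for k, v in attr.items())
        out.append("")
    return "\n".join(out)

SAMPLE_AVP = """[attr#0]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32768
attribute-name=Software-Name
attribute-profile=in out
attribute-type=string

[attr#1]
vendor-id=24493
vendor-name= Sophos
application-id=5
application-name=HIPS
attribute-id=32769
attribute-name=Version
attribute-profile=in out
attribute-type=version

[attr#2]
vendor-id=24493
vendor-name=Sophos
application-id=5
application-name=HIPS
attribute-id=32774
attribute-name=Policy-Update-Time
attribute-profile=in out
attribute-type=date
"""

# Constructed: a typo in a type and a duplicated attribute-id, slips csutil's summary line will not explain.
BROKEN_AVP = (SAMPLE_AVP.replace("attribute-type=version", "attribute-type=verison")
              .replace("attribute-id=32774", "attribute-id=32768"))
```

Run `validate_avp(parse_avp(open(path).read()))` against the file you are about to drop into the ACS bin folder; if you trim attributes with `select_attributes`, write the result of `render_avp` back out rather than deleting sections by hand, so the numbering stays contiguous.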