
ESM 3.2 Installation and Quick


Contents

1. rather than user based policies

   POLICYTYPE=2
      Change ZSC to user based policies. Use to change MSI installed ZSCs to accept user based rather than machine based policies.
   STVA=Adapter name
      Add Virtual Adapter. Use to activate policy control over a virtual adapter.
   /L*v c:\log.txt
      Turn on logging. Use to activate logging at installation. If not, this will have to be done through the ZSC Diagnostics tools (see Administrator's Manual).

   Distributing a Policy with the MSI Package

   The default policy included at MSI installation can be replaced with an enterprise configured policy. To push down a specific policy with the MSI image, perform the following steps:

   Step 1: Create a policy to be distributed to all users through the Management Console (see the Administrator's Manual for details on Policy Creation).
   Step 2: Export the policy; save it as policy.sen.
   Note: All policies distributed in this manner (unmanaged) MUST be named policy.sen in order for the ZSC to accept them. Policies not named policy.sen will not be implemented by the ZSC.
   Step 3: Open the folder the policy was exported into and copy the policy.sen and setup.sen files.
   Step 4: Browse to the created MSI image and open the program files\Novell\ZENworks Security Client folder.
   Step 5: Paste the policy.sen and setup.sen files into the folder. This will replace the default policy.sen and setup.sen files.

   User Installation
2. Permission Settings Organization Table 0 0 eee eh 47 Publish TO Settings tios RR ewe dba oe beds ay wae tebe ae bib EA 48 Figure 34 Publish Lo Listei m ia is ot A RE RE ARR OE BOE ESR ME BRE CU Ree ere Re ORN 48 Figure 35 Uninstall Password eese EUR Ve eb eve Rb sete SE Eb CE b Ee 53 Figure 36 Management SEIS cs adre aiee BRESUPULEUee gee EESDeBRESSqU EResq iecur dk 54 Figure 37 User or Machine based policies 0 2 0 0 ee cece t 54 Figure 38 Select Network Location for MSI Image o ooooooocorororo ene eee 56 Figure 39 Replace the Default Files in the MSIPackage seseeeeeee III 56 Figure 40 Open Properties in either Root Domain or OU sseseeeeseeeee ete eee 57 Figure 41 Select the MSI package to add 57 Figure 42 Select Not Connected to ESM Servers llle 61 2007 Novell Inc All Rights Reserved List of Tables Table 1 ESM System Requirements 7 Table 2 Command Line Variables sory iaoea i eee cence tenn eee m hr 58 2007 Novell Inc All Rights Reserved Introduction ESM consists of five high level functional components Policy Distribution Service Management Service Management Console Client Location Assurance Service and the ZENworks Security Client The figure below shows these components in the architecture ZENworks Endpoint Security Management DMZ DEMILITARIZED ZONE CENTRAL MANAGEMENT LOCATION SECURE ssuran SSL Link ai
3. Service Figure 13 Enter MS Server Name Step 3 Novell SSL Certificates are created for the installation If you wish to use your own SSL certificates please go to Custom Installation These certificates MUST be distributed to all end users Step 4 The installer will detect the available SQL databases on the machine and network Select the SQL database for the Management Service and enter the database administrator s username and password if the password is zero characters the installer will warn of the potential security issue The username and password CANNOT be a domain user it must be a SQL user with SysAdmin rights 29 Select SQL Server for the Management Service DISTSQL Installshield Figure 14 Select MS SQL Database Step 5 Select the SQL database for the Reporting Service and enter the database administrator s password for that database If you plan to capture and store a large number of reports it is recommended that the Reporting Service database be given its own SQL server Select SQL Server for the Reporting Service InstallShield Figure 15 Select Reporting Service Database 30 Step 6 If ESM has already been purchased a separate license file is provided Copy the license file to this server and browse for it see the instructions page included with your License file for more details If you have not yet purchased an ESM license select 60 Day Evaluat
4. The Management Console is used to both configure the Management Service and to create and manage user and group security policies Policies can be created copied edited disseminated or deleted using the editor Client Location Assurance Service provides a cryptographic guarantee that ZENworks Security Client are actually in a defined location as other existing network environment parameters indicate System Requirements Table 3 ESM System Requirements Server System Requirements Endpoint System Requirements Operating Systems Microsoft Windows 2000 Server SP4 Microsoft Windows 2000 Advanced Server SP4 Windows 2003 Server Processor 3 0 GHz Pentium 4 HT or greater 756 MB RAM minimum 1 GB Recommended Disk Space 500 MB Without local Microsoft SQL database 5 GB With local MS SQL database SCSI recom mended Required Software Supported RDBMS SQL Server Standard SQL Server Enterprise Microsoft SQL Server 2000 SP4 SQL 2005 Microsoft Internet Information Services config ured for SSL Supported Directory Services eDirectory Active Directory or NT Domains 2 NT Domains is only supported when the Management Ser vice is installed on a Windows 2000 or 2000 advanced server SP4 Operating Systems Windows XP SP1 Windows XP SP2 Windows 2000 SP4 Processor 600MHz Pentium 3 or greater Minimum 128 MB RAM 256 MB or greater recom mended Disk Space 5 MB required 5 addition
5. or connected via VPN a secured network. For organizations planning to frequently update their ESM security policies, it is recommended a multi-server installation be used that places the Policy Distribution Service on a web server outside the DMZ.

   What type of server deployments are available to you? If your organization only has a few servers available, then a Single Server installation deployment may be necessary. If server availability isn't an issue, then the size of your client deployment and the number of users operating outside the firewall should be taken into consideration.

   What is your available SQL Server deployment? ESM creates three SQL databases at installation. If your deployment is small, a single SQL database or a server-side DB could be installed on the Policy Distribution and Management Service's server(s). For larger deployments, a separate SQL database server should be employed to receive the data from the Policy Distribution and Management Services. Only the following RDBMS types are allowed: SQL Server Standard, SQL Server Enterprise, Microsoft SQL Server 2000 SP4.

   If a named instance, the configuration of the server(s) should be as follows:

      Provider=sqloledb
      Data Source=ServerName\InstanceName (this definition type is REQUIRED for ESM to install)
      Initial Catalog=DatabaseName
      User Id=Username
      Password=Password

   Set SQL to mixed mode. The username and password during installation CANNOT be a domain user, it must
6. or select a series by selecting the top then holding down the SHIFT key then selecting the bottom selection When all users groups have been selected click the OK button This will add the users groups to the selected name s publish list AL Permissions Administrative Demos Publish To Settings Administrator Administrator corpdomain X User Groups Organizations ME corpdomain SYSTEM 84 Administrators corpdomain 84 Domain Admins corpdomain amp Domain Users corpdomain amp Enterprise Admins corpdomain amp Group Policy Creator Owners corpdomain amp Schema Admins corpdomain 84 Users corpdomain Close Add Remove Figure 34 Publish To List 48 Step 3 To remove a selected user group highlight the name in the list and click Remove The selected name will be moved back to the Organization Table The permission sets are immediately implemented so the administrator only needs to click Close and accept the changes to return to the editor When a new directory service is added the Resource Account entered is granted full permissions settings as described above Publishing a Policy To Publish a security policy with the default settings perform the following steps Step 1 Click Create New Policy Step 2 Enter a name for the policy and click Create Step 3 Save the policy and click the Publish tab Step 4 Since ZSC users must check in to display in the tree s
7. Data O Authenticating Service Configured Figure 23 Communication Verification Step 15 If this installation is occurring on a member server for a domain carrying a directory service the installer will automatically detect and add the following data into the installation using a secure read only connection e Root domain name or machine name Domain administrator s name or a resource account with appropriate read permissions Note The password entered here should be set to not expire nor should this account ever be disabled Step 16 Enter the administrator s password in the space provided and click Test to verify connection can be established If the test is successful click Save If the test fails or the correct domain is not detected it will need to be added manually through the Management Console see Adding Directory Services on page 44 Step 17 The Management Service is now installed click FINISH to close the installation program and launch the performance monitor 37 Starting the Service The Management Service launches immediately following installation with no reboot of the server required The Management Console is used to manage the data on the Management Service see the ESM Administrator s Guide for more details Novell recommends installing the Management Console on this server If installing the Management Console on a separate machine copy the ESM Setup Files directory either via a netshare o
8. Server ASP NET 1 1 will be configured e Printers to run by the installer Novell also recommends using the IIS Lockdown Tool 2 1 available at microsoft com Version 2 1 is driven by supplied templates for the major IIS dependent Microsoft products Select the template that most closely matches the role of this server If in doubt the Dynamic Web server template is recommended 51 Installation Steps To install the CLAS and generate a license key perform the following steps Step 1 Click NEXT on the Welcome screen to continue Step 2 Accept the Licensing Agreement and click NEXT Step 3 The installation will copy files to the default directory Program Files Novell ESM CLAS Step 4 The installation of the Client Location Assurance Service generates two keys the privatekey and the publickey The publickey file may be stored on the desktop or a different directory If you wish to store the publickey file in a different directory click Yes and browse to the desired folder Click No to accept the default to store the publickey file with the privatekey file Step 5 CLAS is now installed click FINISH to close the installation program The public key will need to be accessible to the Management Service CLAS Failover Installations Multiple CLAS iterations may be installed on servers throughout the enterprise to either cryptographically assure multiple enterprise locations or to assure that if the primary CLAS server goes down th
9. [Figure 41: Select the MSI package to add]

   The MSI Package can now be pushed to all users.

   Command line Variables

   Command line variable options are available for MSI installation. These MUST be set in the executable shortcut that is set to run in administrator mode (installation steps above). To use a variable, the following command line must be entered in the MSI shortcut:

      setup.exe /a /V"variables"

   Enter any of the commands below between the quotation marks. Separate multiple variables with a single space.

   Example: setup.exe /a /V"STDRV=stateful STBGL=1" creates an MSI package where the ZENworks Security Client will boot in All Stateful, with strict white listing enforced.

   Note: Booting in stateful MAY cause some interoperability issues DHCP address delays No
10. ZSC onto this machine an MSI package may also be created for an Unmanaged ZSC r y ZENworks Security Client InstallShield Wizard Centrally Managed or Unmanaged Will the ZENworks Security Client be centrally managed gets policies from a server or unmanaged imports policies from Files Select Not connected to ESM servers if you are receiving your policies locally importing the policies From Files OWer O Not connected to ESM servers policies received as files Figure 42 Select Not Connected to ESM Servers Stand Alone Management Console This configuration allows an ESM Management Console to be installed and create policies without connecting to an outside Management Service or distributing policies through the Policy Distribution Service Select Stand Alone Management Console Installation from the Master Installer menu and follow the instructions on page 39 for installation At the start of the installation a SQL database is installed first if one exists on the machine the installer will setup the appropriate databases instead Once the database is installed the installation will stop The machine will need to be restarted to activate the SQL database Following reboot activate the installation again to continue 61 Most policy functionality is available for deployment with the exception of Reporting All exported policy files will need to be distributed to an ZSC s
11. be a SQL user with SysAdmin rights Will you use existing Certificates to establish SSL communication or will you use Novell Self Signed Certificates For disaster recovery and or failover designs it is recommended that you use enterprise or otherwise issued Certificate Authority i e VeriSign GeoTrust Thawte etc SSL certificates for full deployments of ESM When using your own certificates the web service certificate and root CA be created on the machine designated as the Policy Distribution Service then distributed to the appropriate machines To create an Enterprise Certificate Authority see the step by step instructions for securely setting up a certificate authority available at microsoft com For evaluations or small deployments lt 100 users ESM has self signed certificates that may be used Novell SSL Certificates will be installed onto the servers when running the typical installation How will you deploy your ZENworks Security Clients The ZENworks Security Client software may be deployed either individually onto each endpoint or through an MSI push Instructions on creating an MSI package may be found on page 55 Do you want policies to be machine based or user based Policies can be distributed to a single machine where every user who logs onto it will receive the same policy or policies can be set for individual users or groups Each installation has several pre requisites It is recommended that each check l
12. program.

   Step 8: Once the software is installed, the user will be prompted to restart their machine.

   Note: You can optionally copy the certificate for the Management Service into a folder co-located with setup.exe prior to running the installation. This will automatically install the certificate onto the machine (e.g., for all users). This process can also be done with the Novell-issued license.dat file.

   MSI Installation

   This will create an MSI Package for the ZENworks Security Client. This package is used by a system administrator to publish the installation to a group of users via an Active Directory policy, or through other software distribution methods. To create the MSI package, perform the following steps.

   If installing from the CD or ISO master installer, and if you're not planning to run any command line variables (see Command line Variables on page 58):

   Step 1: Insert the CD and wait for the master installer to launch.
   Step 2: Click Product Installation.
   Step 3: Click Security Client.
   Step 4: Click Create ZSC MSI Package. The installer will launch.

   If using just the setup.exe for installation (the executable can be either downloaded from the Novell installations site or found on the CD under D:\ESM32\ZSC), begin with the following:

   Step 1: Right-click setup.exe.
   Step 2: Select Create Shortcut.
   Step 3: Right-click the shortcut and select Properties.
   Step 4: At the end of the Target field, AFTER the qu
13. the Export feature as described above
14. the following pre requisites PRIOR to beginning the installation L Ensure Management Service MS to Policy Distribution Service DS server name resolution the target computer where the MS will be installed can ping the DS server name NETBIOS if the DS will be configured inside the network firewall FQDN if installed outside in the DMZ O If successful this is the server name to enter during installation step 9 If unsuccessful you will have to resolve this BEFORE continuing with the installation O Ensure ZENworks Security Client ZSC to DS server name resolution validate that the endpoint clients where the ZSC will be installed can ping the same DS server name used above If unsuccessful you will have to resolve this BEFORE continuing with the installation O Enable Install Microsoft Internet Information Services IIS ensure ASP NET is enabled and configure it to accept Secure Socket Layer SSL Certificates O If using your own SSL certificates ensure that the web service certificate is loaded on the machine and that server name validated in the previous steps whether NETBIOS or FQDN matches the Issued to value for the certificate configured in IIS O If using your own SSL certificates please validate the SSL from the MS server to the DS server open a web browser on the Management Service and enter the following URL https DSNAME where DSNAME is the server name of the DS This should return vali
15. user with SysAdmin rights Select SQL Server for the Distribution Service Installshield Figure 7 Select SQL Server Step 3 Set the database name default is entered as STDSDB 21 Step 4 Enter the password for the Policy Distribution Service agent This is the username and password the service will use to login to its SQL database Novell ESM Policy Distribution Service InstallShield Wizard Password for DS_STDSDB_USER at DISTSERVER Novell Enter a password for the SQL agent account that will be created by Setup the SQL agent account name will be DS_STDSDB_USER The SQL agent account uses this password to authenticate to the STDSDB database in order to manage the data contained therein Please make the password at least 6 but less than 32 characters in length Distribution ATTENTION Make note of this password because you will need it to complete the Management Service Service setup User Ds STDSDB USER at DISTSERVER Password Confirm Figure 8 Distribution Service SQL Password 22 Step 5 Enter the Policy Distribution Service domain name This MUST be the fully qualified domain name if the server will reside outside the corporate firewall Otherwise only the NETBIOS name for the server is required Novell ESM Policy Distribution Service InstallShield Wizard x Enter Text Please enter information in the field below Novell Please enter the fully qualified do
16. 2 ay amp Details Y A lia BL srEnaLocation Module Figure 39 Replace the Default d HTML Help file Ce Transforms ESM MS Security Certificate 1 KB policy sen SEN File OKB Setup sen SEN File OKB STEngine de EN STEngRule dll Files in the MSI Package STEnaRule Module 56 To set the MSI package to be pushed down to user groups like a Group Policy perform the following steps Step 1 Open Administrative Tools Active Directory Users and Computers and open either Root Domain or OU Properties lE active Directory Users and Computers A A M 8 aielsd lt Console Window Help 18 x amp ww e gt Gm se AS Simia v dc Tree STQA senforce com 9 objects Name Delegate Control ain Buil Find Default container For upgr Comput Doa ional Default container For new d asia O DONAN OH vis Ens Default container For secu Operations Masters Ionas a Mark s MM nal H Ryan s New Bional Senforc All Tasks Bona H A Todd s Default container For upar Users View b a New Window From Here Refresh Export List Properties Opens property she Figure 40 Open Properties in either Root Domain or OU Step 2 Click the Group Policy tab and click Edit Step 3 Add the MSI Package to Computer Configuration gt Group Policy Cf x Action view gt Am AE
17. BIOS change DNS configurations modifying the local host file on the target computers to include the correct MS information etc Enable Install Microsoft Internet Information Services IIS and configure it to accept Secure Socket Layer SSL Certificates If using your own SSL certificates ensure that the web service certificate and root CA are loaded on the machine and that server name validated in the previous steps whether NETBIOS or FQDN matches the Issued to value for the certificate configured in IIS If you are using your own certificates or have already installed the Novell Self Signed Certificate you can validate SSL as well by trying the following URL from a machine that will have the ZSC installed on it https SSI SERVER NAME AuthenticationServer UserService asmx Where SSI SERVER NAME should be the server name This should return valid data an html page and NOT certificate warnings ANY certificate warnings MUST be resolved before installation unless you opt to use Novell Self Signed Certificates instead Ensure access to a supported RDBMS It is recommended that the SSI Server be configured hardened so as to deactivate all applications services accounts and other options not necessary to the intended functionality of the server The steps involved in doing so depend upon the specifics of the local environment and so cannot be described in advance Administrators are advised to consult the appro
18. Dai is under no obligation to provide any services, by way of maintenance, update, or otherwise. THE SOFTWARE AND ANY DOCUMENTATION ARE PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL WEI DAI OR ANY OTHER CONTRIBUTOR BE LIABLE FOR DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

   4. Users will not use Wei Dai or any other contributor's name in any publicity or advertising, without prior written consent in each case.
   5. Export of this software from the United States may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
   6. Certain parts of this software may be protected by patents. It is the users' responsibility to obtain the appropriate licenses before using those parts.

   If this compilation is used in object code form in an application software, acknowledgement of the author is not required but would be appreciated. The contribution of any useful modifications or extensions to Wei Dai is not required but would also be appreciated.

   Contents: Contents; List of Figures; List of Tables; Introduction; System Requirements
19. Novell ZENworks Endpoint Security Management Version 3 2 Installation and Quick Start Guide June 14 2007 2007 Novell Inc All Rights Reserved The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement PN IG300MWE Document Version 1 0 supporting Novell ESM 3 2 and subsequent version 3 releases Legal Notices Novell Inc makes no representations or warranties with respect to the contents or use of this documentation and specifically dis claims any express or implied warranties of merchantability or fitness for any particular purpose Further Novell Inc reserves the right to revise this publication and to make changes to its content at any time without obligation to notify any person or entity of such revisions or changes Further Novell Inc makes no representations or warranties with respect to any software and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose Further Novell Inc reserves the right to make changes to any and all parts of Novell software at any time without any obligation to notify any person or entity of such changes Any products or technical information provided under this Agreement may be subject to U S export controls and the trade laws of other countries You agree to comply with all export control regulations and to obtain any required lice
20. Policy Distribution Service installation If you used your existing enterprise certificate authority click The Novell Distribution Service Used a certificate IIS was already configured with If the Distribution Service installer created a Novell certificate click The Novell Distribution Service installed a Novell self signed root certificate 33 Step 3 Enter the name of the server that will host the Management Service Novell ESM Management Service InstallShield Wizard x Enter Text Please enter information in the field below Novell Please enter the name of the Novell Management Service This depends on your network configuration but will either be the local machine name ex CARTER2 or the fully qualified domain name ex carter2 carterdomain m Management Service lt Back C se Cancel Figure 19 Enter MS Server Name Step 4 An SSL Certificate is required for secure communication between the Management Service and all ZENworks Security Clients If you already have a certificate authority click Use the existing certificate IIS is configured for If you need a certificate click Allow Novell to create install and use its own self signed root certificate The installer will create the certificates and the signing authority Regardless of the certificate type these certificates MUST be distributed to all end users Step 5 When selecting Novell certificates select where the certificate can be
21. Program Files\Novell\ZENworks Security Client\ directory.

   Distributing Unmanaged Policies

   To distribute unmanaged policies, perform the following steps:

   Step 1: Locate and copy the Management Console's setup.sen file to a separate folder. The setup.sen file is generated at installation of the Management Console, and placed in Program Files\Novell\ESM Management Console.
   Step 2: Create a policy in the Management Console (see Administrator's Manual).
   Step 3: Use the Export command to export the policy to the same folder containing the setup.sen file. All policies distributed MUST be named policy.sen for the ZSC to accept them.
   Step 4: Distribute the policy.sen and setup.sen files. These files MUST be copied to the Program Files\Novell\ZENworks Security Client\ directory for all unmanaged clients.

   The Setup.sen file only needs to be copied to the unmanaged SSCs once, with the first policy. Afterwards, only new policies need to be distributed.

   If an Unmanaged ZSC is installed on the same machine as the Stand Alone Management Console, the Setup.sen file will also be copied to the Program Files\Novell\ZENworks Security Client\ directory. If the Unmanaged ZSC is installed on the machine after the Stand Alone Editor, the file will need to be transferred manually, as described above.

   Clicking the Publish button will immediately publish the policy to that machine's unmanaged ZENworks Security Client. To provide policies to multiple unmanaged users, use
22. ZENworks Security Client IF you do enter a password here make a note of it because it will be needed to uninstall the ZENworks Security Client O Do not require an uninstall password Enter the uninstall password Confirm the uninstall password Figure 35 Uninstall Password 53 Step 4 Select how policies will be received from Distribution Service for managed clients or retrieved locally for an unmanaged configuration see page 61 for unmanaged details r JE ZENworks Security Client InstallShield Wizard Ex Centrally Managed or Unmanaged Will the ZENworks Security Client be centrally managed gets policies from a server or unmanaged imports policies from Files Select Not connected to ESM servers if you are receiving your policies locally importing the policies From Files O O Not connected to ESM servers policies received as files Figure 36 Management Settings Step 5 Enter the Management Service information Step 6 Select whether policies will be received for users or for the machine machine based policies E Security Client InstallShield Wizard JE Select Policy Type User or Computer Please select if the endpoint is to get User Based Policies or a Computer Based Policy O Computer Based Policy One policy For all users Figure 37 User or Machine based policies Step 7 Click Install to install the
23. al MB recommended for reporting data Required Software Windows 3 1 Installer All Windows updates should be current The Policy Distribution Management and Client Location Assurance services require a LOCAL account of ASP NET to be enabled If this is disabled the services will NOT work correctly About the ESM Manuals The ZENworks Endpoint Security Management manuals provide three levels of guidance for the users of the product ESM Administrator s Manual This guide is written for the ESM Administrators who are required to manage the ESM services create security policies for the enterprise generate and analyze reporting data and provide troubleshooting for end users Instructions for completing these tasks are provided in this manual ESM Installation and Quick Start Guide This guide provides complete installation instructions for the ESM components and assists the user in getting those components up and running ZENworks Security Client User s Manual This manual is written to instruct the end user on the operation of the ZENworks Security Client ZSC This guide may be sent to all employees in the enterprise to help them understand how to use the ZSC ESM Installation The installation software should be physically protected to prevent any tampering or unauthorized use Likewise administrators should review the guidelines for pre installation and installation to ensure the ESM system can function without interru
24. automatically detect and add the following data into the installation using a secure read only connection Root domain name or machine name e Domain administrator s name or a resource account with appropriate read permissions Step 10 Enter the administrator s password in the space provided and click Test to verify connection can be established If the test is successful click Save If the test fails or the correct domain is not detected it will need to be added manually through the Management Console see Adding Directory Services on page 44 Note The password entered here should be set to not expire nor should this account ever be disabled Step 11 The Management Service is now installed click FINISH to close the installation program and launch the performance monitor Custom Installation A custom installation will display the defaults used in the typical installation and will permit the administrator to enter or browse to a different location 32 Step 1 Enter the Policy Distribution Service s agent password created in DS installation Novell ESM Management Service InstallShield Wizard x Edit Data Enter requested data Novell Enter password of the ESM Distribution Service SQL Agent created during the ESM Distribution Service setup Management Service User Distribution Service SQL Agent Password Figure 18 Enter SQL password Step 2 Select the SSL Certificate type used for the
25. bution Service and the Management Service see Policy Distribution Service Installation and Management Service Installation installation steps for further information Like their individual installations the Typical setting will install the Services defaults and the Novell self signing SSL certificates Custom Installation permits the administrator to determine the directory paths and permits the use of an enterprise owned certificate authority Starting the Service The Combined Distribution and Management Service launches immediately following installation with no reboot of the server required The Management Console is used to manage both the Distribution and Management Services using the Configuration feature see the ESM Administrator s Manual for full details Once this installation is complete both the Management Console and the Client Location Assurance Service may be likewise installed on this server If installing the Management Console on a separate machine copy the ESM Setup Files folder to the designated Management Console machine to complete installation Continue to Management Console Installation on page 39 Multi Server Installation Multi Server installation is recommended for large deployments or when the Policy Distribution Service should be placed outside the corporate firewall to ensure users receive regular policy updates when they are outside the perimeter Multi Server installation MUST be done
26. ck Install to create a server image of ZENworks Security Client at the specified network location, or click Cancel to exit the wizard.

Figure 38: Select Network Location for MSI Image

Step 7: Click Install to create the MSI image.

Step 8: Browse to the created MSI image and open the \program files\Novell\ZENworks Security Client\ folder.

Step 9: Copy the Management Service SSL certificate (ESM-MS.cer, or the enterprise certificate) and the Novell License Key into this folder, replacing the default 0 KB files currently in the folder. The ESM-MS SSL certificate is available in the ESM Setup Files folder. The license key is emailed separately (if using the 30-day evaluation, no license key is necessary at this time).
27. d data and NOT certificate warnings (valid data may be "Page under Construction"). ANY certificate warnings MUST be resolved before i

It is recommended that the DS Server be configured (hardened) so as to deactivate all applications, services, accounts, and other options not necessary to the intended functionality of the server. The steps involved in doing so depend upon the specifics of the local environment, and so cannot be described in advance. Administrators are advised to consult the appropriate section of the Microsoft Technet security webpage. Additional access control recommendations are provided in the ESM Administrator's Manual.

Hardening of IIS: To protect access to only trusted machines, the virtual directory and/or IIS can be set up to have ACLs. Reference the articles below:
- Granting and Denying Access to Computers
- Restrict Site Access by IP Address or Domain Name
- IIS FAQ: 2000 IP address and domain name restrictions
- Working With IIS Packet Filtering

For security purposes, it is highly recommended the following default folders be removed from any IIS installation:
- IISHelp
- IISAdmin
- Scripts
- Printers

Novell also recommends using the IIS Lockdown Tool 2.1, available at microsoft.com. Version 2.1 is driven by supplied templates for the major IIS-dependent Microsoft products. Select the template that most closely matches the role of this server. If in doubt, the Dynamic Web server template is recommended.
28. d of the error. Any inaccurate information will be corrected, when possible, by the interface during the test.

Figure 30: Completed Directory Screen

Step 9: Click Save to add this directory service to the database. Click New to add another directory service to the database.

Step 10: Click OK or Cancel to exit the Configuration window and return to the login screen.

Management Console Permissions Settings

This control is found in the Tools menu of the Management Console, and is only accessible by the primary administrator for the Management Service and/or anyone who has been granted permissions access by that administrator. This control is not available when running the Stand-Alone Management Console (see ESM Unmanaged Installation on page 61 for more details).

The permissions settings define which user or group of users are permitted access to the Management Console, Publish Policies, and/or Change Permission Settings.

During the Management Serv
29. Figure 32: Permission Settings Organization Table

- Select the appropriate users/groups from the list. To select multiple users, select individually by holding down the CTRL key, or select a series by selecting the top, then holding down the SHIFT key, then selecting the bottom selection.
- When all users/groups have been selected, click the OK button. This will add the users/groups to the grid on the Permissions form.

Step 3: Assign any (or all) permissions to the available users/groups.

Step 4: To remove a selected user/group, highlight the name and click Remove. The selected name will be moved back to the Organization Table.

Publish To Settings

Users/Groups who have Publish Policy checked will need to be assigned users and/or groups to publish to. To set the Publish To Settings, perform the following steps:

Step 1: Click the Publish Settings tab.

Step 2: Select the users/groups granted the Publish permission from the drop-down list.

Figure 33: Publish To Settings

Assign users/groups to this user/group by:
- Click the Add button on the bottom of the screen; the Organization Table will display.
- Select the appropriate users/groups from the list. To select multiple users, select individually by holding down the CTRL key
30. e location can still be assured. In the case of the second scenario, the private key is located based on URL, rather than IP address. Therefore, a block of servers can be set up to share a single URL. CLAS may either be installed on a single server, then that server's image can be copied to each additional server, or it may be installed on each server separately, and the private and public keys can be copied over to the other servers. ALL servers in a URL block MUST have the same private and public keys.

Transferring the Public Key to the Management Service

After the installation has completed, the generated public key, which will be transferred via security policy to the ZSC, is located in the \Program Files\Novell\Novell ESM CLAS directory on the server. The public key is identified by the filename publickey. This filename can be changed to any name desired. The publickey file will then need to be copied and transferred to the Management Service (anywhere on the service), which will allow the Management Console to access and distribute the key to all ZENworks Security Clients through a security policy, OR the publickey file can be loaded onto a PC running an ESM Management Console.

Continue to ZENworks Security Client Installation on page 53.

ZENworks Security Client Installation

Click the appropriate ZSC installer from the Installation Interface menu. The ZSC installation will begin. The following pages outline the installation p
31. e screen to continue.

Step 2: Accept the Licensing Agreement and click NEXT.

Step 3: Select either a TYPICAL or CUSTOM installation.

Figure 2: Select Typical or Custom Installation

Both installation paths are presented below.

Typical Installation

A typical installation places the Policy Distribution Service software files in the default directory: \Program Files\Novell\ESM Policy Distribution Service. The SQL database name is assigned as STDSDB. The three SQL database files (data, index, and log) are placed in \Program Files\Microsoft SQL Server\mssql\Data.

Step 1: Novell SSL Certificates are created for the installation. If you wish to use your own SSL certificates, please use Custom Installation. These certificates MUST be distributed to all end users.

Step 2: The installer will detect the available SQL databases on the machine and network. Select a secured SQL database for the Policy Distribution Service and enter the database administrator's name and password (if the password is zero characters, the installer will warn of the potential securi
32. e that information.

Step 1: Enter the Policy Distribution Service's hostname (this must be the fully qualified domain name if the Distribution server is deployed outside the enterprise firewall).

Figure 25: Enter Distribution Service Host Name

Step 2: Enter the Management Service hostname.

Step 3: Enter the Management Service SQL database hostname.

Step 4: Enter the Management Service SQL database name.

Figure 26: Enter MS SQL database name

Step 5: Enter the SQL SA username and password identified during Management Service installation.

Step 6: Select the type of SSL Certificate installed on the Policy Distribution Service and the Management Service.

Figure 27: Select Server Certificates

Step 7: Select the directory where the Management Console will be installed (default: \Program Files\Novell\ESM Management C
33. ease refer to the ESM Administrator's Manual, available through the Documentation link.

Installation Options

ESM back-end components can be installed as either Single Server or Multi-Server installations. Single Server installations are ideal for small deployments that do not require regular policy updates. Multi-Server installations are provided for large deployments and/or for regular policy updates. Please consult with Novell Professional Services to determine which installation type is right for you.

ZENworks Security Client can operate (when needed) without connectivity to the Policy Distribution Service. Likewise, a Stand-Alone Management Console can be optionally installed for evaluation purposes. The installation for this Unmanaged mode of operation is described on page 61 of this guide.

Installation Order

ESM should be installed in the following order:
1. Single Server Installation or Multi-Server Installation
   - Policy Distribution Service
   - Management Service
2. Management Console
3. Client Location Assurance Service
4. ZENworks Security Client

Before Installing ESM

There are a few questions the ESM administrator needs to consider prior to beginning installation:

How will your users receive their ESM security policies?

The options for policy distribution center around whether users should be able to receive a policy update anywhere, including outside the central network, or if they should receive them ONLY when they are in
34. Enter SQL password
Enter MS Server Name
Select MS SQL Database
Select Reporting Service Database
Browse for Novell License File
Communication Verification
Figure 18: Enter SQL password
Figure 19: Enter MS Server Name
Figure 20: Select MS SQL Database
Figure 21: Select Reporting Service Database
Figure 22: Browse for Novell License File
Figure 23: Communication Verification
Figure 24: Select Typical or Custom
Figure 25: Enter Distribution Service Host Name
Figure 26: Enter MS SQL database name
Figure 27: Select Server Certificates
Figure 28: Login to ESM Management Console
Figure 29: Authenticating Directories
Figure 30: Completed Directory Screen
Figure 31: Management Console Permissions Settings Window
Figure 32
Figure 33
35. elect the top of the tree on the left. Double-click to populate the publishing field with all current groups and users.

Step 5: Click Publish to send the policy to the Policy Distribution Service.

The policy generated in this manner will have the following characteristics:
- A single location (Unknown) is created
- CD/DVD-ROM drives are allowed
- Removable storage devices are allowed
- All Communications Ports (incl. Wi-Fi) are permitted
- The Firewall Setting All Adaptive (all outbound traffic over networking ports is allowed; unsolicited inbound traffic over networking ports is disallowed) is included

For information on creating a more robust security policy, please see the ESM Administrator's Manual for full details on policy components.

Continue to Client Location Assurance Service Installation on page 51.

Installing USB Reader

Included in the installation package is Novell's USB Reader, which assists the administrator in creating allowed USB device lists. To install the reader, perform the following steps:

Step 1: Click Setup; the installation begins.

Step 2: On the Welcome Screen, click Next to continue.

Step 3: Accept the license and click Next.

Step 4: On the customer information screen, enter the appropriate username and organization information, and select whether anyone on this computer will be permitted access to this software, or just the user entered above.

Step 5: Click Install.

Step 6: Click Finish. The USB Reader
36. Figure 11: Select Typical or Custom

Both installation paths are presented below.

Typical Installation

A typical installation places the Management Service software files in the default directory: \Program Files\Novell\ESM Management Service. The SQL database name is assigned as STMSDB. The three SQL database files (data, index, and log) are placed in \Program Files\Microsoft SQL Server\mssql\Data.

Step 1: Enter the Policy Distribution Service's agent password created in Step 7 of DS installation.

Figure 12: Enter SQL password

Step 2: Enter the name of the server that will host the Management Service.
37. entered in the installation (shown in step 7). If unsuccessful, you will have to resolve this BEFORE continuing with the installation.
- Enable/Install Microsoft Internet Information Services (IIS), ensure ASP.NET is enabled, and configure it to accept Secure Socket Layer (SSL) Certificates.
- If using your own SSL certificates, ensure that the root CA is loaded on the machine and that the server name validated in the previous steps (whether NETBIOS or FQDN) matches the "Issued to" value for the certificate configured in IIS.
- If you are using your own certificates, or have already installed the Novell Self-Signed Certificate, you can validate SSL as well by trying the following URL from a machine that will have the ZSC installed on it: https://MS_SERVER_NAME/AuthenticationServer/UserService.asmx (where MS_SERVER_NAME should be the server name). This should return valid data (an html page) and NOT certificate warnings. ANY certificate warnings MUST be resolved before installation, unless you opt to use Novell Self-Signed Certificates instead.
- Ensure access to a supported RDBMS (Microsoft SQL Server 2000 SP4, SQL Server Standard, SQL Server Enterprise, SQL 2005). Set database to Mixed mode.
- Ensure access to a supported directory service (Active Directory, NT Domains).

It is recommended that the MS Server be configured (hardened) so as to deactivate all applications, services, accounts, and other options not necessary to the i
38. er installation, an administrator or Resource Account name is entered into the configuration form (see Management Service Installation Steps). Once a successful test has been performed and the user information saved, five permissions are automatically granted to this user (see below).

Once the Management Console is installed, ALL user groups within the domain will be granted full permissions. The resource user should remove permissions from all but the groups/users who should have access. The resource user may set additional permissions for the designated users. The permissions granted have the following results:
- Management Console Access: the user may view policies and components, and edit existing policies. Users granted ONLY this privilege will not be permitted to add or delete policies; the publish and permissions options will be unavailable.
- Publish Policy: the user may publish policies ONLY to assigned users/groups.
- Change Permission: the user may access and change permissions settings for other users that have already been defined, or grant permissions to new users.
- Create Policies: the user may create new policies in the Management Console.
- Delete Policies: the user may delete ANY policy in the Management Console.

Note: For security purposes, it is recommended that only the resource user or very FEW administrators be granted the Change Permission and Delete Policies permissions.

Administrative Permissions

To set the Admi
39. ion program to launch the performance monitor.

Starting the Service

The Policy Distribution Service launches immediately following installation, with no reboot of the server required. The Management Console is used to adjust upload times for the Distribution Service using the Configuration tool. See the ESM Administrator's Manual for more details.

Continue to Management Service Installation on page 26.

Management Service Installation

Which server will host the Management Service?

The Management Service should be installed on a secure server behind the firewall and CANNOT share the same server as the Policy Distribution Service (with the exception of a single server installation, see page 12). The Management Service should NOT be installed outside the network firewall, for security reasons. Ensure the required software (see page 7) is installed on the server prior to installation. Once the server is selected, note the server name, both the NETBIOS and Fully Qualified Domain Name (FQDN).

Deployment of the Management Service on a Primary Domain Controller (PDC) is not supported, for both security and functionality reasons.

Please make certain the following prerequisites are in place PRIOR to beginning the installation:
- Ensure ZENworks Security Client (ZSC) to MS server name resolution: validate that the target computers (where the ZSC will be installed) can ping the MS server name. If successful, this is the value
40. ion License to continue.

Figure 16: Browse for Novell License File

Step 7: At the Copy Files screen, click Next. Installation will begin.

Step 8: The Management Service will run a communication check to both SQL databases and the Policy Distribution Service. If communication cannot be verified, the installer will notify you of the issue. ALL boxes must be checked for installation to succeed.

Figure 17: Communication Verification

Step 9: If this installation is occurring on a member server for a domain carrying a directory service, the installer will
41. is now installed. For more information on using the USB Reader, please read the ESM Administrator's Manual.

Client Location Assurance Service Installation

Which server(s) will host the Client Location Assurance Service (CLAS)?

This server should be accessible ONLY when the user enters a controlled network environment, to help assure they are indeed in the environment the ZSC has identified. Instructions on configurations for failover and redundancies may be found below. CLAS can be deployed on the same server hosting the Single Server Installation or multi-server Management Service installation, if desired.

Install the CLAS onto a server that endpoints will only be able to detect when they are in the network environment which requires cryptographic verification.

Deployment of the CLAS on a Primary Domain Controller (PDC) is not supported, for both security and functionality reasons.

Please make certain the following prerequisites are in place PRIOR to beginning the installation:
- ZENworks Security Client (ZSC) to CLAS server name resolution: validate that the target computers (where the ZSC will be installed) can ping the CLAS server name. If unsuccessful, you will have to resolve this BEFORE continuing

It is recommended that the CLAS Server be configured (hardened) so as to deactivate all applications, services, accounts, and other options not necessary to the intended functionality of the server. The steps involved in doing so depe
42. ist of prerequisites be complete BEFORE running the installation for any component. Please review the lists on the following pages:
- ESM Single Server Installation on page 12
- Policy Distribution Service Installation on page 15
- Management Service Installation on page 26
- Management Console Installation on page 39
- Client Location Assurance Service Installation on page 51
- ZENworks Security Client Installation on page 53

ESM Single Server Installation

Single Server Installation (SSI) allows both the Policy Distribution Service and the Management Service to co-exist on the same server (not possible without using this installation option). This server must be deployed inside the firewall for security purposes, requiring users to receive policy updates only when they are inside the corporate infrastructure and/or connected via a VPN.

Deployment of the Single Server Installation on a Primary Domain Controller (PDC) is not supported, for both security and functionality reasons.

Please make certain the following prerequisites are in place PRIOR to beginning the installation:
- ZENworks Security Client (ZSC) to Single Server server name resolution: validate that the target computers (where the ZSC will be installed) can ping the SSI server name. If unsuccessful, you will have to resolve this BEFORE continuing with the installation. Change the SSI server name to FQDN/NETBIOS, change AD to use FQDN/NET
43. Figure 9: Enter Policy Distribution Service Domain Name

Step 6: At the Copy Files screen, click Next. Installation will begin.

Step 7: Select the file paths for the data, index, and log files.

Step 8: An ESM Setup Files folder is generated in the installation directory. This contains a Setup ID file and the ESM-DS.cer file (Novell self-signing SSL certificate, if selected) required by the Management Service. Use Browse to designate where this file should be saved on the server (default: installation directory).

Figure 10: Save Setup Files

Step 9: If you chose to use an enterprise SSL certificate, place a copy of this file into the ESM Setup Files folder.

Step 10: Copy the entire ESM Setup Files directly onto the machine designated as the host for the Management Service (either via a netshare, or by saving the file to a disk or thumb drive and hand-loading it into the server installation directory).

Step 11: The Policy Distribution Service is now installed. Click FINISH to close the installat
44. nd upon the specifics of the local environment, and so cannot be described in advance. Administrators are advised to consult the appropriate section of the Microsoft Technet security webpage. Additional access control recommendations are provided in the ESM Administrator's Manual.

Hardening of IIS: To protect access to only trusted machines, the virtual directory and/or IIS can be set up to have ACLs. Reference the articles below:
- Granting and Denying Access to Computers
- Restrict Site Access by IP Address or Domain Name
- IIS FAQ: 2000 IP address and domain name restrictions
- Working With IIS Packet Filtering

For security purposes, it is highly recommended the following default folders be removed from any IIS installation:
- IISHelp
- IISAdmin
- Scripts

with the installation.
- Enable/Install Microsoft Internet Information Services (IIS), and ensure ASP.NET is enabled.

Click Client Location Assurance Service Installation from the Installation Interface menu. The CLAS installation will begin.

At launch, the installer will verify all required software is present on the server. If any are absent, they will be installed automatically before the installation continues to the Welcome Screen (license agreements for the additional software may need to be accepted). If Microsoft Data Access Components 2.8 are not installed, the server will need to reboot following that installation before ESM installation can continue. If using Windows 2003
45. nistrative Permissions for individual users, perform the following steps:

Step 1: Open the Tools menu and select Permissions. The groups associated with this domain are displayed.

Figure 31: Management Console Permissions Settings Window

Note: All groups are granted full permissions in the Management Console by default. Administrators should immediately uncheck any and all policy tasks from unauthorized groups. Access to the console can be removed by un-checking that permission.

Step 2: To load users and/or new groups to this list, do the following:
- Click the Add button on the bottom of the screen; the Organization Table will display.
46. nses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2007 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents) and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com

Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see the Novell Documentation Web
47. nstallation, unless you opt to use Novell Self-Signed Certificates instead.
- Ensure access to a supported RDBMS (Microsoft SQL Server 2000 SP4, SQL Server Standard, SQL Server Enterprise, SQL Server 2005). Set the DB to Mixed mode. This database should be either hosted on the Management Service server, or on a shared server secured behind the enterprise firewall.

Installation Steps

Click Policy Distribution Service Installation from the Installation Interface menu. The Policy Distribution Service installation will begin.

At launch, the installer will verify all required software is present on the server. If any are absent, they will be installed automatically before the installation continues to the Welcome Screen (license agreements for the additional software may need to be accepted). If Microsoft Data Access Components (MDAC) 2.8 need to be installed, the server will need to reboot following that installation before ESM installation can continue. If using Windows 2003 Server, ASP.NET 1.1 will be configured to run by the installer.

Once Policy Distribution Service installation begins, perform the following steps:

Note: The following steps outline what you, the user, need to do to complete the installation process. Internal processes will display throughout the installation, and are not documented here unless there is a specific action or information that you will need for installation to be successful.

Step 1: Click NEXT on the Welcom
48. ntended functionality of the server. The steps involved in doing so depend upon the specifics of the local environment, and so cannot be described in advance. Administrators are advised to consult the appropriate section of the Microsoft Technet security webpage. Additional access control recommendations are provided in the ESM Administrator's Manual.

Hardening of IIS: To protect access to only trusted machines, the virtual directory and/or IIS can be set up to have ACLs. Reference the articles below:
- Granting and Denying Access to Computers
- Restrict Site Access by IP Address or Domain Name
- IIS FAQ: 2000 IP address and domain name restrictions
- Working With IIS Packet Filtering

For security purposes, it is highly recommended the following default folders be removed from any IIS installation:
- IISHelp
- IISAdmin
- Scripts
- Printers

Novell also recommends using the IIS Lockdown Tool 2.1, available at microsoft.com. Version 2.1 is driven by supplied templates for the major IIS-dependent Microsoft products. Select the template that most closely matches the role of this server. If in doubt, the Dynamic Web server template is recommended.

Only supported when Management Service is installed on a Microsoft Windows 2000 Advanced server (SP4).

- Copy the ESM Setup Files directory, which contains the Policy Distribution Service Setup ID and Root SSL Certificate for the Policy Distribution Service, into the installation directory of
49. of the ZSC from MSI

When the end user re-authenticates to the domain (through a reboot of their machine), the MSI installation package will run prior to their logging in. Once completed, the machine will reboot and the user will be permitted to log in to their machine. The ZSC will be installed and running on the machine.

Running the ZENworks Security Client

The ZSC will run automatically at system startup. For user operation of the ZSC, see the ZENworks Security Client User's Manual. The User's Manual can be distributed to all users to help them better understand the operation of their new endpoint security software.

ESM Unmanaged Installation

An enterprise can also run the ESM ZENworks Security Client and Management Console in an Unmanaged mode (without connection to the Policy Distribution Service or the Management Service). This is available as an installation option, primarily intended for setting up simple evaluations. This option is also ideal for enterprises with little or no server space, or with basic security needs. However, quick policy updates and Compliance Reporting are not available in this configuration.

Unmanaged ZENworks Security Client Installation

To install an unmanaged ZENworks Security Client, follow the instructions on page 53, and select the "Not Connected to ESM Servers (policies received as files)" option. The installation will bypass the questions regarding the names of the servers and will install the
50. omain controller and leave the Domain DC box blank (this box will auto-populate after a successful test of the user account in Step 8).
Step 5: Check Available for User Authentication if this is the domain a Management Service is installed on, to display the domain in the login pull-down menu. If this is a separate domain, leave unchecked.
Step 6: Select a Service Connection Option:
- No authentication: login and password not required for connection to directory service (NOT a recommended configuration)
- Secure authentication: login and password required for connection to directory service
- Read-only access: Management Service cannot make updates or changes to the directory service
- Bind to specified server: creates a direct connection to the server hosting the directory service (machine name/netbios name must be specified in Step 1). This will increase the speed and efficiency of the connection between the services.
Step 7: Enter the directory service login name under Account and the login password in the Password field. The login name entered must be a user who has permission to view the ENTIRE directory tree. It is recommended that this user be either the domain administrator or an OU administrator.
Note: The password entered should be set to not expire, nor should this account ever be disabled.
Step 8: Click Test to verify communication to this directory service. If communication cannot be established, the user is notifie
51. on at least two separate servers; attempts to install both the separate Policy Distribution Service and the Management Service onto the same server will fail (see ESM Single Server Installation on page 12 for a single server installation option). Multi-Server installation should begin with the Policy Distribution Service installation on a secured server, either outside or inside the corporate firewall. See Policy Distribution Service Installation on page 15. Once the Policy Distribution Service is installed, the Management Service installation should follow. See Management Service Installation on page 26. It is recommended the Management Console be installed on this server. Continue to Policy Distribution Service Installation on page 15.
Policy Distribution Service Installation
Which server will host the Policy Distribution Service? Based on your answers to the first two questions above, select a server that will host the ESM Policy Distribution Service. This server should ALWAYS be reachable by your users, whether within the network or out in the DMZ. Ensure the required software (see page 7) is installed on the server prior to installation. Once the server is selected, note the server name, both the NETBIOS and Fully Qualified Domain Name (FQDN). Deployment of the Policy Distribution Service on a Primary Domain Controller (PDC) is not supported for both security and functionality reasons. Please check off
52. onsole. The Management Console is now installed.
Starting the Console
Double-click the Management Console icon on the desktop to launch the Management Console login window. Log into the Management Console by entering the administrator name and password. Before you can enter the username and password, you will need to be connected to the directory service's domain. The username entered MUST be a user on the Management Service domain.
[Figure 28: Login to ESM Management Console]
Adding Directory Services
Step 1: Click the Options button on the login screen. The Configuration window will display.
[Figure 29: Authenticating Directories]
Step 2: Click Authenticating Servers to display the Listening and Validation Service Manager.
Step 3: Enter a friendly name for the Directory Service and select its Service Type from the pull-down list.
Step 4: In the Host DN box, enter the hostname of a d
53. ory to place the software files. The user may select either to install a Novell self-signed SSL certificate, or use one of their own.
Step 1: An SSL Certificate is required for secure communication between the Policy Distribution Service and the Management Service, and between the DS and all Novell Security Clients. If you already have a certificate authority, click "Use the existing certificate IIS is configured for". If you need a certificate, click "Allow Novell to create, install, and use its own self-signed root certificate". The installer will create the certificates and the signing authority. Regardless of the certificate type, these certificates MUST be distributed to all end users.
[Figure 6: Setup Trusted Root]
Step 2: The installer will detect the available SQL databases on the machine and network. Select the secured SQL database for the Policy Distribution Service and enter the database administrator's name and password (if the password is zero characters, the installer will warn of the potential security issue). The username and password CANNOT be a domain user; it MUST be a SQL
54. otes, enter a space (click space bar once), then type /a.
Example: "C:\Documents and Settings\euser\Desktop\CL Release 3 2 455\setup.exe" /a
Several command line variables are available for MSI installation. Please see Command-line Variables on page 58 for more details.
Step 5: Click OK.
Step 6: Double-click the shortcut to launch the MSI installer.
When installation begins, perform the following steps:
Step 1: Click NEXT on the Welcome screen to continue.
Step 2: Accept the Licensing Agreement and click NEXT.
Step 3: Select whether an Uninstall Password is required (recommended) and enter the password.
Step 4: Select how policies will be received (from Distribution Service for managed clients, retrieved locally for an unmanaged configuration). If managed is selected:
- Enter the Management Service information (FQDN or NETBIOS name, depending upon how it was entered during Management Service installation)
- Select if they will be user-based or machine-based policies
Step 5: Enter an email address in the provided field to notify you if installation fails (optional).
Step 6: Enter the network location where the MSI image will be created, or browse to that location by clicking the Change button.
55. page (http://www.novell.com/documentation).
Novell Trademarks
For Novell Trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Licenses
FIPS Certified AES Crypto
Compilation Copyright (c) 1995-2003 by Wei Dai. All rights reserved. This copyright applies only to this software distribution package as a compilation, and does not imply a copyright on any particular file in the package. The following files are copyrighted by their respective original authors: mars.cpp - Copyright 1998 Brian Gladman. All other files in this compilation are placed in the public domain by Wei Dai and other contributors. Permission to use, copy, modify, and distribute this compilation for any purpose, including commercial applications, is hereby granted without fee, subject to the following restrictions:
1. Any copy or modification of this compilation in any form, except in object code form as part of an application software, must include the above copyright notice and this license.
2. Users of this software agree that any modification or extension they provide to Wei Dai will be considered public domain and not copyrighted unless it includes an explicit copyright notice.
3. Wei Dai makes no warranty or representation that the operation of the software in this compilation will be error-free, and Wei
56. priate section of the Microsoft Technet security webpage. Additional access control recommendations are provided in the ESM Administrator's Manual.
Hardening of IIS
To protect access to only trusted machines, the virtual directory and/or IIS can be set up to have ACLs. Reference the articles below:
- Granting and Denying Access to Computers
- Restrict Site Access by IP Address or Domain Name
- IIS FAQ: 2000 IP address and domain name restrictions
- Working With IIS Packet Filtering
For security purposes, it is highly recommended the following default folders be removed from any IIS installation: IISHelp, IISAdmin, Scripts, Printers.
Novell also recommends using the IIS Lockdown Tool 2.1, available at microsoft.com. Version 2.1 is driven by supplied templates for the major IIS-dependent Microsoft products. Select the template that most closely matches the role of this server. If in doubt, the Dynamic Web server template is recommended.
- Microsoft SQL Server 2000 SP4, SQL Server Standard, SQL Server Enterprise. Set database to Mixed mode.
- Ensure access to a supported directory service (Active Directory, NT Domains)
Only supported when Single Server Service is installed on a Microsoft Windows 2000 Advanced server (SP4).
Installation Steps
Select Single Server Installation from the master installer menu. This installation combines the installations described previously in this guide for the Policy Distri
57. ption, or be made vulnerable by inadequate hardware protection. The administrator installing this software MUST be the primary administrator for the servers and the domain. If using enterprise SSL certificates, this must also be the same username used to create the SSL Root Security certificate.
Installation Packages
If you have downloaded the individual installation packages from the Novell Download site, review the installation instructions below and on the following pages, and place each component (i.e., DS Release 3 2 zip and MS Release 3 2 zip) on their designated servers prior to unzipping and installing. If installing from a CD, a Master Installer is launched, which utilizes a simple user interface that guides the ESM Administrator through the installation process. Simply load the installation CD on each machine to access the Master Installer and install the desired component.
About the Master Installer
At launch, the Master Installer displays two menu options: Products and Documentation. The Products link opens the installation menu. The menu items on this screen will launch the designated installer for each component. In the case of the ZENworks Security Client, an additional option is available to launch the installation in Administrator Mode, which will help the ESM Administrator to create an MSI package for easy distribution (see MSI Installation on page 55). For information on the complete operation of the ESM components, pl
58. r by saving the file to a disk or thumb drive, to the machine that will host the Management Console. Continue to Management Console Installation on page 39.
Management Console Installation
Where will you host the Management Console? The Management Console can be installed on the Management Service server or on a secure PC that has direct communication with the Management Service server. Multiple Management Consoles can be configured to communicate with a single Management Service; however, it is highly recommended that access to the Management Console be limited to select users. For security reasons, it is recommended that the Management Console be installed directly on the MS Server. If installing on a separate workstation, please make certain the following prerequisites are in place PRIOR to beginning the installation:
- The required operating systems when running the Management Console on a PC are Windows XP SP1, Windows XP SP2, or Windows 2000 SP4. A 1.0 GHz processor is recommended, with a minimum of 256 MB of RAM and 100 MB of disk space available.
- Copy the ESM Setup files folder, which contains the SSL Root Certificates for the Policy Distribution Service and the Management Service, along with the STInstParam.id file, onto the PC.
- If installing on the Management Service server, verify that the version of Microsoft Internet Explorer is 5.5 or greater.
Installation Steps
Click Management Console Installation from the In
59. rity Client Installation .... 53
Basic ZSC Installation .... 53
MSI Installation .... 55
Running the ZENworks Security Client .... 60
ESM Unmanaged Installation .... 61
Unmanaged ZENworks Security Client Installation .... 61
Stand-Alone Management Console .... 61
Distributing Unmanaged Policies .... 62
List of Figures
Figure 1: ESM Architecture .... 6
Figure 2: Select Typical or Custom Installation .... 16
Figure 3: Select SQL Server .... 17
Figure 4: Distribution Service SQL Password .... 18
Figure 5: Enter Policy Distribution Service Domain Name .... 19
Figure 6: Setup Trusted Root .... 20
Figure 7: Select SQL Server .... 21
Figure 8: Distribution Service SQL Password .... 22
Figure 9: Enter Policy Distribution Service Domain Name .... 23
Figure 10: Save Setup Files .... 24
Figure 11: Select Typical or Custom
60. [Figure 1: ESM Architecture]
The ZENworks Security Client (ZSC) is responsible for enforcement of the distributed security policies on the endpoint system. When the ZSC is installed on all enterprise PCs, these endpoints may now travel outside the corporate perimeter and maintain their security, while endpoints inside the perimeter will receive additional security checks within the perimeter firewall.
Each Central Management component is installed separately (with the exception of a single server installation, see ESM Single Server Installation on page 12 for details). The following components are installed on servers which are secured inside the corporate perimeter:
- Policy Distribution Service is responsible for the distribution of security policies to the ZSC, and retrieval of reporting data from the SSCs. The Policy Distribution Service can be deployed in the DMZ, outside the enterprise firewall, to ensure regular policy updates for mobile endpoints.
- Management Service is responsible for user policy assignment and component authentication; reporting data retrieval; creation and dissemination of ESM reports; and security policy creation and storage.
- Management Console is a visible user interface, which can run directly on the server hosting the Management Service or on a workstation residing inside the corporate firewall with connection to the Management Service server
61. [Figure 4: Distribution Service SQL Password]
Step 4: Enter the Policy Distribution Service domain name. This MUST be the fully qualified domain name if the server will reside outside the corporate firewall. Otherwise, only the NETBIOS name for the server is required.
[Figure 5: Enter Policy Distribution Service Domain Name]
Step 5: At the Copy Files screen, click Next. Installation will begin.
Step 6: An ESM Setup Files folder is generated in the installation directory. This contains a Setup ID file and the ESM-DS.cer file (Novell self-signing SSL certificate) required by the Management Service. Copy this file directly onto the machine designated as the host for the Management Service, either via a netshare or by saving the file to a disk or thumb drive and hand-loading it onto the server installation directory.
Step 7: The Policy Distribution Service is now installed; click FINISH to close the installation program and launch the performance monitor.
Custom Installation
A custom installation will display the defaults used in the typical installation, and will permit the administrator to enter or browse to a different direct
62. rocess for both Basic and MSI installation.
- Basic Installation will install the ZSC only on the current machine.
- MSI Installation will launch the installer in Administrative mode (/a) and will create an MSI Package of the software. This package can then be pushed down or otherwise made available at a specified network location with the required user inputs pre-configured. This allows individual users to install the software with the pre-defined server values.
Basic ZSC Installation
This will install the ZSC on the current machine ONLY.
- Verify all security patches for Microsoft and anti-virus software are installed and up to date.
- Install the Management Service SSL Root Certificates onto the local machine (ESM-MS.cer, or the enterprise certificate).
Note: It is recommended antivirus/spyware software that is interacting with valid registry functions be shut down during the installation of the ZSC.
Step 1: Click NEXT on the Welcome screen to continue.
Step 2: Accept the Licensing Agreement and click NEXT.
Step 3: Enter an installation password. This will prevent the user from uninstalling the ZSC through Add/Remove Programs (recommended).
63. About the ESM Manuals .... 7
ESM Installation .... 9
Installation Packages .... 9
Installation Options .... 9
Installation Order .... 10
Before Installing ESM .... 10
ESM Single Server Installation .... 12
Installation Steps .... 13
Starting the Service .... 13
Multi-Server Installation .... 14
Policy Distribution Service Installation .... 15
Installation Steps .... 16
Starting the Service .... 25
Management Service Installation .... 26
Installation Steps .... 27
Starting the Service .... 38
Management Console Installation .... 39
Installation Steps .... 39
Starting the Console .... 43
Installing USB Reader .... 50
Client Location Assurance Service Installation .... 51
Installation Steps .... 52
CLAS Failover Installations .... 52
Transferring the Public Key to the Management Service .... 52
ZENworks Secu
64. saved for easy distribution default installation directory
Step 6: The installer will detect the available SQL databases on the machine and network. Select the SQL database for the Management Service and enter the database administrator's username and password (if the password is zero characters, the installer will warn of the potential security issue). The username and password CANNOT be a domain user; it must be a SQL user with SysAdmin rights.
[Figure 20: Select MS SQL Database]
Step 7: Set the database name (default is entered as STMSDB).
Step 8: Select the SQL database for the Reporting Service and enter the database administrator's password for that database.
[Figure 21: Select Reporting Service Database]
Step 9: Set the database name (default is entered as STRSDB).
Step 10: If ESM has already been purchased, a separate license file is provided. Copy the license file to this server and browse for it (see the instructions page included with your License file for more details). If you have not yet purchased an ESM license, select 60-Day Evaluation License to continue.
65. stallation Interface menu. At launch, the installer will verify both the required .NET Framework 1.1 and WSE 2.0 SP2 are present on the machine. If one or both are absent, they will be installed automatically before the installation continues to the Welcome Screen (the license agreement for .NET 1.1 will need to be accepted). To install the Management Console, perform the following steps:
Step 1: Click NEXT to continue.
Step 2: Accept the Licensing Agreement and click NEXT.
Step 3: Select either a TYPICAL or CUSTOM installation.
[Figure 24: Select Typical or Custom]
Typical Installation
A typical installation will use all the default server and SSL information contained in the STInstParam.id file, and will make the default directory \Program Files\Novell\ESM Management Console. No additional selections need to be made for Management Console installation, providing the ESM Setup Files directory is on the machine.
Custom Installation
A custom installation will display the STInstParam.id defaults used in the typical installation, and will permit the administrator to chang
66. this server.
Installation Steps
Click Management Service Installation from the Installation Interface menu. The Management Service installation will begin. At launch, the installer will verify all required software is present on the server. If any are absent, they will be installed automatically before the installation continues to the Welcome Screen (license agreements for the additional software may need to be accepted). If Microsoft Data Access Components (MDAC) 2.8 need to be installed, the server will need to reboot following that installation before ESM installation can continue. If using Windows 2003 Server, ASP.NET 1.1 will be configured to run by the installer. Once Management Service installation begins, perform the following steps:
Note: The following steps outline what you, the user, need to do to complete the installation process. Internal processes will display throughout the installation and are not documented here, unless there is a specific action or information that you will need for installation to be successful.
Step 1: Click NEXT on the Welcome screen to continue.
Step 2: Accept the Licensing Agreement and click NEXT.
Step 3: Select either a TYPICAL or CUSTOM installation.
67. ty issue. The username and password CANNOT be a domain user; it MUST be a SQL user with SysAdmin rights.
[Figure 3: Select SQL Server]
Step 3: Enter the password for the Policy Distribution Service agent. This is the username and password the service will use to log in to its SQL database.
[Dialog text: Enter a password for the SQL agent account that will be created by Setup; the SQL agent account name will be DS_STDSDB_USER. The SQL agent account uses this password to authenticate to the STDSDB database in order to manage the data contained therein. Please make the password at least 6 but less than 32 characters in length. ATTENTION: Make note of this password because you will need it to complete the Management Service setup.]
68. [Figure 22: Browse for Novell License File]
Step 11: At the Copy Files screen, click Next. Installation will begin.
Step 12: Select the file paths for the Management Service database's data, index, and log files.
Step 13: Select the file paths for the Reporting Service database's data, index, and log files.
Step 14: The Management Service will run a communication check to both SQL databases and the Policy Distribution Service. If communication cannot be verified, the installer will notify you of the issue. ALL boxes must be checked for installation to succeed.
[Management Service Installer Configuration dialog, check boxes shown: Configuration File Valid; Schema Exists; Database Exists; Setup Id Configured; Schema Id Configured; Schema Key Id Configured; Communication Configured; Management Key Written; Registered with Distribution Service]
69. vel network interop issues, etc. The following command line variables are available:

Table 4: Command Line Variables

| Command Line Variable | Description | Notes |
|---|---|---|
| STDRV=stateful | NDIS driver all stateful at boot time | Changes the default state of the NDIS driver from All Open to All Stateful permitting all network traffic at boot time until the ZSC has determined its location |
| /qn | Quiet install | Use to suppress the typical MSI Installation process. ZSC will activate at next user reboot |
| STRBR=ReallySuppress | No reboot after install completes | Security enforcement and client self-defense are not fully functional until after the first reboot |
| STBGL=1 | Strict white list enforcement on application control | A policy MUST be created that identifies the application on the white list and distributed with this policy |
| STUPGRADE=1 | Upgrade the ZSC | Use when upgrading the ZSC |
| STUNINSTALL=1 | Uninstall the ZSC | Use when uninstalling the ZSC |
| STUIP="the password" | Uninstall with password | Use when an uninstall password is active |
| STNMS="MS Name" | Change the Management Service name | Changes the Management Service name for the ZSC |
| POLICYTYPE=1 | Change ZSC to machine based policies | Use to change MSI installed ZSCs to accept machine based |
