
Getting Started with Symantec™ Network Access Control

For Symantec Network Access Control and Symantec Network Access Control Starter Edition


Getting started with Symantec Network Access Control

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 11.00.06.00.00 PN: 20983669

Legal Notice

Copyright © 2010 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, Bloodhound, Confidence Online, Digital Immune System, LiveUpdate, Norton, Norton 360, Sygate, and TruScan are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com


Getting Started

This document includes the following topics:

■ About Symantec Network Access Control

■ Components of Symantec Endpoint Protection and Symantec Network Access Control

■ What's new in Symantec Endpoint Protection 11

■ System requirements

■ About migrating to Symantec Endpoint Protection or Symantec Network Access Control

■ Installing and configuring the Symantec Endpoint Protection Manager with an embedded database

■ Configuring and deploying client software on Windows computers

■ About Symantec Network Access Control Enforcers

■ Installing an Enforcer appliance

■ About the Enforcer appliance indicators and controls

■ Setting up an Enforcer appliance

■ Logging on to an Enforcer appliance

■ Configuring an Enforcer appliance


About Symantec Network Access Control

Symantec Network Access Control ensures that a company's client computers are compliant with the company's security policies before the computers are allowed to access the network. Symantec Network Access Control uses a Host Integrity Policy and an optional Symantec Enforcer to discover and evaluate which computers are compliant. The clients that are not compliant are directed to a remediation server. The remediation server downloads the necessary software, patches, virus definitions updates, and so on, to make the client computer compliant. Symantec Network Access Control also continually monitors endpoints for changes in the compliance status.

Symantec Network Access Control is a companion product to Symantec Endpoint Protection. Both products include Symantec Endpoint Protection Manager, which provides the infrastructure to install and manage the Symantec Endpoint Protection and Symantec Network Access Control clients. The Symantec Endpoint Protection client protects your endpoints from both known threats and those threats that have not been seen before.

See “Components of Symantec Endpoint Protection and Symantec Network Access Control” on page 4.

For more information about the Enforcer appliance, see the Implementation Guide for Symantec Network Access Control Enforcement.

Components of Symantec Endpoint Protection and Symantec Network Access Control

Table 1-1 lists the product's components and describes their functions.

Table 1-1 Product components

Component: Symantec Endpoint Protection Manager

Description: Symantec Endpoint Protection Manager is a management server that manages the client computers that connect to your company's network.

Symantec Endpoint Protection Manager includes the following software:

■ The console software coordinates and manages security policies and client computers.

■ The server software provides secure communication to and from the client computers and the console.

Component: Database

Description: The database that stores security policies and events. The database is installed on the computer that hosts Symantec Endpoint Protection Manager.

Component: Symantec Network Access Control client

Description: The Symantec Network Access Control client enforces security policy compliance on the client computers by using Host Integrity checks and self-enforcement capabilities. The client reports its Host Integrity compliance status to a Symantec Enforcer.

For more information, see the Implementation Guide for Symantec Network Access Control Enforcement.

For more information, see the Client Guide for Symantec Endpoint Protection and Symantec Network Access Control.

Component: Symantec Protection Center

Description: Symantec Protection Center is installed when you install Symantec Endpoint Protection Manager. Protection Center lets you integrate management consoles from multiple supported Symantec security products into a single management environment.

Component: Symantec Enforcer (optional)

Description: An Enforcer ensures that the clients that try to connect to the network comply with configured security policies. You can restrict non-compliant computers to specific network segments for remediation and you can completely prohibit access to non-compliant computers.

Symantec Network Access Control includes the following types of Enforcers:

■ The Enforcer appliance, which is a hardware appliance on which you install one of several Symantec Enforcer appliance images.

■ The Integrated Enforcers, which are the software components that interact with a Microsoft DHCP Server and a Microsoft Windows Network Policy Server.

See “About Symantec Network Access Control Enforcers” on page 18.

For more information, see the Implementation Guide for Symantec Network Access Control Enforcement.

Component: Symantec Network Access Control On-Demand clients for Windows and Macintosh (optional)

Description: On-Demand clients are the temporary clients that you provide to users when they are unauthorized to access your network because they do not have the software that is compliant with your security policy.

Component: LiveUpdate Server (optional)

Description: The LiveUpdate Server downloads definitions, signatures, and product updates from a Symantec LiveUpdate server and distributes the updates to client computers. For more information, see the Symantec LiveUpdate Administrator User's Guide.

Figure 1-1 The product components in a network

[Figure: network diagram. Labels: Firewall; Internet; Local Ethernet Network; computers running the Symantec Endpoint Protection client or the Symantec Network Access Control client, connecting through a VPN tunnel; Symantec Endpoint Protection Manager, with the Symantec Endpoint Protection client or the Symantec Network Access Control client installed; computers running the Symantec Endpoint Protection client or the Symantec Network Access Control client.]

See “About Symantec Network Access Control” on page 4.


What's new in Symantec Endpoint Protection 11

The current release includes the following improvements that make Symantec Endpoint Protection and Symantec Network Access Control easier and more efficient to use.

For more information, see the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

Table 1-2 New features in this version

Feature: A Web-based console provides a single sign-on capability for registered Symantec products

Benefit: Symantec Protection Center is a Web-based console that enables you to access and manage multiple, supported Symantec products. The console also provides visibility and analytics across products as well as provides useful security feedback and attack statistics.

The console provides a single sign-on screen for the following registered Symantec products:

■ Symantec Endpoint Protection

■ Symantec Critical System Protection

■ Symantec Web Gateway

■ Symantec Brightmail Gateway

■ Symantec IT Analytics

■ Symantec Data Loss Prevention

Feature: A Web-based console for Symantec Endpoint Protection Manager provides easier remote management access

Benefit: You can now manage Symantec Endpoint Protection Manager remotely in a Web-based console. The Java-based remote console is also still available.

Feature: Host Integrity policies check for additional security software

Benefit: You can run a Host Integrity check to see whether the client computers run the following software:

■ Norton Antivirus 2010

■ Norton Internet Security 2010

■ Norton 360 Version 3.0

■ Symantec Endpoint Protection Version 11 Release Update 6

■ McAfee Internet Security 2010

■ McAfee VirusScan Plus 2010

■ McAfee Total Protection 2010

■ McAfee VirusScan Enterprise 8.7i


System requirements

Symantec software requires specific protocols, operating systems and service packs, software, and hardware. All the computers to which you install Symantec software should meet or exceed the recommended system requirements for the operating system that is used.

This guide contains summary information about system requirements. This information may be sufficient to install to a small network or test network. You should refer to the full system requirements before you install the product on a more complex network.

See the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control for full system requirements.

See “Installing and configuring the Symantec Endpoint Protection Manager with an embedded database” on page 13.

Table 1-3 summarizes the minimum requirements for the computer on which you install the Symantec Endpoint Protection Manager.

Table 1-3 Symantec Endpoint Protection Manager system requirements

Component: Operating system

Requirement:

32-bit systems:

■ Windows 2000 Server/Advanced Server/Datacenter Server with Service Pack 3 or later

■ Windows XP Professional with Service Pack 1 or later (x86 or x64)

■ Windows Small Business Server 2000/Windows Small Business Server 2003

■ Windows Server 2003 Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Web Edition

■ Windows Server 2008 Standard/Windows Server 2008 Enterprise/Windows Server 2008 Datacenter/Windows Web Server 2008 (all Service Packs supported)

64-bit systems:

■ Windows XP Professional with Service Pack 1 or later

■ Windows Server 2003 Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Small Business Server

■ Windows Server 2008 Standard/Windows Server 2008 Enterprise/Windows Server 2008 Datacenter/Windows Web Server 2008 (R2 and all Service Packs supported)

■ Windows Essential Business Server 2008 Standard Edition/Windows Essential Business Server 2008 Premium Edition (R2 and all Service Packs supported)

■ Windows Small Business Server 2008 Standard Edition/Windows Small Business Server 2008 Premium Edition (R2 and all Service Packs supported)

Component: Database

Requirement: The Symantec Endpoint Protection Manager includes an embedded database.

■ 32-bit systems: You can also use Microsoft SQL Server 2000 with Service Pack 4 or later, Microsoft SQL Server 2005 with Service Pack 2, or Microsoft SQL Server 2008.

■ 64-bit systems: You can also use Microsoft SQL Server 2000 with Service Pack 3 or later, Microsoft SQL Server 2005 with Service Pack 2, or Microsoft SQL Server 2008.

Microsoft SQL Server is optional.

Component: Other software

Requirement:

■ 32-bit systems: Internet Information Services server 5.0 or later with Web services enabled.

64-bit systems: Internet Information Services server 5.1 or later with Web services enabled.

■ Internet Explorer 6.0 or later

■ Static IP address recommended

Component: Hardware

Requirement:

32-bit systems:

■ 1 GB RAM (2-4 GB recommended)

■ 4 GB on the hard disk for the server, plus 4 GB for the database

■ VGA (640x480) or higher resolution video adapter and monitor

64-bit systems:

■ 1 GB RAM (2-4 GB recommended); 4 GB RAM minimum for all editions of Windows Small Business Server 2008 and Windows Essential Business Server 2008

■ 4 GB on the hard disk for the server, plus 4 GB for the database; Small Business Server 2008: 60 GB for the server; Essential Business Server 2008: 45 GB for the server

■ VGA (640x480) or higher resolution video adapter and monitor

Table 1-4 summarizes the minimum requirements for the remote computer on which you run the Symantec Endpoint Protection Manager console.

Table 1-4 Symantec Endpoint Protection Manager remote console system requirements

Component: Operating system

Requirement:

32-bit systems:

■ Windows 2000 Professional/Server/Advanced Server/Datacenter Server with Service Pack 3 or later

■ Windows XP Professional with Service Pack 1 or later

■ Windows Small Business Server 2000/Windows Small Business Server 2003

■ Windows Server 2003 Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Web Edition

■ Windows Vista (all x86 versions)

■ Windows 7 (all x86 versions)

■ Windows Server 2008 Standard/Windows Server 2008 Enterprise/Windows Server 2008 Datacenter/Windows Web Server 2008 (all Service Packs are supported)

64-bit systems:

■ Windows XP Professional with Service Pack 1 or later

■ Windows Server 2003 Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Web Edition/Small Business Server

■ Windows Vista (all x64 versions)

■ Windows 7 (all x64 versions)

■ Windows Server 2008 Standard/Windows Server 2008 Enterprise/Windows Server 2008 Datacenter/Windows Web Server 2008. Windows Server 2008 (R2 and all Service Packs are supported)

■ Windows Essential Business Server 2008 Standard Edition/Windows Essential Business Server 2008 Premium Edition (R2 and all Service Packs are supported)

■ Windows Small Business Server 2008 Standard Edition/Windows Small Business Server 2008 Premium Edition (R2 and all Service Packs are supported)

Component: Hardware

Requirement:

■ 32-bit systems: 512 MB RAM minimum, 1-2 GB recommended

64-bit systems: 512 MB RAM minimum, 1-2 GB recommended

■ 15 MB hard drive

■ VGA (640x480) or higher resolution video adapter and monitor

Table 1-5 summarizes the minimum requirements for the remote computers on which you run the Symantec Endpoint Protection Manager Web Console.

Table 1-5 Symantec Endpoint Protection Manager Web Console system requirements

Component: Browser

Requirement: Internet Explorer 7 or later, with Enhanced Security Configuration disabled

Table 1-6 summarizes the minimum requirements for the computers on which you install the client software for either Symantec Endpoint Protection or Symantec Network Access Control on Windows.

Table 1-6 Windows client software system requirements

Component: Operating system

Requirement:

32-bit systems:

■ Windows 2000 Professional/Server/Advanced Server/Datacenter Server with Service Pack 3 or later

■ Windows XP Professional/XP Embedded with Service Pack 1 or later

■ Windows Small Business Server 2000/Windows Small Business Server 2003

■ Windows Server 2003 R2, Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Web Edition

■ Windows Server 2003 with Service Pack 1, Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Web Edition

■ Windows Server 2003 with SP2, Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Web Edition

■ Windows Vista (all x86 versions and Service Packs)

■ Windows 7 (all x86 versions)

■ Windows Fundamentals for Legacy PCs

■ Windows Server 2008 Standard/Windows Server 2008 Enterprise/Windows Server 2008 Datacenter/Windows Web Server 2008 (all Service Packs supported). Core installations are supported.

64-bit systems:

■ Windows XP Professional with Service Pack 1 or later

■ Windows Server 2003 Standard Edition/Enterprise Edition/Datacenter Edition/Storage Edition/Small Business Server

■ Windows Vista (all x64 versions and Service Packs)

■ Windows 7 (all x64 versions)

■ Windows Server 2008 Standard/Windows Server 2008 Enterprise/Windows Server 2008 Datacenter/Windows Web Server 2008 (R2 and all Service Packs supported). Core installations are supported.

■ Windows Essential Business Server 2008 Standard Edition/Windows Essential Business Server 2008 Premium Edition (R2 and all Service Packs supported)

■ Windows Small Business Server 2008 Standard Edition/Windows Small Business Server 2008 Premium Edition (R2 and all Service Packs supported)

Component: Other software

Requirement: Internet Explorer 6.0 or later

Terminal Server clients connecting to a computer with antivirus protection have the following additional requirements:

■ Microsoft Terminal Server RDP (Remote Desktop Protocol) client

■ Citrix Metaframe (ICA) client 1.8 or later if you use Citrix Metaframe server on Terminal Server

Component: Hardware

Requirement:

32-bit systems:

■ 256 MB RAM (1 GB recommended) for Windows XP, Windows XP Embedded, and Windows Fundamentals for Legacy PCs

1 GB RAM minimum (2-4 GB recommended) for Windows Vista, Windows 7, Windows Server 2003 (all editions), and Windows Server 2008 (all editions)

■ 600 MB hard disk

■ VGA (640x480) or higher resolution video adapter and monitor

64-bit systems:

■ 1 GB RAM minimum (2-4 GB recommended) for most systems

4 GB RAM minimum for all editions of Windows Small Business Server 2008 and Windows Essential Business Server 2008

■ 700 MB hard disk

■ XGA (1,024x768) or higher-resolution video adapter and monitor

For information about operating systems for Symantec AntiVirus for Linux, see the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control.

For information about using the Symantec AntiVirus client on Linux, see the Symantec AntiVirus for Linux Client Guide. The guide is located in the docs folder of the product disc that contains the Symantec AntiVirus client software for Linux.

About migrating to Symantec Endpoint Protection or Symantec Network Access Control

Migrating from a Symantec legacy product to Symantec Endpoint Protection is a complex process. You must read and understand all the migration information before you migrate legacy Symantec software. Also, you must test all migration procedures in a test environment before you migrate.

You must perform a migration if you have installed on your network a migration-supported version of the following products:

■ Symantec AntiVirus Corporate Edition

■ Symantec AntiVirus for Mac

■ Symantec Client Security

■ Symantec Sygate Enterprise Protection

■ Sygate Secure Enterprise

To migrate successfully from other Symantec products, read the following migration information first:

■ Migration Web site

■ The Migrating and upgrading section of the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control

Installing and configuring the Symantec Endpoint Protection Manager with an embedded database

Installing with the embedded database is the easiest way to install Symantec Endpoint Protection Manager. The embedded database supports up to 5,000 clients. If you choose to configure the management server in Simple mode, the embedded database is selected automatically.

The installation of Symantec Endpoint Protection Manager is divided into three parts:

■ The first part installs the management server and console.

■ The second part configures the management server and creates the database.

■ The third part creates and deploys client software to the client computers.

You can deploy the client software during the management server installation or later. You must deploy the client software on the computer that runs the management server.

Each part consists of a wizard. When the wizard for each part completes, a prompt that asks you whether or not you want to continue with the next wizard displays.

To install Symantec Endpoint Protection Manager

1. Insert the product disc into the drive, and start the installation. For downloaded products, open the CD1 folder and double-click Setup.exe.

2. On the Welcome page, do one of the following actions:

   ■ To install Symantec Endpoint Protection, click Install Symantec Endpoint Protection Manager.

   ■ To install Symantec Network Access Control, click Install Symantec Network Access Control, and then click Install Symantec Endpoint Protection Manager.

3. On the Welcome page of the Installation Wizard, click Next.

   A check is performed to see if the computer meets the minimum system requirements. If it does not, a message indicates which resource does not meet the minimum requirements. You can click Yes to continue installing Symantec Endpoint Protection Manager, but performance can be adversely affected.

4. On the License Agreement page, check I accept the terms in the license agreement, and then click Next.

5. On the Destination Folder page, accept or change the installation directory, and then click Next.

6. On the Select Web site page, do one of the following:

   ■ To configure the Symantec Endpoint Protection Manager IIS Web as the only Web server on this computer, check Create a custom Web site, and then accept or change the TCP Port.

   Note: This setting is recommended for most installations as it is less likely to conflict with other programs.

   ■ To let the Symantec Endpoint Protection Manager IIS Web server run with other Web sites on this computer, check Use the default Web site.

7. Click Next.

8. On the Ready to Install the Program page, click Install.

9. When the installation finishes, and the Install Wizard Completed page appears, click Finish.

   Wait for the Management Server Configuration Wizard page to appear, which can take several seconds. If you are prompted to restart the computer, restart the computer, log on, and the wizard appears automatically for you to continue.

10. Follow the steps for the appropriate mode of configuration that you select: Simple or Advanced.


To configure the Symantec Endpoint Protection Manager with an embedded database in Simple mode

1. On the Management Server Configuration Wizard page, select Simple, and then click Next.

2. Provide and confirm a password of 6 or more characters. Optionally, provide an administrator email address.

   The password is the admin account password that you use to log on to the Symantec Endpoint Protection Manager console. The password is also used as the encryption password necessary for disaster recovery and, if you are installing Symantec Network Access Control, to add Enforcers. After installation, the encryption password does not change, even if the password for the admin account is changed.

   Document this password for when you install Symantec Endpoint Protection in your production environment.

3. Click Next.

4. On the Data Collection page, do one of the following:

   ■ To let Symantec Endpoint Protection send information about how you use this product to Symantec, check the checkbox.

   ■ To decline to send information about how you use this product to Symantec, uncheck the checkbox.

5. The configuration summary page displays the values that are used to install Symantec Endpoint Protection Manager. You can print a copy of the settings to maintain for your records, or click Next.

   Wait while the installation creates the database, which can take several minutes.

6. On the Management Server Configuration Wizard Completed page, do one of the following:

   ■ To deploy client software with the Migration and Deployment Wizard, click Yes, and then click Finish.

   ■ To log on to the Symantec Endpoint Protection Manager console first, and then deploy client software, click No, and then click Finish.


To configure the Symantec Endpoint Protection Manager with an embedded database in Advanced mode

1. On the Management Server Configuration Wizard page, select Advanced, and then click Next.

2. Select the number of clients you want this server to manage, and then click Next.

   This selection appears only when you install the Symantec Endpoint Protection Manager for the first time on this computer.

3. Check Install my first site, and then click Next.

4. On the server information page, accept or change the default values, and then click Next.

5. On the site name page, in the Site name box, accept or change the default name, and then click Next.

6. On the encryption password page, provide and confirm a password, and then click Next.

   Document this password and store it in a safe, secure location. You cannot change or recover the password after you create the database. You must also enter this password for disaster recovery purposes if you do not have a backed up database to restore.

7. On the database type page, check Embedded database, and then click Next.

8. On the system administrator account page, provide and confirm a password of 6 or more characters. Optionally, provide an administrator email address. Click Next.

   Use the user name and password that you set here to log on to the console for the first time.

   Wait while the installation creates the database, which can take several minutes.

9. On the Management Server Configuration Wizard Completed page, do one of the following:

   ■ To deploy client software with the Migration and Deployment Wizard, click Yes, and then click Finish.

   ■ To log on to the Symantec Endpoint Protection Manager console first, and then deploy client software, click No, and then click Finish.

See “Configuring and deploying client software on Windows computers” on page 17.


Configuring and deploying client software on Windows computers

The Migration and Deployment Wizard lets you configure a client software package. The Push Deployment Wizard then optionally appears to let you deploy the client software package to Windows computers.

Note: This procedure has you select a directory in which to place installation files. You may want to create this directory before you start this procedure. Also, you need to authenticate with administrative credentials to the Windows Domain or Workgroup that contains the computers.

Computers that run firewalls, Windows XP, Windows Vista, or Windows Server 2008 have special requirements. Firewalls must permit remote deployment over TCP ports 139 and 445. Also, disable simple file sharing on the computers that are in workgroups and that run Windows XP. On Windows Vista and Windows Server 2008, you must enable network discovery.

For a comprehensive list of system requirements, including port and protocol requirements, see the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control.
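A pre-flight reachability check for the two remote-deployment ports named above, run from the management server before starting the Push Deployment Wizard. This is an added example, not part of the Symantec guide or product; the function names and the command-line usage are assumptions made for illustration.

```python
"""Pre-flight check: are TCP 139 and 445 reachable on each push-deployment target?"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports the guide says firewalls must permit for remote deployment.
PUSH_DEPLOY_PORTS = (139, 445)


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout.

    Name-resolution failures, refusals and timeouts all count as 'not reachable',
    because any of them would also stop the push deployment.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_host(host, ports=PUSH_DEPLOY_PORTS, timeout=2.0):
    """Return {port: reachable} for one target computer."""
    return {port: port_open(host, port, timeout) for port in ports}


def preflight(hosts, ports=PUSH_DEPLOY_PORTS, timeout=2.0, workers=16):
    """Check all targets in parallel and return {host: {port: reachable}}."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: check_host(h, ports, timeout), hosts))
    return dict(zip(hosts, results))


def blocked(results):
    """Return {host: [unreachable ports]} for targets that need a firewall change."""
    return {
        host: sorted(port for port, ok in ports.items() if not ok)
        for host, ports in results.items()
        if not all(ports.values())
    }


if __name__ == "__main__":
    # Usage (hypothetical host names): python preflight.py pc-01 pc-02 10.0.0.15
    targets = sys.argv[1:]
    if not targets:
        sys.exit("usage: preflight.py HOST [HOST ...]")
    failures = blocked(preflight(targets))
    for host in targets:
        if host in failures:
            print(f"{host}: blocked on TCP {failures[host]}")
        else:
            print(f"{host}: ready for push deployment")
    sys.exit(1 if failures else 0)
```

A target listed as blocked needs its firewall rule, simple file sharing setting, or network discovery setting reviewed as described above before the wizard can reach it.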

You can also use the Find Unmanaged Computers utility that lets you locate the client computers that do not run client software and then install the client software on those computers.

For more information on installing and deploying client software, see the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control.

To configure and deploy client software on Windows computers

1. Start the Migration and Deployment Wizard by doing one of the following:

   ■ On the Windows Start menu, click Start > Programs > Symantec Endpoint Protection Manager > Migration and Deployment Wizard.

   The path may be different depending on the version of Windows that you use.

   ■ On the last panel of the Management Server Configuration Wizard, click Yes, and then click Finish.

   See “Installing and configuring the Symantec Endpoint Protection Manager with an embedded database” on page 13.

2. In the Welcome to the Migration and Deployment Wizard panel, click Next.

3. In the What would you like to do panel, check Deploy the Windows client, and then click Next.

4. In the next panel, check Specify the name of a new group that you wish to deploy clients to, type a group name in the box, and then click Next.

   After you have deployed client software and logged on to the console, you can locate this group in the console.

5. In the next panel, uncheck any types of protection that you do not want to install (Symantec Endpoint Protection only), and then click Next.

6. In the next panel, check the installation options that you want for packages, files, and user interaction.

7. Click Browse, locate and select a directory in which to place the installation file(s), and then click Open.

8. Click Next.

9. In the next panel, check Yes, and then click Finish.

It can take several minutes to create and export the installation package for your group before the Push Deployment Wizard appears.

To deploy the client software with the Push Deployment Wizard

1. In the Push Deployment Wizard, under Available computers, expand the trees and select the computers on which to install the client software, and then click Add >.

2. In the Remote Client Authentication dialog box, type the user name and password, and then click OK.

   The user name and password must be able to authenticate to the Windows Domain or Workgroup that contains the computers.

3. When you have selected all of the computers and they appear in the right pane, click Finish.

About Symantec Network Access Control Enforcers

The Symantec Network Access Control Enforcers control access to the client computers that try to connect to the enterprise network. You use Symantec Endpoint Protection Manager to manage a Host Integrity policy to specify which security software is installed on the client computer. If the computers comply with the Host Integrity policy, the Enforcer permits the client to access resources on the network.

The Enforcer appliances are the images that run on a hardware device.

You can install the following types of Enforcer appliance images:

■ Symantec Gateway Enforcer

■ Symantec DHCP Enforcer

■ Symantec LAN Enforcer

See “Installing an Enforcer appliance” on page 19.

The Integrated Enforcers include the following software plug-ins:

■ Symantec Integrated Enforcer for Microsoft DHCP Servers

■ Symantec Integrated Enforcer for Microsoft Network Access Protection

Installing an Enforcer appliance

Table 1-7 lists the steps to install all types of Enforcer appliances.

Table 1-7 Installation summary for an Enforcer appliance

Step 1

Action: Learn where to place Enforcers in your network.

Description: Enforcers need to be placed in specific locations on your network to ensure that all endpoints comply with your security policy.

Step 2

Action: Set up the appliance.

Description: Connect the Enforcer appliance to your network.

See “About the Enforcer appliance indicators and controls” on page 19.

See “Setting up an Enforcer appliance” on page 21.

Step 3

Action: Configure the appliance.

Description: Log on and configure the Enforcer appliance from the Enforcer command line.

See “Logging on to an Enforcer appliance” on page 22.

See “Configuring an Enforcer appliance” on page 23.

About the Enforcer appliance indicators and controls

The Enforcer appliance is installed on a 1U rack-mountable chassis with support for static rails.

Figure 1-2 shows the controls, indicators, and connectors that are located behind the optional bezel on the front panel.

Figure 1-2 Enforcer appliance front panel

1 DVD-ROM drive
2 Power switch
3 Reset icon
4 USB ports
5 Hard drive light
6 Monitor
7 Reserved; do not use

Figure 1-3 shows the back panel of the system.

Figure 1-3 Enforcer appliance back panel (Failopen model shown)

1 Power cord connector
2 Mouse connector
3 Keyboard connector
4 USB ports
5 Serial port
6 Monitor
7 Reserved; do not use
8 Reserved network ports; do not use
9 eth0 network port
10 eth1 network port


You can use the provided serial port and the serial cable to connect to another system that is hooked up to a monitor and keyboard. Alternatively, you can connect a monitor or keyboard directly. If you connect by using the serial port, the default baud rate that is set on the Enforcer is 9600. You must configure the connection on the other system to match. Connecting by the serial port is the preferred method. It lets you transfer files, such as debugging information, to the connected computer for troubleshooting.

See “Installing an Enforcer appliance” on page 19.

See “Setting up an Enforcer appliance” on page 21.

Setting up an Enforcer appliance

Set up the Enforcer appliance hardware by connecting it to your network, switching it on, and logging on at the command line.

See “Installing an Enforcer appliance” on page 19.

See “About the Enforcer appliance indicators and controls” on page 19.

To set up an Enforcer appliance

1

Unpack the Enforcer appliance.

2

Mount the Enforcer appliance in a rack, or place it on a level surface. See the rack mounting instructions that are included with the Enforcer appliance.

3

Plug it into an electrical outlet.

4

Connect the Enforcer appliance by using one of the following methods:

■ Connect another computer to the Enforcer appliance by using a serial port.

Use a null modem cable with a DB9 connector (female). You must use terminal software, such as HyperTerminal, CRT, or NetTerm, to access the Enforcer console. Set your terminal software to 9600 bps, data bits 8, no parity, 1 stop bit, no flow control.

■ Connect a keyboard and VGA monitor directly to the Enforcer appliance.

5

Connect the Ethernet cables to the network interface ports as follows:

Gateway Enforcer appliance

Connect two Ethernet cables. One cable connects to the eth0 port (internal NIC). The other cable connects to the eth1 port (external NIC) on the rear of the Enforcer appliance.

The internal NIC connects to the protected network and the Symantec Endpoint Protection Manager. The external NIC connects to the endpoints.

DHCP Enforcer appliance

Connect two Ethernet cables. One cable connects to the eth0 port (internal NIC). The other cable connects to the eth1 port (external NIC) on the rear of the Enforcer appliance.

The internal NIC connects to the protected network and the Symantec Endpoint Protection Manager. The external NIC connects to the endpoints.

LAN Enforcer appliance

Connect one Ethernet cable to the eth0 port on the rear of the Enforcer appliance. This cable connects to the internal network. The internal network connects to an 802.1x-enabled switch and to any additional 802.1x-enabled switches in your network.

6

Switch on the power.

The Enforcer appliance starts.

7

Press Enter twice.

8

At the logon prompt, log on as follows:

Console Login: root
Password: symantec

The Enforcer appliance automatically logs users off after 90 seconds of inactivity.

See “Logging on to an Enforcer appliance” on page 22.

See “Configuring an Enforcer appliance” on page 23.

Logging on to an Enforcer appliance

When you turn on or restart the Enforcer appliance, the logon prompt for the Enforcer appliance console appears:


Enforcer Login

The following levels of access are available:

Superuser: Access to all commands

Normal: Access only to the clear, exit, help, and show commands for each level of the command hierarchy

Note: The Enforcer appliance automatically logs users off after 90 seconds of inactivity.

See “Setting up an Enforcer appliance” on page 21.

To log on to an Enforcer appliance with access to all commands

1

On the command line, log on to an Enforcer appliance with access to all commands by typing the following command:

root

2

Type the password that you created during the initial installation. The default password is symantec

The console command prompt for root is Enforcer#

To log on to an Enforcer appliance with limited access to commands

1

If you want to log on to an Enforcer appliance with limited access to commands, type the following command on the command line:

admin

2

Type the password on the command line. The default password is symantec

The console command prompt for admin is Enforcer$

See “Configuring an Enforcer appliance” on page 23.

Configuring an Enforcer appliance

Configure the appliance from the Enforcer command-line interface.

See “Logging on to an Enforcer appliance” on page 22.

To configure an Enforcer appliance

1

Specify the type of Enforcer appliance as follows, responding to the prompts from the Enforcer:

1. Select Enforcer mode [G] Gateway [D] DHCP [L] LAN

Where:

G  Gateway Enforcer appliance

D  DHCP Enforcer appliance

L  LAN Enforcer appliance

2

Change the host name of the Enforcer appliance, or press Enter to leave the host name of the Enforcer appliance unchanged.

The default host name of the Enforcer appliance is Enforcer. The name of the Enforcer appliance automatically registers on the Symantec Endpoint Protection Manager during the next heartbeat.

At the prompt, type the following command if you want to change the host name of the Enforcer appliance:

2. Set the host name
Note:
1) Input new hostname or press "Enter" for no change. [Enforcer]:
hostname hostname

where hostname is the new host name for the Enforcer appliance.

Be sure to register the host name of the Enforcer appliance on the Domain Name Server itself.

3

Type the following command to confirm the new host name of the Enforcer appliance:

show hostname

4

Type the IP address of the DNS server and press Enter.


5

Type the new root password at the prompt by first typing the following command:

password

Old password: new password

You must change the root password that you used to log on to the Enforcer appliance. Remote access is not enabled until you change the password. The new password must be at least nine characters long, and contain one lowercase letter, one uppercase letter, one digit, and one symbol.

6

Type the new admin password.

7

Set the time zone by following these prompts.

Set the time zone

Current time zone is [+0000]. Change it? [Y/n]
If you click 'Y', follow the steps below:
1) Select a continent or ocean
2) Select a country
3) Select one of the time zone regions
4) Set the date and time
Enable the NTP feature [Y/n]
Set the NTP server:
Note: We set up the NTP server as an IP address

8

Set the date and time.

9

Configure the network settings and complete the installation, following the Enforcer prompts.

Enter network settings
Configure eth0:
Note: Input new settings.
IP address []:
Subnet mask []:
Set Gateway? [Y/n]
Gateway IP[]:
Apply all settings [Y/N]:
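A pre-flight check for the answers you plan to give at the configuration prompts above, as an added example that is not Symantec's code. The worksheet keys, the sample addresses, the reading of "symbol" as ASCII punctuation, and applying the root password rule to the admin account are assumptions.

```python
import ipaddress
import string

DEFAULT_PASSWORD = "symantec"  # factory default for root and admin per the guide
# Assumption: "symbol" means ASCII punctuation; the guide does not list the set.
CLASSES = {"lowercase letter": string.ascii_lowercase, "digit": string.digits,
           "uppercase letter": string.ascii_uppercase, "symbol": string.punctuation}

def password_problems(pw):
    """Return the ways pw fails the guide's rule for the new password."""
    problems = []
    if pw == DEFAULT_PASSWORD:
        problems.append("is the factory default")
    if len(pw) < 9:
        problems.append("shorter than nine characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append("no " + name)
    return problems

def check_worksheet(ws):
    """Validate planned answers to the Enforcer prompts; return a list of errors."""
    errors = []
    for account in ("root", "admin"):  # assumption: the rule also covers admin
        for problem in password_problems(ws[account + "_password"]):
            errors.append(f"{account} password: {problem}")
    for key in ("dns_server", "ntp_server"):  # both are entered as IP addresses
        try:
            ipaddress.ip_address(ws[key])
        except ValueError:
            errors.append(f"{key}: not an IP address")
    try:
        eth0 = ipaddress.ip_interface(f"{ws['eth0_ip']}/{ws['eth0_mask']}")
        gateway = ipaddress.ip_address(ws["gateway"])
    except ValueError as exc:
        errors.append(f"eth0 settings: {exc}")
    else:
        if gateway not in eth0.network:
            errors.append("gateway is outside the eth0 subnet")
    return errors

# Constructed worksheet (documentation address ranges) with three bad fields.
SAMPLE = {
    "root_password": "symantec", "admin_password": "Enf0rcer!Adm1n",
    "dns_server": "192.0.2.53", "ntp_server": "time.example.com",
    "eth0_ip": "192.0.2.10", "eth0_mask": "255.255.255.0", "gateway": "198.51.100.1",
}

if __name__ == "__main__":
    for line in check_worksheet(SAMPLE):
        print(line)
```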

Where to get more information

Sources of information include the following:

■ Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control

■ Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control

■ Client Guide for Symantec Endpoint Protection and Symantec Network Access Control

■ Implementation Guide for Symantec Network Access Control Enforcement

■ LiveUpdate Administrator Getting Started Guide

■ LiveUpdate Administrator User's Guide

■ Symantec Central Quarantine Implementation Guide

■ Symantec Endpoint Protection 11.0 Windows Small Business Server Best Practices White Paper

■ Tool-specific documents, located in some subdirectories of the Tools folders on the product disc 3

■ Readme files, located in the root folder of the installation product disc

■ Online Help that contains the information that is in the guides plus context-specific content

The primary documentation is available in the Documentation folder on the product discs. Updates to the documentation are available from the Symantec Technical Support Web site.

Table 1-8 Symantec Web sites

Types of information: Symantec Endpoint Protection trialware
Web address: http://www.symantec.com/business/products/downloads/

Types of information: Public Knowledge Base; Releases and updates; Manuals and documentation updates; Contact options
Web address: http://www.symantec.com/business/support/overview.jsp?pid=52788

Types of information: Release notes and additional post-release information
Web address: http://www.symantec.com/business/support/overview.jsp?pid=52788

Types of information: Virus and other threat information and updates
Web address: http://securityresponse.symantec.com

Types of information: Product news and updates
Web address: http://enterprisesecurity.symantec.com

Types of information: Symantec Endpoint Protection forums
Web address: https://forums.symantec.com/syment/board?board.id=endpoint_protection11

Types of information: Symantec Network Access Control forums
Web address: http://www.symantec.com/connect/security/forums/network-access-control
