SafeGuard PortProtector 3.30 SP6
Installation guide
Important Notice
This guide is delivered subject to the following conditions and restrictions:
This guide contains proprietary information belonging to Sophos. Such information is supplied solely for the purpose of assisting explicitly and properly authorized SafeGuard PortProtector users.
No part of its contents may be used for any other purpose, disclosed to any person or firm or reproduced by any means, electronic or mechanical, without the express prior written permission of Sophos.
The text and graphics are for the purpose of illustration and reference only. The specifications on which they are based are subject to change without notice.
The software described in this guide is furnished under a license. The software may be used or copied only in accordance with the terms of that agreement.
Information in this guide is subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted.
The information in this document is provided in good faith but without any representation or warranty whatsoever as to whether it is accurate, complete or otherwise, and on the express understanding that Sophos shall have no liability whatsoever to other parties in any way arising from or relating to the information or its use.
SafeGuard PortProtector and SafeGuard PortAuditor are OEM versions of Safend Protector and Safend Auditor from Safend. Some screenshots throughout this manual may therefore still carry the Safend branding; they refer to the same functionality in the SafeGuard OEM version.
Boston, USA | Oxford, UK
© Copyright 2010. Sophos. All rights reserved. All trademarks are the property of their respective owners.
About This Guide
This Installation Guide is comprised of the following chapters:
Chapter 1, Installation Workflow, suggests a workflow for using the SafeGuard PortProtector solution to protect your organization's endpoints.
Chapter 2, Preparing for Installation, describes the SafeGuard PortProtector architecture and the SafeGuard PortProtector installation workflow. It then describes the system requirements and prerequisites for installation and all the preparations that need to take place before installing SafeGuard PortProtector.
Chapter 3, Installing SafeGuard PortProtector Management Server, describes how to install, restore and upgrade the SafeGuard PortProtector Management Server, and how to launch the SafeGuard PortProtector Management Console.
Chapter 4, Installing SafeGuard PortProtector Management Console, describes how to install SafeGuard PortProtector Management Console.
Chapter 5, Installing SafeGuard PortProtector Client, describes the various methods for installing, or deploying, SafeGuard PortProtector Client. It also explains how to uninstall and upgrade SafeGuard PortProtector Client.
Appendix A - OPSEC™ Interoperability, describes Check Point's OPSEC™ and how it interfaces with SafeGuard PortProtector.
Contents
1 Installation Workflow
2 Preparing for Installation
3 Installing SafeGuard PortProtector Management Server
4 Installing SafeGuard PortProtector Management Console
5 Installing SafeGuard PortProtector Client
Appendix A - OPSEC™ Interoperability
1 Installation Workflow
About This Chapter
Before installing SafeGuard PortProtector V3.3, it is important to fully understand the implementation process of the SafeGuard PortProtector solution. This chapter suggests a workflow for using the SafeGuard PortProtector solution to protect your organization's data. It contains the following section:
1.1 SafeGuard PortProtector Implementation Workflow
Step 1: Install the SafeGuard PortProtector Management Server and Console, as described in Chapter 2, Preparing for Installation, and Chapter 3, Installing SafeGuard PortProtector Management Server.
Step 2: Install Additional Management Consoles, as described in Chapter 4, Installing SafeGuard PortProtector Management Console.
Step 3: Define General SafeGuard PortProtector Administration Settings, such as the method by which policies are published, as described in Chapter 7, Administration, in the SafeGuard PortProtector User help.
Step 4: Scan Computers and Detect Port/Device Usage. Use SafeGuard PortAuditor to detect the ports that have been used in your organization and the devices and WiFi networks that are or were connected to these ports, as described in the SafeGuard PortAuditor User help.
Step 5: Define SafeGuard PortProtector Policies. In this stage you define the blocked, allowed and restricted ports, devices and WiFi networks according to the security and productivity requirements of your organization, as described in Chapter 3, Defining Policies, in the SafeGuard PortProtector User help.
Step 6: Install SafeGuard PortProtector Client on Endpoints, as described in Chapter 5, Installing SafeGuard PortProtector Client.
Step 7: Distribute SafeGuard PortProtector Policies to Endpoints. In this stage you can either associate policies with users and computers and distribute them directly to endpoints (via SSL), or distribute SafeGuard PortProtector policies using Active Directory's GPO feature or any other third-party tool, as described in Chapter 4, Distributing Policies, in the SafeGuard PortProtector User help.
Step 8: Endpoints are Protected by SafeGuard PortProtector Policies. In this stage only approved devices and WiFi networks can be used, through permitted ports. Logs about port, device and WiFi network use and attempted use, as well as tampering attempts, are created and sent to the Management Server, as described in Chapter 8, End-User Experience, in the SafeGuard PortProtector User help.
Step 9: Monitor Logs and Alerts. View and export the log entries generated by SafeGuard PortProtector Clients, as described in Chapter 5, Viewing Logs, in the SafeGuard PortProtector User help.
2 Preparing for Installation
About This Chapter
This chapter first describes the SafeGuard PortProtector architecture and the SafeGuard PortProtector installation workflow. It then specifies the system requirements and prerequisites for installing the different components of SafeGuard PortProtector, followed by instructions on how to prepare the network for installation. It contains the following sections:
System Requirements (section 2.1), describes the system requirements for each of the SafeGuard PortProtector components.
Preparing your Network (section 2.2), describes the preparation that needs to be done on your network to allow the different SafeGuard PortProtector components to communicate without interruption.
2.1 System Requirements
Following are the system requirements for the various system components:

SafeGuard PortProtector Client Requirements
Operating System:
  Windows XP Professional (SP1-3)
  Windows XP 64-bit Professional (SP2-3). Note that a separate MSI is provided for 64-bit operating systems from version 3.2 onwards.
  Windows 2003 Server (SP1-2)
  Windows 2000 SP4 Rollup 1
  Windows Vista Business/Enterprise/Ultimate (SP1-2) 32-bit
  Windows 7 Business/Enterprise/Ultimate 32-bit
Hardware:
  Pentium 800 MHz
  256 MB RAM
  50 MB HDD space

SafeGuard PortProtector Console Requirements
Operating System:
  Windows XP Professional (SP2)
  Windows 2003 Server (SP1-2)
Hardware:
  Pentium 800 MHz
  256 MB RAM
  50 MB HDD space

SafeGuard PortProtector Server Requirements
Operating System:
  Windows XP Professional (SP2; not supported for production environments)
  Windows 2003 Server (SP1-2)
Hardware:
  Depends on the number of installed Clients; see section 3.1.2.

2.2 Preparing your Network
Before installing the system, make sure the following communications are permitted by your network firewalls and by the personal (host) firewalls on the machines involved.
To prepare your network:
1 For the SafeGuard PortProtector Management Server and the SafeGuard PortProtector Clients to communicate, the SSL port must be open in your network firewall. Sophos typically uses TCP port 443 (the SSL standard) for this. If you have chosen a different port, allow that port in your firewall instead. If Management Consoles run on machines other than the Server, the Console port (4443 by default on Windows 2003; see section 3.4) must be reachable from those machines as well.
2 For the SafeGuard PortProtector Management Console to control clients (send control commands instructing clients to send their logs or update their policy), the WMI ports must be open on the personal firewall of each endpoint. WMI runs over DCOM/RPC: it uses TCP port 135 (the RPC endpoint mapper) and then a dynamically assigned RPC port, so a rule for a single fixed port is not sufficient.
2.2.1 Opening WMI ports on Windows XP (SP2) Firewall
If you are using Windows XP (SP2) firewall as the personal firewall on your endpoints, you can use the GPO mechanism to configure endpoints to accept incoming WMI communications. The following section is quoted from Microsoft documentation.
"Without configured exceptions, Windows Firewall will drop traffic for server, peer, or listener applications and services. Therefore, it is likely you will want to configure Windows Firewall for exceptions to ensure that the Windows Firewall works appropriately for your environment. Windows Firewall settings are available for Computer Configuration only.
They are located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.
Identical sets of policy settings are available for two profiles:
Domain profile. Used when computers are connected to a network that contains your organization’s Active Directory domain.
Standard profile. Used when computers are not connected to a network that contains your organization’s Active Directory domain, such as a home network or the Internet.
The relevant policy setting for WMI is Windows Firewall: Allow remote administration exception. Enabling it permits the incoming TCP 135 and dynamic RPC traffic that WMI requires. The setting lets you restrict the source addresses from which such traffic is accepted; limit it to the addresses of your Management Server and Management Console machines rather than allowing any source.
2.3 Tips on Preparing Your Endpoints
Booting from an external boot device (floppy, CD, etc.) circumvents any security software running inside the installed operating system. There are, however, several ways to prevent this, or to make the data unreadable outside the Sophos-protected operating system:
Changing the boot sequence: Set the hard disk drive as the first boot device, ahead of the floppy and CD/DVD-ROM drives. If the floppy or the CD/DVD-ROM is the initial boot device, anyone can boot a medium that accesses the hard disk drive directly and, for example, reset the administrator password in seconds.
Physical seal / chassis protection: Make sure that the hardware is sealed, so that the hard disk drive cannot simply be disconnected and read in another machine and the BIOS settings cannot be reset by opening the case.
Setting a password to protect the BIOS: This prevents users from entering the BIOS setup and re-enabling boot access from devices other than the internal hard disk drive. On its own it is only as strong as the chassis protection, since a BIOS password can typically be cleared by someone with physical access to the board.
Disk encryption: Several full-disk encryption products are available. They encrypt the entire disk, so that the data can be read only once the installed operating system, which contains the decryption component, has been loaded. Booting from an external device then yields nothing but ciphertext.
3 Installing SafeGuard PortProtector Management Server
About This Chapter
This chapter describes how to install SafeGuard PortProtector Management Server and contains the following sections:
Prerequisites, describes the requirements for installing the Management Server.
Installing Prerequisite Software, describes how to install Microsoft .NET Framework and IIS.
Before Installing SafeGuard PortProtector Management Server, provides a checklist of issues you need to verify before starting the installation process.
Installing the Management Server, describes how to install the SafeGuard PortProtector Management Server for the first time and how to launch the SafeGuard PortProtector Management Console.
Restoring an Existing Management Server, describes how to restore an existing SafeGuard PortProtector Management Server in case of hardware upgrade or failure.
Upgrading the Management Server, explains the upgrade position for version 3.3 (an in-place upgrade from an earlier version is not supported; see section 3.6).
Post-Installation Settings (Checklist), lists a set of critical settings to define after installation.
Uninstalling SafeGuard PortProtector Management Server, explains how to uninstall SafeGuard PortProtector Management Server.
3.1 Prerequisites
3.1.1 Operating System
Windows XP Professional (SP0-2) 32-bit
Windows 2003 Server (SP0-2) 32-bit
3.1.2 Hardware
The server hardware requirements depend on the number of installed SafeGuard PortProtector Clients. To obtain the specifications suitable for your organization, please contact your local Sophos reseller or Sophos support.
3.1.3 Software
Microsoft .NET Framework 2.0 installed
Microsoft Internet Information Services (IIS)
3.2 Installing Prerequisite Software
3.2.1 Installing Microsoft .NET Framework 2.0
To install .NET Framework:
Microsoft .NET Framework 2.0 is included by default on Windows 2003, and can be downloaded free of charge from the Microsoft website for Windows XP.
Link to .NET framework 2.0 installation package:
3.2.2 Installing Microsoft IIS
To install Microsoft IIS:
1 In Control Panel on your computer, double-click Add or Remove Programs. The Add or Remove Programs window opens.
2 Click Add/Remove Windows Components. The Windows Components Wizard window opens.
3 If you are installing the application on a machine running Windows 2003, check the Application Server checkbox. If you are installing IIS on a machine running Windows XP, check the Internet Information Services checkbox, as shown below:
4 Click Next.
5 The Insert Disk window opens, asking for the utility disc or location that holds the relevant
7 When the wizard notifies you that the installation is complete, as shown in the following figure, click Finish to close the wizard. IIS is now installed.
Note: The Management Server's SSL listener runs on this IIS instance and is reachable from every endpoint, so keep the host patched and do not host unrelated web applications on it.
3.3 Before Installing SafeGuard PortProtector Management Server
1 Verify that all system requirements and prerequisites are met.
2 Make sure that the SafeGuard PortProtector Server machine belongs to the same domain in which you intend to deploy SafeGuard PortProtector policies.
3.4 Installing the Management Server
To install SafeGuard PortProtector Management Server:
1 Locate the Server installation file on your installation CD.
2 Double-click the file. The SafeGuard PortProtector Server Installation window appears:
3 Click Browse to select a destination folder for the extracted installation files.
Note: Make sure that the files are extracted to a local folder. The installation will not run from a
5 Following extraction, you will be asked to select the SafeGuard PortProtector Server language, as shown below:
6 Click Next and read the End User License Agreement. After accepting, click Next again. The Installation Mode step opens:
Select one of the following options:
For a new installation, select the New radio button and proceed to step 9 below.
For the Restore option, refer to Restoring an Existing Management Server (section 3.5).
To join a server cluster, select the Join a Cluster radio button.
The following window opens:
7 Click Next. The Database window opens:
SafeGuard PortProtector can create its own internal database for storing configuration and data. Alternatively, you can use an existing external database.
Note: SafeGuard PortProtector supports MS SQL 2000 and up.
9 Click Next. If you selected to install an embedded database, skip to Step 14.
10 If you have selected to use an existing database server or to join a cluster, the following window opens:
11 In the Database Credentials window, perform the following steps:
a. In the Database Server field, enter the database server name (for a non-default instance use the format server\instance).
b. Under Database authentication mode, click the appropriate radio button to select whether to use MS SQL Security or Microsoft Windows Security.
c. Enter database authentication credentials – User Name and Password. If you selected Microsoft Windows Security you must also enter a Domain name.
12 Click Next. The installation program validates access to the database.
Note:
If a valid SafeGuard PortProtector database already exists on this database server, the following window opens:
14 Click Next to accept the default installation folder, C:\Program Files\Sophos\SafeGuard PortProtector, or click Change to select a different installation folder, then click Next. The Domain Credentials window opens:
16 Click Next.
Users' access to the Management Console is restricted for security reasons. SafeGuard PortProtector does not require its own users and computers database. Instead, credentials are checked against Active Directory and/or local user accounts on the Management Server machine. Following installation, access to the Management Console is restricted to users who have local administrative rights on the computer hosting the Server, as shown below:
17 Click Next. The Communication Port window opens.
The Management Server will use the default SSL port which is defined by the website of the host computer for communicating both with SafeGuard PortProtector Clients and with the Management Console.
Note: If no website is found on the host computer, the same window appears, with the
Windows 2003
On Windows 2003, SafeGuard PortProtector uses two different ports: one to communicate with SafeGuard PortProtector Clients and one to communicate with the Management Console.
The default ports are 443 for Client communications and 4443 for Management Console communications. If you wish, you may change these default ports.
Note: The Sophos-generated certificate is not signed by a trusted Certificate Authority (CA). The Client-Server channel does not depend on it, since Clients authenticate the Server with the organization keys generated during installation (see step 20 below), so in that respect it does not lower the overall security level of the system. It does, however, cause Internet Explorer to display security alerts whenever administrators open the Console installation web page, and a browser cannot tell the genuine Server from another host presenting its own self-signed certificate.
To avoid these alerts, and to let Console machines verify the Server's identity, replace the certificate with one issued by a Certificate Authority that your Console machines trust.
19 Click OK to continue with the installation.
20 Click Next.
In the following window, you will be asked to backup the encryption keys that are generated by SafeGuard PortProtector.
To enhance the security of the system, encryption keys are generated during the installation. These keys are unique to your organization and raise the tampering resistance of your system. The keys are used to encrypt policies and logs as well as for mutual authentication between the Server and the endpoints.
One example for the use of these unique keys is in that endpoints need to be initialized upon installation with the organization's unique keys. From this point on, an endpoint will treat any information (i.e. policy) that does not correlate to the keys as an attempt to circumvent its protection.
For this reason it is highly recommended to backup the keys and store them on another
In order to backup your encryption keys, you need to set a password that will be used to protect the keys:
If you do not want to back up your encryption keys during the installation, check the Do not backup encryption keys now checkbox and click Next.
To back up your encryption keys, click Browse to select a path, then enter a password and confirm it.
Note: The password should be at least 7 characters long and should contain one upper case
In the following window, you will be asked to configure the schedule for automatic system backup to the network, which includes the encryption keys generated by SafeGuard PortProtector.
You may change the default Perform backups interval (Daily, Weekly, Monthly) and the time. The backup path supplied must reside on a network share with write permission for the user provided in the Domain Credentials window (step 16) of the setup wizard. Because the backup contains the keys that Clients use to authenticate the Server, restrict access to that share to this account and to the administrators who would perform a restore. Click Browse to select the Network backup path. Enter a Password and confirm it. If there is a problem with the password you chose (or with the share permissions), the following message is displayed.
22 Once installation has been completed, the following window opens:
23 The SafeGuard PortProtector Management Server has been installed. Check the checkbox at the bottom of the screen if you wish to launch the SafeGuard PortProtector Management Console, and click Finish.
24 If you have chosen to launch the SafeGuard PortProtector Management Console, the Login window opens:
Enter your User Name, Password and Domain and click Login. The application opens, displaying the main window.
3.5 Restoring an Existing Management Server
In some cases you will need to install SafeGuard PortProtector Management Server while maintaining your system unique encryption keys, in order to work with your existing SafeGuard PortProtector Clients. This may happen when you want to migrate the Server from a low-CPU machine to a stronger one, or when recovering from hardware malfunctions.
In order to restore an existing Management Server you will need to provide the encryption keys backup file and the password that was set to protect it.
To restore an existing Management Server:
3 Select the Restore radio button. The following window opens:
4 In the Restore window, select the appropriate radio button according to whether you wish to use SafeGuard PortProtector backup files or connect to an existing external SafeGuard
PortProtector MS SQL database. If you select the second option, Connect to an existing
5 Click Next. The Backup Files window opens:
6 Enter the path to your keys backup file and the password protecting it.
If you have saved your previous installation configuration (policies, queries etc.), you can restore the configuration as well. Do this by checking the checkbox and selecting the path to the configuration backup file.
Note: To learn how to restore logs, refer to Restoring Logs (section 3.5.1).
8 If you have selected to use an existing database server, the following window opens:
9 In the Database Credentials window, perform the following steps:
a. In the Database Server field, enter the database server name (for a non-default instance use the format server\instance).
b. Under Database authentication mode, click the appropriate radio button to select whether to use MS SQL Security or Microsoft Windows Security.
c. Enter database authentication credentials – User Name and Password. If you selected Microsoft Windows Security you must also enter a Domain name.
10 Click Next. The installation program validates access to the database.
Note: If validation fails, re-enter the correct information, or click Cancel to exit the installation wizard.
3.5.1 Restoring Logs
The need may arise to restore version 3.2 logs that you have previously backed up. This may happen in one of the following cases:
You wish to upgrade or replace your version 3.2 Management Server machine
Upgrading from version 3.2 to a higher version fails and rolls back to version 3.2 without logs.
Note: This utility only restores logs from and to an embedded SafeGuard PortProtector database, since backing up and restoring logs on an external database is handled by your DBA.
Log restoring is performed using the Log Restore Utility. Running this utility deletes the existing log tables, and restores the exact log schema from the backup file. Log views are created automatically when starting the Management Server.
To view Log Restore Tool version (optional):
1 Locate RestoreTool.exe in your SafeGuard PortProtector Management Server installation folder under the "bin" folder (if you installed in the default destination folder the path is \Program Files\Sophos\SafeGuard PortProtector\Management Server\Bin).
2 Run RestoreTool.exe using the following syntax: RestoreTool version
The command returns the assembly version of RestoreTool.exe.
To restore logs:
1 Stop the Management Server.
2 Locate RestoreTool.exe in your SafeGuard PortProtector Management Server installation folder under the "bin" folder (if you installed in the default destination folder the path is \Program Files\Sophos\SafeGuard PortProtector\Management Server\Bin)
3 Run RestoreTool.exe using the following syntax: RestoreTool restore -backupFile [-silent ] [-verbose ]
The program notifies you of any errors in the restore process. If there are no errors, your log data and structure are restored.
4 Start the Management Server.
3.6 Upgrading the Management Server
Upgrading from a previous version of SafeGuard PortProtector to this new version 3.3 SP5 is not supported. Customers will have to uninstall the older version and re-install the SP5 version. Also the policies will not be migrated. If customers have purchased professional services, we can help in the migration of policies.
3.7 Upgrading in a Clustered Environment
Upgrading in a clustered environment is not supported due to the rebranding of the product.
3.8 Post-Installation Settings (Checklist)
The SafeGuard PortProtector Management Server installation package defines default settings for system behavior which you can find under Administration and Global Policy Settings (both available from the Tools menu in the SafeGuard PortProtector Management Console). Once you complete installing SafeGuard PortProtector Management Server and access the
Management Console, you may want to visit these windows and set the parameters relevant to your environment.
3.8.1 Checklist for the Most Critical Settings in the Administration Window:
1 Policy Publishing Method – Select the format and destination for publishing policies.
2 Encryption Keys Backup – Back up the encryption keys if you did not do so during installation.
3 Client Installation Folder – Set a shared folder for creating client installation files. You will need these files in order to install clients.
3.8.2 Checklist for the Most Critical Settings in the Global Policy Settings Window:
1 Log Transfer Interval – Define the frequency with which logs are sent from endpoints to the Server.
Important:
Take extra care while configuring the Logs Transfer Interval in order not to burden your network and endpoints with excessive log sending.
Consider the following:
The number of endpoints in your network
The number of expected events from each endpoint (client and file logs)
The level of need for "real time" log information in the Management Console
During installation, the default log interval is set to 90 minutes. In the case of large scale deployments, please consult Sophos Support in order to optimize your settings.
2 Clients Uninstall Password – Change the default password to your own preference.
Important:
Upon product installation the password is set to "Password1". This default is published (it appears in this guide), so anyone who knows it can uninstall the Client from an endpoint. Since the password is one of the foundations of the Client's tampering resistance, change it as soon as you start deploying the product in a production environment.
Important:
Make sure you have created a backup for the Server encryption keys. This will prevent situations in which you cannot uninstall Clients due to password loss.
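A post-installation check that goes with the certificate note in section 3.4 and with the Console installation web page in section 4.3: before rolling out Consoles, confirm that the Management Server presents a certificate the Console machines will actually trust, and record the fingerprint of what it serves. This is an added example written for this guide, not Sophos code and not part of the product. The host name ppserver.example.local and the port 4443 are illustrative assumptions, and the certificate dictionaries used in the self-test are constructed in the format returned by Python's ssl.getpeercert(), not captured from a real server.

```python
# Added example (not Sophos code): check the certificate offered on the
# Management Server's SSL port. Host/port defaults below are assumptions.
import hashlib
import socket
import ssl
import sys
import time


def _name_to_dict(rdn_sequence):
    """Flatten the subject/issuer structure from ssl.getpeercert() into a dict."""
    out = {}
    for rdn in rdn_sequence:
        for attr_type, value in rdn:
            out[attr_type] = value
    return out


def assess_cert(cert, now=None):
    """Classify a certificate dict in ssl.getpeercert() format.

    Flags the two conditions worth catching after installation: a self-signed
    certificate (issuer == subject, which is what the installer generates)
    and expiry. 'now' is seconds since the epoch; defaults to the current time.
    """
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    now = time.time() if now is None else now
    seconds_left = ssl.cert_time_to_seconds(cert["notAfter"]) - now
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "self_signed": subject == issuer,
        "days_left": int(seconds_left // 86400),
        "expired": seconds_left < 0,
    }


def sha256_fingerprint(der_bytes):
    """Colon-separated SHA-256 fingerprint, as shown by certificate viewers."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def probe_server(host, port, timeout=5.0):
    """Connect to the Server's SSL port and report what it presents.

    'trusted' is what a browser on this machine would conclude: True only if
    the chain validates against the local trust store and the name matches.
    The leaf fingerprint is always reported so it can be compared with the
    certificate you installed on the Server.
    """
    report = {"host": host, "port": port}
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host) as tls:
                report["trusted"] = True
                report["fingerprint_sha256"] = sha256_fingerprint(
                    tls.getpeercert(binary_form=True))
                report.update(assess_cert(tls.getpeercert()))
                return report
    except ssl.SSLCertVerificationError as exc:
        report["trusted"] = False
        report["verify_error"] = exc.verify_message
    # Verification failed (e.g. the installer's self-signed certificate):
    # reconnect without verification only to read the leaf fingerprint.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with lax.wrap_socket(raw, server_hostname=host) as tls:
            report["fingerprint_sha256"] = sha256_fingerprint(
                tls.getpeercert(binary_form=True))
    return report


if __name__ == "__main__":
    # Illustrative defaults: Console port 4443 on Windows 2003 (section 3.4).
    target_host = sys.argv[1] if len(sys.argv) > 1 else "ppserver.example.local"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 4443
    for key, value in probe_server(target_host, target_port).items():
        print(f"{key}: {value}")
```

Run it from a machine that will host a Console, against both the Client port and the Console port. A result of trusted: False with a self-signed fingerprint means the installer's certificate is still in place and every Console user will see the browser warning described in section 3.4; after replacing the certificate, the fingerprint reported here should match the one you installed.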
3.9 Uninstalling SafeGuard PortProtector Management Server
To uninstall the Management Server:
1 Open Add or Remove Programs in your Control Panel.
2 Select the SafeGuard PortProtector Management Server from the list, and click Remove as described below:
Note: Uninstalling SafeGuard PortProtector Management Server will delete the SafeGuard
3.10 Changing your Database
If you wish to change from using a SafeGuard PortProtector embedded database to an external MS SQL database, or vice versa, you can do so by using the Restore option as explained in Restoring an Existing Management Server (section 3.5) and selecting the new database type.
Note: You can only change your database if you are using version 3.2 and above.
Note: Changing your database will result in loss of previous logs. Previous policies are transferred to
4 Installing SafeGuard PortProtector Management Console
About This Chapter
This chapter describes how to install the SafeGuard PortProtector Management Console. It contains the following sections:
Prerequisites, describes the prerequisites of the Management Console.
Installing Prerequisite Software, describes how to install Microsoft .NET framework.
Installing SafeGuard PortProtector Management Console, describes two methods for installing the Console.
Launching SafeGuard PortProtector Management Console for the First Time, describes how to launch SafeGuard PortProtector Management Console.
4.1 Prerequisites
4.1.1 Operating System
Windows XP Professional (SP1-2) 32-bit
Windows 2003 Server (SP0-2) 32-bit
4.1.2 Hardware
Pentium 800 MHz
256 MB RAM
50 MB HDD space
4.1.3 Software
Microsoft .NET Framework 2.0 installed
4.2 Installing Prerequisite Software
4.2.1 Installing Microsoft .NET Framework 2.0
To install .NET Framework
Refer to Installing Prerequisite Software in section 3.2.
4.3 Installing SafeGuard PortProtector Management Console
SafeGuard PortProtector Management Console can be installed and run from any computer on your network. The first console is installed on the same machine that hosts the Management Server as part of the Server installation, and additional consoles can be installed on any machine in your domain that meets the prerequisites.
4.3.1 Installing the Console from the Installation Web Page
SafeGuard PortProtector Management console features a 'One-click' deployment process which gives you easy access to installing the Management Console by pointing your browser to the SafeGuard PortProtector Management Server address. This method automatically keeps all your Management Consoles up-to-date with the latest software version of the Management Server, and is therefore the recommended installation method.
To install the Management Console from the installation web page:
1 On the target machine, open the installation web page. The link has the following format:
https://<servername>:<serverport>/SafeGuardPortProtector/consoleinstall.aspx
Tip:
You may also use a shorter link format:
https://<servername>:<serverport>/SafeGuardPortProtector
(This address can be found in the General tab of the Administration window, which you can access from the Management Console's Tools menu).
The page contains the following:
A link to the Microsoft .NET Framework 2.0 installation package.
A link to the Management Console installation package.
Server details.
2 If the machine on which you wish to install an additional Console does not have .NET framework installed, enter the link and install it before proceeding with the Management Console installation.
5 Click Next. The Select Installation Folder window opens:
6 In the Select Installation Folder window, select the folder in which the SafeGuard PortProtector Management console will be installed. The default folder is C:\Program Files\Sophos\SafeGuard PortProtector\. If you wish to install the Management Console in a different folder, click the
Browse button and select the desired folder.
7 Select one of the following options by clicking its radio button:
Click Next. The following window opens:
9 Once the installation completes, the following window opens:
10 Click Close to exit.
11 Open the Management Console application by clicking the icon on your desktop or from
12 Depending on the browser you are using, the following message may appear:
Fill in the server name and port as they appear on the installation web page, and click Connect.
13 The Login window appears:
4.3.2 Installing SafeGuard PortProtector Management Console Manually
To manually install the Management Console:
1 Locate the ManagementConsole.msi file on your CD and run it. The setup window opens:
4.4 Launching SafeGuard PortProtector Management Console for the First Time
1 Click the icon on your desktop, OR
Go to Start > Programs > SafeGuard PortProtector > Management Console. The application opens for the first time:
Each time the Management Console connects to the Server, it automatically downloads the latest version of the Management Console (if an update exists). Because the Console fetches and runs code from the Server on every connection, each Console machine depends on the Server host being trustworthy and on being able to verify that it is talking to the genuine Server (see the certificate note in section 3.4). Once the updated files are downloaded, the window closes, and the following window opens:
3 If you are evaluating the software, click Remind Me Later OR
Click Enter License Key if you have a valid Sophos license, and enter your Sophos license key as described in the SafeGuard PortProtector User help, Chapter 7, Administration.
SafeGuard PortProtector Management console opens, displaying the main window.
4.5 Uninstalling SafeGuard PortProtector Management Console
To uninstall the Management Console:
1 From the Control Panel, open Add or Remove Programs.
2 From the list, select SafeGuard PortProtector Management Console and click Remove.
Note: Uninstalling SafeGuard PortProtector Management Console does not cause any information
5 Installing SafeGuard PortProtector Client
About This Chapter
This chapter describes the various methods for installing, or deploying, SafeGuard PortProtector Client. It also explains how to uninstall and upgrade SafeGuard PortProtector Client. It contains the following sections:
Prerequisites, page 55, describes the prerequisites of the SafeGuard PortProtector Client.
Before Deploying SafeGuard PortProtector Client, page 55, describes the steps you need to take before installing SafeGuard PortProtector Clients.
Installing SafeGuard PortProtector Client, page 58, describes the following installation methods:
Automatic Client Installation (through Active Directory)
Automatic Client Installation (generic)
Manual Installation
Upgrading SafeGuard PortProtector Client, page 65, describes how to upgrade SafeGuard PortProtector Client from V2.0 to V3.x.
Defining Endpoint Behavior during Installation, page 71, describes how to define the endpoint's device-restart and reboot behavior after installation.
5.1 Prerequisites
5.1.1 Operating System
Windows 2000 Professional (SP3-4) 32-bit
Windows 2000 Server (SP3-4) 32-bit
Windows 2000 Advanced Server (SP3-4) 32-bit
Windows XP Professional (SP1-2) 32-bit
Windows 2003 Server (SP0-2) 32-bit
Windows Vista Business/Enterprise/Ultimate (SP1-2) 32-bit
Windows 7 Business/Enterprise/Ultimate 32-bit
5.1.2 Hardware
Pentium 800 MHz
256 MB of RAM
50 MB HDD space
5.1.3 Software
None required
5.2 Before Deploying SafeGuard PortProtector Client
In order to install SafeGuard PortProtector Client, you must first install the Management Server. This is necessary in order to raise the security level of the system: each installed Client is "imprinted" with the encryption keys of the Server through the generated ClientConfig.scc file. From the point of installation, SafeGuard PortProtector Client knows the keys it uses when communicating with the Server, and it will not accept any policy from, or perform any communication with, a Server that does not hold matching keys. Because the generated installation files carry this key material, grant read access to the shared installation folder only to the accounts that need it (the computer accounts or the deployment tool that install the Client).
To generate SafeGuard PortProtector Client installation files:
2 In the Administration window that opens, click the Clients tab on the left. The
Administration-Clients window opens:
3 Select a shared folder as the Client installation folder. Once the files are created, the following message appears:
5.3 Installing SafeGuard PortProtector Client
There are three ways to install the SafeGuard PortProtector Client:
Automatically through the Active Directory Group Policy Management.
Automatically using any corporate software deployment tool, such as SMS and Tivoli.
Manually by running the installation wizard on each computer.
5.3.1 Automatic Client Installation (Active Directory)
Automatic SafeGuard PortProtector Client installation is performed using Active Directory's Group
Policy Management (if installed) and Active Directory's Users and Computers. These options enable
you to define a GPO that will distribute the SafeGuard PortProtector Client to the OUs (computer or user groups) of your choice. When this option is used, the clients are installed in Silent mode.
To automatically install the SafeGuard PortProtector Client:
1 Open the Active Directory Users and Computers window.
2 Right-click the OU to which to install the SafeGuard PortProtector Client and select Properties. The User Properties window opens.
3 In the User Properties window, select the Group Policy tab. This tab looks different depending on whether the Group Policy Management Console is installed or not.
5 Click Add to add the SafeGuard PortProtector deployment GPO, name it, then right-click that GPO and select Edit. Go to Step 9 below.
6 If the Group Policy Management console is installed, click Open in the Group Policy tab to display the Group Management window, as shown below:
7 In the OU tree display on the left pane, select the OU to which to install the SafeGuard PortProtector Client. The right pane displays the GPOs that are already assigned to this OU.
8 Add a GPO that installs software to this OU. Right-click on the OU and select Create and Link a
9 Right-click the SG PP deployment GPO and select Edit. The Group Policy window is displayed. An example is shown below:
10 Under Computer Configuration in the tree on the left, right-click Software Settings and select
New, and then select Package, as shown below (the right pane may display names of other
A file selection window is displayed.
11 Locate the shared folder in which you selected the Client installation files to be created. This folder must contain both the SafeGuardPortProtectorClient.msi and ClientConfig.scc files. If you are deploying Clients to XP 64-bit machines, use the files under the XP64Bit sub-folder.
12 Browse to the full UNC path of the SafeGuard PortProtector Client installation file named SafeGuardPortProtectorClient.msi, select it and click Open. Make sure this path includes the ClientConfig.scc file.
14 Select Assigned and click OK. Wait a few moments while the MSI is added.
a. When installing the SafeGuard PortProtector Client in a language other than English (German, Japanese):
b. Select the Modifications tab from the dialog box and click Add.
15 Prepare the endpoints of your organization for automatic installation, as described in the
Preparing an Endpoint for Automatic Installation section below.
16 In some rare cases, a restart may be required on the endpoint computer. If so, a message will be displayed.
5.3.1.1 Preparing an Endpoint for Automatic Installation
In order to install the SafeGuard PortProtector Client, the target computers must be able to reach the shared network folder when the system is rebooted. Because assigned software is installed at startup under the computer account, the computer accounts (for example, the Domain Computers group) need read permission on both the share and its NTFS folder. If the target computers are running Windows XP, you must enable the Always wait for the network at computer startup and logon policy, which can be found under Computer Configuration | Administrative Templates | System | Logon (it sets the registry value SyncForegroundPolicy=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon, which is a quick way to confirm on an endpoint that the policy has been applied).
The next time a computer or user in this OU reboots, SafeGuard PortProtector client will be deployed to it.
Note: In some cases, depending on the Domain configuration, it may take some time for the GPO
5.3.2 Automatic Client Installation (Generic)
In order to install using a third-party corporate software management solution, follow the procedure below.
To perform a generic automatic client installation:
1 Locate the shared folder in which you have selected the Client installation files to be created. This folder should contain both the SafeGuardPortProtectorClient.msi and ClientConfig.scc files.
2 Create a batch file containing the following command, which installs the Protector Client silently:
msiexec /i DriveName:\InstallationPath\SafeGuardPortProtectorClient.msi /qn
When installing the Protector Client in a language other than English, add the TRANSFORMS property, pointing at the full UNC path of the .mst file:
msiexec /i DriveName:\InstallationPath\SafeGuardPortProtectorClient.msi TRANSFORMS="\\InstallationPath\MSTFileName.mst" /qn
(This must be written on a single line.) The installer reads ClientConfig.scc from the folder that contains the .msi file, so the path you use must point at the shared folder holding both files.
5.3.3 Manual Client Installation
You can manually install the SafeGuard PortProtector Client on each computer in your organization that needs to be protected.
To manually install the SafeGuard PortProtector Client:
1 Run SafeGuardPortProtectorClient.msi. If you are deploying Clients to XP 64-bit machines, use the files under the XP64Bit sub-folder. The installation wizard opens:
3 In the License Agreement window, select the I accept the terms in the license agreement radio button and click Next. The Destination Folder window opens:
5 Click Next. The Select Client Configuration File window opens:
6 Select the Client configuration file ClientConfig.scc. This file is necessary in order for the Client to read encrypted company policies, as well as to set the default uninstall password. It is generated by the SafeGuard PortProtector Management Server, and is typically found in the same folder as the Client installation file.
Note: If you are unsure where this file is, ask your system administrator, or generate a new one as
7 Click Next. The Ready to Install the Program window opens:
In this window, click Back to review or modify your installation settings, or click Cancel to cancel and exit the installation process.
This window contains a Status bar that displays the progress of the installation process. Installation may take several minutes.
Note: During this installation, some of the devices attached to your computer may temporarily stop
functioning. The devices will resume functioning once the installation is completed. When the installation is complete, the following window opens:
9 Click Finish to exit the installation wizard. SafeGuard PortProtector Client is now installed on the endpoint.
Note: In some cases, depending on the computer's hardware configuration, restart is required
5.4 Upgrading SafeGuard PortProtector Client
5.4.1 Upgrading the Client via Active Directory
In order for your endpoints to install the new version of the product, add the new .msi file as a new software installation package in the deployment GPO (repeat the steps above). The endpoints will be updated automatically on their next reboot.
5.4.2 Upgrading the Client Manually
To upgrade the Client manually:
1 Double-click the SafeGuardPortProtectorClient.msi. SafeGuard PortProtector automatically uninstalls your previous version of the product and updates it with the new version.
2 Following the upgrade, you must reboot the computer on which it was performed (a message will appear requesting you to reboot, unless you have set this message not to appear as explained in the following section).
5.5 Defining Endpoint Behavior during Installation
By default, the process of installing SafeGuard PortProtector Client involves restarting of most of the peripheral devices on the endpoint in order to immediately start enforcing the policy. This may cause temporary disconnection from the network in the final stages of the installation.
Additionally, in some rare cases, this may also require the computer to reboot.
Administrators who use third-party products to deploy software may find it useful to specify that the "restart devices" process is not performed, in order to avoid network disconnection during installation.
You can control both device restart and reboot behavior by defining whether they should be performed during installation.
To define endpoint behavior during installation:
1 To determine the device-restart and reboot behavior during installation, open the ClientConfig.scc file in a text editor.
2 Scroll down to the end of the file and add a new section named [installparams] at the end.
3 Under it, add the InstallMethod parameter with one of the values in the table below:
Parameter                  Meaning
InstallMethod=0            The installation WILL perform "restart devices" and WILL display a reboot request message when required.
                           This option ensures instant protection: following installation, all your endpoints immediately start enforcing the policy.
InstallMethod=1            The installation WILL perform "restart devices" and WILL NOT display a reboot request message, even if a reboot is required.
InstallMethod=2 (default)  The installation WILL NOT perform "restart devices" and WILL display a reboot request message when required.
                           This option allows you to significantly shorten the installation process and to use third-party applications for deploying the Client without network disconnection.
                           By enforcing the reboot, you can make sure the policy is enforced immediately afterwards.
InstallMethod=3            The installation WILL NOT perform "restart devices" and WILL NOT display a reboot request message, even if a reboot is required.
                           This option allows you to perform a totally silent installation, with no messages to the user and without causing network disconnections.
                           However, the policy is not enforced until the next reboot.
Important: When using options 1 and 3, the operating system may become unstable when devices
connect to the monitored ports. It is highly important that you make sure the endpoint performs a reboot as soon as possible after completion of the installation process.
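The following PowerShell script is an added example, not Sophos code, that wraps the generic silent installation of section 5.3.2 and the InstallMethod setting of section 5.5 for use from a third-party deployment tool. The share name, the MST file name, the log location and the treatment of msiexec exit codes are assumptions; the guide itself only specifies the msiexec command line, the [installparams] section and its values. Run it once with -Mode Prepare from an administrator's workstation that has write access to the share, then with -Mode Install on each endpoint (PowerShell 2.0 or later).

```powershell
# Added example (not Sophos code): prepares ClientConfig.scc and installs the
# client silently for a third-party deployment tool (sections 5.3.2 and 5.5).
# Assumed: share name, MST file name, log path and exit-code handling.
param(
    [ValidateSet('Prepare', 'Install')]
    [string]$Mode = 'Install',
    [string]$InstallShare  = '\\fileserver\SGPPClient$',   # assumed share with the generated client files
    [ValidateSet(0, 1, 2, 3)]
    [int]   $InstallMethod = 3,                           # 3 = no device restart, no reboot prompt (section 5.5)
    [string]$Transform     = '',                          # e.g. 'German.mst' for a non-English client (assumed name)
    [string]$LogDir        = "$env:SystemRoot\Temp"
)
$ErrorActionPreference = 'Stop'

$msi = Join-Path $InstallShare 'SafeGuardPortProtectorClient.msi'
$scc = Join-Path $InstallShare 'ClientConfig.scc'

# Section 5.5, run once by the administrator: make sure ClientConfig.scc ends
# with [installparams] / InstallMethod=<n>. The file carries the server key
# material, so it is only appended to, never rewritten.
function Set-InstallMethod([string]$Path, [int]$Method) {
    $existing = Get-Content -LiteralPath $Path |
        Where-Object { $_ -match '^\s*InstallMethod\s*=' } | Select-Object -First 1
    if ($null -eq $existing) {
        Add-Content -LiteralPath $Path -Value @('', '[installparams]', "InstallMethod=$Method")
        return $Method
    }
    $current = [int]($existing -replace '^\s*InstallMethod\s*=\s*', '')
    if ($current -ne $Method) {
        throw "ClientConfig.scc already contains InstallMethod=$current; edit it by hand before deploying with $Method"
    }
    return $current
}

# Section 5.3.2, run on each endpoint: silent install with a verbose log and
# explicit exit-code handling. Returns $true when a reboot is still needed.
function Install-PortProtectorClient {
    # The client is imprinted with the server keys from ClientConfig.scc, so the
    # MSI must not be run unless that file sits beside it in the same folder.
    foreach ($f in @($msi, $scc)) {
        if (-not (Test-Path -LiteralPath $f)) { throw "Required installation file missing: $f" }
    }
    $log = Join-Path $LogDir 'SGPP-client-install.log'
    $msiArgs = @('/i', "`"$msi`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    if ($Transform) {
        $mst = Join-Path $InstallShare $Transform           # full UNC path, as the guide requires
        $msiArgs += "TRANSFORMS=`"$mst`""
    }
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { $rebootPending = $false }
        3010    { $rebootPending = $true }    # ERROR_SUCCESS_REBOOT_REQUIRED
        default { throw "msiexec exited with code $($proc.ExitCode); see $log" }
    }
    # With InstallMethod 1 or 3 the endpoint shows no reboot prompt, yet the
    # guide requires a reboot as soon as possible after installation.
    if (@(1, 3) -contains $InstallMethod) { $rebootPending = $true }
    return $rebootPending
}

switch ($Mode) {
    'Prepare' {
        Set-InstallMethod -Path $scc -Method $InstallMethod | Out-Null
        Write-Output "ClientConfig.scc set to InstallMethod=$InstallMethod"
    }
    'Install' {
        if (Install-PortProtectorClient) {
            Write-Output 'Client installed; reboot this endpoint as soon as possible to enforce the policy.'
            exit 3010    # let the deployment tool schedule the reboot
        }
        Write-Output 'Client installed and policy enforcement active.'
    }
}
```

The script exits with 3010 whenever a reboot is outstanding, whether Windows Installer reported it or InstallMethod 1 or 3 suppressed the prompt, so the deployment tool can treat that code as "schedule a reboot" rather than as a failure.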
5.6 Uninstalling SafeGuard PortProtector Client
You can uninstall SafeGuard PortProtector Client either manually or silently via a GPO. The uninstall process is password protected, using a global password or a policy-specific password which you defined in the Policies World in SafeGuard PortProtector Management Console (refer to SafeGuard PortProtector User help, Chapter 3, Defining Policies).
5.6.1 Uninstalling Manually
To uninstall manually:
2 Select SafeGuard PortProtector Client and click Change. The install wizard opens:
4 Enter the uninstall password that you defined in the Policies World in SafeGuard PortProtector Management Console (refer to SafeGuard PortProtector User help, Chapter 3, Defining Policies) and click Next. The following window opens:
6 Click Remove to remove SafeGuard PortProtector Client. The uninstall process begins and the following status window appears:
7 Click Finish. SafeGuard PortProtector Client is uninstalled and no longer protecting the computer.
Note: After uninstalling you must reboot the computer before you can reinstall SafeGuard PortProtector.
5.6.2 Uninstalling SafeGuard PortProtector via GPO
Since the SafeGuard PortProtector uninstall procedure is password protected, it is not possible to use the automatic uninstall feature in the GPO software installation package. Therefore, to uninstall the SG PP, a startup script must be used.
There are two ways to uninstall SafeGuard PortProtector Client. The first and recommended option is to unlink the SG PP Install GPO from the OU containing the client computers, and to apply a NEW GPO containing an uninstall script, as shown in steps 6-11 below. The second option is to edit the SG PP Deployment GPO.
To uninstall SG PP via a GPO:
1 Edit the relevant Group Policy applied to the client computers from which the SafeGuard PortProtector is to be uninstalled.
2 Navigate to Computer Configuration > Software Settings > Software Installation.
3 Right-click the SafeGuard PortProtector object and select All Tasks > Remove.
4 Select the Allow users to continue to use the software, but prevent new installations radio button.
5 Click the OK button.
6 Create a new GPO named Protector Uninstall, right-click the new GPO and select Edit.
7 Navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) and select Startup.
8 Click the Show Files button and create a new text document containing the following command (quote the password if it contains spaces):
msiexec.exe /x "\\full UNC path to SG PP shared install folder\SafeGuardPortProtectorClient.msi" /qn UNINSTALL_PASSWORD="uninstall password"
Note: The uninstall command in the batch file (shown above) must be written on one line. The actual uninstall takes place only after the computer is rebooted, because startup scripts run at boot. Be aware that the batch file, and the uninstall password in it, are stored in the domain's SYSVOL share, which every authenticated domain user can read by default; once the uninstall has completed on all target computers, unlink the GPO, delete the script and change the uninstall password in the policy.
11 Save the file with a *.bat extension.
12 Close the folder, click the Add button and then the Browse button.
13 Select the newly created batch file and click the OK button.
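As an added example, not Sophos code, the following PowerShell script does the same job as the batch file above but first checks whether the Client is still installed and removes it by its Windows Installer product code, so that it does nothing on later boots and does not depend on the share being reachable. It assumes the Add or Remove Programs entry is named SafeGuard PortProtector Client (the name shown in section 5.6.1), that the endpoints run PowerShell 2.0 or later, and that the deployment tool or the GPO's Script Parameters field supplies the password. Wherever that password is stored it is readable by whoever can read the script's parameters, so change the uninstall password in the policy once the uninstall is complete.

```powershell
# Added example (not Sophos code): startup-script style uninstall that locates
# the client by its Add or Remove Programs entry and removes it with msiexec.
# Assumed: the DisplayName 'SafeGuard PortProtector Client' and the log path.
param(
    [Parameter(Mandatory = $true)]
    [string]$UninstallPassword,                  # the policy's uninstall password (section 5.6)
    [string]$LogDir = "$env:SystemRoot\Temp"
)
$ErrorActionPreference = 'Stop'

# Returns the Windows Installer product code ({GUID}) of the installed client,
# or $null when no such Add or Remove Programs entry exists.
function Get-PortProtectorProductCode {
    $roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in (Get-ChildItem -LiteralPath $root)) {
            $entry = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if ($entry.DisplayName -like 'SafeGuard PortProtector Client*' -and
                $key.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
                return $key.PSChildName
            }
        }
    }
    return $null
}

# Runs the password-protected uninstall silently and returns the msiexec exit code.
function Uninstall-PortProtectorClient([string]$ProductCode, [string]$Password, [string]$Log) {
    # UNINSTALL_PASSWORD is passed as a public MSI property, as in the guide's batch file.
    $msiArgs = @('/x', $ProductCode, '/qn', '/norestart', '/l*v', "`"$Log`"",
                 "UNINSTALL_PASSWORD=`"$Password`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

$code = Get-PortProtectorProductCode
if ($null -eq $code) {
    Write-Output 'SafeGuard PortProtector Client is not installed on this computer; nothing to do.'
    exit 0
}
$log = Join-Path $LogDir 'SGPP-client-uninstall.log'
$rc  = Uninstall-PortProtectorClient -ProductCode $code -Password $UninstallPassword -Log $log
switch ($rc) {
    0       { Write-Output "Client $code removed." }
    3010    { Write-Output "Client $code removed; reboot before reinstalling (see the note in section 5.6.1)." }
    default { Write-Warning "msiexec exited with code $rc (1603 is Windows Installer's generic fatal error; check $log, for example for a rejected uninstall password)" }
}
exit $rc
```

Removing by product code rather than by the .msi path means the script keeps working after the installation share has been retired, and the registry check makes it safe to leave linked for a few boots while stragglers catch up.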
5.6.3 SafeGuard PortProtector Client Cleanup Utility
A Client cleanup utility is available for use when you cannot uninstall SafeGuard PortProtector Client from an endpoint using the processes described above. This may happen in the following cases:
a. SafeGuard PortProtector Client is protecting the endpoint properly, but it cannot be found under the Control Panel's Add or Remove Programs option.
b. Running the Client uninstall (Remove) wizard fails.
c. The Client is not functioning properly (e.g. it is in Panic mode) and will not accept your Client Uninstall password.
d. You have forgotten the Client Uninstall password and cannot update the Client's policy with a new policy in which you have set a new Uninstall password.
To run the Client Cleanup utility:
3 Supply the computer-specific Cleanup Token to Sophos support. Once you receive your cleanup key from Sophos support, enter it in the Cleanup Key field.
4 In Operating System, select either Current Operating System or Another Operating System on this machine. If you choose the second option, click Browse to locate the other operating system on the computer. Note: if you choose a Windows 2000 operating system, the path is C:\winnt\system32.
5 Click Cleanup Now. The Client cleanup process begins and a progress bar shows its progress. This may take a few minutes. Once cleanup is complete, the following window appears:
6 Appendix A - OPSEC™ Interoperability
About This Appendix
This appendix explains how Check Point™'s VPN-1®/FireWall-1® SecureClient™ (referred to from here on as SecureClient) interacts with SafeGuard PortProtector Client to enhance your network's security. It contains the following sections:
What is OPSEC™, page 82, describes Check Point's OPSEC™ and its benefits.
OPSEC™ and SafeGuard PortProtector, page 82, describes how Sophos interfaces with OPSEC™.
Preparing SafeGuard PortProtector Client, page 82, describes the preparations you need to do on the SafeGuard PortProtector side in order to apply OPSEC™.
Configuring your SCV Policy, page 83, describes the preparations you need to do on the VPN-1®/FireWall-1® side in order to apply OPSEC™.
Installing Updated SCV Policy to SecureClients, page 89, explains how to install the updated SCV Policy to SecureClient.
SafeGuard PortProtector SCV Check Parameters, page 92, describes the checks that can be performed on SafeGuard PortProtector Client and provides examples.
Note: The instructions in this appendix assume that SecureClient is already installed on the required
6.1 What is OPSEC™
Check Point's OPSEC™ (Open Platform for Security) integrates and manages all aspects of network security through an open, extensible management framework. SafeGuard PortProtector can plug into this framework to provide you with a comprehensive security solution.
Using this solution, an SCV Check (a DLL) queries the security-relevant configuration of a client and reports to SecureClient whether the configuration is "Verified" or "Not Verified". When the configuration is not verified, SecureClient prohibits access to the organizational network.
6.2 OPSEC™ and SafeGuard PortProtector
Sophos provides a DLL which can perform several checks of SafeGuard PortProtector Client, the results of which are reported to SecureClient. In addition to checking for the existence of SafeGuard PortProtector Client, these checks may include one or more of the following parameters:
Policy ID
Policy update date/time
Version number
Protection Status
Server ID
An explanation of these parameters appears in SafeGuard PortProtector SCV Check Parameters, page 92.
When one or more of the checks fail, the computer configuration is not verified, and SecureClient blocks the endpoint from accessing the organizational network.
6.3 Preparing SafeGuard PortProtector Client
Sophos provides a DLL that interfaces with SecureClient, specifically with its SCV Policy, which you should install to the required endpoints:
1 If you haven't done so, install SafeGuard PortProtector Client as explained in Chapter 5, Installing SafeGuard PortProtector Client, page 54.
Important: SecureClient must already be installed on target computers before you install the
SafeGuardPortProtectorScv DLL.
Note: If you install SafeGuardPortProtectorScv manually while SecureClient is active, the latter will stop/start the service. In this case, reconnect it.
6.4 Configuring your SCV Policy
The SCV Policy is SecureClient's security policy, into which third party applications such as SafeGuard PortProtector can plug in. An SCV Policy may include one or more SCV Checks, each relating to a different application. SafeGuard PortProtector's SCV Check, namely
SafeGuardPortProtectorScv, must be added to the SCV Policy and then installed to the required SecureClients. This process includes three steps:
Step 1: Adding the SafeGuard PortProtector SCV Check to your SCV Policy
Step 2: Adding SafeGuard PortProtector parameters to your SafeGuard PortProtector SCV Check
Step 3: Installing your SCV Policy to the required SecureClients
Steps 1 and 2 may be performed using SCVEditor™ (recommended), explained immediately below, or using any text editor.
6.5 Configuring SCV Policy using SCVEditor™
As mentioned above, it is recommended that you configure your SCV Policy using SCVEditor™, as explained immediately below. If you wish to configure the SCV Policy using a text editor, refer to Configuring SCV Policy using a Text Editor on page 86.
6.5.1.1 Adding SafeGuard PortProtector SCV Check to SCV Policy
The SafeGuard PortProtector SCV Check – SafeGuardPortProtectorScv – must be added to your SCV Policy (local.scv), located in the $FWDIR/conf directory of the VPN-1®/FireWall-1® Management Server.
To add the SCV Check using SCVEditor™:
1 From SCVEditor™'s main window, open local.scv:
2 From the left-hand pane of the SCVEditor™ main window, right-click Products, and select Add. The following window opens:
4 From the left-hand pane, right-click SafeGuardPortProtectorScv and select Enforce. SafeGuardPortProtectorScv now appears in the bottom half of the right-hand pane of the main window:
5 In the Global SCV Parameters section of the main window, set Block connection on SCV unverified on/off and the Expiration Time value as desired.
6 Click Save from the toolbar or from the File menu to save the updated SCV Policy.
6.5.1.2 Adding SafeGuard PortProtector Parameters to the SCV Check
The SCV Check may include several parameters whose value you wish to check in order to verify SecureClient's connection. Refer to SafeGuard PortProtector SCV Check Parameters, page 92, for a list of available parameters including explanations and examples of how to define and use them.
1 To add parameters, right-click in the blank workspace on the right-hand side and select New.
2 Enter the parameter Name and its Value.
In the figure above you can see how to add the MinimumVersion parameter and its value. In this example, if the SCV Check determines that the SafeGuard PortProtector Client version is not equal to or greater than 3.0.12444, the Client will not be verified and will not be allowed to connect to the organizational network.
3 Click OK. The parameter is now added to SafeGuardPortProtectorScv.
4 Perform steps 1 and 2 for each parameter you wish to add. Each parameter you have added is shown in the workspace as follows:
5 Click Save from the toolbar or from the File menu to save the updated SCV Policy.
6.5.2 Configuring SCV Policy using a Text Editor
Another way to configure your SCV Policy is to edit local.scv directly using a text editor. Three examples are provided below.
Example 1 is a general SCV Policy example which describes the file syntax.
Example 2 is an example of an SCV Policy that includes a SafeGuard PortProtector SCV Check with no parameters.
Example 3 is an example of an SCV Policy that includes a SafeGuard PortProtector SCV Check with four parameters.
6.5.2.1 Example 1
The following is a general SCV Policy Example:
:SCVPolicy( :(SCVGroup1) )
)
SCV Policy Description
The SCVPolicy set contains the groups of SCV checks that should be used. In SCVGroup1 there are two SCV checks defined (samplescv and samplescv1). The first SCV check from SCVGroup1 that is registered correctly will be used by SecureClient. samplescv and samplescv1 are similar SCV checks in this example, and at least one of them should be used to report SCV status. Since samplescv1 is not defined properly, samplescv will be used instead. The SCVPolicy does not contain the emptyscv SCV check, therefore it will not be used at all. samplescv contains three parameters which will be passed in the Start function.
6.5.2.2 Example 2
The following is an example of an SCV Policy that contains the SafeGuardPortProtectorScv SCV Check. This SCV Check does not include any parameters and will only check for the existence of SafeGuard PortProtector Client on the endpoint in order to determine whether it is verified to connect to the organizational network.
6.5.2.3 Example 3
The following example is of an SCV Policy that contains the SafeGuardPortProtectorScv SCV Check. The SCV Check includes four parameters which should be checked in order to verify the Client and allow connection to the organizational network (refer to SafeGuard PortProtector SCV Check Parameters on page 92 for a list of available parameters including explanations and examples of how to define and use them).
(SCVObject
:SCVNames (
: (SafeGuardPortProtectorScv :type (plugin)
:parameters (
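Example 3 above breaks off after the :parameters ( line. The complete local.scv below is an added example, not one of the guide's, written in the set-file syntax that SCVEditor™ saves. The four parameter values and the server name are made up; the two :SCVGlobalParams keys are the ones a standard SecureClient local.scv uses for what SCVEditor™ labels Block connection on SCV unverified and Expiration Time, assumed here, so keep the :SCVGlobalParams block your own file already contains and add only the product and policy entries:

```text
(SCVObject
  :SCVNames (
    : (SafeGuardPortProtectorScv
      :type (plugin)
      :parameters (
        :MinimumVersion ("3.0.12444")
        :PolicyUpdatedSinceDate ("24.08.2006 12:32:00")
        :PolicyID ("CorpDefault$$LabPolicy")
        :ProtectionStatus ("STATUS_PROTECTED$$STATUS_SUSPENDED")
      )
    )
  )
  :SCVPolicy (
    : (SafeGuardPortProtectorScv)
  )
  :SCVGlobalParams (
    :block_connections_on_unverified (true)
    :scv_policy_timeout_hours (24)
  )
)
```

With these values a client is verified only if its version is at least 3.0.12444, its policy was updated on or after 24.08.2006 12:32:00, its policy ID is CorpDefault or LabPolicy, and it reports STATUS_PROTECTED or STATUS_SUSPENDED. Values are quoted so that the space in the date survives the set-file parser; the :SCVPolicy entry is what actually enforces the check, an :SCVNames entry alone only defines it.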
6.6 Installing Updated SCV Policy to SecureClients
Once you have added SafeGuardPortProtectorScv to your SCV Policy and saved it, either through SCVEditor™ or using a text editor, you can install it to your SecureClients as explained below.
To install the updated SCV Policy:
1 Open Check Point SmartDashboard™:
3 Select the desired settings and click OK. The installation begins and the Installation Process window opens, displaying installation progress. Once the installation is completed successfully, the following window is displayed:
4 Your SCV Policy is now installed to the selected gateways.
When SecureClients perform their next logon to Policy Server, the updated SCV Policy will be installed to them. Once installed to SecureClients, they can now communicate with the SafeGuard PortProtector DLL described above and block connection to the organizational network when the SafeGuard PortProtector configuration is not verified.
In the case where a configuration is not verified, an error message appears on the endpoint. The following figure shows an example of the message the end user will receive when a configuration is not verified due to a parameter value mismatch:
6.7 SafeGuard PortProtector SCV Check Parameters
Following is a description of the parameters which you may use to perform checks of SafeGuard PortProtector Client, in addition to checking its existence on the endpoint. Syntax and examples are provided for each parameter.
6.7.1 General
There are 5 parameters you can use to check the status of SafeGuard PortProtector. All the parameters are optional.
The parameters are compared with the current SafeGuard PortProtector information which is displayed in the SafeGuard PortProtector Client Options window.
6.7.2 Parameter Format and Description
6.7.2.1 MinimumVersion
Description: "Verified" for versions with a number greater than or equal to MinimumVersion.
Format: 0-255.0-255.0-65535
Examples: 3.0.12444, 3.1.0
6.7.2.2 PolicyUpdatedSinceDate
Description: "Verified" if the last policy update was performed on or after PolicyUpdatedSinceDate. Date is mandatory, time is optional.
Format: DD.MM.YYYY HH:MM:SS
Examples: 24.08.2006 12:32:00, 12.06.2005
6.7.2.3 PolicyID
Description: "Verified" if the current policy is equal to one of the PolicyIDs described by the parameter.
Format: PolicyID1$$PolicyID2$$PolicyID3 …
6.7.2.4 ProtectionStatus
Description: "Verified" if the current protection status is one of the defined statuses. Currently there are three statuses: STATUS_PROTECTED, STATUS_ERROR and STATUS_SUSPENDED.
Format: Status1$$Status2$$Status3 …
Examples: STATUS_PROTECTED
STATUS_SUSPENDED$$STATUS_PROTECTED$$STATUS_ERROR
6.7.2.5 ServerID
Description: "Verified" if the Server Name is equal to one of the ServerIDs described by the parameter. This parameter is applicable to versions 3.1 and later.
Format: ServerID1$$ServerID2$$ServerID3 …
Examples: Unknown
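To make the comparison rules in this section concrete, here is an added PowerShell example, not the Sophos SafeGuardPortProtectorScv DLL, that applies the five parameters to a client's reported values exactly as the descriptions above state: component-wise numeric version comparison, on-or-after date comparison, and "$$"-separated allow lists. The client values and parameter values are constructed; the real check reads the client side from the Client, as displayed in the Client Options window.

```powershell
# Added example (not the Sophos SCV DLL): evaluates the section 6.7 parameters
# against a client's reported state and returns $true for "Verified".
# The sample client state and parameter values below are constructed.

# MinimumVersion: compare the three numeric components, not the strings
# (as strings "3.0.9999" would sort above "3.0.12444").
function Test-SgppMinimumVersion([string]$Actual, [string]$Minimum) {
    $a = @($Actual.Split('.')  | ForEach-Object { [int]$_ })
    $m = @($Minimum.Split('.') | ForEach-Object { [int]$_ })
    for ($i = 0; $i -lt 3; $i++) {
        $av = if ($i -lt $a.Count) { $a[$i] } else { 0 }
        $mv = if ($i -lt $m.Count) { $m[$i] } else { 0 }
        if ($av -gt $mv) { return $true }
        if ($av -lt $mv) { return $false }
    }
    return $true     # equal versions are verified
}

# PolicyUpdatedSinceDate: DD.MM.YYYY with an optional HH:MM:SS, parsed
# culture-independently so that 12.06.2005 is 12 June, not December 6.
function ConvertFrom-SgppDate([string]$Text) {
    [datetime]::ParseExact($Text, [string[]]@('dd.MM.yyyy HH:mm:ss', 'dd.MM.yyyy'),
        [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::None)
}

# PolicyID, ProtectionStatus and ServerID are '$$'-separated allow lists.
function Test-SgppAllowList([string]$Actual, [string]$List) {
    $allowed = $List -split '\$\$'
    return ($allowed -contains $Actual)
}

# Applies whichever of the five optional parameters are present; returns
# $true ("Verified") or $false ("Not Verified", SecureClient blocks access).
function Test-SgppScvPolicy([hashtable]$Client, [hashtable]$Params) {
    if ($Params.ContainsKey('MinimumVersion') -and
        -not (Test-SgppMinimumVersion $Client.Version $Params.MinimumVersion)) { return $false }
    if ($Params.ContainsKey('PolicyUpdatedSinceDate') -and
        ((ConvertFrom-SgppDate $Client.PolicyUpdated) -lt (ConvertFrom-SgppDate $Params.PolicyUpdatedSinceDate))) { return $false }
    if ($Params.ContainsKey('PolicyID') -and
        -not (Test-SgppAllowList $Client.PolicyID $Params.PolicyID)) { return $false }
    if ($Params.ContainsKey('ProtectionStatus') -and
        -not (Test-SgppAllowList $Client.Status $Params.ProtectionStatus)) { return $false }
    # ServerID applies to Client versions 3.1 and later; older Clients report no
    # Server name, so the check is skipped for them here (an assumption).
    if ($Params.ContainsKey('ServerID') -and (Test-SgppMinimumVersion $Client.Version '3.1.0') -and
        -not (Test-SgppAllowList $Client.Server $Params.ServerID)) { return $false }
    return $true
}

# Constructed sample state (what the Client Options window would show) and a
# parameter set using the formats from sections 6.7.2.1 to 6.7.2.5.
$client = @{ Version = '3.1.0'; PolicyUpdated = '01.03.2010 09:15:00'
             PolicyID = 'CorpDefault'; Status = 'STATUS_PROTECTED'; Server = 'sgpp-srv01' }
$params = @{ MinimumVersion = '3.0.12444'; PolicyUpdatedSinceDate = '24.08.2006 12:32:00'
             PolicyID = 'CorpDefault$$LabPolicy'; ProtectionStatus = 'STATUS_PROTECTED$$STATUS_SUSPENDED'
             ServerID = 'sgpp-srv01' }

Write-Output ("Verified: {0}" -f (Test-SgppScvPolicy $client $params))
$client.Status = 'STATUS_ERROR'        # a status outside the allow list
Write-Output ("Verified after status change: {0}" -f (Test-SgppScvPolicy $client $params))
```

The two things most often got wrong when writing these checks by hand are shown explicitly: the version is compared numerically per component rather than as text, and the date is parsed with an invariant culture so the DD.MM.YYYY order in the guide is honoured regardless of the administrator's locale.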
7 Appendix B - NAC Interoperability
About This Chapter
This appendix explains how SafeGuard PortProtector Client interacts with Cisco Trust Agent (CTA) and Cisco Secure Access Control Server (ACS) to enhance your network's security. It contains the following sections:
What is NAC, page 95, describes Cisco's NAC (Network Admission Control) and its benefits.
Posture Validation, page 95, explains how attributes, such as those reported by SafeGuard PortProtector Client through CTA, are validated by ACS.
SafeGuard PortProtector and NAC, page 82, describes how Sophos interfaces with NAC to provide comprehensive network protection.
Configuring Posture Validation Policies, page 96, describes the process of importing the SafeGuard PortProtector Client Attribute-Value Pairs (AVP) file and provides a link to Cisco documentation of posture validation policy configuration.