manualshive.com logo in svg

Extreme Networks Sentriant AG, Software User'S Manual

Extreme Networks Sentriant AG is a cutting-edge security software that protects your network from threats. Ensure optimal performance by downloading the free Software User's Manual from our website. With comprehensive instructions and troubleshooting tips, this manual guarantees smooth operation of your Sentriant AG system. manualshive.com

Share
Download
background image

Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800

http://www.extremenetworks.com

Sentriant AG Software Users Guide, Version 5.2

Published: January 2009
Part number: 120502-00 Rev 01

Summary of Contents for Sentriant AG

Page 1: ...works Inc 3585 Monroe Street Santa Clara California 95051 888 257 3000 408 579 2800 http www extremenetworks com Sentriant AG Software Users Guide Version 5 2 Published January 2009 Part number 120502...

Page 2: ...e Unified Access RF Manager UniStack the Extreme Networks logo the Alpine logo the BlackDiamond logo the Extreme Turbodrive logo the Summit logos and the Powered by ExtremeXOS logo are trademarks or r...

Page 3: ...eporting 33 Technical Support 33 Additional Documentation 33 Installing and Upgrading 34 Conventions Used in This Document 34 Navigation Paragraph 34 Note Paragraph 34 Caution Paragraph 34 Warning Par...

Page 4: ...Time 64 Manually Setting the Time 64 Selecting the Time Zone 65 Enabling SNMP 65 Modifying the MS root Account Password 66 Checking for Sentriant AG Upgrades 66 Changing the Sentriant AG Upgrade Timeo...

Page 5: ...uarantine Area 120 Quarantining Inline 120 Post connect 120 Allowing the Post connect Service Through the Firewall 120 First Time Selection 121 Setting Sentriant AG Properties 121 Configuring a Post c...

Page 6: ...point Test Status 152 Enforcement Cluster Access Mode 155 Viewing Endpoint Access Status 156 Selecting Endpoints to Act on 157 Acting on Selected Endpoints 158 Manually Retest an Endpoint 158 Immediat...

Page 7: ...ng the Mac OS Agent 197 Removing the Mac OS Agent 200 ActiveX Test Windows 201 Agentless Test Windows 202 Testing Window 204 Test Successful Window 204 Testing Cancelled Window 205 Testing Failed Wind...

Page 8: ...ine Method 249 Configuring Sentriant AG for DHCP 250 Setting up a Quarantine Area 251 Router Configuration 251 Configuring the Router ACLs 251 Configuring Windows Update Service for XP SP2 251 Chapter...

Page 9: ...ts 314 Chapter 13 Remote Device Activity Capture 315 Creating a DAC Host 315 Downloading the EXE File 316 Running the Windows Installer 316 Adding Additional Interfaces 323 Configuring the MS and ES f...

Page 10: ...me 356 Changing the ES Host Name 356 Changing the MS or ES IP Address 356 Resetting your System 357 Resetting your Test Data 358 Changing Properties 359 Specifying an Email Server for Sending Notifica...

Page 11: ...ts 401 Enable Temporary Ping 401 Enable Persistent Ping 402 Restricting the ICMP Request 402 Changing the Community Name for SNMPD 403 SNMP MIBs 404 Chapter 17 Patch Management 407 Flagging a Test to...

Page 12: ...2003 SP2 Hotfixes 430 Windows Automatic Updates 430 Windows Media Player Hotfixes 431 Windows Vista SP0 Hotfixes 431 Windows XP SP1 Hotfixes 432 Windows XP SP2 Hotfixes 432 Security Settings OS X 433...

Page 13: ...3 Installation Requirements 463 Installing the Standby MS 463 Ongoing Maintenance 464 Failover process 464 Appendix G Licenses 467 Extreme Networks End User License Agreement 467 Other Licenses 469 Ap...

Page 14: ...Sentriant AG Software Users Guide Version 5 2 14 Activation 496 JAVA OPTIONAL PACKAGE 497 jsp api package 498 Appendix H Glossary 503 Index 513...

Page 15: ...18 System Configuration Management Server 61 Figure 19 Management Server Network Settings 62 Figure 20 Date Time 64 Figure 21 System Configuration User Accounts 68 Figure 22 Add User Account 69 Figur...

Page 16: ...ion End user Screens 137 Figure 63 System Configuration Agentless Credentials 139 Figure 64 Agentless Credentials Add Windows Administrator Credentials 140 Figure 65 System Configuration Logging Optio...

Page 17: ...196 Figure 108 Mac OS Installer 4 of 5 196 Figure 109 Mac OS Installer 5 of 5 197 Figure 110 Applications Utilities Folder 198 Figure 111 Activity Monitor 199 Figure 112 Mac Terminal 200 Figure 113 En...

Page 18: ...270 Figure 157 IAS Remote Access Policy Configure 270 Figure 158 IAS Remote Access Policy Add Attribute 271 Figure 159 IAS Remote Access Logging Properties 273 Figure 160 Sentriant AG to IAS Connecto...

Page 19: ...ure 193 Reports 333 Figure 194 NAC Policy Results Report 334 Figure 195 Test Details Report 335 Figure 196 DHCP Plug in 339 Figure 197 System Configuration Quarantining DHCP 343 Figure 198 DHCP Plug i...

Page 20: ...List of Figures Sentriant AG Software Users Guide Version 5 2 20...

Page 21: ...ips 132 Table 8 Troubleshooting Quarantined Endpoints 162 Table 9 Default Test Names and Descriptions 209 Table 10 Expect Script Commands and Parameters 301 Table 11 Report Types and Fields 331 Table...

Page 22: ...List of Tables Sentriant AG Software Users Guide Version 5 2 22...

Page 23: ...nt is displayed at the top of the window Click clear to remove the announcement 2 My account Click this icon to open the user account editing window See User Accounts on page 67 for details on creatin...

Page 24: ...s status on your ESs Click the System monitor option to view details System Monitor The System monitor window provides the following information Enforcement cluster name The Enforcement clusters are l...

Page 25: ...ok for servers with no problems and either warning or error for servers with problems Click the server name to view details Upgrade status Upgrade status shows the status of any upgrades in process me...

Page 26: ...end Table 1 Sentriant AG v5 2 for v4 x Users Sentriant AG 4 x Sentriant AG 5 0 Notes System configuration button System configuration menu option The System configuration button was previously towards...

Page 27: ...ault can be overridden for all clusters and per cluster The DHCP quarantine option has two selections now Static routes on the endpoints or Router access control lists Notification tab System configur...

Page 28: ...dpoints N A Home window System monitor Access policy editor Viewing last device results Endpoint activity Reports tab Home window Reports Proxy settings command line System configuration Management se...

Page 29: ...tions enables you to maximize the advantages and minimize the disadvantages NOTE Agentless testing uses an existing Windows service RPC ActiveX testing uses an ActiveX control Extreme Networks Inc age...

Page 30: ...Sentriant AG s easy to use open API allows administrators to create custom tests for meeting unique organizational requirements The API is fully exposed and thoroughly documented Custom tests are cre...

Page 31: ...ndividual tests that evaluate the security status of endpoints attempting to access the network Specific tests assess operating systems verify that key hotfixes and patches have been installed ensure...

Page 32: ...fined interval as long as they remain connected to the network Compliance Enforcement Based on endpoint test results Sentriant AG takes the appropriate action Endpoints that test compliant with the ap...

Page 33: ...post installation configuration the Users Guide and how to get support Sentriant AG Installation Guide The Sentriant AG Installation Guide is designed to get Sentriant AG up and running on your networ...

Page 34: ...party software functionality Additionally installing third party software and or modifying the Sentriant AG software can violate your license agreement Please refer to the Extreme Networks Inc EULA E...

Page 35: ...If the Domains connection method is enabled Credentials tab enabled check box you must specify your Windows domain controller here Task Paragraph Task paragraphs summarize the instructions that follo...

Page 36: ...er exactly as shown Enter the following URL in the browser address field https IP_address index html In this case you must replace IP_address with the actual IP address such as 10 0 16 99 Do not type...

Page 37: ...mmand will vary based on the utility you use Example 10 Copy the usr local nac properties NACAVPs txt file from the Sentriant AG server to the ACS server using PSCP or other secure copy utility SCP sc...

Page 38: ...u will be prompted to enter a password for the Linux UNIX machine NOTE You can either enter the path to the PSCP EXE file as part of the command or cd to the directory where you saved the PSCP EXE fil...

Page 39: ...r icon to print the current topic Bread crumbs Click on any of the non graylinks in the bread crumbs trail to go to that section Open PDF Click the Open PDF file link to open the PDF file NOTE To prin...

Page 40: ...letter link at the top of the index column to see the index entries 2 Click on an index entry to see the location in the text 3 Click on cross reference items in highlighted text to see more informat...

Page 41: ...ne of the results returned to display it in the right side pane 4 Click on the red arrow to see the contents of the collapsed section of the document NOTE Red arrows that point to the right denote col...

Page 42: ...Introduction Sentriant AG Software Users Guide Version 5 2 42...

Page 43: ...more ESs on separate servers Each ES must be assigned to a cluster This configuration is illustrated in Figure 8 The responsibilities of the MS and ES are as follows MS Configuration NAC policies Qua...

Page 44: ...est installation is where the MS and ES are installed on the same physical server as shown in the following figure Multiple server Installations By using at least three servers one for the MS and two...

Page 45: ...availability is where ESs take over for any other ES or servers that become unavailable Load balancing is where the testing of endpoints is spread evenly over all of the ESs A three server installati...

Page 46: ...should be followed when configuring your network for best performance results A maximum of 300 000 endpoints per MS 4 GB RAM required A maximum of five ESs per cluster A maximum of 3000 endpoints per...

Page 47: ...24 for the Sentriant AG home window of a user with system administration permissions If you do not see the System configuration menu option you do not have system administrator permissions Sentriant A...

Page 48: ...4 NOTE You can override any of the cluster default settings on a per cluster basis Enforcement Clusters and Servers The Enforcement clusters servers menu option Figure 12 on page 52 is where you confi...

Page 49: ...ftware Users Guide Version 5 2 49 Enforcement Clusters Adding an Enforcement Cluster To add an Enforcement cluster Home window System configuration Enforcement clusters servers Figure 10 System Config...

Page 50: ...Quarantining General on page 82 NOTE You can also access the quarantine area Enforcement cluster by clicking Quarantining in the System configuration window see Quarantining General on page 82 for mo...

Page 51: ...Home window System configuration Enforcement clusters servers 1 Click the cluster you want to edit The Enforcement cluster window appears as shown in Figure 12 on page 52 2 Click a menu option to acc...

Page 52: ...e statistics shown in the Home window are system wide See System Monitor on page 24 for column descriptions Deleting Enforcement Clusters NOTE Enforcement clusters need to be empty before the delete o...

Page 53: ...uide Version 5 2 53 2 Click yes The System configuration window appears Figure 10 Enforcement Servers Adding an ES To add an ES Home window System configuration Enforcement clusters servers Figure 13...

Page 54: ...S resolver IP addresses separated by a commas semicolons or spaces in the DNS IP addresses text box For example 10 0 16 100 10 0 1 1 6 Enter the password to set for the root user of the ES server s op...

Page 55: ...se away from the legend icon to hide pop up window Editing ESs To edit ES settings Home window System configuration Enforcement clusters servers 1 Click the ES you want to edit The Enforcement server...

Page 56: ...NMP settings Modifying the ES SNMP Settings on page 58 Other settings Modifying the ES root Account Password on page 58 4 Click ok Changing the ES Network Settings CAUTION Back up your system immediat...

Page 57: ...name FQDN For example the FQDN should include the host and the domain name including the top level domain For example waldo mycompany com Select names that are short easy to remember have no spaces o...

Page 58: ...clusters servers Select an ES Configuration 1 Enter the new password in the Root password text box in the Other settings area 2 Re enter the password in the Re enter root password text box 3 Click ok...

Page 59: ...the status The Enforcement server window appears 2 Click ok or cancel Deleting ESs NOTE Servers need to be powered down for the delete option to appear next to the name in the Sentriant AG user interf...

Page 60: ...ars 2 Click yes The System configuration window appears ES Recovery If an existing ES goes down and comes back up it can participate in its assigned cluster even if the MS is not available When a new...

Page 61: ...System Configuration Sentriant AG Software Users Guide Version 5 2 61 1 Server status is shown in the Network settings area 2 Click ok or cancel Figure 18 System Configuration Management Server...

Page 62: ...configuration Management server WARNING Changing the MS network settings will cause the network interface to restart 1 Click edit network settings in the Network settings area 2 Enter the values you w...

Page 63: ...to authenticate credentials on the proxy server The following methods are supported Basic not recommended The original and most compatible authentication scheme for HTTP Also the least secure because...

Page 64: ...receive NTP updates from and enter one or more Network Time Protocol NTP servers separated by commas The NTP protocol allows Sentriant AG to synchronize its date and time with other endpoints on your...

Page 65: ...zone drop down list 2 Click ok Enabling SNMP To select SNMP settings Home window System configuraton Management server SNMP settings 1 Select the Enable SNMP check box to select the SNMP settings a En...

Page 66: ...the Re enter root password text box 3 Click ok Checking for Sentriant AG Upgrades To check for system upgrades Home window System configuration Management server 1 Click check for upgrades in the Sys...

Page 67: ...g in to the Sentriant AG server as root either using SSH or directly with a keyboard 2 Enter the following at the command line setProperty py m Compliance UpgradeManager UpgradeTimeout minutes Where m...

Page 68: ...System Configuration Sentriant AG Software Users Guide Version 5 2 68 Figure 21 System Configuration User Accounts...

Page 69: ...sed for notifications 3 Select an Account status enabled This status allows an account to log into the user interface disabled This status prevents an account from logging into the user interface 4 In...

Page 70: ...in the for field 3 Click search Table 5 Default User Roles User Role Name Description Cluster Administrator For their clusters users having this role can configure their assigned clusters view endpoi...

Page 71: ...t Area To sort the user account area Home window System configuration User accounts Click the column heading for user id full name email address user roles or clusters The user accounts reorder accord...

Page 72: ...duplicated from the original account 2 Enter the User ID of the new account 3 Enter the Password 4 Re enter the password 5 Select the Account status enable or disable 6 Select the User role for the a...

Page 73: ...ck ok Deleting a User Account You must always have at least one account with System Administrator permissions CAUTION Do not delete or edit the account with which you are currently accessing the inter...

Page 74: ...iated with those roles Add a new user role Name the new user role Provide a detail description for the new user role Assign permissions to the new user role Edit a user role Edit the name of the user...

Page 75: ...System Configuration Sentriant AG Software Users Guide Version 5 2 75 Figure 25 System Configuration User Roles...

Page 76: ...settings of all your assigned clusters and delete any of your clusters Configure servers Allows you to configure all servers within your clusters Configure the system Allows you to configure all syste...

Page 77: ...configuration User roles 1 Click the role you want to edit The user role window appears 2 Enter the information in the fields you want to change See Adding a User Role on page 74 for information on us...

Page 78: ...sort the user roles area Home window System configuration User roles 1 Click user role name or description column heading The selected category sorts in ascending or descending order 2 Click ok Licens...

Page 79: ...by email Copy and paste the license key directly from the text file NOTE The double equal sign is part of the license key Include it with the rest of the numbers 2 Click Submit Now Sentriant AG is ena...

Page 80: ...est updates View test update logs Manually Checking for Test Updates To manually check for test updates Home window System configuration Test updates 1 In the Last successful test update area click ch...

Page 81: ...est updates 1 Using the hour check boxes select the time periods in which you would like Sentriant AG to check for available test updates By default Sentriant AG checks once every hour using the Extre...

Page 82: ...log window appears The Test update log window legend is shown in the following figure Quarantining General The Quarantining menu option allows you to configure the following by cluster Select the quar...

Page 83: ...n 5 2 83 Selecting the Quarantine Method To select the quarantine method Home window System configuration Quarantining 1 Select a cluster 2 In the Quarantine method area select one of the following qu...

Page 84: ...multiple DHCP servers Inline When using the inline quarantine method Sentriant AG must be placed on the network where all traffic to be quarantined passes through Sentriant AG It must be inline with a...

Page 85: ...cement server is then plugged into the spanned port and endpoint traffic is monitored on the eth1 interface In this case choose the local option 2 Enter one or more non quarantined subnets separated b...

Page 86: ...page 86 for more information OpenLDAP User credentials are queried from an OpenLDAP directory service See Configuring OpenLDAP Settings on page 88 for more information Proxy Authentication requests ar...

Page 87: ...cation method drop down list 2 Enter the Fully Qualified Domain Name FQDN of the domain to be joined in the Domain name text field 3 Enter the user name of an account with sufficient administrative ri...

Page 88: ...t from or The MS NOTE If you have a single server installation the Server to test from drop down list is not available b To verify a specific set of user credentials in addition to the Windows domain...

Page 89: ...System Configuration Sentriant AG Software Users Guide Version 5 2 89 1 Select OpenLDAP from the End user authentication method drop down list Figure 34 System Configuration OpenLDAP...

Page 90: ...to use the universal password of the eDirectory user 9 To use a secure Transport Layer Security TLS connection with the LDAP server that is verified with a certificate authority a Select the Use a sec...

Page 91: ...tem administrator to obtain the shared secret for your switch 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Sh...

Page 92: ...Extreme Foundry switches See Figure 36 ProCurve Nortel Other switches See Figure 37 To test the connection to an 802 1X device Home window System configuration Quarantining 802 1X Quarantine method r...

Page 93: ...treme Foundry switches Figure 37 if you want to include the re authentication command as part of the test select the Re authenticate an endpoint during test check box and a Enter the port of the endpo...

Page 94: ...IUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Cisco IOS from the Dev...

Page 95: ...0 are the third fourth and fifth bytes in the identifier 11 Enter the Reconnect idle time This is the amount of time in milliseconds that a telnet SSH console can remain idle or unused before it is re...

Page 96: ...US server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Cisco CatOS from the De...

Page 97: ...SH console can remain idle or unused before it is reset 15 Select the Show scripts plus symbol to show the following scripts Initialization script The expect script used to log into the console and en...

Page 98: ...field The shared secret is used to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device...

Page 99: ...o show the following scripts Initialization script The expect script used to log into the console and enter enable mode Re authentication script The expect script used to perform endpoint re authentic...

Page 100: ...that appears in log files in the Short name text field 5 Select Extreme ExtremeWare from the Device type drop down list 6 Select telnet or SSH from the Connection method drop down list 7 Enter the Us...

Page 101: ...orm endpoint re authentication Exit script The expect script used to exit the console 12 Click ok NOTE Click revert to defaults to restore the default settings Extreme XOS To add an Extreme XOS device...

Page 102: ...the device s console 8 Enter the Password with which to log into the device s console 9 Enter the Reconnect idle time This is the amount of time in milliseconds that a telnet SSH console can remain id...

Page 103: ...shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Foundry from the Device type drop down list 6 Se...

Page 104: ...ol to show the following scripts Initialization script The expect script used to log into the console and enter enable mode Re authentication script The expect script used to perform endpoint re authe...

Page 105: ...Re enter the shared secret in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select ProCurve Switch from the Device ty...

Page 106: ...type the same password you entered into the Password field in the Re enter Password field d Enter the Enable mode user name that is used to enter enable mode on this device e Enter the Password used...

Page 107: ...TTED_DECIMAL are substituted for the port and MAC address of the endpoint to be re authenticated 2 Select the type of the re authentication OID from the OID type drop down list INTEGER unsigned INTEGE...

Page 108: ...4 Enter an alias for this device that appears in log files in the Short name text field 5 Select ProCurve WESM from the Device type drop down list 6 Enter the Community string used to authorize write...

Page 109: ...henticate using a different OID when the supplicant request is for a MAC authenticated device a Enter the Re authenticate OID used to re authenticate an endpoint The strings Port and MAC_DOTTED_DECIMA...

Page 110: ...AP device in the IP address text field 2 Enter a shared secret in the Shared secret text field The shared secret is used to encrypt and sign packets between the device and RADIUS server 3 Re enter th...

Page 111: ...oint in the OID value text field 10 Select the Use a different OID for MAC authentication check box to re authenticate using a different OID when the supplicant request is for a MAC authenticated devi...

Page 112: ...ess text field 2 Enter a shared secret in the Shared secret text field The shared secret is used to encrypt and sign packets between the device and RADIUS server 3 Re enter the shared secret in the Re...

Page 113: ...nsole can remain idle or unused before it is reset 14 Select the Device is stacked check box if the device is in a stacked configuration 15 Select the Show scripts plus symbol to show the following sc...

Page 114: ...in the Re enter shared secret text field 4 Enter an alias for this device that appears in log files in the Short name text field 5 Select Other from the Device type drop down list 6 Enter the User na...

Page 115: ...ts to restore the default settings Quarantining DHCP To select the DHCP quarantine method Home window System configuration Quarantining 1 Select a cluster 2 In the Quarantine method area select the DH...

Page 116: ...Enforce DHCP requests from all IP addresses Allows DHCP requests from all IP addresses Restrict enforcement of DHCP requests to quarantine and non quarantine subnets Specify individual DHCP relay age...

Page 117: ...e source IP for DHCP forwarding which means the resultant packet may not have a source IP that corresponds to those used on the endpoint s physical subnet Check your switch vendor s implementation to...

Page 118: ...routes assigned on the endpoint This option restricts the network access of non compliant endpoints by vending DHCP settings with no gateway and a netmask of 255 255 255 255 Static routes and a Web p...

Page 119: ...omain suffix d indicates the quarantine option selected in step 3 on page 118 2 The DHCP quarantine area sorts by the column name clicked Editing a DHCP Quarantine Area To edit a DHCP quarantine area...

Page 120: ...k Post connect Post connect in Sentriant AG provides an interface where you can configure external systems such as IDS IPS that request quarantining of an endpoint based on activity that occurs after...

Page 121: ...es you must change the properties as described in Changing Properties on page 359 You must set the following properties for product name variable to communicate with your external post connect server...

Page 122: ...ct service automatically when it is launched by clicking the post connect service name on the Sentriant AG Post connect window Home Post connect a Enter the user name of the account to be used for log...

Page 123: ...can communicate with it To launch a post connect system Home Post connect 1 Click on the post connect system name A new browser window opens 2 If you have not elected to automatically log in to this...

Page 124: ...go and more than one icon You can use your own custom logos and icons for your post connect service To change the mouseover logo and icons Command line window 1 Create logo and icon files in the follo...

Page 125: ...ectServiceName 5 Modify the PRODUCTID in the connector properties file see Changing Properties on page 359 product PostConnectServiceName Maintenance The Maintenance window allows you to back up the M...

Page 126: ...begin backup now in the Backup area The Operation in progress confirmation window appears 2 Depending on your browser settings a pop up window may appear asking if you want to save or open the file Se...

Page 127: ...TAC will instruct you to generate one and will provide instructions on how to upload the generated package a TAR file To save a support package to your local computer Home window System configuration...

Page 128: ...Define order of that the test method screens appear to the end user Select end user options Selecting Test Methods To select test methods Home window System configuration Testing methods 1 Select one...

Page 129: ...n endpoint the end user screen presented first is the one that is selected as first here If this method fails due to a personal firewall or other problem the second method selected here is presented t...

Page 130: ...1 Select one or more of the following options Allow end users to have their administrator login information saved for future access Agentless testing method only This option allows the end users to e...

Page 131: ...Configuration Quarantining 802 1X Windows domain End user authentication method you must specify your Windows domain controller Examples Web sites www mycompany com Host names bagle com IP addresses 1...

Page 132: ...90 DHCP server IP address In inline mode you might need to specify the DHCP server IP address in this field Domain controller name Regardless of where the Domain Controller DC is installed you must s...

Page 133: ...o five bytes or octets to act on more than one endpoint at a time For example entering 00 13 matches all MAC addresses that begin with 00 13 2 To exempt end user domains from testing in the Whitelist...

Page 134: ...point s MAC address This translation occurs each time activity from the endpoint is detected To reduce translation time use the MAC address initially CAUTION If you enter the same endpoint in both the...

Page 135: ...e person or group alias who should receive the notifications c In the Via SMTP server IP address text box enter the IP address of the SMTP email server from which Sentriant AG sends email notification...

Page 136: ...ok End user Screens The End user screens menu option allows you to configure the end user screens with the following Define logo image to be displayed Specify text to be displayed on end user screens...

Page 137: ...eel secure about having their computers tested The logo should be no larger than 450x50 pixels 2 Click ok Specifying the End user Screen Text To specify the end user screen text Home window System con...

Page 138: ...or more tests check box to turn the pop up window on clear the check box to turn it off 2 Enter the customization information a Notification pop up URL In the Notification pop up URL text box the defa...

Page 139: ...member of a configured domain Sentriant AG uses the information supplied to access and test the endpoint NOTE Setting windows credentials here sets them as default settings for all clusters You can o...

Page 140: ...password Enter the password for the administrator login name used in the ID text field NOTE When using a domain account to test many domain endpoints be sure to select a domain account with domain ad...

Page 141: ...method Sentriant AG performs some user based tests with the administrator account s user registry settings rather than those of the actual user logged into the endpoint This only affects Internet Expl...

Page 142: ...configuration Agentless credentials 1 Sort the Windows administrator credentials by clicking on a column heading 2 Click ok Logging Setting ES Logging Levels You can configure the amount of diagnostic...

Page 143: ...from the Enforcement servers drop down list error Log error level messages only warn Log warning level and above messages only info Log info level and above messages only debug Log debug level and abo...

Page 144: ...les related to 802 1X re authentication select a logging level from the 802 1X devices drop down list error Log error level messages only warn Log warning level and above messages only info Log info l...

Page 145: ...iod text field The agent read time is the time in seconds that Sentriant AG waits on an agent read Use a larger number for systems with network latency issues 3 Click ok Setting the RPC Command Timeou...

Page 146: ...System Configuration Sentriant AG Software Users Guide Version 5 2 146...

Page 147: ...a by Access control status or Endpoint test status Search criteria area The top right area of the window allows you to filter the results by cluster NetBIOS name IP address MAC address User ID domain...

Page 148: ...nclude activity for the following Access control status Endpoint test status Cluster NetBIOS name IP address MAC address User ID Windows domain NAC policy Operating system Timeframe Number of endpoint...

Page 149: ...s as shown in the following figure NOTE This part of the window reflects the total number of endpoints in the network at the current time The filters do not affect this area Filtering by Time Filterin...

Page 150: ...how that this filter option has been applied Click reset to clear the filter Limiting Number of Endpoints Displayed To limit the number of endpoints displayed Home window Endpoint Activity Select a nu...

Page 151: ...one of the search criteria are displayed 3 Click Search The results area updates to match the search criteria specified and the background of the fields used in the search are highlighted as shown bel...

Page 152: ...ntined IP address For example an endpoint could have access because it passed a test or could not be tested but is allowed access Temporarily by NAC policy The endpoint has been assigned a non quarant...

Page 153: ...point has been tested while the endpoint is being assigned a non quarantined IP address Awaiting credentials Sentriant AG shows this status briefly while the agentless credentials are being verified B...

Page 154: ...ch presents the user with the next testing method specified on the End user access screen Validating installation Sentriant AG shows this status while Sentriant AG is validating that the agent is work...

Page 155: ...ing the credential permission levels or using a different set of credentials with the necessary permissions Connection failed no route to host The endpoint is unreachable on the network by Sentriant A...

Page 156: ...con in the ac column and a window pops up Figure 76 providing a description of the endpoint access control status as well as what the access control status would be in normal mode In this case the end...

Page 157: ...and an endpoint that was connected in the Engineering cluster also attempted to connect by way of the Training cluster An error would occur in this case Make efforts when you are configuring your clus...

Page 158: ...fic period of time Immediately Quarantine an Endpoint on page 159 Clear the temporary quarantine or access state Clearing Temporary Endpoint States on page 159 Manually Retest an Endpoint To manually...

Page 159: ...the endpoints of interest 2 Click change access 3 Select the Temporarily Quarantine for radio button 4 Select minutes hours or days from the drop down list 5 Enter the number of minutes hours or days...

Page 160: ...ftware Users Guide Version 5 2 160 4 Click ok Viewing Endpoint Information To view information about an endpoint Home window Endpoint activity 1 Click on an endpoint name to view the Endpoint window F...

Page 161: ...de Version 5 2 161 2 Click Test results to view the details of the test NOTE Click on any underlined link for example change access to make changes such as changing access or test credentials Figure 7...

Page 162: ...iant AG DNS Sentriant AG will add any names listed in Accessible services to the named conf file so the endpoint will be able to resolve the names to get the real IP Unless there are corresponding sta...

Page 163: ...so there will be different gateway IP addresses for the production and quarantine networks Sentriant AG fake root DNS As in endpoint enforcement for access to names in Accessible services The DNS ser...

Page 164: ...it tunnel all traffic through VPN Sentriant AG acts as the man in the middle iptables rewrites packets and forwards traffic to the Sentriant AG system itself The production network is protected from V...

Page 165: ...so that users can get to the Sentriant AG user interface on port 443 Sentriant AG DNS As in endpoint enforcement for access to names in Accessible services ACLs on the switch prevent quarantined syste...

Page 166: ...Endpoint Activity Sentriant AG Software Users Guide Version 5 2 166...

Page 167: ...ant AG feature allows the Sentriant AG agent to inform the ES that an endpoint is now active on the network and available to be tested This feature allows faster detection of endpoints in a network ut...

Page 168: ...1 nac2 See the following links for more information about DNS record types http www ietf org Implementations RFC1886 Implementation DNSrecords html Endpoints Supported This Sentriant AG release suppor...

Page 169: ...port for example Linux will be included in future releases Windows ME and Windows 95 are not supported in this release NOTE If the end user switches the Windows view while connected such as from Class...

Page 170: ...uch as Norton must configure that firewall to allow connection to Sentriant AG on port 1500 or the installation of the agent fails Making Changes to the Firewall See the following sections for instruc...

Page 171: ...bled Windows Vista prompts you for credentials After the credentials are entered the agent installs If UAC is disabled the agent installation fails without notifying the end user See the following lin...

Page 172: ...le and Printer sharing is listed and that the check box is selected 5 Click OK Configuring Windows XP Professional for Agentless Testing The agentless test method requires file and printer sharing to...

Page 173: ...roddocs en us howto_config_fileandprintsharing mspx Configuring Windows Vista for Agentless Testing Agentless testing for Windows Vista Endpoints requires that these endpoints be configured from a dom...

Page 174: ...n level affecting all members of the domain NOTE Agentless testing of endpoints with Vista Home Edition is not supported By design endpoints with Microsoft Windows Home Editions installed cannot be ad...

Page 175: ...Name text field 5 Click OK 6 Edit the newly created Agentless Testing group policy object as follows a Right click on the Agentless Testing Policy name and select Edit The Group Policy Object Editor w...

Page 176: ...ht click on Network access sharing and security model for local accounts policy select Properties The Network Access window appears 2 Select the Define this policy setting check box 3 Select Classic l...

Page 177: ...ht click on Network Security LAN Manager authentication level and select Properties The following window appears 6 Select the Define this policy setting check box 7 Select Send LM NTLM responses from...

Page 178: ...appears 2 Select the Define this policy setting check box 3 Select the Automatic radio button 4 Click OK 5 In the right pane right click Remote Procedure Call RPC and select Properties The following w...

Page 179: ...select Properties The following window appears 10 Select the Define this policy setting check box 11 Select the Automatic radio button 12 Click OK e In the left pane under Computer Configuration click...

Page 180: ...file and printer sharing exception and select Properties The following window appears 2 Select the Enabled radio button 3 Click OK g In the left pane click the plus symbols to expand Administrative T...

Page 181: ...rs 2 Select the Disabled radio button 3 Click OK i Close the Group Policy Object Editor window 7 Move the Agentless Testing policy to the top of the list to process it first and take precedence over a...

Page 182: ...gentless testing 137 138 139 445 NOTE See Ports used in Sentriant AG on page 457 for a complete description of the ports used in Sentriant AG Allowing the Windows RPC Service through the Firewall If e...

Page 183: ...Custom List 12 Enter the Sentriant AG Server IP address and the 255 255 255 0 mask 13 Click OK 14 Select TCP 445 15 Click Change Scope 16 Enter the Sentriant AG Server IP address and the 255 255 255 0...

Page 184: ...entials After the credentials are entered the ActiveX component installs If UAC is disabled the ActiveX component installation fails without notifying the end user See the following link for details o...

Page 185: ...End user Access Sentriant AG Software Users Guide Version 5 2 185 Figure 93 Mac System Preferences...

Page 186: ...g window opens 2 Select the Firewall tab 3 The firewall settings must be one of the following Off On with the following OS X NAC Agent check box selected Port 1500 open To change the port Mac endpoint...

Page 187: ...is happening during and after the testing process If you want to make more customizations than are available using the End user window the files are located in the following directory usr local nac we...

Page 188: ...s select Get connected One of the following windows appears depending on which test method and order is specified in the System configuration Testing methods window Windows NAC Agent test Installation...

Page 189: ...t When the test method used is NAC Agent test the first time the user attempts to connect the agent installation process should begin automatically and the installing window appears NOTE The end user...

Page 190: ...le active content see the instructions in the Installation Guide in the Important Browser settings Active Content section If this is the first time the end user has selected NAC Agent test a security...

Page 191: ...ation The user must click Finish to complete the agent installation and begin testing As soon as the installation is complete the endpoint is tested See Testing Window on page 204 Removing the Agent T...

Page 192: ...ntriant AG Agent also appears in the services list Start button Settings Control panel Administrative tools Services Manually Installing the Windows Agent To manually install the agent using Internet...

Page 193: ...in the install process 4 The Agent Installation Wizard starts Figure 99 on page 191 How to View the Windows Agent Version Installed To see what version of the agent the endpoint is running Windows end...

Page 194: ...e the Installation Failed window shown in Figure 98 Installing the MAC OS Agent To install the Mac OS agent The Mac OS agent must be installed manually and works with Mac OS X version 10 3 7 or later...

Page 195: ...Sentriant AG Software Users Guide Version 5 2 195 4 Click Continue The installer appears 5 Click Continue The Select a Destination window appears Figure 105 Mac OS Installer 1 of 5 Figure 106 Mac OS I...

Page 196: ...Sentriant AG Software Users Guide Version 5 2 196 6 Click Continue The Easy Install window appears 7 Click Install The Authenticate window appears Figure 107 Mac OS Installer 3 of 5 Figure 108 Mac OS...

Page 197: ...password Click OK The agent is installed and the confirmation window appears 9 Click Close Verifying the Mac OS Agent To verify that the Mac OS agent is running properly Mac endpoint Double click Desk...

Page 198: ...End user Access Sentriant AG Software Users Guide Version 5 2 198 Figure 110 Applications Utilities Folder...

Page 199: ...Version 5 2 199 1 Double click Activity Monitor The Activity Monitor window appears 2 Verify that the osxnactunnel process is running 3 If the osxnactunnel process is not running start it by performin...

Page 200: ...ng the MAC OS Agent on page 194 d If the agent is installed but not running enter the following at the command line sudo OSXNACAgentDaemon restart e Check the Activity Monitor window again to see if t...

Page 201: ...t OS X NAC Agent c Click Delete ActiveX Test Windows For the ActiveX test the Testing window appears see Testing Window on page 204 and an ActiveX component is downloaded If there is an error running...

Page 202: ...uses the Windows Messenger Service when using agentless testing If you have disabled this service http www microsoft com windowsxp using security learnmore stopspam mspx agentless testing will not wo...

Page 203: ...isplayed see Testing Window on page 204 If the end users do not enter the correct information in the login window fields a login failure window appears NOTE You can customize the logo and contact para...

Page 204: ...Cancelled Window on page 205 Testing failed window see Testing Failed Window on page 205 Other error window see Error Windows on page 207 Test Successful Window When the end users endpoints meet the t...

Page 205: ...end user has the option of clicking Cancel testing If the end users click Cancel testing a window appears indicating that testing is cancelled Testing Failed Window When the end user s endpoints fail...

Page 206: ...mation NOTE You can elect to allow access to specific services and endpoints by including them in the Accessible services and endpoints area of the System configuration Accessible services window see...

Page 207: ...indows End users might see any of the following error windows Unsupported endpoint Unknown error The following figure shows an example of an error window Customizing Error Messages The default error m...

Page 208: ...in the reports and on the end user access windows For example class CustomStrings stringTable checkAntiVirusUpdates String 1 The required anti virus software was not found Install the software from t...

Page 209: ...ti virus software and keep the virus definitions up to date Supported Anti Virus software s checkAntiVirusUpdates String 2 s is installed but the service is not running and the virus signatures are no...

Page 210: ...re no s installed Run Windows Update to install the most recent service packs and hotfixes You may need to run Windows Update multiple times to install all the hotfixes checkIESecurityZoneSettings Str...

Page 211: ...acro Security button Select the Security Level tab Finally select the security level s or higher checkNetBiosInfo String 1 An unsupported operating system was encountered checkPersonalFirewalls String...

Page 212: ...or each service checkSoftwareNotAllowed String 1 Could not import the re module required by this test checkSoftwareNotAllowed String 2 All software found is allowed checkSoftwareNotAllowed String 3 Do...

Page 213: ...rator for removal of these items from the registry checkWormsVirusesAndTrojans String 1 No worms viruses or trojans were found checkWormsVirusesAndTrojans String 2 The following worms viruses or troja...

Page 214: ...End user Access Sentriant AG Software Users Guide Version 5 2 214...

Page 215: ...ng the default NAC policy The NAC policies window shown in Figure 122 is where you create NAC policies and groups disable NAC policies delete NAC policies and access specific NAC policies Once you acc...

Page 216: ...h security Low security Medium security NAC policies are organized in groups Groups include the clusters defined for your system a Default group and any other groups you create Each standard policy ha...

Page 217: ...name for the group in the Name of NAC policy group text box 3 Optional Select the check box next to any NAC policy to move to this group 4 Optional Select the check box next to any cluster to move to...

Page 218: ...policy group Home window NAC policies 1 Move any NAC policies associated with the group to a different NAC policy group a Click on a NAC policy name b Select the new group from the NAC policy group d...

Page 219: ...d Selecting the Default NAC Policy To select the default NAC policy Home window NAC policies Click on the up or down arrow to move the NAC policy The default NAC policy is the one toward the bottom of...

Page 220: ...2 Enter a policy name 3 Enter a description in the Description text box 4 Select a NAC policy group 5 Select either the enabled radio button or the disabled radio button 6 Select the Operating systems...

Page 221: ...the quarantine action was unsuccessful CAUTION Allowing untested endpoints on your network contains risks See Untestable Endpoints and DHCP Mode on page 238 for more information NOTE A security best...

Page 222: ...names of Windows domains to be tested by this cluster for this NAC policy separated by a carriage return 12 Enter a single endpoint or list of endpoints separated by a carriage return using the endpo...

Page 223: ...can leave the Domains and Endpoints areas blank if you do not want to assign domains and endpoints to this policy NOTE Hover the mouse cursor over the question mark by the word Endpoints then click o...

Page 224: ...NAC Policies Sentriant AG Software Users Guide Version 5 2 224 13 Click the Tests menu option to open the Tests window Figure 129 Add NAC Policy Tests Area...

Page 225: ...est see Selecting Action Taken on page 228 18 Click ok NOTE Selecting the Send an email notification option sends an email to the address you identified in Sentriant AG Home window System Configuratio...

Page 226: ...ins to a Policy Select which endpoints are associated with each policy To assign endpoints and domains to a policy Home window NAC policies Select a NAC Policy Domains and endpoints menu option 1 Ente...

Page 227: ...onnected endpoint NOTE A lower number ensures higher security but puts more load on the Sentriant AG server 2 Click ok Setting Connection Time When an endpoint is inactive for a period of time you can...

Page 228: ...ies are specific to the particular test Select the properties you want applied Tests are explained in detail in Tests Help on page 421 To set the test properties for a specific test Home window NAC po...

Page 229: ...you select a temporary access period here the end users are allowed temporary access for the specified time after which they are denied access until they pass the test The temporary access period allo...

Page 230: ...selectable selectable properties or text entry fields Select the check box or radio button that applies for each test A check box indicates that you can make multiple selections A radio button indica...

Page 231: ...ices are Windows operating system applications that run automatically without manual intervention To find the services names on the endpoint Service names must be entered exactly as they appear in Con...

Page 232: ...2900 2180 check box b Type a version number in the text entry field 3 For Internet Explorer on Windows 2000 a Clear the Check For Internet Explorer for Windows 2000 6 0 2800 1106 check box b Type a ve...

Page 233: ...P assigned IP address Sentriant AG cannot affect this endpoint in any way until the lease on the existing IP address for that endpoint expires If an endpoint with an unsupported OS has a static IP add...

Page 234: ...s following it in the list 4 and 5 Use Endpoint testing exceptions System configuration Exceptions to always allow or always quarantine endpoints that are defined in NAC policies For example an NAC po...

Page 235: ...r all other deployment modes the Fully Qualified Domain Name FQDN of the target servers should be added to the list for example mycompany com If the specified servers are not behind an ES a network fi...

Page 236: ...endpoint without testing Home window System configuration Exceptions The following figure shows the Exceptions window 1 In the Whitelist area a In the Endpoints area enter one or more MAC addresses I...

Page 237: ...eturns 2 Click ok CAUTION If you enter the same endpoint for both options in the Endpoint testing exceptions area the Allow access without testing option is used New Users The process Sentriant AG fol...

Page 238: ...rted on page 168 If you allow an untested endpoint to have access there are several important items to keep in mind The IP address granted by your DHCP server has a lease expiration period that cannot...

Page 239: ...s in the quarantine areas to a placeholder such as the following quarantine bad 2 Enter the full domain controller hostnames in the System configuration Accessible services area for example dc01 mycom...

Page 240: ...Quarantined Networks Sentriant AG Software Users Guide Version 5 2 240...

Page 241: ...ow unavailable All ESs participate in enforcement The MS provides notification in the user interface at the top of the Home window For example if an ES is unavailable the notification indicates that a...

Page 242: ...Sentriant AG Software Users Guide Version 5 2 242 unavailable the switch reconnects so that there is always a path from the VPN to an ES All of the ES firewalls continuously stay in sync with each ot...

Page 243: ...High Availability and Load Balancing Sentriant AG Software Users Guide Version 5 2 243 Figure 134 DHCP Installation...

Page 244: ...High Availability and Load Balancing Sentriant AG Software Users Guide Version 5 2 244 Figure 135 802 1X Installation...

Page 245: ...is used to determine which ES should test an endpoint If an ES detects an endpoint for which it is not responsible it notifies the correct ES of the endpoint and that ES takes over testing If an ES fa...

Page 246: ...High Availability and Load Balancing Sentriant AG Software Users Guide Version 5 2 246...

Page 247: ...settings As shown in Figure 136 Sentriant AG is installed inline in a multiple server configuration the multiple ESs form a Layer 2 bridge that spans two switches resulting in a network loop This is a...

Page 248: ...Inline Quarantine Method Sentriant AG Software Users Guide Version 5 2 248 NOTE You can install Sentriant AG at any choke point in your network a VPN is not required Figure 136 Inline Installations...

Page 249: ...address are issued a temporary address on a quarantine subnetwork Once the endpoint is allowed access the IP address is renewed and the main DHCP server assigns an address to the main LAN With a multi...

Page 250: ...Setting up a Quarantine Area on page 251 You should also review the following topics related to quarantining endpoints Endpoint quarantine precedence see Endpoint Quarantine Precedence on page 233 Unt...

Page 251: ...e gateway IP address The quarantine area DHCP settings must reflect this configuration on your router Configuring the Router ACLs In order to sufficiently restrict access to and from the quarantine ar...

Page 252: ...WU client software Short of a Microsoft fix the only way to update XP SP2 endpoints in quarantine is to deploy a local update server such as Microsoft s free Windows Server Update Services WSUS see h...

Page 253: ...e login session Certificates A method for identifying a user that links a public key to the user s or company s identity allowing them to send digitally signed electronic messages Tokens A credit card...

Page 254: ...gure up to six Sentriant AG server URLs The plug in reads the list of servers over and over iterates attempting to connect to one of them Once a connection is made the Sentriant AG plug in uses that s...

Page 255: ...tch Using the built in Sentriant AG RADIUS server With this method all authentication takes place on the Sentriant AG server The switch is configured with the Sentriant AG IP address as the RADIUS ser...

Page 256: ...802 1X Quarantine Method Sentriant AG Software Users Guide Version 5 2 256 Figure 139 Sentriant AG 802 1X Enforcement...

Page 257: ...802 1X Quarantine Method Sentriant AG Software Users Guide Version 5 2 257 Figure 140 802 1X Communications...

Page 258: ...y other RADIUS server see Proxying RADIUS Requests to an Existing RADIUS Server Using the Built in Sentriant AG RADIUS Server on page 281 Use the built in Sentriant AG RADIUS server for authentication...

Page 259: ...column click Add Remove Windows Components The Windows Components Wizard window appears as shown in the following figure 2 Select the Networking Services check box 3 Click Details The Networking Servi...

Page 260: ...eed to log into it and perform the configuration steps described in this section To configure the RADIUS server 1 Log into the RADIUS server 2 From the RADIUS server main window select Start Settings...

Page 261: ...riptive name in the Server Description text box For example IAS 2 Select the Rejected authentication requests check box 3 Select the Successful authentication requests check box d Ports tab 1 Enter th...

Page 262: ...Click OK 5 Define the authenticators that use this RADIUS server for authentication a Right click on RADIUS Clients b Select New RADIUS Client The New RADIUS Client window appears c Enter a descripti...

Page 263: ...switch h Re enter the password in the Confirm shared secret text box i Select the Request must contain the Message Authenticator attribute check box j Click Finish 6 Repeat step 5 for every authentic...

Page 264: ...appears d Select the Use the wizard radio button e Enter a meaningful name in the Policy Name text field f Click Next g Select the Ethernet radio button The Ethernet option will not work for authenti...

Page 265: ...lick Next i You can configure your Access policy by user or group This example uses the group method Select the Group radio button j Click Add The Select Groups pop up window appears Figure 150 IAS Re...

Page 266: ...Guide Version 5 2 266 k Click Advanced l Click Find Now to populate the Search Results area m Select Domain Guests n Click OK o Click OK p Click Next Figure 152 Remote Access Policy Select Group Figur...

Page 267: ...at a specific type of SSL certificate is available for use during authentication These steps assume there is a Domain Certificate Authority CA available to request a certificate Click Configure If you...

Page 268: ...the properties h Open the Certificates folder under the Console Root i Right click on the Personal folder and select All Tasks Request New Certificate NOTE To import the certificate manually 1 Right c...

Page 269: ...use with the PEAP authentication method The Protected EAP Properties window appears Figure 155 m Select the certificate you created in the previous steps select the EAP types you want to use and clic...

Page 270: ...and select Properties The Guest Policy Properties window appears c Click Edit Profile The Edit Dial in Profile window appears 1 Authentication tab Select the check boxes for the authentication method...

Page 271: ...m Type Adding the first of the three attributes c Click Add d Click Add again on the next window e From the Attribute value drop down list select 802 includes all 802 media f Click OK g Click OK h Sel...

Page 272: ...From the Attribute value drop down list select Virtual LANS VLAN r Click OK s Click OK t Click OK 11 Repeat step 9 for every VLAN group defined in Active Directory IMPORTANT The order of the connectio...

Page 273: ...4 Click OK 13 Install the Sentriant AG to IAS connector The Sentriant AG IAS Connector is a DLL file that is installed on your Windows Server 2003 machine where the IAS component is enabled The connec...

Page 274: ...ector dll support ias SAIASConnector ini NOTE SAIASConnector ini is installed within Sentriant AG using standard system defaults Utilities for this such as DebugAttributes and DebugLevel should be mod...

Page 275: ...ve Snap in 6 Click Add 7 Select Certificates 8 Click Add 9 Select the Computer account radio button 10 Click Next 11 Select the Local computer the computer this console is running on radio button 12 C...

Page 276: ...to IAS connector a Modify the INI file for your network environment Sentriant AG returns one of following postures for an endpoint attempting to authenticate For each posture received a different RAD...

Page 277: ...lder inside the AuthSrv folder if it does not already exist New Key 7 Right click on the Parameters folder name 8 Select New Multi string value 9 Type AuthorizationDLLs for the name and press Enter on...

Page 278: ...operties 3 Select the Group Policy tab 4 Click Open 5 Right click Default Domain Policy and select Edit click OK if you get a global changes pop up message 6 Navigate to Computer Configuration Windows...

Page 279: ...Computers b Right click on the user s entry under the appropriate domain under Active Directory Users and Computers c Enter the user information requested d Click Next e Enter the password informatio...

Page 280: ...Guide Version 5 2 280 c Select the Users folder d Right click a user name and select Properties The Properties windows appears e Select the Dial in tab Figure 166 Active Directory Users and Computers...

Page 281: ...stem administrator before reversible encryption takes effect i Click OK j Repeat from step a for each user account Proxying RADIUS Requests to an Existing RADIUS Server Using the Built in Sentriant AG...

Page 282: ...llowing sample file for instructions FreeRADIUS Connector configuration file TO DO Change localhost to your server s IP if this is not the built in FreeRADIUS server ServerUrl https localhost servlet...

Page 283: ...s Extreme Netlogin Vlan HealthyVlanName CheckupRadiusAttributes Extreme Netlogin Vlan HealthyVlanName QuarantineRadiusAttributes Extreme Netlogin Vlan QuarantineVlanName InfectedRadiusAttributes Extre...

Page 284: ...server by modifying the etc raddb users file Add user entries to the beginning of the file in the following format Clear text authentication user name Auth Type Local User Password password EAP PEAP...

Page 285: ...is then plugged into the spanned port and endpoint traffic is monitored on the eth1 interface In this case choose the local option 3 Click ok Setting up the Supplicant Now you must enable the endpoin...

Page 286: ...oint for 802 1X Windows desktop Start Settings Network Connections 1 Right click on Local Area Connection 2 Select Properties The Local Area Connection windows appears 3 Select the General tab 4 Selec...

Page 287: ...ect the Authenticate as computer when computer information is available check box The choice is yours 9 Click OK 10 Select to reboot if prompted Windows XP Home Setup To enable a Windows XP Home endpo...

Page 288: ...k check box b Select an EAP type from the drop down list For this example select MD5 Challenge Important This EAP type must match the EAP type selected in Setting up the RADIUS Server step 7 step q on...

Page 289: ...tab c Select the Show icon in taskbar when connected check box d Select the Authentication tab e Select the Enable network access control using IEE 802 1X check box f Select an EAP type from the drop...

Page 290: ...NOTE Frequently when performing actions on Windows Vista the User Account Control window pops up and asks you to select Continue to authorize the action The instructions in this section do not includ...

Page 291: ...OK e Close the Services window 2 Configure the network connections Windows desktop Start Settings Network Connections 3 Right click on Local Area Connection 4 Select Properties The Local Area Connect...

Page 292: ...Clear or select the Cache user information for subsequent connections to this network check box The choice is yours 9 Click OK 10 Select to reboot if prompted Setting up the Authenticator This section...

Page 293: ...od 30 dot1x guest vlan 5 dot1x reauthentication spanning tree portfast interface FastEthernet0 2 switchport mode access dot1x port control auto dot1x timeout quiet period 30 dot1x guest vlan 5 dot1x r...

Page 294: ...e set port dot1x 2 15 guest vlan 40 set port dot1x 2 17 guest vlan 40 set port dot1x 2 18 guest vlan 40 set port dot1x 2 19 guest vlan 40 Enterasys Matrix 1H582 25 dot1x set dot1x auth config authcont...

Page 295: ...n port 37 vlan Temp enable netlogin port 38 vlan Temp enable netlogin port 39 vlan Temp enable netlogin port 40 vlan Temp configure netlogin redirect page https 10 10 100 100 89 ExtremeWare NOTE When...

Page 296: ...gure netlogin dot1x eapol transmit version v1 configure netlogin dot1x guest vlan Guest enable netlogin logout privilege enable netlogin session refresh 3 configure netlogin base url network access co...

Page 297: ...r key Shared RADIUS secret HP ProCurve Access Point 420 if wireless g ssid 1 radius authentication server vlan format ascii HP ProCurve Access Point 420 if wireless g ssid 1 ssid Enterprise420 HP ProC...

Page 298: ...ve Access Point 530 config interface ethernet ProCurve Access Point 530 ethernet ip address IP of Access Point Netmask ProCurve Access Point 530 ethernet ip default gateway IP of Gateway ProCurve Acce...

Page 299: ...rtel switch user manuals for more information RADIUS Server setup radius server host 10 0 0 5 radius server secondary host 0 0 0 0 radius server port 1812 radius server key Enable 802 1X eapol enable...

Page 300: ...e authentication while the connection to the device remains active until the connection goes bad or the idle time inactivity timeout is reached Exit script This script is used to exit the console It i...

Page 301: ...e 178 Nortel Exit Script send exit expect send exit expect press Return or Enter to select option send noreturn l Table 10 Expect Script Commands and Parameters Command Description and parameters expe...

Page 302: ...the endpoint in colon hex format hh hh hh hh hh hh MAC_DOTTED_DECIMAL The MAC address of the endpoint in dotted decimal format ddd ddd ddd ddd ddd ddd MAC_DOTTED_HEX The MAC address of the endpoint i...

Page 303: ...ABLE_USERNAME expect ifset ENABLE_PASSWORD Password send ifset ENABLE_PASSWORD ENABLE_PASSWORD expect send configure terminal expect config Reauthorization script send interface FastEthernet PORT expe...

Page 304: ...and thus also works with both telnet and SSH without needing to check which the user selected Initialization script expect regex Username Password send ifmatched Username USERNAME expect ifmatched Use...

Page 305: ...y you and contains one or more requests JMS Event Receiver An external program that subscribes listens to topics and can take action base on the information received JMS Requestor An external program...

Page 306: ...pts to connect that is untestable Sentriant AG quarantines the endpoint and publishes a DeviceChangeEvent to that topic Setting Sentriant AG Properties Most Sentriant AG properties are set by default...

Page 307: ...Setting Firewall Rules The iptables firewall needs a new rule that allows an external server to send requests to or receive events from the JMS message bus By default the MS does not allow other serve...

Page 308: ...e 4e30 bbb9 bcc11ffa777b nodeId clusterId 5b227ee9 5085 4bbc 9c6f dd57900eaa1f clusterId accessStatusId QUARANTINED_BY_POLICY accessStatusId nextTestTime 1157049566000 nextTestTime nadPort nadPort nad...

Page 309: ...6 10 38 AM email not sent actionsTaken debugInfo 918899 921883 912812 IE6SP1 20060322 842773 921398 922616 917422 Update Rollup 1 920683 914388 92067 0 917159 917008 920958 911562 debugInfo severity 2...

Page 310: ...ith a sample shell script that invokes Java code that can be used to listen for JMS events Invoke the program by entering the following command eventListener sh u broker URL t topicName l login p pass...

Page 311: ...e ip 192 168 1 128 ip DeviceType list entry requestParameters TemporarilyAllowAccessRequest TemporarilyDenyAccessRequest requestParameters entry string DURATION string int 24 int entry entry string DE...

Page 312: ...iceProperties DeviceType list entry requestParameters PutDeviceInfoRequest The DeviceInfoRequest command replies with output that includes a special NacResponse XML file as shown below NacResponse res...

Page 313: ...ng key1 string string value1 string entry entry string OS string string Windows XP SP1 2000 SP3 string entry entry string key2 string string value2 string entry otherDeviceProperties lastUpdateTime 11...

Page 314: ...uest NOTE The EXTERNAL_QUARANTINE_PRODUCT_ID entry in the previous post connect example is configured in the connector properties file See Adding Post connect System Logos and Icons on page 124 for mo...

Page 315: ...they generate traffic across the ES bridge There is no need for you to do any extra configuration of DAC in these modes 802 1X Mode Mirror Port DAC runs on the ESs The eth1 interface of the ES is conn...

Page 316: ...asks Installs the DAC software Installs the JavaJRE software if needed Installs the WinPcap software if needed Modifies the wrapper conf file Installs DAC as a Windows service NOTE If you have already...

Page 317: ...ick Next The Setup Type window appears 4 Select Complete to install the DAC software the JavaJRE software and the WinPcap software If you already have JavaJRE or WinPcap installed select Custom Figure...

Page 318: ...The Choose Destination Location window appears 6 In most cases you should accept the default location Click Change to select a different location Click Next The Confirm New Folder window appears Figur...

Page 319: ...If you selected Custom in step 4 on page 317 the Select Features window appears otherwise the NIC Selection window appears Figure 185 8 Select the features to install Click Next The NIC Selection wind...

Page 320: ...ted in this window Select the one you want to use and click Next The TCP Port Filter Specification window appears 10 In most cases you should accept the default entry Click Next The Enforcement Server...

Page 321: ...cted Complete in step 4 on page 317 the InstallShield Wizard launches the Java installer first and then the WinPcap installer If you selected Custom in step 4 on page 317 the installers for only the s...

Page 322: ...ac SSDAC bat UninstallSSDAC bat wrapper exe conf wrapper conf lib DAC_keystore Jpcap dll libjpcap so SA_DeviceActivityCapturer jar wrapper dll wrapper jar log wrapper log 15 Perform the steps detailed...

Page 323: ...on parameters Add parameters as needed starting from 1 wrapper app parameter 1 RemoteDac wrapper app parameter 2 d wrapper app parameter 3 l wrapper app parameter 4 log DAC log wrapper app parameter 5...

Page 324: ...n unique key 2 Add a firewall rule to the ES or ESs to which the DAC host will be sending packets On each ES a Enter the following command to dump the Lokkit iptables chain iptables nvL RH Lokkit 0 50...

Page 325: ...100 2 Add another line just below the initial ES with the new IP address or addresses wrapper app parameter 9 172 17 100 150 wrapper app parameter 10 172 50 50 7 3 Increment the rest of the wrapper ap...

Page 326: ...ing Version Information To view version information Windows server 1 Select Start Settings Control Panel Add or Remove Programs 2 Click once on the DAC listing 3 Click Click here for support informati...

Page 327: ...mplete window appears 5 Select one of the options and click Finish To remove the JavaJRE software Windows server 1 Select Start Settings Control Panel Add or Remove Programs 2 Click once on the J2SE R...

Page 328: ...de or perform a new installation the connector file syslog to dac py is in the following directory usr local nac bin Configuring the Infoblox Server You must configure syslog on the Infoblox server to...

Page 329: ...ults are Compliance DeviceActivityCapture RunningRemotely true It can take a minute or two Contact Technical Assistance Center TAC support extremenetworks com if your results are different NOTE It can...

Page 330: ...he command line service nac es stop fw_control stop b Open the following file with a text editor such as vi etc sysconfig iptables c Add the following line before the REJECT lines in the RH Lokkit 0 5...

Page 331: ...sults policy name test status of times of total details Endpoint list Lists each endpoint and the last pass fail policy results mac address ip address cluster netbios user test status Test details Com...

Page 332: ...t passed or failed for each IP address ip address cluster netbios user test status of times of total details Test results by NetBIOS name Lists the number of tests that passed or failed for each netbi...

Page 333: ...Report period 3 Select the Rows per page 4 In the Endpoint search criteria area select any of the following options to use for filtering the report a Cluster b Endpoint NetBIOS c Endpoint IP address d...

Page 334: ...ts capability uses pop up windows if you have blocked pop up windows in your browser you will not be able to view reports See Important browser settings in the Installation Guide for more information...

Page 335: ...Reports Sentriant AG Software Users Guide Version 5 2 335 Figure 195 Test Details Report...

Page 336: ...u want to run 2 Click Generate report 3 Select File Save Page As from the browser menu 4 Enter a name and location where you want to save the file 5 Select Web page complete 6 Click Save The file is s...

Page 337: ...rs Guide Version 5 2 337 6 Click Save This creates a standalone file that retains all of its graphics and formatting 7 To print you might need to reduce the border sizes in File Page Setup dialog box...

Page 338: ...Reports Sentriant AG Software Users Guide Version 5 2 338...

Page 339: ...network the plug in processes or ignores DHCP packets based on the end user device Media Access Control MAC address Sentriant AG tests endpoints that request access to the network and either assigns a...

Page 340: ...ormation back to Sentriant AG NOTE Windows Server 2003 is the only server supported for this release To install the DHCP plug in 1 The DHCP plug in requires that you first configure your system with R...

Page 341: ...the DHCP server will check for a broken connection certificates certfile A Privacy Enhanced Mail PEM formatted file containing the server key and certificate along with any CA trusted entities logging...

Page 342: ...n c windows system32 dhcp nac_DHCP log location level 3 level maxsize 1024 maxsize logging dhcpconnector DHCP Plug in and the Sentriant AG User Interface In order to use the DHCP plug in you need to s...

Page 343: ...HCP plug in radio button 3 Click download the DHCP plug in A Windows save window appears 4 Browse to a location on the DHCP server you will remember and save the file 5 On the DHCP server navigate to...

Page 344: ...Double click the exe installer file The InstallShield Wizard starts 7 Click Next The Customer Information window appears 8 Enter your User Name and Company Name Figure 198 DHCP Plug in InstallShield W...

Page 345: ...Wizard Complete window appears 11 Click Finish Enabling the Plug in and Adding Servers To enable the DHCP plug in and add the DHCP servers Home window System configuration Quarantining 1 Select the D...

Page 346: ...installed in the DHCP server hostname or IP address text box 5 Enter the port number on the DHCP server that listens for plug in requests in the Plug in listening port text field 6 Enter a brief desc...

Page 347: ...gure NOTE Sentriant AG automatically attempts to connect to the DHCP server The possible DHCP server status states are shown in Figure 204 10 Click ok to save the changes and return to the Home window...

Page 348: ...thod radio button DHCP servers using the DHCP plug in radio button 1 Click edit next to the DHCP server you wish to edit The DHCP Plug in configuration window appears 2 Make any necessary modification...

Page 349: ...on DHCP servers using the DHCP plug in radio button 1 Click disable next to the DHCP server plug in configuration you wish to disable 2 Click yes at the Disable DHCP plug in configuration prompt 3 Cli...

Page 350: ...DHCP Plug in Sentriant AG Software Users Guide Version 5 2 350...

Page 351: ...ngs There are several browser configuration settings to make depending on which browser you are using Please see Important browser settings in the Installation Guide for details Restarting Sentriant A...

Page 352: ...Open the text file containing the license key Copy the key including the double equal signs Table 13 Service Stop and Restart Commands Command Description service watchdog stop This command stops all...

Page 353: ...ownload the latest tests from the Extreme Networks Inc server Home window System configuration Test updates Check for test updates button NOTE If you are not receiving test updates try the following c...

Page 354: ...name FQDN and that the domain portion matches the domain for the registered windows domain 4 Ensure that each ES is configured with one or more valid DNS servers that can fully resolve both A and PTR...

Page 355: ...ser is not allowed to change any of the related settings such as receiving automatic updates and other IE security settings The Sentriant AG administrator needs to make sure the global policy on their...

Page 356: ...cation like a street or city name a building or your company name 2 Click ok Changing the MS Host Name To change the MS host name See Modifying MS Network Settings on page 62 Changing the ES Host Name...

Page 357: ...s root to the Sentriant AG MS or ES either using SSH or directly with a keyboard 2 Enter the following command at the command line resetSystem py both ms es Where No arguments The system is reset to t...

Page 358: ...py 2 For multiple server installations a Stop the nac es service on all ESs 1 Log in as root to each Sentriant AG ES either using SSH or directly with a keyboard 2 Enter the following at the command l...

Page 359: ...ne or more of c cluster name Set properties on all Enforcement Servers in cluster e ES hostname Set properties on Enforcement Server a Set properties on all Enforcement Servers m Set properties on Man...

Page 360: ...method for specifying Internet objects Table 14 presents common CIDR naming conventions Table 14 CIDR Naming Conventions Block Netmask Networks Hosts 32 255 255 255 255 1 256 of a Class C Network 1 31...

Page 361: ...nd line to increase the pg_dump timeout setProperty py m Compliance Backup PgDumpCmdTimeout milliseconds Where milliseconds is the number of milliseconds that the backup will wait on the pg_dump comma...

Page 362: ...Sentriant AG version b The Sentriant AG server IP address must be the same as the previously installed Sentriant AG server IP address c Create an admin user when prompted during the installation proce...

Page 363: ...3 Click ok A status window appears 4 The system data is restored and the login window appears Restoring the Original Database CAUTION Running this script resets your entire system not just the databas...

Page 364: ...ements Item Required Server A dedicated server or servers for product installation with the following minimum system requirements Processor Intel Dual Core Core 2 Duo Xeon 5100 series processor at 1 8...

Page 365: ...triant AG does not directly interface or inter operate with VPN endpoints The following commonly deployed VPN solutions have been tested Cisco VPN Concentrators OpenSSL VPNs Protocols supported IPSec...

Page 366: ...following sections CAUTION You should familiarize yourself with Python and with the rest of the Sentriant AG product before attempting to create custom test scripts References This version of Sentrian...

Page 367: ...CheckSoftwareNotAllowed and inherits all the existing tests functionality class MyCheckSoftwareNotAllowed CheckSoftwareNotAllowed Override the testId to be unique from all other test ids testId MyChe...

Page 368: ...riant AG MS usr local nac scripts Custom BaseClasses CAUTION When updating or modifying files use the Custom directory tree Custom BaseClasses Custom Tests The Custom directory tree is a mirror with s...

Page 369: ...ID perf ms1 40612 1162365754580 6 0 00 22 34 DEBUG Sending request UpdateRequest requestParameters entry string UPDATE_DATA string string tmp customUpdatePkg 29285 tar gz string entry requestParameter...

Page 370: ...Q_TEXT_MESSAGE id 0 ActiveMQMessage jmsMessageID ID perf ms1 51331 1162363440379 15 3 bodyAsBytes org activemq io util ByteArray 1362012 readOnlyMessage true jmsClientID 93baaf5a b0ed 4fc2 a3ae ec6460...

Page 371: ...ke up a test id Just make sure it doesn t match any existing test ids testId TestId Make up test name Just make sure it doesn t match any existing test names testName Test Name Assign the test to an e...

Page 372: ...My test arguments All tests must define the runTest method with the self and the debug parameters def runTest self debug 0 All tests must call the initialize routine self initTest Create a hash to st...

Page 373: ...element set in the policy editor All test scripts contain a self session member variable that is set by Sentriant AG when the test class is instantiated It contains a reference to a Session object wh...

Page 374: ...BaseClasses SABase import SABase as SABase This allows a script to be tested from the command line if __name__ __main__ import checkOpenPorts t checkOpenPorts CheckOpenPorts t processCommandLine The...

Page 375: ...he first time this test is configured for a policy or if the test is never configured for a policy this will be the default Notice the key in this hash corresponds to the input element above in the te...

Page 376: ...itTest if debug print Starting checkOpenPorts host self session host session self session id Create a hash to store the return results All tests must fill return a hash with the following keys status_...

Page 377: ...set timeout to 5 seconds Note that Sentriant AG uses a restricted Python socket library that doesn t allow connections to arbitrary hosts Normally the first element of the tuple passed to socket conn...

Page 378: ...ession self session id sys exc_type sys exc_value if debug print Could not connect to hp Port not open Good it wasn t open There are ports open so set the returnHash values to indicate that the endpoi...

Page 379: ...or occurs Return Value Public Method Boolean checkHotfixSp nt 0 win2k 0 xp 0 win2003 0 vista 0 It checks for the servicepack installed Returns the following true if Service pack installed is lower tha...

Page 380: ...on Based on exchange server and its service pack installed retruns a string Dict getExpressionWebInstalled String getFileContentsMac param startbyte endbyte Returns the contents of the file name given...

Page 381: ...ecks whether Front Page Extension 2002 is installed on the machine Returns the following True if installed false if not installed getHostname Returns the host name of the endpoint String getIEVersion...

Page 382: ...he version of Microsoft Data Access Component MDAC installed on the end point String getMsnVersion Returns the MSN version Boolean getMVMInstalled Checks whether MVM is installed or not Returns the fo...

Page 383: ...nd point String getPatchLevel Returns the combination of user visible version and the build version String getProcesses param Returns all processes running on the endpoint String getProgramFilesDir Re...

Page 384: ...005R2 String getVisualDotNetVersion Returns the one of the following present versions of Visual Dot net on the target 2003 2003 SP1 String getVisualStudioVersion Returns the one of the following prese...

Page 385: ...r the presence of Windows Defender Anti Virus on the machine Returns the following True if Installed False if not installed List listExchangeRegKeys Returns the updates installed for Microsoft Exchang...

Page 386: ...tive the test result cache is case sensitive End user Access Windows The end user access windows are completely customizable You can enter general text through the Sentriant AG interface and edit the...

Page 387: ...s but cannot quarantine static IP addresses Sentriant AG can detect static IP endpoints in two different ways Any type of traffic from the endpoint can be detected if that endpoint has any network tra...

Page 388: ...inistrator Password on page 390 endpoint domain administrator Manually entered on the endpoint by the end user If the end user has not defined a login password combination the default login is usually...

Page 389: ...r the new password 2 Click ok If you cannot remember either password this process allows you to enter a new one To reset the Sentriant AG server root password 1 At the Sentriant AG MS or ES server not...

Page 390: ...be able to communicate with the database In this case contact Technical Assistance Center TAC for assistance Changing the Sentriant AG Administrator Password When the Password is Known To reset the Se...

Page 391: ...th Ranges In Sentriant AG implementations particularly in trial installations where you are connecting and disconnecting cables to a number of different types of endpoints you can filter the activity...

Page 392: ...System configuration Select an Enforcement Cluster Advanced menu option In the Endpoint detection area enter the range of addresses to monitor in the IP addresses to monitor text field Separate ranges...

Page 393: ...nt utility that allows you to create your own public and private keys when you use self authentication These keys and certificates are stored in a keystore file NOTE All of the steps in these sections...

Page 394: ...Organizational unit Enter the appropriate value Organization Enter the name of your organization City or locality Enter the city or location State or province Enter the unabbreviated state or province...

Page 395: ...he command line keytool certreq alias key_alias keyalg RSA file csr_filename keystore usr local nac keystore compliance keystore Where key_alias is the name for the key within the keystore file csr_fi...

Page 396: ...ol import alias key_alias trustcacerts file signed_cert_file keystore usr local nac keystore compliance keystore Where key_alias is the name for the key within the keystore file signed_cert_file is th...

Page 397: ...t as quickly as possible 1 Place all of the clusters that have a large number of endpoints in allow all mode a Select System configuration b Click a cluster name c Select the allow all radio button d...

Page 398: ...lowing command at the command line cd etc sysconfig network scripts c For 802 1X mode 1 Enter the following at the command line cp ifcfg eth1 ifcfg eth1 1 2 Open the ifcfg eth1 1 file with a text edit...

Page 399: ...Verify that the EDAC is using the virtual interface you created The log should contain a line similar to the following 070509 MDT 10 53 11 366 DeviceActivityCapture INFO Listening on eth1 1 iptables W...

Page 400: ...process as follows 1 Log in to http eSupport extremenetworks com to get the necessary RPM file 2 Copy the RPM file to your Sentriant AG server 3 Run the update script at the command line Downloading...

Page 401: ...line 1 Log in as root to the Sentriant AG server using SSH or directly with a keyboard 2 Enter the following command at the command line installAirgapTests path to RPM file RPM Filename Supporting Ne...

Page 402: ...ICMP Request If you wish to restrict the ping request to a specific interface such as the interface facing the protected network then after following the procedures above follow the instructions in th...

Page 403: ...ss range customer specific community where IP address range the IP address range of your network CIDR notation is supported Figure 212 snmpd conf Example File Thu Jul 05 15 14 53 MDT 2007 This file is...

Page 404: ...network Simple Network Management Protocol SNMP is a protocol used for communication between devices that uses MIBs to obtain SNMP message formats Sentriant AG supports SNMP v2c for incoming SNMP noti...

Page 405: ...triant AG Software Users Guide Version 5 2 405 See the following link for more information on SNMP and MIBs http en wikipedia org wiki Management_information_base http en wikipedia org wiki Simple_Net...

Page 406: ...System Administration Sentriant AG Software Users Guide Version 5 2 406...

Page 407: ...pletion The patch management capability uses the following test statuses fail patching endpoint patching failed reason patching completed Flagging a Test to Launch a Patch Manager To flag a test to la...

Page 408: ...maximum number of retest attempts Home window NAC Policies Select or create an access policy Tests menu option 1 Select the check box for a test in the left column 2 Click on the test name in the left...

Page 409: ...ate package is available NOTE Detailed instructions on using and configuring SMS are beyond the scope of this document See Learning More About SMS on page 410 for links to helpful SMS information NOTE...

Page 410: ...cessible services area a SMS server IP address b Domain Controllers IP addresses and authentication ports Learning More About SMS The following links provide additional information about SMS Microsoft...

Page 411: ...access depending on the test method in order to be tested These settings are described in End user Access on page 167 Tests NOTE Not all anti virus and anti spyware tests check for signature file upda...

Page 412: ...Requirements Sentriant AG Software Users Guide Version 5 2 412 RADIUS 802 1X Must have privileges access to the network to make configuration changes...

Page 413: ...Your Sensor on page 419 Extracting the ZIP File Windows To download and extract the ZIP file to a Windows machine 1 Create a directory for the contents of the ZIP file on the Windows machine Extreme...

Page 414: ...lowing directory support Installers See the Upgrading from a CD section in the Sentriant AG Installation Guide for instructions on accessing the CD in Linux 3 Extract the contents of the ZIP file by e...

Page 415: ...and filtering system 1 Navigate to http www winpcap org 2 Download and install the WinPcap auto installer driver DLLs image 2 Install Java on a Windows machine if it is not already installed a Log in...

Page 416: ...it the JMSConnection properties file a Open the postconnect lib JMSConnection properties file with a text editor b Enter the MS IP address For example URL ssl 172 16 128 100 61616 c Enter the MS usern...

Page 417: ...racted the ZIP file See Copying Files on page 37 for information on how to copy files securely 4 Log in to the Linux post connect server a Modify the startup script 1 Open the following file with a te...

Page 418: ...SSWORD 7884 25H d Start the service by entering the following at the command line service postconnect start Viewing Logs To view post connect logs The log files are as follows usr local postconnect lo...

Page 419: ...P2P Software Installed or Latest Windows XP Service Pack not applied Configuring Your Sensor Configure your post connect sensor to call Connector_ActionScript py with the IP address of the endpoint t...

Page 420: ...Configuring the Post connect Server Sentriant AG Software Users Guide Version 5 2 420...

Page 421: ...ystem meets your specified security requirements Browser vulnerabilities are related to cookies caches and scripts JavaScript Java and Active scripting ActiveX You can specify generally what level of...

Page 422: ...cks with moving parts The following links provide more detailed information about JavaScript http www javascript com http javascript internet com http www javascriptkit com Active scripting ActiveX Ac...

Page 423: ...rols and plug ins disables file downloads prompts for font downloads disables or prompts for Miscellaneous options disables Scripting requires login Medium A mix of enabled disabled and prompt for Act...

Page 424: ...controls enables downloads a mix of enabled and prompt for Miscellaneous options enables Scripting enables automatic login How Does this Affect me The intranet security zone defines a security level...

Page 425: ...e What Do I Need to Do Perform the following steps 1 Select Tools Internet Options Security Restricted sites 2 Select one of the following Default Level to return to the default settings Select Custom...

Page 426: ...to create custom settings 3 Select Sites 4 Enter a domain name or IP address in the Add this Web site to the zone text box 5 Select the Require server verification https for all sites in this zone che...

Page 427: ...f automatic update is not enabled or is not working Microsoft Office Hotfixes Description This test verifies that the endpoint attempting to connect to your system had the latest Microsoft Office hotf...

Page 428: ...tical updates option requires all the critical patches that have been released or will be released by Microsoft How Does this Affect Me Hotfixes are programs that update the software and may include p...

Page 429: ...Deep Check to permit endpoint tests to run at the file level The most secure option is to select the All critical updates option as this requires all the critical patches that have been released or t...

Page 430: ...Hotfixes are programs that update the software and may include performance enhancements bug fixes security enhancements and so on There is usually only one fix in a hotfix whereas a patch includes mul...

Page 431: ...I Need to Do Manually initiate an update check http v4 windowsupdate microsoft com en default asp if automatic update is not enabled or is not working Windows Vista SP0 Hotfixes Description This test...

Page 432: ...whereas a service pack includes multiple hotfixes What Do I Need to Do Manually initiate an update check at http www update microsoft com microsoftupdate v6 muoptdefault aspx returnurl http www updat...

Page 433: ...eferred networks Test Properties There are no properties to set for this test How Does this Affect Me If you move between different locations and you use an AirPort network in each one you can choose...

Page 434: ...seems For example it may seem to be calendar program but when you open it it erases all your files and displays a message such as Ha ha I deleted your files Trojan horse programs do not spread or rep...

Page 435: ...tem Preferences Sharing 1 Select the Internet tab 2 Click Stop Mac QuickTime Updates Description This test verifies that the QuickTime updates have been applied on this endpoint Test Properties When a...

Page 436: ...ed to Do Initiate an update by clicking on one of the links shown in the Test Properties area For more information on Mac OS X software updates see the following page http docs info apple com article...

Page 437: ...ly macros installed in trusted locations will be allowed to run All other signed and unsigned macros are disabled High Only signed macros from trusted sources will be allowed to run Unsigned macros ar...

Page 438: ...uses and are hidden within a document When you open an infected document the macro virus runs A macro virus can save itself to other files such as the Normal template and can potentially infect all of...

Page 439: ...ng only compliant services Test Properties Enter a list of services that are not allowed on connecting endpoints Separate additional services with a carriage return Use the service names found in the...

Page 440: ...op Help Session Manager How Does this Affect Me Services are Windows operating system applications that run automatically without manual intervention Services explained http www microsoft com technet...

Page 441: ...s documentation windows xp all proddocs en us hnw_understanding_bridge mspx mfr true http www microsoft com windowsxp using networking expert crawford_02april22 mspx Windows Wireless Network SSID Conn...

Page 442: ...ces documentation windows xp all proddocs en us loc_sec_set mspx mfr true Enable Accounts Limit local account use of blank passwords to console logon only http www microsoft com resources documentatio...

Page 443: ...http www winguides com registry What Do I Need to Do Verify that the run and runOnce registry keys run only compliant programs CAUTION Modifying registry entries incorrectly can cause serious problems...

Page 444: ...al gain and for gaining unauthorized access to your network Spyware also consumes system resources and can cause system instability and crashes What Do I Need to Do Make sure you have an anti spyware...

Page 445: ...for one or more Microsoft Office packages Any software package selected that does not have the latest version installed fails the test How Does this Affect Me Some companies may support only the softw...

Page 446: ...4 http www microsoft com technet network wf default mspx http www firewallguide com What Do I Need to Do Make sure you have a personal firewall installed Software Not Allowed Description This test ve...

Page 447: ...cription This test verifies that the endpoint attempting to connect to your system does not have any of the worms viruses or trojans listed Test Properties This area of the window displays the current...

Page 448: ...Tests Help Sentriant AG Software Users Guide Version 5 2 448...

Page 449: ...vides information on the following tables for the Sentriant AG database test_result table on page 450 Device table on page 451 sa_cluster on page 453 sa_node on page 453 sa_user on page 454 cluster_to...

Page 450: ...For example CheckHotFix test_module VARCHAR 50 NOT NULL A reference to the Python script that executed the test For example checkHotFix group_name VARCHAR 50 NOT NULL The type of test for example ope...

Page 451: ...ast policy used last_run_id INT4 DEFAULT NULL A foreign key into the test_result table that references the last test run for this endpoint prev_run_id INT4 A foreign key into the test_result table tha...

Page 452: ...HAR 30 The IP address of the network access endpoint that connects the user session_access INT4 The amount of time in seconds this endpoint has been temporarily granted access or quarantined by an adm...

Page 453: ...ig TEXT XML data representing the cluster s configuration settings sa_node This table contains information about all known Enforcement servers or nodes node_id VARCHAR 64 PRIMARY KEY cluster_id VARCHA...

Page 454: ...e user email VARCHAR 256 The email address of the user enabled INT4 1 if the user is enabled 0 if not cluster_to_user This table contains information about users assigned to clusters cluster_id VARCHA...

Page 455: ...ser role in the many to many relationship user_id INT4 The unique ID of the user in the many to many relationship group_to_permission This table contains information about the user role and its associ...

Page 456: ...Database Design Data Dictionary Sentriant AG Software Users Guide Version 5 2 456...

Page 457: ...figurable 137 UDP 138 UDP 139 TCP ES to endpoint These ports are opened by default when File and Print Sharing is enabled but are not used by Sentriant AG Configure on the firewall router between ES a...

Page 458: ...nternet through the MS Configure on the firewall router between MS and Internet 443 TCP MS to Internet For license validation and test updates http update sentriantag extremenetworks com port 443 NOTE...

Page 459: ...ive Directory the LDAP server IP address and optional port number Configure in the Sentriant AG user interface System configuration Quarantining 802 1X Quarantine method Local RADIUS server type OpenL...

Page 460: ...Controller and Quarantine Area Ports used for accessible services and endpoints Varies ES to endpoint In order to grant access for quarantined endpoints to needed services add entries to the Accessib...

Page 461: ...SNMPD 161 UDP admin user to MS or ES Used for SNMP monitoring of the server NOTE See Enabling SNMP on page 65 for instructions on enabling SNMP Not Configurable 162 UDP TCP MS to SNMP Traps for SNMP...

Page 462: ...Ports used in Sentriant AG Sentriant AG Software Users Guide Version 5 2 462...

Page 463: ...their own unique license keys with equivalent settings number of ESs and endpoints Primary and Standby Management Servers must be assigned an Internet Protocol IP address within the same network so th...

Page 464: ...backups need to be taken of the primary MS and stored in a safe location Failover process Once a standby MS is established for MS recovery and all system requirements and ongoing maintenance issues a...

Page 465: ...of the old or primary MS See Modifying MS Network Settings on page 62 10 Navigate to System configuration Enforcement clusters and servers 11 Ensure that communication has been restored to all ESs Se...

Page 466: ...MS Disaster Recovery Sentriant AG Software Users Guide Version 5 2 466...

Page 467: ...n with such hardware products Some third party materials included in the Software may be subject to other terms and conditions which are typically found in a Read Me file or About file in the Software...

Page 468: ...t modify or create derivative works based upon the Software in whole or in part You may not copy the Software or Documentation except as expressly permitted in Section 2 above You may not remove any p...

Page 469: ...l courts sitting in Santa Clara County California shall have exclusive jurisdiction over all disputes relating to this Agreement 14 Open Source Software This product includes or may include some softw...

Page 470: ...to communication on electronic mailing lists source code control systems and issue tracking systems that are managed by or on behalf of the Licensor for the purpose of discussing and improving the Wor...

Page 471: ...n behalf and on Your sole responsibility not on behalf of any other Contributor and only if You agree to indemnify defend and hold each Contributor harmless for any liability incurred by or claims ass...

Page 472: ...ll included source code is used in accordance with the relevant license agreements and can be used freely for any purpose the GNU license being the most restrictive see below for details However none...

Page 473: ...D style license Copyright 1995 1996 by David Mazieres dm lcs mit edu Modification and redistribution in source and binary forms is permitted provided that due credit is given to the author and the Ope...

Page 474: ...owing disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided wi...

Page 475: ...distributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice this l...

Page 476: ...ED UNDER THE TERMS OF THIS COMMON PUBLIC LICENSE AGREEMENT ANY USE REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES RECIPIENT S ACCEPTANCE OF THIS AGREEMENT 1 DEFINITIONS Contribution means a i...

Page 477: ...The Indemnified Contributor may participate in any such claim at its own expense For example a Contributor might include the Program in a commercial product offering Product X That Contributor is the...

Page 478: ...distribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyrig...

Page 479: ...cannot simply be copied and put under another distribution licence including the GNU Public Licence The GNU General Public License GPL Version 2 June 1991 The following license applies to SAPQ samba...

Page 480: ...gram or with a work based on the Program on a volume of a storage or distribution medium does not bring the other work under the scope of this License 3 You may copy and distribute the Program or a wo...

Page 481: ...ITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILI...

Page 482: ...knowledgments normally appear 4 The name Indiana Univeristy and Indiana Univeristy Extreme Lab shall not be used to endorse or promote products derived from this software without prior written permiss...

Page 483: ...it You can use it too but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case based on the expla...

Page 484: ...ay copy and distribute verbatim copies of the Library s complete source code as you receive it in any medium provided that you conspicuously and appropriately publish on each copy an appropriate copyr...

Page 485: ...ry if the user installs one as long as the modified version is interface compatible with the version that the work was made with c Accompany the work with a written offer valid for at least three year...

Page 486: ...E THE LIBRARY IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE LIBRARY TO THE EXTENT PERMITTED BY APPLICABLE LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTI...

Page 487: ...are available to employees for internal use or demonstration purposes only In keeping with Oracle s trade compliance obligations under U S and applicable multilateral law failure to comply with this...

Page 488: ...end user agreements and records of end user information including name address date of distribution and identity of programs distributed c allow us to inspect your end user agreements and records upon...

Page 489: ...or contemporaneous agreements or representations If any term of this agreement is found to be invalid or unenforceable the remaining provisions will remain effective Last updated 03 09 05 Should you h...

Page 490: ...reement Capitalized terms not defined in these Supplemental Terms shall have the same meanings ascribed to them in the Agreement These Supplemental Terms shall supersede any inconsistent or conflictin...

Page 491: ...MENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENC...

Page 492: ...at must bear the fee Freely Available means that no fee is charged for the item itself though there may be fees involved in handling the item It also means that recipients of the item may redistribute...

Page 493: ...endorse or promote products including or derived from the Java Software technology without specific prior written permission and Redistributions of source or binary code must contain the above copyrig...

Page 494: ...e Politecnico di Torino CACE Technologies nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWAR...

Page 495: ...oftware must display the following acknowledgement This product includes software developed by Yen Yen Lim and North Dakota State University 4 The name of the author may not be used to endorse or prom...

Page 496: ...rtaining to distribution of the program without specific prior permission and notice be given in supporting documentation that copying and distribution is by permission of Carnegie Mellon and Stanford...

Page 497: ...ies in which case this Agreement will immediately terminate 11 Integration This Agreement is the entire agreement between you and Sun relating to its subject matter It supersedes all prior or contempo...

Page 498: ...either party s opinion be likely to become the subject of a claim of infringement of any intellectual property right For inquiries please contact Sun Microsystems Inc 901 San Antonio Road Palo Alto Ca...

Page 499: ...7 Export Regulations All Software and technical data delivered under this Agreement are subject to US export control laws and may be subject to export or import regulations in other countries You agre...

Page 500: ...ly provided the use of each such bundled product shall be governed by its license agreement 3 License to Distribute Redistributables Subject to the terms and conditions of this Agreement Sun grants yo...

Page 501: ...make of the Sun Marks inures to Sun s benefit 6 Source Code Software may contain source code that is provided solely for reference purposes pursuant to the terms of this Agreement Source code may not...

Page 502: ...Licenses Sentriant AG Software Users Guide Version 5 2 502...

Page 503: ...access policy control platform AD Active Directory A directory service included with Microsoft Windows Server 2003 that allows administrators to manage end user access to the network ActiveX A Microso...

Page 504: ...be intentional for maintenance use or unintentional If a backdoor is discovered malicious users or software can gain entry and cause damage blacklist A list of devices or endpoints that are denied acc...

Page 505: ...ather than at each endpoint DLL Dynamic Link Library A shared library file used in Microsoft systems These files have the DLL extension DMA Direct Memory Access A feature in computers where memory can...

Page 506: ...ne fix in a hotfix whereas a patch includes multiple hotfixes HTML Hyper text markup language A language that tells a web browser how to display the web page IAS Internet Authentication Service A serv...

Page 507: ...age interface JVM Java Virtual Machine A set of programs that converts Java bytecode into machine language L2TP Layer two tunneling protocol An open standard protocol used to create virtual private ne...

Page 508: ...logical grouping of NAC policies NAT Network Address Translation The translation of an external IP address to one or more internal IP addresses and the reverse NIC Network Interface Card A card that c...

Page 509: ...connection to a host post connect Post connect in Sentriant AG provides an interface where you can configure external systems such as IDS IPS that request quarantining of an endpoint based on activit...

Page 510: ...SNMP Simple Network Management Protocol SSH Secure shell or secure socket shell A UNIX based command interface and protocol used to securely gain access to a remote computer SSL Secure socket layer A...

Page 511: ...twork A secure method of using the Internet to gain access to an organization s network WEP Wireless Equivalent Privacy whitelist A list of devices or endpoints that are allowed access to a system or...

Page 512: ...Glossary Sentriant AG Software Users Guide Version 5 2 512...

Page 513: ...rectory 258 and IAS 260 ActiveMQ 305 ActiveX 29 30 testing method 129 add 91 Cisco CatOS device 95 Cisco IOS device 93 custom tests 366 Enforcement cluster 49 Enforcement server 53 Enterasys device 98...

Page 514: ...oot password 66 properties 359 check for available test updates settings 81 CIDR 360 clear a temporary state 159 ClearTemporaryAccess 310 client 253 cluster_id 450 453 454 cluster_name 453 cluster_to_...

Page 515: ...AC policy 219 disconnected 152 display limited endpoints 150 documentation 33 domain controller 139 matching policies 355 Domain Controller IP address 132 specifying the name 132 domainname 451 domain...

Page 516: ...work settings 57 change password 58 delete 59 edit 55 view status 58 enforcement set DHCP 115 enforcing ranges 392 enter license key 352 enter license key 352 error ActiveX 201 license key 79 message...

Page 517: ...nd user Testing 204 End user Testing Cancelled 205 End user Testing Failed Example 1 206 End user Testing Failed Printable Results 207 End user Testing Successful 204 Enforcement Cluster Legend 55 Enf...

Page 518: ...s 133 236 System Configuration License 79 System Configuration Logging Option 143 System Configuration Maintenance 126 System Configuration Management Server 61 System Configuration Notifications 135...

Page 519: ...name 450 451 HTML help 38 HTML or text editor 187 I IAS add to Windows Server 2003 Installation 259 and Active Directory 260 Connector 273 IAS posture Checkup 276 Healthy 276 Infected 277 Quarantined...

Page 520: ...ors 79 key entering 352 keys 352 open source 469 other 469 updating 78 viewing 469 license key not updating 353 limit endpoints displayed 150 limit ping entries to specific interface 402 Linux 169 dow...

Page 521: ...mail server 360 NTLM v2 enabling 391 O one time passwords 253 online help 33 open source license 469 opening screen 188 operating systems non supported 228 not tested 220 supported 238 ordering test m...

Page 522: ...ete 120 edit 119 sort 119 quarantine method DHCP 115 quarantined 152 R RADIUS 253 authentication method setting 85 built in 284 configure 260 server and SA plug in 258 use existing server 281 using a...

Page 523: ...certificate 274 for email notifications 360 names 131 services find names 231 not allowed 231 required 231 services Agent 192 session_access 452 session_access_end 452 set 802 1X logging levels 144 ac...

Page 524: ...s period 206 state clearing 159 test add custom 366 base functionality 378 connection to 802 1X device 92 creating a custom script 370 properties selecting 230 set properties 228 status 152 successful...

Page 525: ...users assigned to clusters database table 454 users database table 454 V vi 187 view access status 156 cluster and server icons 54 current list of tests 230 endpoint information 160 Enforcement cluste...

Page 526: ...Index Sentriant AG Software Users Guide Version 5 2 526...

Reviews:

No comments

Related manuals for Sentriant AG

Makita 3606 Parts Breakdown preview
3606
Brand: Makita Pages: 2
Barnstead Thermolyne Corporation 801 Series Operation Manual And Parts List preview
801 Series
Brand: Barnstead Thermolyne Corporation Pages: 16
Eachine EV200D User Manual preview
EV200D
Brand: Eachine Pages: 14
Wattle Pegasus Quick Installation Manual preview
Pegasus
Brand: Wattle Pages: 6
IBM E12 Quick Reference Manual preview
E12
Brand: IBM Pages: 4
Sunx NA2-N Series Instruction Manual preview
NA2-N Series
Brand: Sunx Pages: 2
Hach Flo-Dar User Manual preview
Flo-Dar
Brand: Hach Pages: 44
Mamiya Universal Specifications preview
Universal
Brand: Mamiya Pages: 10
NA-DE 10220 Manual preview
10220
Brand: NA-DE Pages: 2
N-Tron 7018 User Manual & Installation Manual preview
7018
Brand: N-Tron Pages: 138
I.SOUND DGIPAD-4542 - DATASHEET FOR IPAD Datasheet preview
DGIPAD-4542 - DATASHEET FOR IPAD
Brand: I.SOUND Pages: 1
iDirect iQ Desktop+ Installation, Support, And Maintenance Manual preview
iQ Desktop+
Brand: iDirect Pages: 52
Watchguard ALC-BEAM1 User Manual preview
ALC-BEAM1
Brand: Watchguard Pages: 2
Novitas 01-190-BAS Installation Instructions preview
01-190-BAS
Brand: Novitas Pages: 2
Hytronik HEC7028 Instruction Manual preview
HEC7028
Brand: Hytronik Pages: 4
Sewhacnm SI 4000 Instruction Manual preview
SI 4000
Brand: Sewhacnm Pages: 47
3Com 3C8567 - SuperStack II NETBuilder SI 567... Datasheet preview
3C8567 - SuperStack II NETBuilder SI 567...
Brand: 3Com Pages: 6
F-One HYDROFOIL LEVO CARBON User Manual preview
HYDROFOIL LEVO CARBON
Brand: F-One Pages: 9

Brands by name

Popular brands

Load more brands