background image

F-Secure Policy 

Manager 7.0

Administrator’s Guide

Summary of Contents for POLICY MANAGER 7.0 -

Page 1: ...F Secure Policy Manager 7 0 Administrator s Guide...

Page 2: ...Corporation will not be liable for any errors or omission of facts contained herein F Secure Corporation reserves the right to modify specifications cited in this document without prior notice Compani...

Page 3: ...18 1 3 Features 19 1 4 Policy Based Management 20 1 4 1 Management Information Base 22 Chapter 2 System Requirements 24 2 1 F Secure Policy Manager Server 25 2 2 F Secure Policy Manager Console 27 Cha...

Page 4: ...tion Steps 65 5 3 Uninstalling F Secure Policy Manager Console 83 Chapter 6 Using F Secure Policy Manager Console 84 6 1 Overview 85 6 2 F Secure Policy Manager Console Basics 86 6 2 1 Logging In 87 6...

Page 5: ...ector Pane 146 6 9 3 Report Pane 147 6 9 4 Bottom Pane 148 6 10 Preferences 149 6 10 1 Connection Specific Preferences 150 6 10 2 Shared Preferences 153 Chapter 7 Maintaining F Secure Policy Manager S...

Page 6: ...tic Update Agent 179 9 5 Frequently Asked Questions 179 Chapter 10 Web Reporting 184 10 1 Overview 185 10 2 Introduction 185 10 3 Web Reporting Client System Requirements 186 10 4 Generating and Viewi...

Page 7: ...icy Distribution 209 Appendix A SNMP Support 211 A 1 Overview 212 A 1 1 SNMP Support for F Secure Management Agent 212 A 2 Installing F Secure Management Agent with SNMP Support 213 A 2 1 F Secure SNM...

Page 8: ...Overview 229 Technical Support 231 Overview 232 Web Club 232 Virus Descriptions on the Web 232 Advanced Technical Support 232 F Secure Technical Product Training 233 Training Program 233 Contact Infor...

Page 9: ...9 ABOUT THIS GUIDE Overview 10 How This Guide is Organized 11...

Page 10: ...cy Manager provides tools for administering the following F Secure software products F Secure Client Security F Secure Internet Gatekeeper F Secure VPN F Secure Anti Virus for Workstations Firewalls F...

Page 11: ...Console Covers the installation of F Secure Policy Manager Console applications on the administrator s workstation Chapter 6 Using F Secure Policy Manager Console Includes an overview setup procedures...

Page 12: ...he most common error codes and messages that can occur during the Autodiscover Windows Hosts operation Appendix D Remote Installation Support for Windows 98 ME Offers information on requirements for W...

Page 13: ...s black is used for file and folder names for figure and table captions and for directory tree names Courier New is used for messages on your computer screen WARNING The warning symbol indicates a sit...

Page 14: ...used for online viewing and printing using Adobe Acrobat Reader When printing the manual please print the entire manual including the copyright and disclaimer statements For More Information Visit F...

Page 15: ...15 1 INTRODUCTION Overview 16 Installation Order 18 Features 19 Policy Based Management 20...

Page 16: ...buted mobile workforce F Secure Policy Manager is comprised of F Secure Policy Manager Console and F Secure Policy Manager Server They are seamlessly integrated with the F Secure Management Agent that...

Page 17: ...cure Policy Manager Reporting Option allows users to generate reports concerning the data from the Communication Directory in F Secure Policy Manager Server by using XSL templates which are like prede...

Page 18: ...Secure VPN 1 2 Installation Order To install F Secure Policy Manager please follow this installation order unless you are installing F Secure Policy Manager Server and F Secure Policy Manager Console...

Page 19: ...automatically pushed by F Secure Automatic Update Agent or voluntarily pulled from the F Secure website F Secure Policy Manager Console can be used to export pre configured installation packages which...

Page 20: ...mum control of security in a corporate environment Policy based management implements many functions Remotely controlling and monitoring the behavior of the products Monitoring statistics provided by...

Page 21: ...ific host With domain level policies a group of hosts may share the same file A Base Policy file is signed by F Secure Policy Manager Console protecting the file against changes while it is passing th...

Page 22: ...the manner of an SNMP The managed products must operate within the limits specified here Statistics Delivers product statistics to F Secure Policy Manager Console Operations Operations are handled wit...

Page 23: ...te administration process etc The following types of traps are sent by most of the F Secure products Info Normal operating information from a host Warning A warning from the host Error A recoverable e...

Page 24: ...24 2 SYSTEM REQUIREMENTS F Secure Policy Manager Server 25 F Secure Policy Manager Console 27...

Page 25: ...0 Advanced Server SP 3or higher Windows Server 2003 Standard Edition or Web Edition Windows 2003 Small Business Server Linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SUSE Linux 10 0 SUSE...

Page 26: ...e requirements depend on the size of the installation In addition to this it is recommended to allocate about 1 MB per host for alerts and policies The actual disk space consumption per host is hard t...

Page 27: ...P3 or higher Windows XP Professional SP2 or higher Windows Server 2003 Standard Edition or Web Edition Windows 2003 Small Business Server Linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SU...

Page 28: ...color display with resolution of 1024x768 32 bit color with 1280x960 or higher resolution recommended Network Ethernet network interface or equivalent 10 Mbit network between console and server is rec...

Page 29: ...29 3 INSTALLING F SECURE POLICY MANAGER SERVER Overview 30 Security Issues 31 Installation Steps 37 Uninstalling F Secure Policy Manager Server 58...

Page 30: ...atus information and alerts sent by the managed hosts Communication between F Secure Policy Manager Server and other components can be achieved through the standard HTTP protocol which ensures trouble...

Page 31: ...packages The Web Reporting component stores statistics and historical trend data about the hosts 3 2 Security Issues F Secure Policy Manager Server utilizes Apache Web Server technology and even thou...

Page 32: ...licy data More importantly it is impossible to deploy unauthorized changes to managed hosts Both these features rely on a management key pair that is available to administrators only These features ba...

Page 33: ...e is no way to distribute the changes to managed hosts without the correct original key pair Both of these features may be undesirable in a high security environment where even seeing the management d...

Page 34: ...ccess from the server machine Allow from 10 128 129 209 Allow access from Administrator s workstation SetHandler fsmsa handler Location VirtualHost After this only the person who has access to the mac...

Page 35: ...ion scenarios for high security environments 1 Access to Web Reports is limited to localhost only during the installation After this only the person who has physical access to the localhost can use F...

Page 36: ...t ajp13 ErrorDocument 500 Policy Manager Web Reporting could not be contacted by the Policy Manager Server Location Order Deny Allow Deny from all First deny all Allow from 127 0 0 1 Then allow access...

Page 37: ...t the F Secure CD in your CD ROM drive 2 Select Corporate Use Click Next to continue 3 Go to the Install or Update Managed Software menu and select F Secure Policy Manager Step 2 Setup begins View the...

Page 38: ...CHAPTER3 38 Installing F Secure Policy Manager Server Step 3 Read the license agreement information If you agree select I accept this agreement Click Next to continue...

Page 39: ...the same computer is allowed access to F Secure Policy Manager Server Access to Web Reports is allowed also from other computers Custom This is the default recommended option that lets you specify fo...

Page 40: ...ect the following components F Secure Policy Manager Server F Secure Policy Manager Update Server Agent automate virus definition database updates F Secure Installation Packages select this option if...

Page 41: ...tallation directory If you want to install F Secure Policy Manager Server in a different directory you can use the Browse feature WARNING If you have F Secure Management Agent installed in the same ma...

Page 42: ...munication Directory commdir directory under F Secure Policy Manager Server installation directory and this will be the directory that F Secure Policy Manager Server will use as a repository You can u...

Page 43: ...figuration file HTTPD conf This option automatically keeps the existing administration host and web reporting ports If you want to change the ports from the previous installation select the Change set...

Page 44: ...SH or F Secure VPN Web Reporting module is used for communication with F Secure Policy Manager Web Reporting Select whether it should be enabled Web Reporting uses a local socket connection to the Adm...

Page 45: ...45 Click Next to continue...

Page 46: ...Installing F Secure Policy Manager Server Step 10 Select to add product installation package s from the list of available packages if you selected F Secure Installation Packages in Step 4 on page 17...

Page 47: ...47 Step 11 Setup displays the components that will be installed Click Next...

Page 48: ...CHAPTER3 48 Installing F Secure Policy Manager Server Step 12 When the setup is completed the setup shows whether all components were installed successfully...

Page 49: ...49 Step 13 F Secure Policy Manager Server is now installed Restart the computer if you are prompted to do so Click Finish to complete the installation...

Page 50: ...alhost 80 if you used the default port number during the installation and press ENTER If the server installation was successful the following page will be displayed The F Secure Policy Manager Server...

Page 51: ...path 2 Stop the F Secure Policy Manager Server service 3 Copy the whole directory structure from the old commdir path to the new path 4 Change the value for the CommDir and CommDir2 directives in htt...

Page 52: ...tens in port 80 You can however define what ports they should listen in if the defaults are not suitable If you want to change the port in which F Secure Policy Manager Server Admin Module listens add...

Page 53: ...er Configuration Settings This section introduces and explains all the relevant entries present in the F Secure Policy Manager Server configuration file and how they are used ServerRoot This directive...

Page 54: ...n an absolute path It defines the directory that everyone will be able to access so don t use a path to a directory with sensitive data By default F Secure Policy Manager Server allocates a directory...

Page 55: ...msa fsmsa dll SetHandler fsmsa handler Location VirtualHost Commdir and Commdir2 These directives define the path to the communication directory or repository This is the directory where F Secure Poli...

Page 56: ...0 x86 mod_gzip DECHUNK DECLINED TOO_SMALL CR 0pct 10 128 131 224 18 Apr 2002 14 06 36 0300 tells you when the request to the server was made and by which host described by its IP address The fxnext co...

Page 57: ...a log should be kept 8 days by default and when the files should be rotated e g when the access log is named access log 1 and a new empty access log file is created where the new requests will be log...

Page 58: ...nents accessing the communication directory concurrently e g F Secure Management Agent RetryFileOperation 10 This setting tells the server how many times it should retry a failed file operation with a...

Page 59: ...Secure Uninstall dialog box appears Click Start to begin uninstallation 4 When the uninstallation is complete click Close 5 Click OK to exit Add Remove Programs 6 Reboot your computer for changes to t...

Page 60: ...60 4 COMMDIR MIGRATION Introduction 61 Instructions 61...

Page 61: ...Step 1 Back Up the Existing System 1 Before you start the back up procedure make sure that F Secure Policy Manager Console is not running 2 Backup the management keys admin pub and admin prv and the e...

Page 62: ...Connect the F Secure Policy Manager Console to the new F Secure Policy Manager Server 2 Configure the correct F Secure Policy Manager Server address to use Select the Settings tab and open the Centra...

Page 63: ...ger Server in format http IP address 3 Distribute the policies to the whole managed domain 4 Close F Secure Policy Manager Console Step 5 Wait for the Migration to Complete Wait long enough over a wee...

Page 64: ...64 5 INSTALLING F SECURE POLICY MANAGER CONSOLE Overview 65 Installation Steps 65 Uninstalling F Secure Policy Manager Console 83...

Page 65: ...ministrator and Read Only connections The following sections explain how to run the F Secure Policy Manager Console setup from the F Secure CD and how to select the initial operation mode when the con...

Page 66: ...CHAPTER5 66 Installing F Secure Policy Manager Console Step 2 View the Welcome screen and follow the setup instructions Select the installation language from the drop down menu Click Next to continue...

Page 67: ...67 Step 3 Read the license agreement information If you agree select I accept this agreement Click Next to continue...

Page 68: ...Policy Manager Console installed on the same computer is allowed access to F Secure Policy Manager Server Access to Web Reports is allowed also from other computers Custom Select this option that let...

Page 69: ...69 Step 5 Select the following components to be installed F Secure Policy Manager Console F Secure VPN Certificate Wizard optional required only for F Secure VPN management Click Next to continue...

Page 70: ...cure Policy Manager Console Step 6 Choose the destination folder Click Next It is recommended to use the default installation directory Use the Browse feature to install F Secure Policy Manager Consol...

Page 71: ...71 Step 7 Specify F Secure Policy Manager Server address and Administration port number Click Next to continue...

Page 72: ...CHAPTER5 72 Installing F Secure Policy Manager Console Step 8 Review the changes that setup is about to make Click Next to continue...

Page 73: ...r Console for the first time immediately after the CD setup has been run It is important to run the console after the setup because some connection properties will be collected during the initial cons...

Page 74: ...ole F Secure Policy Manager Console When F Secure Policy Manager Console is run for the first time the Console Setup Wizard collects the information needed to create an initial connection to the serve...

Page 75: ...dministrator features Read Only mode allows you to view administrator data but no changes can be made If you select Read only mode you will not be able to administer hosts To change to Administrator m...

Page 76: ...CHAPTER5 76 Installing F Secure Policy Manager Console Step 12 Enter the address of the F Secure Policy Manager Server that is used for communicating with the managed hosts...

Page 77: ...private key files will be stored By default key files are stored in the F Secure Policy Manager Console installation directory Program Files F Secure Administrator Click Next to continue If the key pa...

Page 78: ...window to initialize the random seed used by the management key pair generator Using the path of the mouse movement ensures that the seed number for the key pair generation algorithm has enough rando...

Page 79: ...79 Step 15 Enter a passphrase which will secure your private management key Re enter your passphrase in the Confirm Passphrase field Click Next...

Page 80: ...CHAPTER5 80 Installing F Secure Policy Manager Console Step 16 Click Finish to complete the setup process F Secure Policy Manager Console will generate the management key pair...

Page 81: ...81 After the key pair is generated F Secure Policy Manager Console will start...

Page 82: ...e Admin pub key file or access to it If you install the F Secure products on the workstations remotely with F Secure Policy Manager a copy of the Admin pub key file is installed automatically on them...

Page 83: ...sts Changing the Web Browser Path The F Secure Policy Manager Console acquires the file path to the default Web browser during setup If you want to change the Web browser path open the Tools menu and...

Page 84: ...ew 85 F Secure Policy Manager Console Basics 86 F Secure Client Security Management 104 Managing Domains and Hosts 104 Software Distribution 115 Managing Policies 134 Managing Operations and Tasks 140...

Page 85: ...osts under policy domains sharing common attribute values Manage host and domain hierarchies easily Generate signed policy definitions which include attribute values and restrictions Display status Ha...

Page 86: ...e properties because its installation is user based and modifications cannot affect other users The user cannot do any of the following in Read only mode Modify the domain structure or the properties...

Page 87: ...lled the program This is not your network administrator password You can start the program in Read Only mode in which case you do not need to enter a passphrase In this case however you will not be al...

Page 88: ...and Private Key File paths specify what management key pair to use for this connection If the specified key files do not exist F Secure Policy Manager Console will generate a new key pair Communicatio...

Page 89: ...s less than one day are normally useful only for trouble shooting purposes because in a typical environment some hosts are naturally disconnected from the server every now and then For example laptop...

Page 90: ...riods dialog See Preferences 149 for more information about other connection specific settings After F Secure Policy Manager Console startup these settings can be edited normally from the Preferences...

Page 91: ...on the toolbar A new policy domain can be created only when a parent domain is selected Add a new host click the icon Find a host View the properties of a domain or host All hosts and domains should b...

Page 92: ...tab allows you to use the Product View pane to define settings restrictions and operations for domains or hosts These changes become effective after the policy has been distributed and the Agent has f...

Page 93: ...alert are displayed in the Product View pane Reports When a report is selected in the Reports tab details of the report are displayed in the Product View pane Installation In the Product View pane you...

Page 94: ...he Properties Pane F Secure Policy Manager Console will render a Product View in the Product View Pane for your selected product and contains the most commonly used settings and the most often needed...

Page 95: ...Menu for Policy Settings Most editor fields in the Product View include a context menu activated by right clicking your mouse The context menu contains the following options Go To Clear Value Force Va...

Page 96: ...ble only if there is a value defined for the currently defined domain or host Force Value This Force Value menu item is available only when a Policy Domain is selected You can enforce the current doma...

Page 97: ...ab will show the domain level status overview number of hosts in the domain and list of disconnected hosts Figure 6 9 Status tab Click any disconnected host to quickly change the policy domain selecti...

Page 98: ...ost tree root node context menu Figure 6 10 An example of shortcuts available in the Domain Status View WARNING Deleting all disconnected hosts is potentially a dangerous operation as it is possible t...

Page 99: ...ou can delete a category in the displayed context menu by right clicking on a tab By right clicking on an individual message a context menu is displayed with cut copy and delete operations By default...

Page 100: ...host in the domain tree selection history Go to the next domain or host in the domain tree selection history Go to the parent domain Cuts a host or domain Pastes a host or domain Adds a domain to the...

Page 101: ...domain Green signifies that the host has sent an autoregistration request Displays available installation packages Updates the virus definition database Displays all alerts The icon is highlighted if...

Page 102: ...olicy files Exit Exits F Secure Policy Manager Console Edit Cut Cuts selected items Paste Pastes items to selected location Delete Deletes selected items New Policy Domain Adds a new domain New Host A...

Page 103: ...which is the user interface described in this manual Anti Virus Mode Changes to the Anti Virus mode user interface which is optimized for managing centrally F Secure Client Security Refresh Item Manu...

Page 104: ...Client Security Administrator s Guide 6 4 Managing Domains and Hosts If you want to use different security policies for different types of hosts laptops desktops servers for users in different parts o...

Page 105: ...n first and create the domain structure later when the need for that arises The hosts can then be cut and pasted to the new domains Figure 6 12 An example of a policy domain structure All domains and...

Page 106: ...Security 7 x installed into another domain 6 4 1 Adding Policy Domains Figure 6 14 An example of a policy domain with sub domains From the Edit menu select New Policy Domain a parent domain must be s...

Page 107: ...ain select the target domain and choose Autodiscover Windows hosts from the Edit menu After the autodiscover operation is completed the new host is automatically added to the Policy Domain tree For mo...

Page 108: ...allation package during installation see step 6 in Using the Customized Remote Installation JAR Package 129 section It is possible to sort autoregistration messages according to the values of any colu...

Page 109: ...window You can use the following as import criteria in the rules WINS name DNS name Dynamic DNS name Custom Properties These support asterisk as a wildcard can replace any number of characters For ex...

Page 110: ...property names that are hidden are remembered only until the Console is closed To add a new custom property do as follows 1 Right click a column heading and select Add New Custom Property The New Cust...

Page 111: ...the Add Host button alternatively press Insert This operation is useful in the following cases Learning and testing You can try out a subset of F Secure Policy Manager Console features without actual...

Page 112: ...erties clear the Autoupdate Properties check box in the Identities tab of the Host Properties dialog box You can open the Host Properties dialog box by choosing Properties from the Edit menu or by cli...

Page 113: ...he properties Platform name is the name of the operating system The operating system version numbers are the following An alias for the host can be defined in the Miscellaneous tab If an alias is defi...

Page 114: ...he Initialize from Status Information check box is selected VPN properties are initialized using the status information sent by the host The following initializations are done If the VPN Identity Type...

Page 115: ...ages pane of F Secure Policy Manager Console The main difference between autoupdate and automatic initialization is that automatic initialization occurs only once Autoupdate will always update propert...

Page 116: ...command from the Edit menu in F Secure Policy Manager Console Local Installation and Updates with pre configured packages Instead of using the standard CD ROM setup you can use F Secure Policy Manage...

Page 117: ...et hosts are selected Autodiscover browses the Windows domains and user can select the target hosts from a list of hosts Push Install to Windows Hosts allows you to define the target hosts directly wi...

Page 118: ...ck the button 3 From the NT Domains list select one of the domains and click Refresh The host list is updated only when you click Refresh Otherwise cached information is displayed for performance reas...

Page 119: ...selected by holding down the shift key and doing one of the following clicking the mouse on multiple host rows dragging the mouse over several host rows using the up or down arrow keys Alternatively y...

Page 120: ...er the target host names of those hosts to which you want to push install and click Next to continue You can click Browse to check the F Secure Management Agent version s on the host s 4 After you hav...

Page 121: ...e to force reinstallation if applications with the same version number already exist Click Next to continue 3 Choose to accept the default policy or specify which host or domain policy should be used...

Page 122: ...et host Another Account Enter account and password The administrator can enter any proper Domain Administrator account and password to easily complete the remote installation on selected hosts When co...

Page 123: ...domain the new hosts should be placed using the import settings Click Finish F Secure Policy Manager Console will place the new hosts in the domain that you selected in Step 1 unless you specified an...

Page 124: ...ure Management Agent fetches the installation package specified in the task parameters from the server and starts installation program When the installation is complete F Secure Management Agent sends...

Page 125: ...tion package Installed Version Version number of the product If there are multiple versions of the product installed all version numbers will be displayed For hosts this is always a single version num...

Page 126: ...r failure Failed The installation or uninstallation operation failed Click the button in the Progress field for detailed status information Completed The installation or uninstallation operation succe...

Page 127: ...eration In any case it is possible to remove the installation operation from the policy by clicking Stop All This will cancel the installation operations defined for the selected policy domain or host...

Page 128: ...ement Agent no statistical information will be sent stating that the uninstallation was successful because F Secure Management Agent has been removed and is unable to send any information For example...

Page 129: ...is explained below You can select the file format for the customized package in the Export Installation Package dialog see step 4 below Login Script on Windows Platforms There are three ways of doing...

Page 130: ...as an anonymous policy Click Next to continue 7 Select the installation type The default Centrally managed installation is recommended You can also prepare a package for a stand alone host 8 It is pos...

Page 131: ...iew and after that the hosts from another unit can be imported to their target domain 9 A summary page shows your choices for the installation Review the summary and click Start to continue to the ins...

Page 132: ...es are displayed even when a fatal error occurs F Forced installation Completes the installation even if F Secure Management Agent is already installed Enter ILAUNCHR at the command line to display co...

Page 133: ...initial installation package must be transferred to F Secure Policy Manager Server The installation packages are available from two sources The installation CD ROM or The F Secure website Normally ne...

Page 134: ...IP address Counter incrementing integer Gauge non wrapping integer TimeTicks elapsed time units measured in 1 100s of a second Octet String binary data this type is also used in UNICODE text strings O...

Page 135: ...values from which the user can choose Additionally the administrator can restrict integer type variables Integer Counter and Gauge to a range of acceptable values An additional restriction the FIXED...

Page 136: ...icy configuration if needed 6 6 4 Distributing Policy Files After you have finished configuring domains and hosts you must distribute the new configurations to the hosts To do this click in the toolba...

Page 137: ...fining of a common policy The policy can be further refined for subdomains or even individual hosts The granularity of policy definitions can vary considerably among installations Some administrators...

Page 138: ...or host values need to be reset to the current domain values the Force Value operation can be used to clean the sub domain and host values You can also use the Reporting Tool to create Inheritance Re...

Page 139: ...Secure Internet Shield Rules table F Secure Internet Shield Services table F Secure VPN Connections table Please refer to the corresponding product manuals for more information about table behavior i...

Page 140: ...n the Policy tab of the Properties pane 2 The following pane appears in the Product View pane Click Start to start the selected operation 3 The operation begins on the host as soon as you have distrib...

Page 141: ...eceived will be displayed in the following format Ack Click the Ack button to acknowledge an alert If all the alerts are acknowledged the Ack button will be dimmed Severity The problem s severity Each...

Page 142: ...tab in the Properties pane or choose Messages from the Product View menu The Reports tab has the same structure as the Alerts tab Alerts tables and Reports tables can be sorted by clicking on the col...

Page 143: ...an be F Secure Policy Manager Console the local user interface an alert agent such as the Event Viewer a log file or SMTP or a management extension The Alert Forwarding table has its own set of defaul...

Page 144: ...example Settings Alerting F Secure Policy Manager Console Retry Send Interval specifies how often a host will attempt to send alerts to F Secure Policy Manager Console when previous attempts have fai...

Page 145: ...t the domains and or hosts you are interested in from the reporting point of view The domain selected in the Policy Domain pane is selected by default in the Reporting tool By selecting the Recursive...

Page 146: ...heck box if inheritance information is to be included in the report Inheritance Report Type Export view reports containing values of all policy variables of the selected products from the selected dom...

Page 147: ...hich information is included to the report to be made Alert report type dependent configurations allows you to sort alerts by all the alert description fields and select by severity which severity ale...

Page 148: ...og that appears Viewing the Report Click View in the bottom pane to generate a report of the selected report type with selected configurations The report is then viewed in HTML format with default the...

Page 149: ...149 Figure 6 28 Saving and Exporting a Report 6 10 Preferences Preference settings are either shared or applied to the specific connection...

Page 150: ...nected hosts will have a notification icon in the domain tree and they will appear in the Disconnected Hosts list in the Domain status view The domain tree notification icons can be switched off from...

Page 151: ...us polling If necessary you can disable the automatic status polling To do this open the Tools menu and select Preferences Select the Communications tab and click Polling Period options Check the Disa...

Page 152: ...hese comments are used to make the file more understandable by the users if they want to read the values directly from the file These settings are normally used only for debugging purposes and both in...

Page 153: ...can choose to display the progress indicator to end users during remote installation Tab Setting Meaning Appearance General Options Language Language selection You can select the local language of yo...

Page 154: ...space Location Web Club Area Choose your location to connect to the F Secure web server closest to you HTML Browser Path The full path to the HTML browser s executable file The browser is utilized for...

Page 155: ...155 7 MAINTAINING F SECURE POLICY MANAGER SERVER Overview 156 Backing Up Restoring F Secure Policy Manager Console Data 156 Replicating Software Using Image Files 159...

Page 156: ...ctory contains both the policy domain structure and all saved policy data It is also possible to back up the entire repository By doing so you will be able to restore not only the policy domain struct...

Page 157: ...rver s repository Commdir Full Backup 1 Close all F Secure Policy Manager Console management sessions 2 Stop F Secure Policy Manager Server service 3 Back up the Communication Directory 4 Back up the...

Page 158: ...If you backed up the full content of the communication directory and Console information such as keys and preferences Full Backup restore it as follows 1 Close all F Secure Policy Manager Console man...

Page 159: ...disk image software is used to install new computers This situation will prevent F Secure Policy Manager from functioning properly Please follow these steps to make sure that each computer uses a per...

Page 160: ...nique ID in the F Secure Anti Virus installation A new Unique ID is created automatically when the system is restarted This will happen individually on each machine where the image file is installed T...

Page 161: ...NITION DATABASES Automatic Updates with F Secure Automatic Update Agent 162 Using the Automatic Update Agent 164 Forcing the Update Agent to Check for New Updates Immediately 169 Updating the Database...

Page 162: ...e agent also downloads Virus News Downloading these can be disabled if so desired You may install and use F Secure Automatic Update Agent in conjunction with licensed F Secure Anti Virus and security...

Page 163: ...figured to use HTTP Proxy it tries to download the updates through the HTTP Proxy from F Secure Update Server f After that the client tries to download the updates directly from F Secure Update Server...

Page 164: ...ication is working properly by viewing the log file For more information see How to Read the Log File 165 8 2 1 Configuration Step 1 To configure F Secure Automatic Update Agent open the fsaua cfg con...

Page 165: ...mmands on command line net stop fsaua net start fsaua 8 2 2 How to Read the Log File The fsaua log file is used to store messages generated by F Secure Automatic Update Agent Some of the messages prov...

Page 166: ...s downloaded the update name and version are shown 3988 Thu Oct 26 12 40 39 2006 3 Downloaded F Secure Anti Virus Update 2006 10 26_04 DFUpdates version 1161851933 from fsbwserver f secure com 1244545...

Page 167: ...ere downloaded For a list of update types that you can find in the log see What Updates are Logged in fsaua log 168 Installation of F Secure Anti Virus Update 2006 10 26_04 Success The files were succ...

Page 168: ...te 2006 10 09_03 avmisc F Secure BlackLight Engine Update 2006 09 15_01 BLENG F Secure Gemini Update 2006 09 05_04 gemdb F Secure HIPS Update 2006 09 01_04 hipscfg F Secure Pegasus Update 2006 09 29_0...

Page 169: ...stop fsaua net start fsaua This will trigger F Secure Automatic Update Agent to connect to the update server and check for new updates 8 4 Updating the Databases Manually If your computer is not conne...

Page 170: ...rectly Problem Proxy Authentication failed Reason The password entered for HTTP proxy is incorrect Solution Check and correct the HTTP proxy password in the http_proxies directive in the fsaua cfg fil...

Page 171: ...171 9 F SECURE POLICY MANAGER ON LINUX Overview 172 Installation 172 Configuration 177 Uninstallation 177 Frequently Asked Questions 179...

Page 172: ...pported Distributions F Secure Policy Manager supports many of the Linux distributions based on the Debian package management DEB system and on the Redhat Package Management RPM system The commands fo...

Page 173: ...Secure Automatic Update Agent 1 Log in as root 2 Open a terminal 3 To install type 4 To configure type opt f secure fsaua bin fsaua config and answer the questions Push ENTER to choose the default set...

Page 174: ...nstall type 4 To configure type opt f secure fspms bin fspms config and answer the questions Push ENTER to choose the default setting shown in square brackets for each of these questions F Secure Poli...

Page 175: ...r sbin usermod G fspmc groups the user belongs to now as comma separated list user id For example if Tom belongs to the groups normal_users and administrators the command is usr sbin usermod G fspmc n...

Page 176: ...rting 1 Log in as root 2 Open a terminal 3 To install type 4 To configure type opt f secure fspmwr bin fspmwr config and answer the questions Push ENTER to choose the default setting shown in square b...

Page 177: ...gent 9 4 1 Uninstalling F Secure Policy Manager Web Reporting 1 Log in as root 2 Open a terminal 3 Type F Secure Policy Manager Component Configuration Command F Secure Policy Manager Server opt f sec...

Page 178: ...manager console Log files and configuration files are not removed as these are irreplaceable and contain valuable information To remove these type rm rf opt f secure fspmc Debian Based Distributions R...

Page 179: ...og Q Why doesn t F Secure Policy Manager Server start A Runtime errors warnings and other information are logged to opt f secure fspms logs error_log opt f secure fsaus log fsaus log log opt f secure...

Page 180: ...and F Secure Automatic Update Agent by typing sudo u fspms opt f secure fspms bin fsavupd debug Q Where are the F Secure Policy Manager Console files located in the Linux version A To list all files a...

Page 181: ...estart F Secure Policy Manager Server a Log in as root b Type etc init d fspms restart Q How can I get information about how F Secure Policy Manager Server is running A Type etc init d fspms status Q...

Page 182: ...ecure Automatic Update Agent so that the changes take effect etc init d fsaua restart Q How can I use an HTTP proxy with F Secure Automatic Update Agent A HTTP proxies are set through the file opt f s...

Page 183: ...183 Q How can I restart F Secure Automatic Update Agent after changing the configuration file A To restart F Secure Automatic Update Agent type etc init d fsaua restart...

Page 184: ...WEB REPORTING Overview 185 Introduction 185 Web Reporting Client System Requirements 186 Generating and Viewing Reports 186 Maintaining Web Reporting 190 Web Reporting Error Messages and Troubleshooti...

Page 185: ...on historical trend data using a web based interface You can produce a wide range of useful reports and queries from F Secure Client Security alerts and status information sent by the F Secure Manage...

Page 186: ...e of the pages Virus Protection Summary Internet Shield Summary Alerts Installed Software and Host Properties in the Web Reporting user interface The starting of F Secure Policy Manager Web Reporting...

Page 187: ...atically Select this if you want Internet Explorer to check for a new version of the page automatically Cookies It is also a good idea to enable cookies in your browser as this makes for example brows...

Page 188: ...selected report category Root is selected by default in the Policy Domains pane 3 To view a new report first select the domain subdomain or host for which you want to generate the report 4 Then select...

Page 189: ...rintable version of the page click the icon in the upper right corner of the page This opens a new browser window with the contents of the main frame in printable format and you can then print the pag...

Page 190: ...want to monitor separately the next time you want to generate the same report because this information is already included in the report specific URL address You have two possibilities Generate a rep...

Page 191: ...Manager Web Reporting by using the Service Control Panel as follows 1 Open the Service Control Panel from the Windows Start menu 2 Select F Secure Policy Manager Web Reporting from the list of service...

Page 192: ...number of hosts defined by their IP addresses Allow Access from Everywhere default By default F Secure Policy Manager Web Reporting can be accessed from any computer that can access the Web Reporting...

Page 193: ...he Policy Manager Server Location Order Deny Allow Deny from all Allow from ip address 1 Allow from ip address 2 Allow from ip address 3 Location VirtualHost After this only those people who have acce...

Page 194: ...rting service 2 Copy the file C Program Files F Secure Management Server 5 Web Reporting firebird data fspmwr fdb to the backup media You can also use some compression utility to compress the file Usi...

Page 195: ...e this time to be longer If you want to keep the trend data for a shorter time you can also configure this time to be shorter 1 Stop the F Secure Policy Manager Web Reporting service 2 Change the maxi...

Page 196: ...that machine or F Secure Policy Manager Server service is not running Check all of these in this order A firewall may also prevent the connection Error message F Secure Policy Manager Web Reporting co...

Page 197: ...rting the Web Reporting service If Web Reporting cannot contact the database you should restart the Web Reporting service If this does not help you may wish to reinstall Web Reporting keeping the exis...

Page 198: ...the database is really broken you can also copy an empty database file on top of the broken one This is done as follows 1 Stop the F Secure Policy Manager Web Reporting service 2 Copy fspmwr fdb empt...

Page 199: ...199 11 F SECURE POLICY MANAGER PROXY Overview 200 Main Differences between Anti Virus Proxy and Policy Manager Proxy 200...

Page 200: ...cally from F Secure Policy Manager Proxy Workstations in the remote offices communicate also with the Policy Manager Server in the main office but this communication is restricted to remote policy man...

Page 201: ...Virus Proxy acts as a standalone server in the network and it can provide updates to hosts without a connection to an upstream server The only upstream server it can connect to is the F Secure Update...

Page 202: ...202 12 TROUBLESHOOTING Overview 203 F Secure Policy Manager Server and Console 203 F Secure Policy Manager Web Reporting 208 Policy Distribution 209...

Page 203: ...Server start A Runtime errors warnings and other information can be found in the file F Secure Management Server 5 logs error log If the Application Log in Event Viewer Administrative tools in NT 200...

Page 204: ...for Management Server 5 directory are automatically set correctly If the directory is copied by hand or for example restored from backup the access rights might be deleted In this case execute the st...

Page 205: ...ion selected This will recreate the F Secure Policy Manager Server account and reset all file access rights to the correct ones Q Why does F Secure Policy Manager Server use its own account to run ins...

Page 206: ...can also prevent the F Secure Policy Manager Server service from starting For more information on these please consult the Microsoft Windows Server documentation Q Why am I unable to connect to F Sec...

Page 207: ...here is a risk that F Secure Policy Manager Server could be under such a heavy network load that it does not have any free network connections available F Secure Policy Manager Console and all hosts a...

Page 208: ...licy Manager Web Reporting Q Where are the log files and configuration files located for F Secure Policy Manager Web Reporting A The log files are located in F Secure Management Server 5 Web Reporting...

Page 209: ...he choices on a sub domain or host too high or low values are specified as range restiriction boundaries or an empty choice list is specified When a domain includes hosts that have different product v...

Page 210: ...reate a sub domains for exceptions This is a good solution if you have only a few hosts with the older software versions installed Reason 2 You entered an integer value that is outside of the range re...

Page 211: ...211 A SNMP Support Overview 212 Installing F Secure Management Agent with SNMP Support 213 Configuring The SNMP Master Agent 214 Management Information Base 215...

Page 212: ...X SPX since the SNMP service uses Windows Sockets for network communication The master agent is an extensible SNMP agent which allows it to service additional MIBs The NT SNMP agent itself does not co...

Page 213: ...alling F Secure Management Agent with SNMP Support A 2 1 F Secure SNMP Management Extension Installation SNMP support for F Secure Management Agent is installed by installing Management Extensions f t...

Page 214: ...eceives a request for information that does not contain the correct community name and does not match an accepted host name for the Service the SNMP Service can send a trap to the trap destination ind...

Page 215: ...anized in a tree like structure and the sequence of numbers identifies the various branches of the subtree that a given object comes from The root of the tree is the ISO International Standards Organi...

Page 216: ...216 B Ilaunchr Error Codes Overview 217 Error Codes 218...

Page 217: ...example which you can insert into your login script Start Wait ILaunchr exe server share mysuite jar U if errorlevel 100 Go to Some_Setup_Error_occurred if errorlevel 5 Go to Some_Ilaunchr_Error_occur...

Page 218: ...et disk has insufficient free space for installation 8 File package ini was not found in JAR file 9 File package ini did not contain any work instructions 10 Wrong parameters in command line or ini fi...

Page 219: ...ted 110 Out of disk space 111 The destination drive is not local 120 The user has no administrative rights to the machine 130 Setup was unable to copy non packed files to the target directory 131 Setu...

Page 220: ...nt Setup plug in returned error 171 Plug in returned an unexpected code 172 Plug in returned a wrapper code 173 One of the previous install uninstall operations was not completed Reboot is required to...

Page 221: ...221 C FSII Remote Installation Error Codes Overview 222 Windows Error Codes 222 Error Messages 223...

Page 222: ...with Domain Administrator privileges With Domain Trusts make sure you have logged on to the F Secure Policy Manager Console using the account from the trusted domain 1069 Logon Failure In most cases t...

Page 223: ...nt canceled the installation or some conflicting software was found Installation aborted A Management Agent portion of Setup cancels the whole installation in the following situations 1 When it detect...

Page 224: ...ROR keyword from the fswssdbg log file located in the target Windows directory Q Newer F Secure product detected installation aborted A If the target host has a newer product version already installed...

Page 225: ...225 D Remote Installation Support for Windows 98 ME Enabling Remote Administration 226...

Page 226: ...rvices 1 From Control Panel Network click Add 2 In the Select Network Component Type dialog box double click Service 3 In the Select Network Service dialog box click Have Disk 4 In the Install From Di...

Page 227: ...7 user group names that are not compatible with the English version of Windows NT Server You must verify that the Administrators list contains the administrator group name in pure English Domain Admin...

Page 228: ...228 E NSC Notation for Netmasks Overview 229...

Page 229: ...re not contiguous The following table gives the number of bits for each permitted netmask The 0 0 0 0 is a special network definition reserved for the default route Network Address Netmask NSC Notatio...

Page 230: ...0 17 255 255 255 128 25 255 255 192 0 18 255 255 255 192 26 255 255 224 0 19 255 255 255 224 27 255 255 240 0 20 255 255 255 240 28 255 255 248 0 21 255 255 255 248 29 255 255 252 0 22 255 255 255 25...

Page 231: ...231 TECHNICAL SUPPORT Overview 232 Web Club 232 Advanced Technical Support 232 F Secure Technical Product Training 233...

Page 232: ...owser and your location To connect to the Web Club directly from your Web browser go to http www f secure com webclub Virus Descriptions on the Web F Secure Corporation maintains a comprehensive colle...

Page 233: ...imum effort F Secure Technical Product Training F Secure provides technical product training material and information for our distributors resellers and customers to succeed with F Secure security pro...

Page 234: ...parts At the end of each course there is a certification exam Contact your local F Secure office or F Secure Certified Training Partner to get information about the courses and schedules Contact Info...

Page 235: ...235 GLOSSARY...

Page 236: ...epresent a single character There are 8 bits in a byte Certificate See Public Key Client A program that is used to contact and obtain data from a Server program on another computer Corrupted Data that...

Page 237: ...s consisting of 4 numeric strings separated by dots This will change in IPv6 IPSec IETF The IP Security Protocol is designed to provide interoperable high quality cryptography based security for IPv4...

Page 238: ...building Sometimes using a simple network protocol Login noun The account name used to gain access to a computer system Mbit Megabit MD5 Message Digest number 5 a secure hash function published in RFC...

Page 239: ...y more than one party Public Key The part of the key in a public key system which is widely distributed and not kept secure This key is used for encryption not decryption or for verifying signatures A...

Page 240: ...nded by the file s creator to be interpreted as a sequence of one or more lines containing ASCII or Latin printable characters URL Uniform Resource Locator The standard way to give the address of any...

Page 241: ...er Communications The latest real time virus threat scenario news are available at the F Secure Antivirus Research Team weblog at http www f secure com weblog Services for Individuals and Businesses F...

Reviews: