manualshive.com logo in svg

Novell ZENWORKS ENDPOINT SECURITY MANAGEMENT 3.5, Installation Manual, Page: 61 / 76

Share
Download
Novell ZENWORKS ENDPOINT SECURITY MANAGEMENT 3.5 Installation Manual Download Page 61

Endpoint Security Client 3.5 Installation

61

no

vd

ocx 

(e

n)

  

17

 Sep

te

m

be

r 20

09

8.2.2  Distributing a Policy with the MSI Package

The default policy included at MSI installation can be replaced with an enterprise-configured policy. 
To push down a specific policy with the MSI image:

1

Create a policy to be distributed to all users through the Management Console (see the 

ZENworks Endpoint Security Management Administration Guide

 for details on Policy 

Creation).

2

Export the policy, then it as 

policy.sen

.

STRBR=ReallySuppress

No reboot after install completes.

Security enforcement and client self 
defense are not fully functional until 
after the first reboot.

STBGL=1

Strict white list enforcement on 
application control.

A policy MUST be created that 
identifies the application on the white 
list, and distributed with this policy.

STUPGRADE=1

Upgrade the Endpoint Security Client 
3.5.

Use when upgrading the Endpoint 
Security Client 3.5.

STUNINSTALL=1

Uninstall the Endpoint Security Client 
3.5.

Use when uninstalling the Endpoint 
Security Client 3.5. For detailed 
uninstall instructions, see 

Uninstalling the Endpoint Security 

Client 3.5

” in the 

ZENworks Endpoint 

Security Management Administration 
Guide

.

STUIP=password

Uninstall with password

Use when an uninstall password is 
active.

STNMS=”MS Name”

Change the Management Service 
name.

Changes the Management Service 
name for the Endpoint Security Client 
3.5.

POLICYTYPE=1

Change Endpoint Security Client 3.5 
to machine-based policies.

Use to change MSI-installed Endpoint 
Security Clients to accept machine-
based, rather than user-based 
policies.

POLICYTYPE=2

Change Endpoint Security Client 3.5 
to user-based policies.

Use to change MSI-installed Endpoint 
Security Clients to accept user-
based, rather than machine-based 
policies.

STVA=”Adapter name”

Add Virtual Adapter.

Use to activate policy control over a 
virtual adapter

/L*v c:\log.txt

Turn on logging.

Use to activate logging at installation. 
If not, this will have to be done 
through the Endpoint Security Client 
Diagnostics tools (see Administrator’s 
Manual).

Command Line Variable

Description

Notes

Summary of Contents for ZENWORKS ENDPOINT SECURITY MANAGEMENT 3.5

Page 1: ...vell www novell com novdocx en 17 September 2009 AUTHORIZED DOCUMENTATION ZENworks Endpoint Security Management Installation Guide ZENworks Endpoint Security Management 3 5 July 31 2009 Installation Guide ...

Page 2: ...rt or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws You agree to not use deliverables for prohibited nuclear missile or chemical biological weaponry end uses See the Novell International Trade Services Web page http www novell com info exports for more information on exporting Novell software Novell as...

Page 3: ...ell Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the property of their respective owners ...

Page 4: ...4 ZENworks Endpoint Security Management Installation Guide novdocx en 17 September 2009 ...

Page 5: ... 3 1 Installation Steps 20 3 2 Starting the Service 21 4 Performing a Multi Server Installation 23 5 Performing the Policy Distribution Service Installation 25 5 1 Installation Steps 26 5 1 1 Typical Installation 27 5 1 2 Custom Installation 29 5 2 Starting the Service 32 6 Performing the Management Service Installation 33 6 1 Installation Steps 34 6 1 1 Typical Installation 35 6 1 2 Custom Instal...

Page 6: ...1 Basic Endpoint Security Client 4 0 Installation 63 9 2 MSI Installation 66 9 2 1 Using the Master Installer 66 9 2 2 Using the Setup exe File 66 9 2 3 Completing the Installation 67 9 2 4 Command Line Variables 68 9 2 5 Distributing a Policy with the MSI Package 69 9 3 Running the Endpoint Security Client 4 0 70 9 4 Features Not Supported In the Endpoint Security Client 4 0 70 10 ZENworks Endpoi...

Page 7: ...ole Installation on page 45 Chapter 8 Endpoint Security Client 3 5 Installation on page 55 Chapter 9 Endpoint Security Client 4 0 Installation on page 63 Chapter 10 ZENworks Endpoint Security Management Unmanaged Installation on page 71 Audience This guide is written for the ZENworks Endpoint Security Management administrators Feedback We want to hear your comments and suggestions about this manua...

Page 8: ...8 ZENworks Endpoint Security Management Installation Guide novdocx en 17 September 2009 ...

Page 9: ...al of reporting data from the Endpoint Security Client The Policy Distribution Service can be deployed in the DMZ outside the enterprise firewall to ensure regular policy updates for mobile endpoints Management Service Responsible for user policy assignment and component authentication reporting data retrieval creation and dissemination of ZENworks Endpoint Security Management reports and security...

Page 10: ...erver and Windows Authentication mode authentication Microsoft Internet Information Services configured for SSL Directory Services eDirectoryTM or Active Directory NET framework 3 5 Item Requirement Software One of the following relational database management systems RDBMS SQL Server Standard SQL Server Enterprise Microsoft SQL Server 2000 SP4 SQL 2005 SQL Express SQL Server 2008 server authentica...

Page 11: ...nning This is the guide that you are currently reading ZENworks Endpoint Security Management Administration Guide This guide is written for the administrators who are required to manage the services create security policies for the enterprise generate and analyze reporting data and provide troubleshooting for users Instructions for completing these tasks are provided in this manual ZENworks Endpoi...

Page 12: ...12 ZENworks Endpoint Security Management Installation Guide novdocx en 17 September 2009 ...

Page 13: ...using enterprise SSL certificates you must also use the same username to create the SSL Root Security certificate 2 2 Installation Packages When installing from the DVD a master installer program launches that utilizes a simple user interface that guides the ZENworks Endpoint Security Management administrator through the installation process Load the installation DVD on each machine to access the ...

Page 14: ...ity Management There are a few questions the ZENworks Endpoint Security Management administrator needs to consider prior to beginning installation How will your users receive their ZENworks Endpoint Security Management security policies The options for policy distribution center around whether users should be able to receive a policy update anywhere including outside the central network or if they...

Page 15: ...5 but the configuration steps are the same for 2008 1 Make sure you have Microsoft SQL Server Management Studio Management Studio is included with the Standard and Enterprise editions If you are using the Express edition for an evaluation installation you can download Management Studio Express from the Microsoft Download Center http www microsoft com Downloads details aspx FamilyID c243a5ae 4bd1 4...

Page 16: ...Authentication mode 5 Click OK then exit Management Studio 6 Launch SQL Server Configuration Manager Start menu All Programs Microsoft SQL Server 2005 or 2008 Configuration Tools SQL Server Configuration Manager 7 Expand the SQL Server Network Configuration section select Protocols for MSSQLSERVER where MSSQLSERVER is your server then make sure that TCP IP is enabled as shown below ...

Page 17: ...oint Security Management 17 novdocx en 17 September 2009 8 Expand the SQL Native Client Configuration section select Client Protocols then make sure that TCP IP is enabled as shown below 9 Exit SQL Server Configuration Manager ...

Page 18: ...ficates Novell SSL Certificates are installed onto the servers when running the typical installation How will you deploy your Endpoint Security Clients The Endpoint Security Client software can be deployed either individually onto each endpoint or through an MSI push Instructions on creating an MSI package can be found in Chapter 8 2 MSI Installation on page 57 Do you want policies to be machine b...

Page 19: ...of the Microsoft Technet security webpage http www microsoft com technet security default mspx Additional access control recommendations are provided in the ZENworks Endpoint Security Management Administration Guide To protect access to only trusted machines the virtual directory and IIS can be set up to have ACLs Reference the articles below Granting and Denying Access to Computers http www micro...

Page 20: ...ween the ZENworks Endpoint Security Management server and the ZENworks Endpoint Security client on the endpoint If you are using your own SSL certificates ensure that the Web service certificate and root CA are loaded on the machine and that server name validated in the previous steps whether NETBIOS or FQDN matches the Issued to value for the certificate configured in IIS If you are using your ow...

Page 21: ...vices using the Configuration feature For more information see ZENworks Endpoint Security Management Administration Guide After this installation is complete the Management Console can be installed on this server If you want to install the Management Console on a separate machine copy the ZENworks Endpoint Security Management Setup Files folder to the designated Management Console machine to compl...

Page 22: ...22 ZENworks Endpoint Security Management Installation Guide novdocx en 17 September 2009 ...

Page 23: ...3 Performing a Single Server Installation on page 19 for a single server installation Multi Server installation should begin with the Policy Distribution Service installation on a secured server either outside or inside the corporate firewall For more information see Chapter 5 Performing the Policy Distribution Service Installation on page 25 After the Policy Distribution Service is installed the ...

Page 24: ...24 ZENworks Endpoint Security Management Installation Guide novdocx en 17 September 2009 ...

Page 25: ...ion of the Microsoft Technet security webpage http www microsoft com technet security default mspx Additional access control recommendations are provided in the ZENworks Endpoint Security Management Administration Guide To protect access to only trusted machines the virtual directory and IIS can be set up to have ACLs Reference the articles below Granting and Denying Access to Computers http www m...

Page 26: ...f you are using your own SSL certificates ensure that the Web service certificate is loaded on the machine and that server name validated in the previous steps whether NETBIOS or FQDN matches the Issued to value for the certificate configured in IIS If you are using your own SSL certificates validate the SSL from the MS server to the DS server open a Web browser on the Management Service and enter...

Page 27: ...om installation Figure 5 1 Select Typical or Custom Installation Both installation paths are presented below Section 5 1 1 Typical Installation on page 27 Section 5 1 2 Custom Installation on page 29 5 1 1 Typical Installation A typical installation places the Policy Distribution Service software files in the default directory Program Files Novell ESM Policy Distribution Service The SQL database n...

Page 28: ...the database administrator s name and password if the password is zero characters the installer warns of the potential security issue The username and password cannot be a domain user it must be a SQL user with SysAdmin rights Figure 5 2 Select SQL Server 3 Specify the password for the Policy Distribution Service agent This is the username and password the service uses to log in to its SQL databas...

Page 29: ...ver installation directory 7 The Policy Distribution Service is now installed click Finish to close the installation program to launch the performance monitor 5 1 2 Custom Installation A custom installation displays the defaults used in the typical installation and permits the administrator to specify or browse to a different directory to place the software files The administrator can select eithe...

Page 30: ...etwork Select the secured SQL database for the Policy Distribution Service and enter the database administrator s name and password if the password is zero characters the installer warns of the potential security issue The username and password cannot be a domain user it must be a SQL user with SysAdmin rights Figure 5 6 Select SQL Server 3 Set the database name default is entered as STDSDB ...

Page 31: ...e and password the service uses to log in to its SQL database Figure 5 7 Distribution Service SQL Password 5 Specify the Policy Distribution Service domain name This must be the fully qualified domain name if the server resides outside the corporate firewall Otherwise only the NETBIOS name for the server is required Figure 5 8 Enter Policy Distribution Service Domain Name ...

Page 32: ...e into the ESM Setup Files folder 10 Copy the entire ESM Setup Files directly onto the machine designated as the host for the Management Service either via a netshare or by saving the file to a disk or thumb drive and hand loading it into the server installation directory 11 The Policy Distribution Service is now installed click Finish to close the installation program to launch the performance mo...

Page 33: ...lt the appropriate section of the Microsoft Technet security webpage http www microsoft com technet security default mspx Additional access control recommendations are provided in the ZENworks Endpoint Security Management Administration Guide To protect access to only trusted machines the virtual directory and IIS can be set up to have ACLs Reference the articles below Granting and Denying Access ...

Page 34: ...CA is loaded on the machine and that server name validated in the previous steps whether NETBIOS or FQDN matches the Issued to value for the certificate configured in IIS If you are using your own certificates or you have already installed the Novell Self Signed Certificate you can validate SSL as well by trying the following URL from a machine that has the Endpoint Security Client installed https...

Page 35: ...Next 3 Select either a Typical or Custom installation Figure 6 1 Select Typical or Custom Both installation paths are presented below Section 6 1 1 Typical Installation on page 35 Section 6 1 2 Custom Installation on page 39 6 1 1 Typical Installation A typical installation places the Management Service software files in the default directory Program Files Novell ESM Management Service The SQL dat...

Page 36: ... Enter SQL password 2 Specify the name of the server to host the Management Service Figure 6 3 Enter MS Server Name 3 Novell SSL Certificates are created for the installation If you want to use your own SSL certificates perform a Custom Installation These certificates must be distributed to all users ...

Page 37: ... characters the installer warns of the potential security issue The username and password cannot be a domain user it must be a SQL user with SysAdmin rights Figure 6 4 Select MS SQL Database 5 Select the SQL database for the Reporting Service and specify the database administrator s password for that database If you plan to capture and store a large number of reports it is recommended that the Rep...

Page 38: ...Day Evaluation License to continue Figure 6 6 Browse for Novell License File 7 At the Copy Files screen click Next to begin the installation 8 The Management Service runs a communication check to both SQL databases and the Policy Distribution Service If communication cannot be verified the installer notifies you of the issue All boxes must be checked for installation to succeed Figure 6 7 Communic...

Page 39: ... during Policy Distribution installation Figure 6 8 Enter SQL password 2 Select the SSL Certificate type used for the Policy Distribution Service installation If you used your existing enterprise certificate authority click The Novell Distribution Service Used a certificate IIS was already configured with If the Distribution Service installer created a Novell certificate click The Novell Distribut...

Page 40: ...installer creates the certificates and the signing authority Regardless of the certificate type these certificates must be distributed to all users 5 When selecting Novell certificates select where the certificate can be saved for easy distribution default is the installation directory 6 The installer detects the available SQL databases on the machine and network Select the SQL database for the Ma...

Page 41: ... that database Figure 6 11 Select Reporting Service Database 9 Set the database name default is entered as STRSDB 10 If ZENworks Endpoint Security Management has already been purchased a separate license file is provided Copy the license file to this server and browse for it see the instructions page included with your License file for more details If you have not yet purchased a ZENworks Endpoint...

Page 42: ...ing Service database s data index and log files 14 The Management Service run sa communication check to both SQL databases and the Policy Distribution Service If communication cannot be verified the installer notifies you of the issue All boxes must be checked for installation to succeed Figure 6 13 Communication Verification 15 The Management Service is now installed click Close to close the comm...

Page 43: ... on the Management Service see the ZENworks Endpoint Security Management Administration Guide Novell recommends installing the Management Console on this server If you are installing the Management Console on a separate machine copy the ESM Setup Files directory either via a netshare or by saving the file to a disk or thumb drive to the machine to host the Management Console Continue with Chapter ...

Page 44: ...44 ZENworks Endpoint Security Management Installation Guide novdocx en 17 September 2009 ...

Page 45: ...ollowing requirements Windows XP SP1 Windows XP SP2 or Windows 2000 SP4 A 1 0 GHz processor is recommended with a minimum of 256 MB of RAM and 100 MB of disk space available Copy the ESM Setup Files folder that contains the SSL Root Certificates for the Policy Distribution Service and the Management Service along with the STInstParam id file onto the PC If you are installing the Management Console...

Page 46: ...e STInstParam id file and uses the default directory Program Files Novell ESM Management Console No additional selections need to be made for Management Console installation providing the ESM Setup Files directory is on the machine 7 1 2 Custom Installation A custom installation displays the STInstParam id defaults used in the typical installation and permits the administrator to change that infor...

Page 47: ...cx en 17 September 2009 Figure 7 2 Enter Distribution Service Host Name 2 Specify the Management Service hostname 3 Specify the Management Service SQL database hostname 4 Specify the Management Service SQL database name Figure 7 3 Enter MS SQL database name ...

Page 48: ...ory service configuration that defines the scope of your Endpoint Security Client installations The new configuration uses your existing directory service to define the logical boundary for your user based and computer based client installations The wizard guides you through the process of selecting the directory service and the contexts where current and future client accounts reside The wizard a...

Page 49: ...Security Management Management Console 7 2 1 Adding eDirectory Services The following steps provide information for using Novell eDirectory as the directory service For information about using Microsoft Active Directory see Configuring the Directory Service in the ZENworks Endpoint Security Management Administration Guide 1 Click the Options button on the login screen to display the Configuration ...

Page 50: ...service to the database 10 Click OK or Cancel to exit the Configuration window and return to the login screen 7 2 2 Configuring the Management Console s Permissions Settings Permissions is found on the Tools menu of the Management Console and is accessible only by the primary administrator for the Management Service and any other users who have been granted permissions access by that administrator...

Page 51: ...hange permissions settings for other users that have already been defined or grant permissions to new users Create Policies The user can create new policies in the Management Console Delete Policies The user can delete any policy in the Management Console NOTE For security purposes only the resource user or very few administrators should be granted the Change Permission and Delete Policies permiss...

Page 52: ...eys to select multiple users 2c When all users and groups have been selected click OK button to add the users and groups to the grid on the Permissions form 3 Assign permissions to the available users and groups To remove a selected user or group select the name then click Remove Configuring Publish To Settings Users and groups who have Publish Policy checked must be assigned users or groups to pu...

Page 53: ...om the list Use the Ctrl and Shift keys to select multiple users 3c When all users groups have been selected click the OK button Figure 7 11 Publish To List To remove a selected user or group select the name in the list then click Remove The permission sets are immediately implemented so the administrator only needs to click Close and accept the changes to return to the editor When a new directory...

Page 54: ...ublishing field with all current groups and users 5 Click Publish to send the policy to the Policy Distribution Service The policy generated in this manner has the following characteristics A single location Unknown is created CD DVD ROM drives are allowed Removable storage devices are allowed All communications ports including Wi Fi are permitted The Firewall Setting All Adaptive all outbound tra...

Page 55: ... specified network location with the required user inputs pre configured This allows individual users to install the software with the pre defined server values 8 1 Basic Endpoint Security Client 3 5 Installation This procedure install the Endpoint Security Client 3 5 on the current machine only Verify that all security patches for Microsoft and anti virus software are installed and up to date Ins...

Page 56: ...ibution Service for managed clients or retrieved locally for an unmanaged configuration see Chapter 10 ZENworks Endpoint Security Management Unmanaged Installation on page 71 for unmanaged details Figure 8 2 Management Settings 5 Specify the Management Service information 6 Select whether policies should be received for users or for the machine machine based policies ...

Page 57: ...ed by a system administrator to publish the installation to a group of users via an Active Directory policy or through other software distribution methods To create the MSI package If you are installing from the CD or ISO master installer and if you re not planning to run any command line variables see Section 8 2 1 Command line Variables on page 60 1 Insert the CD and wait for the master installe...

Page 58: ...formation FQDN or NETBIOS name depending upon how it was entered during Management Service installation Select if policies will be user based or machine based policies 5 Optional Specify an e ail address in the provided field to notify you if installation fails 6 Specify the network location where the MSI image is created or browse to that location by clicking the Change button Figure 8 4 Select N...

Page 59: ...o set the MSI package to be pushed down to user groups like a Group Policy 1 Open Administrative Tools Active Directory Users and Computers and open either Root Domain or OU Properties Figure 8 6 Open Properties in either Root Domain or OU 2 Click the Group Policy tab then click Edit 3 Add the MSI Package to Computer Configuration ...

Page 60: ...stateful STBGL 1 creates an MSI package where the Endpoint Security Client 3 5 will boot in All Stateful with strict white listing enforced NOTE Booting in stateful can cause some interoperability issues DHCP address delays Novell network interop issues and so forth The following command line variables are available Table 8 1 Command Line Variables Command Line Variable Description Notes STDRV sta...

Page 61: ... Uninstall the Endpoint Security Client 3 5 Use when uninstalling the Endpoint Security Client 3 5 For detailed uninstall instructions see Uninstalling the Endpoint Security Client 3 5 in the ZENworks Endpoint Security Management Administration Guide STUIP password Uninstall with password Use when an uninstall password is active STNMS MS Name Change the Management Service name Changes the Manageme...

Page 62: ...he default policy sen and setup sen files 8 2 3 User Installation of the Endpoint Security Client 3 5 from MSI When the user re authenticates to the domain through a reboot of the machine the MSI installation package runs prior to logging in After the MSI installation completes the machine reboots and the user is permitted to log in to the machine The Endpoint Security Client 3 5 is installed and ...

Page 63: ...ty Client 4 0 Installation This procedure installs the ZENworks Endpoint Security Client 4 0 on the current machine only Before You Begin Verify that all security patches for Microsoft and anti virus software are installed and up to date The Endpoint Security Client 4 0 software can be installed on Windows Vista running Support Pack 1 Novell recommends that antivirus spyware software that is inter...

Page 64: ...e Spanish Traditional 3 Endpoint Security Client 4 0 requires that you have Microsoft Web Services Enhancements WSE 2 0 with Service Pack 3 and Microsoft Visual C 2008 installed on your computer prior to installing the client If the installation process does not detect these components you see this screen Click Install to install these requirements 4 If you haven t already done so turn off anti vi...

Page 65: ...rd then click Next 8 Select a policy type either a User Based Policy where each user has an individual policy or a Computer Based Policy where one policy is used for all users Click Next NOTE Select User Based Policy if your network uses eDirectory as its Directory Service eDirectory does not support computer based policies ...

Page 66: ...s that are not available for the 4 0 Client for Vista see Section 9 4 Features Not Supported In the Endpoint Security Client 4 0 on page 70 9 2 MSI Installation This procedure creates an MSI package for the Endpoint Security Client 4 0 This package is used by a system administrator to publish the installation to a group of users via an Active Directory policy or through other software distribution...

Page 67: ...all password through the MSI properties see Table 9 1 on page 68 3 Select a policy type either a User Based Policy where each user has an individual policy or a Computer Based Policy where one policy is used for all users Click Next NOTE Select User Based Policy if your network uses eDirectory as its Directory Service eDirectory does not support computer based policies 4 Select how policies are to...

Page 68: ...this time 9 2 4 Command Line Variables Command Line variable options are available for an MSI installation These variables must be set in the executable shortcut that is set to run in administrator mode To use a variable the following command line must be entered in the MSI shortcut setup exe a V variables Enter any of the commands below between the quotation marks Separate multiple variables with...

Page 69: ...urity Client 4 0 Upgrades the Endpoint Security Client 4 0 STUNINSTALL 1 Uninstall the Endpoint Security Client 4 0 Uninstalls the Endpoint Security Client 4 0 For detailed uninstall instructions see Uninstalling the Endpoint Security Client 3 5 in the ZENworks Endpoint Security Management Administration Guide STUIP password Uninstall with password Use this variable when an uninstall password is a...

Page 70: ...m better understand the operation of their new endpoint security software 9 4 Features Not Supported In the Endpoint Security Client 4 0 The features that are not supported or are partially supported with Endpoint Security Client 4 0 include Client Self Defense Modem support Scripting Manually changing firewalls in a location Having multiple firewalls visible in a location Only the default firewal...

Page 71: ...tions on Chapter 8 Endpoint Security Client 3 5 Installation on page 55 and select the Not Connected to ZENworks Endpoint Security Management Servers policies received as files option The installation bypasses the questions regarding the names of the servers and installs the Endpoint Security Client onto this machine an MSI package can also be created for an Unmanaged Endpoint Security Client Figu...

Page 72: ...nsole for more information see the ZENworks Endpoint Security Management Administration Guide 3 Use the Export command to export the policy to the same folder containing the setup sen file All policies distributed must be named policy sen for the Endpoint Security Client to accept them 4 Distribute the policy sen and setup sen files These files must be copied to the Program Files Novell ZENworks S...

Page 73: ...ce on the same machine see Chapter 3 Performing a Single Server Installation on page 19 for instructions If you are installing them on separate machines see Chapter 4 Performing a Multi Server Installation on page 23 For Management Console installation instructions see Chapter 7 Performing the Management Console Installation on page 45 5 Import the policies using the Management Console For instruc...

Page 74: ...74 ZENworks Endpoint Security Management Installation Guide novdocx en 17 September 2009 ...

Page 75: ...y 5 2009 on page 75 A 1 July 31 2009 Updates were made to the following sections A 2 January 5 2009 Updates were made to the following sections Location Update Chapter 11 Upgrading on page 73 Added this section explaining the process for upgrading from one release to another Location Update All sections The name of the client was changed throughout the guide Formally it is now called Novell ZENwor...

Page 76: ...76 ZENworks Endpoint Security Management Installation Guide novdocx en 17 September 2009 ...

Reviews:

No comments