
Installation Guide

Installing, Configuring, and Maintaining Integrity Advanced Server

1-0276-0650-2006-04-07

Summary of Contents for Integrity

Page 1: ...Installation Guide Installing Configuring and Maintaining Integrity Advanced Server 1 0276 0650 2006 04 07 ...

Page 2: ...arter Security SmartDashboard SmartDefense SmartLSM SmartMap SmartUpdate SmartView SmartView Monitor SmartView Reporter SmartView Status SmartViewTracker SofaWare SSL Network Extender TrueVector UAM User to Address Mapping UserAuthority VPN 1 VPN 1 Accelerator Card VPN 1 Edge VPN 1 Pro VPN 1 SecureClient VPN 1 SecuRemote VPN 1 SecureServer VPN 1 VSX Web Intelligence ZoneAlarm Zone Alarm Pro Zone L...

Page 3: ...ver 8 Performing a New Integrity Advanced Server Installation 8 Configuring the databases and gathering information 9 Synchronizing Clocks 12 Running the Installer 13 Installation Information 14 Installation types 14 Server Type 14 Server Properties 15 Domain Options 15 Clustering Options 15 Clustering Information 15 Database Information 16 Setting Client Languages 17 Completing the installation 1...

Page 4: ...ter 5 Setting Up System Event Logs 31 Understanding events and logging 32 Recommended event logs 33 Using SNMP with Integrity 36 General Information 36 Trap Formats 36 Managing events 37 Creating and editing events 37 Deleting event 37 Sending Logs to the SmartCenter Server 38 Configuring SmartDashboard 38 Configuring Integrity Advanced Server 39 Creating a Custom Query 39 Chapter 6 Testing Integr...

Page 5: ...ed Server Installation Guide v Chapter 7 Maintaining Integrity Advanced Server 48 Monitor your database tablespace 48 Update your database statistics 48 Optimize query performance 48 Monitor your disk space 48 Index 50 ...

Page 6: ...n Guide 1 Chapter 1 Integrity Advanced Server Overview This chapter describes Integrity Advanced Server components and communications Integrity Advanced Server system components on page 2 Integrity Advanced Server communications on page 4 ...

Page 7: ...tion about Integrity Advanced Server system requirements see the Integrity Advanced Server System Requirements Document on the Check Point Web site Single host deployments Figure 1 1 shows the Integrity Advanced Server system installed on a single host and configured with the additional components required to operate the system The Integrity Advanced Server system components are 1 Integrity Advanc...

Page 8: ...l An internal or external server that ensures all Integrity Advanced Server hosts have the same time and date These components are not supplied as part of the Integrity Advanced Server distribution and must be obtained from a third party You may use a RADIUS server or use the Integrity Advanced Server s Administrator Authentication feature for authentication Use the instructions in Chapter 2 Insta...

Page 9: ...ocket off loading functionality see page 4 This service and proxy configuration enables Integrity Advanced Server to be set up in a highly scalable and fault tolerant clustered environment Integrity Advanced Server services and ports The diagram below represents the services that make up Integrity Advanced Server and shows which ports the services use The services are divided into two types Client...

Page 10: ...Integrity Advanced Server Installation Guide 5 Figure 1 3 Integrity Advanced Server services and ports ...

Page 11: ...ent policy and configuration It can also end a previously synchronized session with the endpoint Also sends heartbeats to communicate policy or state changes Policy download service enable poli cy policy Policy download service Log upload service enable logU pload logupload Provides the mechanism endpoint computers use to upload client log files Program permission service enable logU pload ask Pro...

Page 12: ... on page 14 Configuring the RADIUS Server on page 18 Configuring Integrity Advanced Server Cluster Load Balancer on page 20 Using Integrity with a proxy server on page 22 Updating the logo on page 23 Clustering Integrity Advanced Servers When deploying a cluster of Integrity Advanced Servers you should first configure and test a single Integrity Advanced Server After you confirm that the single se...

Page 13: ...later versions select the Upgrade option in the installer You will later be prompted to choose a location Specify the current location of your Integrity installation Migrating To change to a higher version from an Integrity Advanced Server 5 x installation you must install the new Integrity Advanced Server and migrate your data See Chapter 4 Migrating Data for more information You can only migrate...

Page 14: ...bout maintaining your database see Chapter 7 Maintaining Integrity Advanced Server Database Version JDBC version IBM DB2 ES 3 1 8 1 7 Bundled with the DB2 installation Oracle 9 2 0 4 0 ojdbc14 zip download from Oracle SQL Server 2000 SP3a SQL Server Driver for JDBC SP3 download from Microsoft JDataStore Embedded 7 2 Bundled with JDataStore If you are using a single server instead of a clustered sy...

Page 15: ...name 3 Record your database port for connections with the Integrity Advanced Server 4 Create a user with the name iss_main with a matching schema name 5 Assign the user the CONNECT and RESOURCE roles and grant the following system privileges QUERY REWRITE ALTER ANY PROCEDURE CREATE ANY PROCEDURE DROP ANY PROCEDURE EXECUTE ANY PROCEDURE UNLIMITED TABLESPACE 6 In the Enterprise Manager Console in Ne...

Page 16: ...correctly your SQL Server security must be set up to handle both SQL authentication and Windows authentication Mixed Mode The JDBC drivers use a SQL authenticated user and password and will not be able to connect if SQL Server is configured for Windows security authentication only 7 Set the recovery model to simple By default SQL Server Enterprise uses FULL recovery mode This means that all transa...

Page 17: ...ord the database username and password for Integrity Advanced Server Synchronizing Clocks It is recommended that you synchronize the clocks on the Integrity Advanced Server with those on your database If you are using clustering you must synchronize all nodes on the cluster To synchronize clocks in Linux 1 Use the ntpdate command to synchronize with public network time protocol NTP servers every 1...

Page 18: ...d Server Installer for Linux To run the Integrity Advanced Server Installer for Linux 1 Log in as root root localhost 2 Change the permissions on the ISSetup_X_X_XXX_X bin file root localhost usr local chmod x ISSetup_X_X_XXX_X bin 3 Run the ISSetup_X_X_XXX_X bin The Integrity Advanced Server Installer for Linux starts 4 Follow the instructions in the wizard entering the information for your insta...

Page 19: ...ntegrity Advanced Server for joining with an existing cluster Server Type There are two server types Integrity Advanced Server Choose this option if you want clustering Integrity Advanced Server can function as either a single or multiple domain installation Integrity Server Choose this option for a single domain installation without clustering engine webapps ROOT The location of the Integrity Web...

Page 20: ... Advanced Server installations can have multiple data segments for different administrators user directories and policies You can use this feature to create virtual grouping for users to reflect company branches sub organizations etc Each domain can have its own security policies and system administrators can assign local administrators to each domain Clustering Options Enable Clustering Choose th...

Page 21: ...atabase Password Enter the password you use to access the database Obtaining the driver files Obtain the necessary driver files for your database type Obtaining the IBM DB2 driver files You can obtain the IBM DB2 driver files from your DB2 host computer To obtain the IBM DB2 drivers 1 Go to your DB2 host computer 2 Copy the db2jcc jar and db2jcc_license_cu jar files to any location on the computer...

Page 22: ...e stored by default in C program files microsoft sql server 2000 driver for jdbc lib Setting Client Languages During installation you can choose which languages other than English are available for Integrity communications with the endpoint user such as client package messages custom alerts and remediation or sandbox pages The administrator will be able to use any of the selected languages for suc...

Page 23: ...cret Create an Integrity Advanced Server account called masteradmin on the RADIUS server If you are migrating data from a 5 x version of Integrity Advanced Server you should log into the Administrator console and complete the migration before making changes to the configuration file To configure the RADIUS server Perform the following steps to configure the RADIUS server Configuration consists of ...

Page 24: ... editor 6 In the AdminConsole node remove the comment tags from the first RADIUS JAAS node and remove the JAAS node for inbuilt authentication of admin users 7 Save your changes and close the file Make sure your XML is well formed Configuring the properties file To configure the properties file 1 Go to CheckPoint Integrity engine webapps ROOT install templates 2 Create a backup of install upgrade p...

Page 25: ...he other Integrity Advanced Servers 2 Restart the Integrity Advanced Servers Configuring Integrity Advanced Server Cluster Load Balancer This section explains the minimum set up requirements for the cluster load balancer The load balancer routes the traffic to two or more Integrity Advanced Server nodes To configure load balancing 1 Set up the virtual server See Setting up the virtual server on pa...

Page 26: ... using the following state information reported in the system status file Compare the file contents to the following messages and set up routing accordingly When the returned text is System status OK It indicates that the node is functioning properly Point traffic to the node System status Error It indicates that the node is not functioning properly Do not point traffic to the node The administrat...

Page 27: ...ion on Program Advisor see Chapter 9 Program Advisor in the Integrity Advanced Server Administrator Guide For information on Anti Spyware see Chapter 11 Policies Protecting Against Spyware in the Integrity Advanced Server Administrator Guide Configuration steps are provided for the following operating systems Windows on page 22 Linux on page 22 Windows To configure a proxy server 1 Open the Re...

Page 28: ...e JAVA_OPTS environment variable is already set 1 Use the appropriate setenv call to reset the value of JAVA_OPTS to Xms256M Xmx512M Djava awt headless true DproxyHost true Dhttp proxyHost hostname Dhttp proxyPort port Dhttps proxyHost hostname Dhttps proxyPort port Updating the logo If you want the Integrity Advanced Server user interface to display your company s logo you must specify the image ...

Page 29: ...tructions are found in this chapter Managing a Windows Setup on page 25 Stopping starting and resetting the services on page 25 Managing a Linux Setup on page 26 Starting stopping and restarting the Integrity Advanced Server on page 26 Starting stopping and restarting the Apache server on page 26 In order for the Integrity Advanced Server to operate the database host and Integrity Advanced Server ...

Page 30: ...starting and resetting the services Use the Control Panel to start stop or reset the Integrity Advanced Server Apache or Tomcat services To stop start or reset the services 1 Go to Control Panel Administrative Tools Services 2 Right click on the service and choose the option you want ...

Page 31: ...Start etc init d integrityd start Stop etc init d integrityd stop Restart etc init d integrityd restart The Integrity Advanced Server starts stops or restarts Starting stopping and restarting the Apache server This section explains how to start stop or restart the Apache httpd server only To start stop or restart the Apache httpd server only 1 Log in to the Integrity Advanced Server host as root r...

Page 32: ...cessful limited deployment you can deploy to your entire enterprise and shut down the old Integrity Advanced Server Understanding Data Migration Data migration allows you to move some of your data from a previous installation of Integrity Server to your new installation Any data that you did not create settings for will be set to the default values Migrated data The following data is migrated Poli...

Page 33: ...l rules Outbound MailSafe Settings Heartbeat and log transfer settings Gateway MAC addresses Sources and destinations in firewall rules Any data not explicitly mentioned above as being imported Migrating your Data To migrate your data perform the usual installation steps selecting the appropriate migration options in the installer and completing the migration pages in the Integrity Server Administ...

Page 34: ...ting your options as appropriate Be sure to select the Import data from existing Integrity System option For more information about running the installer see Installing and Configuring the Integrity Advanced Server on page 7 4 Click Done Completing the Migration Pages To complete the migration pages 1 Log into the Integrity Server Administrator Console with the default login name and password sett...

Page 35: ...tegrity Advanced Server Administrator Console 3 Create client packages 4 Set Program Advisor license if applicable 5 Create and import catalogs into the new system 6 Set policy assignments for the pilot users 7 Deploy packages to the pilot group of users The package should migrate the users to the new Integrity client Use the pilot period to test your policy settings and Program Advisor if applica...

Page 36: ...p System Event Logs This chapter explains how to set up system event logging and provides recommended messaging and logs This chapter covers the following topics Understanding events and logging on page 32 Using SNMP with Integrity on page 36 Managing events on page 37 ...

Page 37: ...rity Advanced Server or any other accessible server Messages are appended as the events occur SMTP Sends an event message to an SMTP destination such as e mail or a pager Messages are sent as the events occur SNMP trap Sends an event message to a SNMP Manager Messages are sent as the events occur Syslog Records events in a syslog file on Integrity Advanced Server or a system log server Messages ar...

Page 38: ...e pagers Use the following settings to send Fatal event messages via SMTP To use this feature you must be running an SMTP server through which Integrity can send messages Field Setting Description Name Fatal Events Identifies the event to Integrity administrators Description E mail fatal event messages Describes the event type to Integrity administrators Type SMTP Formats the event message in the ...

Page 39: ... assigned to the affected area and another to a broader group who would be affected by a complete failure Field Setting Description Name Log Upload System Identifies the event to Integrity administrators Description Critical messages from e mail reporting system Describes the event type to Integrity administrators Type SMTP Formats the event message in the body of an e mail Log Levels Warn and Error...

Page 40: ... Integrity Advanced Server cluster append events to the same remote SYSLOG server when the syslog is stored somewhere other than an Integrity Advanced Server node If you choose to create a local syslog each node creates a log and records only events which happen on that host Field Setting Description Name System Log Identifies the event to Integrity administrators Description System status events Des...

Page 41: ...de a header and a message All traps have a common header as they are all generated by Integrity Advanced Server Here is an example trap showing administrator login public 1 3 6 1 4 2620 enterprise 2734006 127 0 0 1 6 1234567 Ver1 1 3 6 1 4 1 2620 1 27 160 2005 08 23 14 47 12 719 INFO logInfoQueue HQs 1 root AdminLogin Administrator Login ADMIN masteradmin SESSION_IP 209 87 212 91 The trap header b...

Page 42: ...then click Next A second Edit Event Destination page appears 4 Change the location or other details and then click Save The event is updated and the changes take effect immediately on the local host Other nodes in the cluster implement the changes the next time the administration services are replicated to the node Deleting event Deleting an event from Integrity Advanced Server completely removes ...

Page 43: ...d Server for testing Use the tests in this chapter to verify that Integrity Advanced Server can detect a client session Integrity Flex receives communications from the Integrity Advanced Server and updates its enterprise policy To test the Integrity Advanced Server 1 Set up the test environment See Setting up the Integrity Advanced Server test on page 41 2 Perform the test See Performing the Integ...

Page 44: ...preconfigured with one administrator account masteradmin The masteradmin account has the highest level of permissions Use this Administrator ID with the password you configured in the RADIUS server to log in for the first time To log on for the first time 1 Open a browser enter the Administrator Console URL http integrityserverip The Administrator Console login page appears For detailed instructio...

Page 45: ... only applies to administrators with self signed certificates that are using Internet Explorer To install the security certificate 1 Select View Certificate The Certificate window appears 2 Select Install Certificate The Certificate Import Wizard appears 3 Click Next The Certificate Store window appears 4 Select Automatically select the certificate store then click Next The wizard complete panel a...

Page 46: ...Server deploys and enforces policies based on the authentication data Create a user catalog named test catalog For information about how to create a new user catalog see the Integrity Advanced Server Administrator Guide Setting up the endpoint computer Use the client packager to deploy the Integrity Flex to an endpoint computer For information about using the client packager see the Integrity Serv...

Page 47: ...y Server session See Verifying the Integrity Advanced Server session on the Integrity client on page 47 Create deploy and assign a new policy to the client Assign a new policy to the client and verify that the client receives it To create deploy and assign a new policy to the Integrity client 1 Create and deploy a new policy See Creating and deploying a new policy Test1 on page 45 2 Assign the pol...

Page 48: ... Policies The Policy Manager page appears 4 Click New and select From Template The Create New Policy page appears 5 Select the Observation policy template and type Test1 in the Policy name text box 6 Click Create The Policy Settings page appears 7 Click Save This saves the policy with the preconfigured settings only 8 Enter version comments click Save and Deploy 9 Click Yes to confirm deployment T...

Page 49: ...dministration Console and select the domain 2 Go to Entities The Entity Manager page appears 3 Select the catalog called test catalog and click Assign Policy The Assign Policies page appears 4 In the Policy dropdown list select Test1 5 Click Assign The Confirm Policy Assignment page appears 6 Click Assign The Assign Policy page appears with the Deployed Policy of the catalog as Test1 ...

Page 50: ...nt s policy 1 On the endpoint computer right click the Integrity Flex icon in the system tray The Control Window opens with the Test1 policy listed 2 Go to the Policy tab The Policy panel appears with the Test1 policy active The Test1 policy was downloaded and is now being used by the Integrity Flex client By default Integrity Flex displays an Alert when it downloads a new policy Integrity Agent d...

Page 51: ...ring over a long time span You should periodically run commands to optimize your query performance Optimizing query performance for DB2 Run the DB2 RUNSTATS command on the reporting tables and indexes on a regular basis In some circumstances queries may time out and errors will appear in the logs If this occurs increase the amount of time for TCP IP timeouts to keep connections alive longer Optimi...

Page 52: ...Integrity Advanced Server Installation Guide 49 remove old logs as needed Monitor the integrity logs directory on the Integrity Advanced Server ...

Page 53: ... I Integrity Advanced Server clustered system deployment 3 installing 7 18 load balancer configuring 20 services and ports 4 single host deployment 2 starting and stopping 24 26 system components 2 verifying status of 21 Integrity clients 2 Integrity services described 6 L load balancer configuring 20 P Program permission 6 R RADIUS server in single host deployments 2 Root Certificate Store confir...
