Juniper NETWORK AND SECURITY MANAGER 2010.4 - REV1 Скачать руководство пользователя страница 107

Страница: 107 / 244

Establishing an SSH Trust Relationship

You also need to ensure that you have established an SSH trust relationship between
the primary and secondary servers.

The instructions for Linux are as follows:

Run the following commands on the primary server:

cd /home/nsm
su nsm
ssh-keygen -t rsa
chmod 0700 .ssh

NOTE:

If prompted to enter a pass phrase, leave the value blank.

The result of the process is the creation of a hidden directory called

.ssh

under

/home/nsm

which contains two text files (public and private key).

Run the following commands on the secondary server:

cd /home/nsm
su nsm
ssh-keygen -t rsa
chmod 0700 .ssh

NOTE:

If prompted to enter a passphrase, leave the value blank.

From the primary server, you then need to copy the public key called

.ssh/id_rsa.pub

to the secondary server manually and place it in

.ssh/authorized_keys

. For example,

you would run the following command:

scp .ssh/id_rsa.pub root@<IP addr NSM2>:/root/.ssh/authorized_keys

From the secondary server, you then need to copy

.ssh/id_rsa.pub

to the

.ssh/authorized_keys

of the primary machine. For example:

scp .ssh/id_rsa.pub root@<IP addr NSM1>:/root/.ssh/authorized_keys

NOTE:

If the remote machine already has established trust relationships

with other computers, overwriting the

authorized_keys

file will break those

trust relationships. Instead, copy the contents of the

id_rsa.pub

file onto

a new line at the end of the

authorized_keys

file on the remote machine.

You should test connectivity via SSH from the primary server to the secondary server
and vice versa. For example, to test SSH connectivity from NSM Server1 to NSM
Server2, type the following command:

ssh root@<IP ADDRESS of Secondary Server>

Chapter 5: Installing NSM with High Availability

Содержание NETWORK AND SECURITY MANAGER 2010.4 - REV1

Страница 2: ...are copyright 1991 D L S Associates This product includes software developed by Maker Communications Inc copyright 1996 1997 Maker Communications Inc Juniper Networks Junos Steel Belted Radius NetScre...

Страница 3: ...re physically contained on a single chassis c Product purchase documents paper or electronic user documentation and or the particular licenses purchased by Customer may specify limits to Customer s us...

Страница 4: ...ATE WITHOUT ERROR OR INTERRUPTION OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK In no event shall Juniper s or its suppliers or licensors liability to Customer whether in contract tort inclu...

Страница 5: ...ree years from the date of distribution Such request can be made in writing to Juniper Networks Inc 1194 N Mathilda Ave Sunnyvale CA 94089 ATTN General Counsel You may obtain a copy of the GPL at http...

Страница 7: ...vailability Configuration 9 Extended High Availability Configuration 9 Other Configuration Options 9 Local Remote Database Backup 10 NetScreen Statistical Report Server Interoperability 10 Device Serv...

Страница 8: ...ce in Demo Mode 47 Next Steps 47 Chapter 4 Installing NSM in a Distributed Configuration 49 Suggested Distributed Configuration Installation Order 49 Defining System Parameters 50 Prerequisites 53 Ins...

Страница 9: ...nstalling NSM in a Simple HA Configuration 95 Primary GUI Server and Device Server Installation 96 Secondary GUI Server and Device Server Installation Script 101 Installing the User Interface 107 Conf...

Страница 10: ...entral Manager Appliance Offline Mode 162 Migrating Data to an NSM Regional Server Appliance 165 Data Migration from a Solaris Server to an NSM Regional Server Appliance 165 On the Solaris server 165...

Страница 11: ...187 Downgrade Procedures 188 Removing the Management System 188 Uninstalling the User Interface 190 Part 2 Appendixes Appendix A Technical Overview of the NSM Architecture 193 About the Management Sy...

Страница 12: ...ns 209 Performance Tuning Recommendations 209 Recommendations for Low End Configurations 209 Medium Size Configuration 3 to 8 IDP Profiling Devices 210 High End Configuration 9 to 20 IDP Profiling Dev...

Страница 13: ...g the NSM Installation 46 Chapter 5 Installing NSM with High Availability 71 Figure 6 Simple HA Management System Configuration 72 Figure 7 HA Configuration Example 96 Figure 8 Configuring the HA GUI...

Страница 15: ...meters 22 Chapter 4 Installing NSM in a Distributed Configuration 49 Table 11 Distributed Configuration System Parameters 50 Chapter 5 Installing NSM with High Availability 71 Table 12 HA Utilities 77...

Страница 16: ...e 30 Storage Requirements for Device Server Managing Firewall VPN Devices 206 Table 31 Storage Requirements for Device Server Managing IDP w Profiler Devices 206 Table 32 CPU Requirements for Device S...

Страница 17: ...uide is intended primarily for IT administrators who are responsible for installing upgrading and maintaining NSM Conventions The sample screens used throughout this guide are representations of the s...

Страница 18: ...s Bold typeface like this user input Represents text that the user must type Bold typeface like this host1 show ip ospf Routing Process OSPF 2 with Router ID 5 5 0 250 Router is an area Border Router...

Страница 19: ...s intended for IT administrators responsible for the installation or upgrade of NSM Network and Security Manager Installation Guide Describes how to use and configure key management features in the NS...

Страница 20: ...e Access Devices Guide Provides details about configuring the device features for all supported EX Series platforms Network and Security Manager Configuring EX Series Switches Guide Provides details a...

Страница 21: ...hnical bulletins for relevant hardware and software notifications https www juniper net alerts Join and participate in the Juniper Networks Community Forum http www juniper net company communities Ope...

Страница 23: ...alling NSM in a Standalone Configuration on page 21 Installing NSM in a Distributed Configuration on page 49 Installing NSM with High Availability on page 71 Upgrading to NSM 2010 4 from an Earlier Ve...

Страница 25: ...s on page 9 Next Steps on page 11 Installation Process Overview NSM is software that enables you to integrate and centralize management of your Juniper Networks environment You need to install two mai...

Страница 26: ...aunches an InstallAnywhere wizard that you can run on any Windows or Linux based computer that meets minimum system requirements See Table 8 on page 7 for more information on the minimum required hard...

Страница 27: ...nagement System Table 6 on page 5 describes the minimum requirements that must be met for the GUI Server and Device Server on the same server Table6 MinimumSystemRequirements ManagementSystemonSame Se...

Страница 28: ...running the same operating system version For example you cannot run the GUI Server on a server running Linux and the Device Server on a server running Solaris Operating System Only Sun Microsystems...

Страница 29: ...s a minimum of 4 GB RAM 384 Kbps DSL or LAN connection minimum bandwidth required to connect to the NSM management system Hardware Choosing Standalone Distributed or High Availability Configurations T...

Страница 30: ...to scale to small medium and large enterprises as well as service provider deployments There are four main options for configuring NSM Standalone Configuration on page 8 Distributed Configuration on p...

Страница 31: ...de process the installer script prompts you to specify whether or not you want the current server machine to participate in an HA cluster If you choose to do so the installer script prompts you to con...

Страница 32: ...ces are preconfigured to perform local database backups See the NSMXpress and NSM3000 User Guide for details If you want to send copies of the file backups to a remote machine the installer script pro...

Страница 33: ...ot already exist the installer creates the user for you In this case the installer prompts you to create a password for the user This password will not expire NOTE The NSM appliance settings for Postg...

Страница 34: ...ice Server on the same server with HA simple high availability configuration or separate servers with HA extended high availability configuration This configuration option enables you to configure a p...

Страница 35: ...er License Management Server LMS and then installed onto the NSM Server or NSM appliance LMS provides an interface to generate licenses based upon serial number authorization code and installation ID...

Страница 36: ...rchase and generate a license key file 4 Enter the installation ID that was generated by the NSM Server The LMS system generates a license key file for the SKU recorded You can choose to download the...

Страница 37: ...per Networks Customer Service Customer Service will validate your purchase and generate a license key 5 Select the Need High Availability Key check box The LMS systems prompts you to provide the NSM S...

Страница 38: ...u purchased Juniper Networks provides an authorization code via e mail If you received a paper license certificate and are managing more than 25 devices call Juniper Networks Customer Service Customer...

Страница 39: ...a license key 5 Select the Need High Availability Key check box The LMS systems prompts you to provide the NSM Secondary serial number and Secondary Installation ID The LMS system generates a license...

Страница 40: ...the NSM License Information window From the menu bar select Tools NSM License Information to view this information Enforcing Licenses The maximum number of devices allowed for NSMXpress appliance ins...

Страница 41: ...for an NSM appliance and software only installations License upgrades can be purchased at any time for any supported product After purchasing a license upgrade you receive a Right to Use RTU certifica...

Страница 43: ...e NSM appliance uses a simplified installation procedure See the NSMXpress and NSM3000 User Guide for details This chapter contains the following sections Suggested Standalone Configuration Installati...

Страница 44: ...er Interface Defining System Parameters During the installation process you are required to configure common system parameters such as the location of the directories where you want to store data for...

Страница 45: ...process By default the GUI Server stores data in var netscreen GuiSvr xdb log GUI Server database log directory The IP address used by the running GUI Server The default is the IP address of the machi...

Страница 46: ...rms the daily backup within an hour after 2 AM Hour of the Day to Start Local Database Backup Total number of database backup files that the GUI Server stores When the GUI Server reaches the maximum n...

Страница 47: ...te have specific version requirements such as PostgreSQL Be sure to use the packages distributed in the system update 5 Configure shared memory size on your appropriate platform See Configuring Shared...

Страница 48: ...m and the update script is put in that directory The script for Solaris is located in the same directory as the tar file The name of the update script for Solaris is update_solaris10 sh The script pro...

Страница 49: ...ssh authorized_keys directory For example scp ssh id_rsa pub root IP addr management system root ssh authorized_keys 4 From the server running the management system copy ssh id_rsa pub to the remote m...

Страница 50: ...locales are installed If you have all required locales proceed to Step 2 C POSIX en_CA en_CA ISO8859 1 en_CA UTF 8 en_US en_US ISO8859 1 en_US ISO8859 15 en_US ISO8859 15 euro en_US UTF 8 es es UTF 8...

Страница 51: ...On Solaris run the following command sh nsm2010 4_servers_sol_sparc sh The installation begins automatically by performing a series of preinstallation checks The installer ensures that The OS version...

Страница 52: ...errorLog If the failure happens in the early stages of the install the log might be in tmp The installer extracts the software payloads and prompts you to install NSM with the base license root h sh...

Страница 53: ...to install the management server files Press Enter to accept the default usr netscreen directory or type the full path name to a directory and then press Enter The installer prompts whether you want t...

Страница 54: ...er to accept the default location var netscreen GuiSvr xdb log NOTE You cannot store files in an existing directory location This feature safeguards against overwriting any existing data If you specif...

Страница 55: ...uration file management actions and prompts for a password 16 Enter a password for the configuration file management CFM user Because the UNIX password can not be saved in plain text format the instal...

Страница 56: ...econds you want NSM to wait while performing backups until the process times out e Designate a directory location for locally storing the NSM database backup Press Enter to accept the default location...

Страница 57: ...erver you must reboot the server after installation Typical Output for a Standalone Installation An example of the output for a typical standalone installation is as follows root h sh nsm2010 4_server...

Страница 58: ...rectory is var netscreen GuiSvr Because the user data including database data and policies can grow to be quite large it is sometimes desirable to place this data in another partition Please enter an...

Страница 59: ...S Will server processes need to be restarted automatically in case of a failure y n y BACKUP SETUP DETAILS Will this machine require local database backups y n y Enter hour of day to start the databas...

Страница 60: ...tgres DevSvr Db password set for nsm Start server s when finished Yes Are the above actions correct y n y PERFORMING INSTALLATION TASKS INSTALLING Device Server Looking for existing RPM package ok Rem...

Страница 61: ...DE CC 91 B8 4F 42 77 42 You will need this for verification purposes when logging into the GUI Server Please make a note of it root C73 16 Starting Server Processes Manually If you did not specify th...

Страница 62: ...f you are installing the UI on RHEL 5 first install the libXp package You can obtain libXp from RedHat We recommend that you exit all running applications before installing the UI To install the NSM U...

Страница 63: ...nt click the button next to the appropriate statement and then click Next to continue NOTE If you choose to not accept the terms of the License Agreement then you are unable to proceed with the instal...

Страница 64: ...ing on a Linux based computer then the installer saves the UI software files in install_user_homedir Network and Security Manager by default To specify a new or different folder location click Choose...

Страница 65: ...to create the NSM product icons Or if you are installing on a Linux based computer select where you would like to create links to the NSM UI program Click Next to continue The Pre Installation Summary...

Страница 66: ...ation is complete a screen indicating Install Complete appears NOTE If you do not select a default web browser then the UI is not able to launch the NSM online help If you still want to use the online...

Страница 67: ...nt to run the program or launch it from a command line From the command line navigate to the subdirectory where you have installed the UI software files and then launch the UI application by running t...

Страница 68: ...o Figure 5 on page 46 Figure 5 Validating the NSM Installation 3 Use the General tab to verify the following information Device Server Manager Port The default port is 7800 IDP Device Server Manager P...

Страница 69: ...t system To run the UI in Demo mode 1 Run the NSM UI The Login window appears 2 Type any username in the Login field provided 3 Type any password in the Password field provided 4 Select DEMO MODE from...

Страница 71: ...uration Installation Order on page 49 Defining System Parameters on page 50 Prerequisites on page 53 Installing the GUI Server on page 53 Installing the User Interface on page 62 Adding the Device Ser...

Страница 72: ...he server that you are installing the GUI Server Defining System Parameters During the installation process you are required to configure common system parameters such as directory locations to store...

Страница 73: ...all process By default the GUI Server stores data in var netscreen GuiSvr xdb log GUI Server database log directory The IP address and port used by the running GUI Server The default is the IP address...

Страница 74: ...fter 2 AM Hour of the Day to Start Local Database Backup Total number of database backup files that the GUI Server stores When the GUI Server reaches the maximum number of backup files you configure i...

Страница 75: ...needed software binaries and packages are present If any component is missing the installer displays a message identifying the missing component Checking for platform specific packages FAILED The Foll...

Страница 76: ...sm2010 4_servers_linux_x86 sh PERFORMING PRE INSTALLATION TASKS Creating staging directory ok Running preinstallcheck Checking if platform is valid ok Checking for correct intended platform ok Checkin...

Страница 77: ...e the full path name to a directory and then press Enter The installer prompts whether you want to enable FIPS support 7 If you require FIPS support enter y Otherwise press Enter to accept the default...

Страница 78: ...he management IP address of the GUI Server c Type the IP address of the GUI Server This address should be the same as the server on which you are installing The installer sets the IP address and port...

Страница 79: ...s to be restarted automatically on failure NOTE The CFM passwords for NSM and for UNIX must be identical although NSM does not check that they are the same 13 If you want the server processes to be re...

Страница 80: ...ter y The installer will start the server processes with nsm user permissions If you do not want to start the server processes enter n NOTE When you restart your server the GUI Server and HA Server pr...

Страница 81: ...ies are present ok Checking for platform specific binaries ok Checking for platform specific packages ok Checking in System File for PostgreSQL and XDB parameters ok Checking for PostgreSQL ok Checkin...

Страница 82: ...word for the super user Enter password password will not display as you type Please enter again for verification Enter password password will not display as you type Enter the one time password for th...

Страница 83: ...ailure Local database backups are enabled Start backups at 02 Daily backups will not be sent to a remote machine Number of database backups to keep 7 HA rsync command backup timeout 3600 Create databa...

Страница 84: ...nstalling the User Interface Install the User Interface See Installing the User Interface on page 40 for more information on installing the User Interface UI Adding the Device Server in the User Inter...

Страница 85: ...need this when you install the Device Server Installing the Device Server The installer guides you through all the steps required to configure the system parameters and then the installer runs to com...

Страница 86: ...ocation var netscreen DevSvr The installer prompts you to enter parameters assigned by the UI to this Device Server b Type the Device Server ID The installer prompts you to type the one time password...

Страница 87: ...and creates a new backup Press Enter to accept the default setting of seven backup files d Type a number specifying how many seconds you want the management system to wait while performing backups unt...

Страница 88: ...tory ok Running preinstallcheck Checking if platform is valid ok Checking for correct intended platform ok Checking for CPU architecture ok Checking if all needed binaries are present ok Checking for...

Страница 89: ...ovide the IP address of the running GUI Server Enter the IP address of the running GUI Server 10 157 48 108 HIGH AVAILABILITY HA SETUP DETAILS Will server processes need to be restarted automatically...

Страница 90: ...TALLING Device Server Looking for existing RPM package ok Removing existing Device Server RPM ok Installing Device Server RPM ok Installing JRE ok Installing GCC ok Creating var directory ok Creating...

Страница 91: ...ating Management System Status To validate the management system is started and running properly we recommend that you view the status of all the running server processes the HA server Device Server a...

Страница 93: ...e 78 Suggested Extended HA Installation Order on page 78 Defining System Parameters on page 79 Prerequisites on page 84 Installing NSM 2010 4 on the Primary Server on page 86 Installing NSM 2010 4 on...

Страница 94: ...scenario with access to a shared disk HA Requirements Consider the following system requirements if you are planning on installing the management system for high availability Both the primary and seco...

Страница 95: ...g TCP port 7801 Upon failure the UI automatically attempts to connect to the secondary GUI Server This process is transparent to the Admin user Note however that the IP address of the secondary GUI Se...

Страница 96: ...tandby Device Server to access log data also on the active Device Server you must connect both servers to an external shared disk NOTE Rsync uses a temporary SSH connection to the peer server to perfo...

Страница 97: ...server then enters an ERROR mode and stays in that mode until you manually restart the HA Server NOTE You cannot start or stop the Device Server and GUI Server processes manually in an HA configuratio...

Страница 98: ...you need to ensure sufficient redundancy within the shared disk machine for example RAID dual power supplies NOTE In a Simple HA installation using a shared disk ensure that the data directories of b...

Страница 99: ...he HA Server is in error mode the script appends log messages from the HaSvr var errorLog highAvail 0 error log You can use this script view error messages output for the server that the script is run...

Страница 100: ...d HA configuration for example with four servers the most important step is to ensure that the PKI information is shared correctly among the servers A failure to do this step correctly could cause the...

Страница 101: ...ice Server 14 Allow the primary Device Server to failover to test that it can connect to the secondary GUI Server 15 Add your managed devices in the UI Check the device connection to both Device Serve...

Страница 102: ...etscreen GuiSvr CAUTION Do not place your data directory in usr netscreen That path normally contains binary files and should not be used for data GUI Server data directory Directory location on the G...

Страница 103: ...ry machine This in addition to the data network link already existing in the primary secondary HA Server IP address Heartbeat links between primary and secondary machine This is the password that is r...

Страница 104: ...e of day in a 24 hour day 00 23 For example if you want the backup to begin at 4 00 AM type 04 if at 4 00 PM type 16 We recommend that you set this parameter to a time of day that effectively minimize...

Страница 105: ...d Disk Parameters If you are using a shared disk partition the installer prompts you to configure additional information Table 15 on page 83 identifies the additional system parameters that you need t...

Страница 106: ...files that each partition is listed on the appropriate mount point etc fstab on Linux etc vfstab on Solaris You also need to verify that all mounts are not set to restart automatically Verifying That...

Страница 107: ...ry server manually and place it in ssh authorized_keys For example you would run the following command scp ssh id_rsa pub root IP addr NSM2 root ssh authorized_keys 4 From the secondary server you the...

Страница 108: ...a directory on the server or download the installer from the Juniper Networks Customer Services Online Web site 2 Navigate to the directory where you saved the installer file We recommend that you sav...

Страница 109: ...that the installer performed a task or check but it was unsuccessful See the install log for information about the failure This log is usually stored in usr netscreen DevSvr var errorLog If the failur...

Страница 110: ...y file enter n You will enter the license file path later See Introduction on page 3 for information about obtaining license keys 6 To accept the default usr netscreen directory press Enter or enter t...

Страница 111: ...cation var netscreen DevSvr NOTE You cannot store files in an existing directory location This feature safeguards against overwriting any existing data If you specify an existing directory the install...

Страница 112: ...er with the GUI Server 13 If you are not installing NetScreen Statistical Report Server with NSM enter n If you are installing NetScreen Statistical Report Server with NSM enter y If you entered y the...

Страница 113: ...that you are managing greater than 1000 devices For example the default heartbeat interval is 15 seconds This interval is appropriate for deployments of fewer than 1000 managed devices If you plan to...

Страница 114: ...operation a Type a two digit number 00 through 23 specifying the hour of day that you want NSM to perform the daily backup operation For example if you want NSM to perform the daily backup operation...

Страница 115: ...rompt NOTE If you are installing NSM for the first time on a Solaris server you must reboot the server after installation Viewing the Management System Installation Log The installer generates a log f...

Страница 116: ...f you are experiencing problems with the HA Server run the following command for more detailed information usr netscreen HaSvr utils haStatus The haStatus utility provides additional information descr...

Страница 117: ...rectory structure for all NSM software and data NOTE If you are installing NSM for the first time on a Solaris server you must reboot the server after installation Example Installing NSM in a Simple H...

Страница 118: ...g for platform specific packages ok Checking in System File for PostgreSQL and XDB parameters ok Checking for PostgreSQL ok Checking if user is root ok Checking if user nsm exists ok Checking if iptab...

Страница 119: ...ctory is var netscreen GuiSvr Because the user data including database data and policies can grow to be quite large it is sometimes desirable to place this data in another partition Please enter an al...

Страница 120: ...ed for Heartbeat authentication Enter password password will not display as you type Please enter again for verification Enter password password will not display as you type Enter number of Heartbeat...

Страница 121: ...e backups y n y Enter hour of day to start the database backup 00 midnight 02 2am 14 2pm 02 Will daily backups need to be sent to a remote machine y n n Enter number of database backups to keep 7 Ente...

Страница 122: ...ckup Use rsync program at usr bin rsync Path for the ssh command usr bin ssh Local database backups are enabled Start backups at 02 Daily backups will not be sent to a remote machine Number of databas...

Страница 123: ...rt Generation ok Removing staging directory ok NOTES Installation log is stored in usr netscreen DevSvr var errorLog netmgtInstallLog 20080902150909 This is the GUI Server fingerprint 17 3E 1F B9 69 2...

Страница 124: ...on the primary server during the installation of this software to avoid data corruption DEVICE SERVER SETUP DETAILS Will the Device Server data directory be located on a shared disk partition y n n T...

Страница 125: ...password will not display as you type Please enter again for verification Enter password password will not display as you type Will a Statistical Report Server be used with this GUI Server y n n CFM u...

Страница 126: ...monitor this server s network connection Enter an IP address outside of the cluster 10 150 47 254 Enter the rsync replication timeout 3600 Enter HA directory var netscreen dbbackup The HA server s req...

Страница 127: ...Use port 8443 for NBI Service Connect to GUI Server at 10 150 41 10 7801 Set password for super user CFM user cfmuser CFM Password set for cfmuser IP address for the primary HA Server 10 150 41 9 IP...

Страница 128: ...tory ok Putting NSROOT into start scripts ok Filling in GUI Server config file s ok Setting permissions for GUI Server ok Running generateMPK utility ok Running fingerprintMPK utility ok Installation...

Страница 129: ...the name of the Device Server 4 In the IP Address box enter the IP address of the Device Server 5 In the Password for GUI Server Connection box enter the password you specified for the super user acc...

Страница 130: ...are done 5 Optional Click to activate the E mail Notification tab Configure the following parameters a Enter the IP Address of the SMTP Server b Enter the e mail address referenced in the e mail notif...

Страница 131: ...ification tabs become available 3 Select the HA tab Configure the following parameters as shown in Figure 9 on page 109 a Enter the IP Address of the Secondary Server b Enter the Secondary Device Serv...

Страница 132: ...HA Configuration If you are installing the management system in an extended configuration GUI Server and Device Server on separate server machines with HA enabled you will need to run the management...

Страница 133: ...e server machines with the following parameters No shared disk No Statistical Report Server Only one heartbeat link between the primary secondary servers IP Address of the primary GUI Server is 10 150...

Страница 134: ...ecture ok Checking if all needed binaries are present ok Checking for platform specific binaries ok Checking for platform specific packages ok Checking in System File for PostgreSQL and XDB parameters...

Страница 135: ...ocation specified in the brackets Enter data directory location var netscreen GuiSvr The GUI Server stores all of the database logs under a single directory By default this directory is var netscreen...

Страница 136: ...the primary and secondary machines The IP addresses entered here must be correct and match on both ends of the link for automatic failover to function correctly Enter the IP address for this machine...

Страница 137: ...oceed with the following actions Install GUI Server Install High Availability Server Store base directory for management servers as usr netscreen This machine will have base license with maximum 25 de...

Страница 138: ...generateMPK utility ok Running fingerprintMPK utility ok Installation of GUI Server complete INSTALLING HA Server Looking for existing RPM package ok Removing existing HA Server RPM ok Installing HA S...

Страница 139: ...ace ok Noting OS name ok Stopping any running servers EXTRACTING PAYLOADS Extracting and decompressing payload ok Extracting license manager package ok GATHERING INFORMATION 1 Install Device Server on...

Страница 140: ...word will not display as you type Enter the one time password for this Gui Server Enter password password will not display as you type Please enter again for verification Enter password password will...

Страница 141: ...s outside the HA cluster is needed to monitor this server s network connection Enter an IP address outside of the cluster 10 150 47 254 Enter the rsync replication timeout 3600 Enter HA directory var...

Страница 142: ...at link 10 150 42 10 IP address for the peer s primary heartbeat link 10 150 42 9 IP address for remote HA replications 10 150 41 9 Port for HA heartbeat communication 7802 Seconds between heartbeat m...

Страница 143: ...3A 31 D4 84 You will need this for verification purposes when logging into the GUI Server Please make a note of it root C73 16 Primary Device Server Installation The following example shows the compl...

Страница 144: ...ease enter an alternative location for this data if so desired or press ENTER for the location specified in the brackets Enter data directory location var netscreen DevSvr Enter the ID assigned by the...

Страница 145: ...outside the HA cluster is needed to monitor this server s network connection Enter an IP address outside of the cluster 10 150 47 254 Enter the rsync replication timeout 3600 Enter HA directory var n...

Страница 146: ...address for the secondary HA Server 10 150 41 8 Set shared password for heartbeat Number of Heartbeat links 1 IP address for this machine s primary heartbeat link 10 150 43 7 IP address for the peer...

Страница 147: ...rt script ok PERFORMING POST INSTALLATION TASKS Running nacnCertGeneration ok Running idpCertGeneration ok Removing staging directory ok NOTES Installation log is stored in usr netscreen DevSvr var er...

Страница 148: ...default this directory is var netscreen DevSvr Because the user data including logs and policies can grow to be quite large it is sometimes desirable to place this data in another partition Please en...

Страница 149: ...t equal at least this value Using the defaults is recommended Enter a time interval seconds between heartbeat messages 15 Enter number of missing heartbeat messages before automatic switchover occurs...

Страница 150: ...ster This server is the primary No Store Device Server data in var netscreen DevSvr Connect to GUI Server at 10 150 41 10 7801 IP address for the primary HA Server 10 150 41 7 IP address for the secon...

Страница 151: ...Server RPM ok Creating var directory ok Putting NSROOT into start scripts ok Filling in HA Server config file s ok Setting permissions for HA Server ok Installation of HA Server complete SETTING START...

Страница 153: ...n on page 150 Upgrading NSM with HA Enabled on page 151 Restoring Data if the Upgrade Fails on page 153 Next Steps on page 154 Upgrade Overview The following procedure summarizes the process for upgra...

Страница 154: ...eter Directory location on the Device Server where device data is stored Because the data on the Device Server can grow to be large consider placing this data in another location If you decide to have...

Страница 155: ...agement password Directory location where local database backup data is stored By default the GUI Server stores local database backup data at var netscreen dbbackup Localdatabasebackup directory Path...

Страница 156: ...henticate with the GUI Server when attempting to connect Password for GUI Server Connection HA Configuration Parameters Table 19 on page 134 describes the system parameters that you need to identify i...

Страница 157: ...matic switchover to the secondary machine occurs The default is 4 messages Missing heartbeats before switchover occurs Network IP Address used to monitor this server s network connection IP Address ou...

Страница 158: ...rver stores seven backup files Number of Local Database Backup Files Stored Shared Disk Parameters Table 20 on page 136 identifies the additional system parameters that you need to identify to upgrade...

Страница 159: ...cated a maximum amount of disk space for the data partition var netscreen directory See Hardware Recommendations on page 201 for more information about the disk space requirements appropriate for your...

Страница 160: ...e shell archive script For example you can execute the shell archive script by running the following command platform sh For example on Linux es4 the update script is named rhes4_upd3 sh and located i...

Страница 161: ...ity configuration directory For example cd usr netscreen HaSvr var 2 Open the High Availability configuration file haSvr cfg in any text editor 3 To modify the rsync timeout values configure the follo...

Страница 162: ...Use the Solaris 10 installation DVD to load any missing locales The minimum supported Solaris 10 revision is 6 06 You can download the DVD from www sun com Mount the DVD in this example solaris and is...

Страница 163: ...following message Device s running ScreenOS 4 0 x or earlier release were found in the managed network Using your currently installed version of NSM upgrade all such devices to ScreenOS 5 0 or later...

Страница 164: ...platform is valid ok Checking for correct intended platform ok Checking if ScreenOS 4 0 x or earlier device in network ok Checking for CPU architecture ok Checking if all needed binaries are present o...

Страница 165: ...prompt you will be prompted for configuration input The installer prompts whether you want to enable FIPS support 6 If you require FIPS support enter y Otherwise press Enter to accept the default val...

Страница 166: ...ding time of day to take the backup how many backups to keep and whether to take a remote backup NOTE You must allow local backup if you want to specify remote backup Database server details including...

Страница 167: ...ple upgrades a standalone installation using the base license and without reconfiguring server parameters root h sh nsm2010 4_servers_linux_x86 sh PERFORMING PRE INSTALLATION TASKS Creating staging di...

Страница 168: ...er password password will not display as you type Please enter again for verification Enter password password will not display as you type Enter the same password again for CFM user Changing password...

Страница 169: ...servers as usr netscreen This machine will have base license with maximum 25 devices This machine does not participate in an HA cluster CFM user cfmuser CFM Password set for cfmuser Servers will be re...

Страница 170: ...abling HA Server start script ok PERFORMING POST INSTALLATION TASKS ok Loading GuiSvr XDB data from init files ok Migrating GuiSvr data ok ok Removing staging directory ok Starting GUI Server ok Start...

Страница 171: ...3 and later releases of the UI client you can upgrade to the 2010 4 Release automatically For earlier releases you must manually download and install the new UI client Downloading and Installing the...

Страница 172: ...er information 2 Click on the Device Server and click on the Edit icon or right click on the Device Server and select Edit to view all information available on the Device Server 3 Use the General tab...

Страница 173: ...on the primary servers where you have currently installed the GUI and Device Servers Specify that you want to upgrade the servers 4 Configure the following HA parameters when prompted during the Gener...

Страница 174: ...tended platform ok Checking for CPU architecture ok Checking if all needed binaries are present ok Checking for platform specific binaries ok Checking for platform specific packages ok Checking in Sys...

Страница 175: ...the next scheduled remote database replication interval default is 1 hour If the primary server goes down before the next scheduled remote database replication the data on the secondary server will no...

Страница 176: ...dy to begin managing your network Refer to the Network and Security Manager Administration Guide and Network and Security Manager Online Help for information describing how to plan and implement NSM f...

Страница 177: ...rading to NSM 2010 4 on an NSM Regional Server appliance if the appliance is connected to the Internet NSM 2010 4 requires a license file if you are managing more than 25 devices You must have the lic...

Страница 178: ...your operating system All the necessary software binaries are present You correctly logged in as root You have installed a version of NSM earlier than the current version you are installing The syste...

Страница 179: ...ct type y and press Enter to proceed If settings are incorrect type n and press Enter to return to the original selection prompt The upgrade proceeds automatically The installer performs the following...

Страница 180: ...g the following command which unzip This command gives you the location of the unzip utility If it is not available use the following command to install this utility yum install unzip 6 Navigate to th...

Страница 181: ...rform a clean install of Central Manager 10 The installer next prompts you to configure additional options specific to your installation during the upgrade These options can include Configuring High A...

Страница 182: ...r upgrade link to download the NSM Appliance upgrade software The downloaded file has the name nsm2010 4_servers_upgrade_rs zip 2 From the NSM Software Download page click the Offline Server upgrade l...

Страница 183: ...heck and verified that the condition was satisfied FAILED indicates that the installer performed a task or check but it was not successful See the install log for information about the failure This lo...

Страница 184: ...with the output of the installation commands for troubleshooting The installer indicates the name of the installation log file and the directory location where it is saved This file is saved by defaul...

Страница 185: ...5 i386 rpm 7 Navigate to the directory where you saved the downloaded files which is typically the tmp subdirectory 8 Enter the following command to unzip and save two files nsm2010 4_servers_cm sh u...

Страница 186: ...m a clean install of the Central Manager 11 The installer next prompts you to configure additional options specific to your installation during the upgrade These options can include Configuring High A...

Страница 187: ...NSM to an NSMXpress or NSM3000 appliance It contains the following procedures Data Migration from a Solaris Server to an NSM Regional Server Appliance on page 165 Data Migration from a Linux Server to...

Страница 188: ...esses with the following commands usr netscreen HaSvr bin haSvr sh stop usr netscreen GuiSvr bin guiSvr sh stop usr netscreen DevSvr bin devSvr sh stop 5 Run Importer using the following command usr n...

Страница 189: ...d in devSvr cfg to match the one time password in the shadow_server table a Use the vi editor to edit the var netscreen DevSvr devSvr cfg file b Change the one time password to match the one time pass...

Страница 190: ...ractical cd var netscreen tar cvf Devdb tar DevSvr 5 Transfer the Guidb tar and Devdb tar archive files to a place where they can be retrieved later On the NSMAppliance 1 Use the nsm_setup utility to...

Страница 191: ...r and guiSvr from the devSvr cfg file so they can be renegotiated and established again Correct the one time client password in devSvr cfg 8 If the Linux server used a customized device server data di...

Страница 192: ...ser to admin 1 Log in as an nsm user by entering the following command at the prompt admin NSMXpress sudo su nsm Password admin password 2 Change user privileges to admin by entering the following com...

Страница 193: ...ge 178 Configuring High Availability Options on page 180 Relocating the Database on page 183 Installing a Trivial File Transfer Protocol Server on page 185 Modifying Timeout Values on the Device Serve...

Страница 194: ...d Stops the management system process for two seconds and then restarts the process restart Starts the management system process start Stops the management system process stop Provides a status of the...

Страница 195: ...Svr sh stop To stop the HA Server process manually enter the following command usr netscreen HaSvr bin haSvr sh stop NOTE To prevent the server from rebooting in a HA configuration that uses shared di...

Страница 196: ...ess xdbUpdate usr netscreen GuiSvr var xdb server 0 1 __ ip IP Address Note that the 0 represents the GUI Server ID and the 1 represents the Device Server You can view these IDs using the Server Manag...

Страница 197: ...isk space is restored If for any reason the Device Server is not able to restore 500 MB of disk space the Device Server automatically shuts down An error message appears in the console window indicati...

Страница 198: ...r until you reclaim required minimum i nodes For your convenience a shell script is provided enabling you to reclaim i nodes This script is located in the utilities directory on the GUI Server usr net...

Страница 199: ...Server configuration file called devSvr cfg 2 Edit the time value in thousandths of a second for the devSvrDirectiveHandler fastCli timeout parameter to change the way the Device Server controls conne...

Страница 200: ...netscreen GuiSvr var or the path that you configured when you initially installed the GUI Server usr netscreen DevSvr var or the path that you configured when you initially installed the Device Serve...

Страница 201: ...al location or disk 6 Start the HA Server GUI Server and then the Device Server NOTE Do not start the GUI Server and the Device Server manually if the HA Server will start them for you The HA Server s...

Страница 202: ...high availability options on the management system by editing the High Availability configuration file haSvr cfg Enabling and Disabling High Availability Processes To enable high availability 1 Stop...

Страница 203: ...ue for the highAvail backupTimeHour variable To change the number of backup files that the tool saves edit the value for the highAvail numofBackup variable To change the path to the rsync package edit...

Страница 204: ...ckup data directory on your new management system server 3 Navigate to the HA Server utilities subdirectory usr netscreen HaSvr utils by default 4 Run the database restore shell archive script and spe...

Страница 205: ...database and the Device Server log database 1 Verify that the system is working properly 2 Stop the server processes usr netscreen HaSvr bin haSvr sh stop If the HA Server is not configured to stop th...

Страница 206: ...ents the GUI Server ID and the 1 represents the Device Server You can view these IDs using the Server Manager in the NSM UI Copy the Device Server log database to the new system 1 On the Device Server...

Страница 207: ...correct d Save the file and exit Restart the server processes 1 Start the HA Server usr netscreen HaSvr bin haSvr sh start 2 If the HA Server is not configured to start the GUI Server and the Device...

Страница 208: ...rver To configure and enable the TFTP server on Linux 1 Open the etc xinetd d tftp file in any text editor 2 Edit the parameter server_args so that the value is s usr netscreen DevSvr var cache 3 Edit...

Страница 209: ...ce Server 1 Stop the Device Server and any HA Server If the HA Serer is configured to stop all NSM server processes when it stops enter this command usr netscreen HaSvr bin haSvr sh stop If the HA Ser...

Страница 210: ...your previous version of NSM 4 Restore your backup database See Restoring the Database on page 182 for more information Removing the Management System To remove previous management system installation...

Страница 211: ...athnames in class none usr netscreen DevSvr utils policy_compiler usr netscreen DevSvr utils nacnUpdateCAnml usr netscreen DevSvr utils nacnLoadPKCS12 usr netscreen DevSvr bin devSvrDataCollector usr...

Страница 212: ...inux based computer you can either double click on the Uninstall_Network_and_Security Manager icon or you can launch the UI uninstaller from a command line sh Uninstall_Network_and_ Security_Manager T...

Страница 213: ...T 2 Appendixes Technical Overview of the NSM Architecture on page 193 Hardware Recommendations on page 201 Profiler Performance Tuning Recommendations on page 209 191 Copyright 2010 Juniper Networks I...

Страница 215: ...ecific network security environment It includes the following key components as shown in Figure 12 on page 193 Management system User interface UI Managed devices Figure 12 NSM Architecture This appen...

Страница 216: ...ating the two server components you can improve system performance GUI Server The GUI Server receives and responds to requests and commands from the NSM UI It manages all the system resources and conf...

Страница 217: ...ocation Refer to the Network and Security Manager Administration Guide or the Network and Security Manager Online Help included in the UI for more information about the NSM UI About Managed Devices Th...

Страница 218: ...rt TCP 443 STRM devices connect to the PostgreSQL on this port to get profiler data TCP 5432 Devices running ScreenOS Software connect to the Device Server on this port TCP 7800 The GUI Server receive...

Страница 219: ...nization the Device Server connects to the NTP server on this port UDP 123 The NSM Topology Discovery Manager uses SNMP to communicate with devices through this port UDP 161 The Device Server sends SN...

Страница 220: ...able 24 on page 198 lists and describes the ports used specifically in communications between NSM and ScreenOS 5 0 devices Table 24 Management System Communications With Devices Running ScreenOS Descr...

Страница 221: ...System Communications With DMI Compatible Devices Description Port Server Component Accepts incoming device connections Inbound TCP 7804 Device Server Communicates with the GUI server Outbound TCP 780...

Страница 222: ...rom the GUI Server if you deploy your UI clients inside the management network If you must deploy UI clients outside the management network then you must allow TCP port 7808 access to the GUI Server i...

Страница 223: ...ome general rules and formulas This appendix contains these sections Standalone or Distributed System for GUI Server and Device Server on page 201 Network Card Requirements on page 202 Memory Requirem...

Страница 224: ...u add a device use the MIP Address for the devices to connect to the Device Server Memory Requirements This section details memory requirements on the GUI Server and Device Server GUI Server A higher...

Страница 225: ...the Device Server is managing firewall VPN devices or Junos devices Table 27 Device Server RAM Requirements for Firewall VPN or Junos Devices Device Server RAM Required Number of Devices 4 GB Less th...

Страница 226: ...Server GUI Server The GUI Server binaries and libraries require less than 100 MB Other key components that are disk space intensive are Audit Log Error Log Device configuration database Nightly backu...

Страница 227: ...audit log details turned off the audit log uses only 100 408 bytes 5 1 KB 45 KB of disk space The GUI Server also requires 2 GB for the database transaction log Error Log The var netscreen GuiSvr err...

Страница 228: ...25 000 000 300 GB 50 000 000 Table 31 on page 206 lists some examples for a Device Server managing just IDP stand alone devices running profiler based on a retention period of 30 days Table 31 Storag...

Страница 229: ...ability on the Device Server A modern Intel or AMD CPU 2 4GHz or an UltraSparc III 1 2 GHz can handle sustained log rates of at least 20 000 logs per second Device Server Managing IDP Standalone Devic...

Страница 230: ...nternal testing The Device Server must have at least enough space in var netscreen for 1 day of logs Make sure that the storage manager parameters in devSvr cfg are adjusted to cover one full day s wo...

Страница 231: ...tivities Low End Configuration 1 or 2 profiling devices Medium Sized Configuration 3 through 8 profiling devices High End Configuration 9 through 20 profiling devices Recommendations for Low End Confi...

Страница 232: ...n recommended settings Medium Size Configuration 3 to 8 IDP Profiling Devices Table 34 on page 210 describes recommendations for optimum performance when managing 3 to 8 profiling devices Table 34 Per...

Страница 233: ...on page 211 describes recommendations for optimum performance when managing 9 to 20 profiling devices Table 35 Performance Turning Recommendations for High End Configurations Value Recommended Compone...

Страница 234: ...erences From the UI use System Preferences Profiler Settings to configure settings on the Profiler to improve performance Table 36 on page 212 describes settings that you can configure to improve perf...

Страница 235: ...e next section Table 37 on page 213 describes parameters in the postgresql conf file that affect Profiler performance Table 37 PostgreSQL Server Settings Default Value Description Parameter 1000 KB Se...

Страница 236: ...set shmsys shminfo_shmmin 1 set shmsys shminfo_shmmni 256 set shmsys shminfo_shmseg 256 set semsys seminfo_semmap 256 set semsys seminfo_semmni 512 set semsys seminfo_semmns 512 set semsys seminfo_se...

Страница 237: ...een two consecutive vacuums profilerMgr receiver minVacuumInterval NO If this setting is YES VACUUM FULL is performed during optimization otherwise skipped profilerMgr receiver performVacuumFull 3 hou...

Страница 238: ...4 CPUs we recommend that you set this value as follows set_cachesize 0 1024000000 4 If you need more memory change the BDB config to increase the exiting limit Increase the parameters listed below in...

Страница 241: ...132 for GUI Server described 23 51 80 132 data migration 165 database backup options 10 replicating 181 restoring 182 defining system parameters 22 50 79 132 Demo Mode 47 Device Server adding 62 inst...

Страница 242: ...ng 131 upgrading Central Manager 158 162 upgrading NSMXpress 155 160 memory requirements for UI 7 management system on same server 5 management system on separate servers 6 migration to NSMXpress 165...

Страница 243: ...vers 6 system parameters 22 50 79 132 system update utility described 5 running 25 138 T technical support contacting JTAC xx TFTP server installing on Linux 186 installing on Solaris 186 timeout bulk...

Результаты поиска

Содержание NETWORK AND SECURITY MANAGER 2010.4 - REV1

Отзывы:

Похожие инструкции для NETWORK AND SECURITY MANAGER 2010.4 - REV1

Бренды по названию

Популярные бренды

Juniper NETWORK AND SECURITY MANAGER 2010.4 - REV1, Руководство по установке

Результаты поиска

Содержание NETWORK AND SECURITY MANAGER 2010.4 - REV1

Отзывы:

Похожие инструкции для NETWORK AND SECURITY MANAGER 2010.4 - REV1

Бренды по названию

Популярные бренды