CA Network Flow Analysis Installation Guide

CA Network Flow Analysis
Installation Guide
Release 9.1.3
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to
as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time.
This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without
the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed
by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing
your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and
CA.
Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may
print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your
employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced
copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.
The manufacturer of this Documentation is CA.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.
Copyright © 2013 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.
Contact CA Technologies
Contact CA Support
For your convenience, CA Technologies provides one site where you can access the
information that you need for your Home Office, Small Business, and Enterprise CA
Technologies products. At http://ca.com/support, you can access the following
resources:
■
Online and telephone contact information for technical assistance and customer
services
■
Information about user communities and forums
■
Product and documentation downloads
■
CA Support policies and guidelines
■
Other helpful resources appropriate for your product
Providing Feedback About Product Documentation
If you have comments or questions about CA Technologies product documentation, you
can send a message to techpubs@ca.com.
To provide feedback about CA Technologies product documentation, complete our
short customer survey which is available on the CA Support website at
http://ca.com/docs.
Related Documentation
CA provides a full set of technical documentation in the CA Network Flow Analysis
Documentation Bookshelf. Access the bookshelf by clicking the Help link in the CA
Network Flow Analysis user interface. You can open the guides in PDF and HTML format
from the Documentation Bookshelf. Access the bookshelf from the Help menu in the CA
Network Flow Analysis or CA Performance Center user interface.
The documentation may have been updated since its release. To be sure you have the
latest documentation updates, download the bookshelf and Readme files from CA
Support.
The documentation set for CA Network Flow Analysis 9.1.3 includes the following
guides:
■
Online help: Assistance for Administrators and operators, available through the
Help link in the user interface.
■
Administrator Guide: How to set up and maintain CA Network Flow Analysis.
■
Operator Guide: How to use the NFA console to create, view, and manage reports.
■
Installation Guide: How to install the software and perform one-time configuration
tasks.
■
Upgrade Guide: How to upgrade the software and perform initial configuration
tasks.
■
Release Notes: Summary of CA Network Flow Analysis enhancements, fixes, and
open issues.
■
CA Anomaly Detector Guide: How to install, upgrade, configure, and use CA
Anomaly Detector.
■
CA Anomaly Detector Release Notes: Overview of the product, system
requirements/recommendations, and features.
The product PDFs are in the following directory:
<install_path>\Reporter\NetQoS.ReporterAnalyzer.WebSite\help\<locale>\NFA_Booksh
elf\Bookshelf_Files\PDF.
To view the documentation PDF files, make sure that Adobe Reader is installed. You can
download the Reader from http://get.adobe.com/reader/.
Contents
Chapter 1: Introduction
7
Chapter 2: Download the Executables
8
Chapter 3: System Recommendations and Requirements
9
Windows Operating System Requirements ................................................................................................................. 9
Hardware Recommendations for Windows Servers .................................................................................................. 10
Linux Hardware and Operating System Recommendations and Requirements ........................................................ 12
Chapter 4: Preparing Windows Servers
15
Prepare the Windows Servers .................................................................................................................................... 15
Supported Web Browsers .......................................................................................................................................... 17
Install JRE and .NET Framework ................................................................................................................................. 18
Install Adobe Applications .......................................................................................................................................... 18
Firewall Configuration ................................................................................................................................................ 19
Ports to Open for a Standalone System .............................................................................................................. 19
Ports to Open for a Two-Tier Distributed Deployment ....................................................................................... 20
Ports to Open for a Three-Tier Distributed Deployment .................................................................................... 21
Install IIS, ASP, and COM+ .......................................................................................................................................... 22
Install IIS, ASP, and COM+ on Windows Server 2008 R2 ..................................................................................... 22
Install IIS, ASP, and COM+ on Windows Server 2003 .......................................................................................... 24
Configure SNMP ......................................................................................................................................................... 26
Configure SNMP on Windows Server 2008 R2 .................................................................................................... 26
Configure SNMP on Windows Server 2003 ......................................................................................................... 27
Configure the SNMP Community Name ..................................................................................................................... 28
Disable Connections to IPv6 Addresses on Windows Server 2008 R2 ....................................................................... 29
Configure Data Execution Prevention (DEP) .............................................................................................................. 30
Chapter 5: Preparing Linux Servers
33
Prepare the Linux Servers .......................................................................................................................................... 33
Install SNMP on Linux Servers .................................................................................................................................... 34
Disable IPv6 Networking on Linux Servers ................................................................................................................. 35
Disable the iptables Firewall for Linux Servers ........................................................................................................... 36
Contents 5
Chapter 6: Install the Software
37
Install the Components on a Standalone Server ........................................................................................................ 37
Install a Distributed Deployment ............................................................................................................................... 40
Install the Harvester on a Windows Server ......................................................................................................... 40
Install the Harvester on a Linux Server ............................................................................................................... 42
Install the DSA in a Three-Tier Distributed Deployment ..................................................................................... 44
Install the NFA Console ....................................................................................................................................... 46
Chapter 7: Post-Installation Tasks
49
Install CA Performance Center ................................................................................................................................... 50
Configure SNMP on Linux Servers .............................................................................................................................. 51
Synchronize System Time ........................................................................................................................................... 52
Synchronize System Time on Windows Server 2008 R2 ..................................................................................... 53
Synchronize System Time on Windows Server 2003 .......................................................................................... 54
Update the List of Trusted Internet Sites ................................................................................................................... 55
Modify the Router Access Control Lists ..................................................................................................................... 56
Disable User Account Control (UAC) .......................................................................................................................... 56
Configure Web Content Expiration ............................................................................................................................ 57
Configure Web Content Expiration on Windows Server 2008 R2 ....................................................................... 57
Configure Web Content Expiration on Windows Server 2003 ............................................................................ 58
Prevent False Positive Events ..................................................................................................................................... 59
Configure the Recycle Bin .......................................................................................................................................... 60
Disable Unneeded Services ........................................................................................................................................ 61
Disable Unneeded Services on Windows Server 2008 R2 ................................................................................... 61
Disable Unneeded Services on Windows Server 2003 ........................................................................................ 63
Chapter 8: Uninstalling CA Network Flow Analysis
65
Uninstallation Prerequisites ....................................................................................................................................... 65
Uninstall CA Network Flow Analysis ........................................................................................................................... 67
Chapter 9: Troubleshooting
69
FIPS Algorithm Policy Is Enabled ................................................................................................................................ 70
Java Is Not Installed .................................................................................................................................................... 71
SC.exe Is Not Installed ................................................................................................................................................ 72
SNMP Is Not Enabled.................................................................................................................................................. 72
Index
6 Installation Guide
75
Chapter 1: Introduction
CA Network Flow Analysis helps you understand how application traffic affects your
network performance.
The following diagram describes the process of installing CA Network Flow Analysis.
Chapter 1: Introduction 7
Windows Operating System Requirements
Chapter 2: Download the Executables
Copy the installation/upgrade files to the installation server so you are certain to have
access to the files. Obtain the CA Network Flow Analysis installation/upgrade files from
CA Technical Support, then perform one of the following tasks:
■
Burn the ISO files to a CD-ROM or DVD.
■
Extract the contents of the ISO files by using an ISO image software application.
Many ISO image applications are free.
Extract the appropriate files to the installation servers:
■
■
Standalone servers:
–
NFHarvesterSetup9.1.3.exe
–
RAConsoleSetup9.1.3.exe
–
consoletool-exe.jar
Windows Harvester servers in distributed architecture deployments:
–
■
Linux Harvester servers in distributed architecture deployments:
–
■
NFHarvesterSetup9.1.3.exe
NFHarvesterSetup9.1.3.bin
DSA servers in three-tier distributed architecture deployments:
–
DSASetup9.1.3.exe
You can install or upgrade the software locally or remotely.
8 Installation Guide
Chapter 3: System Recommendations and
Requirements
This section describes the hardware and operating system recommendations and
requirements for the CA Network Flow Analysis component servers.
If you purchase hardware from CA Technologies, all components are delivered with the
operating system and security settings already configured. Use the topics in this guide to
verify the settings or update them to suit the needs of your organization.
If you purchase software only, configure and secure the operating system as described
in this guide.
Before you begin, copy any files that you need to the installation server. After you
secure the operating system, you may not be able to access the share folders that
contain the files.
This section contains the following topics:
Windows Operating System Requirements (see page 9)
Hardware Recommendations for Windows Servers (see page 10)
Linux Hardware and Operating System Recommendations and Requirements (see page
12)
Windows Operating System Requirements
Microsoft Windows servers that host CA Network Flow Analysis components must have
one of the following operating systems:
■
Microsoft Windows Server 2008 R2, Standard edition on a 64-bit processor
■
Microsoft Windows Server 2003, Standard edition on a 32-bit processor
■
Install and register the Windows software.
In addition, the servers must meet the following requirements:
■
The most recent service pack and all important updates installed
■
English, Chinese (Simplified), French (France), or Japanese language
Appropriate language packs installed on all servers for localized deployments
■
Minimum display resolution of 1024x768 (XGA)
Chapter 3: System Recommendations and Requirements 9
Hardware Recommendations for Windows Servers
■
Server configured as described in:
–
Prepare the Windows Servers (see page 15)
–
Post-Installation Tasks (see page 49)
Notes:
■
Before you begin the tasks in this guide, log in to a Windows server as a user who is
a member of the Administrators group or in to a Linux server with root privileges.
■
CA Network Flow Analysis 9.1.3 supports installation on servers with IPv4
addresses. Installation is not supported at this time on servers with IPv6 addresses.
■
CA Network Flow Analysis 9.1.3 supports installation and upgrade on servers with
IPv4 addresses, but not IPv6 addresses.
■
We recommend that you configure a single NIC (network interface card) on each
server.
■
The requirements and recommendations that are described in this section apply to
both physical and virtual deployments.
Hardware Recommendations for Windows Servers
In a distributed deployment, the CA Network Flow Analysis components are installed on
separate servers.
A standalone server is a single server that is used for installing all of the CA Network
Flow Analysis components.
We tested the product with the following hardware configuration. Your requirements
may vary depending on the characteristics and volume of interfaces, applications, and
operators in your network.
Notes:
10 Installation Guide
■
The recommended specifications described here apply to both physical and virtual
deployments. The specifications represent an optimal configuration, such as the
configuration of CA appliances that are currently shipping. You can run CA Network
Flow Analysis successfully on configurations that do not meet these specifications,
although your performance may vary.
■
Performance is improved by running CA Network Flow Analysis software and the
operating system on separate drives, as described in the following text. It is possible
to install and run the CA Network Flow Analysis software on the same drive,
however.
Hardware Recommendations for Windows Servers
The following recommended specifications apply to dedicated servers that are used to
install one or more CA Network Flow Analysis components:
Standalone server
■
2.26-GHz quad-core processor
■
3 GB RAM
■
Three 146-GB 10,000-RPM SAS hard drives in RAID 5 configuration
■
1-Gb LAN port
■
Partition for the C: drive that contains 40 GB for the operating system
■
Partition for a D: drive or other separate drive that contains 41 GB for the
installation/upgrade files and at least 200 GB of available space for data
NFA console server
■
2.26-GHz quad-core processor
■
3 GB RAM
■
Three 146-GB 10,000-RPM SAS hard drives in RAID 5 configuration
■
1-Gb LAN port
■
Partition for the C: drive that contains 40 GB for the operating system
■
Partition for a D: drive or other separate drive that contains 41 GB for the
installation/upgrade files and at least 200 GB of available space for data
Harvester server
■
Two 2.26-GHz quad-core processors
■
12 GB RAM
■
Six 300-GB, 10,000-RPM SAS hard drives in RAID 5 configuration
■
1-Gb Ethernet port
■
Partition for the C: drive that contains 40 GB for the operating system
■
Partition for a D: drive or other separate drive that contains 41 GB for the
installation/upgrade files and 1 TB of available space for data
Data Storage Appliance (DSA) server (3-tier architecture only)
■
2.26-GHz quad-core processor
■
12 GB RAM
■
Six 300-GB, 10,000-RPM SAS hard drives in RAID 5 configuration
■
1-Gb Ethernet port
Chapter 3: System Recommendations and Requirements 11
Linux Hardware and Operating System Recommendations and Requirements
■
Partition for the C: drive that contains 40 GB for the operating system
■
Partition for a D: drive or other separate drive that contains 41 GB for the
installation/upgrade files and 1 TB of available space for data
Linux Hardware and Operating System Recommendations and
Requirements
For a distributed deployment, CA Network Flow Analysis supports running the Harvester
on dedicated Linux servers that meet the following system requirements:
■
Red Hat Enterprise Linux 5.5 or 5.6 on a 64-bit processor
■
Java Runtime Engine (JRE) 1.6u41, which is included with the ISO files from CA
Technical Support.
If the installation server does not have JRE version 1.6 installed, the installation or
upgrade program fails to launch. We recommend that you install JRE 1.6u41, the
version that was used in CA Network Flow Analysis 9.1.3 testing. Untested JRE
versions may produce unexpected results.
■
English, Chinese (Simplified), French (France), or Japanese language
Appropriate language packs installed on all servers for localized deployments
We recommend that Linux Harvester servers meet the following specifications:
■
Two 2.26-GHz quad-core processors
■
12 GB RAM
■
Six 300-GB, 10,000-RPM SAS hard drives in RAID 5 configuration
■
1-Gb Ethernet port
■
Root partition that contains 40 GB of available space
■
Partition for CA Network Flow Analysis that contains the following amounts of
available space:
–
41 GB for the installation/upgrade files
–
1 TB for data
If you do not have enough available space in the /tmp directory and you cannot
configure it, relocate the directory. Export the IATEMPDIR environment variable (for the
Install Anywhere temporary directory) to set a new location, and select a directory with
sufficient space.
12 Installation Guide
Linux Hardware and Operating System Recommendations and Requirements
Notes:
■
CA Network Flow Analysis 9.1.3 supports installation on servers with IPv4
addresses. Installation is not supported at this time on servers with IPv6 addresses.
■
The specifications described in this section apply to both physical and virtual
deployments.
Chapter 3: System Recommendations and Requirements 13
Chapter 4: Preparing Windows Servers
This section contains the following topics:
Prepare the Windows Servers (see page 15)
Supported Web Browsers (see page 17)
Install JRE and .NET Framework (see page 18)
Install Adobe Applications (see page 18)
Firewall Configuration (see page 19)
Install IIS, ASP, and COM+ (see page 22)
Configure SNMP (see page 26)
Configure the SNMP Community Name (see page 28)
Disable Connections to IPv6 Addresses on Windows Server 2008 R2 (see page 29)
Configure Data Execution Prevention (DEP) (see page 30)
Prepare the Windows Servers
Before you begin the installation, verify that the following conditions are met. Failure to
meet these requirements and recommendations can result in data loss, increased down
time, software conflicts, or installation failure.
Notes:
■
Install a supported version of CA Performance Center or CA NetQoS Performance
Center (see page 50) on a server in the deployment.
■
Stop other programs from running during the installation or upgrade.
■
Restart all servers to ensure that all the installed operating system patches are
applied.
■
Ensure that no one else is logged in to the server during the installation or upgrade.
Complete the following tasks on each of the Windows servers:
Standalone Server
Distributed NFA Console
Server
Distributed Harvester
Server
Distributed 3-Tier
DSA Server
■
If possible, meet Windows hardware recommendations (see page 10)
■
Meet Windows operating system requirements (see page 9)
■
Download the installation files (see page 8)
■
Assign a static IP address to each server. Set the Harvester server IP address to match the flow export
destination that is assigned to each router.
■
Install the supported version of JRE and .NET Framework (see page 18) *
Chapter 4: Preparing Windows Servers 15
Prepare the Windows Servers
Distributed NFA Console
Server
Standalone Server
Distributed Harvester
Server
Distributed 3-Tier
DSA Server
■
(Recommended) Enable Remote Desktop Connection to allow remote access
■
(Recommended) Install a supported browser (see
page 17) **
■
Configure the firewall (see page 19)
■
(Recommended) Install Flash Player and Reader
(see page 18) **
■
Install IIS, COM+, and ASP [Windows Server 2008
(see page 22) or 2003 (see page 24)] **
■
Configure SNMP [Windows Server 2008 (see page 26) or 2003 (see page 27)] **
■
Configure the SNMP community name (see page 28)
■
Disable IPv6 addresses (Windows Server 2008 systems) (see page 29)
■
Configure DEP (see page 30)
■
Disable the following third-party software: Antivirus, server monitoring, and maintenance software until the
installation is complete. If you enable antivirus scans later, exclude the CA Network Flow Analysis installation
path and its subdirectories.
* If this requirement is not met, the installation program either does not open or does
not complete successfully.
** If the server fails to pass the check for this requirement, a warning message opens.
General Notes:
■
Stop other programs from running during the installation or upgrade.
■
Restart all servers to ensure that all the installed operating system patches are
applied.
■
Ensure that no one else is logged in to the server during the installation or upgrade.
Localization Notes:
16 Installation Guide
■
To support non-Latin characters such as Japanese and Simplified Chinese, any
command line clients that you use for installation must be configured for UTF-8
encoding. If UTF-8 encoding is not enabled, these characters may not display
properly.
■
The appropriate language packs are required for localized deployments.
■
Regional Settings must use a period (.) to indicate a decimal value. If your
deployment is localized to French, change the decimal symbol to a period in the
Region and Language: Customize Format dialog.
Supported Web Browsers
Supported Web Browsers
Access to the NFA console is supported for Microsoft Internet Explorer version 7 or 8.
Version 8 is recommended. Other browsers or browser versions may work with CA
Network Flow Analysis, but have not been tested. Microsoft Internet Explorer version 10
is not supported.
Required/Optional
Operating System
Servers to Configure
Recommended
Windows Server 2003.
Windows Server 2008 R2
NFA console server
Windows Server 2003.
Windows Server 2008 R2
Servers that are used to log
into the NFA console
Required
Standalone server
Note: To set up CA Network Flow Analysis and work with data in the CA Performance
Center Console, use Internet Explorer 8 with compatibility mode turned off. To work in
CA Network Flow Analysis directly, you can use Internet Explorer 7 or 8 with
compatibility mode turned on or off.
If Internet Explorer 8 Developer Tools are installed, you can turn off compatibility mode
for the current browser session:
1.
Press F12 on your keyboard.
2.
Click the Browser Mode item on the main menu.
3.
Select Internet Explorer 8.
If your enterprise has a policy that requires the Internet Explorer 8 browser to operate
in compatibility mode, you may want to use Internet Explorer 7.
Chapter 4: Preparing Windows Servers 17
Install JRE and .NET Framework
Install JRE and .NET Framework
Install the following software on all of the Windows servers, logged on as a user who is a
member of the Administrators group:
■
Java Runtime Engine (JRE) 1.6u41, which is included with the ISO files from CA
Technical Support.
If the installation server does not have JRE version 1.6 installed, the installation or
upgrade program fails to launch. We recommend that you install JRE 1.6u41, the
version that was used in CA Network Flow Analysis 9.1.3 testing. Untested JRE
versions may produce unexpected results.
■
.NET Framework 3.5.1
If the .NET Framework software is missing or version 4.0 is installed, a prerequisite
check causes the installation or upgrade program to exit.
Required/Optional
Operating System
Servers to Configure
Required
Windows Server 2003.
Windows Server 2008 R2
All servers
Install Adobe Applications
Adobe Flash Player is used to view reports and the Administration System Status page.
We recommend that you install the latest version of Flash Player from
http://get.adobe.com/flashplayer/.
Adobe Acrobat Reader is required on any system that you use to view the product
documentation in PDF format. If you do not have a recent version of the Acrobat
Reader, install the latest version from http://get.adobe.com/reader/.
18 Installation Guide
Required/Optional
Operating System
Servers to Configure
Recommended
Windows Server 2003.
Windows Server 2008 R2
Standalone, Console
Firewall Configuration
Firewall Configuration
For CA Network Flow Analysis to work properly in a firewall-protected environment,
certain ports must be open. The following topics summarize the ports that must be
open to allow communication among the CA Network Flow Analysis components. To
perform these tasks, log in as a user who is a member of the Administrators group.
■
Standalone system (see page 19)
■
Two-tier distributed deployment (see page 20)
■
Three-tier distributed deployment (see page 21)
Ports to Open for a Standalone System
Open the following ports on a standalone system to allow CA Network Flow Analysis
communications to function properly.
From
To
Port [Function]
NFA console
Outbound
■
TCP 25 [SMTP email reports]
■
UDP 53 [DNS]
Harvester
Routers (SNMP
■
interface, read-only)
UDP 161 [SNMP polling]
Trap destination
■
UDP 162 [traps]
Router
Harvester
■
UDP 9995 [flow]
Administrators and
operators
NFA console
■
TCP/HTTP 80 [UI access and SNMP web services]
■
TCP/HTTP 8381 [Single Sign-On]
■
TCP 8681 [Report Information Base (RIB) reporting]
■
TCP/HTTP 80 [device and interface synchronization with CA
Performance Center]
■
TCP 8681 [data import for CA Network Flow Analysis views in CA
Performance Center]
■
TCP 3389 [Remote Desktop, if Remote Desktop is used]
■
TCP 5800, 5801, 5900, 5901 [VNC, if VNC is used]
CA Performance
Center Console
Administrators
NFA console
Each server
Chapter 4: Preparing Windows Servers 19
Firewall Configuration
Ports to Open for a Two-Tier Distributed Deployment
Two-Tier Distributed Deployment
NFA console and Harvesters on separate servers, but no DSA
Open the following ports in a two-tier distributed deployment to allow communication
among the NFA console, Harvesters, and other elements.
From
To
Port [Function]
NFA console
Outbound
■
TCP 25 [SMTP email reports]
■
UDP 53 [DNS]
■
TCP 3307 [CA MySQL]
■
TCP 3308 [MySQL]
■
TCP 8066 [SOAP web service calls]
■
TCP 8080 [File web server port for collecting Harvester files]
■
UDP 161 [Watchdog service]
Harvester
Harvester
Routers (SNMP
■
interface, read-only)
UDP 161 [SNMP polling]
Trap destination
■
UDP 162 [traps]
Router
Harvester
■
UDP 9995 [flow]
Administrators and
operators
NFA console
■
TCP/HTTP 80 [UI access and SNMP web services]
■
TCP/HTTP 8381 [Single Sign-On]
■
TCP 8681 [Report Information Base (RIB) reporting]
■
TCP/HTTP 80 [device and interface synchronization with CA
Performance Center]
■
TCP 8681 [data import for CA Network Flow Analysis views in CA
Performance Center]
■
TCP 3389 [Remote Desktop, if Remote Desktop is used]
■
TCP 5800, 5801, 5900, 5901 [VNC, if VNC is used]
CA Performance
Center Console
Administrators
20 Installation Guide
NFA console
Each server
Firewall Configuration
Ports to Open for a Three-Tier Distributed Deployment
Three-Tier Distributed Deployment
NFA console, Harvester, and DSA components on separate servers
Open the following ports in a three-tier distributed deployment to allow communication
among the NFA console, Harvesters, DSAs, and other elements.
From
To
Port [Function]
NFA console
Outbound
■
TCP 25 [SMTP email reports]
■
UDP 53 [DNS]
■
TCP 3307 [CA MySQL]
■
TCP 3308 [MySQL]
■
TCP 8066 [SOAP web service calls]
■
TCP 8080 [File web server port for collecting Harvester files]
■
UDP 161 [Watchdog service]
■
TCP 3307 [CA MySQL]
■
TCP 3308 [MySQL]
■
UDP 161 [Watchdog service]
Harvester
DSA
Harvester
DSA
Routers (SNMP
■
interface, read-only)
UDP 161 [SNMP polling]
Trap destination
■
UDP 162 [traps]
NFA console
■
TCP 3308 [MySQL]
■
TCP 8080 [File Web Service, which retrieves files from the NFA
console without using a file share]
Router
Harvester
■
UDP 9995 [flow]
Administrators and
operators
NFA console
■
TCP/HTTP 80 [UI access and SNMP web services]
■
TCP/HTTP 8381 [Single Sign-On]
■
TCP 8681 [Report Information Base (RIB) reporting]
■
TCP/HTTP 80 [device and interface synchronization with CA
Performance Center]
■
TCP 8681 [data import for CA Network Flow Analysis views in CA
Performance Center]
CA Performance
Center Console
NFA console
Chapter 4: Preparing Windows Servers 21
Install IIS, ASP, and COM+
From
To
Port [Function]
Administrators
Each server
■
TCP 3389 [Remote Desktop, if Remote Desktop is used]
■
TCP 5800, 5801, 5900, 5901 [VNC, if VNC is used]
Install IIS, ASP, and COM+
To run the CA Network Flow Analysis software successfully on a standalone server or
NFA console server, install Internet Information Services (IIS), ASP, and COM+ as
described in the related topics for:
■
Windows Server 2008 R2 (see page 22)
■
Windows Server 2003 (see page 24)
Required/Optional
Operating System
Servers to Configure
Required
Windows Server 2003,
Windows Server 2008 R2
Standalone, Console
Install IIS, ASP, and COM+ on Windows Server 2008 R2
Use the steps in this topic to install the following required components on a standalone
server or NFA console server that is running Windows Server 2008 R2:
■
IIS
■
ASP
■
IIS 6 Management Compatibility
■
COM+ Network Access
Follow these steps:
1.
Log in to the server as a user who is a member of the Administrators group.
2.
Select Start, Administrative Tools, Server Manager.
The Server Manager window opens.
3.
22 Installation Guide
Expand the Roles list in the Console tree on the left.
Install IIS, ASP, and COM+
4.
Add the IIS role service:
a.
Click the Application Server link under Roles in the Console tree on the left.
The Application Server view opens in the right pane.
b.
Click the Add Role Services link in the Role Services section.
The Add Role Services wizard opens to the Select Role Services page.
c.
Select the Web Server (IIS) Support check box.
A confirmation message appears.
d.
Click Add Required Role Services in the confirmation message.
The Web Server (IIS) Support option is highlighted on the Select Role Services
page.
5.
Add the COM+ role service:
a.
Select the COM+ Network Access check box.
A confirmation message appears.
b.
Click Add Required Role Services in the confirmation message, then click Next.
The Web Server (IIS) page of the Add Role Services wizard opens.
6.
Enable IIS 6 Management Compatibility:
a.
Click Next again.
A list of role services appears in the wizard.
b.
Select the IIS 6 Management Compatibility check box in the Management Tools
section of the list, then click Next.
The Confirm Installation Selections page summarizes your actions and displays
related messages.
7.
Install the IIS and COM+ role services and options you selected:
a.
Click Install.
The Progress page is shown until the installation or upgrade is complete, when
the Results page opens.
b.
(Optional) Click ‘Print, e-mail, or save the installation/upgrade report, review
the information,’ then close the page.
The Installation Report page displays a summary of your changes, information
about the changes, and the location of the full installation/upgrade log.
c.
Click Close.
The Results page closes.
Chapter 4: Preparing Windows Servers 23
Install IIS, ASP, and COM+
8.
Add and install the ASP role service:
a.
Click the Web Server (IIS) link under Roles in the Console tree on the left.
The Web Server (IIS) view opens in the right pane.
b.
Click the Add Role Services link in the Role Services section.
The Add Role Services wizard opens to the Select Role Services page.
c.
Select the ASP check box under Application Development in the list and click
Next.
The Confirm Installation Selections page summarizes your actions and related
messages.
d.
Click Install.
The Progress page is shown until the installation or upgrade is complete, when
the Results page opens.
e.
(Optional) Click ‘Print, e-mail, or save the installation/upgrade report, review
the information,’ then close the page.
The Installation Report page displays a summary of your changes, information
about the changes, and the location of the full installation/upgrade log.
f.
Click Close.
The Installation Results page closes.
9.
Exit from the Server Manager window.
Install IIS, ASP, and COM+ on Windows Server 2003
Use the steps in this topic to install the following required components on a standalone
server or NFA console server that is running Windows Server 2003:
■
ASP.NET
■
Network COM+ access
■
Internet Information Services (IIS)
with the Active Server Pages option enabled for the World Wide Web service
Follow these steps:
1.
Log in to the server as a user who is a member of the Administrators group.
2.
Open the Windows Component wizard:
a.
Select Start, Control Panel, Add or Remove Programs.
The Add or Remove Programs window opens.
b.
Click Add/Remove Windows Components in the left pane.
The Windows Components Wizard window opens.
24 Installation Guide
Install IIS, ASP, and COM+
3.
Select the components to add:
a.
Select Application Server in the list.
b.
Click Details.
The Application Server dialog opens and displays a list of optional Application
Server components.
c.
4.
Select the following check boxes:
■
ASP.NET check box.
■
Enable network COM+ access (selected automatically when you select
ASP.NET)
■
Internet Information Services (IIS) (selected automatically when you select
ASP.NET)
Select the Active Server Pages subcomponent to be enabled for the World Wide
Web service:
a.
Select Internet Information Services (IIS) in the Application Server component
list.
b.
Click Details.
The Internet Information Services (IIS) dialog opens and displays a list of
optional IIS subcomponents.
c.
Highlight the World Wide Web Service subcomponent. This check box is
selected by default.
The World Wide Web Service dialog opens and shows a list of subcomponents.
d.
5.
Select the Active Server Pages (ASP) check box.
Save your selections:
a.
Click OK in the World Wide Web Service dialog.
You return to the Internet Information Services (IIS) dialog.
b.
Click OK in the Internet Information Services (IIS) dialog.
You return to the Application Server dialog.
c.
Click OK in the Application Server dialog.
You return to the Windows Component Wizard.
Chapter 4: Preparing Windows Servers 25
Configure SNMP
6.
Update the Windows configuration with your selections:
a.
Click Next in the Windows Components Wizard screen.
The system locates the files for the update. If any files are missing, a message
opens. In this case, insert the Windows 2003 Server Edition CD-ROM or specify
the path to the missing files.
A message notifies you when the preparations are complete.
b.
Click Finish.
The Windows Components wizard closes. The Windows configuration changes
are complete.
Configure SNMP
The Simple Network Management Protocol (SNMP) service is required by the Watchdog
services. Configure the SNMP service as described in the related topics for:
■
Windows Server 2008 R2 (see page 26)
■
Windows Server 2003 (see page 27)
Required/Optional
Operating System
Servers to Configure
Required
Windows Server 2003,
Windows Server 2008 R2
All servers
Configure SNMP on Windows Server 2008 R2
Use the steps in this topic to configure the SNMP service as required on all Windows
Server 2008 R2 servers in your CA Network Flow Analysis deployment.
Follow these steps:
1.
Log in to the server as a user who is a member of the Administrators group.
2.
Select Start, Administrative Tools, Server Manager.
The Server Manager window opens.
3.
Click Features in the left pane.
The Server Manager window displays a list of the installed features.
4.
Click Add Features in the right pane.
The Add Features wizard opens and shows the list of selected and available
features.
26 Installation Guide
Configure SNMP
5.
Select the SNMP Services check box in the list.
A confirmation message appears.
6.
Click Add Required Features.
The Confirm Installation Services page identifies the features to be installed. The
page also displays important messages about the installation or upgrade.
7.
Click Install.
The Installation Progress page opens. When the installation or upgrade is complete,
the Installation Results page opens, identifies the new features, and indicates
whether you will need to restart the server.
8.
Click Close.
A message asks whether you want to restart the server now.
9.
Click Yes.
After the server restarts, the Features view in the Server Manager window shows
the newly installed feature.
Configure SNMP on Windows Server 2003
Use the steps in this topic to configure the SNMP service as required on all Windows
Server 2003 servers in your CA Network Flow Analysis deployment.
Follow these steps:
1.
Log in as a user who is a member of the Administrators group.
2.
Open the Windows Component wizard:
a.
Select Start, Control Panel, Add or Remove Programs.
The Add or Remove Programs window opens.
b.
Click Add/Remove Windows Components in the left pane.
The Windows Components Wizard window opens.
3.
Add Simple Network Management Protocol (SNMP):
a.
Highlight Management and Monitoring Tools in the Windows Component
Wizard component list and click Details.
The Management and Monitoring Tools dialog opens.
b.
Select the Simple Network Management Protocol check box.
c.
Click OK.
The Management and Monitoring Tools dialog closes and you return to the
Windows Components Wizard screen. SNMP is set to be added.
Chapter 4: Preparing Windows Servers 27
Configure the SNMP Community Name
4.
Update the Windows configuration with your selections:
a.
Click Next in the Windows Components Wizard screen.
The system locates the files for the update. If any files are missing, a message
opens. In this case, insert the Windows 2003 Server Edition CD-ROM or specify
the path to the missing files.
A message notifies you when the preparations are complete.
b.
Click Finish.
The Windows Components wizard closes. The selected components are added
to your Windows configuration.
Configure the SNMP Community Name
Define the community name for the SNMP service to help prevent polling errors and
help product components work properly. Use the same community name that is defined
on the Watchdog Settings page, which is "public" by default. This topic describes how to
define the community name as "public" on a Windows server in your CA Network Flow
Analysis deployment.
Required/Optional
Operating System
Servers to Configure
Required
Windows Server 2003,
Windows Server 2008 R2
All servers
Follow these steps:
1.
Log in as a user who is a member of the Administrators group.
2.
Select Start, Administrative Tools, Services.
The Services window opens.
3.
Right-click the SNMP Service and select Properties.
The SNMP Service Properties dialog opens.
4.
Select the Security tab.
5.
Verify that the appropriate community name is in the "Accepted community
names" list. The default community name is "public."
6.
If the appropriate community name is not listed, add it:
a.
Click Add.
The SNMP Service Configuration dialog opens.
b.
Set the following options:
■
28 Installation Guide
Community rights: Select Read Only.
Disable Connections to IPv6 Addresses on Windows Server 2008 R2
■
Community Name: Enter public or a custom community name. Use the
same community name throughout the CA Network Flow Analysis
deployment:
snmpd.conf file on each Linux server
SNMP service on each Windows server
Watchdog Settings page of the NFA console
c.
Click Add.
The SNMP Service Configuration dialog closes. The SNMP Service Properties
dialog displays the new name in the "Accepted community names" list.
7.
Click OK in the SNMP Service Properties dialog.
Any changes that you made are saved. The SNMP Service Properties dialog closes.
8.
Select File, Exit in the Services window.
The Services window closes.
Disable Connections to IPv6 Addresses on Windows Server
2008 R2
We recommend that you set up Windows Server 2008 R2 systems so that they are
prevented from connecting to IPv6 addresses, which are currently not supported. If
connection to IPv6-formatted addresses is enabled, data collection fails. This topic
describes how to perform this task on the Windows Server 2008 R2 systems in your CA
Network Flow Analysis deployment.
Note: Windows Server 2003 systems disable connection to IPv6 addresses by default.
You do not need to perform this task on a Windows Server 2003 system unless the
"Microsoft TCP/IP version 6" option has been enabled for network connections.
Required/Optional
Operating System
Servers to Configure
Recommended
Windows Server 2008 R2
All servers
The instructions are based on the assumption that each server has a single network
interface card, which is the recommended configuration.
Follow these steps:
1.
Log in as a user who is a member of the Administrators group.
2.
Open the Network Connections window:
a.
Select Start, Control Panel.
b.
Click Network and Internet in the Control Panel.
Chapter 4: Preparing Windows Servers 29
Configure Data Execution Prevention (DEP)
c.
Click Network and Sharing Center in the Network and Internet window that
opens.
d.
Click "Change adapter settings" on the left side of the Network and Sharing
Center window that opens.
The Network Connections window opens and shows the currently configured
connections.
3.
Right-click the connection.
4.
Select Properties from the menu.
The Properties dialog opens.
5.
Clear the check box labeled 'Internet Protocol Version 6 (TCP/IPv6),' if it is selected.
6.
Click OK.
Any changes that you made are saved. The Properties dialog box closes,
7.
Select Organize, Close in the Network Connections window.
The Network Connections window closes.
Configure Data Execution Prevention (DEP)
Data Execution Prevention (DEP) helps to prevent code execution from data pages. This
topic describes how to configure the appropriate DEP policy level on a Windows Server
2008 R2 system.
A Windows Server 2003 system should have the appropriate setting enabled by default
unless a different policy level is specified in an unattended installation. If the default
OptIn DEP policy level has been overridden on your Windows Server 2003 system,
consult the Microsoft support site for steps to restore the setting.
Required/Optional
Operating System
Servers to Configure
Required
Windows Server 2003,
Windows Server 2008 R2
All servers
Follow these steps:
30 Installation Guide
1.
Log in as a user who is a member of the Administrators group.
2.
Open the Control Panel and click the System link.
3.
Click the Advanced tab in the System Properties dialog that opens.
4.
Click Settings.
Configure Data Execution Prevention (DEP)
5.
Click the Data Execution Prevention tab in the Performance Options dialog that
opens.
6.
Select "Turn on DEP for essential Windows programs and services only."
7.
Save your settings and exit:
a.
Click OK in the Performance Options dialog.
Your settings are saved and the dialog closes.
b.
Click OK in the System Properties dialog.
A message opens and informs you that you must restart your system to make
the new settings take effect.
8.
(Optional) Restart your system before you install or upgrade the software.
If you proceed with software installation or upgrade without restarting the system,
the prerequisite test displays a warning about your DEP configuration.
Chapter 4: Preparing Windows Servers 31
Chapter 5: Preparing Linux Servers
This section contains the following topics:
Prepare the Linux Servers (see page 33)
Install SNMP on Linux Servers (see page 34)
Disable IPv6 Networking on Linux Servers (see page 35)
Disable the iptables Firewall for Linux Servers (see page 36)
Prepare the Linux Servers
Before you begin the installation, verify that the following conditions are met. Failure to
comply with these requirements can result in data loss, increased down time, software
conflicts, or a failed installation.
■
System Requirements: Verify that the installation servers meet the requirements
and recommendations (see page 12).
■
Verify that each of the Harvester Linux servers is ready for the installation by:
■
Installing the supported version of the JRE: Java Runtime Engine (JRE) 1.6u41.
■
Assigning a static IP address to each server. Set the Harvester server IP address
to match the flow export destination for each router.
■
Disabling the following third-party software: Antivirus, server monitoring, and
maintenance software. If you enable antivirus scans later, exclude the CA
Network Flow Analysis installation path and its subdirectories
■
Installing SNMP (see page 34)
If SNMP is not running, the installation program displays a warning. You can
bypass the warning and install SNMP later.
■
Disabling the iptables firewall (see page 36)
■
Disabling IPv6 networking (see page 35)
General Notes:
■
Stop other programs from running during the installation or upgrade.
■
Restart all servers to ensure that all the installed operating system patches are
applied.
■
Ensure that no one else is logged in to the server during the installation or upgrade.
Chapter 5: Preparing Linux Servers 33
Install SNMP on Linux Servers
Localization Notes:
■
To support non-Latin characters such as Japanese and Simplified Chinese, any
command line clients that you use for installation must be configured for UTF-8
encoding. If UTF-8 encoding is not enabled, these characters may not display
properly.
■
The appropriate language packs are required for localized deployments.
■
Regional Settings must use a period (.) to indicate a decimal value. If your
deployment is localized to French, change the decimal symbol to a period in the
Region and Language: Customize Format dialog.
■
Polling fails if DNS resolution is not configured. For more information, see the
Readme.
Install SNMP on Linux Servers
To configure a Linux server for a Harvester, complete the following main tasks:
■
If Net-SNMP if it is not already present on the installation or upgrade server, install
it as described in this topic.
■
Finish SNMP configuration after the installation or upgrade is complete: (see
page 51)
–
Set up the Net-SNMP configuration file.
–
Configure SNMP to start automatically on boot.
–
Start the snmpd service.
Verify that Net-SNMP is present on the server and install it if necessary. Net-SNMP is
required to support Watchdog functionality.
Follow these steps:
1.
Open the Linux Package Manager and look for listings that contain "net-snmp."
If you do not find any "net-snmp" listings, Net-SNMP is not installed.
2.
34 Installation Guide
Get and install Net-SNMP if it is not installed. For example, you can get Net-SNMP
from the Linux Package Manager.
Disable IPv6 Networking on Linux Servers
Disable IPv6 Networking on Linux Servers
Disable IPv6 networking on each Linux server that has a Harvester installed.
Note: Complete this task before you add the Harvester in the NFA console. If IPv6 is
enabled when you add a Harvester in the NFA console, the Harvester automatically
binds with an IPv6-format address, which prevents CA Network Flow Analysis from
receiving its data.
To disable IPv6 networking, modify the following files:
■
Kernel driver configuration file, modprobe.conf, which is located by default in the
/etc directory
■
RHEL networking configuration file, network, which is located by default in the
/etc/sysconfig directory
Follow these steps:
1.
Make sure that you are logged in with root privileges.
2.
Edit the modprobe.conf file:
a.
Open the /etc/modprobe.config file in a text editor.
b.
Append the following line:
install ipv6 /bin/true
c.
Save and close the file.
The modprobe.conf file is now configured so that when the system attempts to
load the IPv6 kernel module, it executes the command 'true' instead of loading
the module. The 'true' command performs no action.
3.
Edit the network file:
a.
Open the /etc/sysconfig/network file in a text editor.
b.
Update or add the following lines to match the text strings shown:
NETWORKING_IPV6=no
IPV6INIT=no
c.
4.
Save and close the file.
Reboot the server:
reboot
Chapter 5: Preparing Linux Servers 35
Disable the iptables Firewall for Linux Servers
5.
Verify that IPv6 is disabled:
a.
Enter the following command at a terminal:
lsmod | grep ipv6
If the command returns no output, the IPv6 kernel module is not running: It has
been removed successfully.
b.
Enter the /sbin/ifconfig command:
/sbin/ifconfig
Check the output to verify that it contains only IPv4 addresses and no IPv6
addresses.
Disable the iptables Firewall for Linux Servers
We recommend that you disable the iptables firewall and stop the iptables service on
each Linux server that has a Harvester installed. Disabling iptables ensures that all the
required ports are open and that the iptables firewall does not impact performance
adversely.
Note: If your enterprise requires the use of iptables, make sure that you open all of the
applicable firewall ports in the firewall configuration list (see page 19). In addition make
sure that you have full localhost-to-localhost access. This step is required because CA
Network Flow Analysis uses RMI (Remote Method Invocation) access.
Complete the following steps to disable all levels of iptables and allow communication
among CA Network Flow Analysis components.
Follow these steps:
1.
Log in as root or with a sudo user account.
2.
Run the following commands in a command prompt window:
service iptables stop
chkconfig iptables off
chkconfig –-list |grep iptables
3.
Review the output of the last command to make sure that all of the iptables levels
are off, as shown in the following example:
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
36 Installation Guide
Chapter 6: Install the Software
This section contains the following topics:
Install the Components on a Standalone Server (see page 37)
Install a Distributed Deployment (see page 40)
Install the Components on a Standalone Server
A standalone configuration consists of one server that hosts the NFA console and the
Harvester. Complete the steps in this topic to install all of the CA Network Flow Analysis
components on a single Windows server or virtual machine.
Before You Begin: Verify that the installation server is prepared as described in Prepare
the Windows Servers (see page 15).
Follow these steps to complete the Harvester phase of the installation:
1.
Log in to the server as an administrator.
2.
Start the Harvester phase of the installation: Double-click the
NFHarvesterSetup9.1.3.exe file.
A check verifies that the server has a supported version of the Java Runtime Engine
(JRE) installed. If the check fails, an error message opens (see page 71). You cannot
launch the installation or upgrade program until this problem is corrected.
If the server passes the Java prerequisite check, the program starts and the
language selection screen opens.
3.
Verify that the appropriate language is selected, then click OK.
The Welcome screen opens.
4.
Click Next in the Welcome screen.
The CA NFA Harvester License Agreement screen opens.
5.
Review and accept the license agreement:
a.
Read the license agreement and scroll down.
b.
If you want to continue under the terms of the license agreement, click the
option to accept it. This option is activated when you scroll to the bottom.
c.
Click Next.
Chapter 6: Install the Software 37
Install the Components on a Standalone Server
Prerequisite tests are run to identify problems on the server. If a problem is
found, an error message opens. A critical problem causes the program to exit.
A Pre-requisite Check Warning message or other warning message opens for
non-critical problems, which gives you the option to make corrections now or
after the installation or upgrade is complete.
6.
7.
Review the test results in the Pre-requisite Check Warning message, if it opens:
a.
Correct problems now or wait until the program finishes. For more information
about the warnings, see the Troubleshooting (see page 69) section.
b.
Click OK to close the message.
Verify or specify the installation directory:
a.
(Optional) Click Choose in the Choose Install Folder screen to change the
installation location.
The default location is C:\CA\NFA. We recommend that you install CA Network
Flow Analysis components on a nonsystem drive that is dedicated to CA
Network Flow Analysis instead of using the operating system drive. The NFA
console will be installed to the same directory that you choose for the
Harvester.
b.
Click Next when the installation path setting is correct.
The Pre-Installation Summary screen opens.
8.
Review the pre-installation information, then click Install.
The Installing Harvester screen opens, which shows the progress. When the
installation is complete, the Install Complete screen opens and reports any errors
that occurred.
9.
(Optional) If errors occurred during the installation, see the following log for details:
<install_path>\Harvester_Install_<timestamp>.log (where <timestamp> is the time
the log was created)
10. Click Done in the Install Complete screen.
The Harvester installation program closes.
Follow these steps to complete the NFA console phase of the installation:
1.
Start the NFA console installation software: Double-click the
RAConsoleSetup9.1.3.exe file in Windows Explorer.
A check verifies whether a supported version of the Java Runtime Engine (JRE) is
installed. If the check fails, an error message opens (see page 71). You cannot
launch the installation program until this problem is corrected.
If the server passes the Java prerequisite check, the program starts and the
language selection screen opens.
38 Installation Guide
Install the Components on a Standalone Server
2.
Verify that the appropriate language is selected, then click OK.
The Welcome screen opens.
3.
Click Next in the Welcome screen.
The NFA Console License Agreement screen opens.
4.
Review and accept the license agreements:
a.
Read the NFA console license agreement and scroll down.
b.
If you want to continue under the terms of the NFA console license agreement,
click the option to accept it This option is activated when you scroll to the
bottom.
c.
Click Next.
The Third-Party License Agreement screen opens.
5.
d.
Read the third-party license agreement and scroll down.
e.
If you want to continue under the terms of the third-party license agreement,
click the option to accept it. This option is activated when you scroll to the
bottom.
Click Next.
Prerequisite tests are run on the installation server. If an error message opens that
requires attention, see Troubleshooting (see page 69).
6.
Review the test results in the Pre-requisite Check Warning message, if it opens:
a.
Fix any noncritical problems now or wait until the installation program finishes.
b.
Click OK to close the message.
The Singlebox Confirmation message opens and asks you to confirm that you
want a standalone deployment of CA Network Flow Analysis.
7.
Review the Singlebox Confirmation information and click OK.
The Pre-Installation Summary screen opens after a moment.
8.
Review the pre-installation information, then click Install.
The Installing NFA screen opens. Progress is shown in the status bar and messages.
When the NFA console installation is complete, the Install Complete screen opens.
a.
Select "Yes, restart my system."
b.
Click Done.
Installation is complete.
Next: Complete the post-installation tasks. (see page 49)
Chapter 6: Install the Software 39
Install a Distributed Deployment
Install a Distributed Deployment
In a distributed deployment, CA Network Flow Analysis components are distributed
among multiple servers. The topics in this section describe how to install the software
on each component server.
To install a two-tier distributed deployment, complete the following procedures:
■
Install the Harvester on a Windows Server (see page 40) or
■
Install the Harvester on a Linux Server (see page 42)
■
Install the NFA Console (see page 46)
To install a three-tier distributed deployment, complete the following procedures:
■
Install the Harvester on a Windows Server (see page 40)
■
Install the DSA Server (see page 44)
■
Install the NFA Console (see page 46)
Note: The steps in these topics assume that you follow the recommended installation
order: Harvesters first, DSAs second (if any), then the NFA console last.
Install the Harvester on a Windows Server
Distributed deployments have separate servers for the NFA console and the Harvester.
Complete the steps in this topic to install the Harvester on a dedicated Windows server
or virtual machine.
In a distributed deployment, each Harvester is on a separate server. To install a
Harvester on a dedicated Windows server or virtual machine, complete the steps in this
topic. These steps apply to a two-tier or three-tier distributed deployment.
Before You Begin: Verify that the installation server is prepared as described in Prepare
the Windows Servers (see page 15).
Follow these steps:
1.
Log in to the server as a user with administrative privileges.
2.
Start the installation: Double-click the NFHarvesterSetup9.1.3.exe file in Windows
Explorer on the Harvester server.
A check verifies that the server has a supported version of the Java Runtime Engine
(JRE) installed. If the check fails, an error message opens (see page 71). You cannot
launch the installation or upgrade program until this problem is corrected.
If the server passes the Java prerequisite check, the program starts and the
language selection screen opens.
40 Installation Guide
Install a Distributed Deployment
3.
Verify that the appropriate language is selected, then click OK.
The Welcome screen opens.
4.
Click Next in the Welcome screen.
The License Agreement screen opens.
5.
Review and accept the license agreement:
a.
Read the license agreement and scroll down.
b.
If you want to continue under the terms of the license agreement, click the
option to accept it. This option is activated when you scroll to the bottom.
c.
Click Next.
Prerequisite tests are run to identify problems on the server. If a problem is
found, an error message opens, as described in Troubleshooting (see page 69).
6.
If the Pre-requisite Check Warning message opens, review the test results:
a.
Correct problems now or wait until the installation program finishes. For more
information about the warnings, see the Troubleshooting (see page 69) section.
b.
Click OK to close the message.
Once the server passes the required checks and you close any noncritical
messages, the Choose Install Folder screen opens and displays the default root
installation path.
7.
Verify or specify the installation directory:
a.
(Optional) Click Choose in the Choose Install Folder screen to change the
installation location.
The default location is C:\CA\NFA. We recommend that you install CA Network
Flow Analysis components on a nonsystem drive that is dedicated to CA
Network Flow Analysis instead of using the operating system drive. The NFA
console will be installed to the same directory that you choose for the
Harvester.
b.
Click Next when the installation path setting is correct.
The Pre-Installation Summary screen opens.
8.
Review the pre-installation information, then click Install.
The Installing Harvester screen opens, which shows the progress. When the
installation is complete, the Install Complete screen opens and reports any errors
that occurred.
9.
(Optional) If errors occurred during the installation, see the following log for details:
<install_path>\Harvester_Install_<timestamp>.log (where <timestamp> is the time
the log was created)
Chapter 6: Install the Software 41
Install a Distributed Deployment
10. Click Done in the Install Complete screen.
The Harvester installation program closes.
Next: Repeat these steps to install a Harvester on another server or install the console
(see page 46).
Install the Harvester on a Linux Server
A two-tier distributed deployment of CA Network Flow Analysis may include one or
more Linux Harvester servers. To install the Harvester software on a dedicated Linux
server or virtual machine, complete the steps in this topic.
Before You Begin: Verify that the server is prepared as described in Prepare the Linux
Servers (see page 33).
Follow these steps:
1.
Log in to the target system as root.
You can install the software locally or remotely--for example, by using ssh when you
are logged in with root privileges.
Note: If you do not have root access, use an account with sudo privileges.
2.
Open a command prompt window.
3.
Run the following command to change the ulimit for the open files limit:
ulimit -n ulimit_number
Example:
ulimit -n 65536
4.
Prepare the installation/upgrade file for execution:
a.
Log in to the Harvester server as root.
You can install or upgrade the software locally or remotely--for example, by
using ssh when you are logged in with root privileges. If you do not have root
access, use an account with sudo privileges.
b.
Execute the chmod command on the file in a terminal window:
chmod u+x NFHarvesterSetup9.1.3.bin
c.
(Optional) Execute the list command to verify that the file is executable:
ls -al
The file permission settings are displayed.
5.
Run the installation or upgrade software:
./NFHarvesterSetup9.1.3.bin
42 Installation Guide
Install a Distributed Deployment
A check verifies that the server has a supported version of the Java Runtime Engine
(JRE) installed. If the check fails, an error message opens (see page 71). You cannot
launch the installation or upgrade program until this problem is corrected.
If the server passes the Java prerequisite check, the program starts and the
language selection screen opens.
6.
Verify that the appropriate language is selected, then click OK.
The Welcome screen opens.
7.
Click Next in the Welcome screen.
The License Agreement screen opens.
8.
Review and accept the license agreement:
a.
Read the license agreement and scroll down.
b.
If you want to continue under the terms of the license agreement, click the
option to accept it. This option is activated when you scroll to the bottom.
c.
Click Next.
Prerequisite tests are run to identify problems on the server. If a problem is
found, an error message opens, as described in Troubleshooting (see page 69).
9.
If the Pre-requisite Check Warning message opens, review the test results:
a.
Correct problems now or wait until the installation program finishes. For more
information about the warnings, see the Troubleshooting (see page 69) section.
b.
Click OK to close the message.
Once the server passes the required checks and you close any noncritical
messages, the Choose Install Folder screen opens and displays the default root
installation path.
10. Verify or specify the installation directory:
a.
(Optional) Click Choose in the Choose Install Folder screen to change the
installation location.
The default location is C:\CA\NFA. We recommend that you install CA Network
Flow Analysis components on a partition that is dedicated to CA Network Flow
Analysis. The NFA console will be installed to the same directory that you
choose for the Harvester.
b.
Click Next when the installation path setting is correct.
The Pre-Installation Summary screen opens.
11. Review the pre-installation information, then click Install.
The Installing Harvester screen opens, which shows the progress. When the
installation is complete, the Install Complete screen opens and reports any errors
that occurred.
Chapter 6: Install the Software 43
Install a Distributed Deployment
12. (Optional) If errors occurred during the installation, see the following log for details:
<install_path>/Harvester_Install_<timestamp>.log (where <timestamp is the time
the log was created)
13. Click Done in the Install Complete screen.
The Harvester installation program closes.
Next: Repeat these steps to install a Harvester on another server or install the console
(see page 46).
Install the DSA in a Three-Tier Distributed Deployment
In a three-tier distributed deployment, each DSA is installed on a separate server. To
install a DSA on a dedicated Windows server or virtual machine, complete the steps in
this topic.
Before You Begin:
■
Verify that the installation server is prepared as described in Prepare the Windows
Servers (see page 15).
■
Verify that the CA Network Flow Analysis software is installed on the Harvester
servers.
Follow these steps:
1.
Start the installation: Double-click the NFDSASetup9.1.3.exe file in Windows
Explorer.
A check verifies that the server has a supported version of the Java Runtime Engine
(JRE) installed. If the check fails, an error message opens (see page 71). You cannot
launch the installation or upgrade program until this problem is corrected.
If the server passes the Java prerequisite check, the program starts and the
language selection screen opens.
2.
Verify that the appropriate language is selected, then click OK.
The License Agreement screen opens.
3.
44 Installation Guide
Review and accept the license agreement:
a.
Read the license agreement and scroll down.
b.
If you want to continue under the terms of the license agreement, click the
option to accept it. This option is activated when you scroll to the bottom.
c.
Click Next.
Install a Distributed Deployment
Prerequisite tests are run to identify problems on the server. If a problem is
found, an error message opens. A critical problem causes the program to exit.
A Pre-requisite Check Warning message or other warning message opens for
non-critical problems, which gives you the option to make corrections now or
after the installation or upgrade is complete.
4.
Review the test results in the Pre-requisite Check Warning message, if it opens:
a.
Correct problems now or wait until the program finishes. For more information
about the warnings, see the Troubleshooting (see page 69) section.
b.
Click OK to close the message.
Once the server passes the required checks and you close any warning
messages that appear, the Choose Install Folder screen opens. This screen
displays the original root installation path as the default setting.
5.
Verify or specify the installation directories:
a.
(Optional) Click Choose in the Choose Install Folder screen to change the
installation location.
b.
Click Next when the installation path setting is correct.
The Select a Location for the MySQL Data Directory screen opens after a
moment. This screen shows the default installation path for the MySQL data
directory.
c.
(Optional) Click Choose to change the MySQL installation location, which shows
the default installation path for the MySQL database directory
We recommend that you use a drive that has at least 40 GB of available space
for the database.
d.
Click Next when the MySQL database path setting is correct.
The Select a Location for the MySQL Temp Directory screen opens, which
shows the default installation path for the MySQL tmp directory.
e.
(Optional) Click Choose to change the tmp directory location.
f.
Click Next when the MySQL tmp directory path setting is correct.
MySQL51 is configured, then the Pre-Installation Summary screen opens.
6.
Review the pre-installation information, then click Install.
The Installing DSA screen opens, which shows the progress. When the installation is
complete, the Install Complete screen opens and reports any errors that occurred.
7.
Click Done in the Install Complete screen.
The installation program closes.
Chapter 6: Install the Software 45
Install a Distributed Deployment
8.
(Optional) Check the DSA_Install_<timestamp> log periodically. This log is located at
the install path root level--for example, in the \CA\NFA directory. Use the log to
monitor the migration of the DSA database tables to the new format.
The database table migration begins as soon as the CA NFA DSA Loader service
restarts. The log lists the tables as they are migrated. Nine tables are migrated for
each agent or interface. If you have many agents and an extensive amount of stored
data, migration may continue for some time. Reports will have limited access to
your historical (15-minute) data until the migration is complete.
Next:
■
To install an additional DSA on another server, repeat these steps.
■
To install the NFA console, go to the next topic (see page 46).
Install the NFA Console
Distributed deployments use separate servers for the NFA console, Harvesters, and any
DSAs in the deployment. Complete the steps in this topic to install the NFA console on a
dedicated Windows server or virtual machine.
Before You Begin: Verify that the installation server meets the following requirements:
■
Server is prepared as described in Prepare the Windows Servers (see page 15).
■
The CA Network Flow Analysis software is installed on the Harvester servers.
■
If you have a three-tier architecture deployment, the CA Network Flow Analysis
software is installed on the DSA servers.
Follow these steps:
1.
Log in to the NFA console server as a user who has administrator privileges for the
system and for CA Network Flow Analysis.
2.
Start the installation: Double-click the RAConsoleSetup9.1.3.exe file in Windows
Explorer on the NFA console server.
A check verifies that the server has a supported version of the Java Runtime Engine
(JRE) installed. If the check fails, an error message opens (see page 71). You cannot
launch the installation or upgrade program until this problem is corrected.
If the server passes the Java prerequisite check, the program starts and the
language selection screen opens.
3.
Verify that the appropriate language is selected, then click OK.
The Welcome screen opens.
46 Installation Guide
Install a Distributed Deployment
4.
Click Next in the Welcome screen.
The License Agreement screen opens.
5.
Review and accept the license agreements:
a.
Read the NFA console license agreement and scroll down.
b.
If you want to continue under the terms of the NFA console license agreement,
click the option to accept it This option is activated when you scroll to the
bottom.
c.
Click Next.
The Third-Party License Agreement screen opens.
6.
d.
Read the third-party license agreement and scroll down.
e.
If you want to continue under the terms of the third-party license agreement,
click the option to accept it. This option is activated when you scroll to the
bottom.
Click Next.
Prerequisite tests are run on the installation server, as described in Troubleshooting
(see page 69). If the server fails any noncritical tests, the Pre-requisite Check
Warning message opens. If the server fails the test to verify the presence of the
Service Control command, a separate error message opens.
7.
If the '"sc.exe" is not installed' error message opens, the installation or upgrade
program closes when you close the error message. Restore the missing sc.exe file
and start the program again. For more information see the Troubleshooting topic
(see page 72).
8.
If the Pre-requisite Check Warning message opens, review the test results:
a.
Correct problems now or wait until the installation program finishes. For more
information about the warnings, see the Troubleshooting (see page 69) section.
b.
Click OK to close the message.
The Choose Install Folder screen opens.
9.
(Optional) Click Choose to change the program installation location when prompted
or enter a new path manually.
The Pre-Installation Summary screen opens after a moment.
10. Review the pre-installation information, then click Install.
The Installing NFA screen opens. Progress is shown in the status bar and messages.
When the program finishes, the Install Complete screen opens and reports any
errors.
Chapter 6: Install the Software 47
Install a Distributed Deployment
11. (Optional) If errors occurred during the installation, see the installation log:
<install_path>\NFA_Install_<timestamp>.log.
12. Exit from the installation program:
a.
b.
Select one of the restart options:
■
Yes, restart my system: Restart the system as soon as you click Done.
■
No, I will restart my system myself: Defer the restart to be performed
manually.
Click Done.
The installation program closes after a moment. If you selected the option to
restart now, the system restarts and the installation is finalized.
Next: Complete the post-installation tasks (see page 49).
48 Installation Guide
Chapter 7: Post-Installation Tasks
Complete the following post-installation tasks on each of the Windows servers:
Standalone Server
■
Install CA Performance Center or CA NetQoS Performance Center on a server in
your deployment (see page 50)
■
Configure SNMP on Linux Harvester servers (see page 51)
■
Exclude the following directories are excluded from real-time scans:
C:\Windows\Temp and <install_path> and all its subdirectories. Real-time scans of
these directories can corrupt the database.
■
Do not implement drive space compression. Drive space compression can cause
database losses and degraded system performance.
Distributed NFA Console
Server
Distributed Harvester
Server
Distributed 3-Tier
DSA Server
■
Synchronize system time (Windows Server 2008 (see page 53) or Windows Server 2003 (see page 54))
■
(Recommended) Update the list of trusted internet
sites (see page 55) *
■
(Recommended)
Modify router ACLs
(see page 56) **
■
(Recommended) Disable UAC (see page 56)
(Windows Server 2008 only)
■
(Recommended) Configure Web content expiration
[Windows Server 2008 (see page 57) or Windows
Sever 2003 (see page 58)]
■
(Recommended) Prevent SNMP false positives (see page 59)
■
(Optional) Configure Recycle Bin (see page 60)
■
(Recommended)
Modify router ACLs
(see page 56) **
Chapter 7: Post-Installation Tasks 49
Install CA Performance Center
Distributed NFA Console
Server
Standalone Server
■
Distributed Harvester
Server
Distributed 3-Tier
DSA Server
(Optional) Disable unneeded services [Windows Server 2008 (see page 61) or 2003 (see page 63)]
* In addition to the standalone server or NFA console server, verify that this task has
been completed for the browsers on the systems that will access the NFA console.
** In a distributed deployment, verify that the router access control lists (ACLs) are
configured to enable the Harvesters to perform SNMP polling.
This section contains the following topics:
Install CA Performance Center (see page 50)
Configure SNMP on Linux Servers (see page 51)
Synchronize System Time (see page 52)
Update the List of Trusted Internet Sites (see page 55)
Modify the Router Access Control Lists (see page 56)
Disable User Account Control (UAC) (see page 56)
Configure Web Content Expiration (see page 57)
Prevent False Positive Events (see page 59)
Configure the Recycle Bin (see page 60)
Disable Unneeded Services (see page 61)
Install CA Performance Center
A supported version of CA Performance Center or CA NetQoS Performance Center must
be installed on a server in your deployment. After you install CA Network Flow Analysis,
you register it as a data source with CA Performance Center or CA NetQoS Performance
Center. Registration enables you to perform certain administrative tasks and to view CA
Network Flow Analysis data in CA Performance Center or CA NetQoS Performance
Center views.
Verify that you have one of the following programs installed:
■
CA Performance Center 2.2.x or 2.3.x, installed on a Linux server that does not have
a CA Network Flow Analysis Harvester installed
or
■
CA NetQoS Performance Center 6.1.194, installed on a server that is running the
Standard edition of Windows Server 2003 or Windows Server 2008 R2
You have the option to co-locate CA NetQoS Performance Center 6.1.194 on a
server with a standalone deployment or console component for CA Network Flow
Analysis. Co-location with any other NetQoS software is not supported.
If you uninstall CA Network Flow Analysis from a server that also has CA NetQoS
Performance Center installed, both programs are disabled.
50 Installation Guide
Configure SNMP on Linux Servers
Documentation for installing CA Performance Center or CA NetQoS Performance Center
is available from CA Support. Refer to the bookshelf for your software version:
■
CA Performance Center Installation Guide in the CA Performance Center bookshelf
for version 2.2.x or 2.3.x.
■
CA NetQoS Performance Center Installation Guide in the CA NetQoS Performance
Center 6.1 bookshelf
Configure SNMP on Linux Servers
To configure a Linux server for a Harvester, complete the following tasks:
■
Set up the Net-SNMP configuration file.
■
Configure SNMP to start automatically on boot.
■
Start the snmpd service.
Follow these steps:
1.
Log in as root and open a shell prompt.
2.
Highly Recommended: Use the following steps to set up the Net-SNMP
configuration file. This configuration file is needed for Watchdog SNMP polling.
Note: If you have a custom (non-default) snmp configuration file at
/etc/snmp/snmp.conf, you may want to skip this step and update your existing
configuration file instead. In this case, consult with an administrator to update the
required settings to match the settings in the example configuration file. For
example, make sure the rocommunity value is set as shown in the example
configuration file.
If you use a custom community name as the rocommunity value, use the same
community name throughout the CA Network Flow Analysis deployment:
–
The snmpd.conf file on each Linux Harvester server
–
SNMP service on each Windows server
–
Watchdog Settings page of the NFA console
a.
Back up the configuration file in /etc, for example by entering the following
command (Recommended):
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
b.
Change to the Netflow directory:
cd <install_dir>/Netflow
where <install_dir> is the target directory for installing the Harvester:
/opt/CA/NFA/ or a custom location
Chapter 7: Post-Installation Tasks 51
Synchronize System Time
c.
Copy the snmpd.conf file in the Netflow directory to the /etc/snmp directory,
overwriting the existing file:
cp -i snmpd.conf /etc/snmp
d.
Confirm the overwrite operation when prompted.
e.
Verify that the configuration file is in place:
ls -l /etc/snmp/snmpd.conf
f.
Verify that the configuration file has the correct permissions:
chmod 600 snmpd.conf
3.
Configure SNMP to start automatically on each boot by entering the following
command:
chkconfig snmpd on
4.
Start the SNMP service in either of the following ways:
■
Enter the command:
service snmpd start
■
Navigate to Services in the user interface, select snmpd, Start, then click Save.
The SNMP service starts with the community name that is defined in the
snmpd file.
Synchronize System Time
Synchronize the system time among all servers that have CA Network Flow Analysis
components installed.
For information about performing this procedure on Windows servers, see the related
topics for:
■
Windows Server 2008 R2 (see page 53)
■
Windows Server 2003 (see page 54)
Required/Optional
Operating System
Servers to Configure
Required
Windows Server 2003,
Windows Server 2008 R2
All servers
We also recommend that you synchronize the system time for any Linux servers in your
deployment and and for the server that hosts your CA Performance Center instance.
52 Installation Guide
Synchronize System Time
Synchronize System Time on Windows Server 2008 R2
Complete the steps in this topic on each Windows Server 2008 R2 in your deployment,
unless the system time is synchronized automatically.
Follow these steps:
1.
Log in as a user who is a member of the Administrators group.
2.
Right-click the date or time on the right edge of the taskbar and select 'Adjust
date/time.'
The Date and Time dialog opens.
3.
Click the Internet Time tab.
4.
Click 'Change settings.'
The Internet Time Settings dialog opens.
5.
Select the check box labeled 'Synchronize with an Internet time server.'
6.
Select the server with which you want to synchronize. The default is
time.windows.com.
7.
Click 'Update Now.'
The system time is synchronized with the selected server.
8.
Click OK in the Internet Time Settings dialog.
9.
Click OK in the Date and Time dialog.
Note: If you have collection devices in different time zones, set each device to its local
time zone. Times are converted to Greenwich Mean Time (GMT).
Chapter 7: Post-Installation Tasks 53
Synchronize System Time
Synchronize System Time on Windows Server 2003
This topic describes how to use the Windows Time service to synchronize system time
among Windows Server 2003 systems. The goal is to configure all of your Windows
Server 2003 systems to match their clocks the same time source. For information about
other time synchronization tools and methods, consult the Microsoft support site.
Follow these steps:
1.
Log in as a user who is a member of the Administrators group.
2.
Enter the following command at a command prompt:
net time /querysntp
The command returns the name of the Simple Network Time Protocol (SNTP) server
with which the system is configured to synchronize time.
Example Return Value:
The current SNTP value is: time.windows.com, 0x1
The command completed successfully.
3.
Enter the following command:
net time /SETSNTP:NTPServer
where:
NTPServer = Name of the SNTP server that was returned from the previous query
Example Command:
net time /SETSNTP:time.windows.com
The return value indicates whether the command completed successfully.
4.
(Optional)Verify that the Windows Time service is set to start automatically.
a.
Select Start, Administrative Tools, Services.
The Services window opens.
b.
Double-click Windows Time in the Services list.
The Windows Time Properties window opens.
5.
54 Installation Guide
c.
Verify that the Startup type value is Automatic.
d.
If the value is not Automatic, choose Automatic from the Startup type list.
e.
Click OK.
f.
Close the Services window.
Restart the system.
Update the List of Trusted Internet Sites
Update the List of Trusted Internet Sites
Add the NFA console server to the list of trusted internet sites, unless your browser
security settings allow unrestricted access to internet sites. The process varies by
browser. The following instructions are for Microsoft Internet Explorer 8.
Required/Optional
Operating System
Servers to Configure
Recommended
Windows Server 2003,
Windows Server 2008 R2
Standalone, Console
Follow these steps:
1.
Log in as a user who is a member of the Administrators group.
2.
Launch Internet Explorer 8 on the NFA console server.
3.
Click Tools, Internet Options.
The Internet Options window opens.
4.
Select the Security tab.
5.
Click the Trusted Sites icon.
6.
Click Sites.
The Trusted Sites dialog opens.
7.
Enter https://localhost in the "Add this Web site to the zone" field.
8.
Click Add.
Your change is saved and the site is added to the Websites list.
9.
Exit:
a.
Click Close.
The Trusted Sites dialog closes and you return to the Internet Options window.
b.
Click OK.
The Internet Options window closes.
Chapter 7: Post-Installation Tasks 55
Modify the Router Access Control Lists
Modify the Router Access Control Lists
We recommend that you configure the router access control lists (ACLs) to ensure that
Harvesters can perform SNMP polling.
Required/Optional
Operating System
Servers to Configure
Recommended
Windows Server 2003,
Windows Server 2008 R2
Standalone, Harvester
Note: If loopback interfaces source the flow packets, verify that CA Network Flow
Analysis can access the IP addresses of those interfaces.
Disable User Account Control (UAC)
We recommend that you disable User Account Control (UAC) on any Windows Server
2008 R2 system that is used as the standalone server or NFA console server. UAC is not
fully supported for the current version of CA Network Flow Analysis. Enabling UAC on
the standalone server or NFA console server can result in unexpected behavior.
Note: UAC is not applicable to Windows Server 2003 systems.
Required/Optional
Operating System
Servers to Configure
Recommended
Windows Server 2008 R2
Standalone, Console
Follow these steps:
1.
Log in as a user who is a member of the Administrators group.
2.
Open the User Accounts window:
a.
Click Start, Control Panel.
The Control Panel opens.
b.
Click User Accounts.
The User Accounts window opens.
3.
Click "Change User Account Control settings."
The User Account Control Settings dialog opens.
4.
Move the slider bar to the bottom "Never notify" level, if it is not already at this
level.
UAC is set to be disabled for all local accounts on the server.
56 Installation Guide
Configure Web Content Expiration
5.
Click OK.
You return to the User Accounts tasks page.
6.
Close the window.
Configure Web Content Expiration
We recommend that you configure IIS to ensure that fresh web content is displayed.
With the Expire Web Content Immediately setting enabled, the browser displays an
updated page from the server rather than displaying content from a cache.
For the steps to configure web content expiration, see the related topics for:
■
Windows Server 2008 R2 (see page 57)
■
Windows Server 2003 (see page 58)
Required/Optional
Operating System
Servers to Configure
Recommended
Windows Server 2003,
Windows Server 2008 R2
Standalone, Console
Configure Web Content Expiration on Windows Server 2008 R2
Use the steps in this topic to configure web content expiration as recommended on a
standalone server or NFA console server that is running Windows Server 2008 R2.
Follow these steps:
1.
Log in as a user who is a member of the Administrators group.
2.
Select Start, Administrative Tools, Internet Information Services (IIS) 6.0 Manager.
The Internet Information Services Manager window opens.
3.
Display the options for expiring web content:
a.
Click the server name in the Connections pane.
The server features are displayed.
b.
Double-click the HTTP Response Headers icon in the HTTP Features group.
The window displays the current HTTP Response Headers.
c.
Click Set Common Headers in the Actions pane.
The Set Common Headers dialog opens.
Chapter 7: Post-Installation Tasks 57
Configure Web Content Expiration
4.
5.
Select the following options:
■
"Expire Web content" check box
■
Immediately
Save your changes and exit:
a.
Click OK.
The Set Common Headers dialog closes.
b.
Close the Internet Information Services Manager window.
Configure Web Content Expiration on Windows Server 2003
Use the steps in this topic to configure web content expiration as recommended on a
standalone server or NFA console server that is running Windows Server 2003.
Follow these steps:
1.
Log in as a user who is a member of the Administrators group.
2.
Select Start, Administrative Tools, Internet Information Services (IIS) Manager.
The Internet Information Services Manager window opens.
3.
Display the options for expiring web content:
a.
Click the server name in the left pane.
The server features are shown in the right pane.
b.
Right-click Web Sites in the right pane and select Properties.
The Web Sites Properties dialog opens.
c.
4.
5.
Click the HTTP Headers tab.
Select the following options:
■
"Enable content expiration" check box
■
"Expire Immediately" radio button
Save your changes and exit:
a.
Click OK.
The Web Sites Properties dialog closes.
b.
58 Installation Guide
Close the Internet Information Services Manager window.
Prevent False Positive Events
Prevent False Positive Events
We recommend that you create an empty TrapConfiguration key in the Windows
Registry to prevent the SNMP service from logging false positive events. This topic
describes how to perform this step on a system that is running either Windows Server
2008 R2 or Windows Server 2003.
Required/Optional
Operating System
Servers to Configure
Recommended
Windows Server 2003,
Windows Server 2008 R2
All servers
Follow these steps:
1.
Log in as a user who is a member of the Administrators group.
2.
Open a command prompt window.
3.
Run the following command:
reg add
HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConf
iguration
If the command executes successfully, the return value is: "The operation
completed successfully."
The TrapConfiguration registry key is created in the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters.
Chapter 7: Post-Installation Tasks 59
Configure the Recycle Bin
Configure the Recycle Bin
Optionally, configure the Recycle Bin to remove deleted files from the server
immediately. The default behavior is for the system to save copies of deleted files in the
Recycle Bin. This topic includes steps for Windows Server 2008 R2 and steps for
Windows Server 2003.
Required/Optional
Operating System
Servers to Configure
Optional
Windows Server 2003,
Windows Server 2008 R2
All servers
Follow these steps on Windows Server 2008 R2:
1.
Log in as a user who is a member of the Administrators group.
2.
Right-click the Recycle Bin icon on the desktop.
3.
Select Properties from the menu.
The Recycle Bin Properties dialog opens.
4.
Select Local Disk (C:) on the General tab.
5.
Select the option labeled "Don't move files to the Recycle Bin. Remove files
immediately when deleted."
6.
Click Apply.
7.
Repeat steps 2 through 4 for each additional drive that you want to configure.
8.
Click OK.
Follow these steps on Windows Server 2003:
1.
Log in as a user who is a member of the Administrators group.
2.
Right-click the Recycle Bin icon on the desktop.
3.
Select Properties from the menu.
The Recycle Bin Properties dialog opens.
4.
Choose whether to configure all drives or configure each drive independently:
■
60 Installation Guide
Configure drives independently:
a.
Select the drive to configure: Click the Local Disk (C:) tab.
b.
Select the option labeled "Do not move files to the Recycle Bin. Remove
files immediately when deleted."
c.
Click Apply.
d.
Repeat steps A and B for each additional drive that you want to configure.
Disable Unneeded Services
■
Use one setting for all drives:
Select the option labeled "Do not move files to the Recycle Bin. Remove files
immediately when deleted.
5.
Click OK.
Disable Unneeded Services
Optionally, you can disable unnecessary services. This step is designed to help secure
your servers.
For the steps and a list of services that you can delete, see the related topics for:
■
Windows Server 2008 R2 (see page 61)
■
Windows Server 2003 (see page 63)
Required/Optional
Operating System
Servers to Configure
Optional
Windows Server 2003,
Windows Server 2008 R2
All servers
Disable Unneeded Services on Windows Server 2008 R2
If you want to disable unneeded services on Windows Server 2008 R2 systems in your
deployment, use the steps and list in this topic.
Follow these steps:
1.
Log in as a user who is a member of the Administrators group.
2.
Open the Services window: Select Start, Administrative Tools, Services.
The Services window opens.
3.
Right-click the following services and select Manual or Disabled.
Do not select Stop or the services will restart whenever the server is rebooted.
Windows 2008 R2 Services That You Can Disable
■
Application Layer
Gateway Service
■
Application
Management
■
■
Distributed Link
Tracking Client
■
Distributed Transaction ■
Coordinator
■
Function Discovery
Resource Publication
■
Human Interface
Device Access
■
Certificate Propagation
DNS Client
IP Helper
Chapter 7: Post-Installation Tasks 61
Disable Unneeded Services
Windows 2008 R2 Services That You Can Disable
62 Installation Guide
■
Link-Layer Topology
Discovery Manager
■
Microsoft Iscsi Initiator ■
Service
Multimedia Class
Scheduler
■
Netlogon
■
Network List Service
■
Network Location
Awareness
■
Portable Device
Enumerator Service
■
Print Spooler
■
Remote Access Auto
Connection Manager
■
Remote Access
Connection Manager
■
Remote Registry
■
Resultant Set of Policy
Provider
■
Secondary Logon
■
Smart Card
■
Smart Card Removal
Policy
■
Special Administration
Console Helper
■
SSDP Discovery
■
Tablet PC Input Service
■
Telephony
■
Volume Shadow Copy
■
Windows Audio
■
Windows Audio
Endpoint Builder
■
Windows CardSpace
■
Windows Color System
■
WinHTTP Web Proxy
■
Auto-Discovery Service
WMI Performance
Adapter
Disable Unneeded Services
Disable Unneeded Services on Windows Server 2003
If you want to disable unneeded services on Windows Server 2003 systems in your
deployment, use the steps and list in this topic.
Follow these steps:
1.
Log in as a user who is a member of the Administrators group.
2.
Open the Services window: Select Start, Administrative Tools, Services.
The Services window opens.
3.
Right-click the following services and select Manual or Disabled.
Do not select Stop or the services will restart whenever the server is rebooted.
Windows 2003 Services That You Can Disable
■
Application Layer
Gateway Service
■
Application
Management
■
Distributed Link
Tracking Client
■
Distributed Transaction ■
Coordinator
DNS Client
■
Function Discovery
Resource Publication
■
Human Interface
Device Access
■
Netlogon
■
Network Location
Awareness
■
Print Spooler
■
Remote Access Auto
Connection Manager
■
Remote Access
Connection Manager
■
Remote Registry
■
Resultant Set of Policy
Provider
■
Secondary Logon
■
Smart Card
■
Special Administration
Console Helper
■
Telephony
■
Volume Shadow Copy
■
Windows Audio
■
Windows Color System
■
WinHTTP Web Proxy
■
Auto-Discovery Service
WMI Performance
Adapter
Chapter 7: Post-Installation Tasks 63
Chapter 8: Uninstalling CA Network Flow
Analysis
The CA Network Flow Analysis 9.1.3 includes an option to uninstall the product, which
you can use to remove CA Network Flow Analysis after an installation or upgrade.
Notes:
■
The Uninstaller has no Undo option: Once you uninstall the software, you cannot
restore the deleted files automatically.
■
You should be able to install and uninstall the CA Network Flow Analysis software
once or twice without incident. If you have ongoing problems, we recommend that
you contact CA Support rather than continue to install and uninstall the software.
Do not use the Uninstall option if you have upgraded from CA NetQoS ReporterAnalyzer
9.0.1. To successfully reinstall the software in this case, you must first re-image the
system.
This section contains the following topics:
Uninstallation Prerequisites (see page 65)
Uninstall CA Network Flow Analysis (see page 67)
Uninstallation Prerequisites
Before you begin uninstalling the CA Network Flow Analysis software from a server,
verify that the component is working properly.
Complete the following checks:
■
Verify that you are not uninstalling software that has been upgraded from CA
NetQoS ReporterAnalyzer 9.0.1. If you uninstall this type of upgrade, you will not be
able to reinstall the software on the same server without re-imaging the server.
■
Verify that the appropriate databases are present, as listed in the following table.
Database
Location
Standalone Harvesters
NFA Console
reporter
<install_path>\MySql51\data\ reporter
Yes
Yes
harvester
<install_path>\MySql51\data\ harvester
Yes
Yes
poller
<install_path>\MySql51\data\ poller
Yes
Yes
Chapter 8: Uninstalling CA Network Flow Analysis 65
Uninstallation Prerequisites
Database
Location
Standalone Harvesters
ReaperArchive15 <install_path>\Netflow\datafiles\
ReaperArchive15
Yes
Yes
data_retention
<install_path>\MySql51\data\ data_retention
Yes
Yes
ReaperArchive
<install_path>\Netflow\datafiles\ ReaperArchive
Yes
Yes
■
Verify that the CA Network Flow Analysis services and MySQL are running, as listed
in the following table:
Service
Standalone Harvester
CA NFA Collection and Poller
Webservices
(nfa_collpollws on Linux)
Yes
Yes
CA NFA Data Retention
(nfa_dataretention on Linux)
Yes
Yes
CA NFA DNS/SNMP Proxies
(nfa_proxies on Linux)
Yes
Yes
Console
DSA (3-Tier)
Yes
Yes
CA NFA DSALoader
Yes
CA NFA File Server
(nfa_filewebservice on Linux)
Yes
Yes
CA NFA Harvester
(nfa_harvester on Linux)
Yes
Yes
CA NFA Poller
(nfa_poller on Linux)
Yes
Yes
Yes
(3-tier)
CA NFA Pump
Yes
CA NFA Reaper
(nfa_reaper on Linux)
66 Installation Guide
NFA Console
Yes
CA NFA RibSource
Yes
Yes
NetQoS MySql51
Yes
Yes
Yes
Yes
NetQoS NQMySql51
(nfa_mysqlCSE on Linux)
Yes
Yes
Yes
Yes
NetQoS Reporter Manager
Yes
Yes
NetQoS Reporter/Analyzer
General Services
Yes
Yes
NetQoS Reporter/Analyzer Pump
Yes
Yes
Uninstall CA Network Flow Analysis
Service
Standalone Harvester
Console
NetQoS Reporter/Analyzer Query
Services
Yes
Yes
NetQoS Reporter/Analyzer Report Yes
Yes
NetQoS Reporter/Analyzer
Watchdog
Yes
Yes
DSA (3-Tier)
Uninstall CA Network Flow Analysis
This topic describes how to uninstall the CA Network Flow Analysis software by using
the Uninstaller. You also can uninstall the software from the Windows Add or Remove
Programs window, where it is listed under the publisher CA Technologies, Inc.
Follow these steps:
1.
Log in as a user who is a member of the Administrators group.
2.
Back up your data and configuration files. For information about this step, see the
CA Network Flow Analysis Administrator Guide.
3.
Exit from all applications--with no exceptions.
4.
Start the Uninstaller: Double-click the Uninstaller shortcut in
<install_path>\Uninstall:
■
Standalone system: Double-click Uninstall Reporter shortcut to uninstall the
NFA console first, then double-click the Uninstall Harvester shortcut to uninstall
the Harvester.
If you attempt to uninstall the Harvester software first, an error message
opens.
■
Distributed deployment: Double-click Uninstall Reporter (NFA console server),
Uninstall Harvester (Harvester server), or Uninstall DSA (DSA server).
The Uninstall window opens.
5.
Click Uninstall.
The Uninstaller removes all of the program and data files, including the following CA
Network Flow Analysis and MySQL elements:
■
Data
■
Services
■
Registry entries
■
Shortcuts, links, and aliases
Chapter 8: Uninstalling CA Network Flow Analysis 67
Uninstall CA Network Flow Analysis
■
Most files
■
Some directories
When the process is complete, the screen displays a list of the directories and files
that were not deleted.
Note: Leave the file system undisturbed while uninstallation is in progress. Do not
attempt to view the progress in Windows Explorer, for example.
Once the program finishes, the Uninstall Complete screen opens.
6.
Click Done to close the Uninstall Complete screen.
7.
Wait a few minutes to allow the helper process to finish the final cleanup.
Some files are not deleted until this phase is finished. Once the final cleanup is
finished, the Uninstaller itself is deleted.
Notes:
68 Installation Guide
■
The uninstallation log is at the root level of the original installation path. For
example, the Harvester uninstallation log is at:
<install_path>\Harvester_Uninstall_<timestamp>.txt.
■
You may want to manually delete any CA Network Flow Analysis directories and
files that are still present.
■
If you make an unsuccessful attempt to reinstall the software, contact CA Support.
Chapter 9: Troubleshooting
This section provides some troubleshooting tips for problems that are revealed by
prerequisite tests. Prerequisite tests can generate warnings or failure notices. If you
receive a warning, you can correct the problem immediately or after the installation or
upgrade software runs. Failures must be corrected before you can continue. Most of the
troubleshooting topics are for prerequisite failures.
Note: Many prerequisite tests rely on general indicators to identify problem areas.
Passing a prerequisite test is not a guarantee that everything is configured properly. It is
important to meet all of the server requirements, verify that supported versions of the
required software are installed and complete all of the configuration tasks.
The following prerequisite tests are run:
Test
Description
Warning or
Server
Upgrade/Install
Failure
Browser
Checks the Registry for a browser. Verify that a
supported browser version is installed (see
page 17).
Warning
Standalone
Distributed: NFA console
DEP
Verifies that the winmgt service is running.
Configure DEP as described in this guide (see
page 30).
Warning
Standalone
Distributed: NFA console,
Harvester (Windows)
FIPS Algorithm Verifies that the FIPS Algorithm policy is not
Policy
enabled (see page 70).
Verify automatic Standalone
fix or Failure
Distributed: NFA console
Flash Player
Checks the Registry for any version of Flash
Player (see page 18).
Warning
Standalone
Distributed: NFA console
IIS Installed
Verifies that the wcsvc service is running. Install
and configure IIS as described in this guide. (see
page 22)
Warning
Standalone
Distributed: NFA console
IIS Version
Checks the Registry for IIS version 7.0.
Warning
Standalone
Distributed: NFA console
Java Version
Verifies that the supported version of the Java
Runtime Engine (see page 71) is installed.
Failure
All servers
.NET 3.5
Version
Checks for .NET version 3.5 SP1. If .NET version
3.5 is found, turns on SP1.
Failure
Standalone
Distributed: NFA console
.NET 4.0
Version
Verifies that .NET version 4.0 is not installed.
Failure
Standalone
Distributed: NFA console
Chapter 9: Troubleshooting 69
FIPS Algorithm Policy Is Enabled
Test
Description
Warning or
Server
Upgrade/Install
Failure
Service Control Verifies that the Windows System32 directory
command
contains the sc.exe file (see page 72).
SNMP
Failure
Verifies that the snmp service is running and the Warning
process ID is present. Configure SNMP on
Windows servers (see page 26) and Linux servers
(see page 34).
Standalone
Distributed: NFA console,
Harvester (Windows)
Standalone
Distributed: NFA console,
all Harvesters
This section contains the following topics:
FIPS Algorithm Policy Is Enabled (see page 70)
Java Is Not Installed (see page 71)
SC.exe Is Not Installed (see page 72)
SNMP Is Not Enabled (see page 72)
FIPS Algorithm Policy Is Enabled
When I click Next in the License Agreement screen in the installation or upgrade
program for the NFA console, a Pre-requisite Check Warning message opens, which
includes the following text:
"The FipsAlgorithmPolicy registry key for this system is set to enabled. If the
following key is enabled, Windows will not allow certain algorithms to run..."
The error message opens because a system check found the FipsAlgorithmPolicy key in
the Windows Registry, which indicates that the Federal Information Processing Standard
(FIPS) 140 cryptographic standard is enabled. While this policy is enabled, the server can
run only the cryptographic algorithms that have been submitted to and approved by the
National Institute of Standards and Technology (NIST).
This restriction can cause problems connecting to databases through Open Database
Connectivity (ODBC). Problems with CA Network Flow Analysis connectivity may result.
To disable the FipsAlgorithmPolicy Registry key, click OK in the Pre-requisite Check
Warning message. The FIPS algorithm policy is disabled and does not restrict database
connections.
70 Installation Guide
Java Is Not Installed
Java Is Not Installed
If you attempt to launch the installation or upgrade program on a server that does not
have a supported version of the Java Runtime Engine (JRE), an error message opens. You
must install a supported version of the JRE, before you can proceed.
The error message reads:
"No Java virtual machine could be found from your PATH environment variable. You
must install a VM prior to running this program."
Follow these steps:
1.
(Optional) Determine which JRE version the server is running:
a.
Enter the following command at a command prompt or in a terminal window:
java -version
The command returns the JRE version that is installed.
2.
Download the appropriate JRE installation file to the installation server.
Note: The appropriate JRE installation file is included in the ISO files from CA
Support, which also contain the product installation or upgrade executable files.
3.
(Windows) Run the JRE .exe installation file:
a.
Open the Run window: Select Start, Run.
b.
Specify the path and file name for the installation program in either of the
following ways:
c.
4.
■
Click Browse and use the Browse window to locate and select the file.
■
Enter the path and the file name in the Open field.
■
Click OK.
Follow the prompts to complete installation.
(Linux) Run the JRE .bin installation file:
a.
Navigate to the JRE .bin file location in a terminal window.
b.
Enter the following command:
./jre
The JRE installation program starts.
c.
5.
Follow the prompts to complete installation.
(Optional) Repeat step 1 to verify that the JRE version is updated correctly.
Chapter 9: Troubleshooting 71
SC.exe Is Not Installed
SC.exe Is Not Installed
When I click Next in the License Agreement screen of the installation or upgrade
program, an error message opens, which begins with the following text:
"sc.exe is not installed. The installer was unable to find "sc.exe" in the System32
folder."
A system check did not find the Service Control command (the sc.exe file) in the
Windows/System32 directory. The Service Control command is used for communicating
with the Service Controller during command line operations. If the file is missing, the
installation or upgrade program exits.
The sc.exe file is included with the Windows Server software by default. To correct the
problem, restore the missing sc.exe from your Windows Server installation software,
Windows Resource Kit, or other resource.
SNMP Is Not Enabled
When I click Next in the License Agreement screen of the installation or upgrade
program, an SNMP warning message opens. The message reads:
"Pre-requisite Check Warning The following issues were found: SNMP is not
enabled. While not required before installation, some functionality may not work
correctly if these are not addressed."
The SNMP warning message opens because the prerequisite check does not find that
the snmpd daemon is running. You can correct the problem when the warning appears
or you can proceed with the installation or upgrade. In any case, CA Network Flow
Analysis will not run properly until you configure SNMP (see page 34) and make sure
that the snmpd and snmptrapd daemons are running.
Use the following procedures to check the SNMP status on a Linux server.
Follow these steps:
1.
(Optional) Enter the status command in a terminal window:
/etc/init.d/snmpd status
The command returns the process ID of the snmpd daemon. If the return text does
not list a process ID for the snmpd daemon is not running.
72 Installation Guide
SNMP Is Not Enabled
2.
(Optional) Check the status in the Service Configuration window:
a.
Open the Service Configuration window: Select System, Administration, Server
Settings, Services.
The Service Configuration window opens with the Background Services tab
selected.
b.
Locate snmpd and snmptrapd in the service list.
c.
Check the status of these services:
d.
■
Select snmpd and review the status message that is displayed.
■
Select snmptrapd and review the status message that is displayed.
Close the Service Configuration window.
Chapter 9: Troubleshooting 73
Index
.
2-tier distributed deployment
hardware (Linux) • 12
hardware recommendations (Windows) • 10
ports to open • 20
distributed deployment
hardware (Windows) • 10
preparing Linux servers (overview) • 33
preparing Windows servers (overview) • 15
documentation
location/list of • 4
DSA (Data Storage Appliance)
hardware recommendations • 10
installing • 44
ports to open (Windows) • 19
3
E
3-tier distributed deployment
hardware (Linux) • 12
hardware (Windows) • 10
ports to open • 21
errors
FIPS Algorithm policy • 70
general • 69
Java Not Installed • 71
SC.exe Not Installed • 72
SNMP Not Enabled • 72
.NET
.NET Framework version required • 9
2
A
addresses
disabling for network connections (Linux) • 35
disabling IPv6 addresses (Windows) • 29
ASP
configuring (Windows 2003) • 24
configuring (Windows 2008) • 22
B
browsers
supported versions • 17
C
COM+
configuring (Windows 2003) • 22
configuring (Windows 2008) • 22
community name
configuring (Linux) • 34
configuring (Windows) • 28
compatibility mode for Internet Explorer
turning off temporarily • 17
D
DEP policy
configuring (Windows) • 30
display
display resolution required • 9
F
firewall
disabling iptables (Linux) • 36
ports to open on 2-tier deployment • 20
ports to open on 3-tier deployment • 21
ports to open on standalone server • 19
H
hardware recommendations
for Linux servers • 12
for Windows servers • 10
Harvester
hardware recommendations (Windows) • 10
installing (distributed Linux) • 42
installing (distributed Windows) • 40
installing (standalone) • 37
ports to open on server (Windows) • 19
server recommendations (Linux) • 12
I
IIS
configuring (Windows 2003) • 24
configuring (Windows 2008) • 22
web content expiration (2003) • 57
web content expiration (2008) • 57
Index 75
Internet Explorer
turning off compatibility mode temporarily • 17
versions supported (Windows) • 17
iptables (Linux)
disabling to open ports • 36
IPv6 addresses
disabling connections (Linux) • 35
disabling connections (Windows) • 29
J
Java Runtime Engine (JRE)
error when not installed • 71
JRE version required • 9
L
languages
options supported • 12
Linux
configuring (Linux) • 34
disabling iptables • 36
disabling IPv6 addresses • 35
hardware/OS • 12
preparing servers (overview) • 33
N
NetQoS Performance Center
version supported • 49
NFA console
hardware recommendations • 10
installing (distributed) • 46
installing (standalone) • 37
ports to open • 19
O
operating systems
Windows OSs supported • 9
P
ports
ports to open on 2-tier deployment • 20
ports to open on 3-tier deployment • 21
ports to open on standalone server • 19
post-installation tasks
overview of • 49
prerequisites
downoading executables • 8
hardware/OS (Linux) • 12
76 Installation Guide
hardware/OS (Windows) • 10
preparing Linux servers (overview) • 33
preparing Windows servers (overview) • 15
R
Recycle Bin
setting to delete immediately • 60
role services
configuring (Windows) • 22
Router Access Control Lists
modifying for SNMP polling • 56
S
Server Manager window
configuring IIS, COM+, ASP (2008) • 22
configuring SNMP, SMTP • 26
services
disabling unneeded services • 61
SNMP service
configuring (Linux) • 34
configuring (Windows) • 26
modifying Router Access Control Lists • 56
preventing false positives • 59
standalone server
hardware • 10
installation steps • 37
ports to open • 19
preparing server (overview) • 15
system requirements
on Linux servers • 12
on Windows servers • 9
T
time
synchronizing system time • 53
tmp directory (Linux)
relocating • 12
trusted sites
adding console server to • 55
U
uninstalling
prerequisites • 65
running the Uninstaller • 67
W
web content
setting for immediate expiration • 57
Windows
preparing servers (overview) • 15
version supported • 9
Windows Component Wizard
configuring IIS, COM+, ASP (2003) • 24
Index 77
Download PDF
Similar pages