SafeGuard Enterprise installation best practice

SafeGuard Enterprise installation best practice
SafeGuard Enterprise
Installation best practice
Product version: 6
Document date: February 2012
Contents
Introduction................................................................................................................................................... 4
Technical prerequisites ................................................................................................................................. 5
Installation order ........................................................................................................................................... 6
1. Installing the SafeGuard Enterprise Server........................................................................................... 7
1.1
Quick installation reference ...................................................................................................... 7
1.2
Installing IIS services ................................................................................................................. 8
1.3
Installing .Net Framework ...................................................................................................... 10
1.4
Installing the SafeGuard Enterprise Server package .............................................................. 12
2. Creating the SafeGuard Enterprise Database ..................................................................................... 15
2.1
Quick installation reference .................................................................................................... 15
2.2
Promoting a Windows user to logon to the SQL Server ....................................................... 15
2.3
Creating the SafeGuard Enterprise Database ......................................................................... 18
2.4
Changing access permissions for the SafeGuard Enterprise Database ................................. 19
2.5
Checking the SQL Server Service Settings and the Named Pipes Configuration ................ 21
2.6
Adding the SQL user to the default application pool and to the required Active Directory
user groups including local permissions ............................................................................... 22
3. Installing the SafeGuard Enterprise Management Center................................................................. 28
3.1
Quick installation reference .................................................................................................... 28
3.2
Installing the SafeGuard Enterprise Management Center .................................................... 28
3.3
Running the SafeGuard Management Center Wizard .......................................................... 28
3.4
Importing the Active Directory into SafeGuard Enterprise .................................................. 33
3.5
Importing the license file ........................................................................................................ 37
4. Installing the SafeGuard Enterprise Server configuration package .................................................. 39
4.1
Quick installation reference .................................................................................................... 39
4.2
Creating the SafeGuard Enterprise Server configuration package....................................... 39
4.3
Installing the SafeGuard Enterprise Server configuration package ..................................... 41
4.4
Running the invoke test .......................................................................................................... 41
w.utimaco.com
Installation Best Practice
5. Configuring the SGNSRV web page to accept a certificate and assigning the certificate ................ 44
5.1
Quick installation reference .................................................................................................... 44
5.2
Creating a self-signed certificate ............................................................................................. 45
5.3
Configuring the SGNSRV web page to accept certificates .................................................... 47
5.4
Deploying the certificate to the clients ................................................................................... 49
6. Installing the SafeGuard Enterprise Client ......................................................................................... 53
6.1
Quick installation reference .................................................................................................... 53
6.2
Checking the certificate arrival on the client ......................................................................... 53
6.3
Preparing the client for installation – optional ...................................................................... 57
6.4
Installing the SGNClient.msi and the SGxClientPreinstall.msi ............................................ 58
6.5
Creating the SafeGuard Enterprise Client configuration package ....................................... 59
6.6
Installing the client configuration package ............................................................................ 60
6.7
Rebooting the machine after installation and initializing the user ...................................... 60
7. Technical support ................................................................................................................................. 61
8. Legal notices .......................................................................................................................................... 62
3
3
SafeGuard Enterprise
Introduction
This document guides you through a typical SafeGuard Enterprise installation with best practice
examples and recommendations.
It does NOT replace the SafeGuard Enterprise Installation Guide, but should help with first steps
and simple troubleshooting hints during the installation/implementation of SafeGuard Enterprise.
Note: Some steps refer to the SafeGuard Enterprise Administrator help or to the SafeGuard Enterprise
User help which can be found in your product delivery.
Please follow the steps in this guideline chapter by chapter and do not skip any – the chapter
numbering follows a chronological order. This guideline is designed for system/network/database
administrators installing SafeGuard Enterprise (SGN).
This document describes a set-up that is focused on a maximum of security and performance with
regards to the communication between the single components. In case a different setup method can be
used to install a module this will be highlighted extra.
To meet the current technical standards all examples given refer to the Windows Server 2008, IIS
Server 7 and Microsoft Windows 7. Besides this the document describes a domain situation in which
all machines are members of the same domain. As a result of this, operating system specific tasks may
differ when using other software or a workgroup environment.
4
Installation Best Practice
Technical prerequisites
SafeGuard Enterprise supports a large variety of operating systems and hardware. A full list of the
hardware currently supported, the minimum hardware requirements and the supported operating
systems can be found in the release notes which are part of the SafeGuard Enterprise product delivery.
It is highly recommended to read the release notes prior to the installation of SafeGuard Enterprise in
order to have all the latest information before starting.
5
5
SafeGuard Enterprise
Installation order
SafeGuard Enterprise is built up in several different modules.
The minimum modules in order to build up a working SafeGuard Enterprise infrastructure are




The SafeGuard Enterprise Server.
The SafeGuard Enterprise Management Center.
The SafeGuard Enterprise Database.
The SafeGuard Enterprise Client.
Even if the SafeGuard Enterprise Database is not an extra module of the SafeGuard Enterprise product
it is a vital part of the backend structure to have the product working.
Before being able to deploy any SafeGuard Enterprise Client regardless of the function installed
(SafeGuard Device Encryption, Data Exchange, File Share, Cloud Storage or Configuration
Protection) a working backend is required. As a result of this the installation order of SafeGuard
Enterprise is like this:
1. Installing the SafeGuard Enterprise Server.
2. Creating the SafeGuard Enterprise Database.
3. Installing the SafeGuard Enterprise Management Center and importing the Active Directory.
4. Installing the SafeGuard Enterprise Server Configuration package.
5. Configuring the SGNSRV web page to accept a certificate and assigning the certificate.
6. Installing the SafeGuard Enterprise Client.
All chapters of this document must be passed in chronological order. Following all steps in
combination with the documentation available will lead to a working SafeGuard Enterprise back-end
and a working SafeGuard Enterprise client.
6
Installation Best Practice
1. Installing the SafeGuard Enterprise Server
As of Windows Server 2008 Microsoft has changed the look and feel of the Internet Information Server
(IIS) quite fundamentally. As a result of this the tasks in order to install SafeGuard Enterprise on a
server running IIS7 have changed compared to a machine running IIS6. However, the technical
prerequisites are still the same. On the machine that is hosting the SafeGuard Enterprise web server
interface the installation of Microsoft .Net Framework Version 4 is required.
Besides this it is recommended to use a dedicated server to host the SafeGuard Enterprise Server. It is
possible to run other application on the same machine, but in case the machine is under heavy load
from a 3rd party application the communication between SafeGuard Enterprise clients and the back
end might not be working correctly.
The installation process of the SafeGuard Enterprise Server contains three steps at first hand.
The required steps are described below.
1.1
Quick installation reference
1. Install IIS Services.
2. Install .Net Framework 4 or verify that the installation was done correctly.
3. Install the SafeGuard Enterprise Server package.
7
7
SafeGuard Enterprise
1.2
Installing IIS services
In order to install SafeGuard Enterprise on an IIS 7 server it is required to install the IIS services on the
Windows Server 2008. Besides this the installation requires .Net Framework to be present as well.
Please follow these steps:
1. Click Start -> All Programs -> Administrative Tools -> Server Manager.
2. In the Server Manager window scroll down to Roles Summary and then click on Add Roles.
The Add Roles Wizard will start with a Before You Begin page. The wizard asks for verification
of the following:
a. The administrator account has a strong password.
b. The network settings, such as IP addresses, are configured.
c. The latest security updates from Windows Update are installed.
3. Select Web Server (IIS) on the Select Server Roles page. An introductory page will open with
links for further information > Click on Add Required Features.
8
Installation Best Practice
4. Click WebServer (IIS) > Role Services on the left hand side.
5.
Add any required role services. Please select the pre selected roles and the following:
Click Next and press Install on the next step.
6. IIS is now installed with a default configuration for hosting ASP.NET on Windows server.
Click Close to complete the process which might take a while depending on the hardware in
use.
9
9
SafeGuard Enterprise
7. Confirm that the web server works using http://(Enter machine name without brackets). In
case that the web page is not shown properly please consider the Microsoft knowledge base
(http://support.microsoft.com) for further information.
1.3
Installing .Net Framework
Another prerequisite before installing the SafeGuard Enterprise Server and the SafeGuard Enterprise
Management Center is the fact that .Net Framework Version 4 must be installed on the machine.
The installation of .Net Framework is pretty straight forward and can be done quite easily. In case .Net
Framework is already installed on the machine please proceed with How to verify if .Net Framework is
installed correctly.
How to check if Microsoft .Net Framework is already installed
In case of uncertainty if .Net Framework is installed on the machine or not it is possible to check
Microsoft Programs and Features. In order to do so please use the following steps:
1. Start > Run…
2. Appwiz.cpl.
3. Check the list of installed applications if .Net Framework 4 is shown.
Having ensured that the application is installed on the system please verify that the application is
registered properly. Please proceed with How to verify that .Net Framework is installed correctly for
further information.
Doing a fresh installation of the Microsoft .Net Framework
The installation of .Net Framework is quite straight forward. However, please consider that the
installation requires a permanent internet connection or you have to download the redistribution
package before starting. The detailed installation steps are like this
1. Download Microsoft .Net Framework from http://www.Microsoft.com/downloads.
2. After downloading the installation package run the exe file on the IIS7 machine using an
administrative account. The installation must not be configured and can be clicked through
straight forward.
3. After completing the installation a reboot is required.
10
Installation Best Practice
How to verify if .Net Framework is installed correctly
On a machine that has .Net Framework installed it is required to ensure that the installation was done
correctly and that everything is working as expected.
In order to manually test the installation of the Microsoft .Net Framework, check that the folder
structure under C:\Windows\Microsoft.NET\Framework is like this:
Besides this you can check if the .Net 4 Framework part was initialized correctly by executing
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis /lv within a command shell.
On success the output will be like this:
11
11
SafeGuard Enterprise
1.4
Installing the SafeGuard Enterprise Server package
As soon as the installation of the Internet Information Service and the Microsoft .Net Framework is
completed all prerequisites in order to start the SafeGuard Enterprise server installation are fulfilled.
The installation of the SafeGuard Enterprise Server is divided into two steps:
1. Installing the SafeGuard Enterprise Server package.
2. Installing the SafeGuard Enterprise server configuration package which is described later in
this document. Please proceed with the guide step by step in order to avoid any side effects.
Note: This step cannot be done unless the SafeGuard Enterprise Management Center is
installed.
The installation of the SafeGuard Enterprise Server (base) package is quite easy. The detailed steps are:
1. Copy the SGNServer.msi package from the installation CD or any network location to the
machine that runs the IIS Server.
2. Start the installation by double clicking the MSI package.
Please note: The installation of the SGNServer.msi on Windows Server 2008 and Windows
Server 2008 R2 has to be run with already elevated privileges, otherwise the installation may
fail. Alternatively the SGNServer.exe can be used for the installation.
3. The SafeGuard Enterprise server installation wizard will come up. The wizard should be
completed without changing any of the given settings besides accepting the legal disclaimer
Note: It is not recommended to change the given installation path! Especially when
installing other modules of SGN on the same box this could cause some side effects.
4. In order to ensure that the installation has passed successfully please open the Internet
Information Services Manager and check if a web page named SGNSRV is now available.
12
Installation Best Practice
The installation is now completed. In order to check that everything is working click on
SGNSRV in the left hand pane > the /SGNSRV Home page will open in the center pane again.
In the right hand pane click on Browse *:80 (http) in the Manage Application section.
5. A new Internet Explorer window will open and show the following page:
6. Click Check Connection.
13
13
SafeGuard Enterprise
7. In the next window, click Invoke.
8. A new Internet Explorer window will open and should display the following result:
The section <DBAuth>failed</DBAuth> is expected and does show an error at this point! The
important thing is that <WebService>OK</WebService> is shown.
The first part of the SafeGuard Enterprise Server installation is completed now.
14
Installation Best Practice
2. Creating the SafeGuard Enterprise Database
SafeGuard Enterprise stores all relevant back-end data within a database. The creation of the database
can be done automatically during the SafeGuard Management Center initialization or manually using
the SQL scripts which are part of the SafeGuard Enterprise product delivery.
Before setting up the database please check the release notes for a list of currently supported SQL server
versions.
Note: When using the SQL Express Edition to store the SafeGuard Enterprise Database remember the
maximum file size limitation of the database given by Microsoft. In case the customer wants to set up a
large environment, using the SQL Express Edition might be inappropriate.
This document will use a SQL 2008 Standard Edition including the administrative components.
The authentication is configured to mixed mode (SQL and Windows Authentication possible).
All SQL services are configured to run in the LOCAL\SYSTEM context.
2.1
Quick installation reference
1. Promote a Windows user account to log on to the SQL Server.
2. Create the database using the SafeGuard Management Center configuration wizard or by
running the SQL script provided on the product CD in the SQL Server Management Studio.
3. Change the SQL permissions according to your security need.
4. Check the SQL Browser Service status and the Named Pipes settings.
5. Enter the Windows/SQL user in the Default Application pool and the required Active
Directory Groups including local permissions.
2.2
Promoting a Windows user to logon to the SQL Server
The logon to the SQL server can be done using either a SQL user account or using a Windows user
account which is promoted to a SQL user. Due to the fact that passwords are sent in plain when using
SQL authentication to authenticate to the SQL server we recommend using a dedicated Windows user
account.
If the customer wants to use a SQL user account to authenticate to the database this section can be
skipped.
Note: Due to security reasons we recommend using Windows authentication to access the SafeGuard
database.
However, the promotion of an existing Windows user account as a valid SQL user is fairly easy. Please
follow these steps:
1. Create a new user account in Windows if no existing user should be used. This example will
use a new user account named SGNSQL.
2. Open the SQL Server Management Studio.
15
15
SafeGuard Enterprise
3. In the left hand pane of the Object Explorer section browse to Security > Logins.
4. Right click on Logins > New Login…
5. Select Windows authentication (default) and then Search…
6. Search the user that should be used for authentication – in this case SGNSQL > Click OK.
16
Installation Best Practice
7. The user logon name will be displayed now in the initial dialog > press OK to complete the
user creation. Further actions are not required at this point.
Please read carefully:
Every user that should be able to run the SafeGuard Enterprise Management Center must have a valid
SQL User account when using Windows authentication to connect to the SafeGuard database.
17
17
SafeGuard Enterprise
2.3
Creating the SafeGuard Enterprise Database
The creation of the SafeGuard Enterprise Database can be done either by using the available SQL
scripts which can be found on the product CD or by running the SafeGuard Enterprise Management
Center configuration wizard.
This chapter will describe the creation of the database using the SQL scripts.
If the customer wants to use the Management Center configuration wizard to create the database this
step can be skipped.
The required steps to create the SafeGuard Enterprise Database are:
1. Copy the script CreateDatabase.sql and CreateTables.sql from the SafeGuard Enterprise
product delivery to the SQL server.
2. Double click the CreateDatabase.sql script. The SQL Server Management Studio will open.
Log on using a user that is allowed to create a database (the newly created user does not have
the right by default! In this case do not use the SGNSQL user.)
3. At the beginning of the script the MDF and the LDF file creation path is specified. Ensure that
this path does exist on the local hard drive.
In this case the path would be C:\Program Files\MSSQL\data\ which does not exist when using
SQL express by default!
Change the path of the MDF and the LDF file according to your system set-up. In order to
change the LDF path scroll the middle pane window to the right.
4. As soon as the path has been defined execute the script either by pressing the relevant GUI
button or by using the F5 hot key.
5. Another window pane below the script area will open. On access the screen output will be
Command(s) completed successfully.
6. Now double click on the CreateTables.sql script.
7. Another tab will open in the SQL Server Management Studio.
18
Installation Best Practice
8. Add the following line at the top of the script area:
use safeguard
9. Execute the script.
10. Another window pane below the script area will open. On access the screen output will be
Command(s) completed successfully.
The SafeGuard Enterprise Database is now created successfully. At the moment only user ‘sa’ and the
Administrative account created during the SQL Server installation can be used to access the database.
2.4
Changing access permissions for the SafeGuard Enterprise
Database
The last step of the creation of the SafeGuard Enterprise Database is to enable the user account to
access the SafeGuard Enterprise Database. Therefore the user account must be granted access to the
database.
Since it is possible to assign different roles and permissions to a user on a database only the minimum
required ones will be described.
Please follow these steps carefully:
1.
2.
3.
4.
5.
Open the SQL Server Management Studio.
In the Object Explorer section in the left hand pane browse Security > Logins.
Select the user that should be enabled (in this example SGNSQL).
Right click on the user name > Properties.
A new Login Properties window will open.
19
19
SafeGuard Enterprise
6. Under Select a page (left hand side) select User Mapping.
7. On the right hand side check the Map box for the SafeGuard database.
8. Below this the Database role membership for: section can now be edited. Select the following
roles for the user:
db_datareader
db_datawriter
public
9. Confirm the configuration using the OK button.
20
Installation Best Practice
2.5
Checking the SQL Server Service Settings and the Named
Pipes Configuration
In order to install the SafeGuard Enterprise Management Center it is required that the SQL Browser
Service is running and that “Named Pipes” “TCP/IP connection” is activated. These settings are
required to access the SQL server from other machines. Further information can be found on the
Microsoft home page.
This can be checked in the SQL Server Configuration Manager. The check is done in two steps:
1. When opening the SQL Server Configuration Manager select SQL Server Services in the left
hand pane and then check in the right hand pane if the SQL Server and the SQL Server
Browser service are both up and running.
Note: It might also be necessary to check the Start Mode of each service!
2. Expand the SQL Server Network Configuration node in the left hand pane and select the current
instance – in this example Protocols for SQLEXPRESS. Verify that Named Pipes are enabled.
3. Restart the SQL services.
21
21
SafeGuard Enterprise
2.6
Adding the SQL user to the default application pool
and to the required Active Directory user groups
including local permissions
In order to enable the communication between the SafeGuard Enterprise Server and the SafeGuard
Enterprise Database using Windows NT authentication further actions need to be taken. The SQL user
account must be populated to the Application Pool of the IIS, local file permissions must be adjusted
and the user must be made a member of Active Directory groups.
Even if these steps are IIS related they should not be done prior to the above taken steps.
Adding the user to groups in the Active Directory
1. Open the Active Directory Users and Computers snap in (Start > Run > dsa.msc).
2. In the left hand pane expand the domain tree and browse to the Builtin OU.
3. Add the newly created user (SGNSQL) to the following three groups:
a. IIS_IUSRS
b. Performance Log Users
c. Performance Monitor Users
4. Close the snap in.
22
Installation Best Practice
Changing file system permissions
1. After that switch back to the local file system and browse to C:\Windows\Temp.
2. Enter the properties of the folder C:\Windows\Temp switch to the Security tab.
3. Click Edit…
4. Add the SGNSQL user account.
23
23
SafeGuard Enterprise
Set the following Special permissions for the SGNSQL user on the folder:
a. Delete
b. Create Files/Write Data
c. List Folder / Read Data
Adding the user to the default application pool
1. Open the Internet Information Service manager.
2. Browse to Application Pools in the left-hand pane.
3. Select the SGNSRV-Pool in the center pane window.
24
Installation Best Practice
4. Right-hand pane > Advanced Settings …
5. Process Model > Identity > Change the user name > Custom Account > Set > Enter the user
name and the password of the SQL enabled user like Domain\User. In this example it would
be user name TESTDOMAIN\SGNSQL.
In case that the SQL enabled user is not entered here the communication between the
SafeGuard Enterprise server and the database will fail!
25
25
SafeGuard Enterprise
6. Click on the server name in the left hand pane >in the right-hand pane under Actions click on
Restart.
7. In the left hand side under Sites select SGNSRV.
8. In the center pane select Authentication.
9. Right click Anonymous authentication > Edit.
26
Installation Best Practice
10. Check that the Anonymous user identity: is set to Specific user: and that the user name is
IUSR. In case that there is any other user name (in earlier versions it could happen that an
IUSR_SafeGuard was created) please rename it into IUSR as mentioned above.
The configuration of the SafeGuard Enterprise Database is now completed. The installation of the
SafeGuard Management Center can now be done.
27
27
SafeGuard Enterprise
3. Installing the SafeGuard Enterprise Management Center
When the SafeGuard Enterprise Server is installed and the SafeGuard Enterprise Database is
configured the next step is to install the SafeGuard Management Center. The SafeGuard Management
Center can be installed on different operating systems. A list of the currently supported operating
system can found in the release notes. Please consider this document before taking the next steps. In
case that the SafeGuard Management Center should be installed on a separate machine, please
remember that .Net Framework must be installed beforehand on that machine.
This document describes the installation of the SafeGuard Management Center on Windows 7.
3.1
1.
2.
3.
4.
3.2
Quick installation reference
Install the SafeGuard Management Center.
Run the SafeGuard Management Center configuration wizard.
Create a directory connection and import the Active Directory.
Import the license file.
Installing the SafeGuard Management Center
In order to install the SafeGuard Management Center please follow these steps
1. Copy the SGNManagementCenter.msi from the product CD or any network location to the
machine that should run the Management Center.
2. Run the msi package as Administrator.
3. Go through the installation wizard.
a. Accept the legal disclaimer.
b. Select the installation path: Do not change the destination path!
c. Select the modules to be installed > in case that database multi tenancy should not be
used select Standard as installation type.
3.3
Running the SafeGuard Management Center Wizard
In order to complete the installation of the SafeGuard Management Center the next steps is to run the
SafeGuard Management Center Wizard. The wizard is used to define the connection string to the
SafeGuard Enterprise Database and to create the company certificate.
The required configuration steps are:
1. Open Start > All Programs > Sophos > SafeGuard > SafeGuard Management Center
2. The SafeGuard Management Center Wizard starts.
Note: After completing the wizard this link will start the SafeGuard Management Center. The
wizard will not come up again as soon as the configuration is completed.
28
Installation Best Practice
3. On the Database Server Connection page connect to the database server. These settings will be
used in the SafeGuard Management Center afterwards.
a. Uncheck the Ping Server box.
b. Under Authentication > Use Windows NT Authentication.
c. Select the SQL server instance using the drop down field. In this case the correct name
would be WIN-8YQWL7BZGMS since no named instance was used. In case of using
SQL Express the instance name would be SQLEXPRESS.
Note: In case the drop down field is empty enter the server name manually like Machine
Name\Instance Name. This information is available in the SQL Server Management Studio
logon dialog under Server name: when starting the application.
29
29
SafeGuard Enterprise
4. On the Database Settings page it is possible to either create a new database or to use an existing
one. Since the database was pre-created using the SQL scripts the wizard will automatically
select the already existing database. No configuration is required at this point.
Note: In case the database was not created beforehand select Create a new database named: to
create a new database using this wizard. In this case the user that was used to log on to the
database on the page before must have the right to create a new database on the SQL server!
This step is not required when following this document!
30
Installation Best Practice
5. The next step is to create a new Master Security Officer and a personal SafeGuard Enterprise
certificate store for the Windows user. This is done in multiple steps:
a. Define the ID of the Master Security Officer. The ID can be chosen as desired – a
possible naming would be MSO since this is common terminology when talking about
SafeGuard Enterprise master security officers.
b. After that select the token logon mode – we highly recommend not selecting
Mandatory.
c. Complete this step by clicking Create…
d. Then create the password for the personal certificate store. The SafeGuard Enterprise
Certificate store is a virtual store to store SafeGuard Enterprise certificates. This store
is not related to Microsoft functionality!
Please read carefully:
The password which is defined in this step is the password that is used to log on to the
Management Center afterwards. This is not the password to import the MSO
certificate in case of restoring the SafeGuard Management Center again! This example
uses 123456 as password.
31
31
SafeGuard Enterprise
e. As soon as the password for the certificate store is defined, a new dialog is displayed to
define the certificate password. This is the password which is required to import the
certificate again in case the SafeGuard Management Center has to be restored, the
SafeGuard Enterprise Database has to be restored or the MSO should be used on a
second Management Center on a different machine. This example uses 654321 as
password.
Note:
A Save As… dialog box is displayed. Save the .cer and the .p12 file at a secure place
where it cannot be deleted. In case the .cer and the .p12 file are not available a recovery
of the SafeGuard Enterprise Database will not be possible!
6. As soon as the security officer certificate is exported, the certificate store and the security
officer is created the wizard will proceed with the creation of the company certificate. At this
point it will be able to either import an existing company certificate from an already existing
SafeGuard Enterprise installation or to create a new company certificate. Since this is a fresh
installation select Create a new company certificate and enter the company name into the
field. In this example the name would be My company Ltd.
Note: Importing the company certificate is available as of SafeGuard Enterprise 5.50 – earlier
versions do not offer this function.
7. Passing this step will complete the configuration of the SafeGuard Management Center.
Exiting the wizard will automatically start the SafeGuard Management Center.
32
Installation Best Practice
3.4
Importing the Active Directory into SafeGuard Enterprise
SafeGuard Enterprise offers the possibility to import the Active Directory structure into the SafeGuard
Management Center. During the synchronization with the Active Directory objects such as computers,
users and groups are imported to the SafeGuard Management Center. All data is stored within the
SafeGuard Enterprise Database.
In case a customer does not have an Active Directory or the directory should not be imported it is also
possible to use the Autoregistration feature of SafeGuard Enterprise. Please read the SafeGuard
Enterprise Administrator Help for further information.
This example will have a domain (TESTDOMAIN.COM) and therefore the structure will be imported.
This is the most common scenario.
The Active Directory import is done like this:
1. Open Start > All Programs > Sophos > SafeGuard > SafeGuard Management Center.
2. Authenticate to the SafeGuard Management Center using the certificate password which was
defined before (in this example 123456).
3. The SafeGuard Management Center will open.
4. In the lower left-hand pane select Users and Computers. After that select Root [Filter is active]
in the top left window.
33
33
SafeGuard Enterprise
5. In the right hand pane select the Synchronize tab.
6. The LDAP Authentication wizard will automatically start. Within this wizard the
communication details to import the Active Directory into SafeGuard Enterprise are defined.
Enter the logon credentials which should be used to synchronize the Active Directory and
specify the server name or the IP address of the Domain controller! The user name should be
[email protected] otherwise a LDAP information box might come up at every synch.
Note: The synchronization will be done in the context of the user defined in this wizard!
Therefore, it is required that the user has sufficient rights on the Active Directory objects that
should be imported. However the user can be a normal AD user and does not have to be
member of the administrative group. The SafeGuard Enterprise synchronization will only read
information and not modify the Active Directory at any time!
After submitting the data by clicking OK a positive result should be displayed on the screen.
34
Installation Best Practice
7. As soon as the directory connection is successfully established the Directory DSN field will
display domain information.
8. After that click the binocular symbol in order to list the Active Directory – depending on the
number of objects the reading of the Active Directory information might take a while.
As soon as the reading process has completed, the domain structure is displayed in the center
pane. Select the organizational units that should be imported into SafeGuard Enterprise by
clicking the referencing check boxes. It is not possible to select single machines, groups or user
objects only. However, it is possible to select organizational units only.
Then decide if Active Directory group memberships should be synchronized with the
SafeGuard Management Center. The import of Active Directory groups can be skipped by unchecking the Synchronize memberships box.
35
35
SafeGuard Enterprise
Note: SafeGuard Enterprise creates a key for every Container, Organizational Unit (OU) and
domain object that is imported by default. The creation of keys can be quite time consuming
and resource allocating. As a result of this we recommend (especially when importing large.
environments) not to enable the key creation for groups if not required. If group memberships
are not required for the use-case, unchecking “synchronize memberships” can speed up the
import/sync process.
9. Start the synchronization by clicking Synchronize. The detailed information from the Active
Directory will now be read.
10. At the end of the synchronization a summary with all changes will be shown. In case the
number of read objects exceeds a certain number a non- graphical summary will be shown.
This example shows the normal behavior.
By clicking OK all changes will be written into the SafeGuard Enterprise Database.
11. As soon as this is completed the domain structure is displayed in the left-hand pane.
12. The import of the Active Directory in the SafeGuard Management Center is now completed.
36
Installation Best Practice
3.5
Importing the license file
SafeGuard Enterprise has an integrated license counter. By default a fixed number of 5 licenses for
every available SafeGuard Enterprise module is part of the installation. This should enable the
evaluation of other SafeGuard Enterprise modules easily without any side effects. However, when
purchasing SafeGuard Enterprise every customer receives a personalized license file for their company
which needs to be imported into the SafeGuard Management Center.
Note: Further information regarding the licensing model of SafeGuard Enterprise can be found in the
SafeGuard Enterprise Administrator Help or via the sales department.
Importing the license file is very easy. The required steps are:
1. Safe the license file (the XML file) on a local hard drive so that it can be reached from a
machine that has the SafeGuard Management Center installed.
2. In the SafeGuard Management Center click on Root in the left hand pane and then on the
Licenses tab on the right hand side.
3. The license overview will be displayed showing 5 licenses for every module. In the lower left
corner of the center pane press the Import license file…button.
4. An open file dialog is displayed. Browse to the license xml file and click Open.
37
37
SafeGuard Enterprise
5. The Apply license? dialog is displayed. Validate that the number of licenses matches
the purchase order and check that the company name is ok. To complete this step, click Apply
license.
6. After that, the center frame should show the correct license information.
The installation of the SafeGuard Management Center is now completed. The next step is to complete
the installation of the SafeGuard Enterprise Server.
38
Installation Best Practice
4. Installing the SafeGuard Enterprise Server configuration
package
At the moment the SafeGuard Enterprise server is installed. However, no communication information
to connect to the SafeGuard database is available.
Communication information (between the IIS server, the database, the SafeGuard client and the IIS
server) is “implemented” by installing a so-called configuration package. These configuration packages
are created in the SafeGuard Management Center.
4.1
Quick installation reference
1. Create the server configuration package.
2. Install the server configuration package on the SafeGuard Enterprise Server.
3. Run the invoke test.
4.2
Creating the SafeGuard Enterprise Server
configuration package
So in order to complete the installation of the SafeGuard Enterprise Server it is necessary to create a
new server configuration package. In order to create this file, follow these steps in the SafeGuard
Management Center:
1. Open Start > All Programs > Sophos > SafeGuard > SafeGuard Management Center.
2. Tools > Configuration Package Tool > Servers tab.
3. Click Add…
39
39
SafeGuard Enterprise
4. In the next window browse the SafeGuard Enterprise server certificate which can be found
under C:\Program Files\Sophos\SafeGuard Enterprise\MachCert on the IIS server that runs the
SafeGuard Enterprise Server.
As soon as the certificate is imported the FQDN Name of the SafeGuard Enterprise Server is
displayed in the server name field.
5. A new entry appears on the Register Server tab.
40
Installation Best Practice
6. Switch to the Server packages tab. Select the server entry from the list. Define the
Configuration Package output path. Click Create Configuration Package.
The output name of the file will be [Server FQDN Name.msi].
7. Copy the newly created server configuration package to the IIS machine that runs the
SafeGuard Enterprise Server.
4.3
Installing the SafeGuard Enterprise Server
configuration package
The installation of the server configuration package is straight forward.
1.
2.
3.
4.
5.
Switch to the machine that runs the SafeGuard Enterprise Server.
Copy the server configuration package to the server.
Run the MSI package by double-clicking it.
Accept all defaults in the installation wizard.
The package will not need a reboot.
The installation of the SafeGuard Enterprise Server is now completed. The next step is to verify that
everything is working as expected.
4.4
Running the invoke test
SafeGuard Enterprise offers a possibility to check if the SafeGuard Enterprise Server is correctly
configured and working.
Note: Whenever changing something in the back-end such as logon data to the SQL server we
recommend running an invoke test to double-check that the communication between the SafeGuard
Enterprise server and the database is still working. The same applies to any changes to the IUSR under
Windows.
41
41
SafeGuard Enterprise
The invoke test is part of the SafeGuard Enterprise web page SGNSRV. To run the test take these steps:
1. Open the Internet Information Services Manager (Start > run > inetmgr.exe) and browse to
the SGNSRV web page.
2. The /SGNSRV Home page will open in the center pane. In the right hand pane click on
Browse *:80 (http) in the Manage Application section.
42
Installation Best Practice
A new Internet Explorer window is displayed showing the following page:
3. Click Check Connection.
4. In the next window, click Invoke.
A new Internet Explorer window is displayed and should display the following result:
43
43
SafeGuard Enterprise
5. Configuring the SGNSRV web page to accept a
certificate and assigning the certificate
SafeGuard Enterprise is set up to provide communication between the client and the back-end. This
communication is secured. At the moment there are two possible communication methods available to
secure the data transfer:


Using the integrated encryption method
Using certificate based SSL
This document describes how to implement SSL in order to secure the communication between the
SafeGuard Enterprise client and the back end.
The main advantage of using SSL is the performance win compared to the integrated encryption. Using
SSL is approximately 40% faster and can furthermore parallelize connections to multiple threads and
CPU’s.
Using SSL encryption to secure the communication between the SafeGuard Enterprise client and the
back-end requires a valid certificate. The following certificate types can be used in order to secure the
communication:
1.
2.
A self- signed certificate
Certificate issued by a PKI having a private or a public root certificate
Technically there is no difference between using a certificate published by a PKI with a public or a
private root certificate. This document will describe the installation procedure using a self-signed
certificate as well as using a PKI generated certificate.
Important note: In case only a certificate created by a public PKI and no PKI infrastructure is
available it is not possible to use this certificate to secure the communication with SSL.
5.1
Quick installation reference
1. Create a new self-signed certificate.
2. Configure the SGNSRV web page to accept a certificate.
3. Deploy the certificate.
44
Installation Best Practice
5.2
Creating a self-signed certificate
In order to create a self- signed certificate using SafeGuard Enterprise please follow these steps:
1. Open the Internet Information Server (IIS) Manager on the machine which hosts the
SafeGuard Enterprise Server.
2. Check the name of the server that is displayed at the top node.
3. Open the SafeGuard Certificate Manager (which is installed on the same machine as the
SafeGuard Management Center) via Start > All Programs > Sophos > SafeGuard Enterprise >
SafeGuard Certificate Manager.
4. Enter the password for the certificate store.
Important note: In order to authenticate use the same password that is used to log on to the
SafeGuard Management Center: in this example it would be 123456.
45
45
SafeGuard Enterprise
5. Create a new certificate. The name of the certificate must be the same as the name of the machine
which was gathered in step 2 having the current domain suffix (FQDN name of the IIS box).
In this case the certificate`s name would be “WIN-8YQWL7BZGMS.testdomain.com” since the
name of the machine is “WIN-8YQWL7BZGMS” and the name of the domain is
“testdomain.com”.
The key length of the certificate remains on the default value. The password can be set just as
desired.
6. After pressing OK save the cert and the .p12 file to a destination that can be reached from the
machine which hosts the IIS.
Note:
If you´re using a PKI please create a certificate for the machine that is running the SafeGuard
Enterprise Server. The certificate’s name must be identical to the identity that is shown in the Internet
Information Service (IIS) Manager top node. Besides this the certificate must be issued to the machine
using the FQDN name of this machine.
46
Installation Best Practice
5.3
Configuring the SGNSRV web page to accept certificates
As soon as a valid certificate in order to use SSL is available, it is possible to configure the SGNSRV
web page to accept a certificate secured connection. To do so, follow these steps:
1. Open the Internet Information Services (IIS) Manager.
2. Click on the server name.
3. From the center menu, double-click the "Server Certificates" button in the "IIS" section center
pane.
4. From the Actions menu (on the right), select Import. The Import Certificate wizard is opened.
5. In the open dialog change the file extension to *.* and browse to the location where the .p12
and the .cer file are stored. Select the p12 file that was created before. In case that file
extensions are disabled please select the file with the description Personal information
Exchange”
47
47
SafeGuard Enterprise
6. Once the certificate has been installed successfully on the server, you will need to assign that
certificate to the appropriate website using IIS.
From the Connections pane on the left-hand side in the main Internet Information Services
(IIS) Manager window, select the name of the server on which the certificate was installed.
7. Under Sites, select the site to be secured with SSL.
8. From the Actions menu (on the right), select Bindings. This will open the Site Bindings
window.
9. In the Site Bindings window, click Add... This will open the Add Site Binding window.
10. Under Type choose https. The IP address should be All Unassigned, and the Port over which
traffic will be secured by SSL is 443. The SSL certificate field should specify the certificate that
was installed before.
48
Installation Best Practice
11. Click OK.
The certificate is now installed and the website configured to accept secure connections.
5.4
Deploying the certificate to the clients
To complete the SSL configuration, you need to deploy the certificate on the SafeGuard Enterprise
Clients as well
There are multiple ways of assigning a certificate to a client. One way of doing the assignment, is using
a Microsoft Group Policy. This is the way that will be described here. In case a different way of
distribution should be used, please ensure that the certificate is stored in the Computer Certificate
Store.
To assign the certificate to the client using the Active Directory group policy mechanism perform the
following steps.
Note: Ensure that the policy with the certificate deployment reaches all machines that should be
installed with SafeGuard Enterprise especially if these objects are not centrally stored in one single OU.
The detailed steps are:
1. Open the Group Policy Management console (Start > Run > Gpmc.msc).
2. Create a new group policy object.
3. Open the new GPO and browse to Computer Configuration > Windows settings > Security.
Settings > Public Key Policies > Trusted Root Certification Authorities.
4. Right-click in the right-hand pane window and click Import.
49
49
SafeGuard Enterprise
5. Browse to the .cer file which was created to secure the communication and select it.
6. By default the certificate will be located in the correct Certificate store on the client.
50
Installation Best Practice
7. Having completed this successfully the GPO will look like this:
8. Browse back to the Public Key Policies node. Right-click on Certificate Services Client Auto-Enrollment in the right-hand pane and select Properties.
51
51
SafeGuard Enterprise
9. Activate the automatic enrollment of certificates. This will ensure that every client receives the
required policy.
10. Apply the changes and close the snap-in.
The configuration of the SafeGuard Enterprise back-end is now completed!
The next step is to proceed with the installation of the client.
52
Installation Best Practice
6. Installing the SafeGuard Enterprise Client
As soon as the back-end is running the deployment and installation of the SafeGuard Enterprise Client
can begin.
The installation of the SafeGuard Enterprise Client is straight forward. However, there are some things
that should be considered such as preparation tasks prior to the installation. Although these steps are
only optional we highly recommend following these steps to ensure a smooth implementation.
The SafeGuard Enterprise Client can be installed on different kinds of hardware and on different
operating systems. A full list of all supported operating systems and the minimum system requirements
can be found in the Release Notes which are available for each SafeGuard Enterprise version in the
Sophos Knowledge Database.
Besides this there is a list of hardware which has been tested successfully or which is already known to
need a POA hot key to function properly. Further details about SafeGuard Enterprise POA hot keys
can be found in our knowledge base under http://www.sophos.com/support/ > please use SGN POA hot
key or SGN hardware as search expression. Reading these articles is highly recommended before
starting the installation of the SafeGuard Enterprise client.
This example will use a Windows 7 (32 bit) machine to demonstrate the installation.
6.1
Quick installation reference
1. Check that the certificate has reached the client.
2. Prepare the operating system using chkdsk /f /v /x and defrag.
3. Install the SafeGuard Client package including the latest hardware compatibility file
(POACFG).
4. Create a new client configuration package.
5. Install the client configuration package.
6. First reboot and user initialization.
6.2
Checking the certificate arrival on the client
In order to check if the certificate was distributed correctly please take these actions.
The certificate must be assigned to the computer and not to the user. The certificate file must be
available in the Certificate Store of Microsoft under Trusted Root Certification Authorities (in case of
having a PKI running this is not required).
In order to do so please follow these steps on the client:
1. Log on to the machine using an administrative account.
2. Click Start > Run > mmc.
53
53
SafeGuard Enterprise
3. In the Console1 window, click the File menu and then click the Add/Remove Snap-in
command.
4. In the Add/Remove Snap-in dialog box select Certificates in the left hand pane and click the
Add button in the center afterwards.
54
Installation Best Practice
5. Select the Computer account option on the Certificates snap-in page.
6. Select Local computer: (the computer this console is running on) on the Select Computer
page. Click Finish.
55
55
SafeGuard Enterprise
7. Click OK in the Add Standalone Snap-in dialog box.
8. In the left pane click Console Root > Certificates (Local Computer) > Trusted Root
Certification Authorities > Certificates.
9. Check in the right hand pane if the certificate created before is displayed.
In case the certificate appears this step is completed.
Note: If the certificate does not appear take these steps:
a. Start > run > gpupdate /force > a Windows command box is displayed.
b. Wait until the box has closed and perform the above steps again starting at 1.
56
Installation Best Practice
6.3
Preparing the client for installation
SafeGuard Enterprise is deeply connected to the system after the installation. Even if it is possible to
start the client installation without checking the system in any way it is highly recommended to
perform these steps prior to the installation. This will ensure that the installation and the encryption of
the local drives will not fail.
The main preparation points are:


Before installing SafeGuard Enterprise, back up your data media completely.
Use CHKDSK to check the hard disks for errors (further information can be found in the
Knowledge Base searching for 107799). It is not recommended to install SafeGuard Enterprise on a
faulty HDD.
Note: When running chkdsk /f /v /x on your system a reboot will be required. Do not start the
SafeGuard Enterprise installation without having done this reboot before (if using chkdsk)!




If you use a 3rd-party boot manager, consider re-installing the system without the boot manager.
If an imaging tool was used to install the operating system, it is recommended to "re-write" the
master boot record (MBR). To install SafeGuard Enterprise a "spotless" master boot record is
needed. The use of imaging/cloning programs may have affected the state of this record.
The master boot record can be cleaned by booting from a Windows 7 CD and using the relevant
command within the recovery console.
If the boot partition on the endpoint has been converted from FAT to NTFS and the endpoint has
not been restarted since, restart the endpoint once. Otherwise the installation might not be
completed successfully. If the system was not changed this step can be skipped.
Defragment the harddrive – further information regarding this can be found
in http://www.sophos.com/support/knowledgebase/article/109226.html - How and why to use
"defrag" within Windows
Proceed with the installation after finishing the above mentioned steps. In case that the steps are not
taken proceed directly with the installation.
57
57
SafeGuard Enterprise
6.4
Installing the SGNClient.msi and the SGxClientPreinstall.msi
Beginning with SafeGuard Enterprise 5.50 the client installation is divided into four steps:
1.
2.
3.
4.
Consider the pre-installation steps in chapter 6.2.
Installing the SGxClientPreinstall.msi.
Installing the SGNClient.msi.
Installing the SafeGuard Enterprise configuration package with subsequent reboot.
In earlier versions (prior to SafeGuard Enterprise 5.50) it was not necessary to install the
SGxClientPreinstall.msi package. Due to changes in the technology it is now required to install this
package additionally. Alternatively it is possible to install the Microsoft VCredist.exe package that is
also available on the Product delivery.
To install the SafeGuard Enterprise Client follow these steps:
1. Copy the SGNClient.msi package and the SGxClientPreinstall.msi package to the client that
should be installed with SafeGuard Enterprise.
Note: Do not copy the files into a temporary folder (C:\ Temp or in the root of a drive) but
create one – for example use C:\SGN. There might be issues with the installation when using
C:\Temp or the root of the C:\ drive as installation source location.
2. First install the SGxClientPreinstall.msi package – the installation is done by double-clicking
the MSI package. The installer does not require any configuration
3. As soon as the installer is finished download the current POACFG file as described in the
knowledgebase: http://www.sophos.com/support/knowledgebase/article/65700.html.
Note: The POACFG file is constantly updated on a monthly basis. Before starting any client
installation please check if a new revision of the POACFG file is available. We recommend
using the latest file for new installations.
4. Download the latest version of the file and save it centrally so that it can be reached from every
client.
5. Open a new command line box on the client machine (Start > run > cmd).
6. Change to the folder containing the SafeGuard Enterprise installation binaries (C:\SGN in this
case).
58
Installation Best Practice
7. Start the installation using this command:
MSIEXEC /i <client.msi> POACFG=<path of the POA configuration file>
In this case: msiexec /i SGNClient.msi POACFG="POACFG_December.xml”
8. The SafeGuard Enterprise Client installation wizard starts.
9. Go through the installation wizard:
a. Accept the legal disclaimer.
b. Select the installation path. Do not change the destination path.
c. Select the modules to be installed. In case only the Device Encryption module should
be used. Select Typical as installation type.
6.5
Creating the SafeGuard Enterprise Client
configuration package
The installation of the SafeGuard Enterprise Client is completed by installing a configuration package.
This package is created in the SafeGuard Enterprise Management Center. Therefore, do the following:
1.
2.
3.
4.
5.
6.
Switch to the machine that hosts the SafeGuard Management Center.
Open the SafeGuard Management Center.
Select Tools > Configuration Package Tool > Managed client packages.
Click Add Configuration Package.
Define the output name of the file.
Select the server and define the transport encryption as SSL > Sophos is default.
7. Save the client configuration file via Configuration Package output path (lower right corner)
and Create Configuration Package at a place where it can be reached by every client.
59
59
SafeGuard Enterprise
6.6
Installing the client configuration package
As soon as the client configuration file is created, install it on the client as follows:.
1. Copy the client configuration file to the machine on which the SafeGuard Enterprise Client
was recently installed.
2. Double-click the configuration package (MSI file). This will start the installation. The package
does not require any configuration.
3. As soon as the installation is done, you are prompted to reboot the computer. Reboot the
machine at this point and do not skip the dialog.
6.7
Rebooting the machine after installation and initializing
the user
At the end of the configuration package installation the machine forces a reboot. During this reboot
the SafeGuard Enterprise Kernel will be written and the POA is initialized. This reboot will be like this:
1. The machine reboots.
2. Windows is starting dialog comes up.
3. The screen changes > SafeGuard Enterprise Kernel is written > the machine reboots again
without loading Windows.
4. Now the POA is displayed for the first time however, in autologon mode booting straight to
Windows.
5. At the Windows logon dialog select the SafeGuard Enterprise credential provider (Switch user
> select the key icon symbol >select the user name) and log on with your Windows credentials.
6. In the taskbar, a new tray icon will appear.
7. As soon as the client can contact the SafeGuard Enterprise server the user initialization will be
done automatically.
8. On success a popup message confirms that Initial User synchronization completed.
The installation of the SafeGuard Enterprise Client is now complete!
60
Installation Best Practice
7. Technical support
You can find technical support for Sophos products in any of these ways:




Visit the SophosTalk forum at http://community.sophos.com/ and search for other users who are
experiencing the same problem.
Visit the Sophos support knowledgebase at http://www.sophos.com/support/.
Download the product documentation at http://www.sophos.com/support/docs/.
Send an email to [email protected], including your Sophos software version number(s),
operating system(s) and patch level(s), and the text of any error messages.
61
61
SafeGuard Enterprise
8. Legal notices
Copyright © 1996 - 2012 Sophos Group. All rights reserved. SafeGuard is a registered trademark of
Sophos Group.
Sophos is a registered trademark of Sophos Limited, Sophos Group and Utimaco Safeware AG, as
applicable. All other product and company names mentioned are trademarks or registered trademarks
of their respective owners.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form
or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a
valid licensee where the documentation can be reproduced in accordance with the license terms or you
otherwise have the prior permission in writing of the copyright owner.
62
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement