Preinstallation Planning. Microweb PRO Series



Chapter 1: Preinstallation Planning

This chapter describes the following:

• Server Requirements

• Information Needed to Install IWSVA

• Planning Network Traffic Protection

Trend Micro™ InterScan™ Web Security Virtual Appliance 6.5 Installation Guide

Server Requirements

Operating System

A purpose-built, hardened, and performance-tuned 64-bit operating system is included with InterScan Web Security Virtual Appliance (IWSVA).

Hardware Requirements

The minimum requirements specified provide enough resources to properly evaluate the product under light traffic loads. The recommended requirements specified provide general production sizing guidance.

For more detailed sizing information, refer to the IWSVA Sizing Guide at: http://trendedge.trendmicro.com/pr/tm/te/web-security.aspx

Search for “sizing guide”.

Minimum Requirements:

• Single 2.0 GHz Intel™ Core2Duo™ 64-bit processor supporting Intel™ VT™ or equivalent

• 4GB RAM

• 50GB of disk space (IWSVA automatically partitions the detected disk space as required)

Note: 50GB of disk space is only appropriate for the testing environment. See Recommended Requirements: on page 1-2 for the disk space in the production environment.

• Monitor that supports 1024 x 768 resolution with 256 colors or higher

Recommended Requirements:

• Dual 2.8 GHz Intel Core2Duo 64-bit processor or equivalent for up to 4000 users

• Dual 3.16 GHz Intel QuadCore 64-bit processor or equivalent for up to 9500 users

• 300GB of disk space or more for log intensive environments. IWSVA automatically partitions the detected disk space as per recommended Linux practices


Server Platform Compatibility

IWSVA should install and operate without issues on many brands of “off-the-shelf” server platforms. However, Trend Micro cannot guarantee 100% compatibility with all brands and models of server platforms.

To obtain a list of Trend Micro certified servers that are compatible with IWSVA, access the following URL: http://www.trendmicro.com/go/certified

To obtain a general list of available platforms that should operate with IWSVA, access the following URL: http://wiki.centos.org/HardwareList

Trend Micro cannot guarantee full compatibility with the hardware components from this general list.

Component Installation

During installation, the following Trend Micro components are automatically installed:

• Main Program—Management console and the basic library files necessary for IWSVA.

• Application Control—Service to control application usage by protocol.

• HTTP Malware Scan—Service necessary for HTTP scanning (either ICAP or HTTP proxy) and URL blocking.

• FTP Scanning—Service necessary for FTP scanning.

• URL Filtering—Service necessary for URL filtering.

• Applets and ActiveX Scanning—Service necessary for scanning Java applets and ActiveX controls.

• SNMP Notifications—Service to send SNMP traps to SNMP-compliant network management software.

• Control Manager Agent for IWSVA—Files necessary for the Control Manager agent. You need to install the agent if you are using Control Manager (Trend Micro’s central management console).

• Command Line Interface—A custom CLI shell to manage IWSVA from the command line, either by TTY or SSH.


During installation, the following open-source application is installed for convenience, but is not enabled by default:

Squid—To provide optional content caching.

Web Browser

To access the HTTP-based Web console, use any of the browsers in Table 1-1.

Table 1-1. Supported Web Browsers for Web Console Access

Browser rows:

• IE 9.0, 10, 11

• Firefox 15, 16+

• Google Chrome 35+

Operating system columns: Windows (XP, Windows 7 SP1), Linux (CentOS 6)

To access the Internet through IWSVA, use any of the browsers in Table 1-2.

Table 1-2. Supported Web Browsers for Internet Access

Browser rows:

• IE 8.0

• IE 9.0, 10, 11

• Firefox 30+

• Safari 5, 6+

• Google Chrome 35+

Operating system columns: Windows (XP, Windows 7 SP1), Linux (CentOS 6), Mac OS X


Other Requirements

• Database Requirements:

• PostgreSQL v9.2.8 (included)

• Internet Content Adaptation Protocol (ICAP):

• NetApp™ NetCache™ release 6.0.1

• Blue Coat Systems™ SGOS v5

• Cisco ICAP servers: CE version 5.3

• Any cache server that is ICAP 1.0 compliant

• Directory Servers:

To configure policies based on Lightweight Directory Access Protocol (LDAP) users and groups, IWSVA can integrate with the following LDAP directories:

• Microsoft Active Directory 2003, 2008 and 2012.

• Linux OpenLDAP Directory 2.2.16 or 2.3.39

• Sun™ Java System Directory Server 5.2 (formerly Sun™ ONE Directory Server)

• Novell eDirectory 8.8

• Transparent Bridge:

• Each transparent bridge segment supported by IWSVA requires two network interface cards.

• Web Cache Content Protocol (WCCP):

Trend Micro recommends using the following Cisco IOS versions when configuring WCCP with IWSVA:

• 12.2(0) to 12.2(22). Avoid using releases 23 and above within the 12.2 family

• 12.3(10) and above. Avoid using releases 0-9 in the 12.3 family

• IOS 15.1(1)T3 or above should be used

• Other Requirements:

• For proxy deployment modes, network clients must be able to access the HTTP port of the IWSVA server that is selected during the install.

• IWSVA server and clients must be able to communicate with each other over the corporate network.
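
A pre-deployment check of router IOS versions against the WCCP list above, written as an added Python example rather than anything from the guide. The status labels, router names and sample versions are constructed, and reading "15.1(1)T3 or above" as a numeric comparison that ignores the train letter is an assumption.

```python
import re

# major.minor(release) + optional train letters and rebuild, e.g. "15.1(1)T3"
_IOS_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)[a-z]?\)([A-Z]*)(\d*)")

def parse_ios_version(text):
    """Return (major, minor, release, train, rebuild); raise ValueError if malformed."""
    m = _IOS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version string: {text!r}")
    major, minor, release, train, rebuild = m.groups()
    return int(major), int(minor), int(release), train, int(rebuild or 0)

def wccp_ios_status(text):
    """Classify an IOS version against the WCCP list in this guide."""
    major, minor, release, _train, rebuild = parse_ios_version(text)
    if (major, minor) == (12, 2):      # 12.2(0) to 12.2(22); avoid 23 and above
        return "recommended" if release <= 22 else "avoid"
    if (major, minor) == (12, 3):      # 12.3(10) and above; avoid 0-9
        return "recommended" if release >= 10 else "avoid"
    if major == 15:
        # Assumption: numeric compare on (minor, release, rebuild); train ignored.
        ok = (minor, release, rebuild) >= (1, 1, 3)
        return "recommended" if ok else "below-minimum"
    return "not-listed"                # family the guide does not mention

# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_ROUTERS = {
    "edge-rtr-1": "12.2(18)",
    "edge-rtr-2": "12.2(25)S",
    "core-rtr-1": "12.3(8)T",
    "core-rtr-2": "15.1(1)T3",
    "lab-rtr-1": "12.4(15)T",
}

def audit(routers):
    """Map each router to its status; malformed strings are flagged, not dropped."""
    report = {}
    for name, version in routers.items():
        try:
            report[name] = wccp_ios_status(version)
        except ValueError:
            report[name] = "unparseable"
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE_ROUTERS).items():
        print(f"{name}: {SAMPLE_ROUTERS[name]} -> {status}")
```
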


Information Needed to Install IWSVA

You can either purchase or download a 30-day trial version of IWSVA. The 30-day trial version provides all the functionality of IWSVA.

The IWSVA setup program prompts you for required information, depending on the options chosen during installation.

Before beginning, determine the type of installation you should do:

• For new customers doing fresh installations, see Chapter 2, Deployment Primer on page 2-1 for product placement advice and Chapter 3, Installing InterScan Web Security Virtual Appliance on page 3-1.

• For returning customers migrating from older versions of IWSVA, see Chapter 4, Migrating to InterScan Web Security Virtual Appliance to migrate data and Chapter 3, Installing InterScan Web Security Virtual Appliance on page 3-1 for fresh installation instructions.

Fresh Installation

IWSVA only supports fresh installations if you are running a version of IWSVA older than IWSVA 6.5. Upgrading an existing IWSS or IWSA installation is not supported.

The fresh installation process formats your existing system to install IWSVA (see Installing IWSVA on page 3-4).

Migration

IWSVA 6.5 supports existing configuration and policy data migration from the following Trend Micro Products:

• InterScan Web Security Virtual Appliance 5.6 (same language version)

• InterScan Web Security Virtual Appliance 6.0 (same language version)

• InterScan Web Security Virtual Appliance 6.0 SP1 (same language version)

• InterScan Web Security Virtual Appliance 6.5 (same language version)

For more information about migration, see Chapter 4, Migrating to InterScan Web Security Virtual Appliance.


Type of Proxy Configuration

IWSVA supports multiple deployment modes.

• Forward proxy where clients directly connect to IWSVA.

• Upstream proxy to another existing internal proxy server

• ICAP Server to an existing ICAP 1.0 compliant cache controller

• WCCP client to a configured WCCP-enabled router or firewall

• Transparent Bridge Mode

• Reverse proxy to protect a Web server

The deployment is configured after the IWSVA installation and it can be changed using the Deployment Wizard in the Web console. Each transparent bridge segment supported by IWSVA requires two network interface cards. See Planning the HTTP Flow on page 2-5 and Planning FTP Flows on page 2-7.

Control Manager Server Information

Control Manager registration is performed through the IWSVA Web UI after the IWSVA installation is complete.

Database Type and Location

IWSVA uses the PostgreSQL database for policies, rules, and configuration settings. A local PostgreSQL installation is performed during IWSVA installation.

SNMP Notifications

If you plan to use SNMP notifications, the IWSVA setup program installs the appropriate SNMP libraries.

Web Console Password

Access to the IWSVA Web console is controlled initially through a default username “admin.” The password is set during installation from the ISO file.


Tip: For security reasons, Trend Micro recommends that you change the admin password after you log in to the Web console the first time.

Tip: The passwords for the OS account "root", the CLI account "enable", and the IWSS account "admin" are the same after installing from the ISO file. The IWSVA administrator can make them different. For details, refer to the Administrator Guide.

Command Line Access

IWSVA provides a Command Line Interface (CLI) to allow configuration of the appliance using an industry standard CLI syntax. The CLI offers additional commands and functionality to manage, troubleshoot, and maintain IWSVA. The CLI can be accessed using a local console keyboard and monitor or remotely through SSHv2.

Proxy for Internet Updates

If you have a proxy host between IWSVA and the Internet, you must configure the IWSVA's proxy settings in order to receive updates from Trend Micro. From the menu, choose Updates > Connection Settings to configure the upstream proxy settings. See the Administrator’s Guide for more details.

Activation Codes

Activating the three IWSVA modules (core program, URL Filtering, and Applet and ActiveX Scanning) requires a single activation code. IWSVA includes one registration key for all the modules. During product registration, the Registration Key is exchanged for an Activation Code that “unlocks” the program. You can register the installation and exchange the registration key for an activation code from a link in the setup program.

Alternatively, you can register and obtain an activation code before installing by visiting Trend Micro’s online registration Web site at: https://olr.trendmicro.com


Planning Network Traffic Protection

IWSVA can be deployed in different modes to help secure your network (see Chapter 2, Deployment Primer). IWSVA supports the following deployment topologies:

• Transparent Bridge Mode

• Forward Proxy Mode

• Reverse Proxy Mode

• ICAP Mode

• Simple Transparency Mode

• WCCP Mode

Transparent Bridge Mode

IWSVA acts as a bridge between network devices such as routers and switches. IWSVA scans passing HTTP and FTP traffic without the need to modify the browser or network settings. This is the easiest deployment mode with traffic being scanned in both directions.

An additional dependency for this deployment mode is two network interface cards per transparent bridge segment protected with IWSVA. Trend Micro recommends that the following network cards be used to ensure maximum compatibility in this deployment mode:

• Broadcom NetXtreme Series

• Intel Pro/1000 PT Dual Port Server Adapter

• Intel Pro/1000 MF Dual Port Fiber

IWSVA 6.5 features an optional High Availability (HA) deployment mode. In this mode, two IWSVA 6.5 nodes are configured as an HA cluster. In this configuration one of the nodes is designated as the parent, or active node, and is connected to a child, or passive node, through a “heartbeat” link.

In HA deployment mode, the parent node processes all “live” traffic while the child node remains in a passive state. If a failure in the parent node is detected, the child node then becomes the active node and the parent node is taken offline.

The HA deployment mode is only supported in Transparent Bridge mode.


For further details on the Transparent Bridge Mode, see Deploying in Transparent Bridge Mode on page 2-33.

Forward Proxy Mode

IWSVA acts as an upstream proxy for network clients. Client browser settings must be configured to redirect traffic to IWSVA. IWSVA scans HTTP and FTP traffic and there is no separate need for another dedicated proxy server. Content is scanned in both the inbound and outbound directions.

The Forward Proxy Mode also forwards all traffic to another upstream proxy server.

For more details on the Forward Proxy mode, see Deploying in Forward Proxy Mode on page 2-10.

Reverse Proxy Mode

IWSVA is deployed in front of a Web server. IWSVA scans HTTP and FTP content that clients upload to a Web server as well as content that is downloaded from the Web server to the clients, and helps secure the Web server.

For more details on the Reverse Proxy Mode, see Deploying in Reverse Proxy Mode on page 2-29.

ICAP Mode

IWSVA acts as an ICAP proxy and accepts ICAP connections from an ICAP v1.0 compliant cache server. Cache servers can help reduce the overall bandwidth requirements and reduce latency by serving cached content locally. IWSVA scans and secures all content returned to the cache server and to the clients.

For more details on the ICAP mode, see Deploying in ICAP Mode on page 2-23.

Simple Transparency Mode

IWSVA's Forward Proxy Mode supports simple transparency with popular Layer 4 load balancing switches and provides HTTP scanning without the need to modify the client's browser settings.


For more details on the Simple Transparency Mode, see HTTP Proxy in Simple Transparency Mode on page 2-16.

WCCP Mode

IWSVA works with Cisco's WCCP protocol to provide content scanning for Web and FTP traffic without the need to modify client configurations, and allows redundancy and scalability to be designed into the architecture without additional hardware.

For more details on the WCCP Mode, see Deploying in WCCP Mode on page 2-23.
