7/29/2019 CATD UNC Implementation En
Implementation Guide
r12
Total Defense for Unified Network Control
This documentation, which includes embedded help systems and electronically distributed materials (hereinafter
collectively referred to as the "Documentation"), is for your informational purposes only and is subject to change or
withdrawal by Total Defense at any time.
The Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in
part, without the prior written consent of Total Defense. The Documentation is confidential and proprietary
information of Total Defense and may not be disclosed by you or used for any purpose other than as may be
permitted in (i) a separate agreement between you and Total Defense governing your use of the Total Defense
software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and Total
Defense.
Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the
Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation
for internal use by you and your employees in connection with that software, provided that all Total Defense
copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the
applicable license for such software remains in full force and effect. Should the license terminate for any reason, it
is your responsibility to certify in writing to Total Defense that all copies and partial copies of the Documentation
have been returned to Total Defense or destroyed.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE DOCUMENTATION IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL TOTAL
DEFENSE BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE
USE OF THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS
INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF TOTAL DEFENSE IS EXPRESSLY ADVISED IN ADVANCE OF
THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement
and such license agreement is not modified in any way by the terms of this notice.
The manufacturer of the Documentation is Total Defense.
The Documentation is provided with "Restricted Rights." Use, duplication or disclosure by the United States
Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2)
and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.
Copyright 2011 Total Defense, Inc. All rights reserved. All trademarks, trade names, service marks, and logos
referenced in the Documentation are the property of their respective owners.
Contact Total Defense
Contact Technical Support
For your convenience, Total Defense provides one site where you can access
the information you need for your Home Office, Small Business, and Enterprise
Total Defense products. At http://www.totaldefense.com/support, you can
access the following:
- Online and telephone contact information for technical assistance and customer services
- Information about user communities and forums
- Product and documentation downloads
- Total Defense support policies and guidelines
- Other helpful resources appropriate for your product
Product References
This document references the following Total Defense products:
Total Defense Total Defense for Unified Network Control
Contents
Chapter 1: Introducing Total Defense for Unified Network Control
  Architecture Overview
Chapter 2: Preparing to Install the Product
  Pre-Installation Checklist
    Verify Microsoft Windows Installer Version
    Verify System Requirements
    Install Internet Information Services and .NET Framework
    Install Microsoft Network Access Protection (MS-NAP)
    Configure MSMQ
    Perform Pre-installation Database Tasks
  Activate Your License
  (Optional) Use in Test Mode
Chapter 3: Installing the Infrastructure
  Management Server Host Names
  Install Server Components (Standalone Install)
  Install Server Components (Distributed Install)
  Install Server Components (Combined Standalone Install)
  Install Server Components (Combined Distributed Install)
    First-Time Install
    Subsequent Install
  Verify Services are Running
Chapter 4: Enabling JavaScript in the Web Browser
Chapter 5: Installing the Client Agent
  Prepare to Install the Client Agent
    Install Microsoft Network Access Protection (MS-NAP) Agent
  Install the Client Agent
  Configure the Client Agent
    Configure the Communication Server IP Address and Port
Chapter 6: Uninstalling and Repairing Server Components
  Uninstall and Repair
Appendix A: Troubleshooting
  Management Server
    Reimporting the SSL Certificate
    Locating Error Logs
  Communication Server
    Verifying the Presence of the System Health Validator
  Uninstalling Servers
Chapter 1: Introducing Total Defense for Unified Network Control
Architecture Overview
A standard Total Defense for Unified Network Control installation consists of:
- One Management Server
- One Reporting Server
- One or more Communication Servers
- One or more Client Agents
The Management Server controls the installation. With the Management
Console, the server's graphical user interface, you can manage all aspects of
the installation, including databases, reports, events, policies, user access, and
licenses. Dashboard panels display Total Defense for Unified Network Control
status information. Events are related to the assessment, quarantine, and
remediation of endpoint devices. Policies define the Minimum Baseline
Standard (MBS) for endpoint devices that comply with network security
requirements.
The Reporting Server is the reporting and event management component of
an installation. It builds the standard policy-based and custom reports that
you request through the Management Console.
The Management Server, Reporting Server, and Communication Server can be
installed on the same computer or on separate computers. The Client Agent is
installed on an endpoint device. The Communication Server and Client Agent
cannot be installed on the same computer.
A Communication Server is the conduit between the Management Server and
its assigned Client Agents on the endpoint devices. It also validates the
applicability of a policy, assesses the MBS compliance of an endpoint device,
and triggers remediation of that device when necessary.
A Client Agent resides on an endpoint device and collects user, machine, and
policy attribute data for the Communication Server.
Chapter 2: Preparing to Install the Product
Pre-Installation Checklist
Each of these tasks is fully described in the following sections of this chapter.
Use this checklist to check off each task as you complete it:
- Verify that you have Administrative credentials to perform the installation.
- Verify the operating system and hardware requirements for server and agent.
- Verify that the Microsoft Windows Installer version is 3.0 or higher.
- Install/enable Internet Information Services, MSMQ, CGI, and .NET Framework 3.5 SP1.
- Install Microsoft Network Access Protection (MS-NAP), if enforcement is desired.
- Perform pre-installation database tasks.
- Verify that the necessary ports are open.
- Activate your license.
- (Optional) Use test mode to make sure it meets the requirements outlined in this checklist.
Verify Microsoft Windows Installer Version
Verify that the computer on which you will run the Total Defense Installation
Wizard has version 3.0 or higher of the Microsoft Windows Installer. If you
need to download the Windows Installer, go to the Windows Download Center
and search for Windows Installer 3.0. The Windows Download Center is
located at:
http://www.microsoft.com/downloads/en/default.aspx
You can also find it in the \Common\Bin folder of the Total Defense R12
distribution medium (DVD or compressed folder) with the name "Windows
Installer v3.1 - KB893803-v2-x86.exe".
Verify System Requirements
Total Defense provides information on the minimum system requirements for
the Total Defense for Unified Network Control Servers and the Total Defense
for Unified Network Control Client Agent in the Total Defense for Unified
Network Control Release Notes. The Release Notes are located on the
installation DVD.
Once you have reviewed the system requirements, do the following:
- Select one or more computers that meet the minimum hardware and operating system requirements to host the server components.
- Verify that all endpoints meet the minimum hardware and operating system requirements to host the client agent.
Install Internet Information Services and .NET Framework
The following applications and services must be installed and running on the
host computer(s) for the Total Defense for Unified Network Control (UNC)
server components if version 7.0 or higher of Internet Information Services
(IIS) is used:
Communication Server:
- Internet Information Services (IIS)
  - IIS 7.5 on Microsoft Windows Server 2008 R2
  - IIS 7.0 on Microsoft Windows Server 2008
- .NET Framework 3.5 SP1
- MSMQ
- CGI
Management Server, Reporting Server:
- Internet Information Services (IIS)
  - IIS 7.5 on Microsoft Windows Server 2008 R2
  - IIS 7.0 on Microsoft Windows Server 2008
- .NET Framework 3.5 SP1
- ASP.NET
- .NET Extensibility
IIS is bundled with Microsoft Windows Server 2008. However, you must ensure
that IIS is installed and enabled so that the Total Defense Installation Wizard
can configure specific settings. For more information, search the Microsoft
TechNet (http://technet.microsoft.com) for discussions of IIS.
Note: A Management Server or Reporting Server running on Microsoft
Windows Server 2003 uses IIS 6.0. A Communication Server requires IIS 7.0
or higher because it can run only on Microsoft Windows Server 2008.
If .NET Framework 3.5 SP1 is not already installed on your server, you can
download it using the Microsoft Windows Update feature or from
http://www.microsoft.com/downloads.
If your computer already has IIS (any version) and .NET Framework (older
than version 3.5) installed, you need to install .NET Framework 3.5 and then
map IIS to it. The mapping identifies the .NET Framework 3.x configurations
to IIS.
Install Microsoft Network Access Protection (MS-NAP)
Total Defense for Unified Network Control (UNC) requires Microsoft Network
Access Protection (MS-NAP) for the enforcement of network policies. Before
you install the UNC Communication Server, you must install and configure
Network Policy Server (NPS) on the host computer (which must be running
Microsoft Windows Server 2008). In addition, you must have MS-NAP Agent
installed on every computer (running Windows Vista or Windows XP-SP3)
where UNC Client Agent is installed. If either NPS or MS-NAP Agent is missing
or is not configured properly, UNC will not enforce network policies.
Provide domain services
UNC requires the following domain services:
- Domain controller for the Active Directory domain
- DNS server for the DNS domain
The domain controller must be installed on a separate computer (running on
Windows Server 2003 and above), not the host computer. Once Active
Directory and DNS are running, perform the following:
1. Create a user account and group in Active Directory.
2. Create an NAP client computer security group for UNC client agents.
For a full description of the steps involved, see the Microsoft Step By Step
Guide for your enforcement method listed at the end of this section.
Configure the host computer
The host computer for the Communication Server must run Microsoft Windows
Server 2008 and host the NPS service. The host computer for a Standalone
installation, which includes the Communication Server, must also meet these
requirements.
Perform the following steps to configure the host computer for UNC:
1. Join the computer to the domain.
2. Install the NPS and enforcement server (DHCP, VPN, etc.) roles.
3. Install the Group Policy Management feature.
4. Configure NPS as a NAP health policy server.
5. Configure the enforcement method (DHCP, VPN, etc.).
6. Configure NAP client settings in Group Policy.
For a full description of the steps involved, see the Microsoft Step By Step
Guide for your enforcement method listed at the end of this section.
Documentation resources
The following Microsoft Step By Step Guides demonstrate how to configure
MS-NAP for different enforcement methods:
- Step-by-Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab
- Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab
- Step-by-Step Guide: Demonstrate NAP VPN Enforcement in a Test Lab
- Step-by-Step Guide: Demonstrate NAP IPsec Enforcement in a Test Lab
You can find these guides by searching for all or part of their titles at
http://www.microsoft.com/downloads.
Configure MSMQ
Perform this procedure on the host computer for the Communication Server to
configure Microsoft Message Queuing.
To configure MSMQ
1. In the Server Manager window, click Features.
2. In the right pane under Features Summary, click Add Features.
   The Select Features window appears.
3. Expand Message Queuing and then Message Queuing Services.
4. Select the Message Queuing Server check box.
5. Click Next, and then click Install.
   The feature is installed and the Select Features window closes.
6. In the Server Manager window, expand Features and then Message Queuing.
7. Verify that Private Queues are available.
Perform Pre-installation Database Tasks
Total Defense for Unified Network Control supports the following database
applications:
- Microsoft SQL Server 2005
- Microsoft SQL Server 2005 Express
- Microsoft SQL Server 2008
- Microsoft SQL Server 2008 Express
If your company already has one of these database applications, you can also
use it to host the Total Defense for Unified Network Control databases.
However, Total Defense also provides Microsoft SQL Server 2005 Express as
an out-of-the-box solution. Microsoft SQL Server 2005 Express is located on
the installation DVD and, if chosen as an installation option, is automatically
installed and configured during the installation of Total Defense for Unified
Network Control.
Note: Microsoft SQL Server Express can be used during a product trial or if
your organization has fewer than 500 endpoints; however, it is not
recommended for larger organizations.
During the installation of Total Defense for Unified Network Control, the
Installation Wizard prompts you to enter the following information for each
database:
- Database user credentials
- Name of the database instance
- Name of the computer that hosts the database
These fields are pre-populated with default values if you are installing
Microsoft SQL Server Express.
The Installation Wizard automatically creates the required database schema
for the Total Defense for Unified Network Control Management Server
database.
Tasks for Microsoft SQL Server
If you are already using Microsoft SQL Server and plan to use it for the Total
Defense for Unified Network Control database, check that the following items
are configured:
- Create a new user that has the sysadmin role.
- Verify that you are using SQL authentication.
- Verify that the TCP/IP protocol is enabled for port 1433.
- Verify that firewall blocking access is disabled.
- Enable Common Language Runtime (CLR).
See the sections that follow for instructions on how to configure these items.
The items noted above are automatically configured if you choose to install
Microsoft SQL Server Express during the Total Defense for Unified Network
Control installation.
Note: If you are reinstalling or repairing Total Defense for Unified Network
Control, the installer will delete the existing database (named "UNCDB") and
create a new one. To preserve the contents of the existing database, you must
create a backup version of the database before running the installer. After
installation, you can then restore the contents of the UNCDB database from
the backup version.
Enable Windows and SQL Authentication
To enable Windows and SQL authentication
1. From All Programs, select Microsoft SQL Server, SQL Server Management Studio.
2. Enter the server name, select Windows authentication, and then click Connect.
   The Microsoft SQL Server Management Studio window appears.
3. Right click on the server and select Properties.
   The Server Properties dialog appears.
4. Select the Security page, and then click SQL Server and Windows Authentication Mode.
5. Click OK.
Your SQL Server now supports both SQL Server and Windows authentication.
Enable TCP/IP Protocol
To enable the TCP/IP Protocol
1. Log into the SQL Server Configuration Manager.
2. Expand the SQL Server Network Configuration.
3. Click Protocols for SQL Server or SQL Express.
4. Right click the TCP/IP protocol in the right pane and select Enable.
5. Right click the TCP/IP protocol again and select Properties.
   The TCP/IP Properties dialog appears.
6. Click the IP Address tab and enter the IP address of the machine hosting the SQL Server or SQL Express, and then click Ok.
   The IP address is added and TCP/IP is enabled on port 1433.
Verify Communication Ports
The Total Defense for Unified Network Control (UNC) server components
communicate over the HTTPS channel on ports whose numbers are set during
the UNC Server installation. The default port numbers are:
- HTTPS Web-Service Website: 34443
- HTTPS Content Update Website: 34444
- HTTPS Certificate Website: 44333
The default port number for the UNC database is 1433.
The Client Agent installation sets the default port number 34443 for its
Communication Server. The Communication Server port number can be reset
from the endpoint.
Your proxy settings and firewall must be configured for these port numbers (or
their replacements) to allow the UNC components to communicate.
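The following Python script is an added example, not part of the Total Defense guide or product: it tests TCP reachability of the default ports listed above and distinguishes a refused connection (no service listening) from a timeout (typically a firewall or proxy dropping traffic). It checks only that the port accepts a TCP connection, not the HTTPS service behind it; the function names and the host name in the comments are hypothetical.

```python
import socket

# Default ports from the "Verify Communication Ports" section of this guide.
# Substitute your own numbers if different ones were set during installation.
DEFAULT_PORTS = {
    "HTTPS Web-Service Website": 34443,
    "HTTPS Content Update Website": 34444,
    "HTTPS Certificate Website": 44333,
    "UNC database": 1433,
}


def probe(host, port, timeout=2.0):
    """Attempt one TCP connection and classify the outcome.

    open        - a listener accepted the connection
    refused     - the host answered but nothing listens on the port
    filtered    - no answer before the timeout (often a firewall drop rule)
    unresolved  - the host name did not resolve
    unreachable - any other network error (no route, interface down, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except socket.gaierror:
        return "unresolved"
    except OSError:
        return "unreachable"


def check_unc_ports(host, ports=None, timeout=2.0):
    """Probe every named port on host; return {component name: state}."""
    ports = DEFAULT_PORTS if ports is None else ports
    return {name: probe(host, port, timeout) for name, port in ports.items()}


def blocked(results):
    """Names of the components whose port did not accept a connection."""
    return sorted(name for name, state in results.items() if state != "open")


if __name__ == "__main__":
    # Constructed offline demo: one local listener stands in for a running
    # UNC web service, and a port that was just released stands in for a
    # service that is not running.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    demo = {
        "stand-in for a running service": listener.getsockname()[1],
        "stand-in for a stopped service": closed_port,
    }
    results = check_unc_ports("127.0.0.1", demo, timeout=1.0)
    for name, state in results.items():
        print(f"{name:32} {state}")
    print("needs attention:", blocked(results))
    listener.close()

    # Real use, from a Client Agent or another server in the installation
    # (hypothetical host name):
    #   check_unc_ports("unc-mgmt01.example.com")
```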
Create a Login User and Role
The following procedure uses SQL Server Management Studio Express. If you
do not already have this application, you may download it using the following
link:
http://www.microsoft.com/express/sql/download/
Best Practice Tip! Although you may use your sa user during installation
and skip this procedure, Total Defense recommends creating a new user name
and a strong password to protect the integrity of the database.
1. Using the SQL Server Management Studio Express interface, connect to the Database Server you created during the SQL installation.
2. Navigate to the Security folder, right-click the Logins folder, and then select New login from the pop-up menu.
   The SQL Server Login Properties - New Login dialog appears, displaying the General tab.
3. Enter a name in the Login name field.
   Note: Do not include curly braces, { or }, in the Login name field, as they are not supported.
4. Click SQL Server Authentication.
   The password fields are enabled.
5. Enter and confirm a password for the new login.
6. Uncheck the Enforce password expiration option.
7. Select the Server Roles page.
   The Server Roles page appears.
8. Check the sysadmin role, and then click OK.
Enable Common Language Runtime (CLR)
To enable Common Language Runtime (CLR)
1. From the Start menu, select All Programs, Microsoft SQL Server, Configuration Tools, SQL Server Surface Area Configuration.
   The SQL Server Surface Area Configuration window appears.
2. Click Surface Area Configuration for Features.
   The Surface Area Configuration for Features - localhost window appears.
3. Click the View by Instance tab and expand the database instance name (for example, SQLEXPRESS) and then Database Engine.
4. In the vertical menu list, click CLR Integration.
5. Select the Enable CLR integration check box.
6. Click Apply, and then click OK.
Activate Your License
With the purchase of this product, Total Defense sends you the following
license-related documentation:
- A hard-copy of your License Certificate in regular mail.
  Keep this certificate in a safe location for future reference.
- An electronic version of your License Certificate in email.
  Keep this email in a safe, yet convenient location, as you will need the
  license number during the installation of this product.
- A license activation link in email.
  Best Practice Tip! Total Defense highly recommends that you activate
  your license as soon as you receive the license activation email.
If you do not click the license activation link provided in the license activation
email before you start the installation, you may install this product in a 30-day
trial mode.
When the installation is complete, the Management Server will attempt to
register your license with the Entitlement Management System. If it is unable
to do so, a banner appears in the Management Console providing further
instructions on how to complete this transaction.
For more information about licensing, refer to "License Management" in the
Total Defense for Unified Network Control Administration Guide.
(Optional) Use in Test Mode
Using Total Defense for Unified Network Control in Test mode allows you to
test your policies and assess endpoints prior to activating policy enforcement
and remediation. It also provides you the opportunity to become familiar with
the Management Console and to configure key policies prior to full product
deployment.
Best Practice Tip! We recommend that you initially deploy the product to a
limited number of endpoints.
To test the UNC installation
1. Choose a host computer or server for the Total Defense for Unified Network Control server components that meets the minimum system requirements as defined in the Release Notes. The host machine(s) for the server components can be the same computer(s) that will serve as the permanent host(s) for these servers in your normal production environment.
2. Choose a small number of endpoints to which you will deploy the Total Defense for Unified Network Control Client Agent. These endpoints should represent each type of platform (hardware and operating system) currently used in your production network and supported by this release.
3. Verify that the pre-installation tasks outlined in this chapter have been met for each of these endpoints.
Chapter 3: Installing the Infrastructure
Total Defense for Unified Network Control (TDUNC) provides the following
installation scenarios:
Standalone Installation
In a Standalone Installation all TDUNC server components are installed on
the same host machine that meets the minimum hardware and operating
system requirements. A Standalone Installation works best for sites with
fewer than 1,000 endpoints in the same physical location.
Best Practice Tip! Since this server is considered mission critical for
keeping your environment healthy, Total Defense recommends that no
other applications run on this server. It should be dedicated to TDUNC
alone.
Database Connectivity in a Standalone Installation: The Total
Defense Installation Wizard will automatically install and configure
Microsoft SQL Server Express on the same machine that you install the
Management Server or allow you to use a locally installed database
instead. If you use an existing database, you must complete several
configuration tasks prior to starting the Total Defense installation.
Distributed Installation
In a Distributed Installation the TDUNC Management Server, Reporting
Server, and Communication Server may each be installed on a separate
machine to improve product performance and network flow. This
installation is recommended for sites with more than 1,000 endpoints or
sites that have endpoints located across more than one physical location.
A Distributed Installation can have one of the following configurations:
Configuration 1
Computer A: Management Server
Computer B: Reporting Server
Computer C: Communication Server
Configuration 2
Computer A: Management Server and Reporting Server
Computer B: Communication Server
Configuration 3
Computer A: Management Server
Computer B: Reporting Server and Communication Server
Database Connectivity in a Distributed Installation
In a Distributed Installation you may use an existing Microsoft SQL
database for the Management Server. The database may be located on a
separate machine, such as an application server located in a database
farm. In this scenario, the Installation Wizard prompts you for the required
database information (SQL hostname, SQL instance name, and so on).
Before you begin the Total Defense installation, you must complete several
configuration tasks.
Combined Standalone Installation
In a Combined Standalone Installation, all Total Defense (TD) and TDUNC
server components are installed at the same time on the same host
machine that meets the recommended hardware and operating system
requirements. A Standalone Installation works best for sites with fewer
than 1,000 endpoints in the same physical location.
Combined Distributed Installation
In a Combined Distributed Installation the TD and TDUNC Management
Servers are installed at the same time on the same machine, while the
remaining server components of both products may each be installed on a
separate machine to improve product performance and network flow. This
installation is recommended for sites with more than 1,000 endpoints or
sites that have endpoints located across more than one physical location.
Combined Staged Installations
In a Combined Staged Installation, TD and TDUNC are installed at different
times in Standalone or Distributed Installations.
Standalone Configurations
Computer A: TD installed first; TDUNC installed second.
Computer A: TDUNC installed first; TD installed second.
Distributed Configurations
Note: All servers in these configurations must be installed with a
distributed installation type.
Computer A: All TD servers installed first; TDUNC Management Server
installed second.
Computer B: Remaining TDUNC servers installed.
Computer A: All TDUNC servers installed first; TD Management Server
installed second.
Computer B: Remaining TD servers installed.
Management Server Host Names
When selecting a host machine for the Management Server, be sure its name
conforms to the Domain Name System (DNS) naming standards. A standard
host name can:
- Begin with a letter (A-Z, a-z)
- End with a letter or digit (0-9)
- Contain any combination of letters, digits, and hyphens (-)
Host names are case-insensitive, so host names such as Safety-First and
safety-first are seen as identical.
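The following Python script is an added example, not part of the Total Defense guide or product: it checks a planned list of server names against the three rules above and reports names that differ only by case. The 63-character limit comes from the DNS standard (RFC 1035), not from this guide, and the function names and sample host names are constructed for illustration.

```python
import string

LETTERS = set(string.ascii_letters)
DIGITS = set(string.digits)
ALLOWED = LETTERS | DIGITS | {"-"}

BAD_START = "must begin with a letter (A-Z, a-z)"
BAD_END = "must end with a letter or digit (0-9)"
BAD_CHARS = "may contain only letters, digits, and hyphens (-)"
# Not stated in the guide: DNS limits a single label to 63 characters (RFC 1035).
TOO_LONG = "longer than 63 characters (DNS label limit)"


def hostname_problems(name):
    """Return the list of rules a single host name (not an FQDN) violates."""
    if not name:
        return ["empty name"]
    problems = []
    if name[0] not in LETTERS:
        problems.append(BAD_START)
    if name[-1] not in LETTERS | DIGITS:
        problems.append(BAD_END)
    if any(ch not in ALLOWED for ch in name):
        problems.append(BAD_CHARS)
    if len(name) > 63:
        problems.append(TOO_LONG)
    return problems


def case_collisions(names):
    """Group names that DNS treats as identical because case is ignored."""
    groups = {}
    for name in names:
        groups.setdefault(name.lower(), []).append(name)
    return {key: spellings for key, spellings in groups.items()
            if len(spellings) > 1}


def review(names):
    """Check a planned server list for invalid names and case collisions."""
    invalid = {}
    for name in names:
        problems = hostname_problems(name)
        if problems:
            invalid[name] = problems
    return {"invalid": invalid, "collisions": case_collisions(names)}


# Constructed sample: candidate names for the servers of one installation.
PLANNED = [
    "Safety-First",   # valid
    "safety-first",   # valid, but the same host as the line above
    "unc-mgmt01",     # valid
    "9unc-rpt",       # begins with a digit
    "unc-comm-",      # ends with a hyphen
    "unc_db",         # underscore is not allowed
]

if __name__ == "__main__":
    report = review(PLANNED)
    for name, problems in report["invalid"].items():
        print(f"{name}: {'; '.join(problems)}")
    for key, spellings in report["collisions"].items():
        print(f"same host under DNS: {', '.join(spellings)}")
```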
Install Server Components (Standalone Install)
The instructions in this section describe how to perform a Standalone
Installation in which all server components are installed on the same host
computer.
Note: To ensure a successful installation, please read Preparing to Install
Total Defense for Unified Network Control (see page 11) before you start the
installation process.
To perform a Standalone Installation
1. Insert the Total Defense DVD into the computer's CD/DVD drive. If theInstallation Wizard does not start automatically, click the setup.exe
program located in the root folder of the DVD.
The Language dialog appears.
2. Select the appropriate installation language when prompted, and then clickOK.
The Main Menu appears.
3. Click Install Total Defense Suite r12.The Installation Wizard validates the operating system running on the host
computer.
If the operating system is not supported, the Installation Wizarddisplays an error message with a list of supported operating systems
and virtual environments.
Click Next or Exit to cancel the installation.
If the operating system is supported, the Installation Wizard displays alist of prerequisite tests to be performed.
Click Next or Exit to proceed with the tests.
The Installation Wizard runs the tests and displays the results
(Success, Fail, or Optional).
Success indicates that the test succeeded and that the prerequisiteis met.
Fail indicates that the test failed and that the prerequisite is notmet.
Optional indicates that the test failed, but that the tested item orcondition is optional.
Note: The CA Threat Manager r8.1 test determines the presence of
that product. The Fail result indicates that the product was found; the
Success result indicates that the product was not found.
4. (Optional) Select the name of a failed test on the screen to display the testresults.
The results appear on the right side of the screen.
5. When you have finished viewing the results, click Next to continue with
the installation, or click Exit to cancel it.
Note: A failed test indicates a missing Total Defense prerequisite. If you
continue to install the product, the resulting installation may not operate
as intended or desired.
6. If the Installation Wizard cannot complete the prerequisite testing, it
displays the error message: "The Total Defense R12 prerequisite tool
failed to complete successfully. Do you wish to continue?"
Click Yes to continue with the installation. No cancels the installation.
Product Selection appears.
7. Click Yes to install the Management Server, select Endpoint Protection,
and then click Next.
License Agreements appear.
8. After reading the legal notices, click the I accept the terms of the License
Agreement button, and then click Next.
Registration appears.
9. Enter the registration information, and then click Next.
Note: The Total Defense Entitlement Management System (EMS) sends a
license activation link to the email address that you enter on this screen.
Make sure to enter an address that you check frequently so that you can
finalize the license activation process.
Renewal appears.
10. (Optional) Modify the information if your Renewal Contact information is
different than the Product Registration information, and then click Next.
Internet Proxy Information appears.
11. If you use a web proxy to access the Internet, enter the specified
information, and then click Next.
License Verification appears.
12. Copy and paste your license (or manually enter it using all UPPER CASE
characters), and then click Next.
If you have an Internet connection, the Total Defense Entitlement
Management Server is contacted and registers your license.
If you do not have an Internet connection or the Entitlement Management
Server cannot be reached, click Next to complete the installation in a 30-
day trial mode.
Note: The Management Server will attempt to complete the registration
for you when the installation is complete. The server will attempt to
activate the license for 5 days. If it is unable to do so, a message will
appear in the banner of the Management Console with a link to
instructions on how to complete the registration.
Installation Type appears.
13. Click Standalone Installation, and then click Next.
Another Product Selection appears.
14. Select Unified Network Control Management Components, unselect the
other options, and then click Next.
15. The Unified Network Control servers appear, all selected for a standalone
installation. Click Next.
Unified Network Control Administrator and Port Settings appears.
16. Enter the user name, password, and email address for the person
responsible for implementing Total Defense for Unified Network Control:
If you specify a domain with the user name (for example,
domain\username), the installer attempts to authenticate the user name
through Active Directory. If you do not enter a domain, the installer stores
the unauthenticated user name and password in the Total Defense for
Unified Network Control database catalog.
17. Accept the port numbers for the web service and certificate web sites by
clicking Next.
Email Notifications appears.
18. Enter the email address for the Total Defense for Unified Network Control
administrator. If authentication is required to access the Management
Server, select the check box for an authenticated user, and enter the
domain user name and password.
Database Selection appears.
19. Choose to install Microsoft SQL Server Express or use an existing Microsoft
SQL Server or Microsoft SQL Server Express installation. Click Next.
Note: If the installer discovers an existing Microsoft SQL Server or
Microsoft SQL Server Express installation on the host computer, the choice
to install Microsoft SQL Server Express is disabled.
If you chose to use an installed database server in this step, Database
Version appears.
If you chose to install Microsoft SQL Server Express in this step, Database
Server appears.
20. (Installing Microsoft SQL Server Express) Enter the following database
login information:
- User Name
- Password
Note: Total Defense highly recommends creating and using an alternate
account rather than the default MS SQL sa account. The new account must
have system administrator (sysadmin) permissions and no System Roles.
21. (Using an installed database server) Click the Microsoft SQL Server and
ODBC Driver types that identify your installed database server. Click Next.
Database Connection appears.
22. Enter the following database configuration information for the UNC
Management Server, and then click Next.
- Database Login Name
- Database Login Password
- Database Instance Name
- Database Host Name (fully qualified domain name)
Note: Total Defense highly recommends creating and using an alternate
account rather than the default MS SQL sa account. The new account must
have system administrator (sysadmin) permissions and no System Roles.
23. Click the Test SQL Connection button to verify the connection, close the
message box, and then click Next. The database configuration information
on the screen must be complete.
The Destination screen appears.
24. Click the Browse button (...) to select or create an installation folder, or
accept the default installation location, and then click Next.
Finish Installation appears with a list of the components you selected for
installation.
25. Review the list of components and click Finish to begin the installation. To
modify any of the installation options, click Back to make the necessary
adjustments.
Install Server Components (Distributed Install)
The instructions in this section describe how to perform a Distributed
Installation in which server components are installed on separate machines to
improve product performance and network flow. This installation is
recommended for sites with more than 1,000 endpoints or sites that have
endpoints located across more than one geographical location. To determine if
a Distributed Installation is the appropriate implementation for your
organization, see Installation Scenarios.
Note: To ensure a successful installation, please see the Pre-Installation
Checklist (see page 11) before you begin this procedure.
To perform a Distributed Installation
1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the
Installation Wizard does not start automatically, click setup.exe located in
the root folder of the DVD.
The Language screen appears.
2. Select the appropriate installation language and click OK.
The Main Menu appears.
3. Click Install Total Defense Suite r12.
The Installation Wizard validates the operating system running on the host
computer.
- If the operating system is not supported, the Installation Wizard
  displays an error message with a list of supported operating systems
  and virtual environments.
  Click Next or Exit to cancel the installation.
- If the operating system is supported, the Installation Wizard displays a
  list of prerequisite tests to be performed.
  Click Next or Exit to proceed with the tests.
  The Installation Wizard runs the tests and displays the results
  (Success, Fail, or Optional).
  - Success indicates that the test succeeded and that the prerequisite
    is met.
  - Fail indicates that the test failed and that the prerequisite is not
    met.
  - Optional indicates that the test failed, but that the tested item or
    condition is optional.
  Note: The CA Threat Manager r8.1 test determines the presence of
  that product. The Fail result indicates that the product was found; the
  Success result indicates that the product was not found.
4. (Optional) Select the name of a failed test on the screen to display the
test results.
The results appear on the right side of the screen.
5. When you have finished viewing the results, click Next to continue with
the installation, or click Exit to cancel it.
Note: A failed test indicates a missing Total Defense prerequisite. If you
continue to install the product, the resulting installation may not operate
as intended or desired.
6. If the Installation Wizard cannot complete the prerequisite testing, it
displays the error message: "The Total Defense R12 prerequisite tool
failed to complete successfully. Do you wish to continue?"
Click Yes to continue with the installation. No cancels the installation.
Product Selection appears.
7. Select the following options, and then click Next:
- Would you like to install the Management Server?
  - Select Yes if you are installing on the first of multiple machines in
    a distributed installation, or if you are installing all components on
    only one machine.
  - Select No if you are installing on an additional machine in a
    distributed installation.
- Endpoint Protection. Select this option to install Total Defense for
  Unified Network Control.
- Gateway Security. Do not select this option.
License Agreements appear.
8. After reading the agreements, click the I accept the terms of the License
Agreements, and then click Next.
Registration appears.
9. Enter the registration information, and then click Next.
Note: The Total Defense Entitlement Management System (EMS) sends a
license activation link to the email address that you enter on this screen.
Make sure to enter an address that you check frequently so that you can
finalize the license activation process.
Renewal appears.
10. (Optional) Modify the information as needed if your Renewal Contact
information is different than the Product Registration information, then
click Next.
Internet Proxy Information appears.
11. If you are using a proxy to access the Internet, enter the information
necessary or select the check box indicating that a web proxy server is not
used to access the Internet, and then click Next.
License Verification appears.
12. Copy and paste your license (or manually enter it using all UPPER CASE
characters), and then click Next.
If you have an Internet connection, the Total Defense Entitlement
Management Server is contacted and registers your license.
If you do not have an Internet connection or the Entitlement Management
Server cannot be reached, click Next to complete the installation in a 30-
day trial mode.
Note: The Management Server will attempt to complete the registration
for you when the installation is complete. The server will attempt to
activate the license for 5 days. If it is unable to do so, a message will
appear in the banner of the Management Console with a link to
instructions on how to complete the registration.
Installation Type appears.
13. Select Distributed Installation, and then click Next.
Another Product Selection appears and displays the options you are
entitled to install.
14. Select Unified Network Control Management Components, unselect all
other options, and then click Next.
Unified Network Control appears.
15. Select the server components you want to install, and then click Next. For
information on the Total Defense for Unified Network Control server
components, see Architecture Overview (see page 8).
Unified Network Control Administrator and Port Settings appears.
16. Enter the user name, password, and email address of the individual who
will be responsible for managing Total Defense for Unified Network
Control.
This user may be you or another user who has a valid account on the
machine that will host the Total Defense for Unified Network Control
Management Server. This user will have full Administrative authority
within the Management Server.
17. Accept the default ports by clicking Next.
Email Notifications appears.
18. Enter the email address for the Total Defense for Unified Network Control
administrator. If authentication is required to access the Management
Server, select the check box for an authenticated user, and enter the
domain user name and password.
Database Selection appears.
19. Choose to use an existing database or install a new one to use with Total
Defense for Unified Network Control, and then click Next:
Note: If the installer discovers an existing Microsoft SQL Server or
Microsoft SQL Server Express installation on the host computer, the choice
to install Microsoft SQL Server Express is disabled.
- If you chose Install Microsoft SQL Server Express, Database Server
  appears. Enter a user name and password for the new SQL Server
  Express database server, and then click Next.
- If you chose Use existing MS SQL Server or SQL Server Express,
  Database Version appears. Do the following:
  a. Select the version of MS SQL Server and ODBC driver to use, and
     then click Next.
     Database Connection appears.
  b. Enter the database configuration information, and then click Next.
Note: Total Defense highly recommends creating and using an account
other than the default MS SQL Server sa account. The new account must
have system administrator (sysadmin) permissions and no System Roles.
20. Accept the default installation folder, or click the Browse button (...) and
create or select a different folder, and then click OK. Click Next.
Finish Installation appears with the list of components you selected for
installation.
21. Review the list of components. To modify any of the installation options,
click Back to make the necessary adjustments. To begin the installation,
click Finish.
Install Server Components (Combined Standalone Install)
The instructions in this section describe how to perform a Standalone
Installation in which all Total Defense and Total Defense for Unified Network
Control server components are installed on the same system.
Note: Read the Pre-Installation Checklist for Total Defense and Total Defense
for Unified Network Control before you begin this procedure.
To perform a Standalone Installation
1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the
Installation Wizard does not start automatically, click setup.exe located in
the root folder of the DVD.
The Language dialog appears.
2. Select the appropriate installation language and click OK.
Main Menu appears.
3. Click Install Total Defense Suite r12.
The Installation Wizard validates the operating system running on the host
computer.
- If the operating system is not supported, the Installation Wizard
  displays an error message with a list of supported operating systems
  and virtual environments.
  Click Next or Exit to cancel the installation.
- If the operating system is supported, the Installation Wizard displays a
  list of prerequisite tests to be performed.
  Click Next or Exit to proceed with the tests.
  The Installation Wizard runs the tests and displays the results
  (Success, Fail, or Optional).
  - Success indicates that the test succeeded and that the prerequisite
    is met.
  - Fail indicates that the test failed and that the prerequisite is not
    met.
  - Optional indicates that the test failed, but that the tested item or
    condition is optional.
  Note: The CA Threat Manager r8.1 test determines the presence of
  that product. The Fail result indicates that the product was found; the
  Success result indicates that the product was not found.
4. (Optional) Select the name of a failed test on the screen to display the
test results.
The results appear on the right side of the screen.
5. When you have finished viewing the results, click Next to continue with
the installation, or click Exit to cancel it.
Note: A failed test indicates a missing Total Defense prerequisite. If you
continue to install the product, the resulting installation may not operate
as intended or desired.
6. If the Installation Wizard cannot complete the prerequisite testing, it
displays the error message: "The Total Defense R12 prerequisite tool
failed to complete successfully. Do you wish to continue?"
Click Yes to continue with the installation. No cancels the installation.
Product Selection appears.
7. Select the following options, and then click Next:
- Would you like to install the Management Server? Select Yes.
- Endpoint Protection. Select this option to install Total Defense and
  Total Defense for Unified Network Control.
- Gateway Security. Do not select this option.
License Agreements appear.
8. After reading the agreements, click I accept the terms of the License
Agreements, and then click Next.
Registration appears.
9. Enter the registration information, and then click Next.
Note: The Total Defense Entitlement Management System (EMS) sends a
license activation link to the email address that you enter on this screen.
Make sure to enter an address that you check frequently so that you can
finalize the license activation process.
Renewal appears.
10. (Optional) Modify the information as needed if your renewal contact
information is different than the product registration information, then
click Next.
Internet Proxy Information appears.
11. If you use a web proxy to access the Internet, enter the specified
information, and then click Next.
License Verification appears.
12. Copy and paste your license (or manually enter it using all UPPER CASE
characters), and then click Next.
If you have an Internet connection, the Total Defense Entitlement
Management Server is contacted and registers your license.
If you do not have an Internet connection or the Entitlement Management
Server cannot be reached, click Next to complete the installation in a 30-
day trial mode.
Note: The Management Server will attempt to complete the registration
for you when the installation is complete. The server will attempt to
activate the license for 5 days. If it is unable to do so, a message will
appear in the banner of the Management Console with a link to
instructions on how to complete the registration.
Installation Type appears.
13. Click Standalone Installation, and then click Next.
Another Product Selection appears.
14. Select Endpoint Protection Management Components and Unified Network
Control Management Components, and then click Next.
Endpoint Discovery Acknowledgement appears.
15. Read the acknowledgement and click Next.
Certificate Password appears.
16. Enter a password for the digital certificate, verify the password, and then
click Next.
This password protects the generation and storage of your digital
certificate and encrypts and authenticates sensitive Total Defense data
communications.
Note: If you install additional server components or proxies at a later
time, the Installation Wizard prompts you for this password. Total Defense
recommends storing this password in a safe location.
User Specification appears.
17. Enter the user name and password of the individual that will perform the
remote deployment of the Total Defense Agent/Client and the user who
will initiate the Endpoint Discovery process to discover all unmanaged
endpoints in your organization.
Port Specification appears.
18. (Optional) Modify the Total Defense Management Server ports, if
necessary, and then click Next.
Unified Network Control appears.
19. The Total Defense for Unified Network Control server components to be
installed are displayed. Click Next.
Unified Network Control Administrator and Port Settings appears.
20. Enter the user name, password, and email address for the person
responsible for implementing Total Defense for Unified Network Control:
If you specify a domain with the user name (for example,
domain\username), the installer attempts to authenticate the user name
through Active Directory. If you do not enter a domain, the installer stores
the unauthenticated user name and password in the Total Defense for
Unified Network Control database catalog.
21. Accept the port numbers for the web service and certificate web sites by
clicking Next.
Email Notifications appears.
22. Enter the Fully Qualified Domain Name of your email server and your
email address to receive email notification when certain events occur and
when reports are ready for viewing.
If authentication is required, click Authenticated Server, and enter the
domain user name and password.
Database Selection appears.
23. Choose to install Microsoft SQL Server Express or use an existing Microsoft
SQL Server or Microsoft SQL Server Express installation. Click Next.
Note: If the installer discovers an existing Microsoft SQL Server or
Microsoft SQL Server Express installation on the host computer, the choice
to install Microsoft SQL Server Express is disabled.
If you choose to use an installed database server in this step, Database
Version will appear.
If you choose to install Microsoft SQL Server Express in this step,
Database Server will appear instead.
24. (Database Server screen) Enter the following database server login
information:
- User Name
- Password
Note: Total Defense highly recommends creating and using an alternate
account rather than the default MS SQL Server sa account. The new
account must have system administrator (sysadmin) permissions and no
System Roles.
Destination appears. (Skip the Database Version and Database Connection
steps.)
25. (Database Version) Click the Microsoft SQL Server and ODBC Driver
types that identify your installed database server. Click Next.
Database Connection appears.
26. (Database Connection) Enter the following database configuration
information for the Total Defense and Total Defense for Unified Network
Control Management Servers.
- Database Login Name
- Database Login Password
- Database Instance Name
- Database Host Name (fully qualified domain name)
Note: Total Defense highly recommends creating and using an alternate
account rather than the default MS SQL Server sa account. The new
account must have system administrator (sysadmin) permissions and no
System Roles.
27. (Database Connection, continued) Click the Test SQL Connection button
to verify the connection, close the message box, and then click Next. The
database configuration information on the screen must be complete.
Destination appears.
28. Click the Browse button (...) to select or create an installation folder, or
accept the default installation location, and then click Next.
Finish Installation appears with a list of the components you selected for
installation.
29. Review the list of components and click Finish to begin the installation. To
modify any of the installation options, click Back to make the necessary
adjustments.
Install Server Components (Combined Distributed Install)
When you perform a Combined Distributed Install, you install the Total
Defense and Total Defense for Unified Network Control Management Servers
and Management Consoles first on the same machine. You can also install any
other server components at that time and on that machine. To install the
remaining server components, you repeat the Combined Distributed Install on
other machines until all of the required server components are installed. A
Combined Distributed Install also lets you install all server components on the
same machine.
Note: If Total Defense and Total Defense for Unified Network Control are
installed Standalone on separate machines, there can be no integration of
products. They must be installed Combined Distributed to be integrated
(reports only).
Note: Performing a Standalone install of one product on top of the Standalone
install of another product invalidates and disables the first product installed.
This section describes the following procedures:
First-Time Install
Installs the Management Servers and Management Consoles for both
products together, and any other server components you select, on the
same machine (referred to as the first-time machine).
Subsequent Install
Installs one or more server components on an additional machine
(referred to as a subsequent machine).
First-Time Install
The instructions in this section describe how to perform a first-time Distributed
Installation in which the Management Servers and Management Consoles of
Total Defense and Total Defense for Unified Network Control, and any other
available server components, are installed on the same machine.
Note: Read and perform the tasks in the Pre-Installation Checklist for Total
Defense and Total Defense for Unified Network Control before you begin this
procedure.
To perform a Distributed Installation
1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the
Installation Wizard does not start automatically, click setup.exe located in
the root folder of the DVD.
The Language dialog appears.
2. Select the appropriate installation language and click OK.
Main Menu appears.
3. Click Install Total Defense Suite r12.
The Installation Wizard validates the operating system running on the host
computer.
- If the operating system is not supported, the Installation Wizard
  displays an error message with a list of supported operating systems
  and virtual environments.
  Click Next or Exit to cancel the installation.
- If the operating system is supported, the Installation Wizard displays a
  list of prerequisite tests to be performed.
  Click Next or Exit to proceed with the tests.
  The Installation Wizard runs the tests and displays the results
  (Success, Fail, or Optional).
  - Success indicates that the test succeeded and that the prerequisite
    is met.
  - Fail indicates that the test failed and that the prerequisite is not
    met.
  - Optional indicates that the test failed, but that the tested item or
    condition is optional.
  Note: The CA Threat Manager r8.1 test determines the presence of
  that product. The Fail result indicates that the product was found; the
  Success result indicates that the product was not found.
4. (Optional) Select the name of a failed test on the screen to display the
test results.
The results appear on the right side of the screen.
5. When you have finished viewing the results, click Next to continue with
the installation, or click Exit to cancel it.
Note: A failed test indicates a missing Total Defense prerequisite. If you
continue to install the product, the resulting installation may not operate
as intended or desired.
6. If the Installation Wizard cannot complete the prerequisite testing, it
displays the error message: "The Total Defense R12 prerequisite tool
failed to complete successfully. Do you wish to continue?"
Click Yes to continue with the installation. No cancels the installation.
Product Selection appears.
7. Select the following options, and then click Next:
- Would you like to install the Management Server? Select Yes if you are
  installing on the first of multiple machines in a distributed installation,
  or if you are installing all components on only one machine.
- Endpoint Protection. Select this option to install Total Defense and
  Total Defense for Unified Network Control.
- Gateway Security. Do not select this option.
License Agreements appear.
8. After reading the agreements, click I accept the terms of the License
Agreements, and then click Next.
Registration appears.
9. Enter the registration information, and then click Next.
Note: The Total Defense Entitlement Management System (EMS) sends a
license activation link to the email address that you enter on this screen.
Make sure to enter an address that you check frequently so that you can
finalize the license activation process.
Renewal appears.
10. (Optional) Modify the information as needed if your renewal contact
information is different than the product registration information, then
click Next.
Internet Proxy Information appears.
11. If you are using a proxy to access the Internet, enter the information
necessary or select the check box indicating that a web proxy server is not
used to access the Internet, and then click Next.
License Verification appears.
12. Copy and paste your license (or manually enter it using all UPPER CASE
characters), and then click Next.
If you have an Internet connection, the Total Defense Entitlement
Management Server is contacted and registers your license.
If you do not have an Internet connection or the Entitlement Management
Server cannot be reached, click Next to complete the installation in a 30-
day trial mode.
Note: The Management Server will attempt to complete the registration
for you when the installation is complete. The server will attempt to
activate the license for 5 days. If it is unable to do so, a message will
appear in the banner of the Management Console with a link to
instructions on how to complete the registration.
Installation Type appears.
13. Click Distributed Installation, and then click Next.
Another Product Selection appears and displays the options you are
entitled to install.
14. Select Endpoint Protection Management Components and Unified Network
Control Management Components, and then click Next.
Endpoint Discovery Acknowledgement appears.
15. Read the Acknowledgement and click Next.
Server Components appears.
16. Select the Total Defense server components you want to install, and then
click Next.
If this is a first installation, the Total Defense Management Server and
Management Console are automatically selected. You can install other
server components on the same system or unselect the components to
install them elsewhere.
Server Location appears.
17.Enter the Fully Qualified Domain Names for the Total Defense ReportServer, Events Server, or both, and then click Next. An FQDN is required
for any server not selected for installation on the preceding Server
Components screen.
Certificate Password appears.
18.Enter a password for the digital certificate, verify the password, and thenclick Next.
This password protects the generation and storage of your digital
certificate and encrypts and authenticates sensitive Total Defense datacommunications.
Note: If you install additional server components or proxies at a later
time, the Installation Wizard prompts you for this password. Total Defense
recommends storing this password in a safe location.
User Specification appears.
19. Enter the user name and password of the individual who will perform
remote deployments of the Total Defense Agent/Client, and the user name
and password of the user who will initiate the discovery of endpoints on
your network.
Note: It is preferred that the Endpoint Discovery user have domain
administrative privileges; however, it is not a requirement. Using domain
administrator privileges ensures a better discovery rate. The remote
deployment user can be a user in the Local Users group or a domain
user.
Port Specification appears.
20. Accept or modify the default ports for the Total Defense Management
Server, and then click Next.
Unified Network Control appears.
21. The Total Defense for Unified Network Control server components to be
installed are displayed. Click Next.
Unified Network Control Administrator and Port Settings appears.
22. Enter the user name, password, and email address for the person
responsible for implementing Total Defense for Unified Network Control:
If you specify a domain with the user name (for example,
domain\username), the installer attempts to authenticate the user name
through Active Directory. If you do not enter a domain, the installer stores
the unauthenticated user name and password in the Total Defense for
Unified Network Control database catalog.
23. Accept the port numbers for the web service and certificate web sites by
clicking Next.
Email Notifications appears.
24. Enter the Fully Qualified Domain Name of your email server and your
email address to receive email notification when certain events occur and
when reports are ready for viewing.
If authentication is required, click Authenticated Server, and enter the
domain user name and password.
Database Selection appears.
25. Choose to install Microsoft SQL Server Express or use an existing Microsoft
SQL Server or Microsoft SQL Server Express installation. Click Next.
Note: If the installer discovers an existing Microsoft SQL Server or
Microsoft SQL Server Express installation on the host computer, the choice
to install Microsoft SQL Server Express is disabled.
If you choose to use an installed database server in this step, Database
Version and Database Connection will appear.
If you choose to install Microsoft SQL Server Express in this step,
Database Server will appear instead.
26. (Database Server) Enter the following database server login information,
and then click Next:
   User Name
   Password
Note: Total Defense highly recommends creating and using an alternate
account rather than the default MS SQL Server sa account. The new
account must have system administrator (sysadmin) permissions and no
System Roles.
Destination appears. (Skip the Database Version and Database Connection
steps.)
27. (Database Version) Click the Microsoft SQL Server and ODBC Driver
types that identify your installed database server. Click Next.
Database Connection for Total Defense appears.
28. (Database Connection screen) Enter the following database
configuration information for the Total Defense Management Server.
   Database Login Name
   Database Login Password
   Database Instance Name
   Database Host Name (fully qualified domain name)
Note: Total Defense highly recommends creating and using an alternate
account rather than the default MS SQL Server sa account. The new
account must have system administrator (sysadmin) permissions and no
System Roles.
29. (Database Connection) Click the Test SQL Connection button to verify
the connection, close the message box, and then click Next. The database
configuration information on the screen must be complete.
The Database Connection screen for Total Defense for Unified Network
Control appears.
30. (Database Connection) For the Total Defense for Unified Network
Control Management Server, enter the same database information you
used for Total Defense. Also verify the connection, close the message box,
and then click Next.
Destination appears.
31. Click the Browse button (...) to select or create an installation folder, or
accept the default installation location, and then click Next.
Finish Installation appears with a list of the components you selected for
installation.
32. Review the list of components and click Finish to begin the installation. To
modify any of the installation options, click Back to make the necessary
adjustments.
Note: During the installation of the Endpoint Discovery feature, a WinPcap
install wizard appears. Click Next, I Agree, Install, and Finish when
required to accept all of the default settings and continue with the Total
Defense installation.
Subsequent Install
The instructions in this section describe how to install some or all of the
remaining server components during a subsequent install. The Total Defense
and Total Defense for Unified Network Control Management Servers and
Management Consoles must have already been installed on a different
machine during a first-time Distributed Installation.
Note: Read and perform the tasks in the Pre-Installation Checklist for Total
Defense and Total Defense for Unified Network Control before you begin this
procedure.
To perform a Distributed Installation
1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the
Installation Wizard does not start automatically, click setup.exe located in
the root folder of the DVD.
The Language dialog appears.
2. Select the appropriate installation language and click OK.
Main Menu appears.
3. Click Install Total Defense Suite r12.
The Installation Wizard validates the operating system running on the host
computer.
   If the operating system is not supported, the Installation Wizard
   displays an error message with a list of supported operating systems
   and virtual environments.
   Click Next or Exit to cancel the installation.
   If the operating system is supported, the Installation Wizard displays a
   list of prerequisite tests to be performed.
   Click Next or Exit to proceed with the tests.
   The Installation Wizard runs the tests and displays the results
   (Success, Fail, or Optional).
      Success indicates that the test succeeded and that the prerequisite
      is met.
      Fail indicates that the test failed and that the prerequisite is not
      met.
      Optional indicates that the test failed, but that the tested item or
      condition is optional.
Note: The CA Threat Manager r8.1 test determines the presence of
that product. The Fail result indicates that the product was found; the
Success result indicates that the product was not found.
4. (Optional) Select the name of a failed test on the screen to display the test
results.
The results appear on the right side of the screen.
5. When you have finished viewing the results, click Next to continue with the
installation, or click Exit to cancel it.
Note: A failed test indicates a missing Total Defense prerequisite. If you
continue to install the product, the resulting installation may not operate
as intended or desired.
6. If the Installation Wizard cannot complete the prerequisite testing, it
displays the error message: "The Total Defense R12 prerequisite tool
failed to complete successfully. Do you wish to continue?"
Click Yes to continue with the installation. No cancels the installation.
Product Selection appears.
7. Select the following options, and then click Next:
   Would you like to install the Management Server? Select No if you are
   installing on an additional machine in a distributed installation.
   Endpoint Protection. Select this option to install Total Defense and
   Total Defense for Unified Network Control.
   Gateway Security. Do not select this option.
Another Product Selection appears and displays the options you are
entitled to install.
8. Select Endpoint Protection Management Components and Unified Network
Control Management Components, and then click Next.
Management Server appears.
9. Enter the Fully Qualified Domain Name of the Endpoint Protection Master
Management Server, and then click Next to accept the default port
number.
Server Components for Total Defense appears.
10. Select the Total Defense server components you want to install, and then
click Next.
The Total Defense Management Server and Management Console are not
available. You can install other server components or unselect the
components to install them elsewhere.
Certificate Password appears.
11. Enter the password for the digital certificate, verify the password, and then
click Next.
Note: This is the certificate password you created when you installed the
Management Server and Management Console during the first-time
installation.
12. Enter the Fully Qualified Domain Names for the Total Defense Report
Server, Events Server, or both, and then click Next. An FQDN is required
for any server not selected for installation on the preceding Server
Components screen.
Unified Network Control appears.
13. The Total Defense for Unified Network Control server components to be
installed are displayed. Click Next.
Unified Network Control Management Server Settings appears.
14. Enter the following Management Server and Administrator information:
   Management Server IP Address
   Management Server Host Name
   Administrator User Name
   Administrator Password
The Administrator information must match what was specified during the
first-time installation of the Management Server and Management
Console.
15. Accept the port numbers for the web service and certificate web sites by
clicking Next.
Database Selection appears.
16. Choose to use the Endpoint Protection Management Server.
Database Version appears.
17. Click the Microsoft SQL Server and ODBC Driver types that identify your
installed database server. Click Next.
Database Connection appears.
18. Enter the following database configuration information for the Total
Defense and Total Defense for Unified Network Control Management
Servers.
   Database Login Name
   Database Login Password
   Database Instance Name
   Database Host Name (fully qualified domain name)
19. Click the Test SQL Connection button to verify the connection, close the
message box, and then click Next. The database configuration information
on the screen must be complete.
Destination appears.
20. Click the Browse button (...) to select or create an installation folder, or
accept the default installation location, and then click Next.
Finish Installation appears with a list of the components you selected for
installation.
21. Review the list of components and click Finish to begin the installation. To
modify any of the installation options, click Back to make the necessary
adjustments.
Verify Services are Running
If performing a Distributed installation, verify that the Management Server
service is running before installing the Reporting Server. Repeat the procedure
for the Reporting Server and then the Communication Server after installing
each of those components. At the same time, you should also verify that the
component is accessible over the network.
To verify that the server component is running
1. On the host computer, click Start, and then click Run.
The Run dialog opens.
2. In the Open field, enter services.msc and click OK.
The Services window opens.
3. Verify that the Total Defense for Unified Network Control Server service
has started. If it has not started, right-click the service
name in the Services window and select Start.
If performing a Standalone installation, you will have to wait until all of the
server components are installed to verify that their services are running.
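The service check and the network accessibility check described above can also be scripted. The following PowerShell is an added example, not part of the Total Defense guide; the display-name pattern is the service name from step 3 with a wildcard, and the host name and port are placeholders to replace with the values chosen during installation.

```powershell
# Added example, not from the Total Defense guide.
# Assumptions: the display-name pattern (step 3's service name plus a
# wildcard), the placeholder FQDN, and the placeholder port.
$DisplayPattern = 'Total Defense for Unified Network Control Server*'
$ServerFqdn     = 'unc-mgmt.example.test'  # placeholder: your server's FQDN
$ServerPort     = 8443                     # placeholder: port set during install

function Confirm-ServiceRunning {
    param([string]$Pattern, [int]$WaitSeconds = 60)
    $services = @(Get-Service -DisplayName $Pattern -ErrorAction SilentlyContinue)
    if ($services.Count -eq 0) {
        Write-Warning "No installed service matches '$Pattern'."
        return $false
    }
    $allRunning = $true
    foreach ($svc in $services) {
        if ($svc.Status -ne 'Running') {
            try {
                # Same action as right-click > Start in services.msc
                Start-Service -InputObject $svc -ErrorAction Stop
                $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($WaitSeconds))
            } catch {
                Write-Warning "$($svc.DisplayName) did not start: $($_.Exception.Message)"
                $allRunning = $false
            }
        }
        $svc.Refresh()
        Write-Host ("{0}: {1}" -f $svc.DisplayName, $svc.Status)
    }
    return $allRunning
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a filtered port fails after the timeout
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Service check: run on the server. Port check: run from another machine.
$running   = Confirm-ServiceRunning -Pattern $DisplayPattern
$reachable = Test-TcpPort -HostName $ServerFqdn -Port $ServerPort
Write-Host "Service running: $running; ${ServerFqdn}:$ServerPort reachable: $reachable"
```

Starting a stopped service requires an elevated PowerShell session on the host computer.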
Chapter 4: Enabling JavaScript in the Web Browser
The web browser(s) you use to run the Management Console must have
JavaScript enabled.
To enable JavaScript in an Internet Explorer window
1. Select Tools from the top of the window.
2. Select Internet Options.
3. Click the Security tab.
4. Click Custom level....
5. Scroll to the Scripting section.
6. Under Active scripting, click Enable.
7. Click OK.
To enable JavaScript in a Mozilla Firefox window
1. Select Tools from the top of the window.
2. Click Options.
3. Click the Content tab.
4. Select the Enable JavaScript check box.
5. Click OK.
Chapter 5: Installing the Client Agent
Prepare to Install the Client Agent
The Microsoft Network Access Protection (MS-NAP) Agent is a prerequisite for
the Total Defense for Unified Network Control Client Agent if policy
enforcement is desired.
Install Microsoft Network Access Protection (MS-NAP) Agent
Before installing the Client Agent on an endpoint, you need to configure that
endpoint as follows for MS-NAP:
1. Join the computer to the domain.
2. Add the computer to the NAP client computers security group and restart
the computer.
3. Enable Run on the Start menu.
4. Verify Group Policy settings.
The following Microsoft Step By Step Guides explain how to perform these
steps for different enforcement methods:
   Step-by-Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab
   Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab
   Step-by-Step Guide: Demonstrate NAP VPN Enforcement in a Test Lab
   Step-by-Step Guide: Demonstrate NAP IPsec Enforcement in a Test Lab
You can find these guides by searching for all or part of their titles at
http://www.microsoft.com/downloads.
Install the Client Agent
Note: Do not install the Total Defense for Unified Network Control (UNC)
Client Agent on the same computer as the UNC Communication Server.
To install the UNC Client Agent
1. Insert the Total Defense DVD. If the Installation Wizard does not start
automatically, click the setup.exe program located in the root folder of the
DVD.
The Language screen appears.
2. Select the installation language when prompted, and then click OK.
The Main Menu screen appears.
3. Click Install Total Defense Suite r12.
The Installation Wizard validates the operating system running on the host
computer.
   If the operating system is not supported, the Installation Wizard
   displays an error message with a list of supported operating systems
   and virtual environments.
   Click Next or Exit to cancel the installation.
   If the operating system is supported, the Installation Wizard displays a
   list of prerequisite tests to be performed.
   Click Next or Exit to proceed with the tests.
   The Installation Wizard runs the tests and displays the results
   (Success, Fail, or Optional).
      Success indicates that the test succeeded and that the prerequisite
      is met.
      Fail indicates that the test failed and that the prerequisite is not
      met.
      Optional indicates that the test failed, but that the tested item or
      condition is optional.
   Note: The CA Threat Manager r8.1 test determines the presence of
   that product. The Fail result indicates that the product was found; the
   Success result indicates that the product was not found.
4. (Optional) Select the name of a failed test on the screen to display the test
results.
The results appear on the right side of the screen.
5. When you have finished viewing the results, click Next to continue with the
installation, or click Exit to cancel it.
Note: A failed test indicates a missing Total Defense prerequisite. If you
continue to install the product, the resulting installation may not operate
as intended or desired.
6. If the Installation Wizard cannot complete the prerequisite testing, it
displays the error message: "The Total Defense R12 prerequisite tool
failed to complete successfully. Do you wish to continue?"
Click Yes to continue with the installation. No cancels the installation.
Product Selection appears.
7. Respond as indicated to the following options, and then click Next:
   Would you like to install the Management Server: No
   Endpoint Protection: Selected
   Gateway Security: Unselected
Product Selection appears.
8. Select the Unified Network Control Management Components check box,
and then cli