CATD UNC Implementation En


  • 7/29/2019 CATD UNC Implementation En

    1/65

Implementation Guide

r12

Total Defense for Unified Network Control


This documentation, which includes embedded help systems and electronically distributed materials (hereinafter collectively referred to as the "Documentation"), is for your informational purposes only and is subject to change or withdrawal by Total Defense at any time.

The Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of Total Defense. The Documentation is confidential and proprietary information of Total Defense and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and Total Defense governing your use of the Total Defense software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and Total Defense.

Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all Total Defense copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to Total Defense that all copies and partial copies of the Documentation have been returned to Total Defense or destroyed.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE DOCUMENTATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL TOTAL DEFENSE BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF TOTAL DEFENSE IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

The manufacturer of the Documentation is Total Defense.

The Documentation is provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright 2011 Total Defense, Inc. All rights reserved. All trademarks, trade names, service marks, and logos referenced in the Documentation are the property of their respective owners.


Contact Total Defense

Contact Technical Support

For your convenience, Total Defense provides one site where you can access the information you need for your Home Office, Small Business, and Enterprise Total Defense products. At http://www.totaldefense.com/support, you can access the following:

- Online and telephone contact information for technical assistance and customer services
- Information about user communities and forums
- Product and documentation downloads
- Total Defense support policies and guidelines
- Other helpful resources appropriate for your product
Product References

This document references the following Total Defense products:

- Total Defense
- Total Defense for Unified Network Control

Contents

Chapter 1: Introducing Total Defense for Unified Network Control
    Architecture Overview
Chapter 2: Preparing to Install the Product
    Pre-Installation Checklist
        Verify Microsoft Windows Installer Version
        Verify System Requirements
        Install Internet Information Services and .NET Framework
        Install Microsoft Network Access Protection (MS-NAP)
        Configure MSMQ
        Perform Pre-installation Database Tasks
    Activate Your License
    (Optional) Use in Test Mode
Chapter 3: Installing the Infrastructure
    Management Server Host Names
    Install Server Components (Standalone Install)
    Install Server Components (Distributed Install)
    Install Server Components (Combined Standalone Install)
    Install Server Components (Combined Distributed Install)
        First-Time Install
        Subsequent Install
    Verify Services are Running
Chapter 4: Enabling JavaScript in the Web Browser
Chapter 5: Installing the Client Agent
    Prepare to Install the Client Agent
        Install Microsoft Network Access Protection (MS-NAP) Agent
        Install the Client Agent
    Configure the Client Agent
        Configure the Communication Server IP Address and Port
Chapter 6: Uninstalling and Repairing Server Components
    Uninstall and Repair
Appendix A: Troubleshooting
    Management Server
        Reimporting the SSL Certificate
        Locating Error Logs
    Communication Server
        Verifying the Presence of the System Health Validator
    Uninstalling Servers

Chapter 1: Introducing Total Defense for Unified Network Control

Architecture Overview

A standard Total Defense for Unified Network Control installation consists of:

- One Management Server
- One Reporting Server
- One or more Communication Servers
- One or more Client Agents


The Management Server controls the installation. With the Management Console, the server's graphical user interface, you can manage all aspects of the installation, including databases, reports, events, policies, user access, and licenses. Dashboard panels display Total Defense for Unified Network Control status information. Events are related to the assessment, quarantine, and remediation of endpoint devices. Policies define the Minimum Baseline Standard (MBS) for endpoint devices that comply with network security requirements.

The Reporting Server is the reporting and event management component of an installation. It builds the standard policy-based and custom reports that you request through the Management Console.

The Management Server, Reporting Server, and Communication Server can be installed on the same computer or on separate computers. The Client Agent is installed on an endpoint device. The Communication Server and Client Agent cannot be installed on the same computer.

A Communication Server is the conduit between the Management Server and its assigned Client Agents on the endpoint devices. It also validates the applicability of a policy, assesses the MBS compliance of an endpoint device, and triggers remediation of that device when necessary.

A Client Agent resides on an endpoint device and collects user, machine, and policy attribute data for the Communication Server.

Chapter 2: Preparing to Install the Product

Pre-Installation Checklist

Each of these tasks is fully described in the following sections of this chapter. Use this checklist to check off each task as you complete it:

- Verify that you have Administrative credentials to perform the installation.
- Verify the operating system and hardware requirements for server and agent.
- Verify that the Microsoft Windows Installer version is 3.0 or higher.
- Install/enable Internet Information Services, MSMQ, CGI, and .NET Framework 3.5 SP1.
- Install Microsoft Network Access Protection (MS-NAP), if enforcement is desired.
- Perform pre-installation database tasks.
- Verify that the necessary ports are open.
- Activate your license.
- (Optional) Use test mode to make sure the installation meets the requirements outlined in this checklist.

Verify Microsoft Windows Installer Version

Verify that the computer on which you will run the Total Defense Installation Wizard has version 3.0 or higher of the Microsoft Windows Installer. If you need to download the Windows Installer, go to the Windows Download Center and search for Windows Installer 3.0. The Windows Download Center is located at:

http://www.microsoft.com/downloads/en/default.aspx

You can also find it in the \Common\Bin folder of the Total Defense R12 distribution medium (DVD or compressed folder) with the name "Windows Installer v3.1 - KB893803-v2-x86.exe".

Verify System Requirements

Total Defense provides information on the minimum system requirements for the Total Defense for Unified Network Control Servers and the Total Defense for Unified Network Control Client Agent in the Total Defense for Unified Network Control Release Notes. The Release Notes are located on the installation DVD.

Once you have reviewed the system requirements, do the following:

- Select one or more computers that meet the minimum hardware and operating system requirements to host the server components.
- Verify that all endpoints meet the minimum hardware and operating system requirements to host the client agent.
Install Internet Information Services and .NET Framework

The following applications and services must be installed and running on the host computer(s) for the Total Defense for Unified Network Control (UNC) server components if version 7.0 or higher of Internet Information Services (IIS) is used:

Communication Server:
- Internet Information Services (IIS): IIS 7.5 on Microsoft Windows Server 2008 R2, or IIS 7.0 on Microsoft Windows Server 2008
- .NET Framework 3.5 SP1
- MSMQ
- CGI

Management Server, Reporting Server:
- Internet Information Services (IIS): IIS 7.5 on Microsoft Windows Server 2008 R2, or IIS 7.0 on Microsoft Windows Server 2008
- .NET Framework 3.5 SP1
- ASP.NET
- .NET Extensibility

IIS is bundled with Microsoft Windows Server 2008. However, you must ensure that IIS is installed and enabled so that the Total Defense Installation Wizard can configure specific settings. For more information, search Microsoft TechNet (http://technet.microsoft.com, for example http://technet.microsoft.com/en-us/library/cc771209.aspx) for discussions of IIS.

Note: A Management Server or Reporting Server running on Microsoft Windows Server 2003 uses IIS 6.0. A Communication Server requires IIS 7.0 or higher because it can run only on Microsoft Windows Server 2008.

If .NET Framework 3.5 SP1 is not already installed on your server, you can download it using the Microsoft Windows Update feature or from http://www.microsoft.com/downloads.

If your computer already has IIS (any version) and .NET Framework (older than version 3.5) installed, you need to install .NET Framework 3.5 and then map IIS to it. The mapping identifies the .NET Framework 3.x configurations to IIS.
Install Microsoft Network Access Protection (MS-NAP)

Total Defense for Unified Network Control (UNC) requires Microsoft Network Access Protection (MS-NAP) for the enforcement of network policies. Before you install the UNC Communication Server, you must install and configure Network Policy Server (NPS) on the host computer (which must be running Microsoft Windows Server 2008). In addition, you must have the MS-NAP Agent installed on every computer (running Windows Vista or Windows XP SP3) where the UNC Client Agent is installed. If either NPS or the MS-NAP Agent is missing or is not configured properly, UNC will not enforce network policies.

Provide domain services

UNC requires the following domain services:

- Domain controller for the Active Directory domain
- DNS server for the DNS domain

The domain controller must be installed on a separate computer (running Windows Server 2003 or later), not the host computer. Once Active Directory and DNS are running, perform the following:

1. Create a user account and group in Active Directory.
2. Create a NAP client computer security group for UNC client agents.

For a full description of the steps involved, see the Microsoft Step By Step Guide for your enforcement method listed at the end of this section.

Configure the host computer

The host computer for the Communication Server must run Microsoft Windows Server 2008 and host the NPS service. The host computer for a Standalone installation, which includes the Communication Server, must also meet these requirements.

Perform the following steps to configure the host computer for UNC:

1. Join the computer to the domain.
2. Install the NPS and enforcement server (DHCP, VPN, etc.) roles.
3. Install the Group Policy Management feature.
4. Configure NPS as a NAP health policy server.
5. Configure the enforcement method (DHCP, VPN, etc.).
6. Configure NAP client settings in Group Policy.

For a full description of the steps involved, see the Microsoft Step By Step Guide for your enforcement method listed at the end of this section.

Documentation resources

The following Microsoft Step By Step Guides demonstrate how to configure MS-NAP for different enforcement methods:

- Step-by-Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab
- Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab
- Step-by-Step Guide: Demonstrate NAP VPN Enforcement in a Test Lab
- Step-by-Step Guide: Demonstrate NAP IPsec Enforcement in a Test Lab

You can find these guides by searching for all or part of their titles at http://www.microsoft.com/downloads.

Configure MSMQ

Perform this procedure on the host computer for the Communication Server to configure Microsoft Message Queuing.

To configure MSMQ

1. In the Server Manager window, click Features.
2. In the right pane under Features Summary, click Add Features. The Select Features window appears.
3. Expand Message Queuing and then Message Queuing Services.
4. Select the Message Queuing Server check box.
5. Click Next, and then click Install. The feature is installed and the Select Features window closes.
6. In the Server Manager window, expand Features and then Message Queuing.
7. Verify that Private Queues are available.
Perform Pre-installation Database Tasks

Total Defense for Unified Network Control supports the following database applications:

- Microsoft SQL Server 2005
- Microsoft SQL Server 2005 Express
- Microsoft SQL Server 2008
- Microsoft SQL Server 2008 Express

If your company already has one of these database applications, you can also use it to host the Total Defense for Unified Network Control databases. However, Total Defense also provides Microsoft SQL Server 2005 Express as an out-of-the-box solution. Microsoft SQL Server 2005 Express is located on the installation DVD and, if chosen as an installation option, is automatically installed and configured during the installation of Total Defense for Unified Network Control.

Note: Microsoft SQL Server Express can be used during a product trial or if your organization has fewer than 500 endpoints; however, it is not recommended for larger organizations.

During the installation of Total Defense for Unified Network Control, the Installation Wizard prompts you to enter the following information for each database:

- Database user credentials
- Name of the database instance
- Name of the computer that hosts the database

These fields are pre-populated with default values if you are installing Microsoft SQL Server Express.

The Installation Wizard automatically creates the required database schema for the Total Defense for Unified Network Control Management Server database.

Tasks for Microsoft SQL Server

If you are already using Microsoft SQL Server and plan to use it for the Total Defense for Unified Network Control database, check that the following items are configured:

- Create a new user that has the sysadmin role.
- Verify that you are using SQL authentication.
- Verify that the TCP/IP protocol is enabled for port 1433.
- Verify that the firewall is not blocking access to that port.
- Enable Common Language Runtime (CLR).

See the sections that follow for instructions on how to configure these items. The items noted above are automatically configured if you choose to install Microsoft SQL Server Express during the Total Defense for Unified Network Control installation.

Note: If you are reinstalling or repairing Total Defense for Unified Network Control, the installer will delete the existing database (named "UNCDB") and create a new one. To preserve the contents of the existing database, you must create a backup of the database before running the installer. After installation, you can then restore the contents of the UNCDB database from the backup.

Enable Windows and SQL Authentication

To enable Windows and SQL authentication

1. From All Programs, select Microsoft SQL Server, SQL Server Management Studio.
2. Enter the server name, select Windows authentication, and then click Connect. The Microsoft SQL Server Management Studio window appears.
3. Right-click the server and select Properties. The Server Properties dialog appears.
4. Select the Security page, and then click SQL Server and Windows Authentication Mode.
5. Click OK. Your SQL Server now supports both SQL Server and Windows authentication.

Enable TCP/IP Protocol

To enable the TCP/IP protocol

1. Log into the SQL Server Configuration Manager.
2. Expand SQL Server Network Configuration.
3. Click Protocols for SQL Server or SQL Express.
4. Right-click the TCP/IP protocol in the right pane and select Enable.
5. Right-click the TCP/IP protocol again and select Properties. The TCP/IP Properties dialog appears.
6. Click the IP Address tab, enter the IP address of the machine hosting SQL Server or SQL Express, and then click OK. The IP address is added and TCP/IP is enabled on port 1433.

Verify Communication Ports

The Total Defense for Unified Network Control (UNC) server components communicate over the HTTPS channel on ports whose numbers are set during the UNC Server installation. The default port numbers are:

- HTTPS Web-Service Website: 34443
- HTTPS Content Update Website: 34444
- HTTPS Certificate Website: 44333

The default port number for the UNC database is 1433.

The Client Agent installation sets the default port number 34443 for its Communication Server. The Communication Server port number can be reset from the endpoint.

Your proxy settings and firewall must be configured for these port numbers (or their replacements) to allow the UNC components to communicate.
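A pre-install reachability check for the default ports listed above, added here as an example (it is not part of the guide or the product). It attempts a plain TCP connection to each port and reports which ones answer, so a firewall or proxy rule that blocks a UNC port is found before the installer or a Client Agent hits it; the host name in the demo is a constructed placeholder.

```python
"""Pre-install reachability check for the Total Defense UNC default ports.

Added example; not part of the original guide or the product. The host name
used in the demo at the bottom is a constructed placeholder.
"""
import socket

# Default port numbers from the guide, keyed by the component that uses them.
UNC_DEFAULT_PORTS = {
    "HTTPS Web-Service Website": 34443,
    "HTTPS Content Update Website": 34444,
    "HTTPS Certificate Website": 44333,
    "UNC database (SQL Server)": 1433,
}


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds.

    Only the handshake is tested and the socket is closed at once, so this
    says nothing about the TLS certificate or the service behind the port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, name lookup failure or timeout
        return False


def check_unc_ports(host, ports=UNC_DEFAULT_PORTS, timeout=3.0):
    """Probe every port in `ports` on `host` and return {role: reachable}."""
    return {role: tcp_port_open(host, port, timeout) for role, port in ports.items()}


def unreachable_ports(results):
    """Roles whose port did not answer; an empty list means all are reachable."""
    return [role for role, ok in results.items() if not ok]


if __name__ == "__main__":
    # "unc-server.example.local" is a constructed placeholder, not a real host.
    results = check_unc_ports("unc-server.example.local")
    for role, ok in results.items():
        print(f"{role:30s} {UNC_DEFAULT_PORTS[role]:6d}  {'open' if ok else 'BLOCKED'}")
    if unreachable_ports(results):
        print("Open the BLOCKED ports on the firewall/proxy before installing.")
```

Run it from an endpoint against its Communication Server (or the replacement port numbers you chose during installation), and against the database host for 1433 when the database lives on a separate machine.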

Create a Login User and Role

The following procedure uses SQL Server Management Studio Express. If you do not already have this application, you may download it using the following link:

http://www.microsoft.com/express/sql/download/

Best Practice Tip! Although you may use your sa user during installation and skip this procedure, Total Defense recommends creating a new user name and a strong password to protect the integrity of the database.

1. Using the SQL Server Management Studio Express interface, connect to the Database Server you created during the SQL installation.
2. Navigate to the Security folder, right-click the Logins folder, and then select New login from the pop-up menu. The SQL Server Login Properties - New Login dialog appears, displaying the General tab.
3. Enter a name in the Login name field. Note: Do not include curly braces, { or }, in the Login name field, as they are not supported.
4. Click SQL Server Authentication. The password fields are enabled.
5. Enter and confirm a password for the new login.
6. Uncheck the Enforce password expiration option.
7. Select the Server Roles page. The Server Roles page appears.
8. Check the sysadmin role, and then click OK.
Enable Common Language Runtime (CLR)

To enable Common Language Runtime (CLR)

1. From the Start menu, select All Programs, Microsoft SQL Server, Configuration Tools, SQL Server Surface Area Configuration. The SQL Server Surface Area Configuration window appears.
2. Click Surface Area Configuration for Features. The Surface Area Configuration for Features - localhost window appears.
3. Click the View by Instance tab and expand the database instance name (for example, SQLEXPRESS) and then Database Engine.
4. In the vertical menu list, click CLR Integration.
5. Select the Enable CLR integration check box.
6. Click Apply, and then click OK.

Activate Your License

With the purchase of this product, Total Defense sends you the following license-related documentation:

- A hard copy of your License Certificate in regular mail. Keep this certificate in a safe location for future reference.
- An electronic version of your License Certificate in email. Keep this email in a safe, yet convenient location, as you will need the license number during the installation of this product.
- A license activation link in email.

Best Practice Tip! Total Defense highly recommends that you activate your license as soon as you receive the license activation email.

If you do not click the license activation link provided in the license activation email before you start the installation, you may install this product in a 30-day trial mode.

When the installation is complete, the Management Server will attempt to register your license with the Entitlement Management System. If it is unable to do so, a banner appears in the Management Console providing further instructions on how to complete this transaction.

For more information about licensing, refer to "License Management" in the Total Defense for Unified Network Control Administration Guide.

(Optional) Use in Test Mode

Using Total Defense for Unified Network Control in Test mode allows you to test your policies and assess endpoints prior to activating policy enforcement and remediation. It also provides you the opportunity to become familiar with the Management Console and to configure key policies prior to full product deployment.

Best Practice Tip! We recommend that you initially deploy the product to a limited number of endpoints.

To test the UNC installation

1. Choose a host computer or server for the Total Defense for Unified Network Control server components that meets the minimum system requirements as defined in the Release Notes. The host machine(s) for the server components can be the same computer(s) that will serve as the permanent host(s) for these servers in your normal production environment.
2. Choose a small number of endpoints to which you will deploy the Total Defense for Unified Network Control Client Agent. These endpoints should represent each type of platform (hardware and operating system) currently used in your production network and supported by this release.
3. Verify that the pre-installation tasks outlined in this chapter have been met for each of these endpoints.

Chapter 3: Installing the Infrastructure

Total Defense for Unified Network Control (TDUNC) provides the following installation scenarios:

Standalone Installation

In a Standalone Installation all TDUNC server components are installed on the same host machine, which meets the minimum hardware and operating system requirements. A Standalone Installation works best for sites with fewer than 1,000 endpoints in the same physical location.

Best Practice Tip! Since this server is considered mission critical for keeping your environment healthy, Total Defense recommends that no other applications run on this server. It should be dedicated to TDUNC alone.

Database Connectivity in a Standalone Installation: The Total Defense Installation Wizard will automatically install and configure Microsoft SQL Server Express on the same machine on which you install the Management Server, or allow you to use a locally installed database instead. If you use an existing database, you must complete several configuration tasks prior to starting the Total Defense installation.

Distributed Installation

In a Distributed Installation the TDUNC Management Server, Reporting Server, and Communication Server may each be installed on a separate machine to improve product performance and network flow. This installation is recommended for sites with more than 1,000 endpoints or sites that have endpoints located across more than one physical location.

A Distributed Installation can have one of the following configurations:

    Configuration 1

    Computer A: Management Server

    Computer B: Reporting Server

    Computer C: Communication Server

    Configuration 2

    Computer A: Management Server and Reporting Server

    Computer B: Communication Server

    Configuration 3

    Computer A: Management Server

    Computer B: Reporting Server and Communication Server

    Database Connectivity in a Distributed Installation

In a Distributed Installation you may use an existing Microsoft SQL database for the Management Server. The database may be located on a separate machine, such as an application server located in a database farm. In this scenario, the Installation Wizard prompts you for the required database information (SQL hostname, SQL instance name, and so on). Before you begin the Total Defense installation, you must complete several configuration tasks.

    Combined Standalone Installation

    In a Combined Standalone Installation, all Total Defense (TD) and TDUNC

    server components are installed at the same time on the same host

    machine that meets the recommended hardware and operating system

    requirements. A Standalone Installation works best for sites with fewer

    than 1,000 endpoints in the same physical location.

    Combined Distributed Installation

    In a Combined Distributed Installation the TD and TDUNC Management

Servers are installed at the same time on the same machine, while the remaining server components of both products may each be installed on a

    separate machine to improve product performance and network flow. This

    installation is recommended for sites with more than 1,000 endpoints or

    sites that have endpoints located across more than one physical location.

    Combined Staged Installations

    In a Combined Staged Installation, TD and TDUNC are installed at different

    times in Standalone or Distributed Installations.

    Standalone Configurations

    Computer A: TD installed first; TDUNC installed second.

    Computer A: TDUNC installed first; TD installed second.

    Distributed Configurations

    Note: All servers in these configurations must be installed with a

    distributed installation type.

    Computer A: All TD servers installed first; TDUNC Management Server

    installed second.

    Computer B: Remaining TDUNC servers installed.

    Computer A: All TDUNC servers installed first; TD Management Server

    installed second.

    Computer B: Remaining TD servers installed.


    Management Server Host Names

When selecting a host machine for the Management Server, be sure its name conforms to the Domain Name System (DNS) naming standards. A standard host name must:

- Begin with a letter (A-Z, a-z)

- End with a letter or digit (0-9)

- Contain only letters, digits, and hyphens (-)

Host names are case-insensitive, so host names such as Safety-First and safety-first are seen as identical.
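As an added illustration (it is not part of this guide or of the product), the following PowerShell function applies the three naming rules above to a candidate host name and, optionally, confirms that the name resolves in DNS, which is what the other servers and the endpoints will rely on when they contact the Management Server. The function name, its parameters and the sample names are this example's own assumptions; the 63-character label limit comes from the DNS standard, not from this guide.

```powershell
# Added example, not from the Total Defense guide. Checks a proposed Management
# Server host name against the DNS naming rules quoted above and, unless told
# to skip it, confirms that the name resolves. All names below are assumptions.

function Test-ManagementServerHostName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [string]$DnsSuffix = '',     # assumed suffix used to build the FQDN for the lookup
        [switch]$SkipDnsLookup       # check syntax only, e.g. before the machine is built
    )

    $problems = @()

    # Rules from the guide: starts with a letter, ends with a letter or digit,
    # only letters, digits and hyphens in between. -match is case-insensitive,
    # which mirrors DNS treating Safety-First and safety-first as one name.
    # Underscores, which Windows tolerates in computer names, are rejected here.
    if ($HostName -notmatch '^[a-z]([a-z0-9-]*[a-z0-9])?$') {
        $problems += "'$HostName' must start with a letter, end with a letter or digit, and contain only letters, digits and hyphens"
    }

    # DNS label length limit (RFC 1035); not stated in the guide, enforced by resolvers.
    if ($HostName.Length -gt 63) {
        $problems += "'$HostName' is longer than the 63-character DNS label limit"
    }

    # Forward lookup: the Communication Server and the endpoints find the
    # Management Server by name, so a name that does not resolve is a hard failure.
    $fqdn = if ($DnsSuffix) { "$HostName.$DnsSuffix" } else { $HostName }
    if ($problems.Count -eq 0 -and -not $SkipDnsLookup) {
        try {
            $addresses = [System.Net.Dns]::GetHostAddresses($fqdn)
            if (-not $addresses) { $problems += "'$fqdn' resolved to no addresses" }
        } catch {
            $problems += "'$fqdn' does not resolve: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        HostName = $HostName
        Fqdn     = $fqdn
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Sample names (assumed). The first passes; the second fails on the leading
# digit; the third fails on the underscore. Drop -SkipDnsLookup on the real
# host to also verify resolution.
'Safety-First', '1st-server', 'td_mgmt' |
    ForEach-Object { Test-ManagementServerHostName -HostName $_ -DnsSuffix 'corp.example' -SkipDnsLookup } |
    Format-Table HostName, IsValid, Problems -AutoSize
```

Run the function on the intended Management Server host with the real DNS suffix before starting the Installation Wizard; a name that fails the syntax rules or does not resolve should be fixed at the operating-system level first, because the Management Server name is entered by the other server components and by the endpoints.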


    Install Server Components (Standalone Install)

    The instructions in this section describe how to perform a Standalone

    Installation in which all server components are installed on the same host

    computer.

Note: To ensure a successful installation, please read Preparing to Install Total Defense for Unified Network Control (see page 11) before you start the installation process.

    To perform a Standalone Installation

1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the Installation Wizard does not start automatically, run the setup.exe program located in the root folder of the DVD.

The Language dialog appears.

2. Select the appropriate installation language when prompted, and then click OK.

The Main Menu appears.

3. Click Install Total Defense Suite r12.

The Installation Wizard validates the operating system running on the host computer.

- If the operating system is not supported, the Installation Wizard displays an error message with a list of supported operating systems and virtual environments. Click Next or Exit to cancel the installation.

- If the operating system is supported, the Installation Wizard displays a list of prerequisite tests to be performed. Click Next to proceed with the tests, or click Exit to cancel the installation.

The Installation Wizard runs the tests and displays the results (Success, Fail, or Optional):

- Success indicates that the test succeeded and that the prerequisite is met.

- Fail indicates that the test failed and that the prerequisite is not met.

- Optional indicates that the test failed, but that the tested item or condition is optional.

Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.

4. (Optional) Select the name of a failed test on the screen to display the test results.


    The results appear on the right side of the screen.

5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.

Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.

6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?"

Click Yes to continue with the installation. No cancels the installation.

Product Selection appears.

7. Click Yes to install the Management Server, select Endpoint Protection, and then click Next.

License Agreements appear.

8. After reading the legal notices, click the I accept the terms of the License Agreement button, and then click Next.

Registration appears.


9. Enter the registration information, and then click Next.

Note: The Total Defense Entitlement Management System (EMS) sends a license activation link to the email address that you enter on this screen. Make sure to enter an address that you check frequently so that you can finalize the license activation process.

Renewal appears.

10. (Optional) Modify the information if your Renewal Contact information is different from the Product Registration information, and then click Next.

Internet Proxy Information appears.

11. If you use a web proxy to access the Internet, enter the required proxy information, and then click Next.

License Verification appears.

12. Copy and paste your license (or enter it manually using all UPPER CASE characters), and then click Next.

If you have an Internet connection, the Total Defense Entitlement Management System is contacted and registers your license.

If you do not have an Internet connection or the Entitlement Management System cannot be reached, click Next to complete the installation in a 30-day trial mode.

Note: The Management Server will attempt to complete the registration for you when the installation is complete. The server will attempt to activate the license for 5 days. If it is unable to do so, a message will appear in the banner of the Management Console with a link to instructions on how to complete the registration.

Installation Type appears.

13. Click Standalone Installation, and then click Next.

Another Product Selection appears.


14. Select Unified Network Control Management Components, unselect the other options, and then click Next.

15. The Unified Network Control servers appear, all selected for a standalone installation. Click Next.

Unified Network Control Administrator and Port Settings appears.

16. Enter the user name, password, and email address for the person responsible for implementing Total Defense for Unified Network Control.

If you specify a domain with the user name (for example, domain\username), the installer attempts to authenticate the user name through Active Directory. If you do not enter a domain, the installer stores the unauthenticated user name and password in the Total Defense for Unified Network Control database catalog. Prefer a domain account where one is available, so that the credential is validated by Active Directory rather than accepted unverified and stored in the product database.

17. Accept the port numbers for the web service and certificate web sites by clicking Next.

Email Notifications appears.

18. Enter the email address for the Total Defense for Unified Network Control administrator. If your email server requires authentication, select the Authenticated Server check box, and enter the domain user name and password.

Database Selection appears.

19. Choose to install Microsoft SQL Server Express or use an existing Microsoft SQL Server or Microsoft SQL Server Express installation. Click Next.

Note: If the installer discovers an existing Microsoft SQL Server or Microsoft SQL Server Express installation on the host computer, the choice to install Microsoft SQL Server Express is disabled.

If you chose to use an installed database server in this step, Database Version appears.

If you chose to install Microsoft SQL Server Express in this step, Database Server appears.

20. (Installing Microsoft SQL Server Express) Enter the following database login information:

- User Name

- Password

Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL sa account. The new account must have system administrator (sysadmin) permissions and no other System Roles.


21. (Using an installed database server) Click the Microsoft SQL Server and ODBC Driver types that identify your installed database server. Click Next.

Database Connection appears.

22. Enter the following database configuration information for the UNC Management Server:

- Database Login Name

- Database Login Password

- Database Instance Name

- Database Host Name (fully qualified domain name)

Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL sa account. The new account must have system administrator (sysadmin) permissions and no other System Roles.

23. Click the Test SQL Connection button to verify the connection, close the message box, and then click Next. The database configuration information on the screen must be complete before the connection can be tested.

The Destination screen appears.

24. Click the Browse button (...) to select or create an installation folder, or accept the default installation location, and then click Next.

Finish Installation appears with a list of the components you selected for installation.

25. Review the list of components and click Finish to begin the installation. To modify any of the installation options, click Back to make the necessary adjustments.


    Install Server Components (Distributed Install)

    The instructions in this section describe how to perform a Distributed

    Installation in which server components are installed on separate machines to

    improve product performance and network flow. This installation is

    recommended for sites with more than 1,000 endpoints or sites that have

    endpoints located across more than one geographical location. To determine if

    a Distributed Installation is the appropriate implementation for your

    organization, see Installation Scenarios.

Note: To ensure a successful installation, please see the Pre-Installation Checklist (see page 11) before you begin this procedure.

    To perform a Distributed Installation

1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the Installation Wizard does not start automatically, run setup.exe located in the root folder of the DVD.

The Language screen appears.

2. Select the appropriate installation language and click OK.

The Main Menu appears.

3. Click Install Total Defense Suite r12.

The Installation Wizard validates the operating system running on the host computer.

- If the operating system is not supported, the Installation Wizard displays an error message with a list of supported operating systems and virtual environments. Click Next or Exit to cancel the installation.

- If the operating system is supported, the Installation Wizard displays a list of prerequisite tests to be performed. Click Next to proceed with the tests, or click Exit to cancel the installation.

The Installation Wizard runs the tests and displays the results (Success, Fail, or Optional):

- Success indicates that the test succeeded and that the prerequisite is met.

- Fail indicates that the test failed and that the prerequisite is not met.

- Optional indicates that the test failed, but that the tested item or condition is optional.

Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.


4. (Optional) Select the name of a failed test on the screen to display the test results.

The results appear on the right side of the screen.

5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.

Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.

6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?"

Click Yes to continue with the installation. No cancels the installation.

Product Selection appears.

7. Select the following options, and then click Next:

- Would you like to install the Management Server? Select Yes if you are installing on the first of multiple machines in a distributed installation, or if you are installing all components on only one machine. Select No if you are installing on an additional machine in a distributed installation.

- Endpoint Protection. Select this option to install Total Defense for Unified Network Control.

- Gateway Security. Do not select this option.

License Agreements appear.

8. After reading the agreements, click I accept the terms of the License Agreements, and then click Next.

Registration appears.


9. Enter the registration information, and then click Next.

Note: The Total Defense Entitlement Management System (EMS) sends a license activation link to the email address that you enter on this screen. Make sure to enter an address that you check frequently so that you can finalize the license activation process.

Renewal appears.

10. (Optional) Modify the information as needed if your Renewal Contact information is different from the Product Registration information, and then click Next.

Internet Proxy Information appears.

11. If you are using a proxy to access the Internet, enter the necessary information, or select the check box indicating that a web proxy server is not used to access the Internet, and then click Next.

License Verification appears.

12. Copy and paste your license (or enter it manually using all UPPER CASE characters), and then click Next.

If you have an Internet connection, the Total Defense Entitlement Management System is contacted and registers your license.

If you do not have an Internet connection or the Entitlement Management System cannot be reached, click Next to complete the installation in a 30-day trial mode.

Note: The Management Server will attempt to complete the registration for you when the installation is complete. The server will attempt to activate the license for 5 days. If it is unable to do so, a message will appear in the banner of the Management Console with a link to instructions on how to complete the registration.

Installation Type appears.

13. Select Distributed Installation, and then click Next.

Another Product Selection appears and displays the options you are entitled to install.

14. Select Unified Network Control Management Components, unselect all other options, and then click Next.

Unified Network Control appears.

15. Select the server components you want to install, and then click Next. For information on the Total Defense for Unified Network Control server components, see Architecture Overview (see page 8).

Unified Network Control Administrator and Port Settings appears.


16. Enter the user name, password, and email address of the individual who will be responsible for managing Total Defense for Unified Network Control.

This user may be you or another user who has a valid account on the machine that will host the Total Defense for Unified Network Control Management Server. This user will have full Administrative authority within the Management Server, so treat the credential as you would any other administrative account.

17. Accept the default ports by clicking Next.

Email Notifications appears.

18. Enter the email address for the Total Defense for Unified Network Control administrator. If your email server requires authentication, select the Authenticated Server check box, and enter the domain user name and password.

Database Selection appears.

19. Choose to use an existing database or install a new one to use with Total Defense for Unified Network Control, and then click Next.

Note: If the installer discovers an existing Microsoft SQL Server or Microsoft SQL Server Express installation on the host computer, the choice to install Microsoft SQL Server Express is disabled.

- If you chose Install Microsoft SQL Server Express, Database Server appears. Enter a user name and password for the new SQL Server Express database server, and then click Next.

- If you chose Use existing MS SQL Server or SQL Server Express, Database Version appears. Do the following:

a. Select the version of MS SQL Server and ODBC driver to use, and then click Next.

Database Connection appears.

b. Enter the database configuration information, and then click Next.

Note: Total Defense highly recommends creating and using an account other than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no other System Roles.

20. Accept the default installation folder, or click the Browse button (...) and create or select a different folder, and then click OK. Click Next.

Finish Installation appears with the list of components you selected for installation.

21. Review the list of components. To modify any of the installation options, click Back to make the necessary adjustments. To begin the installation, click Finish.


    Install Server Components (Combined Standalone Install)

    The instructions in this section describe how to perform a Standalone

    Installation in which all Total Defense and Total Defense for Unified Network

    Control server components are installed on the same system.

    Note: Read the Pre-Installation Checklist for Total Defense and Total Defense

    for Unified Network Control before you begin this procedure.

    To perform a Standalone Installation

1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the Installation Wizard does not start automatically, run setup.exe located in the root folder of the DVD.

The Language dialog appears.

2. Select the appropriate installation language and click OK.

The Main Menu appears.

3. Click Install Total Defense Suite r12.

The Installation Wizard validates the operating system running on the host computer.

- If the operating system is not supported, the Installation Wizard displays an error message with a list of supported operating systems and virtual environments. Click Next or Exit to cancel the installation.

- If the operating system is supported, the Installation Wizard displays a list of prerequisite tests to be performed. Click Next to proceed with the tests, or click Exit to cancel the installation.

The Installation Wizard runs the tests and displays the results (Success, Fail, or Optional):

- Success indicates that the test succeeded and that the prerequisite is met.

- Fail indicates that the test failed and that the prerequisite is not met.

- Optional indicates that the test failed, but that the tested item or condition is optional.

Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.

4. (Optional) Select the name of a failed test on the screen to display the test results.

    The results appear on the right side of the screen.


5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.

Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.

6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?"

Click Yes to continue with the installation. No cancels the installation.

Product Selection appears.

7. Select the following options, and then click Next:

- Would you like to install the Management Server? Select Yes.

- Endpoint Protection. Select this option to install Total Defense and Total Defense for Unified Network Control.

- Gateway Security. Do not select this option.

License Agreements appear.

8. After reading the agreements, click I accept the terms of the License Agreements, and then click Next.

Registration appears.


9. Enter the registration information, and then click Next.

Note: The Total Defense Entitlement Management System (EMS) sends a license activation link to the email address that you enter on this screen. Make sure to enter an address that you check frequently so that you can finalize the license activation process.

Renewal appears.

10. (Optional) Modify the information as needed if your renewal contact information is different from the product registration information, and then click Next.

Internet Proxy Information appears.

11. If you use a web proxy to access the Internet, enter the required proxy information, and then click Next.

License Verification appears.

12. Copy and paste your license (or enter it manually using all UPPER CASE characters), and then click Next.

If you have an Internet connection, the Total Defense Entitlement Management System is contacted and registers your license.

If you do not have an Internet connection or the Entitlement Management System cannot be reached, click Next to complete the installation in a 30-day trial mode.

Note: The Management Server will attempt to complete the registration for you when the installation is complete. The server will attempt to activate the license for 5 days. If it is unable to do so, a message will appear in the banner of the Management Console with a link to instructions on how to complete the registration.

Installation Type appears.

13. Click Standalone Installation, and then click Next.

Another Product Selection appears.

14. Select Endpoint Protection Management Components and Unified Network Control Management Components, and then click Next.

Endpoint Discovery Acknowledgement appears.


15. Read the acknowledgement and click Next.

Certificate Password appears.

16. Enter a password for the digital certificate, verify the password, and then click Next.

This password protects the generation and storage of your digital certificate and encrypts and authenticates sensitive Total Defense data communications.

Note: If you install additional server components or proxies at a later time, the Installation Wizard prompts you for this password. Total Defense recommends storing this password in a safe location, such as your organization's password vault; without it you cannot add server components or proxies to this installation later.

User Specification appears.

17. Enter the user name and password of the individual who will perform the remote deployment of the Total Defense Agent/Client and who will initiate the Endpoint Discovery process to discover all unmanaged endpoints in your organization.

Port Specification appears.

18. (Optional) Modify the Total Defense Management Server ports, if necessary, and then click Next.

Unified Network Control appears.

19. The Total Defense for Unified Network Control server components to be installed are displayed. Click Next.

Unified Network Control Administrator and Port Settings appears.

20. Enter the user name, password, and email address for the person responsible for implementing Total Defense for Unified Network Control.

If you specify a domain with the user name (for example, domain\username), the installer attempts to authenticate the user name through Active Directory. If you do not enter a domain, the installer stores the unauthenticated user name and password in the Total Defense for Unified Network Control database catalog. Prefer a domain account where one is available, so that the credential is validated by Active Directory rather than accepted unverified and stored in the product database.

21. Accept the port numbers for the web service and certificate web sites by clicking Next.

Email Notifications appears.

22. Enter the Fully Qualified Domain Name of your email server and your email address to receive email notification when certain events occur and when reports are ready for viewing. If authentication is required, click Authenticated Server, and enter the domain user name and password.

Database Selection appears.

23. Choose to install Microsoft SQL Server Express or use an existing Microsoft SQL Server or Microsoft SQL Server Express installation. Click Next.


Note: If the installer discovers an existing Microsoft SQL Server or Microsoft SQL Server Express installation on the host computer, the choice to install Microsoft SQL Server Express is disabled.

If you choose to use an installed database server in this step, Database Version appears.

If you choose to install Microsoft SQL Server Express in this step, Database Server appears instead.

24. (Database Server screen) Enter the following database server login information:

- User Name

- Password

Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no other System Roles.

Destination appears. (Skip the Database Version and Database Connection steps.)

25. (Database Version) Click the Microsoft SQL Server and ODBC Driver types that identify your installed database server. Click Next.

Database Connection appears.

26. (Database Connection) Enter the following database configuration information for the Total Defense and Total Defense for Unified Network Control Management Servers:

- Database Login Name

- Database Login Password

- Database Instance Name

- Database Host Name (fully qualified domain name)

Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no other System Roles.


27. (Database Connection, continued) Click the Test SQL Connection button to verify the connection, close the message box, and then click Next. The database configuration information on the screen must be complete.

Destination appears.

28. Click the Browse button (...) to select or create an installation folder, or accept the default installation location, and then click Next.

Finish Installation appears with a list of the components you selected for installation.

29. Review the list of components and click Finish to begin the installation. To modify any of the installation options, click Back to make the necessary adjustments.
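The Database Connection steps of the Standalone, Distributed and Combined Standalone procedures above all carry the same recommendation: use a dedicated sysadmin login rather than sa, and test the connection before continuing. The following PowerShell script is an added example, not code from Total Defense or from this guide. It creates such a login on the target instance, adds it to sysadmin, verifies that sysadmin is the only server role it holds (the reading taken here of "no other System Roles"), and then opens a connection as the new login, which is the same check the wizard's Test SQL Connection button performs. The host, instance and login names are assumed values, and the script assumes the instance presents a certificate the client trusts because it requests an encrypted connection.

```powershell
# Added example, not from the Total Defense guide. Creates the dedicated SQL
# Server login recommended in place of sa, grants sysadmin, verifies that no
# other server role is held, and test-connects as the new login.
# $SqlHost, $Instance and $LoginName are assumed values; change them to yours.
param(
    [string]$SqlHost   = 'sqlhost01.corp.example',  # assumed Database Host Name (FQDN)
    [string]$Instance  = 'TDUNC',                   # assumed Database Instance Name
    [string]$LoginName = 'tdunc_svc'                # assumed login to use instead of sa
)

Add-Type -AssemblyName System.Data
$server = if ($Instance) { "$SqlHost\$Instance" } else { $SqlHost }

# Prompt for the password rather than embedding it; the plaintext copy exists
# only long enough to run CREATE LOGIN and the test connection.
$secure = Read-Host -Prompt "Password for new login $LoginName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Runs one batch and returns the first column of any rows it produces.
function Invoke-Sql {
    param([string]$ConnectionString, [string]$Query, [hashtable]$Parameters = @{})
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        foreach ($name in $Parameters.Keys) { [void]$cmd.Parameters.AddWithValue($name, $Parameters[$name]) }
        $reader = $cmd.ExecuteReader()
        $rows = @()
        while ($reader.Read()) { $rows += $reader.GetValue(0) }
        $reader.Close()
        return ,$rows
    } finally { $conn.Close() }
}

# The builder quotes values, so a password containing ';' or '"' can neither
# break the connection string nor smuggle extra keywords into it.
function New-ConnString([string]$User, [string]$Password) {
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source'] = $server
    $b['Encrypt']     = $true          # assumes a server certificate the client trusts
    if ($User) { $b['User ID'] = $User; $b['Password'] = $Password }
    else       { $b['Integrated Security'] = $true }
    $b.ConnectionString
}

# 1. Create the login and add it to sysadmin, authenticating with the
#    administrator's own Windows account so sa is never used. CREATE LOGIN does
#    not accept parameters, so the name and password arrive as parameters and
#    are quoted server-side with QUOTENAME before the statement is executed.
$createLogin = @'
DECLARE @sql nvarchar(max);
SET @sql = N'CREATE LOGIN ' + QUOTENAME(@name) +
           N' WITH PASSWORD = ' + QUOTENAME(@pwd, '''') + N', CHECK_POLICY = ON;';
IF @sql IS NULL BEGIN RAISERROR('login name or password too long for QUOTENAME', 16, 1); RETURN; END
EXEC sp_executesql @sql;
EXEC sp_addsrvrolemember @loginame = @name, @rolename = N'sysadmin';
'@
$adminConn = New-ConnString
Invoke-Sql $adminConn $createLogin @{ '@name' = $LoginName; '@pwd' = $plain } | Out-Null

# 2. Verify that sysadmin is the only server role the login holds.
$roleQuery = @'
SELECT r.name
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = @name
'@
$roles = Invoke-Sql $adminConn $roleQuery @{ '@name' = $LoginName }
if (($roles -join ',') -ne 'sysadmin') {
    throw "$LoginName holds server roles [$($roles -join ', ')]; expected only sysadmin"
}

# 3. Connect as the new login, the same check the wizard's Test SQL Connection
#    button performs, then discard the plaintext password.
$testConn = New-ConnString $LoginName $plain
$plain = $null
$who = Invoke-Sql $testConn 'SELECT SUSER_SNAME()'
"Connected to $server as $($who[0]); use this login on the Database Connection screen"
```

Run the script from an account that is already a SQL Server administrator on the target instance; it never needs the sa password. If the role check throws, remove the extra role membership before entering the login in the wizard, since the guide requires sysadmin alone.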

    Install Server Components (Combined Distributed Install)

    When you perform a Combined Distributed Install, you install the Total

    Defense and Total Defense for Unified Network Control Management Servers

    and Management Consoles first on the same machine. You can also install any

    other server components at that time and on that machine. To install the

    remaining server components, you repeat the Combined Distributed Install on

    other machines until all of the required server components are installed. A

    Combined Distributed Install also lets you install all server components on the

    same machine.

    Note: If Total Defense and Total Defense for Unified Network Control are

    installed Standalone on separate machines, there can be no integration of

    products. They must be installed Combined Distributed to be integrated

    (reports only).

    Note: Performing a Standalone install of one product on top of the Standalone

    install of another product invalidates and disables the first product installed.

    This section describes the following procedures:

    First-Time Install

    Installs the Management Servers and Management Consoles for both

    products together, and any other server components you select, on the

    same machine (referred to as the first-time machine).

    Subsequent Install

    Installs one or more server components on an additional machine

    (referred to as a subsequent machine).


    First-Time Install

    The instructions in this section describe how to perform a first-time Distributed

    Installation in which the Management Servers and Management Consoles of

Total Defense and Total Defense for Unified Network Control, and any other available server components, are installed on the same machine.

    Note: Read and perform the tasks in the Pre-Installation Checklist for Total

    Defense and Total Defense for Unified Network Control before you begin this

    procedure.

    To perform a Distributed Installation

1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the Installation Wizard does not start automatically, run setup.exe located in the root folder of the DVD.

The Language dialog appears.

2. Select the appropriate installation language and click OK.

The Main Menu appears.

3. Click Install Total Defense Suite r12.

The Installation Wizard validates the operating system running on the host computer.

- If the operating system is not supported, the Installation Wizard displays an error message with a list of supported operating systems and virtual environments. Click Next or Exit to cancel the installation.

- If the operating system is supported, the Installation Wizard displays a list of prerequisite tests to be performed. Click Next to proceed with the tests, or click Exit to cancel the installation.

The Installation Wizard runs the tests and displays the results (Success, Fail, or Optional):

- Success indicates that the test succeeded and that the prerequisite is met.

- Fail indicates that the test failed and that the prerequisite is not met.

- Optional indicates that the test failed, but that the tested item or condition is optional.

Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.

    4. (Optional) Select the name of a failed test on the screen to display the testresults.


    The results appear on the right side of the screen.

    5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.

    Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.

    6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?"

    Click Yes to continue with the installation. No cancels the installation.

    Product Selection appears.

    7. Select the following options, and then click Next:

    Would you like to install the Management Server? Select Yes if you are installing on the first of multiple machines in a distributed installation, or if you are installing all components on only one machine.

    Endpoint Protection. Select this option to install Total Defense and Total Defense for Unified Network Control.

    Gateway Security. Do not select this option.

    License Agreements appear.

    8. After reading the agreements, click I accept the terms of the License Agreements, and then click Next.

    Registration appears.

    9. Enter the registration information, and then click Next.

    Note: The Total Defense Entitlement Management System (EMS) sends a license activation link to the email address that you enter on this screen. Make sure to enter an address that you check frequently so that you can finalize the license activation process.

    Renewal appears.

    10. (Optional) If your renewal contact information is different from the product registration information, modify the information as needed, and then click Next.

    Internet Proxy Information appears.

    11. If you are using a proxy to access the Internet, enter the necessary information, or select the check box indicating that a web proxy server is not used to access the Internet, and then click Next.

    License Verification appears.

    12. Copy and paste your license (or manually enter it using all UPPER CASE characters), and then click Next.


    If you have an Internet connection, the Total Defense Entitlement Management Server is contacted and registers your license.

    If you do not have an Internet connection or the Entitlement Management Server cannot be reached, click Next to complete the installation in a 30-day trial mode.

    Note: The Management Server will attempt to complete the registration for you when the installation is complete. The server will attempt to activate the license for 5 days. If it is unable to do so, a message will appear in the banner of the Management Console with a link to instructions on how to complete the registration.

    Installation Type appears.

    13. Click Distributed Installation, and then click Next.

    Another Product Selection appears and displays the options you are entitled to install.

    14. Select Endpoint Protection Management Components and Unified Network Control Management Components, and then click Next.

    Endpoint Discovery Acknowledgement appears.

    15. Read the Acknowledgement and click Next.

    Server Components appears.

    16. Select the Total Defense server components you want to install, and then click Next.

    If this is a first installation, the Total Defense Management Server and Management Console are automatically selected. You can install other server components on the same system or unselect the components to install them elsewhere.

    Server Location appears.

    17. Enter the Fully Qualified Domain Names for the Total Defense Report Server, Events Server, or both, and then click Next. An FQDN is required for any server not selected for installation on the preceding Server Components screen.

    Certificate Password appears.

    18. Enter a password for the digital certificate, verify the password, and then click Next.

    This password protects the generation and storage of your digital certificate and encrypts and authenticates sensitive Total Defense data communications.

    Note: If you install additional server components or proxies at a later time, the Installation Wizard prompts you for this password. Total Defense recommends storing this password in a safe location.

    User Specification appears.


    19. Enter the user name and password of the individual who will perform remote deployments of the Total Defense Agent/Client, and the user name and password of the user who will initiate the discovery of endpoints on your network.

    Note: It is preferred that the Endpoint Discovery user have domain administrative privileges; however, it is not a requirement. Using domain administrator privileges ensures a better discovery rate. The remote deployment user can be a member of the Local Users group or a domain user.

    Port Specification appears.

    20. Accept or modify the default ports for the Total Defense Management Server, and then click Next.

    Unified Network Control appears.

    21. The Total Defense for Unified Network Control server components to be installed are displayed. Click Next.

    Unified Network Control Administrator and Port Settings appears.

    22. Enter the user name, password, and email address for the person responsible for implementing Total Defense for Unified Network Control.

    If you specify a domain with the user name (for example, domain\username), the installer attempts to authenticate the user name through Active Directory. If you do not enter a domain, the installer stores the unauthenticated user name and password in the Total Defense for Unified Network Control database catalog.

    23. Accept the port numbers for the web service and certificate web sites by clicking Next.

    Email Notifications appears.

    24. Enter the Fully Qualified Domain Name of your email server and your email address to receive email notification when certain events occur and when reports are ready for viewing.

    If authentication is required, click Authenticated Server, and enter the domain user name and password.

    Database Selection appears.

    25. Choose to install Microsoft SQL Server Express or use an existing Microsoft SQL Server or Microsoft SQL Server Express installation. Click Next.

    Note: If the installer discovers an existing Microsoft SQL Server or Microsoft SQL Server Express installation on the host computer, the choice to install Microsoft SQL Server Express is disabled.

    If you choose to use an installed database server in this step, Database Version and Database Connection will appear.

    If you choose to install Microsoft SQL Server Express in this step, Database Server will appear instead.


    26. (Database Server) Enter the following database server login information, and then click Next:

    User Name

    Password

    Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.

    Destination appears. (Skip the Database Version and Database Connection steps.)

    27. (Database Version) Click the Microsoft SQL Server and ODBC Driver types that identify your installed database server. Click Next.

    Database Connection for Total Defense appears.

    28. (Database Connection) Enter the following database configuration information for the Total Defense Management Server:

    Database Login Name

    Database Login Password

    Database Instance Name

    Database Host Name (fully qualified domain name)

    Note: Total Defense highly recommends creating and using an alternate account rather than the default MS SQL Server sa account. The new account must have system administrator (sysadmin) permissions and no System Roles.

    29. (Database Connection) Click the Test SQL Connection button to verify the connection, close the message box, and then click Next. The database configuration information on the screen must be complete.

    The Database Connection screen for Total Defense for Unified Network Control appears.

    30. (Database Connection) For the Total Defense for Unified Network Control Management Server, enter the same database information you used for Total Defense. Also verify the connection, close the message box, and then click Next.

    Destination appears.

    31. Click the Browse button (...) to select or create an installation folder, or accept the default installation location, and then click Next.

    Finish Installation appears with a list of the components you selected for installation.

    32. Review the list of components and click Finish to begin the installation. To modify any of the installation options, click Back to make the necessary adjustments.


    Note: During the installation of the Endpoint Discovery feature, a WinPcap install wizard appears. Click Next, I Agree, Install, and Finish when required to accept all of the default settings and continue with the Total Defense installation.
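    The database account recommendation in steps 26 and 28 (a dedicated login with sysadmin permissions instead of the built-in sa account) and the Test SQL Connection check in step 29, as an added PowerShell example that is not part of this guide. The instance name, login name and password are placeholders; it assumes the Windows account running it is already a SQL Server sysadmin, and it uses System.Data.SqlClient directly rather than any Total Defense tooling.

```powershell
# Added example (not part of the Total Defense guide). Creates a dedicated
# SQL Server login for the installer instead of using sa, grants it the
# sysadmin role the installer requires, reports any other server roles the
# login holds, and then tests a connection with the new login the way the
# wizard's Test SQL Connection button does. Instance, login and password are
# placeholders; the script runs under a Windows account that is a SQL sysadmin.

function Invoke-TdSql {
    # Runs a query through System.Data.SqlClient so no SQL PowerShell module is needed.
    param([string]$ConnectionString, [string]$Query, [hashtable]$Parameters = @{})
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $Query
    foreach ($p in $Parameters.GetEnumerator()) { [void]$cmd.Parameters.AddWithValue($p.Key, $p.Value) }
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $table.Load($cmd.ExecuteReader())   # loads the first (and only) result set
    } finally {
        $conn.Close()
    }
    return $table
}

function New-TdInstallerLogin {
    param(
        [string]$Instance  = 'dbhost.example.local\TDINST',   # placeholder host\instance
        [string]$LoginName = 'td_installer',                  # placeholder dedicated login
        [Parameter(Mandatory)][string]$Password
    )
    if ($LoginName -eq 'sa') { throw 'Use a dedicated login, not the built-in sa account.' }
    $adminCs = "Server=$Instance;Integrated Security=True;Encrypt=True;TrustServerCertificate=True"

    # CREATE LOGIN cannot take parameters, so the name and password are quoted with
    # QUOTENAME inside T-SQL; they still reach the server as parameters, not as script text.
    $create = @"
DECLARE @sql nvarchar(max) = N'CREATE LOGIN ' + QUOTENAME(@login)
    + N' WITH PASSWORD = ' + QUOTENAME(@pwd, '''') + N', CHECK_POLICY = ON;';
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
    EXEC sp_executesql @sql;
-- sp_addsrvrolemember works on SQL Server 2005 through 2012 (ALTER SERVER ROLE is 2012+ only)
EXEC sp_addsrvrolemember @loginame = @login, @rolename = N'sysadmin';
SELECT r.name AS role_name
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals l ON l.principal_id = m.member_principal_id
WHERE l.name = @login;
"@
    $roles = (Invoke-TdSql $adminCs $create @{ '@login' = $LoginName; '@pwd' = $Password }) |
             ForEach-Object { $_.role_name }
    if ($roles -notcontains 'sysadmin') { throw "Login '$LoginName' is not a member of sysadmin." }
    $extra = $roles | Where-Object { $_ -ne 'sysadmin' }
    if ($extra) { Write-Warning "Login '$LoginName' also holds server roles: $($extra -join ', ')" }

    # Same kind of check as the wizard's Test SQL Connection button, using the new login.
    $userCs = "Server=$Instance;User ID=$LoginName;Password=$Password;Encrypt=True;TrustServerCertificate=True"
    $info = Invoke-TdSql $userCs 'SELECT @@SERVERNAME AS server_name, SERVERPROPERTY(''ProductVersion'') AS version'
    [pscustomobject]@{
        Login       = $LoginName
        ServerRoles = $roles
        ConnectedTo = $info.Rows[0].server_name
        Version     = $info.Rows[0].version
    }
}

# Prompt for the password so it is not stored in the script.
$installerPassword = Read-Host -Prompt 'Password for the new installer login'
New-TdInstallerLogin -Instance 'dbhost.example.local\TDINST' -LoginName 'td_installer' -Password $installerPassword
```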


    Subsequent Install

    The instructions in this section describe how to install some or all of the remaining server components during a subsequent install. The Total Defense and Total Defense for Unified Network Control Management Servers and Management Consoles must have already been installed on a different machine during a first-time Distributed Installation.

    Note: Read and perform the tasks in the Pre-Installation Checklist for Total Defense and Total Defense for Unified Network Control before you begin this procedure.

    To perform a Distributed Installation

    1. Insert the Total Defense DVD into the computer's CD/DVD drive. If the Installation Wizard does not start automatically, click setup.exe located in the root folder of the DVD.

    The Language dialog appears.

    2. Select the appropriate installation language and click OK.

    Main Menu appears.

    3. Click Install Total Defense Suite r12.

    The Installation Wizard validates the operating system running on the host computer.

    If the operating system is not supported, the Installation Wizard displays an error message with a list of supported operating systems and virtual environments. Click Next or Exit to cancel the installation.

    If the operating system is supported, the Installation Wizard displays a list of prerequisite tests to be performed. Click Next or Exit to proceed with the tests.

    The Installation Wizard runs the tests and displays the results (Success, Fail, or Optional).

    Success indicates that the test succeeded and that the prerequisite is met.

    Fail indicates that the test failed and that the prerequisite is not met.

    Optional indicates that the test failed, but that the tested item or condition is optional.

    Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.


    4. (Optional) Select the name of a failed test on the screen to display the test results.

    The results appear on the right side of the screen.

    5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.

    Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.

    6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?"

    Click Yes to continue with the installation. No cancels the installation.

    Product Selection appears.

    7. Select the following options, and then click Next:

    Would you like to install the Management Server? Select No if you are installing on an additional machine in a distributed installation.

    Endpoint Protection. Select this option to install Total Defense and Total Defense for Unified Network Control.

    Gateway Security. Do not select this option.

    Another Product Selection appears and displays the options you are entitled to install.

    8. Select Endpoint Protection Management Components and Unified Network Control Management Components, and then click Next.

    Management Server appears.

    9. Enter the Fully Qualified Domain Name of the Endpoint Protection Master Management Server, and then click Next to accept the default port number.

    Server Components for Total Defense appears.

    10. Select the Total Defense server components you want to install, and then click Next.

    The Total Defense Management Server and Management Console are not available. You can install other server components or unselect the components to install them elsewhere.

    Certificate Password appears.

    11. Enter the password for the digital certificate, verify the password, and then click Next.

    Note: This is the certificate password you created when you installed the Management Server and Management Console during the first-time installation.


    12. Enter the Fully Qualified Domain Names for the Total Defense Report Server, Events Server, or both, and then click Next. An FQDN is required for any server not selected for installation on the preceding Server Components screen.

    Unified Network Control appears.

    13. The Total Defense for Unified Network Control server components to be installed are displayed. Click Next.

    Unified Network Control Management Server Settings appears.

    14. Enter the following Management Server and Administrator information:

    Management Server IP Address

    Management Server Host Name

    Administrator User Name

    Administrator Password

    The Administrator information must match what was specified during the first-time installation of the Management Server and Management Console.

    15. Accept the port numbers for the web service and certificate web sites by clicking Next.

    Database Selection appears.

    16. Choose to use the Endpoint Protection Management Server.

    Database Version appears.

    17. Click the Microsoft SQL Server and ODBC Driver types that identify your installed database server. Click Next.

    Database Connection appears.

    18. Enter the following database configuration information for the Total Defense and Total Defense for Unified Network Control Management Servers:

    Database Login Name

    Database Login Password

    Database Instance Name

    Database Host Name (fully qualified domain name)

    19. Click the Test SQL Connection button to verify the connection, close the message box, and then click Next. The database configuration information on the screen must be complete.

    Destination appears.

    20. Click the Browse button (...) to select or create an installation folder, or accept the default installation location, and then click Next.


    Finish Installation appears with a list of the components you selected for installation.

    21. Review the list of components and click Finish to begin the installation. To modify any of the installation options, click Back to make the necessary adjustments.

    Verify Services are Running

    If performing a Distributed installation, verify that the Management Server service is running before installing the Reporting Server. Repeat the procedure for the Reporting Server and then the Communication Server after installing each of those components. At the same time, you should also verify that the component is accessible over the network.

    To verify that the server component is running

    1. On the host computer, click Start, and then click Run.

    The Run dialog opens.

    2. In the Open field, enter services.msc and click OK.

    The Services window opens.

    3. Verify that the Total Defense for Unified Network Control Server service has started. If it has not started, right-click the service name in the Services window and select Start.

    If performing a Standalone installation, you will have to wait until all of the server components are installed to verify that their services are running.
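    The service and network checks described above, as an added PowerShell example that is not from this guide: run it on the component's host after each server component install. The host name and port are placeholders (the guide gives only the service display name), and the network check is a plain TCP connect rather than any Total Defense tool.

```powershell
# Added example (not part of the Total Defense guide). Run on the host of the
# component you just installed: it confirms that the component's Windows
# service is running (optionally starting it, as step 3 does from services.msc)
# and that its listener answers over the network, which is the second check
# the guide asks for. The host name and port are placeholders: use the host's
# FQDN and the port accepted or modified on the Port Specification screen.

function Test-TcpPort {
    # Plain TCP connect with a timeout; avoids depending on Test-NetConnection,
    # which is not available on older Windows Server builds.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-TdServerComponent {
    param(
        # Display name as shown in services.msc; this one is the name given in the guide.
        [string]$ServiceDisplayName = 'Total Defense for Unified Network Control Server',
        [string]$ComputerName = 'tdunc-mgmt.example.local',  # placeholder FQDN of this host
        [int]$Port = 0,                                      # placeholder: 0 skips the network check
        [switch]$StartIfStopped
    )
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Service = $ServiceDisplayName; Installed = $false;
                                  Status = 'NotInstalled'; Reachable = $false }
    }
    if ($svc.Status -ne 'Running' -and $StartIfStopped) {
        # Equivalent of right-clicking the service in services.msc and choosing Start.
        try {
            Start-Service -InputObject $svc
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        } catch {
            Write-Warning "Could not start '$ServiceDisplayName': $($_.Exception.Message)"
        }
    }
    $svc.Refresh()
    $reachable = $false
    if ($Port -gt 0) {
        $reachable = Test-TcpPort -ComputerName $ComputerName -Port $Port
    }
    [pscustomobject]@{
        Service   = $svc.DisplayName
        Installed = $true
        Status    = $svc.Status.ToString()
        Host      = $ComputerName
        Port      = $Port
        Reachable = $reachable
    }
}

# Check the UNC server service on this host; repeat on the Reporting Server and
# Communication Server hosts with their own service names and ports.
$result = Test-TdServerComponent -ComputerName 'tdunc-mgmt.example.local' -Port 0 -StartIfStopped
$result | Format-List
if ($result.Status -ne 'Running') {
    Write-Warning 'Service is not running; do not install the next server component yet.'
} elseif ($result.Port -gt 0 -and -not $result.Reachable) {
    Write-Warning 'Service is running but its port is not reachable; check the Windows Firewall rule for it.'
}
```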


    Chapter 4: Enabling JavaScript in the Web Browser

    The web browser(s) you use to run the Management Console must have JavaScript enabled.

    To enable JavaScript in an Internet Explorer window

    1. Select Tools from the top of the window.

    2. Select Internet Options.

    3. Click the Security tab.

    4. Click Custom level....

    5. Scroll to the Scripting section.

    6. Under Active scripting, click Enable.

    7. Click OK.

    To enable JavaScript in a Mozilla Firefox window

    1. Select Tools from the top of the window.

    2. Click Options.

    3. Click the Content tab.

    4. Select the Enable JavaScript check box.

    5. Click OK.


    Chapter 5: Installing the Client Agent

    Prepare to Install the Client Agent

    The Microsoft Network Access Protection (MS-NAP) Agent is a prerequisite for the Total Defense for Unified Network Control Client Agent if policy enforcement is desired.

    Install Microsoft Network Access Protection (MS-NAP) Agent

    Before installing the Client Agent on an endpoint, you need to configure that endpoint as follows for MS-NAP:

    1. Join the computer to the domain.

    2. Add the computer to the NAP client computers security group and restart the computer.

    3. Enable Run on the Start menu.

    4. Verify Group Policy settings.

    The following Microsoft Step-by-Step Guides explain how to perform these steps for different enforcement methods:

    Step-by-Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab

    Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab

    Step-by-Step Guide: Demonstrate NAP VPN Enforcement in a Test Lab

    Step-by-Step Guide: Demonstrate NAP IPsec Enforcement in a Test Lab

    You can find these guides by searching for all or part of their titles at http://www.microsoft.com/downloads.

    Install the Client Agent

    Note: Do not install the Total Defense for Unified Network Control (UNC) Client Agent on the same computer as the UNC Communication Server.

    To install the UNC Client Agent

    1. Insert the Total Defense DVD. If the Installation Wizard does not start automatically, click the setup.exe program located in the root folder of the DVD.

    The Language screen appears.

    2. Select the installation language when prompted, and then click OK.

    The Main Menu screen appears.

    3. Click Install Total Defense Suite r12.

    The Installation Wizard validates the operating system running on the host computer.

    If the operating system is not supported, the Installation Wizard displays an error message with a list of supported operating systems and virtual environments. Click Next or Exit to cancel the installation.

    If the operating system is supported, the Installation Wizard displays a list of prerequisite tests to be performed. Click Next or Exit to proceed with the tests.

    The Installation Wizard runs the tests and displays the results (Success, Fail, or Optional).

    Success indicates that the test succeeded and that the prerequisite is met.

    Fail indicates that the test failed and that the prerequisite is not met.

    Optional indicates that the test failed, but that the tested item or condition is optional.

    Note: The CA Threat Manager r8.1 test determines the presence of that product. The Fail result indicates that the product was found; the Success result indicates that the product was not found.

    4. (Optional) Select the name of a failed test on the screen to display the test results.

    The results appear on the right side of the screen.

    5. When you have finished viewing the results, click Next to continue with the installation, or click Exit to cancel it.


    Note: A failed test indicates a missing Total Defense prerequisite. If you continue to install the product, the resulting installation may not operate as intended or desired.

    6. If the Installation Wizard cannot complete the prerequisite testing, it displays the error message: "The Total Defense R12 prerequisite tool failed to complete successfully. Do you wish to continue?"

    Click Yes to continue with the installation. No cancels the installation.

    Product Selection appears.

    7. Respond as indicated to the following options, and then click Next:

    Would you like to install the Management Server: No

    Endpoint Protection: Selected

    Gateway Security: Unselected

    Product Selection appears.

    8. Select the Unified Network Control Management Components check box, and then cli