Control Manager 6.0 Deployment Best Practice Guide

© 2014 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 2

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. Copyright © 2014 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations. Released: November 2014

Control Manager 6.0 Deployment Planning Best Practice

This document is designed to help resellers and customers develop a set of best practices when deploying and managing Control Manager.

This is also designed to be used in conjunction with the following guides, both of which provide more details about Control Manager than are provided in this document:

Control Manager 6.0 Installation Guide

Control Manager 6.0 Administrator’s Guide

Information in this book was provided by the following subject-matter experts:

● Cenen Enalbes

● Oliver Zieminski

● Karen Tsai

● Fanny Wang

● Control Manager TW SEG Team

● Tonie Santos

● Control Manager TW PDG Team

In this document, you will learn about deployment methods for Control Manager, including their advantages and disadvantages. Specific examples are presented based on the deployment methods.

This document uses the term site. A site is an independent region within an organization that has its own IT department. It is separate from other regions—physically across different segments of the network, or administratively handled by another team. In most situations, a site would be country- or continent-based.

Planning the placement of Control Manager, in conjunction with a target site(s), is a key step.

In most deployments, a single Control Manager server is sufficient for most regions. Having a single Control Manager server in one site is the primary application of central management. A Control Manager server is required for organizations with multiple Trend Micro products installed. With one site, the communication between Control Manager and its managed products is open. A site can also be within one datacenter. However, it is also possible to have multiple sites within a datacenter. This occurs if there is a separate IT department managing servers, but all those servers are within a datacenter.

Here is an example of a single site deployment.

Custom sites run the following solutions:

● A single OfficeScan deployment that protects 400 servers and endpoints

● Two servers running ScanMail for Exchange that protect the Exchange servers

● A single InterScan Web Security Virtual Appliance

● A subscription to InterScan Web Security as a Service

Multiple IT departments and sites are typical features of a large network environment used by multinational corporations. Although there are multiple sites, it is still possible to manage multiple Trend Micro products using a single Control Manager server.

The biggest advantage of having a single Control Manager server serving multiple sites is having only one management console. This simplifies administration because policies, templates, user roles, and other settings are created through a single Control Manager server. Consequently, there is also only one update source, which is an advantage when you want to limit the number of endpoints that connect to the Internet to download updates.

Consider the following when deploying a single Control Manager server on multiple sites:

● The hardware features of the servers hosting Control Manager and Microsoft™ SQL Server™ must be powerful enough.

● The firewall ports must be open to ensure connectivity between the Control Manager server and agents on managed products.

  For details, see http://esupport.trendmicro.com/solution/en-US/1038211.aspx.

● Control Manager must be positioned where sufficient bandwidth between servers and agents is available. This is important if Control Manager will serve as the source for component updates.

● The Control Manager server has Internet connectivity.

  This allows Control Manager to download updates and use the License Extension feature. Hosting Control Manager on a server without Internet connection prevents the use of such features.

InterContinental Bank is a multinational company that provides banking services for startup companies. The company has the following sites:

● America Site: This site has four datacenters: Los Angeles and Pittsburgh for the North American region; Buenos Aires and Sao Paulo for the Central and South American regions. These host the OfficeScan servers that manage OfficeScan agents for other sites.

● Asia Pacific Site: This site has four datacenters: Beijing for regions of China, Tokyo for the Japanese region, New Delhi for the South Asian region, and Singapore for the Southeast Asian region.

● European Site: This site has two datacenters: A datacenter for Paris and London and another in South Africa to handle the African region.

As the company is based in Los Angeles, deploying the Control Manager server in the Los Angeles datacenter is convenient. Because all datacenters are interconnected and there is sufficient network bandwidth (at least a 10 Mbps line), hosting the Control Manager server in that location should not pose any issues.

Corporations with multiple sites can also deploy multiple Control Manager servers. Refer to the following sections for information about factors and considerations when multiple Control Manager deployments are needed.

These factors contribute to deploying multiple servers depending on location:

● Sites without any available connection

● Sites with limited network capacity

● Sites with sensitive data

● Very large enterprises

The succeeding sections provide details about these factors.

In some environments, there are sites that cannot be connected—neither through physical connection nor through VPN capabilities. In this case, consider the following deployment approaches:

● Deploy a Control Manager server per isolated site

● Deploy another Control Manager server on interconnected sites

Multiple servers prevent central visibility from being achieved and the cascading management feature from being fully utilized.

Another situation in which multiple Control Manager servers may be deployed is when there are sites that have an extremely slow connection to other sites. The option is to have a Control Manager server per site to service the managed products present in that site.

Control Manager collects logs from its managed products. Such logs contain host names, IP addresses, and other identifiable information whose dissemination multinational corporations want to limit. These corporations may decide to prevent the transfer or exchange of any data between sites for security reasons. In this case, consider the following deployment approaches:

● Deploy a Control Manager server per site where information should be contained

● Deploy another Control Manager server to handle the rest of the regions

Multiple servers prevent central visibility from being achieved and the cascading management feature from being fully utilized.

In most cases, deployment of a single Control Manager server is sufficient. For very large enterprises, careful logical planning might result in having multiple servers managing multiple sites. These are some of the contributing factors:

● Different teams that manage different sites require their own Control Manager server

● Major products report to different Control Manager servers

  For example, a customer has the following product implementation and usage:

  o OfficeScan servers managing 200,000 endpoints

  o InterScan Messaging Security Virtual Appliance devices receiving 1,000,000 spam logs every day

  In this case, have all OfficeScan servers report to a Control Manager server, while all InterScan Messaging Security Virtual Appliance devices report to another server.

With scalability as a constant enhancement in each Control Manager release, a single Control Manager server can address most of these factors.

If there are multiple Control Manager deployments with cascading management implemented, take note of the following considerations:

● Log consolidation

● Update source

● Administration and visibility

If there are multiple servers and log consolidation is required, use SIEM applications to collect logs. The following workflows are achievable if you have existing SIEM solutions or are planning to adopt them:

● Control Manager can send event logs using Syslog, SNMP, and SMTP to SIEM solutions

● Control Manager database access

  Contact your Trend Micro solution architects for details about extracting information from the Control Manager database.

● ArcSight integration

  Contact your ArcSight support provider for details about using the Control Manager Database Connector.

For multiple Control Manager servers that do not implement cascading management, establish the procedure for component updates. These are the available options:

● Deploy a Control Manager server that downloads updates from the ActiveUpdate server

  Updates can then be manually copied to other Control Manager servers.

● Use the Trend Micro Update Tool to download updates from the Internet

  Contact your Trend Micro solution architects for guidance.

Managing policies and licenses is not possible through multiple Control Manager servers. Administrative tasks must be done on each server.

The cascading management feature supports multiple complex management layers. Refer to the succeeding sections for advantages and limitations.

Cascading management provides the following advantages:

● Centralized log view

  Cascading management offers the ability to see all logs of child Control Manager servers through the parent server, which consequently allows your organization to have a central log repository. This is an option for corporations that do not use SIEM solutions.

● Centralized update source

  Cascading management allows a parent server to act as the update source for its child servers.

These are the limitations of cascading management:

● Hardware specifications

  Parent servers must be able to receive all logs from child servers. A machine hosting the parent Control Manager and the corresponding SQL Server must be powerful enough to handle the transactions and the amount of data involved.

  A parent server must have double or triple the CPU speed of a normal Control Manager server, while the disk capacity of the SQL Server database must be greater than the total size of all databases used by child servers. If these requirements cannot be met, do not implement cascading management.

● Limited visibility and administration capabilities

  Similar to the issue of having multiple Control Manager servers in a non-cascading environment, Policy Management and License Management are not possible in an environment with separated sites and Control Manager servers. The single sign-on (SSO) feature provides a way to administer child servers individually.

This chapter discusses the best practices for installation. Note that this topic deals with fresh installations of Control Manager. Upgrading to Service Packs, patches, and other versions will be discussed in the following chapters. For very large enterprise (VLE) customers, it is highly recommended to engage the Professional Services of Trend Micro or its resellers for planning and deployment.

For the official minimum and recommended requirements, please refer to the System Requirements document of Control Manager 6.0:

Control Manager 6.0 Service Pack 1: http://docs.trendmicro.com/all/ent/tmcm/v6.0-sp1/en-us/tmcm_6.0-sp1_req.pdf

Control Manager 6.0 Service Pack 2: http://docs.trendmicro.com/all/ent/tmcm/v6.0-sp2/en-us/tmcm_6.0-sp2_req.pdf

Trend Micro recommends installing the Control Manager server and SQL server on separate machines. Once the number of registered entities and OfficeScan clients exceeds 1,000 entries, installing the servers on separate machines becomes mandatory to ensure optimal performance.

The minimum and recommended system requirements for Control Manager 6.0 Service Pack 1 are:

● Memory: 4 GB minimum, 8 GB recommended

● Available Disk Space: 20 GB minimum, 40 GB recommended

● CPU: At least 2.3 GHz Intel Core i5 or compatible CPUs.

  The number of CPUs is not stated, but Trend Micro recommends having at least 4 CPUs.

For sizing a SQL server dedicated only to Control Manager, the following are recommended:

● Memory: 4 GB minimum, 8 GB recommended

● Available Disk Space: At least 100 GB recommended for the drive where the Control Manager database files will be stored and an additional 200 GB for the drives where the transaction log files will be stored.

● Make sure that the disks where the Control Manager database files will be stored have relatively fast disk controllers.

● CPU: At least 2-4 CPUs

Disk performance is imperative for SQL servers. The SQL database files are normally separated into three types:

● Database files – These are files with the .MDF extension.

● Transaction logs – These are files with the .LDF extension.

● Additional database files – These are files with the .NDF extension. These files are normally not used by Control Manager, and should only be configured with the assistance of expert and certified SQL Administrators.

The following are the disk recommendations when installing Control Manager:

● Store the database files (.MDF files) on a separate drive from the transaction log files (.LDF files). This allows for optimal performance.

● Store the database files (.MDF files) on fast RAID 5 disks.

● Store the transaction log files (.LDF files) on fast RAID 1+0 disks. This is based on the Storage Top 10 Best Practices for Microsoft SQL. RAID 1+0 generally provides better throughput for write-intensive applications, even better than RAID 5 disks, which makes it suitable for transaction log files.

● With the costs of Solid State Disks (SSD) going down, it is possible to implement SSDs for both database files and transaction log files.

● Refer to the Microsoft SQL Top 10 Storage Best Practices and see if they can be implemented.

It is mandatory that the Control Manager server is on the same time zone and same time as the SQL server. Thus, it is important to configure the two servers to use the same NTP server so that the two servers will always be in sync. Setting Control Manager in different time zones can cause unpredictable results.

Control Manager supports only VMware virtualization and Hyper-V virtualization. Refer to the System Requirements documents of the supported versions.

It is highly recommended to place Control Manager and the SQL server on different virtualization servers (e.g. ESXi servers or Hyper-V servers). Control Manager and the SQL server are both CPU-intensive and may exhaust their host's resources. Additionally, the SQL server is disk- and memory-intensive.

If both must be on one virtualization server, consider the following:

● Trend Micro recommends having only Control Manager and SQL as the virtual guests on the host. The more virtual guests that run on a virtualization server, the greater the chance that resource contention will occur. However, if there are other guests, make sure that they are not overutilizing the resources of the virtualization server.

● In some situations, administrators may resort to memory and CPU resource allocations. In these situations, Trend Micro recommends that the resources available to Control Manager and the SQL server are reviewed properly.

● Ensure that the virtual disks of the SQL server and Control Manager servers are on separate physical disks of the virtual hosts. In VMware, this would normally mean that they are on separate datastores. This will prevent the SQL server disk operations from affecting the Control Manager server.

  To further improve performance, it would be best if the two disks have separate disk controllers. This allows read-write operations to be optimal.

● Trend Micro recommends that Control Manager and SQL have their own virtual switch. This is highly advisable in environments where there are other virtual guests on the virtualization server besides Control Manager and the SQL server.

If Control Manager and SQL are on different virtual hosts, ensure the following:

● That there is a fast network connection between the virtual hosts containing Control Manager and SQL.

  o It is recommended that Control Manager and SQL are on the same physical network switch.

  o If possible, create a virtual switch between the two virtual hosts and make sure that only Control Manager and SQL are able to connect to the two virtual hosts using the same physical network switch.

● That Control Manager and the SQL server have enough resources to run on both machines. Since Control Manager and SQL are CPU- and memory-intensive applications, it is important that they have adequate resources available.

Review and follow the Control Manager 6.0 Installation Guide, which you can download from: http://docs.trendmicro.com/all/ent/tmcm/v6.0/en-us/tmcm_6.0_ig.pdf.

Additional installation reminders:

● From the Installation Guide:

  o Page 52 of the Installation Guide lists the Pre-required Components. These must be installed before installing Control Manager.

  o Ensure that the 8.3 file names mentioned on page 53 are enabled on the system. Refer to the Knowledge Base article: http://esupport.trendmicro.com/solution/en-us/1056505.aspx.

  o The installation steps are discussed in detail in Chapter 3.

● For Windows 2012 and Windows 2012 R2 servers, the server Roles and Role Services needed are specified here: http://esupport.trendmicro.com/solution/en-us/1096281.aspx

After installing the Control Manager server and before registering agents, you can check whether Control Manager is experiencing too many connections. To do this, go to the Event logs and see if Event ID 4226 appears.

If Event ID 4226 appears, you need to increase the maximum number of ephemeral ports.

1. Open the Registry Editor.

2. Go to the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters hive.

3. Add the following registry key with the following details:

Registry value: MaxUserPort

Data type: REG_DWORD

Range: 5,000-65,534 (port number)

Default value: 5000

It is possible to increase the number to a maximum of 65,534. In most cases, however, the default value of 5000 works. We suggest increasing the value incrementally by 5,000 (5,000, 10,000, 15,000, etc.) until the Event ID disappears.

Restart the Windows server for the changes to take effect.
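
The check for Event ID 4226 and the stepwise MaxUserPort increase described above can be scripted. The following PowerShell is an added example and is not part of the original guide; the seven-day lookback window, the use of the System log for the lookup, and the helper name Get-NextMaxUserPort are assumptions made for illustration.

```powershell
# Added example (not from the guide). Run from an elevated PowerShell prompt.
# Assumptions: Event ID 4226 is searched for in the System log over a 7-day
# window; the helper name Get-NextMaxUserPort is hypothetical.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$LookbackDays = 7
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ValueName = 'MaxUserPort'
$Default   = 5000     # default value stated in the guide
$Step      = 5000     # increment suggested in the guide
$Maximum   = 65534    # upper bound stated in the guide

function Get-NextMaxUserPort {
    param([int]$Current)
    # Next multiple of $Step above the current value, capped at $Maximum.
    $next = ($Current - ($Current % $Step)) + $Step
    return [int][math]::Min($next, $Maximum)
}

# Look for Event ID 4226 before touching anything.
$since  = (Get-Date).AddDays(-$LookbackDays)
$filter = @{ LogName = 'System'; Id = 4226; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "No Event ID 4226 in the last $LookbackDays day(s); $ValueName left unchanged."
    return
}
Write-Output ("Event ID 4226 logged {0} time(s); most recent at {1}." -f $events.Count, $events[0].TimeCreated)

# Read the current setting; an absent value means the default applies.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) { $current = $Default }

if ($current -ge $Maximum) {
    Write-Warning "$ValueName is already $current (maximum $Maximum); nothing left to raise."
    return
}

$next = Get-NextMaxUserPort -Current $current

# -WhatIf shows the intended change without writing to the registry.
if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set REG_DWORD to $next (currently $current)")) {
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $next -Force | Out-Null
    Write-Output "$ValueName set to $next. Restart the Windows server for the change to take effect."
}
```

Save the script as a .ps1 file and run it with -WhatIf first to preview the change; rerun it after the restart if Event ID 4226 still appears.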

The default settings of the Control Manager are normally sufficient. However, in some cases, there may be a need to increase the number of threads or change settings within configuration files.

To increase threads:

1. Back up the file ..\Control Manager\ProcessManager.xml.

2. Open the ..\Control Manager\ProcessManager.xml file using a text editor.

3. Increase the number of threads for CmdProcessor. Look for the parameter:

Set the value of “Command_Processor -thread_number=20” to “40”. Increasing the value will increase the number of CMDProcessor threads, especially in large environments.

4. Increase the number of threads of CasProcessor for the Control Manager child and parents. Look for the parameter:

<Process Order="8" ID="ID_CAS_PROCESSOR" Filename="CasProcessor.exe" CommandLine="-component_name=SC_TVCS_Cascading_Processor -thread_number=15 -scheduler_thread_number=5 -mrf_thread_number=10 -timeout=120 -enable_debug=false -db_conn_pool_size=10" WaitingTime="0" Priority="NORMAL_PRIORITY_CLASS" />

Set the value of “-scheduler_thread_number” to “15”.

Set the value of “-thread_number” to “30”.

5. Restart the TMCM Services after applying the changes.
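
The CasProcessor change in step 4 can be applied with a script instead of a text editor. This PowerShell is an added example, not Trend Micro's code; the function names, the timestamped backup suffix, and the `<ProcessManager>` wrapper element in the constructed sample are assumptions, and only the `<Process>` element itself is taken from the guide.

```powershell
# Added example (not from the guide). Function names are hypothetical.

function Set-ProcessSwitch {
    # Rewrites -name=value switches inside the CommandLine attribute of one <Process> element.
    param(
        [Parameter(Mandatory)][xml]$Document,
        [Parameter(Mandatory)][string]$ProcessId,
        [Parameter(Mandatory)][hashtable]$Switches
    )
    # local-name() keeps the lookup working if the file declares a default namespace.
    $node = $Document.SelectSingleNode("//*[local-name()='Process'][@ID='$ProcessId']")
    if ($null -eq $node) { throw "No <Process> element with ID '$ProcessId' found." }

    $cmd = $node.GetAttribute('CommandLine')
    foreach ($name in $Switches.Keys) {
        # (?<!\S) anchors at the start of a token, so 'thread_number' inside
        # -scheduler_thread_number or -mrf_thread_number is never touched.
        $pattern = '(?<!\S)-' + [regex]::Escape($name) + '=\S+'
        if ($cmd -notmatch $pattern) { throw "Switch -$name not found for $ProcessId." }
        $cmd = [regex]::Replace($cmd, $pattern, "-$name=$($Switches[$name])")
    }
    $node.SetAttribute('CommandLine', $cmd)
}

function Update-CasProcessorThreads {
    # Steps 1, 2 and 4 of the procedure for a ProcessManager.xml at $Path.
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Step 1: back up the file (timestamped suffix is an assumption).
    Copy-Item -LiteralPath $full -Destination ("{0}.{1}.bak" -f $full, (Get-Date -Format 'yyyyMMddHHmmss'))

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true     # keep the file's layout on save
    $doc.Load($full)

    # Step 4: values given in the guide.
    Set-ProcessSwitch -Document $doc -ProcessId 'ID_CAS_PROCESSOR' -Switches @{
        scheduler_thread_number = 15
        thread_number           = 30
    }
    $doc.Save($full)
    Write-Output "Updated $full. Restart the TMCM services to apply the change."
}

# Demonstration on a constructed sample: the <ProcessManager> root is made up,
# the <Process> element is the one shown in the guide.
$sample = [xml]@'
<ProcessManager>
  <Process Order="8" ID="ID_CAS_PROCESSOR" Filename="CasProcessor.exe" CommandLine="-component_name=SC_TVCS_Cascading_Processor -thread_number=15 -scheduler_thread_number=5 -mrf_thread_number=10 -timeout=120 -enable_debug=false -db_conn_pool_size=10" WaitingTime="0" Priority="NORMAL_PRIORITY_CLASS" />
</ProcessManager>
'@

Set-ProcessSwitch -Document $sample -ProcessId 'ID_CAS_PROCESSOR' -Switches @{
    scheduler_thread_number = 15
    thread_number           = 30
}

# Show the edited command line; -mrf_thread_number=10 is unchanged.
$sample.SelectSingleNode("//*[local-name()='Process'][@ID='ID_CAS_PROCESSOR']").GetAttribute('CommandLine')
```

To change the real file, call Update-CasProcessorThreads with the full path to ProcessManager.xml from an elevated prompt.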

In very large environments, it is important to configure the OfficeScan Control Manager Agent to throttle the number of logs sent by Control Manager. The steps are described in the KB article: http://esupport.trendmicro.com/solution/en-US/1059861.aspx.

The changes to the settings allow OfficeScan to do the following:

● Increase the HTTP connection timeout to 300 seconds (5 minutes). In some instances, when the Control Manager server is very busy, it may take more than 60 seconds for Control Manager to reply. This will cause its agents to time out.

● The BatchedClientSize and BatchedClientStatusCommandSize settings limit how many OfficeScan client status entries are sent to the Control Manager server at one time. If the values are set to 50, then information for 50 OfficeScan clients will be sent at one time.

This chapter discusses upgrading best practices in the following scenarios:

Upgrading to a major version (i.e. upgrading Control Manager 5.5 to 6.0)

Installing a Patch or Service Pack

Installing a Critical Patch

Installing Hot Fixes

In some situations, it is imperative to upgrade to the latest versions, not only to take advantage of fixes but also to take advantage of new enhancements available for the product.

This chapter will also discuss the

This section will discuss how to back up the Control Manager server and how to restore the server from a backup.

It is very important to back up the Control Manager server before upgrading to ensure that you will be able to restore the server if an upgrade fails. This allows the Control Manager to function properly and not leave traces of failed upgrades as these may cause upgrade failures in the future.

In some situations, customers may install monitoring applications that restart specific services when they are shut down. Examples of these applications are IBM Tivoli, Microsoft Systems Center Operations Manager (SCOM) agents, etc.

Before initiating an upgrade, it is important to double-check if such applications are installed and monitor the following services:

● World Wide Web Service

● Trend Micro Control Manager

● Trend Micro Management Infrastructure

● Trend Micro Common CGI

The services listed are shut down by Control Manager installers, Service Packs, Hot Fixes, and Patch installers. Additionally, during the upgrade process, the listed services must stay shut down. If these services are started, the upgrade may fail.

Control Manager administrators should consult with the Windows Server administrators and other administrators in charge of these applications. They should enlist the help of these administrators to temporarily turn off the monitoring of these services.

Once you have created a backup of the Control Manager server and have turned off monitoring applications, you can start the upgrade. If all the points discussed have been followed, the upgrade should run smoothly. In case there are issues, contact your Trend Micro Support Representative for assistance.

This chapter discusses useful tips in configuring the database settings and SQL performance monitoring.

We would like to point out that there are no fixed values for right or wrong settings. This all depends on the environment used.

There are different ways and several tools that can be used to monitor I/O performance.

To access the built-in Windows Performance Monitor:

1. Go to Control Panel.

2. Click System and Security > Administrative Tools.

3. Select Performance Monitor.

The PAL tool is an MSDN tool used for monitoring counters. You can access the tool via http://msdn.microsoft.com/en-us/library/cc296652(v=bts.10).aspx.

The Best Practices Analyzer (BPA) is a server management tool that helps administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server 2008 R2.

To know more about the BPA tool, refer to the Microsoft article: http://technet.microsoft.com/en-us/library/dd759260.aspx.

The tools mentioned above can be used to monitor different counters. These counters are based on the main components of the machine (CPU, Memory, and Storage).

● Processor

○ %Processor Time

○ %Privileged Time

● Process (sqlservr.exe)

○ %Processor Time

○ %Privileged Time

● Memory

○ Available Mbytes

● SQL Server:Buffer Manager

○ Lazy writes/sec

○ Page life expectancy

○ Page reads/sec

○ Page writes/sec

● SQL Server:Memory Manager

○ Total Server Memory (KB)

○ Target Server Memory (KB)

● Avg. Disk sec/Read

● Avg. Disk Bytes/Read

● Avg. Disk sec/Write

● Avg. Disk Bytes/Write

The following are Microsoft's recommendations for I/O latencies:

● < 8ms: excellent

● < 12ms: good

● < 20ms: fair

● >20ms: poor
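The latency bands above can be applied to live counter data from PowerShell. The following is an added example, not part of the original guide; the PhysicalDisk(_Total) object and the one-minute sampling window are assumptions, since the guide names the counters but not the object or instance.

```powershell
# Added example: sample the disk latency counters and grade the averages
# against the latency bands listed above (<8 ms, <12 ms, <20 ms, >20 ms).

function Get-LatencyGrade {
    param([Parameter(Mandatory)][double]$Milliseconds)
    # The guide does not say how exactly 20 ms is graded; it is treated as poor here.
    if     ($Milliseconds -lt 8)  { 'excellent' }
    elseif ($Milliseconds -lt 12) { 'good' }
    elseif ($Milliseconds -lt 20) { 'fair' }
    else                          { 'poor' }
}

# Assumption: PhysicalDisk(_Total). Use a specific instance to look at the
# volume that holds the Control Manager database files.
$counters = @(
    '\PhysicalDisk(_Total)\Avg. Disk sec/Read',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Write'
)

# 12 samples taken 5 seconds apart: one minute of data.
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 12

$samples.CounterSamples |
    Group-Object -Property Path |
    ForEach-Object {
        # CookedValue is reported in seconds; convert to milliseconds.
        $avgMs = ($_.Group | Measure-Object -Property CookedValue -Average).Average * 1000
        $maxMs = ($_.Group | Measure-Object -Property CookedValue -Maximum).Maximum * 1000
        [pscustomobject]@{
            Counter = $_.Name
            AvgMs   = [math]::Round($avgMs, 2)
            MaxMs   = [math]::Round($maxMs, 2)
            Grade   = Get-LatencyGrade -Milliseconds $avgMs
        }
    } |
    Format-Table -AutoSize
```

Run it during normal Control Manager load; a single idle minute says little about database I/O.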

For more information about the different PerfMon counter tools, you can refer to the following sites:

● SQL skills > Performance Counters

http://www.sqlskills.com/blogs/jonathan/the-accidental-dba-day-21-of-30-essential-perfmon-counters/

● Using the PAL tool

http://msdn.microsoft.com/en-us/library/cc296652(v=bts.10).aspx

● Best Practices Analyzer

http://technet.microsoft.com/en-us/library/dd759260.aspx

There are different types of SQL indexes. Our focus is on clustered SQL indexes, as fragmentation can lead to performance issues.

For more information on the different types of indexes, refer to the Microsoft article: http://technet.microsoft.com/en-us/library/ms175049.aspx.

To check for index fragmentation, run the following script against the database using Microsoft SQL Server Management Studio:

SELECT OBJECT_NAME(ind.OBJECT_ID) AS TableName,
       ind.name AS IndexName,
       indexstats.index_type_desc AS IndexType,
       indexstats.avg_fragmentation_in_percent
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, NULL) indexstats
INNER JOIN sys.indexes ind
        ON ind.object_id = indexstats.object_id
       AND ind.index_id = indexstats.index_id
WHERE indexstats.avg_fragmentation_in_percent > 30
ORDER BY indexstats.avg_fragmentation_in_percent DESC;

To fix index fragmentation, refer to the Microsoft article: http://technet.microsoft.com/en-us/library/ms189858.aspx.

There are also different pages offering pre-defined scripts for defragmenting indexes.

Microsoft and Trend Micro offer different resources outlining best practices for SQL, as well as database configuration:

● SQL Server Best Practices

http://technet.microsoft.com/en-us/sqlserver/bb671430.aspx

● SQL Server Requirements

http://msdn.microsoft.com/en-us/library/ms143506.aspx

● Trend Micro Control Manager Database Configuration

http://esupport.trendmicro.com/solution/en-US/1061031.aspx

This chapter describes the different scenarios on how to recover your Control Manager server. In some situations, due to hardware failure, software failure, or by pure accident, customers may lose important files or data that prevent the Control Manager server from functioning properly.

You need to back up the Control Manager server whenever a new Service Pack, Patch, or Hot Fix is installed. If the files and the database are from different versions, the services may not be able to start.

The following are resources on how to create backups for different Control Manager components:

● Control Manager database

http://msdn.microsoft.com/en-us/library/ms187510(v=sql.100).aspx

http://msdn.microsoft.com/en-us/library/ms191304.aspx

● Control Manager files and folders

○ Schema-related files

– CmKeyBackup directory

– \Control Manager\schema.dtd

– \Control Manager\schema.xml

○ Profile-related files

– \Control Manager\ProductClass folder

– \Common\TMI\Profile folder

– \Control Manager\StringTable.xml

– \Control Manager\ProductInfos.xml

– \Control Manager\IDMapping.xml

– \Control Manager\WebUI\WebApp\App_Data

– \Control Manager\WebUI\ProductUI folder

○ Report-related files

– \Control Manager\WebUI\Exports

– \Control Manager\Reports (3.5 only)

○ Single Sign-On (SSO) related files

– \Control Manager\Certificate folder

– \Control Manager\WebUI\Download\SSO_PKI_PublicKey.pem

○ DLP related files

– \Control Manager\WebUI\Download\dlp

○ Control Manager Child files

– \Control Manager\Agent.ini

– \Control Manager\DMRegisterInfo.xml

○ Dashboard and widgets

– \Control Manager\WebUI\WebApp\widget\repository\db\sqlite\tmwf.db

○ Ad Hoc Queries

– \Control Manager\WebUI\Webapp\AdHocQuery folder

○ Proxy and Event Configurations

– \Control Manager\SystemConfiguration.xml

– TMI.cfg

● Reference files (needed when getting specific information)

○ 32-bit OS

– HKEY_LOCAL_MACHINE\Software\TrendMicro\TVCS

○ 64-bit OS

– HKEY_LOCAL_MACHINE\Software\Wow6432Node\TrendMicro\TVCS

If the Windows server itself is still functional, but the Control Manager server has issues, it is possible to restore the backup files and database listed in the previous section. However, the backup files and the restored Control Manager database must be from the same version. If there was a Service Pack, a Hot Fix, or a Patch installed, make sure that the backup and the Control Manager database were from the latest version.

To restore the backup files:

1. Make sure that the following services are stopped:

● Trend Micro Control Manager

● Trend Micro Management Infrastructure

● Trend Micro Common CGI

● World Wide Web Service

2. Restore the files and database.

2.1. Copy back the files that you backed up.

2.2. Restore the database using MS Management Studio. Refer to the documentation: http://docs.trendmicro.com/en-us/enterprise/control-manager-60/ch_ag_database_mgmt/db_backup_sql/db_backup_restore_sql.aspx.

3. Start the following services:

● Trend Micro Control Manager

● Trend Micro Management Infrastructure

● Trend Micro Common CGI

● World Wide Web Service

This section discusses how to prepare a new Control Manager server from the created backups. This is applicable in situations wherein the Windows server cannot be started and a new Windows server must be prepared.

The basic idea here is to prepare a Control Manager server with the same build and version as the backup, and then restore the backup files and database.

Ensure that the server restored has the same IP address and same Hostname. This will allow the agents to register back to the Control Manager server seamlessly.

The latest Control Manager GM version is available on the Trend Micro download center: http://www.trendmicro.com. Follow the steps provided in the Installation Guide. There are sections, however, that must be considered:

The value here should be from the HostID value of the TMI.cfg (without the port). This value is the one specified in the Host Address.

The information needed in this section can be taken from the m_strTMS_InstallPath from the backup SystemConfiguration.xml. Make sure to remove the “Control Manager” part when specifying the destination folder.

<P Value="C:\Program Files (x86)\Trend Micro\Control Manager\" Name="m_strTMS_InstallPath"/>

Make sure to specify the SQL server that contains the Control Manager database.

After installing the Control Manager server, you can then install the latest Service Packs, Patches, and Hot Fixes.

To find the actual versions, check the registry backup:

● Service Pack version

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\TVCS]

"ServicePackVersion"

● Patch version

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\TVCS\HOTFIX]

"Patch"

● Hot Fix version

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\TVCS\HOTFIX]

"HotfixVersion"

Service Packs and patches are available from the Trend Micro Download Center. The Hot Fixes, however, must be requested from Trend Micro Technical Support.

The order in applying Service Packs, patches, and hot fixes is:

1. Apply the latest Service Pack.

2. Apply the latest patch.

3. Apply the latest hot fix.
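Once the updates are applied in that order, the rebuilt server's versions can be compared with the registry backup before any files or database are restored. The following is an added example, not part of the original guide; the .reg file path is a placeholder, and it assumes a text export of the TVCS key from a 64-bit OS.

```powershell
# Added example: compare Service Pack / Patch / Hot Fix versions recorded in
# the registry backup (.reg export) with the values on the rebuilt server.
param(
    # Placeholder path: the exported TVCS key from the old server.
    [string]$RegBackup = 'D:\TMCM-Backup\TVCS.reg'
)

# 64-bit OS key as listed above; on a 32-bit OS drop "Wow6432Node".
$base = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\TVCS'
$wanted = @(
    @{ Label = 'Service Pack'; Key = $base;          Name = 'ServicePackVersion' },
    @{ Label = 'Patch';        Key = "$base\HOTFIX"; Name = 'Patch' },
    @{ Label = 'Hot Fix';      Key = "$base\HOTFIX"; Name = 'HotfixVersion' }
)

# Turn the data part of a .reg line ("text" or dword:0000000a) into a string.
function ConvertFrom-RegData([string]$Raw) {
    if ($Raw -match '^"(.*)"$') { return $Matches[1] }
    if ($Raw -match '^dword:([0-9a-fA-F]{8})$') {
        return [string][Convert]::ToUInt32($Matches[1], 16)
    }
    return $Raw
}

# Read a .reg export into a table keyed by "key path|value name".
# PowerShell hashtables are case-insensitive, which suits registry names.
function Read-RegExport([string]$Path) {
    $values  = @{}
    $section = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -and $line -match '^"([^"]+)"=(.*)$') {
            $name = $Matches[1]
            $raw  = $Matches[2]
            $values["$section|$name"] = ConvertFrom-RegData $raw
        }
    }
    return $values
}

$backup = Read-RegExport $RegBackup

$report = foreach ($w in $wanted) {
    $live = (Get-ItemProperty -LiteralPath ('Registry::' + $w.Key) -Name $w.Name `
                -ErrorAction SilentlyContinue).($w.Name)
    $old  = $backup["$($w.Key)|$($w.Name)"]
    [pscustomobject]@{
        Component = $w.Label
        Backup    = $old
        Server    = $live
        # A value missing on both sides also counts as a match.
        Match     = ("$old" -eq "$live")
    }
}

$report | Format-Table -AutoSize
if ($report.Match -contains $false) {
    Write-Warning 'Versions differ from the backup. Do not restore files or the database yet.'
}
```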

Follow this Knowledge Base entry to update the Control Manager widgets: http://esupport.trendmicro.com/solution/en-US/1095447.aspx.

At this stage, the Control Manager server is now ready and the backups can now be applied. Before applying the backups, make sure the following services are stopped:

● Trend Micro Control Manager

● Trend Micro Management Infrastructure

● Trend Micro Common CGI

● World Wide Web Service

Once the services are stopped, you can then restore the Database backup. Make sure to restore the Database backup using the same name. Microsoft has resources on how to restore the database backup:

http://technet.microsoft.com/en-us/library/ms186858.aspx

http://technet.microsoft.com/en-us/library/ms177429.aspx

After restoring the Database backup, proceed with restoring the following files and folders:

● CmKeyBackup directory

● \Control Manager\schema.dtd

● \Control Manager\schema.xml

● \Control Manager\ProductClass folder

● \Common\TMI\Profile folder

● \Control Manager\StringTable.xml

● \Control Manager\ProductInfos.xml

● \Control Manager\IDMapping.xml

● \Control Manager\WebUI\WebApp\App_Data

● \Control Manager\WebUI\ProductUI folder

● \Control Manager\WebUI\Exports

● \Control Manager\Reports (3.5 only)

● \Control Manager\Certificate folder

● \Control Manager\WebUI\Download\SSO_PKI_PublicKey.pem

● \Control Manager\WebUI\Download\dlp

● \Control Manager\Agent.ini

● \Control Manager\DMRegisterInfo.xml

● \Control Manager\WebUI\WebApp\widget\repository\db\sqlite\tmwf.db

● \Control Manager\WebUI\Webapp\AdHocQuery folder

● \Control Manager\SystemConfiguration.xml

If the machine is a parent Control Manager server, make sure to set the following in the TMI.cfg:

PARENT_SERVER_CASCADED=1

This tells the Control Manager server that the machine is a Parent Control Manager server.

Start the following services:

● Trend Micro Control Manager

● Trend Micro Management Infrastructure

● Trend Micro Common CGI

● World Wide Web Service

At this point, the Control Manager server is now restored and fully functional.
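Both restore procedures in this chapter (onto the existing server and onto a rebuilt one) share the same stop, copy, start sequence, sketched below as an added example that is not part of the original guide. The backup path, the wildcard match on service display names, and treating the listed paths as relative to the Trend Micro folder are assumptions; the database is still restored separately in Management Studio.

```powershell
#Requires -RunAsAdministrator
# Added example: stop the Control Manager services, copy the backed-up files
# into place, then start the services again.
param(
    [string]$BackupRoot  = 'D:\TMCM-Backup\Files',                # placeholder
    # m_strTMS_InstallPath without the "Control Manager" part.
    [string]$InstallRoot = 'C:\Program Files (x86)\Trend Micro',
    [string]$TmiCfg,      # full path to TMI.cfg (location is not given in the guide)
    [switch]$IsParent     # set for a parent Control Manager server
)
$ErrorActionPreference = 'Stop'

# Display names as written in the guide; the wildcard absorbs small differences.
$patterns = 'Trend Micro Control Manager*', 'Trend Micro Management Infrastructure*',
            'Trend Micro Common CGI*', 'World Wide Web*'

# Paths from the restore list. CmKeyBackup and TMI.cfg are left out because the
# guide does not state their location; "Reports" applies to 3.5 only.
$items = @(
    'Control Manager\schema.dtd', 'Control Manager\schema.xml',
    'Control Manager\ProductClass', 'Common\TMI\Profile',
    'Control Manager\StringTable.xml', 'Control Manager\ProductInfos.xml',
    'Control Manager\IDMapping.xml', 'Control Manager\WebUI\WebApp\App_Data',
    'Control Manager\WebUI\ProductUI', 'Control Manager\WebUI\Exports',
    'Control Manager\Certificate',
    'Control Manager\WebUI\Download\SSO_PKI_PublicKey.pem',
    'Control Manager\WebUI\Download\dlp', 'Control Manager\Agent.ini',
    'Control Manager\DMRegisterInfo.xml',
    'Control Manager\WebUI\WebApp\widget\repository\db\sqlite\tmwf.db',
    'Control Manager\WebUI\Webapp\AdHocQuery',
    'Control Manager\SystemConfiguration.xml'
)

function Copy-WithRobocopy([string]$From, [string]$To, [string]$File) {
    $roboArgs = @($From, $To)
    if ($File) { $roboArgs += $File } else { $roboArgs += '/E' }
    & robocopy.exe @roboArgs /R:2 /W:2 /NP /NJH /NJS | Out-Null
    # robocopy exit codes of 8 and above indicate failed copies.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE): $From -> $To" }
}

# 1. Resolve and stop the services; refuse to continue if any is still running.
$services = foreach ($p in $patterns) {
    $svc = Get-Service -DisplayName $p -ErrorAction SilentlyContinue
    if (-not $svc) { throw "No service matches display name '$p'" }
    $svc
}
$services | Stop-Service -Force
foreach ($s in $services) {
    $s.Refresh()
    if ($s.Status -ne 'Stopped') { throw "Service still running: $($s.DisplayName)" }
}

# 2. Copy the files and folders back.
foreach ($rel in $items) {
    $src = Join-Path $BackupRoot $rel
    $dst = Join-Path $InstallRoot $rel
    if (-not (Test-Path -LiteralPath $src)) { Write-Warning "Not in backup, skipped: $rel"; continue }
    if (Test-Path -LiteralPath $src -PathType Container) {
        Copy-WithRobocopy $src $dst
    } else {
        Copy-WithRobocopy (Split-Path $src -Parent) (Split-Path $dst -Parent) (Split-Path $src -Leaf)
    }
}

# 3. Parent servers need PARENT_SERVER_CASCADED=1 in TMI.cfg (checked, not edited).
if ($IsParent) {
    if (-not $TmiCfg) {
        Write-Warning 'Parent server: confirm PARENT_SERVER_CASCADED=1 in TMI.cfg.'
    } elseif (-not (Select-String -LiteralPath $TmiCfg -Pattern '^\s*PARENT_SERVER_CASCADED\s*=\s*1\s*$' -Quiet)) {
        throw "PARENT_SERVER_CASCADED=1 is not set in $TmiCfg"
    }
}

# 4. Start the services only after the database restore is confirmed.
Read-Host 'Confirm the database was restored under the same name, then press Enter' | Out-Null
$services | Start-Service
$services | ForEach-Object { $_.Refresh(); $_ } | Format-Table DisplayName, Status -AutoSize
```

The script stops on the first failed copy and leaves the services stopped, so a partially restored file set is never started.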

Refer to the following Knowledge Base article for the steps on how to recover the Control Manager server without a backup: http://esupport.trendmicro.com/solution/en-US/1060967.aspx.

There are, however, sections that cannot be restored.

● If there were no backups of the Policy management rules, the customer must manually create them again.

● Ad Hoc queries must also be recreated manually.

● Reports should also be recreated manually.

● Additionally, all Control Manager settings must be set manually.

This chapter briefly discusses best practices for migrating Control Manager agents from one Control Manager machine to another.

The Agent Migration Tool is the preferred tool for migrating MCP-based agents and Windows TMI-based agents. Before using this tool, take note of the following considerations:

Linux-based MCP agents can be migrated using the Agent Migration Tool. Products with Linux-based MCP agents are:

● ServerProtect for Linux 3.0

● InterScan Messaging Security Virtual Appliance (all supported versions)

● InterScan Web Security Virtual Appliance (all supported versions)

Linux-based TMI-based agents can only be migrated by reinstalling the Control Manager agent. Most of the Linux-based TMI-based agents are no longer supported. The only product that is still supported is ScanMail for Lotus Domino 3.0 for AS/400.

For Web Service-based agents, the only way to migrate them is to unregister them from the old Control Manager server and register them manually on the new Control Manager server.

1. Open the Control Manager console.

2. Go to Administration > Managed Servers.

3. In the Server Type section, select the Product.

4. Once displayed, remove the agent by clicking the Delete icon (trash can) under Actions.

1. Open the Control Manager console.

2. Go to the Dashboard tab.

3. On the upper-right corner, click Server Visibility.

4. Remove the agent from the list by ticking the checkbox and clicking Delete.

After completely removing the agent from the old Control Manager server, you need to register the agent to the new Control Manager server.

It is possible for a Web Service-based Control Manager agent to display its information through the Widget framework on one Control Manager server while its policies are set on another Control Manager server.

For example:

1. Install tmcm-1.

2. Configure the widgets of tmcm-1 to access the web service-based agent.

3. Install tmcm-2.

4. Configure Managed Server of tmcm-2 to connect to the same web service-based agent.

However, this is NOT supported or recommended. We suggest using only one Control Manager to display information and contain policy settings.

This chapter discusses the updates and deployment via Active Update to the connected entities in Control Manager.

By default, Control Manager is set to update all available components.

Trend Micro recommends doing the following:

● Modify the default deployment plan. Make sure that it contains only one deployment plan schedule.

1. Log in to the Control Manager console.

2. Go to Updates > Deployment Plan.

3. Click Deploy to All Managed Products Now (Default). You should be able to see three schedules.

4. Delete the following Deployment schedules:

Delay 00 hours 30 minutes

Delay 01 hours 00 minutes

This will prevent TMCM from performing too many deploy commands.

5. Click Save.

● Make sure that the All Pattern files/cleanup templates option is not set to less than two (2) hours.

1. Log in to the TMCM console.

2. Go to Updates > Scheduled Updates.

3. In the Pattern Files/CleanUp templates section, click All pattern Files/Cleanup templates.

4. Set the schedule to every two hours. This will prevent TMCM from performing too many update commands.

5. Click Save.

Additionally, the traffic and TMCM’s workload can be minimized by adjusting downloads to focus on only the needed components. You can do this by using the Product Component Status widget from the Dashboard section:

1. On the Dashboard section, go to Product Component Status.

2. Under the widget settings, select the following options:

Scope: All Products

Source: Both

3. Click Save. Choosing these settings will show a list of the needed components.

Adjust the scheduled download settings accordingly.

This chapter deals with Policy Management best practices and will discuss planning, testing, implementing, and administering Policy Management. Policy Management is a powerful feature in Control Manager as it allows administrators to enforce settings on specific products and specific targets.

The first important step in Policy Management planning is to see which settings can be implemented in Policy Management, as not all settings can be implemented. It is important for the administrator to be able to identify which settings are available.

To see the actual list of products that support Policy Management, go to the Control Manager console > Policy > Policy Resources > Policy Template Settings.

The Product Support table lists the products that support Policy Management. Pointing the mouse at the Information icon (i) reveals the product versions that support Policy Management.

The figure above is based on Control Manager 6.0 Service Pack 1 with additional widget updates (as of May 15, 2014). It is possible that new sets of widgets will be released in the future. When this happens, the list of products that support Policy Management may also increase.

The next step is to check the settings that are available for each product. You can do this by going to Policies > Policy Management. You can then create a draft template to see what settings are available. Draft policies are policies that are not deployed to any product. Simply set the product and click the Create button.

Below is a sample of what OfficeScan policies look like.

You can expand each setting to view the settings that are available. The settings are different for each product and product versions. There are no definite settings so it is important for administrators to have an overview of what is available.

It is important to know that only one policy will take effect. This is very important in Policy Management planning. Administrators may think that two policies can be set on an endpoint or entity and that these policies can be merged. Since only one policy takes effect, it is very important to plan the policies.

Below is the order of application:

1. A Specified Policy takes precedence over a Filtered Policy

2. A Specified Policy does not have a Priority number and only shows “Locked”. When an entity is assigned a Specified Policy, it is locked to that machine.

Customers may want to set a policy for a specific set of computers. These computers would deviate from the Filtered Policies that normally take effect. Specified Policies are ideal for these situations.

Specified Policies are policies where specific “Targets” are identified. This indicates that the machines are already registered to the Control Manager server.

Unlike the Filtered Policy, a Specified Policy allows users to search for the endpoints or entities where the policy will be applied. As indicated, the entity must already be in the Control Manager server for a Specified Policy to be applied on it. By finding the entity or endpoint, administrators can add the entity to the targets. The policy will not take effect on the endpoint until it is added to the list.

Search for targets using the Search tab and the different criteria available. Figure 10 shows an example of searching for targets using the Match keywords in criteria to run a search for Host names that match “TMCM”. Click the Search button to find a match.

Tick the entity of the target and click Add Selected Targets for the policy to take effect on the endpoint.

You can also look for targets directly using the Browse tab. From this tab, you can specify the machines you want to apply the policy to. You can browse using the Directory drop-down (Product Directory or Active Directory) or you can browse using the tree.

View Results and View Action List show how many endpoints or entities will have the policy.

The Trendy-A company has created two Filtered Policies, one for users in the United States, the other for users in Germany. Every new computer that they add immediately receives the policy that disables deployment of OfficeScan hot fixes and program upgrades, which prevents them from consuming a large amount of network bandwidth.

After applying a hot fix on the OfficeScan server, administrators need to disable the "OfficeScan agents can update components but not upgrade the agent program or deploy hot fixes" option. However, you do not want to disable it for all OfficeScan clients, but only for 100 clients at a time until all clients have completely upgraded.

To disable the option using Specified Policies:

1. Create a copy of the policy you want to modify and set the target first to None (Draft only). This allows administrators to plan the policy properly without applying it.

a. Open the Control Manager console.

b. Go to the Policies tab and choose Policy.

c. Tick the checkbox of the Policy that you want to copy and click Copy Settings.

d. Ensure that targets are set to None (Draft only) in the copy of the policy.

2. Under OfficeScan Client Settings, expand Privileges and Other Settings.

3. Untick the OfficeScan agents can update components but not upgrade the agent program or deploy hot fixes option.

4. Set the Target to Specify Targets and manually assign the OfficeScan clients that need to be upgraded.

5. Take note of the following:

a. The new policy will automatically have a higher order than the old policy.

b. If the previous policy was a Specified Policy, then the clients will be removed from the previous Specified Policy list.

c. The Filtered Policy takes a lower precedence and will be at the bottom of the list.

6. After applying the hot fixes or Service Packs to the OfficeScan clients, check if the OfficeScan client should be added again to the older Specified Policies. This will allow the OfficeScan clients to restore the old policies.

a. Assign the OfficeScan clients to Specified Policies if they are meant to be under the previous Specified Policies.

b. For Filtered Policies, the OfficeScan client will automatically apply them once the Specified Policy is removed.

7. After upgrading the OfficeScan clients, you can then delete the policy.

The Trendy-B company has created a Filtered Policy for all Windows 2012 Servers in the data center. However, they started experiencing performance issues on Microsoft SQL Servers. After searching through Trend Micro’s Knowledge Base, they found an article that lists specific folders to exclude from scanning to improve the performance of SQL Servers.

http://esupport.trendmicro.com/solution/en-US/1059770.aspx

In this case, a Specified Policy is also a good option to use. The steps are similar to the first example.

1. Create a copy of the policy you want to modify and set the target first to None (Draft only). This allows administrators to plan the policy properly without applying it.

2. Under Scan Exclusion, enter the SQL Server paths for exclusion.

3. Set the Target to Specify Targets and manually assign the SQL Servers. You can use the Search Criteria to find the targets.

Some customers may want to automatically assign a set of policies to entities based on a set of criteria. This is called a Filtered Policy. These policies are set by using the Filter by Criteria option.

By choosing this option, any new entity that registers to the Control Manager server will automatically apply the policy when:

● No other Filtered Policy with a higher order matches

● No Specified Policy matches

● The criteria match

Filtered Policies are ideal for the following scenarios:

1. A large number of computers have similar settings. These are normally baseline policies, or policies that must be enforced on all machines within the company unless exceptions are made. In this case, the Specified Policies become the exceptions, and the Filtered Policies are the rule if there are no exceptions.

2. Filtered Policies can also be applied to future machines. For example, an OfficeScan client is not yet installed, but once installed and the criteria match, the policy is automatically deployed.

The Control Manager Administrator’s Guide explains each of the settings available. We recommend testing the Filtered Policies first before applying them.

Tick the Set Filter option to allow administrators to specify the targets of the Filtered Policy.

Important reminders:

● When specifying this option, all criteria must match.

● When a naming convention is available, it is possible to use the Match keywords in option when searching via Hostname.

● Tree Paths are also available for OfficeScan clients in multi-domain environments.

● Customers who have specific IP address ranges for their environments can also use these when creating a policy.

● Policies can also be based on the Product Directory. This allows administrators to define policies for an entire folder within the Control Manager tree.

The Trendy-A company has all employees divided into IP address blocks for users using their production environment for each country:

172.16.0.1 to 172.16.1.254 – All users from the United States

172.16.2.1 to 172.16.3.254 – All users from Germany

In this case, administrators can use the IP addresses option to set the criteria to make sure the Filtered Policy applies to the IP address range.

The Trendy-B company wants to use OfficeScan Client Grouping to group OfficeScan clients into the multiple-layer domains. The company decided that Control Manager must automatically create a configuration for all sub-domains and also change them using the policy.

Control Manager is only able to display the first layer domain. This is a current limitation of Control Manager. To be able to configure multiple-layer domains to be applied to the sub-layer, multiple criteria must be specified and all the criteria must match.

Criteria 1: Specify Match keywords in and the tree path. The tree path of the OfficeScan client can actually be seen in the OfficeScan client view from the Control Manager console.

As you can see, the format is: layer1\layer2\layer3. This makes it possible to set the criteria to be “layer1\layer2\layer3” or specify only “layer2\layer3”. However, wildcards are not supported.

Criteria 2: If you need to limit your search to only specific OfficeScan servers, or if you want to set separate policies for different OfficeScan servers that also have the same multi-layer domains, then it is possible to set the Product Directory as the second criterion.

You can then specify the OfficeScan server, and even the first layer OfficeScan Domain.

Any new OfficeScan client will automatically apply the policy.
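Before creating the policies, the planned criteria can be checked against an endpoint inventory to find endpoints that no policy covers and endpoints that more than one policy covers. The following is an added planning example, not part of the original guide and not Control Manager code; the class names, policy names, server names, and inventory records are hypothetical, and the substring matching of tree paths is an assumption based on the layer2\layer3 example above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Endpoint:
    """Constructed inventory record (not a Control Manager export format)."""
    host: str
    ip: str
    tree_path: str   # OfficeScan tree path, layer1\layer2\layer3
    server: str      # OfficeScan server entry in the Product Directory


@dataclass
class FilterPlan:
    """Hypothetical planning model of the criteria of one Filtered Policy."""
    name: str
    ip_range: Optional[Tuple[str, str]] = None   # first and last address, inclusive
    tree_keyword: Optional[str] = None           # literal text only
    server: Optional[str] = None

    def __post_init__(self):
        # The guide states that wildcards are not supported in tree paths.
        if self.tree_keyword and any(ch in self.tree_keyword for ch in "*?"):
            raise ValueError(f"{self.name}: wildcards are not supported")

    def matches(self, ep: Endpoint) -> bool:
        """Every criterion that is set must match (logical AND)."""
        if self.ip_range is not None:
            first, last = (ipaddress.ip_address(a) for a in self.ip_range)
            if not first <= ipaddress.ip_address(ep.ip) <= last:
                return False
        # Assumption: keyword matching is a literal, case-sensitive substring test.
        if self.tree_keyword is not None and self.tree_keyword not in ep.tree_path:
            return False
        if self.server is not None and self.server != ep.server:
            return False
        return True


def plan_targets(filters: List[FilterPlan],
                 endpoints: List[Endpoint]) -> Dict[str, List[str]]:
    """Map each host name to the names of the planned policies that target it."""
    return {ep.host: [f.name for f in filters if f.matches(ep)] for ep in endpoints}


def review(targets: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (hosts no policy covers, hosts more than one policy covers)."""
    uncovered = sorted(h for h, names in targets.items() if not names)
    overlapping = sorted(h for h, names in targets.items() if len(names) > 1)
    return uncovered, overlapping


# Planned criteria: the two Trendy-A address blocks from the guide, plus one
# tree-path policy limited to a single OfficeScan server (constructed names).
FILTERS = [
    FilterPlan("US-Users", ip_range=("172.16.0.1", "172.16.1.254")),
    FilterPlan("DE-Users", ip_range=("172.16.2.1", "172.16.3.254")),
    FilterPlan("DE-Sales-Laptops", tree_keyword=r"Sales\Laptops", server="OSCE-DE-01"),
]

# Constructed endpoint inventory.
ENDPOINTS = [
    Endpoint("us-ws-001", "172.16.0.25", r"Workgroup\Finance\Desktops", "OSCE-US-01"),
    Endpoint("us-ws-002", "172.16.1.200", r"Workgroup\Sales\Laptops", "OSCE-US-01"),
    Endpoint("de-ws-014", "172.16.2.40", r"Workgroup\Sales\Laptops", "OSCE-DE-01"),
    Endpoint("de-ws-020", "172.16.4.10", r"Workgroup\Sales\Desktops", "OSCE-DE-01"),
]

if __name__ == "__main__":
    targets = plan_targets(FILTERS, ENDPOINTS)
    for host, names in targets.items():
        print(f"{host:10} -> {', '.join(names) or 'NO POLICY'}")
    uncovered, overlapping = review(targets)
    print("uncovered:", uncovered)
    print("overlapping:", overlapping)
```

In this constructed inventory, us-ws-002 has a matching tree path but reports to a different server, so the tree-path policy does not target it, which illustrates the rule that all criteria must match.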

Not all products support Filtered Policies. Some products only support Specified Policies. Examples of these products are:

● Trend Micro Mobile Security 9.0

● Trend Micro Security for Macintosh 2.0

● Trend Micro Endpoint Encryption 5.0

You cannot use Filtered Policies for these products.

The samples show that Specified Policies are designed for creating exemptions to Filtered Policies. The samples provided are not only basic examples but recommended practices as well.

Also note that any Specified Policies that you create are copies of the Filtered Policies. This allows administrators to copy the original settings from old policies. It enables them to make exact copies of the old policies and make minor deviations.

In some companies, local administrators are delegated to do certain tasks while regional administrators are in charge of other tasks. An example of this is OfficeScan administrators who only have access to the OfficeScan servers in their country. When Policy management is used, it is possible that these administrators are not able to do this task.

When local administrators are delegated and can only use the product console, the policy permissions should be set. By default, they are hidden, but can be seen when you click Show Permissions.

By default, all permissions are set as “Centrally Managed”. This means that the settings of the policy will take precedence over the product console.

However, a customer, for example, may want only the following settings to be defined in the policy:

● Real-time Scan Settings

● Privileges and Other Settings – this prevents administrators from deploying hot fixes

● Web Reputation Settings

● Scan Methods – this prevents local administrators from changing Smart Scan clients to Conventional Scan

This configuration is possible. In the figure below, Real-time Scan, Privileges and Other Settings, Web Reputation Settings, and Scan Methods are set as “Centrally Managed”. The other settings, on the other hand, are set as “Locally Managed”.

When a policy is removed, Control Manager no longer imposes the settings on the product. However, the product does not roll back any settings. This is very important during deployment planning.

If a setting was configured on the product and you need to roll back the setting, you can do this through the following:

● If there is no more policy affecting the endpoint, a customer can log in using the Local console to revert to the original settings.

● The customer can create another Filtered or Specified policy that will change the setting to the intended setting.

This is one of the reasons why it is recommended to have a Filtered Policy that enforces the default configuration settings of the products. The Filtered Policy essentially becomes the default setting.

When a policy is created, administrators are able to specify:

● The Policy targets

● The settings to be applied

However, the policy can only cover endpoints where the Control Manager user has access. Thus, it is important to plan who will create the policy. It is also possible for multiple administrators to have the same policy settings but different targets because they only have access to specific endpoints and entities.

You can view the coverage of each user by going to the Administration tab > Administration > Account Management > User Accounts section. When you click the User, you will see their Access Control.

The sample below checks the Access Control of a user. You can see that the user only has access to the entity under the two folders, DE – ESX 100 and DE – PHYSICAL.

The user then will not be able to apply any policy to entities or endpoints under the other folders.

Aside from Folders, it is also possible that the user can only have access to Entities.

In this example, we can see that the account has access to the imsva85.core.tm_IMSVA entity, but not to imsva82.core.tm_IMSVA. Because of this, the account is only able to apply policies to the imsva85.core.tm_IMSVA entity.

Another example is when a policy is based on the OfficeScan domains.

In the example shown below, the account only has access to specific OfficeScan server domains. Because of this, the policy cannot be applied to other OfficeScan clients that are part of an OfficeScan domain where the account does not have access.

You can configure multiple Control Manager servers to be Child Control Manager servers and send logs to a Parent Control Manager server. The Parent Control Manager is responsible for the following:

● A repository of all the logs of the Child Control Manager servers. This allows a global view of all logs from a Child Control Manager Server.

● The Parent Control Manager can also be a source of updates for the Child Control Manager servers.

The only major requirement is that the Child Control Manager servers must be able to access the Parent Control Manager console. If the Child Control Manager server cannot access the Parent Control Manager server IIS web server port (Port 80 by default), then it is not possible to register the Child Control Manager.

This chapter is meant to be a supplement and offer recommendations for Cascading. Before proceeding, take time to review the Control Manager 6.0 Administration Guide for more details about Cascading. Basic configuration will not be discussed here.

IMPORTANT: As much as possible, Trend Micro recommends not using cascading for new installations due to its limitations.

The Parent server must have the same or a higher Control Manager version than the Child Control Manager servers. This includes the Hot Fix, Patch, and Service Pack levels. Having a Child Control Manager server on a higher version can cause unpredictable results on a Parent Control Manager server.

It is also recommended that the Parent Control Manager server only manage Child Control Manager servers. Configuring other products to be registered to the Parent Control Manager server is possible. However, generating reports and dashboard information becomes complicated because products are then mixed with the other Child Control Manager servers. Every widget scope would then need to be reconfigured.

Because the Parent Control Manager server collects most of the Child Control Manager logs, the database can grow tremendously. Before preparing the SQL Database of the Parent Control Manager server, it is recommended to monitor the disk space usage of all the Child Control Manager server databases. This will allow administrators to get an overview of the amount of disk space needed.

You should use a separate SQL Server for the Parent Control Manager server from the one used by the Child Control Manager servers. The SQL Server of the Parent Control Manager server should also not be installed on the same machine as the Control Manager server itself.

By default, all Control Manager servers are configured to synchronize the Product Tree information every 30 minutes. This is defined in the SystemConfiguration.xml file of the Child Control Manager servers.

<P Value="30" Name="m_uiCasMcpChildTriggerDataSyncFreqInMin"/>

In Control Manager 6.0 Service Pack 1, tree synchronization has been improved so dramatically that you no longer need to modify the default time. However, in some situations, you will need to increase or decrease the synchronization frequency.

You must increase the synchronization interval if the Child Control Manager server has a large number of OfficeScan clients. For environments with a large number of OfficeScan clients (>50,000 clients), it is recommended to set the value to every two hours (120 minutes). This prevents Control Manager from taking too much time synchronizing the tree.

To increase the interval:

1. Open a command prompt on each Child Control Manager server.

2. Go to the \Control Manager folder.

3. Execute the following:

XMLModify.exe m_uiCasMcpChildTriggerDataSyncFreqInMin <new interval> SystemConfiguration.xml

For example, to increase the interval to 120:

XMLModify.exe m_uiCasMcpChildTriggerDataSyncFreqInMin 120 SystemConfiguration.xml

4. Restart the Trend Micro Control Manager service.

By default, the Child Control Manager server is configured not to send information to the Parent Control Manager. This is important to note because some administrators make the mistake of not configuring the Log Upload setting. Refer to the Configuring Log Upload Settings topic in the Control Manager Administrator’s Guide.

The sample below shows the log upload configured so that logs are uploaded as soon as they are available. Administrators should choose this option if they want a real-time view of the logs available in their environment.

The “Schedule log upload” option should be used in the following scenarios:

● There is limited network bandwidth between the Parent and the Child Control Manager servers.

● If the Control Manager dashboard is not regularly used and reports are only generated every day at a certain period. You can set the upload schedule daily and then generate the report afterwards.

Currently, the only reason for disabling log upload is for legal reasons. In some institutions, the administrators of the Parent Control Manager server need to see the number of logs detected on the Child Control Manager servers, but are not allowed to have a physical copy of the logs in their database. These can be legal restrictions depending on the country of the institution.

Administrators will notice that the Parent Control Manager will still show the number of logs available on the Child Control Manager server in the dashboard. The Child Control Manager server sends two types of information to the Parent based on the logs.

● Log Count – The number of logs available on the Child Control Manager (i.e., 5 virus logs were detected).

● Actual Logs – The actual log information (file detected, etc.)

The Log Count is sent at a faster interval. Additionally, if the Log Upload was not enabled previously, then a discrepancy will occur between the widget and the actual logs.

For example, a Child Control Manager was registered at 5:00 pm. During the day, the Child Control Manager server detected 5 viruses. The Parent Control Manager widget will show 5 viruses. At 6:00 pm, an additional 5 viruses were detected. The Parent Control Manager Threat Detection widget will now show 10 viruses, but if the number is clicked, or a report is generated, it will only show 5 viruses.

To prevent the discrepancy:

1. Open a command prompt on the Parent Control Manager server.

2. Go to the \Control Manager folder.

3. Execute the following:

XmlModify.exe m_iCalSummaryLogByParentCM 1 SystemConfiguration.xml

4. Restart the Trend Micro Control Manager service.

This configures the Parent Control Manager server to ignore the count of the logs and instead recalculate the number of logs based on the actual logs it has.
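To confirm that the tree synchronization interval and the log count setting described above are actually in place, the values can be read back from a copy of each server's SystemConfiguration.xml. The following is an added read-only example, not part of the original guide and not a Trend Micro tool; the wrapper element and the sample file contents are constructed, and the script assumes only that parameters are stored as <P Name="..." Value="..."/> elements as shown above.

```python
import xml.etree.ElementTree as ET

SYNC_KEY = "m_uiCasMcpChildTriggerDataSyncFreqInMin"
RECALC_KEY = "m_iCalSummaryLogByParentCM"
LARGE_SITE_CLIENTS = 50_000      # client threshold named in the guide
LARGE_SITE_INTERVAL_MIN = 120    # interval the guide recommends above that threshold


def read_params(xml_text):
    """Collect Name -> Value for every <P> element, at any depth in the file."""
    root = ET.fromstring(xml_text)
    return {p.get("Name"): p.get("Value") for p in root.iter("P") if p.get("Name")}


def audit_child(xml_text, officescan_clients):
    """Check a Child server's tree synchronization interval; return findings."""
    raw = read_params(xml_text).get(SYNC_KEY)
    if raw is None:
        return [f"{SYNC_KEY} is missing"]
    try:
        interval = int(raw)
    except ValueError:
        return [f"{SYNC_KEY} has a non-numeric value: {raw!r}"]
    if interval <= 0:
        return [f"{SYNC_KEY} must be a positive number of minutes, found {interval}"]
    findings = []
    if officescan_clients > LARGE_SITE_CLIENTS and interval < LARGE_SITE_INTERVAL_MIN:
        findings.append(
            f"{officescan_clients} OfficeScan clients with a {interval}-minute "
            f"interval; the guide recommends {LARGE_SITE_INTERVAL_MIN}"
        )
    return findings


def audit_parent(xml_text):
    """Check that the Parent recalculates counts from the logs it has stored."""
    raw = read_params(xml_text).get(RECALC_KEY)
    if raw != "1":
        return [f"{RECALC_KEY} is {raw!r}; widget counts can differ from the "
                "logs stored on the Parent if Log Upload was enabled late"]
    return []


# Constructed sample files; the <SystemConfiguration> wrapper is an assumption.
CHILD_DEFAULT = """<SystemConfiguration>
  <Section>
    <P Value="30" Name="m_uiCasMcpChildTriggerDataSyncFreqInMin"/>
  </Section>
</SystemConfiguration>"""

CHILD_TUNED = CHILD_DEFAULT.replace('Value="30"', 'Value="120"')

PARENT_UNSET = """<SystemConfiguration>
  <P Value="30" Name="m_uiCasMcpChildTriggerDataSyncFreqInMin"/>
</SystemConfiguration>"""

PARENT_TUNED = """<SystemConfiguration>
  <P Value="1" Name="m_iCalSummaryLogByParentCM"/>
</SystemConfiguration>"""

if __name__ == "__main__":
    checks = [
        ("child, 8,000 clients, default", audit_child(CHILD_DEFAULT, 8_000)),
        ("child, 60,000 clients, default", audit_child(CHILD_DEFAULT, 60_000)),
        ("child, 60,000 clients, tuned", audit_child(CHILD_TUNED, 60_000)),
        ("parent, setting absent", audit_parent(PARENT_UNSET)),
        ("parent, setting applied", audit_parent(PARENT_TUNED)),
    ]
    for label, findings in checks:
        print(f"{label}: {'; '.join(findings) or 'OK'}")
```

The script only reads the file; changes are still made with XMLModify.exe followed by a restart of the Trend Micro Control Manager service, as in the steps above.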

The Parent Control Manager server can be used as an update source for Child Control Manager servers. This is applicable if, due to security, only the Parent Control Manager server is allowed to access the Internet.

If the network bandwidth between the Parent and the Child Control Manager servers is not fast enough, using the Parent Control Manager as an update source is not practical. This is particularly true if the Parent and the Child Control Manager servers are geographically separated by continents. For example, the Parent Control Manager server is in Asia, but the Child Control Manager server is in the United States.

In this case, it is recommended to completely disable Scheduled Update on the Parent Control Manager server.

If the Parent Control Manager server will be used as an update source, there are two update options. The first option is to allow the Parent Control Manager server to download the updates but not to deploy these updates.

1. On the Parent Control Manager server, go to Scheduled Updates and choose All Pattern files/Cleanup templates.

2. Select Enable scheduled download and set its frequency to Every Hour.

3. On the Automatic Deployment settings section, select Do not deploy.

4. Click Save.

5. Set the following configurations:

a. All Antispam rules – Set frequency to daily

b. All Engines – Set frequency to daily

c. Officescan Plug-in Programs – Set frequency to daily

d. All Product Programs – Set frequency to weekly

6. Disable all other Component Categories.

The second option is to specify the update source in the Child Control Manager servers.

1. Open the Control Manager console and go to Scheduled Updates.

2. For every component for which the customer wants to enable updates, set the Source to: http://<parent_ip_or_fqdn>:<http_port>/TvcsDownload/Activeupdate.

The advantage of this setting is to allow the Child Control Managers to download the pattern files and cleanup templates actively from the Parent Control Manager. This allows for flexibility, especially if the Child Control Manager servers have separate download sites.

The main disadvantage of using this setting is that there are instances where the Child and the Parent will initiate an update at the same time. If the Parent Control Manager has not finished downloading the updates, then the Child Control Manager server will return an error.

The second update option is to have the same configuration as normal Control Manager servers and agents.

1. Configure the Parent Control Manager server to download and deploy updates.

2. Disable all Child Control Manager servers Scheduled Update settings.

In this case, when the Parent Control Manager server has finished downloading the updates, it will immediately deploy the updates to the Child Control Manager servers.

The advantage of this option is that the updates are synchronized. Only when the Parent Control Manager server has finished its updates will the Child Control Manager servers start to download the updates.

The disadvantage of this option is that it is not flexible enough. The Child Control Manager servers cannot download updates on different schedules. For example, pattern files may need to be updated only daily on one Control Manager server that hosts sensitive file servers, while another Control Manager server that hosts all OfficeScan servers must get the updates as soon as possible. In this case, the first option must be used.

The last option is to allow the Child Control Manager servers to download updates from the Internet. In this case, make sure to disable Scheduled Update on the Parent Control Manager server and configure the Child Control Manager servers to download the updates.

In Control Manager 6.0 Service Pack 1, the following features are not available:

● License Management - It is not possible to deploy new Activation Codes and extend Activation Codes from a Parent Control Manager to an entity of a Child Control Manager server. This must be done on the Child Control Manager servers.

● Policy Management - It is not possible to configure policies from the Parent Control Manager server and deploy the policies to the entities of a Child Control Manager server. Policies must be configured in the Child Control Manager servers.

● Data Leak Protection Templates – It is not possible to configure Data Leak Protection Templates and Identifiers from the Parent Control Manager server and have them automatically deployed to Child Control Manager servers. These must be configured in the Child Control Manager servers.

This chapter discusses considerations to take into account when storing logs over an extended period of time and recommended backup procedures for logs.

By default, this setting is not available in the Control Manager console. Nevertheless, you can use the following article to enable this configuration: http://esupport.trendmicro.com/solution/en-US/1102806.aspx.

To calculate the approximate SQL database size, refer to the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/ms187445.aspx.

Table 1 shows the estimated sizes of Control Manager log files.

Table 2 shows the size of the TMCM directory database components.

This chapter provides an overview of Control Manager’s Active Directory (AD) Integration feature.

This feature helps you to easily import AD users. It also enables you to use the new widgets and features such as the Endpoint Protection Verification widget and the Users/Endpoints Directory section.

The User/Endpoint Directory is a graphical representation of the organization of your Control Manager network. Control Manager 6.0 Service Pack 1 allows you to organize your network into groups of users or endpoints.

You can organize the User/Endpoint Directory through any of these methods:

● Filter-based grouping: Use filters to group users or endpoints based on specific characteristics

● Tag-based grouping: Use tags to assign users or endpoints manually

● Active Directory mapping: Automatically synchronize your Endpoint directory with your Active Directory server

Administrators of a Parent Control Manager can monitor entities of Child Control Manager servers using the User/Endpoint Directory. By default, Child servers sync the following information with their Parent server hourly:

● Managed entity and physical machine relationship

● Corresponding policy of each endpoint entity

● Non-Active Directory users in the incident log

To configure Control Manager to use Active Directory Integration, open the Control Manager GUI and navigate to Administration > Settings > Active Directory and Widget Settings.

Custom tags are labels that you can manually associate with one or more users or endpoints. Create custom labels to group certain users or endpoints.

Custom filters allow you to automatically group users or endpoints that have the same criteria. The Users tree can group users based on their name, direct manager, location in the Active Directory or organization unit, and policy status. The Endpoints tree can group computing devices based on their name, IP address, type, operating system, or location in the Active Directory.

Control Manager 6.0 allows users to define custom views for better visibility based on the customer’s needs.

This simplifies management for accounts that have access to the TMCM console by allowing the user to do the following:

● View a list of users and actionable information such as associated security threats, policy status, and contact information per user

● View a list of endpoints and policy status per endpoint

● View a timeline chart for incident investigation

● The User Access Information in an ad hoc query provides details about any user modifications related to any available custom tags or filters

● Group users based on your Active Directory organization

● Group endpoints based on their location (that is, their IP ranges)

● Group users or endpoints with similar properties or characteristics

For example, grouping based on who manages a group of users, who accesses a group of servers, endpoints with the same operating system type or host names, etc.

● Group users or endpoints based on any other criteria that support your needs

For example, it is a common practice to divide networks according to the roles of those using the network—Marketing, Finance, Human Resources, Product Development, etc.

Control Manager comes with several pre-defined roles.

For more information regarding pre-defined roles refer to the Control Manager documentation: http://docs.trendmicro.com/en-us/enterprise/control-manager-60-service-pack-1/ch_ag_user_access_configure/understand_account_types.aspx.

Aside from the pre-defined roles, you can also set custom roles in order to assign scopes based on user needs.

Custom Roles are based on specific customer requirements. This means that:

● Customers can name the role based on their needs.

● The Menu Access Control is also customizable. You can select the menus and objects on a per need basis.

The option to be able to customize Control Manager according to your needs makes it highly flexible.

Control Manager offers two access methods, Menu Access Control and Product Access Control.

When adding a Custom Role, administrators can define the menu items the role can access on the console.

When adding a new user, administrators can also define the products the user can manage. This can be specified down to the machine entity level.

This chapter discusses the best practices and general recommendations for License Management in Control Manager.

License Management in Control Manager has two topics, License Extension and Activation Code Deployment.

By default, an Activation Code has an expiration date specified within the license. Through the Online Registration servers (OLR), it is possible to change the expiration date, either to a new date, or to expire the licenses immediately. Contact your Trend Micro sales representatives in case you need to extend the expiration dates of the licenses.

The requirements for License Extension are as follows:

● Internet access

The OLR servers can be accessed through https://olr.trendmicro.com. Control Manager needs to be able to access the OLR either through the proxy servers specified on the updates, or through direct Internet access.

● Specific Products that support License Extension

Only specific products support License Extension. Refer to the following Knowledge Base article for more information: http://esupport.trendmicro.com/solution/en-US/1102817.aspx

To initiate License Extension:

1. Go to the Product Directory tree and select the product.

2. Click Tasks > Deploy License Profile.

The steps above trigger Control Manager to check the OLR servers to see whether the Activation Code used by the product has a new profile. The profile includes, among other information, the number of seats and the expiration date of the license. If there is new information, Control Manager downloads the profile, and the changes are distributed to the product.

Some products use multiple Activation Codes for each product module. One example is OfficeScan. By default, OfficeScan contains multiple components such as:

● Antivirus for Desktops

● Antivirus for Servers

● Web Reputation and Antispyware for Desktops

● Web Reputation and Antispyware for Servers

● Damage Cleanup Services

It is important to note that for License Management to work properly in Control Manager, only one Activation Code per component must be active. All other Activation Codes must be expired. If more than one is active, Control Manager will indicate that a product is using multiple Activation Codes. Contact your Trend Micro sales representative to deactivate other licenses that are not needed.

In instances where Control Manager does not have Internet access, an alternative is to use Activation Code Deployment. Through Control Manager, it is possible to configure a product to use a new Activation Code.

Only specific products support Activation Code Deployment. Refer to the following Knowledge Base article for the list of products that support Activation Code Deployment: http://esupport.trendmicro.com/solution/en-US/1102817.aspx.

Refer to the Control Manager 6.0 Administrator’s Guide for the detailed steps on how to initiate Activation Code Deployment. This feature is found under the Administration > License Management > Managed Products section of the Control Manager console.

Similar to License Extension, Control Manager only deploys the Activation Code to the product. Most products will not remove the previous Activation Code. The products will only input the new Activation Code into the system. This may then cause multiple Activation Codes to be active and non-expired. Be careful in this situation and allow only one active Activation Code to be deployed to the Trend Micro products.