Akonix Enforcer Version 3.2 Installation Guide€¦ · Akonix Enforcer Installation Guide Contents...

Akonix®

Enforcer

Version 3.2 Installation Guide

Akonix Enforcer Installation Guide

Copyright Information

Akonix is a registered trademark, and the Enforcer Enterprise and the Akonix logo are trademarks of Akonix Systems, Inc. Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. AIM and AOL are registered trademarks and AOL Instant Messenger is a trademark of America Online, Inc. Apple, Mac, and Macintosh are registered trademarks of Apple Computer, Inc. Check Point, FireWall-1, OPSEC, and VPN-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd. IBM, Lotus, and Sametime are registered trademarks and Domino is a trademark of IBM Corporation. ICQ is a trademark of ICQ Inc. Legato and EmailXtender are trademarks or registered trademarks of Legato Systems, Inc. Microsoft, MS-DOS, Active Directory, MSN, the MSN logo, NetMeeting, Outlook, Windows, Windows NT, and the MSN logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape and the Netscape N and Ship's Wheel logos are registered trademarks of Netscape Communications Corporation in the U.S. and other countries. Novell is a registered trademark and eDirectory is a trademark of Novell, Inc. Reuters and the Reuters sphere logo are registered trademarks or trademarks of the Reuters group of companies around the world. Sun, Sun Microsystems, the Sun Logo, and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Yahoo!, the Yahoo! logo, and other Yahoo! logos and product and service names are trademarks of Yahoo! Inc. ZANTAZ is a registered trademark and Digital Safe is a trademark of ZANTAZ, Inc.

Other company names mentioned in this documentation might be trademarks of those companies. Other product names mentioned in this documentation might be trademarks of the companies that own those products. Use of a trademark without mention of trademark status should not be construed as a challenge to such status.

Copyright © 2000–2004, Akonix Systems, Inc. All rights reserved. Patent pending. Akonix Enforcer Installation Guide, Version 3.2 July 2004

2


Contents Product Support.............................................................................................................. 4

Overview .......................................................................................................................... 5 Product Description ..................................................................................................................... 6 Managed Protocols...................................................................................................................... 7 Product Components ................................................................................................................... 9

Installation ..................................................................................................................... 11 Upgrading .................................................................................................................................. 12 Installation Planning................................................................................................................... 19 Network and Firewall Configuration........................................................................................... 26 Akonix Enforcer Setup............................................................................................................... 30 Uninstalling Akonix Enforcer...................................................................................................... 37

Supplemental ................................................................................................................ 40 Command Line Interface ........................................................................................................... 41 Network Ports ............................................................................................................................ 43 Product Version Information ...................................................................................................... 44 Backing Up and Restoring System Settings.............................................................................. 45 Glossary..................................................................................................................................... 47

3


PRODUCT SUPPORT For support options, please visit the Akonix Web site at http://www.akonix.com, and choose the Support link.

4


OVERVIEW This section helps you get started with some general information about Akonix Enforcer.

Product Description

Managed Protocols

Product Components

5


PRODUCT DESCRIPTION Akonix Enforcer is an enterprise server that reduces the risks associated with the use of public instant messaging (IM) and peer-to-peer (P2P) file sharing, securing them for use on a corporate network. Unauthorized usage of these protocols is blocked by Akonix Enforcer. For the complete list of protocols currently handled by Akonix Enforcer, see Managed Protocols. Most firewalls by themselves cannot reliably block IM and P2P communications. This is because these so-called “rogue protocols” can port scan and communicate through any open port, including tunneling through port 80 (generally always open to allow Web browser access to the Internet). This makes it impossible to block all rogue protocol communications by simply closing firewall ports.

Key Benefits of Akonix Enforcer Reduced Legal Liability: Employers are at legal risk when employees send or share improper content. Akonix Enforcer detects and blocks this activity.

Recaptured Productivity & Network Bandwidth: Akonix Enforcer extends employee Internet management to instant messaging protocols, recapturing lost employee productivity and recovering network bandwidth lost to file sharing and file attachments.

6


MANAGED PROTOCOLS Akonix Enforcer manages rogue protocols that can be dangerous if not properly controlled. Rogue protocols typically attempt to evade standard network security measures in order to communicate. They defy traditional security measures such as firewalls because they do not conform to easily identifiable communication patterns, such as always connecting over the same network port. Akonix Enforcer currently handles the following rogue protocols.

Protocol Type Variations

Instant messaging.

AOL Instant Messenger (AIM) versions 4.7, 4.8, 5.0, 5.1, 5.5, AIM Express (Web-based), and Apple iChat (based on AIM).

ICQ versions 2002a and 2003a, 2003b, ICQ Lite 4.0 and 4.1, and ICQ2GO (Web-based). Note: The ICQ protocol is very similar to AIM. Some management features of Akonix Enforcer control both protocols at the same time.

MSN Messenger versions 5.0, 6.0, 6.1, 6.2, MSN Web Messenger, and Windows Messenger versions 4.7, 5.0.

SameTime Connect version 3.0.

Yahoo! Messenger versions 5.5, 5.6, 6.0, Yahoo! Web Messenger. Support for new versions will be made available via product updates. See the administration documentation for information about managing product updates.

Peer-to-peer file sharing.

FastTrack Network

Grokster.

Kazaa & KazaaLite.

iMesh.

7


Protocol Type Variations

Peer-to-peer file sharing.

Gnutella Network

BearShare.

Gnucleus.

LimeWire.

Morpheous.

NeoNapster.

Phex.

Shareaza.

Swapper.

XoloX. OpenNapster Network

WinMX. WinMX Peer Network

WinMX. BitTorrent Network

BitTorrent.

Shareaza.

Personal Torrent Collector.

BitTornado.

Bee Tee Plus Plus.

Azureus.

Effusion. Support for new versions will be made available via product updates. See the administration documentation for information about managing product updates.

8


PRODUCT COMPONENTS Akonix Enforcer consists of a number of different components that work together to manage communications. These components are described below. It is not necessary to install certain components if you do not need the functionality they provide. The Installation documentation provides more details about the installation considerations, as well as instructions for performing the installation.

Basic Components These are the components that must be installed for basic functionality.

Component Description

Enforcer The Enforcer component checks the traffic trying to leave the network in order to ensure that no unauthorized communications pass through.

Identity Server The Identity Server determines the identity of each managed user by retrieving the user’s network account and computer information.

Akonix Enterprise Manager

Akonix Enterprise Manager is the component administrators use to manage users and create policies that govern how Akonix Enforcer handles monitored traffic. Akonix Enterprise Manager runs as a Microsoft Management Console (MMC) snap-in. For your convenience, Akonix Enterprise Manager may be installed on as many computers as you wish, anywhere on your network. Each copy must be able to communicate with the server components of Akonix Enforcer over the appropriate management ports.

9


Reporting Components (Optional) These components are not required for basic management functionality, but they must be installed before you can create reports.

Component Description

Data Transformation Server

The Data Transformation Server transfers information from the log files into the Akonix Enforcer Data Warehouse on a configurable schedule.

Akonix Enforcer Data Warehouse

The Akonix Enforcer Data Warehouse is a SQL database used to archive information and to report on your organization’s managed protocol activity.

Akonix Enterprise Reporter

Akonix Enterprise Reporter lets an administrator create reports to review the traffic monitored and the actions taken by Akonix Enforcer. It can be installed separately so that report generation can be performed by someone other than the main policy administrator. To guarantee the security of the data, Akonix Enterprise Reporter requires a logon to the Akonix Enforcer Data Warehouse. For your convenience, Akonix Enterprise Reporter may be installed on as many computers as you wish, anywhere on your network. Each copy must be able to communicate with the Akonix Enforcer Data Warehouse.

10


INSTALLATION These instructions explain how to install and configure Akonix Enforcer. Before installing Akonix Enforcer, you should ensure that your network and your firewall are both running and working properly.

Upgrading

Installation Planning

Network & Firewall Configuration

Akonix Enforcer Setup

Uninstalling Akonix Enforcer

11


UPGRADING This section contains instructions for upgrading an existing installation of Akonix Enforcer. If you do not want to upgrade, see Installation Planning for details about setting up a new system.

Before Upgrading

Starting the Upgrade

Upgrade Prompt

Existing Folder

Upgrade Destination Location

Start Copying Upgrade Files

Data Warehouse Upgrade

Upgrade Component Configuration

BEFORE UPGRADING Before upgrading Akonix Enforcer, please review the following information.

Back up your existing system. Back up any computers with components of Akonix Enforcer already installed. In particular, be sure to back up the program files folder for Akonix Enforcer (default C:\Program Files\Akonix\Enforcer 3.1\).

You can use the Setup wizard to upgrade only from version 3.1, or version 3.0. To upgrade from an earlier version, please contact Support for assistance.

Check the locations of your report templates and schedules. If you have any report templates and schedules stored in the version 3.1 program files folder but not at their default locations, you should move or copy them to the default locations, or to a different location outside the program files folder. If you leave them where they are, they will not be migrated, and they might be deleted during the upgrade process.

You must upgrade all components. You cannot run some components of Akonix Enforcer version 3.2 and some components of Akonix Enforcer version 3.1 together. If you upgrade, you must

12


upgrade all components, including the management workstation components (Akonix Enterprise Manager and Akonix Enterprise Reporter).

When you are ready to proceed, see Starting the Upgrade.

STARTING THE UPGRADE To begin upgrading Akonix Enforcer, follow the steps below. IMPORTANT! Before you begin, please read the information in Before You Upgrade.

Notes

Do not uninstall Akonix Enforcer version 3.1 before you upgrade to Akonix Enforcer version 3.2.

You must follow this procedure on each computer that has components of Akonix Enforcer installed. You cannot run different components from different versions of the product.

To upgrade the Akonix Enforcer Data Warehouse, run Setup on the computer from which the Akonix Enforcer Data Warehouse was previously installed—which is not necessarily where the database itself is located. If SQL Server is on a different computer from where Akonix Enforcer was installed, then Setup will not recognize the SQL Server itself as having an installation of Akonix Enforcer. The computer from which the Akonix Enforcer Data Warehouse was previously installed should have a DB\ subfolder in the version 3.1 program files folder (by default, C:\Program Files\Akonix\Enforcer 3.1\DB\).

You must have administrative rights on the computer in order to run Setup.

To Start the Upgrade Do one of the following.

If you run the program from the Web site, Setup should start automatically.

If you download it and save the download package, simply run the downloaded program to begin the installation.

13


UPGRADE PROMPT After the Setup files are extracted, a message is displayed that the installation program has detected a previous version, and asking if you want to upgrade to Akonix Enforcer version 3.2. Choose Yes to begin the upgrade process.

EXISTING FOLDER Specify the full path to the location of the installed program files for your previous version of Akonix Enforcer (default C:\Program Files\Akonix\Enforcer 3.1\). To locate the installation folder, click Browse.

UPGRADE DESTINATION LOCATION Setup prompts you to choose a folder for the new program files. This is the top-level folder for Akonix Enforcer on this computer. All components from the new version of the software that are installed on this computer, either now or later, are placed in subfolders of this top-level folder. To change the default installation folder, enter the full path of the directory into which you want to install Akonix Enforcer version 3.2, or click Browse to locate the folder. When you choose Next, Akonix Enforcer version 3.1 is uninstalled. IMPORTANT! On some systems the uninstall process could take some time. Setup waits up to 10 minutes for the uninstall process to complete. During this time it might appear that nothing is happening, but it is important that you let uninstallation run for the entire timeout period. If Akonix Enforcer version 3.1 cannot be uninstalled within that time, Setup displays an appropriate message and then exits. Note: If Setup detects archived log files in the existing folder for the Data Transformation Server, then it prompts you to copy them to the new archive folder for version 3.2. To protect against accidental erasure, instead of moving the files Setup copies them to the new location. Depending on the amount of archived data you have, this could take a considerable amount

14


of time. However, the original files are deleted, so if you choose not to copy them you will lose the archived data.

START COPYING UPGRADE FILES Setup then displays a confirmation screen showing which components of Akonix Enforcer version 3.2 will be installed. For more information, see Select Components. Note that you will not see an option to install "Data Warehouse (MSDE Version)" as you are installing into an existing Microsoft SQL Server installation. After you choose Next, Setup begins copying files. This might take several minutes. After file copying is complete, Setup begins the configuration of product components, displaying configuration screens for the components being upgraded. (Depending on the computer’s configuration, the computer might have to be restarted first. If so, Setup automatically continues after the restart.) Note: If you choose the Cancel button at any subsequent point in the installation, only the component configuration is canceled. After Setup is complete, you can complete the configuration by running the file L7InitializationWizard.exe from the installation folder (default C:\Program Files\Akonix\Enforcer 3.1\).

DATA WAREHOUSE UPGRADE The following information is required to upgrade the Akonix Enforcer Data Warehouse.

Database Administrator

Database Backup

Upgraded Database Creation

DATABASE ADMINISTRATOR Setup prompts for SQL logon information, as follows:

15


SQL Server name or IP address Specify the IP address or the computer name of the SQL Server (or MSDE) installation that hosts the Akonix Enforcer Data Warehouse. (This can be the same computer as the one you are installing on.)

Login Name / Password Specify a valid SQL Server login name and password for creating new databases. SQL Server must be using mixed-mode authentication. If you originally installed the database with MSDE, the default administrator user name is sa.

DATABASE BACKUP If you are upgrading from Akonix Enforcer 3.0, before upgrading the database, Setup makes a backup of your existing database. Depending on the size of your database, this could take many minutes or even hours. If you are upgrading from Akonix Enforcer 3.1, you will not see this dialog box as the database does not need to be converted to version 3.2 (the same database format is used in 3.1 and 3.2). Choose Next to start the backup. Once the database backup is complete, choose Next to upgrade it to the new version.

UPGRADED DATABASE CREATION After you enter the database information, Setup displays a confirmation screen showing the settings you specified. Choose Next to begin the installation of the database. You should see installation progress items appear on the next screen as the installation proceeds. Note: If you are upgrading from version 3.1, the file names of the database files are not updated; they are still ENF31.mdf and ENF31.ldf. If you are upgrading from version 3.0, although you have upgraded to Akonix Enforcer version 3.2, the new database is named EN31. When the database installation is complete, choose the Next button to continue.

16


UPGRADE COMPONENT CONFIGURATION During an upgrade, you are prompted for the following configuration items. IMPORTANT! Do not cancel the configuration wizard during an upgrade. If you do, some items might not be migrated.

1. Akonix Enforcer System Administrator Password You must use the administrator password you have already configured on the system. Passwords are case-sensitive. Note: If you specify an incorrect password or have multiple components with different passwords, you might be prompted for passwords again later in the process. For details, see Akonix Enforcer Administrator Password in the Configuration documentation.

2. Identity Server IP Address You must specify the IP address of an Identity Server to use when identifying users. If you are installing the L7 Gateway, this screen configures the L7 Gateway to point to the Identity Server. If you are installing the Akonix Enforcer component, this screen configures the Enforcer component to point to the Identity Server For details, see Identity Server IP Address in the Configuration documentation.

3. Akonix Enforcer Upgrade If you are upgrading from version 3.0, you need to specify the location of the existing data so that it can be upgraded. Specify the path to the \Akonix Enforcer\Data\data.schema file in the Akonix Enforcer 3.0 Program Files folder. You are not prompted to enter the location of the schema file if you are upgrading from Akonix Enforcer 3.1. For details, see Akonix Enforcer Upgrade in the Configuration documentation.

4. Service Credentials For details, see Configure Service Credentials in the Configuration documentation.

5. Start Services Setup starts the services so they are ready to use.

6. License Alert E-mail Address Provide an e-mail address to be notified of licensing violations. This provides some warning when your license is about to expire. For details, see License Alert E-Mail Address in the Configuration documentation.

17


7. Migrate Scheduled Reports To upgrade report schedules, you must provide valid account credentials for running the scheduled tasks. For details, see Akonix Enterprise Reporter Configuration in the Configuration documentation.

8. DTS Database Connection Information Setup prompts you to specify connection information for the Akonix Enforcer Data Warehouse so that the Data Transformation Server can write to it. For details, see DTS Database Connection Information in the Configuration documentation.

9. Logged Data Sources The Data Transformation Server moves data from various servers into the Akonix Enforcer Data Warehouse. Use the Add button to add the IP addresses and logon information for the servers you want to be able to archive data or generate reports from. For details, see Logged Data Sources in the Configuration documentation.

10. Configure Internal Subnets Specify the IP addresses, masks, or ranges of any computers that are internal to your network. Akonix Enforcer uses this information to determine which user or users to block when it detects a peer-to-peer connection between two users. For details, see Configure Internal Subnets in the Configuration documentation.

Once the configuration is complete, choose Finish to complete Setup. If you have other components of Akonix Enforcer installed on different computers, be sure to run Setup on those computers to upgrade them as well.

18


INSTALLATION PLANNING This section contains information that you should review before installing the product.

System Requirements

Database Server Options

Connectivity Checks

SYSTEM REQUIREMENTS This section lists the minimum requirements for running Akonix Enforcer.

Component Requirements

Enforcer Hardware Intel Pentium III 500 MHz or faster processor (minimum); 2.0 GHz recommended. 1 GB RAM. A network card that runs in promiscuous mode (allows all network traffic). One of the following.

A non-modular or “dumb” hub that does not perform any switching. A switch with a monitor port.

Many different companies sell hubs or switches that you can use with the Enforcer component. An example of one such hub with which the software has been tested is the Cisco 1538 Series Micro Hub 10/100 from Cisco Systems.

For details about setting up the hardware for the Enforcer component, see Enforcer Hardware Setup.

Operating System One of the following:

Windows Server 2003. Windows 2000 Server with Service Pack 1 or later.

19



Identity Server Operating System One of the following:

Windows Server 2003. Windows 2000 Server with Service Pack 1 or later. Windows NT 4.0 Server with the following updates:

Service Pack 6a. Microsoft Data Access Components (MDAC) version 2.5 or later. Microsoft Internet Explorer 5.0 or later.

Directory Service Akonix Enforcer can be synchronized with the following types of user directory services.

Windows domains (both Active Directory and Windows NT 4.0 domains). Novell eDirectory version 8.7.


Hardware Intel Pentium III 400 MHz or faster processor.


Windows Server 2003. Windows XP Professional Windows 2000 (Professional or Server) with Service Pack 1 or later. Note: Service Pack 2 or later is recommended because it corrects a Microsoft Management Console issue that could cause Akonix Enterprise Manager to crash when you resize the window panes. Windows NT 4.0 (Workstation or Server) with the following updates installed.


20



Akonix Enterprise Manager, con't

Note: Microsoft Management Console (MMC) version 1.2 must also be installed. MMC is automatically installed with Akonix Enterprise Manager if it is not already on the computer.



Windows Server 2003. Windows 2000 Server with Service Pack 1 or later. Windows NT 4.0 Server with the following updates installed.



Hardware Intel Pentium III 400 MHz or faster processor. 256 MB RAM or greater. 1 GB or more of free hard disk space.


Windows Server 2003. Windows 2000 Server with Service Pack 1 or later. Windows NT 4.0 Server with the following updates installed.


21



Akonix Enforcer Data Warehouse, con't

Database Server One of the following:

Microsoft SQL Server 2000. Microsoft SQL Server 7.0. Microsoft Data Engine (MSDE). MSDE is included free with Akonix Enforcer. However, with MSDE the Akonix Enforcer Data Warehouse is limited to 2 GB in size. For more information about the differences between MSDE and the full version of Microsoft SQL Server, see Database Server Options.


Hardware Intel Pentium III 400 MHz or faster processor.


Windows Server 2003. Windows XP Professional Windows 2000 (Professional or Server) with Service Pack 1 or later. Windows NT 4.0 (Workstation or Server) with the following updates installed.


22



Managed Client Computers

Computer Type One of the following:

IBM-compatible PC with one of the following operating systems:

Windows XP. Note: The Windows XP personal firewall must be turned off in order for Windows XP users to be managed via directory accounts. For more details, see Overview of User Identification in the Administration documentation. Windows Server 2003. Windows 2000. Windows NT 4.0. Windows 98.

Apple Macintosh with Mac OS X.

For details about the instant messaging clients supported, see Managed Protocols.

23


DATABASE SERVER OPTIONS Akonix Enforcer stores reporting data in a SQL database hosted by Microsoft SQL Server. If you don’t have Microsoft SQL Server, you can install MSDE, a “lite” version provided free with Akonix Enforcer. MSDE databases are limited in size so it might not meet your needs indefinitely, but you can upgrade to the full version of Microsoft SQL Server even after Akonix Enforcer is running. Simply run SQL Server Setup to automatically upgrade MSDE. You might be able to continue to use MSDE if there is a small amount of managed traffic on your network, or if you want to periodically start over with a new database. The maximum size of the Akonix Enforcer Data Warehouse with MSDE is 2 GB. If your database approaches this limit, you must upgrade to the full version of SQL Server in order to continue using it. For more information about MSDE, visit the Microsoft Web site (http://www.microsoft.com). If you choose to use the full version of Microsoft SQL Server instead of starting with MSDE, you must have your own copy of SQL Server, and you must install it before you install Akonix Enforcer. Follow the installation instructions provided with SQL Server.

Notes

The version of MSDE provided with Akonix Enforcer is MSDE 2000, based on Microsoft SQL Server 2000. If you install MSDE and then want to upgrade to SQL Server, you must use Microsoft SQL Server 2000 or later.

SQL Server must be configured to use mixed mode authentication in order to use it with Akonix Enforcer. Akonix Enforcer does not authenticate to the database via Windows accounts.

Akonix Enforcer does not work with non-default named instances of SQL Server 2000.

IMPORTANT! You should not install MSDE and the full version of SQL Server on the same computer.

CONNECTIVITY CHECKS Before you install Akonix Enforcer, you should make sure that the appropriate components of your network environment are functioning properly without Akonix Enforcer. That way, in the event you encounter difficulties during or after the installation of Akonix Enforcer, you can more effectively narrow down the source of the problem.

24


Communications Checks Listed below are some communications you can attempt in order to ensure that the system is functioning properly. You can test the communications by opening an MS-DOS style command prompt on the computer you are starting at, then entering PING target to test the connection, where target is the IP address of the computer you want to get to. You should see several lines that start with Reply from IP address.... Run this command on each of the computers that will run Akonix Enforcer and related components listed in the following table.

Computer Should Be Able to Ping

Enforcer Identity Server.

Data Transformation Server.

The Akonix Enterprise Manager computer.

Identity Server Enforcer.

Domain controller.

Managed clients. You should check at least one client computer on each subnet you want to manage with Akonix Enforcer.


Enforcer.

Akonix Enforcer Data Warehouse.



The Akonix Enterprise Reporter computer.


Enforcer.

Identity Server.



Akonix Enforcer Data Warehouse.

25


NETWORK & FIREWALL CONFIGURATION This section discusses the domain controller configuration settings you might need to verify or change in order to use Akonix Enforcer.

DOMAIN CONTROLLER CONFIGURATION For Akonix Enforcer to be able to determine the network credentials of managed users, you must ensure that certain settings are present on your Windows domain controllers if you have any of the following.

Windows NT 4.0 domain controllers.

Windows 98 client computers being managed by Akonix Enforcer.

If any of the above conditions is true, the following must be configured in order to ensure proper identification.

Certain security events must be logged to the security event log. Akonix Enforcer monitors the security log for logon and logoff events. To Log Security Events on a Windows NT 4.0 Domain Controller

1. Open User Manager for Domains. By default it is on the Windows Start menu under Programs/Administrative Tools (Common).

2. From the Policies menu, choose Audit. 3. Choose Audit These Events. 4. Check the options indicated below.

Security Setting Events to Log

Logon and Logoff Success Failure

File and Object Access Success

Use of User Rights Success

26


To Log Security Events on a Windows 2000 Domain Controller 1. In Windows Control Panel, open Active Directory Users and Computers. 2. In the console tree (usually on the left), expand Active Directory Users and

Computers, expand the domain name, and then select Domain Controllers. 3. From the Action menu (or the right-click context menu), choose Properties. 4. On the Group Policy tab, choose the policy you want to change, then choose

Edit. 5. In the Group Policy window, in the console tree, expand Computer

Configuration, then Windows Settings, then Security Settings, and then Local Policies. Select Audit Policy.

6. In the details pane, open each of the following attributes to set the options indicated below. You can open each one by double-clicking it, or by selecting it and choosing the Action menu, then Security.

Security Setting Events to Log

User and Group Management Success

Security Policy Changes Success

Restart, Shutdown, and System Success

Process Tracking Success

Security Setting Audit these attempts

Audit account logon events Success Failure

Audit account management Success

Audit directory service access Success

Audit logon events Success

Audit object access Success

27


The security event log settings should be updated to automatically overwrite the log as needed. If you don’t do this, the log could fill up, preventing any further events from being logged. To Configure the Event Log to Overwrite Events

1. Open Windows Event Viewer. By default it is on the Windows Start menu, under Programs\Administrative Tools\Event Viewer.

2. Open the security event log properties by doing one of the following.

Windows 2000 a. In the console tree, select Security Log. b. From the Action menu (or the right-click context menu), choose

Properties. c. Choose the General tab.

Windows NT 4.0 a. From the Log menu, choose Log Settings. b. In the Change Settings for list, choose Security.

3. Set the Maximum log size value to 2048 KB. This helps ensure that events do not get overwritten too quickly.

4. Choose Overwrite events as needed for the event log wrapping action. 5. Choose OK.

The Autodisconnect value in the registry should be increased. This value determines the amount of time before a logoff is automatically reported to the security event log (even if the user has not logged off). The default value is 15 minutes, but if a first-time managed user does not start instant messaging within 15 minutes of starting the computer, then the user might not be properly identified. To help ensure that users are identified when needed, change the Autodisconnect value to 12 hours (720 minutes). The path to this registry value is

Security Setting Audit these attempts

Audit policy change Success

Audit privilege use Success

Audit process tracking Success

Audit system events Success

28


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserverFor more details about this setting, see Microsoft Knowledge Base Article 138365, which is available on the Microsoft Web site (http://www.microsoft.com).

29


AKONIX ENFORCER SETUP This section describes the installation of the software components of Akonix Enforcer.

Enforcer Hardware Setup

Running the Akonix Enforcer Setup Program

ENFORCER HARDWARE SETUP To block unauthorized traffic, the Enforcer component must be able to see all the traffic that tries to get out to the Internet.

The computer running the Enforcer component must be connected to the firewall or router that resides between your network and the Internet.

If you have multiple entry points to your network, you might need to install a copy of the Enforcer component at each one.

30


You must use one of the following devices to connect the Enforcer component to the firewall or router.

A switch with a monitor port. Most such monitor ports are read-only, so you’ll need to add a second connection to allow the Enforcer component to communicate out. A non-modular or “dumb” hub that does not perform any switching. In this case, the Enforcer component will be able to see all the traffic that cross the hub.

The switch or hub must also be connected to the internal network card of the firewall or router, which sees the traffic inside your network.

RUNNING THE AKONIX ENFORCER SETUP PROGRAM All components of Akonix Enforcer are installed from the same Setup program. Before running Setup, you should review the component descriptions. Components can be installed anywhere on the network, but each one must be able to communicate with certain other components of Akonix Enforcer as well as certain other computers on the network. See Connectivity Checks for a set of tests you can perform. See the following sections for details about running Setup.

Starting Setup

Modify Installation

Setup License Agreement

Choose Destination Location

Select Components

Start Copying Files

Data Warehouse Setup

Component Configuration

Finish Setup

31


STARTING SETUP Notes

You must have administrative rights on the computer on which you run Setup.

MSDE cannot be installed over a Windows Terminal Services connection. To install the Akonix Enforcer Data Warehouse with MSDE, you must be physically at the computer to which you are installing it.

To Start Setup Do one of the following.

If you run the program from the Web site, Setup should start automatically.

If you download it and save the download package, simply run the downloaded program to begin the installation.

MODIFY INSTALLATION If you already have components from Akonix Enforcer version 3.2 installed on this computer, you’ll see the following options. Note: If you have a previous version of Akonix Enforcer installed, this is considered a new installation and you will not see this screen.

Modify This option lets you add and remove components from the installation.

Repair This option reinstalls all the components that were already installed. Data files are left intact, and only the program files are reinstalled. If you choose this option, you do not have to provide Setup with any additional information.

Remove This option uninstalls Akonix Enforcer. For further details, see Uninstalling Akonix Enforcer Software.

32


SETUP LICENSE AGREEMENT If this is a new installation, Setup prompts you to read and accept the license agreement. You must choose Yes to accept the license agreement before you can continue the installation.

CHOOSE DESTINATION LOCATION If this is a new installation, Setup prompts you to choose a folder for the program files. This is the top-level folder for Akonix Enforcer on this computer. All components from the current version of the software that are installed on this computer, either now or later, are placed in subfolders of this top-level folder. After specifying a folder, choose Next.

33


SELECT COMPONENTS Check the boxes next to the product components you want to install on this computer. IMPORTANT! The Enforcer component must be installed at a specific location on the network. For details, see Enforcer Hardware Setup.

Data Warehouse (Existing SQL Server) is unchecked by default. This option is for installing the Akonix Enforcer Data Warehouse (the reporting database for Akonix Enforcer) into an existing Microsoft SQL Server installation. You can choose this option even if SQL Server is installed on a different computer, as long as Setup can communicate with that copy of SQL Server over the network. Note that the installation of SQL Server that you use for the Akonix Enforcer Data Warehouse must be configured to use mixed mode authentication. Data Warehouse (MSDE Version) installs the MSDE database server software in addition to the actual database. This option is available only if neither SQL Server nor MSDE is already installed on the computer. Note that MSDE cannot be installed over a Windows Terminal Services connection, so you must be physically at the computer that you are installing to.

34


The two options are identical except for the installation of the MSDE software. If MSDE has already been installed (perhaps by another database application), then the Data Warehouse (MSDE Version) option does not appear. Akonix Enforcer can use the installed copy of MSDE for its own database, treating MSDE as an existing SQL Server installation.

START COPYING FILES Setup then displays a confirmation screen so you can review your settings before the installation actually begins. If you need to make changes, choose Back until the appropriate screen appears. Otherwise, choose Next. After you choose Next, Setup begins copying files. This might take several minutes. After file copying is complete, Setup begins the configuration of product components, displaying configuration screens for any new components being installed. (Depending on the computer’s existing configuration, the computer might have to be restarted first. If so, Setup automatically continues after the restart.) Note: If you choose the Cancel button at any subsequent point in the installation, only the component configuration is canceled. After Setup is complete, you can complete the configuration by running the file L7InitializationWizard.exe from the installation folder (default C:\Program Files\Akonix\Enforcer 3.2\).

35


FINISH SETUP After Setup is complete, you are prompted to restart the computer if necessary. Choose Yes, I want to restart my computer now, then choose Finish. Note: If the computer does not require a reboot and you have installed Akonix Enterprise Manager, this screen shows the option to start Akonix Enterprise Manager instead.

36


UNINSTALLING AKONIX ENFORCER This section describes the uninstallation procedures for Akonix Enforcer.

Uninstalling Akonix Enforcer Components

Uninstalling MSDE

UNINSTALLING AKONIX ENFORCER COMPONENTS This section describes the uninstallation procedure for the components of Akonix Enforcer running under Windows. Note: This procedure removes all components that are installed on the computer. If you have components installed on multiple computers, you must perform these steps on each computer that you want to remove them from.

To Uninstall Components of Akonix Enforcer From a Computer

1. Close all open programs.

2. In Windows Control Panel, open Add/Remove Programs (Start\Settings\Control Panel\Add/Remove Programs).

3. Select Akonix Enforcer 3.2 in the list.

4. Choose the Change/Remove button.

5. In the Setup wizard window, do one of the following. To remove all installed components, choose Remove, then Next, and confirm the prompt to continue. To only some components, choose Modify, then choose Next. Clear the boxes next to the components you want to uninstall, then choose Next again.

37


6. The next screen shows a summary of the actions to be performed. Choose Next.

7. When uninstalling certain components, you can choose to remove data files. If you remove them, and you reinstall Akonix Enforcer at a later time, you must configure Akonix Enforcer again. Note: The reporting database is never removed, even if you choose to remove data files. If you installed the Akonix Enforcer Data Warehouse with MSDE and you want to remove these files, you must first uninstall MSDE, then manually delete the files. (They are located in the MSSQL7\Data\ folder on the computer’s system drive.)

8. The following additional prompts might appear. You might see one or more prompts indicating that files are locked. Choose the Reboot button to have the system delete the file automatically after the computer is restarted. Note: After you choose Reboot, nothing further happens until the lock on the file is released. (Setup appears to hang.) A file is usually locked because an application is using it. For example, if you used Windows Event Viewer to view events logged by Akonix Enforcer, then started the uninstall process without closing Event Viewer, you might see this behavior. You can release the lock by closing Event Viewer or the relevant application. You might also see one or more prompts warning that shared files could potentially be in use by other programs. Usually the file is not actually in use by another program, but to be safe, you can choose No to avoid affecting any other programs.

9. Restart the computer.

38


Note: After you uninstall Akonix Enforcer, any remaining event messages logged by AkonixEnforcer in the Windows Application event log might appear corrupted and unreadable, or they might contain text such as the following. The description for Event ID ( number ) in Source ( component ) could not be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: message. This is expected behavior and occurs because the files containing event message information are removed from the system during uninstall.

UNINSTALLING MSDE If you installed the Akonix Enforcer Data Warehouse with MSDE and have uninstalled the Akonix Enforcer Data Warehouse, then you can also uninstall MSDE. MSDE is not automatically removed when you uninstall Akonix Enforcer; you must uninstall MSDE separately. Note: It is possible that programs other than Akonix Enforcer are using the same installation of MSDE to store data. Before uninstalling MSDE, make sure that no application you need to keep running is using it.

To Uninstall MSDE

1. In the system tray (usually in the lower right corner of the screen), right-click the MSDE icon and choose MSSQLServer - Stop, confirming any prompts.

2. Right-click the MSDE icon again and choose Exit.

3. Open Windows Control Panel Add/Remove Programs (Start\Settings\Control Panel\Add/Remove Programs).

4. Select Microsoft SQL Server Desktop Engine in the list.

5. Choose the Change/Remove button, and confirm the prompt to continue.

6. You might see one or more prompts warning that shared files could potentially be in use by other programs. Usually the file is not actually in use by another program, but to be safe, you can choose No to avoid deleting it.

7. Restart the computer.

39


SUPPLEMENTAL This section provides additional reference material that you might find useful.

Command Line Interface

Network Ports

Product Version Information

Backing Up and Restoring System Settings

Glossary

40


COMMAND LINE INTERFACE Akonix Enforcer provides a command line interface that lets you stop and start server components, which run as Windows services. Although you can stop and start the individual services using the normal Windows interface, the interface for Akonix Enforcer lets you control all the services at the same time. The command-line program is enf.exe, located in the Util subfolder of the product installation folder. This folder is added to your system PATH environment variable during installation, so you should be able to use it without specifying the path to it.

Command Line Syntax enf [[start | stop | restart | status] [identity | enforcer | dts] [computer]] | [help]

Parameters Description

start stop restart status

These are the actions that can be performed on the services. You can specify only one action. If you do not specify any command line parameters, Help is displayed. Note: You must have the access right to stop and start services in order to use any of the commands except for status.

identity enforcer dts

These are the services that can be controlled.

You can explicitly specify only one service.

If you do not specify a service, the action is performed on all installed components.

computer This is the computer where the services are installed. This computer must be reachable on the network. You can specify any of the following.

Windows computer name.

Domain Name System (DNS) host name.

IP address. If you do not specify a computer, the action is performed on the computer running the command line program.

help This option displays Help for the command line program.

41


Examples enf stop Stops all services on the current computer.

42


NETWORK PORTS Software products communicate with each other over specific network ports that the receiver “listens on”. This section lists the port numbers used by Akonix Enforcer and related products.

Akonix Enforcer Network Ports Each component of Akonix Enforcer must communicate with one or more other components in order to function properly. Each component uses one or more specific network ports on the computer where it is installed to listen for communications from other computers. The default port numbers are listed below. Akonix Enforcer uses only TCP network ports.

Database Server Network Port Microsoft SQL Server (and MSDE) uses port 1433 to listen for connection requests from client applications. Akonix Enterprise Reporter connects to SQL Server over this port.

Port Number Component Listens For

9030 Data Transformation Server

Akonix Enterprise Manager communications.

9023 Identity Server All of the following.


DTS requests for logged activity data.

9024 Enforcer All of the following.


Data Transformation Server requests for logged activity data.

10011 Identity Server User identification requests.

43


PRODUCT VERSION INFORMATION You can view detailed version information about the files installed with Akonix Enforcer by running the version program installed with the product. This is a command-line program located in the Util subfolder of the installation folder. This folder is added to your system PATH environment variable during installation, so you should be able to use it without specifying the path to it. When you run the version program, it displays the version information about all of the program files in your installation of Akonix Enforcer. It also creates a text file with the same information. The file is named enfVersionInfo.txt and is stored in the folder from which you run the program (which might not be the same as the folder that contains the program).

Command Line Syntax enfVer [/L:path] | [/?]

Parameters Description

path This is the full path to the program files folder for Akonix Enforcer. If the path contains spaces, enclose it in quotation marks ( " " ). If you do not specify a path, the program checks the environment variable ENFROOT for the location of the program files. This environment variable is set automatically when you install Akonix Enforcer.

/? This option displays Help for the command line program.

44


BACKING UP AND RESTORING SYSTEM SETTINGS All of the system settings for Akonix Enforcer are stored in subfolders of the program files installation folder (by default, Akonix\Enforcer 3.2\). You can back up the configuration of the system by making copies of the appropriate files and folders. For backup purposes, you might find it easier to simply copy the entire installation folder. This also ensures that nothing is accidentally left out. Backup and recovery can be done on a server-by-server basis.Note: The reporting database is the only data item that is not usually stored in the installation folder for Akonix Enforcer. The location of the database was specified when the Akonix Enforcer Data Warehouse was installed.

To Back Up an Installation of Akonix Enforcer

1. Stop all services for Akonix Enforcer.

2. Make a backup copy of the installed program files folder for Akonix Enforcer (by default, Akonix\Enforcer 3.2\).

3. Restart all services for Akonix Enforcer.

To Restore a Backed Up Configuration IMPORTANT! Only restore a backup to the same version of Akonix Enforcer. If you attempt to restore a backup from an earlier version to a later version, the system might not function correctly.

1. Stop all services for Akonix Enforcer.

2. Restore the following items from your backup copy to the installed program files folder. Subfolder names end with a backslash ( \ ).

45


3. Restart all services for Akonix Enforcer.

Component Items to Restore

Identity Server Data\

Enforcer Data\ Log\

Data Transformation Server *.log Archive\ Data\ DTSDrop\

Akonix Enterprise Reporter Schedules\ Templates\

46


GLOSSARY You might encounter some of the following terminology in Akonix Enforcer and its documentation.

bandwidth The capacity of a communications link, usually expressed in terms of how much data can pass through the link in a given amount of time (for example, 100 Mbps, or megabits per second).

Data Transformation Server The component of Akonix Enforcer responsible for keeping the information in the Akonix Enforcer Data Warehouse up to date.

Akonix Enforcer Data Warehouse The reporting database for Akonix Enforcer. It contains logged information about managed communications. Information can be retrieved from the Akonix Enforcer Data Warehouse by creating reports with Akonix Enterprise Reporter.

instant messaging (IM) service A provider of instant messaging software and functionality.

IP address A set of numbers that uniquely identifies a computer via the Internet protocol (IP). It is written as a series of numbers separated by periods (for example 10.0.0.11).

policy In Akonix Enforcer, a set of rules that govern communications.

rogue protocol A network protocol whose behavior is not easily controlled. Rogue protocols are generally newer protocols such as instant messaging and peer-to-peer file sharing. They frequently employ techniques like port scanning and tunneling to evade standard network security measures.

47

Akonix Systems, Inc. 600 B Street 18th Floor San Diego, California 92101 [email protected] www.akonix.com

Akonix Enforcer Version 3.2 Installation Guide€¦ · Akonix Enforcer Installation Guide Contents...

Documents

Transcript of Akonix Enforcer Version 3.2 Installation Guide€¦ · Akonix Enforcer Installation Guide Contents...