
CROSSTEC CORPORATION

NetOp White Paper – NetOp Desktop Firewall Deployment

Deploying the NDF with GPO’s


Prepared by Albert Caballero

Deploying the NetOp Desktop Firewall with Group Policy Objects

© Crosstec Corporation 500 NE Spanish River Blvd. • Suite 201 Phone 800.675.0729 • Fax 561.391.5820

www.CrossTecCorp.com


Table of Contents

1. Introduction
2. NDF Installation
3. NDF Setup and Configuration
4. Active Directory Deployment - Setup and Preparation
   a. Create the Installer Transform (.MST) file
   b. Setup Deployment Directory
   c. Create and Link Group Policy Object in Active Directory
5. Test Your Solution

Introduction

When dealing with any application that must be installed on every node of your corporate network, there are always challenges involved, such as deployment, configuration and management. With distributed software firewalls such as the NetOp Desktop Firewall (NDF), some of these challenges are met by the inherent design of the software, such as a central configuration and management console. So how do you deploy the software so that it will be in place for you to actually configure and manage? Some vendors use complex methods, such as requiring that a web server and email clients be installed, or provide proprietary distribution methods that require plenty of setup time. If you aren’t familiar with the program this could cause some frustration and loss of valuable time. Because the NDF is conveniently packaged as a Windows Installer (.MSI) package, there are typically three main methods of deploying it:

1. If in a Windows Active Directory environment the quickest and most reliable way of distributing software is usually through Group Policy Objects.

2. Good ol’ fashion scripting. You can always write a script for just about anything and software installation is no exception. The NDF offers many switches for the .msi package that will prove handy if you are forced to go this route (i.e. non AD environments).

3. Third party software distribution. Many corporations have their own homegrown method of distributing software or use management suites such as SMS or Novell services to deploy new software across their enterprise.

This document is meant to provide a step by step guide for method 1 listed above: Deployment of the NetOp Desktop Firewall using MS Active Directory Group Policy Objects. The steps outlined in this document will include the short list below and must be done in sequence for the deployment to be successful:

1. NDF Client Installation.
2. NDF Client Setup and Configuration.
3. Active Directory Deployment - Setup and Preparation.
4. Test your solution - Deploy.

This document is not meant to be a how to for the NDF or the NPS (NetOp Policy Server); it strictly deals with deploying the NDF client through MS Group Policy. Any software distribution or application should always be thoroughly tested in a lab environment BEFORE deploying in a production network or to production machines. For Quick Install Guides or other documentation on NetOp products please visit our Resources web site: http://www.crossteccorp.com/whitepapers/index.html


NDF Installation

To successfully deploy a NetOp Desktop Firewall that has been preconfigured to connect to the NetOp Policy Server upon installation, the first step is to manually install and configure a single NDF client on a single machine. Once this has been done we can use these configuration and license files to create a package that will allow us to deploy using Group Policy.

First you must download the Setup.msi package for the NDF from Danware’s Knowledge base http://help.netop.com/download/current_df/windows/updateuk.htm and execute it, or run the CD provided by your vendor. You will be presented this dialog once installation begins:

Click Next > Accept the License Agreement as well as the Default Program Directory and go through the screens until you arrive at the Reg. Number and Reg. Key dialog shown on the next page. Here you will enter the numbers provided in the License.txt file in your downloaded zip or in the email sent to you from your vendor (some trials will not prompt you for license numbers). NOTE: The first time you register or install your product you must have Internet access. If you encounter trouble with anything call for free tech support at 1-800-675-0729.


Click Next > then Click Install


You will be requested to reboot your machine for the installation to complete. Once you reboot, the Setup Wizard begins. Click Next > through the default screens:

You can configure some options through this wizard, but we will be configuring our NDF later. Once your NDF is installed and minimized to the tray you’ll see this icon:

The NDF is now installed and you can use the current installation files to deploy, but first we must configure the NDF to connect to the Policy Server. This way, when it does get deployed it knows where the Policy Server is, so it logs on and downloads its Security Policy automatically and immediately.


NDF Setup and Configuration

Double click the NDF icon in the taskbar to bring up the NDF local administrator. I’ve checked the Show Hidden check box to display all of the automatically detected processes:

Once you have the NDF on your screen you need to configure the NDF to log on to the NetOp Policy Server (or create any default configuration you’d like). This step requires that you have a Policy Server already installed somewhere on your network and that you have predetermined how you will be assigning security policies, i.e. Active Directory groups, NetOp Policy Accounts, or the Anonymous account (everyone gets the same policy with Anonymous). Go to Tools > Options and find the Policy Server tab.


Insert the IP address of the NPS and click Log On.

If your log on is successful you will be presented with this dialog:

That’s it! Your NDF is now configured to connect to the NPS automatically. We can now concentrate on the setup and preparation for Active Directory deployment. At this point ALL configurations on the client including programs, ports, processes, profiles, IP trusts and bans will be controlled centrally via the NPS for all corporate endpoints running the NDF.


Active Directory Deployment

During this part of the paper we finally get into creating the files and directory we need for a successful GPO deployment, as well as creating the GPO itself. We will need Administrator access when creating and linking the GPO to our test OU, so for the sake of simplicity I have logged in as Domain Admin. The steps involved in setting this up are:

1. Create the Installer Transform (.MST) file.
2. Setup Deployment Directory.
3. Create and Link Group Policy Object in Active Directory.

Step 1

Creating the Installer Transform is actually quite easy. You will need access to the setup.msi file as well as to the PC where we installed the NDF in the previous section. The tool we will be using is found on the CD provided by your vendor or in your trial download and it is called NDFMST.exe. Here is a snapshot of the tool when you first run it:


First you locate the Original MSI file that was used to install the NDF and then you name your Output transform file. You can place this file anywhere you want for now and name it anything you’d like (I went with ndf_transform.mst and put it in my download directory C:\NDF). In the third step you will be locating the NDF.LIC file found in the program directory of the installed NDF client (usually: C:\Program Files\Danware Data\NetOp Desktop Firewall\NDF.LIC). Once these steps have been accomplished you must Add the NDF configuration files from the same client where we got the NDF.LIC. These files are in the same directory C:\Program Files\Danware Data\NetOp Desktop Firewall and all end with a .DAT extension. Click Add… under Additional files and select all files ending in .DAT.

Click Build. You now have an ndf_transform.mst file as well as the setup.msi.


Step 2

The next step is to create a network share which contains these two files. Typically this would be a share accessible by every machine you have a need to deploy to. On your share paste both the .msi and the .mst files and give Everyone at least Read permissions:

Step 3

When creating and linking a GPO we need access to Active Directory Users and Computers as well as the Group Policy Editor MMC. For the purposes of this deployment I will be creating an OU and GPO specifically for NetOp; however, you can incorporate this GPO setting into any other GPO and link it to any OU which already exists in AD:

Right click your GPO and go to Properties then click on the Group Policy tab - Click Open.


From the Group Policy Management console Right click your OU and select Create and Link GPO Here… then name your GPO and click it. You can see the Settings tab is empty:

Right click your Computer Configuration and click Edit which will bring up the Group Policy Object editor. Under Computer Settings go to Software Settings > Software Installation then right click and Click New > Package.


Select your .msi package from your network location (Note: do not browse to your local C:\ drive, you should browse the network for the share that was created in step 2) and when prompted select Advanced for your deployment method:

After selecting Advanced you will be presented with the Properties of your deployment package. You want to click on the Modifications tab (no other tab should require any changes). Here you will Click Add… and point to your transform file in the same share:


We should now be completely prepared to either add computer accounts to the OU we created, so that the software gets installed upon reboot, or link our newly created GPO to any other OU which already exists.

Before actually testing our solution we will verify that the GPO is linked to our test OU and that it is enabled with our new settings: open Active Directory Users and Computers, right click your new OU, and go to Properties > Group Policy > Open. Check the Settings tab of your new GPO and make sure the NDF is listed as an Assigned Application under Computer Configuration:

Once we have verified the existence of the GPO and its settings then we will add a computer account to the OU where the GPO is linked and reboot that computer to see if during the boot process the installation actually occurs.
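
Before computers are moved into the OU, the share from Step 2 is worth checking: a package assigned under Computer Configuration is installed at boot with system privileges, so any account able to replace setup.msi or ndf_transform.mst on the share controls what runs on every targeted machine. The PowerShell below is an added example, not part of the original white paper or a Crosstec tool; it flags share and NTFS entries that let non-admin accounts modify the two files and records their SHA-256 hashes. The server name FILESRV01, the share name NDFDeploy and the list of accounts allowed to write are assumptions, and it needs a file server with the SmbShare module (Windows Server 2012 or later).

```powershell
# Added example: audit the deployment share before computers join the OU.
# Placeholders (not from the paper): server FILESRV01, share NDFDeploy.
# setup.msi and ndf_transform.mst are the file names used in this paper.
$Server    = 'FILESRV01'
$ShareName = 'NDFDeploy'
$UncPath   = "\\$Server\$ShareName"
$Files     = 'setup.msi', 'ndf_transform.mst'

# Accounts that may hold write access; all others should be read-only.
$WriterPattern = '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|CREATOR OWNER|.+\\Domain Admins)$'

# NTFS rights that allow replacing or tampering with a file, plus the raw
# GENERIC_WRITE and GENERIC_ALL bits (0x50000000) that Get-Acl can report.
$Rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = ([int]$Rights) -bor 0x50000000

$findings = @()

# 1. Share-level permissions, queried on the file server over CIM.
Get-SmbShareAccess -Name $ShareName -CimSession $Server |
    Where-Object { "$($_.AccessControlType)" -eq 'Allow' -and
                   ("$($_.AccessRight)" -in 'Full', 'Change') -and
                   $_.AccountName -notmatch $WriterPattern } |
    ForEach-Object { $findings += "Share: $($_.AccountName) has $($_.AccessRight)" }

# 2. NTFS permissions on the folder and on each deployed file.
$paths = @($UncPath) + @($Files | ForEach-Object { Join-Path $UncPath $_ })
foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) { $findings += "Missing: $path"; continue }
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        $canWrite = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
        if ("$($ace.AccessControlType)" -eq 'Allow' -and $canWrite -and
            "$($ace.IdentityReference)" -notmatch $WriterPattern) {
            $findings += "NTFS: $($ace.IdentityReference) can modify $path"
        }
    }
    # 3. Record file hashes so a later swap of the package can be detected.
    if ($path -ne $UncPath) { Get-FileHash -LiteralPath $path -Algorithm SHA256 }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "No non-admin write access found on $UncPath"
}
```

Keep the recorded hashes with the change record for the deployment and compare them again whenever the package on the share is updated.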


Test Your Solution

I have moved a computer account into our new test OU as shown below:

During the boot process your Windows 2000 Professional or XP machine will go through some display messages such as: Applying Security Policy, Applying Software Policy, and then Installing Managed software NetOp Desktop Firewall (this is the message we are looking for). When we reboot our lab machine we should see the computer log into the NetOp Policy Server immediately.


The machine will reboot once after installing the package and we will then be able to verify the settings for ourselves by opening up the NDF GUI and seeing if we are logged into the server or not (we can also check the NPS console to see what Active Logons exist). Programs, ports, protocols or IP rules with a yellow lock indicate that the rule was retrieved from the Policy Server and cannot be overridden by the end user. You will also see a yellow and red icon in the taskbar which is different from the default green and red, indicating you’re logged on to a server:

All firewall rules, profiles, and processes can now be centrally configured and managed via the NetOp Policy Server Console:

You have now successfully deployed the NetOp Desktop Firewall as a Group Policy object. This means you have a distributed desktop firewall that not only has the ability to centrally control every process, port, protocol, and IP address on every end point of your network but you also have an easy way to deploy it across an Active Directory enterprise.

Prepared by Albert Caballero
