ESRS Policy Server Installation Guide-2.08-Windows-ADIntegration


ESRS Policy Server Installation Guide for Windows Active Directory Integration for User Authentication

Purpose

This document will serve as a guide to install and configure the EMC ESRS-IP Policy Manager to use Active Directory.

The Policy Manager is customer installable. Because of the information used for Windows Active Directory Integration for User Authentication, the customer should perform the install. This functionality is available in the Policy Manager, but the customer is responsible for the configuration and troubleshooting.

1. On Windows 2008 (any version), because of UAC, the installer MUST be run with “Run as Administrator”.

NOTE: Due to the use of User Account Control (UAC) in W2k8 R2 and some versions of W2k8 R1, the installers for the EMC Secure Remote IP Solution (ESRS2) components (Gateway Client and/or Policy Manager) must be executed in “Run As Administrator” mode to be installed successfully.

2. Launch the EMC ESRS-IP Policy Manager Installer. The following will pop up.


3. As long as you have all the information necessary for your installation, click Next to display the License Agreement screen, shown in the following figure.

4. In the License Agreement screen, read through the agreement and then click the option button next to “I accept the terms of the License Agreement”

5. When it becomes available, click Next to display the Choose Install Folder screen, shown in the following figure


6. In the Choose Install Folder screen, you can:

a. Keep the default folder, and click Next

b. Use a different folder / drive by clicking Choose to browse for the folder in which you want to install the software; when ready, click Next

7. Due to a limitation in the OpenDS application that is installed as part of the Policy Manager application, change the default path by deleting the space between Policy and Manager.

8. After you click Next in the Choose Install Folder screen, the Listening Port Screen appears


9. In the Listening Port screen, leave the default value (8090) unless you are required to use another port; in that case, type the number of the port on this computer through which Policy Server will communicate with agents running on your devices. If using SSL (port 8443), do NOT change the port to 8443, as this will cause communication issues to the Policy Manager.

10. Click Next to display the E-mail Server screen, shown in the following figure

11. In the E-mail Server screen, type the URL and port for your outgoing e-mail server. This email server will be used to send Request for Access emails and Policy Manager Error Emails

a. Leave the default email port unless you need to use a different port

12. Click Next to display the Default Notification Template screen, shown in the following figure. Review and make note of any changes you wish to make (this screen is read only).


13. Click Next to display the System Error Notification Settings screen, shown in the following figure

14. In the System Error Notification Settings, type the following information:

a. E-mail address to send to – Type the e-mail address of the Tomcat/Policy Server system administrator. When the system has problems, Tomcat will send an e-mail message to this address, notifying the individual of the problem

b. E-mail from address – Type the e-mail address that you want to use for the Policy Server. This address will appear in the From line of the e-mail message

c. Frequency (in minutes) of e-mails – If you want Tomcat to send the message once an hour (the default), continue to the next entry. Otherwise, type the number of minutes that you want Tomcat to wait between transmissions of the message, until the problem is resolved

d. Subject for System Error E-mails – Type the string that you want to use in the Subject line of messages from the system. The default Subject is “EMCPolicyManager System Error”. It is recommended that you include the Policy Manager IP Address or host name in the Subject for System Error field. This permits easy identification if you have more than 1 Policy Manager in your environment

15. Click Next to display the Audit Log screen, shown in the following figure

16. In the Audit Log screen, type the number of days you want to keep audit log information. The default number is 365 days. The audit log messages are available through the View Audit Log Entries page in the Audit Log component of the Policy Server application. You can always change this setting through the Configuration tab of that application (select Audit in the menu bar of the tab, and change the number of days in the Configure Audit Category page).

Note: This setting does not affect the number of audit log files (also containing a single day’s audit messages per file) saved to disk; you can change that setting in the PolicyManager.properties file.

17. Click Next to display the Host Name screen, shown in the following figure


18. Enter the Host Name or IP Address of the Policy Manager Server (this will be populated in the Request for Access email), then click Next to display the Use SSL screen, shown in the following figure

19. In the Use SSL screen, select Yes if you will use SSL for communications between the Policy Server and devices, or No if you are not using SSL

20. Click Next to display the EMC ESRS-IP Policy Server Service screen, shown in the following figure

21. In the EMC ESRS-IP Policy Server Service screen, select Install as a service check box if you want Policy Server installed as a service. Otherwise, leave it cleared

22. If you want Policy Server to start whenever you start or reboot the machine, select the Start Service check box.


23. Click Next to display the Backup screen, shown in the following figure

24. If you would like Policy Server to automatically back up the DB every day at 3am, select the Backup Database checkbox. Otherwise, leave it blank.

25. Click Next to display the first Directory Server Configuration screen, shown in the following figure

26. To use an existing Active Directory server, select Yes, and click Next to display the next Directory Server Configuration screen, shown in the following figure


27. In this second Directory Server Configuration screen, select Active Directory as your external LDAP directory server. Then, click Next to display the configuration parameters, shown in the following figure

28. In the Directory Server Configuration screen, enter the following information for your Active Directory LDAP directory server

Note: This user interface is only available during the install of the Policy Manager and is NOT available for reconfiguration. It is critical that the information is accurate. Punctuation and white space are critical for proper operation

a. Host Name – Type the name of the machine where your LDAP server is running. You can also type the IP address of the machine

b. Listening Port – Type the number of the port you are using for LDAP authentication


c. Directory Server Principal DN – Type the uid (the user name that you use to log in to the directory server as the administrator), ou’s, and o. Policy Server will use this uid when accessing the directory server for user authentication.

d. Directory Server Principal Password – Type the password that Policy Server will use when accessing the directory server for user authentication. This password must be the password associated with the user name (uid, ou, o) that you specified in the Directory Server Principal DN field

e. Confirm Directory Server Principal Password – Type the LDAP administrator password a second time to confirm it.

f. User Base DN – Type the information appropriate to your directory server setup, for example: ou=Users, ou=DRM, dc=qaad, dc=com (replace with the actual OU and domain names.)

g. Scroll down and fill in the rest of the fields

h. Group Base DN – Type the information appropriate to your directory server setup, for example: ou=Groups, ou=DRM, dc=qaad, dc=com (replace with the actual OU and domain names.)

i. Username Attribute – This is the attribute of a user entry that specifies the user's login username. For AD, this is usually 'sAMAccountName'. No quotes should be used when specifying values in the installer.

j. Static Group Name Attribute - This is the attribute of a group entry that specifies the group's name. For AD, this is usually 'cn'. No quotes should be used when specifying values in the installer.

k. User From Name Filter - This is the LDAP filter that is used to locate users by their login username within the LDAP tree. For example: 'sAMAccountName={0},ou=Users,<rest_of_environment_specific_ldap_domain>'. No quotes should be used when specifying values in the installer.


l. Group From Name Filter - This is the LDAP filter that is used to locate the members of a group within the LDAP tree. For AD, this is usually '(member={0})'. No quotes should be used when specifying values in the installer.

29. Click Next to display the Pre-Installation Summary screen, shown in the following figure

30. In the Pre-Installation Summary screen, review your installation selections. If necessary, click Previous to return to any of the other installation screens and change the selections

31. When ready, click Install. The Installer presents a progress screen while it copies the files to the machine, as shown in the following figure

32. When it completes the installation, the program displays the following screen


33. Click Done to exit the Installer.

34. Log in to the Policy Manager with a user who is a member of the APSAdmins Windows AD group to verify that you can access the Policy Manager.

35. Navigate through the application and verify proper operation


36. Click on the Administration tab and select Users, then verify that users in AD are properly enumerated
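
Because the step 28 Directory Server Configuration screen cannot be reopened after installation, it helps to check the values before typing them in. The following is an added example, not part of the EMC guide or the installer: a Python check for stray quotes, leading or trailing spaces, typographic characters picked up by copy and paste, and malformed DNs or filters. The `lint` function, its rules and the `SAMPLE` values are assumptions made for this illustration; whatever validation the installer itself performs is not described in this guide.

```python
import re

# Field names are those of the step 28 screen. The password fields are left
# out on purpose: they should not be typed into a script or file.
DN_FIELDS = {"Directory Server Principal DN", "User Base DN", "Group Base DN"}
FILTER_FIELDS = {"User From Name Filter", "Group From Name Filter"}
ATTR_FIELDS = {"Username Attribute", "Static Group Name Attribute"}
# Characters that word processors substitute on copy and paste.
PASTE_DEBRIS = "\u2018\u2019\u201c\u201d\u00a0\u200b\t"

def lint(values):
    """Return (field, problem) pairs for values about to be typed in."""
    problems = []
    for field, value in values.items():
        if value != value.strip(" "):
            problems.append((field, "leading or trailing space"))
        core = value.strip(" ")
        if any(c in PASTE_DEBRIS for c in core):
            problems.append((field, "curly quote, tab or non-breaking space"))
        if core[:1] in ("'", '"') or core[-1:] in ("'", '"'):
            problems.append((field, "wrapped in quotes"))
            core = core.strip("'\"")
        if not core:
            problems.append((field, "empty"))
        elif field in DN_FIELDS:
            # Split on unescaped commas; each component must be attribute=value.
            for rdn in re.split(r"(?<!\\),", core):
                attr, sep, val = rdn.partition("=")
                if not (sep and attr.strip() and val.strip()):
                    problems.append((field, "malformed component: " + rdn.strip()))
        elif field in FILTER_FIELDS:
            if "{0}" not in core:
                problems.append((field, "missing {0} placeholder"))
            if core.count("(") != core.count(")"):
                problems.append((field, "unbalanced parentheses"))
        elif field in ATTR_FIELDS and not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", core):
            problems.append((field, "not a plain attribute name"))
    return problems

# Constructed sample: values follow the guide's examples, with mistakes added.
SAMPLE = {
    "User Base DN": "ou=Users, ou=DRM, dc=qaad, dc=com",
    "Group Base DN": "ou=Groups, ou=DRM, dc=qaad, dc=com ",
    "Username Attribute": "'sAMAccountName'",
    "Group From Name Filter": "(member={0}",
}

if __name__ == "__main__":
    print("\n".join(f + ": " + p for f, p in lint(SAMPLE)))
```

An empty result means only that the values are well formed; whether the DNs and the principal actually exist in the directory still has to be confirmed against Active Directory.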