IMPLEMENTING F-SECURE POLICY MANAGER

Page 2

Agenda

Main topics

• Pre-deployment phase

• Is the implementation possible?

• Implementation scenarios and examples

• Installing the environment

• Most critical installation steps

• Console configuration tips

• Point application rollout

• Point application rollout planning and piloting

• Most common rollout methods and examples

PRE-DEPLOYMENT PHASE

Page 4

Before you begin...

Checklist

1. Network requirements

• Does the network support the required protocols?

• Is the network fast enough?

2. System requirements

• Does the existing hardware meet the requirements?

• Are the installed operating systems and service packs supported?

3. Policy Manager Implementation

• How many Policy Manager Servers, Consoles and Proxy Servers does the infrastructure require?

• Where to place them for best performance?

Page 5

Network Requirements

Network

• 10Mbit Ethernet or faster

• In installations with more than 5000 managed hosts, 100Mbit networks are recommended

Required Protocols

• UDP

• Used for virus definitions updates directly from F-Secure Root Update Server

• TCP

• Used for F-Secure Intelligent Installations (a.k.a push installations)

• Used for general Apache Web Server traffic

Page 6

System Requirements:Policy Manager Server

Operating system

• Windows 2000 Server and Advanced Server (SP3 or higher), Windows Server 2003 Standard, Web Edition, or Small Business Server

Processor

• Intel Pentium III 450 MHz or faster (1 GHz or more recommended, especially when managing big environments or when Web Reporting is enabled)

Memory

• 256 MB RAM (512 MB or more recommended, especially when Web Reporting is enabled)

Disk space

• 50 MB required (recommended 500 MB or more)

Page 7

System Requirements:Policy Manager Console

Operating system

• Windows 2000 Professional (SP3 or higher), Windows XP Professional (SP2 or higher) or Windows 2003 Small Business Server

Processor

• Intel Pentium III 450 MHz or faster (750 MHz or more recommended)

Memory

• Dedicated computer

• 256 MB RAM (512 or more recommended)

• Single computer (same as PMS)

• 1 GB or more recommended

Disk space

• 50 MB required

Page 8

System Requirements:Anti-Virus Client Security 6.x

Operating system

• Microsoft Windows 2000 Professional (SP4 or higher)

• Microsoft Windows XP Professional and Home Edition (SP1 or higher)

Memory

• 128 MB (Windows 2000), 256 MB (Windows XP)

• 256 MB an more recommended

Disk space

• 120 MB (150 MB required during installation)

Page 9

Policy Manager Implementation

Policy Manager Server and Console can be implemented in two

different ways

• Both components on a single computer (recommended)

• Dedicated computers for each component

Single Computer

Dedicated Computers

Page 10

Policy Manager Implementation

Depending on the size and structure of the company, it might be

necessary to

• Install more than one Policy Manager Console

• Global company with slow internet connection

• Install more than one Policy Manager Server

• Single Policy Manager Server scales up to 10000 hosts

• It can handle significantly more host, but will be difficult to administer (policy distribution time increases)

• Install Policy Manager Proxies for virus definitions updates

• Solves bandwidth bottle-necks

Page 11

Policy Manager Server Location

Location of the Policy Manager Server

• Place it in the internal network (recommended)

• Well protected from external attacks

• Access from external network only possible with authenticated, encrypted connections (e.g. VPN+)

• Place it in a DMZ network

• Server has a public IP address, FSMA can access the server from the external network without using VPN+

• In general, the security in a DMZ is less restricted as it is in an internal network. The Server contains sensitive infomation of your policy domain and policies. There might be a security risk.

Page 12

Implementation in Basic Environment

Managed hosts

Policy Manager Server & Console

Root Update Server

Page 13

Implementation in Global Environment

Root Update Server

Managed Hosts PMC PM Proxy PMC & PMS Managed Hosts

Subsidiary Germany Headquarters Finland

POLICY MANAGER INSTALLATION

Page 15

Starting the Installation

If you have a valid license of any F-Secure product you are entitled to

use F-Secure Policy Manager

You are entitled to use as many Console, Server and Reporting

Option installations as you need

Page 16

Installation Order

1. Policy Manager Server

2. Policy Manager Console

3. Point Applications

Page 17

Critical Steps:Server Installation

Select components to install

• Policy Manager Console

• Don’t forget to deselect in case you want to run it on a dedicated computer

• Policy Manager Update Server & Agent

• Without this components, database updates will not be possible

Page 18

Critical Steps:Server Installation

Configure Apache Modules

• In general, default port settings work fine

• However, in some situations the ports are already taken and need to be changed

• The system will automatically inform

• Already taken ports

• Ports which might cause problems

Page 19

Critical Steps:Console Initialization

Important: In this step you define

the administration module

• The host module address has to be specified separately in the policy

Page 20

Critical Steps:Console Initialization

Management key-pair

generation

• Make sure to backup these keys after console initialization completed!

Page 21

Console Configuration Tips

• Lock most important settings• Prevents problems with IPF overwriting

• Define Policy Manager Server Address• Empty by default!

POINT APPLICATION ROLLOUT

Page 23

Before you Start the Rollout...

Checklist

• Remove all conflicting software from target hosts

• Sidegrade detects and removes certain vendors automatically (AVCS only!)

• Test sidegrade during piloting phase!

• Check target host for third party firewalls (e.g. XP firewalls) and disable them (e.g through AD group policy)

• Start piloting

• Test different rollout methods and choose the one suited best for your environment

• Never rollout without careful testing – or to the whole domain at once!

Page 24

Rollout Methods

Intelligent Installations

• Autodiscover windows hosts (recommended)

• Installation package created with PMC

• Transfers package separately to each host (no multicasting)

• Certain inbound traffic on hosts needs to be allowed

• RPC (TCP 135) and SMB (TCP 445)

• Push install to Windows host

• Advantage: needs no name resolution, if IP addresses are used

• Disadvantage: IP addresses have to be typed manually

Page 25

Rollout Methods

Pre-configured package

• Using PMC to create a pre-configured package

• No inbound traffic on hosts required

• JAR: Installation of exported package by ilaunchr.exe through windows login script

• Make sure to run login sript silent (script includes password in cleartext!)

• MSI: Installation of exported package through windows group policy in active directory

Page 26

Anti-Virus

Centrally Manageable Products

F-Secure Anti-Virus for Citrix Servers (and for Microsoft Terminal Server)

F-Secure Anti-Virus for SAMBA Servers

Anti-Virus

Server Computing

Anti-Virus for HTTP, SMTP, FTP and POPAnti-SpamContent Filtering

Anti-VirusAnti-SpamContent Filtering

Anti-VirusVirus & SpyProtection Intrusion prevention

F-Secure solutions and services provided

Web & DNS

Servers

F-Secure Anti-Virus for MS Exchange

F-Secure Spam Control for Microsoft Exchange

F-Secure Spam Control for Internet Gatekeeper

F-Secure Internet Gatekeeper

F-Secure Anti-Virus for MIMEsweeper

F-Secure Anti-Virus for Windows Servers

F-Secure Anti-Virus for Linux Servers

F-Secure Anti-Virus for Workstations

F-Secure Anti-Virus Client Security

GatewaysEmail Servers

File & Print

Servers

Desktops & laptopsMicrosoft Platforms

Linux Platforms

Page 27

Summary

Main topics

• Pre-deployment phase

• Is the implementation possible?

• Implementation scenarios and examples

• Installing the environment

• Most critical installation steps

• Console configuration tips

• Point application rollout

• Point application rollout planning and piloting

• Most common rollout methods and examples