Endpoint Security
Installation Guide
Version NGX 7.0 GA
January 16, 2008
© 2008 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their
use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by
any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book,
Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check
Point Endpoint Security, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing,
ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa,
DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX,
FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity
Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC,
OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Provider-1, PureAdvantage,
PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge,
SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security
Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter
UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand,
SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1,
UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1
Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1
SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm
Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs,
and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm
is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered
trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668,
5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign
patents, or pending applications.
Contents
Preface
  About this Guide
    Available Formats
    Obtaining the Correct Version
    Obtaining New Issues of this Guide
  About the Endpoint Security Documentation Set
    Documentation for Administrators
    Documentation for Endpoint Users
  Feedback
Chapter 1 Endpoint Security Overview
  Endpoint Security System Components
    System Requirements
    Architecture
  Endpoint Security Communications
    The Endpoint Security Sync
    Other Endpoint Security Communications
    Endpoint Security Services
Chapter 2 Installation Overview
  Master Installer
  Supported Installations
  Upgrading and Migration
  Gateway Integration
Chapter 3 Upgrading and Migration
  Introduction to Upgrading
    Supported Upgrades
    Migration
  Upgrade Workflow
  Backing Up Data
  SPLAT Upgrade Instructions
  Clustered Upgrade Instructions
Chapter 4 Installing on a Dedicated Host
  Windows
  Linux
  Check Point SecurePlatform (Command Line Version)
  Check Point SecurePlatform (GUI Version)
Endpoint Security Installation Guide 4
Chapter 5 Installing with SmartCenter on the Same Host
  Windows
  Linux
  Check Point SecurePlatform (Command line Version)
  Check Point SecurePlatform (GUI Version)
  Installing Endpoint Security with an Existing SmartCenter
    Connecting Endpoint Security and SmartCenter
Chapter 6 Installing with SmartCenter on Separate Hosts
  Workflow
  Installing SmartCenter in a Distributed Installation
    Windows
    Linux
    Check Point SecurePlatform (Command Line Version)
    Check Point SecurePlatform (GUI Version)
  Connecting Endpoint Security and SmartCenter
Chapter 7 Installing Endpoint Security and Provider-1
  Provider-1 Overview
  Workflow
  Installing Endpoint Security on the Same Host as Provider-1
  Connecting Endpoint Security and Provider-1
Chapter 8 Endpoint Security Installation Wizard Reference
  Completing the Endpoint Security Installation Wizard
  Completing the Installation
Chapter 9 Check Point Configuration Tool
  Starting the Configuration Tool
  Configuration Tool Options
Chapter 10 Remote Logging
  Connecting the Log Server and SmartCenter
  Connecting the Log Server and Endpoint Security
Chapter 11 High Availability
  Overview of High Availability
  Architecture
  Configuring High Availability
  Forcing Replication
  Changing an Active Server to a Standby Server
  Changing a Standby Server to an Active Server
Preface
In This Preface
About this Guide
About the Endpoint Security Documentation Set
Feedback

About this Guide
The Endpoint Security Installation Guide provides detailed instructions for installing,
configuring, and maintaining Endpoint Security. This document is intended for global
administrators. Please make sure you have the most up-to-date version available for
the version of Endpoint Security that you are using.
Before using this document to install Endpoint Security, you should read and
understand the information in the Endpoint Security Implementation Guide in order to
familiarize yourself with the basic features and principles.
Available Formats
This guide is available as a PDF. This document is available from the Check Point CD.
Updated editions of the document may be available on the Check Point Website after
the release of Endpoint Security. The version of this document on the Check Point
Website may be more up-to-date than the version on the CD.
When obtaining updated PDF editions from the Check Point Website, make sure
they are for the same server version as your Endpoint Security. Do not attempt to
administer Endpoint Security using documentation that is for another version.
Obtaining the Correct Version
Make sure that this document has the Version Number that corresponds to the version
of your Endpoint Security. The Version Number is printed on the cover page of this
document.
Obtaining New Issues of this Guide
New issues of this guide are occasionally available in PDF format from the Check Point
Website. When using the PDF version of this document, make sure you have the most
up-to-date issue available. The issue date is on the cover page of this document.
When obtaining the most up-to-date issue of the documentation, make sure that you
are obtaining the issue that is for the appropriate server.
About the Endpoint Security Documentation Set
A comprehensive set of documentation is available for Endpoint Security, including the
documentation for the Endpoint Security clients. This includes:
“Documentation for Administrators,” on page 8
“Documentation for Endpoint Users,” on page 8
Documentation for Administrators
The following documentation is intended for use by Endpoint Security administrators.
Table 1-1: Server Documentation for Administrators

Title: Endpoint Security Installation Guide
Description: Contains detailed instructions for installing, configuring, and maintaining Endpoint Security. This document is intended for global administrators.

Title: Endpoint Security Administrator Guide
Description: Provides background and task-oriented information about using Endpoint Security. It is available in both a Multi and Single Domain version.

Title: Endpoint Security Administrator Online Help
Description: Contains descriptions of user interface elements for each Endpoint Security Administrator Console page, with cross-references to the associated tasks in the Endpoint Security Administrator Guide.

Title: Endpoint Security System Requirements
Description: Contains information on client and server requirements and supported third party devices and applications.

Title: Endpoint Security Gateway Integration Guide
Description: Contains information on integrating your gateway device with Endpoint Security.

Title: Endpoint Security Client Management Guide
Description: Contains detailed information on the use of third party distribution methods and command line parameters.

Title: Endpoint Security Agent for Linux Installation and Configuration Guide
Description: Contains information on how to install and configure Endpoint Security Agent for Linux.

Documentation for Endpoint Users
Although this documentation is written for endpoint users, Administrators should be
familiar with it to help them to understand the Endpoint Security clients and how the
policies they create impact the user experience.

Table 1-2: Client documentation for endpoint users

Title: User Guide for Endpoint Security Client Software
Description: Provides task-oriented information about the Endpoint Security clients (Agent and Flex) as well as information about the user interface.

Title: Introduction to Endpoint Security Flex
Description: Provides basic information to familiarize new users with Flex. This document is intended to be customized by an Administrator before distribution. See the Endpoint Security Implementation Guide for more information.

Title: Introduction to Endpoint Security Agent
Description: Provides basic information to familiarize new users with Endpoint Security Agent. This document is intended to be customized by an Administrator before distribution. See the Endpoint Security Implementation Guide for more information.

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please
help us by sending your comments to:
cp_techpub_feedback@checkpoint.com
Chapter 1
Endpoint Security Overview
In This Chapter
Endpoint Security System Components
Endpoint Security Communications

Endpoint Security System Components
This section provides an overview of the Endpoint Security system components.
System Requirements
For information about Endpoint Security system requirements, see the Endpoint
Security System Requirements Document on the Check Point Web site.
Architecture
Figure 1-1 shows a typical installation. In this illustration, the Endpoint Security
system components are installed on a single host. There are several other
configuration options available, some of which distribute one or more components
across multiple servers. Figure 1-1 illustrates the relationships and communications
between the components, which are the same for all installations.
Figure 1-1: Typical Endpoint Security Configuration
A typical Endpoint Security configuration includes the following components:

Endpoint Security Server - Allows you to centrally configure your Endpoint Security enterprise policies.

Endpoint Security Clients - Monitor your endpoints and enforce your security policies. These clients are installed on your endpoint computers. There are two types of Endpoint Security clients that work with Endpoint Security server:
    Flex - Has a full user interface that allows the user to control security settings under some conditions.
    Agent - Has a limited interface and does not allow the user to control his or her security settings.

Apache HTTP Server - Provides secure HTTPS communication between the Endpoint Security server and Endpoint Security clients. It also provides secure communication with the Endpoint Security server for Administrators logging onto the Endpoint Security Administrator Console. The Apache HTTP server also improves performance by serving your security data to Endpoint Security clients using a high speed cache.

Administrator Workstation - Administrators can use a workstation to access Endpoint Security through the Endpoint Security Administrator Console, a Web-based Graphical User Interface that allows Administrators to create security policies, view reports, and perform other administrative tasks.

Other Check Point Components - When you install the Endpoint Security server, you are also automatically installing some Check Point SmartCenter components to create an integrated security solution. These components are installed in the background even if you choose an ‘Endpoint Security only’ installation. Integration points include:
    SmartPortal
    SmartCenter Server
    SmartView Tracker
    Eventia Reporter
    SmartDashboard
    SmartView Monitor
    Logging

For more information about these integration points, see “Integrations With Other
Check Point Products,” on page 12.
Endpoint Security also integrates with a variety of gateways, such as VPN or wireless
devices, to provide client enforcement capabilities at the gateway level. For more
information about these sorts of configurations, see the Endpoint Security
Administrator Guide and the chapter of the Endpoint Security Gateway Integration
Guide appropriate to your gateway device. The Endpoint Security System
Requirements document lists all supported gateways. These documents are
available on the Check Point Web site.

Endpoint Security Communications
This section explains the internal and external communication protocols and ports
used by the Endpoint Security system.
When an Endpoint Security client is initialized, it performs a sync with the Endpoint
Security server. This allows the Endpoint Security client to get the security policy that
is assigned to it. Other communications take place either at the request of
administrators or as determined by your security policies.
The Endpoint Security Sync
1. The Endpoint Security client requests the policy location from the Endpoint
Security server.
2. The server returns a sync response to the Endpoint Security client with the location
of the policy.
3. The client then downloads the policy assigned to it. This is done over HTTP on port
80. The policy is encrypted before it is sent. The Web server transmits the request
to the Endpoint Security server over an internal channel of communication, using
AJP13 on ports 8009 and 8010. The policy contains both your security policy
information as well as the location of the remediation sandbox and log upload
server.
Once the Endpoint Security client receives the policy, it immediately enforces it.
Other Endpoint Security Communications
Once the sync has been established between the Endpoint Security server and the
Endpoint Security client, the following types of communication may occur, depending
on circumstances and the security policy you configure.
Heartbeats - Once the sync request has completed successfully, a heartbeat regularly occurs according to the interval specified by the Administrator. Heartbeats occur over UDP on port 6054. Heartbeats contain various pieces of information concerning the status and compliance state of the endpoint computer. This information is stored in the Endpoint Security datastore and is used for the Endpoint Monitor report.

Remediation Requests - The Endpoint Security client may request remediation resources from the Endpoint Security sandbox. For example, if the client is out of compliance with the policy’s enforcement rules, the policy might specify that the client should restrict the endpoint computer’s access to your network and attempt to download a remediation file from the sandbox remediation area. The initial Endpoint Security client connection to the sandbox is done over HTTPS on port 2100, while the download is done on port 80 because the Endpoint Security client verifies the sandbox files after download by checking the MD5 hash.

Program Permission Requests - Depending on your policy settings, as programs are run on the endpoint computer, Endpoint Security clients may request program permission information from the Endpoint Security server. These real-time, encrypted requests are performed over HTTP on port 80.

Log Upload - Periodically, the Endpoint Security client uploads logs to the Endpoint Security server. These logs are stored in SmartCenter’s log data files using the ELA API. You can configure the frequency of the log upload using the Endpoint Security Administrator console.

Administrator Workstation Access - Administrators can use a workstation to access the Endpoint Security Administrator console to configure security policies, view reports, and perform other administration tasks. The administrator workstation contacts the Endpoint Security server via HTTPS on port 443. Some reports are viewed on SmartPortal via HTTPS on port 4433 by drilling down in the Endpoint Security Administrator console.

Endpoint Security Services
Endpoint Security operations are implemented by separate Endpoint Security services.
The services are divided into two types:
Client services allow an Endpoint Security client to get policies and configuration
information, and to communicate session state information.
Administration services allow administrators to create groups and users; manage
policies; manage system configuration; and perform other administrative tasks.
Ports and Protocols
The Endpoint Security server uses the ports and protocols listed below to communicate
with Endpoint Security clients. Make sure all these ports and protocols are available on
the Endpoint Security server:
80 HTTP
443 HTTPS
6054 UDP
8009 AJP13 (Internal)
8010 AJP13 (Internal)
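
An added example, not part of Check Point's guide: a Python check that compares a Linux host's listening sockets (the output of `ss -H -tuln`) with the port list above. Reading "(Internal)" as loopback-only is an assumption that fits a single-host installation, and the sample output is constructed.

```python
import ipaddress

# Ports from the guide's "Ports and Protocols" list:
# (port, transport, purpose, internal_only)
REQUIRED_PORTS = [
    (80, "tcp", "HTTP", False),
    (443, "tcp", "HTTPS", False),
    (6054, "udp", "heartbeats", False),
    (8009, "tcp", "AJP13 (Internal)", True),
    (8010, "tcp", "AJP13 (Internal)", True),
]

# Constructed sample of `ss -H -tuln` output, not captured from a real server.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      100        127.0.0.1:8009       0.0.0.0:*
tcp   LISTEN 0      100          0.0.0.0:8010       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""


def parse_listeners(ss_output):
    """Return a set of (transport, port, local_address) from `ss -tuln` text."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip blank lines and the header row if -H was not used.
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        address, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        # Drop IPv6 brackets and any %interface suffix.
        address = address.strip("[]").split("%", 1)[0]
        listeners.add((fields[0], int(port), address))
    return listeners


def is_loopback(address):
    """True only for addresses that cannot be reached from another host."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # "*" and other wildcard forms


def audit(ss_output):
    """Report required ports with no listener and internal ports bound
    to a non-loopback address (assumption: single-host installation)."""
    listeners = parse_listeners(ss_output)
    missing, exposed = [], []
    for port, transport, _purpose, internal_only in REQUIRED_PORTS:
        addresses = sorted(
            a for t, p, a in listeners if (t, p) == (transport, port)
        )
        if not addresses:
            missing.append((port, transport))
        elif internal_only:
            exposed.extend((port, a) for a in addresses if not is_loopback(a))
    return {"missing": missing, "exposed_internal": exposed}


if __name__ == "__main__":
    result = audit(SAMPLE_SS_OUTPUT)
    for port, transport in result["missing"]:
        print(f"no listener on {port}/{transport}")
    for port, address in result["exposed_internal"]:
        print(f"AJP13 port {port} is bound to {address}, not loopback")
```

In a distributed installation the AJP13 listeners may legitimately sit on a non-loopback interface; in that case restrict them with host firewall rules rather than relying on this check.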
Figure 1-2, “Endpoint Security services and ports,” on page 16 shows the services that
make up Endpoint Security and which ports the services use.
Figure 1-2: Endpoint Security services and ports
Service Details
The table below lists the individual services that make up Endpoint Security. The
configuration name is the parameter name of the service in the Endpoint Security
server and Apache HTTPS server configuration files. The URL is the service location
information embedded in the request from the Endpoint Security client that allows the
Apache HTTPS server to proxy requests.

Table 1-1: Description of Endpoint Security Services

Service name: Connection Manager
Configuration name: service.enable.connectionManager
URL: /cm/*
Description: Synchronizes with the server. The Connection Manager service allows the endpoint to establish a session, verify endpoint state information, and get information needed to download the current policy and configuration. It can also end a previously synchronized session with the endpoint. This service also sends heartbeats to communicate policy or state changes.

Service name: Policy download
Configuration name: service.enable.policy
URL: /policy/*
Description: Policy download service.

Service name: Log upload
Configuration name: service.enable.logUpload
URL: /logupload/*
Description: Provides the mechanism endpoint computers use to upload client log files.

Service name: Program permission
Configuration name: service.enable.logUpload
URL: /ask/*
Description: Provides the mechanism endpoint computers use to upload client log files.

Service name: Sandbox server
Configuration name: service.enable.sandBox
URL: /sandbox/*
Description: Serves remediation Web pages to non-compliant, authenticated endpoint users.

Service name: Package Manager
Configuration name: service.enable.package
URL: /package/*
Description: Serves the client installer packages that install an Endpoint Security client on an endpoint computer.

Service name: Administrator Console
Configuration name: service.enable.adminConsole
URL: /
Description: Serves the user interface that allows administrators to manage the Endpoint Security.

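
An added example, not part of Check Point's guide: because each client service has its own URL prefix, the Apache access log can be broken down by service, and a policy download from a host with no earlier Connection Manager request stands out against the sync sequence described earlier. It assumes the access log is in Common Log Format; the sample lines and the paths below each prefix are constructed.

```python
import re

# URL prefixes from the guide's service table. Anything else is served by
# the Administrator Console, whose URL is "/".
SERVICE_PREFIXES = [
    ("/cm/", "Connection Manager"),
    ("/policy/", "Policy download"),
    ("/logupload/", "Log upload"),
    ("/ask/", "Program permission"),
    ("/sandbox/", "Sandbox server"),
    ("/package/", "Package Manager"),
]

# Common Log Format: host ident user [time] "METHOD path proto" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+')

# Constructed sample lines; the paths below each prefix are made up.
SAMPLE_LOG = """\
192.0.2.21 - - [16/Jan/2008:09:00:01 +0000] "POST /cm/session HTTP/1.1" 200 512
192.0.2.21 - - [16/Jan/2008:09:00:02 +0000] "GET /policy/current HTTP/1.1" 200 20480
192.0.2.21 - - [16/Jan/2008:09:05:10 +0000] "POST /ask/program HTTP/1.1" 200 128
192.0.2.35 - - [16/Jan/2008:09:06:44 +0000] "GET /policy/current HTTP/1.1" 200 20480
192.0.2.35 - - [16/Jan/2008:09:06:50 +0000] "GET /package/client.exe HTTP/1.1" 200 900000
192.0.2.9 - - [16/Jan/2008:09:07:00 +0000] "GET /login HTTP/1.1" 200 4096
not a log line
"""


def classify(path):
    """Map a request path to the service that the table assigns to it."""
    for prefix, service in SERVICE_PREFIXES:
        if path.startswith(prefix):
            return service
    return "Administrator Console"


def summarize(log_text):
    """Return (requests per service, hosts that fetched a policy without a
    prior Connection Manager request in this log, count of unparsed lines)."""
    counts = {}
    synced = set()
    out_of_sequence = []
    unparsed = 0
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            unparsed += 1
            continue
        host, path = match.groups()
        service = classify(path)
        counts[service] = counts.get(service, 0) + 1
        if service == "Connection Manager":
            synced.add(host)
        elif service == "Policy download" and host not in synced:
            # Heuristic: the sync steps put the Connection Manager request
            # before the policy download.
            if host not in out_of_sequence:
                out_of_sequence.append(host)
    return counts, out_of_sequence, unparsed


if __name__ == "__main__":
    per_service, flagged, skipped = summarize(SAMPLE_LOG)
    for service, total in sorted(per_service.items()):
        print(f"{service}: {total}")
    print("policy download without prior sync:", flagged)
    print("unparsed lines:", skipped)
```

A host can also be flagged when its sync request was written to an earlier, rotated log file, so treat the result as a prompt to review rather than a verdict.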
Chapter 2
Installation Overview
In This Chapter
Master Installer
Supported Installations
Upgrading and Migration
Gateway Integration

You can install the Endpoint Security server as a standalone product or with other Check
Point products, such as SmartCenter or VPN-1. Use this guide to perform these installations.
This guide provides the workflows you need to perform installations with other Check Point
products and the details of the Endpoint Security server installation steps. For details of
general installation steps for other Check Point products, see the appropriate Check Point
documentation.
NT Domain catalogs are not available in SPLAT installations. If you plan on using NT
Domain catalogs, you must install on Windows or Linux.
Master Installer
For all installation options, you use a master installer that lets you select which products to
install. Note that all Endpoint Security installations (standalone or integrated) include Check
Point SmartPortal, which provides some of Endpoint Security’s reporting functionality. If you
choose standalone mode, the installer also silently installs some necessary components of
Check Point SmartCenter, which remain invisible.
Supported Installations
This guide explains how to install Endpoint Security in the following supported
configurations:

Endpoint Security alone
    You can install just Endpoint Security and the necessary supporting components. (Endpoint Security installations always include Check Point SmartPortal and some Check Point SmartCenter components.)
    To install Endpoint Security alone, follow the instructions for installing Endpoint Security on its own host. See “Installing on a Dedicated Host,” on page 25.

Endpoint Security with other Check Point products
    You can install Endpoint Security with the following Check Point products:

    SmartCenter
        The SmartCenter components that come with Endpoint Security are invisible. If you want to have the full range of SmartCenter functionality, you can choose to install SmartCenter in one of the following configurations:
        Same Host
            You can install Endpoint Security on the same host as SmartCenter. You can install Endpoint Security either at the same time as you install SmartCenter, or you can install it on a server with an existing SmartCenter installation. See “Installing with SmartCenter on the Same Host,” on page 32.
        Distributed
            You can install Endpoint Security and SmartCenter on different servers and then configure them to communicate. See “Installing with SmartCenter on Separate Hosts,” on page 42.

    Provider-1
        You can install Endpoint Security with Provider-1 in the following configurations:
        Same Host
            You can install Endpoint Security with Provider-1 on the same server. See “Installing Endpoint Security and Provider-1,” on page 50.
        Distributed
            You can install Endpoint Security and Provider-1 on different servers and then configure them to connect. See “Installing Endpoint Security and Provider-1,” on page 50.

Upgrading and Migration
For information about changing from an earlier version of Endpoint Security to this
one, see “Upgrading and Migration,” on page 21.
Gateway Integration
This guide does not include information about configuring Endpoint Security to work
with gateways, including Check Point gateways. Gateway integration and Cooperative
Enforcement are achieved through post-installation steps described in the Endpoint
Security Administrator Guide and the Endpoint Security Gateway Integration Guide.