1. Manuals
  2. Brands
  3. F-SECURE Manuals
  4. Software
  5. POLICY MANAGER 7.0 -
  6. Administrator's manual

F-SECURE POLICY MANAGER 7.0 Administrator's Manual

Hide thumbs
Table of Contents

Advertisement

Quick Links

Download this manual
F-Secure Policy
Manager 7.0
Administrator's Guide

Advertisement

Table of Contents
loading

Related Manuals for F-SECURE POLICY MANAGER 7.0

Summary of Contents for F-SECURE POLICY MANAGER 7.0

  • Page 1 F-Secure Policy Manager 7.0 Administrator’s Guide...
  • Page 2 Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice.

  • Page 3: Table Of Contents

    1.4.1 Management Information Base ..............22 Chapter 2 System Requirements F-Secure Policy Manager Server ................25 F-Secure Policy Manager Console ................27 Chapter 3 Installing F-Secure Policy Manager Server Overview ........................30 Security Issues......................31 3.2.1 Installing F-Secure Policy Manager in High Security Environments....32 Installation Steps......................37...
  • Page 4 Configuring F-Secure Policy Manager Server............51 3.4.1 Changing the Communication Directory Path ..........51 3.4.2 Changing the Ports Where the Server Listens for Requests......52 3.4.3 F-Secure Policy Manager Server Configuration Settings .......53 Uninstalling F-Secure Policy Manager Server ............58 Chapter 4 CommDir Migration Introduction ........................61...
  • Page 5 6.10.2 Shared Preferences..................153 Chapter 7 Maintaining F-Secure Policy Manager Server Overview ........................156 Backing Up & Restoring F-Secure Policy Manager Console Data......156 Replicating Software Using Image Files ..............159 Chapter 8 Updating F-Secure Virus Definition Databases Automatic Updates with F-Secure Automatic Update Agent........162 Using the Automatic Update Agent ................164...
  • Page 6 9.2.3 Installing F-Secure Policy Manager Console..........175 9.2.4 Installing F-Secure Policy Manager Web Reporting........176 Configuration......................177 Uninstallation......................177 9.4.1 Uninstalling F-Secure Policy Manager Web Reporting ........177 9.4.2 Uninstalling F-Secure Policy Manager Console ...........178 9.4.3 Uninstalling F-Secure Policy Manager Server..........178 9.4.4 Uninstalling F-Secure Automatic Update Agent ...........179 Frequently Asked Questions ..................179...
  • Page 7 Appendix A SNMP Support A.1 Overview ......................... 212 A.1.1 SNMP Support for F-Secure Management Agent ........212 A.2 Installing F-Secure Management Agent with SNMP Support ........213 A.2.1 F-Secure SNMP Management Extension Installation ........213 A.3 Configuring The SNMP Master Agent..............214 A.4 Management Information Base ................215 Appendix B Ilaunchr Error Codes B.1 Overview .........................
  • Page 8 Appendix E NSC Notation for Netmasks E.1 Overview ......................... 229 Technical Support Overview .......................... 232 Web Club .........................232 Virus Descriptions on the Web ................232 Advanced Technical Support ...................232 F-Secure Technical Product Training ................233 Training Program ....................233 Contact Information ....................234 Glossary About F-Secure Corporation viii...

  • Page 9: About This Guide

    BOUT UIDE Overview..................10 How This Guide is Organized............. 11...

  • Page 10: Overview

    About This Guide Overview F-Secure Policy Manager provides tools for administering the following F-Secure software products: F-Secure Client Security F-Secure Internet Gatekeeper F-Secure VPN+ F-Secure Anti-Virus for Workstations Firewalls File Servers Microsoft Exchange MIMEsweeper:...

  • Page 11: How This Guide Is Organized

    How This Guide is Organized The F-Secure Policy Manager Administrator’s Guide is divided into the following chapters. Chapter 1. Introduction. Describes the architecture and components of the policy-based management. Chapter 2. System Requirements. Defines the software and hardware requirement for F-Secure Policy Manager Console and F-Secure Policy Manager Server.
  • Page 12 FSII to work with them. Appendix E. NSC Notation for Netmasks. Defines and offers information on NSC notation for Netmasks. Glossary — Explanation of terms Technical Support — Web Club and contact information for assistance. About F-Secure Corporation — Company background and products.

  • Page 13: Conventions Used In F-Secure Guides

    Conventions Used in F-Secure Guides This section describes the symbols, fonts, and terminology used in this manual. Symbols WARNING: The warning symbol indicates a situation with a risk of irreversible destruction to data. IMPORTANT: An exclamation mark provides important information that you need to consider.
  • Page 14 In our constant attempts to improve our documentation, we would welcome your feedback. If you have any questions, comments, or suggestions about this or any other F-Secure document, please contact us at documentation@f-secure.com.

  • Page 15: Introduction

    NTRODUCTION Overview..................16 Installation Order ................ 18 Features ..................19 Policy-Based Management............20...

  • Page 16: Overview

    CHAPTER 1 Introduction Overview F-Secure Policy Manager provides a scalable way to manage the security of numerous applications on multiple operating systems, from one central location. It can be used to keep security software up-to-date, manage configurations, oversee enterprise compliance, and can be scaled to handle even the largest, most mobile workforce.
  • Page 17 Communication Directory (CommDir) in F-Secure Policy Manager Server, collects alert, status and property data from the managed security domain or host of choice. F-Secure Policy Manager Reporting Option allows users to generate reports concerning the data from the Communication Directory in F-Secure Policy Manager Server by using XSL templates (which are like predefined queries).

  • Page 18: Installation Order

    CHAPTER 1 Introduction the local workstations and provides a common interface for all F-Secure applications, and operates within the policy-based management infrastructure. VPN+ Certificate Wizard is an application for creating certificates for F-Secure VPN+. Installation Order To install F-Secure Policy Manager, please follow this installation order...

  • Page 19: Features

    Updates can be provided in several ways: From the F-Secure CD. From the F-Secure Web site to the customer. These can be automatically ‘pushed’ by F-Secure Automatic Update Agent, or voluntarily ‘pulled’ from the F-Secure website.

  • Page 20: Policy-Based Management

    A security policy is a set of well-defined rules that regulate how sensitive information and other resources are managed, protected, and distributed. The management architecture of F-Secure software uses policies that are centrally configured by the administrator for optimum control of security in a corporate environment.
  • Page 21 F-Secure Policy Manager Console, protecting the file against changes while it is passing through the network and while it is stored in the host’s file system. These files are sent from F-Secure Policy Manager Console to the F-Secure Policy Manager Server. The host periodically polls for new policies created by F-Secure Policy Manager Console.

  • Page 22: Management Information Base

    The Management Information Base (MIB) is a hierarchical management data structure used in the Simple Network Management Protocol (SNMP). In F-Secure Policy Manager, the MIB structure is used for defining the contents of the policy files. Each variable has an Object Identifier (OID) and a value that can be accessed using the Policy API.
  • Page 23 The following types of traps are sent by most of the F-Secure products: Info. Normal operating information from a host. Warning. A warning from the host.

  • Page 24: Chapter 2 System Requirements

    YSTEM EQUIREMENTS F-Secure Policy Manager Server ..........25 F-Secure Policy Manager Console..........27...

  • Page 25: F-Secure Policy Manager Server

    F-Secure Policy Manager Server In order to install F-Secure Policy Manager Server, your system must meet the following minimum requirements: Operating system: Microsoft Windows: Microsoft Windows 2000 Server (SP 3or higher); Windows 2000 Advanced Server (SP 3or higher); Windows Server 2003, Standard Edition or Web Edition;...
  • Page 26 CHAPTER 2 System Requirements Memory: 256 MB RAM When Web Reporting is enabled, 512 MB RAM. Disk space: Disk space: 200 MB of free hard disk space; 500 MB or more is recommended. The disk space requirements depend on the size of the installation.

  • Page 27: F-Secure Policy Manager Console

    F-Secure Policy Manager Console In order to install F-Secure Policy Manager Console, your system must meet the following minimum requirements: Operating system: Microsoft Windows: Microsoft Windows 2000 Professional (SP3 or higher) Windows 2000 Server (SP3 or higher) Windows 2000 Advanced Server (SP3 or...
  • Page 28 CHAPTER 2 System Requirements 100 MB of free hard disk space. Disk space: Minimum 256-color display with resolution of Display: 1024x768 (32-bit color with 1280x960 or higher resolution recommended). Ethernet network interface or equivalent. Network: 10 Mbit network between console and server is recommended.

  • Page 29: Installing F-Secure Policy Manager Server

    NSTALLING ECURE OLICY ANAGER ERVER Overview..................30 Security Issues ................31 Installation Steps ................ 37 Uninstalling F-Secure Policy Manager Server......58...

  • Page 30: Overview

    The following are advanced instructions for installing F-Secure Policy Manager Server on a machine dedicated only to the Server. F-Secure Policy Manager Server can also be installed on the same machine as F-Secure Policy Manager Console. F-Secure Policy Manager Server is the link between F-Secure Policy...

  • Page 31: Security Issues

    The information stored by F-Secure Policy Manager Server includes the following files: Policy Domain Structure. Policy Data, which is the actual policy information attached to each policy domain or host. Base Policy files generated from the policy data. Status Information, including incremental policy files, alerts, and reports.

  • Page 32: Installing F-Secure Policy Manager In High Security Environments

    3.2.1 Installing F-Secure Policy Manager in High Security Environments F-Secure Policy Manager is designed to be used in internal corporate networks mainly for managing F-Secure Anti-Virus products. F-Secure does not recommend using F-Secure Policy Manager over public networks such as Internet.
  • Page 33 If this is done accidentally, or intentionally by an unauthorized user, the authorized user will notice the change when he tries to login to F-Secure Policy Manager the next time. In the worst case, the authorized user needs to recover backups in order to remove the possible changes made by the unauthorized user.
  • Page 34 After this, only the person who has access to the machines with the defined IP addresses can use F-Secure Policy Manager Console. 3. If there is a very strong need to use F-Secure Policy Manager over a public network (such as the Internet), it is recommended to encrypt the connection between F-Secure Policy Manager Server and F-Secure Policy Manager Console with a VPN or SSH type product.
  • Page 35 F-Secure Policy Manager Web Reporting. When access to F-Secure Policy Manager Web Reporting is limited only to the localhost during the installation (see , 45), F-Secure Setup modifies the #Web Reporting listen directive in httpd.conf file as...
  • Page 36 Allow from 10.128.129.209 <- Allow access from Administrator’s workstation </Location> </VirtualHost> After this, only the person who has access to the local host or the machine with the defined IP address can use F-Secure Policy Manager Web Reporting.

  • Page 37: Installation Steps

    Installation Steps To install F-Secure Policy Manager Server, you need physical access to the server machine. Step 1. 1. Insert the F-Secure CD in your CD-ROM drive. 2. Select Corporate Use. Click Next to continue. 3. Go to the Install or Update Managed Software menu and select F-Secure Policy Manager.
  • Page 38 CHAPTER 3 Installing F-Secure Policy Manager Server Step 3. Read the license agreement information. If you agree, select I accept this agreement. Click Next to continue.
  • Page 39 F-Secure Policy Manager Server, F-Secure Policy Manager Console, F-Secure Policy Manager Update Server & Agent are installed on the same computer. The default ports are used for F-Secure Policy Manager Server modules. Only the F-Secure Policy Manager Console installed on the same computer is allowed access to F-Secure Policy Manager Server.
  • Page 40 If you are installing on a clean computer, select the following components: F-Secure Policy Manager Server, F-Secure Policy Manager Update Server & Agent - automate virus definition database updates, F-Secure Installation Packages - select this option if you want to upload/install new remote installation packages from the CD (recommended) Click Next to continue.
  • Page 41 Step 6. Choose the destination folder. Click Next. It is recommended to use the default installation directory. If you want to install F-Secure Policy Manager Server in a different directory, you can use the Browse feature. WARNING: If you have F-Secure Management Agent installed...
  • Page 42 F-Secure Policy Manager Server will use as a repository. You can use the previous commdir as a backup, or you can delete it once you have verified that F-Secure Policy Manager Server is correctly installed.
  • Page 43 Step 8. Select whether you want to keep the existing settings or change them. This dialog is displayed only if a previous installation of F-Secure Policy Manager Server was detected on the computer. By default the setup keeps the existing settings. Select this option if you have manually updated the F-Secure Policy Manager Server configuration file (HTTPD.conf).
  • Page 44 CHAPTER 3 Installing F-Secure Policy Manager Server Step 9. Select the F-Secure Policy Manager Server modules to enable: Host module is used for communication with the hosts. The default port is 80. Administration module is used for communication with F-Secure Policy Manager Console.
  • Page 45 Click Next to continue.
  • Page 46 CHAPTER 3 Installing F-Secure Policy Manager Server Step 10. Select to add product installation package(s) from the list of available packages (if you selected F-Secure Installation Packages in Step 4 on page 17). Click Next.
  • Page 47 Step 11. Setup displays the components that will be installed. Click Next.
  • Page 48 CHAPTER 3 Installing F-Secure Policy Manager Server Step 12. When the setup is completed, the setup shows whether all components were installed successfully.
  • Page 49 Step 13. F-Secure Policy Manager Server is now installed. Restart the computer if you are prompted to do so. Click Finish to complete the installation.
  • Page 50 ENTER following page will be displayed. The F-Secure Policy Manager Server starts serving hosts only after F-Secure Policy Manager Console has initialized the Communication directory structure, which happens automatically when you run F-Secure Policy Manager Console for the first time.

  • Page 51: Configuring F-Secure Policy Manager Server

    F-Secure Policy Manager Server. After any change to the configuration, you need to stop F-Secure Policy Manager Server, and restart it for the changes to become active.

  • Page 52: Changing The Ports Where The Server Listens For Requests

    80. You can, however, define what ports they should listen in, if the defaults are not suitable. If you want to change the port in which F-Secure Policy Manager Server Admin Module listens, add a Listen entry in the configuration file with the new port (e.g.

  • Page 53: F-Secure Policy Manager Server Configuration Settings

    F-Secure Policy Manager Server Configuration Settings This section introduces and explains all the relevant entries present in the F-Secure Policy Manager Server configuration file, and how they are used. ServerRoot: This directive sets the directory in which the server is installed.
  • Page 54 <VirtualHost _default_:port>: This directive defines a set of directives that will apply only to a VirtualHost. A VirtualHost is a virtual server, i.e., a different server that is run in the same process as other servers. F-Secure...
  • Page 55 Policy Manager Server; for example, has two virtual hosts, one running in port 80 (F-Secure Policy Manager Server Host Module) and another one running in port 8080 (FSMSA or Admin Module). Here is the default configuration for F-Secure Policy Manager Server: # FSMSH port <VirtualHost _default_:80>...
  • Page 56 CHAPTER 3 Installing F-Secure Policy Manager Server CustomLog: This entry is used to log requests to the server. The first parameter is either a file (file to which the requests should be logged) or a pipe ('|') followed by the path to a program to receive the log information on its standard input.
  • Page 57 '+' = connection may be kept alive after the response is sent. '-' = connection will be closed after the response is sent. 5. F-Secure Policy Manager Server Admin Module error code (0 for success). 6. Bytes transferred to the server (“-” for none).

  • Page 58: Uninstalling F-Secure Policy Manager Server

    Installing F-Secure Policy Manager Server For more information on the settings you can read the httpd.sample file that is located in the same directory as the configuration file of F-Secure Policy Manager Server (<fspms installation directory>\conf). mod_gzip_on Yes: This setting is one of the several compression settings, and the one that enables or disables support for the compression in F-Secure Policy Manager Server.
  • Page 59 3. The F-Secure Uninstall dialog box appears. Click Start to begin uninstallation. 4. When the uninstallation is complete, click Close. 5. Click to exit Add/Remove Programs. 6. Reboot your computer for changes to take effect.

  • Page 60: Commdir Migration

    IGRATION Introduction................. 61 Instructions ................. 61...

  • Page 61: Introduction

    You can do the migration as follows: Step 1. Back Up the Existing System 1. Before you start the back-up procedure, make sure that F-Secure Policy Manager Console is not running. 2. Backup the management keys (admin.pub and admin.prv), and the existing CommDir.
  • Page 62 Step 3. Connect Policy Manager Console to the New Policy Manager Server 1. Connect the F-Secure Policy Manager Console to the new F-Secure Policy Manager Server. 2. Configure the correct F-Secure Policy Manager Server address to use: Select the Settings tab and open the Centralized Management page.
  • Page 63 F-Secure Policy Manager Server instead of the old CommDir. You can check this, for example, form the Summary tab in F-Secure Policy Manager Console. When the Hosts having latest policy: has reached 100%, the migration is complete.

  • Page 64: Chapter 5 Installing F-Secure Policy Manager Console

    NSTALLING ECURE OLICY ANAGER ONSOLE Overview..................65 Installation Steps ................ 65 Uninstalling F-Secure Policy Manager Console ......83...

  • Page 65: Overview

    The same console installation can be used for both Administrator and Read-Only connections. The following sections explain how to run the F-Secure Policy Manager Console setup from the F-Secure CD, and how to select the initial operation mode when the console is run for the first time.
  • Page 66 CHAPTER 5 Installing F-Secure Policy Manager Console Step 2. View the Welcome screen, and follow the setup instructions. Select the installation language from the drop-down menu. Click Next to continue.
  • Page 67 Step 3. Read the license agreement information. If you agree, select I accept this agreement. Click Next to continue.
  • Page 68 F-Secure Policy Manager Server, F-Secure Policy Manager Console, F-Secure Policy Manager Update Server & Agent are installed on the same computer. The default ports are used for F-Secure Policy Manager Server modules. Only the F-Secure Policy Manager Console installed on the same computer is allowed access to F-Secure Policy Manager Server.
  • Page 69 Step 5. Select the following components to be installed: F-Secure Policy Manager Console F-Secure VPN+ Certificate Wizard (optional, required only for F-Secure VPN+ management) Click Next to continue.
  • Page 70 CHAPTER 5 Installing F-Secure Policy Manager Console Step 6. Choose the destination folder. Click Next. It is recommended to use the default installation directory. Use the Browse feature to install F-Secure Policy Manager Console in a different directory.
  • Page 71 Step 7. Specify F-Secure Policy Manager Server address, and Administration port number. Click Next to continue.
  • Page 72 CHAPTER 5 Installing F-Secure Policy Manager Console Step 8. Review the changes that setup is about to make. Click Next to continue.
  • Page 73 Step 9. By default the setup will run the F-Secure Policy Manager Console for the first time immediately after the CD setup has been run. It is important to run the console after the setup, because some connection properties will be collected during the initial console startup.
  • Page 74 CHAPTER 5 Installing F-Secure Policy Manager Console Step 10. If you did not choose to launch F-Secure Policy Manager Console immediately after the setup has finished, you can find the shortcut from Start >Programs > F-Secure Policy Manager Console > F-Secure Policy Manager Console.
  • Page 75 Step 11. Select your user mode according to your needs: Administrator mode - enables all administrator features. Read-Only mode - allows you to view administrator data, but no changes can be made. If you select Read-only mode, you will not be able to administer hosts.
  • Page 76 CHAPTER 5 Installing F-Secure Policy Manager Console Step 12. Enter the address of the F-Secure Policy Manager Server that is used for communicating with the managed hosts.
  • Page 77 Step 13. Enter the path where the administrator’s public key and private key files will be stored. By default, key files are stored in the F-Secure Policy Manager Console installation directory: Program Files\F-Secure\Administrator. Click Next to continue. If the key-pair does not pre-exist, it will be created later in the setup...
  • Page 78 CHAPTER 5 Installing F-Secure Policy Manager Console Step 14. Move your mouse cursor around in the window to initialize the random seed used by the management key-pair generator. Using the path of the mouse movement ensures that the seed number for the key-pair generation algorithm has enough randomness.
  • Page 79 Step 15. Enter a passphrase, which will secure your private management key. Re-enter your passphrase in the Confirm Passphrase field. Click Next.
  • Page 80 CHAPTER 5 Installing F-Secure Policy Manager Console Step 16. Click Finish to complete the setup process. F-Secure Policy Manager Console will generate the management key-pair.
  • Page 81 After the key-pair is generated, F-Secure Policy Manager Console will start.
  • Page 82 View menu and selecting Advanced Mode. When setting up workstations, you must provide them with a copy of the Admin.pub key file (or access to it). If you install the F-Secure products on the workstations remotely with F-Secure Policy Manager, a copy of the Admin.pub key file is installed automatically on them.

  • Page 83: Uninstalling F-Secure Policy Manager Console

    Changing the Web Browser Path The F-Secure Policy Manager Console acquires the file path to the default Web browser during setup. If you want to change the Web browser path, open the Tools menu, and select Preferences.

  • Page 84: Chapter 6 Using F-Secure Policy Manager Console

    SING ECURE OLICY ANAGER ONSOLE Overview..................85 F-Secure Policy Manager Console Basics ......... 86 F-Secure Client Security Management........104 Managing Domains and Hosts ..........104 Software Distribution ..............115 Managing Policies ..............134 Managing Operations and Tasks..........140 Alerting ..................140 Reporting Tool ................

  • Page 85: Overview

    View reports in HTML format, or export reports to various exports formats. F-Secure Policy Manager Console generates the policy definition, and displays status and alerts. Each managed host has a module (F-Secure Management Agent) enforcing the policy on the host. The conceptual world of F-Secure Policy Manager Console consists of hosts that can be grouped within policy domains.

  • Page 86: F-Secure Policy Manager Console Basics

    Save policy data. Distribute policies. Delete alerts or reports. There can be only one Administrator mode connection to F-Secure Policy Manager Server at a time. There can be several read-only connections to F-Secure Policy Manager Server simultaneously. F-Secure Policy Manager Console Basics The following sections describes the F-Secure Policy Manager Console logon procedure, menu commands and basic tasks.

  • Page 87: Logging In

    6.2.1 Logging In When you start F-Secure Policy Manager Console, the following dialog box will open (click Options to expand the dialog box to include more options) Figure 6-1 F-Secure Policy Manager Console Login dialog The dialog box can be used to select defined connections. Each connection has individual preferences, which makes it easier to manage many servers with a single F-Secure Policy Manager Console instance.
  • Page 88 Polling Period Options. Host connection status controls when hosts are considered disconnected from F-Secure Policy Manager. All hosts that have not contacted F-Secure Policy Manager Server within the defined interval are considered disconnected. The disconnected hosts will have a notification...
  • Page 89 icon in the domain tree and they will appear in the Disconnected Hosts list in the Domain status view. The domain tree notification icons can be switched off from Advanced Options. Note that it is possible to define an interval that is shorter than one day by simply typing in a floating point number in the setting field.

  • Page 90: The User Interface

    Preferences view. 6.2.2 The User Interface When you start F-Secure Policy Manager Console, the user interface opens displaying the following four panes: Policy Domain pane, Properties pane, Product View pane and Messages pane (not visible if...

  • Page 91: Policy Domain Pane

    Figure 6-5 F-Secure Policy Manager Console user interface 6.2.3 Policy Domain Pane In the Policy Domain pane, you can do the following: Add a new policy domain (click the icon, which is located on the toolbar). A new policy domain can be created only when a parent domain is selected.

  • Page 92: Properties Pane

    CHAPTER 6 Using F-Secure Policy Manager Console After selecting a domain or host, you can access the above options from the Edit menu. The domains referred to in the commands are not Windows NT or DNS domains. Policy domains are groups of hosts or subdomains that have a similar security policy.

  • Page 93: Product View Pane

    Product View simply links to the data found also in the MIB tree. The F-Secure Management Agent Product View is on the following page as an example (the same generic operations and functionality are found in all Product Views).
  • Page 94 Certificates - allows definition of trusted certificates Certificate Directory - defines the directory settings where certificates are stored. About - contains a link to F-Secure Web Club (for more details, “Web Club”, 232). You can edit the policy settings normally, and use the restriction setting...
  • Page 95 Figure 6-6 Product View pane Using the Context Menu for Policy Settings Most editor fields in the Product View include a context menu (activated by right-clicking your mouse). The context menu contains the following options: Go To, Clear Value, Force Value and Show domain values. Figure 6-7 Context menu...
  • Page 96 CHAPTER 6 Using F-Secure Policy Manager Console Shortcut to the MIB Tree Node Sometimes it is convenient to see what setting of the MIB tree is actually changed when modifying some specific Product View item. Select the Go To menu item to display the corresponding MIB tree node in the Properties pane.
  • Page 97 Figure 6-8 Show Domain Values dialog Viewing Status Open the Status tab and select the product from the Properties pane. F-Secure Policy Manager Console will render a Product View to the Product View pane, where you can view the more important local settings and statistics.
  • Page 98 CHAPTER 6 Using F-Secure Policy Manager Console disconnected. If the reason is clear, for example, if the host's F-Secure software has been uninstalled, the host can be deleted normally. After investigating one disconnected host, the most convenient way to get back...

  • Page 99: Messages Pane

    Figure 6-11 The status of a component displayed in the Product View pane 6.2.6 Messages Pane F-Secure Policy Manager Console logs messages in the Message pane about different events. Unlike the Alerts and Reports panes, Message pane events are generated only by F-Secure Policy Manager Console.

  • Page 100: The Toolbar

    CHAPTER 6 Using F-Secure Policy Manager Console 6.2.7 The Toolbar The toolbar contains buttons for the most common F-Secure Policy Manager Console tasks. Saves the policy data Distributes the policy Go to the previous domain or host in the domain tree selection history.
  • Page 101 Green signifies that the host has sent an autoregistration request. Displays available installation packages. Updates the virus definition database. Displays all alerts. The icon is highlighted if there are new alerts. When you start F-Secure Policy Manager Console, the icon is always highlighted.

  • Page 102: Menu Commands

    CHAPTER 6 Using F-Secure Policy Manager Console 6.2.8 Menu Commands Menu Command Action File Creates a new policy data instance with the Management Information Base (MIB) defaults. This command is rarely needed because existing policy data will usually be modified and saved using the Save As command.
  • Page 103 Anti-Virus Mode Changes to the Anti-Virus mode user interface, which is optimized for managing centrally F-Secure Client Security. Refresh <Item> Manually refreshes the status, alert, or report view. The menu item changes according to the selected tab in the Properties pane.

  • Page 104: F-Secure Client Security Management

    Displays version information. Manager Console F-Secure Client Security Management In F-Secure Policy Manager 5.50 and later there is a new separate graphical user interface for managing F-Secure Client Security and F-Secure Anti-Virus for Workstations. The new user interface is optimized...
  • Page 105 If you have designed the policy domain structure beforehand, you can import the hosts directly to that structure. If you want to get started quickly, you can also import all hosts to the root domain first, and create the domain structure later, when the need for that arises. The hosts can then be cut and pasted to the new domains.

  • Page 106: Adding Policy Domains

    Using F-Secure Policy Manager Console A third possibility is to group the hosts into subdomains based on the installed F-Secure Client Security version. You could, for example, group hosts that have F-Secure Client Security 6.x installed into one sub-domain, and hosts that have F-Secure Client Security 7.x installed into another domain.

  • Page 107: Adding Hosts

    F-Secure Intelligent Installation by choosing ‘Autodiscover Windows hosts’ from the Edit menu in F-Secure Policy Manager Console. Note that this also installs F-Secure Management Agent on the imported hosts. In order to import hosts from a Windows domain, select the target domain, and choose ‘Autodiscover...
  • Page 108 CHAPTER 6 Using F-Secure Policy Manager Console Figure 6-16 Import Autoregistered Hosts dialog > Autoregistered Hosts tab The Autoregistration view offers a tabular view to the data which the host sends in the autoregistration message. This includes the possible custom...
  • Page 109 Autoregistration Import Rules Figure 6-17 Import Autoregistered Hosts dialog > Import Rules tab You can define the import rules for the autoregistered hosts on the Import Rules tab in the Import Autoregistered Hosts window. You can use the following as import criteria in the rules: WINS name, DNS name, Dynamic DNS name, Custom Properties These support * (asterisk) as a wildcard.
  • Page 110 CHAPTER 6 Using F-Secure Policy Manager Console 192.1.2.3) and IP sub-domain matching (for example: 10.15.0.0/16). You can hide and display columns in the table by using the right-click menu that opens when you right-click any column heading in the Import Rules window.
  • Page 111 . This operation is useful in the following cases: Insert Learning and testing – You can try out a subset of F-Secure Policy Manager Console features without actually installing any software in addition to F-Secure Policy Manager Console. For example, you can create a test domain and host, and define F-Secure VPN+ connections without installing VPN+ to numerous hosts.

  • Page 112: Host Properties

    Also, no status information will be available. Any changes made to the domain structure are implemented even though you exit F-Secure Policy Manager Console without saving changes to the current policy data. 6.4.3...
  • Page 113 The network name for the host is the name that the host uses internally in the network to access policies. Figure 6-19 Host Properties dialog In the Platform tab, you can add the operating system of the host to the properties.
  • Page 114 CHAPTER 6 Using F-Secure Policy Manager Console The VPN+ tab is used only if you have F-Secure VPN+ software. The VPN+ tab contains information about the host's VPN+ identity (used with IPSec connections). You must use an email address as your VPN+ identity for the host if the host does not use static IP addresses, that is, if it is a dial-up host that uses DHCP to get the IP address.

  • Page 115: Software Distribution

    VPN+ identities. For example, this can happen in the following scenario: The host is imported from a Windows domain. (The F-Secure Management Agent is installed remotely.) Because VPN+ is not installed, no information about VPN+ identities can be obtained.
  • Page 116 Manager can update the latest Anti-Virus databases by downloading them automatically from F-Secure’s Automatic Update site. Managed hosts will fetch the updates from F-Secure Policy Manager according to the host policy, either automatically or with remotely triggered operations. For more information, see “Automatic Updates with F-Secure Automatic Update...

  • Page 117: F-Secure Push Installations

    6.5.1 F-Secure Push Installations The only difference between the Autodiscover Windows Hosts and the Push Install to Windows Hosts features is how the target hosts are selected: Autodiscover browses the Windows domains and user can select the target hosts from a list of hosts, Push Install to Windows Hosts allows you to define the target hosts directly with IP addresses or host names.
  • Page 118 Before clicking Refresh, you can change the following Autodiscover options: Hide already managed hosts Select the Hide Managed Hosts check box to show only those hosts, which do not have F-Secure applications installed.
  • Page 119 Resolve hosts with all details (slower) With this selection, all details about the hosts are shown, such as the versions of the operating system and F-Secure Management Agent. Resolve host names and comments only (quicker) If all hosts are not shown in the detailed view or it takes too much time to retrieve the list, this selection can be used.
  • Page 120 Next to continue. You can click Browse to check the F-Secure Management Agent version(s) on the host(s). 4. After you have selected your target hosts, continue to “Push Installation After Target Host Selection”, 120 for instructions on push-installing the applications to hosts.
  • Page 121 1. Select the installation package, and click Next to continue. 2. Select the products to install. You can choose to force reinstallation if applications with the same version number already exist. Click Next to continue. 3. Choose to accept the default policy, or specify which host or domain policy should be used as an anonymous policy.
  • Page 122 CHAPTER 6 Using F-Secure Policy Manager Console Push Installation requires administrator rights for the target machine during the installation. If the account you entered does not have administrator rights on one of the remote hosts, an “Access denied” error message will be indicated for that host, while installation will continue on the other hosts.
  • Page 123 In the final dialog box, click Finish, and go to the next step. 6. F-Secure Policy Manager installs F-Secure Management Agent and the selected products on the hosts. During this process, the Status line will display the procedure in process. You can click...

  • Page 124: Policy-Based Installation

    F-Secure Management Agent installed. F-Secure Policy Manager Console creates an operation-specific installation package, which it stores on the F-Secure Policy Manager Server, and writes an installation task to the base policy files (thus, policy distribution is required to start installations). Both base policy files and the installation package are signed by the management key-pair so that only genuine information is accepted by the hosts.
  • Page 125 Figure 6-21 Installation Editor The Installation Editor contains the following information about the products that are installed on your target policy domain or host: Product Name Name of the product, which is either installed on a host or domain, or which can be installed with an available installation package.
  • Page 126 CHAPTER 6 Using F-Secure Policy Manager Console If a host is selected, the Progress field displays one of the following messages: In progress The installation operation has been started (added to policy data), but the host has not yet reported the operation’s success or failure.
  • Page 127 The new package is saved on F-Secure Policy Manager Server. Start button is used to start the installation operations selected in the Version to Install field. If the installation editor is closed without first clicking Start button, then all changes will be discarded.
  • Page 128 For example, if uninstalling F-Secure Anti-Virus and F-Secure Management Agent: 1. Uninstall F-Secure Anti-Virus 2. Wait for F-Secure Policy Manager Console to report the success or failure of the uninstallation. 3. If F-Secure Anti-Virus was uninstalled successfully, uninstall F-Secure Management Agent.

  • Page 129: Local Installation And Updates With Pre-Configured Packages

    JAR package, by using a customized MSI package, or by using the non-JAR approach. Using the Customized Remote Installation JAR Package 1. Run F-Secure Policy Manager Console. 2. Choose Installation Packages from the Tools menu. This will open the Installation Packages dialog box.
  • Page 130 Click Export. 4. Specify the file location where you want to save the customized installation JAR package. Click Save. 5. Select the products you want to install (F-Secure Management Agent will be installed by default). Click Next to continue.
  • Page 131 9. A summary page shows your choices for the installation. Review the summary and click Start to continue to the installation wizard. 10. F-Secure Policy Manager Console displays the Remote Installation Wizards that collect all necessary setup information for the selected products. When you reach the last wizard page, click Finish to continue.
  • Page 132 ILAUNCHR has the following command line parameters: /U — Unattended. No messages are displayed, even when a fatal error occurs. /F — Forced installation. Completes the installation even if F-Secure Management Agent is already installed. Enter ILAUNCHR /? at the command line to display complete help.

  • Page 133: Information Delivery

    6.5.4 Information Delivery All of the installation information is delivered as files through the F-Secure Policy Manager Server The Installation packages are JAR archives that can be viewed (in WinZip, for example), but other files types (such as the policy files and INI files) are used for triggering the actual installation process.

  • Page 134: Managing Policies

    CHAPTER 6 Using F-Secure Policy Manager Console Managing Policies This section describes how to configure and distribute policies. 6.6.1 Settings To configure settings, browse the policy tree and change the values of the policy variables. There are two types of policy variables: (1) leaf nodes under a subtree, and (2) table cells.

  • Page 135: Restrictions

    6.6.2 Restrictions There are two types of restriction: Access restrictions and Value restrictions. Access restrictions are Final and Hidden. Final always forces the policy: the policy variable overrides any local host value, and the end user cannot change the value as long as the Final restriction is set. Hidden merely hides the value from the end user.

  • Page 136: Saving The Current Policy Data

    CTRL from the saved policy data. Policy files are copied to the Communication directory, where the F-Secure software on the hosts will check for it periodically. The difference between policy data and policy files is important. Policy data is a compact data structure containing the whole policy domain structure.

  • Page 137: Policy Inheritance

    6.6.5 Policy Inheritance In F-Secure Policy Manager Console, each policy domain automatically inherits the settings of its parent domain, allowing for easy and efficient management of large networks. The inherited settings may be overridden for individual hosts or domains. When a domain's inherited settings are changed, the changes are inherited by all of the domain’s hosts and...
  • Page 138 CHAPTER 6 Using F-Secure Policy Manager Console Figure 6-24 Show Domain Values dialog If the subdomain or host values need to be reset to the current domain values, the Force Value operation can be used to clean the sub-domain and host values.
  • Page 139 MIB defaults are obtained based on the product version installed on hosts. For a domain, the values from the newest product version are used. Certain F-Secure products override the default table implementation, and as such they do not implement the normal table inheritance as stated above.

  • Page 140: Managing Operations And Tasks

    CHAPTER 6 Using F-Secure Policy Manager Console Managing Operations and Tasks To launch an operation from F-Secure Policy Manager Console: 1. Select one of the actions from the selected product’s Operations branch in the Policy tab of the Properties pane.

  • Page 141: Viewing Alerts And Reports

    6.8.1 Viewing Alerts and Reports The hosts can send alerts and reports if there has been a problem with a program or an operation. When an alert is received, the button will brighten. To view the alerts, click . The Alerts tab in the Properties pane will open.

  • Page 142: Configuring Alert Forwarding

    When an alert is selected from the list, the Product View pane displays more specific information about the alert. F-Secure Anti-Virus scanning alerts may have an attached report. This report will also be in the Product View pane.
  • Page 143 F-Secure Management Agent>Settings>Alert Forwarding Figure 6-25 The same table can also be found in the F-Secure Management Agent product view in the Alert Forwarding tab. You can specify where alerts are sent according to severity level. The target can be F-Secure Policy Manager Console, the local user interface, an alert agent (such as the Event Viewer, a log file, or SMTP), or a management extension.

  • Page 144: Reporting Tool

    You can further configure the alert target by setting the policy variables under target-specific branches. For example “Settings->Alerting->F-Secure Policy Manager Console->Retry Send Interval” specifies how often a host will attempt to send alerts to F-Secure Policy Manager Console when previous attempts have failed. Reporting Tool The Reporting tool allows users to view and export reports of F-Secure Policy Manager Console managed data.

  • Page 145: Policy Domain / Host Selector Pane

    Figure 6-27 Reporting Tool 6.9.1 Policy Domain / Host Selector Pane In the Policy Domain / Host Selector pane you can select the domains and/or hosts you are interested in from the reporting point of view. The domain selected in the Policy Domain pane is selected by default in the Reporting tool.

  • Page 146: Report Type Selector Pane

    CHAPTER 6 Using F-Secure Policy Manager Console 6.9.2 Report Type Selector Pane In the Report Type Selector pane you can do the following: Select the type of report to be made. Select the filtering by product (only information on selected products is included to the report to be made).

  • Page 147: Report Pane

    Alert Report Type Export/view reports containing information of all alerts at the selected domains. You can also sort alerts with Sort Order Selector, by defining sort order among alert description fields. With Severity Selector you can select, which severity alerts are included to the report to be made. Configuration Report Export/view reports containing information of Type...

  • Page 148: Bottom Pane

    CHAPTER 6 Using F-Secure Policy Manager Console 6.9.4 Bottom Pane In the bottom pane, you can: Reset the defaults to all user interface components. Launch the report exporting process. Launch the report viewing process. Stop the report generating process. Close the Reporting Tool user interface. This does not stop generation of the report to be exported;...

  • Page 149: Preferences

    Figure 6-28 Saving and Exporting a Report 6.10 Preferences Preference settings are either shared or applied to the specific connection.

  • Page 150: 6.10.1 Connection-Specific Preferences

    Advanced Status Cache You can adjust the number of hosts for which F-Secure Policy communication Manager Console caches status information. options...
  • Page 151 You can disable initial status loading if you want to reduce status loading F-Secure Policy Manager Console startup time in a large environment (this is an advanced option that should be used with care, since it causes the following functional differences to the normal status handling): 1.
  • Page 152 Include Comments affects the size of the policy files produced by F-Secure Policy Manager Console. These comments are used to make the file more understandable by the users if they want to read the values directly from the file.

  • Page 153: 6.10.2 Shared Preferences

    General Options operating system or the default English setting. All objects that do not support the system’s local language will be displayed in English. You must restart F-Secure Policy Manager Console for the change to take effect. Appearance -> Highlight You can highlight disconnected hosts in a policy domain tree.
  • Page 154 You may clear all cached information concerning browsed hosts and installed software to clean up disk space. Location Web Club Area Choose your location to connect to the F-Secure web server closest to you. HTML Browser The full path to the HTML browser’s executable file. The...

  • Page 155: Chapter 7 Maintaining F-Secure Policy Manager Server

    AINTAINING ECURE OLICY ANAGER ERVER Overview ................156 Backing Up & Restoring F-Secure Policy Manager Console Data ................. 156 Replicating Software Using Image Files ......159...

  • Page 156: Overview

    CHAPTER 7 Maintaining F-Secure Policy Manager Server Overview F-Secure Policy Manager Server can be maintained by routinely backing up and restoring the console data in the Server. Backing Up & Restoring F-Secure Policy Manager Console Data It is highly recommended that you back up the most important management information regularly.
  • Page 157 To back up the management key-pair, copy the admin.prv file and the admin.pub file from the root of the local F-Secure Policy Manager Console installation directory. Keep the admin.prv file stored in a secure place. It is very important to save a backup copy of the admin.prv key file.
  • Page 158 CHAPTER 7 Maintaining F-Secure Policy Manager Server 5. Back up the lib\Administrator.properties file from the local F-Secure Policy Manager Console installation directory. 6. Restart F-Secure Policy Manager Server service. 7. Reopen the F-Secure Policy Manager Console management sessions. 8. Distribute the policies.

  • Page 159: Replicating Software Using Image Files

    F-Secure Anti-Virus. Configure F-Secure Anti-Virus to use the correct F-Secure Policy Manager Server. However, do not import the host to F-Secure Policy Manager Console if the host has sent an autoregistration request to the F-Secure Policy Manager Server. Only hosts to where the image file will be installed should be imported.
  • Page 160 Maintaining F-Secure Policy Manager Server 4. Create the disk image file. 5. The utility program resets the Unique ID in the F-Secure Anti-Virus installation. A new Unique ID is created automatically when the system is restarted. This will happen individually on each machine where the image file is installed.

  • Page 161: Chapter 8 Updating F-Secure Virus Definition Databases

    PDATING ECURE IRUS EFINITION ATABASES Automatic Updates with F-Secure Automatic Update Agent . 162 Using the Automatic Update Agent........164 Forcing the Update Agent to Check for New Updates Immediately................169 Updating the Databases Manually........169 Troubleshooting..............170...

  • Page 162: Automatic Updates With F-Secure Automatic Update Agent

    With F-Secure Automatic Update Agent, you are able to receive automatic updates and informational content without interrupting your work to wait for files to download from the Web. F-Secure Automatic Update Agent downloads files automatically in the background using bandwidth not being used by other Internet applications, so users can always be sure they will have the latest updates without having to search the Web.
  • Page 163 In F-Secure Policy Manager 6.0 and onwards, the Automatic Update Agent installed with F-Secure products tries to download the automatic updates from the configured update sources in the following order: a. If there are Policy Manager Proxies in use in the company network, the client tries to connect to F-Secure Policy Manager Server through each Policy Manager Proxy in turn.

  • Page 164: Using The Automatic Update Agent

    Updating F-Secure Virus Definition Databases Automated updates You don't have to look for the updates and manually download them. With F-Secure Automatic Update Agent, you will automatically get the virus definition updates when they have been published by F-Secure. Using the Automatic Update Agent With F-Secure Policy Manager 7.0 and onwards, the F-Secure Automatic...

  • Page 165: How To Read The Log File

    1 hour. poll_interval=3600 If the minimum polling interval defined at the F-Secure Update Server is, for example, 2 hours, the settings in F-Secure Automatic Update Agent configuration file cannot override that limitation. Step 4. Save and close the file.
  • Page 166 CHAPTER 8 Updating F-Secure Virus Definition Databases [ 3988]Thu Oct 26 12:40:39 2006(3): Downloaded 'F-Secure Anti-Virus Update 2006-10-26_04' - 'DFUpdates' version '1161851933' from fsbwserver.f-secure.com, 12445450 bytes (download size 3853577) A brief explanation of what happened. When an update is downloaded, the update name and version are shown.
  • Page 167 Anti-Virus Update result of updating the communication directory. Note that 2006-10-26_04' : Success F-Secure Automatic Update Agent is not able to display whether the new files have been taken into use by the host(s) or not. An error message indicating that the update check failed.
  • Page 168 2006-10-26_04' : Success You can also see a summary of the Virus, Spyware and System Control update statuses on the server on the Summary tab in F-Secure Policy Manager Console. To check the update status on a centrally managed host, go to the Status...

  • Page 169: Forcing The Update Agent To Check For New Updates Immediately

    Forcing the Update Agent to Check for New Updates Immediately If you need to force F-Secure Automatic Update Agent to check for new updates immediately, you need to stop and restart the fsaua service. To do this, enter the following commands on command line:...

  • Page 170: Troubleshooting

    CHAPTER 8 Updating F-Secure Virus Definition Databases Troubleshooting Below are some examples of problems that may be logged as error messages in the fsaua.log file. Problem: There was a DNS lookup failure, or connection failed, was lost or refused. Reason:...
  • Page 171 ECURE OLICY ANAGER ON INUX Overview................... 172 Installation ................172 Configuration ................177 Uninstallation ................177 Frequently Asked Questions ............ 179...

  • Page 172: Differences Between Windows And Linux

    Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SUSE Linux 10.0 SUSE Linux 9.x SUSE Linux Enterprise Server 9 Debian GNU Linux Sarge 3.1 Installation F-Secure Policy Manager is installed in four parts. They must be installed in the following order:...

  • Page 173: Installing F-Secure Automatic Update Agent

    Reporting and F-Secure Automatic Update Agent must all be installed on the same computer. This can be either Windows or Linux. F-Secure Policy Manager Console can be installed on the same or a separate computer. This can be Windows or Linux.

  • Page 174: Installing F-Secure Policy Manager Server

    CHAPTER 9 F-Secure Policy Manager on Linux 6. If you want to specify how often F-Secure Automatic Update Agent checks for new updates, enter a new polling interval value when the configuration script asks for it. The default is 3600 seconds, which is 1 hour.

  • Page 175: Installing F-Secure Policy Manager Console

    A new user group called fspmc is created automatically. Users must be added to the fspmc user group before they can run F-Secure Policy Manager Console: 4. Check which groups the user belongs to: groups <user id>...

  • Page 176: Installing F-Secure Policy Manager Web Reporting

    These questions are the same as for the Windows version (see “Installation Steps”, 65). 9.2.4 Installing F-Secure Policy Manager Web Reporting 1. Log in as root. 2. Open a terminal. 3. To install type: Debian Based Distributions...

  • Page 177: Configuration

    Configuration F-Secure Policy Manager components have separate configuration scripts. To configure each component type the corresponding configuration command and answer the questions. F-Secure Policy Manager Component Configuration Command F-Secure Policy Manager Server /opt/f-secure/fspms/bin/fspms-config F-Secure Policy Manager Web Reporting /opt/f-secure/fspmwr/bin/fspmwr-config Uninstallation You must uninstall the four components in this order: 1.

  • Page 178: Uninstalling F-Secure Policy Manager Console

    CHAPTER 9 F-Secure Policy Manager on Linux 9.4.2 Uninstalling F-Secure Policy Manager Console 1. Log in as root. 1. Open a terminal. 2. Type: Debian Based Distributions RPM Based Distributions dpkg -r f-secure-policy-manager-console rpm -e f-secure-policy-manager-console Log files and configuration files are not removed as these are irreplaceable and contain valuable information.

  • Page 179: Uninstalling F-Secure Automatic Update Agent

    RPM Based Distributions dpkg -r f-secure-automatic-update-agent rpm -e f-secure-automatic-update-agent Frequently Asked Questions Q. Why doesn't F-Secure Policy Manager Console start? A. Runtime errors and warnings are logged to: /opt/f-secure/fspmc/lib/Administrator.error.log Q. Why doesn't F-Secure Policy Manager Server start? A. Runtime errors, warnings and other information are logged to:...
  • Page 180 F-Secure Policy Manager Server and F-Secure Automatic Update Agent by typing: sudo -u fspms /opt/f-secure/fspms/bin/fsavupd --debug Q. Where are the F-Secure Policy Manager Console files located in the Linux version? A. To list all files and their places type: Debian Based Distributions...
  • Page 181 Configuration files /etc/opt/f-secure/fspms/ Communication Directory /var/opt/f-secure/fspms/commdir Q. How do I change the ports at which F-Secure Policy Manager Server listens for requests? A. See “Access to F-Secure Policy Manager Server will be limited only to the separately defined IP addresses by editing the httpd.conf file.”,...
  • Page 182 Restart F-Secure Automatic Update Agent so that the changes take effect: /etc/init.d/fsaua restart Q. How can I use an HTTP proxy with F-Secure Automatic Update Agent? A. HTTP proxies are set through the file /opt/f-secure/fsaua/etc/ fsaua_config a. Open the file /opt/f-secure/fsaua/etc/fsaua_config with a text editor.
  • Page 183 Q. How can I restart F-Secure Automatic Update Agent after changing the configuration file? A. To restart F-Secure Automatic Update Agent, type: /etc/init.d/fsaua restart...
  • Page 184 EPORTING Overview................... 185 Introduction................185 Web Reporting Client System Requirements ......186 Generating and Viewing Reports..........186 Maintaining Web Reporting ............190 Web Reporting Error Messages and Troubleshooting....196...

  • Page 185: Overview

    The Web Reporting database collects all data that is currently stored in the F-Secure Policy Manager Server, and adds new data as it arrives. The collected data includes most of the data in alerts and some of the data in...

  • Page 186: Web Reporting Client System Requirements

    Summary, Alerts, Installed Software and Host Properties) in the Web Reporting user interface. The starting of F-Secure Policy Manager Web Reporting can take a lot of time in big environments. When the Web Reporting is starting the reports are not available, and if you try to access them some error messages might be displayed.

  • Page 187: Generating A Report

    You can generate a web report as follows: 1. First open the F-Secure Policy Manager Web Reporting main page. Enter the name or IP address of the F-Secure Policy Manager Server followed by the Web Reporting port (separated by a colon) in your browser.
  • Page 188 2. Wait until the Web Reporting page opens. In large environments this can take a lot of time. When the F-Secure Policy Manager Web Reporting page opens, it displays a default report for the currently selected report category. Root is selected by default in the Policy Domains pane.

  • Page 189: Creating A Printable Report

    10.4.3 Creating a Printable Report To get a printable version of the page, click the icon in the upper right corner of the page. This opens a new browser window with the contents of the main frame in printable format, and you can then print the page with your browser’s normal print functionality.

  • Page 190: Generating A Specific Url For Automated Report Generation

    First generate a printable version of the page and then save the whole page in a browser. This will always show the 'old' report. For instructions, see “Creating a Printable Report”, 189. 10.5 Maintaining Web Reporting This section covers the most common F-Secure Policy Manager Web Reporting maintenance tasks.

  • Page 191: Disabling Web Reporting

    10.5.1 Disabling Web Reporting You can disable F-Secure Policy Manager Web Reporting by using the Service Control Panel as follows: 1. Open the Service Control Panel from the Windows Start menu. 2. Select F-Secure Policy Manager Web Reporting from the list of services.

  • Page 192: Restricting Or Allowing Wider Access To Web Reports

    F-Secure Policy Manager Server and F-Secure Policy Manager Web Reporting. After any change to the configuration, you need to stop F-Secure Policy Manager Server, and restart it for the changes to become active.

  • Page 193: Changing The Web Reporting Port

    IP addresses can use Web Reporting. 10.5.4 Changing the Web Reporting Port The recommended method for changing the F-Secure Policy Manager Web Reporting port is to re-run the F-Secure Policy Manager Setup, and change the Web Reporting port there. For more information, see “Installation Steps”, 37.

  • Page 194: Creating A Backup Copy Of The Web Reporting Database

    3. Start F-Secure Policy Manager Server. If there is a port conflict, F-Secure Policy Manager Server will not start, and an error message will be printed in the log file. In this case you should try another, unused port.

  • Page 195: Changing The Maximum Data Storage Time In The Web Reporting Database

    1. Stop the F-Secure Policy Manager Web Reporting service. 2. Copy and decompress the fspmwr.fdb file from the backup media to the following directory: 3. C:\Program Files\F-Secure\Management Server 5\Web Reporting\firebird\data 4. Restart the F-Secure Policy Manager Web Reporting service. 10.5.7 Changing the Maximum Data Storage Time in the Web...

  • Page 196: Web Reporting Error Messages And Troubleshooting

    Web Reporting is not installed on that machine, or F-Secure Policy Manager Server service is not running. Check all of these in this order. A firewall may also prevent the connection.

  • Page 197: Troubleshooting

    Web Reporting service. If this does not help, you may wish to reinstall Web Reporting, keeping the existing database. 10.6.2 Troubleshooting In general, if F-Secure Policy Manager Web Reporting does not work, try one of the following, in this order: Reload the page.
  • Page 198 1. Stop the F-Secure Policy Manager Web Reporting service. 2. Copy fspmwr.fdb.empty on top of fspmwr.fdb, replacing fspmwr.fdb. They are in the same directory. If the fspmwr.fdb.empty file accidentally gets lost, you need to re-install F-Secure Policy Manager Server. 3. Start the F-Secure Policy Manager Web Reporting service.
  • Page 199 ECURE OLICY ANAGER ROXY Overview................... 200 Main Differences between Anti-Virus Proxy and Policy Manager Proxy ..................200...

  • Page 200: Chapter 11 F-Secure Policy Manager Proxy

    Since the heavy database update traffic is redirected to the F-Secure Anti-Virus Proxy in the same local network, the network connection between manager workstations and F-Secure Policy Manager Server has a substantially lighter load.
  • Page 201 F-Secure Anti-Virus Proxy acts as a standalone server in the network, and it can provide updates to hosts without a connection to an upstream server. The only upstream server it can connect to is the F-Secure Update Server. F-Secure Policy Manager Proxy acts as a true proxy in the network and requires a connection to an upstream server to be able to serve updates to clients.
  • Page 202 ROUBLESHOOTING Overview................... 203 F-Secure Policy Manager Server and Console ......203 F-Secure Policy Manager Web Reporting ........ 208 Policy Distribution..............209...

  • Page 203: Overview

    This chapter contains troubleshooting information and frequently asked questions about F-Secure Policy Manager Server and F-Secure Policy Manager Console. For information on how to configure F-Secure Policy Manager Server, and how to change the ports the server listen for requests, see “Configuring F-Secure Policy Manager Server”, 51.
  • Page 204 Manager Server service or reboot the computer. The fsms_<COMPUTERNAME> account is created during the installation of F-Secure Policy Manager Server, and the service is started under this user account. With normal installation, the directory access rights for Management Server 5 directory are automatically set correctly. If the directory is copied by hand or, for example, restored from backup, the access rights might be deleted.
  • Page 205 Q. How can the server role change stop F-Secure Policy Manager Server from working? A. Domain Controller server and Member/Standalone server use different types of accounts: domain accounts on Domain Controller and local accounts on Member server. Because F-Secure Policy Manager Server uses its own account to run, this account becomes invalid with the role change.
  • Page 206 Manager Server service from starting. For more information on these please consult the Microsoft Windows Server documentation. Q. Why am I unable to connect to F-Secure Policy Manager Server? A. If you are getting the ‘Unable to connect to management server.
  • Page 207 Q. Why does F-Secure Policy Manager Console lose the connection to F-Secure Policy Manager Server? A. If F-Secure Policy Manager Console is run on a separate computer from F-Secure Policy Manager Server, then the connection may be affected by network problems. There have been numerous reports...

  • Page 208: F-Secure Policy Manager Web Reporting

    <F-Secure>\Management Server 5\Web Reporting\logs The configuration files are in: <F-Secure>\Management Server 5\Web Reporting\fspmwr.conf <F-Secure>\Management Server 5\Web Reporting\jetty\ etc\fspmwr.xml <F-Secure>\Management Server 5\Web Reporting\firebird\ aliases.conf <F-Secure>\Management Server 5\Web Reporting\firebird\firebird.conf See also the F-Secure Policy Manager Server configuration files: <F-Secure>\Management Server 5\conf\httpd.conf <F-Secure>\Management Server 5\conf\workers.properties...

  • Page 209: Policy Distribution

    12.4 Policy Distribution Q. When distributing a policy, F-Secure Policy Manager Console shows an error message about an invalid policy value. What should I do? A. See below for information on error messages you may see during policy distribution, and for the reasons and solutions.

  • Page 210: Chapter 12 Troubleshooting

    Troubleshooting 1. Group the hosts into subdomains based on the installed product version. For example, group hosts that have F-Secure Client Security 6.x installed into one sub-domain, and hosts that have F-Secure Client Security 7.x installed into another domain 2. Set most of the settings on the root domain and create a sub-domains for exceptions.
  • Page 211 SNMP Support Overview................... 212 Installing F-Secure Management Agent with SNMP Support... 213 Configuring The SNMP Master Agent ........214 Management Information Base ..........215...

  • Page 212: Overview

    The NT master agent hosts the extensions and passes the requests to the Management Agent, which is responsible for returning the request to the management console that made it. The F-Secure SNMP Management Extension may be loaded even if no other modules...

  • Page 213: Installing F-Secure Management Agent With Snmp Support

    F-Secure SNMP Management Extension Installation SNMP support for F-Secure Management Agent is installed by installing Management Extensions. f the SNMP master agent is installed when installing the F-Secure SNMP Management Extension, the corresponding Service Pack has to be re-installed (see...

  • Page 214: Configuring The Snmp Master Agent

    APPENDIX A SNMP Support Configuring The SNMP Master Agent The SNMP Service is installed from the Windows Control Panel Network Options window. The SNMP Service option is in the TCP/IP Installation Options window. After the SNMP Service software is installed on your computer, you must configure it with valid information in order for SNMP to operate.

  • Page 215: Management Information Base

    Traps are sent to the management station through the SNMP agent only if forwarding is selected in the product’s redirection table in F-Secure Policy Manager Console. For more information about trap redirection, see “Configuring Alert Forwarding”,...
  • Page 216 Ilaunchr Error Codes Overview................... 217 Error Codes ................218...

  • Page 217: B.1 Overview

    Overview When Ilaunchr.exe is completed silently, it reports installation results with the standard exit codes. With the login script, you can test for the cause of the problem. Here is one example, which you can insert into your login script: Start /Wait ILaunchr.exe \\server\share\mysuite.jar /U if errorlevel 100 Go to Some_Setup_Error_occurred if errorlevel 5 Go to Some_Ilaunchr_Error_occurred...

  • Page 218: B.2 Error Codes

    APPENDIX B Ilaunchr Error Codes Error Codes Installation OK. FSMA already installed. User has no administrative rights. JAR not found. JAR corrupted. Error occurred when unpacking an installation package. Target disk has insufficient free space for installation. File package.ini was not found in JAR file. File package.ini did not contain any work instructions.
  • Page 219 Update is disabled. (Setup attempted to update the installation.) Setup was unable to read the product.ini file. Invalid data is encountered in prodsett.ini. Management Agent canceled the installation or conflicting software was found. Installation aborted. The CD-KEY was entered incorrectly or is missing.
  • Page 220 APPENDIX B Ilaunchr Error Codes Setup was unable to load installation support dll. Setup was unable to load wrapper dll. Setup was unable to initialize a cabinet file. Management Agent Setup plug-in returned error. Plug-in returned an unexpected code. Plug-in returned a wrapper code. One of the previous install/uninstall operations was not completed.
  • Page 221 FSII Remote Installation Error Codes Overview................... 222 Windows Error Codes............... 222 Error Messages ................ 223...

  • Page 222: C.1 Overview

    Access Denied -- If using “This Account”, it is important that the administrator is logged on to the F-Secure Policy Manager Console machine with Domain Administrator privileges. With Domain Trusts, make sure you have logged on to the F-Secure Policy Manager Console using the account from the trusted domain. 1069 Logon Failure.

  • Page 223: C.3 Error Messages

    A. By default even the administrator does not have a required “Act as part of operating system” privilege on the F-Secure Policy Manager Console machine. Without this privilege, Windows NT does not allow FSII to authenticate the entered user accounts. To add this privilege to administrator’s account on the F-Secure Policy Manager Console,...
  • Page 224 Q. Management Agent installation failed to fatal FSMAINST error, see host log files for details. A. Fatal installation error occurred during F-Secure Management Agent installation. It is recommended that Management Agent be installed manually to the host. It is also possible to try to find out the ERROR keyword from the fswssdbg.log file located in the target Windows...
  • Page 225 Remote Installation Support for Windows 98/ME Enabling Remote Administration ..........226...

  • Page 226: D.1 Enabling Remote Administration

    3. From Control Panel Passwords, make sure Remote Administration is enabled. Optional Remote Registry Support If you want to allow installed agent version to appear in the F-Secure Policy Manager Console’s AutoDiscover screen, you need to install Microsoft 98/ME Remote Registry services: 1.
  • Page 227 user group names that are not compatible with the English version of Windows NT Server. You must verify that the Administrators list contains the administrator group name in pure English (Domain Admins).
  • Page 228 NSC Notation for Netmasks Overview................... 229...

  • Page 229: E.1 Overview

    Overview NSC notation is a standard shorthand notation, which combines a network address with its associated netmask. NSC notation defines the number of contiguous one-bits in the netmask with a slash and a number following the network address. Here is a simple example: Network Address Netmask...
  • Page 230 APPENDIX E NSC Notation for Netmasks Netmask Bits Netmask Bits 255.255.128.0 255.255.255.128 255.255.192.0 255.255.255.192 255.255.224.0 255.255.255.224 255.255.240.0 255.255.255.240 255.255.248.0 255.255.255.248 255.255.252.0 255.255.255.252 255.255.254.0 255.255.255.254 255.255.255.0 255.255.255.255...

  • Page 231: Technical Support

    ECHNICAL UPPORT Overview................... 232 Web Club.................. 232 Advanced Technical Support............ 232 F-Secure Technical Product Training ........233...

  • Page 232: Web Club

    The F-Secure Web Club provides assistance to users of F-Secure products. To enter, choose the Web Club command from the Help menu in the F-Secure application. The first time you use this option, enter the path and name of your Web browser and your location.

  • Page 233: F-Secure Technical Product Training

    After installing the F-Secure software, you may find a ReadMe file in the F-Secure folder in the Windows Start > Programs menu. The ReadMe file contains late-breaking information about the product.

  • Page 234: Contact Information

    The courses take place in modern and well-equipped classrooms. All of our courses consist of theory and hands-on parts. At the end of each course there is a certification exam. Contact your local F-Secure office or F-Secure Certified Training Partner to get information about the courses and schedules.

  • Page 235: Glossary

    LOSSARY...
  • Page 236 Data that has been modified without the user’s authorization or approval. Domain Name A unique name that identifies an Internet site (for example, F-Secure.com) Domain Name System. A service that converts symbolic node names to IP addresses. DNS uses a distributed database. Firewall A combination of hardware and software that separates a network into two or more parts for security purposes.
  • Page 237 (File Transfer Protocol) A very common method of moving files between two Internet sites. Host Any computer on a network that is a repository for services available to other computers on the network. HTTP The Hyper Text Transfer Protocol is the protocol used between a Web browser and a server to request a document and transfer its contents.
  • Page 238 Glossary Kernel Mode The part of the Windows operating system, through which, among other things, user-mode applications and services use an API to interact with the computer's hardware. The Kernel mode also contains an interface to user-mode, and a facility for synchronizing it's own services and coordinating all I/O functions.
  • Page 239 Random Seed The seed value for the cryptographically strong random number generator, which is updated each time an F-Secure application closes. Server A computer, or a piece of software, that provides a specific kind of service to client software.
  • Page 240 Glossary SNMP Simple Network Management Protocol. A standard TCP/IP protocol used for monitoring and setting network parameters and counters of LAN- and WAN-connected repeaters, bridges, routers, and other devices. TCP/IP (Transmission Control Protocol/Internet Protocol) This is the suite of protocols that defines the Internet. Originally designed for the UNIX operating system, TCP/IP software is now available for every major kind of computer operating system.
  • Page 241 F-Secure Corporation is the fastest growing publicly listed company in the antivirus and intrusion prevention industry with more than 50% revenue growth in 2004. Founded in 1988, F-Secure has been listed on the Helsinki Stock Exchange since 1999. We have our headquarters in Helsinki, Finland, and offices in USA, France, Germany, Italy, Sweden, the United Kingdom and Japan.

Table of Contents