Check Point Integrity Advanced Server Installation Manual
Installation Guide

Installing, Configuring, and Maintaining Integrity Advanced Server
1-0276-0650-2006-04-07


Summary of Contents for Check Point Integrity Advanced Server

  • Page 1: Installation Guide

    Installation Guide Installing, Configuring, and Maintaining Integrity Advanced Server 1-0276-0650-2006-04-07...
  • Page 2 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, Web Intelligence, ZoneAlarm, Zone Alarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S.
  • Page 3: Table Of Contents

    Single host deployments (2); Clustered Integrity Advanced Server (3); Integrity Advanced Server communications (4); Integrity Advanced Server services and ports (4); IAS services details (6); Chapter 2: Installing and Configuring the Integrity Advanced Server (7); Clustering Integrity Advanced Servers ...
  • Page 4 Testing Integrity Advanced Server (40); Setting up the Integrity Advanced Server test (41); Logging on to the Integrity Advanced Server Administrator Console (41); Creating a custom user catalog (43); Performing the Integrity Advanced Server Tests (44); Create, deploy, and assign a new policy to the client ...
  • Page 5 Chapter 7: Maintaining Integrity Advanced Server (48); Monitor your database tablespace (48); Update your database statistics (48); Optimize query performance (48); Monitor your disk space (48); Index (50). Integrity Advanced Server Installation Guide...
  • Page 6: Integrity Advanced Server Overview

    Chapter 1 Integrity Advanced Server Overview This chapter describes Integrity Advanced Server components and communications. “Integrity Advanced Server system components,” on page “Integrity Advanced Server communications,” on page
  • Page 7: Integrity Advanced Server System Components

    This section provides an overview of the Integrity Advanced Server system components. Integrity Advanced Server is scalable and can be deployed on one host in smaller environments or clustered in a server farm on many hosts to support a high volume of connections in a larger environment.
  • Page 8: Clustered Integrity Advanced Server

    Advanced Server hosts have the same time and date. Figure 1-2: Clustered Integrity Advanced Server Configuration * These components are not supplied as part of the Integrity Advanced Server distribution, and must be obtained from a third party. You may use a RADIUS server, or use the Integrity Advanced Server’s Administrator Authentication feature for authentication.
  • Page 9: Integrity Advanced Server Communications

    SSL, file caching, UDP, and/or TCP socket off loading functionality (see page 4). This service and proxy configuration enables Integrity Advanced Server to be set up in a highly scalable and fault-tolerant clustered environment.
  • Page 10 Figure 1-3: Integrity Advanced Server services and ports
  • Page 11: Ias Services Details

    … Manager: Serves the client installer packages that install an Integrity client on an endpoint computer. Administrator Console (service.enable.adminConsole): Serves the user interface that allows administrators to manage the Integrity Advanced Server. Table 1-1: Description of Integrity Services
  • Page 12: Installing And Configuring The Integrity Advanced Server

    Clustering Integrity Advanced Servers When deploying a cluster of Integrity Advanced Servers, you should first configure and test a single Integrity Advanced Server. After you confirm that the single server is functioning properly, install and configure Integrity Advanced Server on the remaining nodes of the cluster.
  • Page 13: Upgrading And Migrating Integrity Advanced Server

    See “Backing up an existing installation,” on page 7. Integrity Advanced Server supports two methods of changing from an earlier to a later version of Integrity Advanced Server: Upgrading —To upgrade from 6.0.448.01 and later versions, select the Upgrade option in the installer.
  • Page 14: Configuring The Databases And Gathering Information

    If you are using a single server, instead of a clustered system, you can choose to use the embedded database. If you use the embedded database, it will be automatically configured by the Integrity Advanced Server Installer and you can skip the steps in this section.
  • Page 15 Use a host name rather than an IP address to specify your database. This allows you to later change your database. 3. Record your database port for connections with the Integrity Advanced Server. 4. Create the Integrity Advanced Server database name.
  • Page 16 7. Record the database username and password for the Integrity Advanced Server. To configure SQL Server: 1. Create your database. 2. Record your database server host name. Use a host name rather than an IP address to specify your database. This allows you to later change your database.
  • Page 17: Synchronizing Clocks

    8. Record the database username and password for Integrity Advanced Server. Synchronizing Clocks It is recommended that you synchronize the clocks on the Integrity Advanced Server with those on your database. If you are using clustering, you must synchronize all nodes on the cluster.
  • Page 18: Running The Installer

    Running the Installer The Integrity Advanced Server installers use wizards to help you to install and configure your Integrity Advanced Server. There is a wizard for Windows installations and a wizard for Linux installations. Choose the installer appropriate for your system.
  • Page 19: Installation Information

    Make sure you have backed up your system before choosing this option. See “Backing up an existing installation,” on page 7. Join Cluster Installation—Use this option to install Integrity Advanced Server for joining with an existing cluster. Server Type There are two server types: Integrity Advanced Server—Choose this option if you want clustering.
  • Page 20: Server Properties

    IP address. Heartbeat port—Enter the UDP heartbeat port. Domain Options Single Domain—Single domain Integrity Advanced Server installations can only have one domain segment for all administrators, user directories, and policies Multiple Domains—Multiple domain Integrity Advanced Server installations can have multiple data segments for different administrators, user directories, and policies.
  • Page 21: Database Information

    Database Information The Integrity Advanced Server uses a database to store operational and log information. Use the following information to specify the information for the database. Database Type—Select a database type. JDBC Driver Folder—Enter the location of the JDBC drivers residing locally on your server.
  • Page 22: Setting Client Languages

    To add client language options after installation: 1. Shut down Integrity Advanced Server. (In a clustered environment, shut down all Integrity nodes in the cluster.) 2. At the command line, go to <install_dir>\engine\webapps\ROOT\bin. (In a clustered environment, you can do this on any node in the cluster.) 3.
  • Page 23: Completing The Installation

    Create an Integrity Advanced Server account, called “masteradmin” on the RADIUS server. If you are migrating data from a 5.x version of Integrity Advanced Server, you should log into the Administrator console and complete the migration before making changes to the configuration file.
  • Page 24: Updating The Configuration File

    2. Create a backup of install-upgrade.properties.
    3. Open install-upgrade.properties in a text editor.
    4. Specify the following properties:
       radius.authtype=<CHAP or PAP>
       radius.server=<IP address of your radius server>
       radius.port=<Port for your radius server. Usually 1812.>
       Radius.secret=<Radius secret code>
  • Page 25: Copying The Files To The Cluster

    Configuring Integrity Advanced Server Cluster Load Balancer This section explains the minimum set up requirements for the cluster load balancer. The load balancer routes the traffic to two or more Integrity Advanced Server nodes. To configure load balancing: 1. Set up the virtual server.
  • Page 26: Setting Status Verification

    ZSPHB (UDP 6054) Setting status verification Configure a load balancer service to check that each Integrity Advanced Server node is up and running. To check system status, set up an HTTPS GET on the URL “https://{Integrity_IP}/systemstatus” (where {Integrity_IP} is the Integrity Advanced Server IP address).
  • Page 27: Using Integrity With A Proxy Server

    If you plan to use Integrity’s Program Advisor feature or Anti-Spyware feature in an environment that includes a proxy server for Internet access, perform the configuration steps below to let Integrity Advanced Server connect to Check Point’s central servers (containing Program Advisor settings or Anti-Spyware definitions) through the proxy server.
  • Page 28: Updating The Logo

    "-Xms256M -Xmx512M -Djava.awt.headless=true -DproxyHost=true -Dhttp.proxyHost=hostname -Dhttp.proxyPort=port -Dhttps.proxyHost=hostname -Dhttps.proxyPort=port" Updating the logo If you want the Integrity Advanced Server user interface to display your company’s logo, you must specify the image file for your logo. To update the logo: 1. Log in as root.
  • Page 29: Starting And Stopping Integrity Advanced Server

    This chapter explains how to manually start, stop, and restart Integrity Advanced Server and the Apache httpd server. In order for the Integrity Advanced Server to operate, the database host and Integrity Advanced Server database instances must also be running.
  • Page 30: Managing A Windows Setup

    Managing a Windows Setup Stopping, starting, and resetting the services Use the Control Panel to start, stop, or reset the Integrity Advanced Server, Apache, or Tomcat services. To stop, start, or reset the services 1. Go to Control Panel | Administrative Tools | Services.
  • Page 31: Managing A Linux Setup

    Starting, stopping, and restarting the Integrity Advanced Server This section explains how to start, stop, or restart, the Integrity Advanced Server only. To start, stop, or restart the Integrity Advanced Server only: 1. Log in to the Integrity Advanced Server host as root.
  • Page 32: Chapter 4: Migrating Data

    The best practice for upgrading is to install the new Integrity Advanced Server, perform the migration steps to transfer your data, then test the new server with a limited deployment.
  • Page 33: Data That Is Not Migrated

    1. Gather the database information and configure your databases. You must create new database schemas for the new installation. See “Configuring the databases and gathering information,” on page 9. 2. Synchronize clocks. “Synchronizing Clocks,” on page 12.
  • Page 34: Running The Installer

    4. Complete the second migration page with your database information and click Run Migration. If you are using an embedded database and it is located on a different computer, copy the …./Repository/data directory with all its content from that computer to...
  • Page 35: Redeploy Policies To Users

    If you cancel the migration process, you will not have another opportunity to import your data. You will need to uninstall the Integrity Advanced Server then reinstall it to migrate your data. Redeploy policies to users Once you have successfully migrated your old data, you will need to redeploy your policies to users.
  • Page 36: Setting Up System Event Logs

    This chapter explains how to set up system event logging and provides recommended messaging and logs. This chapter covers the following topics: “Understanding events and logging,” on page “Using SNMP with Integrity,” on page “Managing events,” on page
  • Page 37: Understanding Events And Logging

    The preconfigured log and message types are: Text — Records event messages in a text file (on Integrity Advanced Server or any other accessible server). Messages are appended as the events occur. SMTP — Sends an event message to an SMTP destination, such as e-mail or a pager.
  • Page 38: Recommended Event Logs

    Routing Fatal messages to e-mail and pager accounts (SMTP) Integrity Advanced Server generates Fatal events when immediate intervention is required to keep the system running or to bring the system back online. Use the following configuration to send Fatal messages to a list of e-mail recipients, including those with SMTP-compatible pagers.
  • Page 39 Routing Log Upload System warn and error messages to e-mail and pager accounts (SMTP) The Log Upload System loads client logs into the Integrity Advanced Server database. The Log Upload System does not produce any fatal errors for Integrity Advanced Server.
  • Page 40 Integrity to send syslog events to the syslog server. All nodes in the Integrity Advanced Server cluster append events to the same remote SYSLOG server when the syslog is stored somewhere other than an Integrity Advanced Server node.
  • Page 41: Using Snmp With Integrity

    37. Trap Formats Traps include a header and a message. All traps have a common header, as they are all generated by Integrity Advanced Server. Here is an example trap showing administrator login: [public] [1.3.6.1.4.2620]...
  • Page 42: Managing Events

    Deleting event Deleting an event from Integrity Advanced Server completely removes it from the system. Integrity immediately stops recording and sending events from the local host. In a clustered environment, other nodes in the cluster stop sending information the next time the administrative services are replicated.
  • Page 43: Sending Logs To The Smartcenter Server

    Testing Integrity Advanced Server Once you have installed and configured the Integrity Advanced Server and started all the components, you are ready to set up the Integrity Advanced Server for testing. Use the tests in this chapter to verify that: Integrity Advanced Server can detect a client session.
  • Page 44: Configuring Integrity Advanced Server

    Use the steps in this section to set up your system to test the basic functionality of your Integrity Server. For detailed instructions on using the Integrity Advanced Server, refer to the Integrity Advanced Server Administrator Guide. Perform the following steps: 1.
  • Page 45: Testing Integrity Advanced Server

    If you are using RADIUS authentication, enter the password you used for the RADIUS server for this account. 4. Click Log in. You are now logged into the Integrity Advanced Server Administrator Console. Installing the Security Certificate This step only applies to administrators with self-signed certificates that are using Internet Explorer.
  • Page 46: Setting Up The Integrity Advanced Server Test

    Creating a custom user catalog The user’s authentication information (catalog and group) entered on the endpoint computer is passed to the Integrity Advanced Server when the user establishes a connection. The Integrity Advanced Server deploys and enforces policies based on the authentication data.
  • Page 47: Create, Deploy, And Assign A New Policy To The Client

    “Verifying the Integrity Advanced Server session on the Integrity client,” page 47. All the components in the Integrity Advanced Server system, including the database instances, RADIUS server, and Apache httpd server must be running to perform the steps in this section.
  • Page 48 7. Click Save. This saves the policy with the preconfigured settings only. 8. Enter version comments, click Save and Deploy. 9. Click Yes to confirm deployment. The Policy Manager page appears with Test1 in the Policy list.
  • Page 49: Performing The Integrity Advanced Server Tests

    The Assign Policies page appears. 4. In the Policy dropdown list, select Test1. 5. Click Assign. The Confirm Policy Assignment page appears. 6. Click Assign. The Assign Policy page appears with the “Deployed Policy” of the catalog as Test1.
  • Page 50: Verifying The Integrity Advanced Server Session On The Integrity Client

    Verifying the Integrity Advanced Server session on the Integrity client Once the policy is assigned, the Integrity client gets the Test1 policy after the next heartbeat. By default, Integrity Flex displays an Alert when it downloads a new policy. Integrity Agent does not display alerts of any type.
  • Page 51: Monitor Your Database Tablespace

    Monitor your disk space Closely monitor the Integrity Advanced Server disk space usage. Integrity and Apache logs can consume a lot of disk space on the Integrity Advanced Server. Integrity Advanced Server will fail to respond to Integrity clients and/or not work as expected if there is no free disk space.
  • Page 52 Monitor the 'integrity/logs' directory on the Integrity Advanced Server.
  • Page 53: Maintaining Integrity Advanced Server

    21 Integrity clients 2 Integrity services, described 6 load balancer, configuring 20 Program permission 6 RADIUS server in single-host deployments 2 Root Certificate Store, confirming 42 single-host deployments 2 system status, verifying 21

This manual is also suitable for:

Integrity
