IMPLEMENTING F-SECURE POLICY MANAGER

Page 2 Agenda Main topics Pre-deployment phase Is the implementation possible? Implementation scenarios and examples Installing the environment Most critical installation steps Console configuration tips Point application rollout Point application rollout planning and piloting Most common rollout methods and examples

PRE-DEPLOYMENT PHASE

Page 4 Before you begin... Checklist 1.Network requirements Does the network support the required protocols? Is the network fast enough? 2.System requirements Does the existing hardware meet the requirements? Are the installed operating systems and service packs supported? 3.Policy Manager Implementation How many Policy Manager Servers, Consoles and Proxy Servers does the infrastructure require? Where to place them for best performance?

Page 5 Network Requirements Network 10Mbit Ethernet or faster In installations with more than 5000 managed hosts, 100Mbit networks are recommended Required Protocols UDP Used for virus definitions updates directly from F-Secure Root Update Server TCP Used for F-Secure Intelligent Installations (a.k.a push installations) Used for general Apache Web Server traffic

Page 6 System Requirements: Policy Manager Server Operating system Windows 2000 Server and Advanced Server (SP3 or higher), Windows Server 2003 Standard, Web Edition, or Small Business Server Processor Intel Pentium III 450 MHz or faster (1 GHz or more recommended, especially when managing big environments or when Web Reporting is enabled) Memory 256 MB RAM (512 MB or more recommended, especially when Web Reporting is enabled) Disk space 50 MB required (recommended 500 MB or more)

Page 7 System Requirements: Policy Manager Console Operating system Windows 2000 Professional (SP3 or higher), Windows XP Professional (SP2 or higher) or Windows 2003 Small Business Server Processor Intel Pentium III 450 MHz or faster (750 MHz or more recommended) Memory Dedicated computer 256 MB RAM (512 or more recommended) Single computer (same as PMS) 1 GB or more recommended Disk space 50 MB required

Page 8 System Requirements: Anti-Virus Client Security 6.x Operating system Microsoft Windows 2000 Professional (SP4 or higher) Microsoft Windows XP Professional and Home Edition (SP1 or higher) Memory 128 MB (Windows 2000), 256 MB (Windows XP) 256 MB an more recommended Disk space 120 MB (150 MB required during installation)

Page 9 Policy Manager Implementation Policy Manager Server and Console can be implemented in two different ways Both components on a single computer (recommended) Dedicated computers for each component Single Computer Dedicated Computers

Page 10 Policy Manager Implementation Depending on the size and structure of the company, it might be necessary to Install more than one Policy Manager Console Global company with slow internet connection Install more than one Policy Manager Server Single Policy Manager Server scales up to hosts It can handle significantly more host, but will be difficult to administer (policy distribution time increases) Install Policy Manager Proxies for virus definitions updates Solves bandwidth bottle-necks

Page 11 Policy Manager Server Location Location of the Policy Manager Server Place it in the internal network (recommended) Well protected from external attacks Access from external network only possible with authenticated, encrypted connections (e.g. VPN+) Place it in a DMZ network Server has a public IP address, FSMA can access the server from the external network without using VPN+ In general, the security in a DMZ is less restricted as it is in an internal network. The Server contains sensitive infomation of your policy domain and policies. There might be a security risk.

Page 12 Implementation in Basic Environment Managed hosts Policy Manager Server & Console Root Update Server

Page 13 Implementation in Global Environment Root Update Server Managed Hosts PMCPM Proxy PMC & PMS Managed Hosts Subsidiary Germany Headquarters Finland

POLICY MANAGER INSTALLATION

Page 15 Starting the Installation If you have a valid license of any F-Secure product you are entitled to use F-Secure Policy Manager You are entitled to use as many Console, Server and Reporting Option installations as you need

Page 16 Installation Order 1.Policy Manager Server 2.Policy Manager Console 3.Point Applications

Page 17 Critical Steps: Server Installation Select components to install Policy Manager Console Don’t forget to deselect in case you want to run it on a dedicated computer Policy Manager Update Server & Agent Without this components, database updates will not be possible

Page 18 Critical Steps: Server Installation Configure Apache Modules In general, default port settings work fine However, in some situations the ports are already taken and need to be changed The system will automatically inform Already taken ports Ports which might cause problems

Page 19 Critical Steps: Console Initialization Important: In this step you define the administration module The host module address has to be specified separately in the policy

Page 20 Critical Steps: Console Initialization Management key-pair generation Make sure to backup these keys after console initialization completed!

Page 21 Console Configuration Tips Lock most important settings Prevents problems with IPF overwriting Define Policy Manager Server Address Empty by default!

POINT APPLICATION ROLLOUT

Page 23 Before you Start the Rollout... Checklist Remove all conflicting software from target hosts Sidegrade detects and removes certain vendors automatically (AVCS only!) Test sidegrade during piloting phase! Check target host for third party firewalls (e.g. XP firewalls) and disable them (e.g through AD group policy) Start piloting Test different rollout methods and choose the one suited best for your environment Never rollout without careful testing – or to the whole domain at once!

Page 24 Rollout Methods Intelligent Installations Autodiscover windows hosts (recommended) Installation package created with PMC Transfers package separately to each host (no multicasting) Certain inbound traffic on hosts needs to be allowed RPC (TCP 135) and SMB (TCP 445) Push install to Windows host Advantage: needs no name resolution, if IP addresses are used Disadvantage: IP addresses have to be typed manually

Page 25 Rollout Methods Pre-configured package Using PMC to create a pre-configured package No inbound traffic on hosts required JAR: Installation of exported package by ilaunchr.exe through windows login script Make sure to run login sript silent (script includes password in cleartext!) MSI: Installation of exported package through windows group policy in active directory

Page 26 Anti-Virus Centrally Manageable Products F-Secure Anti-Virus for Citrix Servers (and for Microsoft Terminal Server) F-Secure Anti-Virus for SAMBA Servers Anti-Virus Server Computing Anti-Virus for HTTP, SMTP, FTP and POP Anti-Spam Content Filtering Anti-Virus Anti- Spam Content Filtering Anti-VirusVirus & Spy Protection Intrusion prevention F-Secure solutions and services provided Web & DNS Servers F-Secure Anti-Virus for MS Exchange F-Secure Spam Control for Microsoft Exchange F-Secure Spam Control for Internet Gatekeeper F-Secure Internet Gatekeeper F-Secure Anti-Virus for MIMEsweeper F-Secure Anti-Virus for Windows Servers F-Secure Anti-Virus for Linux Servers F-Secure Anti-Virus for Workstations F-Secure Anti-Virus Client Security Gateways Servers File & Print Servers Desktops & laptops Microsoft Platforms Linux Platforms

Page 27 Summary Main topics Pre-deployment phase Is the implementation possible? Implementation scenarios and examples Installing the environment Most critical installation steps Console configuration tips Point application rollout Point application rollout planning and piloting Most common rollout methods and examples