F-secure POLICY MANAGER 7.0 Administrator’s Guide

F-Secure Policy

Manager 7.0

Administrator’s Guide

"F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation. All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others. Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice.

Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of F-Secure Corporation.

This product may be covered by one or more F-Secure patents, including the following:

GB2353372 GB2366691 GB2366692 GB2366693 GB2367933 GB2368233 GB2374260

Contents

About This Guide 9

Overview ............................................................................................................................ 10

How This Guide is Organized ............................................................................................ 11

Conventions Used in F-Secure Guides.............................................................................. 13

Symbols .................................................................................................................... 13

Chapter 1 Introduction 15

1.1 Overview ....................................................................................................................16

1.2 Installation Order........................................................................................................18

1.3 Features.....................................................................................................................19

1.4 Policy-Based Management........................................................................................20

1.4.1 Management Information Base ......................................................................22

Chapter 2 System Requirements 24

2.1 F-Secure Policy Manager Server...............................................................................25

2.2 F-Secure Policy Manager Console ............................................................................27

Chapter 3 Installing F-Secure Policy Manager Server 29

3.1 Overview ....................................................................................................................30

3.2 Security Issues...........................................................................................................31

3.2.1 Installing F-Secure Policy Manager in High Security Environments...............32

3.3 Installation Steps........................................................................................................37

iii

3.4 Configuring F-Secure Policy Manager Server............................................................51

3.4.1 Changing the Communication Directory Path ................................................51

3.4.2 Changing the Ports Where the Server Listens for Requests..........................52

3.4.3 F-Secure Policy Manager Server Configuration Settings...............................53

3.5 Uninstalling F-Secure Policy Manager Server ...........................................................58

Chapter 4 CommDir Migration 60

4.1 Introduction ................................................................................................................61

4.2 Instructions.................................................................................................................61

Chapter 5 Installing F-Secure Policy Manager Console 64

5.1 Overview ....................................................................................................................65

5.2 Installation Steps........................................................................................................65

5.3 Uninstalling F-Secure Policy Manager Console.........................................................83

Chapter 6 Using F-Secure Policy Manager Console 84

6.1 Overview ....................................................................................................................85

6.2 F-Secure Policy Manager Console Basics.................................................................86

6.2.1 Logging In.......................................................................................................87

6.2.2 The User Interface..........................................................................................90

6.2.3 Policy Domain Pane .......................................................................................91

6.2.4 Properties Pane.......................................................... ....................................92

6.2.5 Product View Pane.........................................................................................93

6.2.6 Messages Pane............. ...... ....... ...... ...... ....... ...... ....... ...... ..............................9 9

6.2.7 The Toolbar ..................................................................................................100

6.2.8 Menu Commands .........................................................................................102

6.3 F-Secure Client Security Management ....................................................................104

6.4 Managing Domains and Hosts.................................................................................104

6.4.1 Adding Policy Domains.................................................................................106

6.4.2 Adding Hosts ................................................................................................107

6.4.3 Host Properties.............................................................................................112

6.5 Software Distribution.............................. ...... ............................................. ...............115

6.5.1 F-Secure Push Installations..........................................................................117

6.5.2 Policy-Based Installation ..............................................................................124

6.5.3 Local Installation and Updates with Pre-Configured Packages....................129

6.5.4 Information Delivery ....... ...... ....... ...... ...... ....... ...... ....... ...... ....... ...... ....... ...... ..133

6.6 Managing Policies....................................................................................................134

6.6.1 Settings.........................................................................................................134

6.6.2 Restrictions...................................................................................................135

6.6.3 Saving the Current Policy Data .............. ....... ...... ....... ...... ....... ...... ....... ...... ..136

6.6.4 Distributing Policy Files ................................. ...... ....... ...... ....... .....................136

6.6.5 Policy Inheritance .........................................................................................137

6.7 Managing Operations and Tasks.............................................................................140

6.8 Alerting.....................................................................................................................140

6.8.1 Viewing Alerts and Reports ................................. ....... ...... ....... ...... ....... ...... ..141

6.8.2 Configuring Alert Forwarding........................................................................142

6.9 Reporting Tool..........................................................................................................144

6.9.1 Policy Domain / Host Selector Pane.............................................................145

6.9.2 Report Type Selector Pane..........................................................................146

6.9.3 Report Pane .................................................................................................147

6.9.4 Bottom Pane.................................................................................................148

6.10 Preferences..............................................................................................................149

6.10.1 Connection-Specific Preferences ............................... ...... ....... ...... ....... ...... ..150

6.10.2 Shared Preferences............. ....... ...... ...... ....... ...... .........................................153

Chapter 7 Maintaining F-Secure Policy Manager Server 155

7.1 Overview ..................................................................................................................156

7.2 Backing Up & Restoring F-Secure Policy Manager Console Data...........................156

7.3 Replicating Software Using Image Files ..................................................................159

Chapter 8 Updating F-Secure Virus Definition Databases 161

8.1 Automatic Updates with F-Secure Automatic Update Agent....................................162

8.2 Using the Automatic Update Agent..........................................................................164

8.2.1 Configuration ................................................................................................164

8.2.2 How to Read the Log File.............................................................................165

8.3 Forcing the Update Agent to Check for New Updates Immediately.........................169

8.4 Updating the Databases Manually ...........................................................................169

8.5 Troubleshooting .......................................................................................................170

Chapter 9 F-Secure Policy Manager on Linux 171

9.1 Overview ..................................................................................................................172

9.1.1 Differences Between Windows and Linux ....................................................172

9.1.2 Supported Distributions................................................................................172

9.2 Installation................................................................................................................172

9.2.1 Installing F-Secure Automatic Update Agent................................................173

9.2.2 Installing F-Secure Policy Manager Server ............................. ...... ....... ...... ..174

9.2.3 Installing F-Secure Policy Manager Cons ole........................... ...... ....... ...... ..175

9.2.4 Installing F-Secure Policy Manager Web Reporting.....................................176

9.3 Configuration............................................................................................................177

9.4 Uninstallation............................................................................................................177

9.4.1 Uninstalling F-Secure Policy Manager Web Reporting ................................177

9.4.2 Uninstalling F-Secure Policy Manager Console ...........................................178

9.4.3 Uninstalling F-Secure Policy Manager Server..............................................178

9.4.4 Uninstalling F-Secure Automatic Update Agent ...........................................179

9.5 Frequently Asked Questions ....................................................................................179

Chapter 10 Web Reporting 184

10.1 Overview ..................................................................................................................185

10.2 Introduction ..............................................................................................................185

10.3 Web Reporting Client System Requirements...........................................................186

10.4 Generating and Viewing Reports.............................................................................186

10.4.1 Required Browser Settings for Viewing Web Reports..................................186

10.4.2 Generating a Report.....................................................................................187

10.4.3 Creating a Printable Report..........................................................................189

10.4.4 Generating a Specific URL for Automated Report Generation.....................190

10.5 Maintaining Web Reporting......................................................................................190

10.5.1 Disabling Web Reporting..............................................................................191

10.5.2 Enabling Web Reporting...............................................................................191

10.5.3 Restricting or Allowing Wider Access to Web Reports.................................192

10.5.4 Changing the Web Reporting Port................................................................193

10.5.5 Creating a Backup Copy of the Web Reporting Database...........................194

10.5.6 Restoring the Web Reporting Database from a Backup Copy .....................194

10.5.7 Changing the Maximum Data Storage Time in the Web Reporting

Database......................................................................................................195

10.6 Web Reporting Error Messages and Troubleshooting.............................................196

10.6.1 Error Messages............................................................................................196

10.6.2 Troubleshooting............................................................................................197

Chapter 11 F-Secure Policy Manager Proxy 199

11.1 Overview ..................................................................................................................200

11.2 Main Differences between Anti-Virus Proxy and Policy Manager Proxy..................200

Chapter 12 Troubleshooting 202

12.1 Overview ..................................................................................................................203

12.2 F-Secure Policy Manager Server and Console........................................................203

12.3 F-Secure Policy Manager Web Reporting................................................................208

12.4 Policy Distribution.....................................................................................................209

AppendixA SNMP Support 211

A.1 Overview ................................................................................................................. 212

A.1.1 SNMP Support for F-Secure Management Agent ........................................212

A.2 Installing F-Secure Managem ent Age nt with SNMP Support .......................... ...... ..213

A.2.1 F-Secure SNMP Management Extension Installation ..................................213

A.3 Configuring The SNMP Master Agent......................................................................214

A.4 Management Information Base................................................................................215

AppendixB Ilaunchr Error Codes 216

B.1 Overview ................................................................................................................. 217

B.2 Error Codes..............................................................................................................218

AppendixC FSII Remote Installation Error Codes 221

C.1 Overview................................................................................................................. 222

C.2 Windows Error Codes..............................................................................................222

C.3 Error Messages........................................................................................................223

AppendixD Remote Installation Support for Windows 98/ME 225

D.1 Enabling Remote Administration............................................................................. 226

vii

AppendixE NSC Notation for Netmasks 228

E.1 Overview ................................................................................................................. 229

Technical Support 231

Overview .......................................................................................................................... 232

Web Club .........................................................................................................................232

Virus Descriptions on the Web ................................................................................232

Advanced Technical Support ...........................................................................................232

F-Secure Technical Product Training ...............................................................................233

Training Program ....................................................................................................233

Contact Information .................................................................................................234

Glossary 235 About F-Secure Corporation

viii

ABOUT THIS GUIDE

Overview.................................................................................... 10

How This Guide is Organized..................................................... 11

Overview

About This Guide 10

F-Secure Policy Manager provides tools for administering the following F-Secure software products:

 F-Secure Client Security  F-Secure Internet Gatekeeper  F-Secure VPN+  F-Secure Anti-Virus for

Workstations Firewalls File Servers Microsoft Exchange MIMEsweeper:

How This Guide is Organized

The F-Secure Policy Manager Administrator’s Guide is divided into the

following chapters.

Chapter 1. Introduction. Describes the architecture and components of

the policy-based management.

Chapter 2. System Requirements. Defines the software and hardware

requirement for F-Secure Policy Manager Console and F-Secure Policy

Manager Server.

Chapter 3. Installing F-Secure Policy Manager Server. Covers the

installation of F-Secure Policy Manager Server on the server machine.

Chapter 4. CommDir Migration. Contains instructions on how to do the

migration from CommDir to F-Secure Policy Manager Server based

system.

Chapter 5. Installing F-Secure Policy Manager Console. Covers the

installation of F-Secure Policy Manager Console applications on the

administrator’s workstation.

Chapter 6. Using F-Secure Policy Manager Console. Includes an

overview, setup procedures, the logon procedure, menu commands, and

basic tasks.

Chapter 7. Maintaining F-Secure Policy Manager Server. Covers backup

procedures and restoration routines.

Chapter 8. Updating F-Secure Virus Definition Databases. Describ es the

various ways you can update your virus definition databases.

Chapter 9. F-Secure Policy Manager on Linux. Describes how to install

and manage F-Secure Policy Manager on Linux.

Chapter 10. Web Reporting. Describes how to use F-Secure Policy

Manager Web Reporting, a new enterprise-wide graphical reporting

system included in F-Secure Policy Manager Server.

Chapter 11. F-Secure Policy Manager Proxy. Contains a brief

introduction into F-Secure Policy Manager Proxy.

About This Guide 12

Chapter 12. Troubleshooting. Contains troubleshooting information and

frequently asked questions.

Appendix A. SNMP Support. Contains information about SNMP support. Appendix B. Ilaunchr Error Codes. Contains a list of Ilaunchr error codes. Appendix C. FSII Remote Installation Error Codes. Describes the most

common error codes and messages that can occur during the Autodiscover Windows Hosts operation.

Appendix D. Remote Installation Support for Windows 98/ME. Offers

information on requirements for Windows 98/ME workstations to allow FSII to work with them.

Appendix E. NSC Notation for Netmasks. Defines and offers information

on NSC notation for Netmasks.

Glossary — Explanation of terms Technical Support — Web Club and contact information for assistance. About F-Secure Corporation — Company background and products.

Conventions Used in F-Secure Guides

This section describes the symbols, fonts, and terminology used in this

manual.

Symbols

WARNING: The warning symbol indicates a situation with a risk of irreversible destruction to data.

IMPORTANT: An exclamation mark provides important information that you need to consider.

REFERENCE - A book refers you to related information on the topic available in another document.

NOTE - A note provides additional information that you should consider.

Fonts

TIP - A tip provides information that can help you perform a task more quickly or easily.

⇒ An arrow indicates a one-step procedure.

Arial bold (blue) is used to refer to menu names and commands, to

buttons and other items in a dialog box.

Arial Italics (blue) is used to refer to other chapters in the manual, book

titles, and titles of other manuals.

Arial Italics (black) is used for file and folder names, for figure and table

captions, and for directory tree names.

Courier New is used for messages on your computer screen.

Courier New bold is used for information that you must type.

SMALL CAPS (BLACK) is used for a key or key combination on your

keyboard.

PDF Document

For More Information

Arial underlined (blue )

Arial italics is used for window and dialog box names.

This manual is provided in PDF (Portable Document Format). The PDF document can be used for online viewing and printing using Adobe® Acrobat® Reader. When printing the manual, please print the entire manual, including the copyright and disclaimer statements.

Visit F-Secure at http://www.f-secure.com for documentation, training courses, downloads, and service and support contacts.

In our constant attempts to improve our documentation, we would welcome your feedback. If you have any questions, comments, or suggestions about this or any other F-Secure document, please contact us at documentation@f-secure.com

is used for user interface links.

INTRODUCTION

Overview..................................................................................... 16

Installation Order...................... .................................................. 18

Features..................................................................................... 19

Policy-Based Management......................................................... 20

1.1 Overview

CHAPTER 1 16

Introduction

F-Secure Policy Manager provides a scalable way to manage the security of numerous applications on multiple operating systems, from one central location. It can be used to keep security software up-to-date, manage configurations, oversee enterprise compliance, and can be scaled to handle even the largest, most mobile workforce. F-Secure Policy Manager provides a tightly integrated infrastructure for defining security policies, distributing policies and installing application software to local as well as remote systems, and monitoring the activities of all systems in the enterprise to ensure compliance with corporate policies and centralized control.

F-Secure Automatic Update Agent can be installed as a part of F-Secure Policy Manager Server.

The power of the F-Secure Policy Manager lays in the F-Secure management architecture, which provides high scalability for a widely distributed, mobile workforce. F-Secure Policy Manager is comprised of F-Secure Policy Manager Console and F-Secure Policy Manager Server. They are seamlessly integrated with the F-Secure Management Agent that handles all management functions on local hosts.

Main Components of F-Secure Policy Manager

F-Secure Policy Manager Console provides a centralized management

console for the security of the managed hosts in the network. It enables the administrator to organize the network into logical units for sharing policies. These policies are defined in F-Secure Policy Manager Console and then distributed to the workstations through the F-Secure Policy Manager Server. F-Secure Policy Manager Console is a Java-based application that can be run on several different platforms. It can be used to remotely install the Management Agent on other workstations without the need for local login scripts, restarting, or any intervention by the end user.

F-Secure Policy Manager Server is the repository for policies and

software packages distributed by the administrator, and status information

and alerts sent by the managed hosts. It provides scalability by working

as an extension to the Apache web server. Communication between

F-Secure Policy Manager Server and the managed hosts is accomplished

through the standard HTTP protocol, which ensures trouble-free

performance on the LAN and WAN.

F-Secure Policy Manager Web Reporting is an enterprise-wide web

based graphical reporting system included in F-Secure Policy Manager

Server. With F-Secure Policy Manager Web Reporting you can quickly

create graphical reports based on historical trend data, identify computers

that are unprotected or vulnerable to virus outbreaks.

F-Secure Policy Manager Repor ting Option is a stand-alone command

line program that, with an existing Communication Directory (CommDir) in

F-Secure Policy Manager Server, collects alert, status and property data

from the managed security domain or host of choice. F-Secure Policy

Manager Reporting Option allows users to generate reports concerning

the data from the Communication Directory in F-Secure Policy Manager

Server by using XSL templates (which are like predefined queries). These

reports can then be exported as files in HTML, XML, CSV or TXT file

format.

F-Secure Policy Manager Update Server & Agent are used for

updating virus and spyware definitions on the managed hosts. F-Secure

Automatic Update Agent allows users to receive automatic updates and

informational content without interrupting their work to wait for files to

download from the Web. F-Secure Automatic Update Agent downloads

files automatically in the background using bandwidth not being used by

other Internet applications, so the users can always be sure they will have

the latest updates without having to search the Web. If F-Secure

Automatic Update Agent is always connected to the Internet, it will

automatically receive new virus definition updates within about two hours

after they have been published by F-Secure.

F-Secure Management Agent enf orces the security policies set by the

administrator on the managed hosts, and provides the end user with a

user interface and other services. It handles all management functions on

the local workstations and provides a common interface for all F-Secure applications, and operates within the policy-based management infrastructure.

VPN+ Certificate Wizard is an application for creating certificates for

F-Secure VPN+.

1.2 Installation Order

To install F-Secure Policy Manager, please follow this installation order (unless you are installing F-Secure Policy Manager Server and F-Secure Policy Manager Console on the same machine, in which case setup installs all components during the same installation process):

1. F-Secure Policy Manager Server and F-Secure Policy Manager Update Server & Agent,

2. F-Secure Policy Manager Console,

3. Managed point applications.

CHAPTER 1 18

Introduction

1.3 Features

Software Distribution

 First-time installation on Windows domains with F-Secure Push

Installation.

 Updating of executable files and data files, including virus

definition databases.

 Support for policy-based updates. Policies force the F-Secure

Management Agent to perform updates on a host. Both policies and software packages are signed, making the entire update process strongly authe nti ca ted and se cu re .

 Updates can be provided in several ways:

 From the F-Secure CD.  From the F-Secure Web site to the customer. These can be

automatically ‘pushed’ by F-Secure Automatic Update Agent, or voluntarily ‘pulled’ from the F-Secure website.

 F-Secure Policy Manager Console can be used to export

pre-configured installation packages, which can also be delivered using third-party software, such as SMS, and similar tools.

Configuration and Policy Management

 Centralized configuration of security policies. The policies are

distributed from F-Secure Policy Manager Server by the administrator to the user’s workstation. Integrity of the policies is ensured through the use of digital signatures.

Event Management

 Reporting through the Management API to the Event Viewer

(local and remote logs), SNMP agent, e-mail, report files, etc.

 Event redirection through policies.  Event statistics.

Performance Management

 Statistics and performance data handling and reporting.

Task Management

 Management of virus scanning tasks and other operations.

1.4 Policy-Based Management

A security policy is a set of well-defined rules that regulate how sensitive information and other resources are managed, protected, and distributed. The management architecture of F-Secure software uses policies that are centrally configured by the administrator for optimum control of security in a corporate environment. Policy-based management implements many functions:

 Remotely controlling and monitoring the behavior of the products  Monitoring statistics provided by the products and the

Management Agent

 Remotely starting predefined operations  Transmission of alerts and notifications from the products to the

system administrator

CHAPTER 1 20

Introduction

The information flow between F-Secure Policy Manager Console and the hosts is accomplished by transferring policy files. There are three kinds of policy files:

 Default Policy files (.dpf)  Base Policy files (.bpf)  Incremental Policy files (.ipf)

The current settings of a product consist of all three policy file types:

Default Policy Files

The Default Policy file contains the default values (the factory settings) for a single product that are installed by the setup. Default policies are used only on the host. If neither the Base Policy file nor the Incremental Policy file contains an entry for a variable, then the value is taken from the Default Policy file. Each product has its own Default Policy file. New product versions get new versions of the Default Policy file.

Base Policy Files

Base Policy files contain the administrative settings and restrictions for all the variables for all F-Secure products on a specific host (With domain level policies, a group of hosts may share the same file). A Base Policy file is signed by F-Secure Policy Manager Console, protecting the file against changes while it is passing through the network and while it is stored in the host’s file system. These files are sent from F-Secure Policy Manager Console to the F-Secure Policy Manager Server. The host periodically polls for new policies created by F-Secure Policy Manager Console.

Incremental Policy Files

Incremental Policy files are used to store local changes to the Base Policy. Only changes that fall within the limits specified in the Base Policy are allowed. The Incremental Policy files are then periodically sent to F-Secure Policy Manager Console so that current settings and statistics can be viewed by the administrator.

1.4.1 Management Information Base

The Management Information Base (MIB) is a hierarchical management data structure used in the Simple Network Management Protocol (SNMP). In F-Secure Policy Manager, the MIB structure is used for defining the contents of the policy files. Each variable has an Object Identifier (OID) and a value that can be accessed using the Policy API. In addition to basic SNMP MIB definitions, the F-Secure MIB concept includes many extensions that are needed for complete policy-based management.

The following categories are defined in a product’s MIB:

Settings Used to manage the workstation in the manner

of an SNMP. The managed products must operate within the limits specified here.

Statistics Delivers product statistics to F-Secure Policy

Manager Console.

Operations Operations are handled with two policy

variables: (1) a variable for transferring the operation identifier to the host, and (2) a variable for informing F-Secure Policy Manager Console about the operations that were performed. The second variable is transferred using normal statistics; it acknowledge s all previous operations at one time. A custom editor for editing operations is associated with the subtree; the editor hides the two variables.

CHAPTER 1 22

Introduction

Private The management concept MIBs may also

contain variables which the product stores for its internal use between sessions. This way, the product does not need to rely on external services such as Windows registry files.

Traps Traps are the messages (including alerts and

events) that are sent to the local console, log file, remote administration process, etc. The following types of traps are sent by most of the F-Secure products:

Info. Normal operating information from a host.

Warning. A warning from the host.

Error. A recoverable error on the host.

Fatal error. An unrecoverable error on the host.

Security alert. A security hazard on the host.

SYSTEM REQUIREMENTS

F-Secure Policy Manager Server............................................... 25

F-Secure Policy Manager Console............................................. 27

2.1 F-Secure Policy Manager Server

In order to install F-Secure Policy Manager Server, your system must meet the following minimum requirements:

Operating system: Microsoft Windows:

Microsoft Windows 2000 Server (SP 3or higher); Windows 2000 Advanced Server (SP 3or higher); Windows Server 2003, Standard Edition or Web Edition; Windows 2003 Small Business Server.

Linux:

Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SUSE Linux 10.0 SUSE Linux 9.x SUSE Linux Enterprise Server 9 Debian GNU Linux Sarge 3.1

Processor: Intel Pentium III 450 MHz processor or faster.

Managing more than 5000 hosts or using Web Reporting requires Intel Pentium III 1 GHz level processor or faster.

CHAPTER 2 26

System Requirements

Memory: 256 MB RAM

When Web Reporting is enabled, 512 MB RAM.

Disk space: Disk space: 200 MB of free hard disk space; 500

MB or more is recommended. The disk space requirements depend on the size of the installation.

In addition to this it is recommended to allocate about 1 MB per host for alerts and policies. The actual disk space consumption per host is hard to anticipate, since it depends on how the policies are used and how many installation packages are stored.

Network: 10 Mbit network. Managing more than 5000

hosts requires a 100 Mbit network.

2.2 F-Secure Policy Manager Console

In order to install F-Secure Policy Manager Console, your system must meet the following minimum requirements:

Operating system:

Processor:

Memory:

Microsoft Windows:

Microsoft Windows 2000 Professional (SP3 or higher)

Windows 2000 Server (SP3 or higher) Windows 2000 Advanced Server (SP3 or higher) Windows XP Professional (SP2 or higher) Windows Server 2003, Standard Edition or Web Edition. Windows 2003 Small Business Server.

Linux:

Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SUSE Linux 10.0 SUSE Linux 9.x SUSE Linux Enterprise Server 9 Debian GNU Linux Sarge 3.1

Intel Pentium III 450 MHz processor or faster. Managing more than 5000 hosts requires Pentium III 750 MHz processor or faster.

256 MB of RAM. Managing more than 5000 hosts requires 512MB of memory.

CHAPTER 2 28

System Requirements

Disk space: Display:

Network:

100 MB of free hard disk space. Minimum 256-color display with resolution of

1024x768 (32-bit color with 1280x960 or higher resolution recommende d) .

Ethernet network interface or equivalent. 10 Mbit network between console and server is recommended. Managing more than 5000 hosts requires 100Mbit connection between console and server.

INSTALLING F-SECURE

OLICY MANAGER

ERVER

Overview..................................................................................... 30

Security Issues........................................................................... 31

Installation Steps........................................................................ 37

Uninstalling F-Secure Policy Manager Server............................ 58

3.1 Overview

CHAPTER 3 30

Installing F-Secure Policy Manager Server

The following are advanced instructions for installing F-Secure Policy Manager Server on a machine dedicated only to the Server. F-Secure Policy Manager Server can also be installed on the same machine as F-Secure Policy Manager Console.

F-Secure Policy Manager Server is the link between F-Secure Policy Manager Console and the managed hosts and acts as the repository for policies and software packages distributed by the administrator, as well as status information and alerts sent by the managed hosts.

Communication between F-Secure Policy Manager Server and other components can be achieved through the standard HTTP protocol, which ensures trouble-free performance on LAN and global networks.

The information stored by F-Secure Policy Manager Server includes the following files:

 Policy Domain Structure.  Policy Data, which is the actual policy information attached to

each policy domain or host.

 Base Policy files generated from the policy data.  Status Information, including incremental policy files, alerts, and

reports.

 Autoregistration requests sent by the hosts.  PKCS#10 Certification requests (for F-Secure VPN+ only).  Host certificates.  Security News received from F-Secure.  Product installation and virus definition database update

packages.

 The Web Reporting component stores statistics and historical

trend data about the hosts.

This manual does not include infor mati on about the F-Se cu re Policy Manager Reporting Option. For information on that component, please refer to the F-Secure Policy Manager Reporting Option Administrator’s Guide.

3.2 Security Issues

F-Secure Policy Manager Server utilizes Apache Web Server technology, and even though we do the utmost to deliver a secure and up-to-date technology we advise you to regularly consult the following sites from information on Apache technology and security .

The most up to date information on security issues related to Operating Systems and Apache web server can be found at the CERT web site:

http://www.cert.org.

Installing F-Secure Policy Manager Server

A document containing advice on how to secure an installation of the Apache web server is available at http://www.apache.org/docs/misc/

security_tips.html. and a list of vulnerabilities at http://www.apacheweek.com/features/security-13

The release notes contain important information about installation and security. Read these notes carefully!

3.2.1 Installing F-Secure Policy Manager in High Security Environments

F-Secure Policy Manager is designed to be used in internal corporate networks mainly for managing F-Secure Anti-Virus products. F-Secure does not recommend using F-Secure Policy Manager over public networks such as Internet.

IMPORTANT: When installing F-Secure Policy Manager in high security environments, you should make sure that the Administration port (by default port 8080) and the Host port (by default port 80) are not visible in the Internet.

CHAPTER 3 32

F-Secure Policy Manager's Built-In Security Features

F-Secure Policy Manager has built-in security features that ensure detection of changes in the policy domain structure and policy data. More importantly, it is impossible to deploy unauthorized changes to managed hosts. Both these features rely on a management key pair that is available to administrators only. These features, based on strong digital signatures, will in most cases provide the right balance between usability and security in most Anti-Virus installations, but the following features may require additional configuration in high security environments:

1. By default, all users can access the Policy Manager Server in read-only mode but are only able to view the management data. This is a convenient way of sharing information to users who are not

allowed full administrative rights. Multiple users can keep a read-only session open simultaneously, monitoring the system status without affecting other administrators or managed hosts in any way.

2. To enable easy migration to new management keys, it is possible to re-sign the policy domain structure and policy data with a newly generated or previously existing key pair. If this is done accidentally, or intentionally by an unauthorized user, the authorized user will notice the change when he tries to login to F-Secure Policy Manager the next time. In the worst case, the authorized user needs to recover backups in order to remove the possible changes made by the unauthorized user. In any case, the policy domain structure and policy data changes will be detected, and there is no way to distribute the changes to managed hosts without the correct original key pair.

Both of these features may be undesirable in a high security environment where even seeing the management data should be restricted. The following measures can be taken to increase the level of system security:

Possible different installation scenarios for high security environments:

1. F-Secure Policy Manager Server and F-Secure Policy Manager Console will be installed in the same machine and access to the F-Secure Policy Manager Server will be limited only to the localhost. After this, only the person who has physical access to the localhost can use the F-Secure Policy Manager Consol e.

When access to the F-Secure Policy Manager Server is limited only to the localhost during the installation (see Step 9. , 44), F-Secure Setup modifies the #FSMSA listen directive in httpd.conf file as follows:

#FSMSA listen

Listen 127.0.0.1:8080 <- Allow connections only from localhost to PMC port 8080

CHAPTER 3 34

Installing F-Secure Policy Manager Server

2. Access to F-Secure Policy Manager Server will be limited only to the

separately defined IP addresses by editing the httpd.conf file.

If the access to port 8080 was limited only to the localhost duri ng the setup, you should now open the port and then define the list of allowed IP addresses (see the Listen 8080 directive in the example below).

Below is an example of edited httpd.conf file section:

#FSMSA listen

Listen 8080 <- make sure that connections are not limited to localhost only

#FSMSA port

Order Deny,Allow

Deny from all <- First deny all

Allow from 127.0.0.1 <- Then allow access to the server from local machine

Allow from 10.128.129.2 <- Allow access from the server machine

Allow from 10.128.129.209 <- Allow access from Administrator's workstation

SetHandler fsmsa-handler

</Location>

</VirtualHost>

After this, only the person who has access to the machines with the defined IP addresses can use F-Secure Policy Manager Console.

3. If there is a very strong need to use F-Secure Policy Manager over a

public network (such as the Internet), it is recommended to encrypt the connection between F-Secure Policy Manager Server and F-Secure Policy Manager Console with a VPN or SSH type product.

As an alternative, F-Secure Policy Manager Console and F-Secure Policy Manager Server can be installed on the same machine, and access limited to the localhost. Remote administrator access to the F-Secure Policy Manager Console can be arranged by using a secure remote desktop product.

Installing F-Secure Policy Manager Web Reporting in High-Security Environments

F-Secure Policy Manager Web Reporting is designed to be used in internal corporate networks for generating graphical reports of, for example, F-Secure Client Secur i ty viru s pr otecti on status and aler ts. F-Secure does not recommend using F-Secure Policy Manager Web Reporting over public networks such as Internet.

Possible different installation scenarios for high security environments:

1. Access to Web Reports is limited to localhost only during the installation. After this, only the person who has physical access to the localhost can use F-Secure Policy Manager Web Reporting.

When access to F-Secure Policy Manager Web Reporting is limited only to the localhost during the installation (see , 45), F-Secure Setup modifies the #Web Reporting listen directive in httpd.conf file as follows:

#Web Reporting listen Listen 127.0.0.1:8081 <- Allow connections only from localhost to Web Reporting port 8081

2. Access to F-Secure Policy Manager Web Reporting is limited only to the separately defined IP addresses by editing the httpd.conf file (see

below)

If the access to port 8081 was limited only to the localhost duri ng the setup, you should now open the port and then define the list of allowed IP addresses (see the Listen 8081 directive in the example below).

CHAPTER 3 36

Installing F-Secure Policy Manager Server

Below is an example of edited httpd.conf file section, in which access is allowed from the localhost and from one separately defined IP address:

#Web Reporting listen

Listen 8081

# Web Reporting port:

JkMount /* ajp13

ErrorDocument 500 "Policy Manager Web Reporting could not be contacted by

the Policy Manager Server.

Order Deny,Allow

Deny from all <- First deny all

Allow from 127.0.0.1 <- Then allow access to Web Reporting from the local machine

Allow from 10.128.129.209 <- Allow access from Administrator’s workstation

</Location>

</VirtualHost>

After this, only the person who has access to the local host or the machine with the defined IP address can use F-Secure Policy Manager Web Reporting.

3.3 Installation Steps

To install F-Secure Policy Manager Server, you need physical access to the server machine.

Step 1. 1. Insert the F-Secure CD in your CD-ROM drive.

2. Select Corporate Use. Click Next to continue.

3. Go to the Install or Update Managed Software menu and select F-Secure Policy Manager.

Step 2. Setup begins. View the Welcome screen, and follow the setup

instructions. Select the installation language from the drop-down menu. Click Next to continue.

CHAPTER 3 38

Installing F-Secure Policy Manager Server

Step 3. Read the license agreement information. If you agree, select I accept this

agreement. Click Next to continue.

Step 4. Select the type of installation:

 Typical - Setup installs the product with default options:

 F-Secure Policy Manager Server, F-Secure Policy Manager

Console, F-Secure Policy Manager Update Server & Agent are installed on the same computer.

 The default ports are used for F-Secure Policy Manager

Server modules.

 Only the F-Secure Policy Manager Console installed on the

same computer is allowed access to F-Secure Policy Manager Server.

 Access to Web Reports is allowed also from other computers.

 Custom - This is the default (recommended) option that lets you

specify, for example, the installation directory and the ports for F-Secure Policy Manager Server modules. Some installation dialogs will be displayed only when Custom is selected

 Reinstall - This option reinstalls all existing components and

restores the missing settings. This dialog is only displayed if there is a previous F-Secure Policy Manager installation on the computer.

CHAPTER 3 40

Installing F-Secure Policy Manager Server

Step 5. If you are installing on a clean computer, select the following components:

 F-Secure Policy Manager Server,  F-Secure Policy Manager Update Server & Agent - automate

virus definition database updates,

 F-Secure Installation Packages - select this option if you want to

upload/install new remote installation packages from the CD (recommended)

Click Next to continue.

Step 6. Choose the destination folder. Click Next.

It is recommended to use the default installation directory. If you want to install F-Secure Policy Manager Server in a different directory, you can

use the Browse feature.

WARNING: If you have F-Secure Management Agent installed in the same machine you must not change the installation directory of the F-Secure Policy Manager Server

CHAPTER 3 42

Installing F-Secure Policy Manager Server

Step 7. Setup requests confirmation if a previous installation of F-Secure Policy

Manager exists.

1. If Yes

2. If No

Click Next to continue.

, select I have existing F-Secure Policy Manager installation. Enter the communication directory path of the installed F-Secure Policy Manager. The contents of this directory will be copied under

<server installation directory>\ Communication Directory (commdir\ directory under F-Secure Policy Manager Server installation directory), and this will be the directory that F-Secure Policy Manager

Server will use as a repository. You can use the previous commdir as a backup, or you can delete it once you have verified that F-Secure Policy Manager Server is correctly installed.

, select I do not have existing F-Secure Policy Manager.

This will not require a existing commdir, and will create an empty commdir in the default location (under <F-Secure Policy Manager 5 installation directory>\commdir).

Step 8. Select whether you want to keep the existing settings or change them.

This dialog is displayed only if a previous installation of F-Secure Policy Manager Server was detected on the computer.

 By default the setup keeps the existing settings. Select this option

if you have manually updated the F-Secure Policy Manager Server configuration file (HTTPD.conf). This option automatically keeps the existing administration, host and web reporting ports.

 If you want to change the ports from the previous installation,

select the Change settings option. This option overwrites the HTTPD.conf file, and restores the settings to defaults.

Installing F-Secure Policy Manager Server

Step 9. Select the F-Secure Policy Manager Server modules to enable:

 Host module is used for communication with the hosts. The

default port is 80.

 Administration module is used for communication with F-Secure

Policy Manager Console. The default HTTP port is 8080.

If you want to change the default port for communication, you will also need to change the HTTP Port Number setting in F-Secure Policy Manager Console.

By default the access to the Administration module is restricted to the local machine. This is the most secure way to use the product.

When using a connection over a network, please consider securing the communication with F-Secure SSH or F-Secure VPN+.

For environments requiring maximum security, see section

Installing F-Secure Policy Manager in High Security Environments in F-Secure Policy Manager Administrator’s Guide.

CHAPTER 3 44

 Web Reporting module is used for communication with F-Secure

Policy Manager Web Reporting. Select whether it should be enabled. Web Reporting uses a local socket connection to the Admin module to fetch server data. The default port is 8081.

By default access to Web Reports is allowed also from other computers. If you want to allow access only from this computer, select Restrict access to the local machine.

Click Next to continue.

CHAPTER 3 46

Installing F-Secure Policy Manager Server

Step 10. Select to add product installation package(s) from the list of available

packages (if you selected F-Secure Installation Packages in Step 4 on page 17). Click Next.

Step 11. Setup displays the components that will be installed. Click Next.

CHAPTER 3 48

Installing F-Secure Policy Manager Server

Step 12. When the setup is completed, the setup shows whether all components

were installed successfully.

Step 13. F-Secure Policy Manager Server is now installed. Restart the computer if

you are prompted to do so. Click Finish to complete the installation.

CHAPTER 3 50

Installing F-Secure Policy Manager Server

Step 14. To determine if your installation was successful, open a web browser in

the machine where F-Secure Policy Manager Server was installed, enter http://localhost:80 (if you used the default port number during the installation) and press following page will be displayed.

ENTER. If the se rver i nst all ation was su cces sful, the

The F-Secure Policy Manager Server starts serving hosts only after F-Secure Policy Manager Console has initialized the Communication directory structure, which happens automatically when you run F-Secure Policy Manager Console for the first time.

3.4 Configuring F-Secure Policy Manager Serve r

Under the conf\ directory in the Policy Manager Server installation directory, you will find a file named httpd.conf, which contains the configuration information for F-Secure Policy Manager Server.

After any change to the configuration, you need to stop F-Secure Policy Manager Server, and restart it for the changes to become active.

The F-Secure Policy Manager Web Reporting settings that can be configured in httpd.conf are explained in

Reporting”, 190

3.4.1 Changing the Communication Directory Path

If the existing network drive on which the communication directory is located is getting full, you can change its location by using these instructions.

1. Choose a new network path on a drive with more space. Create the path and ensure that the fsms_<machine wins name> user has Full Control access rights to all the directories on the path.

2. Stop the F-Secure Policy Manager Server service.

3. Copy the whole directory structure from the old commdir path to the new path.

4. Change the va lue for the CommDir and CommDir2 directi ve s in httpd.conf. The default configuration contains the following configuration:

CommDir "C:\Program Files\F-Secure\Management Server 5\CommDir"

CommDir2 "C:\Program Files\F-Secure\Management Server 5\CommDir"

If you want to change the Communication Directory Location to

E:\CommDir, change the directives to reflect that configuration:

CommDir "E:\CommDir"

CommDir2 "E:\CommDir"

“Maintaining Web

Installing F-Secure Policy Manager Server

5. Start the F-Secure Policy Manager Server service.

6. Check that everything still works.

7. Delete the old commdir files.

3.4.2 Changing the Ports Where the Server Listens for Requests

There are two directives that define the ports for both of the WebServer Modules that constitute F-Secure Policy Manager Server: Listen and <VirtualHost>. By default, F-Secure Policy Manager Server Admin Module (the component that handles requests coming from Policy Manager Console) listens in port 8080, and F-Secure Policy Manager Server Host Module (the component that handles requests from workstations) listens in port 80. You can, however, define what ports they should listen in, if the defaults are not suitable.

If you want to change the port in which F-Secure Policy Manager Server Admin Module listens, add a Listen entry in the configuration file with the new port (e.g. Listen 8888), and remove the Listen directive that defines the default port in which F-Secure Policy Manager Server Admin Module listens: Listen 8080.

CHAPTER 3 52

When a new Listen entry is added, be sure to remove the obsolete entry. Otherwise, the server will unnecessarily consume system resources, such as a network port.

After adding the Listen directive, F-Secure Policy Manager Server knows that it should listen in the new port (8888 in our example). However, you must still configure it to associate the F-Secure Policy Manager Server Admin Module to that new port. This is done by changing

the <VirtualHost> directive, which is associated with F-Secure Policy Manager Server Admin Module. Here is that directive’s default configuration:

#FSMSA port

SetHandler fsmsa-handler

</Location>

</VirtualHost>

To associate it with the newly selected port, change the statement to:

#New FSMSA port

SetHandler fsmsa-handler

</Location>

</VirtualHost>

WARNING: If you have workstations already configured to access F-Secure Policy Manager Serv er (through the F-Secure Policy Manager Server Host module) you should not change the F-Secure Policy Manager Server Host port where agents communicate, since you might reach a state where the workstations will not be able to contact the server

3.4.3 F-Secure Policy Manager Server Configuration Settings

This section introduces and explains all the relevant entries present in the F-Secure Policy Manager Server configuration file, and how they are used.

ServerRoot: This directive sets the directory in which the server is installed. Relative paths for other configuration files are taken as relative to this directory.

CHAPTER 3 54

Installing F-Secure Policy Manager Server

Timeout: This directive defines the period of time that the server will wait before closing a connection, when there is no outbound or inbound traffic in the network connection.

LoadModule: This directive defines the symbolic name of the module to read and the path to the library that contains the module binaries.

Example: LoadModule fsmsh_module

"C:\serverroot\modules\fsmsh.dll"

Listen: This directive defines what port the server should listen on. The default configuration for a web server, for example is: Listen 80. You can restrict where the connections can be received from, for example, Listen 127.0.0.1:80 will only allow connections to port 80 from the machine where the server is running (localhost).

You can configure F-Secure Policy Manager Server to listen on different ports by changing this setting and the associated <VirtualHost> setting that we also discuss in this section. For more information, see “Changing

the Ports Where the Server Listens for Requests”, 52.

DocumentRoot: This directive should contain an absolute path. It defines the directory that everyone will be able to access, so don’t use a path to a directory with sensitive data. By default F-Secure Policy Manager Server allocates a directory under F-Secure Policy Manager Server installation directory, htdocs\. This directory is where the “welcome page” for the server is located. If you change it, this page will no longer be displayed.

<Directory “c:\somepath”>: This directive will define what kind of security settings will be associated with the directory specified in the path component of the directive.

ErrorLog: The error log directive sets the name of the file to which the server logs any errors it encounters. If the file path does not begin with a slash (/), it is assumed to be relative to the ServerRoot. If the file path begins with a pipe (|), it is assumed to be a command to spawn handling of the error log. This feature is used for spawning the rotatelogs (see the rotatelogs entry in this section) utility so that log file is actually rotated and not written to an ever growing file.

<VirtualHost _default_:port>: This directive defines a set of directives that will apply only to a VirtualHost. A VirtualHost is a virtual server, i.e., a different server that is run in the same process as other servers. F-Secure

Policy Manager Server; for example, has two virtual hosts, one running in port 80 (F-Secure Policy Manager Server Host Module) and another one running in port 8080 (FSMSA or Admin Module).

Here is the default configuration for F-Secure Policy Manager Server:

# FSMSH port

SetHandler fsmsh-handler

</Location>

SetHandler fsmsh-handler

</Location>

</VirtualHost>

#FSMSA port

SetHandler fsmsa-handler

</Location>

</VirtualHost>

Commdir and Commdir2: These directives define the path to the communication directory or repository. This is the directory where F-Secure Policy Manager Server stores all the Management Data that it receives from Policy Manager Console and F-Secure Management Agent. You can alter the Communication Directory location by changing these directives, but you must make sure that the account under which the server is run (fsms_<machine wins name>) has full rights to that directory.

Commdir "C:\Program Files\F-Secure\Policy Manager Server\CommDir"

Commdir2 "C:\Program Files\F-Secure\Policy Manager Server\CommDir"

CHAPTER 3 56

Installing F-Secure Policy Manager Server

CustomLog: This entry is used to log requests to the server. The first parameter is either a file (file to which the requests should be logged) or a pipe ('|') followed by the path to a program to receive the log information on its standard input. This feature is used for spawning the rotatelogs (see the rotatelogs entry in this section) utility so that the log file is actually rotated and not written to an ever growing file.

The second parameter specifies what will be written to the log file, and is defined under a previous LogFormat directive.

Below is an example of an entry in the access.log file:

10.128.131.224 - - [18/Apr/2002:14:06:36 +0300] /fsmsa/ fsmsa.dll?FSMSCommand=ReadPackage&Type=27&SessionID=248 HTTP/

1.1" 200 5299 0 - 0 - "FSA/5.10.2211 1.3.1_02 Windows2000/5.0 x86" mod_gzip: DECHUNK:DECLINED:TOO_SMALL CR:0pct.

10.128.131.224 - - [18/Apr/2002:14:06:36 +0300] tells you when the

request to the server was made and by which host (described by its IP address).

The fxnext component informs you which module the command sent to / fsmsa/fsmsa.dll. This module (fsmsa.dll) is the Admin Module. fsmsh.dll would be the Host Module.

Then come the command and parameters FSMSCommand=ReadPackage&Type=27&SessionID=248. In this case the host requested an object of Type 27 (there is only one).

The HTTP version used is also noted HTTP/1.1 Immediately after the http version comes six different numbers, as

follows:

1. HTTP response code: In this example 200 is used, meaning OK in HTTP specification. There are other codes, all of them covered under the HTTP specification that can be obtained from http://www.w3.org.

2. Bytes transferred from the server: The example entry informs of 5299 bytes transferred.

3. How long the server took to serve the request (in seconds).

4. Connection status when response is completed.

'X' = connection aborted before the response completed. '+' = connection may be kept alive after the response is sent. '-' = connection will be closed after the response is sent.

5. F-Secure Policy Manager Server Admin Module error code (0 for success).

6. Bytes transferred to the server (“-” for none).

The next string identifies the client "FSA/5.10.2211 1.3.1_02 Windows2000/5.0 x86". In this case, note that the server was contacted by FSA 5.10 build 2211.

The information that follows is about the compression of data: mod_gzip: DECHUNK:DECLINED:TOO_SMALL. In this instance the data was not compressed because it was too small.

And finally the compression ratio, 0% in this case: CR:0pct. Rotatelogs: This is a small program that is used to rotate the logs that

F-Secure Policy Manager Server produces. This allows us to define the length a log should be kept (8 days by default) and when the files should be rotated, e.g. when the access.log is named access.log.1 and a new, empty access.log file is created where the new requests will be logged.

Example usage:

CustomLog '|""C:\Program Files\F-Secure\Policy Manager Server 5\bin\rotatelogs"

"C:\Program Files\F-Secure\Policy Manager Server 5\logs\access.log" 8 86400"' common"

In this example the CustomLog directive defines that the rotatelogs utility should open the access.log file, and keep 8 files (8 archive files plus the active file) that are rotated daily (86400 seconds = 24 hours). In practice this means that the files for the last full week plus one day are kept and there is still a file for logging accesses during the current day.

<ifModule mod_gzip.c>: There is a new feature in F-Secure Policy Manager Server that allows you to compress all the data that is transferred between Console and Server. This directive marks the start of the compression settings, which end just before the directive </ifModule>.

CHAPTER 3 58

Installing F-Secure Policy Manager Server

For more information on the settings you can read the httpd.sample file that is located in the same directory as the configuration file of F-Secure Policy Manager Server (<fspms installation directory>\conf).

mod_gzip_on Yes: This setting is one of the several compression settings, and the one that enables or disables support for the compression in F-Secure Policy Manager Server. Compression is disabled if the setting is changed to mod_gzip_on No.

FastPolicyDistribution On: This is a performance versus maximum backward compatibility switch. When enabled (On) it will allow the F-Secure Policy Manager Server to distribute policies in a way that speeds up the process greatly (30-100 times, depending on the number of hosts). The disabled switch (Off) should be used when there are other components accessing the communication directory concurrently (e.g. F-Secure Management Agent).

RetryFileOperation 10: This setting tells the server how many times it should retry a failed file operation (with a 1 second retry-interval) before giving up.

CommdirCacheSize 10: The number-value of this setting informs the server how much memory, percentage-wise, it should use for storing files in memory before serving them. This will allow the server to serve the files much faster, since it will not have to read them from the disk all the time. If you use the default (10), the server will use 10% of the memory available for this cache. For example, in a 512MB RAM machine, it will use 51,2 MB for the cache.

3.5 Uninstalling F-Secure Policy Manager Server

To uninstall F-Secure Policy Manager Server (or other F-Secure Policy Manager components), follow these steps:

1. Open the Windows Start menu and go to Control Panel. Select Add/

Remove Programs.

2. Select F-Secure Policy Manager Server (or the component you want

to uninstall), and click the Add/Remove button.

3. The F-Secure Uninstall dialog box appears. Click Start to begin uninstallation.

4. When the uninstallation is complete, click Close.

5. Click OK to exit Add/Remove Programs.

6. Reboot your computer for changes to take effect.

COMMDIR MIGRATION

Introduction................................................................................. 61

Instructions................................................................................. 61

4.1 Introduction

In F-Secure Policy Managerrelease 6.0 and onwards the use of communication directory (CommDir) instead of F-Secure Policy Manager Server is not supported. Therefore you must upgrade the CommDir based installations to F-Secure Policy Manager Server installations.

This chapter contains instructions on how to do the migration, from backing up the existing system to checking that all the managed hosts in the network have started to communicate with F-Secure Policy Manager Server.

4.2 Instructions

You can do the migration as follows:

Step 1. Back Up the Existing System

1. Before you start the back-up procedure, make sure that F-Secure

2. Backup the management keys (admin.pub and admin.prv), and the

Policy Manager Console is not running.

existing CommDir. By default, the management keys are located in

C:\Program Files\F-Secure\Administrator\

Step 2. Install New F-Secure Policy Manager Server and

Console

1. Install new F-Secure Policy Manager Server and Console. For instructions, see “Installing F-Secure Policy Manager Server”, 29 and “Installing F-Secure Policy Manager Console”, 64.

2. During the F-Secure Policy Manager Server installation, copy the existing CommDir Data from the backup you made in Step 1 above. When the dialog (see the figure below) is displayed, click Browse.. to locate the backup.

CHAPTER 4 62

CommDir Migration

3. After you have located the backup, a confirmation dialog is displayed.

Click OK to proceed.

Step 3. Connect Policy Manager Console to the New Policy

Manager Server

1. Connect the F-Secure Policy Manager Console to the new F-Secure

Policy Manager Server.

2. Configure the correct F-Secure Policy Manager Server address to

use:

 Select the Settings tab and open the Centralized Management

page.

 Enter the address of F-Secure Policy Manager Server in format

http://<IP address>.

3. Distribute the policies to the whole managed domain.

4. Close F-Secure Policy Manager Console.

Step 4. Configure Connections to Old CommDir

1. Connect F-Secure Policy Manager Console to the old CommDir.

2. Configure the correct F-Secure Policy Manager Server address to use:

 Select the Settings tab and open the Centralized Management

page.

 Enter the address of F-Secure Policy Manager Server in format

http://<IP address>.

3. Distribute the policies to the whole managed domain.

4. Close F-Secure Policy Manager Console.

Step 5. Wait for the Migration to Complete

Wait long enough (over a week) so that all hosts have started to communicate with the new F-Secure Policy Manager Server instead of the old CommDir.

You can check this, for example, form the Summary tab in F-Secure Policy Manager Console. When the Hosts having latest policy: has reached 100%, the migration is complete.

INSTALLING F-SECURE

OLICY MANAGER

ONSOLE

Overview..................................................................................... 65

Installation Steps........................................................................ 65

Uninstalling F-Secure Policy Manager Console......................... 83

5.1 Overview

F-Secure Policy Manager Console can operate in two modes:

 Administrator mode - you can use F-Secure Policy Manager

Console to its full extent.

 Read-Only mode - you can view F-Secure Policy Mana ger

Console information but cannot perform any administrative tasks (this mode is useful for such users as Helpdesk personnel).

The same console installation can be used for both Administrator and Read-Only connections. The following sections explain how to run the F-Secure Policy Manager Console setup from the F-Secure CD, and how to select the initial operation mode when the console is run for the first time. The CD setup is identical for both modes, and it is always possible to add new Administrator and Read-Only connections after the initial startup.

5.2 Installation Steps

Step 1. 1. Insert the F-Secure CD in your CD-ROM drive.

2. Select Corporate Use. Click Next to continue.

3. Select F-Secure Policy Manager from the Install or Update Management Software menu.

CHAPTER 5 66

Installing F-Secure Policy Manager Console

Step 2. View the Welcome screen, and follow the setup instructions. Select the

installation language from the drop-down menu. Click Next to continue.

Step 3. Read the license agreement information. If you agree, select I accept this

agreement. Click Next to continue.

Step 4. Select the type of installation:

 Typical - Setup installs the product with default options:

 F-Secure Policy Manager Server, F-Secure Policy Manager

Console, F-Secure Policy Manager Update Server & Agent are installed on the same computer.

 The default ports are used for F-Secure Policy Manager

Server modules.

 Only the F-Secure Policy Manager Console installed on the

same computer is allowed access to F-Secure Policy Manager Server.

 Access to Web Reports is allowed also from other computers.

 Custom - Select this option that lets you specify, for example, the

installation directory and the ports for F-Secure Policy Manager Server modules. Some installation dialogs will be displayed only when Custom is selected

 Reinstall - This option reinstalls all existing components and

restores the missing settings. This dialog is only displayed if there is a previous F-Secure Policy Manager installation on the computer.

CHAPTER 5 68

Installing F-Secure Policy Manager Console

Step 5. Select the following components to be installed:

 F-Secure Policy Manager Console  F-Secure VPN+ Certificate Wizard (optional, required only for

F-Secure VPN+ management)

Click Next to continue.

Installing F-Secure Policy Manager Console

Step 6. Choose the destination folder. Click Next.

It is recommended to use the default installation directory. Use the

Browse feature to install F-Secure Policy Manager Console in a different

directory.

CHAPTER 5 70

Step 7. Specify F-Secure Policy Manager Server address, and Administration

port number. Click Next to continue.

CHAPTER 5 72

Installing F-Secure Policy Manager Console

Step 8. Review the changes that setup is about to make. Click Next to continue.

Step 9. By default the setup will run the F-Secure Policy Manager Console for the

first time immediately after the CD setup has been run. It is important to run the console after the setup, because some connection properties will be collected during the initial console startup. Click Finis h to launch F-Secure Policy Manager Console.

Installing F-Secure Policy Manager Console

Step 10. If you did not choose to launch F-Secure Policy Manager Console

immediately after the setup has finished, you can find the shortcut from

Start >Programs > Policy Manager Console. When F-Secure Policy Manager Console is run

for the first time, the Console Setup Wizard collects the information needed to create an initial connection to the server. Normally this step is run immediately after installing the console from your F-Secure CD as explained in the steps 1-8.

The first page of F-Secure Policy Manager Console setup wizard summarizes the installation process. Click Next to continue.

F-Secure Policy Manager Console > F-Secure

CHAPTER 5 74

Step 11. Select your user mode according to your needs:

 Ad mi nist rato r mod e - enables all administrator features.  Read-Only mode - allows you to view administrator data, but no

changes can be made. If you select Read-only mode, you will not be able to administer hosts. To change to Administrator mode, you will need the admin.pub and admin.prv administration keys.

Click Next to continue.

CHAPTER 5 76

Installing F-Secure Policy Manager Console

Step 12. Enter the address of the F-Secure Policy Manager Server that is used for

communicating with the managed hosts.

Step 13. Enter the path where the administrator’s public key and private key files

will be stored. By default, key files are stored in the F-Secure Policy Manager Console installation directory:

Program Files\F-Secure\Administrator.

Click Next to continue.

If the key-pair does not pre-exist, it will be created later in the setup process

CHAPTER 5 78

Installing F-Secure Policy Manager Console

Step 14. Move your mouse cursor around in the window to initialize the random

seed used by the management key-pair generator. Using the path of the mouse movement ensures that the seed number for the key-pair generation algorithm has enough randomness. When the progress indicator has reached 100%, the Passphrase dialog box will open automatically.

Step 15. Enter a passphrase, which will secure your private management key.

Re-enter your passphrase in the Confirm Passphrase field. Click Next.

Installing F-Secure Policy Manager Console

Step 16. Click Finish to complete the setup process.

CHAPTER 5 80

F-Secure Policy Manager Console will generate the management key-pair.

After the key-pair is generated, F-Secure Policy Manager Console will start.

CHAPTER 5 82

Installing F-Secure Policy Manager Console

F-Secure Policy Manager Console starts in Anti-Virus mode, which is a optimized user interface for managing F-Secure Client Security and F-Secure Anti-Virus for Workstations. If you are going to use F-Secure Policy Manager Console for managing any other F-Secure product, you should use the Advanced Mode user interface. You can access it by opening the View menu and selecting Advanced Mode.

When setting up workstations, you must provide them with a copy of the Admin.pub key file (or access to it). If you install the F-Secure products on the workstations remotely with F-Secure Policy Manager, a copy of the Admin.pub key file is installed automatically on them. However, if you run the setup from a CD, you must transfer a copy of the Admin.pub key file manually to the workstations. The best and most secure method is to copy the Admin.pub file to a diskette and use this diskette for workstation installations. Alternatively, you can put the Admin.pub file in a directory that can be accessed by all hosts that will be installed with remotely managed F-Secure products. By default, F-Secure Policy Manager Console places the public key in the root of the Communication directory.

Certain directories and files should be protected by setting their permissions to allow access only by administrators. To achieve this, do the following:

1. Remove all unnecessary access rights to the \fsa subdirector y. Only the administrator who is running F-Secure Policy Manager Console should have rights to this directory.

2. Remove unnecessary Write/Change access rights from the commdir.cfg and admin.pub files. The Communication directory account should have Read-only rights to these files.

After the installation has been completed, the F-Secure Policy Manager program starts. From here, it is possible to continue by creating policy domains and installing hosts.

Changing the Web Browser Path

The F-Secure Policy Manager Console acquires the file path to the default Web browser during setup. If you want to change the Web browser path, open the Tools menu, and select Preferences.

Select the Locations tab and enter the new file path.

5.3 Uninstalling F-Secure Policy Manager Consol e

To uninstall F-Secure Policy Manager Console (or other F-Secure Policy Manager components), follow these steps:

1. Open the Windows Start menu and go to Control Panel. Select Add/ Remove Programs.

2. Select the component you want to uninstall (F-Secure Policy Manager Console or Certificate Wizard), and click the Add/Remove button.

3. The F-Secure Uninstall dialog box appears. Click Start to begin uninstallation.

4. When the uninstallation is complete, click Close.

5. Click OK to exit Add/Remove Programs.

6. Reboot your computer for changes to take effect.

USING F-SECURE

OLICY MANAGER

ONSOLE

Overview..................................................................................... 85

F-Secure Policy Manager Console Basics................................. 86

F-Secure Client Security Management..................................... 104

Managing Domains and Hosts................................................. 104

Software Distribution................................................................ 115

Managing Policies.................................................................... 134

Managing Operations and Tasks.............................................. 140

Alerting..................................................................................... 140

Reporting Tool.......................................................................... 144

Preferences.............................................................................. 149

6.1 Overview

F-Secure Policy Manager Console is a remote management console for the most commonly used F-Secure security products, designed to provide a common platform for all of the security management functions required in a corporate network.

An administrator can create different security policies for each host, or create a single policy for many hosts. The policy can be distributed over a network to the workstations, servers, and security gateways.

With F-Secure Policy Manager Console, you can:

 Set the attribute values of managed products,  Determine rights for users to view or modify attribute values that

were remotely set by the administrator.

 Group the managed hosts under policy domains sharing common

attribute values.

 Manage host and domain hierarchies easily.  Generate signed policy definitions, which include attribute values

and restrictions.

 Display status.  Handle alerts.  Handle F-Secure Anti-Virus scanning reports.  Handle remote installations.  View reports in HTML format, or export reports to various exports

formats.

F-Secure Policy Manager Console generates the policy definition, and displays status and alerts. Each managed host has a module (F-Secure Management Agent) enforcing the policy on the host.

The conceptual world of F-Secure Policy Manager Console consists of hosts that can be grouped within policy domains. Policies are host-oriented. Even in multi-user environments, all users of a specific host share common settings.

F-Secure Policy Manager Console recognizes two types of users: administrators and read-only mode users.

CHAPTER 6 86

Using F-Secure Policy Manager Console

The administrator has access to the administration private key. This private key is stored as a file, which may be shared among users with management rights. The administrator uses F-Secure Policy Manager Console to define policies for different domains and individual hosts.

In Read-only mode, the user can:

 View policies, statistics, operation status, version numbers of

installed products, alerts and reports.

 Modify F-Secure Policy Manager Console properties, because its

installation is user-based and modifications cannot affect other users.

The user cannot

 Modify the domain structure or the properties of domains and

do any of the following in Read-only mode:

hosts.

 Modify product settings.  Perform operations.  Install products.  Save policy data.  Distribute policies.  Delete alerts or reports.

There can be only one Administrator mode connection to F-Secure Policy Manager Server at a time. There can be several read-only connections to F-Secure Policy Manager Server simultaneously.

6.2 F-Secure Policy Manager Console Basics

The following sections describes the F-Secure Policy Manager Console logon procedure, menu commands and basic tasks.

6.2.1 Logging In

When you start F-Secure Policy Manager Console, the following dialog box will open (click Options to expand the dialog box to include more options)

Figure 6-1 F-Secure Policy Manager Console Login dialog

The dialog box can be used to select defined connections. Each connection has individual preferences, which makes it easier to manage many servers with a single F-Secure Policy Manager Console instance.

It is also possible to define multiple connections to a single server. After selecting the connection, enter your F-Secure Policy Manager Console passphrase. This is the passphrase that you defined when you installed the program. This is not your network administrator password.

You can start the program in Read-Only mode, in which case you do not need to enter a passphrase. In this case, however, you will not be allowed to make changes.

The setup wizard creates the initial connection, which appears by default in the Connections: field. To add more connections, click Add or to edit an existing connection, click Edit (these options are available when the dialog box is expanded).

Note that it is possible to make copies of existing connections. This makes it easy to define multiple connections to the same server, with slightly different connection preferences for different usages. For example, an existing connection can be taken as a template, and different connection preferences can be tested with the new copy without affecting the original settings.

Connection Properties

The link to the data repository is defined as the HTTP URL of the F-Secure Policy Manager Server.

CHAPTER 6 88

Using F-Secure Policy Manager Console

Figure 6-2 Connection Properties dialog

The Name field specifies what the connection will be called in the Connection: field in the login dialog. If the Name field is left empty, the

URL or the directory path is displayed. Public Key File and Private Key File paths specify what management

key-pair to use for this connection. If the specified key files do not exist, F-Secure Policy Manager Console will generate a new key-pair.

Communication Preferences

Select the Communication tab to customize communication settings. To change polling intervals, click Polling Period Options.

Host connection status controls when hosts are considered disconnected from F-Secure Policy Manager. All hosts that have not contacted F-Secure Policy Manager Server within the defined interval are considered disconnected. The disconnected hosts will have a notification

icon in the domain tree and they will appear in the Disconnected Hosts list in the Domain status view. The domain tree notification icons can be switched off from Advanced Options. Note that it is possible to define an interval that is shorter than one day by simply typing in a floating point number in the setting field. For example, with a value of "0.5" all hosts that have not contacted the server within 12 hours are considered disconnected. Values less than one day are normally useful only for trouble shooting purposes, because in a typical environment some hosts are naturally disconnected from the server every now and then. For example, laptop computers may not be able to access the server daily, but in most cases this is perfectly acceptable behavior.

Figure 6-3 Connection Properties > Communication dialog

The communication protocol selection affects the default polling intervals. You should modify the communication setting to suit your environment. If you are not interested in certain management information, you should switch unnecessary polling off by clearing the polling item you want to

CHAPTER 6 90

Using F-Secure Policy Manager Console

disable. Disable All Polling disables all of the polling items. Whether or not automatic polling is disabled, manual refresh operations can be used to refresh the selected view.

Figure 6-4 Polling Periods dialog

See “Preferences”, 149 for more information about other connection-specific settings. After F-Secure Policy Manager Console startup these settings can be edited normally from the Preferences view.

6.2.2 The User Interface

When you start F-Secure Policy Manager Console, the user interface opens displaying the following four panes: Policy Domain pane, Properties pane, Product View pane and Messages pane (not visible if there are no messages).

Figure 6-5 F-Secure Policy Manager Console user interface

6.2.3 Policy Domain Pane

In the Policy Domain pane, you can do the following:

 Add a new policy domain (click the icon, which is located on

the toolbar). A new policy domain can be created only when a parent domain is selected.

 Add a new host (click the icon).  Find a host.  View the properties of a domain or host. All hosts and domains

should be given unambiguous names.

 Import autoregistered hosts.  Autodiscover hosts from a Windows domain.  Delete hosts or domains.  Move hosts or domains, using cut and paste operations.  Export a policy file.

After selecting a domain or host, you can access the above options from the Edit menu.

The domains referred to in the commands are not Windows NT or DNS domains. Policy domains are groups of hosts or subdomains that have a similar securi ty pol ic y.

6.2.4 Properties Pane

Defining policies consists of specifying default values for settings, specifying what values are allowed, and specifying access restrictions to the settings. Policies for a domain or a host are defined in the Properties pane.

The Properties pane contains subtrees (“branches”), tables, rows, and policy variables. Subtrees are only used to expand the structures. Tables may contain any number of rows.

The Properties pane has the following tabs:

 Policy - The Policy tab allows you to use the Product View pane

 Status - Beneath each product shown in the Status tab are two

 Alerts - Displays a list of alerts originating from hosts in the

 Reports - Displays all reports from the selected host.  Installation - Displays installation options.

CHAPTER 6 92

Using F-Secure Policy Manager Console

to define settings, restrictions, and operations for domains or hosts. These changes become effective after the policy has been distributed and the Agent has fetched the policy file.

status categories: Settings and Statistics. Settings displays the local settings that have been explicitly modified in the host; default values or values set in the Base Policy are not displayed. The Statistics subtree displays statistics for the host for each product. If a policy domain is selected, the Status view displays number of hosts in the domain and which hosts are disconnected from F-Secure Policy Manager.

selected domain, displays the selected alert in the Product View pane, and displays reports related to the alerts.

6.2.5 Product View Pane

The function of the Product View pane changes according to which tab of the Properties pane is open:

 Policy tab - In the Product View pane, you can set the value of a

policy variable. All modifications affect the selected policy domain or host. There is a predefined editor for each type of policy variable. The editor is displayed when you select the variable type in the Policy tab. Some subtrees, tables, and leaf nodes might have special custom editors. These editors customize F-Secure Policy Manager Console for each installed product. There are also Restriction Editors, which open within the Product View pane or open as a separate dialog box.

 Status tab - In the Product View pane, you can view (1)

“settings”, which are the local modifications reported by the host, and (2) statistics.

 Alerts tab - When an alert is selected in the Alerts tab, details of

the alert are displayed in the Product View pane.

 Reports - When a report is selected in the Reports tab, details of

the report are displayed in the Product View pane.

 Installation - In the Product View pane, you can view and edit

installation information.

The traditional F-Secure Policy Manager Console MIB tree contains all the settings/operations (Policy) and local setting/statistics (Status) in a product component specific MIB tree. There is also an optional simplified GUI view available. Most F-Secure products already define these new style interfaces, which offer the most important items found in the MIB tree in a much more user friendly way. It is still possible to define policies and view status using the MIB tree like view, but in most cases the new Product Views are enough. Using both MIB tree and Product Views simultaneously is possible, because Product View simply links to the data found also in the MIB tree.

The F-Secure Management Agent Product View is on the following page as an example (the same generic operations and functionality are found in all Product Views).

CHAPTER 6 94

Using F-Secure Policy Manager Console

Using Help

In most cases the Product View fields offer the same help texts as the MIB tree nodes. In addition, each tab has it's own help text. The help texts follow mouse clicks (all tabs and policy and status editors) and field focus (only available when the Policy tab is selected in the Properties pane). You can click either the field label or the value editor field to activate the corresponding help text.

Editing Policy Settings

Select a product (e.g. F-Secure Management Agent) and the Policy tab from the Properties Pane. F-Secure Policy Manager Console will render a Product View in the Product View Pane for your selected product, and contains the most commonly used settings and the most often needed restriction editors from the MIB tree, in the following categories:

 Communication - edit communication settings.  Alerting - edit alert settings.  Alert Forwarding - see “Configu ring Alert Forwarding” on

page 142 for more details.

 Certificates - allows definition of trusted certificates  Certificate Directory - defines the directory settings where

certificates are stored.

 About - contains a link to F-Secure Web Club (for more details,

see “Web Club”, 232).

You can edit the policy settings normally, and use the restriction setting (final, hidden) to define end user access rights.

Figure 6-6 Product View pane

Using the Context Menu for Pol icy Settings

Most editor fields in the Product View include a context menu (activated by right-clicking your mouse). The context menu contains the following options: Go To, Clear Value, Force Value and Show domain values.

Figure 6-7 Context menu

CHAPTER 6 96

Using F-Secure Policy Manager Console

Shortcut to the MIB Tree Node

Sometimes it is convenient to see what setting of the MIB tree is actually changed when modifying some specific Product View item. Select the Go

To menu item to display the corresponding MIB tree node in the Properties pane.

Note that in most cases the MIB tree offers more, though less frequently needed, setting parameters. For example, this is one way to edit the restrictions of those policy settings that do not display direct restriction editors in the Product View.

Clear Value

The functionality of the Clear Value menu item is the same as in the MIB tree. After clearing the current value, the field will either display the inherited value (grey text), or no value at all. The Clear Value menu item is available only if there is a value defined for the currently defined domain or host.

Force Value

This Force Value menu item is available only when a Policy Domain is selected. You can enforce the current domain setting to also be active in all subdomains and hosts. In practice, this operation clears the corresponding setting in all subdomains and hosts below the current domain, enabling the inheritance of the current value to all subdomains and hosts. Use this menu entry cautiously: all values defined in the subdomain or hosts under the selected domain are discarded, and cannot be restored.

Show Domain Values

The Show Domain Values menu item is available only when a Policy Domain is selected. You can view a list of all policy domains and hosts below the selected policy domain, together with the value of the selected field.

Click any domain or host name to quickly select the domain or host in the Policy Domains pane. It is possible to open more than one Domain Value dialog simultaneously.

Figure 6-8 Show Domain Values dialog

Viewing Status

Open the Status tab and select the product from the Properties pane. F-Secure Policy Manager Console will render a Product View to the Product View pane, where you can view the more important local settings and statistics.

Values cannot be edited, but the MIB help texts can be displayed by clicking a field or its label.

For the policy domains, the Status tab will show the domain level status overview: number of hosts in the domain, and list of disconnected hosts.

Figure 6-9 Status tab

Click any disconnected host to quickly change the policy domain selection into that host. This way it is possible to investigate if the disconnected host managed to send some alerts or useful statistics before the disconnection. This information may help to investigate why the host was

CHAPTER 6 98

Using F-Secure Policy Manager Console

disconnected. If the reason is clear, for example, if the host's F-Secure software has been uninstalled, the host can be deleted normally. After investigating one disconnected host, the most convenient way to get back

to the previously selected domain level is to click the button in the toolbar.

The Domain Status view also offers two shortcut operations for handling a greater number of disconnected hosts: selecting all disconnected hosts and deleting all disconnected hosts. Both operations can be accessed through the Disconnected Host tree root node context menu.

Figure 6-10 An example of shortcuts available in the Domain Status View

WARNING: Deleting all disconnected hosts is potentially a dangerous operation, as it is possible that some existing hosts are for some natural reason temporarily disconnected longer than the allotted threshold days. Always check the disconnection threshold value from Preferences before deleting hosts. If a still existing host is deleted accidently, all host specific alerts, report, status and policy settings will be lost. However, the host will send an autoregistration message once it discovers that it has been removed from the F-Secure Policy Manager. The host can be re-imported to the domain tree, but from the Policy Manager point of view it's like any other newly added host.

Figure 6-11 The status of a component displayed in the Product View pane

6.2.6 Messages Pane

F-Secure Policy Manager Console logs messages in the Message pane about different events. Unlike the Alerts and Reports panes, Message pane events are generated only by F-Secure Policy Manager Console.

There are three categories of messages: Information, Warnings, and Errors. Each Message View tab can contain messages of all three severities. You can delete a category in the displayed context menu by right-clicking on a tab. By right-clicking on an individual message, a context menu is displayed with cut, copy, and delete operations.

By default, messages are logged into UTF-8 files in the message subdirectory of the local F-Secure Policy Manager Console installation directory. A separate log file is created for each message category (tab names in the Message pane). You can use the Preferences-Locations page to specify the directory for the log file, and to switch logging on and off. The functionality of the Messages view is not affected when you switch message saving on and off.

6.2.7 The Toolbar

The toolbar contains buttons for the most common F-Secure Policy Manager Console tasks.

CHAPTER 6 100

Using F-Secure Policy Manager Console

Saves the policy data

Distributes the policy

Go to the previous domain or host in the domain tree selection history.

Go to the next domain or host in the domain tree selection history.

Go to the parent domain.

Cuts a host or domain.

Pastes a host or domain.

Adds a domain to the currently selected domain.

Adds a host to the currently selected domain.

Displays the Properties box of a host or domain.

Launches the Autodiscover Windows Hosts tool. New hosts will be added to the currently selected policy domain.

F-secure POLICY MANAGER 7.0 Administrator’s Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

ABOUT THIS GUIDE

Overview

How This Guide is Organized

Conventions Used in F-Secure Guides

Symbols

INTRODUCTION

1.1 Overview

1.2 Installation Order

1.3 Features

1.4 Policy-Based Management

1.4.1 Management Information Base

SYSTEM REQUIREMENTS

2.1 F-Secure Policy Manager Server

2.2 F-Secure Policy Manager Console

3.1 Overview

3.2 Security Issues

3.2.1 Installing F-Secure Policy Manager in High Security Environments

3.3 Installation Steps

3.4 Configuring F-Secure Policy Manager Serve r

3.4.1 Changing the Communication Directory Path

3.4.2 Changing the Ports Where the Server Listens for Requests

3.4.3 F-Secure Policy Manager Server Configuration Settings

3.5 Uninstalling F-Secure Policy Manager Server

COMMDIR MIGRATION

4.1 Introduction

4.2 Instructions

5.1 Overview

5.2 Installation Steps

5.3 Uninstalling F-Secure Policy Manager Consol e

6.1 Overview

6.2 F-Secure Policy Manager Console Basics

6.2.1 Logging In

6.2.2 The User Interface

6.2.3 Policy Domain Pane

6.2.4 Properties Pane

6.2.5 Product View Pane

6.2.6 Messages Pane

6.2.7 The Toolbar