Juniper Networks Network and Security Manager
Installation Guide
Release 2010.4
Published: 2010-11-17
Revision 1
Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net
This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.
This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Network and Security Manager Installation Guide
Revision History November 17, 2010—Revision 1
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. The Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
Copyright © 2010, Juniper Networks, Inc.
END USER LICENSE AGREEMENT
READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.
BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).
2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.
d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restricted feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.
7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that accompanies the Software (the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product.
Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.
10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.
12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).
Table of Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Part 1 Network and Security Manager Installation Procedures
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Installation Process Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Management System Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
User Interface Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Installation Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Minimum System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
System Requirements—Management System . . . . . . . . . . . . . . . . . . . . . . . . . 5
System Requirements—User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Choosing Standalone, Distributed, or High Availability Configurations . . . . . . . . . . 7
Standalone Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Distributed Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Simple High Availability Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Extended High Availability Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Other Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Local/Remote Database Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
NetScreen-Statistical Report Server Interoperability . . . . . . . . . . . . . . . . . . . 10
Device Server Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 2 Generating the NSM License Key File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Installing NSM for the First Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
NSM Trial Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Generating the License Key for an NSM Software-Only Installation . . . . . . . . 14
Generating the License Key for an NSM Appliance Installation . . . . . . . . . . . . 14
Generating the License Key for a High Availability NSM Installation . . . . . . . . 14
Upgrading to an NSM Release that Requires a License . . . . . . . . . . . . . . . . . . . . . . 15
Generating the License Key for an NSM Software-Only Upgrade . . . . . . . . . . 15
Generating the License Key for an NSM Appliance Upgrade Installation . . . . 16
Generating the License Key File for an NSM 2007.3 or Later High Availability Upgrade Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Example of an NSM License File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Installing the License Key File in Various Configurations . . . . . . . . . . . . . . . . . . . . . 18
Upgrading the License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Viewing License Key Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Enforcing Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Licensing FAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 3 Installing NSM in a Standalone Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 21
Suggested Standalone Configuration Installation Order . . . . . . . . . . . . . . . . . . . . . 21
Defining System Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Prerequisite Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Running the System Update Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Configuring Shared Memory Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Establishing a Trust Relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Preparing a Solaris Server for NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Installing NSM 2010.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Typical Output for a Standalone Installation . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Starting Server Processes Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Validating Management System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Installing the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Running the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Validating the NSM Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Running the User Interface in Demo Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Chapter 4 Installing NSM in a Distributed Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 49
Suggested Distributed Configuration Installation Order . . . . . . . . . . . . . . . . . . . . 49
Defining System Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Installing the GUI Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Typical Output for Installing a GUI Server in a Distributed Configuration . . . . 59
Installing the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Adding the Device Server in the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Installing the Device Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Typical Output for Installing a Device Server in a Distributed Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Starting Server Processes Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Validating Management System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Chapter 5 Installing NSM with High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
High Availability Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
HA Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
HA Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Communication Between Physical Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Inter-server Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
HA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Database Synchronization and Remote Replication . . . . . . . . . . . . . . . . 73
HA Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Restoring Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Using a Shared Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Creating a Trust Relationship Between Servers . . . . . . . . . . . . . . . . . . . . 76
Server Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Checking HA Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Viewing HA Error Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
HA Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Suggested Simple HA Installation Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Suggested Extended HA Installation Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Defining System Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Simple HA Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Extended HA Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Shared Disk Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Verifying That Shared Partitions Are Mounted Properly . . . . . . . . . . . . . . . . . 84
Verifying That All Required System Binaries Are Available . . . . . . . . . . . . . . . 84
Verifying That Clocks Are Synchronized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Establishing an SSH Trust Relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Installing NSM 2010.4 on the Primary Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Viewing the Management System Installation Log . . . . . . . . . . . . . . . . . . . . . 93
Starting Server Processes Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Validating Management System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Other Useful Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Installing NSM 2010.4 on the Secondary Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Example: Installing NSM in a Simple HA Configuration . . . . . . . . . . . . . . . . . . . . . 95
Primary GUI Server and Device Server Installation . . . . . . . . . . . . . . . . . . . . . 96
Secondary GUI Server and Device Server Installation Script . . . . . . . . . . . . . 101
Installing the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Configuring the HA Cluster in the UI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Installing NSM In an Extended HA Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Example: Installing NSM in an Extended HA Configuration . . . . . . . . . . . . . . . 111
Primary GUI Server Installation Script . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Secondary GUI Server Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Primary Device Server Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Secondary Device Server Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Chapter 6 Upgrading to NSM 2010.4 from an Earlier Version . . . . . . . . . . . . . . . . . . . . . 131
Upgrade Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Defining System Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Standalone Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Distributed Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
HA Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Shared Disk Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Prerequisite Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Running the System Update Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Configuring Shared Memory Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Setting the rsync Timeout Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Increasing Shared Memory Segment Maximum Size . . . . . . . . . . . . . . . . . . 139
Preparing a Solaris Server for NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
ixCopyright © 2010, Juniper Networks, Inc.
Page 10
Network and Security Manager Installation Guide
Upgrading NSM in a Standalone Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Typical Output for a Standalone Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Starting Server Processes Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Validating Management System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Upgrading the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Downloading and Installing the UI Client Automatically . . . . . . . . . . . . . . . . 149
Downloading and Installing the UI Client Manually . . . . . . . . . . . . . . . . . . . . 150
Validating the Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Upgrading NSM in a Distributed Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Upgrading NSM with HA Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Upgrading the Database Backup Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Restoring Data if the Upgrade Fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Chapter 7 Upgrading NSM Appliances to NSM 2010.4 . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Upgrading NSM Regional Server and NSMCM Appliances . . . . . . . . . . . . . . . . . . 155
Upgrading to NSM Release 2010.4 on an NSM Regional Server Appliance (Online mode) . . . . . . . . . 155
Upgrading to NSM 2010.4 Release on an NSM Central Manager Appliance (Online mode) . . . . . . . . . 158
Upgrading to NSM 2010.4 Release on an NSM Appliance (Offline Mode) . . . . . . . . . 160
Upgrading to NSM Release 2010.4 on an NSM Central Manager Appliance (Offline Mode) . . . . . . . . . 162
Migrating Data to an NSM Regional Server Appliance . . . . . . . . . . . . . . . . . . . . . 165
Data Migration from a Solaris Server to an NSM Regional Server Appliance . . . . . . . . . 165
On the Solaris server: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
On the NSM appliance: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Data Migration from a Linux Server to an NSM Regional Server Appliance . . . . . . . . . 167
On the Linux Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
On the NSM Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
User Privileges on an NSM Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Chapter 8 Maintaining NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Controlling the Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Viewing Management System Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Common Management System Commands . . . . . . . . . . . . . . . . . . . . . . . . . 172
Starting All Server Processes Using the HA Server . . . . . . . . . . . . . . . . . . . . . 172
Starting GUI Server and Device Server Processes Manually . . . . . . . . . . . . . 173
Stopping Server Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Configuring Server Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Changing the Management System IP Address . . . . . . . . . . . . . . . . . . . . . . . 174
Changing the Device Server IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Changing the GUI Server IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Configuring Disk Space Management on the Device Server . . . . . . . . . . . . . 175
Configuring Disk Space Management on the GUI Server . . . . . . . . . . . . . . . . 176
Configuring Connection Timing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Setting Core File Naming on Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Archiving and Restoring Logs and Configuration Data . . . . . . . . . . . . . . . . . . . . . 178
Archiving Logs and Configuration data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Restoring Logs and Configuration Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Configuring High Availability Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Enabling and Disabling High Availability Processes . . . . . . . . . . . . . . . . . . . 180
Configuring Other High Availability Options . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Backing Up the Database Locally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Restoring the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Validating the Database Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Changing the HA Server IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Relocating the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Archiving the GUI Server Database and Device Server Log Database . . . . . . 183
Installing NSM On a New System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Moving the Databases to the New System . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Installing a Trivial File Transfer Protocol Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Installing a TFTP Server on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Installing a TFTP Server on Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Modifying Timeout Values on the Device Server . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Downgrade Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Removing the Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Uninstalling the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Part 2 Appendixes
Appendix A Technical Overview of the NSM Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 193
About the Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
GUI Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Device Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
HA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
About the NSM User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
About Managed Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Server Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Communication Ports and Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Using the Secure Server Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Communications with Devices Running ScreenOS 5.X and Later . . . . . . . . . . . . 198
Communications with Device Management Interface-Compatible Devices . . . . 199
Creating a Separate Management Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Appendix B Hardware Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Standalone or Distributed System for GUI Server and Device Server . . . . . . . . . . 201
Network Card Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Configuring Multiple Network Interface Cards . . . . . . . . . . . . . . . . . . . . . . . . 202
Memory Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
GUI Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Device Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
UI Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Storage Space Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
GUI Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Audit Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Error Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Device Configuration Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Nightly Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Device Server Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Processor Speed Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
GUI Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Device Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Device Server Managing IDP Standalone Devices Running Profiler . . . . . . . 207
Recommendations for Large-Scale Installations . . . . . . . . . . . . . . . . . . . . . . . . . 207
Appendix C Profiler Performance Tuning Recommendations . . . . . . . . . . . . . . . . . . . . . 209
Performance Tuning Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Recommendations for Low-End Configurations: . . . . . . . . . . . . . . . . . . . . . 209
Medium-Size Configuration (3 to 8 IDP Profiling Devices) . . . . . . . . . . . . . . 210
High-End Configuration (9 to 20 IDP Profiling Devices) . . . . . . . . . . . . . . . . . 211
Setting Preferences to Improve Profiler Performance . . . . . . . . . . . . . . . . . . . . . . 212
UI System Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
PostgreSQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Shared Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Device Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
NSM Generated Logs’ Impact on Performance . . . . . . . . . . . . . . . . . . . . 215
GUI Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Part 3 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
List of Figures
Part 1 Network and Security Manager Installation Procedures
Chapter 3 Installing NSM in a Standalone Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 21
Figure 1: UI Installer Introduction Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Figure 2: UI Installation—Choose Install Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Figure 3: UI Installation—Choose Shortcut Folder . . . . . . . . . . . . . . . . . . . . . . . . . 43
Figure 4: UI Installation—Preinstallation Summary . . . . . . . . . . . . . . . . . . . . . . . . 44
Figure 5: Validating the NSM Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Chapter 5 Installing NSM with High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Figure 6: Simple HA Management System Configuration . . . . . . . . . . . . . . . . . . . . 72
Figure 7: HA Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Figure 8: Configuring the HA GUI Server Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Figure 9: Configuring the HA Device Server Cluster . . . . . . . . . . . . . . . . . . . . . . . 109
Figure 10: Configuring e-mail Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Figure 11: Extended HA Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Part 2 Appendixes
Appendix A Technical Overview of the NSM Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 193
Figure 12: NSM Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Figure 13: NSM Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
List of Tables
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Table 2: Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Table 3: Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Table 4: Network and Security Manager Publications . . . . . . . . . . . . . . . . . . . . . . xix
Part 1 Network and Security Manager Installation Procedures
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 5: NSM Installation Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Table 6: Minimum System Requirements—Management System on Same Server . . . . . . . . . 5
Table 7: Minimum System Requirements—Management System on Separate Servers . . . . . . . . . 6
Table 8: Minimum System Requirements—User Interface . . . . . . . . . . . . . . . . . . . . 7
Chapter 2 Generating the NSM License Key File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Table 9: Licensing FAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 3 Installing NSM in a Standalone Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 21
Table 10: Common System Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Chapter 4 Installing NSM in a Distributed Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 49
Table 11: Distributed Configuration—System Parameters . . . . . . . . . . . . . . . . . . . 50
Chapter 5 Installing NSM with High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Table 12: HA Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Table 13: Simple HA Configuration—System Parameters . . . . . . . . . . . . . . . . . . . 80
Table 14: Extended HA Configuration—System Parameters . . . . . . . . . . . . . . . . . 83
Table 15: Shared Disk System Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Table 16: Useful Installation and Troubleshooting Commands . . . . . . . . . . . . . . . 94
Chapter 6 Upgrading to NSM 2010.4 from an Earlier Version . . . . . . . . . . . . . . . . . . . . . 131
Table 17: Standalone Configuration—System Parameters . . . . . . . . . . . . . . . . . . 132
Table 18: Distributed Configuration—System Parameters . . . . . . . . . . . . . . . . . . 134
Table 19: HA Configuration—System Parameters . . . . . . . . . . . . . . . . . . . . . . . . 134
Table 20: Shared Disk Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Chapter 8 Maintaining NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Table 21: Management System Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Part 2 Appendixes
Appendix A Technical Overview of the NSM Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 193
Table 22: Inbound ports on the NSM Management System . . . . . . . . . . . . . . . . . 196
Table 23: Outbound ports on the NSM Management System . . . . . . . . . . . . . . . 197
Table 24: Management System Communications With Devices Running ScreenOS . . . . . . . . . 198
Table 25: Management System Communications With DMI-Compatible Devices . . . . . . . . . 199
Appendix B Hardware Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Table 26: GUI Server RAM Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Table 27: Device Server RAM Requirements for Firewall/VPN or Junos Devices . . . . . . . . . 203
Table 28: Device Server RAM Requirements for IDP, Secure Access, or Infranet Controller Devices . . . . . . . . . 203
Table 29: Audit Log Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Table 30: Storage Requirements for Device Server Managing Firewall/VPN Devices . . . . . . . . . 206
Table 31: Storage Requirements for Device Server Managing IDP (w/Profiler) Devices . . . . . . . . . 206
Table 32: CPU Requirements for Device Server Managing IDP (w/Profiler) Devices . . . . . . . . . 207
Appendix C Profiler Performance Tuning Recommendations . . . . . . . . . . . . . . . . . . . . . 209
Table 33: Performance Tuning Recommendations for Low-End Configurations . . . . . . . . . 209
Table 34: Performance Tuning Recommendations for Medium-Sized Configurations . . . . . . . . . 210
Table 35: Performance Tuning Recommendations for High-End Configurations . . . . . . . . . 211
Table 36: Profiler Settings in UI System Preferences . . . . . . . . . . . . . . . . . . . . . . . 212
Table 37: PostgreSQL Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Table 38: Device Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
About This Guide
Objectives on page xvii
Audience on page xvii
Conventions on page xvii
Documentation on page xix
Requesting Technical Support on page xx
Objectives
This Network and Security Manager Installation Guide describes how you can install an initial working Network and Security Manager (NSM) system.
Audience
This guide is intended primarily for IT administrators who are responsible for installing, upgrading, and maintaining NSM.
Conventions
The sample screens used throughout this guide are representations of the screens that appear when you install and configure the NSM software. The actual screens may differ.
All examples show default file paths. If you do not accept the installation defaults, your paths will vary from the examples.
Table 1 on page xviii defines notice icons used in this guide.
Table 1: Notice Icons
Icon / Meaning / Description:
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Table 2 on page xviii defines text conventions used in this guide.
Table 2: Text Conventions
Convention / Description / Examples:
Bold typeface like this: Represents commands and keywords in text. Example: Issue the clock source command.
Bold typeface like this: Represents keywords. Example: Specify the keyword exp-msg.
Bold typeface like this: Represents UI elements. Example: Click User Objects.
Bold typeface like this: Represents text that the user must type. Example: user input
fixed-width font: Represents information as displayed on the terminal screen. Example:
host1# show ip ospf
Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an area Border Router (ABR)
Keynames linked with a plus (+) sign: Indicates that you must press two or more keys simultaneously. Example: Ctrl + d
Italics: Emphasizes words. Example: The product supports two levels of access, user and privileged.
Italics: Identifies variables. Example: clusterID, ipAddress.
The angle bracket (>): Indicates navigation paths through the UI by clicking menu options and links. Example: Object Manager > User Objects > Local Objects
Table 3 on page xix defines syntax conventions used in this guide.
Table 3: Syntax Conventions
Convention / Description / Examples:
Words in plain text: Represent keywords. Example: terminal length
Words in italics: Represent variables. Example: mask, accessListName
Words separated by the pipe ( | ) symbol: Represent a choice to select one keyword or variable to the left or right of this symbol. The keyword or variable can be optional or required. Example: diagnostic | line
Words enclosed in brackets ( [ ] ): Represent optional keywords or variables. Example: [ internal | external ]
Words enclosed in brackets followed by an asterisk ( [ ]*): Represent optional keywords or variables that can be entered more than once. Example: [ level1 | level2 | 11 ]*
Words enclosed in braces ( { } ): Represent required keywords or variables. Example: { permit | deny } { in | out } { clusterId | ipAddress }
Documentation
Table 4 on page xix describes documentation for NSM.
Table 4: Network and Security Manager Publications
Book / Description:
Network and Security Manager Installation Guide: Describes the steps to install the NSM management system on a single server or on separate servers. It also includes information on how to install and run the NSM user interface. This guide is intended for IT administrators responsible for the installation or upgrade of NSM.
Network and Security Manager Administration Guide: Describes how to use and configure key management features in the NSM. It provides conceptual information, suggested workflows, and examples. This guide is best used in conjunction with the NSM Online Help, which provides step-by-step instructions for performing management tasks in the NSM UI. This guide is intended for application administrators or those individuals responsible for owning the server and security infrastructure and configuring the product for multi-user systems. It is also intended for device configuration administrators, firewall and VPN administrators, and network security operation center administrators.
Network and Security Manager Configuring ScreenOS Devices Guide: Provides details about configuring device features for all supported ScreenOS platforms.
Network and Security Manager Configuring Intrusion Detection and Prevention Devices Guide: Provides details about configuring device features for all supported Intrusion Detection and Prevention (IDP) platforms.
Network and Security Manager Online Help: Provides procedures for basic tasks in the NSM user interface. It also includes a brief overview of the NSM system and a description of the GUI elements.
Network and Security Manager API Guide: Provides complete syntax and description of the SOAP messaging interface to NSM.
Network and Security Manager Release Notes: Provides the latest information about features, changes, known problems, resolved problems, and system maximum values. If the information in the Release Notes differs from the information found in the documentation set, follow the Release Notes. Release notes are included on the corresponding software CD and are available on the Juniper Networks website.
Network and Security Manager Configuring Infranet Controllers Guide: Provides details about configuring the device features for all supported Infranet Controllers.
Network and Security Manager Configuring Secure Access Devices Guide: Provides details about configuring the device features for all supported Secure Access Devices.
Network and Security Manager Configuring EX Series Switches Guide: Provides details about configuring the device features for all supported EX Series platforms.
Network and Security Manager Configuring J Series Services Routers and SRX Series Services Gateways Guide: Provides details about configuring the device features for all supported J Series Services Routers and SRX Series Services Gateways.
Network and Security Manager M Series and MX Series Devices Guide: Provides details about configuring the device features for M Series and MX Series platforms.
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.
JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .
Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/ .
JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
Find CSC offerings: http://www.juniper.net/customers/support/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html
PART 1
Network and Security Manager Installation Procedures
Introduction on page 3
Generating the NSM License Key File on page 13
Installing NSM in a Standalone Configuration on page 21
Installing NSM in a Distributed Configuration on page 49
Installing NSM with High Availability on page 71
Upgrading to NSM 2010.4 from an Earlier Version on page 131
Upgrading NSM Appliances to NSM 2010.4 on page 155
Maintaining NSM on page 171
CHAPTER 1
Introduction
This chapter provides you with the information you need to install Network and Security Manager (NSM) and integrate it into your network. It provides an overview of the NSM installation process. It also reviews minimum hardware and software requirements and options for configuring the management system to provide enhanced functionality, performance, and scalability.
This chapter contains the following sections:
Installation Process Overview on page 3
Installation Package on page 4
Minimum System Requirements on page 5
Choosing Standalone, Distributed, or High Availability Configurations on page 7
Other Configuration Options on page 9
Next Steps on page 11
Installation Process Overview
NSM is software that enables you to integrate and centralize management of your Juniper Networks environment.
To run NSM you need to install two main software components: the NSM management system and the NSM user interface (UI).
The overall process for installing NSM is as follows:
Management System Installation Process on page 3
User Interface Installation Process on page 4
Management System Installation Process
The management system installer enables you to install all the software required to run each component of the NSM management system.
The management system installer is a shell archive script that you can run on either of the following dedicated platforms, provided the server meets the minimum requirements:
Solaris 10 (for SPARC)
Red Hat Enterprise Linux (RHEL) ES/AS 4.0 or ES/AS 5.0 (Minimal and Full Install)
See “Minimum System Requirements” on page 5 for more information on the minimum required hardware and software that you need to install the NSM management system. To plan for larger deployments, refer to “Hardware Recommendations” on page 201.
NOTE: NSM 2008.1 and later no longer support installations on servers running Solaris 8 or 9. If you plan to install the management system on a server running Solaris 8 or 9, you must upgrade the system to Solaris 10. Similarly, NSM 2008.1 and later no longer support installations on RHEL ES/AS 3.0. If you plan to install the management system on a server running RHEL ES/AS 3.0, you must upgrade the system to either RHEL ES/AS 4.0 or RHEL ES/AS 5.0.
RHEL and Solaris installations use different installer scripts. When you launch the management system installer, the script guides you through all the steps required to install and configure each management system component.
User Interface Installation Process
The NSM user interface (UI) installer launches an InstallAnywhere wizard that you can run on any Windows or Linux-based computer that meets minimum system requirements. See Table 8 on page 7 for more information on the minimum required hardware and software that you need to install the NSM UI.
The InstallAnywhere wizard guides you through all the steps required to configure and install the UI. After you install the UI, you can connect it to the management system.
Installation Package
All the software files required to install NSM are located on the NSM installation CD or on the Internet at the Juniper Networks corporate support web site. We recommend you download these files to the computers on which you plan to install NSM before you begin the installation process.
Table 5 on page 4 describes the contents of the NSM installation CD.
Table 5: NSM Installation Files
Filename                                 Description
nsm2010.4_ui_win_x86.exe                 Installer for the NSM UI (for Windows-based computers).
nsm2010.4_ui_linux_x86.bin               Installer for the NSM UI (for Linux-based computers).
nsm2010.4_servers_linux_x86.sh           Installer for the NSM management system for Linux.
nsm2010.4_servers_sol_sparc.sh           Installer for the NSM management system for Solaris.
nsm2010.4-systemupdate-linuxES_4.tar     System update utility for RHEL ES 4.0. Use this file to update files on your system required for the installer to run properly.
nsm2010.4-systemupdate-linuxES_5.tar     System update utility for RHEL ES 5.0. Use this file to update files on your system required for the installer to run properly.
nsm2010.4-systemupdate-solaris10.tar     System update utility for Solaris 10. Use this file to update files on your system required for the installer to run properly.
Minimum System Requirements
The following minimum hardware and software requirements must be met to properly install and run NSM.
System Requirements—Management System
Table 6 on page 5 describes the minimum requirements that must be met for the GUI Server and Device Server on the same server.
Table 6: Minimum System Requirements—Management System on Same Server
Component            Minimum Requirements
Operating System     Solaris 10 operating system with End User Solaris Software Group package, or
                     RHEL 32-bit ES/AS 4.0 Update 7 or 32-bit ES/AS 5.0 Update 3 (Minimal and Full Install)
CPU                  Sun Microsystems UltraSPARC III (Cu) 1.2 GHz or UltraSPARC T2 only, or
                     Linux 2 GHz (x86) processor (or higher)
Storage              RAM: 4 GB
                     Swap space: 4 GB for both GUI Server and Device Server
                     Hard disk drive: 7200 RPM (minimum), 15,000 RPM (recommended); 40 GB disk space (minimum), 80 GB disk space (recommended)
                     By directory: /usr 7 GB minimum; /var 10 GB minimum; /tmp 2 GB minimum
Network Connection   100 Mbps (minimum) Ethernet adapter; higher speeds are recommended
Other                Server must be dedicated to running NSM.
                     NSM should not be installed on virtual systems such as VMware and Microsoft VM Server due to high system I/O requirements.
Table 7 on page 6 describes the minimum requirements that must be met for each server when the GUI Server and Device Server are installed on separate servers.
Table 7: Minimum System Requirements—Management System on Separate Servers
Component            Minimum Requirements
Operating System     Solaris 10 operating system with End User Solaris Software Group package, or
                     RHEL 32-bit ES/AS 4.0 Update 7 or 32-bit ES/AS 5.0 Update 3 (Minimal and Full Install)
                     NOTE: Both servers must be running the same operating system version. For example, you cannot run the GUI Server on a server running Linux and the Device Server on a server running Solaris.
CPU                  Sun Microsystems UltraSPARC IIi 1 GHz (or higher) only, or
                     Linux 2 GHz (x86) processor (or higher)
Storage              RAM: 4 GB
                     Swap space: 2 GB for the GUI Server, 2 GB for the Device Server
                     Hard disk drive: 7200 RPM (minimum), 15,000 RPM (recommended); 40 GB disk space (minimum), 80 GB disk space (recommended)
                     By directory: /usr 7 GB minimum; /var 10 GB minimum; /tmp 2 GB minimum
Network Connection   100 Mbps (minimum) Ethernet adapter; higher speeds are recommended
Device Connection    56 Kbps (minimum) bandwidth to NSM
Other                Each server must be dedicated to running NSM.
                     NSM should not be installed on a virtual system such as VMware and Microsoft VM Server due to high system I/O requirements.
NOTE: You can extend system performance and data capacity by expanding the minimum requirements specified for each component. See “Hardware Recommendations” on page 201 for more information about the hardware and software appropriate for your specific network.
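Before you run the installer, it is worth checking the host against the Table 6 minimums, because the installer stops partway through a failed install and leaves you to clean up. The script below is an added example written for this page, not a tool shipped with NSM. The thresholds are the guide's; the function names, the use of /proc/meminfo for RAM and swap, and the "hypervisor" CPU-flag heuristic for spotting a virtual machine guest are this example's own assumptions and work on Linux only (on Solaris, check memory, swap and virtualization by hand).

```shell
#!/bin/sh
# Added example, not part of the NSM guide: pre-install check against the
# Table 6 minimums for a single-server (GUI Server + Device Server) install.
# Thresholds are the guide's; the /proc-based checks are Linux-only assumptions.
MIN_USR_GB=7
MIN_VAR_GB=10
MIN_TMP_GB=2
MIN_RAM_GB=4
MIN_SWAP_GB=4

# gb_ok KB MIN_GB : true when KB kilobytes is at least MIN_GB gigabytes
gb_ok() {
    [ "$1" -ge $(( $2 * 1024 * 1024 )) ]
}

# avail_kb PATH : free kilobytes on the filesystem holding PATH (POSIX df -P)
avail_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }'
}

# meminfo_kb FIELD : a /proc/meminfo value such as MemTotal or SwapTotal;
# prints nothing on systems without /proc/meminfo (for example Solaris)
meminfo_kb() {
    [ -r /proc/meminfo ] && awk -v f="$1:" '$1 == f { print $2 }' /proc/meminfo
}

# report LABEL KB MIN_GB : print ok/FAIL/skip; returns 1 unless the minimum is met
report() {
    if [ -z "$2" ]; then
        echo "skip $1: could not determine, check manually (need $3 GB)"
        return 1
    elif gb_ok "$2" "$3"; then
        echo "ok   $1: $(( $2 / 1024 / 1024 )) GB (need $3 GB)"
    else
        echo "FAIL $1: $(( $2 / 1024 / 1024 )) GB (need $3 GB)"
        return 1
    fi
}

# The guide rules out VMware and Microsoft VM Server. On x86 Linux the kernel
# shows a "hypervisor" CPU flag when it is running as a guest; this is a
# heuristic, not proof, so treat a hit as something to confirm.
guest_hint() {
    [ -r /proc/cpuinfo ] && grep -qw hypervisor /proc/cpuinfo
}

run_checks() {
    rc=0
    report "/usr free space" "$(avail_kb /usr)" "$MIN_USR_GB" || rc=1
    report "/var free space" "$(avail_kb /var)" "$MIN_VAR_GB" || rc=1
    report "/tmp free space" "$(avail_kb /tmp)" "$MIN_TMP_GB" || rc=1
    report "RAM"            "$(meminfo_kb MemTotal)"  "$MIN_RAM_GB"  || rc=1
    report "swap"           "$(meminfo_kb SwapTotal)" "$MIN_SWAP_GB" || rc=1
    if guest_hint; then
        echo "FAIL host looks like a virtual machine guest; the guide requires a dedicated physical server"
        rc=1
    fi
    return $rc
}

run_checks || echo "One or more NSM minimums are not met; fix them before running the installer."
```

The check reads free space on the filesystem that holds each directory, so on a host with a single root filesystem all three directory lines report the same number; the guide's per-directory figures still have to fit in it together. For a distributed install, rerun it on both servers with the Table 7 swap figure (2 GB per server) instead.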
System Requirements—User Interface
Table 8 on page 7 describes the minimum system requirements that must be met for the User Interface.
Table 8: Minimum System Requirements—User Interface
Component            Minimum Requirement
Software             Microsoft Windows Vista, or
                     Microsoft Windows XP, or
                     RHEL 32-bit ES 4.0 or 32-bit ES 5.0, RHEL 32-bit AS 4.0 or RHEL 32-bit AS 5.0 (Minimal and Full Install), US English versions only
Hardware             IBM compatible PC
                     Pentium 4 or equivalent
                     RAM: 2 GB. For managing large scale setups (for example, with more than 1000 devices on the NSM server), Juniper recommends a minimum of 4 GB RAM.
                     384 Kbps (DSL) or LAN connection; minimum bandwidth required to connect to the NSM management system.
Choosing Standalone, Distributed, or High Availability Configurations
The two most important installation considerations are:
Scale — The size of the network.
The NSM management system is designed to scale from the management of a few devices to huge networks of up to 3000 devices. For smaller networks, you can install the entire system on a single Linux or Solaris server. For larger networks, you can distribute the NSM management system by installing the Device Server and GUI Server on separate machines, and by using external shared disk systems.
Failure tolerance — The effect on the organization upon failure of an NSM component and the downtime during repair.
You can increase fault tolerance by installing a standby management system on a single server for smaller installations, or on distributed servers for larger installations.
Some of the factors to consider include, but are not limited to:
Number of devices managed
Size of devices managed (for example, a NetScreen 5200 firewall/VPN system might have a larger impact than a NetScreen 5GT firewall appliance)
Impact on the organization to temporary loss of logs during server failure (if not using multiple Device Servers the logs from firewalls would be lost until the single server is repaired)
Amount of log data stored (this is a combination of the number of logs per day sent from the devices and the number of days the logs are required to remain on the management system)
Customer's Linux/Solaris knowledge/skills
Industry regulations governing the customer that might dictate the efforts they must go to in order to protect continuous log collection
Main reason for using NSM (for example, firewall configuration only with occasional logging; heavy logging)
Budget
Future expansion of firewall network (future proofing)
For more information about recommended hardware for various types of networks, see “Hardware Recommendations” on page 201.
You can design and implement NSM to scale to small, medium, and large enterprises, as well as service provider deployments. There are four main options for configuring NSM:
Standalone Configuration on page 8
Distributed Configuration on page 8
Simple High Availability Configuration on page 9
Extended High Availability Configuration on page 9
Standalone Configuration
The most straightforward implementation of the NSM management system is to install both components of the management system—GUI Server and Device Server—on the same server. This configuration is appropriate for most small firewall networks (recommended for no more than 100 devices, considerably less for networks containing large firewalls). It has the advantage of low cost and simplicity. Local backup for disaster recovery and external data storage are options for this configuration.
The NSM appliances can run as standalone configurations. See the NSMXpress and NSM3000 User Guide for details.
Distributed Configuration
For large enterprise networks that generate and store many traffic logs, we recommend that you install the GUI Server and Device Server on separate servers. The distributed system enables greater processing power per service. In addition, a failure of the GUI Server would not result in the loss of log information, because the Device Server can continue to communicate with firewalls. You can also tailor the choice of hardware to the needs of each service (typically large RAM for the GUI Server and large disk capacity for the Device Server).
Simple High Availability Configuration
You can also install and configure the management system to provide for high availability. This configuration option is recommended to minimize the impact of unplanned server outages.
To implement the management system for high availability, you need to install two physical servers: a primary server that runs on one server machine in active mode, and a secondary server that runs on a different server machine in standby mode. The failure of any service on the primary server (or a hardware fault with the same effect) causes both the GUI Server and Device Server to fail over to the standby server. The added benefit is automatic recovery of the management service, resulting in fewer lost firewall logs and reduced administrative downtime. Note that device logs are not replicated to the peer server; only the configuration database is. Logs collected before a failover therefore exist only on the failed server until it is repaired.
During the installation or upgrade process, the installer script prompts you to specify whether or not you want the current server machine to participate in an HA cluster. If you choose to do so, the installer script prompts you to configure additional parameters enabling the high availability features on the management system.
NOTE: The NSM appliances can run in a simple high-availability configuration for fault tolerance.
Extended High Availability Configuration
The extended high availability configuration is the most extensive and complex configuration but has the greatest protection against component failure. A failure of the primary Device Server would cause failover to the standby Device Server. This new Device Server would attempt connection with the primary GUI Server. Failure of a GUI Server would also cause failover to the standby GUI Server. The current Device Server would attempt to connect to the standby GUI Server after a timeout period. In this configuration the failure of a single component has minimal impact on the system as a whole. In addition, the distributed system gives each service more system resources.
For more information about installing the management system for high availability, see “High Availability Overview” on page 71.
Other Configuration Options
In addition to scale and fault tolerance, other configuration options include:
Local/Remote Database Backup
You can also configure the management system to perform an automatic backup of the GUI Server database to the local server machine and, if necessary, to a remote server machine.
NOTE: You cannot perform backups to a remote server without also configuring the management system to perform backups to the local server.
During the installation or upgrade process, the installer script prompts you to specify whether this server machine requires local database backups. If you choose to do so, the installer script prompts you to configure the following additional parameters enabling the management system to perform automatic daily backups of the database:
Hour of Day to store the database backup
Number of database backups to keep
Directory where local database backups are stored
Full path to the rsync command—the management system uses the rsync utility to perform the database backup
NOTE: The NSM appliances are preconfigured to perform local database backups. See the NSMXpress and NSM3000 User Guide for details.
If you want to send copies of the file backups to a remote machine, the installer script prompts you to configure the IP address of the remote machine.
NOTE: If you want the management system to perform remote file backups, you will need to set up a trust relationship between the management system server and the remote machine.
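The guide does not say how that trust relationship is established. The script below is an added example for this page, not Juniper's, and assumes the usual case that rsync runs over SSH. It shows the least-privilege form of the trust: a dedicated key used only by the backup job, which the remote host accepts only from the NSM server's address and only without a shell session or forwarding. The addresses, the remote user nsmbackup and the key path are placeholders to replace.

```shell
#!/bin/sh
# Added example, not part of the NSM guide: prepare the SSH trust that the
# rsync-based remote backup needs, with a dedicated and restricted key.
# Assumptions not stated in the guide: rsync runs over SSH; host addresses,
# the remote user and the key path below are placeholders.
NSM_SERVER_IP="${NSM_SERVER_IP:-192.0.2.10}"
REMOTE_HOST="${REMOTE_HOST:-192.0.2.20}"
REMOTE_USER="${REMOTE_USER:-nsmbackup}"
KEY="${KEY:-/root/.ssh/nsm_backup_rsa}"

# authkey_options SOURCE_IP : authorized_keys restrictions; the key is usable
# only from SOURCE_IP and cannot open a PTY or forward ports, agents or X11
authkey_options() {
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding' "$1"
}

# authorized_line SOURCE_IP PUBKEY_FILE : the full line to append to
# ~REMOTE_USER/.ssh/authorized_keys on the remote host
authorized_line() {
    printf '%s %s\n' "$(authkey_options "$1")" "$(cat "$2")"
}

# make_key : create the dedicated key once. RSA suits the OpenSSH versions of
# the RHEL 4/5 era the guide targets. No passphrase, because the daily backup
# runs unattended; that is exactly why the remote-side restrictions matter.
make_key() {
    [ -f "$KEY" ] || ssh-keygen -q -t rsa -b 2048 -N '' -f "$KEY" -C "nsm-backup@$(hostname)"
}

# check_trust : a non-interactive login must succeed with this key alone, and
# rsync must be able to list the remote backup directory. If this fails, the
# management system's remote backup will fail the same way.
check_trust() {
    ssh -i "$KEY" -o BatchMode=yes -o IdentitiesOnly=yes "$REMOTE_USER@$REMOTE_HOST" true \
        && rsync -e "ssh -i $KEY -o BatchMode=yes -o IdentitiesOnly=yes" "$REMOTE_USER@$REMOTE_HOST:" >/dev/null
}

case "${1:-}" in
    keygen)
        make_key
        echo "Add this line to ~$REMOTE_USER/.ssh/authorized_keys on $REMOTE_HOST:"
        authorized_line "$NSM_SERVER_IP" "$KEY.pub"
        ;;
    check)
        check_trust && echo "trust OK: $REMOTE_USER@$REMOTE_HOST accepts $KEY"
        ;;
    *)
        echo "usage: $0 keygen | check"
        ;;
esac
```

Run it with keygen on the NSM server, paste the printed line on the remote host, then run check before telling the installer about the remote machine. If the remote host's rsync ships the rrsync helper, adding command="rrsync /path/to/backups" to the options pins the key to one directory as well.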
NetScreen-Statistical Report Server Interoperability
If you are installing NetScreen-Statistical Report Server, you must configure it to work with NSM. During the installation or upgrade process, the installer script asks whether the management system should communicate with the Statistical Report Server database and web server. If you choose to do so, the installer script prompts you to configure the following additional parameters enabling the management system to work with the NetScreen-Statistical Report Server database:
Database type
Database server IP address
Database port
Database name
Database username
Database password
NOTE: The NetScreen-Statistical Report Server must be installed on a separate server from the NSM Servers.
You must restart the NSM GUI Server process after installing NetScreen-Statistical Report Server to begin gathering statistics about managed devices.
Refer to the NetScreen-Statistical Report Server Installer’s Guide for more information.
Device Server Database
The installer also prompts you to configure the additional parameters enabling the management system to work with the PostgreSQL database used by the Device Server. This database stores data related to the Profiler in NSM. You must specify a port number, superuser name, and password. By default, the PostgreSQL database uses port 5432 and the superuser is “nsm”.
NOTE: If you specify a username that does not already exist, the installer creates the user for you. In this case, the installer prompts you to create a password for the user. This password will not expire.
NOTE: The NSM appliance settings for PostgreSQL are preconfigured.
Next Steps
This chapter has provided you with the following:
Overview of the NSM installation process
Description of the contents in the NSM installation package
Minimum system requirements to help you identify the appropriate hardware and software to install and run NSM
Options for implementing components of the NSM management system to provide for enhanced performance, scalability, and high availability
Use this information to help you implement NSM and integrate it into your network. When you are ready to install NSM, there are four main options for configuring the management system depending upon the size and requirements of your specific network: Standalone, Distributed, Simple HA, or Extended HA configuration.
“Installing NSM in a Standalone Configuration” on page 21 includes specific information describing how to install and run the management system on the same server.
“Installing NSM in a Distributed Configuration” on page 49 includes specific information describing how to install and run the GUI Server and Device Server on separate servers. This configuration option enables you to extend performance and scalability for large enterprises.
“Installing NSM with High Availability” on page 71 includes specific information describing how to install and run the GUI Server and Device Server on the same server with HA (simple high availability configuration) or on separate servers with HA (extended high availability configuration). This configuration option enables you to configure a primary and secondary management system that is highly available.
“Upgrading to NSM 2010.4 from an Earlier Version” on page 131 includes specific information describing how to upgrade previous installations of NSM to this version.
“Maintaining NSM” on page 171 includes specific information describing how to maintain, control, back up, restore, and uninstall the management system and User Interface.
For installation instructions for the NSM appliances, see the NSMXpress and NSM3000 User Guide.
CHAPTER 2
Generating the NSM License Key File
In Release 2007.3 and later releases, the NSM product line uses a licensing mechanism to prevent access to an unlicensed copy of NSM and to enforce a limit on the maximum number of devices that can be managed by NSM. New installations and installations upgrading from a release prior to 2007.3 must obtain a license to use NSM.
The base license supports 25 devices with high availability (HA), including devices running ScreenOS, IDP, or Junos OS with Enhanced Services; EX Series, Secure Access, or Infranet Controller devices; and including any modeled or vsys devices. For details on these devices, see the Network and Security Manager Administration Guide.
To manage more than 25 devices, a license key must be purchased separately, retrieved from the Juniper License Management Server (LMS), and then installed onto the NSM Server or NSM appliance.
LMS provides an interface to generate licenses based upon serial number, authorization code and installation ID.
Procedures provided in the following sections use the Installer to generate the installation ID. Alternatively, you can download a utility from the Juniper Networks Software Download site for generating the installation ID.
Installing NSM for the First Time on page 13
Upgrading to an NSM Release that Requires a License on page 15
Example of an NSM License File on page 17
Installing the License Key File in Various Configurations on page 18
Upgrading the License Key on page 18
Viewing License Key Information on page 18
Enforcing Licenses on page 18
Licensing FAQ on page 19
Installing NSM for the First Time
For a first-time, software-only installation of NSM 2007.3 or a later release, you need to generate a license key file, which requires an installation ID.
NSM Trial Licenses
You can generate a trial license for NSM for periods of 30, 60, or 90 days. The NSM License Information dialog box displays the validity period in the Expires in (Days) field. Licenses can only be installed or updated from the NSM GUI. When the trial period is over, NSM notifies you and prompts you to install a new license. If you install the new license, you can proceed to log in to NSM. If not, you must exit from the GUI.
Generating the License Key for an NSM Software-Only Installation
To generate the license key file for an NSM 2007.3 or later software-only installation:
1. Run the installer image on the server designated for NSM. The NSM Server generates an installation ID.
2. Log in to the LMS system and select License key generation for NSM.
3. Enter the serial number and authorization code.
Your serial number is printed on the paper license certificate given to you when you purchased NSM.
Depending on the package you purchased, Juniper Networks provides an authorization code by e-mail. If you received a paper license certificate and are managing more than 25 devices, call Juniper Networks Customer Service. Customer Service will validate your purchase and generate a license key file.
4. Enter the installation ID that was generated by the NSM Server.
The LMS system generates a license key file for the SKU recorded. You can choose to download the license key file, or to receive it by e-mail.
5. Save the license key file to your local drive for use during installation.
Generating the License Key for an NSM Appliance Installation
To generate the license key file for an NSM appliance installation:
1. Log in to the LMS system and select License key generation for NSM.
2. Enter the serial number and authorization code.
The serial number is on the back of the NSM appliance chassis.
Depending on the package you purchased, Juniper Networks provides an authorization code via e-mail. If you received a paper license certificate and are managing more than 25 devices, call Juniper Networks Customer Service. Customer Service will validate your purchase and generate a license key.
The LMS system generates a license key file for the SKU recorded. You can choose to download the license key file, or to receive it by e-mail.
3. Save the license key file to your local drive for use during installation.
Generating the License Key for a High Availability NSM Installation
To generate the license key file for an NSM 2007.3 or later HA installation:
1. Run the NSM installer image on the server designated as your primary NSM (or primary GUI Server). The NSM Server generates an installation ID.
2. Run the NSM 2007.3 or later installer image on the server designated as your secondary NSM (or secondary GUI Server). The NSM Server generates an installation ID.
3. Log in to the LMS system and select License key generation for NSM.
4. Enter the serial number and authorization code of your primary NSM.
For an NSM appliance installation, enter the serial number of the primary server. The hardware serial number is located on the back of the NSM appliance chassis.
For a software-only installation:
a. Enter the serial number.
The serial number of your software is printed on the paper license certificate given to you when you purchased NSM. If you do not have the software serial number or the LMS system fails to recognize the serial number, call Juniper Networks Customer Service.
b. Enter the installation ID of the primary NSM.
Depending on the package you purchased, Juniper Networks provides an authorization code via e-mail. If you received a paper license certificate and are managing more than 25 devices, call Juniper Networks Customer Service. Customer Service will validate your purchase and generate a license key.
5. Select the Need High Availability Key check box. The LMS system prompts you to provide the NSM Secondary serial number and Secondary Installation ID.
The LMS system generates a license key file for the SKU recorded. You can choose to download the file, or to receive it by e-mail.
6. Save the license key file to your local drive for use during installation.
Upgrading to an NSM Release that Requires a License
When you upgrade to an NSM 2007.3 or later release from a version that is older than 2007.3, you need to generate a license key file that requires an installation ID.
Generating the License Key for an NSM Software-Only Upgrade
To generate the license key file to upgrade to NSM 2007.3 or later release:
1. Run the NSM installer image on the server designated for NSM. The NSM Server generates an installation ID.
2. Log in to the LMS system and select License key generation for NSM.
3. Enter the serial number and authorization code.
Your serial number is printed on the paper license certificate given to you when you purchased NSM. If you do not have the serial number or the LMS System fails to recognize the serial number, call Juniper Networks Customer Service.
Depending on the package you purchased, Juniper Networks provides an authorization code via e-mail. If you received a paper license certificate and are managing more than 25 devices, call Juniper Networks Customer Service. Customer Service will validate your purchase and generate a license key.
4. Enter the installation ID that was generated by the NSM Server.
The LMS system generates a license key file for the SKU recorded. You can choose to download the file or to receive it by e-mail.
5. Save the license key file to your local drive for use during installation.
NOTE: The NSM upgrade to 2007.3 or a later release will not proceed without the license key file if NSM manages more than 25 devices.
Generating the License Key for an NSM Appliance Upgrade Installation
To generate the license key file to upgrade an NSM appliance:
1. Log in to the LMS system and select License key generation for NSM.
2. Enter the hardware serial number and authorization code.
The hardware serial number is located on the back of the NSM appliance chassis.
Depending on the package you purchased, Juniper Networks provides an authorization code via e-mail. If you received a paper license certificate and are managing more than 25 devices, call Juniper Networks Customer Service. Customer Service will validate your purchase and generate a license key.
The LMS system generates a license key file for the SKU recorded. You can choose to download the file or to receive it by e-mail.
3. Save the license key file to your local drive for use during installation.
NOTE: The NSMXpress upgrade to 2007.3 or a later release will not proceed without the license key file if NSM manages more than 25 devices.
Generating the License Key File for an NSM 2007.3 or Later High Availability Upgrade Installation
To generate the license key file to upgrade to NSM 2007.3 or later release with high availability:
1. Run the NSM installer image on the server designated as your primary NSM (or primary GUI Server). The NSM Server generates an installation ID.
2. Run the NSM 2007.3 or later installer image on the server designated as your secondary NSM (or secondary GUI Server). The NSM Server generates an installation ID.
3. Log in to the LMS system and select License key generation for NSM.
4. Enter the serial number and authorization code of your primary NSM.
For an NSM appliance installation, enter the serial number of the primary server. The hardware serial number is located on the back of the NSM appliance chassis.
For a software-only installation:
a. Enter the serial number.
The serial number of your software is printed on the paper license certificate given to you when you purchased NSM. If you do not have the software serial number or the LMS system fails to recognize the serial number, call Juniper Networks Customer Service.
b. Enter the installation ID of the primary NSM.
Depending on the package you purchased, Juniper Networks provides an authorization code via e-mail. If you received a paper license certificate and are managing more than 25 devices, call Juniper Networks Customer Service. Customer Service will validate your purchase and generate a license key.
5. Select the Need High Availability Key check box. The LMS system prompts you to provide the NSM Secondary serial number and Secondary Installation ID.
The LMS system generates a license key file for the SKU recorded. You can choose to download the file, or to receive it by e-mail.
6. Save the license key file to your local drive for use during installation.
NOTE: The NSM upgrade to 2007.3 or a later release will not proceed without the license key file if NSM manages more than 25 devices.
Example of an NSM License File
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NSM License File (v1)
Generated on Thu Sep 20 19:11:08 IST 2007

This license file is for:
Serial Number: 0000000 Installation ID: 200003AC65C52
Serial Number: 00000 Installation ID: ID-2

This license file enables the following features:
High-Availability: Enabled
Max-Device: 100
Evaluation-Mode: P30D

This license file reflects the following SKUs:
NS-SM-ADD-50
NS-SM-ADD-50

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iQCVAwUBRvJ4dCNvzN729P/TAQI+rgQAoG7fGLDh9vCFxbjeMrCGp+zd1AZ0KUxp
7xOrhIZnuT9urbumyQq9ySO3ovFjXzTJbiIbncmj6IUh4bkfKpu9H4WIu5qrsBvK
iRHzGJFMBcSCCleqV0TTBZVF82wblwy+RjWLhW71EHKtU46mVPSYQvy9vZKu/AZf
TwQ3So2hRqg=
=DTk4
-----END PGP SIGNATURE-----
NOTE: If your downloaded license key file has any extra lines before "-----BEGIN PGP SIGNED MESSAGE-----" or after "-----END PGP SIGNATURE-----", delete those lines before installing the license key file.
Installing the License Key File in Various Configurations
Instructions for installing the license key are included in the various installation chapters.
Upgrading the License Key
License upgrades can be purchased at any time for any supported product. After purchasing a license upgrade, you receive a Right to Use (RTU) certificate containing an authorization code thatallows you tolog into theLMS system and generate a permanent license key that can be applied to the NSM product.
Viewing License Key Information
You can view key information about licenses in the NSM License Information window. From the menu bar, select Tools > NSM License Information to view this information.
Enforcing Licenses
The maximum number of devices allowed for NSMXpress appliance installations is 525. The maximum number of devices allowed for NSM software-only installations is 6025. These numbers include all modeled devices, vsys devices, and cluster devices.
NOTE: Each cluster member of a cluster device counts as one device.
Even though SKU installation is cumulative, NSM restricts the maximum number of manageable devices. NSM rejects the application of a further license once the maximum supported device limit is reached, for both appliance and software installations.
If you add a device after the number of devices added reaches 90 percent of the license limit, a warning message appears. If you try to add an extra device after the maximum limit is reached, a dialog box appears with the message “Maximum number of supported devices is reached.” You are not allowed to add devices after reaching the license limit; you must purchase an upgrade before adding more devices.
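The note under “Example of an NSM License File” tells you to delete any stray lines around the clearsigned block before installing the file, and this section describes the 90 percent warning threshold. The shell functions below are an added example for this page, not part of NSM or its installer: they trim a downloaded file to the PGP boundaries, read the Max-Device and Evaluation-Mode fields in the layout the sample license shows, and classify a device count against the limit. The sample file is constructed here, with placeholder serial number, installation ID and signature body.

```shell
#!/bin/sh
# Added example, not part of the NSM guide: clean up a downloaded license key
# file, read its feature fields, and check a device count against Max-Device.
# Function names and the constructed sample file are this example's own.

# trim_license IN OUT : keep only the clearsigned block, boundaries included,
# which is what the note in the guide asks you to do by hand
trim_license() {
    sed -n '/^-----BEGIN PGP SIGNED MESSAGE-----$/,/^-----END PGP SIGNATURE-----$/p' "$1" > "$2"
}

# license_field FILE NAME : first value of a "NAME: value" line
license_field() {
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# license_devices FILE : the Max-Device limit, or 25 (the base license) if the
# field is absent
license_devices() {
    n=$(license_field "$1" Max-Device)
    echo "${n:-25}"
}

# device_usage_state USED MAX : ok, warn (at or above 90 percent, where NSM
# starts warning), or full (at the limit, where NSM refuses further devices)
device_usage_state() {
    if [ "$1" -ge "$2" ]; then
        echo full
    elif [ $(( $1 * 100 )) -ge $(( $2 * 90 )) ]; then
        echo warn
    else
        echo ok
    fi
}

# write_sample FILE : a constructed license file with the kind of stray lines a
# download or e-mail can add before and after the signed block
write_sample() {
    cat > "$1" <<'EOF'
Your NSM license is attached below.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NSM License File (v1)
Generated on Thu Sep 20 19:11:08 IST 2007

This license file is for:
Serial Number: 0000000 Installation ID: 0000000000000

This license file enables the following features:
High-Availability: Enabled
Max-Device: 100
Evaluation-Mode: P30D

This license file reflects the following SKUs:
NS-SM-ADD-50
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

(signature body omitted in this constructed sample)
-----END PGP SIGNATURE-----
Regards, Licensing
EOF
}

sample="${TMPDIR:-/tmp}/nsm_license_raw.$$"
clean="${TMPDIR:-/tmp}/nsm_license.txt.$$"
write_sample "$sample"
trim_license "$sample" "$clean"
echo "Max-Device:      $(license_devices "$clean")"
echo "Evaluation-Mode: $(license_field "$clean" Evaluation-Mode)"
echo "90 devices:      $(device_usage_state 90 "$(license_devices "$clean")")"
rm -f "$sample" "$clean"
```

Trimming keeps the signed block byte-for-byte, so the PGP signature stays valid; only the lines outside it go. If you hold Juniper's signing key, gpg --verify on the trimmed file confirms the file was not altered in transit, but the guide does not supply that key, and the constructed sample above has no real signature to verify.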
Copyright © 2010, Juniper Networks, Inc.
Licensing FAQ
Table 9 on page 19 answers frequently asked questions about NSM licensing.
Table 9: Licensing FAQ
Question: Which device types does NSM count towards the total device count?
Answer: NSM counts each single addition of a firewall, IDP, router, switch, Secure Access, or Infranet Controller device as one device. Each cluster member counts as one device. Each vsys device added to a firewall root device counts as one device.
Question: Does NSM Central Manager (NS-SM-A-CM) require a license key file?
Answer: NSM Central Manager does not require a license key file for installation. Enforcement is built into the product.
Question: Are there any differences in licenses for an NSM appliance and software-only installations?
Answer: No. Both follow the same licensing scheme, but their installation methods are different. The NSM software version uses the NSM Installer to install the new license. An NSM appliance uses the Web UI to install the license. A license can also be installed via the NSM UI after the base installation is completed.
Question: What is the procedure to add a new license after the device count limit is reached?
Answer: License upgrades can be purchased at any time for any supported product. After purchasing a license upgrade, you receive a Right to Use (RTU) certificate containing an authorization code that allows you to log in to the LMS system and generate a permanent license key that can be applied to the NSM product. License key updates can then be applied from the NSM GUI from Tools > NSM License Information.
Question: I already have NSM installed in my network. I have more than 25 devices installed on NSM. Do I need a license key file to upgrade to 2007.3 or a later release?
Answer: Yes, if you are upgrading from a release that is older than 2007.3.
Question: What is the procedure to obtain the license key file?
Answer: For new installations, see “Installing NSM for the First Time” on page 13. For upgrades, see “Upgrading to an NSM Release that Requires a License” on page 15.
Question: I don't have an NSM Serial number available. What do I do?
Answer: Call Juniper Networks Customer Service.
CHAPTER 3
Installing NSM in a Standalone Configuration
After you decide how you want to deploy Network and Security Manager (NSM) in your network and you have identified and procured the appropriate hardware, you are ready to begin the installation process.
This chapter describes how to install the NSM management system for the most typical case: GUI Server and Device Server on the same server. These procedures include performing any prerequisite steps, running the management system installer, running the User Interface installer on your Windows or Linux client, and validating that you have installed the management system successfully.
NOTE: The NSM appliance uses a simplified installation procedure. See the NSMXpress and NSM3000 User Guide for details.
This chapter contains the following sections:
Suggested Standalone Configuration Installation Order on page 21
Defining System Parameters on page 22
Prerequisite Steps on page 24
Installing NSM 2010.4 on page 29
Installing the User Interface on page 40
Next Steps on page 47
Suggested Standalone Configuration Installation Order
The following procedure summarizes the process for installing NSM for most typical cases:
1. Define the system parameters that you need to provide during the installation process.
2. Perform the prerequisite steps.
3. Download the management system and user interface installer software from the NSM installation CD, or from the Juniper Networks website. Alternatively, you can download the user interface software from the GUI Server on the HTTPS port after the NSM GUI Server has been installed.
4. Run the management system installer on the system where you want to install the management system. During installation, you will need to:
Install a license. Obtain a license from the Juniper License Management Server (LMS) if you will be managing more than 25 devices (see “Generating the NSM License Key File” on page 13).
Specify that you want to install both the GUI Server and Device Server.
Install and configure the local database backup option.
If you are installing the GUI Server and Device Server on separate systems, see “Installing NSM in a Distributed Configuration” on page 49 for more information.
5. Install the User Interface.
6. Launch the User Interface, then connect it to the management system.
7. Verify that you have successfully installed the management system and User Interface.
Defining System Parameters
During the installation process, you are required to configure common system parameters such as the location of the directories where you want to store data for the GUI Server and Device Server. We recommend that you define these system parameters before performing the management system installation.
Table 10 on page 22 identifies the system parameters that you need to define. The table's "Your Value" column is left blank for you to record the value you will use.
Table 10: Common System Parameters
Parameter: Device Server data directory
Description: Directory location on the Device Server where device data is stored. Because the data on the Device Server can grow to be large, consider placing this data in another location. If you decide to have data stored in an alternative location, then specify the new location during the install process. By default, the Device Server stores data in /var/netscreen/DevSvr/.
CAUTION: Do not place your data directory in /usr/netscreen. That path normally contains binary files and should not be used for data.
Parameter: GUI Server data directory
Description: Directory location on the GUI Server where user data is stored. Because the data on the GUI Server can grow to be large, consider placing this data in another location. If you decide to have data stored in an alternative location, then specify the new location during the install process. By default, the GUI Server stores data in /var/netscreen/GuiSvr/.
CAUTION: Do not place your data directory in /usr/netscreen. That path normally contains binary files and should not be used for data.
Parameter: GUI Server database log directory
Description: Directory location on the GUI Server where database logs are stored. Because the data on the GUI Server can grow to be large, consider placing this log data in another partition. If you decide to have data stored in an alternative location, then specify the new location during the install process. By default, the GUI Server stores database logs in /var/netscreen/GuiSvr/xdb/log.
Parameter: Management IP address
Description: The IP address used by the running GUI Server. The default is the IP address of the machine that you are installing on.
Parameter: https port
Description: The port number for listening for messages from the NSM API. The range is from 1025 through 65535. The default value is 8443.
Parameter: Initial “super” user password
Description: The password required to authenticate the initial user in the system. By default, the initial superuser account receives all administrative privileges in the system.
Parameter: One-time GUI Server password
Description: A password that authenticates the server to its peers in a high-availability configuration, or authenticates a regional server with a central manager.
Parameter: Configuration file management password
Description: Configures a user and password for NSM to perform configuration file management operations, and a corresponding UNIX user and password. The NSM and UNIX passwords must be identical.
Parameter: Local database backup directory
Description: Directory location where local database backup data is stored. By default, the GUI Server stores local database backup data in /var/netscreen/dbbackup/.
Parameter: Path to the rsync utility executable
Description: Path to the rsync utility executable. The default path is /usr/bin/rsync.
Parameter: Hour of the Day to Start Local Database Backup
Description: Time of day that you want the GUI Server to back up the database. Type a two-digit number representing the time of day in 24-hour clock notation (00 through 23). For example, if you want the backup to begin at 4:00 AM, type 04; if at 4:00 PM, type 16. We recommend that you set this parameter to a time of day that effectively minimizes your network downtime. The GUI Server completes the daily backup process within the hour specified every day. By default, the GUI Server performs the daily backup within an hour after 2 AM.
Parameter: Number of Local Database Backup Files Stored
Description: Total number of database backup files that the GUI Server stores. When the GUI Server reaches the maximum number of backup files you configure, it overwrites the oldest file. By default, the GUI Server stores seven backup files.
Parameter: Rsync Backup Timeout
Description: Time value (in seconds) that the rsync utility waits before timing out backup operations. By default, the rsync utility waits 3600 seconds before timing out.
Parameter: Enable Logging
Description: Enable logging related to local backup and HA.
Parameter: Device Server Database Parameters
Description: Parameters required for the Postgres Database used for the Device Server. You must specify a port number, superuser name and password. By default, the Postgres Database uses port 5432; the superuser is “nsm”.
Prerequisite Steps
Before you install the management system, you need to perform the following prerequisite steps:
1. Ensure that the computer you install the management system on is connected to a serial console or monitor and keyboard.
2. Log in to the computer as root. If you are already logged in as a user other than root, then enter the following command to become root:
su
At the password prompt, enter the root password for the computer.
NOTE: Although the management system runs with NSM user permissions, you must have root user permissions to run the installer.
3. Partition drives for sufficient disk space to accommodate your planned data requirements. Ensure that you have allocated a maximum amount of disk space for the data partition (/var/netscreen directory). See “Hardware Recommendations” on page 201 for more information about the disk space requirements appropriate for your specific network.
4. Run the system update utility for your appropriate platform to verify that you have all the prerequisite utilities and packages to run the installer properly. See “Running the System Update Utility” on page 25 for more information on running the system update utility.
NOTE: Some packages in the system update have specific version requirements, such as PostgreSQL. Be sure to use the packages distributed in the system update.
5. Configure shared memory size on your appropriate platform. See “Configuring Shared Memory Size” on page 26 for more information.
6. If you plan to send copies of your file backups to a remote machine, then you must establish a trust relationship between the management system server and the remote machine. See “Establishing a Trust Relationship” on page 27 for more information.
7. If you are installing NSM on a Solaris server, ensure that all required locales have been installed and that the necessary edits to the /etc/default/init file have been made. See “Preparing a Solaris Server for NSM” on page 28 for details.
8. If you plan to manage more than 25 devices, you must obtain a license key file from the Juniper License Management Server (LMS) and install that file on the NSM Server or the NSM appliance. See “Generating the NSM License Key File” on page 13.
Running the System Update Utility
Use the system update utility to upgrade your system with the latest patches and packages required to run the NSM management system installer properly.
To run the system update utility:
1. Copy the system update utility appropriate for your platform from the NSM Installation CD directory to a suitable directory on the server.
NOTE: We recommend that you save the utility in the /usr subdirectory.
2. Uncompress the system update utility file using the gzip command. For example:
gzip -d nsm2010.4-systemupdate-linuxES_5.tar.gz
3. Extract the appropriate system update utility .tar file. For example:
tar xfv nsm2010.4-systemupdate-linuxES_5.tar
A subdirectory for the platform (for example, "es4", "es5", or "sol10") is created and all of the files required to update your system packages and utilities are extracted into that directory.
4. Navigate to the subdirectory.
5. Run the update shell archive script. For example, you can execute the shell archive script by running the following command:
<platform>.sh
For example, on Linux es4, the update script is named "rhes4_upd3.sh" and located in the directory "es4".
For Solaris, the systemupdate-solaris platform.tar file expands to platform and the update script is put in that directory. The script for Solaris is located in the same directory as the tar file. The name of the update script for Solaris is update_solaris10.sh.
The script proceeds to check your system for required updates. It next prompts you to press Enter to continue or Ctrl-C to stop.
6. Press Enter to continue. The script proceeds to clean up the RPM database. Let the script run to completion. This process can take up to 20 minutes depending upon the number of packages that need to be installed.
Configuring Shared Memory Size
Both the GUI Server and the Device Server require that you modify the operating system shared memory settings in order to start and run.
On Solaris systems, you can do this by adding or updating the following lines in /etc/system:
set shmsys:shminfo_shmmax=402653184
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=256
set shmsys:shminfo_shmseg=256
set semsys:seminfo_semmap=256
set semsys:seminfo_semmni=512
set semsys:seminfo_semmns=512
set semsys:seminfo_semmsl=32
On Linux systems, you can do this by adding or updating the following line in /etc/sysctl.conf:
kernel.shmmax=402653184
After updating the shared memory settings on your Linux or Solaris system, you must reboot the server for your new settings to take effect. (On Linux, sysctl -p also loads the sysctl.conf values into the running kernel; the file edit is what makes them persist across reboots.)
Establishing a Trust Relationship
If you want to send copies of your file backups to a remote machine, then you must establish a trust relationship between the management system server and the remote machine. The trust relationship is an SSH key pair with no passphrase, so the private key file on each side grants login on the other side to anyone who can read it: keep it readable only by its owner (the chmod steps below) and do not copy it anywhere else.
To establish a trust relationship between two machines:
1. Run the following commands on the management system server:
cd /home/nsm
su nsm
ssh-keygen -t rsa
chmod 0700 .ssh
If prompted to enter a passphrase, leave the value blank.
2. Run the following commands on the remote machine:
cd /home/nsm
su nsm
ssh-keygen -t rsa
chmod 0700 .ssh
If prompted to enter a passphrase, leave the value blank.
3. From the remote machine, copy .ssh/id_rsa.pub to the management system server’s .ssh/authorized_keys file. For example:
scp .ssh/id_rsa.pub root@<IP addr management system>:/root/.ssh/authorized_keys
4. From the server running the management system, copy .ssh/id_rsa.pub to the remote machine’s .ssh/authorized_keys file. For example:
scp .ssh/id_rsa.pub root@<IP addr remote machine>:/root/.ssh/authorized_keys
NOTE: If the remote machine already has established trust relationships with other computers, overwriting the authorized_keys file will break those trust relationships. Instead, copy the contents of the id_rsa.pub file onto a new line at the end of the authorized_keys file on the remote machine.
5. Test connectivity via SSH from the primary server to the remote machine and vice versa. For example, to test SSH connectivity from NSM Server1 to the remote machine, enter the following command:
ssh root@<IP ADDRESS of remote machine>
6. Change the permissions of the .ssh directory on each machine to owner-only, using the following command:
chmod -R 0700 ~/.ssh
7. Validate that you do not receive a prompt to enter a password to access the remote machine. If you do receive a password prompt, the remote database replication will not function properly; check for errors in the steps for establishing a trust relationship and repeat the process from step 1.
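The NOTE above warns that scp overwrites authorized_keys. The following shell functions are an added example, not part of the Juniper procedure: one appends a peer's public key only if that key is not already present, sets the 0700/0600 permissions the procedure requires, and can pin the key to the peer's address with an OpenSSH from= option; the other tests the login in batch mode so that a password prompt registers as a failure instead of hanging. The function names and the sample key files are this example's own.

```sh
#!/bin/sh
# Added example (not from the NSM guide): install a peer's public key into
# authorized_keys without overwriting the keys already there (the NOTE above),
# optionally with a from= restriction, then check that the login needs no
# password. Paths and function names are this example's own; run it as the
# account that will own the backup (the guide's steps use root).

# add_authorized_key PUBKEY_FILE AUTHORIZED_KEYS [FROM_PATTERN]
# Appends the single-line public key in PUBKEY_FILE to AUTHORIZED_KEYS unless
# the same key material is already listed. Creates the .ssh directory with
# mode 0700 and the file with mode 0600, as the guide requires. With
# FROM_PATTERN, the key is prefixed with from="PATTERN" so sshd accepts it
# only from that peer address.
add_authorized_key() {
    pub=$1
    auth=$2
    from=$3
    key=$(head -n 1 "$pub")
    [ -n "$key" ] || return 1
    # Key type and base64 material only, so a changed comment is not treated
    # as a new key and an options prefix on an existing entry still matches.
    keymat=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 0700 "$dir"
    [ -e "$auth" ] || : > "$auth"
    chmod 0600 "$auth"
    if grep -F -q -- "$keymat" "$auth"; then
        return 0
    fi
    if [ -n "$from" ]; then
        printf 'from="%s" %s\n' "$from" "$key" >> "$auth"
    else
        printf '%s\n' "$key" >> "$auth"
    fi
}

# check_batch_login USER@HOST
# Returns 0 only if the key login works without a password prompt. BatchMode
# makes ssh fail instead of prompting, which is what step 7 above checks.
check_batch_login() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true
}
```

Copy id_rsa.pub to the peer under a temporary name (for example with scp into /tmp) and run add_authorized_key there instead of scp-ing onto authorized_keys itself; then run check_batch_login from each side before enabling remote backup.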
Preparing a Solaris Server for NSM
Perform these steps if you plan to install NSM on a Solaris 10 server:
1. Install required locale files. Use the following command to check which locale files are currently installed:
/usr/bin/locale -a
Ensure that the following locales are installed. If you have all required locales, proceed to Step 2.
C POSIX en_CA en_CA.ISO8859-1 en_CA.UTF-8 en_US en_US.ISO8859-1 en_US.ISO8859-15 en_US.ISO8859-15@euro en_US.UTF-8 es es.UTF-8 es_MX es_MX.ISO8859-1 es_MX.UTF-8 fr fr.UTF-8 fr_CA fr_CA.ISO8859-1 fr_CA.UTF-8 iso_8859_1
Use the Solaris 10 installation DVD to load any missing locales. The minimum supported Solaris 10 revision is 6/06. You can download the DVD from www.sun.com. Mount the DVD (in this example, at /solaris) and issue the following commands:
/usr/sbin/pkgadd -d /solaris/Solaris_10/Product SUNWladm
/usr/sbin/localeadm -a en_US -d /solaris/Solaris_10/Product
2. Edit the /etc/default/init file to include the following lines:
LC_COLLATE=en_US.UTF-8
LC_CTYPE=en_US.UTF-8
LC_MESSAGES=C
LC_MONETARY=en_US.UTF-8
LC_NUMERIC=en_US.UTF-8
LC_TIME=en_US.UTF-8
3. Reboot the Solaris server:
/usr/sbin/reboot
Installing NSM 2010.4
The installer is designed to guide you through all of the steps to configure the required system parameters. You can run the installer directly from the NSM installation CD, copy the installer to a directory on the server, or download the installer from the Juniper Networks Customer Services online website.
To install the management system on the same system:
1. Load the installer software onto the server where you have decided to run NSM 2010.4.
2. Unless installing from CD, navigate to the directory where you saved the management system installer file. We recommend that you save the installer in the /tmp subdirectory.
3. Run the management system installer.
On Linux, run the following command:
sh nsm2010.4_servers_linux_x86.sh
On Solaris, run the following command:
sh nsm2010.4_servers_sol_sparc.sh
The installation begins automatically by performing a series of preinstallation checks. The installer ensures that:
The OS version and specified architecture are compatible.
You are installing the correct software for your operating system.
All of the needed software binaries and packages are present. If any component is missing, the installer displays a message identifying the missing component:
Checking for platform-specific packages.....................FAILED
The Following list of Packages are Required for NSM installation. Please install the system update utility before continuing. chkfontpath
You have the correct version of the PostgreSQL database.
You have correctly logged in as root and the NSM user exists. The installer creates the NSM user if it does not already exist.
For Linux servers, the installer checks whether iptables is running. If not, then the installer continues. If iptables is running, the installer displays a message similar to the following:
Checking for iptables service...............................ok
Iptables is found to be running on the system. Please make sure the ports 7801 7802, 443, 7800, 7804 are open and available for NSM to run.
Please press enter to continue:
Ensure the required ports for NSM are available before continuing. Opening them means permitting inbound connections from the managed devices and administrator workstations; the firewall itself does not have to be disabled.
The system has sufficient disk space and RAM.
The installer stops any running servers.
NOTE: The management system installer indicates the results of its specific tasks and checks:
“Done” indicates that the installer successfully performed a task.
“OK” indicates that the installer performed a check and verified that the condition was satisfied.
“FAILED” indicates that the installer performed a task or check, but it was unsuccessful. See the install log for information about the failure. This log is usually stored in /usr/netscreen/DevSvr/var/errorLog. If the failure happens in the early stages of the install, the log might be in /tmp.
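The installer only warns about iptables; it does not tell you whether another process already owns one of the NSM ports, or how to open them narrowly. The following shell functions are an added example, not Juniper code: one reports which of the installer's ports are already bound, given the output of ss -Hltn or netstat -ltn, and the other prints iptables rules that admit those ports only from a source network you choose (it should cover the managed devices and the administrator workstations). The port list is the installer's own, with the 8443 https/API port from Table 10 added; the function names are this example's assumptions.

```sh
#!/bin/sh
# Added example (not from the NSM guide): check that the ports the installer
# lists (7800, 7801, 7802, 7804, 443) plus the 8443 https/API port from
# Table 10 are not already in use, and print iptables rules that open them
# only to a trusted source network. Function names are this example's own.

NSM_PORTS="7800 7801 7802 7804 443 8443"

# nsm_port_conflicts LISTENERS
# LISTENERS is the output of `ss -Hltn` (or `netstat -ltn` without headers):
# one listening socket per line, local address in column 4 as host:port.
# Prints the NSM ports that are already bound, space-separated, in NSM_PORTS
# order, and returns 1 if there is at least one conflict.
nsm_port_conflicts() {
    listeners=$1
    # Take column 4 and keep the text after its last ":", which is the port
    # for 0.0.0.0:443, *:443 and [::]:443 alike.
    bound=$(printf '%s\n' "$listeners" | awk 'NF >= 4 { n = split($4, a, ":"); print a[n] }')
    conflicts=""
    for p in $NSM_PORTS; do
        for b in $bound; do
            if [ "$b" = "$p" ]; then
                conflicts="${conflicts:+$conflicts }$p"
                break
            fi
        done
    done
    printf '%s\n' "$conflicts"
    [ -z "$conflicts" ]
}

# nsm_iptables_rules SOURCE_CIDR
# Prints (does not apply) one ACCEPT rule per NSM port, restricted to
# SOURCE_CIDR. Review the output and run it as root; the chain's default
# policy or a later DROP/REJECT rule must still block other sources.
nsm_iptables_rules() {
    src=$1
    for p in $NSM_PORTS; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$src" "$p"
    done
}
```

Typical use before running the installer: nsm_port_conflicts "$(ss -Hltn)" || exit 1, then nsm_iptables_rules 10.0.0.0/8 to review the rules before applying them.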
The installer extracts the software payloads and prompts you to install NSM with the base license.
[root@/h ~]# sh nsm2010.4_servers_linux_x86.sh
########## PERFORMING PRE-INSTALLATION TASKS ##########
Creating staging directory...ok
Running preinstallcheck...
Checking if platform is valid...............................ok
Checking for correct intended platform......................ok
Checking for CPU architecture...............................ok
Checking if all needed binaries are present.................ok
Checking for platform-specific binaries.....................ok
Checking for platform-specific packages.....................ok
Checking in System File for PostgreSQL and XDB parameters...ok
Checking for PostgreSQL.....................................ok
Checking if user is root....................................ok
Checking if user nsm exists.................................ok
Checking if iptables is running.............................ok
Checking if system meets RAM requirement....................ok
Checking for sufficient disk space..........................ok
Noting OS name..............................................ok
Stopping any running servers
########## EXTRACTING PAYLOADS ##########
Extracting and decompressing payload........................ok
Extracting license manager package..........................ok
########## GATHERING INFORMATION ##########
1) Install Device Server only
2) Install GUI Server only
3) Install both Device Server and GUI Server
Enter selection (1-3) []> 3
4. The installer prompts you to specify the components that you want to install. Enter 3 to specify that you want to install both the GUI Server and the Device Server.
NOTE: If you have installed a previous version of the management system, you might see different menu options.
Do you want to do NSM installation with base license? (y/n) [y]>
Enter base directory location for management servers [/usr/netscreen]>
5. For a base license installation (one that does not require the license key file), enter y.
For an installation that requires a license key file, enter n. You enter the license file path later. See “Generating the NSM License Key File” on page 13 for information about obtaining license keys.
6. The installer prompts you to specify a base directory in which to install the management server files. Press Enter to accept the default /usr/netscreen directory, or type the full path name to a directory and then press Enter.
The installer prompts whether you want to enable FIPS support.
7. If you require FIPS support, enter y. Otherwise, press Enter to accept the default value.
What happens next depends on whether you selected to install with a base license or with a license key file. If you are installing with a base license, skip step 8.
8. If you chose to install a license key file, the installer displays the installation ID of the system and prompts you to enter the license key file path.
The installation ID for this system is: 3FFFEA90278AA
Enter the License File Path>
a. Use the installation ID to obtain a license key file from the LMS system and save it on your local drive as described in “Generating the License Key for an NSM Software-Only Installation” on page 14.
b. Enter the license key file path. The installer validates the license key file.
NOTE: If the license key file is not there, press Ctrl+Z to exit the installer. If the NSM Server stops while doing this, you need to manually start the server.
The installer prompts you to determine if you want this server to participate in an HA cluster.
9. Enter n if you do not want the server to participate in an HA cluster. If you are planning to configure the management system with HA enabled, enter y. See “Introduction” on page 3 for more information, and then turn to “Installing NSM with High Availability” on page 71, and follow the instructions there.
The installer prompts you to specify a location to store the NSM data files.
10. Set the directory location for storing the management system data files:
a. Type the directory location for storing the Device Server data files or press Enter to accept the default location /var/netscreen/DevSvr.
The installer prompts you to specify a location for storing the GUI Server data files.
b. Type the directory location for storing the GUI Server data files or press Enter to accept the default location /var/netscreen/GuiSvr.
c. Type the directory location for storing the database log files for the GUI Server or press Enter to accept the default location /var/netscreen/GuiSvr/xdb/log.
NOTE: You cannot store files in an existing directory location. This feature safeguards against overwriting any existing data. If you specify an existing directory, the installer prompts you to try again.
The installer next prompts you to specify the management IP address for the server.
11. Type the management IP address for the server. This address should be the same IP address as the server that you are installing on. The installer sets the IP address and port number on the GUI Server, enabling the Device Server to connect. The Device Server attempts to connect to the GUI Server using port 7800 by default.
12. Enter a port number for listening for messages from the NSM API (the https port in Table 10). The default value is 8443. This parameter must be between 1025 and 65535.
The installer prompts you to type a password for the superuser account. The initial administrator or superuser account is the account that you use when you first log in to NSM using the NSM user interface (UI). This account authenticates communication between the management system and the NSM UI. It possesses all administrative privileges by default.
13. Type any text string longer than eight characters for the password. Because this account holds every administrative privilege, choose a long password that is not used anywhere else. Type the password again for verification.
NOTE: Make a note of the password that you have set for the superuser account. You need this when you first log in to the UI.
14. Enter a one-time password for the GUI Server. This password authenticates this server to its peers in a high-availability configuration and to the central manager.
The installer prompts you to determine if you want to use a Statistical Report Server with the GUI Server.
15. Enter n if you are not installing NetScreen-Statistical Report Server with NSM. Enter y if you are installing NetScreen-Statistical Report Server with NSM.
If you typed y, the installer prompts you to configure the parameters required for the management system to work with the Statistical Report Server (that is, database type, database server IP address, database port, database name, database username, database password). Refer to the NetScreen-Statistical Report Server Installer's Guide for more information about these parameters.
The installer next creates a user in the NSM group for performing configuration file management actions and prompts for a password.
16. Enter a password for the configuration-file management (CFM) user.
Because the UNIX password cannot be saved in plain text format, the installer prompts a second time to enter the same password to save in the guiSvr.cfg file, which is used for the auto-archival configuration settings. Because guiSvr.cfg therefore holds this credential, make sure it stays readable only by the NSM user.
NOTE: The CFM passwords for NSM and for UNIX must be identical, although NSM does not check that they are the same.
The installer next prompts if you want the server processes to be restarted automatically on failure.
17. Enter y to have the server processes restarted automatically on failure.
The installer next prompts if you want this server to perform a daily backup of the database locally.
18. Enter y if you want NSM to perform a local backup of the database on a daily basis. Enter n if you do not want the management system to back up the database locally.
If you specify that you want to perform automatic backups, the installer prompts you to configure options for the backup operation:
NOTE: If you want to specify remote backup, you must allow local backup.
a. Enter a two-digit number (00 through 23) to specify the hour of day that you want the management system to perform the daily backup operation. For example, if you want the management system to perform the daily backup operation at noon, type 12; for midnight, type 00. Press Enter to accept the default setting of 02 (2:00 AM).
b. Enter n to specify that you do not want daily backups to be sent to a remote server. If you enter y, the installer prompts you to enter an IP address for the remote backup server.
c. Enter a number (from 0 to 7) to specify how many database backup files NSM stores. After the management system reaches the maximum number of files configured, it overwrites the oldest file and creates a new backup. Press Enter to accept the default setting of seven backup files. By default, the management system stores backup files in /var/netscreen/dbbackup.
NOTE: If you want to perform backups to a remote server, make sure to establish a trust relationship with that server. See “Establishing a Trust Relationship” on page 27.
d. Type a number specifying how many seconds you want NSM to wait while performing backups until the process times out.
e. Designate a directory location for locally storing the NSM database backup. Press Enter to accept the default location /var/netscreen/dbbackup.
The installer prompts you to configure the Device Server database.
19. Configure the Device Server database as follows:
a. Enter a port number for the Device Server database.
b. Enter aname forthe database superuser. If you specify auser that doesnot already
exist, the installer prompts you for a password. Enter the password again for verification.
The installer prompts you to start servers after installation is complete.
20. If you want to start the GUI and Device Servers after the installation has finished, enter
y. The installer will start the server processes with NSM user permissions.
Enter n if you do not want to start the servers.
The installer prompts you to verify your installation configuration settings.
21. Verify your settings. If they are correct, enter y to proceed. If you enter n, the installer
returns you to the original selection prompt.
The installer performs the following actions:
Installs the Device Server.
Installs the GUI Server.
Copyright © 2010, Juniper Networks, Inc.34
Page 57
Chapter 3: Installing NSM in a Standalone Configuration
Installs the HA Server.
Performs post installation tasks.
Several messages display to confirm the installation progress.
The installer generates a log file with the output of the installation commands for troubleshooting purposes. The naming convention used for the installation log file is:
netmgtInstallLog.<current date><current time>
For example if you ran the installer on December 1, 2003 at 6:00 PM, the installation log file would be named:
netmgtInstallLog.20031201180000
After the installation script finishes, it indicates the name of the installation log file and the directory location where it is saved.
NOTE: If the installation script fails to install NSM, the installation log file will be in /tmp.
The installer runs for several minutes, and then returns you to the command prompt.
NOTE: If you are installing NSM for the first time on a Solaris server, you must reboot the server after installation.
Typical Output for a Standalone Installation
An example of the output for a typical standalone installation is as follows:
[root@/h ~]# sh nsm2010.4_servers_linux_x86.sh
########## PERFORMING PRE-INSTALLATION TASKS ##########
Creating staging directory...ok
Running preinstallcheck...
Checking if platform is valid...............................ok
Checking for correct intended platform......................ok
Checking for CPU architecture...............................ok
Checking if all needed binaries are present.................ok
Checking for platform-specific binaries.....................ok
Checking for platform-specific packages.....................ok
Checking in System File for PostgreSQL and XDB parameters...ok
Checking for PostgreSQL.....................................ok
Checking if user is root....................................ok
Checking if user nsm exists.................................ok
Checking if iptables is running.............................ok
Checking if system meets RAM requirement....................ok
Checking for sufficient disk space..........................ok
Noting OS name..............................................ok
Stopping any running servers
########## EXTRACTING PAYLOADS ##########
Extracting and decompressing payload........................ok
Extracting license manager package..........................ok
########## GATHERING INFORMATION ##########
1) Install Device Server only
2) Install GUI Server only
3) Install both Device Server and GUI Server
Enter selection (1-3) []> 3
Do you want to do NSM installation with base license? (y/n) [y]>
Enter base directory location for management servers [/usr/netscreen]>
Enable FIPS Support? (y/n) [n]>
########## GENERAL SERVER SETUP DETAILS ##########
Will this machine participate in an HA cluster? (y/n) [n]>
########## DEVICE SERVER SETUP DETAILS ##########
The Device Server stores all of the user data under a single directory. By default, this directory is /var/netscreen/DevSvr. Because the user data (including logs and policies) can grow to be quite large, it is sometimes desirable to place this data in another partition. Please enter an alternative location for this data if so desired, or press ENTER for the location specified in the brackets.
Enter data directory location [/var/netscreen/DevSvr]>
########## GUI SERVER SETUP DETAILS ##########
The GUI Server stores all of the user data under a single directory. By default, this directory is /var/netscreen/GuiSvr. Because the user data (including database data and policies) can grow to be quite large, it is sometimes desirable to place this data in another partition. Please enter an alternative location for this data if so desired, or press ENTER for the location specified in the brackets.
Enter data directory location [/var/netscreen/GuiSvr]>
The GUI Server stores all of the database logs under a single directory. By default, this directory is /var/netscreen/GuiSvr/xdb/log. Because the database log can grow to be quite large, it is sometimes desirable to place this log in another partition. Please enter an alternative location for this log if so desired, or press ENTER for the location specified in the brackets.
Enter database log directory location [/var/netscreen/GuiSvr/xdb/log]>
Enter the management IP address of this server [10.157.48.108]>
Enter the https port for NBI service [8443]>
Setting GUI Server address and port to 10.157.48.108:7801 for Device Server
Please enter a password for the 'super' user
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>
Enter the one-time password for this Gui Server
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>
Will a Statistical Report Server be used with this GUI Server? (y/n) [n]>
==> CFM user is set to 'cfmuser'
CFM password for user 'cfmuser'
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>
Enter the same password again for CFM user
Changing password for user cfmuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
########## HIGH AVAILABILITY (HA) SETUP DETAILS ##########
Will server processes need to be restarted automatically in case of a failure? (y/n) [y]>
########## BACKUP SETUP DETAILS ##########
Will this machine require local database backups? (y/n) [y]>
Enter hour of day to start the database backup (00 = midnight, 02 = 2am, 14 = 2pm ...)[02]>
Will daily backups need to be sent to a remote machine? (y/n) [n]>
Enter number of database backups to keep [7]>
Enter the rsync backup timeout [3600]>
Enter database backup directory [/var/netscreen/dbbackup]>
########## DEVSVR DB SETUP DETAILS ##########
Enter Postgres DevSvr Db port [5432]>
Enter Postgres DevSvr Db super user [nsm]>
Enter Postgres DevSvr Db password for user 'nsm'
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>
########## POST-INSTALLATION OPTIONS ##########
Start server(s) when finished? (y/n) []> y
########## CONFIRMATION ##########
About to proceed with the following actions:
- Install Device Server
- Install GUI Server
- Install High Availability Server
- Store base directory for management servers as /usr/netscreen
- This machine will have base license with maximum 25 devices
- This machine does not participate in an HA cluster
- Store Device Server data in /var/netscreen/DevSvr
- Store GUI Server data in /var/netscreen/GuiSvr
- Store GUI Server database log in /var/netscreen/GuiSvr/xdb/log
- Use IP address 10.157.48.108 for management
- Use port 8443 for NBI Service
- Connect to GUI Server at 10.157.48.108:7801
- Set password for 'super' user
- CFM user: cfmuser
- CFM Password set for 'cfmuser'
- Servers will be restarted automatically in case of a failure
- Local database backups are enabled
- Start backups at 02
- Daily backups will not be sent to a remote machine
- Number of database backups to keep: 7
- HA rsync command backup timeout: 3600
- Create database backup in /var/netscreen/dbbackup
- Postgres DevSvr Db Server port: 5432
- Postgres DevSvr Db super user: nsm
- Postgres DevSvr Db password set for 'nsm'
- Start server(s) when finished: Yes
Are the above actions correct? (y/n)> y
########## PERFORMING INSTALLATION TASKS ##########
----- INSTALLING Device Server -----
Looking for existing RPM package............................ok
Removing existing Device Server RPM.........................ok
Installing Device Server RPM................................ok
Installing JRE..............................................ok
Installing GCC..............................................ok
Creating var directory......................................ok
Creating /var/netscreen/dbbackup............................ok
Putting NSROOT into start scripts...........................ok
Filling in Device Server config file(s).....................ok
Setting permissions for Device Server.......................ok
----- Setting up PostgreSQL for DevSvr -----
Setting up PostgreSQL for DevSvr............................ok
Installation of Device Server complete.
----- INSTALLING GUI Server -----
Looking for existing RPM package............................ok
Removing existing GUI Server RPM............................ok
Installing GUI Server RPM...................................ok
Installing JRE..............................................ok
Installing GCC..............................................ok
Creating var directory......................................ok
Putting NSROOT into start scripts...........................ok
Filling in GUI Server config file(s)........................ok
Setting permissions for GUI Server..........................ok
Running generateMPK utility.................................ok
Running fingerprintMPK utility..............................ok
Installation of GUI Server complete.
----- INSTALLING HA Server -----
Looking for existing RPM package............................ok
Removing existing HA Server RPM.............................ok
Installing HA Server RPM....................................ok
Creating var directory......................................ok
Putting NSROOT into start scripts...........................ok
Filling in HA Server config file(s).........................ok
Setting permissions for HA Server...........................ok
Installation of HA Server complete.
----- SETTING START SCRIPTS -----
Enabling Device Server start script.........................ok
Enabling GUI Server start script............................ok
Enabling HA Server start script.............................ok
########## PERFORMING POST-INSTALLATION TASKS ##########
Running nacnCertGeneration..................................ok
Running idpCertGeneration...................................ok
Converting GuiSvr SetDB to XDB .............................ok
Loading GuiSvr XDB data from init files ....................ok
ok
Running webproxy Cert Generation............................ok
Removing staging directory..................................ok
Starting GUI Server.........................................ok
Starting Device Server......................................ok
Starting HA Server..........................................ok
NOTES:
- Installation log is stored in /usr/netscreen/DevSvr/var/errorLog/netmgtInstallLog.20080902134533
- This is the GUI Server fingerprint: 14:7C:3A:AD:F9:96:9A:80:7B:0B:D7:49:DE:CC:91:B8:4F:42:77:42
You will need this for verification purposes when logging into the GUI Server. Please make a note of it.
[root@C73-16 ~]#
Starting Server Processes Manually
If you did not tell the installer to start the servers when it finished, you must start the management system processes manually. You can start all of the management system processes by starting the HA Server process.
To start the HA Server process manually, run the following command:
/usr/netscreen/HaSvr/bin/haSvr.sh start
The HA Server process automatically starts the GUI Server and Device Server processes.
NOTE: NSM server processes always run with NSM user permissions, even if you have root user permissions when you start them.
Validating Management System Status
To validate that the management system is started and running properly, we recommend that you view the status of all the running server processes (the HA, Device, and GUI Servers) to confirm that all services are running.
See “Controlling the Management System” on page 171 for more information on manual commands that you can send to the HA Server, Device Server, and GUI Server.
Installing the User Interface
The NSM user interface (UI) installer launches an InstallAnywhere wizard that you can run on any Windows or Linux-based computer that meets minimum system requirements. See “System Requirements—User Interface” on page 7 for more information on the minimum system requirements for the UI.
The InstallAnywhere wizard guides you through all of the steps required to configure and install the NSM UI. After you install the UI, you can connect it to the management system.
NOTE: If you are running winrunner software with Java plugins on your client machine, ensure that those plugins are JRE version 1.6 or later.
NOTE: If you are installing the UI on RHEL 5, first install the “libXp” package. You can obtain libXp from RedHat.
We recommend that you exit all running applications before installing the UI.
To install the NSM UI:
1. Log in as an Administrator user on the computer where you are installing the UI.
NOTE: For instructions on adding users to the Administrator group, refer to your operating system manual.
2. Download the UI installer from the NSM installation CD or from the Juniper Networks corporate web site to the computer where you are installing the UI.
3. Run the UI installer.
If you are installing the UI on a Windows-based PC, then double-click on the installer executable.
If you are installing the UI on a Linux-based computer, then launch it from a command line using the following command:
sh nsm2010.4_ui_linux_x86.bin
An Introduction screen for the InstallAnywhere wizard appears similar to Figure 1 on page 41.
Figure 1: UI Installer Introduction Screen
Click Next to continue the installation. The License Agreement screen appears.
4. Review the License Agreement carefully. If you choose to accept the terms of the License Agreement, click the button next to the appropriate statement, and then click Next to continue.
NOTE: If you choose to not accept the terms of the License Agreement, then you are unable to proceed with the installation.
If you accepted the License Agreement, then the Choose Install Folder screen appears as shown in Figure 2 on page 42.
Figure 2: UI Installation—Choose Install Folder
5. To accept the default install folder, click Next.
NOTE: If you are installing on a Windows-based computer, then the installer saves the UI software files in C:\Program Files\Network and Security Manager by default. If you are installing on a Linux-based computer, then the installer saves the UI software files in /install_user_homedir/Network and Security Manager by default.
To specify a new or different folder location, click Choose. If you decide to accept the default install folder, then click Restore Default Folder.
On Windows-based computers, the Choose Shortcut Folder screen appears as shown in Figure 3 on page 43.
Figure 3: UI Installation—Choose Shortcut Folder
On Linux-based computers, the Choose Link Folder screen appears.
6. Select where you would like to create the NSM product icons. Or, if you are installing on a Linux-based computer, select where you would like to create links to the NSM UI program. Click Next to continue. The Pre-Installation Summary screen appears as shown in Figure 4 on page 44.
Figure 4: UI Installation—Preinstallation Summary
7. Verify that the information is correct. To make a change to any of the previous configuration options, click Previous. When you are satisfied that the information is correct for this installation, click Install. The installer proceeds to install the software files for the UI.
8. If you do not have a default web browser configured, then the Select Browser screen appears. Click Choose to navigate to the subdirectory where your web browser software files are located. Click Next to continue. When the installation is complete, a screen indicating “Install Complete” appears.
NOTE: If you do not select a default web browser, then the UI is not able to launch the NSM online help. If you still want to use the online help, then you can configure your web browser using the Preferences menu from the UI.
9. Click Done to exit the installation program.
The installer generates a log file with information describing the context of the installation process. For troubleshooting purposes, you might need to access it. The installation log is saved by default in the following directory locations:
For Windows-based computers:
C:\Documents and Settings\<user name>\.nsm\
For Linux-based computers:
/<install_user_homedir>/.nsm/
NOTE: The .nsm subdirectory is a hidden subdirectory on Linux systems.
The installation log file is named: _out.date/time stamp.dat
Running the User Interface
After you have completed installing the UI, you can launch the application and verify that you can connect to the management system.
The first time you open the UI, you need to specify the host name (or IP address) of the management system that you want to connect to, a username, and a password. The default username for new installations is “super”; the default password is the password you specified when configuring the management system. Passwords and usernames are case sensitive.
To log in to the UI for the first time:
1. Run the NSM UI.
If you are running the UI on a Windows-based PC, then double-click on the NSM icon.
If you are running the UI on a Linux-based computer, then launch it by double clicking on the NSM application icon (specify that you want to run the program) or launch it from a command line. From the command line, navigate to the subdirectory where you have installed the UI software files, and then launch the UI application by running the shell archive script provided. The Login window appears.
2. Verify that the username in the Login field provided is the initial admin user called “super”. If not, type super in the Login field.
3. In the password field, type the password that you specified when you installed the management system.
4. In the server field, type the IP address you assigned to the GUI Server. If you have enabled DNS lookup, then type the host name instead of the IP address.
5. Click OK.
The UI appears indicating that the installation was successful.
Validating the NSM Installation
After you have installed the management system and UI, we recommend that you validate the basic information configured on the Device Server. You can use the Server Manager to view and edit your configuration on the management system.
To validate your configuration on the Device Server:
1. From the NSM UI Administrate panel, select Server Manager>Servers. The Servers view appears displaying Device Server and GUI Server information.
2. Click on the Device Server, and then click on the Edit icon or right-click on the Device Server and select Edit to view all information available on the Device Server. A screen appears similar to Figure 5 on page 46.
Figure 5: Validating the NSM Installation
3. Use the General tab to verify the following information:
Device Server Manager Port—The default port is 7800.
IDP Device Server Manager Port—The default port is 7803.
DMI Device Server Manager Port—The default port is 7804.
Device Server ID—The ID number identifies the Device Server; you cannot change the Device Server ID.
Mapped IP address—The IP address that is manually defined in the UI.
NOTE: You can configure the Device Server to use a Mapped IP (MIP) address. A MIP maps the destination IP address in an IP packet header to another static IP address, enabling the managed device to receive incoming traffic at one IP address, and automatically forward that traffic to the mapped IP address. MIPs enable inbound traffic to reach private addresses in a zone that contains NAT mode interfaces.
4. Click OK when you are finished.
Running the User Interface in Demo Mode
Before you begin using NSM to configure and manage your network, we recommend that you first run the UI in Demo mode to get familiar with its features. Demo mode is an option in the UI enabling you to run the UI disconnected from the management system.
To run the UI in Demo mode:
1. Run the NSM UI. The Login window appears.
2. Type any username in the Login field provided.
3. Type any password in the Password field provided.
4. Select *DEMO MODE* from the Server field list.
5. Click OK. The user interface appears in demo mode.
6. Use the demo mode interface with the Network and Security Manager Online Help and the Network and Security Manager Administration Guide to gain familiarity with the interface.
Next Steps
Now that you have completed installation of the NSM management system and UI, you can begin to manage your network using NSM. Refer to the Network and Security Manager Administration Guide for information describing how to plan and implement NSM for your network. You can also refer to the Network and Security Manager Online Help for task specific information.
CHAPTER 4
Installing NSM in a Distributed Configuration
For larger enterprises, where you expect to generate a large amount of traffic logs, we recommend that you install the GUI Server and Device Server on separate servers.
This chapter describes how to install the Network and Security Manager (NSM) management system—GUI Server and Device Server—on separate servers. This installation includes performing any prerequisite steps, running the management system installer, running the User Interface installer, and validating that you have installed the management system successfully.
This chapter contains the following sections:
Suggested Distributed Configuration Installation Order on page 49
Defining System Parameters on page 50
Prerequisites on page 53
Installing the GUI Server on page 53
Installing the User Interface on page 62
Adding the Device Server in the User Interface on page 62
Installing the Device Server on page 63
Starting Server Processes Manually on page 69
Validating Management System Status on page 69
Next Steps on page 69
Suggested Distributed Configuration Installation Order
The following procedure summarizes the process for installing the management system on separate servers:
1. Define system parameters that you need to provide during the installation process.
2. Perform prerequisite steps.
3. Download the management system and User Interface installer software from the installation CD or the Juniper Networks corporate website.
4. Run the management system installer on the server where you want to install the GUI Server. During installation, you will need to:
Install a license. Obtain a license from the Juniper License Management Server (LMS) if you will be managing more than 25 devices (see “Generating the NSM License Key File” on page 13).
Specify that you want to install the GUI Server.
Install and configure the local database backup option (optional).
5. Install the User Interface.
6. Launch the User Interface, then connect it to the GUI Server. Add and configure the Device Server.
7. Run the management system installer on the server where you want to install the Device Server. Specify that you want to install the Device Server. Install and configure the local database backup option (optional).
You do not need to install a license for the Device Server.
8. Transfer certificate files from the server on which you are installing the Device Server to the server on which you are installing the GUI Server.
Defining System Parameters
During the installation process, you are required to configure common system parameters such as directory locations to store data for the GUI Server and Device Server. We recommend that you define these system parameters before performing the management system installation.
Table 11 on page 50 identifies the system parameters that you need to identify.
Table 11: Distributed Configuration—System Parameters
(Columns: Parameter, Description, Your Value. Record your own value for each parameter before you run the installer.)

Parameter: Device Server data directory
Description: Directory location on the Device Server where device data is stored. Because the data on the Device Server can grow to be large, consider placing this data in another location. If you decide to have data stored in an alternative location, then specify the new location during the install process. By default, the Device Server stores data in:
/var/netscreen/DevSvr/
CAUTION: Do not place your data directory in /usr/netscreen. That path normally contains binary files and should not be used for data.

Parameter: GUI Server data directory
Description: Directory location on the GUI Server where user data is stored. Because the data on the GUI Server can grow to be large, consider placing this data in another location. If you decide to have data stored in an alternative location, then specify the new location during the install process. By default, the GUI Server stores data in:
/var/netscreen/GuiSvr/
CAUTION: Do not place your data directory in /usr/netscreen. That path normally contains binary files and should not be used for data.

Parameter: GUI Server database log directory
Description: Directory location on the GUI Server where database logs are stored. Because the data on the GUI Server can grow to be large, consider placing this log data in another partition. If you decide to have data stored in an alternative location, then specify the new location during the install process. By default, the GUI Server stores database logs in:
/var/netscreen/GuiSvr/xdb/log

Parameter: Management IP address
Description: The IP address and port used by the running GUI Server. The default is the IP address of the machine that you are installing on.

Parameter: https port
Description: The port number for listening for messages from the NSM API. The range is from 1025 through 65535. The default value is 8443.

Parameter: Initial “super” user password
Description: The password required to authenticate the initial user in the system. By default, the initial superuser account receives all administrative privileges in the system.

Parameter: One-time GUI Server password
Description: A password that authenticates the server to its peers in a high-availability configuration, or authenticates a regional server with a central manager.

Parameter: Configuration file management password
Description: Configures a user and password for NSM to perform configuration file management operations, and a corresponding UNIX user and password. The NSM and UNIX passwords must be identical.

Parameter: Local Database Backup directory
Description: Directory location where local database backup data is stored. By default, the GUI Server stores local database backup data at:
/var/netscreen/dbbackup/

Parameter: Path to the rsync utility executable file
Description: Path to the rsync utility executable file. The default path is:
/usr/bin/rsync

Parameter: Hour of the Day to Start Local Database Backup
Description: Time of day that you want the GUI Server to back up the database. Type a 2-digit number representing the time of day in 24-hour clock notation (00 through 23). For example, if you want the backup to begin at 4:00 AM, type 04; if at 4:00 PM, type 16. We recommend that you set this parameter to a time of day that effectively minimizes your network downtime. The GUI Server completes the daily backup process within the hour specified every day. By default, the GUI Server performs the daily backup within an hour after 2 AM.

Parameter: Number of Local Database Backup Files Stored
Description: Total number of database backup files that the GUI Server stores. When the GUI Server reaches the maximum number of backup files you configure, it overwrites the oldest file. By default, the GUI Server stores seven backup files.

Parameter: Rsync Backup Timeout
Description: Time value (in seconds) that the rsync utility waits before timing out backup operations. By default, the rsync utility waits 3600 seconds before timing out.

Parameter: Enable Logging
Description: Enable logging related to local backup and HA.

Parameter: Device Server Database Parameters
Description: Parameters required for the Postgres Database used for the Device Server. You must specify a port number, superuser name and password. By default, the Postgres Database uses port 5432; the superuser is “nsm”.

Parameter: Device Server ID
Description: Unique ID assigned when you add the Device Server.

Parameter: Password for GUI Server Connection
Description: Password assigned to the Device Server enabling it to authenticate with the GUI Server when attempting to connect.
Prerequisites
Perform the prerequisite steps described as if you were installing the management system on the same server. See “Prerequisite Steps” on page 24 for more information.
Installing the GUI Server
The installer guides you through all the steps required to configure system parameters, and then the installer runs to completion.
To install the GUI Server:
1. Navigate to the directory where you saved the installer file.
2. Run the installer.
On Linux, run the following command:
sh nsm2010.4_servers_linux_x86.sh
On Solaris, run the following command:
sh nsm2010.4_servers_sol_sparc.sh
The installation performs a series of preinstallation checks to ensure that:
The OS version and specified architecture are compatible.
You are installing the correct software for your operating system.
All of the needed software binaries and packages are present.
If any component is missing, the installer displays a message identifying the missing component:
Checking for platform-specific packages.....................FAILED
The Following list of Packages are Required for NSM installation. Please install the system update utility before continuing. chkfontpath
You have the correct version of the PostgreSQL database.
You have correctly logged in as root and that the NSM user exists. The installer creates the NSM user, if it does not already exist.
For Linux servers, the installer checks whether iptables is running. If not, then the installer continues.
If iptables is running, the installer displays a message similar to the following:
Checking for iptables service………………………ok
Iptables is found to be running on the system. Please make sure the ports 7801 7802, 443, 7800, 7804 are open and available for NSM to run.
Please press enter to continue:
Ensure the required ports for NSM are available before continuing.
The system has sufficient disk space and RAM.
The installer stops any running servers.
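Added pre-check, not Juniper code and not part of this guide, for the iptables warning above: it reads iptables-save output and reports, for each port the installer names (plus 7803 and 8443, which this guide lists elsewhere), what the INPUT chain would do with a new inbound TCP connection. The rule evaluation is deliberately simplified (INPUT chain only, first applicable terminating rule wins), and the rule listing embedded in it is constructed.

```python
"""Pre-check of iptables for the NSM ports (added example, not Juniper code).
Reads iptables-save output and decides, per port, what the INPUT chain does
with a NEW inbound TCP connection. Deliberately simplified: rules in order,
first applicable terminating rule decides, else the chain policy; a jump to
a user-defined chain is reported by chain name for manual review.
"""
import re
import subprocess
from typing import Dict, List, Set

# Ports the installer message names (7801, 7802, 443, 7800, 7804), plus the
# IDP Device Server port 7803 and the NBI https port 8443 from this guide.
NSM_PORTS = (7800, 7801, 7802, 7803, 7804, 443, 8443)

POLICY_RE = re.compile(r"^:INPUT\s+(ACCEPT|DROP)")
RULE_RE = re.compile(r"^-A INPUT\b(?P<body>.*)$")
PROTO_RE = re.compile(r"(?:^|\s)-p\s+(\S+)")
IFACE_RE = re.compile(r"(?:^|\s)-i\s+(\S+)")
STATE_RE = re.compile(r"--(?:ct)?state\s+(\S+)")
DPORT_RE = re.compile(r"--dports?\s+(\S+)")
TARGET_RE = re.compile(r"(?:^|\s)-j\s+(\S+)")
NON_TERMINATING = {"LOG", "ULOG", "NFLOG", "MARK", "CONNMARK"}  # traversal goes on


def port_set(spec: str) -> Set[int]:
    """Expand an iptables port spec such as '443,7800:7802' into a set."""
    ports: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def rule_applies(body: str, port: int) -> bool:
    """Could this INPUT rule match a NEW TCP connection from a remote host?"""
    proto = PROTO_RE.search(body)
    if proto and proto.group(1) not in ("tcp", "all"):
        return False
    iface = IFACE_RE.search(body)
    if iface and iface.group(1) == "lo":
        return False  # loopback-only rule never sees remote clients
    state = STATE_RE.search(body)
    if state and "NEW" not in state.group(1).split(","):
        return False  # e.g. RELATED,ESTABLISHED: not a new connection
    dport = DPORT_RE.search(body)
    if dport and port not in port_set(dport.group(1)):
        return False
    return True  # nothing rules it out; this includes catch-all rules


def evaluate_input_chain(save_text: str, ports=NSM_PORTS) -> Dict[int, str]:
    """Map each port to the verdict a new inbound TCP connection would get."""
    policy, rules = "ACCEPT", []  # ACCEPT is iptables' default chain policy
    for line in save_text.splitlines():
        pm, rm = POLICY_RE.match(line), RULE_RE.match(line)
        if pm:
            policy = pm.group(1)
        if rm:
            rules.append(rm.group("body"))
    verdicts: Dict[int, str] = {}
    for port in ports:
        verdict = policy
        for body in rules:
            if not rule_applies(body, port):
                continue
            tm = TARGET_RE.search(body)
            if tm is None or tm.group(1) in NON_TERMINATING:
                continue  # counting or logging rule: keep going
            verdict = policy if tm.group(1) == "RETURN" else tm.group(1)
            break
        verdicts[port] = verdict
    return verdicts


def blocked_ports(save_text: str, ports=NSM_PORTS) -> List[int]:
    """Ports whose verdict is anything other than ACCEPT, ascending."""
    return sorted(p for p, v in evaluate_input_chain(save_text, ports).items()
                  if v != "ACCEPT")


# Constructed iptables-save listing: default-deny INPUT chain on which the
# NSM ports were only partly opened (7803 and 7804 fall through to REJECT).
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 7800:7802 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j LOG --log-prefix "https "
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    try:  # iptables-save needs root; otherwise show the constructed sample
        listing = subprocess.run(["iptables-save"], capture_output=True,
                                 text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        listing = SAMPLE_IPTABLES_SAVE
    for port, verdict in evaluate_input_chain(listing).items():
        print(f"tcp/{port}: {verdict}")
    print("not open for NSM:", blocked_ports(listing) or "none")
```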
NOTE: The management system installer indicates the results of its specific tasks and checks:
“Done” indicates that the installer successfully performed a task.
“OK” indicates that the installer performed a check and verified that the condition was satisfied.
“FAILED” indicates that the installer performed a task or check, but it was unsuccessful. See the install log for information about the failure. This log is usually stored in /usr/netscreen/DevSvr/var/errorLog. If the failure happens in the early stages of the install, the log might be in /tmp.
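Added helper (not Juniper code and not part of this guide) that covers both the log naming convention netmgtInstallLog.<date><time> and the Done/OK/FAILED result indicators: it picks the newest install log by the timestamp in its name from the two directories named above and lists the FAILED tasks together with the explanation the installer prints after them. The sample transcript embedded in it is constructed.

```python
"""Locate and triage an NSM installer log (added example, not Juniper code).

Task and check lines in the installer output look like
    Checking for PostgreSQL.....................................ok
    Installing Device Server RPM................................Done
    Checking for platform-specific packages.....................FAILED
and a FAILED line is followed by free text explaining the failure.
Log files are named netmgtInstallLog.<YYYYMMDD><HHMMSS> and are written
to /usr/netscreen/DevSvr/var/errorLog, or to /tmp if the install failed early.
"""
import re
from datetime import datetime
from pathlib import Path
from typing import Dict, List, Optional

LOG_DIRS = ("/usr/netscreen/DevSvr/var/errorLog", "/tmp")
LOG_PREFIX = "netmgtInstallLog."

# <task text> <run of dots or ellipsis characters> <ok|Done|FAILED>
RESULT_RE = re.compile(r"^(?P<task>.+?)\s*[.\u2026]{3,}\s*(?P<status>ok|Done|FAILED)\s*$")
# Section banners and separators are never part of a failure explanation.
BANNER_RE = re.compile(r"^\s*(#{3,}|-{3,}|NOTES:)")


def log_timestamp(name: str) -> Optional[datetime]:
    """Timestamp encoded in an install log file name, or None if not one."""
    base = Path(name).name
    if not base.startswith(LOG_PREFIX):
        return None
    try:
        return datetime.strptime(base[len(LOG_PREFIX):], "%Y%m%d%H%M%S")
    except ValueError:
        return None


def newest_log_name(names: List[str]) -> Optional[str]:
    """Pick the most recent install log from a list of file names."""
    stamped = [(log_timestamp(n), n) for n in names]
    stamped = [(ts, n) for ts, n in stamped if ts is not None]
    return max(stamped)[1] if stamped else None


def find_latest_log(dirs=LOG_DIRS) -> Optional[Path]:
    """Newest install log across the usual directories (by name, not mtime)."""
    found = {p.name: p for d in dirs for p in Path(d).glob(LOG_PREFIX + "*")}
    newest = newest_log_name(list(found))
    return found[newest] if newest else None


def parse_install_output(text: str) -> List[Dict[str, str]]:
    """One record per task/check line: task, status, and failure detail."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            records.append({"task": m.group("task").strip(),
                            "status": m.group("status"), "detail": ""})
        elif (records and records[-1]["status"] == "FAILED"
              and line.strip() and not BANNER_RE.match(line)):
            # Free text after a FAILED line explains that failure.
            records[-1]["detail"] = (records[-1]["detail"] + " " + line.strip()).strip()
    return records


def failed_tasks(text: str) -> List[Dict[str, str]]:
    """Only the FAILED records, in the order the installer reported them."""
    return [r for r in parse_install_output(text) if r["status"] == "FAILED"]


# Constructed sample output, modelled on the installer's transcript format.
SAMPLE_OUTPUT = """\
########## PERFORMING PRE-INSTALLATION TASKS ##########
Checking if platform is valid...............................ok
Checking for platform-specific packages.....................FAILED
The Following list of Packages are Required for NSM installation.
chkfontpath
Checking for PostgreSQL.....................................ok
Stopping any running servers
########## PERFORMING INSTALLATION TASKS ##########
Installing Device Server RPM................................Done
"""

if __name__ == "__main__":
    path = find_latest_log()
    text = path.read_text(errors="replace") if path else SAMPLE_OUTPUT
    print("log:", path or "(constructed sample)")
    for rec in failed_tasks(text):
        print(f"FAILED: {rec['task']} -- {rec['detail']}")
```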
The installer extracts the software payloads and prompts you to install NSM with the base license.
[root@/h ~]# sh nsm2010.4_servers_linux_x86.sh
########## PERFORMING PRE-INSTALLATION TASKS ##########
Creating staging directory...ok
Running preinstallcheck...
Checking if platform is valid...............................ok
Checking for correct intended platform......................ok
Checking for CPU architecture...............................ok
Checking if all needed binaries are present.................ok
Checking for platform-specific binaries.....................ok
Checking for platform-specific packages.....................ok
Checking in System File for PostgreSQL and XDB parameters...ok
Checking for PostgreSQL.....................................ok
Checking if user is root....................................ok
Checking if user nsm exists.................................ok
Checking if iptables is running.............................ok
Checking if system meets RAM requirement....................ok
Checking for sufficient disk space..........................ok
Noting OS name..............................................ok
Stopping any running servers
########## EXTRACTING PAYLOADS ##########
Extracting and decompressing payload........................ok
Extracting license manager package..........................ok
########## GATHERING INFORMATION ##########
1) Install Device Server only
2) Install GUI Server only
3) Install both Device Server and GUI Server
Enter selection (1-3) []> 2
Do you want to do NSM installation with base license? (y/n) [y]>
Enter base directory location for management servers [/usr/netscreen]>
3. The installer prompts you to specify the components that you want to install. For example, enter 2 to specify that you want to install the GUI Server only.
NOTE: If you have installed a previous version of the management system, then you might see different menu options.
Enter base directory location for management servers [/usr/netscreen]>
4. For a base license installation—that is, one that does not require the license key file—enter y. For an installation that requires a license key file, enter n. You can enter the license file path later. See “Generating the NSM License Key File” on page 13 for information about obtaining license keys.
5. The installer prompts you to specify a base directory in which to install the management server files.
6. Press Enter to accept the default /usr/netscreen directory, or type the full path name to a directory and then press Enter.
The installer prompts whether you want to enable FIPS support.
7. If you require FIPS support, enter y. Otherwise, press Enter to accept the default value.
What happens next depends on whether you selected to install with a base license or with a license key file. If you are installing with a base license, skip step 8.
8. If you chose to install a license key file, the installer displays the installation ID of the system and prompts you to enter the license key file path.
The installation ID for this system is: 3FFFEA90278AA
Enter the License File Path>
a. Use the installation ID to obtain a license key file from the LMS system and save it on your local drive as described in “Generating the License Key for an NSM Software-Only Installation” on page 14.
b. Enter the license key file path.
NOTE: The installer validates the license key file. If the license key file is not there, press Ctrl+Z to exit the installer. If the NSM Server stops while doing this, you need to manually start the server.
The installer prompts you to determine if you want this server to participate in an HA cluster.
9. Enter n if you do not want the server to participate in an HA cluster. If you are planning to configure NSM with HA enabled, enter y. Refer to "High Availability Overview" on page 47 for more information.
The installer prompts you to configure the GUI Server.
10. Configure the GUI Server as follows:
a. Type the directory location for storing the data files for the GUI Server or press Enter to accept the default location /var/netscreen/GuiSvr.
b. Type the directory location for storing the database files for the GUI Server or press Enter to accept the default location /var/netscreen/GuiSvr/xdb/log.
NOTE: You cannot store files in an existing directory location. This feature safeguards against overwriting any existing data. If you specify an existing directory, the installer prompts you to try again.
The installer prompts you to specify the management IP address of the GUI Server.
c. Type the IP address of the GUI Server. This address should be the same as the server on which you are installing. The installer sets the IP address and port number on the GUI Server, enabling the Device Server to start and connect. The Device Server attempts to connect to the GUI Server using port 7801 by default.
d. Enter a port number for listening for messages from the NSM API. The default value is 8443. This parameter must be between 1025 and 65535.
The installer prompts you to type a password for the superuser account. The initial administrator or superuser account is the account that you use when you first log in to NSM using the NSM user interface (UI). This account authenticates communication between the management system and the NSM UI. It possesses all administrative privileges by default.
e. Type any text string longer than eight characters for the password. Type the password again for verification.
NOTE: Make a note of the password that you set for the superuser account. You need this when you first log in to the system.
f. Enter a one-time password for the GUI Server. This password authenticates this server to its peers in a high-availability configuration and to the central manager.
The installer prompts you to determine if you want to use the Statistical Reports Server with the GUI Server.
11. If you are not installing NetScreen-Statistical Report Server with NSM, enter n. If you are installing NetScreen-Statistical Report Server with NSM, enter y.
If you typed y, then the installer prompts you to configure the parameters required for the management system to work with the Statistical Report Server (that is, database type, database server IP address, database port, database name, database user name, database password). Refer to the NetScreen-Statistical Report Server Installer's Guide for more information about these parameters.
The installer next creates a user in the NSM group for performing configuration file management actions and prompts for a password.
12. Enter a password for the configuration-file management (CFM) user.
Because the UNIX password cannot be saved in plain text format, the installer prompts a second time for the same password so that it can be saved in the guiSvr.cfg file, where it is used for the auto-archival configuration settings.
The installer next prompts if you want the server processes to be restarted automatically on failure.
NOTE: The CFM passwords for NSM and for UNIX must be identical, although NSM does not check that they are the same.
13. If you want the server processes to be restarted automatically in case of failure, enter y. If you do not want to restart server processes automatically, enter n.
The installer next prompts you if you want the GUI Server to perform a local backup of the database.
14. If you want to perform a daily backup of the database locally, enter y. If you do not want to back up the database locally, enter n.
NOTE: You must allow local backup if you want to specify remote backup.
If you specify that you want the NSM to perform backups, the installer prompts you to configure options for the backup operation:
a. Type a two-digit number (00 through 23) specifying the hour of day that you want the management system to perform the daily backup operation. For example, if you want the management system to perform the daily backup operation at noon, type 12; for midnight, type 00. Press Enter to accept the default setting of 02 (2:00 AM).
b. Enter n so daily backups are not sent to a remote server. If you enter y, the installer prompts you for an IP address for the remote backup server.
c. Type a number (from 0 to 7) to specify how many database backup files NSM stores. After NSM reaches the maximum number of files configured, it overwrites the oldest file and creates a new backup. Press Enter to accept the default setting of seven backup files.
d. Type a number specifying how many seconds you want NSM to wait while performing backups until the process times out.
e. Designate a directory location for locally storing the NSM database backup. Press Enter to accept the default location /var/netscreen/dbbackup.
The installer prompts you to determine if you want to restart the GUI Server after the installation process is completed.
NOTE: If you want to perform backups to a remote server, make sure to establish a trust relationship with that server. See “Establishing a Trust Relationship” on page 27.
15. To start the GUI Server processes after the installer has completed the installation process, enter y. The installer will start the server processes with nsm user permissions. If you do not want to start the server processes, enter n.
NOTE: When you restart your server, the GUI Server and HA Server processes start automatically.
The installer prompts you to verify your installation configuration settings.
16. Verify your settings. If they are correct, enter y to proceed. If you enter n, the installer returns you to the original selection prompt.
The installation proceeds automatically. The installer performs the following actions:
Installs the GUI Server
Installs the HA Server
Performs post-installation tasks such as removing the staging directory and starting the GUI Server
Several messages display to confirm the installation progress. The installer runs for several minutes, and then exits.
The installer generates a log file with the output of the installation commands for troubleshooting purposes.
NOTE: If you are installing NSM for the first time on a Solaris server, you must reboot the server after installation.
The naming convention used for the installation log file is netmgtInstallLog.<current date><current time>.
For example, if you ran the installer on December 1, 2003 at 6:00 PM, the installation log file would be named netmgtInstallLog.20031201180000.
NOTE: After the installation script finishes, it indicates the name of the installation log file and the directory location where it is saved.
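The FAILED note above and the log-naming convention just described are easiest to act on with a small triage script; the one below is an added example, not Juniper code, that parses installer transcript lines like those reproduced in this chapter (check results, the iptables port warning, the closing log-path note) and resolves the newest netmgtInstallLog by the timestamp in its name. The GuiSvr errorLog directory is assumed from the GUI Server transcript, and the sample transcript is constructed from messages the guide reproduces.

```python
"""Triage helper for NSM installer output (added example, not Juniper code)."""
import re
from datetime import datetime
from pathlib import Path

# Directories the guide names for the install log; the GuiSvr path is assumed
# from the GUI Server transcript, /tmp covers failures early in the run.
DEFAULT_LOG_DIRS = (
    "/usr/netscreen/DevSvr/var/errorLog",
    "/usr/netscreen/GuiSvr/var/errorLog",
    "/tmp",
)

# "Checking for PostgreSQL.......ok", "...FAILED", "Removing staging directory...ok"
CHECK_RE = re.compile(r"^(?P<task>\S.*?)\s*\.{3,}\s*(?P<status>ok|FAILED|Done)\s*$")
# "Please make sure the ports 7801 7802, 443, 7800, 7804 are open ..."
PORTS_RE = re.compile(r"make sure the ports\s+([\d,\s]+?)\s+are open", re.IGNORECASE)
# "- Installation log is stored in /usr/netscreen/.../netmgtInstallLog.20080902141953"
LOG_PATH_RE = re.compile(r"Installation log is stored in\s+(\S+)")
# Log file names carry the run time as YYYYMMDDHHMMSS
LOG_NAME_RE = re.compile(r"^netmgtInstallLog\.(\d{14})$")


def parse_transcript(text):
    """Summarise installer output: every check, the failed ones, ports, log path."""
    checks, ports, log_path = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        check = CHECK_RE.match(line)
        if check:
            checks.append((check.group("task"), check.group("status")))
            continue
        port_hit = PORTS_RE.search(line)
        if port_hit:
            ports = sorted({int(p) for p in re.findall(r"\d+", port_hit.group(1))})
            continue
        log_hit = LOG_PATH_RE.search(line)
        if log_hit:
            log_path = log_hit.group(1)
    failed = [task for task, status in checks if status == "FAILED"]
    return {"checks": checks, "failed": failed, "ports": ports, "log_path": log_path}


def log_timestamp(path):
    """Return the run time encoded in an install log name, or None if not one."""
    match = LOG_NAME_RE.match(Path(path).name)
    if not match:
        return None
    try:
        return datetime.strptime(match.group(1), "%Y%m%d%H%M%S")
    except ValueError:  # fourteen digits that are not a valid date and time
        return None


def newest_install_log(paths):
    """Pick the most recent install log, judged by the timestamp in its name."""
    dated = []
    for path in paths:
        stamp = log_timestamp(path)
        if stamp is not None:
            dated.append((stamp, str(path)))
    return max(dated)[1] if dated else None


def find_install_logs(dirs=DEFAULT_LOG_DIRS):
    """List install logs in the usual directories; missing directories are skipped."""
    found = []
    for directory in dirs:
        base = Path(directory)
        if base.is_dir():
            found.extend(str(p) for p in base.glob("netmgtInstallLog.*"))
    return found


# Constructed sample assembled from messages the guide reproduces, with the
# platform-specific packages check failing.
SAMPLE_TRANSCRIPT = """\
Checking if platform is valid...............................ok
Checking for platform-specific binaries.....................ok
Checking for platform-specific packages.....................FAILED
The Following list of Packages are Required for NSM installation. chkfontpath
Checking for PostgreSQL.....................................ok
Checking if iptables is running.............................ok
Iptables is found to be running on the system. Please make sure the ports 7801 7802, 443, 7800, 7804 are open and available for NSM to run.
Removing staging directory..................................ok
- Installation log is stored in /usr/netscreen/GuiSvr/var/errorLog/netmgtInstallLog.20080902141953
"""

if __name__ == "__main__":
    report = parse_transcript(SAMPLE_TRANSCRIPT)
    for task, status in report["checks"]:
        print(f"{status:6} {task}")
    if report["failed"]:
        print("failed checks:", ", ".join(report["failed"]))
        print("ports the installer expects open:", report["ports"])
        print("install log named by installer:", report["log_path"])
    newest = newest_install_log(find_install_logs())
    print("newest log on this host:", newest or "none found")
```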
Typical Output for Installing a GUI Server in a Distributed Configuration
The following example shows installation of a GUI Server in a distributed configuration:
[root@/h ~]# sh nsm2010.4_servers_linux_x86.sh
########## PERFORMING PRE-INSTALLATION TASKS ##########
Creating staging directory...ok
Running preinstallcheck...
Checking if platform is valid...............................ok
Checking for correct intended platform......................ok
Checking for CPU architecture...............................ok
Checking if all needed binaries are present.................ok
Checking for platform-specific binaries.....................ok
Checking for platform-specific packages.....................ok
Checking in System File for PostgreSQL and XDB parameters...ok
Checking for PostgreSQL.....................................ok
Checking if user is root....................................ok
Checking if user nsm exists.................................ok
Checking if iptables is running.............................ok
Checking if system meets RAM requirement....................ok
Checking for sufficient disk space..........................ok
Noting OS name..............................................ok
Stopping any running servers
########## EXTRACTING PAYLOADS ##########
Extracting and decompressing payload........................ok
Extracting license manager package..........................ok
########## GATHERING INFORMATION ##########
1) Install Device Server only
2) Install GUI Server only
3) Install both Device Server and GUI Server
Enter selection (1-3) []> 2
Do you want to do NSM installation with base license? (y/n) [y]>
Enter base directory location for management servers [/usr/netscreen]>
Enable FIPS Support? (y/n) [n]>
########## GENERAL SERVER SETUP DETAILS ##########
Will this machine participate in an HA cluster? (y/n) [n]>
########## GUI SERVER SETUP DETAILS ##########
The GUI Server stores all of the user data under a single directory. By default, this directory is /var/netscreen/GuiSvr. Because the user data (including database data and policies) can grow to be quite large, it is sometimes desirable to place this data in another partition. Please enter an alternative location for this data if so desired, or press ENTER for the location specified in the brackets.
Enter data directory location [/var/netscreen/GuiSvr]>
The GUI Server stores all of the database logs under a single directory. By default, this directory is /var/netscreen/GuiSvr/xdb/log. Because the database log can grow to be quite large, it is sometimes desirable to place this log in another partition. Please enter an alternative location for this log if so desired, or press ENTER for the location specified in the brackets.
Enter database log directory location [/var/netscreen/GuiSvr/xdb/log]>
Enter the management IP address of this server [10.157.48.108]>
Enter the https port for NBI service [8443]>
Please enter a password for the 'super' user
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>
Enter the one-time password for this Gui Server
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>
Will a Statistical Report Server be used with this GUI Server? (y/n) [n]>
==> CFM user is set to 'cfmuser'
CFM password for user 'cfmuser'
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>
Enter the same password again for CFM user
Changing password for user cfmuser.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
########## HIGH AVAILABILITY (HA) SETUP DETAILS ##########
Will server processes need to be restarted automatically in case of a failure? (y/n) [y]>
########## BACKUP SETUP DETAILS ##########
Will this machine require local database backups? (y/n) [y]>
Enter hour of day to start the database backup (00 = midnight, 02 = 2am, 14 = 2pm ...)[02]>
Will daily backups need to be sent to a remote machine? (y/n) [n]>
Enter number of database backups to keep [7]>
Enter the rsync backup timeout [3600]>
Enter database backup directory [/var/netscreen/dbbackup]>
########## POST-INSTALLATION OPTIONS ##########
Start server(s) when finished? (y/n) []> y
########## CONFIRMATION ##########
About to proceed with the following actions:
- Install GUI Server
- Install High Availability Server
- Store base directory for management servers as /usr/netscreen
- This machine will have base license with maximum 25 devices
- This machine does not participate in an HA cluster
- Store GUI Server data in /var/netscreen/GuiSvr
- Store GUI Server database log in /var/netscreen/GuiSvr/xdb/log
- Use IP address 10.157.48.108 for management
- Use port 8443 for NBI Service
- Set password for 'super' user
- CFM user: cfmuser
- CFM Password set for 'cfmuser'
- Servers will be restarted automatically in case of a failure
- Local database backups are enabled
- Start backups at 02
- Daily backups will not be sent to a remote machine
- Number of database backups to keep: 7
- HA rsync command backup timeout: 3600
- Create database backup in /var/netscreen/dbbackup
- Start server(s) when finished: Yes
Are the above actions correct? (y/n)> y
########## PERFORMING INSTALLATION TASKS ##########
----- INSTALLING GUI Server -----
Looking for existing RPM package............................ok
Removing existing GUI Server RPM............................ok
Installing GUI Server RPM...................................ok
Installing JRE..............................................ok
Installing GCC..............................................ok
Creating var directory......................................ok
Creating /var/netscreen/dbbackup............................ok
Putting NSROOT into start scripts...........................ok
Filling in GUI Server config file(s)........................ok
Setting permissions for GUI Server..........................ok
Running generateMPK utility.................................ok
Running fingerprintMPK utility..............................ok
Installation of GUI Server complete.
----- INSTALLING HA Server -----
Looking for existing RPM package............................ok
Removing existing HA Server RPM.............................ok
Installing HA Server RPM....................................ok
Creating var directory......................................ok
Putting NSROOT into start scripts...........................ok
Filling in HA Server config file(s).........................ok
Setting permissions for HA Server...........................ok
Installation of HA Server complete.
----- SETTING START SCRIPTS -----
Enabling GUI Server start script............................ok
Enabling HA Server start script.............................ok
########## PERFORMING POST-INSTALLATION TASKS ##########
Converting GuiSvr SetDB to XDB .............................ok
Loading GuiSvr XDB data from init files ....................ok
ok
Running webproxy Cert Generation............................ok
Removing staging directory..................................ok
Starting GUI Server.........................................ok
Starting HA Server..........................................ok
NOTES:
- Installation log is stored in /usr/netscreen/GuiSvr/var/errorLog/netmgtInstallLog.20080902141953
- This is the GUI Server fingerprint: E3:B6:5F:30:BE:6A:35:37:BD:9B:04:AB:95:BA:36:F3:86:D0:B4:2F
You will need this for verification purposes when logging into the GUI Server. Please make a note of it.
[root@C73-16 ~]#
Installing the User Interface
Install the User Interface. See “Installing the User Interface” on page 40 for more information on installing the User Interface (UI).
Adding the Device Server in the User Interface
After you have installed the UI, you need to add the Device Server and configure the following:
Device Server ID
Password for GUI Server Connection
This information enables the Device Server to establish a connection with the GUI Server.
To add the Device Server:
1. From the UI Administrate panel, select Server Manager>Server.
2. In the Device Server area, click the + icon. The Device Server dialog box appears.
3. In the Name box, enter the name of the Device Server.
4. In the IP Address box, enter the IP address of the Device Server.
5. In the Password for GUI Server Connection box, enter the DevSvr one-time password you specified when installing the GUI Server.
6. If you are using a Mapped IP address (MIP), use the General tab, and click the Add icon (+) in the MIP section. The New MIP dialog box appears. Enter the mapped IP address and port of the Device Server in the fields provided.
NSM sets the Device Server Manager port to 7800 by default. It also assigns an ID to the Device Server automatically (this ID appears in the Device Server ID box).
7. The default Device Server Manager port is set by NSM to 7800. You can edit this value.
8. (Optional) If you wish to configure polling attributes, use the Device Polling tab. Device polling attributes enable you to configure the intervals at which the Device Server retrieves statistics from the managed devices in your network. These statistics appear in the Device Monitor and Realtime Monitor.
9. Click OK to save your settings.
NOTE: Make a note of the Device Server ID and the Password for GUI Server Connection. You will need this when you install the Device Server.
Installing the Device Server
The installer guides you through all the steps required to configure the system parameters and then runs to completion.
To install NSM on the Device Server:
1. Navigate to the directory where you have saved the installer file.
2. Run the installer.
On Linux, run the following command:
sh nsm2010.4_servers_linux_x86.sh
On Solaris, run the following command:
sh nsm2010.4_servers_sol_sparc.sh
The installation begins automatically by performing a series of preinstallation checks.
NOTE: Before installing the Device Server, verify that the GUI Server is running.
After you install the Device Server, the installer starts the Device Server by default. If the GUI Server is not already running, the Device Server will fail to connect to it.
The installer extracts the software payloads and prompts you to specify the components of NSM that you want to install.
3. Enter 1 to specify that you want to install the Device Server only.
The installer prompts you to install NSM with the base license.
4. Enter y or n. The installer prompts you to specify a base directory in which to install the management server files.
5. Press Enter to accept the default /usr/netscreen directory, or type the full path to a directory and press Enter.
The installer prompts whether you want to enable FIPS support.
6. If you require FIPS support, enter y. Otherwise, press Enter to accept the default value.
The installer prompts you to specify if you want the server to be part of an HA cluster.
7. If you do not want the server to participate in an HA cluster, enter n. If you are planning to configure NSM with HA enabled, enter y. Refer to "High Availability Overview" on page 47 for more information.
NOTE: If you installed a previous version of NSM, then you may have different menu options.
The installer prompts you to configure the Device Server.
8. Configure the Device Server as follows:
a. Type the directory location for storing the Device Server data files or press Enter to accept the default location /var/netscreen/DevSvr.
The installer prompts you to enter parameters assigned by the UI to this Device Server.
b. Type the Device Server ID.
The installer prompts you to type the one-time password for this Device Server.
c. Type the one-time password for the GUI Server connection. The one-time password must be a minimum of eight characters.
The installer prompts you for the IP address and port number of the running GUI Server. This address is required to enable the Device Server to communicate with the GUI Server.
d. Type the IP address of the running GUI Server.
The installer sets the IP address enabling the Device Server to connect. It attempts to connect to the GUI Server using port 7801 by default.
The installer prompts you to determine if you want to restart the server processes automatically in case of a failure.
9. If you want the server processes to be restarted automatically in case of failure, enter y. If you do not want to restart the server processes, enter n.
The installer next prompts you to determine if you want to perform a daily backup of the database locally. If you installed and configured the local database backup on the GUI Server, then you are required to install and configure the option on the Device Server.
10. If you want the Device Server to perform a backup of the database locally, enter y. If you do not want the Device Server to perform a backup, enter n.
NOTE: You must allow local backup if you want to specify remote backup.
If you specified that you want the Device Server to perform automatic backups, the installer prompts you to configure options for the backup operation:
a. Type a two-digit number (00 through 23) to specify the hour of day that you want NSM to perform the daily backup operation. For example, if you want NSM to perform the daily backup operation at noon, type 12; for midnight, type 00. Press Enter to accept the default setting of 02 (2:00 AM).
b. Enter n so daily backups are not sent to a remote server. If you enter y, the installer prompts you to enter the IP address of the remote backup server.
c. Type a number (from 0 to 7) to specify how many database backup files to store. After NSM reaches the maximum number of files configured, it overwrites the oldest file and creates a new backup. Press Enter to accept the default setting of seven backup files.
d. Type a number specifying how many seconds you want the management system to wait while performing backups until the process times out.
e. Designate a directory location for locally storing the NSM database backup. To accept the default location, /var/netscreen/dbbackup, press Enter.
The installer prompts you to configure the Device Server database.
11. Configure the Device Server database as follows:
a. Enter a port number for the Device Server database.
b. Enter a name for the database superuser. If you specify a user that does not already exist, the installer prompts you to enter a password for the database superuser. Enter the password again for verification.
The installer prompts you to determine if you want to restart the Device Server after the installation process is completed.
12. To start the Device Server after the installer has completed the installation process, enter y. The installer will start the process with nsm user permissions.
If you do not want the Device Server to start automatically, enter n.
NOTE: When you reboot your server, the Device Server starts automatically.
The installer prompts you to verify your installation configuration settings.
13. Verify your settings. If they are correct, enter y to proceed. If you enter n, the installer returns you to the original selection prompt.
If you confirmed your settings, the installation proceeds automatically. The installer proceeds to perform the following actions:
Installs the Device Server.
Installs the HA Server.
Performs post installation tasks.
NOTE: If you are installing NSM for the first time on a Solaris server, you must reboot the server after installation.
Typical Output for Installing a Device Server in a Distributed Configuration
The following example shows installation of a Device Server in a distributed configuration.
[root@/h ~]# sh nsm2010.4_servers_linux_x86.sh
########## PERFORMING PRE-INSTALLATION TASKS ##########
Creating staging directory...ok
Running preinstallcheck...
Checking if platform is valid...............................ok
Checking for correct intended platform......................ok
Checking for CPU architecture...............................ok
Checking if all needed binaries are present.................ok
Checking for platform-specific binaries.....................ok
Checking for platform-specific packages.....................ok
Checking in System File for PostgreSQL and XDB parameters...ok
Checking for PostgreSQL.....................................ok
Checking if user is root....................................ok
Checking if user nsm exists.................................ok
Checking if iptables is running.............................ok
Checking if system meets RAM requirement....................ok
Checking for sufficient disk space..........................ok
Noting OS name..............................................ok
Stopping any running servers
########## EXTRACTING PAYLOADS ##########
Extracting and decompressing payload........................ok
Extracting license manager package..........................ok
########## GATHERING INFORMATION ##########
1) Install Device Server only
2) Install GUI Server only
3) Install both Device Server and GUI Server
Enter selection (1-3) []> 1
Enter base directory location for management servers [/usr/netscreen]>
Enable FIPS Support? (y/n) [n]>
########## GENERAL SERVER SETUP DETAILS ##########
Will this machine participate in an HA cluster? (y/n) [n]>
########## DEVICE SERVER SETUP DETAILS ##########
The Device Server stores all of the user data under a single directory. By default, this directory is /var/netscreen/DevSvr. Because the user data (including logs and policies) can grow to be quite large, it is sometimes desirable to place this data in another partition. Please enter an alternative location for this data if so desired, or press ENTER for the location specified in the brackets.
Enter data directory location [/var/netscreen/DevSvr]>
Enter the ID assigned by the GUI to this Device Server (1-65535) []> 1
Enter the one-time password for this Device Server
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>
To enable the Device Server to communicate with the GUI Server, you must provide the IP address of the running GUI Server
Enter the IP address of the running GUI Server []> 10.157.48.108
########## HIGH AVAILABILITY (HA) SETUP DETAILS ##########
Will server processes need to be restarted automatically in case of a failure? (y/n) [y]>
########## BACKUP SETUP DETAILS ##########
Will this machine require local database backups? (y/n) [y]>
Enter hour of day to start the database backup (00 = midnight, 02 = 2am, 14 = 2pm ...)[02]>
Will daily backups need to be sent to a remote machine? (y/n) [n]>
Enter number of database backups to keep [7]>
Enter the rsync backup timeout [3600]>
Enter database backup directory [/var/netscreen/dbbackup]>
########## DEVSVR DB SETUP DETAILS ##########
Enter Postgres DevSvr Db port [5432]>
Enter Postgres DevSvr Db super user [nsm]>
Enter Postgres DevSvr Db password for user 'nsm'
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>
########## POST-INSTALLATION OPTIONS ##########
NOTE: Do not start up the Device Server unless you have already added it to the system from the UI.
Start server(s) when finished? (y/n) []> n
########## CONFIRMATION ##########
About to proceed with the following actions:
- Install Device Server
- Install High Availability Server
- Store base directory for management servers as /usr/netscreen
- This machine does not participate in an HA cluster
- Store Device Server data in /var/netscreen/DevSvr
- Connect to GUI Server at 10.157.48.108:7801
- Servers will be restarted automatically in case of a failure
- Local database backups are enabled
- Start backups at 02
- Daily backups will not be sent to a remote machine
- Number of database backups to keep: 7
- HA rsync command backup timeout: 3600
- Create database backup in /var/netscreen/dbbackup
- Postgres DevSvr Db Server port: 5432
- Postgres DevSvr Db super user: nsm
- Postgres DevSvr Db password set for 'nsm'
- Start server(s) when finished: No
Are the above actions correct? (y/n)> y
########## PERFORMING INSTALLATION TASKS ##########
----- INSTALLING Device Server -----
Looking for existing RPM package............................ok
Removing existing Device Server RPM.........................ok
Installing Device Server RPM................................ok
Installing JRE..............................................ok
Installing GCC..............................................ok
Creating var directory......................................ok
Creating /var/netscreen/dbbackup............................ok
Putting NSROOT into start scripts...........................ok
Filling in Device Server config file(s).....................ok
Setting permissions for Device Server.......................ok
----- Setting up PostgreSQL for DevSvr -----
Setting up PostgreSQL for DevSvr............................ok
Installation of Device Server complete.
----- INSTALLING HA Server -----
Looking for existing RPM package............................ok
Removing existing HA Server RPM.............................ok
Installing HA Server RPM....................................ok
Creating var directory......................................ok
Putting NSROOT into start scripts...........................ok
Filling in HA Server config file(s).........................ok
Setting permissions for HA Server...........................ok
Installation of HA Server complete.
----- SETTING START SCRIPTS -----
Enabling Device Server start script.........................ok
Enabling HA Server start script.............................ok
########## PERFORMING POST-INSTALLATION TASKS ##########
Running nacnCertGeneration..................................ok
Running idpCertGeneration...................................ok
Removing staging directory..................................ok
NOTES:
- Installation log is stored in /usr/netscreen/DevSvr/var/errorLog/netmgtInstallLog.20080902144922
[root@C73-16 ~]#
Starting Server Processes Manually
If you did not instruct the installer to start the servers when it finished, you must start the management system processes manually. You can start all the management system processes by starting the HA Server process.
To start the HA Server process manually, enter the following command:
/usr/netscreen/HaSvr/bin/haSvr.sh start
The HA Server process automatically starts the GUI Server and Device Server processes.
NSM server processes always run with NSM user permissions, even if you have root permissions when you start them.
Validating Management System Status
To validate that the management system is started and running properly, we recommend that you view the status of all the running server processes (the HA Server, Device Server, and GUI Server) to confirm that all services are running. See “Controlling the Management System” on page 171 for more information on the manual commands that you can send to the HA Server, Device Server, and GUI Server.
Next Steps
Now that you have completed installing the management system on separate servers, you are ready to begin managing your network. Refer to the Network and Security Manager Administration Guide for information on how to plan and implement management for your network. You can also refer to the Network and Security Manager Online Help for more task-specific information.
CHAPTER 5
Installing NSM with High Availability
This chapter describes how to install the Network and Security Manager (NSM) management system and configure it to provide for high availability. This installation includes performing any prerequisite steps, running the management system installer on a primary and secondary server, configuring both servers to failover in the event that the primary server is unavailable, running the User Interface installer, and validating that you have installed the management system successfully.
This chapter contains the following sections:
High Availability Overview on page 71
Suggested Simple HA Installation Order on page 78
Suggested Extended HA Installation Order on page 78
Defining System Parameters on page 79
Prerequisites on page 84
Installing NSM 2010.4 on the Primary Server on page 86
Installing NSM 2010.4 on the Secondary Server on page 95
Example: Installing NSM in a Simple HA Configuration on page 95
Installing the User Interface on page 107
Configuring the HA Cluster in the UI on page 107
Installing NSM In an Extended HA Configuration on page 110
Next Steps on page 129
High Availability Overview
NSM with high availability requires two physical servers:
A primary server that runs on a server machine in active mode
A secondary server that runs on a different server machine in standby mode
If for any reason the primary server becomes unavailable, the secondary server takes over as the active management system.
HA Configuration Options
You have two main options for installing NSM in a high availability configuration:
Install and configure the management system in an HA cluster on two server machines: the primary management system with the Device Server and GUI Server on the same machine, and a secondary management system with the Device Server and GUI Server together on another machine.
Install and configure the management system in an HA cluster on four server machines: the primary management system with the Device Server and GUI Server on separate machines, and a secondary management system with the Device Server and GUI Server on separate machines.
You can also install and configure HA clusters in either scenario with access to a shared disk.
HA Requirements
Consider the following system requirements if you are planning on installing the management system for high availability:
Both the primary and secondary management servers must share at least two network connections: there must be at least one network connection for data, and at least one network connection for heartbeat communication.
The primary and secondary servers can be geographically separate.
Figure 6 on page 72 shows the physical setup ofthe primary and secondary management systems in a simple HA configuration.
Figure 6: Simple HA Management System Configuration
Communication Between Physical Servers
This section discusses the following aspects of communication between the physical servers:
Inter-server Communications on page 73
HA Server on page 73
Database Synchronization and Remote Replication on page 73
HA Failover on page 74
Restoring Connections on page 75
Using a Shared Disk on page 76
Creating a Trust Relationship Between Servers on page 76
Server Authentication on page 76
Inter-server Communications
Communications from your managed devices to the Device Server, from the Device Server to the GUI Server, and from the GUI Server to NSM UI clients are all TCP-based and make use of Juniper Networks' proprietary SSP (Secure Server Protocol). This ensures that both AES encryption and certificate-based authentication are used throughout. There are some exceptions:
Certificate loading onto security devices running ScreenOS 5.0
Initial setup of all managed devices to configure parameters on NSM using either Telnet or SSH
Managed ScreenOS devices always initiate the TCP session to the running Device Server on port 7800. The Device Server always initiates the TCP connection to the GUI Server on port 7801. Device families that use the DMI interface use port 7804 to initiate communication. The UI client works slightly differently. It attempts connection to the primary GUI Server using TCP port 7801. Upon failure, the UI automatically attempts to connect to the secondary GUI Server. This process is transparent to the Admin user. Note, however, that the IP address of the secondary GUI Server then appears in the bottom left of the main UI window, and in the Server Monitor.
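The connection directions above give a defender a simple audit rule: a connection to an NSM service port that does not come from the kind of host documented as the initiator is worth a look. The following Python script is an added example, not part of this guide or of NSM itself. The inventory, the addresses and the connection records are constructed sample data; the UDP 7802 heartbeat rule is taken from the HA Failover section later in this chapter.

```python
"""Audit observed connections against the NSM connection directions the guide
documents. Added example; not part of the guide or of NSM itself.

Documented flows: managed ScreenOS devices initiate TCP to the Device Server on
7800; DMI-based device families initiate on 7804; the Device Server initiates
TCP to the GUI Server on 7801; UI clients connect to the GUI Server on 7801;
HA Servers exchange heartbeats over UDP 7802 (HA Failover section).
"""
from collections import namedtuple

Conn = namedtuple("Conn", "proto src dst dport")

# Constructed inventory (sample addresses, not a real deployment): a simple HA
# pair in which each machine runs the GUI Server, Device Server and HA Server.
INVENTORY = {
    "10.0.1.10": {"gui_server", "device_server", "ha_server"},  # primary
    "10.0.1.11": {"gui_server", "device_server", "ha_server"},  # secondary
    "10.0.2.5": {"managed_device"},
    "10.0.2.6": {"managed_device"},
    "10.0.3.20": {"ui_client"},
}

# (protocol, destination port) -> (role that must own the port, roles allowed
# to initiate). Only the roles named in the guide may open these connections.
EXPECTED = {
    ("tcp", 7800): ("device_server", {"managed_device"}),
    ("tcp", 7804): ("device_server", {"managed_device"}),
    ("tcp", 7801): ("gui_server", {"device_server", "ui_client"}),
    ("udp", 7802): ("ha_server", {"ha_server"}),
}


def classify(conn, inventory=INVENTORY):
    """Return (verdict, reason) for one connection record."""
    rule = EXPECTED.get((conn.proto, conn.dport))
    if rule is None:
        return "ignored", "not an NSM service port"
    server_role, client_roles = rule
    src_roles = inventory.get(conn.src, set())
    dst_roles = inventory.get(conn.dst, set())
    if server_role not in dst_roles:
        # Something other than a known NSM server is accepting on this port.
        return "unexpected", f"{conn.dst} is not a known {server_role}"
    if not src_roles & client_roles:
        allowed = "/".join(sorted(client_roles))
        return "unexpected", f"{conn.src} is not a known {allowed}"
    return "expected", "matches the documented direction"


def audit(conns, inventory=INVENTORY):
    """Return [(conn, reason)] for every record that breaks a documented flow."""
    findings = []
    for conn in conns:
        verdict, reason = classify(conn, inventory)
        if verdict == "unexpected":
            findings.append((conn, reason))
    return findings


# Constructed connection records, as a firewall or netstat export might give.
SAMPLE_CONNS = [
    Conn("tcp", "10.0.2.5", "10.0.1.10", 7800),   # device -> Device Server
    Conn("tcp", "10.0.1.11", "10.0.1.10", 7801),  # Device Server -> GUI Server
    Conn("tcp", "10.0.3.20", "10.0.1.10", 7801),  # UI client -> GUI Server
    Conn("udp", "10.0.1.11", "10.0.1.10", 7802),  # HA heartbeat between peers
    Conn("tcp", "10.0.9.9", "10.0.1.10", 7800),   # unknown host on device port
    Conn("tcp", "10.0.2.5", "10.0.1.10", 7801),   # device reaching GUI port
    Conn("udp", "10.0.9.9", "10.0.1.10", 7802),   # heartbeat from a stranger
    Conn("tcp", "10.0.3.20", "10.0.1.10", 22),    # SSH: not an NSM port, ignored
]

if __name__ == "__main__":
    for conn, reason in audit(SAMPLE_CONNS):
        print(f"{conn.proto} {conn.src} -> {conn.dst}:{conn.dport}: {reason}")
```

The script only checks direction and role; it says nothing about whether the SSP session inside the connection authenticated. Its value is in catching the two things a role inventory makes visible: an unknown host talking to an NSM port, and a known host using a port the guide never has it use.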
HA Server
Each physical server on which NSM runs contains a service called the HA Server (HaSvr). The HA Server:
Controls and detects failures in both the GUI Server and Device Server services, as well as the inter-server database synchronization and remote replication processes
Starts and stops services
If you have installed the Device Server and GUI Server on a single server, one HA Server controls all services.
Database Synchronization and Remote Replication
During normal HA operations, data is synchronized between the primary server and secondary server. The HA Server controls this synchronization process. The HA Server makes use of rsync, a utility supplied by the operating system, to transfer non-database files in each server’s data directory (/var/netscreen by default). This process is known as remote replication.
The data in the configuration database is synchronized by using the high availability feature of DBXML. This process is known as database synchronization.
Objects such as PKI information and configuration data for the Device Server are synchronized. This allows the secondary Device Server to have the information it needs to accept connections from managed devices and to create SSP connections to the GUI Server. Without the synchronization process, the secondary Device Server would not have the same private key as the primary (in this case, if it attempts a connection to the GUI Server, the SSP connection would be refused). This is important because it means that a successful synchronization process must take place at least once after installation before the secondary Device Server can take over. A failover before the first synchronization (or before the first successful connection to the GUI Server) could cause serious problems. After the installation process, you must check that this synchronization has occurred.
Synchronization of non-database files is performed automatically when the standby server comes up. Failover is disabled until the first-time synchronization finishes.
Some directories are excluded from the synchronization process. For example, the directory on the Device Server where log data is stored is excluded because of the potentially large size of your device log data. The complete list of directories that are excluded from the synchronization process is in a text file called:
/usr/netscreen/HaSvr/var/exclude.rsync
NOTE: If you want the standby Device Server to access log data also on the active Device Server, you must connect both servers to an external shared disk.
NOTE: Rsync uses a temporary SSH connection to the peer server to perform the incremental backups. During synchronization, two SSH connections are open for the time it takes to complete the backup.
HA Failover
During normal operations, both the primary and secondary management systems monitor the health of the other using a series of heartbeat communications. The HA Server sends heartbeat messages over the UDP 7802 channel between itself and its peer. It also pings an external device (normally the IP address of the network gateway) that you configure during installation. This is in addition to monitoring the services running on itself. Based on the information the HA Server gathers about itself and its peer, it starts or stops all the services that reside on that machine.
Each server sends a heartbeat message to the other server every 15 seconds. If a series of consecutive heartbeat messages is not received by the primary server, the HA Server stops all services and informs its peer of the problem. The peer HA Server then starts all its services. For example, if you are running the primary GUI Server and Device Server on Server 1 and the secondary GUI Server and Device Server on Server 2, and the primary GUI Server fails, then both the primary GUI Server and primary Device Server on Server 1 are shut down, and both the secondary GUI Server and Device Server on Server 2 start up.
NOTE: For additional redundancy, we recommend that you install at least two additional heartbeat network connections. This prevents the heartbeat network connection from being the single point of failure for the entire system. For example, in a shared disk setup with only one heartbeat connection, if that connection goes down, each server would consider the other server dead, and both would mount the shared disk simultaneously, resulting in a corrupted file system. With additional heartbeat connections, the loss of one connection does not cause either server to consider the other dead. If you choose to install two network cards, we recommend that you use one dedicated interface for heartbeat communications, in addition to one for network communications.
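To make the note's point concrete, here is an added Python illustration (not the NSM HA Server's own logic) of why a single heartbeat link turns a cable fault into a split-brain. The 15-second interval is from this section; the three-miss threshold, the gateway-ping policy and the scenario timestamps are assumptions made for the example.

```python
"""Illustrate when an HA peer should be declared dead, given one or more
heartbeat links and the gateway ping the guide describes.

Added example, not NSM's implementation. HEARTBEAT_INTERVAL is from the guide;
MISS_THRESHOLD and the decision policy are assumptions for illustration.
"""
HEARTBEAT_INTERVAL = 15.0  # seconds between heartbeats (guide)
MISS_THRESHOLD = 3         # consecutive misses before the peer counts as dead (assumed)


def missed_heartbeats(last_seen, now):
    """Whole heartbeat intervals elapsed since the peer was last heard."""
    return int((now - last_seen) // HEARTBEAT_INTERVAL)


def peer_is_dead(links_last_seen, now):
    """links_last_seen maps each heartbeat link to the arrival time of its last heartbeat.

    The peer is declared dead only when EVERY link has gone quiet. With a
    single link, a failed cable or switch port is indistinguishable from a
    dead peer; a second, independent link removes that ambiguity.
    """
    return all(missed_heartbeats(t, now) >= MISS_THRESHOLD
               for t in links_last_seen.values())


def decide(role, links_last_seen, gateway_reachable, now):
    """Action for one HA Server; role is 'active' or 'standby'.

    Illustrative policy: a server that cannot reach its gateway treats itself
    as isolated and stops its services; a standby that sees its peer dead
    takes over; an active server that sees its peer dead keeps running.
    """
    if not gateway_reachable:
        return "stop-local-services"
    if peer_is_dead(links_last_seen, now):
        return "take-over" if role == "standby" else "stay-active"
    return "no-change"


def split_brain(active_links, standby_links, now, gateway_reachable=True):
    """True when both servers would run services at once, which is exactly
    the condition that mounts a shared disk twice and corrupts it."""
    a = decide("active", active_links, gateway_reachable, now)
    s = decide("standby", standby_links, gateway_reachable, now)
    return a == "stay-active" and s == "take-over"


# Constructed scenario: the only heartbeat link fails at t=940 while both
# servers and the gateway stay healthy, so each side stops hearing the other.
NOW = 1000.0
ONE_LINK = {"hb0": 940.0}
# The same fault with a second, independent heartbeat link still delivering.
TWO_LINKS = {"hb0": 940.0, "hb1": 995.0}

if __name__ == "__main__":
    print("one link, split-brain:", split_brain(ONE_LINK, ONE_LINK, NOW))
    print("two links, split-brain:", split_brain(TWO_LINKS, TWO_LINKS, NOW))
```

Run as written, the single-link scenario reports a split-brain and the two-link scenario does not; the gateway ping is what lets an isolated server stand down instead of fighting its peer for the disk.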
In the event of a process failure on the primary server, the primary server proceeds as follows:
1. Shuts down all local server processes.
2. Synchronizes all information to disk.
3. Unmounts the shared partitions (if using a shared disk).
4. Signals to the secondary server that it is done shutting down.
The HA process in the primary server then enters an ERROR mode, and stays in that mode until you manually restart the HA Server.
NOTE: You cannot start or stop the Device Server and GUI Server processes manually in an HA configuration. You must use the HA Server to control these services.
NOTE: To prevent the server from rebooting in an HA configuration that uses shared disks, you must ensure that none of the shared files are in use before stopping the HaSvr process. If these files are in use (for example, by a vi or tail command), then the configured file system unmount command fails, causing the server to reboot.
Restoring Connections
In the event that the GUI Server fails over, the Device Server detects this status and automatically reconnects to the secondary GUI Server.
If you are attempting to connect to the GUI Server using the User Interface, you must enter the secondary server's IP address to reconnect to the new GUI Server.
NOTE: After failover, it will take some time for the standby management system to become fully active with the replicated database. For large networks, this can take up to 10 minutes.
The Device Server receives SSP or SSH connections from each device it manages. All managed devices are configured with both primary and secondary Device Server IP addresses. During failover, the device connection with the primary Device Server will time out. The managed device will retry the connection, and then attempt connection to the secondary Device Server.
The Device Server also has a connection to the active GUI Server. Like the managed devices in your network, the Device Server is configured with the primary and secondary IP address of the GUI Server. Whenever a Device Server starts it will try to connect to the primary GUI Server, then to the secondary, then back to the primary until it is successful.
Using a Shared Disk
On systems that contain a Device Server cluster, we strongly recommend that you use a shared disk (although this is not a minimum requirement). This is an additional server, often optimized for data storage. Because the management system refers to this store simply as a path (specified during installation), the mechanism of communication with the store (for example, an NFS relationship or a SAN driver) and the type of media used are not relevant. We also recommend that you create and test the shared disk prior to installation.
If an additional server is used as the shared data storage, a single point of failure is introduced. If you are using a shared disk setup, you need to ensure sufficient redundancy within the shared disk machine (for example, RAID, dual power supplies).
NOTE: In a Simple HA installation using a shared disk, ensure that the data directories of both the GUI Server and the Device Server are on the same disk.
NOTE: If you are installing the management system for HA and you are using a shared disk, you must activate the primary server before activating the secondary server after the installation process.
Creating a Trust Relationship Between Servers
Rsync is run automatically by the HA Server and should not require any manual interaction. Under normal circumstances when connecting via SSH to a server, you are required to authenticate. The need for authentication is obviated by creating a trust relationship between the two servers. You do this by creating a public/private RSA key on each server and copying the public key to the peer. For more information, see “Establishing an SSH Trust Relationship” on page 85.
Server Authentication
Communication between the Device Server and GUI Server uses a proprietary TCP-based protocol called SSP. This uses AES encryption and is similar to an IPsec VPN tunnel. Authentication is achieved via certificates. Each side of the SSP tunnel has a private and public key. The public keys are exchanged the first time the Device Server connects to the GUI Server. This initial connection makes use of an OTP (one-time password), which is configured on both the Device Server and the GUI Server during installation.
Checking HA Status
Use the following script to get an accurate report on the state of the HA Server:
/usr/netscreen/HaSvr/utils/haStatus
An example of the output is provided below.
[root@NSM1 utils]# ./haStatus
=======================================================
H/A process status
=======================================================
Retrieving status...
highAvail (pid 1681)...............................ON
highAvailSvr (pids 2161)...........................ON
=======================================================
State of the local and peer H/A server
=======================================================
Local Server:
192.168.0.152 running network-up db-repl:in-sync
Peer Server:
0.0.0.0 timed-out(error) network-down db-repl:n/a
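Because a failover before the first successful synchronization can cause serious problems (see "Database Synchronization and Remote Replication" earlier in this chapter), it is worth checking the haStatus output mechanically rather than by eye. The following Python script is an added example, not an NSM utility: it parses the output format shown above into a structure and lists the conditions under which a takeover would be unsafe. The sample text is the output above plus a constructed healthy variant; the readiness checks are an assumed checklist, not logic taken from NSM.

```python
"""Parse NSM haStatus output and list reasons a failover would be unsafe.

Added example, not part of the Juniper installation guide and not an NSM
utility. The sample output is constructed from the format shown in the guide;
field names such as 'db-repl' and 'network-up' are taken from it.
"""
import re

# Constructed sample: the output shown in the guide (peer never reached).
SAMPLE_PEER_DOWN = """\
=======================================================
H/A process status
=======================================================
Retrieving status...
highAvail (pid 1681)...............................ON
highAvailSvr (pids 2161)...........................ON
=======================================================
State of the local and peer H/A server
=======================================================
Local Server:
192.168.0.152 running network-up db-repl:in-sync
Peer Server:
0.0.0.0 timed-out(error) network-down db-repl:n/a
"""

# Constructed healthy variant: peer reachable and replication completed.
SAMPLE_HEALTHY = SAMPLE_PEER_DOWN.replace(
    "0.0.0.0 timed-out(error) network-down db-repl:n/a",
    "192.168.0.153 running network-up db-repl:in-sync",
)

# "highAvail (pid 1681)......ON" / "highAvailSvr (pids 2161)......ON"
PROCESS_RE = re.compile(r"^(\w+) \(pids? [\d ,]+\)\.+(ON|OFF)\s*$")
# "<ip> <state> network-<up|down> db-repl:<value>"
SERVER_RE = re.compile(r"^(\S+) (\S+) (network-\w+) db-repl:(\S+)\s*$")


def parse_ha_status(text):
    """Return {'processes': {name: running}, 'local': {...}, 'peer': {...}}."""
    result = {"processes": {}, "local": None, "peer": None}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROCESS_RE.match(line)
        if m:
            result["processes"][m.group(1)] = m.group(2) == "ON"
            continue
        if line == "Local Server:":
            current = "local"
            continue
        if line == "Peer Server:":
            current = "peer"
            continue
        m = SERVER_RE.match(line)
        if m and current:
            result[current] = {
                "ip": m.group(1),
                "state": m.group(2),
                "network": m.group(3),
                "db_repl": m.group(4),
            }
            current = None
    return result


def failover_readiness(text):
    """Reasons the standby could NOT safely take over; an empty list means ready.

    Assumed checklist: both HA processes running, peer address known, peer
    network up, and peer database replication reported in-sync.
    """
    status = parse_ha_status(text)
    problems = []
    for proc in ("highAvail", "highAvailSvr"):
        if not status["processes"].get(proc, False):
            problems.append(f"{proc} is not running")
    peer = status["peer"]
    if peer is None or peer["ip"] == "0.0.0.0":
        problems.append("peer address unknown")
    elif peer["network"] != "network-up":
        problems.append("peer network down")
    if peer is None or peer["db_repl"] != "in-sync":
        problems.append("peer database replication not in sync")
    return problems


if __name__ == "__main__":
    for name, sample in (("guide output", SAMPLE_PEER_DOWN), ("healthy", SAMPLE_HEALTHY)):
        print(name, "->", failover_readiness(sample) or "ready")
```

On the output reproduced from the guide, the script reports that the peer address is unknown and replication is not in sync, which is the state the guide warns about right after installation; the healthy variant returns no problems. Running it from cron against the haStatus output (or /usr/netscreen/HaSvr/var/HaStatus.txt) gives an alert that does not depend on someone reading the UI.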
Viewing HA Error Logs
You can view the same information by opening the following text file:
/usr/netscreen/HaSvr/var/HaStatus.txt
You can also view error logs generated by the HA Server by opening the following file:
/usr/netscreen/HaSvr/var/errorLog
If the HA Server is in error mode, the haStatus script appends log messages from the /HaSvr/var/errorLog/highAvail.0 error log. You can use this script to view, in real time, the error messages output by the server on which the script is run. If a problem prevents the status from being transmitted, observing the state from the UI alone can be misleading.
HA Utilities
Table 12 on page 77 lists and describes utilities that you can use to manage and maintain the HA Server. All these utilities are located in /usr/netscreen/HaSvr/utils.
Table 12: HA Utilities
Parameter              Description
haStatus               Provides statistics on the HA processes.
replicateDB            Replicates data to the local or secondary server.
restoreDbFromBackup    Restores the local backup to the current configuration.
validateBinaries       Checks if all binaries are present to run the server in HA.
Suggested Simple HA Installation Order
The following procedure summarizes the process for installing NSM in a simple HA configuration:
1. Define system parameters that you need to provide during the installation process.
2. Perform prerequisite steps.
3. Install NSM on the primary server.
4. Install NSM on the secondary server.
5. Install the User Interface. Log in to the primary management system and test that the primary management system is installed and working properly.
6. Allow the primary server to failover.
7. Reboot the UI and verify the connection to the secondary server.
8. Add your managed devices in the UI. Check the device connection to both Device Servers.
Suggested Extended HA Installation Order
The following procedure summarizes the process for installing NSM in an extended HA configuration. In general, we recommend that you install your primary servers first, test that they work properly, and then install the secondary servers. The order in which the four servers are installed is critical to success. In an Extended HA configuration (for example, with four servers), the most important step is to ensure that the PKI information is shared correctly among the servers. A failure to perform this step correctly could cause the Device Server-to-GUI Server connection to fail.
1. Define system parameters that you need to provide during the installation process.
2. Perform prerequisite steps.
3. Install the primary GUI Server.
4. Install the primary Device Server.
5. Install the User Interface. Log in to the primary GUI Server and test that the primary management system is installed and working properly.
6. Install the secondary Device Server.
7. Test that a successful remote replication occurs. You can do this by checking that files are located in the secondary server's /var/netscreen/dbbackup directory.
8. Allow the primary Device Server to failover. You can do this by stopping the primary DevSvr services or rebooting. This process may take several minutes because of the time taken to acknowledge failure, copy files from backup to active directories, and then start the Device Server services. Use the tail -f command on the secondary server's HaSvr error log to view the progress.