Page 1
Network Virus Wall
n
s
Enforcer 1500i
(CR100 Series)
Network Security for Enterprise and Medium Business
Installation and Deployment Guide
TM
Network Security
Page 2
Trend Micro Incorporated reserves the right to make changes to this document and to
the products described herein without notice. Before installing and using the product,
please review the readme files, release notes, and the latest version of the applicable user
documentation, which are available from the Trend Micro Web site at:
http://www.trendmicro.com/download
Trend Micro, the Trend Micro t-ball logo, ActiveUpdate, OfficeScan, Control Manager,
and Network VirusWall are trademarks or registered trademarks of Trend Micro,
Incorporated. All other product or company names may be trademarks or registered
trademarks of their owners.
Copyright © 2003-2010. Trend Micro Incorporated. All rights reserved.
Document part no. NVEM34453/100419
Release date: August 6, 2010 (Version 3.0 Patch 3)
Product name: Trend Micro™ Network VirusWall™ Enforcer 1500i
Protected by US patent no. 5,623,600
Page 3
The user documentation for Network VirusWall Enforcer is intended to introduce the
main features of the product and installation instructions for your production
environment. Read through it prior to installing or using the product.
Detailed information about how to use specific features within the product are available
in the Online Help and the Knowledge Base at the Trend Micro Web site.
Trend Micro is always seeking to improve its documentation. Your feedback is always
welcome. Please evaluate this documentation on the following site:
http://www.trendmicro.com/download/documentation/rating.asp
Page 4
Contents
Preface
Network VirusWall Enforcer Documentation ............................................viii
About This Installation and Deployment Guide .......................................... ix
Audience .............................................................................................................. ix
Document Conventions .................................................................................... x
Chapter 1: Introducing Network VirusWall Enforcer
Network VirusWall Enforcer Overview ..................................................... 1-2
Key Concepts .................................................................................................. 1-3
Device Ports .................................................................................................... 1-3
Port Functions ............................................................................................ 1-4
Chapter 2: Getting Started
Package Contents ............................................................................................ 2-2
Front Panel ...................................................................................................... 2-4
Installing the Bezel ..................................................................................... 2-7
Back Panel ........................................................................................................ 2-9
Network Port Indicators ......................................................................... 2-10
Indicators on Onboard Ports ............................................................ 2-10
Indicators on the Copper Expansion Cards ................................... 2-11
Technical Specifications ............................................................................... 2-11
Installing the Device ..................................................................................... 2-12
iii
Page 5
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Chapter 3: Deploying Network VirusWall Enforcer
Planning for Deployment ............................................................................... 3-2
Deployment Overview ..............................................................................3-2
Phase 1: Plan the Deployment ............................................................ 3-2
Phase 2: Perform Preconfiguration ....................................................3-3
Phase 3: Manage Devices .....................................................................3-3
Deployment Notes ..................................................................................... 3-3
Identifying What to Protect ........................................................................... 3-4
Remote Access Endpoints ........................................................................ 3-5
Guest Endpoints ........................................................................................ 3-8
Key Segments and Critical Assets ............................................................3-9
Dual-Switch VLAN Environment .........................................................3-10
Single-Switch VLAN Environment .......................................................3-12
Networks with IPv6 Addresses ..............................................................3-13
IPv6 Limitations ..................................................................................3-13
Pure IPv6 Environments ...................................................................3-14
Dual-Stack and Mixed Environments ..............................................3-14
Planning for Network Traffic ......................................................................3-15
Determining the Number of Devices to Deploy ................................3-15
Conducting a Pilot Deployment .................................................................3-16
Choosing a Pilot Site ................................................................................3-16
Creating a Contingency Plan ..................................................................3-16
Deploying and Evaluating your Pilot ....................................................3-16
Redefining Your Deployment Strategy ......................................................3-16
Deployment Scenarios ..................................................................................3-17
Basic Deployment Scenario ....................................................................3-17
Failopen Considerations .....................................................................3-18
iv
Page 6
Chapter 4: Preconfiguring Network VirusWall Enforcer
Before Preconfiguration ................................................................................ 4-2
Verifying Network Support ...................................................................... 4-2
Preparing for Preconfiguration ................................................................ 4-2
Understanding Preconfiguration .................................................................. 4-3
The Preconfiguration Console ...................................................................... 4-3
Performing Preconfiguration ........................................................................ 4-4
Logging on the Preconfiguration Console ............................................. 4-4
Configuring Device Settings ..................................................................... 4-6
Enabling Ports and Selecting Port Functions ........................................ 4-7
Setting the Interface Speed and Duplex Mode ..................................... 4-9
Connecting to the Network ........................................................................ 4-10
Configuring Network VirusWall Enforcer ............................................... 4-10
Chapter 5: Troubleshooting and Technical Support
Device Issues ................................................................................................... 5-2
Contents
Index
Getting Technical Support ............................................................................ 5-3
Before Contacting Technical Support .................................................... 5-3
Contacting Technical Support ................................................................. 5-3
v
Page 7
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
vi
Page 8
Preface
Preface
Welcome to the Trend Micro™ Network VirusWall™ Enforcer 1500i Installation and
Deployment Guide. This book contains basic information about the tasks you need to
perform to deploy the device. It is intended for novice and advanced users of who want
to plan, deploy, and preconfigure Network VirusWall Enforcer.
This preface discusses the following topics:
• Network VirusWall Enforcer Documentation on page viii
• About This Installation and Deployment Guide on page ix
• Audience on page ix
• Document Conventions on page x
vii
Page 9
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Network VirusWall Enforcer Documentation
The Network VirusWall Enforcer documentation set consists of the following
documents:
• Dell™ Product Information Guide—this printed document provides safety,
environmental, and regulatory information about the device. Read the safety
information in this document before using Network VirusWall Enforcer.
• Readme—a text file on the USB flash drive, the Readme covers basic getting started
instructions, new features, known issues, and late-breaking information.
• Online Help—Web-based documentation that is accessible from the device’s Web
console; the Online Help explains product screens and discusses administrative
tasks and relevant concepts.
• Installation and Deployment Guide (IDG)—PDF documentation that is accessible
from the provided USB flash drive or downloadable from the Trend Micro Web site.
This IDG contains instructions for deploying the device, a task that includes
planning, testing, and preconfiguration. See About This Installation and Deployment
Guide for chapters available in this book.
If you are planning a large-scale deployment or have a complex network and need
more details about the product and deployment scenarios, refer to the Network
VirusWall Enforcer Administrator’s Guide.
• Administrator’s Guide (AG)—PDF documentation that is accessible from the
provided USB flash drive or downloadable from the Trend Micro Web site.
The AG provides a comprehensive overview of the device and its capabilities. It
discusses policy enforcement scenarios and provides instructions on how to
configure and administer the device using the applicable management tools. It also
includes sections covering frequently asked questions and troubleshooting and
provides a glossary of relevant terms.
Tip: Trend Micro recommends checking the Update Center
(http://www.trendmicro.com/download
components.
viii
) for updates to documentation and product
Page 10
Preface
About This Installation and Deployment Guide
The Network VirusWall Enforcer Installation and Deployment Guide discusses the following
topics:
• Introducing Network VirusWall Enforcer—an overview of the device and its
components
• Getting Started—details of the actual device and its specifications, including
instructions for mounting and powering on the device
• Deploying Network VirusWall Enforcer—recommendations to help you plan for the
deployment of one or more devices
• Preconfiguring Network VirusWall Enforcer—considerations and procedures on how to
perform preconfiguration
• Troubleshooting and Technical Support—troubleshooting tips for issues encountered
during preconfiguration
• Ethernet Cable Usage Guidelines—information on the cables to use depending on port
speed and duplex modes
Audience
This Installation and Deployment Guide is targeted at network administrators who will
deploy the device. Network VirusWall Enforcer documentation assumes basic
understanding of security and networking concepts, including:
• Antivirus and content security protection
• Network concepts (such as IP addressing, subnet masks, dual-stack networks)
• Various network topologies
• Network devices and their administration
• Network configuration (such as the use of VLAN, SNMP)
ix
Page 11
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Document Conventions
To help you locate and interpret information easily, this document uses the following
conventions.
TABLE P-1. Conventions used in this document
CONVENTION DESCRIPTION
ALL CAPITALS
Bold
Italics
Monospace
Note:
Tip:
WARNING!
Acronyms, abbreviations, and names of certain
commands and keys on the keyboard
References to user interface items, including
menus, buttons, tabs, and other labels
References to other documentation
Actual text, typed commands, URLs, file names,
and program output
Important information
Recommendations
Critical information
x
Page 12
Chapter 1
Introducing Network VirusWall Enforcer
This chapter introduces Trend Micro™ Network VirusWall™ Enforcer 1500i and
provides an overview of important concepts and features.
This chapter discusses the following topics:
• Network VirusWall Enforcer Overview on page 1-2
• Key Concepts on page 1-3
• Device Ports on page 1-3
1-1
Page 13
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Network VirusWall
Enforcer
L2 Switch
L3 Switch
L3 Switch
L3 Switch
Endpoint
Network VirusWall Enforcer Overview
Network VirusWall Enforcer is an outbreak prevention and policy enforcement
appliance. It helps stop network viruses (Internet worms), block high-threat
vulnerabilities during outbreaks, and quarantine and clean up infection sources. Network
VirusWall Enforcer, deployed at the network layer, uses threat intelligence from Trend
Micro to protect against threats as they enter the network. The device scans all the
traffic on a specific network segment and applies one policy to an endpoint based on a
first-match rule.
FIGURE 1-1. The device monitors network packets and events that could
Tip: Refer to Understanding Network VirusWall Enforcer in the Administrator’s Guide for a more
comprehensive overview of Network VirusWall Enforcer.
1-2
indicate an attack
Page 14
Introducing Network VirusWall Enforcer
Key Concepts
Before proceeding to the succeeding sections of this document, take note of the
following concepts. These concepts are discussed in detail in the Administrator’s Guide.
• Ethernet—located on the back panel, these ports link to other devices (usually
Layer 2 or Layer 3 devices).
The documentation sometimes refers to copper ports as ports or interfaces (see Device
Ports on page 1-3). Each port functions as one of the following:
• Management port (RJ-45)—dedicated for management purposes. You can
specify only one management port.
• Mirror port (RJ-45)—sends all traffic passing the device to a computer to
capture all data. The data can then be used for debugging purposes. You can
specify one mirror port. Using this port type can impact performance.
• Regular port (RJ-45)—carries analyzed traffic to and from segments. You can
specify multiple regular ports.
• Failopen —a fault-tolerance solution also known as "LAN bypass" that allows the
Network VirusWall Enforcer device to continue to pass traffic even if a software or
hardware failure occurs within the device.
• Link-state failover—a port group setting that turns off the working port if only
one port in a port group is left connected. This ensures that switches immediately
recognize the port group failure and can channel traffic to another route.
Device Ports
Network VirusWall Enforcer supports four network ports, with the first two ports (port
1 and 2) providing management functionality. More specifically, these ports can be
configured as management (MGMT) or mirror (MIRR) ports. Ports 3 and 4 are regular
data ports that connect to the network and provide security functionality. The device
applies its protection features to packets that pass through these data ports.
1-3
Page 15
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Data ports 3 and 4
Management ports
1 and 2
FIGURE 1-2. Network VirusWall Enforcer ports
Port Functions
Network VirusWall Enforcer ports can be classified based on their function. As
described earlier, there are regular data ports and management ports. Management ports
can be assigned different functions as shown in the table below.
TABLE 1-1. Port types
TYPE
(INTERFACE
TYPE; PORT
NUMBER)
FUNCTION
(CODE)
DEFAULT
STATE
DESCRIPTION
Data (Copper
or Fiber; ports
3 onwards)
1-4
Regular
(REG)
Enabled These are the standard ports
used for policy enforcement.
Network VirusWall Enforcer
can assess endpoints connected to this port through L2
or L3 switches.
Page 16
TABLE 1-1. Port types (Continued)
TYPE
(INTERFACE
TYPE; PORT
NUMBER)
FUNCTION
(CODE)
DEFAULT
STATE
Introducing Network VirusWall Enforcer
DESCRIPTION
Management
(Copper;
ports 1 to 2)
Management
(MGMT)
Mirror
(MIRR)
Disabled You can access the Web con-
sole through all regular ports,
but you can also dedicate a
single port for accessing the
Web console and managing the
device.
Assign this function to send all
traffic going through this port.
You can use this port to capture
all scanning data, which can be
used for debugging. Note that
having a mirror port can impact
performance.
While the management ports are onboard ports, Network VirusWall Enforcer data ports
are provided using Silicom PEG2BPi-SD-RoHS (Dual port Copper Gigabit Ethernet
PCI Express Bypass Server Adapter). This server adapter provides maximum network
uptime with copper bypass circuitry.
By using bypass server adapters, Network VirusWall Enforcer data ports provide a
fault-tolerance solution known as "failopen" or "LAN bypass". This solution allows the
Network VirusWall Enforcer to continue passing network traffic even if other device
components fail or when the device loses power.
Note: Management ports do not support failopen.
1-5
Page 17
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
1-6
Page 18
Chapter 2
Getting Started
This chapter guides you through setting up and powering on a Trend Micro™ Network
VirusWall™ Enforcer 1500i device.
This chapter discusses the following topics:
• Package Conten ts on page 2-2
• Front Pan el on page 2-4
• Back Panel on page 2-9
• Technical Specifications on page 2-11
• Installing the Device on page 2-12
2-1
Page 19
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Device with bezel
Power cord
Rack kit
Documents
and USB drive
Package Contents
Figure 2-1 illustrates the package contents.
FIGURE 2-1. Package contents
Note: The actual items in your package may appear slightly different from those shown in
this document.
Refer to Table 2-1 to check whether the package is complete. If any of the items is
missing, please contact Trend Micro support (see Getting Technical Support on page 5-3).
2-2
Page 20
TABLE 2-1. Network VirusWall Enforcer package contents
QUANTITY ITEM DESCRIPTION
Getting Started
1 unit Network VirusWall
Enforcer device
1 piece Power cord Supplies power to the device
1 set Rack kit Mounts the device to a standard 19-inch
1 unit Network VirusWall
Enforcer USB flash
drive
The device and the lockable bezel
rack cabinet
Bootable USB flash drive that can be
used to restore the device operating system and software. This flash drive also
includes tools and device documentation, specifically:
• Image file for the Network VirusWall
Enforcer operating system
• Security Appliance License
Agreement
• Third-party License Attributions
• Administrator’s Guide
• Installation and Deployment Guide
• Quick Start Guide
• Readme
• Trend Micro™ Control Manager™
patches
• Syslog and TFTP tools
Note: Refer to the troubleshooting
section in the Administrator’s
Guide for instructions on how to
use the provided tools.
2-3
Page 21
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
TABLE 2-1. Network VirusWall Enforcer package contents (Continued)
QUANTITY ITEM DESCRIPTION
3 printed
documents
• Security
Appliance
License
Agreement
Printed documents that provide safety,
licensing, and getting started information. Consult these documents before
using Network VirusWall Enforcer.
• Quick Start
Guide
• Dell™Product
Information
Guide
Front Panel
Figure 2-2 shows the controls, indicators, connectors, and features on the front panel,
behind the removable bezel. Table 2-2 provides component descriptions.
2-4
Page 22
Getting Started
7
3
2
5
4
1
8
6
FIGURE 2-2. Front panel
TABLE 2-2. Front panel features
ITEM COMPONENT ICON DESCRIPTION
1 Power-on indi-
cator, power
button
2 Diagnostic indi-
cators (4)
The power button turns the device on
and off. The indicator lights up when
the device is on.
The diagnostic indicators aid in troubleshooting hardware-related issues
with technical support.
2-5
Page 23
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
TABLE 2-2. Front panel features (Continued)
ITEM COMPONENT ICON DESCRIPTION
3 USB connectors
(2)
4 Hard drive
activity indicator
5 Video connector Connects to a monitor; can be used
6 Device status
indicator
7 Device identifi-
cation button
The connectors accept USB 2.0-compliant devices. Use these connectors
to attach a keyboard and configure
the device.
The green hard drive activity indicator flashes when the hard drive is in
use.
to locally access and configure the
device.
The blue device status indicator
lights up during normal device operation.
The amber device status indicator
flashes when the device needs attention due to a hardware problem.
You can use the device identification
buttons on the front and back panels
to locate a particular device within a
rack. When one of these buttons is
pushed, the blue device status indicators on the front and back panels
blink until one of the buttons is
pushed again.
8 NMI button The nonmaskable interrupt (NMI)
button is used to troubleshoot software and device driver errors. This
button can be pressed using the end
of a paper clip. Use this button only if
directed to do so by qualified support
personnel.
2-6
Page 24
A photo of the Network VirusWall Enforcer front panel appears below.
USB ports
Power button
VGA port
FIGURE 2-3. Network VirusWall Enforcer front panel
Installing the Bezel
The device is supplied with a removable bezel as shown in Figure 2-4.
Getting Started
FIGURE 2-4. Network VirusWall Enforcer with the bezel
To prevent users from inadvertently powering off the device, attach the bezel.
2-7
Page 25
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
2
1
1 Keylock 2 Bezel
FIGURE 2-5. Installing and removing the bezel
To install the bezel:
1. Hook the right end of the bezel into the bezel slot on the right side of the device
front plate
2. Rotate the other end of the bezel toward the front panel and press the bezel onto
the panel to engage the latch.
3. Lock the bezel.
To remove the bezel:
1. Unlock the bezel.
2. Unlatch the left end of the bezel and rotate it away from the front panel.
3. Unhook the right end of the bezel and pull the bezel away from the device.
2-8
Page 26
Back Panel
32456 91
10
11
78
Figure 2-6 shows the controls, indicators, and connectors located on the back panel.
Getting Started
1 Power supply
connector
4 USB connectors (2) 5 Serial connector 6 Video connector
7 Network port 1 8 Network port 2 9 NIC expansion slot
10 Device status
indicator
FIGURE 2-6. Back panel
2 Keyboard
connector
11 Device
identification button
3 Mouse connector
2-9
Page 27
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Port 1 Port 3 Port 4
Port 2
1
2
A dual port server adapter occupies the expansion slot. The two ports in this card
correspond to ports 3 and 4, as shown in the image below, for a total of four network
ports.
FIGURE 2-7. Standard four-port configuration
Network Port Indicators
Each Network VirusWall Enforcer port has an indicator that allows you to determine
the port’s current state.
Indicators on Onboard Ports
Each onboard port (ports 1-2) on the back panel has an indicator that provides
information on network activity and link status. The following figures and tables
describe the indicators on the onboard ports.
1 Link indicator 2 Activity indicator
FIGURE 2-8. Onboard port indicators
2-10
Page 28
Getting Started
TABLE 2-3. Indicator codes for onboard ports
INDICATOR CODE STATUS
Link and activity indicators are off. The port is not connected to the network.
Link indicator is green. The port is connected to a valid link part-
ner on the network.
Activity indicator is blinking yellow. Network data is being sent or received.
Indicators on the Copper Expansion Cards
Network VirusWall Enforcer has a two-port gigabit server adapter in its expansion slot.
Each port in the card corresponds to three LED indicators that provide the following
information:
• Link/Activity (top LED, green)—lit at any speed and blinks with activity
• 100 (middle LED, green)—lit when connected at 100Mbit/s
• 1000 (middle LED, green)—lit when connected at 1000Mbit/s
Technical Specifications
The following table lists the technical specifications of Network VirusWall Enforcer:
TABLE 2-4. Technical specifications
SPECIFICATION DETAILS
Base unit Dell™ OEM CR100 Rack Mount Server
Processor Intel™ Core™ 2 Duo E2160 Processor, 2GHz
Memory 1GB ECC
2-11
Page 29
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
TABLE 2-4. Technical specifications (Continued)
SPECIFICATION DETAILS
Onboard NIC Two RJ-45 10/100/1000 Mbps Ethernet
Network adapter
(expansion slot)
Power supply 345W
Silicom™ PEG2BPi-SD-RoHS (Dual Port Copper
Gigabit Ethernet PCI Express Bypass Server
Adapter)
Installing the Device
To use Network VirusWall Enforcer:
• Mounted to a standard 19-inch four-post rack cabinet
The device requires 1 rack unit (RU) of vertical space in the rack.
Tip: If mounting more than one device, position and mount the devices in close
proximity. Doing so allows you to easily maintain the devices.
• On any stable surface as a freestanding device
For freestanding installation, ensure that the device has at least 2in (5.08 cm) of
clearance on each side to allow for adequate airflow and cooling.
WARNING! Ensure that the fan vent is not blocked.
Installing the device involves performing the following tasks.
WARNING! Before performing the following tasks, review the safety instructions in
the Product Information Guide that came with the device.
2-12
Page 30
Getting Started
Rail member lock
(press to release)
Inner
member
Outer
member
Step 1: Unpack the device
Unpack your device. The Network VirusWall Enforcer rack kit is very simple to use but
will require a #2 Phillips-head screwdriver. The kit contains two rail assemblies as well as
screws and brackets for attaching the device.
Step 2: Install the rails and device in a rack
Assemble the rails and install the device in the rack.
To assemble the rack kit:
1. Release and detach the inner member from each of the rails.
FIGURE 2-9. Releasing the inner member
2-13
Page 31
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
FIGURE 2-10. Sliding the inner member out to detach it
2. Using the provided screws, attach the outer member to the rack frame.
FIGURE 2-11. Attaching the outer member to the rack frame
3. Using another set of provided screws, attach the inner member to the Network
VirusWall Enforcer device.
2-14
Page 32
FIGURE 2-12. Attaching the inner member to the device.
Press member lock
4. Mount the device onto the rack.
Getting Started
FIGURE 2-13. Mounting the device
Step 3: Connect the keyboard and monitor (optional)
Connect the keyboard and monitor. The connectors on the back of your device have
icons indicating which cable to plug into each connector. Be sure to tighten the screws
(if any) on the monitor's cable connector.
2-15
Page 33
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Step 4: Connect the power cables
Connect the power cable(s) to the device and, if using a monitor, connect the monitor’s
power cable to the monitor.
Step 5: Turn on the device
Press the power button on the device and on the monitor (optional). The power
indicators should light up.
Step 6: Install the bezel (optional)
Install the bezel. For detailed information, see Installing the Bezel on page 2-7.
2-16
Page 34
Chapter 3
Deploying Network VirusWall Enforcer
Before configuring a Network VirusWall Enforcer device, plan how to integrate the
device into your network. Determine the topology it will support.
This chapter explains how to plan for the deployment. It also provides deployment
scenarios to help you understand the various ways the device can protect your network.
This chapter discusses the following topics:
• Planning for Deployment on page 3-2
• Identifying What to Protect on page 3-4
• Planning for Network Traffic on page 3-15
• Conducting a Pilot Deployment on page 3-16
• Redefining Your Deployment Strategy on page 3-16
• Deployment Scenarios on page 3-17
3-1
Page 35
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
PHASE 1: PLAN DEPLOYMENT
PHASE 2: PERFORM PRECONFIGURATION
Gather network information
Identify your deployment strategy
Conduct a pilot deployment
Redesign your deployment strategy
Perform initial preconfiguration tasks
Perform preconfiguration
Connect the device to your network
Deploy components
Configure basic settings
PHASE 3: MANAGE DEVICES
Planning for Deployment
To take advantage of the benefits Network VirusWall Enforcer can bring to your
organization, you will need to understand the possible ways to deploy one or more
devices. This section provides a deployment overview and introduces important
considerations.
Deployment Overview
Follow three stages of deployment to successfully install the device(s).
Tip: This Installation and Deployment Guide discusses phases 1 and 2. Refer to the Administrator’s
Guide for information related to phase 3.
Phase 1: Plan the Deployment
During phase 1, plan how to best deploy the device(s) by completing these tasks:
• Identify the segments of your network that are in the greatest need of
3-2
protection.
Page 36
Deploying Network VirusWall Enforcer
• Plan for network traffic, considering the location of critical computers, such as
email, Web, and application servers.
• Determine the number of devices needed to meet your security needs and their
locations on the network.
• Conduct a pilot deployment on a test segment of your network.
• Redefine your deployment strategy based on the results of the pilot
deployment.
Phase 2: Perform Preconfiguration
In phase 2, begin implementing the plan you created in phase 1 by performing the
following tasks:
• Perform the initial preconfiguration tasks (see Before Preconfiguration on page
4-2).
• Perform preconfiguration on the device(s) (see Performing Preconfiguration on
page 4-4).
• Connect the device(s) to your network (see Connecting to the Network on page
4-10).
Phase 3: Manage Devices
During phase 3, manage Network VirusWall Enforcer devices from the Web console.
For this phase, consult the following sections of the Administrator’s Guide:
• Understanding Network VirusWall Enforcer provides details about relevant concepts,
including management options, endpoints, security risks, policy enforcement, device
ports, fault tolerance, updatable components, SNMP support, and VLAN support.
• Preparing for Policy Enforcement discusses the tasks you need to perform before creating
policies and deploying them to your network.
• Policy Creation and Deployment covers actual policy creation, providing sample
scenarios and instructions.
Deployment Notes
Consider the following when planning for a deployment:
• All traffic to and from a network segment must go through the device.
3-3
Page 37
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
To protect an organization from network threats, position the device in a key place
on your network segment. The device should be able to scan all network traffic to
prevent, detect, or contain threats.
• Each of the interfaces supports the following port speed and duplex mode settings:
• 10Mbps x
half-duplex
• 10Mbps x
full-duplex
• 100Mbps x
full-duplex
• 1000Mbps x
full-duplex
• 100Mbps x
half-duplex
Note: Both the connected L2/L3 and Network VirusWall Enforcer devices should have
the same port speed and duplex mode. Otherwise, the Network VirusWall
Enforcer port will operate in half-duplex mode. To simplify configuration, you
can set Network VirusWall Enforcer to auto-select the optimum port speed and
duplex mode. Likewise, allow your switch to auto-select the port speed and
duplex mode.
• For IPv4 addresses, the device supports addresses belonging to any class (class A, B,
or C). For IPv6 addresses, it supports global unicast and link-local addresses.
Tip: Although each range is in a different class, you are not required to use any
particular range for your internal network. However, selecting a fixed range
greatly diminishes the chance of IP addressing conflicts.
• Policy enforcement and network virus scan support various actions for
noncompliant or infected endpoints.
Identifying What to Protect
Position Network VirusWall Enforcer between layer 2 (L2) or layer 3 (L3) devices. This
way, the device can apply its protection to packets coming in or out of your network.
3-4
Page 38
Deploying Network VirusWall Enforcer
RAS server
Dialup endpoint
Public switched
telephone network
To the LAN
Identify segments of your network to protect by considering which kinds of endpoints
may introduce security risks or violate security policies. Also, consider the location of
resources that are critical to your organization, such as:
• Remote endpoints that access your internal network resources
• Guest endpoints that temporarily connect to your network
• Key network segments/important network assets, such as places on the network
that contain email, Web, or application servers
Remote Access Endpoints
Remote endpoints access internal network resources in the same manner as the
endpoints already on your network and comprise essentially another internal network
segment. You must consider whether to protect remote endpoints as you do internal
endpoints.
You can consider two types of remote endpoints:
• Dialup/VPN users—telecommuters who typically dial up or use VPN to connect
to your network
• External business units—offices located outside the main network site that need
access to resources on the main network
A home user could establish a dialup connection or a VPN connection to access a
company’s internal network resources. Most likely, business units would establish a VPN
connection.
FIGURE 3-1. Dialup service deployment scenario
3-5
Page 39
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Endpoint
Internet Access
Switch
VPN server
VPN tunnel
To the LAN
Figure 3-1 illustrates a dialup connection between a home user and an organization’s
internal network. A RAS server, the point where the dialup connection terminates, is
connected to a regular port (see Key Concepts on page 1-3 for information about different
types of ports). This means that all packets going between the RAS server and the LAN
pass through the device. Once the home user establishes a connection with the RAS
server, it essentially becomes part of the internal network, as illustrated in the basic
deployment scenario (see Basic Deployment Scenario on page 3-17). The home user accesses
both network resources and the Internet in the same way that internal endpoints access
them.
3-6
FIGURE 3-2. Endpoint-to-site VPN deployment scenario
Figure 3-2 illustrates a connection between a home user and an organization’s internal
network through a VPN server connected to a regular port (see Key Concepts on page 1-3
for information about different types of ports). In this configuration, the home user’s
VPN connection is considered part of the internal network.
Note: Network VirusWall Enforcer must be behind the VPN server, which encrypts and
decrypts VPN traffic.
Page 40
Deploying Network VirusWall Enforcer
Business unit A
Business unit B
VPN tunnel
Network A
Network B
The recommended settings for this scenario are the same as the settings for the dialup
user scenario (see Figure 3-1).
FIGURE 3-3. Site-to-site VPN deployment scenario
Figure 3-3 illustrates a VPN connection between two business units. As in the home user
scenario, a VPN server is connected to a regular port on each device (see Key Concepts on
page 1-3 for information about different types of ports).
3-7
Page 41
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Guest endpoint
Guest endpoint
Guest Endpoints
Guest endpoints are endpoints that do not belong to an internal network domain. They
are often visitors who temporarily access your network resources through their portable
computers. Guest endpoints represent a major risk because they are typically outside the
scope of the network security infrastructure. These endpoints are more likely to violate
antivirus policies and introduce security risks to the network.
3-8
FIGURE 3-4. Guest network deployment scenario
Figure 3-4 illustrates a segment of an internal network for guest endpoints. A wireless
access point, switch, or hub is connected to the regular port (see Key Concepts on page 1-3
for information about different types of ports). This type of topology ensures that the
device scans all traffic before it leaves the guest network segment and makes isolation of
the guest segment possible in the event of a virus outbreak.
Page 42
Deploying Network VirusWall Enforcer
Critical hosts
L2 switch
L3 switch
Key Segments and Critical Assets
Key network segments need to be protected from network-based threats. This may
include a group of endpoint computers or network resources critical to your
organization, such as email, Web, or application servers.
FIGURE 3-5. Key network segments scenario
The diagram above illustrates a segment of an internal network containing email and
Web servers, including endpoints. An internal switch or hub is connected to a regular
port (see Key Concepts on page 1-3 for information about different types of ports),
creating a segment where all packets going in and out of the segment can be scanned.
Installing the device in this position adds the benefits of virus scanning and segment
isolation in the event of a virus outbreak.
3-9
Page 43
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
The device can also guard against attacks that not only originate on the Internet, but also
attacks that may originate from within your network. Since traffic first passes through
the device before reaching email and Web servers, the device can scan and detect
infected packets that come from endpoints on the LAN.
Dual-Switch VLAN Environment
Network VirusWall Enforcer must be placed in line on the physical network to provide
security. In most situations, this means placing it between an upstream switch and one or
more downstream switches.
Most VLAN configurations will utilize two switches. Single-switch VLAN
configurations are possible; for more information, refer to Single-Switch VLAN
Environment on page 3-12. The figures in this section illustrate multiple downstream
switches in a flat topology; however, a single in line configuration is also possible.
In Figure 3-6, the devices are installed between an upstream switch and downstream
switches. This configuration is appropriate when multiple VLANs carry moderate
network traffic, and the upstream switch carries high-bandwidth traffic.
Note: Ensure that Spanning Tree Protocol (STP) is enabled. If STP is not enabled, packets
may loop for an indefinite period.
3-10
Page 44
Deploying Network VirusWall Enforcer
802.1Q Trunk
VLAN 10 VLAN 20 VLAN 30
FIGURE 3-6. Multiple VLAN segments with each device protecting one
segment
In Figure 3-6, the devices are installed on an 802.1Q trunk line between two switches.
3-11
Page 45
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
VLAN 10
VLAN 20
VLAN 30
FIGURE 3-7. Multiple VLAN segments with each device protecting all
segments
Single-Switch VLAN Environment
A single-switch configuration may have the following properties:
• Possible only when using a switch that can be configured to carry individual VLAN
traffic on specific physical ports.
• VLAN 20 is assigned to ports 1 and 2 on the switch.
3-12
Page 46
Deploying Network VirusWall Enforcer
• The upstream network is connected to port 2 on the switch.
• The regular port on Network VirusWall Enforcer is connected to port 1 on the
switch.
• Endpoints are connected to other regular ports on Network VirusWall Enforcer.
FIGURE 3-8. Single-switch VLAN environment
Networks with IPv6 Addresses
Administrators deploying Network VirusWall Enforcer in an environment with IPv6
addresses must plan carefully to ensure that the device can provide protection and does
not interfere with network connectivity.
IPv6 Limitations
Network VirusWall Enforcer provides support for IPv6 environments; however, certain
features, particularly those provided through the Threat Management Agent, are not
supported on IPv6 environments. These unsupported features include:
• Policy enforcement
• Cleanup of infected endpoints detected through threat mitigation
• Trend Micro™ Control Manager™ support
• LDAP authentication
3-13
Page 47
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Pure IPv6 Environments
In environments with purely IPv6 hosts, administrators do not need to perform special
deployment tasks. As long as Network VirusWall Enforcer is supplied with a valid IPv6
address, it can function normally. Note, however, that certain device features are not
available in pure IPv6 environments as described in IPv6 Limitations on page 3-13.
Note: Many resources on the Internet, including the Trend Micro™ ActiveUpdate™ and
product registration servers, are accessible only through IPv4 traffic. When configured
as an IPv6-only host, Network VirusWall Enforcer traffic to and from the Internet
can be translated using a dual-stack proxy.
Dual-Stack and Mixed Environments
Environments with dual-stack hosts or those with both IPv6 and IPv4 hosts require
relatively complex deployment planning. Consider the following key points during
planning:
• Ensure that you configure both an IPv4 and IPv6 address for Network VirusWall
Enforcer if it will be processing both kinds of traffic.
• Network VirusWall Enforcer cannot perform traffic translation when in dual-stack
mode. It will treat IPv6 and IPv4 traffic independently.
• Note the limitations of the device on IPv6 networks as discussed in IPv6 Limitations
on page 3-13.
3-14
Page 48
Deploying Network VirusWall Enforcer
Planning for Network Traffic
The scenario presented in Key Segments and Critical Assets on page 3-9 is a good example
of how to plan for network traffic. There is a strategic advantage to positioning the
device in front of resources that endpoints access regularly, such as an email server or an
Internet gateway. Because many viruses make their way into networks through email
attachments and Web browsers, forcing traffic to pass through the device significantly
reduces the risk of virus infection. Identify other places on your network through which
large amounts of traffic pass and consider placing the device where it can scan the most
traffic.
Determining the Number of Devices to Deploy
Determine how many devices would best meet your security requirements. Consider the
following factors:
• Existing network topology—based on your network topology, identify the
segments that you want the device to protect (see Identifying What to Protect on page
3-4)
• Existing network device interfaces—because a device handles 10/100Mbps or
1Gbps Fast Ethernet traffic, identify the network device interfaces that handle the
same type of traffic and can therefore connect to Network VirusWall Enforcer
devices
• Desired effectiveness of protection—to lower the risk of a virus outbreak
spreading, segment several sections of your network with Network VirusWall
Enforcer devices
• Desired degree of performance—consider the number of endpoints and the
amount of traffic that a device can handle
3-15
Page 49
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Conducting a Pilot Deployment
Trend Micro recommends conducting a pilot deployment in a controlled environment
to help you understand how the device features work. A pilot deployment also helps you
determine how the device can be used to accomplish your security goals and the level of
support you will likely need after a full deployment.
Perform the following tasks to conduct a pilot deployment:
• Choose a pilot site.
• Create a contingency plan.
• Deploy and evaluate your pilot.
Choosing a Pilot Site
Choose a pilot site that matches your planned deployment. Look at other devices on
your network, such as switches or firewalls, and other software installations, such as
OfficeScan
serve as an adequate representation of your production environment.
™ and Control Manager™. Try to simulate the type of topology that would
Creating a Contingency Plan
Trend Micro recommends creating a contingency plan in case there are issues with the
installation, operation, or upgrade of the device. Consider your network’s vulnerabilities
and how you can retain a minimum level of security if issues arise.
Deploying and Evaluating your Pilot
Deploy and evaluate the pilot based on expectations regarding both security
enforcement and network performance. Create a list of items that meet or do not meet
the expected results during the pilot process.
Redefining Your Deployment Strategy
Identify the potential pitfalls and plan accordingly for a successful deployment. Consider
especially how the device performed with the security installations on your network.
This pilot evaluation can be rolled into the overall production and deployment plan.
3-16
Page 50
Deploying Network VirusWall Enforcer
Deployment Scenarios
A deployment plan is dependent upon the options you select. This section provides
examples of a basic deployment scenario.
Tip: See Performing Preconfiguration on page 4-4 and Verifying Network Support on page 4-2
for checklists on how to prepare a device for deployment.
Basic Deployment Scenario
The device can be installed on a network that contains Ethernet devices such as hubs,
switches, and routers. Deploy Network VirusWall Enforcer between a switch that leads
to the public network and a switch that protects a segment of the local area network
(LAN). It can also be installed between an edge switch and a hub.
Figure 3-9 illustrates a basic deployment scenario. A layer 2 (L2) or layer 3 (L3) device is
connected to a regular port.
FIGURE 3-9. Basic deployment
3-17
Page 51
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Network VirusWall Enforcer protects your network as follows:
• Scans traffic to and from endpoints
• Prevents endpoints that violate your security policies from gaining access to
resources
• Isolates endpoints in the event of a virus infection
In this deployment setup, you may opt to enable failopen. With failopen enabled, traffic
can still pass through the device if the device encounters a hardware or system error that
prevents it from filtering network packets.
Failopen Considerations
Consider the following points when using failopen mode:
• All regular ports (ports 3 and 4) on the device support LAN bypass and will allow
traffic to pass when the device is powered off.
• The total length of the network cable connecting a regular port to other devices
must not exceed 100 meters (328 feet) for copper port connections.
Note: This constraint only applies to failopen deployments. The network cable should
not exceed 50 meters. A cable that is longer than the maximum length will
prevent failopen from working, because the natural electrical resistance of copper
wire significantly weakens the signal.
3-18
Page 52
Chapter 4
Preconfiguring Network VirusWall Enforcer
This chapter discusses the following topics:
• Before Preconfiguration on page 4-2
• Understanding Preconfiguration on page 4-3
• The Preconfiguration Console on page 4-3
• Performing Preconfiguration on page 4-4
• Connecting to the Network on page 4-10
• Configuring Network VirusWall Enforcer on page 4-10
4-1
Page 53
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Before Preconfiguration
Complete the following tasks before you preconfigure Network VirusWall Enforcer:
• Test the failopen functionality. Network traffic should still pass through the device
after a hardware or system error or if the device loses power.
• Determine the password for the
Tip: There are two default accounts: Admin and PowerUser. These accounts use
admin and poweruser, respectively, as their default passwords.
• Determine the host name for the device.
Verifying Network Support
In a failopen deployment, the total length of the network cable connecting regular ports
to other devices must not exceed 100 meters (~328 feet).
A cable longer than the maximum length will prevent failopen from working. See
Failopen Considerations on page 3-18 for more information.
admin account.
Preparing for Preconfiguration
To prepare for preconfiguration, check if you have completed the instructions in Before
Preconfiguration on page 4-2 before starting with the succeeding steps.
4-2
Page 54
Preconfiguring Network VirusWall Enforcer
Also, ensure that you can access Network VirusWall Enforcer directly. Before powering
on the device, attach the following peripherals:
• VGA monitor
• Keyboard
Tip: For instructions on how to connect peripherals and power on the device, see Installing
the Device on page 2-12.
Understanding Preconfiguration
Ensure that the tasks in Preparing for Preconfiguration on page 4-2 have been completed
before starting preconfiguration.
To perform preconfiguration:
1. Plan and determine the deployment strategy (see Deploying Network VirusWall
Enforcer on page 3-1).
2. Perform preconfiguration (see instructions in The Preconfiguration Console on page
4-3).
3. Perform configuration tasks (see Configuring Policy Enforcement and Device Settings in
the Administrator’s Guide).
After completing the initial configuration tasks (see Preparing for Preconfiguration on page
4-2), use the Preconfiguration console to proceed.
The Preconfiguration Console
The Preconfiguration console lets you configure basic device settings directly using a
keyboard and a monitor. All initial configuration tasks, like specifying port functions and
the device IP address must be done through the Preconfiguration console.
The Preconfiguration console can also be accessed using an SSH client such as PuTTY.
However, before this can be done, you must configure the device IP address and ensure
that the device can connect to the network. For more information on accessing the
Preconfiguration console remotely, see the Administrator’s Guide.
4-3
Page 55
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Performing Preconfiguration
You must complete the following tasks to preconfigure the device:
1. Logging on the Preconfiguration Console on page 4-4
2. Configuring Device Settings on page 4-6
3. Setting the Interface Speed and Duplex Mode on page 4-9
Logging on the Preconfiguration Console
A few minutes after powering on the device, the attached monitor will display the
Preconfiguration console. If this screen does not display, press CTRL+R.
4-4
FIGURE 4-1. The Preconfiguration console logon screen
Page 56
Preconfiguring Network VirusWall Enforcer
To log on to the Preconfiguration console
1. To get full access to the Preconfiguration console, type the default administrator
user name and password:
User name:
admin
Password: admin
Note: Only the administrator and power user accounts can be used to log on to
the Preconfiguration console. Immediately after logging on to the Web console,
change the passwords to these accounts for increased security. For more
information, see the Administrator’s Guide.
2. After logging on, the Main Menu appears.
Note: The Preconfiguration console has a timeout value of ten minutes. If the console
is idle for ten minutes, it automatically logs off the account. Also, to help protect
the console from unauthorized access, users must wait between each logon
attempt after three unsuccessful attempts.
IGURE 4-2. The Preconfiguration console main menu
F
4-5
Page 57
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Configuring Device Settings
Immediately after logging on to the Preconfiguration console for the first time,
configure the device host name and network settings.
To configure the device settings:
1. On the Main Menu of the Preconfiguration console, type 2 to select Device
Settings. The Device Settings screen appears.
FIGURE 4-3. Device Settings screen
Note: When configuring the device for the first time, factory default settings appear.
2. Type a host name that properly represents the device in the network.
Each device on your network must have a unique host name. Control Manager™
uses this unique host name during registration and as the managed product name.
4-6
Page 58
Preconfiguring Network VirusWall Enforcer
Host names may contain up to 30 alphanumeric characters without spaces. Trend
Micro recommends a unique descriptive host name to represent and identify the
device as seen through the management console. For example, designate
NVWE-NY-main as the host name for a device protecting a New York main office.
3. Type or select the management IP address settings under Management IP settings.
Specify either the IPv4 or the IPv6 settings as necessary. When using Network
VirusWall Enforcer as a dual-stack host, provide both IPv4 and IPv6 settings.
WARNING! If there is a NAT device in your environment, Trend Micro recom-
mends assigning a static IP address to the device. Because different
port settings are assigned from your NAT, your device may not work
properly if dynamic IP addresses are used.
4. After specifying the network settings, press ENTER.
Enabling Ports and Selecting Port Functions
Depending on your desired deployment, you may need to enable certain ports and
specify their function. By default, only the regular ports are enabled. So, if you need to
use management or mirror port functionality, you need to enable the management ports,
which are ports 1 and 2.
4-7
Page 59
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
3
4
1
2
1
2
34
To enable non-regular ports and modify their function:
1. On the Main Menu of the Preconfiguration console, type 4 to open the Interface
Settings screen.
FIGURE 4-4. Interface Settings screen
2. Type 2 to select Interface setting.
The Interface Settings screen changes so that the function of each port can be
selected and modified.
3. Select a port by using the up and down arrows. Each port number corresponds to
the physical ports as shown below.
FIGURE 4-5. Network VirusWall Enforcer ports
4-8
Page 60
Preconfiguring Network VirusWall Enforcer
4. To modify the function of the selected port depending on your deployment
strategy, press the
SPACEBAR. Disabled management interface (onboard) ports can
be assigned the following functions:
• DIS—the port is disabled; this is the default setting
• MGMT—the port is specifically used to manage the device
• MIRR—the port is used to mirror network traffic to another computer; this is
typically used for debugging
Tip: For more information about different port functions, see Port Functions on page 1-4.
5. Select Return to the previous menu and press ENTER.
Setting the Interface Speed and Duplex Mode
Both the connected L2/L3 and Network VirusWall Enforcer devices should have the
same port speed and duplex mode. Otherwise, the Network VirusWall Enforcer port
will operate in half-duplex mode. To simplify configuration, you can set Network
VirusWall Enforcer to auto-select the optimum port speed and duplex mode. However,
manual selection of the correct port speed and duplex mode can help ensure optimal
network performance. Use the Preconfiguration console to configure the interface
speed and duplex mode.
To set the interface speed and duplex mode:
1. On the Interface Settings screen, type 1 to open the Interface speed & duplex
mode setting screen, which displays the current interface speeds and duplex
settings of all ports.
2. Select a port by using the up and down arrows.
3. Select the speed, using the SPACEBAR to scroll through the speed and duplex
mode options. For more information on the supported speed and duplex modes,
see Deployment Notes on page 3-3.
4. After configuring all port speeds and duplex modes, select Return to the previous
menu to go back to the Interface Settings screen.
4-9
Page 61
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
5. Type 3 to select Return to Main menu. The Main Menu displays.
6. Select Save and Log Off to make changes take effect.
Note: In order to apply the configuration changes made in the Preconfiguration console,
you must save and log off.
Connecting to the Network
Make sure you preconfigure the device before attempting to connect the device to the
network. After preconfiguration, switch off the device before connecting it to the
network.
To connect the device to your network:
1. Connect one end of the cable to a regular port and the other to a segment of your
network.
2. Power on the device.
Note: Network VirusWall Enforcer can handle various interface speed and duplex mode
network traffic. See Setting the Interface Speed and Duplex Mode on page 4-9.
Configuring Network VirusWall Enforcer
After preconfiguring Network VirusWall Enforcer, you can configure the device and
start protecting your network.
Trend Micro recommends performing the following tasks after preconfiguring a device:
• Change the password for the default accounts
• Activate the device
• Update components
• Configure policy enforcement
For more information, refer to the Online Help and the Administrator’s Guide. See Network
VirusWall Enforcer Documentation on page viii.
4-10
Page 62
Chapter 5
Troubleshooting and Technical Support
This chapter provides troubleshooting information for issues that may arise during the
preconfiguration.
Tip: Refer to the Administrator’s Guide for answers to frequently asked questions and other
troubleshooting tips.
This chapter discusses the following topics:
• Device Issues on page 5-2
• Getting Technical Support on page 5-3
5-1
Page 63
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Device Issues
#ISSUE CORRECTIVE ACTION/EXPLANATION
1 admin pass-
word misplaced
or forgotten
2 Unable to
access the Preconfiguration
console remotely
3 Network packet
delivery is too
slow and seems
to be blocked
You have two options:
1. If the device has registered to Control Manager, you
can access the Web console and change the password
through the Control Manager console using a Control
Manager account.
2. You can reload the device image from the provided
USB flash drive. Note that this will remove any settings
and policies stored on the device.
Note: Reloading the Network VirusWall Enforcer
image will restore the default settings. You can
only recover device settings if you exported
them to a file earlier.
Verify secure console port connections and SSH client
software settings.
See the Administrator's Guide for more information on
accessing the Preconfiguration console remotely.
Network VirusWall Enforcer does not refresh its MAC
address table if one of the links fails. The result is a
temporary delay in packet delivery.
5-2
Page 64
Troubleshooting and Technical Support
Getting Technical Support
Trend Micro is committed to providing service and support that exceeds your
expectations. You must register your product to qualify for support.
Before Contacting Technical Support
Before contacting technical support, see if these resources can help you address your
problem:
• Product documentation—the Administrator’s Guide, Installation and Deployment
Guide, and Online Help provide comprehensive information about Network
VirusWall Enforcer. Search these documents for helpful information.
• Knowledge Base—a key part of our technical support Web site, the Trend Micro
Knowledge Base contains the latest information about Trend Micro products.
To search the Knowledge Base, visit:
http://esupport.trendmicro.com
Contacting Technical Support
In addition to phone support, Trend Micro provides the following resources:
• Email support
support@trendmicro.com
• Online Help—configuring the product and parameter-specific tips
• Readme—late-breaking product news, installation instructions, known issues, and
version specific information
• Knowledge Base—technical information procedures provided by the Support team:
http://esupport.trendmicro.com
• Product updates and patches
http://www.trendmicro.com/download/
To locate the Trend Micro office nearest you, visit:
http://www.trendmicro.com/en/about/contact/overview.htm
5-3
Page 65
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
Having the following information ready before you contact our support staff can help
them resolve problems faster:
• Device model and image (firmware) version
• Deployment setup
• Interface speed and duplex mode settings
• Exact text of any error messages
• Steps to reproduce the problem
5-4
Page 66
Index
A
activation
4-10
activity indicator
Administrator’s Guide
airflow and cooling
audience
B
back panel
basic deployment
bezel
2-3, 2-7–2-8, 2-16
installation 2-8
removal 2-8
C
cabling
3-18
concepts
configuration
Control Manager
conventions
critical hosts
D
data interface
data ports
delayed packets
Dell
viii
Dell OEM CR100
deployment
identifying what to protect 3-4
2-10
viii, 2-3
2-12
ix
2-9
3-17
1-3
4-6, 4-10
2-3, 5-2
x
3-9
1-4
1-3
5-2
2-11
number of devices 3-15
overview 3-2
planning 3-2
deployment scenarios
basic deployment 3-17
deployment strategy
device identification button
device image
device ports
device settings
device status indicator
diagnostic indicators
dialup
3-5–3-6
DIS
4-9
document sections
documentation
audience ix
conventions x
dual-stack
dual-switch VLAN environment
duplex mode
E
Ethernet
expansion slot
F
failopen
failopen considerations
4-7
1-3
1-3, 1-5
cable length 3-18
3-17
3-16
2-6, 2-9
5-2
1-3
4-6
2-6, 2-9
2-5
ix
4-9
2-11
3-18
3-10
IX-1
Page 67
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
fault-tolerance
first-match rule
freestanding installation
frequently asked questions (FAQs)
front panel
G
glossary
guest endpoints
H
hard drive activity indicator
host names
I
image file
installation
connecting the power cable 2-16
installing the bezel 2-16
keyboard and monitor 2-15
rack mounting 2-13
rail assembly 2-13
turning on the device 2-16
Installation and Deployment Guide
Intel Core 2 Duo
interface speed
introduction
IPv4 addresses
IPv6 addresses
IPv6 networks
dual-stack and mixed environments 3-14
limitations 3-13
pure environments 3-14
issues
K
key network segments
keyboard
keylock
1-3, 1-5
1-2
2-12
viii, 5-1
2-4, 2-7
viii
3-8
2-6
4-7
2-3
2-12
viii, 2-3
2-11
4-9
1-1
3-4
3-4
3-13
5-2
3-9
4-3
2-8
L
LAN bypass
LED indicators
link indicator
link-state failover
M
management interface
management IP address
management port
memory
MGMT
MIRR
mirror port
monitor
mounting the device
N
NAT devices
network cables
network layer
network port
network traffic, planning for
network virus scan
NIC expansion slot
nonmaskable interrupt (NMI) button
non-regular ports
O
onboard NIC
Online Help
outbreak prevention
overview
P
package contents
packet delivery
passwords
1-3, 1-5
2-11
2-10
1-3
1-5, 4-8
4-7
1-3, 1-5
2-11
1-3, 1-5, 4-9
1-3, 1-5, 4-9
1-3, 1-5
2-6, 4-3
2-12
4-7
4-2
length 3-18
1-2
2-9
3-15
3-4
2-9
4-8
2-12
viii
1-2
viii
2-2–2-3
5-2
4-10
2-6
IX-2
Page 68
Index
default 4-5
lost passwords 5-2
pilot deployment
contingency plan 3-16
evaluation 3-16
site 3-16
policy enforcement
policy enforcement scenarios
port functions
port indicators
copper expansion cards 2-11
onboard ports 2-10
ports
1-3
default state 1-4
power button
power cord
power supply
power-on indicator
preconfiguration
network verification 4-2
performing 4-4
preparations 4-2
troubleshooting 5-1
understanding 4-3
Preconfiguration console
access issues 5-2
logon 4-4
password 4-5
remote access 4-3, 5-2
saving changes 4-10
timeout 4-5
preface
vii
printed documents
processor
Product Information Guide
PuTTY
3-16
1-2, 3-4, 4-10
1-4, 4-7
2-5
2-3
2-12
2-5
4-1
4-3
2-4
2-11
viii, 2-4
4-3
viii
Q
Quick Start Guide
R
rack cabinet
rack kit
2-3, 2-13
RAS server
Readme
viii, 2-3
REG
1-4
regular port
remote access service
remote clients
S
safety information
safety instructions
Security Appliance License Agreement
serial connector
server adapter
Silicom
1-5, 2-12
single-switch VLAN environment
specifications
SSH client
standard configuration
static IP address
syslog
2-3
T
TFTP tool
Third-party License Attributions
troubleshooting
U
unpacking
Update Center
updates
4-10
USB connectors
USB flash drive
2-3–2-4
2-12
3-6
1-3–1-4
3-5
3-5
viii
2-12
2-9
1-5, 2-11–2-12
3-12
2-11
4-3
2-10
4-7
2-3
2-3
viii, 5-1
2-13
viii
2-6, 2-9
viii, 2-3, 5-2
2-3–2-4
IX-3
Page 69
Trend Micro™ Network VirusWall™ Enforcer 1500i (CR100 Series) Installation and Deployment Guide
V
VGA
4-3
video connector
VLAN
VPN
3-5
2-6, 2-9
3-12
IX-4
Loading...