SGN7 - Installation Best Practice - Sophos


SafeGuard Enterprise
Installation Best Practice
Product Version: 7
Document date: December 2014

Contents

Introduction
Technical prerequisites
Installation order
1. Installing the SafeGuard Enterprise Server
   1.1 Quick installation reference
   1.2 Installing IIS services
   1.3 Installing the SafeGuard Enterprise Server package
2. Creating the SafeGuard Enterprise Database
   2.1 Quick installation reference
   2.2 Configuring a Windows user to logon to the SQL Server
   2.3 Creating the SafeGuard Database
   2.4 Changing access permissions for the SafeGuard Database
   2.5 Checking the SQL Server Service Settings and the Named Pipes Configuration
   2.6 Adding the SQL user to the SGNSRV-Pool and to the required Active Directory user groups including local permissions
3. Installing the SafeGuard Management Center
   3.1 Quick installation reference
   3.2 Installing the SafeGuard Management Center
   3.3 Running the SafeGuard Management Center Wizard
   3.4 Importing the Active Directory into SafeGuard Enterprise (optional)
   3.5 Importing the license file
4. Installing the SafeGuard Enterprise Server configuration package
   4.1 Quick installation reference
   4.2 Creating the SafeGuard Enterprise Server configuration package
   4.3 Installing the SafeGuard Enterprise Server configuration package
   4.4 Running the invoke test
5. Configuring the SGNSRV web page to use SSL transport encryption
   5.1 Quick installation reference
   5.2 Creating a self-signed certificate
   5.3 Configuring the SGNSRV web page to accept certificates
   5.4 Deploying the certificate to the clients
6. Installing the SafeGuard Enterprise Client on Windows
   6.1 Quick installation reference
   6.2 Checking the availability of the SSL certificate on the client
   6.3 Preparing the client for installation
   6.4 Installing the SGNClient x64.msi and the SGxClientPreinstall.msi
   6.5 Creating the SafeGuard Enterprise Client configuration package
   6.6 Installing the client configuration package
   6.7 Rebooting the machine after installation and initializing the user
7. Installing the SafeGuard Enterprise Clients on Mac OS X
   7.1 Quick installation reference
   7.2 Install Fuse (only required for File Encryption)
   7.3 Install SafeGuard Enterprise File Encryption for Mac
   7.4 Install SafeGuard Enterprise Disk Encryption for Mac
   7.5 Import the SSL certificate to the system keychain
   7.6 Import the SafeGuard Enterprise configuration zip file
8. Technical support
9. Legal notices

Introduction

This document guides you through a typical SafeGuard Enterprise installation with best practice examples and recommendations.

It does NOT replace the SafeGuard Enterprise Installation Guide, but should help with first steps and simple troubleshooting hints during the installation/implementation of SafeGuard Enterprise.

Note: Some steps refer to the SafeGuard Enterprise Administrator help or to the SafeGuard Enterprise User help which can be found in your product delivery.

Please follow the steps in this guideline chapter by chapter and do not skip any – the chapter numbering follows a chronological order. This guideline is designed for system/network/database administrators installing SafeGuard Enterprise (SGN).

This document describes a set-up that is focused on a maximum of security and performance with regards to the communication between the single components. In case a different setup method can be used to install a module this will be highlighted extra.

All installation examples refer to the Windows Server 2012, IIS Server 8 and Microsoft Windows 8.1. Besides this, the document describes a domain situation in which all machines are members of the same domain. As a result of this, operating system specific tasks may differ when using other software or a workgroup environment.

Technical prerequisites

SafeGuard Enterprise supports a large variety of operating systems and hardware. The minimum hardware requirements and the supported operating systems can be found in the release notes of the product which are available in the Sophos Knowledge Database.

It is highly recommended to read the release notes prior to the installation of SafeGuard Enterprise in order to have all the latest information before starting.

Installation order

SafeGuard Enterprise consists of several different modules. The minimum modules in order to build up a working SafeGuard Enterprise infrastructure are:

- The SafeGuard Enterprise Server.
- The SafeGuard Management Center.
- The SafeGuard Database.
- The SafeGuard Client.

Even if the SafeGuard Enterprise Database is not an extra module of the SafeGuard Enterprise product, it is a vital part of the backend structure to have the product working.

Before being able to deploy any SafeGuard Client regardless of the function installed (SafeGuard Device Encryption, Data Exchange, File Share, Cloud Storage, Native Device Encryption) a working backend is required. As a result of this the installation order of SafeGuard Enterprise is like this:

1. Installing the SafeGuard Enterprise Server.
2. Creating the SafeGuard Database.
3. Installing the SafeGuard Management Center and (optionally) importing the Active Directory.
4. Installing the SafeGuard Enterprise Server Configuration package.
5. Configuring the SGNSRV web page to accept a certificate and assigning the certificate for SSL.
6. Installing the SafeGuard Client.

All chapters of this document should be passed in chronological order.

1. Installing the SafeGuard Enterprise Server

On the machine that is hosting the SafeGuard Enterprise web server interface, the installation of Microsoft .Net Framework Version 4 is required (on Windows Server 2012 that is already part of the OS).

Using a dedicated server to host the SafeGuard Enterprise Server is highly recommended. It is possible to run other applications on the same machine but under heavy load from a 3rd party application, the communication between SafeGuard Clients and the SafeGuard Enterprise Server might be impacted.

From a design perspective, we recommend locating the SafeGuard Server(s) close to the Server that hosts the SafeGuard Database. The traffic caused by a communication between a SafeGuard Client and the SafeGuard Server results in up to three times that amount between the Server and Database. Therefore, WAN connections between Client and Server are preferable to WAN connections between SGN Server(s) and the Database Server.

1.1 Quick installation reference

1. Install IIS Services.
2. Install the SafeGuard Enterprise Server.

1.2 Installing IIS services

To install SafeGuard Enterprise on an IIS 8 server it is required to install the IIS services on the Windows Server 2012. Please follow these steps:

1. Start the Server Manager.
2. In the Server Manager Dashboard choose Add roles and features.
   The Add Roles and Features Wizard starts with a Before You Begin page. The wizard asks for verification of the following:
   a. The administrator account has a strong password.
   b. The network settings, such as IP addresses, are configured.
   c. The most recent security updates from Windows Update are installed.
3. On the Installation Type step choose Role-based or feature-based installation and click Next.
4. Select your destination Server and click Next.

5. Select Web Server (IIS) on the Select server roles page. Include the management tools and click on Add Features.
6. On Select features add ASP.NET 4.5 and click Next.

7. On Role Services check Basic Authentication plus Windows Authentication under Security.
8. Check .Net Extensibility 4.5, ASP.NET 4.5, ISAPI Extensions and ISAPI Filters under Application Development.
9. Verify the installation selections and click Install.

10. IIS is now installed with a default configuration for hosting ASP.NET on Windows server. Click Close to complete the process.
11. Confirm that the web server works using http://(Enter machine name without brackets). If the web page is not shown properly, please consult the Microsoft knowledge base (http://support.microsoft.com) for further information.
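The wizard selections in steps 5 to 8 can also be applied and checked from an elevated PowerShell prompt on Windows Server 2012. The script below is an added example, not part of the original Sophos guide; the mapping from the wizard's check boxes to feature names is the editor's, and the final inventory is included so that role services beyond the ones this guide asks for can be reviewed.

```powershell
# Added example (not from the Sophos guide): install and verify the IIS
# role services selected in steps 5-8, using Server 2012 feature names.
$features = @(
    'Web-Server',               # Web Server (IIS) role
    'NET-Framework-45-ASPNET',  # Select features: ASP.NET 4.5
    'Web-Basic-Auth',           # Security: Basic Authentication
    'Web-Windows-Auth',         # Security: Windows Authentication
    'Web-Net-Ext45',            # Application Development: .NET Extensibility 4.5
    'Web-Asp-Net45',            # Application Development: ASP.NET 4.5
    'Web-ISAPI-Ext',            # Application Development: ISAPI Extensions
    'Web-ISAPI-Filter'          # Application Development: ISAPI Filters
)

# Step 5 asks for the management tools as well.
Install-WindowsFeature -Name $features -IncludeManagementTools

# Fail loudly if any required feature did not install.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    throw "Not installed: $($missing.Name -join ', ')"
}

# Inventory of every other installed IIS role service (defaults pulled in by
# the role plus the management tools), for review against what is needed.
Get-WindowsFeature -Name 'Web-*' |
    Where-Object { $_.Installed -and $_.Name -notin $features } |
    Select-Object Name, DisplayName

# Step 11: confirm the default site answers on the local machine name.
$resp = Invoke-WebRequest -Uri "http://$env:COMPUTERNAME/" -UseBasicParsing
"IIS answered with HTTP $($resp.StatusCode)"
```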

1.3 Installing the SafeGuard Enterprise Server package

The installation of the SafeGuard Enterprise Server is divided into two steps:

1. Installing the SafeGuard Enterprise Server package.
2. Installing the SafeGuard Enterprise Server configuration package which is described later in this document. Please proceed with the guide step by step to avoid side effects.
   Note: This step cannot be done until the SafeGuard Management Center is installed.

The installation of the SafeGuard Enterprise Server msi package is quite easy. The detailed steps are:

1. Copy the SGNServer.msi package from the installation DVD or a network location to the machine that runs the IIS Server.
2. Start the installation by double clicking the MSI package.
   Please note: The installation of the SGNServer.msi on Windows Server 2012 and Windows Server 2012 R2 should be run with already elevated privileges, otherwise the installation may fail.
3. The SafeGuard Enterprise server installation wizard comes up and you can choose whether the scheduler service (required for running automated scripts e.g. for maintenance tasks) should get installed in addition to the server itself.
   Note: It is not recommended to change the suggested installation path. Especially when installing other modules of SafeGuard on the same machine this could cause unwanted side effects.
4. To ensure that the installation has completed successfully, open the Internet Information Services Manager (run inetmgr) and check if a web page named SGNSRV is now available.

   To check that everything is working, click on SGNSRV in the left hand pane; the /SGNSRV Home page opens in the center pane. In the right hand pane click on Browse *:80 (http) in the Manage Application section.
5. A new Internet Explorer window opens up and shows the following page:

The first part of the SafeGuard Enterprise Server installation is completed now.

2. Creating the SafeGuard Enterprise Database

SafeGuard Enterprise stores all relevant back-end data within a database. The creation of the database can be done automatically during the SafeGuard Management Center initialization or manually using the SQL scripts which are part of the SafeGuard Enterprise product delivery.

Before setting up the database please check the release notes for a list of supported SQL server versions.

Note: When using the SQL Express Edition to host the SafeGuard Database remember the maximum file size limitation of the database given by Microsoft. In large environments, using the SQL Express Edition might be inappropriate.

This example is based on an SQL 2008 Server Standard Edition including the administrative components. The authentication is configured to mixed mode (SQL and Windows Authentication possible). All SQL services are configured to run in the LOCAL\SYSTEM context (of course this can be configured to run in a different context as well).

2.1 Quick installation reference

1. Promote a Windows user account to log on to the SQL Server.
2. Create the database using the SafeGuard Management Center configuration wizard or by running the SQL script provided on the product CD in the SQL Server Management Studio.
3. Change the SQL permissions according to your security need.
4. Check the SQL Browser Service status and the Named Pipes settings.
5. Enter the Windows/SQL user in the SGNSRV-Pool and the required Active Directory Groups including local permissions.

2.2 Configuring a Windows user to logon to the SQL Server

The logon to the SQL server can be done using either a SQL user account or using a Windows user account which has the right to authenticate at the SQL Server.

If you want to use a SQL user account to authenticate to the database this section can be skipped.

Note: Due to security reasons we recommend using Windows authentication to access the SafeGuard database.

Please follow the steps below:

1. Create a new user account in Windows if no existing user should be used. In this example we are using a new user account named SGNSQL.
2. Open the SQL Server Management Studio.

3. In the left hand pane of the Object Explorer section browse to Security > Logins.
4. Right click on Logins > New Login...
5. Select Windows authentication (default) and then Search...
6. Search the user that should be used for authentication – in this case SGNSQL. Click OK.
7. The user logon name is displayed now in the initial dialog; press OK to complete the user creation. Further actions are not required at this point.

Please consider: Every user that should be able to use the SafeGuard Management Center must have a valid SQL User account when using Windows authentication to connect to the SafeGuard database.

2.3 Creating the SafeGuard Database

The creation of the SafeGuard Database can be done either by using the available SQL scripts which can be found on the product CD or by running the SafeGuard Management Center configuration wizard.

This chapter describes the creation of the database using the SQL scripts. If you want to use the Management Center configuration wizard to create the database this step can be skipped.

The required steps to create the SafeGuard Database are:

1. Copy the script CreateDatabase.sql and CreateTables.sql from the SafeGuard Enterprise product delivery to the SQL server.
2. Double click the CreateDatabase.sql script. The SQL Server Management Studio will open.
   Log on using a user that is allowed to create a database (the newly created user does not have the right by default! In this case do not use the SGNSQL user.)
3. Execute the script either by pressing the relevant GUI button or by using the F5 hot key.
4. Another window pane below the script area opens. The screen output should be Command(s) completed successfully.
5. Now double click on the CreateTables.sql script.
6. Another tab opens in the SQL Server Management Studio.
7. Add the following line at the top of the script area:
       use safeguard
8. Execute the script.

9. Another window pane below the script area opens. The screen output should be Command(s) completed successfully.

The SafeGuard Enterprise Database is now created successfully. At the moment only the user 'sa' and the Administrative account created during the SQL Server installation can be used to access the database.

2.4 Changing access permissions for the SafeGuard Database

The last step is enabling the user account to access the SafeGuard Database. Therefore the user account must be granted access to the database. These access rights are required for all Security Officers who work with the SafeGuard Management Center when Windows NT authentication is used.

As it is possible to assign different roles and permissions to a user on a database only the minimum required ones are described.

Please follow these steps:

1. Open the SQL Server Management Studio.
2. In the Object Explorer section in the left hand pane browse Security > Logins.
3. Select the user that should be enabled (in this example SGNSQL).
4. Right click on the user name > Properties.
5. A new Login Properties window opens.
6. Under Select a page (left hand side) select User Mapping.
7. On the right hand side check the Map box for the SafeGuard database.

8. Below this the Database role membership for: section can now be edited. Select the following roles for the user:
   - db_datareader
   - db_datawriter
   - public
9. Confirm the configuration using the OK button.
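Once the mapping in section 2.4 is in place, the result can be checked without changing anything on the server. The following read-only audit is an added example, not part of the original Sophos guide: it assumes the Invoke-Sqlcmd cmdlet from the SQL Server PowerShell module is available and is run by an account allowed to read the security catalog views, and the server name SQLSERVER01 and domain EXAMPLE are placeholders.

```powershell
# Added example (not from the Sophos guide): read-only audit of the roles
# held by the SafeGuard SQL account. Server and domain are placeholders.
$server   = 'SQLSERVER01'        # placeholder SQL Server instance
$login    = 'EXAMPLE\SGNSQL'     # placeholder domain, account name from this guide
$database = 'safeguard'          # database name used in section 2.3
$expected = @('db_datareader', 'db_datawriter')  # "public" is implicit, never listed

# Explicit database role memberships of the user mapped to this login.
$roleQuery = @"
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(N'$login');
"@

# Server-level check: the account should not be a sysadmin.
$adminQuery = "SELECT IS_SRVROLEMEMBER('sysadmin', N'$login') AS is_sysadmin;"

$actual = @(Invoke-Sqlcmd -ServerInstance $server -Database $database -Query $roleQuery |
            ForEach-Object { $_.role_name })
$admin  = Invoke-Sqlcmd -ServerInstance $server -Database 'master' -Query $adminQuery

$report = [pscustomobject]@{
    Login        = $login
    Roles        = $actual -join ', '
    MissingRoles = @($expected | Where-Object { $_ -notin $actual }) -join ', '
    ExtraRoles   = @($actual | Where-Object { $_ -notin $expected }) -join ', '
    IsSysadmin   = ($admin.is_sysadmin -eq 1)
}
$report | Format-List

# Anything beyond the two roles from step 8 is more than the stated minimum.
if ($report.ExtraRoles -or $report.IsSysadmin) {
    Write-Warning "$login holds more than the minimum roles described in section 2.4."
}
```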

2.5 Checking the SQL Server Service Settings and the Named Pipes Configuration

In order to install the SafeGuard Management Center it is required that the SQL Browser Service is running and that “Named Pipes” “TCP/IP connection” is activated. These settings are required to access the
