trusted Professional Services
Implementation Training SafeGuard Enterprise 5.50
Agenda
1. Introduction
2. Installation and configuration
3. Environment recommendations
4. Client configuration policies
5. Dealing with installation issues
6. Working with the scripting API
7. Product implementation in practice
8. Online exam
SafeGuard Enterprise Implementation Training
By the end of this course you will be able to …
- Install and configure the product in a customer environment.
- Tell what the technical prerequisites for the product are.
- Design a reliable and scalable SGN environment.
- Implement the customer's data security requirements with SGN.
Training path: Base Training (1 day), Implementation Training (2 days), Maintenance Training (1 day)
Learning style
This training works with four learning styles:
- Theoretical PowerPoint presentation
- Step-by-step hands-on exercises with printed exercise scripts
- Trainer-led exercises
- Demos presented by the trainer
All to be done in VMware.
Environment used in this training
Training environment:
- Virtual LAN in bridged mode
- External notebook for feature demos
- Server roles: Active Directory, DHCP, DNS, IIS, SQL
This training environment is limited to three virtual machines, therefore IIS and SQL are running on the domain controller.
Training environment *)

Machine   | Roles                                           | Accounts
SERVER    | Domain Controller, SGN Server, SGN SQL database | Domain Administrator, password: utimaco; SQL sa user, password: utimaco
XP-ADMIN  | SGN Management Center, SGN Client               | To be used by: John (SGN MSO), password: utimaco
XP-CLIENT | SGN Client / SGE 5.50 Client                    | To be used by: Marc (SGN user), Administrator (standalone user), password: utimaco

*) This setup is for training only and does not follow the “real life” SGN recommendations.
Training environment
Before we start, we revert the training environment to the „base“ snapshots.
Do the following steps for all virtual machines.
Agenda
1. Introduction
2. Installation and configuration
   • SGN Back-end
   • SGN Client
   • SGE Client
3. Environment recommendations
4. Client configuration policies
5. Dealing with installation issues
6. Working with the scripting API
7. Product implementation in practice
8. Online exam
Installation and configuration
This chapter will provide insight into:
- Preparation and installation of SafeGuard Enterprise back-end components
  - SafeGuard Enterprise Server
  - SafeGuard Enterprise Management Center
- Creation of a database for SafeGuard Enterprise
- Installation and configuration of SafeGuard Easy 5.50
Preconditions
SafeGuard Enterprise 5.50 requires (1/2):
For the SGN Servers:
- Microsoft Windows 2003 Server >= SP1
- Microsoft Windows 2008 / R2 Server
- Internet Information Services 6.0/7.0 incl. ASP.net >= 3.1 SP1
For the SGN Database:
- Microsoft SQL Server, which can be
  - MS SQL 2005 / 2008 Express Edition
  - MS SQL 2005 / 2008
(Already prepared in the virtual training environment.)

Preconditions
SafeGuard Enterprise 5.50 requires (2/2):
For the SGN Management Center:
- Microsoft Windows XP >= SP2
- Windows Vista
- Windows 7
- Microsoft .NET Framework >= 3.1 SP1
For the SGN Client:
- Microsoft Windows XP >= SP2
- Windows Vista
- Windows 7
(Already prepared in the virtual training environment.)
SafeGuard Enterprise installation
Components in the overview diagram:
- Microsoft SQL Server
- Active Directory (optional)
- Microsoft IIS
- Microsoft Windows XP or Windows Vista or Windows 7
- Microsoft Windows XP or Windows Vista or Windows 7
64 bit OS versions are supported.
SafeGuard Enterprise installation
2. Install SGN Management Center3. Establish connection to SQL Server4. Create initial Master Security Officer
6. Set up database7. Install SGN Servers
8. Create and installSGN Server Config.Contains: DB credsDNS name DB ServerCompany Certificate
13. Create and installSGN Client Config.contains: DNS name(s) SGN server(s) Company Certificate
12. Install SGN Client
10. Establish connection to AD11. Import objects from AD
5. Create Company Certificate
1. Prepare SQL Server
14
9. Setup SSL
Single dedicated machines in a „real“ environment
SafeGuard Enterprise installation in training
Machines: SERVER, XP-Admin, XP-Client
SafeGuard Enterprise components at work
- SGN Management Center
- SGN Server(s)
- SGN Client with SGN User
- Active Directory
- SGN Database
SGN Security Officer policies enable e.g.: Authentication, Encryption, Configuration Protection, Logging.
Communication matrix – ports & protocols

From                  | To               | Purpose                                                                 | Protocol | Port
SGN Management Center | SGN database     | SGN MSO/SO access to database (data exchange / direct database access)  | ADO.net  | tcp#1433/1434
SGN Clients           | SGN Server(s)    | SGN Clients loading SGN settings from IIS and reporting back            | SOAP     | tcp#80 default (443 for SSL)
SGN Server(s)         | SGN database     | Database server exchanges SGN config data with IIS                      | ADO.net  | tcp#1433/1434
SGN Management Center | Active Directory | SGN MSO/SO imports users and computers from AD (objects import)         | LDAP     | tcp#389 (636*)

*) If SSL login to AD is used
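As an added example (not part of the training material or the product), the following Python script encodes the communication matrix above and checks, from one component's point of view, that the TCP flows it needs are reachable; the host names and the injectable connector are assumptions so the logic can also be exercised offline.

```python
"""Reachability check for the SGN communication matrix above.

Added example, not part of the training material or the product. It encodes
the ports and protocols of the matrix and tests, from one component's point
of view, that the TCP flows it needs are open. Component names are the
slide's; host names are assumptions for the training environment.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    source: str    # component that opens the connection
    target: str    # component that must accept it
    port: int
    purpose: str


def required_flows(ssl_client: bool = False, ssl_ldap: bool = False) -> list[Flow]:
    """Flows of the communication matrix.

    ssl_client: client/server communication over SSL (tcp 443 instead of 80).
    ssl_ldap:   SSL login to AD for the object import (tcp 636 instead of 389).
    """
    web = 443 if ssl_client else 80
    ldap = 636 if ssl_ldap else 389
    return [
        Flow("Management Center", "SGN database", 1433, "ADO.net database access"),
        Flow("Management Center", "SGN database", 1434, "ADO.net database access"),
        Flow("SGN Client", "SGN Server", web, "SOAP: load settings, report back"),
        Flow("SGN Server", "SGN database", 1433, "ADO.net config data exchange"),
        Flow("SGN Server", "SGN database", 1434, "ADO.net config data exchange"),
        Flow("Management Center", "Active Directory", ldap, "LDAP object import"),
    ]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(source: str, hosts: dict[str, str], connect=tcp_connect,
                **matrix_opts) -> dict[Flow, bool]:
    """Check every flow that `source` must be able to open.

    hosts maps a target component to its host name or IP (assumed names);
    connect is injectable so the logic can be exercised offline.
    """
    results: dict[Flow, bool] = {}
    for flow in required_flows(**matrix_opts):
        if flow.source == source:
            results[flow] = connect(hosts[flow.target], flow.port)
    return results


def blocked(results: dict[Flow, bool]) -> list[str]:
    """Failed flows in a form that can go straight into a firewall request."""
    return [f"{f.source} -> {f.target}:{f.port} ({f.purpose})"
            for f, ok in results.items() if not ok]


if __name__ == "__main__":
    # Training environment: SERVER hosts the domain controller, IIS and SQL.
    hosts = {"SGN database": "SERVER", "SGN Server": "SERVER",
             "Active Directory": "SERVER"}
    for line in blocked(check_flows("Management Center", hosts, ssl_client=True)):
        print("blocked:", line)
```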
SafeGuard Enterprise installation
Side note: Setup help is available
- Installation Best Practice Guide: www.sophos.com/support/knowledgebase/article/110259.html
- Installation Advisor on the product CD
- Installation videos on the product CD
SafeGuard Enterprise Database
The SafeGuard Enterprise Database stores (amongst others) …
- objects
- encryption keys and certificates
- configuration policies
- Security Officers
- SGN events for auditing
It is accessed by…
- SafeGuard Enterprise Management Center, used by Security Officers
- SafeGuard Enterprise Servers
SafeGuard Enterprise Database
SafeGuard Enterprise objects can be
- imported from an Active Directory
- autoregistered
- manually generated
Objects are
- Users
- Computers
- Active Directory Domains
- Organizational Units (OUs)
- Workgroups
- Manually generated groups
SafeGuard Enterprise Database
Two ways to create the SGN database:
- Using the Management Center configuration wizard, done by the initial Master Security Officer
- Using a SQL script, by a SQL server operator
Authentication methods to the database:
- Windows authentication (recommended method)
  - Preferred method in productive customer environments
  - Refer to the SGN Best Practice Guide in the Sophos knowledge database
- SQL user authentication
  - Preferred method for customer demos and test installations
  - Quick and easy setup
  - Usually not used in productive customer environments

SafeGuard Enterprise Database
Exercise IT1 - Setting up accounts for SGN on a Microsoft SQL Server
SafeGuard Enterprise Server
SGN Servers are basically interfaces between the SGN Database and the SGN Clients.
SGN Servers
- provide settings on request to the SGN clients
- run as an application on a Web Server: Microsoft's Internet Information Services (IIS) with ASP.net installed
- have access to the SGN database
SafeGuard Enterprise Management Center
The SafeGuard Management Center is the central management tool, to be used by Security Officers.
It is used for management of
- policies
- keys
- certificates
- tokens
- objects
- …
Installation
Exercise IT2 - Implementation of SGN Server and SGN Management Center
Exercise IT3 - Setting up the SGN Server
Client Server communication with SSL
SGN supports two encryption modes for secure client server communication:
- Integrated Sophos encryption (default mode)
- Certificate based SSL encryption (recommended method)
SSL is generally recommended:
- SSL is approximately 40% faster
- SSL furthermore supports parallel connections to multiple threads and CPUs
- But the initial setup is slightly more complex
Client Server communication with SSL
Next is to set up SSL for Client Server communication.
There is a knowledge base article in the support area on www.sophos.com.
Take this article from your training binder and do the described steps for IIS 6.0 on the Windows 2003 Server.
We do the exercise with a self-signed certificate.

Client Server communication with SSL
Exercise - Implementing SSL for Client Server Communication
Database creation script
As mentioned already:
- SGN needs a database to store the objects (machines, users, policies…)
- The database can be generated by the installation wizard provided by the SGN Management Center.
  - Therefore a user with (temporary) „dbcreator“ rights is necessary on the SQL Server
  - Some customers do not want to give users „dbcreator“ rights on the SQL Server
- To solve this issue, SGN provides a database creation script

Database creation script
Exercise IT4 - Creation of the SGN Database by the SQL Administrator
Objects imported from the Active Directory
SGN can work with objects imported from the Active Directory.
Importable objects are basically:
- Users
- Computers
Objects are imported including their membership belonging to:
- Domains
- Organizational Units (OUs)
- User groups
Whenever something has changed in the AD, a re-import can be done
- manually
- via synchronization script on a SO machine
- via synchronization script on an SGN Server
Manually created objects
Instead of AD import, SGN objects can also be created
- in the Management Center
- by using a script
Objects which can be created are
- User groups
- Workgroups
- Domains
Suitable for:
- Customers who have no AD
- Customers with mixed environments
Objects import from the Active Directory
Side note:
Before customers do their first Active Directory import, they should consider whether or not they want SGN to auto-generate encryption keys for every manageable object in the AD.
- Doing so will give them much freedom in creating encryption policies for any organizational unit or group.
- In larger environments this may result in a long list of inherited keys in the user key rings.
- Alternatively customers may choose to turn off auto-generation of keys and manually create those few group keys they actually intend to use in their organization.

Objects import from the Active Directory
Exercise IT5 - Importing objects from the Active Directory
Installation Advisor
Side note: We have an SGN Installation Advisor
- It is a graphical user interface (GUI) program
- Designed to help customers to install and configure a new SafeGuard Enterprise environment
- It provides step-by-step instructions for a new installation
- It can also install necessary support programs
- It's on the product CD
Security Officer Management
SO Management
- SOs can have sub SOs and manage them
- SOs can delegate a subset of their rights to sub-officers
- SOs can now be grouped
  - Includes easy handling with drag and drop
- SO permissions are now more fine-grained
- Large numbers of SOs can now be managed more easily
- SO menus have been modified
  - SO properties setup has been reworked
  - SO role creation menu has been simplified

Security Officer Management
Hierarchical Security Officer management
- MSO logged in: all SOs visible and configurable
- SO logged in: only sub SOs visible and configurable

Security Officer Management
SO properties setup

Security Officer Management
Simple SO role creation

SGN Security Officers
Exercise IT6 - Working with SGN Security Officers
Installation and configuration
This chapter will provide insight into:
- Preparation of user machines for SGN
- Installation of SafeGuard Enterprise clients
- User Machine Assignment (UMA)
- SGN Service Accounts
SafeGuard Enterprise Client
The SafeGuard Enterprise Client
- prevents unauthorized machine boots with its POA
- allows only assigned users to authenticate, with:
  - Token
  - User ID and password
- puts SafeGuard policies into operation, e.g. for
  - Authentication
  - PIN and password rules
  - Volume based encryption
  - File based encryption
  - Configuration Protection
  - Data Exchange
  - … and many more …

SafeGuard Enterprise Client
Exercise IT7 - Deployment of SGN client
User - machine - assignment (UMA)
- After initial client installation the POA is in autologon mode
- The first user who logs on to Windows on an SGN protected machine becomes assigned as the owner and the POA gets activated
- It's possible to assign additional users by several methods

User - machine - assignment (UMA)
- Users can also be assigned by the SGN Client owner
  - Possible by default
  - Just "passthrough to Windows" has to be disabled in the POA by the SGN Client owner
- Security Officers can assign users to machines
  - Precondition is that the user has a certificate and the respective machine is up and running in Windows and can synchronize with the SGN back end
SGN Service Accounts
- SGN 5.50 introduces Service Accounts
- All users in the SG database can be flagged to be a Service Account (SA)
- SA users are ignored for the User Machine Assignment (UMA)
  - Main purpose: software roll out
- SA users do not activate the POA
- SA users do not take ownership of an SGN machine where they log into Windows

SGN Service Accounts
- Service Accounts are to be added manually in the policy section
- Wildcards can be used, such as
  - admin* for the user - * for the domain
  - john* for the user - utimaco* for the domain
- Service Accounts are to be assigned to SGN machines via the Authentication Policy

Systray icon
The "SGN user state" message shows the possible states:
- Pending: The replication of the user in the POA is pending.
- SGN user (owner): The user logged on is the SGN owner.
- SGN user: The user logged on is an SGN user, but not the owner.
- SGN guest: The user logged on is an SGN guest user.
- SGN guest (service account): The user logged on is an SGN guest user who has logged on using a service account.
- Unknown: Indicates the user state cannot be determined.

SafeGuard Enterprise Client
Exercise IT8 - SGN Service Accounts and User Machine Assignment (UMA)
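The UMA and Service Account rules from the slides above, modelled as an added Python example (not part of the training material or the product). It assumes that a logged-on Windows user who is neither owner nor assigned is reported as "SGN guest", and that only the owner can add further users; the account names and the wildcard list are constructed samples.

```python
"""User Machine Assignment (UMA) with Service Accounts.

Added example, not part of the training material: it models the UMA rules
from the slides (POA in autologon mode after installation, first
non-service-account Windows user becomes owner and activates the POA,
Service Account patterns with wildcards on user and domain are ignored by
UMA). Assumption: a logged-on user who is neither owner nor assigned is
reported as "SGN guest". Account names below are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ServiceAccountRule:
    """One line of the Service Account list, e.g. user 'admin*', domain '*'."""
    user_pattern: str
    domain_pattern: str

    def matches(self, user: str, domain: str) -> bool:
        # Windows account names are not case sensitive, so compare lower-cased.
        return (fnmatchcase(user.lower(), self.user_pattern.lower())
                and fnmatchcase(domain.lower(), self.domain_pattern.lower()))


@dataclass
class SgnMachine:
    """State of one SGN client as far as UMA is concerned."""
    service_accounts: list[ServiceAccountRule] = field(default_factory=list)
    owner: str | None = None                  # set by the first regular logon
    poa_active: bool = False                  # False = POA still in autologon mode
    assigned: set[str] = field(default_factory=set)

    @staticmethod
    def account(user: str, domain: str) -> str:
        return f"{domain}\\{user}".lower()

    def is_service_account(self, user: str, domain: str) -> bool:
        return any(r.matches(user, domain) for r in self.service_accounts)

    def windows_logon(self, user: str, domain: str) -> str:
        """Apply UMA to a Windows logon and return the systray 'SGN user state'."""
        if self.is_service_account(user, domain):
            # Service accounts neither take ownership nor activate the POA.
            return "SGN guest (service account)"
        acct = self.account(user, domain)
        if self.owner is None:
            # First regular user: becomes owner, POA leaves autologon mode.
            self.owner = acct
            self.assigned.add(acct)
            self.poa_active = True
            return "SGN user (owner)"
        if acct in self.assigned:
            return "SGN user"
        return "SGN guest"

    def assign_user(self, by: str, user: str, domain: str) -> bool:
        """Owner adds a further user (the 'assigned by the SGN Client owner' path).

        Assumption: only the owner may do this, and only once the POA is active.
        """
        if not self.poa_active or by.lower() != self.owner:
            return False
        self.assigned.add(self.account(user, domain))
        return True


if __name__ == "__main__":
    box = SgnMachine([ServiceAccountRule("admin*", "*"),
                      ServiceAccountRule("john*", "utimaco*")])
    for user, domain in [("Administrator", "XP-CLIENT"), ("Marc", "UTIMACO"),
                         ("john", "utimaco"), ("Anna", "UTIMACO")]:
        print(f"{domain}\\{user}: {box.windows_logon(user, domain)}")
    print("owner:", box.owner, "POA active:", box.poa_active)
```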
SafeGuard Easy 5.50
SGN also exists in an “unmanaged” version, called SafeGuard Easy 5.50, formerly known as “SGN Standalone”:
- No server backend
- No automatic key deployment and key exchange
- No automatic policy deployment
- Policy Editor instead of SGN Management Center
- Just “install and forget”
- For small/medium customer environments
- There are limitations, but the most important features are included
  - Power On Authentication
  - Encryption
SafeGuard Easy 5.50
„Classical“ SGN environment: SGN Management Center, SGN Server(s), SGN Clients, Active Directory, SGN Database.
SGE 5.50: SGN Policy Editor and SGE 5.50 clients.
- Option 1: Policies are generated with the Policy Editor
- Option 2: Policies are generated with the Management Center (e.g. for remote clients in small branch offices)
SafeGuard Easy 5.50
What to consider when working with SafeGuard Easy 5.50:
- Policies can be generated with:
  - Policy Editor
  - Management Center
- Policies are deployed via client configuration MSI file
- Client backs up the key file, e.g. on a network share
- Migration of SGE 5.50 to a „classical/managed“ SGN environment is possible
  - But backend and frontend have to be migrated at the same time
  - Moving a single unmanaged client to a normal SGN environment is not possible.
SGN 5.50 – SGE 5.50 comparison chart

                     | SGN 5.50                                                   | SGE 5.50 (former „standalone“)
Installation package | SGNClient.msi                                              | SGNClient.msi
Available modules    | Device Encryption, Data Exchange, Configuration Protection | Device Encryption, Data Exchange
Management           | Management Center                                          | Policy Editor
Settings deployment  | Automatically via SGN Server                               | Manually via configuration MSI files
Support features     | Challenge/Response, Local Self Help, Virtual Client        | Challenge/Response, Local Self Help, Virtual Client
SafeGuard Easy 5.50 - POA Users
SafeGuard Easy 5.50 provides so called “POA” users
- POA users have to be generated manually
- They can be grouped into POA user groups
- They have to be assigned within an SG Easy configuration file
- Challenge/Response is possible for POA users

SafeGuard Easy 5.50 - POA Users
- POA users are SGE users only, not Windows related
- They are maintenance users and can always log on to the POA
- They have to be created manually
- They are delivered to SGE clients within a configuration package
- Once activated on a new client, they do not activate the POA
  - So UMA must already have been passed before a POA user can log on
SafeGuard Easy 5.50 - POA Users
POA user workflow
1. Security Officer creates POA User with their password and POA user group
   • POA User might be a helpdesk guy or the like
2. Security Officer assigns POA User to POA user group
3. Security Officer adds POA User group to SG Easy configuration package
4. Administrator installs SG Easy 5.50 + configuration package on Windows computer
5. Windows user logs on to Windows, which starts UMA
6. From now on POA User and Windows user can log on to the POA

SafeGuard Easy 5.50 - POA Users
Note the different log on modes in the domain selection field:
- POA user logs on
- “Normal” user logs on: either local machine or domain

SafeGuard Easy 5.50
Exercise IT9 - SG Easy 5.50 / SGN Standalone client
Environment recommendations
This chapter will provide insight into:
- Hardware and software requirements
- POA hardware compatibility
- Necessary preparations prior to SGN client installation
- Limitations and restrictions in SGN
- Update / Migration options
Environment recommendations
SGN Server hardware:
- Intel or AMD x86 CPU
- >= 512 MB RAM
- 1 GB free hard disk space
- >= 100 Mbit/s NIC
SGN Server operating system:
- Microsoft Windows 2003 >= SP 1
- Microsoft Windows 2008
See release notes for more detailed information.

Environment recommendations
Client hardware:
- Intel or AMD x86 CPU
- >= 512 MB RAM
- >= 5 GB free hard disk space
Client operating system:
- Microsoft Windows XP >= SP 2
- Microsoft Windows Vista Enterprise, Business or Ultimate Edition >= SP1
- Microsoft Windows 7
See release notes for more detailed information.

Environment recommendations
SGN Client limitations (frequently asked):
- RAID is not tested and therefore not supported
- Machines with dynamic disks are not supported
- GPT disks are not supported
- Imaging tools for encrypted volumes are not tested and therefore not supported
- 3rd party boot managers are not tested and therefore not supported
See release notes for more detailed information.

Environment recommendations
Preparations prior to SGN client installation:
- Back up your data
- Run checkdisk (chkdsk) for the system drive with parameters /L /V /X /F
- Remove 3rd party boot managers
- Re-write the MBR with Microsoft tools when the data on the hard disk was restored from an imaging/cloning tool
- Reboot the system after converting the boot volume from FAT to NTFS
- Deactivate 3rd party virus scanners and anti-spyware tools temporarily during installation
Hardware compatibility *)
- Customers may experience hardware related issues at Power On Authentication (POA) level on SGN Clients
- Issues can be solved with POA hotkeys
- During installation SGN compares several hardware conditions against the list of tested devices, such as
  - BIOS version
  - Model
  - Built-in hardware
  - … and others
- The installer can determine if your system requires non-default POA settings to be applied.
*) More to be covered in the Maintenance Training

Hardware compatibility *)
- Each SGN release has a built-in list of tested devices
- A monthly updated hardware compatibility list is also available
  - Accessible for customers via the Sophos knowledge base: www.sophos.com/support/knowledgebase/article/65700.html
  - Can be applied for any roll out
- There is also a tool to gather hardware information for the POA
  - Accessible for customers via the Sophos knowledge base: www.sophos.com/support/knowledgebase/article/110285.html
  - Results are to be sent back to [email protected]
  - Their results will be added to the next edition of the HW compatibility list.
*) More to be covered in the Maintenance Training
Environment recommendations
Supported Smartcard readers

Vendor  | Reader                       | Interface         | Comment
Gemalto | GemPC Express                | ExpressCard       |
Gemalto | GemPC Twin                   | USB-CCID          |
Gemalto | GemPC Key                    | USB-CCID          | SIM size
Gemalto | Reflex USB v3                | USB-CCID          |
HP      | SC Terminal (KUS0133)        | USB-CCID keyboard |
HP      | SCR 243 OEM                  | PC-Card           |
Kobil   | KAAN Base                    | USB-CCID          |
Kobil   | KAAN Advanced                | USB-CCID          | PIN pad for secure PIN entry is not supported
Lenovo  | Integrated Smart Card Reader | integrated (USB)  | Reader might be replaced by another type, depending on market situation
o2micro | Oz776                        | integrated-CCID   |
Omnikey | CardMan 3021, 3121           | USB-CCID          |
Omnikey | CardMan 4040                 | PC-Card           |
Omnikey | CardMan 4321                 | ExpressCard       |
Omnikey | CardMan 5125, 5321           | USB-CCID          | contactless interface is not supported
Omnikey | CardMan 6121                 | USB-CCID          | SIM size
SCM     | SCR 331                      | USB-CCID          | Requires firmware version 5.18 or higher!
SCM     | SCR 335, SCR 3310, SCR 3311  | USB-CCID          |
SCM     | SCR 3320                     | USB-CCID          | SIM size
SCM     | SCR 3340                     | ExpressCard       |
SCM     | SDI 010                      | USB-CCID          | contactless interface is not supported
SCM     | SPR 532                      | USB-CCID          | PIN pad for secure PIN entry is not supported; requires firmware version 5.10 and updated Windows drivers

Supported Smartcards

Middleware    | Card                   | Versions                                | Card Type | Data Format
ActivIdentity | Smart Card 64K         | v2 (Oberthur), v2c (Axalto), GND (G&D)  | Java Card | ActivIdentity
AET           | Aspects OS755          | 2.8                                     | Java Card | PKCS#15
AET           | Atmel ATOP36           |                                         | Java Card | PKCS#15
AET           | Axalto eGate           |                                         | Java Card | PKCS#15
AET           | Axalto Cyberflex       | Developer, 64Kv1, 64Kv2, Palmera        | Java Card | PKCS#15
AET           | Belgium eID card       |                                         |           |
AET           | G&D Sm@rtCafe          | Expert 2.0, Expert 3.0, Expert 3.1, 64K | Java Card | PKCS#15
AET           | G&D STARCOS SPK        | 2.3, 2.4, 2.5, DI, 3.0                  | ISO 7816  | PKCS#15
AET           | Gemplus GemXpresso     | 211PK, Pro R3, Pro R4                   | Java Card | PKCS#15
AET           | Gemplus GemXplore 3G   |                                         |           | PKCS#15
AET           | IBM JCOP               | 20, 21id, 21, 30, 31, 31bio[1], 41 72K  | Java Card | PKCS#15
AET           | KEBT KONA21T           |                                         | Java Card | PKCS#15
AET           | KeyCorp MultOS         | V4.2 48K, V4.2 64K                      | MultOS    | PKCS#15
AET           | MartSoft Java Card     |                                         | Java Card | PKCS#15
AET           | Oberthur CosmopolIC    | V4                                      | Java Card | PKCS#15
AET           | Oberthur IDone         | Cosmo 32, Cosmo 64                      | Java Card | PKCS#15
AET           | ORGA JCOP              | 20, 21, 30                              | Java Card | PKCS#15
AET           | Sagem Orga J-IDMark 64 |                                         | Java Card | PKCS#15
Charismathics | Siemens CardOS M4.3b   |                                         | ISO 7816  | CSSID
Siemens       | Siemens CardOS M4.3b   |                                         | ISO 7816  | PKCS#15
RSA           | Java Card              |                                         |           | RSA

Supported tokens

Vendor           | USB Token                   | Middleware Supplier | Comment
ActivIdentity    | ActivKey SIM                | ActivIdentity       |
ActivIdentity    |                             | ActivIdentity       | OTP function not supported
Aladdin (CardOS) | eToken Pro, eToken NG-Flash | Aladdin             |
Aladdin          | eToken NG-OTP               | Aladdin             | OTP function is not supported
Charismathics    | OTP Sign                    | Charismathics       | OTP function is not supported
Charismathics    | plug’n’crypt ID             | Charismathics       |
Eutronsec        | CryptoIdentity ITSEC        | AET, Charismathics  |
Eutronsec        |                             | Charismathics       | OTP function is not supported
MARX             | CrypToken                   | AET                 |
Vasco            | DigiPass 860                | Charismathics       | OTP function is not supported
RSA              |                             | RSA                 | OTP

See release notes for more detailed information and a list of supported devices.
Environment recommendations
Operating systems supported in SGN 5.50

SGN – Microsoft Windows platform support, SGN 5.50
Matrix columns: DE, DE BitLocker, DX, CP, SGN Server, MC (the per-column support marks are not reproduced here).
- Windows XP Professional Edition, SP2 / SP3, 32 Bit: .NET 2.0, .NET 3.01
- Windows Vista Home Premium / Business / Enterprise / Ultimate, SP1 / SP2, 32 Bit: .NET 3.01
- Windows Vista Home Premium / Business / Enterprise / Ultimate, SP1 / SP2, 64 Bit: .NET 3.01
- Windows 7 Home Premium / Professional / Enterprise / Ultimate, 32 Bit: .NET 3.01
- Windows 7 Home Premium / Professional / Enterprise / Ultimate, 64 Bit: .NET 3.01
- Windows Server 2003 / R2, SP1 / SP2, 32 Bit / 64 Bit: .NET 3.0, IIS 6
- Windows Server 2008 SP1, 64 Bit / Windows Server 2008 R2, 64 Bit: .NET 3.0, IIS 7.0 / IIS 7.5
Environment recommendations
Database systems supported by SGN 5.50
- Note that some SQL Server versions are not supported anymore by version 5.50
- Customers who update from an older SGN version have to update their SQL server too
- Migration scripts are available

SGN Server – Database Server Support (SGN 5.40 vs. SGN 5.50)
Versions listed in the matrix: Microsoft SQL Server 2005 SP1, 2005 Express SP1, 2005 SP2, 2005 Express SP2, 2005 SP3, 2005 Express SP3, 2008 SP1, 2008 Express SP1 (the per-version support marks are not reproduced here).
Environment recommendations
Which client can communicate with which server?

SGN – Client/Server Matrix
- SGN Clients: 5.2x, 5.30, 5.35, 5.40, 5.50
- SGN Servers: SGN 5.50, SGN 5.40.x, SGN 5.35.x, SGN 5.35 GA, SGN 5.30.2, SGN 5.30.1, SGN 5.30 GA, SGN 5.21, SGN 5.20
(the compatibility marks are not reproduced here)
SGE to SGN migration matrix
- Not all versions of SGE can be updated to SGN
- For supported versions it depends on...
  - ...the used algorithm
  - ...the SGE installation mode
- Sophos SafeGuard Disk Encryption (SDE) 4.60 can also be migrated to SGN 5.50

SGE – SGN Migration Matrix
- Algorithms: IDEA, DES, 3DES, AES128, AES256, Blowfish, Stealth, XOR
- SGE versions: SGE 4.50, SGE 4.40, SGE 4.30, SGE 4.20, SGE 4.1x, SGE 3.x
(the migration marks per version and algorithm are not reproduced here)
SGN Update matrix

SGN Update Matrix (update from / update to)
Versions covered: SGN 5.20, SGN 5.20.1 (Lenovo), SGN 5.20.2 (Patch), SGN 5.20.3 (Patch), SGN 5.20.4 (Patch), SGN 5.20.5 (Patch), SGN 5.21, SGN 5.21.1 (Patch), SGN 5.30 RC1, SGN 5.30 GA, SGN 5.30.1, SGN 5.30.2, SGN 5.30.3, SGN 5.35 GA, SGN 5.35.x, SGN 5.40.x, SGN 5.50 (the update marks are not reproduced here).
SGN Update process
Steps to update an older SGN version to SGN 5.50 (1/2)
1. Take all SGN Servers (IIS) offline* and close all SGN Management Centers.
2. Create a backup of the SafeGuard database - strongly recommended.
3. Put the database in SINGLE_USER mode.
4. Run the update script, e.g. "UpdateSGN540_SGN550.sql".
5. Put the database in MULTI_USER mode again.
6. Update one SafeGuard Management Center machine including the underlying SGN client.
   • If not done, Windows logon might fail.

SGN Update process
Steps to update an older SGN version to SGN 5.50 (2/2)
7. Start the updated SafeGuard Management Center.
   • Database consistency will be checked.
   • Select repair to recalculate the checksums for those tables that were modified.
8. Update the SafeGuard Enterprise Server(s).
9. Update the remaining Management Centers.
10. Create a new client configuration package for future installations.

SGN Update
Useful update hints for the SGN Management Center
- If the SGN client is installed together with the Management Center it must be updated too.
- Windows logon might fail after reboot if not done so.
Agenda
1. Introduction
2. Installation and configuration
3. Environment recommendations
4. Client configuration policies
   • Power On Authentication
   • Volume based and file based encryption
   • Configuration protection
5. Dealing with installation issues
6. Working with the scripting API
7. Product implementation in practice
8. Online exam
Client configuration policies
This chapter will provide insight into:
- How to work with policies
- What is the best practice for several policies
- How to use the RSOP
- How to set up useful auditing
Client configuration policies
Policies can be set for e.g.
- Authentication, e.g.
  - With user ID and password
  - With token
  - Fingerprint
  - Kerberos
- Device protection rules, e.g.
  - Hard disk encryption
  - File based encryption
  - Port and file protection/restriction
- Machine specific settings, e.g.
  - CSP to be used (e.g. for Aladdin eToken)
- Logging
SGN policy concept
Policies
- are inherited
- are additive
- can be assigned to
  - Root
  - Domain
  - OU
  - SGN containers like „autoregistered machines“
- but not to single…
  - …machines
  - …users
Client configuration policies
What to consider when working with policies?
- Policies cannot be assigned to single objects like
  - Users
  - Machines
- Use a recognizable policy name for policies:
  - according to function, e.g. „Authentication Policy“
  - according to function + assigned object, e.g. „Memory Stick Encryption Board“
- Policies can also be used to exclude settings
- „Resultant Set Of Policies“ (RSOP) tool available
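The policy concept above (inherited, additive, container-only assignment, exclusion of settings) as an added Python example of how a resultant set of policies is computed; this is illustration written for this page, not the product's RSOP tool. It assumes that a setting assigned closer to the object overrides the same setting inherited from above, and that an excluding policy removes an inherited setting; the container tree and policy names are constructed.

```python
"""Resultant Set Of Policies (RSOP) for the SGN policy concept above.

Added example, not the product's RSOP tool. Policies are assigned to
containers (Root, Domain, OU, SGN containers), never to single users or
machines; they are inherited down the container path and are additive.
Assumptions (not stated on the slides): where two policies set the same
setting, the one assigned closer to the object wins, and a policy may
exclude (remove) an inherited setting. Names below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Kinds of node a policy may be assigned to; "user" and "machine" are not among them.
ASSIGNABLE = {"root", "domain", "ou", "container"}


@dataclass
class Policy:
    name: str
    settings: dict[str, object] = field(default_factory=dict)
    excludes: set[str] = field(default_factory=set)   # inherited settings to drop


@dataclass
class Container:
    name: str
    kind: str                          # root, domain, ou, container, user, machine
    parent: Container | None = None
    policies: list[Policy] = field(default_factory=list)

    def assign(self, policy: Policy) -> None:
        """Assign a policy; refused for single objects, as on the slide."""
        if self.kind not in ASSIGNABLE:
            raise ValueError(
                f"policies cannot be assigned to single objects ({self.kind}: {self.name})")
        self.policies.append(policy)

    def path(self) -> list[Container]:
        """Nodes from Root down to this node, the order inheritance is applied in."""
        node, chain = self, []
        while node is not None:
            chain.append(node)
            node = node.parent
        return list(reversed(chain))


def rsop(obj: Container) -> dict[str, tuple[object, str]]:
    """Resultant settings for a user or machine: value plus the policy@node it came from.

    Walking Root -> ... -> object makes policies additive and lets the
    closest assignment win (assumption); excludes remove what was inherited.
    """
    result: dict[str, tuple[object, str]] = {}
    for node in obj.path():
        for policy in node.policies:
            for key in policy.excludes:
                result.pop(key, None)
            for key, value in policy.settings.items():
                result[key] = (value, f"{policy.name}@{node.name}")
    return result


if __name__ == "__main__":
    root = Container("Root", "root")
    dom = Container("utimaco.local", "domain", root)
    board = Container("Board", "ou", dom)
    pc = Container("XP-CLIENT", "machine", board)
    root.assign(Policy("Authentication Policy", {"logon_mode": "uid+password", "poa": True}))
    dom.assign(Policy("Boot Volume Encryption", {"boot_volume": "AES256"}))
    board.assign(Policy("Memory Stick Encryption Board", {"removable_media": "FBE"}))
    for key, (value, origin) in sorted(rsop(pc).items()):
        print(f"{key:16} = {value!s:14} from {origin}")
```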
Client configuration policies
Policy update flow: the SGN client triggers the policy update, the client requests the policy update from the SGN Server, and the SGN Server sends a query to the SGN database.
Policies are loaded
- after the machine and the SGN service have started
- during user logon
- at the update interval (default 90 min.)
- manually initialized by the SGN systray tool
- by command (sgmcmdintn.exe –s)
Client configuration policies
Let's set up the VMware machines with SGN policies for these features:
- Power On Authentication with user ID and password, or optionally token
- Volume based hard disk encryption for the boot volumes
- File based encryption on memory sticks
- Configuration Protection
- Client logging for security auditing
Client configuration policies
Exercise policy 1 – SGN authentication
- User authentication in the POA with user ID and password
- Setting up LSH for user logon recovery
- Booting from other media than the internal hard disk possible
Client configuration policies
What to consider when configuring the POA?
- It should always be activated
- It can be customized
- It can be deactivated if necessary
  - Temporarily while deploying software unattended
  - Temporarily while a machine is maintained
- Log on mode can be
  - User name and password
  - Token and smartcard
  - Fingerprint on selected models
  - Kerberos
- In case users forgot their password they can get help by
  - Challenge/Response
  - Local Self Help
SafeGuard Enterprise Client
Side note: SGN supports a wide range of tokens and smartcards
- See release notes and KBA 107804
- The product uses the term „token“ also for smart cards
- Tokens and smart cards can be used for
  - User authentication in the POA
  - User authentication in Windows
  - SO authentication in the Management Center
- Tokens and smartcards achieve a „two-factor authentication“ which is based on:
  - Possession (your token / smart card)
  - Knowledge (your PIN)

2-factor Authentication
Local Self Help on managed clients
- If SGN users forgot their password they can recover it by Local Self Help (LSH)
- Users have to pre-answer and re-answer questions, in order to identify themselves in the POA once they have forgotten their password
  - 10 questions at least
  - Different themes are available
Local Self Help theme set
- LSH themes are predefined in 6 different languages
  - Spanish, English, German and French are present in the Management Center
  - Japanese and Italian can be imported from the SGN program folder

Local Self Help customer themes
- Customers may provide their own themes
- Themes do not have to be a language, they could also be organized by departments
  - HR theme – asking specific human resources questions
  - Development theme – asking programmer stuff
  - …
Client configuration policies
Exercise IT10 - Authentication and LSH Policy
Client configuration policies
Exercise policy 2 – SGN volume based encryption (VBE)
- Volume based hard disk encryption of the boot volume
- Auditing for volume based encryption
Client configuration policies
What to consider when encrypting the boot volume?
- It encrypts all data areas of the volume
  - Including also the sectors which keep OS files, page file, hibernation file etc.
- Booting the OS is from now on only possible after authentication
- Regular Windows PE based recovery CDs will not work anymore for an encrypted boot volume
  - A Windows PE based recovery CD with the SGN protected mode driver integrated will be necessary now
  - Tool CDs which boot in real mode might still work for an encrypted boot volume
  - The Maintenance Training will deal with this topic
- Compression becomes impossible
- CBC mode is used for encryption to avoid data patterns
Client configuration policies
Exercise IT11 – Boot volume encryption Policy
Client configuration policies
Exercise policy 3 – SGN file based encryption (FBE)
- Encryption of files
  - On all removable media
  - Initially and user transparent
Client configuration policies
What to consider when working with file based encryption?
It cannot be used for boot volumes, because
FBE works in user context
FBE would not encrypt the page file and the hibernation file
It is recommended for removable media
Because a mixture of encrypted and plain files is possible
Because SafeGuard Portable can be used
If encrypted files should only be usable within one user group, dedicated FBE policies are necessary
It might be advisable to force a specific key
Be careful when using the settings
All keys in user key ring
All keys in user key ring except user key
Exercise IT12 – File based encryption Policy
Client configuration policies
Agenda
1. Introduction
2. Installation and configuration
3. Environment recommendations
4. Client configuration policies
• Power On Authentication
• Volume based and file based encryption
• Configuration protection
5. Dealing with installation issues
6. Working with the scripting API
7. Product implementation in practice
8. Online exam
Client configuration policies
Exercise policy 4 – Configuration Protection
USB restriction
Only company devices allowed
File access restricted
Client configuration policies
What to consider when working with Configuration Protection?
Port Control works "top-down"
E.g.: USB -> storage devices -> removable storage devices -> distinct storage devices
Port Control should be used "firewall-like":
Restrict/block everything you don't want
Allow everything you need via a whitelist
The Port Auditor simplifies Port Control handling
All computers can be scanned
• SGN computers
• Non-SGN computers
Scan first, then work with a whitelist in your policies
Admin rights are necessary to trigger the remote computer's WMI service
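The top-down, firewall-like evaluation described above, as an added illustration in Python that is not SafeGuard Enterprise code: rules are walked from the port class down to the distinct device, the most specific matching rule wins, and anything without a matching rule is blocked. The workflow mirrors the "scan first, then whitelist" advice: a constructed Port Auditor-style inventory is turned into device-level allow rules on top of a block-all rule. The hierarchy levels, the rule format, the "readonly" action, the device identifiers and the inventory are all assumptions made for this example, not the product's policy format.

```python
# Added example, not SafeGuard Enterprise code: evaluating a top-down,
# firewall-style port-control policy. Rules are walked from the port class
# down to the distinct device and the most specific matching rule wins;
# anything without a matching rule is blocked. Hierarchy levels, rule
# format, device identifiers and the scanned inventory are constructed
# assumptions for this illustration, not the product's policy format.
from dataclasses import dataclass

# Evaluation order, most general first:
# USB -> storage devices -> removable storage devices -> distinct device
LEVELS = ("port", "device_class", "subclass", "device_id")
ACTIONS = ("allow", "readonly", "block")


@dataclass(frozen=True)
class Device:
    port: str          # e.g. "USB"
    device_class: str  # e.g. "storage", "hid"
    subclass: str      # e.g. "removable", "fixed", "-" if not applicable
    device_id: str     # constructed vendor/product identifier


def decide(rules, dev):
    """Return (action, level) for dev under rules, a dict mapping
    (level, value) -> action. Deny by default; a rule at a deeper level
    overrides any rule found at a shallower one."""
    action, level = "block", "default"
    for lvl in LEVELS:
        rule = rules.get((lvl, getattr(dev, lvl)))
        if rule is not None:
            if rule not in ACTIONS:
                raise ValueError(f"unknown action {rule!r} at level {lvl}")
            action, level = rule, lvl
    return action, level


def whitelist_from_scan(inventory, approved_ids):
    """Port Auditor-style workflow: start from a block-everything rule for
    USB, keep input devices usable, restrict unknown removable media to
    read-only and allow the approved company devices by identifier.
    Returns the rule set and the scanned devices that would still be blocked."""
    rules = {
        ("port", "USB"): "block",               # firewall-like default
        ("device_class", "hid"): "allow",       # keyboards and mice must work
        ("subclass", "removable"): "readonly",  # file access restricted
    }
    for dev in inventory:
        if dev.device_id in approved_ids:
            rules[("device_id", dev.device_id)] = "allow"   # company devices
    blocked = [d for d in inventory if decide(rules, d)[0] == "block"]
    return rules, blocked


# Constructed scan result of the kind a Port Auditor run would produce.
INVENTORY = [
    Device("USB", "hid", "-", "VID_046D&PID_C31C"),              # keyboard
    Device("USB", "storage", "removable", "VID_0951&PID_1666"),  # company stick
    Device("USB", "storage", "removable", "VID_090C&PID_1000"),  # private stick
    Device("USB", "storage", "fixed", "VID_04E8&PID_61B6"),      # external disk
]
COMPANY_DEVICES = {"VID_0951&PID_1666"}


def demo():
    """Evaluate every scanned device against the generated whitelist."""
    rules, blocked = whitelist_from_scan(INVENTORY, COMPANY_DEVICES)
    decisions = {d.device_id: decide(rules, d) for d in INVENTORY}
    return decisions, [d.device_id for d in blocked]


if __name__ == "__main__":
    for dev_id, (action, level) in demo()[0].items():
        print(f"{dev_id}: {action} (decided at level '{level}')")
```

The point to take from the result is the level at which each decision was made: the keyboard is allowed by a class rule, the private stick is reduced to read-only by the removable-media rule, the company stick is allowed by its device rule, and the fixed external disk falls through to the port-level block. The default is deny, so a device the scan never saw is blocked until someone whitelists it.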
Exercise IT13 – Configuration Protection
Client configuration policies
Client configuration policies
Exercise policy 5 – Logging
Logging of SGN events
Logging of SO actions
Client configuration policies
What to consider when working with the logging?
Using the SGN Database is more secure than logging to the SGN client's event log
Because the database logging is tamper resistant
Only SGN Security Officers can manage it
All logging tables are protected with a MAC key, so manipulations will always be reported
But logging tables are not encrypted
SQL SELECT operations on logging entries are possible
So further processing with tools like Microsoft System Center Operations Manager (SCOM) is possible
Try to set up moderate logging
Extended logging "blows up" the database too much
Create and assign an extended logging policy to an OU only when necessary
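The combination described above (readable but tamper-evident log tables), as an added illustration in Python that is not SafeGuard Enterprise code: rows of a plaintext event table carry a keyed MAC, so they can still be filtered with plain SELECT-style queries, yet an edited or a deleted row is reported on verification. The chained HMAC-SHA256 construction, the demo key and the sample events are assumptions made for this example; the page does not describe SGN's actual table MAC scheme.

```python
# Added example, not SafeGuard Enterprise code: a plaintext audit table whose
# rows are protected by a keyed MAC, so that it can be read with ordinary
# SQL-style queries while any manipulation is reported on verification.
# The per-row chained HMAC-SHA256 construction, the key handling and the
# sample events are assumptions for this illustration, not SGN's real scheme.
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key must be kept away from
# the database administrators; whoever holds it can recompute valid MACs.
MAC_KEY = b"constructed-demo-mac-key"
GENESIS = b"\x00" * 32  # chain seed used for the first row


def _canonical(row):
    """Stable byte encoding of a row so the MAC does not depend on column
    order or whitespace."""
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()


def row_mac(key, row, prev_mac):
    """MAC over the row chained to the previous row's MAC. Chaining makes a
    deleted or reordered row break the MAC of the row that follows it."""
    return hmac.new(key, prev_mac + _canonical(row), hashlib.sha256).digest()


def append_event(table, key, row):
    """Append a row and its MAC to table (a list of (row, mac) tuples)."""
    prev = table[-1][1] if table else GENESIS
    table.append((dict(row), row_mac(key, row, prev)))


def verify_table(table, key):
    """Return the 0-based positions whose MAC does not verify; an empty list
    means no manipulation was detected."""
    bad = []
    prev = GENESIS
    for pos, (row, mac) in enumerate(table):
        if not hmac.compare_digest(mac, row_mac(key, row, prev)):
            bad.append(pos)
        prev = mac  # chain on the stored value, as a verifier would
    return bad


def select_events(table, **where):
    """Plain read access: rows are not encrypted, so filtering on the clear
    columns works (the SCOM-style further processing mentioned in the text)."""
    return [row for row, _ in table
            if all(row.get(k) == v for k, v in where.items())]


def build_demo_table(key=MAC_KEY):
    """Constructed sample events, not taken from a real SGN database."""
    table = []
    for row in (
        {"id": 1, "event": "POA logon", "user": "marc", "machine": "XP-CLIENT"},
        {"id": 2, "event": "Policy update", "user": "-", "machine": "XP-CLIENT"},
        {"id": 3, "event": "SO action: password reset", "user": "john", "machine": "XP-ADMIN"},
    ):
        append_event(table, key, row)
    return table


def tamper_demo(key=MAC_KEY):
    """Show that both an edited row and a deleted row are reported."""
    edited = build_demo_table(key)
    edited[2][0]["user"] = "mallory"   # rewrite who performed the SO action
    deleted = build_demo_table(key)
    del deleted[1]                      # drop the policy-update row
    return verify_table(edited, key), verify_table(deleted, key)


if __name__ == "__main__":
    print("intact table:", verify_table(build_demo_table(), MAC_KEY))
    print("edited / deleted:", tamper_demo())
    print("XP-CLIENT events:", select_events(build_demo_table(), machine="XP-CLIENT"))
```

A per-row MAC without chaining would report the edited row but not the deleted one; the chain is what turns "this row is authentic" into "this table is complete". It does not protect confidentiality: the rows stay readable to anyone with SELECT rights, which is exactly the trade-off the slide describes.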
Exercise IT14 – Auditing of SafeGuard Enterprise events
Client configuration policies
Resultant set of policies (RSOP)
The RSOP feature can be used to calculate the effective result for combinations of
Different assigned machine policies
Assigned user and machine policies
The tool calculates
The result of all policies which are assigned to a machine
The result of all policies which are assigned to a user when they log on to a machine which comes with its own policies (and vice versa)
Resultant set of policies (RSOP)
RSOP example
User to machine
Machine to user
Demo
Resultant set of policies (RSOP)
Agenda
1. Introduction
2. Installation and configuration
3. Environment recommendations
4. Client configuration policies
5. Dealing with installation issues
6. Working with the scripting API
7. Product implementation in practice
8. Online exam
Dealing with installation issues
This chapter will provide insight into:
How to solve possible misconfigurations in 3rd party tools
What are possible SGN client installation issues
How to work with SafeGuard Knowledge Items
IIS / SGN Server Issues
Top IIS / SGN Server issues during installation
Wrong or no ASP.net
Wrong or no server configuration
Wrong or no credential on the SQL Server
Wrong or no IIS service account
Exercise IT15 – Troubleshooting of an SGN Server
Dealing with installation issues
Dealing with failed Active Directory import
SGN can work with objects imported from the Active Directory
AD users with read permission can read and import objects from the AD
Under some circumstances the import can fail
Exercise IT16 – Failed AD Import
Dealing with failed Active Directory import
POA user logon issues
Revision: User machine assignment (UMA)
After the initial client installation the POA is in autologon mode
The first user who logs on to Windows on an SGN protected machine becomes assigned as the owner and the POA gets activated
Under some circumstances the UMA fails and the POA stays in autologon mode
POA logon issues – UMA failed
Reasons for POA autologon might be:
On the SGN client:
No SGN client configuration package installed on the client
SGN client has no connection to the SGN Server
Transport encryption mode misconfigured
Wrong SGN Server entries in the client configuration package
Wrong/invalid company certificate
On the SGN Server:
No SGN Server configuration package installed on the IIS server
SGN Server has no connection to the SGN clients
SGN Server cannot reach or log on to the SGN database
Exercise IT17 – POA in autologon mode – failed User Machine Assignment
POA user logon issues
Dealing with 3rd party GINA issues (Windows XP)
GINA
Stands for Graphical Identification and Authentication
It performs all identification and authentication user interactions for Windows
Examples of 3rd party GINA providers: Checkpoint, Imprivata, Lenovo, …
SGN comes with its own GINA named SGGINA
Dealing with 3rd party GINA issues (Windows XP)
SGGINA on an SGN client deals with
POA to Windows logon passthrough
Windows to POA password synchronization
User Machine Assignment
Local Cache tamper protection
User key ring access during Windows logon
User token issuing during Windows logon
SGGINA "knows" well-known 3rd party GINAs and cooperates with them
GINAs differ from each other in general
For "exotic" 3rd party GINAs a compatibility test might be necessary
Dealing with 3rd party GINA issues (Windows XP)
A 3rd party GINA on an SGN machine might cause trouble:
GINA loop
Logon issues – logon not possible
Forcing the MS GINA
No user Single Sign On (POA to Windows passthrough)
No token Single Sign On
The 3rd party software malfunctions
BSOD during user logon
No user desktop
Dealing with 3rd party GINA issues (Windows XP)
Correct GINA order, SGN and Windows only:
1. SGGINA calls
2. MSGINA
Correct GINA order, SGN, Windows and 3rd party GINA:
1. SGGINA calls
2. 3rd party GINA calls
3. MSGINA
Exercise IT18 – Troubleshooting SGN Client – conflict with 3rd party GINA
Dealing with 3rd party GINA issues
Troubleshooting – POA hardware settings
At the beginning of a project customers might experience issues with some hardware in the POA state:
POA hangs
POA reports "no init"
External USB keyboards fail
...
Hotkeys are available in the POA
POA hot keys
Side note: hotkeys to be pressed in the POA once the machine has issues at boot time
Shift F3 = switch USB Legacy support (Off/On)
Shift F4 = toggle from VESA to VGA graphics mode (Off/On)
Shift F5 = switch USB support (Off/On)
Shift F6 = switch from ATA to Int13 (Off/On)
Shift F7 = switch USB 2.0 support (Off/On)
Shift F9 = switch ACPI/APIC (Off/On)
Default settings are in red
All keys have to be pressed when SGN is in this mode:
POA hot keys
Hardware settings (POA flags) can be verified in the POA
F5 = show hardware settings
Settings cannot be changed on the fly here
Settings are only displayed
POA hardware settings
SGN already "knows" several hardware platforms and applies the necessary hardware settings from a database to the POA
Hardware is detected based on "conditions" (e.g. vendor and model)
Example:

Vendor      Model            Command
Dell Inc    OptiPlex 740     USBLEGACY OFF,VESA ON,USB OFF,ATA ON,USB20 ON,ACPIAPIC OFF
Dell Inc.   Precision M6300  USBLEGACY OFF,VESA OFF,USB OFF,ATA ON
Dell Inc.   Precision M4300  USBLEGACY OFF,VESA OFF,USB ON,ATA ON,USB20 ON
POA hardware settings
If a specific hardware configuration (e.g. a specific graphics card in a specific machine) is found which is defined in the database, a corresponding command string is built to set the kernel flags in the base encryption kernel automatically.
Example:
USBLEGACY OFF,VESA ON,USB ON,ATA ON,USB20 OFF
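The lookup and command-string construction described above, as an added illustration in Python that is not SafeGuard Enterprise code: the three database rows are the ones printed on the slide, and the code turns a detected vendor/model pair into the kernel-flag command string, returning nothing for unknown hardware (the case for the Hardware Information Tool). The matching rules (case-insensitive, trailing dot in the vendor ignored), the strict flag vocabulary taken from the hotkey list, and the "detected hardware" inputs are assumptions made for this example; they are not the real POACFG.XML format.

```python
# Added example, not SafeGuard Enterprise code: turning a hardware database
# of the shape shown above into the kernel-flag command string for a detected
# machine. The rows are those printed on the slide; the matching rules, the
# flag vocabulary and the lookups are assumptions for this illustration and
# not the real POACFG.XML format.

# Flag names taken from the POA hotkey list (Shift F3 .. Shift F9).
FLAGS = ("USBLEGACY", "VESA", "USB", "ATA", "USB20", "ACPIAPIC")

# (vendor, model, command string) exactly as printed on the slide.
HARDWARE_DB = [
    ("Dell Inc", "OptiPlex 740", "USBLEGACY OFF,VESA ON,USB OFF,ATA ON,USB20 ON,ACPIAPIC OFF"),
    ("Dell Inc.", "Precision M6300", "USBLEGACY OFF,VESA OFF,USB OFF,ATA ON"),
    ("Dell Inc.", "Precision M4300", "USBLEGACY OFF,VESA OFF,USB ON,ATA ON,USB20 ON"),
]


def parse_command(cmd):
    """'USBLEGACY OFF,VESA ON' -> {'USBLEGACY': False, 'VESA': True}.
    Unknown flags or values are rejected, so a typo in a customised file is
    caught before it would reach the base encryption kernel."""
    flags = {}
    for item in cmd.split(","):
        name, _, value = item.strip().partition(" ")
        name, value = name.upper(), value.strip().upper()
        if name not in FLAGS or value not in ("ON", "OFF"):
            raise ValueError(f"bad flag entry {item!r}")
        flags[name] = value == "ON"
    return flags


def build_command(flags):
    """Inverse of parse_command; emits the flags in hotkey order."""
    return ",".join(f"{n} {'ON' if flags[n] else 'OFF'}" for n in FLAGS if n in flags)


def _norm(s):
    # Assumption: vendor strings differ only in case and a trailing dot
    # ("Dell Inc" vs. "Dell Inc."), so normalise both away before comparing.
    return s.strip().rstrip(".").casefold()


def lookup(db, vendor, model):
    """Return the flag dict of the first row whose conditions (vendor and
    model) match, or None for hardware that is not in the database."""
    for v, m, cmd in db:
        if _norm(v) == _norm(vendor) and _norm(m) == _norm(model):
            return parse_command(cmd)
    return None


def command_for(db, vendor, model):
    """Command string for the detected machine, or None if unknown."""
    flags = lookup(db, vendor, model)
    return build_command(flags) if flags is not None else None


if __name__ == "__main__":
    # Hypothetical detected machines, not real inventory data.
    for vendor, model in (("Dell Inc.", "OptiPlex 740"), ("Lenovo", "ThinkPad T61")):
        print(vendor, model, "->", command_for(HARDWARE_DB, vendor, model))
```

Rows that omit a flag (the Precision M6300 row has no USB20 or ACPIAPIC entry) are left without a value rather than given a guessed default, because the deck marks defaults only by colour and that information is not available here; whatever consumes the result must decide how an unset flag is treated.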
POA hardware settings
For unknown hardware the Hardware Information Tool can be used to
Pre-set the necessary hardware settings
Show a warning during installation (e.g. special BIOS settings required, …)
Abort the installation on "blacklisted" devices
Pre-settings can then be used during installation with the help of a POACFG file
Customized POA hardware settings
The default configuration database file (POACFG.XML) is part of the client installation package and can be found in the Utimaco\SafeGuard Enterprise\BaseEncryption folder.
Individual configuration database files can be customized
Customized files can be used
With an MSI file property or command line parameter such as
MSIEXEC /i <client.msi> POACFG=<path of the POACFG file>
Within an MST file
If a customized POACFG file is defined, only this file is used.
If no custom file is defined or found, the default database file is applied.
Customized POA hardware settings
POA hardware settings can now also be changed afterwards from within Windows.
The command line tool "BESetFlags.exe" can be used for this
The tool can be given to partners / customers on request
Handling of the tool: KBA107785
Example to switch off USB and VESA support:
besetflags USB OFF,VESA OFF
Hardware information tool
The tool can collect useful information from machines where
SGN works out of the box
SGN installation caused issues
SGN does not work at all
Collected information can be written into an XML file
XML file to be sent to SOPHOS GES DP
Collected XMLs will enhance the configuration database (POACFG)
Hardware information tool
SGNHWInfo.exe collects hardware information
It is available on each SGN Client in the program directory
Settings can be defined...
...and be written to XML files
Hardware "blacklists" can be created
Abort / warning messages can be defined
Demo: Working with POA hardware settings
POA Hardware settings
Agenda
1. Introduction
2. Installation and configuration
3. Environment recommendations
4. Client configuration policies
5. Dealing with installation issues
6. Working with the scripting API
7. Product implementation in practice
8. Online exam
Working with the Scripting API
Useful for administrative tasks
Can be performed unattended
Can be triggered automatically, e.g. by a customer's provisioning system
Batch jobs can be created
Issuing many tokens at once
Automatically importing objects from the AD
…
Administrative tasks can be scheduled
E.g. cleaning the EVENT table every month
Working with the Scripting API
Very simple interface
Works with the most common scripting engines (VB, Perl, …)
Using the API in the wrong way can destroy data
Script programmers must know what they are doing!
Programming skills are necessary
Handle it with care – "What you code is what you get"
Wrong entries in a script can destroy data!
Exercise IT19 – Scripting of SGN tasks
Working with the Scripting API
Agenda
1. Introduction
2. Installation and configuration
3. Environment recommendations
4. Client configuration policies
5. Dealing with installation issues
6. Working with the scripting API
7. Product implementation in practice
8. Online exam
Product implementation in practice
This chapter will provide insight into:
How to plan a SafeGuard Enterprise project at customers
Sizing of a SafeGuard Enterprise environment
Examples of SafeGuard Enterprise installations
Scalability of SafeGuard Enterprise installations
How to plan an SGN project at customers
Components to plan:
Database
SGN Servers
Helpdesk
Things to take under consideration
Sizing
Scalability
Backup/Restore
Compatibility
Limitations
…
Diagram: SGN Management Center, SGN Server(s), SGN Clients, Active Directory, SGN Database
How to plan an SGN project at customers
A project usually starts with an initial meeting
Goal: to find out
What are the customer's requirements?
What is already available?
Where might problems arise?
…
Therefore we provide a helpful document
Which deals with a lot of constantly recurring questions
How to plan an SGN project at customers
SafeGuard Enterprise Database
Questions about the database to be used:
Can the preferred database system be used for the SGN Database?
Which database software can be used (e.g. Microsoft SQL Server 2005, Express Edition, …)?
Do we use an existing database or do we create a new one?
Facts to consider
What is the database's size (table space calculation)?
How to back up the database?
SafeGuard Enterprise Database
Database sizing (1/2)
Expected table space sizes
• Microsoft SQL Server 2005 SP1
• SGN 5.20
• No logging
• Database not shrunk, default configuration

Amount of objects                              Table space without logging
Users    Machines   OUs      UserGroups        After import    After user registration
1        1          (0,2)    0                 0.016 MB        0.058 MB
10       10         2        0                 0.16 MB         0.58 MB
100      100        20       0                 1.60 MB         5.80 MB
1000     1000       200      0                 16 MB           58 MB
10000    10000      2000     0                 160 MB          580 MB
50000    50000      10000    0                 800 MB          2900 MB
SafeGuard Enterprise Database
Database sizing (2/2)
The space required for logging depends on:
The number of installed modules
Occurring errors
The amount of events to be logged
The logging data will grow permanently over time.
Recommendation: 5 GB table space for the logging should be sufficient for most installations for approximately three years.
Plan with 10 GB table space for the whole SGN Database.
That should be feasible for most environments and gives flexibility and buffer for the long run.
SafeGuard Enterprise Database
Database backup
Regular backup mechanisms can be used
SGN has no built-in database backup function
Main reasons for database backup (amongst others):
Database contains all keys (e.g. machine keys, file encryption keys)
Database contains the company certificate
Database contains user/machine assignments
… and many more …
Because the database holds every key, a backup copy is exactly as sensitive as the database itself and must be stored and access-controlled accordingly.
Backup schedule suggestions:
After the initial import
After every significant change
Periodically (e.g. daily or weekly)
SafeGuard Enterprise Server
Questions about the SGN server(s) to be used
Can the preferred web server be used? SGN supports
IIS 6.0 / 7.0 incl. ASP.NET on Windows 2003/2008
Microsoft .NET Framework 3.5 SP1 or later must be installed
A dedicated web server is recommended because of
Higher performance
Other applications can harm the SGN Server
Other applications might need a different ASP.NET version
• Different ASP.NET versions on one IIS might cause problems
SafeGuard Enterprise Server
Facts to consider
Amount of servers
How many servers for how many clients?
Server load balancing necessary?
Server locations
Where to place the SGN Server(s)?
Network traffic from SGN Server to clients and database?
Network traffic tests
Network traffic results (in KByte)
These values might have an influence on the decision where to place the SGN Server(s)…
…in terms of the network traffic which can be expected
…especially in distributed environments

Test case                                    Client <-> Server   Server <-> DB
Client registration & user registration      117.63              ~5 times more
Start machine incl. logon & tick (50:50)     61.76               ~4 times more
Tick                                         28.92               ~5 times more
SafeGuard Enterprise Server
SGN Server locations
A good connection to the database is necessary
Consider the fact that the SGN Server <-> SGN Database connection generates up to five times more traffic than the SGN Client <-> SGN Server connection
How do the SGN Clients find the right server?
By different configuration MSIs
With the help of intelligent DNS systems (e.g. 3DNS) which resolve the name according to the region where the client is located
SafeGuard Enterprise Server
Server load balancing
SGN Servers can be load balanced with 3rd party services such as
Windows Network Load Balancing
BIG-IP® Load Balancer
Setting up load balancing is a difficult task and should be done by people who are trained in the load balancer solution
The SGN Server load is at its highest during the rollout,
because the user certificates are generated by the SGN Server when a new user is registered.
In practice this is relative to the number of clients being rolled out at the same time, so it should not be a big issue.
SafeGuard Enterprise Management Center
Questions about the Management Center usage
Which connection to Active Directory is available/necessary?
How can the connection to the SGN Database be ensured?
What are the main tasks for using SGN MC?
SafeGuard Enterprise Management Center
Who needs to have a Management Center installed?
Depends on the defined tasks, such as
Helpdesk Officer (e.g. password reset, account management)
Recovery Officer (password reset)
Master Security Officer (e.g. manage SGN environment, create Security Officers, set permissions)
Security Officer (e.g. manual synchronisation, smartcard issuing, key management)
Auditor (e.g. report analysis, verify inventory, check for security breaches)
"Synchronisation host" (scheduled synchronisation via SGN API)
Active Directory
Examples (architecture diagrams)
Common to all diagrams: three regions – America with 1000 clients, Europe with 5000 clients, Asia with 4000 clients – a Domain Controller, and a Helpdesk and Clients in each region
Example 1: regions, Domain Controller, Helpdesk and Clients only
Example 2: adds a central Database, an SGN MC per region and an SGN MC/script for AD sync
Example 3: adds Server1 and Server2 to the previous layout; this placement is marked "Not recommended!" (compare "Place the SGN Server close to the SGN database" later in this chapter)
Example 4: Server1 and Server2 together with the Database
Example 5: Server1 and Server2 with the Database, reached through a Network Load Balancer
Penetration test (server load test)
Test environment (main components)
SGN Server environment:
2 IIS Servers (Network Load Balanced)
Primergy R450 w/ 4-way Xeon 1.90 GHz
4 GB RAM
Windows 2003 Enterprise R2 SP2 (IIS 6.0)
Microsoft .NET 3.5
SGN DB: 1 Database Server
Proliant DL380 G5 w/ 1-way Xeon (quad core) 3.0 GHz
8 GB RAM
Windows 2003 Enterprise R2 SP2 x64
Microsoft SQL Server 2005 x64
Directory structure: 50000 users, 50000 computers, 380 OUs, 2000 groups, 50000 group memberships
Test tool: Microsoft Visual Studio 2008 Team Edition for Software Testers
Tested with SGN 5.21
Workload in the different phases
Workload from rollout until day-by-day usage
Chart: workload (up to 100%) over rolled-out clients over time; the rollout phase ends once all 5000 clients are rolled out, then day-by-day usage begins
During rollout: user certificate generation, policy update (new & existing clients)
Maintenance: user certificate generation, policy update (existing clients)
Summary: during the rollout, the workload of the IIS is higher than afterwards (relative to the database workload).
Test adaption
The test has been made with fixed parameters such as:
Hardware
Structure size
Network load
SGN configuration (e.g. logging)
For customer projects this means (amongst others):
Better hardware gives better results (and vice versa)
The AD structure has no influence on the SGN Server/Database performance
Place the SGN Server close to the SGN database
Intensive logging generates high traffic and workload. Set up a moderate logging policy!
Additional tests were done, but they all came to the same conclusion.
How to detect performance problems?
Major performance counters
CPU problems
(e.g. often runs over 80%)
Memory problems
(e.g. often over 80% of memory always in use, swapping)
Hard disk problems
(e.g. slow, high workload)
Network problems
(e.g. slow network connection, bandwidth exhausted)
How to improve the SGN Server performance
What can be done if an SGN Server limit is reached?
Add an additional SGN Server
With a Network Load Balancer
X clients per server (passive)
New clients contact Server 1, clients which are rolled out contact Server 2
Set the policy setting "Connection interval to Server" to a higher value
Change the IIS performance setting "Maximum number of worker processes"
How to improve the SGN Server performance
Network Load Balancing (NLB)
Balances the requests between all SGN Servers in the NLB system
NLB systems which are in use with SGN at customers:
Microsoft Windows Network Load Balancing service (included e.g. in Windows 2003 Enterprise Server)
BIG-IP® (vendor: F5)
How to improve the SGN Server performance
Configuring SGN config packages for an NLB system
1. Register the "real" SGN Servers as usual.
2. Create an additional server entry with the virtual IP/server name of the NLB system (e.g. "NLB for Server") (choose any certificate).
3. The server packages are created as usual.
4. For the client configuration packages, the NLB entry (e.g. "NLB for Server") is chosen as the SGN Server.
How to improve the SGN Server performance
X clients per server
A specific number of clients contacts one dedicated SGN Server
Which client contacts which server is defined using the "Primary Server" entry of the SGN Client config package
The challenge is to determine how many clients can be handled by one SGN Server.
How to improve the SGN Server performance
New clients contact "Server 1", already rolled out clients contact "Server 2"
New clients contacting the SGN Server for the first time contact "Server 1".
Clients which have already passed UMA switch to "Server 2".
Server main functions:
Server 1: machine registration, user certificate generation
Server 2: policy update, user changes
Diagram: client states Status 1 "SGN Client installed" -> Status 2 "SGN Client registered" -> Status 3 "SGN User registered"; Client Config Package 1 (Primary Server: Server 1) is used until UMA has passed, Client Config Package 2 (Primary Server: Server 2) afterwards
How to improve the SGN Server performance
Extend the policy setting "Connection interval to Server"
The interval in which clients contact the SGN Server
Default value: 90 minutes
If one policy update per day is acceptable, set the value to e.g. 480.
The server is contacted at machine start (e.g. 09:00 am)
Machines that run overnight contact the server every 480 minutes (8 hours).
Clients contact the server at least once a day.
However, the highest workload can be expected in the morning, when everybody starts and logs on to their machines. The calculation "How many clients per server" is based on this (called the "9:00 am peak").
How to improve the SGN Server performance
IIS performance setting "Maximum number of worker processes"
Is the maximum number of worker processes per application pool.
Default value: 1
For an application such as the SGN Server, which issues numerous database requests, increasing it can improve performance.
The effect can differ between environments.
How to improve the Database performance
Follow Microsoft recommendations, such as
Physical memory (should be larger than the size of the database)
Hard disk space (min. 20% of the disk array should be free; NTFS recommended)
RAID level 10 or RAID 0+1 (RAID 5 not recommended)
tempdb system database (recommended to place tempdb on a separate array)
Transaction log file (should be written to its own separate array)
Partitioning of tables or indexes (e.g. SAFE_GUARD_DIR)
How to improve the Database performance
Not recommended: database replica (second database server)
Replication types
Snapshot replication: not supported
Transactional replication: not supported
Merge replication: supported
SGN Database merge replication should be your LAST CHOICE for performance improvement.
Not completely tested
Advanced knowledge of Microsoft SQL Server is necessary
Replication conflicts can occur
Conflicts can occur during Update, Insert (uniqueness) and Delete operations
Mixing of parallel changes to the same object (merge replication)
The probability of conflicts grows exponentially with the time between replication operations
Example for a growing SGN environment
Chart: environments growing from 2,000 to 5,000 to 10,000 clients plus a further 2,000 clients, with the server workload shown for each step; a total of 22,000 SGN Clients
How to balance the server workload? Place a Network Load Balancer
Agenda
1. Introduction
2. Helpdesk Scenarios
3. SafeGuard Enterprise Client Engine
4. Backup / Restore Scenarios
5. Trouble Shooting
6. Online Exam
Online exam
Go to gpp.partners.sophos.com for the assessment