RSA EnVision 4.0 Configuration Guide

RSA enVision Configuration Guide

enVision 4.0

RSA enVision 4.0 Configuration Guide Copyright 1996 - 2009 RSA Security Inc.

enVision, Enterprise Dashboard, and Internet Protocol Database (IPDB) are trademarks of RSA Security Inc. LogSmart is a registered trademark of RSA Security Inc.

All other trademarks, service marks, registered trademarks, registered service marks mentioned in this document are the property of their respective owners.

Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchasers personal use without the written permission of RSA Security Inc.

RSA Security Inc. 200 Lowder Brook Drive, Suite 2000 Westwood, MA 02090 U.S.A. 781.375.9000

Contents

1. INTRODUCTION ....................................................................................................1-1

Site Deployment......................................................................................................................................... 1-2

2. SINGLE APPLIANCE SITE....................................................................................2-1

Configuration Tasks.................................................................................................................................. 2-2

Next Steps................................................................................................................................................... 2-2

Configuration Wizard Planning Worksheet Single Appliance Site ...................................................... 2-3 Name the Site .......................................................................................................................................... 2-3 IP Address............................................................................................................................................... 2-4 Identify External Storage ........................................................................................................................ 2-4 DNS Servers............................................................................................................................................ 2-5 Time ........................................................................................................................................................ 2-6 External IP Address ................................................................................................................................ 2-7

3. MULTIPLE APPLIANCE SITE ...............................................................................3-1

Site Deployment......................................................................................................................................... 3-2 Multiple Site Deployment ....................................................................................................................... 3-3 Site Access in the NIC Domain .............................................................................................................. 3-6 Multiple Appliance Site with Enhanced Availability.............................................................................. 3-6

Configuration Tasks.................................................................................................................................. 3-7

Next Steps................................................................................................................................................... 3-8

Configuration Wizard Planning Worksheet Multiple Appliance Site .................................................. 3-9 NIC Domain............................................................................................................................................ 3-9 Site .......................................................................................................................................................... 3-9 Identify Appliances in the Site.............................................................................................................. 3-10 Identify External Storage ...................................................................................................................... 3-10 DNS Servers.......................................................................................................................................... 3-11 Time ...................................................................................................................................................... 3-12 Local Site Time..................................................................................................................................... 3-12 Site to Site Connection.......................................................................................................................... 3-13 Data Server External IP Address........................................................................................................... 3-13

4. REMOTE COLLECTOR SITE ................................................................................4-1

Configuration Tasks.................................................................................................................................. 4-2 Verify the RC Configuration................................................................................................................... 4-3 Configure the Data Forwarding Task...................................................................................................... 4-4 Test the Configuration ............................................................................................................................ 4-5

Configuration Wizard Planning Worksheet Remote Collector Site ..................................................... 4-6 Name the Site .......................................................................................................................................... 4-6 Identify Appliance................................................................................................................................... 4-7

RSA enVision 4.0 Configuration Guide iii

Contents

RSA enVision 4.0 Configuration Guide iv

DNS Servers............................................................................................................................................ 4-7 Time ........................................................................................................................................................ 4-8 Site to Site Connection............................................................................................................................ 4-9 Data Server External IP Address............................................................................................................. 4-9

5. NEXT STEPS .........................................................................................................5-1

Set Up enVision.......................................................................................................................................... 5-1

Log In to enVision ..................................................................................................................................... 5-2

enVision Client Software and Hardware Requirements........................................................................ 5-3

Log Out of enVision .................................................................................................................................. 5-4

APPENDIX A. CONNECT TO THE APPLIANCE USING A KEYBOARD, MONITOR, AND MOUSE ........................................................................................... A-1

APPENDIX B. DELL REMOTE ACCESS CONTROLLER UTILITY........................... B-1

Ports Used by enVision for the DRAC Utility.........................................................................................B-1

Set Up the Remote Access Controller Utility ..........................................................................................B-2

Access the Appliance from a Remote Location.......................................................................................B-4

APPENDIX C. CHANGE PRIVATE RSA ENVISION NETWORK IP ADDRESSES... C-1

Rename IP Address for Each Appliance before Setting Up Your Site ................................................ C-2

Add Trusted Sites ..................................................................................................................................... C-3

Change the IP Addresses in the Configuration Wizard to Match Renamed Appliance Addresses ................................................................................................................................ C-3

Preface This guide contains information on configuring your RSA enVision site. Use this guide in conjunction with the Hardware Guide.

Audience

The Configuration Guide is for system administrators who need to configure an enVision site.

Documentation Set

The enVision documentation set consists of the following:

Documentation Description

Configuration Guide Instructions on configuring your enVision site. Intended audience is the system administrator.

Hardware Guide Instructions on setting up your RSA enVision appliances. Intended audience is the system administrator.

Migration Guide Instructions on migrating your data from a previous version of enVision to the current version.

Online Help Comprehensive online guide to setting up enVision processing options and using enVision analysis tools.

Go to https://knowledge.rsasecurity.com and log into RSA SecurCare Online to download all product documentation.

Conventions This guide uses the following conventions:

Item Formatting

Literals (exact values that the user must type)

Bold font.

Example: Type New Report.

Variables (adjustable values that the user must type)

Bold, italicized font.

Example: Type user-name.

Fields, buttons, menu items, and so forth

Bold font. (Note: Screen names are not bold.)

Example: Type New Report in the Description field on the Report Setup window.

Keys (on the keyboard) Bold font.

Example: Press Enter.

RSA enVision 4.0 Configuration Guide v

Preface

RSA enVision 4.0 Configuration Guide vi

Contact RSA Contact RSA at:

200 Lowder Brook Drive Suite 2000 Westwood, MA 02090 U.S.A.

Telephone: 781.375.9000

Fax: 781.375.9100

World Wide Web: http://www.rsa.com

Sales You can purchase enVision directly from RSAs dedicated team of sales professionals or through RSAs North American and international resellers. Call RSA at 781.375.9000.

Technical Support You can contact Technical Support as follows:

By Telephone - Technical support is available during business hours via telephone at 800.995.5095.

Through the Internet - The RSA SecurCare Online support page contains answers to common questions and solutions to known problems. It also provides information on new releases, important technical news, device configuration guides, product documentation, and software downloads. You can visit the RSA SecurCare Online web site at https://knowledge.rsasecurity.com. You can visit the RSA Technical Support web site at https://www.rsa.com/support.

1. Introduction RSA enVision is a feature-rich compliance and security application. It allows you to capture and analyze log information automatically from your network, security, application, operating and storage environments. The enVision's LogSmart Internet Protocol Database (IPDB) provides the only architecture proven to collect and protect all the data automatically, from any network device, without filtering or agents. It gives you an accurate picture of how your network is being used, and by whom. It independently monitors your network to verify security policies, to generate alerts for possible compliance breaches, and to analyze and report on network performance.

enVision is tightly coupled with its underlying appliance operating system and hardware, and together they comprise a highly scalable platform that provides guaranteed levels of performance.

enVision is made up of three components:

Applicationsupports interactive users and runs the suite of analysis tools. Collectorcaptures incoming events. Databasemanages access and retrieval of captured events.

RSA enVision 4.0 Configuration Guide 1-1

1. Introduction


Site Deployment enVision is deployed on a site basis. The enVision components are deployed based on the type of site you have. The two types of sites are:

Single appliance site. The ES series appliances are designed to operate in a stand-alone, non-distributed mode. They have all three enVision componentsApplication, Collector, and Databaseinstalled on one appliance. The single appliance is a site. Some single appliance sites have an external storage system. See Chapter 2 Single Appliance Site, for information on a single appliance site.

Multiple appliance site. The LS series appliances are designed to operate in a distributed installation. Each enVision componentApplication, Collector, and Databaseis on its own appliance. The appliances together form a site. Distributed multiple appliance sites allow multiple installations of any of the three appliance types to be deployed in order to manage the variety of network infrastructures found in production environments. All multiple appliance sites have external storage systems. See Chapter 3 Multiple Appliance Site for information on a multiple appliance site.

See Chapter 4 Remote Collector Site for information on associating a Remote Collector site with a multiple appliance site.

2. Single Appliance Site The ES series appliances are designed to operate in a stand-alone, non-distributed mode. The ES appliances have all three enVision componentsApplication, Collector, and Databaseinstalled on one appliance. The single appliance is a site.

See the Hardware Guide for information on the hardware.


2. Single Appliance Site

Configuration Tasks The configuration process takes approximately 30 minutes to complete. You cannot change any of the site configuration options after the wizard is finished. The configuration tasks for a single appliance site are as follows:

Task Activity

1 Plan the installation. Complete the Configuration Wizard Planning Worksheet - Single Appliance Site in this chapter.

2 Set up the RSA enVision appliance hardware. Complete the tasks in Chapter 3 Single Appliance Site in the Hardware Guide.

3 Connect to the appliance using a KVM switch. (You can also connect remotely using DRAC instead of using a local KVM. See Appendix B Dell Remote Access Controller Utility.)

The Configuration Wizard starts automatically.

4 Complete the enVision Configuration Wizard.

Note: enVision uses the default IP address 192.168.1.55. IP address conflicts can occur if the LAN cable is connected to an existing network when you run the configuration wizard. For this reason, you should verify the LAN cable is not connected to an existing network or confirm the IP address is not being used before you run the configuration wizard.

If you click Cancel at any time while using the wizard, you must restart the wizard to configure your site. To restart the wizard, double-click the lsconfigurationwizard.exe file in the c:\windows\installations directory.

When the wizard displays the Review Page window, verify that everything is correct on the Review Page. Click Finish. (If the Review page is not correct, click Cancel and check your hardware setup.)

In the last step, the wizard displays the enVision Configuration Wizard Log window. The log displays the steps the system is performing to configure the site. The system restarts several times while completing the setup.

The appliances restart automatically when the site configuration process is complete.

5 Immediately after you configure RSA enVision 4.0, RSA strongly recommends that you download and install two Content Updates: Event Source Update Package and VAM & Signature Content Update Package.

Go to RSA SecurCareOnline https://knowledge.rsasecurity.com. Click on Products. Under RSA enVision click Content Updates. Complete the instructions available on that page to download and install the updates.

6 Apply the license keys that were sent, via email, to the contact provided when you ordered the enVision appliance.

Next Steps After the site configuration is complete, you must set up the processing options in enVision. See Chapter 5 Next Steps for more information.



Configuration Wizard Planning Worksheet Single Appliance Site

Name the Site

Site Name

Selecting the site name is extremely important. Once you name the site you cannot change the name. A valid site name is a unique 2- to 11-character, alphanumeric string.

The site name cannot be the same as any other enVision site name, nor can it be the same as any existing Windows domain name, or NetBIOS name for a Windows domain. (The NetBIOS name for a Windows domain is the name preceding the dot). For example if your Windows domain name is MyDomainName.com, then the NetBIOS name for this Windows domain would be MyDomainName; it would then be wrong to install an enVision site with the name MyDomainName.

The site name is used in the following names:

Node name for the appliance. For example, for an ES series appliance site, if your site name is Seattle, the ES appliance node name is Seattle-ES.

NIC Windows domain name created for your site. The site name also becomes the name of the Windows domain created for your site, sitename.nic. For example, if your site name is Seattle, the Windows domain for the site is Seattle.nic.



IP Address The default addresses for the appliance are:

LAN IP addressused to access the appliance on the LAN. Subnet maskused to determine to which subnet an IP address belongs. Gateway addressidentifies the computer that routes the traffic to the outside network.

You can override the default values during configuration. If you want to override the default values, write the new values in the table.

Default Override Value

LAN IP Address 192.168.1.155

Subnet Mask 255.255.255.0

Gateway Address 192.168.1.1

Identify External Storage If your ES series appliance has external storage, the wizard recognizes this and prompts you to enter the IP address of the DAS external storage device. If you want to override the default IP address value shown below, write the new value in the table.

DAS IP Address 10.203.2.101



DNS Servers Identify the primary and secondary DNS servers on your network, and options for the servers. enVision uses the DNS servers to resolve IP addresses found in events for reporting and alerting.

DNS Server IP Address

Primary

Secondary

Identify processing options for the DNS Servers.

Field Description Option

Do Not Use Recursion Select this check box to indicate that the DNS server uses forwarders exclusively to resolve queries on behalf of its DNS clients. If the process using forwarders for resolution fails to resolve a query, a failure message is returned.

Do not Use Recursion

Forwarding Timeout Type the number of seconds that the DNS server continues to attempt to contact and use a listed forwarder. When the timeout expires, DNS moves to the next forwarder on the list and repeats the process. The default value is 5.

_____ seconds



Time

Network Time Protocol

You can identify a server to which enVision will periodically synchronize its time.

If you are using a server to synchronize time, you should be aware that known NTP time servers, such as atomic clocks, are outside your network and may be a security issue. RSA assumes no risk to your network if you choose to use a known NTP server.

The enVision Configuration Wizard allows you to use the Windows Date and Time Properties window to update your date and time directly from the wizard. If you change the time zone on the Time Zone tab, you must click Apply before clicking on the Date & Time tab to change the time. If you do not click Apply on the Time Zone tab, changing the time on the Date & Time tab changes the time for the previously selected time zone.

Select NTP Servers

ntp2.usno.navy.mil tock.usno.navy.mil tick.usno.navy.mil navobs1.oar.net ntp0.mcs.anl.gov navobs1.wustl.edu tick.usnogps.navy.mil tock.usnogps.navy.mil tick.ucla.edu bigben.cac.washington.edu ntp.alaska.edu tick.mhpcc.hpc.mil

Local Site Time

Identify the time zone in which your site is located.

Time Zone

(While running the configuration wizard, you must confirm the current date and time in your selected time zone.)




External IP Address Indicate whether this site uses an external address.

This site uses an external IP address and port number. Data Server LAN IP Address (internal IP address)

Data Server LAN Port Number (internal port number)

Data Server External IP Address

Data Server External Port Number

3. Multiple Appliance Site The LS series appliances are designed to operate in a distributed installation. Each enVision componentApplication, Collector, and Databaseis on its own appliance. The appliances together form a site. Distributed, multiple appliance sites allow multiple installations of any of the three appliance types to be deployed in order to manage the variety of network infrastructures found in production environments. All multiple appliance sites use external storage systems.

See the Hardware Guide for information about the hardware.


3. Multiple Appliance Site

Site Deployment The appliance types used in a multiple appliance site are as follows:

Component Appliance Type

Description Each site has...

Database server D-SRV Manages access and retrieval of captured events.

One

Application server A-SRV1

A-SRV2

A-SRV3

Supports interactive users. Runs the suite of analysis tools.

Up to three.

You may want multiple A-SRVs so that you can separate the alerting processes from the reporting processes.

Collector (Local Collector)

LC1

LC2

LC3

Captures incoming events locally.

Up to three Each site has at least one LC.

Remote Collectors (RCs) capture incoming events remotely and forward data to their master site. Each multiple appliance site has the option of having up to 16 Remote Collector (RC) server appliances. Each RC is considered a site. RCs capture incoming events remotely. Remote collectors forward data collected to the enVision site (using the NIC Forwarder Service). (The Administrator sets up the remote collector's Forwarder parameters on the Modify Collector Service window in enVision. See Chapter 5 Remote Collector Site for information on configuring RCs.

Note: The total events per second (EPS) for all Collectors per site (per D-SRV) cannot exceed 30,000 EPS.

The following diagram illustrates a possible configuration of a multiple appliance site:



Multiple Site Deployment A group of multiple appliance sites is referred to as a NIC domain. You can deploy up to ten D-SRVs in a NIC domain.

The NIC domain is set up in a specific configuration with one site acting as the NIC domain master site. Data flow and configuration information are based on your NIC domain configuration.

You set up the NIC domain during installation, using the enVision Configuration Wizard.

The following diagram illustrates a possible configuration of a NIC domain.



Master/Slave Relationship

The following diagram illustrates a basic enVision multiple site setup with a master site and a slave site. In a configuration with more than one site, the master is always Site 1 in the hierarchy.

In a multiple site NIC domain, Site 1 is the NIC domain master site. You can only have one NIC domain master site and it is always Site 1. The sites connected to Site 1 are slaves to Site 1.

A slave site can also be a master site in a multiple site deployment.



In the following example, the NIC domain consists of seven sites:

Site 1 is the NIC domain master site.

Sites 2 and 5 are slaves to site 1; site 1 is the master site for sites 2 and 5, in addition to being the NIC domain master site.

Sites 3 and 4 are slaves to site 2; site 2 is the master site for sites 3 and 4.

Sites 6 and 7 are slaves to site 5; site 5 is the master site for sites 6 and 7.

In enVision, the Set Up Site Communications window (OverviewSystem ConfigurationServicesSet Up Site Communications) lists the site names and the names of their corresponding master sites. If a multiple site deployment is set up as shown in the example illustration, the master/slave relationship of the sites in this NIC domain is as follows:

Site Name Master Site

Site 1 None

Site 2 Site 1

Site 3 Site 2

Site 4 Site 2

Site 5 Site 1

Site 6 Site 5

Site 7 Site 5



Site Access in the NIC Domain You can access and maintain data globally across all sites in the NIC domain with a few exceptions.

The exceptions are these site-specific items that only have meaning to the site where they were configured:

Directories Module or tool settings that you set for:

System Performance tool - display options Query tool - process options and storage directory for saved queries Reports module - storage directory and format for saved report results Executive Dashboard - item settings (Note: Permissions for the items are set globally.)

Custom reports that you added Scheduled reports (can only be scheduled to run on the site where they were configured) Custom queries that you added

Multiple Appliance Site with Enhanced Availability The LS series appliances are designed to operate in a distributed installation. Each enVision componentApplication, Collector, and Databaseis on its own appliance. The appliances together form a site. Distributed, multiple appliance sites allow multiple installations of any of the three appliance types to be deployed to manage the variety of network infrastructures found in production environments. All multiple appliance sites use external storage systems.

Optionally, you can set up enhanced availability (EA) for the Local Collectors (LCs). This allows you to define up to six cluster appliances (CAs) for a site to perform the LC roles.

The implementation of the enhanced availability feature for the Local Collectors is a Professional Services package. You can arrange for a Professional Services package by contacting RSA at 781.375.9000.



Configuration Tasks The configuration process takes approximately 30 minutes to complete. You cannot change any of the site configuration options after the wizard is finished. In a multiple site domain, repeat the tasks on each site, with the exception of Task 5. Task 5 only needs to be performed once in a NIC domain.

Task Activity

1 Complete the Configuration Wizard Planning Worksheet - Multiple Appliance Site in this chapter.

Note: enVision uses the default IP address 192.168.1.55. IP address conflicts can occur if the LAN cable is connected to an existing network when you run the configuration wizard. For this reason, you should verify the LAN cable is not connected to an existing network or confirm the IP address is not being used before you run the configuration wizard.

2 Set up the RSA enVision appliance hardware. Complete the tasks in Chapter 4 Multiple Appliance Site in the Hardware Guide.

3 Connect to the D-SRV appliance using a KVM switch. (You can also connect remotely using DRAC instead of using a local KVM. See Appendix B Dell Remote Access Controller Utility.)

The enVision Configuration Wizard starts automatically.






5 Within the NIC domain, verify that Replication is working correctly. To do so, open the Services window, locate the NIC DB Replication Client service, and ensure it is running.

6 Install and start the NIC App Server service:

Important: You must have the NIC App Server installed on the A-SRV of the NIC domain master site. Only one instance of the NIC App Server can be running in a given enVision domain.

a. Before you begin, make sure that you have installed the RSA enVision 4.0 software.

b. Run the appserver_install.bat batch script in the nic\4000\servername\bin\ folder providing the external LAN IP address of the A-SRV machine in the NIC Domain master site, as an input parameter to the batch script. For example:

E:\nic\4000\servername\bin\ appserver_install.bat a-srv-ip_address This batch program installs and starts the NIC App Server Service on the A-SRV and adds it to the list of services in the Manage Services window in enVision.

Even if you have only one A-SRV in the NIC Domain, you must run the appserver_install.bat batch program to install and start the NIC App Server Service.



Task Activity

7 Immediately after you configure RSA enVision 4.0, RSA strongly recommends that you download and install two Content Updates: Event Source Update Package and VAM & Signature Content Update Package.

Go to RSA SecurCareOnline https://knowledge.rsasecurity.com. Click on Products. Under RSA enVision click Content Updates. Complete the instructions available on that page to download and install the updates.


Next Steps If there are Remote Collectors (RCs) for this site, see Chapter 4 Remote Collector Site for information on configuring the remote sites.

After the site configuration is complete, you must set up the processing options in enVision. See Chapter 5 Next Steps for more information.



Configuration Wizard Planning Worksheet Multiple Appliance Site

The worksheet consists of two sections:

NIC domain. Complete this section for your NIC domain. Site. Complete this section for each site in your NIC domain. (Make a copy of the worksheet, so

that you can complete a worksheet for each site.) If you are configuring a remote collector for a multiple appliance site, see Chapter 4 Remote Collector Site.

NIC Domain

Draw a topology diagram of your NIC domain. Label the NIC domain master site. Label each site with a site name to identify it for additional planning purposes.

Site Complete this section of the worksheet for each site in the NIC domain.

Name the Site

Site Name

Selecting the site name is extremely important. Once you name the site you cannot change the name. A valid site name is a unique 2- to 11-character, alphanumeric string.



Node name for each of the appliances in the site. For example, if your site name is Boston, the Database server appliance node name is Boston-DS1.

NIC Windows domain name created for your site. The site name also becomes the name of the Windows domain created for your site, sitename.nic. For example, if your site name is Boston, the Windows domain for the site is Boston.nic.



Identify Appliances in the Site The default addresses for each appliance in the site are:

LAN IP addressused to access the appliance on the LAN. Subnet maskused to determine to which subnet an IP address belongs. Gateway addressused to identify the computer that routes the traffic to the outside network.

Select each appliance type in your site. If you want to override the default values, write the new values in the table.

Select Appliance Type

IP Address Subnet Mask Gateway Address

A-SRV1 192.168.1.155 255.255.255.0 192.168.1.1

A-SRV2 192.168.1.155 255.255.255.0 192.168.1.1

A-SRV3 192.168.1.155 255.255.255.0 192.168.1.1

D-SRV 192.168.1.155 255.255.255.0 192.168.1.1

LC1 192.168.1.155 255.255.255.0 192.168.1.1

LC2 192.168.1.155 255.255.255.0 192.168.1.1

LC3 192.168.1.155 255.255.255.0 192.168.1.1

If there are remote collectors for this site, complete the Configuration Wizard Planning Worksheet Remote Collector Site in Chapter 4, Remote Collector Site.

Identify External Storage If you want to override the default IP address value shown below, write the new value in the table.

NAS IP Address 10.203.2.101



DNS Servers Identify the primary and secondary DNS servers on your network and options for the servers. enVision uses the DNS servers to resolve IP addresses found in events for reporting and alerting.


Primary

Secondary






_____ seconds



Time

Network Time Protocol (NTP)




Select NTP Servers


Local Site Time Identify the time zone in which your site is located.

Time Zone

While running the configuration wizard, you must confirm the current date and time in your selected time zone.




Site to Site Connection If this site is not the NIC domain master site, identify the master site, the site to which this site is connected.

This site is connected to another site in the NIC domain. Master Site Data Server (D-SRV) IP Address (external IP address)

Master Site Name

Data Server External IP Address Indicate whether this sites database server (D-SRV) requires an external address and port number.

This sites data server (D-SRV) uses an external IP address and port number. Data Server LAN IP Address (internal IP address)




4. Remote Collector Site Each multiple appliance site has the option of having up to 16 Remote Collector (RC) server appliances. Each RC is considered a site. RCs capture incoming events remotely. Remote collectors forward data collected to the enVision site (using the NIC Forwarder Service). (The Administrator sets up the remote collector's Forwarder parameters on the Modify Collector Service window in enVision.)

The RCs use the LS series appliances. See Appendix A Hardware Specifications in the Hardware Guide for the specifications for the LS series appliances.

Note: The total events per second (EPS) for all Collectors per site (per D-SRV) cannot exceed 30,000 EPS.

Important! Before you configure the RC, make sure that its master is configured, and up and running.


4. Remote Collector Site

Configuration Tasks The configuration process takes approximately 30 minutes to complete. You cannot change any of the site configuration options after the wizard is finished. The configuration tasks to configure an RC site are as follows:

Task Activity

1 Complete the Configuration Wizard Planning Worksheet - Multiple Appliance Site in this chapter.

2 Set up the RSA enVision appliance hardware. Complete the tasks in Chapter 5 Remote Collector Site in the Hardware Guide.

3 Connect to the RC appliance using a KVM switch.

The enVision Configuration Wizard starts automatically.






5 Verify the RC configuration on the RCs master sites A-SRV. See Verify the RC Configuration later in this chapter for complete instructions.

6 Configure the data forwarding scheduled task on the RCs master sites A-SRV. See Configure the Data Forwarding Task later in this chapter for complete instructions.

7 Test the configuration. See Test Configuration section later in this chapter for complete instructions.




Verify the RC Configuration

To verify the RC configuration on the master site's A-SRV:

1. Log in to enVision on the application server (A-SRV) of the master site.

2. Make sure that the RC is listed as a site:

a. Click OverviewSystem ConfigurationServicesSet Up Site Communication.

enVision displays the Set Up Site Communication window.

b. Make sure that the RC is listed as a site and the information displayed is correct.



Configure the Data Forwarding Task

To schedule the data forwarding task for the RC on the master site's A-SRV:

1. Complete the following steps to log in to enVision on the application server (A-SRV) of the master site:

a. Start your web browser.

b. Type http://address:8080 in the Address field, where address is the machine name or IP address of the A-SRV and 8080 is the port through which you access enVision.

For example, http://sunshine:8080 or http://10.10.30.140:8080.

c. Press Enter.

The system displays the Log In window.

d. Type your password and click Log In.

2. Click OverviewSystem ConfigurationServicesScheduler ServiceSchedule Task.

enVision displays the Schedule Task window.

3. Select the remote collector from the Site drop-down list.

enVision displays: NIC Forwarding (the data forwarding task).

By default, the data forwarding task runs every hour.

4. To specify when the data forwarding task is performed and how often, click Set Recurrence.

enVision displays the Set Recurrence window.

5. Complete the window and click Apply.

enVision displays the Schedule Task window.

6. Click Schedule.

enVision displays the task on the Manage Scheduled Tasks window.

7. Click Apply.

8. If the NIC Scheduler Service is not running, start the NIC Scheduler Service.



Test the Configuration

To test the configuration:

1. After the Data Forwarding task runs, from the A-SRV analyze the devices collected on the RC site.

2. Run a report (for example, Bandwidth Usage by Address) to analyze the devices collected. Important! When you select the time range of the report, the forwarded data is four hours old by default (and, at a minimum, one hour old).

3. Make sure that data was returned for your devices.



Configuration Wizard Planning Worksheet Remote Collector Site

Name the Site

Site Name

Selecting the site name is extremely important. Once you name the site, you cannot change the name. A valid site name is a unique, 2- to 11-character, alphanumeric string.



Node name for the appliance. For example, if your site name is Hartford, the appliance node name is Hartford-RC1.

NIC Windows domain name created for your site. The site name also becomes the name of the Windows domain created for your site, sitename.nic. For example, if your site name is Hartford, the Windows domain for the site is Hartford.nic.



Identify Appliance The default addresses for the site are:

LAN IP addressused to access the appliance on the LAN. Subnet maskused to determine to which subnet an IP address belongs. Gateway addressused to identify the computer that routes the traffic to the outside network.

If you want to override the default values, write the new values in the table.

Appliance Type

IP Address Subnet Mask Gateway Address

RC1 192.168.1.155 255.255.255.0 192.168.1.1

DNS Servers Identify the primary and secondary DNS servers on your network and options for the servers. enVision uses the DNS servers to resolve IP addresses found in events for reporting and alerting.


Primary

Secondary






_____ seconds



Time

Network Time Protocol (NTP)




Select NTP Servers


Local Site Time

Identify the time zone in which your site is located.

Time Zone

(While running the configuration wizard, you must confirm the current date and time in your selected time zone.)




Site to Site Connection Identify the master site, the site to which this site is connected.

Master Site Data Server (D-SRV) IP Address (external IP address)

Master Site Name


Indicate whether this sites database server (D-SRV) requires an external address and port number.

This sites data server (D-SRV) uses an external IP address and port number. Data Server LAN IP Address (internal IP address)




5. Next Steps After you complete the RSA enVision site configuration, you must set up the processing options in enVision. First you should plan how to set up the system to accomplish your security goals, policies, and requirements. See the enVision online Help for information on setting up and using the enVision analysis tools.

Set Up enVision Setting up enVision involves three sets of tasks:

I. Event source and vulnerability assessment (VA) tool configuration tasks. These are tasks that you perform outside of the enVision software.

II. Basic setup tasks. These tasks to set up the enVision software allow you to collect, report, and alert on events from supported event sources.

1. Set up event collection.

2. Set up vulnerability and asset management.

3. Set up system access permissions.

4. Set up views.

5. Set up Alerts module tools.

6. Schedule reports.

III. Optional setup tasks. These are tasks to set up additional features or processing options.

1. Set up data storage.

2. Set up data processing options.

3. Set up message handling.

4. Set up customized reporting.

5. Set up application display options.


5. Next Steps

See the enVision online Help for a list of the required reading topics for each task. Additional tasks may be required to perform the specific processing that you want.

To access Help within enVision:

1. Click OverviewBest Practices.

enVision displays the Best Practices menu and splash screen.

2. Select Help from the menu.

Log In to enVision You log in to enVision through a remote system, connecting to the enVision appliance (for multiple appliance sites, connect to the Application Server, A-SRV). Use one of two protocols to access the system, depending on how enVision has been configured:

HTTPS (Hypertext Transfer Protocol Secure), using default port 8443. HTTP (Hypertext Transfer Protocol), using default port 8080.

To log in to enVision:

1. Start your web browser.

2. Type https://address:port in the Address field, where:

address is the machine name or IP address of the machine on which the system is installed; for multiple appliance sites, this is the A-SRV (Application Server).

port is the port through which you access enVision. For example, https://sunshine: 8443 or sunshine: 8443 or https://10.10.10.10: 8443.

3. Press Enter.

When you connect through HTTPS, your browser may display certificate validation messages the first time you access enVision. (Depending on how server certificates are configured on the appliance, these messages may cite validation issues, such as, a host name mismatch between the server and its certificate.)

The system displays the Log In window.

4. Type your password and click Log In.

Immediately change your password to a more secure one after you log in to enVision. See the online Help for instructions.


5. Next Steps

enVision Client Software and Hardware Requirements The hardware and software requirements for running the enVision client software are:

Windows Macintosh

O/S Microsoft Windows 2000 or Windows XP

OS X 10.4.6

Browser Microsoft Internet Explorer v6.x

Mozilla Firefox 2.0 or later*

Mozilla Firefox 2.0 or later *

Java Plug-In Recommended: 1.5.x 1.1.0.0_13 Also Support: v1.4.2, v 1.4.1

1.5.x 1.1.0.0_13

Processor Minimum: P3:1Ghz or P4:1.8Ghz Athlon 1800+

Minimum: G5

RAM Minimum: 512 MB Minimum: 1 GB RAM

Network Minimum: 100baseTX Minimum: 100baseTX

Display Resolution Minimum: 1024x768 at 16 bit color Minimum:1024x768 at 16 bit color

* You cannot use Mozilla Firefox to view the Enterprise Dashboard tool.

Earlier versions of enVision automatically launched the Java Plug-In Installation. Because of the security constraints in the image for RSA enVision 3.5.0 and later, this no longer happens and you must install the JRE manually.

Pop-up blockers, ad banner blockers, and personal firewalls can all interfere with the launching of enVision, especially at first login. Make sure that you set up the blockers to allow enVision to operate normally, or disable these blockers. (You can disable pop-up blockers in your browser under Tools/Pop-Up Blocker or by clicking on the Pop-Ups icon). Configure personal firewalls to allow connections between the enVision client and appliance.

You must enable animation for web pages in your browser.

To enable animation for web pages in Microsoft Internet Explorer:

1. In the browser, click ToolsInternet Options. 2. In the Internet Options dialog box, click the Advanced tab.

3. Scroll to Multimedia and select the box Play animations in web pages.

4. Click OK.

5. Restart the browser.


5. Next Steps


Log Out of enVision To log out of the user interface:

Click Log Out in the bottom left-hand side of window.

enVision closes all open windows. All enVision services and processes continue to run without interruption.

Appendix A. Connect to the Appliance Using a Keyboard, Monitor, and Mouse

The first time you work with an appliance, you must connect using a Keyboard, Video and Mouse (KVM). You can continue to work using the KVM or you can use the Remote Controller Access utility. See Appendix C Remote Access Controller (DRAC) Utility for information on setting up the utility.

To connect to the appliance through KVM:

1. Connect the keyboard, monitor, and mouse to the appliance. You can connect from the USB connectors and the video connector on either the front or back panel.

2. If the appliance is off, turn on the power using the front panel.

See Chapter 2 Hardware Layout, in the Hardware Guide for diagrams of the front and back panel of the appliance.

RSA enVision 4.0 Configuration Guide A-1

Appendix B. Dell Remote Access Controller Utility This appendix describes how to configure enVision on your appliance from a remote location. To do this you must:

1. Set up the Dell Remote Access Controller (DRAC) utility.

2. Using a web browser, access the appliance from a remote location and configure enVision.

Ports Used by enVision for the DRAC Utility

Item Port Service Direction Appliance Type

DRAC HTTP 80

HTTPS 443

VNC proxy server 5900

Video VNC Port 5901

A random number larger than 32768 - RAC FW update through RAC GUI

Terminal Server (part of the appliance OS)

Dell Remote Access Card for OOB Management

Inbound and Outbound All

RSA enVision 4.0 Configuration Guide B-1

Appendix B. Dell Remote Access Controller Utility

Set Up the Remote Access Controller Utility To set up the Remote Access Controller utility:

1. Reboot the machine, and when prompted, press Ctrl-E to set up remote access.

The system displays the initial Remote Access Controller (setup utility) screen with several options. You only need to configure the options described in these instructions to configure enVision.

3. Highlight NIC Selection and press the spacebar to set NIC Selection to Dedicated.

4. Highlight the LAN Parameters option and press ENTER.

The setup utility opens a smaller screen with RCMP+ Encryption Key as the first option.

5. Highlight the IP Address Source option and use the plus (+) and minus () keys to select DHCP or Static.

If you are going to select DHCP, attach your network cable to a network that has DHCP or contact your network administrator.

If you select DHCP, the rest of the values are completed by the utility and you cannot change them.

If you select Static, the values for MAC Address VLAN ID are completed by the utility and you cannot change them, but you must specify a value for the following parameters:

i. Highlight Ethernet IP Address and enter a value in the right column.

ii. Highlight Subnet Mask and enter a value in the right column.

iii. Highlight Default gateway and enter a value in the right column.

iv. Highlight VLAN Enable and press the spacebar to set VLAN Enable to Off.

6. Press the Esc key to close the smaller screen.

7. Highlight the Advanced LAN Parameters option and press ENTER.

The setup utility opens the smaller DNS Configuration Options screen.



8. Depending on the IP Address Source option you selected in step 5, do one of the following:

If you selected DHCP, the DNS Configuration Options values are completed by the utility and you cannot change them.

If you selected Static, the DNS Server from DHCP option is set to Off by the utility and you cannot change it, but you must enter a value for the following options:

DNS Server1

DNS Server2

Register RAC Name (defaults to Off)

Domain name from DHCP (defaults to Off)

9. Press the Esc key twice.

The setup utility prompts you to do one of the following:

Save Changes + Exit, Discard Changes + Exit Return to Setup

10. Highlight Save Changes + Exit and press ENTER.

The setup utility finishes the boot process.




Access the Appliance from a Remote Location To access the appliance remotely:

1. Start a web browser and go to the Ethernet IP Address you specified in step 5 b of the Set Up the Remote Access Controller Utility procedure.

The system prompts you to proceed.

2. Click Yes.

The system displays the Remote Access Login window.

3. To log in:

a. Type root for username (all lower case letters).

b. Type calvin for password (all lower case letters).

c. Click OK.

(Change your password as soon as you can for security purposes.)

The utility displays the Remote Access Controller window.

4. Click the Console tab at the top of the window.

If this is your first time accessing the Remote Access Controller utility, the system prompts you to load the Console Redirection Plug-in.

5. Click Connect to access the enVision Configuration wizard.

6. Complete the configuration instructions for your type of appliance site as described in one of the following chapters:

Chapter 2. Single Appliance Site Chapter 3. Multiple Appliance Site Chapter 4. Remote Collector Site

Appendix C. Change Private RSA enVision Network IP Addresses

Use the instructions in this appendix only in multiple appliance sites if you are installing RSA enVision on pre-existing Celerra hardware and you want to maintain your IP address structure for this hardware.

To change the IP addresses in accordance with enVisions automatic IP address assignments:

1. Rename the IP address for each appliance after factory typing and before you start the set up tasks.

2. Change IPaddresses in the lsconfigurationwizard.cfg file to match the addresses you renamed on the appliances.

RSA enVision 4.0 Configuration Guide C-1

Appendix C. Changing Private enVision Network IP Addresses

Rename IP Address for Each Appliance before Setting Up Your Site

To rename the IP addresses for each enVision appliance at your site:

1. Access the appliance with a KVM (see Appendix A) or from a remote location (see Appendix B).

2. In Windows, select Network Connections/SWITCH/Internet Protocol Settings and click properties (SWITCH is the name of the interface).

3. Change the C class of the IP address (for example, change 10.203.2 to 10.0.0). You can use any value for the C class of the IP address, but enVision appends a value to each IP address as illustrated in the diagram below:


Appendix C. Changing Private enVision Network IP Addresses

Add Trusted Sites To allow enVision to install the application on the other nodes in your NIC domain, you must add trusted sites. If you do not do this, the enVision installation will fail.

To add trusted host so remote sites can access various appliances:

1. Open Internet Explorer.

2. Click ToolsInternet options and select Security tab.

3. Click the Local Intranet icon.

4. Select Sites radio button.

5. Type *://site-ip-address.* in the Add this web site to the zone section.

Where site-ip-address can consist of your IP Address naming conventions for the 1st octet and 2nd octet of the address, but you must use 1-255 for the 3rd octet. For example, *://10.203.1-255.*

6. Click AddCloseOK. The system closes Internet Options.

Change the IP Addresses in the Configuration Wizard to Match Renamed Appliance Addresses

Factory and system typing of your appliance is done before delivery. However, if you are reimaging your appliance, you must do this before you change IP addresses in enVision configuration wizard to match renamed appliance addresses.

To update the enVision configuration wizard for the renamed IP addresses:

1. When the configuration wizard starts automatically, click Cancel to stop the wizard.

2. Go to C:\WINDOWS\system32\drivers\etc. This folder contains the lsconfiguration.cfg file, the enVision configuration wizard.

3. Edit the SwIpBase=10.203.2 IP address in the lsconfiguration.cfg file so that the IP addresses of the enVision appliances match the newly renamed addresses. For example, change SwIpBase=10.203.2 to SwIpBase=10.0.0.

4. Save the edited lsconfiguration.cfg file.

5. Double-click E:\nic\4000\servername\bin lsconfiguratiuonwizard.exe to restart the configuration wizard so you can finish configuring enVision with the renamed IP addresses.

6. Ping each machine to make sure that the renamed IP addresses are correct.


1. IntroductionSite Deployment2. Single Appliance SiteConfiguration TasksNext StepsConfiguration Wizard Planning WorksheetSingle Appliance SiteName the SiteIP AddressIdentify External Storage DNS ServersTimeNetwork Time ProtocolLocal Site TimeExternal IP Address

3. Multiple Appliance SiteSite DeploymentMultiple Site DeploymentMaster/Slave RelationshipSite Access in the NIC DomainMultiple Appliance Site with Enhanced Availability

Configuration TasksNext StepsConfiguration Wizard Planning WorksheetMultiple Appliance SiteNIC DomainSiteName the SiteIdentify Appliances in the SiteIdentify External StorageDNS ServersTimeNetwork Time Protocol (NTP)

Local Site TimeSite to Site ConnectionData Server External IP Address

4. Remote Collector SiteConfiguration TasksVerify the RC ConfigurationConfigure the Data Forwarding TaskTest the Configuration

Configuration Wizard Planning WorksheetRemote Collector SiteName the SiteIdentify ApplianceDNS ServersTimeNetwork Time Protocol (NTP)Local Site TimeSite to Site ConnectionData Server External IP Address

5. Next StepsSet Up enVisionLog In to enVisionenVision Client Software and Hardware RequirementsLog Out of enVisionAppendix A. Connect to the Appliance Using a Keyboard, Monitor, and Mouse Appendix B. Dell Remote Access Controller UtilityPorts Used by enVision for the DRAC UtilitySet Up the Remote Access Controller UtilityAccess the Appliance from a Remote LocationAppendix C. Change Private RSA enVision Network IP AddressesRename IP Address for Each Appliance before Setting Up Your SiteAdd Trusted SitesChange the IP Addresses in the Configuration Wizard to Match Renamed Appliance Addresses

Date post:	22-Nov-2015
Category:	Documents
Upload:	steve-bunde
View:	37 times
Download:	4 times

RSA EnVision 4.0 Configuration Guide

Documents