Checkpoint Integrity Advanced Server User manual

Installation Guide
Installing, Configuring, and Maintaining Integrity Advanced Server
1-0276-0650-2006-04-07

Editor's Notes: ©2006 CheckPoint Software Technologies Ltd. All rights reserved.
Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement,
ConnectControl, Connectra, CoSa, Cooperative Security Alliance, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1,
Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle
Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecurRemote, SecurServer,
SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense,
SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker,
SofaWare, SSL Network Extender, TrueVector, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1
Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, Web Intelligence, ZoneAlarm, Zone
Alarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or
its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The
products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726 and 6,496,935 and may be protected
by other U.S. Patents, foreign patents, or pending applications.

Integrity Advanced Server Installation Guide iii
Contents
Chapter 1: Integrity Advanced Server Overview
Integrity Advanced Server system components
System requirements
Single host deployments
Clustered Integrity Advanced Server
Integrity Advanced Server communications
Integrity Advanced Server services and ports
IAS services details
Chapter 2: Installing and Configuring the Integrity Advanced Server
Clustering Integrity Advanced Servers
Backing up an existing installation
Upgrading and Migrating Integrity Advanced Server
Performing a New Integrity Advanced Server Installation
Configuring the databases and gathering information
Synchronizing Clocks
Running the Installer
Installation Information
Installation types
Server Type
Server Properties
Domain Options
Clustering Options
Clustering Information
Database Information
Setting Client Languages
Completing the installation
Configuring the RADIUS Server
Prerequisites
Updating the configuration file
Configuring the properties file
Copying the files to the cluster
Configuring Integrity Advanced Server Cluster Load Balancer
Setting up the virtual server
Setting status verification
Using Integrity with a proxy server
Updating the logo
Chapter 3: Starting and Stopping Integrity Advanced Server
Managing a Windows Setup
Stopping, starting, and resetting the services
Managing a Linux Setup
Starting, stopping, and restarting the Integrity Advanced Server
Starting, stopping, and restarting the Apache server
Chapter 4: Migrating Data
Understanding Data Migration
Migrated data
Data that is not migrated
Migrating your Data
Running the Installer
Completing the Migration Pages
Redeploy policies to users
Chapter 5: Setting Up System Event Logs
Understanding events and logging
Recommended event logs
Using SNMP with Integrity
General Information
Trap Formats
Managing events
Creating and editing events
Deleting event
Sending Logs to the SmartCenter Server
Configuring SmartDashboard
Configuring Integrity Advanced Server
Creating a Custom Query
Chapter 6: Testing Integrity Advanced Server
Setting up the Integrity Advanced Server test
Logging on to the Integrity Advanced Server Administrator Console
Creating a custom user catalog
Performing the Integrity Advanced Server Tests
Create, deploy, and assign a new policy to the client
Verifying the Integrity Advanced Server session on the Integrity client
Chapter 7: Maintaining Integrity Advanced Server
Monitor your database tablespace
Update your database statistics
Optimize query performance
Monitor your disk space
Index

Chapter 1
Integrity Advanced Server Overview
This chapter describes Integrity Advanced Server components and communications.
“Integrity Advanced Server system components,” on page 2
“Integrity Advanced Server communications,” on page 4

Integrity Advanced Server system components
This section provides an overview of the Integrity Advanced Server system components.
Integrity Advanced Server is scalable and can be deployed on one host in smaller
environments or clustered in a server farm on many hosts to support a high volume of
connections in a larger environment.
System requirements
For information about Integrity Advanced Server system requirements, see the Integrity
Advanced Server System Requirements Document on the Check Point Web site.
Single host deployments
Figure 1-1 shows the Integrity Advanced Server system installed on a single host and
configured with the additional components required to operate the system. The
Integrity Advanced Server system components are:
1. Integrity Advanced Server with a configured Apache httpd server
2. Integrity clients (Integrity Flex and/or Integrity Agent)
3. RADIUS server (optional)*
4. Database server*
Figure 1-1: Single Integrity Advanced Server host configuration

Clustered Integrity Advanced Server
Figure 1-2 shows the Integrity Advanced Server system cluster. In a distributed
installation, Integrity Advanced Server is installed on several different hosts and
configured with the additional components required to operate the system.
The additional system components are:
Load balancer: Routes traffic to/from Integrity Advanced Server.
NTP server (Optional): An internal or external server that ensures all Integrity
Advanced Server hosts have the same time and date.
* These components are not supplied as part of the Integrity Advanced Server distribution, and
must be obtained from a third party. You may use a RADIUS server, or use the Integrity
Advanced Server’s Administrator Authentication feature for authentication.
Use the instructions in Chapter 2, “Installing and Configuring the Integrity
Advanced Server” to set up all Integrity Advanced Server nodes in a cluster.
Differences between single and clustered configurations are noted.
Figure 1-2: Clustered Integrity Advanced Server Configuration

Integrity Advanced Server communications
This section explains the internal and external communication protocols and ports
used by the Integrity Advanced Server and the Apache httpd server.
Integrity Advanced Server operations are implemented by separate Integrity services.
An Apache httpd server proxies requests to these services from entities external to
Integrity Advanced Server, such as Integrity clients or administrators logging on to
Integrity Advanced Server from remote computers. The Apache httpd server acts as a
single point of entry, managing requests using SSL, file caching, UDP, and/or TCP
socket off loading functionality (see page 4).
This service and proxy configuration enables Integrity Advanced Server to be set up in
a highly scalable and fault-tolerant clustered environment.
Integrity Advanced Server services and ports
The diagram below represents the services that make up Integrity Advanced Server and
shows which ports the services use.
The services are divided into two types:
Client services allow an Integrity client to get configuration information, policies,
and communicate session state information.
Administration services allow administrators to create groups and users; manage
policies; manage system configuration; and perform other administrative tasks.
Integrity Advanced Server uses the ports listed below to communicate with
Integrity clients. Make sure these ports are all available on the Integrity
Advanced Server:
80
443
6054

Figure 1-3: Integrity Advanced Server services and ports

IAS services details
The table below lists the individual services that make up the Integrity Advanced
Server. The Configuration name is the parameter name of the service in the Integrity
Advanced Server and Apache httpd server configuration files. The URL is the service
location information embedded in the request from the client that allows the Apache
httpd server to proxy requests.
| Service name | Configuration name | URL | Description |
|---|---|---|---|
| Connection Manager | service.enable.connectionManager | /cm/* | Synchronizes with the server. The Connection Manager service allows the endpoint to establish a session, verify endpoint state information, and get information needed to download the current policy and configuration. It can also end a previously synchronized session with the endpoint. Also sends heartbeats to communicate policy or state changes. |
| Policy download | service.enable.policy | /policy/* | Policy download service. |
| Log upload | service.enable.logUpload | /logupload/* | Provides the mechanism endpoint computers use to upload client log files. |
| Program permission | service.enable.logUpload | /ask/* | Provides the mechanism endpoint computers use to upload client log files. |
| Sandbox server | service.enable.sandBox | /sandbox/* | Serves remediation Web pages to non-compliant, authenticated endpoint users. |
| Package Manager | service.enable.package | /package/* | Serves the client installer packages that install an Integrity client on an endpoint computer. |
| Administrator Console | service.enable.adminConsole | / | Serves the user interface that allows administrators to manage the Integrity Advanced Server. |
Table 1-1: Description of Integrity Services
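The URL prefixes in Table 1-1 can be used to attribute Apache access-log entries to the Integrity service behind each request, for example to see which clients reach the Administrator Console. The following is an added example, not part of the original manual or of the product; it assumes the access log uses the Apache Common Log Format and that "/" acts as the catch-all for paths no other prefix matches, and the sample log lines are constructed.

```python
import re
from collections import Counter

# URL prefixes and service names copied from Table 1-1.
SERVICE_PREFIXES = [
    ("/cm/", "Connection Manager"),
    ("/policy/", "Policy download"),
    ("/logupload/", "Log upload"),
    ("/ask/", "Program permission"),
    ("/sandbox/", "Sandbox server"),
    ("/package/", "Package Manager"),
]
# Table 1-1 lists "/" for the Administrator Console. Treating it as the
# catch-all for every other path is an assumption of this example.
ADMIN_CONSOLE = "Administrator Console"

# Assumed log layout: Apache Common Log Format.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})\b')

# Constructed sample lines: the addresses and the path segments after each
# prefix are made up for illustration.
SAMPLE_LOG = """\
10.0.5.21 - - [07/Apr/2006:10:00:01 +0000] "POST /cm/sync HTTP/1.1" 200 512
10.0.5.21 - - [07/Apr/2006:10:00:02 +0000] "GET /policy/current?id=7 HTTP/1.1" 200 20480
10.0.5.34 - - [07/Apr/2006:10:00:05 +0000] "POST /logupload/client.log HTTP/1.1" 200 0
10.0.5.34 - - [07/Apr/2006:10:00:09 +0000] "POST /ask/program HTTP/1.1" 200 64
10.0.9.8 - - [07/Apr/2006:10:01:00 +0000] "GET /sandbox/remediate.html HTTP/1.1" 200 4096
10.0.9.8 - - [07/Apr/2006:10:01:30 +0000] "GET /package/setup.exe HTTP/1.1" 200 9000000
192.0.2.50 - - [07/Apr/2006:10:02:00 +0000] "GET /login HTTP/1.1" 200 2048
malformed line without a request
"""


def classify_path(path):
    """Return the Integrity service name for a request path."""
    path = path.split("?", 1)[0]  # ignore the query string when matching
    for prefix, service in SERVICE_PREFIXES:
        if path.startswith(prefix):
            return service
    return ADMIN_CONSOLE


def parse_line(line):
    """Return (client, method, path, status) or None if the line is not CLF."""
    match = CLF.match(line)
    if not match:
        return None
    client, method, path, status = match.groups()
    return client, method, path, int(status)


def summarize(lines):
    """Count requests per service and collect Administrator Console clients."""
    by_service = Counter()
    admin_clients = set()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1  # keep a count so damaged log lines are noticed
            continue
        client, _method, path, _status = parsed
        service = classify_path(path)
        by_service[service] += 1
        if service == ADMIN_CONSOLE:
            admin_clients.add(client)
    return {
        "by_service": by_service,
        "admin_clients": admin_clients,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for service, count in sorted(report["by_service"].items()):
        print(f"{service:22} {count}")
    print("Administrator Console clients:", sorted(report["admin_clients"]))
    print("Unparsed lines:", report["unparsed"])
```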

Chapter 2
Installing and Configuring the Integrity
Advanced Server
This chapter describes the configuration and installation steps you need to perform to
get your Integrity Advanced Server system up and running. It contains the following
topics:
“Clustering Integrity Advanced Servers,” on page 7
“Backing up an existing installation,” on page 7
“Upgrading and Migrating Integrity Advanced Server,” on page 8
“Performing a New Integrity Advanced Server Installation,” on page 8
“Configuring the databases and gathering information,” on page 9
“Synchronizing Clocks,” on page 12
“Running the Installer,” on page 13
“Installation Information,” on page 14
“Configuring the RADIUS Server,” on page 18
“Configuring Integrity Advanced Server Cluster Load Balancer,” on page 20
“Using Integrity with a proxy server,” on page 22
“Updating the logo,” on page 23
Clustering Integrity Advanced Servers
When deploying a cluster of Integrity Advanced Servers, you should first configure
and test a single Integrity Advanced Server. After you confirm that the single server
is functioning properly, install and configure Integrity Advanced Server on the
remaining nodes of the cluster. When deploying a clustered environment, make sure
that all the node clocks are synchronized. Instructions specific to clustered
environments are given where appropriate in this document.
Backing up an existing installation
If you are upgrading from an existing Integrity installation, back up the current
installation before you install the new version.

To back up your Integrity installation:
1. Make a copy of the entire home directory and save it to a safe location.
The default is C:\Program Files\Zone Labs\Integrity for 5.x versions and
C:\Program Files\CheckPoint\Integrity for 6.x versions.
2. Back up your database.
If your installation includes an embedded database, your backup is already
complete.
If your installation uses a third-party database, use the preferred vendor-specific
tool to back up the database.
Upgrading and Migrating Integrity Advanced Server
You can preserve some of the data from a previous installation of Integrity Advanced
Server.
Integrity Advanced Server supports two methods of changing from an earlier to a later
version of Integrity Advanced Server:
Upgrading —To upgrade from 6.0.448.01 and later versions, select the Upgrade
option in the installer. You will later be prompted to choose a location. Specify the
current location of your Integrity installation.
Migrating —To change to a higher version from an Integrity Advanced Server 5.x
installation, you must install the new Integrity Advanced Server and migrate your
data. See Chapter 4, Migrating Data, for more information. You can only migrate
from versions that are 5.1 or later but prior to 6.0.
No other upgrades are supported.
Performing a New Integrity Advanced Server Installation
Use the steps in this chapter to perform a new Integrity Advanced Server installation.
To install and configure the Integrity Advanced Server:
1. Gather the database information and configure your databases.
See “Configuring the databases and gathering information,” on page 9.
2. Synchronize clocks.
See “Synchronizing Clocks,” on page 12.
3. Run the Integrity Installer.
See “Running the Installer,” on page 13.
4. Configure the RADIUS server (optional).
See “Configuring the RADIUS Server,” on page 18.
5. Configure load balancing (clustering only).
See “Configuring Integrity Advanced Server Cluster Load Balancer,” on page 20.
6. Customize the logo (optional).
See “Updating the logo,” on page 23.
Before upgrading Integrity Advanced Server, you should first back up your existing
installation. See “Backing up an existing installation,” on page 7.
Configuring the databases and gathering information
The Integrity Advanced Server stores operational and logging information in a
database. Before you configure Integrity Advanced Server, configure your database and
gather the necessary information.
To ensure good performance, you may have to periodically perform database
maintenance. For more information about maintaining your database, see Chapter 7,
“Maintaining Integrity Advanced Server.”
You can use any of the following databases with Integrity Advanced Server:
Database Version JDBC version
IBM DB2 ES 3.1 8.1.7 Bundled with the DB2 installation
Oracle 9.2.0.4.0 ojdbc14.zip (download from Oracle)
SQL Server 2000 SP3a SQL Server Driver for JDBC SP3 (download
from Microsoft)
JDataStore
(Embedded) 7.2 Bundled with JDataStore
If you are using a single server, instead of a clustered system, you can choose to use
the embedded database. If you use the embedded database, it will be automatically
configured by the Integrity Advanced Server Installer and you can skip the steps in
this section.
If you are using a clustered environment, you will need to configure the maximum
connections allowed by the database according to how many Integrity Advanced
Servers you are using. By default, each Integrity Advanced Server uses a maximum
of 150 JDBC connections at peak load, so you should configure your database to
allow 150 * n connections, where ‘n’ is the number of Integrity Advanced Servers in
your cluster.

To configure IBM DB2:
1. Create your database.
Be sure to specify the UTF-8 character set.
2. Record the database server host name.
3. Record your database port for connections with the Integrity Advanced Server.
4. Create the Integrity Advanced Server database name.
The preconfigured database name in Integrity Advanced Server is iss_main.
5. Record the database username and password for the Integrity Advanced Server.
To configure Oracle 9i:
1. Create your database.
Be sure to specify the UTF-8 character set.
2. Record the database server host name.
3. Record your database port for connections with the Integrity Advanced Server.
4. Create a user with the name ‘iss_main’ with a matching schema name.
5. Assign the user the ‘CONNECT’ and ‘RESOURCE’ roles and grant the following
system privileges:
QUERY REWRITE
ALTER ANY PROCEDURE
CREATE ANY PROCEDURE
DROP ANY PROCEDURE
EXECUTE ANY PROCEDURE
UNLIMITED TABLESPACE
6. In the Enterprise Manager Console, in Network | Databases | <database name> |
Instance | Configuration set the following parameters:
QUERY_REWRITE_INTEGRITY = TRUSTED
QUERY_REWRITE_ENABLED = TRUE
NLS_SORT= <blank>
7. Record the database username and password for the Integrity Advanced Server.
Use a host name rather than an IP address to specify your database. This allows you
to later change your database.
To configure SQL Server:
1. Create your database.
2. Record your database server host name.
3. Record your database port for connections with the Integrity Advanced Server.
4. Create a database login.
The database login must have the following roles:
public
db_owner
ddl_admin
db_datareader
db_datawriter
5. Create the Integrity Advanced Server database names.
The preconfigured database name in Integrity Advanced Server is iss_main.
6. Use the Enterprise Manager (found in the properties for the server instance) to set
your authentication types.
In order for the JDBC drivers to log in correctly, your SQL Server security must be
set up to handle both SQL authentication and Windows authentication (Mixed
Mode). The JDBC drivers use a SQL authenticated user and password and will not
be able to connect if SQL Server is configured for Windows security authentication
only.
7. Set the recovery model to simple.
By default, SQL Server Enterprise uses “FULL” recovery mode. This means that all
transactions are logged until the database is backed up. This requires a log file
that is at least as large as the database file. As an alternative it is recommended
that you set the SQL Server recovery mode to Simple. Setting the recovery mode to
simple truncates the log at certain intervals. Be aware that if you choose to set the
recovery mode to simple and a server crashes, the data can only be recovered to
the last full or differential backup.
a. Open the SQL Server Enterprise Manager.
b. Highlight the Integrity database.
c. Right-click on the entry and select Properties.
d. Click the Options tab.
e. For Model, select Simple.
f. Click OK.
Alternatively, you can also set the recovery mode to simple using the following
command:
exec sp_dboption N'integrity', N'trunc. log', N'true'
8. Record the database username and password for Integrity Advanced Server.
Use a host name rather than an IP address to specify your database. This allows you
to later change your database.
The database login must not have the system administrator role.
Synchronizing Clocks
It is recommended that you synchronize the clocks on the Integrity Advanced Server
with those on your database. If you are using clustering, you must synchronize all
nodes on the cluster.
To synchronize clocks in Linux:
1. Use the ntpdate command to synchronize with public network time protocol (NTP)
servers every 15 minutes.
$ ntpdate <primary NTP server> <secondary NTP server>
To synchronize clocks in Windows:
1. Use a third party synchronization tool to synchronize with NTP servers every 15
minutes.
Perform this tuning operation during intervals that do not affect the performance of your
Integrity environment.

Running the Installer
The Integrity Advanced Server installers use wizards to help you to install and
configure your Integrity Advanced Server. There is a wizard for Windows installations
and a wizard for Linux installations. Choose the installer appropriate for your system.
The Integrity Advanced Server Installer for Windows
To run the Integrity Advanced Server Installer for Windows
1. Double click the ISSetup_X_X_XXX_X.exe file.
The Integrity Advanced Server Installer for Windows starts.
2. Follow the instructions in the wizard to complete your installation. See
“Installation Information,” on page 14 for help in completing the wizard.
The Integrity Advanced Server Installer for Linux
To run the Integrity Advanced Server Installer for Linux
1. Log in as root.
[root@localhost /] #
2. Change the permissions on the ISSetup_X_X_XXX_X.bin file.
[root@localhost /usr/local] chmod +x ISSetup_X_X_XXX_X.bin
3. Run the ISSetup_X_X_XXX_X.bin file.
The Integrity Advanced Server Installer for Linux starts.
4. Follow the instructions in the wizard, entering the information for your installation.
See “Installation Information,” on page 14 for help in completing the wizard.
To go back to the previous step, type ‘back’.
The installers create the following directories:
| Directory | Description |
|---|---|
| apache2/ | Contains the pre-configured Integrity Apache server |
| apache2/conf | Apache configuration |
| apache2/conf/ssl | Apache ssl configuration and certificates |
| engine/ | Contains Integrity Service |
| engine/jdk | The location of the Java JVM |
| engine/webapps/ROOT | The location of the Integrity Web application |
| engine/webapps/ROOT/bin | The location where some of the server utilities are hosted |
| logs/ | All Apache, Tomcat, and Integrity logs. When monitoring a server, all log files in this directory should be monitored. |
Table 2-1:
By default the directories are created in usr/local/checkpoint/integrity.

Installation Information
Use the following information to complete the installation wizards.
Installation types
The installers give you a choice of the following installation types:
New Installation—Use this option to install Integrity Advanced Server without
clustering or to set up the first server in a cluster.
Import data from existing Integrity 5.x system—Use this option to import data
from an Integrity 5.x server after a successful installation. You will be
prompted for import information after logging into the newly-installed system.
See Chapter 4, Migrating Data, for more information about upgrading from 5.x
versions.
Upgrade from 6.x—Use this option to upgrade from version 6.0.448.001 or later.
Make sure you have backed up your system before choosing this option. See
“Backing up an existing installation,” on page 7.
Join Cluster Installation—Use this option to install Integrity Advanced Server for
joining with an existing cluster.
Server Type
There are two server types:
Integrity Advanced Server—Choose this option if you want clustering. Integrity
Advanced Server can function as either a single or multiple domain installation.
Integrity Server—Choose this option for a single domain installation without
clustering.

Server Properties
Enter the properties for your local server.
Local Host IP Address—Enter the IP address or host name of the local server
machine that the server will run on. If the machine has multiple NIC cards, then
you must provide an IP address for the NIC card you use.
External Host IP Address—Enter the external IP address that is used by the
Integrity clients to connect to the server. In the case of a clustered installation, this
IP address can be the load balancer’s IP address.
External Host Name—Enter the host name that maps to the external IP address.
This field is used in browser URLs and to create the certificate. This field can be
the IP address.
Heartbeat port—Enter the UDP heartbeat port.
Domain Options
Single Domain—Single domain Integrity Advanced Server installations can only
have one domain segment for all administrators, user directories, and policies.
Multiple Domains—Multiple domain Integrity Advanced Server installations can
have multiple data segments for different administrators, user directories, and
policies. You can use this feature to create virtual grouping for users to reflect
company branches, sub-organizations, etc. Each domain can have its own security
policies and system administrators can assign local administrators to each domain.
Clustering Options
Enable Clustering—Choose this option to enable a clustered installation with
multiple servers.
Clustering Information
Use the following information to complete the clustering information for your
implementation.
Clustering Multicast Addresses—These addresses are used for session replication and
server to server communication in a cluster. Multicasting allows the servers to find
each other dynamically in a cluster. Valid addresses are in the range: 224.0.0.0 to
239.255.255.255. The default is usually sufficient.
Clustering Ports—These ports are used on the servers for multicasting.
If you use an IP address instead of a host name, you will not be able to change the
IP address.
If you intend to use clustering and have only one server you can enable this option
now and later install additional servers.