agent install guidedownload01.norman.no/enterprise_security_suite/docs/8.2/... · 2015. 3. 15. ·...

Agent Install GuideNorman Enterprise Security 8.2

Norman Enterprise Security

- 2 -

- 3 -

NoticesVersion InformationNorman Enterprise Security Agent Install Guide - Norman Enterprise Security Version 8.2 - Published:January 2015Document Number: 02_017M_8.2_15082111

Copyright Information

Lumension Security, Inc.8660 East Hartford Drive, Suite 300Scottsdale, AZ 85255

Copyright© 1999-2014; Lumension Security, Inc.; all rights reserved. Covered by one or more ofU.S. Patent Nos. 6,990,660, 7,278,158, 7,487,495, 7,823,147, 7,870,606, and/or 7,894,514; otherpatents pending. This manual, as well as the software described in it, is furnished under license. No partof this manual may be reproduced, stored in a retrieval system, or transmitted in any form – electronic,mechanical, recording, or otherwise – except as permitted by such license.

LIMITATION OF LIABILITY/DISCLAIMER OF WARRANTY: LUMENSION SECURITY, INC. (LUMENSION)MAKES NO REPRESENTATIONS OR WARRANTIES WITH REGARD TO THE ACCURACY OR COMPLETENESSOF THE INFORMATION PROVIDED IN THIS MANUAL. LUMENSION RESERVES THE RIGHT TO MAKECHANGES TO THE INFORMATION DESCRIBED IN THIS MANUAL AT ANY TIME WITHOUT NOTICE ANDWITHOUT OBLIGATION TO NOTIFY ANY PERSON OF SUCH CHANGES. THE INFORMATION PROVIDED INTHIS MANUAL IS PROVIDED “AS IS” AND WITHOUT WARRANTY OF ANY KIND, INCLUDING WARRANTIESOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE INFORMATION PROVIDED INTHIS MANUAL IS NOT GUARANTEED OR WARRANTED TO PRODUCE ANY PARTICULAR RESULT, AND THEADVICE AND STRATEGIES CONTAINED MAY NOT BE SUITABLE FOR EVERY ORGANIZATION. NO WARRANTYMAY BE CREATED OR EXTENDED WITH RESPECT TO THIS MANUAL BY SALES REPRESENTATIVES ORWRITTEN SALES MATERIALS. LUMENSION SHALL NOT BE LIABLE TO ANY PERSON WHATSOEVER FORANY LOSS OF PROFIT OR DATA OR ANY OTHER DAMAGES ARISING FROM THE USE OF THIS MANUAL,INCLUDING BUT NOT LIMITED TO DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHERDAMAGES.


- 4 -

Trademark Information

Lumension®, Lumension® Endpoint Management and Security Suite, Lumension® Endpoint ManagementPlatform, Lumension® Patch and Remediation, Lumension® Enterprise Reporting, Lumension® SecurityConfiguration Management, Lumension® Content Wizard, Lumension® Risk Manager, Lumension®

AntiVirus, Lumension® Wake on LAN, Lumension® Power Management, Lumension® Remote Management,Lumension® Scan™, Lumension® Application Control, Lumension® Device Control, Lumension® EndpointSecurity, Lumension® Intelligent Whitelisting, PatchLink®, PatchLink® Update™, their associated logos, andall other Lumension trademarks and trade names used here are the property of Lumension Security, Inc.or its affiliates in the U.S. and other countries.Norman®, Norman SandBox®, Norman Virus Control®, the Norman product and service names, theirassociated logos, and all other Norman trademarks and trade names used here are the property ofNorman ASA in the U.S., the European Union, and other countries.RSA Secured® is a registered trademark of RSA Security Inc.Apache is a trademark of the Apache Software Foundation.In addition, any other companies' names, trade names, trademarks, and products mentioned in thisdocument may be either registered trademarks or trademarks of their respective owners.

Table of Contents

- 5 -

Table of Contents

Preface: About This Document.................................................................................................................... 7Typographical Conventions..............................................................................................................................................................................7Contacting Norman.............................................................................................................................................................................................8

Chapter 1: Agent Requirements................................................................................................................ 11Supported Endpoint Operating Systems................................................................................................................................................. 11

Windows Endpoint Operating Systems.............................................................................................................................................12Mac Endpoint Operating Systems.......................................................................................................................................................13Linux Endpoint Operating System.......................................................................................................................................................14UNIX Endpoint Operating System.......................................................................................................................................................15

Supported Endpoint Browsers..................................................................................................................................................................... 16Windows Endpoint Requirements...............................................................................................................................................................16Mac, Linux, or UNIX Endpoint Requirements........................................................................................................................................ 18Agent Locales and Internationalization....................................................................................................................................................20Supported Endpoint Module Operating Systems................................................................................................................................21

Windows Endpoint Supported Modules.......................................................................................................................................... 21Linux, Unix, and Mac Supported Modules...................................................................................................................................... 22

Chapter 2: Understanding Agent Installation..........................................................................................23The Norman ESEC Agent Workflow.......................................................................................................................................................... 23Understanding Agent Installation Methods........................................................................................................................................... 25

Chapter 3: Installing the Agent on Windows.......................................................................................... 27Windows Installation Methods.................................................................................................................................................................... 27Agent Management Job for Windows..................................................................................................................................................... 27

Agent Management Job Checklist...................................................................................................................................................... 28Port and ICMP Requirements for an Agent Management Job............................................................................................... 29Configuring Windows XP or Windows Server 2003 Endpoints.............................................................................................. 30Configuring Vista or Later Endpoints................................................................................................................................................ 39Configuring the Norman ESEC Server for Discovery Scanning...............................................................................................48Installing Agents by Agent Management Job............................................................................................................................... 49

Command Line for Windows........................................................................................................................................................................68Command Line Workflow for Windows............................................................................................................................................68Downloading the Installer.......................................................................................................................................................................69Silently Installing the Agent by Command Line for Windows................................................................................................ 71

Install of the Agent for Windows Manually........................................................................................................................................... 74Manual Install Workflow for Windows..............................................................................................................................................75Downloading the Installer.......................................................................................................................................................................75Manually Installing the Agent for Windows................................................................................................................................... 77

Chapter 4: Installing the Agent on Mac...................................................................................................81Mac Installation Methods...............................................................................................................................................................................81Installing Java Runtime Environment........................................................................................................................................................ 82Command Line Workflow for Mac.............................................................................................................................................................83

Downloading the Installer.......................................................................................................................................................................84Installing the Agent by Command Line for Mac.......................................................................................................................... 86


- 6 -

Silent Install by Command Line for Mac..........................................................................................................................................91Agent Installer Workflow for Mac.............................................................................................................................................................. 95

Downloading the Installer.......................................................................................................................................................................96Manually Installing the Agent for Mac............................................................................................................................................. 98

Chapter 5: Installing the Agent on Linux or UNIX................................................................................103Linux and UNIX Installation Method...................................................................................................................................................... 103Installing Java Runtime Environment......................................................................................................................................................104Command Line Workflow for Linux or UNIX...................................................................................................................................... 105

Downloading the Installer.................................................................................................................................................................... 106Installing the Agent by Command Line for Linux or UNIX.................................................................................................... 108Silent Install by Command Line for Linux or UNIX................................................................................................................... 110

Appendix A: Upgrading Agents...............................................................................................................115Agent Upgrade on Windows..................................................................................................................................................................... 115

Upgrading Agents From the Web Console.................................................................................................................................. 115Agent Upgrade on Mac, Linux, or UNIX............................................................................................................................................... 118

Upgrading Agents by Command Line for Mac, Linux, or UNIX........................................................................................... 118

Appendix B: Uninstalling Agents............................................................................................................ 121Agent Uninstall on Windows..................................................................................................................................................................... 121

Uninstalling the Agent by Agent Management Job................................................................................................................. 121Uninstalling the Agent on Windows............................................................................................................................................... 133

Agent Uninstall on Mac, Linux, or UNIX............................................................................................................................................... 136Uninstalling the Agent for Mac, Linux, or UNIX......................................................................................................................... 137

- 7 -

Preface

About This Document

This Agent Install Guide is a resource written for all users of Norman Enterprise Security 8.2. Thisdocument defines the concepts and procedures for installing, configuring, implementing, and usingNorman Enterprise Security 8.2.

Tip: Norman documentation is updated on a regular basis. To acquire the latest version of this or anyother published document, please refer to the Norman User Manuals page at http://www.norman.com/support/user_manuals/.

Typographical ConventionsThe following conventions are used throughout this documentation to help you identify variousinformation types.

Table 1: Typographical Conventions

Convention Usage

bold Buttons, menu items, window and screen objects.

bold italics Wizard names, window names, and page names.

italics New terms, options, and variables.

MONOSPACE UPPERCASE Keyboard keys.

BOLD UPPERCASE SQL Commands.

monospace File names, path names, programs, executables, command syntax, andproperty names.

http://www.norman.com/support/user_manuals/




- 8 -

Contacting NormanHeadquarters

Norman ASAP.O. Box 43N-1324 Lysaker, NorwayTel: +47 67 10 97 00Fax: +47 67 58 99 40E-mail: [email protected] (To be used if you want to contact Norman HQ)Web: www.norman.com

Denmark

Norman Data Defense Systems A/SBlangstedgårdsvej 1, DK-5220 Odense SØTel: +45 7025 3508Fax: +45 6590 5102Email: [email protected]: www.norman.com/dk

Spain

Norman Data Defense SystemsCamino Cerro de los Gamos 1, Edif.128224 Pozuelo de Alarcón MADRIDTel: +34 917 90 11 31Fax: +34 917 90 11 12Email: [email protected]: www.norman.com/es

France

Norman France8 Rue de Berri, F-75008 ParisTel: +33142999509Fax: +33142999501Email: [email protected]: www.norman.com/fr

Sweden

Norman Data Defense Systems ABNorrköping Science Park, S-602 86 NorrköpingTel: +46 11 230 330Fax: +46 11 230 349Email: [email protected]: www.norman.com/se

Germany

Norman Data Defense Systems GmbHZentrale, Gladbecker Str. 3, D-40472 DüsseldorfTel: +49 0211 586 99-0Fax: +49 0211 586 99-150Email: [email protected]: www.norman.com/de

Switzerland

Norman Data Defense Systems AGMünchensteinerstrasse 43, CH-4052 BaselTel: +41 61 317 25 25Fax: +41 61 317 25 26Email: [email protected]: www.norman.com/ch

mailto:[email protected]

http://www.norman.com


http://www.norman.com/dk


http://www.norman.com/es


http://www.norman.com/fr


http://www.norman.com/se


http://www.norman.com/de


http://www.norman.com/ch

Preface

- 9 -

Italy

Norman Data Defense SystemsMilano San Felice, Strada 2, Torre 120096 Pioltello (MI)Tel: +39 02 7030 5479Fax: +39 02 7030 5480Email:[email protected]: www.norman.com/it

United Kingdom

Norman Data Defense Systems (UK) LtdCBXII, West Wing, 382-390 Midsummer BoulevardCentral Milton Keynes, MK9 2RGTel: +44 1908 847413Fax: +44 870 1202901Email:[email protected]: www.norman.com/en-uk

Netherlands

Norman SHARK B.V.Postbus 159, 2130 AD HoofddorpTel: +31 23 78 90 222Fax: +31 23 56 13 165Email: [email protected]: www.norman.com/nl

United States

Norman Data Defense Systems Inc.9302 Lee Highway, Suite 950A,Fairfax, Virginia 22031Tel: +1 703 267-6109Fax: +1 703 934-6368Email: [email protected]: www.norman.com/en-us

Norway

Norman ASA(Headquarter and sales Norway / Hovedkontor og salg Norge)Visit: Strandveien 37, LysakerMail: PO Box 43, N-1324 LysakerTel: +47 67 10 97 00Fax: +47 67 58 99 40Email: [email protected]: www.norman.com/no

For additional contact information, please visit the Norman offices page at http://www.norman.com/about_norman/contact/information/offices/.

Norman Technical SupportFor a list of contact information for Norman Support, please visit the Contact support page at http://contact-support.norman.com/


http://www.norman.com/it


http://www.norman.com/en-uk


http://www.norman.com/nl


http://www.norman.com/en-us


http://www.norman.com/no

http://www.norman.com/about_norman/contact/information/offices/

http://www.norman.com/about_norman/contact/information/offices/

http://contact-support.norman.com/

http://contact-support.norman.com/


- 10 -

- 11 -

Chapter

1Agent Requirements

In this chapter:

• Supported Endpoint OperatingSystems

• Supported Endpoint Browsers• Windows Endpoint Requirements• Mac, Linux, or UNIX Endpoint

Requirements• Agent Locales and

Internationalization• Supported Endpoint Module

Operating Systems

The Norman Enterprise Security Agent is supported on avariety of operating systems and platforms. Before installingthe agent on an endpoint, ensure that system meets the agentrequirements.Your endpoints must meet the hardware and softwarerequirements for the Norman Enterprise Security Agent. Thefollowing sections include system requirements that you shouldverify prior to installing the Norman ESEC Agent. The completelist of requirements are listed in the following topics:

• Supported Endpoint Operating Systems on page 11• Supported Endpoint Browsers on page 16• Windows Endpoint Requirements on page 16• Mac, Linux, or UNIX Endpoint Requirements on page 18• Agent Locales and Internationalization on page 20

Supported Endpoint Operating SystemsNorman Enterprise Security Agent functionality is supported on a variety of operating systems.

The agent is supported on endpoints that contain one of the supported endpoint operating systemtypes:

• Windows Endpoint Operating Systems on page 12• Mac Endpoint Operating Systems on page 13• Linux Endpoint Operating System on page 14• UNIX Endpoint Operating System on page 15


- 12 -

Windows Endpoint Operating SystemsThe following table lists supported Windows platforms on which the Norman Enterprise Security Agentis supported.

Table 2: Supported Windows Endpoint Operating Systems

Supported OSVersions

Supported Editions SupportedProcessors

DataWidth

Supported Agent

Windows Server 2012R2

• Standard1

• Datacenter1

• Foundation• Essentials

Intel 64 bit Norman ESEC 8.2

Windows 8.1 • Enterprise• Enterprise N• Professional2

• Professional N

Intel 32/64 bit Norman ESEC 8.2

Windows StorageServer 2012

• Standard• Workgroup


Windows Server 2012 • Standard1

• Datacenter1

• Foundation• Essentials


Windows 8 • Enterprise• Enterprise N• Professional2

• Professional N



• Enterprise• Standard• Web


Windows Server 2008 • Enterprise• Standard• Web


Agent Requirements

- 13 -


Supported Editions SupportedProcessors

DataWidth

Supported Agent

Windows 7 • Enterprise• Standard• Web


Windows Vista3• Business• Enterprise• Ultimate


Windows Server 2003SP1+

• Enterprise4

• Standard4

• Web



• Enterprise4

• Standard4

• Web


Windows XP SP2+5 Professional Intel 32/64 bit Norman ESEC 8.21Core mode for this edition is supported.2This edition is also supported when Windows Media Center is installed.3When installing the Device Control endpoint module on these editions, SP1+ is required.4When installing the Device Control endpoint module on these editions, SP2+ is required.5On Windows XP SP2 endpoints, the Microsoft Windows Installer 3.1 or higher must be present onthe endpoint prior to installing or upgrading to the Norman ESEC 8.0 Agent. Refer to the NormanSupport Site (http://www.norman.com/support/) for additional information.

Mac Endpoint Operating SystemsThe following table lists supported Mac platforms on which the Norman Enterprise Security Agent issupported.

Table 3: Supported Mac Endpoint Operating Systems


Supported Editions SupportedProcessor(s)

Supported Agent

Mac OS X 10.10 All Intel Patch Agent for Linux, UNIX,and Mac 8.1


http://www.norman.com/support/




- 14 -



Supported Agent


Mac OS X 10.7 1 All Intel Patch Agent for Linux, UNIX,and Mac 8.1

Mac OS X 10.6 1 All Intel Patch Agent for Linux, UNIX,and Mac 8.1

Mac OS X 10.51 All • Intel• PowerPC

Patch Agent for Linux, UNIX,and Mac 8.1

Mac OS X 10.41 All • Intel• PowerPC


Mac OS X 10.31 All PowerPC Patch Agent for Linux, UNIX,and Mac 8.1

1. The installation wizard is not supported for OS X 10.7.2 and lower. It is only supported on 10.7.3and higher.

Linux Endpoint Operating SystemThe following table lists supported Linux platforms on which the Norman Enterprise Security Agent issupported.

Table 4: Supported Linux Endpoint Operating Systems



Supported Agent

CentOS Linux 7 Intel Patch Agent for Linux, UNIX,and Mac 8.1



Oracle EnterpriseLinux 7

Intel Patch Agent for Linux, UNIX,and Mac 8.1



Agent Requirements

- 15 -



Supported Agent





Novell SUSE Linux 11 • Desktop• Server


Novell SUSE Linux 10 • Desktop• Server


Red Hat EnterpriseLinux 7

Server Intel Patch Agent for Linux, UNIX,and Mac 8.1


• Client• Server



• Client• Server


UNIX Endpoint Operating SystemThe following table lists supported UNIX platforms on which the Norman Enterprise Security Agent issupported.

Table 5: Supported UNIX Endpoint Operating Systems



Supported Agent

Oracle Solaris 11 All • Intel• SPARC


Oracle Solaris 10 All • Intel• SPARC


Hewlett Packard HP-UX 11.31

All • PA-RISC• Itanium



All PA-RISC Patch Agent for Linux, UNIX,and Mac 8.1


All PA-RISC Patch Agent for Linux, UNIX,and Mac 8.1


- 16 -



Supported Agent

IBM AIX 7.1 All Power Patch Agent for Linux, UNIX,and Mac 8.1

IBM AIX 6.1 All Power Patch Agent for Linux, UNIX,and Mac 8.1

Supported Endpoint BrowsersNorman Enterprise Security (Norman ESEC) is an Internet application that conforms to standard Webconventions. Norman recommends you download the most recent version of the Norman ESEC Agentinstaller using a supported Web browser.

Table 6: Supported Web Browsers

Supported Browser Supported Versions

Microsoft Internet Explorer • 11• 10• 9

Mozilla Firefox • 31.x Extended Support Release• 24.x Extended Support Release

Windows Endpoint RequirementsBefore installing the Norman Enterprise Security (Norman ESEC) Agent on a supported Windowsendpoint, ensure that it meets the necessary hardware and software requirements.

Processor 500 MHz or higher for Windows XP SP2+ and Windows Server 2003SP1+800 MHz or higher for Windows Vista and later

Physical RAM 256 MB for Windows XP SP2+ and Windows Server 2003 SP1+(minimum)1 GB for Windows Vista and later (minimum)

Note: Your Norman ESEC endpoint may require additional RAMdepending on the RAM requirements of other applications installed.

Free Disk Space 1 GB of free space

Agent Requirements

- 17 -

Network Connection A 10 Mbps network connection with access to the Norman EnterpriseSecurity server.

Antivirus Ensure any third-party antivirus software on the endpoint computeris disabled prior to Norman ESEC Agent installation.

Port Requirements • Port 80This must be open for Norman ESEC module downloads.

• Port 443This must be open for Norman ESEC policy download and generalcommunication.

• Ephemeral portsThis is used to listen for Notification Manager connectionrequests (Patch and Remediation) only.

• For Windows XP and Windows Server 2003, open ports1024-4999.

• For Windows Vista and later, open ports 49152-65535.

Microsoft .NET Framework Microsoft .NET Framework (is required for Patch and Remediationonly). The required version of the .NET Framework changes accordingto operating system.

Table 7: .NET Framework Version

Operating System .Net FrameworkVersion

Microsoft Windows 8 4.0+

Microsoft Windows Storage Server 2012 4.0+

Microsoft Windows Server 2012 4.0+

Microsoft Windows Server 2012 R2 4.0+

Microsoft Windows 7 3.0+

Microsoft Windows Server 2008 R2 3.0+

Microsoft Windows Vista 3.0+

Microsoft Windows Server 2008 3.0+

Microsoft Windows 2003 SP1+ 2.0+

Microsoft Windows XP SP2+ 2.0+


- 18 -

Other SoftwareRequirements

Windows Installer 3.1 or laterMicrosoft Visual C++ 2010 Redistributable Package or later

Note: If not installed at time of agent installation, the MicrosoftVisual C++ 2010 Redistributable Package is installed during agentinstallation.

Mac, Linux, or UNIX Endpoint RequirementsBefore installing the Norman ESEC Agent on a supported Mac, Linux, or UNIX endpoint, ensure that itmeets the necessary hardware and software requirements.

Processor 500 MHz processor or higher

Physical RAM 256 MBs or greater

Note: Your Norman ESEC endpoint may require additional RAMdepending on the RAM requirements of other applications installed.

Disk Requirements • Presence of a /tmp directory (/var/tmp on Oracle Solaris) with100 MB of free space.

• 50 MB of free space for the agent installation directory.• Norman ESEC also recommends 100 Mb of unused disk space to

download and install content.

Java Runtime Environment(JRE)

• Ensure Java Runtime Environment (JRE) 1.4.0 or later is installed.

Note:

• If installing using the installation wizard for OS X (versions10.7.3-10.10), JDK 1.7 or later is required.

• Open JDK can be substituted for Oracle Java JRE on thefollowing operating systems:

• Cent OS Linux• Novell SUSE Linux• Oracle Linux• Red Hat Enterprise LinuxRefer to IcedTea Project (http://openjdk.java.net/projects/icedtea/)for additional information.

http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html

http://openjdk.java.net/projects/icedtea/


Agent Requirements

- 19 -

Perl Perl is needed for Linux content. Perl is automatically installed for allopen-source Linux operating systems unless uninstalled.

Tip: To determine if you have perl installed, type perl -v on acommand line. Refer to Perl Download (http://www.perl.org/get.html) todownload.

Network Connection A 10 Mbps network connection with access to the Norman EnterpriseSecurity server. Refer to Supported Endpoint Browsers on page 16for a list of supported browsers.

Antivirus Ensure any antivirus software installed on the applicable endpointcomputer is disabled.

Port Requirements • Port 80. This must be open for Norman ESEC module downloads.• Port 443. This must be open for Norman ESEC policy download

and general communication.• Ports 49152-65535. These ports are used as listener ports for

check now commands, which are server-sent requests that agentsuse to check for tasks. Closing these ports delays agent tasks untilthey check in themselves.

http://www.perl.org/get.html

http://www.perl.org/get.html


- 20 -

Agent Locales and InternationalizationThe Norman Enterprise Security Agent is localized and internationalized for a variety of languages.

The agent has been fully localized and translated for the following locales.

• en-AU: English (Australia)• en-BZ: English (Belize)• en-CA: English (Canada)• en-IN: English (India)• en-IE: English (Ireland)• en-JM: English (Jamaica)• en-NZ: English (New Zealand)• en-PH: English (Philippines)• en-SG: English (Singapore)• en-ZA: English (South Africa)• en-GB: English (United Kingdom)• en-US: English (United States)• fr-FR: French (France)• de-DE: German (Germany)• it-IT: Italian (Italy)• ja-JP: Japanese (Japan)• nl-NL: Dutch (Netherlands)• pt-BE: Portuguese (Brazil)• ru-RU: Russian (Russia)• es-ES: Spanish (Spain)• sv-SE: Swedish (Sweden)• zh-CN / zh-CHS: Chinese (China [Simplified])• zh-TW / zh-CHT: Chinese (Taiwan [Traditional])

Note: The agent has been internationalized to operate in the following locales. However, the agent UItext has not been translated. English text is displayed.

• da-DA: Danish (Denmark)• fi-FI: Finnish (Finland)• ko-KR: Korean (Korea)• no-NO: Norwegian - Nynorsk (Norway)

Agent Requirements

- 21 -

Supported Endpoint Module Operating SystemsThe modules that you can install vary by operating system and your licensing.

• Windows Endpoint Supported Modules on page 21• Linux, Unix, and Mac Supported Modules on page 22

A list of module abbreviations within the tables:

NPR:Norman Patch and RemediationLAC:Norman Application ControlNDC:Norman Device ControlNAV:Norman AntiVirusWOL:Norman Wake on LANRSM:Norman Remote Systems Management

Windows Endpoint Supported ModulesThe following table lists the modules you can install on endpoints that contain a Windows operatingsystem.

Table 8: Supported Endpoint Windows Operating Systems by Module

Modules(2)Operating System(1)

NPR LAC NDC NAV WOL RSM

Microsoft Windows 8.1

Microsoft Windows 8

Microsoft Windows Server2012

Microsoft Windows Server2012 R2

Microsoft Windows StorageServer 2012


- 22 -

Modules(2)Operating System(1)

NPR LAC NDC NAV WOL RSM

Microsoft Windows 7


Microsoft Windows Vista


Microsoft Windows XPSP2+

Microsoft Windows Server2003 SP1+

(1) Refer to Supported Endpoint Operating Systems on page 11 for a complete list of operatingsystem versions.(2) Refer to Supported Endpoint Module Operating Systems on page 21 for a list of moduleabbreviation definitions.

Linux, Unix, and Mac Supported ModulesNorman offers a version of the agent for Linux, Unix, and Mac that provides Patch and Remediationfunctionality.

Patch Agent for Linux, Unix, and Mac supports functionality for the Patch and Remediation moduleand only the Patch and Remediation module. All other NESEC modules are not supported for theseplatforms.

- 23 -

Chapter

2Understanding Agent Installation

In this chapter:

• The Norman ESEC Agent Workflow• Understanding Agent Installation

Methods

The Norman ESEC agent is installed on network endpoints tomanage their behavior.

The Norman ESEC Agent WorkflowNorman Enterprise Security uses a server/client relationship to manage network endpoints. Review thischart to understand the Norman ESEC Agent workflow.

Install the Norman Enterprise Security (Norman ESEC) server and complete aninitial replication with the Global Subscription Server. You must have completed aserver install prior to installing a Norman ESEC Agent.

Note: For server installation information, refer to the Norman Enterprise SecurityServer Installation Guide (http://www.norman.com/support/user_manuals/).

Prior to installing the agent on an endpoint, determine agent requirements. Referto Agent Requirements on page 11 for all requirements. For requirements on theendpoint by operating system, refer to:

• Windows Endpoint Requirements on page 16• Mac, Linux, or UNIX Endpoint Requirements on page 18

Prior to installing the agent on an endpoint, ensure you understand the methodsused to install the agent. Refer to Understanding Agent Installation Methods on page25.





- 24 -

Install the agent. You may install agents on any endpoints that you want tomanage. Agent installation is based on administrator need and operating systemtype. Refer to the following:

• Installing the Agent on Windows on page 27• Installing the Agent on Mac on page 81• Installing the Agent on Linux or UNIX on page 103

Following initial installation, the agent and server components begincommunicating. The agent downloads the following data from the Norman ESECserver:

• Agent policies, which contain information about how the agent should behave.• Agent packages, which contain files to modify the agent.The agent uploads the following data to the Norman ESEC server:

• Host endpoint operating system information.• Heartbeats, which are notification messages the agent sends to the server.

This message is used continually to notify the server that the agent is availablewithin the network.

• The state of the endpoint and applicable module logs.

After you install the agent on an endpoint, you may access its available controls using the AgentControl Panel. Refer to Using the Norman ESEC Agent in the Norman Enterprise Security User Guide (http://www.norman.com/support/user_manuals/) for additional information.Additionally, if you are licensed for additional Norman ESEC modules, you can install these modules onthe Norman ESEC endpoint that has an agent. Installing modules expands agent functionality.

Note: For more information on modules and module installation, refer to Norman Enterprise SecurityUser Guide (http://www.norman.com/support/user_manuals/).







Understanding Agent Installation

- 25 -

Understanding Agent Installation MethodsYou can install the Norman ESEC Agent on your network using a variety of methods.Network administrators should carefully consider which method to use when installing the agent aseach method has its own unique steps. The following table describes each installation method.

Table 9: Installation Methods

Installation Method Description

Agent Management Job Benefits in using this method:

• Using this method you search for endpoints in your network and theninstall the agent on network endpoints based on criteria you define.

• You complete the Agent Management Job within the NormanEnterprise Security Web console using an easy-to-use wizard.

• Using this method eases administrative workload, since you do nothave to install agents locally on endpoints.

• Using this method you may uninstall the agent on network endpointsbased on criteria you define.

Important: This method only supports endpoints that contain aWindows operating system. Refer to the Command Line or InstallWizard method to install an agent on an endpoint that has a supportedMac, Linux or UNIX operating system.

Command Line Benefits in using this method:

• You may use command line to install the agent.• You may complete silent installs when using a command line

parameters. When using silent installs using a command line, theinstallation of the agent can be run unattended (without userinteraction).

• This install method supports an endpoint that has one of the followingoperating systems:

• Windows• Mac• Linux or UNIX

Important: On Linux and UNIX endpoints, the command line is the onlymethod that can be used to install the agent.


- 26 -

Installation Method Description

Install Wizard Benefits in using this method:

• This method utilizes an easy-to-use installation wizard to install a singleagent on a network endpoint.

• This installation method is useful if you are unfamiliar with using thecommand line prompt to install a single agent on a network endpoint.

• The agent is installed using an installation wizard and accessed usinga graphical user interface via the Control Panel (Windows) or SystemPreferences (Mac).

• The installer for Windows uses the familiar EXE file format, and theinstaller for Mac uses the DMG file format.

• This method supports an endpoint that has one of the followingoperating systems:

• Windows• Mac

Other Methods Third-Party Software In some environments, customers mayprefer to use third-party software, suchas PsExec, to install the agent.

Golden Image In networks making substantial use ofgolden images, which are compressedoperating system archives that areentirely installed and configuredaccording to an organization'sspecifications, network administratorsmay benefit from adding the NormanESEC Agent to their image.

Attention: These installation methods are not documented in this guide.For additional information on these installation methods, contact NormanSupport ([email protected]).

Note: Supported operating systems listed in this topic are generalized for each operating system.Before installing the agent on an endpoint, ensure its operating system is supported by referring toSupported Endpoint Operating Systems on page 11.




- 27 -

Chapter

3Installing the Agent on Windows

In this chapter:

• Windows Installation Methods• Agent Management Job for

Windows• Command Line for Windows• Install of the Agent for Windows

Manually

There are various methods when installing the NormanEnterprise Security Agent on a Windows endpoint.

Windows Installation MethodsTo install the Norman Enterprise Security Agent on a Windows platform you can utilize variousmethods.

• An Agent Management Job. This method supports installing an agent on endpoints that have aWindows operating system using the Norman ESEC Web console. For additional information, referto Installing Agents by Agent Management Job on page 49.

• You may use a command line to install an agent on Windows endpoints. For additional information,refer to Silently Installing the Agent by Command Line for Windows on page 71.

• You may use the Norman ESEC installer. This method uses an easy-to-use installation wizard thatallows you to install a single agent on an endpoint. For additional information, refer to ManuallyInstalling the Agent for Windows on page 77.

For a description of the benefits of each install method, refer to Understanding Agent Installation Methodson page 25.

Agent Management Job for WindowsThe Norman Enterprise Security Web console utilizes the Agent Management Job method to installagents on Windows endpoints. This method uses an easy-to-use wizard to discover endpoints withinyour network and then install the agent.This method only supports endpoints that use the Windows operating system.


- 28 -

Each Agent Management Job consists of two parts; endpoint detection and agent management itself.

Detection The initial portion of an Agent Management Job detects endpointsand their operating systems in a network. This is done by scanningthe network. Access to the endpoints is based on credentials usedduring job configuration.

Management During agent management, the agent is installed (or uninstalled)based on information found during scanning. The AgentManagement Job determines which type of agent to install onapplicable endpoints. Agent installation occurs silently on theendpoint; endpoint users are unaware of the installation.

After installing Norman Enterprise Security (Norman ESEC) on a server, you must perform additionalconfiguration on the endpoint and server prior to an Norman ESEC Agent Management Job.Refer to Agent Management Job Checklist on page 28 for a description of the configuration needs onthe endpoint and server prior to an Agent Management Job.

Agent Management Job ChecklistThis checklist itemizes the information and tasks an administrator needs to perform prior to an AgentManagement Job.

Prior to configuring your network to successfully use Agent Management Jobs, confirm the followinginformation:

Tasks Performed on the Endpoint

Verify your target endpoints meets or exceeds the requirements defined in the Windows EndpointRequirements on page 16.

Verify that your target endpoints are all supported Windows endpoints. You cannot complete anAgent Management Job on Linux, UNIX, or Mac endpoints. Refer to the list of Windows operatingsystems in the Supported Endpoint Operating Systems on page 11.

Ensure any antivirus software installed on target endpoints is disabled.

Verify that your target endpoints have applicable ports open. Refer to Port and ICMP Requirements foran Agent Management Job on page 29.

Configure your target endpoints to accept an Agent Management Job. Target endpoints must beconfigured to allow the Agent Management Job access to the endpoint. This includes verifying thatthe C$ and ADMIN$ network shares are enabled, Refer to the following:

• To configure Windows XP or Windows 2003 endpoints for Agent Management Jobs, completeConfiguring Windows XP or Windows Server 2003 Endpoints on page 30.

• To configure Windows Vista and later endpoints for Agent Management Jobs, completeConfiguring Vista or Later Endpoints on page 39.

Tasks Performed on the Server

Installing the Agent on Windows

- 29 -

Verify that your Norman ESEC server can utilize the Discovery Scanning process needed in by theAgent Management Job. Refer to Configuring the Norman ESEC Server for Discovery Scanning on page48.

Gather credentials for the endpoints. A user name and password that authenticates with Windows-based endpoints is required during configuration of the Agent Management Job. Type the username in a local format (UserName) or a domain format (DOMAIN\UserName).

Gather proxy information if your agents will be required to use a proxy to access your NormanEnterprise Security server. The proxy information is required during configuration of the AgentManagement Job that is using a proxy server.

Note: A Squid proxy server will only properly resolve using a fully qualified domain name.

Once you have completed the tasks in the list you may begin installing or uninstalling the NormanESEC Agent using an Agent Management Job. For information on this install method, refer to InstallingAgents by Agent Management Job on page 49.

Port and ICMP Requirements for an Agent Management JobCertain ports are required on the endpoint during the installation process of the Agent ManagementJob. Firewall configuration changes may be required to access applicable ports.

Note: If your firewall policies cannot allow needed port access, contact Norman Support Site (http://www.norman.com/support/) for a recommended configuration.

On the endpoint, open the ports listed in the following table.

Table 10: Required Ports

Required Ports Direction Description

• 445/TCP• 139/UDP• 135/UDP• 137/UDP

Inbound NESEC uses these ports to access the endpoint during theinstallation of the Agent Management Job. After the AgentManagement Job completes, you can close these ports.

Tip: In addition, the Discovery Scan Job also use theseports to discover information about the endpoint.

• 443/TCP• 80/TCP

Outbound Following agent installation, the Norman ESEC Agent usesthese ports to register and communicate with the NormanESEC server. After the Agent Management Job completes,you need to leave these ports open.

Both the Discovery Scan Job and the Agent Management Job requires the endpoint to accept pingrequests from the Norman ESEC server. Ping operates by sending Internet Control Message Protocol(ICMP) echo request packets to the target host and waiting for an ICMP response. Therefore, you needan exception within your endpoint firewall for inbound Internet Control Message Protocol (ICMP) echorequest.





- 30 -

Refer to Enable or disable Internet Control Message Protocol requests for ICF (http://technet.microsoft.com/en-us/library/cc738771(v=ws.10).aspx) for additional information.

Configuring Windows XP or Windows Server 2003 EndpointsPrior to using an Agent Management Job to install agents on your Windows XP or Windows Server2003 endpoints, you must first configure the endpoints.

Prerequisites:

Prior to configuring, review the following requirements:

• You can perform these steps on endpoints with the following operating systems:

• Windows XP SP2+

Note: On a endpoint containing a Windows XP SP2+ platform, the Microsoft Windows Installer3.1 or higher must be present on the endpoint prior to installing or upgrading to the 8.0 agent.Refer to the Norman Support Site (http://www.norman.com/support/)

• Windows 2003 SP1+• Windows 2003 R2

• You have gathered and confirmed the information and tasks in the Agent Management Jobchecklist. Refer to Agent Management Job Checklist on page 28 for a description.

• Verify your Windows endpoint meets the defined hardware and software requirements. Refer toAgent Requirements on page 11 for a complete list of agent requirements.

Note: If your organization uses a third-party firewall:

• Do not complete the steps for creating Windows Firewall exceptions. Your third-party firewall makesthem unnecessary.

• However, you must create exceptions for NESEC within you third-party firewall. For additionalinformation, refer to Port and ICMP Requirements for an Agent Management Job on page 29.

1. Start applicable Windows services.

Tip: There are specific Windows services that are necessary for successful Agent Management Jobcompletion.

a) Open Windows Control Panel.

Step Result: Control Panel opens.

b) Open Administrative Tools.

Step Result: The Administrative Tools dialog opens.

c) Open Services.

Step Result: The Services dialog opens.

http://technet.microsoft.com/en-us/library/cc738771(v=ws.10).aspx






- 31 -

d) Ensure the necessary services are started for an Agent Management Job.The following list itemizes the services that must be started for Agent Management Jobcompletion.

• DCOM Server Process Launcher• Remote Procedure Call (RPC)• Server• Windows Firewall• Windows Management Instrumentation

Note: In environments that use a third-party firewall, ensure the Windows Firewall service isinstead disabled.

e) If all of the listed services required for your configuration purposes have a Server status ofStarted, continue to the next step. If any of the listed services for your configuration purposesare not started, complete the following:

1. Right-click the applicable service and select Properties.2. Ensure the Startup type list is set to Automatic. If edits are necessary, click Apply after

selecting Automatic from the list.3. Click Start.4. Click OK.5. If necessary, repeat the above steps for each unstarted service.

f) Close the Services dialog and the Administrative Tools dialog.

Step Result: The applicable Windows services for a successful Agent Management Job are started.

2. Ensure Simple File Sharing is disabled on the endpoint.

Tip: You must have Simple File Sharing disabled so that the Norman ESEC can access the necessaryfiles during agent installation

a) Select Start > My Computer.

Step Result: The My Computer dialog opens.

b) From the dialog toobar, select Tools > Folder Options.

Step Result: The Folder Options dialog opens.

c) Select the View tab.

Step Result: The View tab opens.

d) Ensure the Use simple file sharing (Recommended) check box is clear. You may have to scrollto find this setting.

e) Click OK.f) Close the My Computer dialog.


- 32 -

3. Ensure File and Printer sharing is enabled.

Tip: Norman ESEC needs access to certain endpoint folders. Enabling File and Printer sharinggrants this access.

a) Select Start > Control Panel.

Step Result: The Control Panel dialog opens.

b) Double-click Network Connections.

Step Result: The Network Connections dialog opens.

c) Right-click your local area connection and select Properties.

Step Result: The Local Area Connection Properties dialog opens.

Note: In Windows Server 2003, the Local Area Connection Status dialog opens.

d) Ensure the File and Printer Sharing for Microsoft Networks check box is selected.e) Click OK.

Step Result: The Local Area Connection Properties dialog closes.

f) Click Close.

Step Result: The Network Connections dialog closes.

4. Ensure the Windows Firewall is configured to allow exceptions.

Tip: A Windows Firewall that does not allow exceptions will block pings and other agentmanagement processes necessary for a successful Agent Management Job.

a) Select Start > Run.

Step Result: The Run prompt opens.

b) Type gpedit.msc in the Open field and press ENTER.

Step Result: The Local Group Policy Editor opens.

Note: In Windows Vista, this dialog is called the Group Policy Object Editor.

c) Expand the local computer policy tree to Computer Configuration > AdministrativeTemplates > Network > Network Connections > Windows Firewall > Domain Profiles.Ensure the Domain Profiles folder is selected.

Step Result: The Domain Profile windows opens.


- 33 -

d) Ensure the following settings (and their subsettings) are configured for the Domain Profile:

Name Step

Windows Firewall: Do not allowexceptions

1. Right-click and select Edit to open the settingdialog.

2. Ensure the Disabled option is selected.3. Click OK.

Windows Firewall: Allow inbound fileand printer sharing exception


2. Ensure the Enabled option is selected.3. Define an IP range in the Allow unsolicited

incoming messages from field.

Note: Norman recommends defining this fieldusing your Norman ESEC Server IP address. Thisinput is not validated. To define a range, youmay use the following syntax:

• * (any IP address)• 10.3.2.0/24 (specific Class C subnet)• localsubnet (for local subnetwork access

only)

4. Click OK.

Windows Firewall: Allow ICMPexceptions


2. Ensure the Enabled option is selected.3. Click OK.


- 34 -

Name Step

Windows Firewall: Allow inboundremote administration exception






only)

4. Click OK.

e) Expand the local computer policy tree to Computer Configuration > AdministrativeTemplates > Network > Network Connections > Windows Firewall > Standard Profiles.Ensure the Standard Profiles folder is selected.

Step Result: The Standard Profile windows opens.

f) Ensure the following settings (and their subsettings) are configured for the Standard Profile:

Tip: These settings will mimic the Domain Profile.

Name Step



2. Ensure the Disabled option is selected.3. Click OK.


- 35 -

Name Step







only)

4. Click OK.



2. Ensure the Enabled option is selected.3. Click OK.







only)

4. Click OK.


- 36 -

g) Close the Group Policy dialog.

Step Result:Note: The creation of Windows Firewall exceptions opens the following ports,which are required for job completion:

• 445/TCP• 139/UDP• 135/UDP• 137/UDP

5. Ensure your endpoint has an NT LAN Manager (NTLM) setting that is compatible with the NormanESEC server. You can define this setting for your endpoint using the Registry Editor.

a) Select Start > Run.


b) In the Open field, type regedit and press ENTER.

Step Result: The Registry Editor opens.

Figure 1: Registry Editor

c) In the tree panel, expand the registry to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Ensure the Lsa folder is selected.

Step Result: The Lsa folder keys open in the main panel.

d) In the main panel, double-click lmcompatibilitylevel.

Step Result: The Edit DWORD Value dialog for the lmcompatibilitylevel key opens.

e) In the main panel, double-click lmcompatibilitylevel.

Step Result: The Edit DWORD Value dialog for the lmcompatibilitylevel key opens.


- 37 -

f) Ensure that the Value data field is set to 3 or 5. If the field is not set correctly, complete thefollowing:

1. Type 3 or 5 in the Value data field.2. Click OK.

Note: Under most network conditions, a setting of 3 or 5 is sufficient. However, in somenetworks, this key may require a different value. To determine which value to use, refer to How toenable NTLM 2 authentication (http://support.microsoft.com/kb/239869).

g) Close the Registry Editor.

6. Ensure that the C$ and ADMIN$ network shares are enabled.The C$ and ADMIN$ network shares are necessary for remote management. This is necessary for asuccessful Agent Management Job completion.

a) From the Command Prompt, type net share and press ENTER.

Step Result: The endpoint network shares are listed.

b) Ensure that the following shares are listed in the Share name column.

• C$

• ADMIN$

Note: If these shares are not listed, complete the following steps to enable them. If one of thenecessary shares is enabled but not the other, only enable the share that needs to be enabled

c) From the Command Prompt, type the necessary commands to enable the required networkshares.

Example: Complete the following:

• To enable the C$ share, type NET SHARE C$=C and press ENTER.• To enable the ADMIN$ share, type NET SHARE ADMIN$ and press ENTER.

Step Result: You have enabled the required share(s).

Note: All enabled shares remain active until the system reboots.

d) Close the Command Prompt window.

Step Result: The Command Prompt closes.

Step Result: You have verified that the C$ and ADMIN$ network shares are enabled.

http://support.microsoft.com/kb/239869




- 38 -

7. [Optional] For Windows Server 2003 and Windows XP 64-bit endpoints, ensure WMI WindowsInstaller Provider is installed.

Tip: This Management and Monitoring Tool is used to complete the Norman ESEC Agent uninstallby Agent Management Job. This tool is not installed by default on these operating systems. Thesesteps apply only to Windows Server 2003 and Windows XP 64-bit endpoints. You do not have tocomplete these steps for Windows XP 32-bit endpoints.

a) Select Start > Control Panel.


b) Double-click Add or Remove Programs.

Step Result: The Add or Remove Programs dialog opens.

c) Click Add/Remove Windows Components.

Step Result: The Windows Components Wizard opens.

d) Select Management and Monitoring Tools and ensure the check box is selected.e) Click Details.

Step Result: The Management and Monitoring Tools dialog opens.

f) Ensure the WMI Windows Installer Provider check box is selected and click OK.

Tip: If Management and Monitoring Tools and WMI Windows Installer Provider are alreadyinstalled, you do not need to complete the remaining steps. Continue to the end of theprocedure.

g) Click Next.

Step Result: Installation of WMI Windows Installer Provider begins.

h) When prompted, insert your Windows installation disc and continue the install. Repeat this stepas needed.

Step Result: Installation continues.

i) Click Finish and restart the endpoint.

Result: You have completed all necessary configuration steps.

After Completing This Task:Refer to Agent Management Job Checklist on page 28 prior beginning the Agent Management Job.


- 39 -

Configuring Vista or Later EndpointsPrior to using an Agent Management Job to install agents on your Windows Vista or later endpoints,you must first configure your endpoints.

Prerequisites:

Prior to configuring, review the following requirements:

• You can perform these steps on endpoints with the following operating systems:

• Windows Vista• Windows 7• Windows 8• Windows 8.1• Windows Server 2008• Windows Server 2012• Windows Server 2012 R2


• Verify your Windows endpoint meets the defined hardware and software requirements. Refer toAgent Requirements on page 11 for a complete list of agent requirements.

Note: If your organization uses a third-party firewall:

• Do not complete the steps for creating Windows Firewall exceptions. Your third-party firewall makesthem unnecessary.

• However, you must create exceptions for NESEC within you third-party firewall. For additionalinformation, refer to Port and ICMP Requirements for an Agent Management Job on page 29.

1. Start applicable Windows services.

Tip: There are specific Windows services that are necessary for successful Agent Management Jobcompletion.

a) Open Windows Control Panel.


b) Ensure Control Panel is set to the Control Panel Home or Category view.c) Open your system settings.

Operating System Step

Windows Vista or Windows Server 2008 Click System and Maintenance.


- 40 -


Windows 7, Windows 8, or Windows Server2012

Click System and Security.

Step Result: Control Panel opens to system options.

d) Click Administrative Tools.

Step Result: The Administrative Tools dialog opens.

e) Double-click Services.

Step Result: The Services dialog opens.

f) Ensure the necessary Windows services are started for an Agent Management Job.The following list itemizes the services that must be started for Agent Management Jobcompletion.

• DCOM Server Process Launcher• Remote Procedure Call (RPC)• Server• Windows Firewall• Windows Management Instrumentation

Note: In environments that use a third-party firewall, ensure the Windows Firewall service isinstead disabled.

g) If all of the listed services required for your configuration purposes have a Server status ofStarted, continue to the next step. If any of the listed services for your configuration purposesare not started, complete the following:

1. Right-click the applicable service and select Properties.2. Ensure Startup type list is set to Automatic. If edits are necessary, click Apply after selecting

Automatic from the list.3. Click Start.4. Click OK.5. If necessary, repeat the previous steps for each unstarted service.

h) Close the Services dialog and the Administrative Tools dialog.

Step Result: The applicable Windows services for a successful Agent Management Job are started.


- 41 -

2. Configure Sharing and Discovery settings.

Tip: The discovery setting allows the endpoint to be seen by the Norman ESEC server, while thefile sharing setting allows the Norman ESEC server to install the agent during agent management.These settings are necessary for a successful Agent Management Job.

a) From Control Panel, click Network and Internet.

Step Result: Control Panel opens to the Network and Internet options.

b) Click Network and Sharing Center.

Step Result: Control Panel opens to the Network and Sharing Center.

c) Ensure Network discovery is enabled.Enabling this setting makes the endpoint publicly known within the network.

Tip: Norman ESEC uses the information shared by this setting to return more detailedinformation about the endpoint during discovery scanning.

Based on the endpoint operating system, complete the applicable steps.


Windows Vista or Windows Server 2008 1. Click the arrow icon adjacent to Networkdiscovery.

2. Ensure Turn on network discovery option isselected.

3. If necessary, click Apply.


- 42 -


Windows 7 1. Click Change advanced sharing settings.2. Expand one of the following network locations:

• Home or Work• Public• Domain

3. Scroll to Network discovery.4. Ensure Turn on network discovery option is

selected.5. If necessary, click Save Changes.6. Repeat these steps for each profile section.

• Windows 8• Windows 8.1• Windows Server 2012• Windows Server 2012 R2

1. Click Change advanced sharing settings.2. Expand one of the following network locations:

• Private• Guest or Public• Domain

3. Scroll to Network discovery.4. Ensure Turn on network discovery option is

selected.5. Ensure Turn on automatic setup of network

connected devices option is cleared.6. If necessary, click Save Changes.7. Repeat these steps for each profile section.

d) Ensure File sharing is enabled.Based on the endpoint operating system, complete the applicable steps.


Windows Vista or Windows Server 2008 1. Click the arrow icon adjacent to File Sharing.2. Ensure Turn on file sharing option is selected.3. If necessary, click Apply.


- 43 -


Windows 7 1. Click Advanced sharing settings.2. Expand one of the following network locations:

• Home or Work• Public• Domain

3. Scroll to File and printer sharing.4. Ensure Turn on printer sharing option is

selected.5. If necessary, click Save Changes.6. Repeat these steps for each profile section.

• Windows 8• Windows 8.1• Windows Server 2012• Windows Server 2012 R2

1. Click Change advanced sharing settings.2. Expand one of the following sections:

• Private• Guest or Public• Domain

3. Scroll to File and printer.4. Ensure Turn on file and printer sharing option

is selected.5. If necessary, click Save Changes.6. Repeat these steps for each profile section.

e) Close Network and Sharing Center.

Step Result: Network and Sharing Center closes.

Step Result: The Sharing and Discovery settings is configured for the Agent Management Job.

3. Ensure Windows Firewall is configured to allow exceptions.

Tip: A Windows Firewall that does not allow exceptions will block pings and other agentmanagement processes necessary for a successful Agent Management Job.

a) Open a run prompt using the Start Menu or Start Screen.


b) Type gpedit.msc in the Open field and press ENTER.

Step Result: The Local Group Policy Editor opens.

Note: In Windows Vista, this dialog is called the Group Policy Object Editor.


- 44 -

c) Expand the local computer policy tree to Computer Configuration > AdministrativeTemplates > Network > Network Connections > Windows Firewall > Domain Profiles.Ensure Domain Profiles folder is selected.

Step Result: The Domain Profile windows opens.

d) Ensure the following settings (and their subsettings) are configured for the Domain Profile.

Name Step



2. Ensure Disabled option is selected.3. Click OK.



2. Ensure Enabled option is selected.3. Define an IP range in the Allow unsolicited




only)

4. Click OK.



2. Ensure Enabled option is selected.3. Click OK.


- 45 -

Name Step







only)

4. Click OK.

e) Expand the local computer policy tree to Computer Configuration > AdministrativeTemplates > Network > Network Connections > Windows Firewall > Domain Profiles.Ensure Standard Profiles folder is selected.

Step Result: The Standard Profile windows opens.

f) Ensure the following settings (and their subsettings) are configured for the Standard Profile.

Tip: These settings will mimic the Domain Profile.

Name Step



2. Ensure Disabled option is selected.3. Click OK.


- 46 -

Name Step







only)

4. Click OK.



2. Ensure Enabled option is selected.3. Click OK.







only)

4. Click OK.


- 47 -

g) Close the Local Group Policy Editior (or the Group Policy Object Editor).

Step Result:Note: The creation of Windows Firewall exceptions opens the following ports,which are required for job completion:

• 445/TCP• 139/UDP• 135/UDP• 137/UDP

Step Result: The Windows Firewall is configured to allow exceptions for an Agent ManagementJob.

4. Complete the configuration of your endpoint by verifying that the C$ and ADMIN$ network sharesare enabled.

Tip: The C$ and ADMIN$ network shares are necessary for remote management. This is necessaryfor a successful Agent Management Job completion.

a) Open Windows Control Panel.b) From the Command Prompt, type net share and press ENTER.

Step Result: The endpoint network shares are listed.

c) Ensure that the following shares are listed in the Share name column.

• C$

• ADMIN$

Note: If these shares are not listed, complete the following steps to enable them. If one of thenecessary shares is enabled but not the other, only enable the share that needs to be enabled.

d) From the Command Prompt, type the necessary commands to enable the required networkshares.

Example: Complete the following:

• To enable the C$ share, type NET SHARE C$=C and press ENTER.• To enable the ADMIN$ share, type NET SHARE ADMIN$ and press ENTER.

Step Result: You have enabled the required share(s). All enabled shares remain active until thesystem reboots.


- 48 -

e) Close the Command Prompt window.

Step Result: The Command Prompt closes.

Step Result: You have completed the configuration of your endpoint for an Agent ManagementJob by verifying that the C$ and ADMIN$ network shares are enabled.

Result: You have completed all necessary configuration steps.

After Completing This Task:Refer to Agent Management Job Checklist on page 28 prior beginning the Agent Management Job.

Configuring the Norman ESEC Server for Discovery ScanningThe Norman Enterprise Security server must be configured to accept session security encryption sothat you may run the Agent Management Job on your managed endpoints.

Prerequisites:

• Norman Enterprise Security (Norman ESEC) is installed and initial replication has been completed.For details regarding installing Norman ESEC, refer to the Norman Enterprise Security Server InstallationGuide (http://www.norman.com/support/user_manuals/).

On the server the authentication package for the local security authority has values defined in theserver registry. You need to authenticate that the server has the correct security encryption value inorder to run the Agent Management Job on endpoints within your network.

1. Log in to the Norman ESEC server using an account with System Administrator privileges.

2. Open the Registry Editor.

a) From the Start Menu or Start Screen, open a Run prompt.b) Type regedit.exe and press ENTER.

Step Result: The Registry Editor window opens.

3. Expand the registry tree to HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Control\Lsa.

4. Ensure the value for the LmCompatibilityLevel registry value is set to 3.

a) Ensure Lsa is selected in the registry tree.b) In the right-window area, select the LmCompatibilityLevel binary value.c) Right-click on the LmCompatibilityLevel binary value select Modify.

Step Result: The Edit Binary dialog opens.





- 49 -

d) Ensure 3 is visible in the Value data field. If not present, then change the value to 3.

Note: Under most network conditions, a setting of 3 (Send NTLM 2 response only) is sufficient.However, in some networks, this key may require a different value. To determine which value touse, refer to How to Enable NTLM 2 Authentication (http://support.microsoft.com/kb/239869).

Result: The Norman ESEC server is configured to utilize discovery scanning.

After Completing This Task:If you are configuring the server for scanning in preparation for an Agent Management Job, ensureyou have complete the tasks needed for an Agent Management Job. For more information, see AgentManagement Job Checklist on page 28.

Installing Agents by Agent Management JobYou may install agents on network endpoints remotely using an Agent Management Job.

Prerequisites:


• Ensure that your endpoint meets the minimum requirements for agent installation. For additionalinformation, refer to Agent Requirements on page 11.

Note: You cannot complete an Agent Management Job on Linux, UNIX, or Mac endpoints.


Configuration using an Agent Management Job is similar to configuration using the Discovery ScanJob. Configuration occurs using the Install Agents Wizard.

1. Log in to Norman Enterprise Security.For additional information, refer to Norman Enterprise Security User Guide (http://www.norman.com/support/user_manuals/).

2. Begin configuration of the Install Agent Wizard.Complete one of the following steps to begin configuration.

Context Steps

To open the Wizard withouttargets predefined:

Select Discover > Assets and Install Agents.










- 50 -

Context Steps

To open the Wizard withtarget predefined:

1. Select Manage > Endpoints.2. Select the endpoints you want to install the agent on.3. From the toolbar, select Manage Agents > Install Agents.

Step Result: The wizard opens to the Job Name and Scheduling page.

Figure 2: Job Name and Scheduling Page

3. [Optional] Type a new name in the Scan job name field.

Note: By default, a new Agent Management Job for installation is named New Agent InstallManagement Job, followed by the server's date and time.


- 51 -

4. Schedule the job.Use one of the following methods.

Tip: During job scheduling, you can use the following shortcuts:

• Click the Calender icon to select a Start date. Selecting a date automatically fills the Start datefield.

• Click the Clock icon to select a Start time. Selecting a time automatically fills the Start timefield.

Method Steps

To schedule an immediatejob:

Select the Immediate option.

To schedule a one-time job: 1. Ensure the Once option is selected.2. Define a start date by typing a date in the Start date field.

Note: Type the date in a mm/dd/yyyy format.

3. Define a start time by typing a time in the Start time field.

Note: Type the time in hh:mm format followed by AM or PM (ifnecessary). This field supports both 12- and 24-hour time.

Tip: Scheduling a one-time job for a past date and time willlaunch the job immediately.

To schedule a recurringweekly job:

1. Select the Weekly option.2. Define a start date by typing a date in the Start date field.




4. Define the day of the week the job runs by selecting a dayfrom the Run every week on the following day list.


- 52 -

Method Steps

To schedule a recurringmonthly job:

1. Select the Monthly option.2. Define a start date by typing a date in the Start date field.




4. Define the day of the month the job runs by typing a day inthe Run every month on the following day field.

Tip: One-time and recurring jobs scheduled for the last day of a 31-day month are automaticallyrescheduled for the last day of shorter months.

5. Click Next.

Step Result: The Targets page opens.

Figure 3: Targets Page


- 53 -

6. Define targets (endpoints) for the job to locate.Select one or more of the following discovery methods to build a list of targets to scan.

Method Steps

To define targets using asingle IP address:

1. From the Scan for list, select Single IP Address.2. Type an IP address in the empty field. Wildcards are

supported.

Note: For additional information refer to Defining TargetsUsing Wildcards on page 65.

3. Select an item in the Timeout list.

Note: The Timeout list item defines the number ofseconds per attempt before a scan fails due to inactivityfor a particular target. Under most network conditions, theTimeout list item does not require editing.

4. Edit the Number of retries list.

Note: The Number of retries list defines the number of timesa scan retries on that target if the scan times out.

To define targets using an IPrange:

1. From the Scan for list, select IP Range.2. In the first empty field, type the beginning of IP range.

Note: Wildcards are supported. For additional informationrefer to Defining Targets Using Wildcards on page 65.

3. In the second empty field, type the ending of the IP range.4. Select an item in the Timeout list.

Note: The Timeout list defines the number of seconds perattempt before a scan fails due to inactivity for that particulartarget. Under most network conditions, the Timeout list itemdoes not require editing.

5. Select an item in the Number of retries list.

Note: The Number of retries item defines the number oftimes a scan retries on that target if the scan times out.

To define targets using acomputer name:

1. From the Scan for list, select Computer name.2. In the empty field, type an endpoint name in one of the

following formats: computername or domain\computername.


- 54 -

Method Steps

To define targets usingnetwork neighborhood:

1. From the Scan for list, select Network Neighborhood.2. From the second list, select the desired network

neighborhood.

To define targets usingactive directory:

1. From the Scan for list, select Active Directory.2. In the Fully-qualified domain name field, type the DNS

domain name of the domain controller you want to scan.

Note: For example, if your domain controller DNSname is box.domain.company.local, you would typedomain.company.local in this field.

3. Optionally, in the Organizational Unit field, type the activedirectory organizational unit string from specific to broad,separating each string with front slashes (such as Techpubs/Engineering/Corporate).

Note: The omission of this field returns job results containingthe full contents of all the active directory organizationalunits. View the following figure for an example of how toenter data using Active Directory.

4. In the Domain controller field, type the domain controller IPaddress.

5. In the Username field, type a user name that authenticateswith the domain controller.

Note: Type the user name in one of the following format:domainname\username or username.

6. In the Password field, type the password associated with theuser name.


- 55 -

Method Steps

To define targets using animported file:

1. From the Scan for list, select Import file.2. Click Browse.3. Browse to the file you want to use for target discovery.

Note: The following file types are supported: .txt and .csv.

4. Click Open.

Note: Refer to Defining Targets Within an Imported File on page66 for additional information on file types.

Figure 4: Active Directory Input Example


- 56 -

7. Add targets to the wizard list. This list indicates whether defined targets are included in or excludedfrom the job.Use one of the following methods.

Note: You must include at least one target for Next to become available. You can also deletetargets from the list by selecting the applicable check boxes and clicking Remove.

Method Steps

To include defined targets inthe job:

Click Add to Scan.

To exclude defined targetsfrom the job:

Click Exclude from Scan.

Tip: Repeat this step to add additional targets to the list.

8. [Optional] Edit the Targets list.

• To remove targets from the list, select the list item(s) and click Remove.• To edit targets on the list, select the list item(s) and click Edit.

For additional information on editing, refer to Editing Targets on page 62.

9. Click Next.

Step Result: The Scan Options page opens.

Figure 5: Scan Options Page


- 57 -

10.Select or clear the desired Scan Options.The following table defines each Scan Option.

Option Description

Verify With Ping Jobs using this option send ping requests to all networkendpoints targeted for discovery. Endpoints that respond to therequest are flagged for scanning; unresponsive endpoints areskipped. Endpoints unresponsive to Verify With Ping are notscanned by other selected discovery options.

Note: Anti-virus software and host firewalls may block VerifyWith Ping. If necessary, adjust any antivirus and firewallconfigurations to permit ping requests.

ICMP Discovery Jobs using this option request a series of echoes, information,and address masks from endpoints. Endpoint responses arethen compared to a list of known ICMP fingerprints to identifyendpoint operating systems.

Note: ICMP Discovery is ineffective on endpoints configuredto ignore ICMP requests. For best results identifying Windowsoperating systems, use this option in conjunction with WindowsVersion Discovery.

Port Scan Discovery Jobs using this option perform a limited scan on endpoint FTP,Telnet, SSH, SMTP, and HTTP ports. Based on the applicationbanners found in these ports, endpoint operating systems aregenerically identified.

Note: For best results in identifying Windows operating systems,use this option in conjunction with Windows Version Discovery.

SNMP Discovery Jobs using this option request system properties for SNMPdevices (routers, printers, and so on) from the managementinformation base. Following credential authentication, SNMPdevices are identified.

Note: Without authenticated credentials, SNMP devices ignoreSNMP Discovery requests. In this event, one of two outcomesoccur: the SNMP device is misidentified as a UNIX endpoint orthe SNMP device is not detected. Jobs with no SNMP credentialsuse the public credential by default.


- 58 -

Option Description

Windows Version Discovery Jobs using this option identify an endpoint's specific versionof Windows following generic operating system identificationduring ICMP or Port Scan Discovery.

Note: Correct operating system identification is contingentupon authenticated credentials. This option must be used inconjunction with either ICMP or Port Scan Discovery.

Resolve DNS Names Jobs using this option acquire the endpoint DNS name through alocal DNS server query. These names are displayed in job resultsfor easy endpoint identification.

Resolve MAC Addresses Jobs using this option acquire endpoint MAC addresses throughendpoint queries. These addresses are displayed in job results foreasy endpoint identification.

Note: Monitor network inventory reports to prevent MACaddress spoofing that may alter the Resolve MAC Addressesresults.

Resolve NetBIOS Names Jobs using this option acquire endpoint NetBIOS names throughWINS NetBIOS mapping. These names are displayed in jobresults for easy endpoint identification.

Note: Security-hardened networks running Windows 2003or Windows XP may require enabling of NetBIOS over TCP/IP for Resolve NetBIOS Names to acquire NetBIOS names.Additionally, firewalls protecting endpoints using Windows XPProfessional SP2 may require adjustment to permit NetBIOScommunication.

11.Click Next.

Step Result: The Agent Options page opens.

12.Select the desired Agent Options.These options control which version of the agent is installed on Windows-based endpoints.

a) Select an agent version from the Agent version list.

Note: The agent versions available for selection are defined by the Agent Version Options,which you can edit from the Options page Agents tab within the Norman Enterprise SecurityWeb console. For additional information, refer to Agent Versions in the Norman Enterprise SecurityUser Guide (http://www.norman.com/support/user_manuals/).





- 59 -

b) Select the modules you want to install with the agent.Select the check boxes associated with the modules you want to install.

c) [Optional] Select the Overwrite existing agents check box.This option reinstalls the agent on endpoints.

Attention: Selecting this option will cause data loss when an endpoint's Norman EnterpriseSecurity Agent is overwritten. However, you may select Agent Versions on the ManageEndpoints page to upgrade agents without losing data. Refer to Upgrading the Agent Using theEndpoints Page on page 117 for details.

13.Click Next.

Note: If a dialog opens that notifies you that an endpoint reboot is required following agentinstallation, click Continue to dismiss the dialog.

Step Result: The Credentials page opens.

Figure 6: Credentials Page

14.Define Windows credentials for the target.Type the applicable information in the following fields.

Note: When configuring an Agent Management Job, you must define valid Windows credentials.

Field Description

Username A user name that authenticates with Windows-based endpoints.Type the user name in a local format (UserName) or a domainformat (DOMAIN\UserName).

Note: When configuring Agent Management Jobs, Normanrecommends using the built-in Administrator account.

Password The password associated with the Username.


- 60 -

Field Description

Confirm password The Password retyped.

15.Click Next.

Step Result: The Agent Settings page opens.

Figure 7: Agent Settings Page

16.Define the Distribution options.The following table describes each list their available values.

List Description

Timeout(list)

Defines the number of minutes before the Agent ManagementJob terminates an install attempt due to a non-responsive agentinstallation or removal (0-30).

Number of retries(list)

Defines the number of attempts an agent installation or removalwill retry if the initial attempt fails (1-10).

Number of simultaneousinstalls(list)

Defines the maximum number of agents that can installed orremoved simultaneously during the job (1-25). A value of 1indicates that serial installs or removals should occur.


- 61 -

17.Define the Norman Enterprise Security server that the agent will report to using the Server Identityfield.Define the Server identity using one of the following formats.

• DNS name (computername.domainname.com)• Computer name (computername)• IP address (10.10.10.10)

Tip: The wizard fills this field with the server computername by default.

18.If the target endpoints will communicate with the Norman ESEC server through a proxy serverfollowing initial agent installation, select the Use a proxy server check box and define the followingfields.

Note: In many network environments, although a proxy is used for Internet access, a proxy bypassis used for all access within the corporate network. Therefore, only enter proxy information if youragents will be required to use a proxy to access your Norman Enterprise Security server.

Field Description

Server address The applicable proxy IP address.

Port The applicable proxy port number used to communicate.

19.If the target endpoints will use a proxy for agent to server communication, and that proxy requiresauthentication, select the Authentication required check box and define the following fields.

Field Description

Username A user name that authenticates with the proxy.



20.Click Finish.

Result: The Install Agents Wizard closes. Depending on how you configured the job, it movesto either the Scheduled tab or Active tab on the Job Results page. The job will run at theapplicable time, installing agents on the defined targets, and move to Completed tab whenfinished.

Note: After the Agent Management Job completes, install agent modules. For additionalinformation, refer to Managing Endpoint Modules in Norman Enterprise Security User Guide (http://www.norman.com/support/user_manuals/).





- 62 -

Editing TargetsWhile configuring jobs, you can edit items included in the Targets list in the Install Agents Wizard.

Edit Target list items from the Targets page of the wizard.

1. From the Targets list, select the check box associated with the item you want to edit.

Step Result: The Edit button becomes active.

2. Click Edit.

Step Result: The Edit Targets dialog opens.

Figure 8: Edit Targets Dialog

3. Based on the type of discovery method, edit the item.

Discovery Method Steps

Single IP Address 1. Type a new IP address in the field. Wildcards are supported.For additional information, refer to Defining Targets UsingWildcards on page 65.

2. If necessary, edit the Timeout list. The Timeout list definesthe number of seconds before a scan fails due to inactivity.Under most network conditions, the Timeout field does notrequire editing.

3. If necessary, edit the Number of retries list. The Number ofretries list defines the number of times a discover assets scanretries if the scan times out.


- 63 -


IP Range 1. In the field, type the beginning of IP range. Wildcards aresupported. For additional information, refer to Defining TargetsUsing Wildcards on page 65.

2. In the field, type the ending of the IP range.3. If necessary, edit the Timeout list. The Timeout list defines

the number of seconds before a scan fails due to inactivity.Under most network conditions, the Timeout field does notrequire editing.

4. If necessary, edit the Number of retries list. The Number ofretries list defines the number of times a discover assets scanretries if the scan times out.

Computer Name In the empty field, type a new endpoint name in one of thefollowing formats: endpointname or domain\endpointname.

Network Neighborhood From list, select the desired network neighborhood.


- 64 -


Active Directory 1. In the Fully-qualified domain name field, type theDNS domain name of the domain controller you wantto scan. For example, if your domain controller's DNSname was box.domain.company.local, you would typedomain.company.local in this field.

2. Optionally, in the Organizational Unit field, type the activedirectory organizational unit string from specific to broad,separating each string with front slashes (such as Techpubs/Engineering/Corporate). The omission of this field returnsjob results containing the full contents of all the activedirectory organizational units. View the following figure for anexample of how to enter data using Active Directory.

3. In the Domain controller field, type the domain controller'sIP address.

4. In the Username field, type user name that will authenticatewith the domain controller. Type the user name in one of thefollowing format: domainname\username or username.




- 65 -


Method Steps


Click Add to Scan.



5. Review the Targets list.

Result: The Targets list reflects your changes.

Defining Targets Using WildcardsWhen configuring a Discovery Scan Job or Agent Management Job, you can define scan targets usingwildcard IP addresses. Wildcards are characters that can be used to substitute for any other character orcharacters in a string. In otherwords, you can use wildcards to scan for numerous IP address instead ofjust one. Use wildcards to scan specific IP address ranges.

The following table lists examples of how to define targets using wildcards.

Table 11: Wildcard Examples

Discovery Method Step Example Targets Defined

To define wildcard IPaddresses:

Type a wildcardIP address usingcommas (,).Type a wildcardIP address usingdashes (-).Type a wildcardIP address usingasterisks (*).

10.1.1.2,910.1.1.2-510.1.1.*

10.1.1.2 and 10.1.1.910.1.1.2, 10.1.1.3,10.1.1.4, and 10.1.1.510.1.1.0 through10.1.1.255

To define wildcard IP addressesusing dashes in various octets:

Type a wildcardIP address usingdashes, placingthe dashes whereapplicable. You canuse dashes in anyoctet.

10.2-4.5.9 10.2.5.9, 10.3.5.9,10.4.5.9


- 66 -

Discovery Method Step Example Targets Defined

To define wildcard IP addressesusing asterisks in variousoctets:

Type a wildcardIP address usingasterisks, placingthe asterisks whereapplicable. You canuse asterisks in anyoctet.

*.6.65.9210.25.*.*

1.6.65.92 through255.6.65.9210.25.0.0 through10.25.255.255

To define wildcard IP addressesusing commas in variousoctets:

Type a wildcardIP address usingcommas, placingthe commas whereapplicable. You canuse commas in anyoctet.

10,12,19.2.5.9 10.2.5.9, 12.2.5.9,19.2.5.9

To define wildcard IP addressesusing a combination ofwildcard characters:

Type a wildcardIP address usingdashes, commas,and asterisks.

10-13.*.12.2,4,710.2-4.5,23.*

10, 11, 12,13.0-255.12.2, 4, 710.2, 3, 4.5, 23.0-255

Defining Targets Within an Imported FileUsing imported files, you can define job targets using a combination of single IP addresses, wildcard IPaddresses, IP ranges, DNS names, NetBIOS names, and so on. To create a file containing targets, opena text editor that allows you to create .txt or .csv (like Notepad). This topic also explains how to usewildcards for any job type.

Using the Install Agents Wizard within an Agent Management Job you may define targets using animported file.The following table lists the methods you can use to define discovery methods within an importablefile type, and then follows those methods with examples. Use one method per line.

Table 12: Basic Use

DiscoveryMethod

Step Example Targets Defined

To definesingle IPaddresses:

Type a single address. 10.1.1.2 10.1.1.2


- 67 -

DiscoveryMethod

Step Example Targets Defined

To definewildcard IPaddresses:

Type a wildcard IP address usingcommas (,).Type a wildcard IP address usingdashes (-).Type a wildcard IP address usingasterisks (*).

10.1.1.2,910.1.1.2-510.1.1.*

10.1.1.2 and 10.1.1.910.1.1.2, 10.1.1.3,10.1.1.4, and 10.1.1.510.1.1.0 through10.1.1.255

To define IPranges:

Type two IP addresses separated bya greater-than sign (>).Type two IP addresses separated bya dash (-).

10.1.1.2 > 10.1.1.910.1.1.2 - 10.1.1.9

10.1.1.2 through10.1.1.910.1.1.2 through10.1.1.9

To defineDNS names:

Type a DNS host name for anendpoint.

DNS.dom.com The defined DNSname.

To defineNetBIOSnames:

Type a NetBIOS name for anendpoint.

NetBIOSname The defined NetBIOSname.

Table 13: Advanced Use

Discovery Method Steps Examples Targets Defined

To define wildcard IPaddresses using dashesin various octets:

Type a wildcard IPaddress using dashes,placing the dasheswhere applicable. Youcan use dashes in thefirst, second, and lastoctet.

10.2-4.5.9 10.2.5.9, 10.3.5.9,10.4.5.9

To define wildcardIP addresses usingasterisks in variousoctets:

Type a wildcard IPaddress using asterisks,placing the asteriskswhere applicable. Youcan use asterisks in anyoctet.

*.6.65.9210.25.*.*

1.6.65.92 through255.6.65.9210.35.0.0 through10.35.255.255

To define wildcardIP addresses usingcommas in variousoctets:

Type a wildcard IPaddress using commas,placing the commaswhere applicable. Youcan use commas in first,second, and last octet.

10,12,19.2.5.9 10.2.5.9, 12.2.5.9,19.2.5.9


- 68 -

Discovery Method Steps Examples Targets Defined

To define wildcardIP addresses using acombination of wildcardcharacters:

Type a wildcard IPaddress using dashes,commas, and asterisks.You can use the dashand comma wildcardsin the first, second,and lost octets. Theasterick can be used inall octets.

10-13.*.12.2,4,710.2-4.5,23.*

10, 11, 12,13.0-255.12.2, 4, 710.2, 3, 4.5, 23.0-255

Command Line for WindowsYou can use the command line to install an agent on a Windows endpoint.An advantage in using a command line is silent installation. When using silent installation, you canenter all the information necessary prior to the silent installation and then the installation itself runsunattended (without user interaction).

Command Line Workflow for WindowsReview this chart to understand the Norman Enterprise Security Agent workflow for a command lineinstallation on a Windows endpoint.

Determine agent requirements. Refer to Agent Requirements on page 11 for acomplete list of hardware and software requirements for the agent.

Download the agent installer on Windows endpoints. Refer to Downloading theInstaller on page 69.

Silently install the agent using a command line on any Windows endpoints. Referto Silently Installing the Agent by Command Line for Windows on page 71.


- 69 -

Following initial installation, the agent and server components begincommunicating. Additionally, if you are licensed for additional modules, you caninstall these modules on any endpoint that has the Norman Enterprise SecurityAgent.

Note: For more information on modules and module installation, refer to NormanEnterprise Security User Guide (http://www.norman.com/support/user_manuals/).

Downloading the InstallerDownload the agent installer from your Norman Enterprise Security server by using the Web console.

To download the installer, log in to the target endpoint, and then download the installer.

1. Log on to the target endpoint as the local administrator (or a member of the Local Administratorsgroup).

2. Log in to Norman Enterprise Security (Norman ESEC) server console as user with administratorprivileges.For additional information on log in, refer to the Norman Enterprise Security User Guide (http://www.norman.com/support/user_manuals/).

Step Result: The Norman ESEC Home page opens.








- 70 -

3. Select Tools > After > Download Agent Installer.

Step Result: The Download Agent Installers dialog opens.

Figure 10: Download Agent Installers Dialog

Tip: The icon allows you to copy information to your clipboard.

4. Select your endpoint's operating system from the Operating System drop-down list.

5. Select the version of the agent that you want to install from the Agent Version drop-down list.

Note: The agent versions available for selection are defined by the Agent Version Options,which you can edit from the Options page Agents tab within the Norman Enterprise Security Webconsole. For additional information, refer to Configuring the Agents Tab in the Norman EnterpriseSecurity User Guide (http://www.norman.com/support/user_manuals/).

6. Click Download.

Step Result: A dialog opens, prompting you to define a download location.

Tip: The Download Agent Installers dialog remains open during the installerdownload.

7. Using the dialog controls, define a download location and begin the download.





- 71 -

8. After the download completes, close the dialog.

Tip: You may click Cancel to close the Download Agent Installers dialog or leave open whileinstalling the agent. The dialog contains Norman ESEC server and agent information.

Result: You have successfully downloaded the Norman ESEC Agent installer.

Silently Installing the Agent by Command Line for WindowsComplete a silent install of the agent using a command line. When configured using command lineparameters, the installation of the agent can be run unattended.

Prerequisites:



• Ensure any antivirus software installed on the computer is disabled.• Ensure you are logged on with an administrative user account.• Download the Windows agent installer. Refer to Downloading the Installer on page 69.

After downloading the agent installer for Windows, you can begin a silent install from the WindowsCommand Prompt. In addition to setting the Norman ESEC URL (or IP), you can define a proxy foragent-to-server communication and auto-assign groups during silent installation.

1. Using the Start Menu or Start Screen, open a Command Prompt.

Step Result: The Command Prompt opens.

2. Change directories to the root directory.Type cd\ and press ENTER.

Step Result: The directory is changed to the root directory.

3. Change directories to the location where you downloaded the installer.Type cd <Your\Download\Directory> and press ENTER.

Step Result: The directory changes to the directory where you downloaded the installer.

4. Install the agent by typing the install command followed by parameters.

Note: If you downloaded the 64-bit installer, replace lmsetup.exe with lmsetupx64.exe whentyping install commands.

Example parameters:

Example: lmsetup.exe install SERVERIPADDRESS="<xxx.xxx.xxx.xxx>"





- 72 -

(required parameters)

Example: lmsetup.exe install SERVERIPADDRESS="<xxx.xxx.xxx.xxx>" PROXYADDRESS="<xxx.xxx.xxx.xxx>" PROXYPORT="<xx>" PROXYUSERNAME="<ProxyUser>" PROXYPASSWORD="<ProxyUserPassword>" MODULELIST="<Module>|<Module2>" GROUPLIST="<Group>|<Group2>"

(all parameters)

Note: When installing the Norman ESEC agent from a command line, you can add a number ofparameters to modify how the agent is installed on the endpoint. Read the following table fordetailed instructions about how to use each parameter. Remember the following information whenusing these parameters:

• Parameters do not have to be entered in a specific order.• The only required parameter is SERVERIPADDRESS.• The parameter name may be capitalized or lowercase, or mixed.• Surround variables with double quotes. Words wrapped in carrots are variables relative to your

environment. For example when defining the SERVERIPADDRESS parameter, you might typeSERVERIPADDRESS="10.19.0.133"

• With the exception of password variables, variables are not case sensitive.

Table 14: Description of Installation Parameters

Parameter Description

SERVERIPADDRESS The IP address of your Norman ESEC server.Example: SERVERIPADDRESS="<xxx.xxx.xxx.xxx>"

Note: This can also be a local name or fully qualified domainname of your Norman ESEC server. A fully qualified domain name isrecommended over local.

PROXYADDRESS The IP address for your proxy server.Example: PROXYADDRESS="<xxx.xxx.xxx.xxx>"

Note:This can also be a local name or fully qualified domain name of yourNorman ESEC server. A fully qualified domain name recommended overlocal.A Squid proxy server will only properly resolve using a fully qualifieddomain name.

PROXYPORT The port your proxy server is using for communication.Example: PROXYPORT="<xx>"

PROXYUSERNAME Login user for an authenticated proxy.Example: PROXYUSERNAME="<ProxyUserName>"


- 73 -


PROXYPASSWORD Login password for an authenticated proxy.Example: PROXYPASSWORD="<ProxyUserPassword>"

Tip: The password will be encrypted and saved on the endpoint.

GROUPLIST This parameter adds the target endpoint to existing Norman ESEC groupsduring agent installation. The following list includes information aboutusing this parameter.

• You can only use this parameter to add endpoints to existing groups.This parameter cannot create new groups.

• When using this parameter, you can add the endpoint to two or moregroups. To add the endpoint to multiple groups, type a pipe symbol| between two group names. Do not type spaces between the groupnames and the pipe(s).Example (single group): GROUPLIST="<Group>"Example (multiple groups):GROUPLIST="<Group>|<Group2>|<Group3>"

• When using this parameter, you can use either the group name or thedistinguished name.

• If two or more groups exist that share the same name, using thegroup name will add the endpoint to all groups using the name.

• If two or more groups exist that share the same name, using thedistinguished name will add the endpoint to a specific group.Example (distinguished name use):GROUPLIST="OU=<Group>,OU=Custom Groups,OU=My Groups"

• To view your group names and distinguished names, view the Groupspage Group Membership view in the Norman ESEC Web console.


- 74 -


MODULELIST This parameter installs Norman ESEC endpoint modules along withthe Norman ESEC Agent during installation. The following list includesinformation about using this parameter.

• You can use this parameter to add endpoint modules you are licensedfor.

• When using this parameter, you can add two or more modules. Formultiple modules, type a pipe symbol | between two module names.Do not type spaces between the modules names and the pipe(s).Example: MODULELIST="<Module>|<Module2>|<Module3>"

The following list includes the MODULELIST parameter for each NormanESEC module:

• Patch and Remediation (Patch and Remediation)• Application Control (Application Control)• AntiVirus (AntiVirus)• Power Management (Power Management)• Device Control (Device Control)

INSTALLDIR This parameter defines the directory where the Norman ESEC agent willbe installed.Example: INSTALLDIR="C:\<Your>\<Install>\<Directory>"

Note: Omitting this parameter installs the agent to the default directoryof C:\Program Files\Norman\NESECAgent. Only ASCII characters areallowed in the folder name.

Install of the Agent for Windows ManuallyNorman Enterprise Security Agents can be installed on a single Windows endpoint using the agentinstaller.You can log in to the Norman Enterprise Security Web console, download the agent, and then run theagent installer.

Tip: If you are unfamiliar with the command prompt, you may prefer this agent installation method toinstall the agent.


- 75 -

Manual Install Workflow for WindowsA simple method to install the Norman ESEC agent on an endpoint is manually installing the agent ona Windows endpoint. The Norman ESEC agent installer features a straightforward wizard that can beused to install the agent on a single endpoint.


Download the agent installer on a Windows endpoint. Downloading the Installer onpage 75.

Install the agent. You may install agents on Windows endpoints that you want tomanage. Agent installation is based on administrator need and operating systemtype. Refer to Manually Installing the Agent for Windows on page 77.















- 76 -

3. Select Tools > After > Download Agent Installer.






Note: The agent versions available for selection are defined by the Agent Version Options,which you can edit from the Options page Agents tab within the Norman Enterprise Security Webconsole. For additional information, refer to Configuring the Agents Tab in the Norman EnterpriseSecurity User Guide (http://www.norman.com/support/user_manuals/).

6. Click Download.


Tip: The Download Agent Installers dialog remains open during the installerdownload.






- 77 -

8. After the download completes, close the dialog.

Tip: You may click Cancel to close the Download Agent Installers dialog or leave open whileinstalling the agent. The dialog contains Norman ESEC server and agent information.


Manually Installing the Agent for WindowsEndpoints running Windows XP or later communicate with the Norman Enterprise Security server usingthe Norman Enterprise Security Agent.

Prerequisites:



• Ensure any antivirus software installed on the computer is disabled.• Download the appropriate installer for your operating system. See Downloading the Installer on page

75 for more information.• Ensure you are logged on with an administrative user account.

After downloading the agent installer for Windows, you can begin an install using the Agent SetupWizard.

1. From the download location, open the Agent Setup Wizard.

• On 32-bit endpoints, double-click lmsetup.exe.• On 64-bit endpoints, double-click lmsetupx64.exe.

2. Review the License agreement and select the I accept the terms in the License agreementoption.

Tip: Click Print to perform the following actions:

• Open a text file of the license agreement.• Open a Print dialog.

3. Click Next.

Step Result: The Destination folder page opens.





- 78 -

4. [Optional] Change the Norman ESEC agent installation location.

Tip: Only ASCII characters are allowed in the folder name.

a) Click Browse.

Step Result: The Browse for Folder dialog opens.

b) Define the desired file path using either the Look in lists or the Folder name field.c) Click OK.

Step Result: The Browse for Folder dialog closes and the Destination folder page reflects thenew location.

5. Click Next.

Step Result: The Server Information page opens.

6. Type the appropriate server address information in the Server identity field.

Server Definition Option Step

To define the server with anIP address:

Type xxx.xxx.xxx.xxx

To define the server with aserver name:

Type ServerName

To define the server usinga fully qualified domainname:

Type ServerName.DomainName.com

7. [Optional] If the agent will communicate with the Norman ESEC server through a proxy server, selectthe A proxy server is required check box and complete the following steps.

Note: In many network environments, although a proxy is used for Internet access, a proxy bypassis used for all access within the corporate network. Therefore, only enter proxy information if youragents will be required to use a proxy to access your Norman Enterprise Security server. Proxyinformation is not validated. A Squid proxy server will only properly resolve using a fully qualifieddomain name.

a) Type the proxy IP address or host name in the Proxy server address field.b) Type the port number that the proxy uses in the Port number field.c) [Optional] If the proxy server requires authentication, complete the following steps:

1. Select the Authentication is required check box.2. Type the user name in the Username field.3. Type a new password for the proxy in the Password field.


- 79 -

4. Re-type the proxy password for the proxy in the Confirm Password field.

Figure 12: Server Information Page With Proxy Fields Enabled

Tip: Select the Show password check box to display the password text.

8. Click Next.

Step Result: The Installation Ready page opens.

Figure 13: Installation Ready Page


- 80 -

9. Review the installation information and click Install to install the agent.

Note: Once installation begins it cannot be cancelled.

Step Result: The agent is installed and the Installation Complete page displays.

Tip: Click Open setup log to open lmsetup.log in your text editor.

10.Click Close to exit the wizard.

- 81 -

Chapter

4Installing the Agent on Mac

In this chapter:

• Mac Installation Methods• Installing Java Runtime Environment• Command Line Workflow for Mac• Agent Installer Workflow for Mac

There are various methods when installing the NormanEnterprise Security Agent on a Mac endpoint.

Mac Installation MethodsTo install the Norman Enterprise Security Agent on a Mac platform you can utilize different methods.

• A command line method utilizes command line parameters to install the agent. For additionalinformation, refer to:

• You may install using a command line. Refer to Installing the Agent by Command Line for Mac onpage 86.

• You may use a silent install in a command line. Refer to Silent Install by Command Line for Mac onpage 91.

• The Norman ESEC installer utilizes an easy-to-use installation wizard to install a single agent. Referto Manually Installing the Agent for Mac on page 98.

For a description of the benefits of each install method, refer to Understanding Agent Installation Methodson page 25.


- 82 -

Installing Java Runtime EnvironmentPrior to installing the Norman Enterprise Security Agent, you must have Java Runtime Environment(JRE) 1.4.x or higher.

Note:

• If installing using the installation wizard for OS X (versions 10.7.3-10.10), JDK 1.7 or later is required.• Open JDK can be substituted for Oracle Java JRE on the following operating systems:

• Cent OS Linux• Novell SUSE Linux• Oracle Linux• Red Hat Enterprise LinuxRefer to IcedTea Project (http://openjdk.java.net/projects/icedtea/) for additional information.

Verify you are running Java Runtime Environment (JRE) 1.4.xor later on your target endpoint.

1. Log in to the target endpoint using the root user account.

2. Open the Terminal window.

3. Type java -version and press ENTER.

Step Result: The Terminal window displays the installed version of the Java Runtime Environment(JRE).

4. Use the output in the Terminal window to verify that the java version is 1.4.x or later.

• If your java version is 1.4.x or later, your target endpoint is ready for Norman EnterpriseSecurity Agent installation.

• If your java version is earlier than 1.4.x, you must update the Java Runtime Environment.Proceed to the next step.

5. Download and install the latest version of Java Runtime Environment (JRE).

a) Open your Web browser and go to Java Web site (http://java.com/en/download/manual.jsp) for thelatest version.




http://java.com/en/download/manual.jsp


Installing the Agent on Mac

- 83 -

b) Download and install the version of Java Runtime Environment (JRE) that is applicable to yourtarget environment.

Tip: The Java Web site contains instructions to complete the install of Java Runtime Environment(JRE) for each applicable operating system.

Result: The latest version of Java Runtime Environment (JRE) is installed on your target endpoint.

After Completing This Task:For Mac endpoints complete the agent install. Agent installation may be done using:

• Installing the Agent by Command Line for Mac on page 86• Silent Install by Command Line for Mac on page 91For Linux/UNIX endpoints complete the agent install. Agent installation may be done using:

• Installing the Agent by Command Line for Linux or UNIX on page 108• Silent Install by Command Line for Linux or UNIX on page 110

Command Line Workflow for MacReview this chart to understand the Norman ESEC Agent workflow for command line installation on aMac endpoint.

Note: An advantage in using a command line is silent installation. When using silent installation, youcan enter all the information necessary prior to the silent installation and then the installation itself runsunattended (without user interaction).


Download the agent installer on a Mac endpoint. Refer to Downloading the Installeron page 84.

Install the agent. You may install agents on any endpoints that you want tomanage. Agent installation may be done using:

• You may install using a command line. Refer to Installing the Agent by CommandLine for Mac on page 86.

• You may use a silent install in a command line. Refer to Silent Install byCommand Line for Mac on page 91.


- 84 -















- 85 -

3. Select Tools > Download Agent Installer.






Note: The agent versions available for selection are controlled by defining the Agent Versionsoption within Norman ESEC. For additional information, refer to Configuring the Agents Tab in theNorman Enterprise Security User Guide (http://www.norman.com/support/user_manuals/).

6. Click Download.


Tip: The Download Agent Installer dialog remains open during the installerdownload.





- 86 -

8. After the download completes, close the Download Agent Installers dialog by clicking Cancel.

Tip: Leave the dialog open while installing the agent to have easy access to Norman ESEC serverinformation used during the installation procedure.


Installing the Agent by Command Line for MacComplete the agent install using a command line.

Prerequisites:

• Ensure the Patch and Remediation module is installed on your Norman Enterprise Security (NormanESEC) server.


• Ensure have Java Runtime Environment (JRE) 1.4.x or higher on your endpoint. See Installing JavaRuntime Environment on page 82 for more information.

• Ensure any antivirus software installed on the endpoint is disabled.• Download the appropriate installer for your operating system. See Downloading the Installer on page

84 for more information.• Ensure you are logged on using the root user account.

Complete the following steps to install the agent using a command line.

1. In the /root directory, create the directory.

Tip: You can create this directory a variety of ways depending on your endpoint operating systemversion. Only ANSI characters are allowed in the folder name.

Step Result: The /root/ directory is created.


- 87 -

2. From the downloaded location, select the UnixPatchAgent.tar file and extract its contents to /root/.

Step Result: The following files are extracted to /root/:

• env.class• install• install.ncf• InstallArchive.jar• patchagent.properties• patchagent.tar• README.txt• support.tar

Note: If a new directory is created during the extraction, move its contents to /root/and delete the directory created during extraction.

3. Open Terminal.

Note: How you open Terminal varies depending on your operating system.

4. Change the directory to /root// by typing cd /root/MacPatchAgent and press ENTER.

Step Result: The directory changes to /root/.

5. Type ./install to start the installation process.

Step Result: Installation begins.

6. At the Enter the Directory where the Agent should be installed [/usr/local] prompt,define the directory where you want to install the agent.

Installation Location Option Step(s)

To install the agent to thedefault path of /usr/local:

Press ENTER.

To install the agent to acustom patch:

1. Type the custom path you want to install to in the followingformat: /customlocation.

Note: When defining a custom path, type front slashesbetween directories. For example, if you wanted todefine path for the theoretical Administrator directorynested within the usr directory, you would type /usr/Administrator.

2. Press ENTER.


- 88 -

7. At the Enter your Norman Patch and Remediation server address prompt, define theNorman ESEC server address definition for the agent.

Server Definition Option Step

To define the server with anIP address:

Enter http://xxx.xxx.xxx.xxx

To define the server with aserver name:

Enter http://ServerURL

To define the server usingSSL with an IP address:

Enter https://xxx.xxx.xxx.xxx

To define the server usingSSL with a server name:

Enter https://ServerURL

a) Press ENTER.

8. At the Enter the product serial number that appears as xxxxxxxx-xxxxxxxx prompt, typeyour serial number in a xxxxxxxx-xxxxxxxx format and press ENTER.

Tip: The serial number is displayed on the Norman ESEC Web console Home page and theDownload Agent Installers dialog.

9. At the Do you have a Proxy [Y/N] prompt, define whether the agent will use a proxy duringcommunication with the Norman ESEC server.


Proxy Use Option Step(s0

To skip proxy definition: Type n and press ENTER.


- 89 -

Proxy Use Option Step(s0

To define a proxy: 1. Type y and press ENTER.2. At the Enter your proxy address prompt, type the proxy

IP address in one of the following format and press ENTER:

• http://xxx.xxx.xxx.xxx

• http://ServerURL

Note: A Squid proxy server will only properly resolveusing a fully qualified domain name.

3. At the Enter your proxy port [1-65535] prompt, typethe port that will be used for communication with the proxyand press ENTER.

4. At the Proxy username [press return if your proxydoes not require authorization] prompt, type a validproxy username and press ENTER if the proxy requiresauthentication. If the proxy does not require authentication,forgo typing a username and press ENTER.

5. At the Proxy password prompt, type the passwordassociated with the user name you entered, if necessary.

10.At the Do you wish to add this agent to existing groups on Norman Patch andRemediation server? [Y/N] prompt, define whether you want to add the endpoint to an existingNorman ESEC group.

Group Addition Option Step(s)

To skip adding the endpointto an existing group:

Type n and press ENTER.


- 90 -

Group Addition Option Step(s)

To add the endpoint to anexisting group:

1. Type y and press ENTER.2. At the Enter the group name separated by ' | ' (Eg.

OU=group1|OU=group2|OU=group3) prompt, define theexisting group or groups you want to add the endpoint to.

• You can define groups either by the group name or thedistinguished name.

Tip: You can view group names and distinguished namesfrom the Group Membership view within the Groups pagein the Norman ESEC Web console.

• To add the endpoint to a single group, type <GroupName>and press ENTER.

• To add the endpoint to two or more groups, type<GroupName>|<GroupName2> and press ENTER. Typeadditional pipes and group names when adding theendpoint to more than two groups.

Note:

• If two or more groups share the same name, and youwant to add the endpoint to all groups sharing thename, use the group name to define the target group.

• If two or more groups share the same name, and youwant to add the endpoint to a specific group, usethe distinguished name to define the target group.For example, type OU=<GroupName>,OU=CustomGroups,OU=My Groups

11.At the Do you wish to set the agent process nice value: prompt, define whether you wantto define an agent process nice value.

Agent Process Nice ValueOption

Step(s)

To skip defining an agentprocess nice value:

Type n and press ENTER.


- 91 -

Agent Process Nice ValueOption

Step(s)

To define an agent processnice value:

1. Type y and press ENTER.2. Type a nice value (-20 to 20) and press ENTER.

Result: The installation completes and the terminal link can be disconnected.

Note: Open ports 49152-65535. Norman recommends opening ports 49152-65535 on Linux,UNIX, and Mac endpoints. The agent randomly opens one of these ports to listen for check nowcommands, which are server-sent requests that agents use to check for tasks. Closing theseports delays agent tasks until they check in themselves.

Silent Install by Command Line for MacComplete a silent install using a command line. When configured using command line parameters, theinstallation of the agent can be run unattended.

Prerequisites:


• Ensure the Patch and Remediation module is installed on your Norman ESEC server.• Ensure that your endpoint meets the minimum requirements for agent installation. For additional

information, refer to Agent Requirements on page 11.• Ensure have Java Runtime Environment (JRE) 1.5 or higher on your endpoint. See Installing Java

Runtime Environment on page 82 for more information.• Ensure any antivirus software installed on the endpoint is disabled.• Download the appropriate installer for your operating system. See Downloading the Installer on page

84 for more information.• Ensure you are logged on using the root user account.

In addition to the Norman ESEC URL (or IP) and serial number, you can define a proxy and auto-assigngroups when performing a silent install using the single agent installer for Mac.

1. In the /root directory, create the directory.

Tip: You can create this directory a variety of ways depending on your endpoint operating systemversion. Only ANSI characters are allowed in the folder name.

Step Result: The /root/ directory is created.





- 92 -

2. From the downloaded location, select the UnixPatchAgent.tar file and extract its contents to /root/.

Step Result: The following files are extracted to /root/:

• env.class• install• install.ncf• InstallArchive.jar• patchagent.properties• patchagent.tar• README.txt• support.tar

Note: If a new directory is created during the extraction, move its contents to /root/and delete the directory created during extraction.

3. Open Terminal.

Note: How you open Terminal varies depending on your operating system.

4. Change the directory to /root// by typing cd /root/MacPatchAgent and press ENTER.

Step Result: The directory changes to /root/.

5. Begin the install by typing the install command followed by the parameters needed to install theagent in your environment.

• To perform a silent install with a proxy, type the following syntax and press ENTER:./install -silent -d “/usr/local” -p “http://<MyServer>” -sno “<xxxxxxxx>-<xxxxxxxx>” -proxy “http://<MyProxy>” -port <xx> -g “<GroupName>|<GroupName2>”

• To perform a silent install without a proxy, type the following syntax and press ENTER:./install -silent -d “/usr/local” -p “http://<MyServer>” -sno “<xxxxxxxx>-<xxxxxxxx>” -g “<GroupName>|<GroupName2>”

When installing the Patch Agent from command line, you can add a number of parameters tomodify how the agent is installed on the endpoint. The following table lists all available command


- 93 -

line parameters. Read the following table for detailed instruction about how to use each parameter.Remember the following information when using these parameters:

• Parameters do not have to be entered in a specific order.• Words surrounded in carrots are variables relative to your environment. When defining

these parameters, omit the carrots and replace the variable with information relevant in yourenvironment. For example when defining the -p, you might type -p "http://10.19.0.133"


Table 15: Parameter Descriptions


-silent Performs installation silently.Example: -silent

-d The install directory. Norman recommends using /usr/local for most Linuxendpoints.Example: -d "install/directory"

-p The URL (or IP) of your Norman ESEC server.Examples:

• -p "http://MyServer"

• -p "http://xxx.xxx.xxx.xxx"

-sno The serial number of your Norman Enterprise Security.Example: -sno "xxxxxxxx-xxxxxxxx"

-proxy The URL (or IP) of your proxy.Examples:

• -proxy "http://MyServer"

• -proxy "http://xxx.xxx.xxx.xxx"

Note: A Squid proxy server will only properly resolve using a fully qualifieddomain name.

-port The proxy port.Example: -port "xx"


- 94 -


-g This parameter adds the target endpoint to existing Norman ESEC groupsduring agent installation. The following list includes information about usingthis parameter.

• You can only use this parameter to add endpoints to existing groups. Thisparameter cannot create new groups.

• When using this parameter, you can add the endpoint to two or moregroups. To add the endpoint to multiple groups, type a pipe between twogroup names. Do not type spaces between the group names and the pipe(s).

• Example (single group): -g "<Group>"• Example (multiple groups): -g "<Group>|<Group2>|<Group3>"


• If two or more groups exist that share the same name, using the groupname will add the endpoint to all groups using the name.

• If two or more groups exist that share the same name, using thedistinguished name will add the endpoint to a specific group.Example (distinguished name use): -g "OU=<Group>,OU=CustomGroups,OU=My Groups"

Tip: You can view group names and distinguished names from the GroupMembership view within the Groups page in the Norman ESEC Webconsole.

Result: The agent is installed.

Note: Norman recommends opening ports 49152-65535 on Linux, UNIX, and Mac endpoints.The agent randomly opens one of these ports to listen for check now commands, which areserver-sent requests that the agent checks for tasks. Closing these ports delays agent tasksuntil they check in themselves.


- 95 -

Agent Installer Workflow for MacThe simplest method to install the Norman ESEC agent on an endpoint is through use of the agent'sinstaller. Like most software, the Norman ESEC agent features an straightforward wizard that can beused to install the agent on a single endpoint.


Attention: The installation wizard cannot be used on OS X 10.3 through 10.7.2.Complete the Command Line Workflow instead.

Ensure that JDK 1.7 or later is installed on the Mac endpoint.

Download the agent installer on a Mac endpoint. Refer to Downloading the Installeron page 96.

Install the agent. You may install agents on Mac endpoints that you want tomanage. Agent installation is based on administrator need and operating systemtype. Refer to Manually Installing the Agent for Mac on page 98.








- 96 -



Tip: For some operating systems, you have the option of downloading and installing the commandline version of the agent installer or the graphical user interface version of the agent installer. Thecommand line agent is installed and accessed after installation using the command prompt. Thegraphical user interface version of the agent is installed using an installation wizard and accessed afterinstallation via the Control Panel (Windows) or System Preferences (Mac).








- 97 -








6. Click Download.







- 98 -




Manually Installing the Agent for MacFor OS X versions 10.7.3 and higher, you have the option of installing the agent using an install wizard.

Prerequisites:

• Complete Downloading the Installer on page 96.• Ensure JDK 1.7 or later is installed. The installer will not open if the JDK isn't installed.• Ensure that your endpoint meets the minimum requirements for agent installation: Mac, Linux, or

UNIX Endpoint Requirements on page 18.

Note: You are installing the agent on OS X 10.3 through 10.7.2, you must install the agent using terminal.

1. Ensure you are logged on to the endpoint as an administrative user.

2. From the downloaded location, open PatchAgentforMac.dmg.

3. Click Next.

Step Result: The License Agreement page displays.

Figure 16: License Agreement Page

4. Review the License agreement and select the I accept the terms of the License Agreementoption.



- 99 -

5. Click Next.

Step Result: The Verify Sudo Password page opens.

6. Enter your system password in the Please Enter the Password field. This password is identical tothe one entered earlier.

7. Click Next.

Step Result: The Choose Install Folder page opens.

8. [Optional] Change the agent installation location.

Tip: Only ANSI characters are allowed in the folder name.

a) Click Choose.

Step Result: Finder opens.

b) Define the desired file path for the installation location.c) Select Open.

Tip: Click Restore Default Folder to restore the default installation location at any time.

9. Select Next.

Step Result: The Server Information page displays.

10.Type the Norman Enterprise Security server URL in the URL field.

• To use a server name, type http(s)://servername and press ENTER.• To use an IP address, type http(s)://IP address (http://10.10.10.10 for example) and

press ENTER.

11.Type your serial number in the Serial Number field.

Tip: The Norman Enterprise Security serial number is available on the Norman Enterprise SecurityHome page.


- 100 -

12.[Optional] If the agent will use a proxy server during communication with the Norman ESEC server,select the Use a Proxy Server check box and complete the following steps.


a) Click Next.

Step Result: The Proxy Configuration page opens.

Figure 17: Proxy Configuration Page

b) In the Proxy URL field, type the proxy URL.c) [Optional] In the Proxy Port field, type the port number that the proxy uses for communication.d) [Optional] If your proxy require authentication, complete the following steps.

1. Type a user name that authenticates with the proxy server in the Proxy User (ifauthenticated) field.

2. Type the user name password in the Proxy Password (if authenticated) field.3. In the Confirm Password field, retype the password.


- 101 -

13.Click Next.

Step Result: The Additional Options page displays.

Figure 18: Additional Options Page

14.[Optional] In the Groups field, define the existing groups you want to add the endpoint to. Addthe agent to specific device groups, and enter the names of the groups in the Groups field. Valuesshould be separated by a (|) symbol.Syntax rules:

• Separate each group using a pipe ( | ). If only adding the endpoint to a single group, omit thepipe.

• If you want to add the group to multiple groups, and those groups share the same short name,used the group distinguished name instead.

Tip: You can view group names and distinguished group names within the Group Membership viewin the NESEC console.

15.[Optional] Set the operating system's prioritization value for the agent by typing a value in theAgent Nice Value field.

Note: The nice value sets a higher priority process value. A value of -20 in this field gives the agentthe highest priority and 20 gives the lowest priority.

16.[Optional] To configure the agent so that it is detectable, yet cannot have packages deployed to it,select the Detect Only check box.

17.Click Next.

Step Result: The Pre-Installation Summary page displays.

18.Verify the agent pre-installation summary information is accurate.


- 102 -

19.Click Next to begin the installation.

Step Result: The Install Complete Success page displays when the installation process is finished.

20.Click Done to complete the installation and close the installer.

- 103 -

Chapter

5Installing the Agent on Linux or UNIX

In this chapter:

• Linux and UNIX Installation Method• Installing Java Runtime Environment• Command Line Workflow for Linux

or UNIX

Use the Command Line method when installing the NormanEnterprise Security Agent on a Linux or UNIX endpoints.

Note: To install an agent on Linux or UNIX you are restricted tothe command line method. For a description of the commandline method, refer to Understanding Agent Installation Methods onpage 25.

Linux and UNIX Installation MethodA command line is the only method that can be used to install the Norman Enterprise Security Agenton Linux or UNIX platform.Install the Norman Enterprise Security (Norman ESEC) Agent on an endpoint that contains a Linux orUNIX operating system using one of the following;

• Use an install parameter in a command line. For additional information, refer to: Installing the Agentby Command Line for Linux or UNIX on page 108.

• Use a silent install parameter in a command line. Refer to Silent Install by Command Line for Linux orUNIX on page 110.

Note: For a description of agent install methods, refer to Understanding Agent Installation Methods onpage 25.


- 104 -

Installing Java Runtime EnvironmentPrior to installing the Norman Enterprise Security Agent, you must have Java Runtime Environment(JRE) 1.4.x or higher.

Note:

• If installing using the installation wizard for OS X (versions 10.7.3-10.10), JDK 1.7 or later is required.• Open JDK can be substituted for Oracle Java JRE on the following operating systems:

• Cent OS Linux• Novell SUSE Linux• Oracle Linux• Red Hat Enterprise LinuxRefer to IcedTea Project (http://openjdk.java.net/projects/icedtea/) for additional information.

Verify you are running Java Runtime Environment (JRE) 1.4.xor later on your target endpoint.

1. Log in to the target endpoint using the root user account.

2. Open the Terminal window.

3. Type java -version and press ENTER.

Step Result: The Terminal window displays the installed version of the Java Runtime Environment(JRE).

4. Use the output in the Terminal window to verify that the java version is 1.4.x or later.

• If your java version is 1.4.x or later, your target endpoint is ready for Norman EnterpriseSecurity Agent installation.

• If your java version is earlier than 1.4.x, you must update the Java Runtime Environment.Proceed to the next step.

5. Download and install the latest version of Java Runtime Environment (JRE).

a) Open your Web browser and go to Java Web site (http://java.com/en/download/manual.jsp) for thelatest version.






Installing the Agent on Linux or UNIX

- 105 -

b) Download and install the version of Java Runtime Environment (JRE) that is applicable to yourtarget environment.

Tip: The Java Web site contains instructions to complete the install of Java Runtime Environment(JRE) for each applicable operating system.

Result: The latest version of Java Runtime Environment (JRE) is installed on your target endpoint.

After Completing This Task:For Mac endpoints complete the agent install. Agent installation may be done using:

• Installing the Agent by Command Line for Mac on page 86• Silent Install by Command Line for Mac on page 91For Linux/UNIX endpoints complete the agent install. Agent installation may be done using:

• Installing the Agent by Command Line for Linux or UNIX on page 108• Silent Install by Command Line for Linux or UNIX on page 110

Command Line Workflow for Linux or UNIXReview this chart to understand the Norman ESEC Agent workflow for command line installation on aLinux or UNIX endpoint.

Note: An advantage in using a command line is silent installation. When using silent installation, youcan enter all the information necessary prior to the silent installation and then the installation itself runsunattended (without user interaction).


Ensure that Java Runtime Environment 1.4.x or higher is installed on the Linux orUNIX endpoint. Refer to Installing Java Runtime Environment on page 82.

Download the agent installer on a Linux or UNIX endpoint. Refer to Downloadingthe Installer on page 106.


- 106 -

Install the agent. You may install agents on any Linux or UNIX endpoints that youwant to manage. Agent installation may be done using either:

• A command line. Refer to Installing the Agent by Command Line for Linux or UNIXon page 108.

• A silent install parameter in a command line. Refer to Silent Install by CommandLine for Linux or UNIX on page 110.





Tip: For some operating systems, you have the option of downloading and installing the commandline version of the agent installer or the graphical user interface version of the agent installer. Thecommand line agent is installed and accessed after installation using the command prompt. Thegraphical user interface version of the agent is installed using an installation wizard and accessed afterinstallation via the Control Panel (Windows) or System Preferences (Mac).











- 107 -








6. Click Download.







- 108 -




Installing the Agent by Command Line for Linux or UNIXComplete the agent install using a command line.

Prerequisites:

• Review Mac, Linux, or UNIX Endpoint Requirements on page 18.• Complete Downloading the Installer on page 106.

Complete the following steps to install the agent using a command line.

1. Browse to the location that you downloaded UnixPatchAgent.tar.

2. Extract UnixPatchAgent.tar to any location.

3. Open Terminal and change directory to the location of the extracted UnixPatchAgent, which youshould have downloaded from the NESEC Server.


- 109 -

4. Elevate your command line privaleges.

a) Type sudo -s and press ENTER.b) Type the root password and press ENTER.

5. Begin installation by typing ./install and press ENTER.

6. When prompted, define a Patch Agent install location.

• Press ENTER to accept the default location.• Type your own location and press ENTER to choose a custom path.

7. Enter your NESEC Server URL.


press ENTER.

8. Type your NESEC serial number and press ENTER.

Tip: You can view the serial number from the Home page of the NESEC Web console.

9. If your enterprise uses FastPath servers (also known as caching proxies) to speed up contentdeployment, enter FastPath server information.

Note:

• If you don't use FastPath servers, press ENTER to default to N, and continue to the next step.• This prompt isn't used to define a firewall proxy.

a) Type y and press ENTER.


- 110 -

b) Enter your proxy server URL and press ENTER.


press ENTER.

Note: A Squid proxy server will only properly resolve using a fully qualified domain name.

c) If your proxy requires authentication, enter a username and password that authenticate with theproxy. If the proxy doens't require authentication, just press ENTER to continue.

10.If you want the endpoint to add itself to existing NESEC groups during registration, complete thefollowing substeps. If not, simply press ENTER and continue to the next step.

a) Type y and press ENTER.b) Type the groups that you want the endpoint to register with, using the syntax rules that follow.

Press ENTER when you're done.

Example: GroupName1|GroupName2|GroupName3

Syntax rules:

• Separate each group using a pipe ( | ). If only adding the endpoint to a single group, omit thepipe.

• If you want to add the group to multiple groups, and those groups share the same shortname, used the group distinguished name instead.

Tip: You can view group names and distinguished group names within the Group Membershipview in the NESEC console.

11.If you want to define a nice value for the UnixPatchAgent.tar, type a value (-20 through 20) andpress ENTER. If you don't want to define a nice value, just leave the prompt empty and pressENTER.

Result: The agent is installed. When the process is complete, you can close terminal.

Silent Install by Command Line for Linux or UNIXComplete a silent install using a command line. When configured using command line parameters, theinstallation of the agent can be run unattended.

Prerequisites:

• Review Mac, Linux, or UNIX Endpoint Requirements on page 18.• Complete Downloading the Installer on page 106.

Complete the following steps from your Linux and Unix endpoints.

1. Browse to the location that you downloaded UnixPatchAgent.tar.

2. Extract UnixPatchAgent.tar to any location.


- 111 -

3. Open Terminal and change directory to the location of the extracted UnixPatchAgent, which youshould have downloaded from the NESEC Server.

4. Elevate your command line privaleges.

a) Type sudo -s and press ENTER.b) Type the root password and press ENTER.

5. Begin the install by typing the install command followed by the parameters needed to install theagent in your environment.

• To perform a silent install with a proxy, type the following syntax and press ENTER:./install -silent -d “/usr/local” -p “http://<MyServer>” -sno “<xxxxxxxx>-<xxxxxxxx>” -proxy “http://<MyProxy>” -port <xx> -g “<GroupName>|<GroupName2>”

• To perform a silent install without a proxy, type the following syntax and press ENTER:./install -silent -d “/usr/local” -p “http://<MyServer>” -sno “<xxxxxxxx>-<xxxxxxxx>” -g “<GroupName>|<GroupName2>”

When installing the Patch Agent from command line, you can add a number of parameters tomodify how the agent is installed on the endpoint. The following table lists all available command


- 112 -

line parameters. Read the following table for detailed instruction about how to use each parameter.Remember the following information when using these parameters:

• Parameters do not have to be entered in a specific order.• Words surrounded in carrots are variables relative to your environment. When defining

these parameters, omit the carrots and replace the variable with information relevant in yourenvironment. For example when defining the -p, you might type -p "http://10.19.0.133"


Table 16: Parameter Descriptions


-silent Performs installation silently.Example: -silent

-d The install directory. Norman recommends using /usr/local for most Linuxendpoints.Example: -d "install/directory"

-p The URL (or IP) of your Norman ESEC server.Examples:

• -p "http://MyServer"

• -p "http://xxx.xxx.xxx.xxx"

-sno The serial number of your Norman Enterprise Security.Example: -sno "xxxxxxxx-xxxxxxxx"

-proxy The URL (or IP) of your proxy.Examples:

• -proxy "http://MyServer"

• -proxy "http://xxx.xxx.xxx.xxx"

Note: A Squid proxy server will only properly resolve using a fully qualifieddomain name.

-port The proxy port.Example: -port "xx"


- 113 -


-g This parameter adds the target endpoint to existing Norman ESEC groupsduring agent installation. The following list includes information about usingthis parameter.

• You can only use this parameter to add endpoints to existing groups. Thisparameter cannot create new groups.

• When using this parameter, you can add the endpoint to two or moregroups. To add the endpoint to multiple groups, type a pipe between twogroup names. Do not type spaces between the group names and the pipe(s).

• Example (single group): -g "<Group>"• Example (multiple groups): -g "<Group>|<Group2>|<Group3>"


• If two or more groups exist that share the same name, using the groupname will add the endpoint to all groups using the name.

• If two or more groups exist that share the same name, using thedistinguished name will add the endpoint to a specific group.Example (distinguished name use): -g "OU=<Group>,OU=CustomGroups,OU=My Groups"

Tip: You can view group names and distinguished names from the GroupMembership view within the Groups page in the Norman ESEC Webconsole.

Result: The agent is installed.


- 114 -

- 115 -

Appendix

AUpgrading Agents

In this appendix:

• Agent Upgrade on Windows• Agent Upgrade on Mac, Linux, or

UNIX

For users upgrading older Norman Enterprise Security Agents tothe most recent version, there are several options for updatingyour Norman Enterprise Security Agent. The methods availablefor upgrading vary based on the endpoint's operating system.

Agent Upgrade on WindowsYou can you the Norman Enterprise Security Web console to upgrade your Norman ESEC Agentsautomatically.For more information, see Upgrading Agents From the Web Console on page 115.

Note: You may overwrite your Norman ESEC Agent on an endpoint. You can overwrite using an AgentManagement Job if needed. Using this method will cause data loss when an endpoint's Norman ESECAgent is overwritten. Refer to Installing Agents by Agent Management Job on page 49 for instruction.

Upgrading Agents From the Web ConsoleYou may use the Norman Enterprise Security Web console to upgrade your Windows endpoints to thenewest agent version.Window agents can be upgraded from the Endpoints page. The following tasks are needed to executean automatic upgrade of existing network agents.

• Ensure that your agent options are configured so that the latest Norman ESEC Agent is available forinstallation. For additional information, refer to Defining Installable Agent Versions on page 116.

• Select the endpoints you want to upgrade and complete the agent upgrade. For additionalinformation, refer to Upgrading the Agent Using the Endpoints Page on page 117.


- 116 -

Defining Installable Agent VersionsUse the Norman Enterprise Security Web console to define that the latest version of the NormanEnterprise Security Agent is available for agent installation.

Prerequisites:

Ensure Norman Enterprise Security replicates with the Global Subscription Service. This will makecertain you have the latest agent version available. Refer to Replication in the Norman Enterprise SecurityUser Guide (http://www.norman.com/support/user_manuals/) for additional information.

Define the Agent Versions from within the Norman Enterprise Security (Norman ESEC) Web console.

1. Log in to the Norman ESEC Web console.For additional information, refer to the Logging in to Norman Enterprise Security in the NormanEnterprise Security User Guide (http://www.norman.com/support/user_manuals/).

2. Select Tools > Options.

Step Result: The Options page opens.

3. Select the Agents tab.

Step Result: The Agents tab opens.

4. Define the Agent Version.

a) Locate the Agent Versions area.b) Select Newest available in the Windows XP and newer agent version field.

Tip: The Newest available option determines that only the latest agent is available forendpoints. However, you can alternatively select NESEC<AgentVersion>+ when selectingan agent version. This selection makes available all agent versions released after the selectedversion.

5. Click Save.

Result: Your agent version selection is saved.

After Completing This Task:Complete the agent upgrade. For additional information, refer to Upgrading the Agent Using the EndpointsPage on page 117.







Upgrading Agents

- 117 -

Upgrading the Agent Using the Endpoints PageYou may upgrade your Windows agent by using the Norman Enterprise Security Web console.

Prerequisites:

• You have a Norman ESEC Agent installed on an endpoint containing a supported Windowsoperating system. Refer to Supported Endpoint Operating Systems on page 11 for a list of supportedoperating systems.

Note: On a endpoint containing a Windows XP SP2+ platform, the Microsoft Windows Installer 3.1or higher must be present on the endpoint prior to installing or upgrading to the 8.0 agent. Refer tothe Norman Support Site (http://www.norman.com/support/)

• Complete Defining Installable Agent Versions on page 116.• The agent status for the endpoint is Online.

Upgrade your Windows agents from the Endpoints page of the Norman Enterprise Security (NormanESEC) Web console.

1. Log in to the Norman ESEC Web console.

2. Select Manage > Endpoints.

Step Result: The Endpoints page opens to the All tab.

3. From the page list, select the endpoints that you want to upgrade to the latest agent version.

4. Click Agent Versions.

Step Result: The Manage Agent Versions dialog opens.

5. From the Select One list, select the most recent agent version and click Apply to All Agents.

Tip: You may want to test the upgrade on a few endpoints before upgrading your entire network.Do so, by selecting endpoints to test and then select the latest agent version for the endpoints fromthe Agent Version list.

6. Click OK.

Step Result: The agent begins upgrading and the Manage Agent Versions dialog closes.

Note: The upgrade process may take several minutes. You may only upgrade anendpoint again once the first upgrade has completed.

Result: The agent is upgraded on all selected endpoints.




- 118 -

Agent Upgrade on Mac, Linux, or UNIXYou can only upgrade the Norman Enterprise Security Agent on a Mac, Linux, or UNIX platform with anoverwrite.An overwrite means no data from your previous installation is retained. For additional information, referto Upgrading Agents by Command Line for Mac, Linux, or UNIX on page 118.

Note: For Patch and Remediation users, Norman recommends upgrading the agent for Mac, Linux,and UNIX using a deployment.

Upgrading Agents by Command Line for Mac, Linux, or UNIXUpgrading the agent overwrites the version of the Norman Enterprise Security (Norman ESEC) Agentrunning on Mac, Linux. or UNIX endpoints with the most recent version of the agent.

Prerequisites:

• You have a Norman ESEC Agent installed on a Mac, Linux, or UNIX supported operating system.Refer to Supported Endpoint Operating Systems on page 11 for a list of supported operating systems.

• Ensure you are logged on to the endpoint using a root user account.

Perform these steps on a Mac, Linux, or UNIX endpoint. The upgrade is an install of the most recentversion of the a Norman ESEC Agent.

Note: Overwriting an agent deletes all agent history.

1. Download the most recent version of the agent that is applicable to your target endpoint.

Upgrading Agents

- 119 -

2. Install the agent. For a detailed description, refer to one of the following install methods that isapplicable to your target endpoint operating system and install method of choice.

Option Description

Command Line on Mac • You may install using a command line. Refer to Installing theAgent by Command Line for Mac on page 86 for additionalinformation.

• You may use a silent install in a command line. Refer to SilentInstall by Command Line for Mac on page 91 for additionalinformation.

Manual Install on Mac • You may use the Norman ESEC installer which utilizes aneasy-to-use installation wizard to install the agent. Refer toManually Installing the Agent for Mac on page 98 for additionalinformation.

Command Line on Linux orUNIX

• You may install using a command line. Refer to Installing theAgent by Command Line for Linux or UNIX on page 108 foradditional information.

• You may use a silent install in a command line. Refer to SilentInstall by Command Line for Linux or UNIX on page 110 foradditional information.

Step Result: The agent is installed.

Result: Upon completion of upgrade you may utilize new agent.


- 120 -

- 121 -

Appendix

BUninstalling Agents

In this appendix:

• Agent Uninstall on Windows• Agent Uninstall on Mac, Linux, or

UNIX

You can uninstall the Norman Enterprise Security Agent usingseveral methods. The methods available for uninstall vary basedon the endpoint's operating system.

Agent Uninstall on WindowsTo uninstall the Norman Enterprise Security Agent on a Windows platform you can utilize the followingmethods:

• For uninstalling the agent using an Agent Management Job, refer to Uninstalling the Agent by AgentManagement Job on page 121.

• For uninstalling the agent manually, refer to Uninstalling the Agent on Windows on page 133.

Uninstalling the Agent by Agent Management JobYou can remotely uninstall an agent from Windows endpoints using an Agent Management Job. AnAgent Management Job allows you to uninstall the agent from the Norman ESEC Web console.

Prerequisites:

• You completed the configuration needs for an Agent Management Job. Refer to Agent ManagementJob Checklist on page 28 for a description.

• Verify that your target endpoint that you installed an agent on is a Windows endpoint. Mac, Linux,and UNIX endpoints cannot have agents uninstalled using an Agent Management Job.

• The agent status for the endpoint is Online.

You complete the Agent Management Job within the Norman ESEC Web console using an easy-to-usewizard. Configuration occurs in the Uninstall Agents Wizard.

Note: Configuration of the Agent Management Job is similar to configuration of a Discovery Scan Job.


- 122 -

1. Begin configuration of the Uninstall Agent Wizard.Complete one of the following sets of steps to begin configuration.

Context Steps

To open the Wizard withouttargets predefined:

Select Discover > Assets and Uninstall Agents.

To open the Wizard withtarget predefined:

1. Select Manage > Endpoints.2. Select the endpoints you want to uninstall agents from.3. From the toolbar, select Manage Agents > Uninstall Agents.

Step Result: The wizard opens to the Job Name and Scheduling page.

Figure 20: Job Name and Scheduling Page

2. [Optional] Type a new name in the Scan job name field.

Note: By default, a new Agent Management Job for uninstallation is named New Agent UninstallManagement Job, followed by the server's date and time, which is formatted according to yourbrowser's locale setting.

Uninstalling Agents

- 123 -

3. Schedule the job.Use one of the following methods.

Tip: During job scheduling, you can use the following shortcuts:

• Click the Calender icon to select a Start date. Selecting a date automatically fills the Start datefield.

• Click the Clock icon to select a Start time. Selecting a time automatically fills the Start timefield.

Method Steps

To schedule an immediatejob:

Select the Immediate option.

To schedule a one-time job: 1. Ensure the Once option is selected.2. Define a start date by typing a date in the Start date field.




Tip: Scheduling a one-time job for a past date and time willlaunch the job immediately.

To schedule a recurringweekly job:

1. Select the Weekly option.2. Define a start date by typing a date in the Start date field.




4. Define the day of the week the job runs by selecting a dayfrom the Run every week on the following day list.


- 124 -

Method Steps

To schedule a recurringmonthly job:

1. Select the Monthly option.2. Define a start date by typing a date in the Start date field.




4. Define the day of the month the job runs by typing a day inthe Run every month on the following day field.

Tip: One-time and recurring jobs scheduled for the last day of a 31-day month are automaticallyrescheduled for the last day of shorter months.

4. Click Next.

Step Result: The Targets page opens.

Figure 21: Targets Page

Uninstalling Agents

- 125 -

5. Define targets (endpoints) for the job to locate.Use one or more of the following discovery methods.

Method Steps

To define targets using asingle IP address:

1. From the Scan for list, select Single IP Address.2. Type an IP address in the empty field.

Note: Wildcards are supported. For additional information,refer to Defining Targets Using Wildcards on page 65.

3. Edit the Timeout list.

Note: The Timeout list defines the number of secondsbefore a scan fails due to inactivity for a particular target.Under most network conditions, the Timeout field does notrequire editing.


Note: The Number of retries list defines the number oftimes a scan retries on that target if the scan times out.

To define targets using an IPrange:

1. From the Scan for list, select IP Range.2. In the first empty field, type the beginning of IP range.

Note: Wildcards are supported. For additional information,refer to Defining Targets Using Wildcards on page 65.

3. In the second empty field, type the ending of the IP range.4. Edit the Timeout list.

Note: The Timeout list defines the number of secondsbefore a scan fails due to inactivity for that particular target.Under most network conditions, the Timeout field does notrequire editing.


Note: The Number of retries list defines the number oftimes a scan retries on that target if the scan times out.

To define targets using acomputer name:

1. From the Scan for list, select Computer name.2. In the empty field, type an endpoint name.

Note: Use one of the following formats: endpointname ordomain\endpointname.


- 126 -

Method Steps

To define targets usingnetwork neighborhood:

1. From the Scan for list, select Network Neighborhood.2. From the second list, select the desired network

neighborhood.

To define targets usingactive directory:

1. From the Scan for list, select Active Directory.2. In the Fully-qualified domain name field, type the DNS

domain name of the domain controller you want to scan.

Note: For example, if your domain controller DNSname is box.domain.company.local, you would typedomain.company.local in this field.

3. Optionally, in the Organizational Unit field, type the activedirectory organizational unit string from specific to broad,separating each string with front slashes (such as Techpubs/Engineering/Corporate).

Note: The omission of this field returns job results containingthe full contents of all the active directory organizationalunits. View the following figure for an example of how toenter data using Active Directory.

4. In the Domain controller field, type the domain controller IPaddress.

5. In the Username field, type a user name that authenticateswith the domain controller.

Note: Type the user name in one of the following format:domainname\username or username.


Uninstalling Agents

- 127 -

Method Steps

To define targets using animported file:

1. From the Scan for list, select Import file.2. Click Browse.3. Browse to the file you want to use for target discovery.

Note: The following file types are supported: .txt and .csv.

4. Click Open.



- 128 -


Note: You must include at least one target for Next to become available. You can also deletetargets from the list by selecting the applicable check boxes and clicking Remove.

Method Steps


Click Add to Scan.



Tip: Repeat this step to add additional targets to the list.

7. [Optional] Edit the Targets list.

• To remove targets from the list, select the list item(s) and click Remove.• To edit targets on the list, select the list item(s) and click Edit.

For additional information on editing, refer to Editing Targets in the Norman Enterprise SecurityUser Guide (http://www.norman.com/support/user_manuals/).

8. Click Next.

Step Result: The Options page opens.

Figure 23: Options Page




Uninstalling Agents

- 129 -

9. Select or clear the desired Scan Options.The following table defines each Scan Option.

Option Description

Verify With Ping Jobs using this option send ping requests to all networkendpoints targeted for discovery. Endpoints that respond to therequest are flagged for scanning; unresponsive endpoints areskipped. Endpoints unresponsive to Verify With Ping are notscanned by other selected discovery options.

Note: Anti-virus software and host firewalls may block VerifyWith Ping. If necessary, adjust any antivirus and firewallconfigurations to permit ping requests.

ICMP Discovery Jobs using this option request a series of echoes, information,and address masks from endpoints. Endpoint responses arethen compared to a list of known ICMP fingerprints to identifyendpoint operating systems.

Note: ICMP Discovery is ineffective on endpoints configuredto ignore ICMP requests. For best results identifying Windowsoperating systems, use this option in conjunction with WindowsVersion Discovery.

Port Scan Discovery Jobs using this option perform a limited scan on endpoint FTP,Telnet, SSH, SMTP, and HTTP ports. Based on the applicationbanners found in these ports, endpoint operating systems aregenerically identified.

Note: For best results in identifying Windows operating systems,use this option in conjunction with Windows Version Discovery.

SNMP Discovery Jobs using this option request system properties for SNMPdevices (routers, printers, and so on) from the managementinformation base. Following credential authentication, SNMPdevices are identified.

Note: Without authenticated credentials, SNMP devices ignoreSNMP Discovery requests. In this event, one of two outcomesoccur: the SNMP device is misidentified as a UNIX endpoint orthe SNMP device is not detected. Jobs with no SNMP credentialsuse the public credential by default.


- 130 -

Option Description

Windows Version Discovery Jobs using this option identify an endpoint's specific versionof Windows following generic operating system identificationduring ICMP or Port Scan Discovery.

Note: Correct operating system identification is contingentupon authenticated credentials. This option must be used inconjunction with either ICMP or Port Scan Discovery.

Resolve DNS Names Jobs using this option acquire the endpoint DNS name through alocal DNS server query. These names are displayed in job resultsfor easy endpoint identification.

Resolve MAC Addresses Jobs using this option acquire endpoint MAC addresses throughendpoint queries. These addresses are displayed in job results foreasy endpoint identification.

Note: Monitor network inventory reports to prevent MACaddress spoofing that may alter the Resolve MAC Addressesresults.

Resolve NetBIOS Names Jobs using this option acquire endpoint NetBIOS names throughWINS NetBIOS mapping. These names are displayed in jobresults for easy endpoint identification.

Note: Security-hardened networks running Windows 2003or Windows XP may require enabling of NetBIOS over TCP/IP for Resolve NetBIOS Names to acquire NetBIOS names.Additionally, firewalls protecting endpoints using Windows XPProfessional SP2 may require adjustment to permit NetBIOScommunication.

Uninstalling Agents

- 131 -

10.Click Next.

Step Result: The Credentials page opens.

Figure 24: Credentials Page

11.Define Windows credentials for the target.Type the applicable information in the following fields.

Note: When configuring an Agent Management Job, you must define valid Windows credentials.

Field Description

Username A user name that authenticates with Windows-based endpoints.Type the user name in a local format (UserName) or a domainformat (DOMAIN\UserName).

Note: When configuring Agent Management Jobs, Normanrecommends using the built-in Administrator account.




- 132 -

12.Click Next.

Step Result: The Agent Settings page opens.

Figure 25: Agent Settings Page

13.Define the Distribution options.The following table describes each list their available values.

List Description

Timeout(list)

Defines the number of minutes before the Agent ManagementJob terminates an install attempt due to a non-responsive agentinstallation or removal (0-30).

Number of retries(list)

Defines the number of attempts an agent installation or removalwill retry if the initial attempt fails (1-10).

Number of simultaneousinstalls(list)

Defines the maximum number of agents that can installed orremoved simultaneously during the job (1-25). A value of 1indicates that serial installs or removals should occur.

14.Click Finish.

Result: The Uninstall Agents Wizard closes. Depending on how you configured the job, it movesto either the Scheduled tab or Active tab on the Job Results page. The job will run at theapplicable time, uninstalling agents on the defined targets, and move to the Completed tabwhen finished.

Uninstalling Agents

- 133 -

Uninstalling the Agent on WindowsYou can uninstall Norman Enterprise Security Agent on a Windows endpoint manually using the AgentSetup Wizard.

Prerequisites:

• You have a Norman ESEC Agent installed on an endpoint containing a supported Windowsoperating system. Refer to Supported Endpoint Operating Systems on page 11 for a list of supportedoperating systems.

• Ensure you are logged on with an administrative user account.

To uninstall the agent, perform the following procedure on an endpoint with a supported Windowsoperating system.

1. Open Control Panel.

Operating System Steps

Windows XP, Windows Vista,Windows 7, or WindowsServer 2008

Select Start > Control Panel.

Windows 8 or WindowsServer 2012

1. Press the Windows Logo key.2. Type Control Panel and press ENTER.


2. Open Add or Remove Programs or Programs and Features based on your operating system.


• Windows XP• Windows Server 2003

Double-click Add or Remove Programs.

• Windows Vista• Windows 7• Windows 8• Windows Server 2008• Windows Server 2012

Click Programs and Features.


- 134 -

3. Begin the agent uninstall.


• Windows XP• Windows Server 2003

• Select NESEC Agent.• Click Remove.

• Windows Vista• Windows 7• Windows 8• Windows Server 2008• Windows Server 2012

Double-click NESEC Agent.

Tip: You can also uninstall the agent by downloading and opening the Agent Setup Wizard. Foradditional information about obtaining this wizard, refer to Downloading the Installer on page 75.

Step Result: The Agent Setup Wizard opens to the Authorization Required to Upgrade orUninstall page.

Note: The Authorization Required to Upgrade or Uninstall page does notopen when the Agent Uninstall Protection policy is set to Off for the endpoint.For additional information on agent uninstall protection, refer to Editing an AgentPolicy Set in the Norman Enterprise Security User Guide (http://www.norman.com/support/user_manuals/).If this page does not open, proceed to 5 on page 136.




Uninstalling Agents

- 135 -

4. Type the global uninstall password or the agent uninstall password for the endpoint in the Globalor agent uninstall password field and click Next.

Note: Norman does not recommend providing end users with the global uninstall passwordin uninstall scenarios. The Global uninstall password should be used by the Norman ESECAdministrator only.

Tip: Use the Norman Enterprise Security Web console to find these passwords.

• View an endpoint uninstall password from its Endpoint Details page.• View the global uninstall password from the Agent Policy Sets page by editing the Global

System Policy.

Step Result: The Previous Agent Installation Detected page opens.

Figure 26: Previous Agent Installation Detected Page


- 136 -

5. Select the Uninstall the agent option and click Uninstall.

Step Result: The uninstall begins. Upon completion the Uninstall Complete page opens.

Note: If the Microsoft Visual C++ 2010 Redistributable package or later was installedduring agent install, it is not removed during agent uninstall.

Figure 27: Uninstall Complete Page

Tip: Click Open setup log to open lmuninstall.log in your text editor.

6. Complete the uninstall.

• If no further steps are needed, click Close.• If you are prompted to reboot your endpoint, click Restart Now.

Result: The agent is uninstalled.

Tip: If desired, you may reinstall the agent. Refer to Understanding Agent Installation Methods onpage 25 for additional information.

Agent Uninstall on Mac, Linux, or UNIXTo uninstall the Norman Enterprise Security Agent on a Mac, Linux, or UNIX platform you can utilize acommand line.You may uninstall the Norman Enterprise Security (Norman ESEC) Agent on an endpoint that containsa Mac, Linux, or UNIX operating system. Refer to Uninstalling the Agent for Mac, Linux, or UNIX on page137.

Uninstalling Agents

- 137 -

Uninstalling the Agent for Mac, Linux, or UNIXUninstall of Mac, Linux, or UNIX agents can only be completed by command line.

Prerequisites:

• You have a Norman ESEC Agent installed on an your endpoint that contains either a Mac, Linux,or UNIX operating system. Refer to Supported Endpoint Operating Systems on page 11 for a list ofsupported operating systems.

• Ensure you are logged on to the endpoint using a root user account.

To uninstall the agent, perform the following procedure on an endpoint with a Mac, Linux, or UNIXoperating system.

1. Open Terminal.

Note: How you open Terminal varies by operating system.

Step Result: Terminal opens.

2. Change directory to the agent installation directory. The following table lists the default installationdirectory for various operating systems.

Operating System Command

Mac /private/var/patchagent

Linux /usr/local/patchagent

UNIX /export/home/patchagent

Note: If you installed the agent to a directory other than the default directory, navigate to thatdirectory.

3. Type ./uninstall at the command prompt and press ENTER.

Step Result: The agent is uninstalled.

4. Change directory to the parent directory of the installation directory. Type the command for youroperating system below and press ENTER.


Mac cd /private/var/

Linux cd /usr/local/


- 138 -


UNIX cd /export/home/

Note: If you installed the agent to a directory other than the default directory, navigate to theparent directory of the agent installation directory.

5. Type rm –rf patchagent and press ENTER.

Result: The agent installation directory is deleted.

Tip: If desired, you may reinstall the agent using the Command Line method. Refer toUnderstanding Agent Installation Methods on page 25 for additional information.

agent install guidedownload01.norman.no/enterprise_security_suite/docs/8.2/... · 2015. 3. 15. ·...

Documents