Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, Con
Trang 1Endpoint Security
January 16, 2008
Installation Guide
Version NGX 7.0 GA
Trang 2© 2008 Check Point Software Technologies Ltd.
All rights reserved This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions This publication and features described herein are subject to change without notice.
©2003–2008 Check Point Software Technologies Ltd All rights reserved Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge,
SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security
Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd or its affiliates ZoneAlarm
is a Check Point Software Technologies, Inc Company All other product names mentioned herein are trademarks or registered trademarks of their respective owners The products described in this document are protected by U.S Patent No 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S Patents, foreign patents, or pending applications.
Trang 4Preface
About this Guide 7
Available Formats .7
Obtaining the Correct Version .7
Obtaining New Issues of this Guide .7
About the Endpoint Security Documentation Set 8
Documentation for Administrators .8
Documentation for Endpoint Users .8
Feedback 10
Chapter 1 Endpoint Security Overview Endpoint Security System Components 12
System Requirements .12
Architecture 12
Endpoint Security Communications 14
The Endpoint Security Sync 14
Other Endpoint Security Communications .14
Endpoint Security Services .15
Chapter 2 Installation Overview Master Installer 18
Supported Installations 18
Upgrading and Migration 19
Gateway Integration 20
Chapter 3 Upgrading and Migration Introduction to Upgrading 21
Supported Upgrades .21
Migration 22
Upgrade Workflow 22
Backing Up Data 23
SPLAT Upgrade Instructions 23
Clustered Upgrade Instructions 24
Chapter 4 Installing on a Dedicated Host Windows 26
Linux 27
Check Point SecurePlatform (Command Line Version) 28
Check Point SecurePlatform (GUI Version) 30
Trang 5Chapter 5 Installing with SmartCenter on the Same Host
Windows 33
Linux 35
Check Point SecurePlatform (Command line Version) 36
Check Point SecurePlatform (GUI Version) 38
Installing Endpoint Security with an Existing SmartCenter 40
Connecting Endpoint Security and SmartCenter 40
Chapter 6 Installing with SmartCenter on Separate Hosts Workflow 43
Installing SmartCenter in a Distributed Installation 44
Windows 44
Linux 45
Check Point SecurePlatform (Command Line Version) .46
Check Point SecurePlatform (GUI Version) .47
Connecting Endpoint Security and SmartCenter 49
Chapter 7 Installing Endpoint Security and Provider-1 Provider-1 Overview 51
Workflow 52
Installing Endpoint Security on the Same Host as Provider-1 53
Connecting Endpoint Security and Provider-1 54
Chapter 8 Endpoint Security Installation Wizard Reference Completing the Endpoint Security Installation Wizard 56
Completing the Installation 57
Chapter 9 Check Point Configuration Tool Starting the Configuration Tool 59
Configuration Tool Options 60
Chapter 10 Remote Logging Connecting the Log Server and SmartCenter 63
Connecting the Log Server and Endpoint Security 64
Chapter 11 High Availability Overview of High Availability 65
Architecture 66
Configuring High Availability 67
Forcing Replication 68
Changing an Active Server to a Standby Server 69
Changing a Standby Server to an Active Server 69
Trang 6In This Preface
About the Endpoint Security Documentation Set page 8
Trang 7Endpoint Security Installation Guide 7
About this Guide
The Endpoint Security Installation Guide provides detailed instructions for installing, configuring, and maintaining Endpoint Security This document is intended for global administrators Please make sure you have the most up-to-date version available for the version of Endpoint Security that you are using
Before using this document to install Endpoint Security, you should read and understand the information in the Endpoint Security Implementation Guide in order to familiarize yourself with the basic features and principles
Available Formats
This guide is available as a PDF This document is available from the Check Point CD Updated editions of the document may be available on the Check Point Website after the release of Endpoint Security The version of this document on the Check Point Website may be more up-to-date than the version on the CD
Obtaining the Correct Version
Make sure that this document has the Version Number that corresponds to the version
of your Endpoint Security The Version Number is printed on the cover page of this document
Obtaining New Issues of this Guide
New issues of this guide are occasionally available in PDF format from the Check Point Website When using the PDF version of this document, make sure you have the most up-to-date issue available The issue date is on the cover page of this document
When obtaining updated PDF editions from the Check Point Website, make sure they are for the same server version as your Endpoint Security Do not attempt to administer Endpoint Security using documentation that is for another version
When obtaining the most up-to-date issue of the documentation, make sure that you are obtaining the issue that is for the appropriate server
Trang 8About the Endpoint Security Documentation Set
A comprehensive set of documentation is available for Endpoint Security, including the documentation for the Endpoint Security clients This includes:
“Documentation for Administrators,” on page 8
“Documentation for Endpoint Users,” on page 8
Documentation for Administrators
The following documentation is intended for use by Endpoint Security administrators
Documentation for Endpoint Users
Although this documentation is written for endpoint users, Administrators should be familiar with it to help them to understand the Endpoint Security clients and how the policies they create impact the user experience
Table 1-1: Server Documentation for Administrators
Endpoint Security Administrator Guide
Provides background and task-oriented information about using Endpoint Security It is available in both a Multi and Single Domain version
Endpoint Security Administrator Online Help
Contains descriptions of user interface elements for each Endpoint Security Administrator Console page, with cross-references to the associated tasks in the Endpoint Security Administrator Guide
Endpoint Security System Requirements
Contains information on client and server requirements and supported third party devices and applications
Endpoint Security Gateway Integration Guide
Contains information on integrating your gateway device with Endpoint Security
Endpoint Security Client Management Guide
Contains detailed information on the use of third party distribution methods and command line parameters
Endpoint Security Agent for Linux Installation and Configuration Guide
Contains information on how to install and configure Endpoint Security Agent for Linux
Trang 9Endpoint Security Installation Guide 9
Table 1-2: Client documentation for endpoint users
Agent
Provides basic information to familiarize new users with Endpoint Security Agent This document is intended to be customized by an Administrator before distribution See the Endpoint Security Implementation Guide for more information
Trang 10Check Point is engaged in a continuous effort to improve its documentation Please help us by sending your comments to:
cp_techpub_feedback@checkpoint.com
Trang 111 Endpoint Security Overview
In This Chapter
Endpoint Security System Components page 12
Endpoint Security Communications page 14
Trang 12Endpoint Security System Components
This section provides an overview of the Endpoint Security system components
Figure 1-1: Typical Endpoint Security Configuration
A typical Endpoint Security configuration includes the following components:
Endpoint Security Server-Allows you to centrally configure your Endpoint Security
enterprise policies
Trang 13Endpoint Security Installation Guide Integrity Advanced Server Installation Guide 13
Endpoint Security Clients-Monitor your endpoints and enforce your security
policies These clients are installed on your endpoint computers There are two types of Endpoint Security clients that work with Endpoint Security server:
Flex-has a full user interface that allows the user to control security settings
under some conditions
Agent-Has a limited interface and does not allow the user to control his or her
security settings
Apache HTTP Server-Provides secure HTTPS communication between the
Endpoint Security server and Endpoint Security clients It also provides secure communication with the Endpoint Security server for Administrators logging onto the Endpoint Security Administrator Console The Apache HTTP server also improves performance by serving your security data to Endpoint Security clients using a high speed cache
Administrator Workstation-Administrators can use a workstation to access Endpoint
Security through the Endpoint Security Administrator Console, a Web-based Graphical User Interface that allows Administrators to create security policies, view reports, and perform other administrative tasks
Other Check Point Components-When you install the Endpoint Security server, you
are also automatically installing some Check Point SmartCenter components to create an integrated security solution These components are installed in the background even if you choose an ‘Endpoint Security only’ installation Integration points include:
Endpoint Security also integrates with a variety of gateways, such as VPN or wireless devices, to provide client enforcement capabilities at the gateway level for more information about these sorts of configurations, see the Endpoint Security Administrator Guide and the chapter of the Endpoint Security Gateway Integration Guide appropriate to your gateway device The Endpoint Security System
Requirements document lists all supported gateways These documents are available on the Check Point Web site
Trang 14Endpoint Security Communications
This section explains the internal and external communication protocols and ports used by the Endpoint Security system
When an Endpoint Security client is initialized it performs a sync with the Endpoint Security This allows the Endpoint Security client to get the security policy that is assigned to it Other communications take place either by the request of administrators
or as determined by your security policies
The Endpoint Security Sync
1 The Endpoint Security client requests the policy location from the Endpoint
Security server
2 The server returns a sync response to the Endpoint Security client with the location
of the policy
3 The client then downloads the policy assigned to it This is done over HTTP on port
80 The policy is encrypted before it is sent The Web server transmits the request
to the Endpoint Security server over an internal channel of communication, using AJP13 on ports 8009 and 8010 The policy contains both your security policy information as well as the location of the remediation sandbox and log upload server
Once the Endpoint Security client receives the policy, it immediately enforces it
Other Endpoint Security Communications
Once the sync has been established between the Endpoint Security server and the Endpoint Security client, the following types of communication may occur, depending
on circumstances and the security policy you configure
Heartbeats-Once the sync request has completed successfully, a heartbeat
regularly occurs according to the interval specified by the Administrator
Heartbeats occur over UDP on port 6054 Heartbeats contain various pieces of information concerning the status and compliance state of the endpoint computer This information is stored in the Endpoint Security datastore and is used for the Endpoint Monitor report
Remediation Requests-The Endpoint Security client may request remediation
resources from the Endpoint Security sandbox
For example, if the client is out of compliance with the policy’s enforcement rules, the policy might specify that the client should restrict the endpoint computer’s access to your network and attempt to download a remediation file from the sandbox remediation area The initial Endpoint Security client connection to the sandbox is done over HTTPS on port 2100, while the download is done on port 80 because the Endpoint Security client verifies the sandbox files after download by checking the MD5 hash
Trang 15Endpoint Security Installation Guide Integrity Advanced Server Installation Guide 15
Program Permission Requests-Depending on your policy settings, as programs are
run on the endpoint computer, Endpoint Security clients may request program permission information from the Endpoint Security server These real-time, encrypted requests are performed over HTTP on port 80
Log Upload-Periodically, the Endpoint Security client uploads logs to the Endpoint
Security server These logs are stored in SmartCenter’s log data files using the ELA API You can configure the frequency of the log upload using the Endpoint Security Administrator console
Administrator Workstation Access-Administrators can use a workstation to access
the Endpoint Security Administrator console to make changes to configure security policies, view reports and perform other administration tasks The administrator workstation contacts the Endpoint Security via HTTPS on port 443 Some reports are viewed on SmartPortal via HTTPS on port 4433 by drilling down in the Endpoint Security Administrator console
Endpoint Security Services
Endpoint Security operations are implemented by separate Endpoint Security services.The services are divided into two types:
Client services allow an Endpoint Security client to get policies and configuration
information, and to communicate session state information
Administration services allow administrators to create groups and users; manage
policies; manage system configuration; and perform other administrative tasks
Ports and Protocols
The Endpoint Security server uses the ports and protocols listed below to communicate with Endpoint Security clients Make sure all these ports and protocols are available on the Endpoint Security server:
“Endpoint Security services and ports,” on page 16 represents the services that make
up Endpoint Security and shows which ports the services use
Trang 16Service Details
The table below lists the individual services that make up Endpoint Security The configuration name is the parameter name of the service in the Endpoint Security server and Apache HTTPS server configuration files The URL is the service location information embedded in the request from the Endpoint Security client that allows the Apache HTTPS server to proxy requests
Figure 1-2: Endpoint Security services and ports
Trang 17Endpoint Security Installation Guide Integrity Advanced Server Installation Guide 17
Table 1-1: Description of Endpoint Security Services
Service name Configuration Name URL Description
Connection
Manager
service.enable.connectionManager
/cm/* Sychronizes with the server
The Connection Manager service allows the endpoint to establish a session, verify endpoint state information, and get information needed
to download the current policy and configuration It can also end a previously synchronized session with the endpoint this service also sends heartbeats to communicate policy or state changes
Policy
download
service.enable.policy
/policy/* Policy download service
Log upload service.enable.logU
pload
/logupload/* Provides the mechanism endpoint computers
use to upload client log files
Program
permission
service.enable.logUpload
/ask/* Provides the mechanism endpoint computers
use to upload client log files
Sandbox server service.enable.sand
Box
/sandbox/* Serves remediation Web pages to
non-compliant, authenticated endpoint users.Package
Manager
service.enable.package
/package/* Serves the client installer packages that install
an Endpoint Security client on an endpoint computer
Administrator
Console
service.enable.adminConsole
/ Serves the user interface that allows
administrators to manage the Endpoint Security
Trang 18Chapter 2 Installation Overview
In This Chapter
You can install the Endpoint Security server as a standalone product or with other Check Point products, such as SmartCenter or VPN-1 Use this guide to perform these installations This guide provides the workflows you need to perform installations with other Check Point products and the details of the Endpoint Security server installation steps For details of general installation steps for other Check Point products, see the appropriate Check Point documentation
Master Installer
For all installation options, you use a master installer that lets you select which products to install Note that all Endpoint Security installations (standalone or integrated) include Check Point SmartPortal, which provides some of Endpoint Security’s reporting functionality If you choose standalone mode, the installer also silently installs some necessary components of Check Point SmartCenter, which remain invisible
Supported Installations
This guide explains how to install Endpoint Security in the following supported
configurations:
NT Domain catalogs are not available in SPLAT installations If you plan on using NT Domain catalogs, you must install on Windows or Linux
Trang 19Endpoint Security Installation Guide 19
Endpoint Security alone
You can install just Endpoint Security and the necessary supporting components (Endpoint Security installations always include Check Point SmartPortal and some Check Point SmartCenter components.)
To install Endpoint Security alone, follow the instructions for installing Endpoint Security on its own host See “Installing on a Dedicated Host,” on page 25
Endpoint Security with other Check Point products
You can install Endpoint Security with the following Check Point products:
SmartCenter
The SmartCenter components that come with Endpoint Security are invisible
If you want to have the full range of SmartCenter functionality, you can choose
to install SmartCenter in one of the following configurations:
Same Host
You can install Endpoint Security on the same host as SmartCenter You can install Endpoint Security either at the same time as you install SmartCenter, or you can install it on a server with an existing SmartCenter installation See “Installing with SmartCenter on the Same Host,” on page
32
Distributed
You can install Endpoint Security and SmartCenter on different servers and then configure them to communicate See“Installing with SmartCenter on Separate Hosts,” on page 42
Provider-1
You can install Endpoint Security with Provider-1 in the following configurations:
Same Host
You can install Endpoint Security with Provider-1 on the same server See
“Installing Endpoint Security and Provider-1,” on page 50
Distributed
You can install Endpoint Security and Provider-1 on different servers and then configure them to connect See “Installing Endpoint Security and Provider-1,” on page 50
Upgrading and Migration
For information about changing from an earlier version of Endpoint Security to this one, see “Upgrading and Migration,” on page 21
Trang 20Gateway Integration
This guide does not include information about configuring Endpoint Security to work with gateways, including Check Point gateways Gateway integration and Cooperative Enforcement is achieved through post-installation steps described in the Endpoint Security Administrator Guide and the Endpoint Security Gateway Integration Guide
Trang 213 Upgrading and Migration
Endpoint Security supports upgrading from previous installations which:
Are version 6.5 or higher
For versions prior to 6.0, see “Migration,” on page 22
Use only the embedded database
You cannot upgrade if you are using a third-party database
Use Windows, Linux or the SPLAT command line interface
Upgrading using the SPLAT GUI is not supported
Clustered Upgrade Instructions page 24
Trang 22Migration
If you are using a version of Endpoint Security prior to 6.0 you cannot upgrade directly
to this version
To Migrate data from a pre-6.0 version:
1 Back up your data.
See “Backing Up Data,” on page 23
2 Migrate your data to the 6.5 version of Endpoint Security.
For instructions, see the 6.5 version of the Endpoint Security Installation Guide
3 Upgrade from version 6.5 to this version.
See “Upgrade Workflow,” on page 22
Upgrade Workflow
Use the following instructions to upgrade from a 6.x version of Endpoint Security to this one
To upgrade:
1 Back up your data.
It is highly recommended that you back up your information before upgrading See
“Backing Up Data,” on page 23
2 Perform your installation.
Perform your installation according to the instructions for your installation option See “Installation Overview,” on page 18 When the Endpoint Security Installation
Wizard runs it will detect the previous version Choose the Upgrade option
If you are upgrading a SPLAT installation, incorporate the steps in the “SPLAT Upgrade Instructions,” on page 23
This version of Endpoint Security does not support client packages from previous installations All the client packages from your previous installation will be deleted You will need to create new client packages in your new installation
When you choose the upgrade option in the Endpoint Security Installation Wizard, the Wizard will skip many of the other installation screens This is because it will install the Endpoint Security using the same location, domain option, host information, and password, as the previous version
Trang 23Endpoint Security Installation Guide 23
If you are upgrading from a clustered environment, incorporate the steps in
“Clustered Upgrade Instructions,” on page 24
3 Complete your installation.
Complete your installation by logging in and setting your password See “Completing the Installation,” on page 57
4 Redeploy client packages
Since upgrading deletes all your previous installation’s client packages, you will need to recreate these Redeploy your clients to update your endpoint computers to the new version You may want to use a client enforcement rule with automatic remediation to more easily upgrade your endpoint computers For more information about client enforcement rules, see the Administrator guide
Backing Up Data
Before you upgrade or migrate, it is recommended that you back up your data These are the instructions for backing up data for previous versions of Endpoint Security For information about backing up data for this version of Endpoint Security, see the Endpoint Security Administrator Guide
To back up data from a previous installation
1 Make a copy of the entire home directory and save it to a safe location.
The default locations are:
C:\Program Files\Zone Labs\Integrity for migrating from 5.x versions
C:\Program Files\CheckPoint\Integrity for upgrading from 6.x and later versions
C:\Program Files\CheckPoint\EndpointSecurityServer for upgrading from 7.0 and
later installations
SPLAT Upgrade Instructions
Use these instructions if you are upgrading your Endpoint Security server on SPLAT You can only upgrade using the command line interface
For best results, use the version of the client included with your server, unless otherwise instructed by your Check Point representative This will ensure that the server settings are supported by the client
5.x clients are not supported
Using newer clients with older servers is not supported
Trang 24To upgrade on SPLAT:
1 Log into the SPLAT command line interface
2 Log in with expert privilege using the “expert” command and appropriate
password
3 Place the upgrade files on the SPLAT server.
Depending on your situation, you can do this by inserting the CD, by loading the iso image, or by copying the bin file
4 Copy the upgrade file, <filename.bin>, to a local directory on the SPLAT server
5 Navigate to the local directory used in the previous step and ensure the file
permissions on the upgrade file allow execution
6 Being the installation process by executing the ./<filename.bin> command
7 Follow the prompts throughout the upgrade to agree to licensing and upgrade your
Endpoint Security server
Clustered Upgrade Instructions
Use these instructions if you are upgrading from a clustered environment
To upgrade a clustered environment:
1 Take on of your clustered Endpoint Security servers offline.
Be sure that the remaining are able to handle the client load without this server If they cannot, you may need to temporarily add another server to the cluster before taking this one offline
2 Install the new Endpoint Security server on the offline server.
When installing, choose the Upgrade option from the installation wizard.
3 Start and configure your new Endpoint Security server.
4 Redeploy your client packages.
5 Shut down the remaining clustered Endpoint Security servers.
Once you are sure that all your endpoint computers are using the new server, you may shut down the remaining clustered Endpoint Security servers
If you want to mirror the Endpoint Security server to provide High Availability, you can install one or more Standby Servers on those servers See the High Availability White Paper for more information
Trang 254 Installing on a Dedicated Host
In This Chapter
This chapter explains how to install Endpoint Security on a dedicated server These
instructions apply to Endpoint Security standalone installations as well as to the Endpoint Security portion of distributed installations (in which Endpoint Security and either
SmartCenter or Provider-1 are installed on separate hosts) Follow the instructions
appropriate for your operating system Where necessary, the instructions refer you to more detailed explanations in subsequent sections
The Endpoint Security installer is contained in a master installer that includes options for installing other Check Point products with which you can integrate Endpoint Security When installing Endpoint Security without any other Check Point products, ignore the options for installing other products Note, however, that Endpoint Security installations always include Check Point SmartPortal, which provides some of Endpoint Security’s reporting functionality The installer also silently installs some necessary Check Point SmartCenter components
If you are installing Endpoint Security in standalone mode, the log server is installed on the same host as the Endpoint Security server If you prefer to install the log server on a remote host, see “Remote Logging,” on page 62
Check Point SecurePlatform (Command Line Version) page 28
Check Point SecurePlatform (GUI Version) page 30
Trang 26To install Endpoint Security on Windows:
1 On the intended host server, double-click the setup.exe file.
The Check Point master installer begins
2 Click Next.
3 Accept the license agreement and click Next.
4 Choose Check Point UTM and click Next.
5 Choose New Installation and click Next.
6 Choose Endpoint Security, making sure to deselect any other default selections
Click Next.
7 Do one of the following:
If you are installing Endpoint Security in standalone mode, choose Endpoint
Security Standalone and click Next.
If you are installing Endpoint Security as part of a distributed installation (in
which SmartCenter or Provider-1 runs on another host), chooseEndpoint
Security with Remote SmartCenter and click Next.
8 Click Next to start the installation.
An Installation Status bar appears, displaying the chosen installation package The master installer then starts the Endpoint Security installer (It may take a few minutes to start.)
9 Work through the Endpoint Security installation wizard
For information on completing the wizard, see “Endpoint Security Installation Wizard Reference,” on page 55
When the Endpoint Security installer completes, the Check Point Configuration Tool launches
10 Perform basic configuration steps with the Check Point configuration program
For details, see “Check Point Configuration Tool,” on page 58 (If you are planning
to set up a distributed installation with either SmartCenter or Provider-1, be sure to create and make note of the activation key You will use this later when
establishing communication between Endpoint Security and SmartCenter or Provider-1.)
11 Click Finish to close the master installer Then restart the computer.
Trang 27Endpoint Security Installation Guide 27
Linux
To install Endpoint Security on Linux:
1 On the intended host server, go to the installer directory and issue the following
command:
./UnixInstallScriptThe Check Point master installer starts to run
2 Read the master installer welcome screen and type N.
3 Read the license agreement and type Y to accept.
4 Select Check Point UTM and type N.
For more information about Check Point Enterprise and Check Point Pro, see the Check Point documentation set
5 Select the appropriate option (New Installation or Installation Using Imported Configuration) and type N.
6 When the product menu appears, choose Endpoint Security by typing the
corresponding number Then type N to continue.
7 When prompted to specify the Endpoint Security configuration type, do one of the
following:
If you are installing Endpoint Security in standalone mode, choose Endpoint
SecurityOnly (by typing the corresponding number) and type N.
If you are installing Endpoint Security as part of a distributed installation (in
which SmartCenter or Provider-1 runs on another host), choose Endpoint
Security with Remote SmartCenter (by typing the corresponding number) and
type N.
8 When the Validation screen appears, verify the installation settings and type N.
The Endpoint Security installation wizard begins
9 Work through the Endpoint Security installation wizard.
For information on completing the wizard, see “Endpoint Security Installation Wizard Reference,” on page 55
When the Endpoint Security installer completes, the Check Point Configuration Tool launches automatically
10 Perform basic configuration steps with the Check Point Configuration Tool.
For details, see “Check Point Configuration Tool,” on page 58 (If you are planning
to set up a distributed installation with either SmartCenter or Provider-1, be sure to create and make note of the activation key You will use this later when
establishing communication between Endpoint Security and SmartCenter or Provider-1.)
11 Type E to exit the master installer.
Trang 28Check Point SecurePlatform (Command Line Version)
When installing Endpoint Security on SecurePlatform, install the version of SecurePlatform that corresponds to the Endpoint Security version you plan to install The appropriate SecurePlatform version is included on the installation CD
To install Endpoint Security on SecurePlatform:
1 Insert the CD and reboot from the CD to start the installer.
The installer begins by guiding you through the installation of the SecurePlatform operating system
2 Complete the installation wizard for the SecurePlatform operating system.
For details on installing SecurePlatform, see the SecurePlatform and SecurePlatform Pro User Guide
3 Run the cpconfig command to start the installer.
4 Read the master installer welcome screen and type N (for Next).
5 Read the license agreement and type Y to accept.
6 Choose Check Point Power or Check Point UTM and click N.
7 Select the appropriate option (New Installation or Installation Using Imported Configuration) and type N.
8 When prompted to specify the Endpoint Security configuration type, do one of the
following:
If you are installing Endpoint Security in standalone mode, choose Endpoint
Security Only (by typing the corresponding number) and type N.
If you are installing Endpoint Security as part of a distributed installation (in
which SmartCenter or Provider-1 runs on another host), choose Endpoint
Security with Remote SmartCenter (by typing the corresponding number) and
type N.
9 When the Validation screen appears, verify the installation settings and type N.
The Endpoint Security installation wizard begins
10 Work through the Endpoint Security installation wizard
For information on completing the wizard, see “Endpoint Security Installation Wizard Reference,” on page 55
When the Endpoint Security installer completes, the Check Point Configuration Tool launches automatically
11 Perform basic configuration steps with the Check Point Configuration Tool.
For details, see “Check Point Configuration Tool,” on page 58 (If you are planning
to set up a distributed installation with either SmartCenter or Provider-1, be sure to
Trang 29Endpoint Security Installation Guide 29
create and make note of the activation key You will use this later when establishing communication between Endpoint Security and SmartCenter or Provider-1.)
12 Type E to exit the master installer.
13 Press Enter, log out by exiting the master installer (by typing exit and pressing Enter, and then repeating), and then log in again to complete the installation
You can now start the installed product by running cpstart.
Trang 30Check Point SecurePlatform (GUI Version)
When installing Endpoint Security on SecurePlatform, install the version of SecurePlatform that corresponds to the Endpoint Security version you plan to install The appropriate SecurePlatform version is included on the installation CD
To install Endpoint Security on SecurePlatform:
1 Insert the CD and reboot from the CD to start the installer.
The installer begins by guiding you through the installation of the SecurePlatform operating system
2 Complete the installation wizard for the SecurePlatform operating system For
details on installing SecurePlatform, see the SecurePlatform and SecurePlatform Pro User Guide
3 Using Internet Explorer, navigate to https://<SPLAT IP>:<Port number>.
Use the port number you specified during the installation of SecurePlatform If you are prompted to allow popups, allow them always for this site The welcome page appears
4 Click Next to continue In the subsequent pages you will have the opportunity to
configure the following:
Network Connections
Routing Tables
DNS Servers
Host and Domain Name
Device Date and Time
Web/SSH ClientsYou may configure any of these you wish, or skip them, depending on your
installation needs Use the Next button to proceed through the pages until you reach the Installation Options page.
5 Choose Check Point Power or Check Point UTM and click Next.
6 Select Endpoint Security and SmartPortal and click Next.
7 Do one of the following:
If you are installing Endpoint Security in standalone mode, select Endpoint
Security Only and click Next.
If you are installing Endpoint Security as part of a distributed installation (in
which SmartCenter or Provider-1 runs on another host), select Integrity with
Remote SmartCenter and click Next.
Trang 31Endpoint Security Installation Guide 31
8 Select New Installation and click Next.
9 Proceed through the installation wizard, entering the following information for your
installation:
Endpoint Security server type
Endpoint Security server information
Domain options
Master Administrator Password
Use the Next button to proceed through the wizard pages For more information
about these options, see“Completing the Endpoint Security Installation Wizard,”
on page 56
10 The Smart Center configuration begins
Use the Next button to proceed through the configuration pages, entering your
information For more information about these options, see “Check Point Configuration Tool,” on page 58
11 Click Finish to finish the installation.
12 Confirm the installation When the installation and configuration process finishes,
reboot your computer
Trang 32Chapter 5 Installing with SmartCenter on the
Follow the instructions appropriate for your operating system
If you are installing Endpoint Security on a server with an existing SmartCenter see:
“Installing Endpoint Security with an Existing SmartCenter,” on page 40
Check Point SecurePlatform (Command line Version) page 36
Check Point SecurePlatform (GUI Version) page 38
Installing Endpoint Security with an Existing SmartCenter page 40
Trang 33Endpoint Security Installation Guide 33
Windows
To install Endpoint Security and SmartCenter on Windows:
1 On the intended host server, double-click the setup.exe file.
The Check Point master installer begins
2 Click Next.
3 Accept the license agreement and click Next.
4 Choose Check Point UTM and click Next.
5 Choose New Installation, or Installation Using Imported Configuration, as
appropriate, and click Next
The Imported Configuration option does not apply to Endpoint Security It applies only to other Check Point products
6 Choose SmartCenter and Endpoint Security, making sure to deselect any other
default selections
It is recommended that you install SmartConsole (Check Point’s administration
application) on a separate host If, however, you wish to administer the installation
from the current host, select SmartConsole as well Click Next.
7 Choose Primary SmartCenter and click Next.
8 Click Next to start the installation.
The Installation Status bar appears, displaying the chosen installation packages and highlighting the one that is currently active The master installer automatically launches the installers for the selected products, beginning with the SmartCenter installer
9 Specify the installation directory or accept the default, and click Next.
The installer begins It may take a couple minutes
10 When the SmartCenter installer completes, click OK.
The installer performs configuration in the background for up to five minutes Do not interrupt the configuration, even if it appears as if nothing is happening When the configuration is complete, the master installer launches the next package
If you chose not to install SmartConsole on the current host, the master
installer launches the Endpoint Security installer Go to step 11
If you chose to install SmartConsole on the current host, the master installer launches the SmartConsole installer Perform the following steps:
a Specify the installation directory or accept the default, and click Next.
b Select the UI client applications to install or accept the defaults, and click Next.
c When prompted to create desktop shortcuts, click Yes or No, as desired.
Trang 34d When prompted to confirm the successful installation, click OK and then click Finish.
The master installer launches the Endpoint Security installer It may take a couple minutes
11 Work through the Endpoint Security installation wizard.
For information on completing the wizard, see “Endpoint Security Installation Wizard Reference,” on page 55
When the Endpoint Security installer completes, the master installer launches the SmartPortal installer, which runs silently and requires no administrator input When the SmartPortal installer completes, the Check Point Configuration Tool launches automatically
12 Perform basic configuration steps with the Check Point Configuration Tool.
For details, see “Check Point Configuration Tool,” on page 58
13 Click Finish to close the master installer Then restart the computer.
Trang 35Endpoint Security Installation Guide 35
Linux
To install Endpoint Security and SmartCenter on Linux:
1 Log in to the host server with an account that has root privileges.
2 Go to the installer directory and issue the following command:
./UnixInstallScriptThe Check Point master installer starts to run
3 Read the master installer welcome screen and type N (for Next).
4 Read the license agreement and type Y to accept.
5 Select Check Point UTM and type N.
6 Select the appropriate option (New Installation or Installation Using Imported Configuration) and type N.
7 When the product menu appears, choose SmartCenter and Endpoint Security by
typing the corresponding numbers Then type N to continue.
SmartConsole does not run on Linux To use SmartConsole with a SmartCenter installation on Linux, you must install SmartConsole on another host
8 Select Primary SmartCenter and type N.
9 When the Validation screen appears, verify the installation settings and type N.
The SmartCenter installer runs, requiring no user input When the SmartCenter installer completes, the master installer prompts you to continue
10 Press Enter to continue.
The Endpoint Security installer begins
11 Work through the Endpoint Security installation wizard.
For information on completing the wizard, see “Endpoint Security Installation Wizard Reference,” on page 55
When the Endpoint Security installer completes, the Check Point configuration program launches automatically
12 Perform basic configuration steps with the Check Point configuration program.
For details, see “Check Point Configuration Tool,” on page 58
13 Type E to exit the master installer.