How To Use The Logon Collector On A Pc Or Macafeeo.Com (Windows) On A Network (Windows 7) On Your Pc Or Ipad (Windows 8) On An Uniden Computer (Windows Xp) On The Mac

Transcription

1 Administration Guide Revision B McAfee Logon Collector 3.0

2 COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, , TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, epolicy Orchestrator, McAfee epo, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Logon Collector 3.0 Administration Guide

3 Contents 1 Introduction to McAfee Logon Collector 7 Important terminologies Domain controllers and logon collection Deployment Ports used by Logon Collector Viewing online help Installation 11 Key considerations for installation Prerequisites Planning for installation System requirements DNS resolution requirements Install Logon Collector Download the software Install the software on Windows Server Uninstall the software Uninstall Microsoft SQL Server 2008 Express Edition Access the Logon Collector web interface Install Logon Monitor Install a Logon Monitor Uninstall Logon Monitor Upgrade 21 Key considerations for an upgrade Upgrade the software from 2.2 to 3.0 using the installer Verify the upgrade Identities collection 23 About identities collection Manage monitored domains Add a domain to monitor View monitored domain details Add Logon Monitor Edit username and password Managing exchange servers Manage Query Order Remove a monitored domain Server settings 33 About server settings Active Directory User login Server Identity replication certificate Local Logon Monitor settings McAfee Logon Collector 3.0 Administration Guide 3

4 Contents MLC Advanced Settings MLC Group / IP Ignore List MLC Group Filter Configuring the IP address for Logon Collector server client communication MLC User Login Timeout Printing and exporting Server certificate About Personal Settings Logon Monitor configuration Configuration tab Remote tab Use MMC to manage Logon Monitor certificates Use NTLMv2 with Logon Monitors High Availability (Clustering) 49 Overview Configuration basics Prerequisites for High Availability High Availability setup Configure High Availability in Public Key Infrastructure (PKI) setup Check the status of cluster formation Configuration data replication Logon events replication Limitations Disable a cluster Reconfigure a cluster On-demand group and user refresh 61 MFS Scheduler On-demand group refresh Options of group refresh On-demand user refresh Options of user refresh Server s Log User management 75 Manage users Add or modify a user Delete a user Manage permission sets Create permission sets Delete permission sets Duplicate permission sets Manage contacts Add or modify a contact Delete a contact Reporting 79 About the Status page View who is logged on Export report of who is logged on View the audit log Export the audit log Manage audit log queries Create a query group Delete a query group McAfee Logon Collector 3.0 Administration Guide

5 Contents Edit a query group Create audit log queries Import audit log queries Query actions Define filter criteria Define export criteria View dashboards Integration with other McAfee products 89 Integration with McAfee Next Generation Firewall Integration requirements for McAfee Next Generation Firewall Integration with McAfee Firewall Enterprise Integration requirements Passive identity validation Configure Passive Passport Integration with McAfee Firewall Enterprise Control Center Integration requirements Integration with McAfee Network Security Manager Benefits User groups for Sensor Important terms Integration requirements How Logon Collector - McAfee Network Security Manager integration works Configuration details for Logon Collector integration Display of Logon Collector details in the Threat Analyzer Display of Logon Collector details in Network Security Manager reports Integration with McAfee Data Loss Prevention Integration requirements Using Active Directory User elements Using McAfee DLP on remote LDAP servers How Logon Collector is used with McAfee DLP How Logon Collector enables user identification Setting up Logon Collector Authenticating McAfee DLP Manager and Logon Collector Scalability 101 Scalability details Troubleshooting 103 Verify the domain credentials Connect to a domain controller Run a CPU performance query Run a back log query Run a forward log notification query Create a non-administrator account to access the security event log on a domain controller Create an account on Windows Server 2003 and Create an account on Windows Server Create an account on Windows 2000 server Additional resources Logon Monitor logs Internal messages Messages generated due to Logon Collector communication Messages generated due to Logon Monitor communication Common Domain Controller errors Logon Collector logs Logon Collector Active Directory communication errors log records McAfee Logon Collector 3.0 Administration Guide 5

6 Contents Troubleshooting DNS problems Troubleshooting NSLookup failure Error uninstalling SQL database instance for Logon Collector Configure Database Settings page to connect to the SQL server Ports used by Logon Collector High memory usage of lsass.exe Saved group filter configuration Index McAfee Logon Collector 3.0 Administration Guide

7 1 Introduction 1 to McAfee Logon Collector The McAfee Logon Collector is software that monitors Active Directory domains and collects logon information. Logon Collector polls Microsoft Active Directory domain controllers for user logon events and sends this information to security appliances to correlate network traffic with user behavior. Logon Collector is installed on separate Windows-based servers to communicate with the Active Directory, and supports distributed deployment. Logon Collector deployment does not require any modification to the Active Directory or the Active Directory schema and requires no agents. Logon Monitors can be used to poll nearby domain controllers and forward collected information to the Logon Collector, shortening the distance domain controller communication must travel. Contents Important terminologies Domain controllers and logon collection Deployment Ports used by Logon Collector Viewing online help Important terminologies A domain is a logical group of identified resources on a network, whether users, computers, or networked application services. These resources are collected for the domain into a distributed directory, shared in a group of domain controllers. Members of a domain only need to authenticate one time to the closest domain controller. All the other resources in the domain are made accessible based on their privileges in the domain. An identity is the set of characteristics that uniquely identifies a user. A user s identity includes user name, authentication status, group membership, primary group, and current IP address. The user or system primary group can be fetched and passed on to clients. Domain controllers and logon collection Logon Collectors and Logon Monitors interact with domain controllers and enable McAfee products such as Next Generation Firewall and McAfee Network Security Platform to continuously gather identity information. This information is used to map network transactions to actual identities. Each time a user logs on to the network or requires access to any domain-controlled resource such as a printer, server, or file share, the domain controller creates an event log entry in a special, protected log file called the Security Event Log. This log file is available to remote systems such as the Logon Collector and the Logon Monitor by way of a Microsoft interface called Windows Management Instrumentation (WMI). McAfee Logon Collector 3.0 Administration Guide 7

8 1 Introduction to McAfee Logon Collector Deployment To minimize the burden placed on a domain controller by Security Event Log queries (using WMI), the Logon Collector or Logon Monitor contacts the domain controller on behalf of McAfee appliances that require the Security Event Log information. Each domain controller only has to accommodate a single connection instead of multiple connections for each McAfee appliance. Because the overhead of using WMI can be expensive, you can deploy Logon Monitors close to the domain controllers on your network. Doing so routes the greatest amount of traffic, WMI communication between the domain controllers and Logon Monitor, along a relatively short distance. The communication overhead between a Logon Monitor and a Logon Collector is low, enabling you to optimize your deployment of logon collecting. See also Install Logon Monitor on page 18 Deployment The Logon Collector and Logon Monitor can connect to multiple domain controllers across multiple domains and forests. Each Logon Collector can be contacted by multiple clients and can have multiple Logon Monitors. When deploying Logon Collectors and Logon Monitors, consider the following: The network overhead of WMI communication can be expensive. WMI communication occurs between the domain controller and the Logon Monitor. McAfee recommends that you use a single Logon Monitor for all your McAfee security devices so that only one WMI session is needed on each domain controller. McAfee recommends that you place a Logon Collector or Logon Monitor on the same geographical location as that of the domain controller. Communication between a Logon Monitor and the Logon Collector over a WAN link is often faster than the communication between the domain controller and the Logon Collector over the same WAN link. The faster the Logon Collector receives this information, the faster the client can associate an IP address with the matching identity. Connect to domain controllers that add value to the monitoring strategy. The Logon Monitor should connect to the domain controller from which the users to be monitored log on. For example, if you are monitoring in an area of the network such as New York, and you never see users from San Francisco, then you might not need to monitor the users that log on to a domain controller in San Francisco. Conversely, if the users in San Francisco use services in the New York data center you are monitoring, then you will greatly benefit from watching the security event log of the San Francisco domain controller and determining the identity of these users. Take advantage of the IT support infrastructure. If your infrastructure is administered by different groups of system administrators that correspond to the already existent Windows architecture, you might want to work with them. The Logon Collectors and Logon Monitors are installed as services on Windows Server 2008 R2 or Windows Server The administration of these servers might already be part of a larger system administration strategy, and you might want to abide by it. Depending on your security requirements, you might want to dedicate a Windows Server 2008 R2 or Windows Server 2012 to run the Logon Collector or a pair of servers in High Availability mode. If the server on which the Logon Collector is installed is compromised, it might cause great loss of functionality to your security architecture. It is important to keep the server on which the Logon Collector or Logon Monitor is installed up to date by applying the Microsoft security patches on a timely basis. It is equally important to follow the Microsoft security best practices to harden this server. If possible, remote and local access to the Logon Collector or Logon Monitor server should be limited to its administrators only. 8 McAfee Logon Collector 3.0 Administration Guide

9 Introduction to McAfee Logon Collector Ports used by Logon Collector 1 Follow the instructions from the Use NTLMv2 with Logon Collectors section to securely protect the credentials in the server and to use only secure authentication protocols. It is possible to configure domain controllers to allow the Logon Monitor to access the Security Event Log without using Administrator logon credentials. This is recommended. Refer to the section on Create a non-administrator account to access the security event log on a domain controller. Figure 1-1 Logon Collector deployment See also Use NTLMv2 with Logon Monitors on page 47 About identities collection on page 23 Ports used by Logon Collector These ports must be enabled in your network. Table 1-1 Logon Collector Port table Port Type of port Used for 8443 Logon Collector HTTPS Web Server Secure port 8444 Logon Collector HTTPS Web Server authorization port Logon Collector JMS Communication between Logon Collector and point products Communication among Logon Collector cluster members McAfee Logon Collector 3.0 Administration Guide 9

10 1 Introduction to McAfee Logon Collector Viewing online help Table 1-1 Logon Collector Port table (continued) Port Type of port Used for Logon Collector JMS (STOMP) Communication between Logon Collector and 2.0+ C client based point products Local or Remote Logon Monitor TCP Communication between Logon Collector and Logon Monitor 389 Domain Controller (AD) LDAP/Secure LDAP LDAP or Secure LDAP query from Logon Collector to Domain Controller Logon Collector does not function if you have enabled SSL port 636 on the Domain Controllers (Active Directory) and have disabled non-ssl port 389. Logon Collector fails to connect to Domain Controller (Active Directory) on SSL port 636. The WMI communication happens between Logon Monitor and domain controller. Viewing online help You can view the online help for Logon Collector by clicking the question mark (?) button on the menu bar. The online help includes a table of contents and has full-text search capability. 10 McAfee Logon Collector 3.0 Administration Guide

11 2 Installation 2 This section includes the installation process of McAfee Logon Collector and Logon Monitor. Contents Key considerations for installation Prerequisites Install Logon Collector Access the Logon Collector web interface Install Logon Monitor Key considerations for installation This section gives the details of the key considerations for installation. When you install the Logon Collector on Windows Server 2008 R2 or 2012 for the first time, you might see a message that states, The Windows registry entry NtfsDisable8dot3NameCreation value will be changed to 0. You will receive this message only if the Windows registry entry value has not been modified. You can either proceed by making this change in the registry or you can proceed without the change. If you accept the change in the registry and proceed, you can have spaces in the installation location. If you do not accept the change in the registry, you must ensure that the installation location path does not contain any folder with white spaces in its name. You must also ensure that the folder name does not exceed 8 characters. Prerequisites Review the installation prerequisites for the Logon Collector and the Logon Monitor before installing the software. Planning for installation Before installation, ensure that you complete the following: You must be logged on to the server as a local computer administrator. Make sure your hardware meets or exceeds the minimum requirements. McAfee Logon Collector 3.0 Administration Guide 11

12 2 Installation Prerequisites You do not need a special passphrase or license key to install the Logon Collector or Logon Monitor software. You can install as many instances of the Logon Collector or Logon Monitor (each on its own server) as are needed to provide adequate coverage for the domain controllers in your monitored domain. For Windows Server 2012, enable.net framework 3.5 to successfully install Logon Collector 3.0. Client Server compatibility Logon Collector 1.0 client supports Logon Collector 1.x and 2.x servers. Logon Collector client supports Logon Collector 2.x servers. The client does not support Logon Collector 1.x servers. Logon Collector 2.2 and 3.0 client supports Logon Collector 3.0 servers. 3.0 client does not support Logon Collector 1.x and 2.x servers. System requirements The Logon Collector and Logon Monitor run as Microsoft Windows services on a Windows Server, and require a system that meets these minimum requirements: Component Operating System Minimum requirement Any one of the following Microsoft operating systems: Windows Server 2008 R2 (64-bit) Windows Server 2012 and 2012 R2 (64-bit) Windows Server 2003 is not supported. Operating System Domain controllers Any one of the following Microsoft servers: Windows Server 2008 R2 Windows Server 2012 and 2012 R2 RAM (memory) Disk space Processor 4 GB or higher 20 GB free space Pentium IV 2 GHz or faster Software framework Microsoft.NET framework 3.5 We highly recommend to enable the.net framework 3.5 to successfully install Logon Collector 3.0. Browser Microsoft Internet Explorer 8.x and above Mozilla Firefox 25 and above Google Chrome 40 and above. Recommended to use the latest browser versions. Network connectivity Resolution From Logon Collector servers to the domain controllers of the Microsoft Active Directory domain that the Logon Collector or Logon Monitor is monitoring Display set to a resolution of 1024x768 or greater 12 McAfee Logon Collector 3.0 Administration Guide

13 Installation Install Logon Collector 2 Component Monitored Domains Domain controllers Minimum requirement The domain user (entered while adding domain in Logon Collector) must have access rights to the security events logs on each domain controller Domain controller's functional level should not be higher than Logon Collector's Windows Server version. Refer to the section, Key considerations for installation. Domain controllers must have port 389 enabled for LDAP and Secure LDAP queries. Consider installing the Logon Monitor on a virtual machine as the Logon Monitor is a less demanding application, and does not transmit as much information as the Logon Collector. The Logon Monitor memory usage depends on the number of users and groups in its database. DNS resolution requirements Proper Domain Name System (DNS) resolution is a critical prerequisite for identities collection. The computers on which the Logon Collector or Logon Monitor are installed, and the client configured to collect identities must be configured to refer to a DNS server that must be able to: Resolve any domain from which logons are collected. Provide forward resolution for all domain controllers from which logons are collected. Provide reverse resolution for all domain controllers from which logons are collected. Provide SRV records for one or more domain controllers in the domain from which logons are collected. When the DNS settings are changed, Logon Collector cancels its old DNS cache after 30 seconds, and then applies new DNS settings. You should wait at least for 30 seconds to resolve the domain. See also Troubleshooting DNS problems on page 113 Install Logon Collector A Logon Monitor is installed locally on the same server when you install Logon Collector. This Logon Monitor is referenced in the user interface as localhost. You can install Logon Monitor separately, if you need a remote Logon Monitor. If you are already running a McAfee Foundation Services (MFS)-based application (for example, McAfee epolicy Orchestrator), the Logon Collector service will be incompatible with it. See also Uninstall the software on page 17 Uninstall Logon Monitor on page 19 Download the software Download the bundled Logon Collector and Logon Monitor software from the McAfee website. McAfee Logon Collector 3.0 Administration Guide 13

14 2 Installation Install Logon Collector 1 In a web browser, go to region=us. 2 Provide your grant number, and select the appropriate product category (for example, McAfee Firewall Enterprise Appliance). 3 Select the McAfee Logon Collector version, for example McAfee Logon Collector Download the zip file for the Logon Collector installation. Extract the files to your local directory. 5 Find the Logon Collector installation program and download it to your local directory. The Logon Monitor is part of the Logon Collector bundle that you download. If you want to have a separate remote Logon Monitor installation, select the McAfee Logon Monitor folder and find the installation program. See also Install a Logon Monitor on page 19 Install the software on Windows Server The Logon Collector installation wizard will install the Logon Collector, local Logon Monitor, and Microsoft SQL Server 2008 Express (64 bit) on any one of the following Operating Systems: Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 If you already have an instance of Microsoft SQL Server on your server, you can skip that part of the installation. At any point of the installation, click Back or Cancel to return to the previous step or cancel the installation, respectively. 14 McAfee Logon Collector 3.0 Administration Guide

15 Installation Install Logon Collector 2 1 Navigate to the downloaded Logon Collector folder in your local directory. 2 Double-click Setup.exe. The Logon Collector installation wizard opens. If your system has less than 4 GB RAM, a memory error message is displayed. Click Yes to continue the installation with the current available memory. You can click No to cancel the installation and proceed with the same after a sufficient memory of minimum 4 GB RAM is ensured. If you are installing the software on Windows 2008 R2, the following Security Warning window will be displayed. Figure 2-1 Security Warning window Click Run to proceed. A pop-up window might appear to enable the Windows 8.3 file naming convention. Click Yes to continue with the installation. Enabling this option generates a short name in the Windows 8.3 file naming convention for lengthy file names. 3 The Logon Collector installation wizard opens. Click Next to continue. The McAfee End User Licensing Agreement window opens. 4 Select any one of the following licenses from the drop-down list under the License expire type option: 1 Year Subscription - the license expires in a year 2 Year Subscription - the license expires in two years Perpetual License - the license has no expiry Read the license agreement, select the I accept the terms in the license agreement option, and then click OK. McAfee Logon Collector 3.0 Administration Guide 15

16 2 Installation Install Logon Collector 5 By default, the destination folder for the installation is set to C:\Program Files\McAfee\McAfee Logon Collector\. Click Change to select a new location. The uninstallation process can remove the folder containing the installed Logon Collector along with any existing folder in the path. McAfee recommends that you to select an empty folder or follow the default installation location format to avoid this issue. Click Next to continue. The Global Administrator Information window is displayed. 6 Enter the Username and Password for the Logon Collector web interface administrator. Re-enter the password for verification purpose. Click Next. The HTTP Port Information window opens. 7 Leave the Logon Collector ports at their default values unless a default port is already in use. You will need the Web Server port for opening the Logon Collector web interface. 8 Click Next. The SQL Express Option window opens. There can be any one of the following results: Result 1 Options enabled in the SQL Express Option window: A pop-up opens. Click Yes to continue with the Microsoft SQL 2005 Express installation. Result 2 Options disabled in the SQL Express Option window: During the installation process, you might find both the options disabled in the SQL Express Option window. Click Why are the above options disabled? option to view the reasons of this action. Click OK to continue. Additional scenario If you are installing Microsoft SQL 2008 Express on Windows Server 2008 (64-bit) for the first time, the a warning message is displayed. Click Yes to open the Program Compatibility window. Click Run Program to continue. Figure 2-2 Program Compatibility Assistant window 16 McAfee Logon Collector 3.0 Administration Guide

17 Installation Install Logon Collector 2 9 The Microsoft SQL 2008 Express installation is in progress window is displayed. The Database Information window opens. 10 Select the following options in the Database Information window: Windows authentication: Select to enter the domain and logon credentials for the server that will house the Logon Collector database. The SQL server TCP port details are set by default. SQL authentication: Select only when you have a separate Microsoft SQL Server installation prior to the Logon Collector installation. In this case, enter the Microsoft SQL Server user name and password that was used during Microsoft SQL Server installation. 11 Click Next. The Ready to Install the Program window opens. 12 Click Install to proceed. The Installing McAfee Logon Collector window is displayed. 13 Click Finish to complete the installation. Uninstall the software Follow these steps to uninstall the Logon Collector. 1 On the Windows server, from the Start menu, select Control Panel menu, and then click Add or Remove Programs. 2 Select Logon Collector, then click Remove and follow the on-screen instructions. 3 If you want to remove the Logon Collector database, leave the checkbox selected and click Next to proceed. Configuration information such as which domains are being monitored and which Logon Monitors are connected is not saved. If you have numerous users configured for administering the Logon Collector, you might want to preserve the database. 4 When you are prompted for the database password, click Next to proceed. 5 In the Add or Remove Programs window, select Logon Collector, and click Remove. 6 Click Yes when prompted to remove Logon Collector. 7 Close Add or Remove Programs. See also Install Logon Collector on page 13 Install Logon Monitor on page 18 Uninstall Microsoft SQL Server 2008 Express Edition If you have installed Microsoft SQL Server 2008 Express Edition as part of installing the Logon Collector, you might want to remove it when you remove the Logon Collector from your computer. If you intend to re-install the Logon Collector, you must leave Microsoft SQL Server 2008 Express Edition on your computer. Follow these steps to uninstall Microsoft SQL Server 2008 Express Edition. McAfee Logon Collector 3.0 Administration Guide 17

18 2 Installation Access the Logon Collector web interface 1 On Windows server, from the Start menu, select Control Panel menu, and click Add or Remove Programs. 2 Select Microsoft SQL Server 2008, and click Remove. 3 In the Component Selection window, select MLCSERVER: Database Engine and Workstation Components, and click Next. 4 Click Finish. 5 In the Add or Remove Programs window, select Microsoft SQL Server Native Client, and click Remove. 6 Click Yes when prompted to remove Microsoft SQL Server Native Client. 7 Close Add or Remove Programs. Access the Logon Collector web interface Use the Logon Collector web interface to monitor domains and Logon Monitors, generate reports, and perform administrative tasks. 1 Open a browser and enter the URL of the Logon Collector. For example, if you accepted the default ports, you might enter The value "8443" in the URL might differ depending on the installation. If you are connecting to the web interface for the first time over an HTTPS connection, an invalid certificate warning will appear. Click Continue to this website (or the equivalent) to continue. The Log On window appears. 2 Enter the user name and password configured during installation, and click Log On. The Main Status window of the web interface appears. Install Logon Monitor A local Logon Monitor is included in the Logon Collector installation. You do not need a special passphrase or license key to install the Logon Monitor. You may install as many instances of the Logon Monitor (each on its own server) as are needed to provide adequate coverage for the domain controllers in your monitored domain. You should install a Logon Monitor as close as possible to the domain controllers with which it will communicate. This minimizes the impact of the traffic resulting from the communication. The Logon Monitor is part of the Logon Collector download bundle. 18 McAfee Logon Collector 3.0 Administration Guide

19 Installation Install Logon Monitor 2 Prerequisites: Earlier versions of the Logon Collector or Logon Monitor must be uninstalled before installing this version of the software. You must be logged on to the server as an administrator. See also Domain controllers and logon collection on page 7 Uninstall the software on page 17 Uninstall Logon Monitor on page 19 Install a Logon Monitor 1 Using Windows Explorer, locate the Logon Monitor folder. Download the software from the location described in the Download the software section of this guide. 2 Double-click Setup.exe. 3 For a new installation of the Logon Monitor, click Generate Self Signed Certificate on the Configuration tab of the McAfee Logon Monitor Configuration window. The certificate is required to communicate with the Logon Collector. If you are re-installing the Logon Monitor, the previous installation s certificate remains in the store, and you can continue to use it. 4 Complete the configuration changes, and click OK. See also Logon Monitor configuration on page 44 Download the software on page 13 Uninstall Logon Monitor Follow the steps below to uninstall a Logon Monitor. Ensure that the Logon Monitor you want to uninstall is not being used to watch any domain controllers for any Logon Collector. 1 On the Windows server, from the Start menu, select the Control Panel menu, and click Add or Remove Programs. 2 Click McAfee Logon Monitor, then click Remove. 3 When prompted by the InstallShield Wizard for McAfee Logon Monitor, click Next to begin the removal process. 4 On the Program Maintenance window, click Remove, and click Next. 5 Click Remove. 6 Click Finish. If you plan to re-install the Logon Monitor, then consider that the previous installation s certificate remains in the store and you can continue to use it. McAfee Logon Collector 3.0 Administration Guide 19

20 2 Installation Install Logon Monitor See also Install Logon Collector on page 13 Install Logon Monitor on page McAfee Logon Collector 3.0 Administration Guide

21 3 Upgrade You can upgrade from Logon Collector 2.2 to Logon Collector 3.0. Contents Key considerations for an upgrade Upgrade the software from 2.2 to 3.0 using the installer Verify the upgrade Key considerations for an upgrade be aware of these issues before upgrading. You cannot upgrade from Logon Collector 2.1 to Logon Collector 3.0 because Microsoft SQL Server 2008 Express Edition supports only from Logon Collector 2.2 and later. If Logon Collector 2.1 is installed, you must uninstall Logon Collector 2.1 and Microsoft SQL Server 2005 Express Edition before upgrading. The entire Logon Collector configuration along with the following information is retained on the Logon Collector server when an upgrade is done: Configured domains Added certificates Remote Logon Monitors After an upgrade, the local Logon Monitor settings and configuration are reset to default values. Make sure to note these values prior to an upgrade. As with any upgrade, McAfee strongly recommends that you always first try the upgrade in a test environment. Logon Collector3.0 does not support upgrades from epo versions of Logon Collector 2.x. McAfee Logon Collector 3.0 Administration Guide 21

22 3 Upgrade Upgrade the software from 2.2 to 3.0 using the installer Upgrade the software from 2.2 to 3.0 using the installer Before you begin Note the local Logon Monitor settings and configuration values. After upgrade, these values are reset to default. These Microsoft operating systems are supported for an upgrade: Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2.NET framework 4.5 is installed as part of Windows Server 2012 / R2. This version has compatibility issues with SQL Server 2008 Express. We highly recommend enabling the.net framework 3.5 to successfully install Logon Collector 3.0. Use the installer you downloaded to upgrade Logon Collector. 1 Navigate to the folder on your local directory that contains the downloaded Logon Collector installer. Double-click Setup.exe and start the Logon Collector 3.0 setup. 2 Read and accept the license, and proceed with the installation. 3 Confirm the destination folder. Click Next. This password must be the same as in the previous (Logon Collector 2.2) installation. 4 Enter the user name and password for the Logon Collector administrator. Verify the password. This must be the same as in the previous (Logon Collector 2.2) installation. 5 Confirm the port numbers. Since you already have an existing database, the Microsoft SQL Server options are disabled. 6 Verify that the Database Server option in the Database Information window retains the same information as that in the Logon Collector 2.2 installation. Click Next. The Ready to Install the Program window opens. 7 Click Install to begin the upgrade process. The Installing McAfee Logon Collector window opens. 8 Click Finish to complete the upgrade process. See also Install the software on Windows Server on page 14 Verify the upgrade Select Menu Configuration About to verify a successful upgrade. 22 McAfee Logon Collector 3.0 Administration Guide

23 4 Identities 4 collection This section gives the details of identities collection. Contents About identities collection Manage monitored domains About identities collection Identities can be collected in one of the following ways: Monitor a domain with a local Logon Monitor: Any Logon Collector installation contains the Logon Monitor. You must add a domain that the Logon Collector collects information from. Monitor a domain with a remote Logon Monitor: You can add remote Logon Monitors to the Logon Collectors. See the Deployment section for a discussion of when to use Logon Monitors to monitor a domain. See also Add a domain to monitor on page 24 Add a Logon Collector certificate to a Logon Monitor on page 28 Deployment on page 8 Manage monitored domains You can manage the domains that are monitored in the Monitored Domains page. In this page you can perform the following tasks: Add a new domain Manage Exchange Servers/Domain Controllers View the monitored domain details Manage Query Order Edit username and password Remove a monitored domain Identity Data Store (IDDS) is the in-memory database specific to the Logon Collector. A size limit is set to the Logon Collector which means the total number of the directory objects (users and groups) must always be less than Make sure that the domain you are adding to the Logon Collector does not exceed this limit. Also, check the existing number of users and groups in IDDS before adding a new domain. Exceeding the size limit will stop the Logon Collector from monitoring all the domains and the clients will lose connection with the Logon Collector. The following sections gives you more information on managing the monitored domains. McAfee Logon Collector 3.0 Administration Guide 23

24 4 Identities collection Manage monitored domains s Add a domain to monitor on page 24 Add a domain to monitor Before you begin Enter the credentials for the domains that are monitored directly by the Logon Collector. Obtain management access to the client that polls a given domain for identities. Install and configure a Logon Collector. Acquire the appropriate domain credentials from your Windows domain administrator. The administrator account you intend to use to access the domain controller must be in the same domain from which you want to obtain identities. If you want to use an account other than the administrator account, see the Create a non-administrator account section to access the security event log on a domain controller section. Follow these steps to add a monitored domain: 1 Select Menu Configuration Monitored Domains. 2 Click New Domain. The Domain Name tab is displayed. Update the following fields: 24 McAfee Logon Collector 3.0 Administration Guide

25 Identities collection Manage monitored domains 4 Parameter Description Domain Name Secure LDAP Type the name of the domain in the Domain Name field. Secure LDAP is a feature where the LDAP connection gets encrypted by TLS (Transportation Layer Security) for the protection of data exchanges. Before enabling this feature, it is required to verify that the Secure LDAP is also enabled in the domain controller. Secure LDAP communication between the Logon Collector and the domain controller is enabled in port 389. SSL connection is not enabled on port Select the checkbox Secure LDAP, if you want to enable LDAP communication to be secure. The domain certificate window is displayed with the certificate details. The domain certificate is issued by Certification Authority(CA) that is setup in the domain controller. The domain certificate displays the following information: Subject - Specifies the Computer name of the domain. Issuer - Specifies the details of the issuer. Issued On - Specifies the date of issue of the certificate. Expires On - Specifies the expiry date of the certificate. SHA 1 Fingerprint - Specifies the 40-digit hexadecimal hash value number of the secure hash algorithm. MD 5 Fingerprint - Specifies the 32-digit MD 5 hexadecimal hash value number. 2 Click OK to close the window. The Secure LDAP feature gets enabled only when you click OK. It remains disabled when you click Cancel. User Name Password Type the name of the user of the monitored domain. By default only the admin user of the domain can be added. To add non-admin users, permissions should be set in the domain controller. Type the relevant password for the username. 3 Click Next. The Domain Controller tab is displayed. Connections are made to each domain controller belonging to that particular domain. If the connection is not successful with any of the domain controllers, an error message with the details of the failure is displayed. 4 For each listed domain controller, specify a primary and, optionally, a backup logon monitor. McAfee Logon Collector 3.0 Administration Guide 25

26 4 Identities collection Manage monitored domains To add a backup logon monitor, click New Logon Monitorbutton in the Logon Monitors page. a Click the drop-down list under Primary and select a Logon Monitor. b c [Optional] Click the drop-down list under Backup and select a Logon Monitor that operate in the event the primary logon monitor is unavailable. Click Next. The Query Order tab is displayed. 5 Click the up or down arrow buttons to move and arrange the domain controllers in the list. Only those domain controllers for which the Logon Collectors are chosen are displayed in this page. Specify the order in which LDAP queries are made to the domain controllers for user and group information. In general, the closest domain controllers should be placed at the top of the list to increase response times and reduce network bandwidth. The Secure LDAP checkbox is displayed as selected, if you have already selected this option in the Domain Name tab. If the Secure LDAP checkbox is selected in the Domain Name tab while adding a domain, one of the Domain Controllers in the Query Order tab will automatically have this option selected. 6 Click Save to save the changes. If a domain controller is disconnected, the LDAP query fails and the status button goes red. By default, Logon Collector is configured to perform LDAP query every 12 hours. After the network connection is re-established and the status still shows red, we recommend removing the domain and add it again. When there is a change in domain controller's certificate, remove the domain and add it again from the Monitored Domains page. In Secure LDAP, TLS encryption is made using Start TLS command. The authentication during binding and unbinding of the LDAP connection to the domain controller is done using Kerberos and not TLS. So, when the communication logs are viewed using a packet analyzer tool, it can be observed that only the data packets are encrypted and not the binding and unbinding logs. In the High Availability mode, when the primary Logon Collector server goes down, all configurations including the Secure LDAP connection that is enabled are replicated from the primary Logon Collector server to the secondary Logon Collector server. 26 McAfee Logon Collector 3.0 Administration Guide

27 Identities collection Manage monitored domains 4 s The domain controllers that are connected to the primary Logon Collector server, switch-over to the secondary Logon Collector server when the primary Logon Collector server becomes unreachable. If the Secure LDAP communication is enabled in the primary Logon Collector server, after the switch-over, the Secure LDAP connection remains enabled. After the switch-over, the configuration changes can only be done in the active secondary Logon Collector server. When the primary Logon Collector comes up again after a time, it receives the replicated configuration from the active secondary Logon Collector server and so the Secure LDAP configuration gets replicated to the primary Logon Collector server. When both the primary and the secondary Logon Collector server goes down, the server that comes up first becomes the active Logon Collector server. Error Scenarios in LDAP connections on page 27 Add a Logon Monitor on page 28 See also About identities collection on page 23 Error Scenarios in LDAP connections LDAP connection to the domain controller may get an error in certain scenarios. The following are some of the reasons that could cause an error. Time mis-match between Logon Collector and domain controller. The DNS information is incorrect. The username and password does not match. In a Secure LDAP scenario, when TLS is not enabled in the domain controller, you may experience connectivity issues to the domain controller. View monitored domain details This section describes the details that can be viewed on the monitored domains. 1 Select Menu Configuration Monitored Domains. The Monitored Domains page is displayed. 2 In the left panel, select the domain in the Domains list. The following details are displayed in the right panel. Field DomainName User Name Domain Controllers Exchange Servers Description Displays the name of the domain that is monitored. Displays the name of the user in the monitored domain Displays the name of the domain controllers, the configured logon monitor, and the LDAP communication type (Secure or Non Secure). Displays the exchange server IP address and the configured logon monitor To search for a monitored domain, you can use the Filter list text field in the left panel and type the name of the monitored domain. Add Logon Monitor This section describes how to add remote Logon Monitor to the Logon Collector. McAfee Logon Collector 3.0 Administration Guide 27

28 4 Identities collection Manage monitored domains Contents Add a Logon Collector certificate to a Logon Monitor Add a Logon Monitor Remove a Logon Monitor Add a Logon Collector certificate to a Logon Monitor Before you can add a remote Logon Monitor to a monitored domain on a Logon Collector, you must first provide the Logon Collector certificate information to the Logon Monitor. 1 Install the Logon Monitor and have the McAfee Logon Monitor Configuration application running. 2 On the computer on which you installed the Logon Monitor, open a web browser. You will be trading information between the Logon Monitor and the Logon Collector. Having a web browser open with the Logon Collector web interface makes this task easier to accomplish. 3 Log on to the Logon Collector web interface and click Menu Configuration Server Settings. 4 Click Identity Replication Certificate in the list of Setting Categories. 5 In the McAfee Logon Monitor Configuration application, click the Remote tab. 6 If necessary, click New to add a new certificate to the Logon Monitor. 7 Copy the value for Common Name (CN) on the Logon Collector to the Common Name field on the Logon Monitor. 8 In the Logon Collector web interface, scroll down until Logon Monitor Fingerprint field is visible. 9 Copy the value for Logon Monitor Fingerprint on the Logon Collector to the Certificate Hash field on the Logon Monitor. 10 Click OK. 11 Repeat these steps for any other Logon Collectors that the Logon Monitor will be communicating with. With the Logon Collector certificate(s) on the Logon Monitor, you can add the Logon Monitor to any of the Logon Collectors to collect logons for a monitored domain. See also About identities collection on page 23 Remote tab on page 45 Add a Logon Monitor 1 Select Menu Configuration Logon Monitors. 2 Click New Logon Monitor. 3 Type a name for the remote Logon Monitor in the Logon Monitor Name field. The name is an arbitrary label used within Logon Collector to identify the Logon Monitor. 4 Type the host name or IP address for the remote Logon Monitor. 5 Type the port number, or accept the default value of McAfee Logon Collector 3.0 Administration Guide

29 Identities collection Manage monitored domains 4 6 Click Next or OK depending on how you are adding the Logon Monitor. A connection is attempted to the Logon Monitor. If the connection is successful, the certificate is displayed. To accept the certificate, click Save or OK depending on how you are adding the Logon Monitor. If the connection is unsuccessful, an error message is displayed. Remove a Logon Monitor If you want to remove a remote Logon Monitor, you must ensure it is not monitoring any domain controllers. Follow these steps to remove a Logon Monitor. 1 Select Menu Configuration Monitored Domains. 2 Select a domain and then click Manage Exchange Servers / Domain Controllers. 3 For each domain controller, ensure the Logon Monitor you want to delete is not listed as either the Primary or Backup Logon Monitor. If the Logon Monitor is listed, click the drop-down list and select a different Logon Monitor. 4 Repeat steps 2 and 3 until you are sure the Logon Monitor you want to delete is not being used. 5 Select Menu Configuration Logon Monitors. 6 Select the Logon Monitor you want to delete, then click Delete Logon Monitor. 7 Click OK to confirm the deletion. Edit username and password Sometimes, the password may require to be reset for some users in the domain controller. When it is reset, it is you should edit it in the Logon Collector. The following are the steps to edit the username or password. 1 Select Menu Configuration Monitored Domains. The Monitored Domains page is displayed 2 Click Edit Username/Password.The following fields are displayed. Field Domain Name User Name Password Description Displays the name of the domain that is monitored. This field is not editable Displays the name of the user for the monitored domain. Edit the username if required. Type the password for the user that is reset in the domain controller. 3 Click Save to save the changes. Managing exchange servers Logon Collector can monitor exchange servers. Logon Collector supports logon events for users logging in through Microsoft Outlook thick client or Outlook Web Access (OWA) from internet browsers running on Windows and MAC systems. POP3 and IMAP clients are not supported. McAfee Logon Collector 3.0 Administration Guide 29

30 4 Identities collection Manage monitored domains Add an exchange server to a monitored domain You can add an exchange server and monitor logon events from Outlook users. View the Status page for the added exchange servers. You can add an exchange server only to an existing monitored domain. 1 Select Menu Configuration Monitored Domains. The Domains page is displayed. 2 Select a domain and click Manage Exchange Servers / Domain Controllers. 3 In the Exchange Servers area, click Add Exchange Server. 4 In Exchange Server, enter the fully qualified domain name (FQDN) of the exchange server. We recommend to add an exchange server's IP address to the IP Ignore List. Navigate to Menu Configuration Server Settings. Select MLC Group / IP Ignore List and enter the server IP address. 5 Under Logon Monitor, go to Primary drop-down list and select localhost if you want to use Logon Collector server's local Logon Monitor or select a remote Logon Monitor if the Logon Monitor is installed on a different system. 6 [Conditional] If you have more than one Logon Monitor, you can select a backup Logon Monitor from the Backup drop-down list. You can select a local Logon Monitor as primary and a remote Logon Monitor as backup or vice versa. Alternatively, you can select different remote Logon Monitors as primary and backup. Logon Collector server uses the backup Logon Monitor if the primary Logon Monitor goes down. 7 Click Save. 8 Click Status <domain name> Controller Logon Collecting. Make sure the Message area's Status displays Collecting logons from <exchange server>. Remove an exchange server You can remove and stop monitoring logon events from an exchange server. 1 Select Menu Configuration Monitored Domains. 2 Select a domain and click Manage Exchange Servers / Domain Controllers. 3 From the existing Exchange Servers, decide on the exchange server you want to delete and click Delete Exchange Server. Manage Query Order You can set the order in which the LDAP queries are made. 30 McAfee Logon Collector 3.0 Administration Guide

31 Identities collection Manage monitored domains 4 1 Select Menu Configuration Monitored Domains and click Manage Query Order. The Active Directory Query Order page is displayed. 2 Click the up or down arrow buttons to move and arrange the domain controllers in the list. Only those domain controllers for which the Logon Collectors are chosen will be displayed in this page. Specify the order in which LDAP queries are made to the domain controllers for user and group information. In general, the closest domain controllers should be placed at the top of the list in order to increase response times and reduce network bandwidth. 3 Select or unselect the Secure LDAP check-box, to enable or disable Secure LDAP. 4 Click Save to save the changes Remove a monitored domain You can remove a monitored domain from the Logon Collector whenever required. 1 Select Menu Configuration Monitored Domains. 2 Click Remove Domain. 3 Click OK to confirm the removal of the monitored domain McAfee Logon Collector 3.0 Administration Guide 31

32 4 Identities collection Manage monitored domains 32 McAfee Logon Collector 3.0 Administration Guide

33 5 Server 5 settings This section gives the configuration details as well as the different features in the Server Settings window. Contents About server settings About Personal Settings Logon Monitor configuration About server settings Use the Server Settings window to configure a variety of settings. To edit a particular setting: 1 Select Configuration Server Settings. 2 Select a setting category and click Edit in the lower right corner of the window. 3 Edit the information and click Save. s MLC Advanced Settings on page 36 This section describes the advanced configuration settings of McAfee Logon Collector server. The Logon Collector configuration file has the parameters to configure the Logon Collector server. MLC Group / IP Ignore List on page 38 Logon Collector gives you the option to ignore user IP addresses and user group names based on your monitoring needs. MLC Group Filter on page 39 A group filter in Logon Collector enables you to filter user groups and send only relevant information to clients like McAfee Network Security Manager. See also Active Directory User login on page 34 Server on page 34 Identity replication certificate on page 34 Local Logon Monitor settings on page 34 Printing and exporting on page 43 Server certificate on page 43 McAfee Logon Collector 3.0 Administration Guide 33

34 5 Server settings About server settings Active Directory User login Select this option to allow Active Directory users to log on to the Logon Collector if they have at least one permission set. See also About server settings on page 33 Manage permission sets on page 76 Server Specify the (SMTP) server to be used for ing reports. Option Definition SMTP server name Name of the SMTP server. SMTP server port Port number of the SMTP server, usually port 125. Authentication The method of authentication, if any, for the SMTP server Select Authenticate and specify the required credentials if the specified SMTP server requires authentication. From address The address to be included in the From field. See also About server settings on page 33 Export the audit log on page 82 Define export criteria on page 86 Identity replication certificate The identity replication certificate identifies the Logon Collector to other entities with which it communicates and establishes a trusted connection. For example: The Logon Monitor Fingerprint value is provided to a Logon Monitor. The Base 64 value is provided to clients such as the McAfee Firewall Enterprise Control Center. You can generate a new self-signed certificate or use a provided certificate and private key by browsing to their locations. You must also provide a passphrase, if there is one, when you use a provided certificate. Changing the certificate can lead to any one of the following problems: Existing client may not be able to reconnect. The High Availability cluster might break. See also About server settings on page 33 Local Logon Monitor settings Configure the local Logon Monitor settings. 34 McAfee Logon Collector 3.0 Administration Guide

35 Server settings About server settings 5 Option Distinguished Name Store Name Store Type Server Port Certificate Checking Connection Type Debug Level File Location File Size Authentication Type CPU Disconnect Threshold Maximum Backlog Records Definition Contains the Common Name and other attributes that the local Logon Monitor needs to identify the certificate found in its store (see Store Name below) to be used to authenticate to the Logon Collector server. For example, cn=dlc.centserv.org,o=centserv,c=us could be the Distinguished Name, comprised of the certificate s Common Name (cn), organization name (o) and country of origin (c). To use a self-signed certificate, you only need to use the Common Name (prefixed with cn=) for identification. The Store Name, or Certificate Store name, is where the local Logon Monitor looks to find its certificates. The default setting for the Store Name is McAfeeLogonMonitor \MY. This uses the Store Type CERT_SYSTEM_STORE_SERVICES. Certificate stores are organized by type. The default type (CERT_SYSTEM_STORE_SERVICES) should suffice in most instances. The port for the local Logon Monitor service to listen on. As long as another service is not listening on the specified port, use your choice of port. The default is port Valid port numbers are Specifies the type of check to perform on any Accepted Remote Certificates. Certificate Hash [Recommended] Verifies that the hash configured for the given common name matches the hash stored. Certificate Store The Certificate Store check is where the certificate must be signed by a certificate authority found in the Certificate Store. Certified Not Required It does not check any certificate. This option does not provide secure communications to access the Logon Collector. McAfee recommends using Certificate Hash as the most secure method. Specifies whether the Logon Collector connection is encrypted or not. This setting is intended for troubleshooting only. This setting must be set to the default value (Encrpted (TLS)) or the Logon Collector may not function correctly. The amount of information written to the log file. The level of detail increases with the debug level. The default value is zero (0), with no extra log detail recorded. Where in the system the log file is stored. By default the installation location for Logon Collector is C:\Program Files\McAfee\McAfee Logon Collector\Login Collector. The maximum size, in kilobytes, to which the log file may grow before rotating. The system keeps up to five log files in the selected location. LoginMonitor.log is the most recent file, followed chronologically by LoginMonitor.log.1 to LoginMonitor.log.4. The type of authentication for the connection between the local Logon Monitor service and any domain controllers. Kerberos and NTLM authentication are supported, with Kerberos as the default. Specifies when the local Logon Monitor introduces rate-limiting if services on a monitored domain controller consume too much CPU too quickly. If the CPU threshold is crossed, the local Logon Monitor stops polling a domain for twenty minutes. After the twenty minute window, which should give the CPU time to handle its load, the local Logon Monitor reconnects. If you find that the local Logon Monitor frequently resorts to rate-limiting, try disabling the Allow Backlog Queries option. Maximum number of records for which a backlog query will run. McAfee Logon Collector 3.0 Administration Guide 35

36 5 Server settings About server settings Option Allow Backlog Queries Accepted Remote Certificates Definition Specifies whether the local Logon Monitor checks the domain controller security event logs for identity-related events that may have occurred while it was not connected. With this option enabled, the local Logon Monitor can query back into the time it was disconnected rather than simply resuming at the time it reconnects. Note that backlog querying cannot occur when the local Logon Monitor first connects to the domain controller. The query is done for the value of Maximum Backlog Records or until the time of the last connection, whichever comes first. Backlog queries are likely to affect the performance of heavily loaded or legacy computers and are not recommended. If you find that the local Logon Monitor is frequently resorting to rate-limiting, try disabling this feature. Certificates from remote Logon Collectors accepted by this Logon Collector. Certificates must pass the criteria defined in Certificate Checking. See also About server settings on page 33 Logon Monitor configuration on page 44 MLC Advanced Settings This section describes the advanced configuration settings of McAfee Logon Collector server. The Logon Collector configuration file has the parameters to configure the Logon Collector server. You can use the MLC Advanced Settings option or edit the mlc-config.xml file to configure these settings. Domain Controller Backoff Time Logon Collector stops sending the WMI queries to the domain controller if the CPU usage of the latter is beyond the configured CPU threshold. The Logon Collector waits for 20 minutes by default before sending the WMI queries to that domain controller. Setting too small value for controllerbackofftime is not recommended as it might increase the load on domain controller. McAfee recommends a minimum value of 10 minutes. 36 McAfee Logon Collector 3.0 Administration Guide

37 Server settings About server settings 5 Logon Collector V1 Compatibility Logon Collector 1.0 and Logon Collector do not propagate the user or group name changes in the Active Directory to the clients. However, Logon Collector 3.0 propagates the user and group name changes information to the clients. This causes McAfee Firewall ACLD to core as it depends on this functionality of Logon Collector. Using the v1 compatibility mode of Logon Collector 3.0 behaves exactly as Logon Collector 1.0 with respect to this functionality. As a result of this, Firewall ACLD does not core as soon an upgrade to Logon Collector 3.0 happens. By default, Logon Collector 3.0 runs on the compatibility mode. Remove White Space from Unique Name Logon Collector 1.x used an algorithm for generating uniquename for user and group objects that would remove the white spaces. As a result of this, the algorithm responsible for the generation of unique names was not creating the uniquename. Example: Group 1 cn: ProductServices un: ProductServices@DistributionLists.scur.com Group 2 cn: Product Services un: ProductServices@DistributionLists.scur.com The same "un" is generated for Group 1 and Group 2 even though their "cn"s are different. Configure Logon Collector using MLC Advanced Settings Select Server Settings MLC Advanced Settings to configure advanced settings for the Logon Collector. Alternatively, you can configure these settings using the xml file. 1 Select Menu Configuration Server Settings. 2 Select MLC Advanced Settings and click Edit. The Edit MLC Advanced Settings page is displayed. 3 [Logon Collector setting] In the Domain Controller Backoff Time field, enter the time in minutes. 4 [For clients] Select or deselect the MLC V1 Compatibility checkbox. By default, this checkbox is selected. 5 [For clients] Select or deselect the Remove White Space from Unique Name checkbox. By default, this checkbox is deselected. In Logon Collector these user and user group names remain as-is. 6 Click Save. 7 Restart the Logon Collector service. McAfee Logon Collector 3.0 Administration Guide 37

38 5 Server settings About server settings Configure Logon Collector advanced settings using the xml file Follow the steps below to configure advanced settings on the xml file if you want to configure the Logon Collector server. 1 Stop the Logon Collector service. 2 Go to <MLC_INSTALL_FOLDER>/server/conf/mlc config.xml. 3 Edit the xml file. Domain Controller Backoff Time Change the value of the parameter (in minutes): <config name="controllerbackofftime" value="20" type="common" /> Logon Collector V1 Compatibility Change the value of the parameter (true or false): <config name="enable-v1-compatibility" value="true type="common"/> Remove White Space from Unique Name Change the value of the parameter (true or false): <config name="removewhitespacefromuniquename" value="false" /> 4 Restart Logon Collector service. If the Logon Collector service takes a longer time to stop, open Manager, select the Processes tab, locate the Tomcat process, and click End Process. MLC Group / IP Ignore List Logon Collector gives you the option to ignore user IP addresses and user group names based on your monitoring needs. In many organizations, there are Exchange Servers. When users log on to OWA, the domain controller gets the IP Address of the Exchange Server. The system administrator can add the exchange server IP Address to the IP Ignore List. Similarly, many systems are configured to perform some automated tasks. These systems continuously log on to domain controller using bot user credentials. The system administrator can create a user group and add these bot users to the group. This user group can be added to the Group Ignore List. Group Ignore List If a user is member of a group and this user group name (or one of its parent group) is added to Group Ignore List, all logon events from that user are ignored. IP Ignore List If a user logs on from an IP Address and that IP Address is added to IP Ignore List, all logon events from that IP Address are ignored. Ignore user IP addresses and user group names You can select Server Settings MLC Group / IP Ignore List to ignore user IP addresses and user group names. 1 Select Menu Configuration Server Settings. 2 Select MLC Group / IP Ignore List and click Edit. The Edit MLC Group / IP Ignore List page is displayed. 3 In Group Ignore List, enter the user group names as comma-separated values. 38 McAfee Logon Collector 3.0 Administration Guide

39 Server settings About server settings 5 4 In IP Ignore List, enter the user IP addresses as comma-separated values. 5 Click Save. MLC Group Filter A group filter in Logon Collector enables you to filter user groups and send only relevant information to clients like McAfee Network Security Manager. The group filter feature optimizes data sent to clients from Logon Collector. On the other hand, the filtered user groups minimize the volume of transactions in the network and enable clients to use less resources when caching the data from Logon Collector. The MLC Group Filter option is available under Menu Configuration Server Settings Setting Categories. Considerations for High Availability mode Make sure to take care of these points when Logon Collector is in High Availability mode: The group filter settings can be configured on primary server only. Group filter configuration is replicated from primary to secondary server. When the secondary server is in standby mode, it is not possible to make group filter changes. If the primary goes down, you can make group filter changes from the secondary server. Contents Configure a group filter Send filtered groups to clients Configure a group filter You can create a group filter and send only relevant details to clients. Before you begin If the client is connected, disconnect the client from Logon Collector server prior to configuring the group filter. If the client is in connected state before configuring a group filter, the client has already received all the user groups instead of the filtered user groups. For option definitions, press F1 or click Help in the interface. 1 Go to Menu Configuration Server Settings Setting Categories and click MLC Group Filter. 2 Click Edit. The Edit MLC Group Filter page is displayed. 3 Select the Enable Filter checkbox. 4 From Quick Find, select ALL DOMAINS or select a specific domain. The Available Groups and details for a domain are displayed. You can also enter a search keyword and click Apply. McAfee Logon Collector 3.0 Administration Guide 39

40 5 Server settings About server settings 5 Press the Ctrl key and select the user groups from the list. Click Add. The Added Groups are displayed. You can click Add all to select all user groups. If you then click Save, the group filter is disabled. This is because all user groups are selected and no filter as such is created. If you wish to remove any user groups, click Remove to refine your filter. 6 Click Save. The group filter is configured and the MLC Group Filter page is displayed. You can now connect the client to Logon Collector so that it can receive only filtered user groups and details. Users who are members of the selected user groups are sent to the client, and also the logon events are sent only for users of the selected user groups. Send filtered groups to clients Logon Collector can configure a group filter, save the filter settings, connect to the client, and send filtered user groups and details. These are the high-level steps to send filtered user groups to clients. 1 Add a monitored domain Populates Logon Collector s database with all the user groups 2 Configure a group filter Select from the available user groups and save the group filter settings 3 Connect to the client Client receives the filtered user groups and information Users who are members of the selected user groups are sent to the client. The logon events are sent only for users of the selected user groups. Configuring the IP address for Logon Collector server client communication When multiple IP addresses are present in the Logon Collector server, it listens on all the IP addresses. During High Availability failover, when the primary server is inactive or is not reachable, the secondary server changes from standby to active state. The latter continues to establish communication with the primary server. Once the primary server is active, the secondary server changes its state to standby (or passive) and the primary server regains its active state. When the primary server is unavailable, the Logon Collector clients have to retry all the IP addresses of the primary server before switching over to the secondary server. This delays the failover process for the client. To overcome this problem, the Logon Collector allows you to selectively choose the IP addresses for communication. Logon Collector HTTPS port will continue to listen to all the IP addresses. The clients communication and High Availability communication will happen through the selected IP address. When the primary server is not available, the Logon Collector clients have to retry only the configured primary IP address before switching to the secondary server. Configure MLC Communication IP Address To configure MLC Communication IP Address: 1 Select Menu Configuration Server Settings. 2 Click MLC Communication IP Address. 40 McAfee Logon Collector 3.0 Administration Guide

41 Server settings About server settings 5 3 Click Edit at the bottom right corner to select an IP address from the drop-down list. Figure 5-1 Edit MLC Communication IP Address 4 Click Save. MLC User Login Timeout The Logon Collector provides an option to modify the duration of the logon event in the Logon Collector server. By default, the logon event is stored in the Logon Collector server for 6 hours. Configure MLC User Login Timeout To configure MLC User Login Timeout: McAfee Logon Collector 3.0 Administration Guide 41

42 5 Server settings About server settings 1 Select Menu Configuration Server Settings. 2 Click MLC User Login Timeout. Figure 5-2 MLC User Login Timeout 3 Click Edit at the bottom right corner to modify the time. The logon event will be stored in the Logon Collector server according to the configured time. Figure 5-3 Edit MLC User Login Timeout 4 Click Save. 42 McAfee Logon Collector 3.0 Administration Guide

43 Server settings About server settings 5 Printing and exporting Configure the settings for exported documents. Figure 5-4 Printing and Exporting option See also About server settings on page 33 Server certificate In this section, you configure the certificate that the Logon Monitor uses to authenticate itself to the Logon Collector. Ensure that you have a certificate for the Logon Monitor, whether it is a newly generated (by the Logon Monitor) self-signed certificate or one generated by a Certificate Authority. The Logon Monitor will not function without a certificate. However, for a local Logon Monitor, you do not need a self-signed certificate. Distinguished Name The Distinguished Name contains the Common Name and other attributes that the Logon Monitor needs to identify the certificate found in its store (see Store Name below) that should be used to authenticate to the server. For example, string cn=dlc.centserv.org,o=centserv,c=us could be the Distinguished Name, comprised of the certificate s Common Name (cn), organization name (o) and country of origin (c). To use a self-signed certificate, you only need to use the Common Name (prefixed with cn=) for identification. Store Name The Store Name, or Certificate Store name, is where the Logon Monitor looks to find its certificates. The default setting for the Store Name is McAfeeLogonMonitor\MY. This uses the Store Type CERT_SYSTEM_STORE_SERVICES. If the Logon Monitor is running in standalone mode, use the Store Name MY. This uses the Store Type CERT_SYSTEM_STORE_CURRENT_USER. McAfee Logon Collector 3.0 Administration Guide 43

44 5 Server settings About Personal Settings Generate Self-Signed Certificate Only available when the Distinguished Name field is not blank, the Generate Self-Signed Certificate button generates a self-signed certificate and places it in the certificate store identified by Store Name. For a separate installation of Logon Monitor, you must generate a certificate so that you can connect the Logon Monitor to a Logon Collector. View Certificate Only available when the Distinguished Name field is not blank, the View Certificate button displays a Windows-standard certificate viewer displaying the certificate matching the Distinguished Name, if one is found in the store. See also About server settings on page 33 About Personal Settings Use the Personal Settings window in Menu Configuration Personal Settings to edit the password for whomever is currently logged on and the period in minutes for non-dashboard tables to refresh if they are set to auto-refresh.. Logon Monitor configuration The Logon Monitor runs as a Windows service and starts automatically after every power cycle. This section describes configuring the Logon Monitor software. You configure the Logon Monitor with an application named Logon Monitor Configuration on the Windows computer on which you installed the Logon Monitor software. If you are not configuring the Logon Monitor as part of the installation, go to the Start menu and select Logon Monitor Configuration (for example, by default in Start Programs McAfee Logon Monitor Logon Monitor Configuration) to display the McAfee Logon Monitor Configuration window. You do not have to restart the Logon Monitor service when you make configuration changes. Changes take effect after you click OK. Logon Monitor configuration information is stored in the Windows Registry. See also Install a Logon Monitor on page 19 Local Logon Monitor settings on page McAfee Logon Collector 3.0 Administration Guide

45 Server settings Logon Monitor configuration 5 Configuration tab The Configuration tab contains the settings for the Logon Monitor. Figure 5-5 Configuration tab Remote tab The Remote tab contains the certificate common name and certificate hash of any Logon Collector to which this Logon Monitor connects. McAfee Logon Collector 3.0 Administration Guide 45

46 5 Server settings Logon Monitor configuration The Logon Monitor accepts any number of certificates in the Remote tab. Figure 5-6 Remote tab See also Add a Logon Collector certificate to a Logon Monitor on page 28 Use MMC to manage Logon Monitor certificates Logon Monitor uses the Microsoft Certificate store to manage the certificates it generates. After you install the Logon Monitor, the easiest way to view the certificates is to use the Microsoft Management Console (MMC) to view the Certificate store for the Logon Monitor service. To use MMC: 1 Start MMC (Start Run MMC). 2 Navigate to File Add/Remove Snap-in to display the Add/Remove Snap-in window. 3 Click Add to display the Add Standalone Snap-in window. 4 Select Certificates and then click Add to display the Certificates snap-in window. 5 Select Service account on the Certificates snap-in window, and then click Next. 46 McAfee Logon Collector 3.0 Administration Guide

47 Server settings Logon Monitor configuration 5 6 Select Local Computer, and then click Next. 7 Select Logon Collector from the list of services and then click Finish. 8 Click Close on the Add Standalone Snap-in window. 9 Click OK on the Add/Remove Snap-in window to close the same. MMC displays the certificate information for the Logon Monitor. 10 Right-click a certificate or a store to import certificate lists in the display. Import or remove a server or client CA certificate for Logon Monitor See the Microsoft documentation on the Certificate snap-in for MMC for information on importing a certificate as a Certificate Authority (CA) for Logon Monitor. This is only useful when the Logon Monitor is using Certificate Checking. Use NTLMv2 with Logon Monitors McAfee recommends that you use Kerberos as the authentication type. If you want to use NTLM, you should use NTLMv2 as described in this section. The default authentication method in Windows environments, LM hash, generates a weak response that can be used by an attacker to perform an off-line, brute-force attack in order to guess the actual password. Read this section to learn how to use the NTLMv2 authentication method for a more secure connection between a Logon Monitor and a domain controller. McAfee recommends that you use the NTLMv2 authentication method on Windows 2008 and Windows 2012 servers when you are running a Logon Monitor. This enables the Logon Monitor to use NTLMv2 to authenticate to the domain controllers. This can only be accomplished by modifying the Registry; no changes are required on the domain controllers. This procedure requires modifying the Windows Server Registry. Improper editing of the Registry could leave your system completely unusable or in an unstable state. Make a backup of your Registry before leave your system completely unusable or in an unstable state. Make a backup of your Registry before proceeding. For more information, see Microsoft support article ( support.microsoft.com/kb/322756/). If the Windows Server offers other services and there are clients that do not support NTLMv2 (for example, Windows 95 or Windows 98), this change prevents these old clients from using the server. To force the use of NTLMv2: 1 Log on to the Windows Server where the Logon Monitor runs. 2 Start the Registry editor (Start Run regedit). 3 Navigate to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa 4 Right-click the value LmCompatibilityLevel. See: mspx 5 Click Modify. 6 Type the number 5 (only use NTLMv2 authentication and negotiate NTLMv2 session security if the server supports it) and click OK. McAfee Logon Collector 3.0 Administration Guide 47

48 5 Server settings Logon Monitor configuration 7 Restart the Windows Server. 8 Ensure the IAM status on the Logon Collector is UP after 10 minutes. 48 McAfee Logon Collector 3.0 Administration Guide

49 6 High 6 Availability (Clustering) This chapter discusses about the High Availability (HA) feature. The terms High Availability and cluster are used interchangeably throughout the chapter. Contents Overview Configuration basics Configuration data replication Logon events replication Limitations Disable a cluster Reconfigure a cluster Overview The high availability feature enables the McAfee Logon Collector to exist in the form of primary server and secondary server. In this scenario, when the primary server is inactive or is not reachable, the secondary server changes from standby to active mode. The latter keeps polling the primary server to check if it is available again. Once the primary server is active, the secondary server changes to the standby state. The clients that were connected to the primary server, switch over to the secondary server when the primary server becomes unreachable. When the primary server becomes active again, the clients switch back to the primary server. Logon Collector can exist in the following modes: Standalone Cluster Logon Collector can exist in the following states: Active Standby Configuration basics This section gives the details about the configuration basics of the High Availability feature. McAfee Logon Collector 3.0 Administration Guide 49

50 6 High Availability (Clustering) Configuration basics Prerequisites for High Availability Listed below are the prerequisites for the High Availability feature: Two Logon Collector servers (primary and secondary server) must be available. The domain controller(s) to be monitored must always be reachable from both the Logon Collector servers. Both the primary and secondary servers must communicate with each other. Both the primary and secondary servers should either have the self-signed certificate or the certificate signed by common CA. High Availability setup To configure a cluster: 1 Install Logon Collector on two different servers (Windows Server 2008 or Windows Server 2012). 2 On the server that you intend to select as primary, select Menu Configuration Cluster Configuration. Figure 6-1 Cluster Configuration option The Cluster Configuration window opens. 50 McAfee Logon Collector 3.0 Administration Guide

51 High Availability (Clustering) Configuration basics 6 3 Click Edit. The Edit Cluster Configuration window opens. Figure 6-2 Cluster Configuration window 4 Select the Enable clustering box, and select Primary. Click Save. Figure 6-3 Edit Cluster Configuration window for primary server configuration 5 On the server that you intend to select as secondary, select Menu Configuration Cluster Configuration to open the Cluster Configuration window. McAfee Logon Collector 3.0 Administration Guide 51

52 6 High Availability (Clustering) Configuration basics 6 In the Edit Cluster Configuration window, select the Enable Clustering box and select Secondary. Enter the following details: Primary Server (<IP Address>:<Https port>) Admin username for primary server Admin password for primary server Figure 6-4 Edit Cluster Configuration window for secondary server configuration Click Next. The Enable Cluster window opens. 52 McAfee Logon Collector 3.0 Administration Guide

53 High Availability (Clustering) Configuration basics 6 7 Click Yes to display the HTTPS port certificate of the primary server. The cluster will be formed only if you accept the certificate. This message gives the information about the configuration settings after a cluster formation is complete. Figure 6-5 Enable Cluster window Click No if you do not want to overwrite the configuration settings. 8 In the Primary MLC Certificate window, click Accept Certificate and Enable Clustering. This initiates the certificate exchange between the primary and secondary servers, and enables the trust establishment. Figure 6-6 Primary MLC Certificate window The Cluster Configuration window opens. McAfee Logon Collector 3.0 Administration Guide 53

54 6 High Availability (Clustering) Configuration basics 9 The Cluster Configuration window shows the following details: MLC Cluster Configuration Enabled: The status of cluster configuration Status The status of the server Primary Server IP address The IP address of the primary server Https port number of primary server The https port number used by the peer server during cluster creation JMS port number of primary server The Java Messaging Services (JMS) port number used by the peer server and clients for transferring data Figure 6-7 Cluster Configuration window after cluster formation See also Reconfigure a cluster on page 59 Configure High Availability in Public Key Infrastructure (PKI) setup You can also configure the High Availability feature in Public Key Infrastructure (PKI) setup. The steps to configure the cluster in this scenario remains the same as described earlier. Pre-requisites for High Availability in Public Key Infrastructure (PKI) setup The following steps are the pre-requisites for high availability in Public Key Infrastructure (PKI) setup: 1 Select Menu Configuration Trusted CAs and add the CA root certificate on both the High Availability peers. 2 Select Menu Configuration Server Settings Identity Replication Certificate to replace the Identity Replication certificate with the CA-signed certificate for the respective servers. The CA root certificate and the CA-signed certificate should be added for the clients. Error scenarios An error message will be displayed for any one of the following scenarios: 54 McAfee Logon Collector 3.0 Administration Guide

55 High Availability (Clustering) Configuration basics 6 The certificate used by the primary server is self-signed, while the certificate used by the secondary server is signed by CA. The certificate used by the secondary server is self-signed, while the certificate used by the primary server is signed by CA. The certificates used by the primary and secondary servers are signed by two different CAs. In this case, the cluster configuration is successful, but the status will be displayed in red. The following figure shows the error message. Figure 6-8 Error message Check the status of cluster formation This section discusses how to check the status of cluster formation. McAfee Logon Collector 3.0 Administration Guide 55

56 6 High Availability (Clustering) Configuration basics 1 Select Menu Reporting Status to verify the cluster formation status. 2 In the Status window, click Cluster Manager to view the message from the cluster member. Figure 6-9 Status message of cluster formation in the primary server Figure 6-10 Status message of cluster formation in the secondary server Important: The overall {IAM} status is RED since the {LAM} component status is RED. Figure 6-11 Status window 56 McAfee Logon Collector 3.0 Administration Guide

57 High Availability (Clustering) Configuration data replication 6 Configuration data replication When a cluster is created, the primary server overrides the existing configuration of the secondary server. The secondary server exists in any one of the following states: Active When the secondary server is disconnected from the primary server, it is known as the active secondary server. Standby When the secondary server is connected with the primary server, it is known as the standby secondary server. The passive secondary server does not allow you to make configuration changes; an error message will be displayed if you do so. The configuration changes can only be done on the active secondary server. Replication from the primary to the secondary server: Once the cluster is configured, the configurations are replicated from the primary to the secondary server. Replication from the active secondary server to the primary server: When the primary server goes down and comes up after a period of time, it receives the configuration details from the active secondary server. When the secondary server runs in standby mode, the {LAM} status is RED in the Status window. This is a normal behavior because the Logon Collector stops {LAM} when it runs in standby mode. Logon Collector should not be deployed on a DHCP machine: The peer Logon Collector servers should communicate with each other during a cluster formation. But, this may not be possible if the Logon Collector is deployed on a DHCP machine. McAfee products connected to the Logon Collector server on a given IP address will also be disconnected when there is a change in the IP address due to DHCP configuration. McAfee therefore, recommends that you avoid deploy the Logon Collector on a DHCP system. Logon events replication Replication from the primary to the secondary server The logon events on the active Logon Collector server are replicated to the standby Logon Collector server. Replication from the active secondary server to the primary server When the primary server goes down and comes up again after a period of time, it receives the replication data (logon events, users, groups) from the active secondary server. When both primary and secondary servers are down, you must bring up first the server that has the latest configuration followed by the other server. If you fail to do so, the data replicated across the servers might not be the latest. McAfee Logon Collector 3.0 Administration Guide 57

58 6 High Availability (Clustering) Limitations Limitations The following list shows the limitations of the High Availability feature: The split network scenario is not supported. It is important to ensure that the communications between primary and secondary are never interrupted. For example, if the network connectivity between the primary and the secondary server is down, the secondary server assumes that the primary server is not responding, waits for 5 seconds, and becomes active. When the communication is re-established, the primary server always overrides the configuration of the secondary server. The high availability feature works in the PKI setup, but the primary and secondary certificates must be signed by the same signer. Certificate Revocation List (CRL) is not supported. Other McAfee products using the Logon Collector 1.0 client library will not be benefitted with this feature; but they can continue to work in this scenario. Disable a cluster To disable a cluster: 1 On the secondary server, select Menu Configuration Cluster Configuration. 2 Deselect Enable clustering, and click Save. The Disable Cluster window opens. Click Yes to continue. Figure 6-12 Disable Cluster window for secondary server 58 McAfee Logon Collector 3.0 Administration Guide

59 High Availability (Clustering) Reconfigure a cluster 6 3 Go to the Cluster Configuration window of the primary server. 4 Deselect the Enable clustering checkbox and click Save. The Disable Cluster window opens. Click Yes to continue. Figure 6-13 Disable Cluster window for primary server When the cluster is disabled, the secondary server removes all configurations including logon monitors and domains, and functions as a standalone server. The primary server will retain the configurations and will continue to monitor the configured domains as a standalone server. See also Reconfigure a cluster on page 59 Reconfigure a cluster The cluster can be reconfigured if the role of the servers needs to be reversed (for example, if you want the secondary server to behave as the primary server and vice versa). Follow the steps below to reconfigure a cluster: 1 Disable the cluster. 2 Enable the cluster with new primary and secondary server configurations. McAfee Logon Collector 3.0 Administration Guide 59

60 6 High Availability (Clustering) Reconfigure a cluster 60 McAfee Logon Collector 3.0 Administration Guide

61 7 7 On-demand group and user refresh This chapter gives the details of on-demand group and user refresh. You can refresh the new user information anytime. This enables the Logon Collector server to synchronize its user/group data with the domain controller. If the administrator adds a user to an Active Directory group in order to grant access to a resource, the administrator may use on-demand group refresh to update the Logon Collector and allow user access to the resource, without having to wait until the group refresh happens in background. McAfee recommends you to avoid running the group and user refresh tasks at the same time. Run the group refresh task approximately 20 minutes before the user refresh task to allow the group refresh task to be completed. Other options displayed in the Server s user interface that are not explained in this chapter are not related to the Logon Collector. Contents MFS Scheduler 2.5 On-demand group refresh On-demand user refresh Server s Log McAfee Logon Collector 3.0 Administration Guide 61

62 7 On-demand group and user refresh MFS Scheduler 2.5 MFS Scheduler 2.5 You can perform the on-demand group and user refresh tasks if the MFS Scheduler 2.5 is enabled. MFS Scheduler 2.5 is enabled by default. Go to Menu Software Extensions to view the MFS Scheduler 2.5 in the list of the installed extensions. Figure 7-1 MFS Scheduler 2.5 Both the user refresh and group refresh are implemented using MFS Scheduler. The interval for the scheduler tasks are stored in the SQL server and not in mlc-config.xml. Any change in the interval of these tasks will not be replicated from the primary to the secondary server. On-demand group refresh Select Menu Automation Server s to configure MLC Refresh Groups server task. Figure 7-2 MLC Refresh Groups option Options of group refresh This section gives the details of the various options of group refresh. 62 McAfee Logon Collector 3.0 Administration Guide

63 On-demand group and user refresh On-demand group refresh 7 Option 1: Run Before you begin Use this option to manually refresh the group information in the Logon Collector database (IDDS) by retrieving the latest group information from the domain controller datastore. To manually refresh the group information: 1 Select Menu Automation Server s. Click the Run option of MLC Refresh Groups. 2 Under MLC Refresh Groups, click Run. The Server Log page opens. This page gives the results of group refresh action. By default, the records are sorted by time, with the latest record on top. Figure 7-3 Results of group refresh action 3 Click MLC Refresh Group record to view the details. Figure 7-4 Server Log Information page Option 2: Edit Use this option to change the scheduler settings for a task. Select Menu Automation Server s. Select MLC Refresh Groups and click Edit. McAfee Logon Collector 3.0 Administration Guide 63

64 7 On-demand group and user refresh On-demand group refresh Tab 1: Description 1 In the Server Builder page, the following details are displayed under the Description tab: Update the following fields: Parameter Name Notes Schedule status Description MLC Refresh Groups Refresh all groups for all directories The schedule of the task Enabled to enable an automatic refresh Disabled to disable an automatic refresh McAfee does not recommend using the Disabled action. Figure 7-5 Server Builder page 2 Click Next. The Actions tab opens. 3 Click Save. Tab 2: Actions This tab shows the actions performed by Logon Collector. 64 McAfee Logon Collector 3.0 Administration Guide

65 On-demand group and user refresh On-demand group refresh 7 1 Under the Actions field, the MLC Group Sync option is selected by default. Figure 7-6 Actions tab 2 Click Next. The Schedule tab opens. 3 Click Save. Tab 3: Schedule The Schedule tab enables you to change the scheduler settings for the task. 1 In the Schedule tab, enter the following details: Update the following fields: Parameter Description Schedule Type Select any one of the following schedule types from the drop-down list: Hourly Monthly Daily Yearly Weekly Advanced McAfee recommends that you to select the Daily option for Schedule Type. Start Date Select the date from when you want to start the task. McAfee Logon Collector 3.0 Administration Guide 65

66 7 On-demand group and user refresh On-demand group refresh Parameter Description End Date Select the date by when you want to stop the task. McAfee recommends you to select the No End Date option so that no end date is configured for the task. Schedule Click to add a new scheduled time. Click to remove an existing scheduled time. At Select the At option from the drop-down list to run the task at a specific time. Between Select the Between option from the drop-down list to run multiple tasks in a specific range of time. Figure 7-7 Schedule tab McAfee recommends that you set the schedule time such that the MLC Group Refresh task starts at least 20 minutes before the MLC User Refresh task. 2 Click Save. Tab 4: Summary Go to the Summary tab to view the following details: Parameter Name Notes Owner Schedule Status Description The name of the task Any notes related to the task The owner of the task The status of the scheduled task 66 McAfee Logon Collector 3.0 Administration Guide

67 On-demand group and user refresh On-demand group refresh 7 Parameter Schedule Actions Description The details about start date, end date, time frame, and next runtime of the scheduled task The actions of the scheduled task such as MLC Group Sync Figure 7-8 Summary window Click Save. Option 3: View Use this option to view the settings for the refresh groups. Select Menu Automation Server s. Select MLC Refresh Groups and click View. The Server s Details page opens. This page displays details of the group refresh action. Figure 7-9 Server Details page McAfee Logon Collector 3.0 Administration Guide 67

68 7 On-demand group and user refresh On-demand user refresh On-demand user refresh Select Menu Automation Server s to configure MLC Refresh Users server task. Figure 7-10 MLC Refresh Users option Options of user refresh This section gives the details of the various options of user refresh. Option 1: Run Before you begin Use this option to manually refresh the user information in the Logon Collector database (IDDS) by retrieving the latest user information from the domain controller datastore. To manually refresh the user information: 1 Select Menu Automation Server s. Click the Run option of MLC Refresh Users. The Server Log page opens. This page gives the results of user refresh action. By default, the records are sorted on time, with the latest record on top. Figure 7-11 Results of user refresh action 68 McAfee Logon Collector 3.0 Administration Guide

69 On-demand group and user refresh On-demand user refresh 7 2 Click the MLC Refresh Users record to view the details. Figure 7-12 Server Log Information page Option 2: Edit Use this option to change the scheduler settings for a task. Select Menu Automation Server s. Select MLC Refresh Users and click Edit. Tab 1: Description 1 In the Server Builder page, the following details are displayed under the Description tab: Name MLC Refresh Users Notes Refresh all users for all directories McAfee Logon Collector 3.0 Administration Guide 69

70 7 On-demand group and user refresh On-demand user refresh Schedule status The schedule of the task Enabled to enable an automatic refresh Disabled to disable an automatic refresh McAfee recommends that you avoid using the Disabled action. Figure 7-13 Server Builder page 2 Click Next to go to the Actions tab. 3 Click Save. Tab 2: Actions This tab shows the actions performed by Logon Collector. 70 McAfee Logon Collector 3.0 Administration Guide

71 On-demand group and user refresh On-demand user refresh 7 1 Under Actions field, MLC User Sync option is selected by default. Figure 7-14 Actions tab 2 Click Next. The Schedule tab opens. 3 Click Save. Tab 3: Schedule The Schedule tab enables you to change the scheduler settings for the task. 1 In the Schedule tab, enter the following details: Schedule Type Select any one of the following schedule types from the drop-down list: Hourly Monthly Daily Yearly Weekly Advanced McAfee recommends that you select the Daily option for Schedule Type. Start Date Select the date from when you want to start the task. End Date Select the date by when you want to stop the task. McAfee recommends that you select the No End Date option so that no end date is configured for the task. McAfee Logon Collector 3.0 Administration Guide 71

72 7 On-demand group and user refresh On-demand user refresh Schedule Click to add the new scheduled time. Click to remove existing scheduled time. At Select the At option from the drop-down list to run the task at a specific time. Between Select the Between option from the drop-down list to run multiple tasks in a specific range of time. Figure 7-15 Schedule tab McAfee recommends that you set the schedule time such that the MLC Group Refresh task starts at least 20 minutes before the MLC User Refresh task. 2 Click Save. Tab 4: Summary Go to the Summary page to view the following details: Name The name of the task Notes Any notes related to the task Owner The owner of the task Schedule Status The status of the scheduled task 72 McAfee Logon Collector 3.0 Administration Guide

73 On-demand group and user refresh On-demand user refresh 7 Schedule The details about start date, end date, time frame, and next run time of the scheduled task Actions The actions of the scheduled task such as MLC User Sync Figure 7-16 Summary Click Save. Option 3: View Use this option to view the settings for the refresh users. Select Menu Automation Server s. Select MLC Refresh Users and click View. The Server s Details page opens. This page displays the details of the user refresh action. Figure 7-17 Server Details page McAfee Logon Collector 3.0 Administration Guide 73

74 7 On-demand group and user refresh Server s Log Server s Log Select Menu Automation Server Log to view the group refresh and user refresh results of earlier executions. Figure 7-18 Server Log page 74 McAfee Logon Collector 3.0 Administration Guide

75 8 User 8 management This section gives the details of user management for administrative access to the Logon Collector itself. To add users to the Active Directory, use the normal Active Directory configuration mechanisms in Windows. Contents Manage users Manage permission sets Manage contacts Manage users You can add users to Logon Collector and specify what access they have to the system. Add or modify a user To add or modify a user: 1 Select Menu User Management Users. 2 Click New User to add, or click Actions Edit to modify. 3 Define the user. a Type a name for the user, or change the existing one. b c Specify whether the user is able to log on or not. You cannot disable the logon status of the last remaining global administrator. Select an authentication type. If you are modifying a user, first click Change Authentication or Credentials. For Logon Collector authentication, type a password and confirm it. For Windows authentication, type the user name and domain. d [Optional] Provide other details for the user: full name, address, phone number, and notes. McAfee Logon Collector 3.0 Administration Guide 75

76 8 User management Manage permission sets e Assign a permission set. Select Global administrator to provide complete access to the Logon Collector. Select a specific permission set or sets by clicking them. 4 Click Save. See also Manage permission sets on page 76 Delete a user To delete a user: 1 Select Menu User Management Users. 2 Select a user or users by selecting the checkbox next to the contact name. 3 Select Actions Delete. Manage permission sets A permission set is a group of permissions, divided into sections that can be granted to any user by assigning it to a user s account. One or more permission sets can be assigned to any user that is not a global administrator. Global administrators have all permissions to all features. Permission sets grant permissions only no permission set ever removes a permission. See also Active Directory User login on page 34 Add or modify a user on page 75 Create a query group on page 82 Create permission sets Use this task to create a permission set. 1 Select Menu User Management Permission Sets, then click New Permission Set. 2 Type a name for the permission set and select the users to which the set is assigned. 3 Click Save. 4 Select the new permission set from the Permission Sets list. Its details appear to the right. 5 Click Edit next to any section from which you want to grant permissions. 6 On the Edit Permission Set window that appears, select the appropriate options, then click Save. 7 Repeat for all desired sections of the permission set. 76 McAfee Logon Collector 3.0 Administration Guide

77 User management Manage contacts 8 Delete permission sets Use this task to delete a permission set. If the permission set has users assigned to it, those users will lose the permissions granted to them. You must be a global administrator to perform this task. 1 Select Menu User Management Permission Sets, then select the permission set that you want to delete in the Permission Sets list. Its details appear to the right. 2 Click Actions Delete. The Action pane informs you whether any users are assigned to the permission set and gives you the opportunity to cancel the action. 3 Click OK in the Action pane. The permission set no longer appears in the Permission Sets list. Duplicate permission sets Use this task to duplicate a permission set. Duplicating a permission set creates an in-memory copy of the selected permission that can be modified and saved with another name. You must be a global administrator to perform this task. 1 Select Menu User Management Permission Sets, then select the permission set that you want to edit in the Permission Sets list. Its details appear to the right. 2 Click Actions Duplicate, type a New name in the Actions pane, then click OK. 3 Select the new duplicate in the Permission Sets list. Its details appear to the right. 4 Click Edit next to any section for which you want to grant permissions. 5 On the Edit Permission Set window that appears, select the appropriate options, then click Save. 6 Repeat for all sections of the permission set for which you want to grant permissions. Manage contacts To make selecting recipients for reports and data easier, Logon Collector provides a Contacts feature where you can define names and address for contacts. See also Define export criteria on page 86 McAfee Logon Collector 3.0 Administration Guide 77

78 8 User management Manage contacts Add or modify a contact To add or modify a contact: 1 Click Menu User Management Contacts. 2 Click New Contact to add, or click Actions Edit to modify. 3 Type a name for the user, or change the existing one. The contact must include a name, and you can select either a first name only, a last name only, or both. 4 Type an address. 5 Click Save. Delete a contact To delete a contact: 1 Click Menu User Management Contacts. 2 Select a user or users by clicking the checkbox next to the contact name. 3 Click Actions Delete. 78 McAfee Logon Collector 3.0 Administration Guide

79 9 Reporting This section gives the details about the status of the product to verify that components are running as expected. Contents About the Status page View who is logged on View the audit log Manage audit log queries Define filter criteria Define export criteria View dashboards About the Status page Use the Status page to verify that components are running as expected. A round Status indicator is located beside each component. Components and statuses are described in the following table. For all systems, a green status indicator indicates that the system is operating correctly. Table 9-1 System components The system component Reports on Yellow status indicates Green status indicates Red status indicates ID Manager {iam} overall system status. one or more of the component statuses are yellow. Working fine One or more of the following components are red: Login Acquisition Manager Id Replication Manager Login State Manager Id Data Store Check specific components to identify the cause of the component failure. Check specific components to identify the cause of the component failure. Login Acquisition Manager lam current state of queries to domain controllers. one or more domains are yellow or red. Working fine All domains are red. McAfee Logon Collector 3.0 Administration Guide 79

80 9 Reporting View who is logged on Table 9-1 System components (continued) The system component ID Replication Manager Login State Manager {lsm} Reports on status of the Identity Replication to the clients. whether the Login State Manager initialized correctly. Yellow status indicates Green status indicates Red status indicates Not applicable Working fine An exception has occurred. A brief message describing the exception is provided. Check the Logon Collector logs to further identify the cause of failure. Not applicable Working fine Initiation failed. Check the Logon Collector logs to identify the cause of failure. ID Data Store {idds} statistics on the number of objected stored. Not applicable Working fine Initiation failed. Check the Logon Collector logs to identify the cause of failure. ID Resolution {pnd} Logon Flow {logons} Cluster Manager {cluster} whether queries for user information from Active Directory have been serviced after a logon is detected. how many logons have been detected within last minute. the health of cluster and the messages being exchanged between the cluster members. there are more than 1000 logons in the pending queue waiting for user information to be resolved. no logons have been detected in the last hour. Not applicable Working fine Working fine that the cluster manager is working fine. No red status. No logons have been detected in the last twelve hours. The communication between the cluster members is down or one of the cluster members is not available. See also View dashboards on page 87 View who is logged on Logon Collector provides a report of the IP addresses that a user is using. To view who is currently logged on and to what IP address: 1 Select Menu Reporting Logon Report. 2 [Optional] To search on a particular IP address or user name, type the value into the Quick find field, then click Apply. 80 McAfee Logon Collector 3.0 Administration Guide

81 Reporting View the audit log 9 3 [Optional] Configure the display of columns: a b c Select Actions Choose Columns. Align the columns by clicking a left or right arrow to move the column. Remove a column by clicking the X button. Reset your changes by clicking Use Default. s Export report of who is logged on on page 81 Export report of who is logged on Before you begin You can save reports of who is logged on and them. To a report of who is logged on: 1 Select Menu Reporting Logon Report. 2 Specify the contents of the report by applying filters as desired. 3 Select Actions Export Table. View the audit log Before you begin Logon Collector provides an audit log report that lists the changes made to the server configuration. To view the audit log: 1 Select Menu User Management Audit Log. 2 [Optional] Define an advanced filter. 3 [Optional] Select a pre-defined filter from the drop-down list. 4 [Optional] Click an audit log entry to see the information for a single row displayed as rows instead of columns. 5 [Optional] Configure the display of columns: a b c Select Actions Choose Columns. Align the columns by clicking a left or right arrow to move the column. Remove a column by clicking the X button. Reset your changes by clicking Use Default. McAfee Logon Collector 3.0 Administration Guide 81

82 9 Reporting Manage audit log queries s Export the audit log on page 82 See also Define filter criteria on page 85 Export the audit log You can save specific views of the audit log and them. To an audit log: 1 Select Menu User Management Audit Log. 2 Specify the contents by applying filters as desired. 3 Select Actions Export Table. See also Server on page 34 Define filter criteria on page 85 Define export criteria on page 86 Manage audit log queries Audit log queries enable you to retrieve specific views of the audit log instead of the more simple view available. Queries against the audit logs are grouped into private and shared groups. Create a query group 1 Select Menu Reporting Queries. 2 Select Group Actions New Group. 3 Type a name to identify the group. 4 Specify the group s visibility. Private group appears in My Groups. Public group appears in Shared Groups. By permission set appears in Shared groups but accessible only to those that are assigned the selected permission sets. See also Manage permission sets on page McAfee Logon Collector 3.0 Administration Guide

83 Reporting Manage audit log queries 9 Delete a query group 1 Click a group name. 2 Select Group Actions Delete Group. 3 Click OK to confirm the deletion. Edit a query group 1 Click a group name. 2 Select Group Actions Edit Group. 3 Change the name of the group, and optionally the group s visibility. 4 Click Save. Create audit log queries To create an audit log query: 1 Select Menu Reporting Queries. 2 Click New Query, then click Next to begin the Query Wizard. 3 Define the chart type. a Select the type of chart by clicking it. b c Configure the chart. The available options differ depending on the type of chart you select. Click Next to proceed in the query wizard. 4 Configure the display of columns. a Align the columns by clicking a left or right arrow to move the column. b c Remove a column by clicking the X button. Click Next to proceed in the query wizard. 5 [Optional] Configure filters. 6 Click Run. The query is run and the results are displayed. 7 [Optional] Click Edit Query to adjust criteria. 8 When you are satisfied with the report, click Save. McAfee Logon Collector 3.0 Administration Guide 83

84 9 Reporting Manage audit log queries 9 Finish configuring the query: a b c Type a name to identify the query. [Optional] Type notes to describe the query. Assign the query to a query group. Define a new group or select from the list of existing groups. 10 Click Save. The query appears on the main Queries window. You may need to clear the Quick find text box. Import audit log queries Before you begin You can save your audit log queries outside the Logon Collector as files, and then import them into the Logon Collector. To import a query as a file: 1 Select Menu Reporting Queries. 2 Select Actions Import Query. 3 Click Browse to navigate to the file that contains your audit log query. 4 Assign the query to a query group. Define a new group or select from the list of existing groups. 5 Click Save. The query appears on the main Queries window. You may need to clear the Quick find text box. Query actions Before you begin To apply Actions to queries: 84 McAfee Logon Collector 3.0 Administration Guide

85 Reporting Define filter criteria 9 1 Select the checkbox next to the desired query, or click the Queries checkbox at the top to apply an action to all queries. 2 Select an action from the list. Select this action Delete Duplicate Edit Export Data Export Query Definition To do this Delete the selected queries. For single queries only, create a duplicate of the selected query. In the Duplicate window, type a new name for the query, and assign the query copy to a query group. For single queries only, enables you to alter the properties that affect the results for the selected query. Export the results of the selected queries as an attachment. For single queries only, export the query definition as an XML file. In the Opening query window, specify whether to open the file with an XML application, or save the file. The file is saved according to the path defined for your web browser. Import Query Move to Different Group New Query Run View Query SQL Import a query stored as a file. Move the selected queries to a different group. Create a new query. Execute the query and view the results. For single queries only, view the selected query as a SQL statement. s Import audit log queries on page 84 Create audit log queries on page 83 See also Define export criteria on page 86 Define filter criteria Filter criteria are available when you select: The Boolean Pie Chart type Next after step 3 of the Query Wizard Advanced Filter for Audit Log Available properties are Action, Completion Time, Details, Priority, Start Time, Success, and User Name. McAfee Logon Collector 3.0 Administration Guide 85

86 9 Reporting Define export criteria To manage criteria for the filter: 1 Click the right arrow in the Available Properties column to activate that property. 2 [Optional] Click the plus sign at the end of the Property row to create an additional comparison item. 3 By default, an additional item is evaluated with an OR operator. Click and in the and/or box to change this. 4 [Optional] Click the left arrow next to the Property to remove it from consideration. 5 Click OK, or Update Filter depending on how you arrived at the filter criteria. See also View the audit log on page 81 Export the audit log on page 82 Define export criteria When you choose to export data or a table, you must define the format of the exported file. 1 Select an export action: For a query, select Export Data. For a Logged On report, or Audit Log, select Export Table. 2 Review the information to be exported. For queries, the names of the queries are listed. For a Logged On report, a unique identifier and the number of data items are displayed. 3 [Optional] Select Zip the output files to compress the report. 4 Select a file format from CSV, XML, HTML, and PDF. For PDF, also specify a page size, page orientation, optionally select to show filter criteria, and optionally specify cover page text. 5 Configure the . You must already have a configured server. a b c Specify recipients by typing them, or by selecting them from a dialog box. Type a subject line. Add text for the body of the message. 6 Click Export. See also Export the audit log on page 82 Query actions on page 84 Server on page 34 Manage contacts on page McAfee Logon Collector 3.0 Administration Guide

87 Reporting View dashboards 9 View dashboards The Dashboards user interface option is not applicable for Logon Collector 2.1. See also About the Status page on page 79 McAfee Logon Collector 3.0 Administration Guide 87

88 9 Reporting View dashboards 88 McAfee Logon Collector 3.0 Administration Guide

89 10 Integration with other McAfee products This chapter discusses about the integration of McAfee Logon Collector with other McAfee products. Every client (product) connecting to Logon Collector must have different certificates with unique Common Name. This ensures that more than two clients can seamlessly connect to Logon Collector. Contents Integration with McAfee Next Generation Firewall Integration with McAfee Firewall Enterprise Integration with McAfee Firewall Enterprise Control Center Integration with McAfee Network Security Manager Integration with McAfee Data Loss Prevention Integration with McAfee Next Generation Firewall McAfee Next Generation Firewall (NGFW) with McAfee Logon Collector improves user identification for access control by user. Integration with NGFW provides the following benefits: Support Active Directory (AD) domains High Availability using a primary and secondary Logon Collector server Monitoring of logon events from Microsoft Exchange Servers in addition to monitoring events from the domain controller (DC). Integration requirements for McAfee Next Generation Firewall The following list gives the details of the integration requirements: Logon Collector version 3.0 Next Generation firewall version 5.8 and later. Upgrade path If you are a Next Generation Firewall user and wish to upgrade to Logon Collector 3.0, perform these high-level steps: 1 Upgrade Logon Collector 2.2 to Logon Collector Upgrade Next Generation firewall to the new version that has the Logon Collector 3.0 support. The following sections provide you the steps to configure the integration with Next Generation Firewall. Export SMC certificate McAfee Logon Collector 3.0 Administration Guide 89

90 10 Integration with other McAfee products Integration with McAfee Next Generation Firewall You should export SMC certificate for communicating with MLC. 1 In SMC, navigate to Configuration Administration Expand Other Elements Internal Certificate Authorities. 2 Right click on StoneGate CA and select Properties. 3 In the Certificate tab click Export. 4 Copy the exported certificate to a local folder. Import SMC certificate to MLC Perform the following steps to import the SMC certificate to MLC. 1 In MLC, navigate to Menu Trusted CA New Authority Import Certificate. 2 Click Browse and select the certificate that you copied earlier from SMC. Export Certificate from MLC You should export the certificate from MLC and copy it to the SMC server. In the MLC, perform the following steps: 1 Navigate to Menu Server Settings Identity Replication Certificate. 2 From the Base 64 field, copy and paste the certificate to a notepad file. After pasting in the notepad, ensure that you type -----BEGIN CERTIFICATE----- at before the beginning of the certificate. And also type -----END CERTIFICATE----- after the end of the certificate. If you do not add these lines, it will cause fingerprint error when you upload the certificate in SMC. 3 Copy and paste the certificate to a local location. Configure Next Generation Firewall to MLC You should configure the Next Generation Firewall to the MLC. 1 Navigate to Configuration Security Engine Other Elements Engine Properties. 2 Right click on User Agents and navigate to New Logon Collector. 3 In the Name field, type the name for the Logon Collector. 4 Type the IP address of Logon Collector in the IP Address field and click OK. 5 In the Certificate tab, click Import and select the certificate copied from the MLC server. 6 Select the Next Generation Firewall that should be configured to the MLC. 7 Right click on the Next Generation Firewall and navigate to Edit Firewall Add-Ons User Agent. 90 McAfee Logon Collector 3.0 Administration Guide

91 Integration with other McAfee products Integration with McAfee Firewall Enterprise 10 8 In the User Agent drop-down list select the MLC that you configured in Step 3 and 4. 9 Click Save and upload. Verify MLC connection After configuring the Next Generation Firewall to MLC, perform the following steps to verify MLC connection. 1 In the System Status page, select the Firewall node. 2 Click on the Appliance Status tab. 3 MLC connection status displays the status in green when the MLC connection is up. You can also verify the logged in users from MLC, by navigating to Monitoring Users FW. Integration with McAfee Firewall Enterprise You can use Passive Passport in McAfee Firewall Enterprise to allow matching users to connect without prompting for authentication. If your organization uses Microsoft Active Directory, each user is defined as an Active Directory object. The firewall monitors the authentication status, group membership, and current IP address of each user by communicating with the McAfee Logon Collector software, which is installed on a Windows server. Users are authenticated by the Active Directory server. They are not prompted for authentication by the firewall. Integration requirements The following list gives the details of the integration requirements: Logon Collector version 3.0 Firewall Enterprise version 8.x and later Upgrade path If you are a Firewall Enterprise user and wish to upgrade to Logon Collector 3.0, perform these high-level steps: 1 Upgrade Logon Collector 2.2 server to Logon Collector 3.0 server. 2 Upgrade Firewall Enterprise to the new version that has the Logon Collector 3.0 client. Passive identity validation You can use Passive Passport to allow matching users to connect without prompting for authentication. The following high-level tasks must be performed to use Passive Passport: 1 Define users on an Active Directory server. 2 Install Logon Collector on a Windows server. You can choose to skip this step if you have already installed Logon Collector. McAfee Logon Collector 3.0 Administration Guide 91

92 10 Integration with other McAfee products Integration with McAfee Firewall Enterprise Control Center 3 On the Firewall Enterprise Passport window, enable Passive Passport and configure the connection between the Firewall Enterprise and Logon Collector. 4 In the Rule Properties window for access control rules or SSL rules, allow connections for selected users and groups based on organizational criteria. See also Install Logon Collector on page 13 Configure Passive Passport Configure the Passive Passport using the Firewall Enterprise Admin Console. Refer to the McAfee Firewall Enterprise Product Guide for details. Integration with McAfee Firewall Enterprise Control Center When integrated with McAfee Firewall Enterprise Control Center, Logon Collector polls Active Directory domain controllers for user characteristics, and sends this information to either or both the appliances to correlate network traffic with user behavior. Further, to minimize the burden placed on a domain controller by Security Event Log queries (using WMI), the Logon Collector or Logon Monitor contacts the domain controller on behalf of McAfee appliances that require the Security Event Log information. Integration requirements The following list gives the details of the integration requirements: Logon Collector version 3.0 Firewall Enterprise Control Center version 5.x and later Upgrade path If you are a Control Center user and wish to upgrade to Logon Collector 3.0, perform these high-level steps: 1 Upgrade Logon Collector 2.2 server to Logon Collector 3.0 server. 2 Upgrade Control Center to the new version that has the Logon Collector 3.0 client. Refer to the section, McAfee Logon Collector in the McAfee Firewall Enterprise Control Center Product Guide to integrate Logon Collector and Control Center. Integration with McAfee Network Security Manager McAfee Network Security Manager is a browser-based user interface used to view, configure, and manage McAfee Network Security Sensor appliance deployments. Together with the Sensor and the Manager, Mcafee Network Security Platform provides comprehensive network intrusion detection and can block, or prevent, attacks in real time, making it truly an intrusion prevention system (IPS). It is built for the accurate detection and prevention of intrusions, denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, and network misuse. The Manager can display a variety of information about the hosts inside and outside a network. 92 McAfee Logon Collector 3.0 Administration Guide

93 Integration with other McAfee products Integration with McAfee Network Security Manager 10 The Logon Collector integrates with the Manager to display user names of the hosts in your IPS and NTBA deployments. The Logon Collector provides an out-of-band method to obtain user names from the Active Directories. Benefits This integration helps to provide information about source and destination users. User groups for Sensor These are the number of user groups supported for different Sensor models. Sensor model Supported user groups 8.0 Sensors 8.1 and above Sensors M-series up to 2,000 up to 10,000 NS-series up to 2,000 Version 8.0 is not applicable to NS7x00 Sensors. up to 10,000 Virtual IPS up to 2,000 Not Applicable Important terms This section describes the important terms associated with this integration. Identity Acquisition Agent (IAA) Identity Acquisition Agent (IAA) is deployed on the Network Security Platform side and is used as an interface to listen to the message service where the updates are published by the Logon Collector server. McAfee Network Security Manager MLC Listener McAfee Network Security Manager MLC Listener is the registered listener that regularly receives new updates from the Logon Collector through IAA. Integration requirements The following list gives the details of the integration requirements: Logon Collector version 3.0 McAfee Network Security Manager version and later Upgrade path If you are a McAfee Network Security Manager user and wish to upgrade to Logon Collector 3.0, perform these high-level steps: 1 Upgrade Logon Collector 2.2 server to Logon Collector 3.0 server. 2 Upgrade McAfee Network Security Manager to the new version that has the Logon Collector 3.0 client. McAfee Logon Collector 3.0 Administration Guide 93

94 10 Integration with other McAfee products Integration with McAfee Network Security Manager How Logon Collector - McAfee Network Security Manager integration works Logon Monitors of the Logon Collector can be used to poll nearby domain controllers and forward collected information on to the Logon Collector, shortening the distance domain controller communication must travel. Identity Acquisition Agent (IAA) is deployed on the McAfee Network Security Manager side and is used as an interface to listen to the message service where the updates are published by the Logon Collector server. IAA listens to the Logon Collector Active Message Queue (MQ) service and regularly receives new updates from the Logon Collector server. A listener for receiving the updates is registered with the IAA. The registered listener regularly receives new updates from the Logon Collector through IAA. All IP to user bindings data are loaded into a newly created McAfee Network Security Manager cache for the first time. The cache is subsequently updated with the differences on subsequent updates. As all the other components of the McAfee Network Security Manager can query the McAfee Network Security Manager cache, it is not required to communicate with the Logon Collector server each time an update happens. The McAfee Network Security Manager and Logon Collector can co-exist in the same server. However, McAfee does not recommend this co-existence as it can hamper the performance depending on the flow of traffic. You do not need a special passphrase or license key to install the Logon Collector software. Configuration details for Logon Collector integration This section gives the configuration details for the integration between McAfee Network Security Manager and Logon Collector server. Configure integration at the admin domain level You can enable the integration between the McAfee Network Security Manager and the Logon Collector server at the admin domain level. 1 Navigate to Manage Integration Logon Collector The Enable page is displayed. 2 To enable the MLC integration, select the Enable MLC Integration checkbox. 94 McAfee Logon Collector 3.0 Administration Guide

95 Integration with other McAfee products Integration with McAfee Network Security Manager 10 3 Enter the Server Name or IP Address and Server Port details. Figure 10-1 Enable Logon Collector 4 To complete the integration, you have to synchronize the certificates between the MLC console and the Manager. Click the Export to file link to export the Manager certificate to MLC. 5 To import the MLC certificate, select Upload MLC Certificate, import the certificate from the location by clicking Choose File. 6 Click Save. To test the connection, click Test Connection. Establishment of trust between Network Security Manager and Logon Collector server Logon Collector communicates with the McAfee Network Security Manager through a two-way SSL authentication. This requires the exchange of certificate between the McAfee Network Security Manager and the Logon Collector server. Import the Manager certificate into Logon Collector Export the Manager certificate, save the file to your local directory, and import the file to Logon Collector. Refer to the McAfee Network Security Manager documentation for exporting the Manager certificate. 1 In the Logon Collector console, select Menu Configuration Trusted CAs. 2 Click New Authority to open the New Trusted Authority window. 3 Select Import From File, then click Browse to add the exported file saved in your local directory. You can also use the Copy/Paste Certificate option. 4 Click Save. Import the Logon Collector certificate By default, Logon Collector is pre-installed with a self-signed certificate. If you have a different certificate signed by a CA, you can import this certificate and replace the existing Logon Collector certificate. McAfee Logon Collector 3.0 Administration Guide 95

96 10 Integration with other McAfee products Integration with McAfee Data Loss Prevention 1 In the Logon Collector console, select Menu Configuration Server Settings. 2 In the Settings Categories section, click Identity Replication Certificate. 3 Upload the Logon Collector certificate. a Copy the Logon Collector certificate from the Logon Collector console and paste it in a newly created file in your local directory. b c Under Import Certificate section, click Upload MLC Certificate in the New MLC Certificate option. Select Upload MLC Certificate, then click Browse to add the Logon Collector certificate from your local directory. If the existing Logon Collector certificate is changed, the clients connecting to Logon Collector like Firewall Enterprise, Network Security Manager need to import the new Logon Collector certificate Display of Logon Collector details in the Threat Analyzer You can view user information received from the McAfee Logon Collector server in Threat Analyzer. Refer to the McAfee Network Security Manager documentation for details. Display of Logon Collector details in Network Security Manager reports Manager reports display the user information received for Logon Collector. Refer to the McAfee Network Security Manager documentation for details. Integration with McAfee Data Loss Prevention McAfee Data Loss Prevention (NDLP or McAfee DLP) is delivered through the low-maintenance appliance for streamlined deployment, management, updates, and reports. It provides complete data security, data protection outside network, and easy deployment and management. Historically, McAfee DLP Manager has been linked to SAMAccountName as the main user identification element. But if that attribute is applied to users in the same domain who have similar or matching user names, they cannot be positively identified. McAfee DLP now keys on the unique alphanumeric SID (Security Identifier) that is assigned to each user account by the Windows domain controller. For example, the user name jsmith might belong to John Smith or Jack Smith, so more information would be needed to distinguish between those two users. Those individuals might even be using the same IP address, which would aggravate the problem of discovering the identity of the actual user. But each account on an Active Directory server is made up of attributes that identify the individual who owns the account. Logon Collector matches the unique SIDs that are assigned to each Active Directory user to IP addresses, and all of the parameters associated with that SID are extracted when Logon Collector moves binding updates from the Active Directory server to McAfee DLP. Because SAMAccountName was used to index data in earlier releases, that information might be lost during ad hoc searches when the user has upgraded to 9.0, or when the data residing in the capture database pre-dates the upgrade. 96 McAfee Logon Collector 3.0 Administration Guide

97 Integration with other McAfee products Integration with McAfee Data Loss Prevention 10 Integration requirements The following list gives the details of the integration requirements: Logon Collector version 3.0 McAfee DLP version 9.x and later Upgrade path If you are an McAfee DLP user and wish to upgrade to Logon Collector 3.0, perform these high-level steps: 1 Upgrade Logon Collector 2.2 server to Logon Collector 3.0 server. 2 Upgrade McAfee DLP to the new version that has the Logon Collector 3.0 client. Using Active Directory User elements All Active Directory elements are treated as word queries, and can be directed to specific LDAP servers. When these elements are used in a query, columns supporting the parameter are configured in the search window and on the dashboard. Each of the user elements retrieves the attributes listed. Parameters available User Name user's name, alias, department, location User Groups user's group User City user's city User Country user's country User Organization user's company or organization Using McAfee DLP on remote LDAP servers The ability to monitor user traffic on Active Directory servers now has been extended to directory servers, making global user management a reality. The ability of McAfee DLP 9.0 to connect to multiple domain controllers makes this possible. Not only is data on local networks captured, but it is extended to all traffic on up to two LDAP servers. When users can be recognized by name, group, department, city or country, a McAfee DLP administrator can extract a great deal of significant information by using a few seminal facts to gradually gather more details about potential violations. How Logon Collector is used with McAfee DLP Suppose you know that your company has lost intellectual property to a firm in X country, and you suspect that the leak came from an insider in your branch of Y city. Because McAfee DLP captures all traffic on your company's network, you can add an Active Directory server that contains the user account of that insider to McAfee DLP Manager, then search for the UserName of that individual and monitor his communications. McAfee Logon Collector 3.0 Administration Guide 97

98 10 Integration with other McAfee products Integration with McAfee Data Loss Prevention You might then search his communications for the name of the lost component, and then find the address and geographical location of users outside the company who might have received the information. You might not know what will be in those communications, but you can use what you find to ask the next logical question. Logon Collector can be configured with McAfee DLP Manager to resolve user identities by retrieving collections of user account information from all Active Directory servers that have been added to the McAfee DLP system. If your McAfee DLP Manager is configured with Logon Collector and an Active Directory server, endpoint protection can be extended to directory servers managing users all over the world. If you do not know the user's name, you can gradually develop his identity by searching for users in the Y city, searching the user groups in your Engineering division, and identifying a sub-group that might contain the user. How Logon Collector enables user identification Logon Collector is used to map IP addresses to user identities within Active Directory servers. Without it, users may be hard to identify because they may be logged into different or multiple workstations. IP addresses change when DHCP servers automatically assign new addresses, and more than one user might be logged on to the same workstation. When a Logon Collector is configured with an McAfee DLP Manager, it resolves user identities by retrieving collections of user account information from all Active Directory servers that have been added to the McAfee DLP system. Supporting multiple domain controllers means that large-scale enterprise operations can be served by McAfee applications. For McAfee DLP, that means that after Logon Collector is enabled, McAfee DLP administrators can configure Active Directory-based queries and rules to find out what activities specific users are engaging in on the network. Setting up Logon Collector Before you begin Before Logon Collector can be used with McAfee DLP, an Active Directory server must be added to McAfee DLP Manager. Then secure communications must be established between McAfee DLP and Logon Collector. To complete the SSL connections: 1 Export a certificate from Logon Collector. 2 Import the Logon Collector certificate into McAfee DLP Manager. 3 Export a certificate from McAfee DLP. 4 Import the McAfee DLP certificate into Logon Collector. 5 Restart Logon Collector. After these steps are complete, secure communications between McAfee DLP and Logon Collector are enabled, and data on Active Directory servers is available for searching and rule construction. 98 McAfee Logon Collector 3.0 Administration Guide

99 Integration with other McAfee products Integration with McAfee Data Loss Prevention 10 Authenticating McAfee DLP Manager and Logon Collector Before you begin Use this method to connect McAfee DLP to a Logon Collector so that certificates can be exchanged, authenticating each to the other. When the process is complete, an SSL connection will be set up between them. 1 Open a web browser and log on to the Logon Collector. 2 In the Logon Collector server, select Menu Configuration Server Settings Identity Replication Certificate. 3 Scroll to the bottom of the page. 4 Select and copy all text in the Base 64 field. 5 Open a web browser and log on to the McAfee DLP Manager. 6 Select System Directory Services. 7 Select Add a McAfee Logon Collector from the Actions menu. 8 Type the IP address of the Logon Collector. 9 Click the paste radio button and paste the text into the box. Save this Base 64 data to a text file on your desktop so you can re-use it. 10 Click Apply. 11 Click Export to save the Network McAfee DLP certificate to your desktop. 12 Open a web browser and type in the address of the Logon Collector. 13 Select Menu Configuration Trusted CA. 14 Click New Authority. 15 Go to the netdlp_certificate.cer file you saved to your desktop. 16 Click Open. 17 Click Save. This adds the McAfee DLP Manager to Logon Collector. 18 Open a Remote Desktop session on the Logon Collector server. 19 Shut down and restart the Logon Collector server. The connection is now complete. McAfee Logon Collector 3.0 Administration Guide 99

100 10 Integration with other McAfee products Integration with McAfee Data Loss Prevention 100 McAfee Logon Collector 3.0 Administration Guide

101 11 Scalability This chapter describes the details of the performance limits supported by the Logon Collector. Scalability details Listed below are the performance limits for the Logon Collector: Fields Numbers Users up to 2,00,000 Groups up to 35,000 The total objects(users and groups) should not exceed more than Logon rate Clients up to 150 up to 1200 logon events per minute McAfee Logon Collector 3.0 Administration Guide 101

102 11 Scalability Scalability details 102 McAfee Logon Collector 3.0 Administration Guide

103 12 Troubleshooting 12 This chapter gives the information that may assist you with solving a problem. Contents Verify the domain credentials Create a non-administrator account to access the security event log on a domain controller Logon Monitor logs Logon Collector logs Error uninstalling SQL database instance for Logon Collector Configure Database Settings page to connect to the SQL server Ports used by Logon Collector High memory usage of lsass.exe Saved group filter configuration Verify the domain credentials This section describes how to verify that the credentials you specify for a domain are correct and have sufficient privileges to connect to a domain controller using the Logon Collector. The domain controllers you access must be logging security events. Test your credentials by using the wbemtest.exe tool to connect to a domain controller and run several queries. If you are unable to specify credentials for an administrator account, you can use a non-administrator account on the domain controller. The administrator account that you intend to use to access the domain controller MUST be in the same domain from which you want to obtain identities. Successful execution of the queries verifies that the credentials, which you specified have sufficient privileges for accessing the following on the domain controller: security event log CPU performance WMI connection DCOM connection Connect to a domain controller Follow the steps below to use the wbemtest.exe tool to connect to a domain controller. These instructions only work if the Logon Collector is run on a remote computer and will not work if the Logon Collector is run on local domain controller. McAfee Logon Collector 3.0 Administration Guide 103

104 12 Troubleshooting Verify the domain credentials 1 Open a command prompt and navigate to \Windows\System32\WBEM. 2 Run wbemtest.exe: C:\Windows\System32\WBEM> wbemtest The Windows Management Instrumentation Tester window appears. Figure 12-1 Windows Management Instrumentation Tester window 104 McAfee Logon Collector 3.0 Administration Guide

105 Troubleshooting Verify the domain credentials 12 3 Click Connect to display the Connect window. Figure 12-2 Connect window 4 Specify the following information: Option unlabeled connection User password Authority Locale Impersonation level How to interpret empty password level Definition \\<dc_name>\root\cimv2 The user name to authenticate to the domain controller. The associated password. Leave this field blank. Leave this field blank. Select Impersonate. Select NULL. Select Packet privacy. McAfee Logon Collector 3.0 Administration Guide 105

106 12 Troubleshooting Verify the domain credentials 5 Click Connect to proceed. If the message Access Denied appears, you may have mis-typed the credentials, or the user account does not have the necessary privileges. Try re-typing the credentials, and verify the user account is properly set up. If you are not using an administrator account, you can use a non-administrator account on the domain controller. The Windows Management Instrumentation Tester window changes to display IWbemServices and Method Invocation Options. Figure 12-3 Windows Management Instrumentation Tester window Successfully authenticating to the domain controller and viewing the above window means the Logon Collector has access to WMI and DCOM connections. 6 Run each of the following queries: CPU performance query Success with this query means the Logon Collector has access to CPU performance on the domain controller. back log query Success with this query means the Logon Collector has access to the security event log. forward log notification query Success with this query means the Logon Collector has access to the security event log. You must successfully execute the CPU performance query and either one of the log queries to verify that you have the correct credentials and therefore, sufficient access privileges. Run a CPU performance query Follow these instructions to run a CPU performance query. 106 McAfee Logon Collector 3.0 Administration Guide

107 Troubleshooting Verify the domain credentials 12 1 Connect to a domain controller. 2 Click Query. 3 Type the following query: SELECT * FROM Win32_PerfRawData_PerfOS_Processor WHERE Name= _Total Figure 12-4 CPU performance query 4 Click Apply to view the query results. Figure 12-5 Query Result window 5 Click Close when the query functionality is proven successful by displaying the contents of the screen shot above. 6 Run the other queries if you have not already done so. Run a back log query Follow these instructions to run a back log query. McAfee Logon Collector 3.0 Administration Guide 107