Symantec Enterprise Security Manager Installation Guide. Version 9.0.1

Transcription

1 Symantec Enterprise Security Manager Installation Guide Version 9.0.1

2 Enterprise Security Manager Installation Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version Legal Notice Copyright 2009 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-control, Enterprise Security Manager, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS , Rights in Commercial Computer Software or Commercial Computer Software Documentation, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

3 Symantec Corporation Stevens Creek Blvd. Cupertino, CA

4 Technical Support Symantec Technical Support maintains support centers globally. Technical Support s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec s maintenance offerings include the following: A range of support options that give you the flexibility to select the right amount of service for any size organization Telephone and Web-based support that provides rapid response and up-to-the-minute information Upgrade assurance that delivers automatic software upgrade protection Global support that is available 24 hours a day, 7 days a week Advanced features, including Account Management Services For information about Symantec s Maintenance Programs, you can visit our Web site at the following URL: Contacting Technical Support Customers with a current maintenance agreement may access Technical Support information at the following URL: Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem. When you contact Technical Support, please have the following information available: Product release level Hardware information Available memory, disk space, and NIC information Operating system

5 Version and patch level Network topology Router, gateway, and IP address information Problem description: Error messages and log files Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes Licensing and registration Customer service If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: Customer service information is available at the following URL: Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization Product registration updates, such as address or name changes General product information (features, language availability, local dealers) Latest information about product updates and upgrades Information about upgrade assurance and maintenance contracts Information about the Symantec Buying Programs Advice about Symantec's technical support options Nontechnical presales questions Issues that are related to CD-ROMs or manuals

6 Maintenance agreement resources If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows: Asia-Pacific and Japan Europe, Middle-East, and Africa North America and Latin America Additional enterprise services Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following: Symantec Early Warning Solutions Managed Security Services Consulting Services Educational Services These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur. These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats. Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources. Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs. To access more information about Enterprise services, please visit our Web site at the following URL: Select your country or language from the site index.

7 Contents Technical Support... 4 Chapter 1 Planning for installation About planning for installation About Symantec Enterprise Security Manager (ESM) About Symantec ESM architecture About policies About scalability About policy run disk space requirements About CPU utilization Virtualization support for ESM Chapter 2 Chapter 3 Upgrading the Symantec Enterprise Security Manager Upgrading Symantec ESM About backward compatibility About preserving user data Preserving the customized ".m" files Silently upgrading the Symantec ESM console, the manager, and the agent Upgrading Symantec ESM console Upgrading the ESM manager and the agent Silently upgrading the Symantec ESM manager and the agent Upgrading Symantec ESM agent Checking remote agent upgrade status Silently upgrading the Symantec ESM agent Upgrading Symantec ESM utilities Installing Symantec ESM managers and agents on Windows About installing Symantec ESM components Before you install Symantec ESM About licensing managers... 32

8 8 Contents System requirements for Windows computers Support for internationalization-compatible computers Configuring and editing the disclaimer Installing the ESM components by using the ESM Suite Installer Silently installing the console, the manager, and the agent Installing the Symantec ESM console by using the Suite Installer Silently installing the ESM console Installing the Symantec ESM console by using the Console Installer Installing the ESM manager and the agent by using the Suite Installer Silently installing the manager and the agent Installing the Symantec ESM agent by using the Agent Installer Silently installing and registering an ESM agent Error codes for silent installation or registration failure of an ESM agent Using the Encryption tool Installing the Symantec ESM utilities Post-installation tasks Registering the Symantec ESM agents Configuring the Symantec ESM console About setting the Web browser Changing LiveUpdate configuration for a Symantec ESM agent Changing a Symantec ESM agent port Uninstalling Symantec ESM from a local computer Silently uninstalling the ESM console Uninstalling Symantec ESM from Windows Server 2008 Core Uninstalling Symantec ESM utilities Chapter 4 Installing Symantec ESM managers and agents on UNIX About installing Symantec ESM components About licensing managers System requirements for UNIX computers Supported UNIX operating systems Support for internationalization-compatible computers Installing Symantec ESM on UNIX computers Silent installation of Symantec ESM on UNIX Installing Symantec ESM utilities... 77

9 Contents 9 Post-installation tasks Appendix A Symantec ESM communications About Symantec ESM communications security About Symantec ESM communication ports Appendix B System assessment checklist About system assessment checklists Console checklist Manager checklist Agent checklist... 89

10 10 Contents

11 Chapter 1 Planning for installation This chapter includes the following topics: About planning for installation About Symantec Enterprise Security Manager (ESM) About scalability Virtualization support for ESM About planning for installation Symantec ESM collects and evaluates security-related information from agent computers on the network. A large network with many agent computers generates a large volume of security-related information. Symantec ESM can process security information from multiple agents more efficiently in a large network environment when the agents are grouped into domains. The domains group computers on the network into units with common rules and procedures. You can then manage computers by domain rather than manage an individual computer. Domains can be defined to reflect the geographical location of agent computers, or defined to correspond to the functional areas of the organization. Domains can also be defined to reflect the installation of specific security policies on computers. Let us take a scenario that describes the grouped agents according to physical location. A company site includes two buildings. The site supports 600 Symantec ESM agent computers that are located in both buildings. Each building houses different departments. For employees who are located in different areas, the company groups the employees according to their respective departments. Different company security policies cover the employees in each building. Different security

12 12 Planning for installation About Symantec Enterprise Security Manager (ESM) personnel are assigned in each building. This scenario has a clear delineation of staff, duties, and policies by physical location without any overlap. Alternatively, there may be a scenario where the arrangement of security administration, company policies, and departments is not congruent. The physical location and management of each functional area is organized differently across geographical locations. Such a scenario is an example of grouping of agents into domains on the basis of the company security policy. About Symantec Enterprise Security Manager (ESM) Symantec ESM manages sensitive data and enforces security policies across a range of client-server platforms that includes the following: Microsoft Windows Sun Solaris IBM AIX HP-UX SuSE and Red Hat Linux Novell NetWare/NDS Symantec ESM secures information while ensuring confidentiality, integrity, and availability. Symantec ESM functions include the following: Manage security policies. Detect changes to security settings or files. About Symantec ESM architecture Evaluate and report computer conformity with security policies. Symantec ESM uses a manager-agent architecture to scale the product over the enterprise. This architecture lets Symantec ESM adapt to changes in network structure by adding new Symantec ESM agents for additional operating systems and platforms. Symantec ESM consists of three main components: agent, manager, and console (GUI).

13 Planning for installation About Symantec Enterprise Security Manager (ESM) 13 About the ESM console The console is one of the primary components of Symantec ESM. The console receives data and sends requests to the other Symantec ESM components. As the data returns, the console formats the information for display and creates spreadsheet reports, pie charts, bar charts, and other visual objects. The console can connect to any manager on the network across platforms. About Symantec ESM managers Symantec ESM managers perform the following functions: Control and store policy data, and pass the data to agents or to consoles. Gather and store security data from agents, and pass the data to consoles. About Symantec ESM agents The Symantec ESM agent gathers and interprets data about the security of a computer that a policy run request generates from a manager. Security modules in the policy analyze the configuration of the workstation, the server, or the computer node where the agent resides. The Security modules also analyze the configuration of the computer where the agent acts as a proxy. The agent server gathers the resulting data and returns the data to the manager that initiated the request. The manager responds by updating the appropriate files in its database. Modules are common to all agents. They contain the executables or security checks that do the actual checking at the server or the workstation level. Symantec provides frequent updates to the modules to protect network environments from unauthorized access, data corruption, and denial-of-service attacks. Symantec ESM groups its security checks into modules, and groups modules into policies. When a policy runs on an agent, the checks that are enabled in the modules examine the agent computer and report the detected vulnerabilities. Agents perform the following additional functions: Store snapshot files of computer-specific and user-account information. Make user-requested corrections to the files. Update the snapshot files when corrections occur. About Symantec ESM utilities The Symantec ESM utilities copy policies between managers and transfer the security information from the managers to an external database.

14 14 Planning for installation About Symantec Enterprise Security Manager (ESM) The following is a list of Symantec ESM utilities: Policy tool Database Conversion tool On large networks with several managers, the Policy tool provides an efficient way to standardize the settings of the enabled security checks, templates, and word lists. The Policy tool first exports policies from a selected manager, and then imports the policies to the other managers on the network. The policies that are imported to each new manager enable the same security checks as those of the source manager. The new managers and the source manager also share the same template and word list settings. The Database Conversion tool lets you transfer security data from the databases of managers that are running on supported Operating Systems to an external database. For example, you can transfer data from the database of a manager that is installed on Windows or UNIX systems to any of the following: Microsoft SQL server Oracle The transfer includes information about the following: Agents Domains Managers Policy run messages Message suppressions Message corrections Policy run reports About policies Symantec ESM groups its security checks into modules and groups its modules into policies. When a policy runs on an agent, the checks that are enabled in the modules examine the agent computer and report the detected vulnerabilities. Symantec ESM contains the following types of policies: Sample policies

15 Planning for installation About Symantec Enterprise Security Manager (ESM) 15 Standards-based policies Regulatory policies About sample policies Sample policies are included with Symantec ESM. These policies are already configured to assess a wide range of potential vulnerabilities. With a minimum amount of setup time, the sample policies let you prioritize security loopholes and fix them accordingly. You can discover and fix the most serious and the most easily corrected problems first, then move on to more complex problems and resolutions. Sample policies are not intended for long-term use. Every time you download a security update, the sample policies are overwritten that include the template and snapshot data and settings. About standards-based policies Standards-based policies are based on ISO and other industry standards. The policies come with preconfigured values, name lists, templates, and the word files that directly apply to the targeted operating system or application. Standards-based policies use the modules from Symantec ESM Security Updates to check OS patches and the various vulnerabilities on the targeted operating system or application. The standards-based policies may also introduce new templates and word lists to check the conditions that the supported standard requires. About regulatory policies Symantec ESM regulatory policies are based on governmental regulatory policies. You use them to assess compliance with the minimum requirements of each supported regulation. Regulatory policies come with preconfigured values, name lists, templates, and the word files that directly apply to the targeted operating system or application. They use the modules and templates from Symantec ESM Security Updates to check OS patches and the various vulnerabilities on the targeted operating system. Regulatory policies may also introduce new templates and word lists to check the conditions that the regulation requires.

16 16 Planning for installation About scalability About scalability Symantec conducted scalability tests using 100baseT networks to establish the scalability parameters for Symantec ESM. The Symantec ESM-base scalability tests determined the following: Minimum computer configuration. Maximum number of agents to register with a manager. Maximum number of agents to include in a policy run. The following table lists the number of agents that a Symantec ESM manager can scale to. The host computer must have the RAM and free disk space as indicated in the table for the Symantec ESM manager to scale. The minimum RAM requirement for ESM manager is 1 GB. Table 1-1 Symantec ESM manager scalability requirements Recommended RAM Maximum number of ESM agents registered to a manager Maximum number of ESM 6.x agents per policy run Maximum number of ESM agents per policy run 2 GB Symantec ESM managers that register a large number of agents may require several gigabytes of disk space to store policy run data. You can estimate the additional free disk space that the Symantec ESM manager requires to store policy run data. See About policy run disk space requirements on page 16. You can register up to 4000 agents for each Symantec ESM manager. However, the ESM console may take longer to update if you have more than 500 agents registered to a manager. About policy run disk space requirements Disk space requirements for policy run data vary based on the following: The number of agents in the policy runs The number of reports that you retain on the computer You can make the following calculations to estimate the additional disk space requirement for each policy run: Per policy run disk space = A*M*Msg* MSize Kilobytes

17 Planning for installation Virtualization support for ESM 17 Where: A = the number of agents on which the policy is to be executed. M = the number of modules per policy run. Msg = the expected number of messages that each module returns. MSize, a constant value = 13/100. For example, a single policy run with 10 modules is executed on 4000 agents and it returns 300 messages per module. Hence, the required disk space is (4000*10*300*13)/100 = KB, which is 1.49 GB. This requirement is in addition to the disk space that you must provide to install Symantec ESM on the computer. Note: Symantec ESM managers that register a large number of agents should have several gigabytes of free disk space to store the policy run data. About CPU utilization Symantec ESM processes do not take CPU resources from other processes. Higher priority processes can still obtain the CPU resources that they need. The Symantec ESM agents and the modules run at idle priority. This means that the operating system gives them CPU time only when other threads and processes are not in queue for input and output (I/O). When Symantec ESM processes run, the CPU can easily increase up to 100 percent utilization. This means that Symantec ESM processes use the available CPU cycles. Virtualization support for ESM The ESM components are currently supported on the following virtualized environments: The ESM console, manager, and agent on VMWARE virtualized environment for Windows. ESM manager and agent on Solaris 10 on both local and global zones. ESM manager, agent, and console on virtualized environment for VMWARE ESX servers. Virtual environments use more system resources than the physical environments do. If significant performance degradation occurs in a virtualized environment, try to recreate the issue in a physical environment. Doing so provides a benchmark for the performance.

18 18 Planning for installation Virtualization support for ESM If you face any issue while using ESM on VMWARE, recreate that issue on a physical computer. If the issue cannot be recreated on a physical computer, contact the VMWARE Technical Support. For more information and help, contact Symantec Technical Support.

19 Chapter 2 Upgrading the Symantec Enterprise Security Manager This chapter includes the following topics: Upgrading Symantec ESM Upgrading Symantec ESM console Upgrading the ESM manager and the agent Upgrading Symantec ESM agent Upgrading Symantec ESM utilities Upgrading Symantec ESM To use the new functions in this ESM release, you must upgrade the Symantec ESM software. You can upgrade to ESM only if you have ESM 9.0 installed on your computer. The Symantec ESM upgrade depends on the currently installed version and configuration of the ESM. The upgrade includes the following tasks: Install the 9.0 version of Symantec ESM on computers running Symantec ESM consoles. Install the 9.0 version of Symantec ESM on computers running Symantec ESM managers. Run LiveUpdate on a Symantec ESM console to ensure that the managers have the latest Symantec ESM security update or agent software.

20 20 Upgrading the Symantec Enterprise Security Manager Upgrading Symantec ESM Run Symantec ESM policies to ensure conformity with regulatory standards. Use the ESM console to edit the security checks, the templates, and the name lists in the latest security update to conform to company policy. You then run the ESM policy on a manager domain to update the updatable agents that are in the domain. If you run the policy on the All agents domain, the manager can update the updatable agents. You must upgrade the ESM console first, followed by the ESM managers, and then the ESM agents. For an ESM manager 9.0.1, you must have an ESM console with version or later. ESM agents with earlier versions are compatible with ESM manager Note: You cannot upgrade previous versions of ESM manager installation on AIX or HP-UX to ESM ESM does not support AIX or HP-UX platforms for ESM manager installations. You can install only ESM agents on AIX or HP-UX platforms. See Supported UNIX operating systems on page 71. If you have all the ESM components installed on one computer, then Symantec recommends that you maintain the same version for all the ESM components. During upgrade, the setup uninstalls the ESM components that you do not select for upgrade. For example, if you select the console and the manager for upgrade and do not select the utilities, the setup uninstalls the utilities during upgrade. About backward compatibility Symantec ESM managers are backward-compatible with Symantec ESM agents with version 6.0 or later. Symantec ESM agents that you register to a manager before an upgrade continue to function with the manager after the upgrade. Symantec does not support any other backward compatibility. When you upgrade a manager-only installation to ESM 9.0.1, Symantec ESM installs the agent on the same computer during the upgrade process. In such a scenario, you must register the new agent to the manager. Symantec ESM encrypts all internal communication between the managers and the agents. The Symantec ESM manager has the ability to adjust its encryption level to support the encryption level of the agent. For example, communication between a Symantec ESM manager and a Symantec ESM 6.0 agent uses the encryption level of the Symantec ESM 6.0 agent.

21 Upgrading the Symantec Enterprise Security Manager Upgrading Symantec ESM 21 About preserving user data Symantec ESM preserves customization when upgrading from an older version of Symantec ESM. Customization includes user modifications to policies, domains, templates, suppressions, and customized messages from the ".m" files. Note: Symantec ESM does not preserve.fmt files because they are obsolete. During the upgrade process, Symantec ESM does the following: Preserves any unexpired suppressions of security report items. Stores the template data in the \esm\template directory. During an upgrade, Symantec ESM preserves any modifications to the template files while it merges the new template information into the upgrade. Saves any changes that customize the policy database. These changes include the security checks that you enable in the security modules, as well as any changes to the name lists. Preserves the changes to the message database that result from changes to the ".m" files. Customized protection applies only to messages in the ".m" files. Security option information, such as the names of the security checks and the Help, have neither a customized flag nor the same protection. Overwrites the ".m" files. Overwriting of the ".m" files does not affect any customized messages, because the message database protects them. However, you lose the source of the customized messages. Preserves any changes that customize the Domains database. Preservation of the changes includes all agent registrations to the manager and the agent domains that you create on the manager. Symantec ESM agents continue to belong to the following domains: All agents domain Domain of the agent operating system (OS) For example, an ESM agent on a computer with Windows 2000 OS belongs to both the All agents domain and the Windows 2000 agents domain. Ports existing summary database information to the new sumfinal database on the manager. Converts the access records in the manager access database. You use the ESM console to do the following:

22 22 Upgrading the Symantec Enterprise Security Manager Upgrading Symantec ESM Add the access rights of all Symantec ESM manager accounts. Modify the access rights of all Symantec ESM manager accounts. Delete the access rights of all Symantec ESM manager accounts. You cannot add, modify, or delete the Symantec ESM superuser account. Replaces the registered manager information in a manager.dat file, which is located at the agent's \esm\config\folder. Agents register only with the manager that initiates the upgrade. You must register each agent to any other managers. Overwrites the other files in the \esm\config directory. Users must customize the new files. Preserving the customized ".m" files When you upgrade ESM or apply a new Security Update, the new ".m" files overwrite the existing ".m" files on the agent. The overwrite may result in loss of the customized files. You can preserve the ".m" files on the manager by changing the customized value of the modified messages to a "1" in the ".m" files. Note: You must restart the console to view the changes that you made in the ".m" file. Perform the indicated steps to preserve the customized ".m" files on the ESM manager. To preserve the customized ".m" files 1 If the Enterprise Security Manager version is or later, then open the ".m" file from the agent's \ESM\register\<platform name>\i18n folder. If the Enterprise Security Manager version is earlier than 6.5.2, then the location of the ".m" is \ESM\register\<platform name>. 2 Set the customized flag as 1 after you make the required changes in the message. 3 Re-register the modules or the agent to the manager by using following command: register -fav -m <manager name> -U <ESM username> -P <ESM user password> After you re-register the modules or the agent to the ESM manager, the customized ".m" file is stored in the manager with the changes that you have made. If you upgrade ESM or apply the latest SU, the ".m" files in the agents are overwritten. However, the ".m" file on the manager remains intact.

23 Upgrading the Symantec Enterprise Security Manager Upgrading Symantec ESM console 23 Silently upgrading the Symantec ESM console, the manager, and the agent You can use the Symantec ESM command-line options to silently upgrade the ESM components. The procedure to silently upgrade the ESM components is same as the procedure for silent installation of the components. See Silently installing the console, the manager, and the agent on page 38. Upgrading Symantec ESM console When you upgrade to the new version of the console, the Symantec ESM installer does the following: Takes a backup of the existing data. Uninstalls the earlier version of the ESM console. Installs the new version of the console. Restores the data. You can upgrade the ESM console by using any of the following: The ESM Suite Installer You must have the ESM 9.0 console installed if you want to upgrade to ESM console. The ESM Console Installer The ESM Console Installer supports upgrade from ESM console 6.5.x or later. The console installer aborts the installation process if you have a console with a version earlier than 6.5.x. In such a scenario, you can do one of the following to upgrade to ESM console: Use the ESM 9.0 Suite Installer and then select the ESM console component for upgrade. Upgrade the console to ESM 6.5 or later console, and then upgrade to ESM console by using the ESM Console Installer.

24 24 Upgrading the Symantec Enterprise Security Manager Upgrading Symantec ESM console To upgrade the ESM console by using the Suite Installer 1 Log on as an administrator to the computer on which you want to upgrade the ESM console. Alternatively, use a role that is equivalent to an administrator. 2 Insert the product disc into the drive. Note: If you want to configure the disclaimer for your console, then ensure that the Disclaimer.rtf file is present in the setup folder. See Configuring and editing the disclaimer on page Navigate to ESMInstaller\ESMSetupSuite and run the setup.exe. 4 On the prompt that informs you about the upgrade, click Yes. 5 In the Resuming the Setup Wizard panel, click Next. 6 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next. 7 In the Superuser Account Credentials panel, enter the credentials for the ESM manager account, and then click Next. The superuser credentials that you provide for ESM must be the same as the credentials of the ESM 9.0 superuser account. 8 In the Setup Wizard Completed panel, click Finish. To upgrade the ESM console by using the Console Installer 1 Log on as an administrator to the computer on which you want to install the ESM console. Alternatively, use a role that is equivalent to an administrator. 2 Navigate to the location where you have extracted the console installer. Note: If you want to configure the disclaimer for your console, then ensure that the Disclaimer.rtf file is present in the setup folder. See Configuring and editing the disclaimer on page Go to ESMInstaller\ESMConsole and run the setup.exe. 4 On the message prompt that asks for the upgrade confirmation, click Yes. 5 In the Welcome panel, click Next. 6 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.

25 Upgrading the Symantec Enterprise Security Manager Upgrading the ESM manager and the agent 25 7 In the Destination Folder panel, click Next to accept the default location for the ESM console setup. Alternatively, do the following in the given order and then click Next: In the Destination Folder panel, click Change. In the Change Current Destination Folder panel, select the folder where you want to store the console installer binaries. You may also create a new folder to store the console installer binaries. Click OK. 8 In the Disclaimer Options panel, enter the password for the Disclaimer.rtf file and then click Next. The Disclaimer Options panel appears if you have the Disclaimer.rtf file copied in the Symantec\ESMConsole folder to your local computer. 9 In the Ready to Install the Program panel, click Install. The Installing Symantec Enterprise Security Manager Console panel displays the progress of the upgrade procedure. 10 On the message prompt that informs you about the deletion of the ESM files and the folders, click Yes. When you upgrade to ESM console, the setup deletes the installation files of the previous version of the console. This operation is a part of the upgrade. 11 Check Launch ESM Console if you want to launch the ESM console immediately after the installation is complete. 12 Check Show Release Notes if you want to view the Symantec Enterprise Security Manager Release Notes after the installation is over. You must have Adobe Reader to view the Symantec Enterprise Security Manager Release Notes. 13 In the Setup Wizard Completed panel, click Finish. Upgrading the ESM manager and the agent You must have an ESM 9.0 manager installed on the computer before you upgrade to an ESM SP1 manager. An ESM manager is compatible with 6.x or later agents. ESM manager and agent installations reside on the same computer in ESM You cannot have separate installations of the manager and the agent in ESM

26 26 Upgrading the Symantec Enterprise Security Manager Upgrading Symantec ESM agent You locally upgrade a manager by installing the new version over the old version of ESM manager on the computer that runs the manager software. To upgrade an ESM manager and agent 1 Log on as an administrator to the computer on which you want to install the ESM manager. Alternatively, use a role that is equivalent to an administrator. 2 Insert the product disc into the drive. 3 Go to ESMInstaller\ESMSetupSuite and run the setup.exe. 4 On the prompt that informs you about the upgrade, click Yes. 5 In the Resuming the Setup Wizard panel, click Next. 6 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next. 7 In the Superuser Password panel, enter the Superuser account password, and then click Next. 8 The Installing Symantec Enterprise Security Manager Suite panel displays the progress of the installation. 9 In the Setup Wizard Completed panel, click Finish. Silently upgrading the Symantec ESM manager and the agent You can use the Symantec ESM command-line options to silently upgrade the ESM manager and the agent. The procedure to silently upgrade the manager and the agent is same as the procedure for silent installation of the manager and the agent. See Silently installing the manager and the agent on page 48. Upgrading Symantec ESM agent You can upgrade Symantec ESM agents by using one of the following methods: Local upgrade Remote upgrade Install the new version over the old version on the computer that runs the agent software. Use the Symantec ESM console. You should run LiveUpdate on the Symantec ESM console before you upgrade agents remotely. LiveUpdate ensures that the ESM manager has the most current Symantec security information.

27 Upgrading the Symantec Enterprise Security Manager Upgrading Symantec ESM agent 27 If you do not register the agent during local upgrade, you need to register the agent manually to its manager after the upgrade is complete. Also, before you upgrade the agents to ESM 9.0.1, you must move the agents to an ESM manager. See Installing the Symantec ESM agent by using the Agent Installer on page 50. You must apply the Signature Fix before you remotely upgrade the agents that have a version earlier than ESM to ESM Note: The Security Update level does not get updated if you remotely upgrade an ESM agent to ESM Symantec recommends that you apply SU 35 after a remote upgrade, if SU 35 is not already applied on the agent. To remotely upgrade a Symantec ESM agent 1 In the ESM console menu bar, click LiveUpdate. 2 In the LiveUpdate Wizard, click Directory path and click Browse. 3 In the Browse for Folder dialog box, navigate to the folder that contains the Agent folder in the product disk and then click OK. 4 In the LiveUpdate Wizard, click Next. 5 The LiveUpdate Wizard displays the managers that are connected to the console. Select the managers on which you want to copy the remote upgrade binaries and then click Next > OK. 6 In the Symantec ESM console, in the Enterprise tree, right-click an agent or an agent in a domain, and then click Remote upgrade. 7 In the Upgrade Staus panel, click Close after the upgrade is complete. To remotely upgrade agents in a domain 1 In the ESM console menu bar, click LiveUpdate. 2 In the LiveUpdate Wizard, click Directory path and click Browse. 3 In the Browse for Folder dialog box, navigate to the folder that contains the Agent folder in the product disk and then click OK. 4 In the LiveUpdate Wizard, click Next. 5 The LiveUpdate Wizard displays the managers that are connected to the console. Select the managers on which you want to copy the remote upgrade binaries and then click Next > OK.

28 28 Upgrading the Symantec Enterprise Security Manager Upgrading Symantec ESM utilities 6 In the Symantec ESM console, in the Enterprise tree, right-click a domain and then click Remote upgrade. 7 In the Upgrade Staus panel, click Close after the upgrade is complete. You can double-click an agent's name to display additional information about the agent's upgrade status. Checking remote agent upgrade status You can disconnect the console from a manager during a remote agent upgrade without affecting the upgrade process. Like policy runs, the ESM manager controls the agent software upgrades. If you reconnect the console, you can monitor the progress of an agent upgrade. Agents that have not started to upgrade are displayed with a white status. Agents that are running the upgrade are available. Agents that successfully upgrade change to a green status. Agents that fail to upgrade change to a red status. To check the status of an agent upgrade 1 Right-click a manager, and then click Check remote upgrade status. 2 Double-click an agent's name to display additional information about the agent's upgrade status. Silently upgrading the Symantec ESM agent You can use the Symantec ESM command-line options to silently upgrade the ESM agent. The procedure to silently upgrade the ESM agent is same as the procedure for silent installation of the agent. See Silently installing and registering an ESM agent on page 52. Upgrading Symantec ESM utilities To upgrade an older version of the Symantec ESM utilities, you must install the new version. The procedure to upgrade the ESM utilities is same as the procedure for installation of the ESM utilities. See Installing the Symantec ESM utilities on page 59.

29 Chapter 3 Installing Symantec ESM managers and agents on Windows This chapter includes the following topics: About installing Symantec ESM components System requirements for Windows computers Configuring and editing the disclaimer Installing the ESM components by using the ESM Suite Installer Installing the Symantec ESM console by using the Suite Installer Installing the Symantec ESM console by using the Console Installer Installing the ESM manager and the agent by using the Suite Installer Installing the Symantec ESM agent by using the Agent Installer Installing the Symantec ESM utilities Post-installation tasks About installing Symantec ESM components You can install Symantec ESM managers, agents, consoles, and utilities on the computers that meet the system requirements. See System requirements for Windows computers on page 32.

30 30 Installing Symantec ESM managers and agents on Windows About installing Symantec ESM components You must have the ESM 9.0 components installed on your computer to install the ESM components. Symantec distributes Symantec ESM software on a product disc. To access this software, at least one computer with a Windows operating system must have access to a disk drive. Symantec locates the programs for each product on the disc according to the following directory structures: Content_Updates Documentation UNIX_Package Windows_Package Reporting_DatabaseLink The installation process includes the following tasks: Start the Symantec ESM installer. Install the ESM manager, agent, console, and utilities. You can install the manager, the agent, the console, and the utilities by using the ESM Suite Installer. Use the ESM Agent Installer to install only the ESM agent. Note: Remote installation of the agents is not supported from ESM 9.0 onwards. You must have the following rights on the computer on which you want to install Symantec ESM: Administrative privileges to access system resources. Write permissions on the path that you have selected to install Symantec ESM. Permissions to read, modify, and update registry data. Before you install Symantec ESM You must have the ESM 9.0 console and the manager installed on the computer before you install the ESM console and the manager. However, you can install the ESM agents even if you do not have the ESM 9.0 agents installed on the computer. The installation process of Symantec ESM on Windows consists of the following tasks: Install the ESM console.

31 Installing Symantec ESM managers and agents on Windows About installing Symantec ESM components 31 Install the ESM manager. Install the ESM agents that report to the ESM manager. Register the agents to the manager. Install the Symantec ESM utilities. Symantec ESM consoles are supported on Windows platforms only. Symantec ESM managers are supported on Windows and UNIX platforms. Perform the following tasks before installing Symantec ESM components on Windows computers. Symantec ESM console Install Java runtime environment (JRE) 1.5.0_15 or later. Prepare the Disclaimer.rtf if you want a disclaimer to be launched before you launch the ESM console. See Configuring and editing the disclaimer on page 35. Symantec ESM managers and agents Select the computers on which you want to install Symantec ESM manager and agent software. Obtain access to an account with administrator privileges on each selected computer. Select the Symantec ESM managers to which you want to register each Symantec ESM agent. Ensure that the following ports are not in use by any other application: List the following: Name/IP/FQDN of the host computer Name and password of a manager account that has privileges to register Symantec ESM agents The port number for each Symantec ESM manager to which you plan to register a Symantec ESM agent Select a password for the Symantec ESM superuser account on each manager. The superuser account has all of the privileges in Symantec ESM. You should choose a password with six or more characters including at least one non-alphabetical character. Manager account passwords can have up to 32 characters.

32 32 Installing Symantec ESM managers and agents on Windows System requirements for Windows computers Install MDAC 2.7 on the computer on which you plan to install ESM by using the ESM Suite Installer. The MDAC version that you install must be version or later. You can verify the MDAC version from the file version of the msado15.dll, which resides at the following location: \Program Files\Common Files\System\ado\msado15.dll Go to the following URL to download MDAC : familyid=b41304ca-874f-421d f179779a4&displaylang=en Symantec ESM utilities Select the computers on which you want to install the Symantec ESM utilities. Obtain access to accounts with administrator privileges on the computers that have Windows operating systems. Upgrade the Symantec ESM managers that are on the network to version 6.5 or later. The ESM Policy tool cannot run with earlier versions of Symantec ESM manager software. Install Java 1.5.0_15 if you plan to use the Database Conversion tool with ORACLE 9i and the native ORACLE drivers. You can choose to install Java 1.4.x as part of the default installation. About licensing managers Each Symantec ESM manager requires a permanent license to operate completely. Agents and consoles do not require licenses. Managers can register agents up to the number that is specified at the time of license distribution. To later register additional agents to the manager, you must change the manager s allocation by using the Enterprise License feature from the ESM console. You can install the ESM manager without a license. Without a license, the manager installs with limited functionality. For full functionality, you must assign a license using the Enterprise License feature from the ESM console. The license of the ESM 9.0 manager is maintained in ESM manager. You can continue with the same licenses that are allocated to the ESM 9.0 managers even after you upgrade to ESM managers. For information on how to assign a license to ESM Manager, see the Enterprise Security Manager User Guide. System requirements for Windows computers The Windows computers that have the ESM components installed must meet the minimum hardware requirements.

33 Installing Symantec ESM managers and agents on Windows System requirements for Windows computers 33 Table 3-1 lists the minimum hardware requirements for ESM consoles on Windows computers. Table 3-1 Hardware Physical memory Hard disk space Virtual memory CPU Network speed Hardware requirements for ESM consoles on Windows Minimum requirement 512 MB 75 MB 1 GB 1.33 GHz 10 Mbps Table 3-2 lists the minimum hardware requirements for ESM managers on Windows computers. Table 3-2 Hardware Physical memory Hard disk space Virtual memory CPU Network speed Hardware requirements for ESM managers on Windows Minimum requirement 2 GB 25 GB 3.5 GB 2.8 GHz (Xeon/x86/Opteron/Itanium) 100 Mbps Table 3-3 lists the minimum hardware requirements for ESM agents on Windows computers. Table 3-3 Hardware Physical memory Hard disk space Virtual memory CPU Network speed Hardware requirements for ESM agents on Windows Minimum requirement 512 MB 450 MB 1 GB 1.33 GHz 100 Mbps

34 34 Installing Symantec ESM managers and agents on Windows System requirements for Windows computers Table 3-4 lists the required operating systems and service packs for ESM manager, agent, and console. Table 3-4 Symantec ESM Manager Console Utilities Agent Supported operating systems and service packs for ESM manager, agent, and console Operating systems Windows Server 2003 or Windows Server 2003 with Service Pack 1 or 2, Intel (x86), Opteron (x64), Itanium (IA64), and EM64T (x64) Windows Server 2008 Core and GUI, Intel (x86), Opteron (x64), Itanium (IA64), and EM64T (x64) Virtual machine on ESX Server 3.x Windows Server 2003 or Windows Server 2003 with Service Pack 1 or 2, Intel (x86) Windows XP Professional or Windows XP Professional with Service Pack 2 or later Windows Vista, Windows Vista with Service Pack 1, Intel (x86), Opteron (x64), and EM64T (x64) Windows Server 2003 Windows XP Professional Windows 2000 Professional, Server, or Advanced Server with service pack 1.0 or later Windows 2000 Professional, Server, or Advanced Server with service pack 1.0 or later Windows Server 2003 or Windows Server 2003 with Service Pack 1 or 2, Intel (x86), Opteron (x64), EM64T (x64), and Itanium (IA 64) Windows XP Professional with Service Pack 1 or later Windows Vista, Windows Vista with Service Pack 1, Intel (x86), Opteron (x64), and EM64T (x64) Windows Server 2008 Core and GUI, Intel (x86), Opteron (x64), Itanium (IA64), and EM64T (x64) Virtual machine on ESX Server 3.x Support for internationalization-compatible computers Table 3-5 contains the languages and the locales that ESM supports in a heterogeneous environment.

35 Installing Symantec ESM managers and agents on Windows Configuring and editing the disclaimer 35 Table 3-5 Language German Spanish French Italian English Supported languages and locales Locale Germany Spain France Italy US On an internationalization-compatible computer, you must have the same character set for all the ESM components on the supported Windows and UNIX operating systems. For example, consider the following scenario: You have the UTF-8 character set for an ESM manager, which is installed on a French Operating System. When you register agents to the ESM manager, the character set for the agents must also be UTF-8. If you have different character sets, the components fail to establish communication between each other. Note: The ESM components that you install on the internationalization-compatible computers must have HI-ASCII character set. Configuring and editing the disclaimer You must create the Disclaimer.rtf file and use the file during upgrade if you want a disclaimer to be displayed before you launch the console. The Disclaimer.rtf is a configurable file and you can have customized information in the disclaimer as per the requirements of your organization. Before you upgrade the console to ESM 9.0.1, you must copy the ESMSetupSuite folder from the product disc and save it on your local computer. Alternatively, save the ESMSetupSuite folder in a shared folder in your network. To configure the disclaimer, you must edit the "DISCLAIMER_PASSWORD=" parameter in any of the following files to enter a valid password: ConsoleSilentInstallSample.bat Manager&ConsoleSilentInstallSample.bat

36 36 Installing Symantec ESM managers and agents on Windows Configuring and editing the disclaimer Note: You have to provide the same password if you want to change the disclaimer.rtf file contents in the future. You require the ConsoleSilentInstallSample.bat file to silently upgrade the console. The Manager&ConsoleSilentInstallSample.bat file silently upgrades the ESM manager and the console. The.bat files are present at the ESMSetupSuite\example folder. You can edit the disclaimer as per your need. However, to be able to modify the disclaimer, you must have an administrator's rights on the computer where you have the console installed. Note: The disclaimer must be in the Rich Text File format. If you do not want to configure a disclaimer, you have to delete the "DISCLAIMER_PASSWORD=" parameter from the ConsoleSilentInstallSample.bat file or the Manager&ConsoleSilentInstallSample.bat file. You also have to delete the disclaimer.rtf file from the ESMSetupSuite folder before you proceed with the upgrade. If the disclaimer file gets corrupted due to any reason, you must create a new Disclaimer.rtf. You have to use the Modify option in the setup wizard for an interactive upgrade of the console to use the newly created Disclaimer.rtf file. To configure the disclaimer during a silent upgrade of the ESM console 1 Open a WordPad and create a disclaimer.rtf file with the disclaimer information and save it in the ESMSetupSuite folder. The ESMSetupSuite folder must be present on your local computer or in a shared folder in your network. 2 Go to ESMSetupSuite\example and copy the appropriate.bat file that you require to silently upgrade the console, or the console and the manager. 3 Save the.bat file in the ESMSetupSuite folder. 4 In the.bat file, type your password for the Disclaimer.rtf file in the "DISCLAIMER_PASSWORD=" field. 5 Execute a silent upgrade of ESM console. See Silently upgrading the Symantec ESM console, the manager, and the agent on page 23.

37 Installing Symantec ESM managers and agents on Windows Installing the ESM components by using the ESM Suite Installer 37 To configure the disclaimer for an interactive upgrade of ESM console 1 Open a WordPad and create a disclaimer.rtf file with the disclaimer information and save it in the ESMSetupSuite folder. The ESMSetupSuite folder must be present on your local computer or in a shared folder in your network. 2 Execute an interactive upgrade of the ESM console or all the ESM components. The installation wizard displays the Disclaimer Option panel if you save the Disclaimer.rtf file in the ESMSetupSuite folder on your local computer. 3 In the Disclaimer Options panel, type the password for the Disclaimer.rtf file. 4 Execute an upgrade of the ESM console. See Upgrading Symantec ESM on page 19. To edit the disclaimer 1 Create a new.rtf file that contains the modified disclaimer information and save in your local computer. 2 On the ESM console menu bar, click Edit > Configure Disclaimer. 3 In the Configure Disclaimer dialog box, do the following: In the Password to change the file text box, enter your disclaimer password. The password must be the same as the password that you enter in the Disclaimer Option panel or in the DISCLAIMER_PASSWORD field of the.bat file. Click the browse option to navigate to the location where you have saved the.rtf file and then click OK. An error message is displayed if you select the Disclaimer.rtf file that is currently in use. Installing the ESM components by using the ESM Suite Installer You should begin the installation of Symantec ESM components by starting the Symantec ESM Suite Installer. The Suite Installer lets you install all the ESM components. However, you can select the components that you want to install from the Custom Setup panel of the install wizard. The Symantec ESM Suite Installer installs the components in the order in which they are listed on the Custom Setup panel.

38 38 Installing Symantec ESM managers and agents on Windows Installing the ESM components by using the ESM Suite Installer You cannot install the ESM console or the ESM manager if you do not have ESM 9.0 installed on your computer. You must be a built-in administrator on the computer to install ESM console on Windows Vista. You also have to have write access on the esm.mdb file to launch the console. If you do not have write permissions on the esm.mdb file, then an administrator must grant you the write permission. Note: An ESM manager is compatible only with an ESM console. ESM manager is compatible with ESM 6.0 or later agents. To install the console, the manager, and the agent by using the ESM Suite Installer 1 Log on to the computer on which you want to install the Symantec ESM as an administrator. Alternatively, use a role that is equivalent to an administrator. 2 Insert the product disc into the drive. 3 Go to ESMInstaller\ESMSetupSuite and run the setup.exe. 4 On the prompt that informs you about the upgrade, click Yes. 5 In the Resuming the Setup Wizard panel, click Next. 6 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next. 7 In the Superuser Account Credentials panel, enter the credentials for the ESM manager account, and then click Next. The superuser credentials that you provide for ESM must be the same as the credentials of the ESM 9.0 superuser account. 8 In the Disclaimer Option panel, enter a password for the Disclaimer.rtf file, and then click Next. The Disclaimer Option panel is displayed only if you have created and saved the Disclaimer.rt file in the console install directory. 9 In the Setup Wizard Completed panel, click Finish. See Configuring and editing the disclaimer on page 35. Silently installing the console, the manager, and the agent You can use Symantec ESM command-line options to perform a silent installation of the ESM components. The command-line options let you install the ESM console, the manager, and the agent on local computers without any prompts for user inputs.

39 Installing Symantec ESM managers and agents on Windows Installing the ESM components by using the ESM Suite Installer 39 To silently install the console, the manager, and the agent 1 Log on as administrator to the computer on which you want to install the console, the manager, and the agent. Alternatively, use a role that is equivalent to an administrator. 2 Copy the ESMSetupSuite folder and the Documentation folder from the product disc to a network installation folder or to a local folder. 3 Copy the Manager&ConsoleSilentInstallSample.bat file from the Examples folder in the product disc. Save the Manager&ConsoleSilentInstallSample.bat file in the local folder where you have saved the ESMSetupSuite folder. 4 Right-click the Manager&ConsoleSilentInstallSample.bat file, and then click Edit. 5 Specify the parameters of <COMMANDLINE>. Table 3-6 lists the command-line options to silently install the ESM console, the manager, and the agent. Table 3-6 Option /s Command-line options to silently install the ESM console, the manager, and the agent Description Perform the installation in silent mode. /v"<command LINE>" /qn /l*v <LOG FILE> <COMMAND LINE> is the parameter to pass on to the ESM installer. Perform the installation without GUI. Use the most verbose logging and write the output to the specified log file. Log on to for more log options. /le <LOG FILE> INSTALLDIR=<DIRECTORY> ADDLOCAL=ESMManager EXECUTEACTION=INSTALL Log errors only. Specify the directory where you want to install the ESM console, manager, and the console. Install ESM console, manager, and the console. Set the installation mode.

40 40 Installing Symantec ESM managers and agents on Windows Installing the ESM components by using the ESM Suite Installer Table 3-6 Option Command-line options to silently install the ESM console, the manager, and the agent (continued) Description PASSWORD=<PASSWORD> Specify the Superuser Password. A Superuser Account ESM is created with administrative privileges for the ESM manager. The password must fulfill the following criteria: The password must contain at least six characters. The password must contain at least one non-alphabetical character. The password must not contain the following special characters: space, tab - & ; ( ) < > REGAGENTLIST=[{mgr spec 1},{mgr spec 2},...{mgr spec n}] List of managers to which you want to register the agent. mgr spec has the following comma-delimited list of information: Manager name Logon name Logon password LURADIOGROUP=2 Specify the type of LiveUpdate (1 - disable, 2 - enable from all managers, 3 - enable from selected managers) LUALLOWEDMGRS=mgr1,mgr2,...,mgrn Comma-delimited list of managers to allow LiveUpdate for the agents. This option is ignored unless LURADIOGROUP is 3. EDITCONSOLEUSERNAME=ESM EDITCONSOLEPASSWORD=<password> This property is ignored if you upgrade ESM console from a previous version. Retain the ESM console user account credentials from the previous version.

41 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM console by using the Suite Installer 41 Table 3-6 Option Command-line options to silently install the ESM console, the manager, and the agent (continued) Description CHECKBOXINSTALLLIVEUPDATE=1 Set the value to 1 if you want to install the Symantec LiveUpdate server and register ESM to the LiveUpdate server. Set the value to 0 if you do not want to install the Symantec LiveUpdate server. For example, setup.exe /s /v"/qn /l*v \"%TEMP%\SymantecESMManagerConsoleInstall.log\" INSTALLDIR=\"C:\Program Files\Symantec\Enterprise Security Manager\" EXECUTEACTION=INSTALL EDITMANAGERUSERNAME=ESM PASSWORD=esm4now REGAGENTLIST=[{dev-imr50-2,esm,esm4now,1,default,5600}] LURADIOGROUP=2 LUALLOWEDMGRS=dev-imr50-2 EDITCONSOLEUSERNAME=ESM EDITCONSOLEPASSWORD=esm4now CHECKBOXINSTALLLIVEUPDATE=1 REINSTALL=ALL" Installing the Symantec ESM console by using the Suite Installer Symantec Enterprise Security Manager lets you install the console on Windows computers that meet the system requirements. If you intend to install the Report Viewer tool, you should install the Symantec ESM utilities before you install the console. You can install the ESM console by using the Suite Installer on Windows computers that meet the system requirements. See System requirements for Windows computers on page 32. Note: You must have the ESM 9.0 console installed on your computer to upgrade to ESM console. You must be a built-in administrator on the computer to install ESM console. Alternatively, you can use a role that is equivalent to an administrator. You also have to have write access on the esm.mdb file to launch the console. If you do not have write permissions on the esm.mdb file, then an administrator must grant you the write permissions. The installation process consists of the following:

42 42 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM console by using the Suite Installer Starting the Symantec ESM Suite Installer. Installing the Symantec ESM console. To install the Symantec ESM console by using the Suite Installer 1 Log on to the computer on which you want to install the Symantec ESM as an administrator. Alternatively, use a role that is equivalent to an administrator. 2 Insert the product disc into the drive. Note: If you want to configure the disclaimer for your console, then ensure that the Disclaimer.rtf file is present in the setup folder. See Configuring and editing the disclaimer on page Go to ESMInstaller\ESMSetupSuite and run the setup.exe. 4 On the prompt that informs you about the upgrade, click Yes. 5 In the Resuming the Setup Wizard panel, click Next. 6 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next. 7 In the Superuser Account Credentials panel, enter the credentials for the ESM manager account, and then click Next. The superuser credentials that you provide for ESM must be the same as the credentials of the ESM 9.0 superuser account. 8 In the Setup Wizard Completed panel, click Finish. Silently installing the ESM console You can use Symantec ESM command-line options to perform a silent installation of the ESM console. The command-line options let you install the console on local computers without any prompts for user inputs. You can perform a silent installation of the ESM console by using the Suite Installer or by using the Console Installer.

43 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM console by using the Suite Installer 43 To silently install the ESM console by using the Suite Installer 1 Log on as administrator to the computer on which you want to install the Symantec ESM console. Alternatively, use a role that is equivalent to an administrator. 2 Copy the ESMSetupSuite folder and the Documentation folder from the product disc to a network installation folder or to a local folder. Symantec ESM provides you with a.bat file that you can use to perform a silent installation of only the ESM console. In f you want to perform a silent installation of the console, then copy the ESMConsole folder and the Documentation folder to a network installation folder or to a local folder. 3 Copy the ConsoleSilentInstallSample.bat file from the Examples folder to the folder where you have saved the setup.exe. 4 Right-click the ConsoleSilentInstallSample.bat file and click Edit. 5 Specify the parameters of COMMANDLINE. Table 3-7 lists the command-line options for silent installation of the ESM console. Table 3-7 Option /s Command-line options for silently installing the ESM console by using the Suite Installer Description Run the installation in silent mode. /v"<command LINE>" /qn /l*v <LOG FILE> <COMMAND LINE> is the parameter to pass on to the ESM installer. Run the installation with no GUI Use the most verbose logging and write the output to the specified log file. Log on to for more log options. /le <LOG FILE> INSTALLDIR=<DIRECTORY> ADDLOCAL=ESMConsole EXECUTEACTION=INSTALL Log errors only. Specify the directory where you want to install the ESM console. Install ESM console. Set the installation mode.

44 44 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM console by using the Suite Installer Table 3-7 Option Command-line options for silently installing the ESM console by using the Suite Installer (continued) Description EDITCONSOLEUSERNAME=ESM EDITCONSOLEPASSWORD=<password> CHECKBOXINSTALLLIVEUPDATE=1 DISCLAIMER_PASSWORD=<password> This property is ignored when you upgrade ESM Console from a previous version. Retains the ESM console User Account credentials. Set the value to 1 if you want to install Symantec LiveUpdate Server and register Symantec ESM to the LiveUpdate Server. Specify the password that is required to modify the Disclaimer.rtf file after the Symantec ESM console installation. For example, setup.exe /s /v"/qn /l*v \"%TEMP%\SymantecESMConsoleInstall.log\" INSTALLDIR=\"C:\Program Files\Symantec\Enterprise Security Manager\" ADDLOCAL=ESMConsole EXECUTEACTION=INSTALL EDITCONSOLEUSERNAME=ESM EDITCONSOLEPASSWORD=esm4now CHECKBOXINSTALLLIVEUPDATE=1" To silently install the ESM console by using the Console Installer 1 Log on as administrator to the computer on which you want to install the console. Alternatively, use a role that is equivalent to an administrator. 2 Copy the ESMConsole folder and the Documentation folder to a network installation folder or to a local folder. 3 Copy the ConsoleSilentInstallSample.bat file from the Examples folder in the product disc. Save the ConsoleSilentInstallSample.bat file in the local folder where you have saved the Symantec ESM Enterprise Console folder. 4 Right-click the ConsoleSilentInstallSample.bat file, and then click Edit. 5 Specify the parameters of <COMMANDLINE> and then double-click the ConsoleSilentInstallSample.bat file. Table 3-8 lists the command-line options for silent installation of the ESM console.

45 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM console by using the Console Installer 45 Table 3-8 Option /s Command-line options for silently installing the ESM console by using the Console Installer Description Run the installation in silent mode. /v"<command LINE>" /qn /l*v <LOG FILE> <COMMAND LINE> is the parameter to pass on to the ESM installer. Run the installation with no GUI Use the most verbose logging and write the output to the specified log file. Log on to for more log options. /le <LOG FILE> INSTALLDIR=<DIRECTORY> EXECUTEACTION=INSTALL EDITCONSOLEUSERNAME=ESM EDITCONSOLEPASSWORD=<password> CHECKBOXINSTALLLIVEUPDATE=1 DISCLAIMER_PASSWORD=<password> Log errors only. Specify the directory where you want to install the ESM console. Set the installation mode. This property is ignored when you upgrade ESM Console from a previous version. Retains the ESM console User Account credentials. Set the value to 1 if you want to install Symantec LiveUpdate Server and register Symantec ESM to the LiveUpdate Server. Specify the password that is required to modify the Disclaimer.rtf file after the Symantec ESM console installation. Installing the Symantec ESM console by using the Console Installer You can install the ESM console by using the Console Installer on Windows computers that meet the system requirements. See System requirements for Windows computers on page 32. You must be a built-in administrator on the computer to install ESM console. Alternatively, you can use a role that is equivalent to an administrator.

46 46 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM console by using the Console Installer The installation process consists of the following: Starting the Symantec ESM Console Installer. Installing the Symantec ESM console. Note: The ESM Console Installer aborts the installation if you already have a console that was installed by using the ESM Suite Installer. The configuration of the ESM components that are already installed on your computer is not modified when you install the console by using the Console Installer. After the console installation is complete, the installation logs for the ESM console are created in the %Temp% folder. You may have two entries of the console on your local computer in the following scenario: You have installed the ESM console by using the Console Installer and then you install the other ESM components by using the Suite Installer. To avoid two entries of the console on the same computer, do not select the console component in the Custom Setup panel of the Suite Installer. To install the Symantec ESM console by using the Console Installer 1 Log on to the computer on which you want to install the ESM console as an administrator. Alternatively, use a role that is equivalent to an administrator. 2 Navigate to the location where you have extracted the console installer on your local computer. Note: If you want to configure the disclaimer for your console, then ensure that the Disclaimer.rtf file is present in the setup folder. See Configuring and editing the disclaimer on page Go to ESMInstaller\ESMConsole and run the setup.exe. 4 In the Welcome panel, click Next. 5 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next. 6 In the Destination Folder panel, click Next to accept the default location for the ESM console setup. Alternatively, do the following in the given order and then click Next: In the Destination Folder panel, click Change.

47 Installing Symantec ESM managers and agents on Windows Installing the ESM manager and the agent by using the Suite Installer 47 In the Change Current Destination Folder panel, select the folder where you want to store the installation files of the console. You may also create a new folder to store the installation files. Click OK. To set up the console account In the Console Initial Account Credentials panel, provide the credentials for the ESMconsole account. The credentials that you specify here are used when you launch the console for the first time. To install LiveUpdate In the InstallLiveUpdateDialog panel, check InstallLiveUpdateandregister Symantec ESM Console with LiveUpdate server if you want to install LiveUpdate now. To enable the disclaimer option for console In the Disclaimer Options panel, enter the password for the Disclaimer.rtf file and then click Next. The Disclaimer Options panel appears if you have the Disclaimer.rtf file saved in the Symantec\ESMConsole folder on your local computer. To complete the installation 1 In the Ready to Install the Program panel, click Install. The Installing Symantec Enterprise Security Manager Console panel displays the progress of the installation. 2 Check Launch ESM Console if you want to launch the ESM console immediately after the installation is complete. 3 Check Show Release Notes if you want to view the Symantec Enterprise Security Manager Release Notes. You must have Adobe Reader to view the Symantec Enterprise Security Manager Release Notes. 4 In the Setup Wizard Completed panel, click Finish. Installing the ESM manager and the agent by using the Suite Installer You can install the ESM agent by using the Suite Installer on Windows computers that meet the system requirements. See System requirements for Windows computers on page 32.

48 48 Installing Symantec ESM managers and agents on Windows Installing the ESM manager and the agent by using the Suite Installer The installation process is as follows: Start the Symantec ESM Suite Installer. Perform the manager and the agent installation. Note: You must have the ESM 9.0 manager and the ESM 9.0 agent installed on your computer to upgrade to ESM manager and the agent. To install the manager and the agent 1 Log on to the computer on which you want to install the Symantec ESM as an administrator. Alternatively, use a role that is equivalent to an administrator. 2 Insert the product disc into the drive. 3 Go to ESMInstaller\ESMSetupSuite and run the setup.exe. 4 On the prompt that informs you about the upgrade, click Yes. 5 In the Resuming the Setup Wizard panel, click Next. 6 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next. 7 In the Superuser Account Credentials panel, enter the credentials for the ESM manager account, and then click Next. 8 The superuser credentials that you provide for ESM must be the same as the credentials of the ESM 9.0 superuser account. 9 In the Setup Wizard Completed panel, click Finish. Silently installing the manager and the agent You can use Symantec ESM command-line options to perform a silent installation of the manager and the agent. The command-line options let you install the components on local computers without any prompts for user inputs. To silently install the manager and the agent 1 Log on as administrator to the computer on which you want to install the ESM manager and the agent. Alternatively, use a role that is equivalent to an administrator. 2 Copy the ESMSetupSuite folder from the product disc to a network installation folder or to a local folder.

49 Installing Symantec ESM managers and agents on Windows Installing the ESM manager and the agent by using the Suite Installer 49 3 Copy the ManagerSilentInstallSample.bat file from the Examples folder in the product disc. Save the ManagerSilentInstallSample.bat file in the local folder where you have copied the ESMSetupSuite folder. 4 Right-click the ManagerSilentInstallSample.bat file, and then click Edit. 5 Specify the parameters of <COMMANDLINE>. Table 3-9 lists the command-line options for silent installation of the ESM manager and the ESM agent on Windows computers. Table 3-9 Option /s Command-line options for silent installation of the ESM manager and the ESM agent Description Run the installation in silent mode. /v"<command LINE>" /qn /l*v <LOG FILE> /le <LOG FILE> INSTALLDIR=<DIRECTORY> EXECUTEACTION=INSTALL PASSWORD=<PASSWORD> <COMMAND LINE> is the parameter to pass on to the ESM installer. Run the installation with no GUI. Use the most verbose logging and write the output to the specified log file. Log on to for more log options. Log errors only. Specify the directory where you want to install the ESM console. Set the installation mode. Specify the superuser password. A superuser account ESM is created with administrative privileges for the ESM manager. The password must fulfill the following criteria: The password must contain at least six characters. The password must contain at least one non-alphabetical character. The password must not contain the following special characters: space, tab - & ; ( ) < >

50 50 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM agent by using the Agent Installer Table 3-9 Option Command-line options for silent installation of the ESM manager and the ESM agent (continued) Description REGAGENTLIST=[{mgr spec 1},{mgr spec 2},...{mgr spec n}] List of managers to which you want to register the agent. mgr spec has the following comma-delimited list of information: Manager name Login name Login password LURADIOGROUP=2 Specify the type of LiveUpdate (1 - disable, 2 - enable from all managers, 3 - enable from selected managers) LUALLOWEDMGRS=mgr1,mgr2,...,mgrn Comma-delimited list of managers to allow LiveUpdate for the agents. This option is ignored unless LURADIOGROUP is 3. REINSTALL=ALL Upgrade the existing ESM components that are detected by the setup. You cannot modify the value for REINSTALL. For example, setup.exe /s /v"/qn /l*v \"%TEMP%\SymantecESMManagerInstall.log\" ADDLOCAL=ESMManager INSTALLDIR=\"C:\Program Files\Symantec\Enterprise Security Manager\" EXECUTEACTION=INSTALL EDITMANAGERUSERNAME=ESM PASSWORD=esm4now REGAGENTLIST=[{dev-imr50-2,esm,esm4now,1,default,5600}] LURADIOGROUP=2 LUALLOWEDMGRS=dev-imr50-2" Installing the Symantec ESM agent by using the Agent Installer You can install the ESM agent by using the Agent Installer on Windows computers that meet the system requirements. See System requirements for Windows computers on page 32. The installation process is as follows:

51 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM agent by using the Agent Installer 51 Start the Symantec ESM Agent Installer. Perform the agent installation. You can install the ESM agents on a computer that has ESM 6.0 or later agents installed. It is not mandatory to have ESM 9.0 agents installed on the computer before you install ESM agents. Note: You can register up to 4000 agents to one ESM manager during or after installation. You can register one agent to as many managers as you want. To install the agent 1 Log on to the computer on which you want to install the Symantec ESM as an administrator. Alternatively, use a role that is equivalent to an administrator. 2 Insert the product disc into the drive. 3 Go to ESMInstaller\ESMAgentInstall and run the setup.exe. 4 In the Welcome panel, click Next. 5 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next. 6 The Destination Folder panel displays the default location of the ESM agent on your computer. If you do not want to install the ESM agent in the default location, click Change. You can browse to the location where you want to install the agent. 7 Click OK to close the Change Current Destination Folder panel, and then in the Destination Folder panel, click Next. 8 In the Register Agent panel, do one of the following: If you do not want to register the agent to a manager, uncheck Register agent to a manager, and then click Next. If you choose not to register the agent now, the LiveUpdate Registration panel displays. See To select a LiveUpdate option on page 52. If you want to register the agent to a manager, do not uncheck Register agent to a manager, and then click Next. To register the ESM agent 1 In the Manager Information area of the Agent Registration panel, do the following for each Symantec ESM manager to which you want to register the agent:

52 52 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM agent by using the Agent Installer Type the name of the Symantec ESM manager to which you want to register the agent. The port number for the ESM manager is auto-populated. If you want, you can change the port number. Type the name of a Symantec ESM user account with privileges on the manager to register the agent. Type the password for the Symantec ESM user account that you specify. 2 In the Agent Name area of the Agent Registration panel, click the appropriate option for the agent name. The Fully Qualified Domain Name option is selected by default. 3 Click Add. The manager that you add is displayed in the list box. 4 Repeat steps 1 to 3 if you want to add multiple managers. 5 Click Next. To select a LiveUpdate option In the LiveUpdate Options panel, select a LiveUpdate option, and then click Next. To complete the installation 1 In the Ready to Install the Program, click Install. 2 In the Setup Wizard Completed panel, click Finish. Silently installing and registering an ESM agent When you install Symantec ESM, the installer prompts for necessary information such as the type of installation or the name of a directory. If you use the same settings to install Symantec ESM on a large number of computers, you can avoid the prompts by performing silent installations. The silent installation feature lets you install Symantec ESM agents and register Symantec ESM agents to managers. If the silent installation fails for any reason, check the SymantecESMAgentInstall.log file at the Temp folder for the error logs. If the silent registration fails for any reason, check the SymantecESMAgentReg.log file at the following location for the error logs: #Symantec\Enterprise Security Manager\ESM\system\<name of the computer where you have installed the agent> See Error codes for silent installation or registration failure of an ESM agent on page 55.

53 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM agent by using the Agent Installer 53 Note: The GPGV.exe, which is a third-party application licensed by GNU GPL, is installed when you perform a silent or an interactive installation of Symantec ESM. The GPGV.exe installs in the same location where you install Symantec ESM. Symantec ESM internally uses the GPGV.exe for security verification. To silently install an agent 1 Log on as administrator to the computer on which you want to install the Symantec ESM agent. Alternatively, use a role that is equivalent to an administrator. 2 Copy the ESMAgentInstall folder from the product disc to a network installation folder or to a local folder. 3 Copy the AgentSilentInstallSample.bat file from the ESMAgentInstall\Examples folder in the product disc. Save the AgentSilentInstallSample.bat file in the local folder where you have copied the ESMAgentInstall folder. 4 Right-click the AgentSilentInstallSample.bat file, and select Edit. 5 Specify the parameters of <COMMANDLINE>. See Table 3-10 on page 54. To silently register an agent 1 Log on as administrator to the computer on which you want to install the Symantec ESM agent. Alternatively, use a role that is equivalent to an administrator. 2 Copy the ESMAgentInstall folder from the product disc to a network installation folder or to a local folder. 3 Copy the AgentRegSilentInstallSample.bat file from the ESMAgentInstall\Examples folder in the product disc. Save the AgentRegSilentInstallSample.bat file in the local folder that contains the setup.exe file. 4 Right-click the AgentRegSilentInstallSample.bat file, and then click Edit. 5 Specify the parameters of <COMMANDLINE>. Table 3-10 contains the information on the silent installation options and their descriptions.

54 54 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM agent by using the Agent Installer Table 3-10 Option /l*v<logfile> Command-line options Description Use a verbose log and write the output to the specified log file. Log on to for more log options. INSTALLDIR=<DIRECTORY> SELECTION REGAGENTLIST Specify the directory where you need to install the agent Specify if you want to register the agent or for LiveUpdate. Use a 1 to register the agent and a 2 to register for LiveUpdate. Specify the attributes of managers to whom the agent needs to be registered. Each manager specification includes the following information: Manager name Logon password Agent name type Agent name Port number for the manager to listen on To use encrypted passwords, do the following: Generate the encrypted password from the plain text password using the Encryption tool. The Encryption tool resides in the \ESMInstaller\ESMAgentInstall\util directory. Enclose the encrypted password in angle brackets while specifying the password at the command line. Make sure that the password is URL Encoded. A URLencoded password contains a % mark at several places. See Using the Encryption tool on page 58. The agent name type can be a 1 (long), a 2 (short), or a 3 (user-defined). The agent name is ignored during installation unless you specify the agent name type as a 3. REGAGENTLIST is ignored if you specify the SELECTION as a 2.

55 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM agent by using the Agent Installer 55 Table 3-10 Option Command-line options (continued) Description LURADIOGROUP Specify the type of LiveUpdate. Select a 1 to disable LiveUpdate. Select a 2 to enable LiveUpdate for all managers. Select a 3 to enable LiveUpdate for all selected managers. LURADIOGROUP is ignored if you specify the SELECTION as a 2. LUALLOWEDMGRS Specify a list of the managers on which LiveUpdate is allowed. LUALLOWEDMGRS is ignored unless you specify LURADIOGROUP as a 3. Error codes for silent installation or registration failure of an ESM agent If the silent installation or registration of an ESM agent fails due to any reason, error logs are created in the SymantecESMAgentReg.log file. The SymantecESMAgentReg.log file is present at the following location: #Symantec\Enterprise Security Manager\ESM\system\<name of the computer where you have installed the ESM agent> Table 3-11 contains information on the error codes and the corresponding error messages that are created in the log file. Table 3-11 Error code ESM_REG_23151 ESM_REG_23185 Error codes and their descriptions Error message Error occurred while getting agent <Agent_Name> from database Error occurred while contacting local manager. Description Unable to locate the agent in the database during registration. The agent was unable to contact the ESM manager during the registration process. ESM_REG_23186 The <Transport_Layer_Name> transport layer is not supported on this operating system The transport layer like TCP/IP is not supported for the specific operating system.

56 56 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM agent by using the Agent Installer Table 3-11 Error codes and their descriptions (continued) Error code ESM_REG_23187 ESM_REG_23188 ESM_REG_23189 ESM_REG_23193 ESM_REG_23862 ESM_REG_23863 ESM_REG_23864 ESM_REG_23899 ESM_REG_23900 Error message Error occurred while getting tcp port number Error occurred while contacting manager on <Manager_Name>, port <Manager_Port_Number> Error occurred while contacting manager on <Port_Number> Unexpected message type in open() from manager on <Manager_Name>: <Port_Number> Please specify agent name to use in load_agent() Please specify agent name to use in load_templates() Please specify agent name to use in register_agent_with_cif() Error occurred while getting agent TCP port number Error occurred while getting agent SPX port number Description Another application is using the TCP port. The ESM manager name is incorrect. The ESM manager is not working on the specified port number. Unhandled exception occurred while contacting the ESM manager. The agent name was not mentioned during registration. The agent name was not mentioned during registration. The agent name was not mentioned during registration. The TCP port through which the agent communicates with the manager is busy, or another application is using the port. The SPX port through which the agent communicates with the manager is busy, or another application is using the port. ESM_REG_23901 Error occurred while re-writing agent information The agent is registered to the same manager twice.

57 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM agent by using the Agent Installer 57 Table 3-11 Error codes and their descriptions (continued) Error code ESM_REG_23902 Error message Error occurred while loading agent information Description Unable to load the agent information for any of the following reasons: The manager is not able to read the license file. The license is not provided to the manager. ESM_REG_23909 ESM_REG_23910 ESM_REG_23911 Error occurred while getting list of Template layouts Error occurred while loading <Agent_Name> No template files for <Agent _Name> found in directory <Directory_Name> The template layout is missing during registration. Unable to load the agent information if the agent and the manager are incompatible. The Template folder is missing in the agent installer. ESM_REG_23912 Hostname <Manager_Host_Name> not found Wrong host name for the manager has been specified. ESM_REG_23914 ESM_REG_23916 ESM_REG_24514 Error occurred while getting version from manager Manager is running an older version of ESM User <User_Name> not found; unable to register agent with manager <Manager_Name> Unable to get the ESM manager version. The version of the manager is earlier than the version of the agent. Invalid user account was used to register the agent to the manager. ESM_REG_24515 ESM_REG_24516 Unhandled exception while registering agent with manager <Manager_Name> User <User_Name> not authorized to register agents with manager <Manager_Name> Unhandled exception occurred while registering the agent to the manager. The user account that was used to register the agent to the manager did not have sufficient access rights.

58 58 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM agent by using the Agent Installer Table 3-11 Error codes and their descriptions (continued) Error code ESM_REG_24518 Error message Unable to get user record for user <User_Name? Description The specified user account has been deleted from the database. ESM_REG_24519 The <Account_Name> account password expired on <Date> The password of the user account that was used to register the agent to the manager has expired. ESM_REG_24534 ESM_REG_24549 ESM_REG_24550 ESM_REG_23122 Agent name must be 61 characters or less Unable to determine manager version Error occurred while getting description for agent <agent_name> from database Invalid user name or password The agent name exceeds 61 characters. The agent is unable to determine the version of the manager. The agent details have been deleted from the agent.dat file and the agent is still registered to a manager. The user name or password of the manager account is invalid. ESM_REG_23164 This agent is not authorized to communicate with components at CSP version 7. Only 8 or greater is allowed. Please upgrade this manager. The version of the agent is later than the version of the manager. Using the Encryption tool See Silently installing and registering an ESM agent on page 52. The Encryption tool lets you encrypt the ESM user password, which is required for a silent installation or registration for ESM agents. To encrypt passwords by using the Encryption tool 1 At the command prompt, change to the \ESMAgentInstall\util directory. 2 Type the following at the command prompt: EncryptionTool.bat <ESM_password> <command-line option>

59 Installing Symantec ESM managers and agents on Windows Installing the Symantec ESM utilities 59 Table 3-12 contains the command-line options and their descriptions for the Encryption tool. Table 3-12 Option e Command-line options for the Encryption tool Description Generate the encrypted password Installing the Symantec ESM utilities Symantec ESM lets you install the utilities on Windows computers that meet the system requirements. You can use the Symantec ESM utilities option on the Symantec ESM Suite installer Custom Setup panel to install the Symantec ESM utilities. The installation process is as follows: Start the Symantec ESM Suite installer. Perform the utilities installation. See Installing the ESM components by using the ESM Suite Installer on page 37. Note: You must have the ESM 9.0 utilities installed on your computer before you install the ESM utilities. To install ESM utilities 1 Log on to the computer on which you want to install the Symantec ESM as an administrator. Alternatively, use a role that is equivalent to an administrator. 2 Insert the product disc into the drive. 3 Go to ESMInstaller\ESMSetupSuite and run the setup.exe. On the prompt that informs you about the upgrade, click Yes 4 In the Resuming the Setup Wizard panel, click Next. 5 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next. 6 In the Setup Wizard Completed panel, click Finish.

60 60 Installing Symantec ESM managers and agents on Windows Post-installation tasks Post-installation tasks You can perform the following post-installation tasks after you have installed Symantec ESM managers and agents: Register Symantec ESM agents. Configure Symantec ESM console. Set the default Web browser. Change the LiveUpdate configuration for a Symantec ESM agent. Change a Symantec ESM agent port. Uninstall Symantec ESM from a local computer. Uninstall Symantec ESM agents from Windows. Uninstall Symantec ESM utilities. Registering the Symantec ESM agents Registration of a Symantec ESM agent with a manager establishes secured communications between the agent and manager. During installation, each agent must register to at least one manager. You can register the agent to additional managers during or after the installation. Your user account must have the following permissions to be able to register an agent to a specific manager: Register agent right in Advanced manager permissions Modify access right on All Agents domain Create domain right if <OS> Agents domain is not present Modify permission on all policies if the manager is not locked for any SU. If the manager is locked for an SU, then this permission is not required Do not use more than one agent name to register a Symantec ESM agent to a manager. Symantec ESM reports an error when you try to run policies on the agent. Note: You should not register an agent to an earlier version of ESM manager. Symantec ESM agents can only register with the managers that use the same communication protocol.

61 Installing Symantec ESM managers and agents on Windows Post-installation tasks 61 Symantec ESM agents that register before a manager upgrade continue to function with the manager after the upgrade. However, you must upgrade these agents to use the new functions and features. You must re-register the agents if you change the IP address of a manager. When you register an agent to a manager, a key is generated and is stored in the manager database. The registration key is used to establish communication between the manager and its agent. If you change the IP address of the manager, the registration key becomes invalid. When you re-register the agent, a new registration key is generated, which is used for re-establishing the communication between the manager and its agent. Note: If an agent is registered to multiple managers, then you must use the same format for the agent name to register the agent to the other managers. For example, if you use the IP address to register an agent, then use the IP address to register the agent to other managers. You can register Symantec ESM agents for Windows operating systems on managers running Windows or UNIX operating systems. Note: The ESM manager must have a valid license to register ESM agents. To register a Symantec ESM agent 1 Log on as administrator or use a role that is equivalent to an administrator. 2 On the Windows taskbar, click Start > Programs > Symantec > Enterprise Security Manager > ESM Agent and LiveUpdate Registration. 3 In the Welcome panel, click Next. 4 In the Software License Agreement panel, click I accept the terms of the license agreement, and then click Next. 5 In the Register Agent or LiveUpdate panel, click Register Agent, and then click Next. 6 In the Manager Information section of the Agent Registration panel, do the following: In the Manager Name text box, type the name of the Symantec ESM manager. In the Username text box, type the name of the Symantec ESM user account with privileges on the manager to register the agent. In the Password text box, type the password of the ESM user account.

62 62 Installing Symantec ESM managers and agents on Windows Post-installation tasks In the Porttext box, type the port number for the Symantec ESM manager. Computers that run Symantec managers and agents must use the same communication protocol to register the agents. See About Symantec ESM communication ports on page 84. Click > to add the manager. 7 In the Agent Name section of the Agent Registration panel, click the appropriate option for the agent name. The Fully Qualified Domain Name option is selected by default. 8 Click Next. 9 In the Ready to Install the Program panel, click Install. 10 Check the Show the agent registration logs check box if you want to view the registration log. The registration log is displayed in a notepad if the agent registration fails. 11 In the Registration Wizard Completed panel, click Finish. Registering the ESM agents by using the Register binary You can register the ESM agents on both Windows and UNIX operating systems by using the register binary. The following table contains information on the command-line options that you can use to register ESM agents by using the register binary. Table 3-13 Options -r -A -T -a -h -M -t -u Register binary options and their descriptions Description Complete key-exchange registration Write an agent record for this system Merge templates for this agent into the manager's template directory Register all.m files in the register directory for this operating system Write C include file for security module compilation Write VMS Macro file for security module compilation Connect to the manager by TCP The agent is updatable. That is, the agent takes live updates from the manager

63 Installing Symantec ESM managers and agents on Windows Post-installation tasks 63 Table 3-13 Options -v -f -F -q -m -U -P -p -D -d -o -N -L -K -R -C Register binary options and their descriptions (continued) Description Set verbose mode, log each action as it is performed Force the loading of security module information Log the program finish Use FQDN for local agent name Specify the manager name ESM access record name ESM access record password The TCP port to use Optional agent description The domain on the manager into which the agent is installed The agent OS detail description Override default agent name Register the application module for content LiveUpdates The name of the token file that is used to register the agent Replace old agent name with the new agent name Create a duplicate entry using new agent name For example, to register an ESM agent on Windows by using the register.exe, type the following: register.exe [-rathmtiuvffq] -m <manager name> -U <user> -P <password> -p <TCP port> -N <agentname> -L <Application module name> -o <agent OS details> -d <domain> -D <agent description> -a <module config file> To register an ESM agent on UNIX by using the register binary, type the following:./register [-rathmtiuvffq] -m <manager name> -U <user> -P <password> -p <TCP port> -N <agentname> -L <Application module name> -o <agent OS details> -d <domain> -D <agent description> -a <module config file>

64 64 Installing Symantec ESM managers and agents on Windows Post-installation tasks Note: The -K option must not be used with other options. In the token file that is used to register the agent, you must type \r\n at the end of the options that you provide. Alternatively, press the Enter key on your keyboard. Configuring the Symantec ESM console Symantec ESM graphics in printed reports look best when you set the Windows display to at least 256 colors and 800 x 600 pixels. To verify the display settings 1 On the Windows taskbar, click Start > Settings> Control Panel > Display. 2 On the Settings tab, do the following: About setting the Web browser Set the color palette to at least 256 colors, although the ESM console can run in 16 colors. Set the desktop area to at least 800 x 600 pixels, although the ESM console can run in 640 x 480 pixels. Use the default Web browser or choose another browser for the Symantec ESM help links. The Symantec ESM console automatically launches the system default browser to display ESM reports. Most browsers are already set to handle.htm and.html files. If your browser does not support frames, disable the show table of contents option in the report options. This change causes the browser to open the report.html version of a report. Changing LiveUpdate configuration for a Symantec ESM agent Symantec ESM uses LiveUpdate to distribute Symantec ESM agent upgrades and install security updates. You can specify the Symantec ESM managers that are permitted to perform LiveUpdate on the agent. You must enable LiveUpdate on the local agent and on the Symantec ESM console. To change the LiveUpdate configuration on the local agent 1 Log on as administrator to the computer on which the agent is installed. Alternatively, use a role that is equivalent to an administrator. 2 On the Windows taskbar, click Start > Programs > Symantec > Enterprise Security Manager > ESM Agent and LiveUpdate Registration. 3 In the Welcome panel, click Next.

65 Installing Symantec ESM managers and agents on Windows Post-installation tasks 65 4 In the Symantec Software License Agreement panel, click I accept terms of the license agreement, and then click Next. 5 In the Setup panel, click LiveUpdate, and then click Next. 6 In the LiveUpdate options panel, do one of the following: Click Disable to disable LiveUpdate on the agent. Click Enable to enable LiveUpdate from all managers to which the agent is registered. Click Selective, and then in the Registered Managers list, select the managers that are allowed to perform LiveUpdate. Use the right-arrow to move the managers into the Allowed LiveUpdate managers list. 7 Click Next. 8 Click Install and then click Finish. Note: If a manager is connected to multiple consoles, do not apply LiveUpdate simultaneously on that manager from the consoles that the manager is connected to. Changing a Symantec ESM agent port Symantec ESM uses specific ports, which you can change. See About Symantec ESM communications security on page 83. To change a Symantec ESM agent port 1 On the Windows taskbar, click Start > Programs > Administrative Tools > Services, and stop the Symantec ESM Agent service. 2 In the tcp_port.dat file, enter the port number. Following are the field names for the agents that are installed on various operating systems: Type of ESM agent UNIX agent VMS agent Netware agent Windows NT agent Field name for port number PORT_AGENT_UNIX PORT_AGENT_VMS PORT_AGENT_NETWARE PORT_AGENT_NT

66 66 Installing Symantec ESM managers and agents on Windows Post-installation tasks 3 Start the Symantec ESM Agent service. 4 Reregister the agent with the manager. See Registering the Symantec ESM agents on page 60. Uninstalling Symantec ESM from a local computer On the computers that have Windows operating systems, you can use Add/Remove Programs in the Control Panel to remove everything under the ESM directory. This option removes any files, reports, executable code, and services that Symantec ESM creates during installation. This option also removes the Symantec ESM icons from the program menu. Before you remove ESM, make sure that Symantec ESM directory or any of its subdirectories are currently not in use. If a Symantec ESM directory or a subdirectory is in use, the uninstall program reports an error message and does not remove that directory. Note: Unpredictable results may occur if you uninstall a Symantec ESM agent during a policy run that includes the agent. To uninstall Symantec ESM from a local computer 1 Log on to the host computer as an administrator. Alternatively, use a role that is equivalent to an administrator. 2 On the Windows taskbar, click Start > Settings > Control Panel. 3 Double-click Add/Remove Programs. 4 Select Symantec ESM from the list. 5 Click Change/Remove. 6 Click Yes. Silently uninstalling the ESM console You can uninstall the ESM console by using the command-line options. To silently uninstall the ESM console 1 Navigate to the location where you have extracted the console installer on your local computer. 2 Go to the ESMConsole\examples folder and double-click the Uninstall_Console.bat file.

67 Installing Symantec ESM managers and agents on Windows Post-installation tasks 67 Uninstalling Symantec ESM from Windows Server 2008 Core On the computers that have Windows Server 2008, you can uninstall the ESM components by using the command-line options. Use the following batch files to uninstall agents from Windows Server 2008 Core: Uninstall_Agent.bat Uninstall_Suite.bat Lets you unistall an ESM agent that was installed by using the ESM Agent installer. Lets you unistall the ESM components that were installed by using the ESM Suite installer. To uninstall an agent that was installed by using the ESM Agent installer 1 At the command prompt, change to the \ESMAgentInstall\examples directory. 2 Type the following at the command prompt: Uninstall_Agent.bat To uninstall the ESM components that were installed by using the ESM Suite installer 1 At the command prompt, change to the \ESMSetupSuite\examples directory. 2 Type the following at the command prompt: Uninstall_Suite.bat Uninstalling Symantec ESM utilities On Windows computers, you can use Add/Remove Programs in the Control Panel to remove everything under the Symantec ESM utilities directory. This option removes any files, reports, and executable code that Symantec ESM creates during installation. You must close the Symantec ESM utilities before you remove the software. If you continue to run the Symantec ESM utilities, the uninstall program cannot remove the software. To uninstall Symantec ESM from Windows systems 1 On a computer with a Windows operating system that is running Symantec ESM utilities, log on as an administrator. Alternatively, use a role that is equivalent to an administrator. 2 On the Windows taskbar, click Start > Settings > Control Panel. 3 Double-click Add/Remove Programs. 4 Select the instance for Symantec Enterprise Security Manager, and then click Change.

68 68 Installing Symantec ESM managers and agents on Windows Post-installation tasks 5 In the Welcome panel of the wizard, click Next. 6 In the Program Maintenance panel, click Modify and then click Next. 7 In the Custom Setup panel, click the Utilities node, and then select This feature will not be available from the drop-down list. 8 Click Next. 9 In the Ready to Modify the Program panel, click Install. 10 In the Setup Wizard Completed panel, click Finish.

69 Chapter 4 Installing Symantec ESM managers and agents on UNIX This chapter includes the following topics: About installing Symantec ESM components System requirements for UNIX computers Installing Symantec ESM on UNIX computers About installing Symantec ESM components You can install Symantec ESM managers and agents on the computers that have supported UNIX operating systems. You must have the ESM 9.0 manager and the console installed on your computer to upgrade to ESM manager and the console. Note: ESM does not support remote installation of the ESM agents. About licensing managers Each Symantec ESM manager requires a permanent license to operate completely. Agents and consoles do not require licenses. Managers can register agents up to the number that is specified at the time of license distribution. To later register additional agents to the manager, you must change the manager allocation by using Enterprise Licensing from the ESM console.

70 70 Installing Symantec ESM managers and agents on UNIX System requirements for UNIX computers You can install ESM manager without a license. Without a license, the manager installs with limited functionality. For full functionality, you must assign a license using the Enterprise License feature from the ESM console. Note: You can continue with the ESM 9.0 manager licenses to upgrade to ESM manager. For information on how to assign a license to the ESM manager, see the Enterprise Security Manager User Guide. System requirements for UNIX computers UNIX computers must meet the minimum hardware requirements. Table 4-1 lists the minimum hardware requirements for the ESM managers on UNIX computers. Table 4-1 Description Physical memory Hard disk space Swap space CPU Network speed Hardware requirements for ESM managers on UNIX computers Manager and agent 2 GB 25 GB 4 GB UltraSPARC 100 Mbps Table 4-2 lists the disk space requirements for UNIX computers. Table 4-2 Disk space requirements for UNIX computers Operating system AIX (RS/6000) AIX (PPC 64) HP-UX (HPPA) HP-UX (IA 64) Red Hat Linux, SuSE Linux (s390x) Manager and agent Not supported Not supported Not supported Not supported Not supported Agent only 249 MB 265 MB 129 MB 154 MB 87 MB

71 Installing Symantec ESM managers and agents on UNIX System requirements for UNIX computers 71 Table 4-2 Disk space requirements for UNIX computers (continued) Operating system Red Hat Linux, SuSE Linux (PPC 64) Red Hat Linux, SuSE Linux (IA 64) Red Hat Linux, SuSE Linux (x86) Solaris (Intel) Solaris (SPARC) Manager and agent Not supported Not supported Not supported Not supported 110 MB Agent only 71 MB 128 MB 92 MB 119 MB 97 MB Supported UNIX operating systems Symantec ESM managers must be installed on UNIX computers that have a supported operating system version. The following table lists the operating system versions that are supported for Symantec ESM managers. Table 4-3 Platforms Solaris (SPARC) Versions 2.9, 2.10 (Global and Local zones) Symantec ESM agents must be installed on the computers that have a supported operating system version. The following table lists the operating system versions that are supported for Symantec ESM agents. Symantec ESM managers and agents must be installed on the computers that have the latest operating system patches. Support for internationalization-compatible computers Table 4-4 contains the languages and the locales that ESM supports in a heterogeneous environment.

72 72 Installing Symantec ESM managers and agents on UNIX Installing Symantec ESM on UNIX computers Table 4-4 Language German Spanish French Italian English Supported languages and locales Locale Germany Spain France Italy US On an internationalization-compatible computer, you must have the same character set for all the ESM components on the supported Windows and UNIX operating systems. For example, consider the following scenario: You have the UTF-8 character set for an ESM manager, which is installed on a French Operating System. When you register agents to the ESM manager, the character set for the agents must also be UTF-8. If you have different character sets, the components fail to establish communication between each other. Note: The ESM components that you install on the internationalization-compatible computers must have HI-ASCII character set. Installing Symantec ESM on UNIX computers You can install Symantec ESM managers and agents on UNIX computers. For the installation process, you run the installation program and register the Symantec ESM agents with their managers. Symantec distributes Symantec ESM software on a disc. To install this software, at least one computer with a UNIX operating system must have access to a disc drive. Symantec provides the software files in a compress-format tar file for the computers that have UNIX operating systems. The ESM90SP1 folder in the disc contains the following installation files: esmsetup esm.tgz esmuppd

73 Installing Symantec ESM managers and agents on UNIX Installing Symantec ESM on UNIX computers 73 The util folder in the disc contains the following installation file: gzip A new folder by the name "lib" is created at the following location: #esm/lib The "lib" folder contains the libraries that Enterprise Security Manager requires. Only ESM installation on HP-UX platform has libraries in the "lib" folder. The esmsetup is the installation program. The esm.tgz is the compressed tar file that contains the Symantec ESM program files. The gzip is the GNU uncompress utility. The esmuppd is the remote agent install-upgrade daemon. The installation process is as follows: Mount the disc drive. Start the Symantec ESM installer. Select the type of installation. Perform the installation. To mount the disc drive 1 Use su or log in to root on a computer with a UNIX operating system that has access to a disc drive. 2 Type the appropriate command to mount the disc drive to device /dvdrom. To start the Symantec ESM installer 1 Use su or log in to root on the computer with a UNIX operating system that you use to install the Symantec ESM software. 2 Copy the disc to the /dvdrom directory. 3 Type./esmsetup to run the Symantec ESM installer from the product disc. You can also run the Symantec ESM installer from the /tmp directory if you use gzip to extract the file from the product disc. To select the type of installation 1 Type 2 to install a manager or agent on a local computer. 2 Type A if you agree to the terms of the License Agreement. 3 Do one of the following: Type 1 to perform a Symantec ESM agent installation. Type 2 to perform a Symantec ESM manager and agent installation.

74 74 Installing Symantec ESM managers and agents on UNIX Installing Symantec ESM on UNIX computers To upgrade a Symantec ESM manager and agent 1 Do one of the following: Type the name of the directory where you want to install the Symantec ESM files. Do not choose the root folder. The Symantec ESM installer creates the directory if the directory does not already exist. The installer creates a /esm symbolic link that points to the directory. Type? to list the partitions that have sufficient disk space to install Symantec ESM. 2 Do one of the following: Type the name of the product disc drive that contains the distribution media. Type the full path of the tar or tgz file on a disk. Type the special device file name of the tape drive that contains the installation tape. 3 Type a password for the ESM superuser account on the manager. 4 Type the name of the computer that is to install the Symantec ESM agent. The Symantec ESM manager uses the name to search for the IP address of the agent computer. This name can have up to 61 characters. 5 Do one of the following: Type 1 to disable LiveUpdate on the agent. Type 2 to enable all managers that register the agent to update the agent. Type 3 to select the managers that can update the agent. To install a Symantec ESM agent Follow the steps in the manager and the agent installation procedure, except for steps 5-8. Silent installation of Symantec ESM on UNIX When you install Symantec ESM, the installer prompts you for information such as the type of installation or the name of a directory. You can use Symantec ESM command-line options to avoid the prompts. The command-line options let you install Symantec ESM managers or agents on local computers.

75 Installing Symantec ESM managers and agents on UNIX Installing Symantec ESM on UNIX computers 75 Using the help option You can use the help option to display the local installation command-line options. To use the help option Type./esmsetup -h to display the command line options. Silently installing Symantec ESM manager on Solaris You can use command-line options to silently install a Symantec ESM manager or agent while avoiding the prompts that display during a standard installation. You can specify the following command-line options in advance to speed up and simplify the installation process. The following table lists the command-line installation options. Note: You must use the -U and -W options together. Table 4-5 Option -a -m -p -d -u -g -t -M -O -U -W Description Installs or upgrades a Symantec ESM agent on a local computer. Installs or upgrades a Symantec ESM manager and agent on a local computer. Specifies the installation phases to include (enter 1-14 separated by commas). Specifies the directory where Symantec ESM installs on the local computer. If the string esm is not part of the path, symantec/enterprise Security Manager/esm is added to it. The directory is created if it does not exist. Specifies the user owner of the Symantec ESM files. Specifies the group owner of the Symantec ESM files. Specifies the location of the Symantec ESM installation files. Specifies the Symantec ESM manager name. Specifies the Symantec ESM manager port number. Specifies the ESM account name on the local computer. Specifies the ESM super-user account password on the local computer.

76 76 Installing Symantec ESM managers and agents on UNIX Installing Symantec ESM on UNIX computers Table 4-5 Option -N -b -B (continued) Description Specifies the agent name that the manager uses to look up the agent's IP address. Lets the managers that register the agent update the agent with LiveUpdate. Specifies the manager that can update the agent with LiveUpdate. For example, to install a local agent that all registered managers can update with Symantec LiveUpdate, type the following:./esmsetup -a -p <installation phases to include> -d <installation directory> -u <user owner> -g <group owner> -t <installation file location> -M <manager name> -O <Symantec ESM port number> -U <Symantec ESM account name> -W <user password> -N <agent name> -b Installing Symantec ESM using Solaris PKGADD For Solaris 2.x computers only, you can use the Solaris package add utility to install Symantec ESM. The installation process is as follows: Start the Symantec ESM installer. Perform the installation. To start the Symantec ESM installer 1 Use su or log in to root on a computer with a UNIX operating system that you use to install the Symantec ESM software. 2 Mount the Symantec ESM software product disc on the host computer. 3 Type dvd /sun/solaris/sparc/esm90 to change to the Symantec ESM installation directory. 4 Type./pkgsetup to use Solaris PKGADD to start the Symantec ESM installer. 5 Type the name of the directory in which you want to install the Symantec ESM pkgadd installation files. Specify a directory other than the root on a volume that has at least 20 MB of free disk space. The Symantec ESM installer creates the directory if it does not exist.

77 Installing Symantec ESM managers and agents on UNIX Installing Symantec ESM on UNIX computers 77 To perform a Symantec ESM agent installation with PKGADD 1 Type the name of the directory in which you want to install the Symantec ESM files. 2 Type the name of the temporary directory that contains the Symantec ESM pkgadd installation files. 3 Type the name of the tar or tgz file in the temporary directory. The default file name is esm.tgz. 4 Type the name of the manager computer where you want to register the agent. 5 Type the manager port number. The default port number is Type the name of an account of the Symantec ESM manager with rights to register agents. 7 Type the password of the manager account. Installing Symantec ESM utilities You can install Symantec ESM utilities on the computers that have supported UNIX operating systems. The installation process consists of extracts of the Symantec ESM files from the disc and runs of the installation program. Symantec distributes ESM utilities software on a disc. To access this software, at least one computer with a UNIX operating system must have access to a disc drive. For UNIX installations, Symantec locates the programs that are associated with the ESM utilities on the disc. These utilities are in the same compressed-format tar file that is used to install the ESM manager or agent. To start the installation program on UNIX 1 Use su or log in to root on a computer with a UNIX operating system that has a disc drive. 2 Mount the product disc on the computer. 3 Start the Symantec ESM installer. The installer is named esmsetup. To install the ESM Utilities application on UNIX 1 At the command prompt, type 5 to install the ESM Utility tools on a local computer. For UNIX computers, these consist of the Database Conversion tool and the Policy tool. 2 Read through the terms of the license agreement. Type A if you agree to the terms of the License Agreement.

78 78 Installing Symantec ESM managers and agents on UNIX Installing Symantec ESM on UNIX computers 3 Type the full path of the Java VM including the executable name. 4 Type the full path of the JDBC driver. 5 Type the name of the Oracle server. 6 Type the port of the Oracle server. 7 Type the SID of the Oracle server. 8 Do one of the following: Type the name of the product disc drive that contains the distribution media. Type the full path name of the tar or tgz file on a disk. Type the special device file name of the tape drive that contains the installation tape. Post-installation tasks 9 After completing the Symantec ESM utilities installation, run the create.sql script in the mssql directory. This script creates the required database schema tables and procedures for the ORACLE database. The following tasks can be performed after installing Symantec ESM: Uninstall the Symantec ESM Uninstall the Symantec ESM utilities Register the Symantec ESM agents Change the ESM agent ports on UNIX computers Change the LiveUpdate configuration Registering Symantec ESM agents on UNIX When you register a Symantec ESM agent with a manager you establish a secured communication between the agent and manager. During installation, each agent must register to at least one manager. You can register up to 4000 agents to one ESM manager during or after installation. You can register one agent to as many managers as you want. Do not use more than one agent name to register a Symantec ESM agent to a manager. Symantec ESM reports an error when you try to run policies on the agent. You can register an ESM agent to multiple ESM managers during or after

79 Installing Symantec ESM managers and agents on UNIX Installing Symantec ESM on UNIX computers 79 the installation. However, for the registration to succeed, each ESM manager must be in the connected state. You should not register an ESM agent to an ESM manager with an earlier version. If you have an earlier version of ESM manager, Symantec recommends that you upgrade the manager to before you register an ESM agent. The manager must be running to register the agent. If the manager is not running, you restart the manager and use the Register agent option in the Symantec ESM installer to register the agent. Symantec ESM agents can only register with the managers that use the same communication protocol. Symantec ESM agents that register before a manager upgrade continue to function with the manager after the upgrade. However, you must upgrade these agents to use the new functions and features. You can also register the ESM agents on UNIX by using the register binary. See Registering the ESM agents by using the Register binary on page 62. To register a Symantec ESM UNIX agent 1 Use su or log in to root on the agent computer. 2 Type./esmsetup to run the Symantec ESM installer from the product disc. You can also run the Symantec ESM installer from the /tmp directory if you use gzip to extract the file from the product disc. 3 Type 4 to select the post-installation configuration options. 4 Type 4 to register the Symantec ESM agent with a manager. If you do not want to register the ESM agent with a manager, press Enter. 5 Type the name of the manager computer where you want to register the agent. 6 Type the manager port number. The default port number is Type the name of an account on the Symantec ESM manager with rights to register agents. 8 Type the password of the manager account. 9 Type the name of the Symantec ESM agent computer that you want to register with the manager. The Symantec ESM manager uses the name to look up the IP address of the agent computer. 10 A message appears that asks you if you want to register the agent to one more manager. Type y if you want to register the agent to one more manager. 11 Repeat step 5 to 9 to register the agent to multiple managers.

80 80 Installing Symantec ESM managers and agents on UNIX Installing Symantec ESM on UNIX computers Changing Symantec ESM agent ports Symantec ESM uses specific ports. You can change the agent port number to an alternate number. To change the Symantec ESM agent port 1 Type shutdown at the configuration procedure prompt. 2 Access the /esm/config/tcp_port.dat file and change the agent port number to the new port number. 3 Type startup at the configuration procedure prompt. 4 Do the following: Use su or log in to root on a computer with a UNIX operating system that is running a Symantec ESM manager. Mount the Symantec ESM DVD-ROM on the computer. Start the Symantec ESM installer. Type 4 to select the post-installation configuration options. Type 2 to turn off the Symantec ESM agent. 5 Access the /esm/config/tcp_port.dat file and change the agent port to the new port number. 6 Restart the Symantec ESM agent. Start the Symantec ESM installer. Type 4 to select the post-installation configuration options. Type 1 to start the Symantec ESM software. 7 Re-register the agent with the manager. Changing the LiveUpdate setting for an agent You can specify whether or not the agent can be updated. You can also specify which managers can update the agent. You must change the setting on the local agent computer as well as from the Symantec ESM console. Note: If a manager is connected to multiple consoles, do not apply LiveUpdate simultaneously on that manager from the different consoles where the manager is connected.

81 Installing Symantec ESM managers and agents on UNIX Installing Symantec ESM on UNIX computers 81 To change the LiveUpdate setting for an agent 1 Use su or log in to root on the agent computer. 2 Mount the Symantec ESM product disc on the computer. 3 Type./esmsetup to run the Symantec ESM installer from the product disc. 4 Type 4 to select the post-installation options. 5 Type 6 at the Symantec ESM installation phases prompt. 6 At the LiveUpdate prompt, do one of the following: Type 1 to disable LiveUpdate on the agent. Type 2 to enable the managers that register the agent to run LiveUpdate on the agent. Type 3 to select the managers that can run LiveUpdate on the agent. Uninstalling Symantec ESM from a UNIX computer On the computers that have a UNIX operating system, the esmdeinstall program removes everything under the /esm directory. It also removes the files, links, ESM daemons, and rc scripts that Symantec ESM creates during installation. Before you uninstall Symantec ESM, make sure that you not using the Symantec ESM directory or any of its subdirectories. If you use a Symantec ESM directory or subdirectory, the esmdeinstall program reports an error message and does not remove the directory. Note: Unpredictable results can occur if you uninstall a Symantec ESM agent during a policy run that includes the agent. To uninstall Symantec ESM from a UNIX computer 1 At the command prompt, type./esm/esmdeinstall. 2 Type Yes to remove Symantec ESM. Uninstalling Symantec ESM utilities On UNIX computers, the esmtoolsdeinstall program removes all ESM Java tool-related files from the computer. To uninstall ESM utilities from UNIX computers At the command prompt type./esmtoolsdeinstall at the system command prompt.

82 82 Installing Symantec ESM managers and agents on UNIX Installing Symantec ESM on UNIX computers

83 Appendix A Symantec ESM communications This appendix includes the following topics: About Symantec ESM communications security About Symantec ESM communication ports About Symantec ESM communications security Symantec ESM protects the security information that it gathers from the computers on your network in the following ways: Symantec ESM encrypts the account names, passwords, and other data that it stores on your computers and transfers over your network. Symantec ESM authenticates each of the incoming and outgoing connections to ensure that both connections involve valid Symantec ESM software. To initiate the authentication process, Symantec ESM uses the Diffie-Helman algorithm to exchange secure keys between Symantec ESM components. Symantec ESM uses the secure key to initialize the DESX encryption engine. Symantec ESM encrypts all communication between the components using the industry standard DESX algorithm. The originator verifies the transformed key. Unauthorized users cannot easily spoof Symantec ESM connections because Diffie-Helman exchanges a different key each time. An authorized Symantec ESM access record is required for: all processes that involve Symantec ESM agents, the Symantec ESM console, or the installation program that connects to a Symantec ESM manager. These access records consist of a name and a password. ESM encrypts the password using an algorithm that is similar to the encryption algorithm that most UNIX operating systems use in the /etc/passwd or A

84 84 Symantec ESM communications About Symantec ESM communication ports Appendix /etc/shadow files. Symantec ESM stores the encrypted password in a Symantec ESM data file. Only privileged users such as root, supervisor, system, or administrator can access the file. If a Symantec ESM manager rejects an access record password, Symantec ESM delays for a second before the return of an acknowledgment. This delay can defeat brute force attacks against passwords. Symantec ESM protects agents from unauthorized access through the manager registration process. Agents accept network connections only from Symantec ESM managers with whom they have previously registered. Symantec ESM maintains a list of authorized managers on each agent in the /esm/config/manager.dat file. The agent checks this file each time a manager attempts a connection. The file stores the Symantec ESM manager name for the TCP/IP communication protocols. Before Symantec ESM makes changes to a system file using a correction from the Symantec ESM console, the user must log on to the system. Only a valid privileged system account can authorize the agent to perform the correction. About Symantec ESM communication ports The following table lists the communication ports between managers and agents. Operating system Symantec ESM version Port monitored by Protocol Port Port Windows ESM manager TCP 5600 Windows Vista 6.5.2, 6.5.3, SP 1 and SP 2, 9.0 ESM manager TCP 5600 Windows Server , 6.5, , 6.5, 6.0 ESM manager ESM agent TCP TCP Windows XP , 6.0 ESM agent TCP 5601 Windows , 6.0 ESM manager TCP , 6.0 ESM agent TCP 5601 Windows NT 6.5, 6.0 ESM manager TCP , 6.0 ESM agent TCP 5601

85 Symantec ESM communications About Symantec ESM communication ports 85 Operating system Symantec ESM version Port monitored by Protocol Port Port UNIX 9.0, 6.5, 6.0 ESM manager TCP , 6.5, 6.0 ESM agent TCP 5600 OS/ , 6.0 ESM agent TCP 5600 NetWare/NDS 9.0, 6.x, 5.0 ESM agent TCP 5601 OpenVMS 9.0, 5.1 ESM agent TCP 5601 TRU64 9.0, 6.0, 5.5 ESM agent TCP 5600 Symantec ESM also uses the following ports: Symantec ESM managers use port 5599 for connections to perform remote upgrades of the systems that connect using the TCP protocol. Symantec ESM managers use ports in the range 1024 to range that TCP dynamically allocates for servers to use when making connections to clients. The Symantec ESM console does not require a port number because Symantec ESM managers do not initiate connections to the Symantec ESM console. You must open any firewalls that separate Symantec ESM components to the ports in Table A-1, port 5599, and the ports that range from 1024 to In some situations, you may have to modify or create a firewall proxy or tunnel to enable Symantec ESM component connections through a firewall. All TCP applications require the opening of ports 1024 to Servers making connections back to clients reserve the ports in this range. You must open these ports in both directions. This practice is secure, as long as the TCP servers do not listen within this port range.

86 86 Symantec ESM communications About Symantec ESM communication ports

87 Appendix B System assessment checklist This appendix includes the following topics: About system assessment checklists Console checklist Manager checklist Agent checklist About system assessment checklists You can use the system assessment checklist to verify that the selected computers can function as Symantec ESM managers, agents, or consoles. You can use the checklists to help complete the following tasks: Assess the available disk space on the computers where you plan to install Symantec ESM components. Establish TCP/IP connectivity between the computers in a heterogeneous configuration. Verify TCP/IP communications by sending a ping command to each agent computer from the manager computer, and vice versa. Select the network disc drive. With this drive, you can determine the computer's ability to distribute files using a file transfer program such as FTP. See System requirements for Windows computers on page 32. See System requirements for UNIX computers on page 70.

88 88 System assessment checklist Console checklist Console checklist You can use the Console checklist to ensure that you have the information that you need to install the console. Question Response Do you have access to an account on the computer with privileges to install software? What disc drive can you use to load the software? What is the installation file system path name? What is the computer communication protocol? Can the computer ping all of the manager computers? Manager checklist The information that you enter on the ESM manager checklist lets you verify that the selected computer can function as a Symantec ESM manager. Question Response What is the name of the computer? What operating system is running on the computer? What version of the operating system is running on the computer? Does the computer have sufficient memory and free disk space to load and run the software? For computers with Solaris operating systems, does the computer have sufficient swap space to run the software?

89 System assessment checklist Agent checklist 89 Question Response For computers with Solaris operating systems that install ESM utilities, what is the Java runtime environment path name? Do you have access to an account on the computer with privileges to install software? What disc drive can you use to load the software? What is the installation file system path name? What is the computer communication protocol? Can the computer ping all of the agent computers that must register to the manager? Can the computer ping all of the console computers? Agent checklist The information that you enter on the Agent checklist lets you verify that the selected computers can function as Symantec ESM agents. Question Response What is the name of the computer? What operating system is running on the computer? What version of the operating system is running on the computer? Does the computer have sufficient memory and free disk space to load and run the software? For computers with UNIX operating systems, does the computer have sufficient swap space to run the software?

90 90 System assessment checklist Agent checklist Question Response For computers with UNIX operating systems that install ESM utilities, what is the Java Runtime Environment path name? For computers with AS/400 operating systems, is the pool size large enough to run the software? Do you have access to an account on the computer with privileges to install software? What disc drive can you use to load the software? What is the installation file system path name? What is the computer communication protocol? Can the computer ping all of the manager computers that must register the agent?