Installation Guide. McAfee Vulnerability Manager 7.5

Transcription

1 Installation Guide McAfee Vulnerability Manager 7.5

2 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARKS McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, epolicy Orchestrator, McAfee epo, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. Issued 5/22/ :01 / McAfee Vulnerability Manager Installation Guide

3 Contents Introducing McAfee Vulnerability Manager... 6 Installation checklist... 6 Components and what they do... 7 Audience... 8 Finding product documentation... 8 System Requirements and Architectures... 9 Number of servers required... 9 Hardware and software requirements Single server requirements Multiple server requirements Microsoft Windows Server 2003 support Browser requirements Disable Enhanced Security Configuration Network requirements Deployment architectures Dual-server architecture Three-server architecture More than three servers Installing on a Single Server Audience Process overview McAfee Vulnerability Manager architecture How the pieces fit together Installing and configuring McAfee Vulnerability Manager on a single server Creating your first vulnerability scan and report Post-installation activities Installing on Multiple Servers Before you install McAfee Vulnerability Manager McAfee Vulnerability Manager 7.5 components System component preparation Preparing the database server Preparing the scan engine server Preparing the web server McAfee Vulnerability Manager 7.5 installation Installing using a recommended installation type Adding an extra scan engine Installing using the custom installation type Installation setting descriptions Login information Hiding a Microsoft SQL Server 2005 instance Hiding a Microsoft SQL Server 2008 instance Changing the SQL instance name Uninstalling McAfee Vulnerability Manager Uninstalling a previous version of McAfee Vulnerability Manager Do NOT remove registry keys Configuring Your Servers McAfee Vulnerability Manager Update Setting up McAfee Vulnerability Manager Update Adding proxy information for connecting to the update server McAfee Vulnerability Manager 7.5 Installation Guide iii

4 Contents Running McAfee Vulnerability Manager Update as a service Troubleshooting the McAfee Vulnerability Manager Update service Register McAfee Vulnerability Manager Sending a registration request to McAfee Activate McAfee Vulnerability Manager Enable notifications Enabling SNMP notifications Enabling notifications Hardening your servers Update your servers with the latest patches Setting up SSL Add the enterprise manager trust site certificate Check the server_name in the CONFIG.INI file Installing the McAfee Vulnerability Manager Trust Site Certificate Upgrading to McAfee Vulnerability Manager Back up the SQL server database using SQL Server Management Studio Backing up the Windows registry Upgrading Microsoft SQL Server Microsoft SQL server 2005 installation settings Changing the Microsoft SQL memory settings Microsoft SQL server 2008 and 2008 R2 installation features Restoring the Windows registry Restoring the McAfee Vulnerability Manager database Upgrading from a previous version Merging the config.ini and php.ini files Starting and stopping the SQL server database Rerunning scans Microsoft Windows Server 2003 upgrade support Upgrading appliances Troubleshooting and Tips Finding the NetBIOS name Creating strong passwords Application Layer Gateway Message Performance issues when running a large number of reports SQL settings Changing the database authentication settings Optimize dynamic memory settings Setting the SA password in SQL Changing the TCP/IP protocol Optional enterprise manager settings Using McAfee VirusScan Enterprise 8.0i and later Setting up a logon message Allowing root organization administrators to switch to global administrator Setting up the CONFIG.INI and PHP.INI files Disabling SSL Turning off SSL in configuration manager Restarting the API server Modifying the CONFIG.INI file on the enterprise manager Turning off SSL on the enterprise manager Why does my Foundstone Configuration Agent system tray icon have an exclamation mark Installation error when FIPS is enabled Appendix Microsoft SQL 2005 Express Settings Microsoft SQL Server 2005 Express installation settings Internet access Microsoft SQL 2008 Express Settings Disabling Admin Approval Mode (Windows 2008 R2) Move the database Move the enterprise manager McAfee Vulnerability Manager 7.5 Installation Guide iv

5 Contents Changing the Foundstone Configuration Agent Settings Using the United States Federal Information Processing Standard McAfee Vulnerability Manager 7.5 Installation Guide v

6 Introducing McAfee Vulnerability Manager McAfee Vulnerability Manager is an agentless network scanner that helps you identify and protect the assets (systems) on your network. This allows managers to monitor and respond to changing risks in their environment. This installation guide contains system requirements and suggestions on how many servers to deploy based on the size of your network. This guide also contains the concepts and tasks for installing the product, what to do after installation, and upgrading from a previous version. Note: The Foundstone product is now known as McAfee Vulnerability Manager. For this release, some portions of the product retain the Foundstone label. Installation checklist These are the basic steps for preparing your network and installing McAfee Vulnerability Manager 7.5. Each step is explained in further detail later in this guide. Installing on a single server For users who want to install McAfee Vulnerability Manager on a single server. This section describes installing McAfee Vulnerability Manager, running your first scan, and reviewing the report. See Installing on a single server (page 24). Upgrade instructions For users who are upgrading from a previous version of the product, follow the instructions in Upgrading to McAfee Vulnerability Manager 7.5 (on page 63). Custom installation For users who want to install McAfee Vulnerability Manager on a more than one server. This installation process requires some planning and configuration for proper installation. Step 1: Pre-installation planning Scope out the size and shape of your network. Take special note of geographic challenges and firewalls. Determine which deployment architecture to use, based on the size and accessibility of the network. If a scan engine needs to access the entire network, are there any barriers? Using the system requirements guidelines for your chosen architecture, acquire systems and software to host the McAfee Vulnerability Manager servers. For details about pre-installation planning, see Before you install McAfee Vulnerability Manager (on page 31). Note: McAfee Vulnerability Manager does not support installation on a system with an underscore in the host name. Step 2: System component preparation Install Microsoft SQL Server (see "Preparing the database server" on page 32) and its latest service pack on the database server. Make sure that it is fully functional, and that the system administrator (SA) password is available. McAfee Vulnerability Manager 7.5 Installation Guide 6

7 Introducing McAfee Vulnerability Manager Components and what they do On the web server, install Microsoft IIS Web Server (see "Preparing the web server" on page 35) and its latest security patches. For details about preparing your servers, see System component preparation (on page 32). Step 3: Install McAfee Vulnerability Manager 7.5 Run the McAfee Vulnerability Manager 7.5 installation program on each server. For more information, see How to install McAfee Vulnerability Manager 7.5 (see "McAfee Vulnerability Manager 7.5 installation" on page 35). Post installation tasks On one scan engine, run the McAfee Vulnerability Manager 7.5 update program (see "McAfee Vulnerability Manager Update" on page 51) to get the latest vulnerability updates. This updates the database and any other scan engines connected to it. Register McAfee Vulnerability Manager 7.5 to activate it (see "Register McAfee Vulnerability Manager 7.5" on page 56). You have 60 days to use McAfee Vulnerability Manager 7.5 before the product ceases to function. Harden your servers (see "Hardening your servers" on page 61) to comply with your organization security policies. Maintain your database with regular backups and updated statistics to keep it running at optimal performance. For more information, see Configuring your servers (on page 51). Components and what they do McAfee Vulnerability Manager consists of components that work together to monitor your systems. Enterprise manager Uses Microsoft Internet Information Services (IIS) to provide authorized users with access to McAfee Vulnerability Manager through their web browsers. It allows them to manage and run the product from anywhere on the network. Access is protected by user identification and authentication. Set up Secure Socket Layers (SSL) through the web server to provide encrypted communication to browsers. Scan engine Scans the network environment. Depending on the logistics and size of your network, you might need more than one scan engine to scan the network. Scan controller Provides the communication between the scan engine and the database. Most network environments only need one scan controller. For a large network (class A) or segmented network (WAN), use multiple scan controllers. Database The data repository for the product. It uses Microsoft SQL Server to store everything from scan settings and results to user accounts and scan engine settings. It contains all of the information needed to track organizations and workgroups, manage users and groups, run scans, and generate reports. API server Provides the communication between the enterprise manager and the database. Notification service Provides SNMP and (SMTP) notification messages for integration with third-party help desk management systems and servers. Data synchronization service Gathers information from McAfee epo databases, LDAP servers, and other McAfee Vulnerability Manager 7.5 databases. For McAfee epo databases, it provides data to the product for host and OS identification. For LDAP servers, it provides assets you can add to scan configurations. For other McAfee Vulnerability Manager databases, it provides scan data. Report engine Generates scan-based and asset-based reports. Configuration manager Distributes initial certificates to the other product components and manages the updates to the product components. Web application scanner Provides a scan configuration, vulnerability checks, and scan reports for web applications. The web application scanner is a module that must be purchased. McAfee Vulnerability Manager 7.5 Installation Guide 7

8 Introducing McAfee Vulnerability Manager Finding product documentation Audience This information is intended for network administrator responsible for installing and configuring software on network servers. Finding product documentation McAfee provides the information you need during each phase of product implementation, from installing to using and troubleshooting. 1 Go to the McAfee Product Download site. 2 Type in your grant number, then click Submit. 3 Select McAfee Vulnerability Manager. After a product is released, information about the product is entered into the McAfee online KnowledgeBase at McAfee Vulnerability Manager 7.5 Installation Guide 8

9 System Requirements and Architectures Number of servers required System Requirements and Architectures These guidelines describe the McAfee Vulnerability Manager 7.5 system requirements for each component. Number of servers required The number, type, and placement of product servers depend on the total amount of address space, total number of live devices, network topology, desired scan performance, network constraints, and network policies. Note: McAfee Vulnerability Manager supports only servers running English-language operating systems. The following matrix provides guidelines for determining the number of McAfee Vulnerability Manager servers. Number of live IPs Number of servers Notes 0 2,500 One product server with an Allin-One configuration Ideal for small networks and product evaluations 2,500 10,000 10,001 20,000 Two product servers: One configured as enterprise manager web portal and the other configured as a database, API server, scan controller, and a scan engine with additional components. Two product servers: One configured as enterprise manager web portal and the other configured as database, API server, scan controller, and scan engine with additional components. One product server configured as a dedicated scan engine. Very common configuration for small to mid-sized deployments Well-suited for large, distributed environments McAfee Vulnerability Manager 7.5 Installation Guide 9

10 System Requirements and Architectures Number of servers required Number of live IPs 20,001 - >100,000 Number of servers Three product servers: One configured as enterprise manager web portal, one configured as database, and one configured as API server, scan controller, and scan engine with additional components. n product servers configured as dedicated secondary scan engines. Notes Ideal for large, global, distributed and diverse networks Consider these factors: Number of IP addresses to be scanned. The primary factor is the number of IP addresses to be scanned. Small to medium-sized networks, as well as installations for product evaluation purposes, can deploy a single product server. Larger networks are better accommodated with additional hardware. Network connectivity to, and reachability of, all desired target environments. A scan engine must be able to reach its targets for the results to provide value. When placing scan engines, consider the networks that are to be scanned and place the scan engine so that it is able to reach the maximum number of assets with as few firewalls or packet filtering devices as possible. Firewall traversing. The purpose of a firewall is to restrict traffic to legitimate users and prohibit traffic that might be malicious. Depending upon the nature of the vulnerability and the discovery methodology, vulnerability scanning signatures might resemble malicious traffic and be blocked or filtered by a firewall or port filter. The result of such well-intentioned security devices might be that the quality of data returned from a vulnerability scan is adversely affected. For example, hosts behind a firewall might not be discovered correctly or at all, or a firewall might make it appear that every host behind the firewall is present when they are not. Another possible effect is that discovery and assessments might take longer to complete when having to traverse a firewall compared to scans that do not have to traverse firewalls. A common technique to mitigate the impact is to either avoid sending the assessment traffic through a firewall altogether, or to create an exception rule in the firewall rule base to allow any and all packets to and from the scan engine to traverse the firewall unaltered. WAN links and latency. To ensure a manageable vulnerability assessment schedule, McAfee Vulnerability Manager employs various timing and monitoring components. Such components monitor the total time a thread has taken to run a check against a host. If a certain threshold is exceeded, the thread is terminated under the assumption that the host is down, or that packets have been lost in transit to or from the host. This technique is necessary to ensure that a scan is not in an infinite waiting state. Therefore, WAN links, or heavily congested networks in general, might need special consideration in a deployment. Tests have shown that scanning via WAN links with a latency of more than 150 milliseconds is likely to produce results of an improper quality. For example, a set of systems can only be reached via a WAN link, then consider placing a scan engine in the remote environment so scanning is done locally and not be subject to packet loss and timeouts that are common on a congested WAN link. McAfee Vulnerability Manager 7.5 Installation Guide 10

11 System Requirements and Architectures Hardware and software requirements Other network traffic (business-critical data/sessions). Any active scanning technology, such as McAfee Vulnerability Manager, sends some amount of data to assets on the network. This is an unavoidable consequence of any vulnerability scanning technology. McAfee Vulnerability Manager provides robust and detailed controls that allow customers to optimize the scanning behavior and speed of McAfee Vulnerability Manager. The product has default settings that have proved safe and effective in most networks. However, no matter how McAfee Vulnerability Manager is deployed and configured, you should always pay attention to network segments, WAN links, firewalls, and so on, where particularly important data is passing. Consider a remote site that is transmitting transactions from a website through a congested or slow WAN link during local business hours. Since this system only operates during certain hours, you should configure scans so that the environment is scanned while the web server is not processing transactions and not relying on bandwidth on the WAN link. Security or performance. When two product servers are used, McAfee recommends that you deploy the enterprise manager on one system and the other product components on the second system. This provides more security because the enterprise manager can be placed outside your firewall, so users can access it, while the second system can be placed inside the firewall to gather accurate data from scanned systems. However, having the scan engine and scan controller on the same system as the database can slow performance, based on the amount of data being processed. To improve performance when using two product servers, you could separate the scan engine and scan controller from the database. For example: the enterprise manager, scan engine, and scan controller on one system and the database and other McAfee Vulnerability Manager components on the second system. Hardware and software requirements This section covers the minimum hardware and software requirements for installing McAfee Vulnerability Manager. Note: When installing McAfee Vulnerability Manager on a server running Windows 2008 R2, you must either be logged in as the root administrator for the server or the Admin Approval Mode (see "Disabling Admin Approval Mode (Windows 2008 R2)" on page 101) must be disabled. Single server requirements These are the system requirements for installing McAfee Vulnerability Manager on a single server (Allin-One). If you are installing McAfee Vulnerability Manager on multiple servers, see Multiple Server requirements (page 12). Note: McAfee Vulnerability Manager components require an Internet Protocol version 4 (IPv4) address to properly communicate. Systems running product components must have an IPv4 address and can have an IPv6 address to facilitate scanning IPv6 targets. Single server system requirements Component Processor Memory Disk space Dedicated system Requirement Dual Xeon 2 GHz, Dual Core Xeon 2.33 GHz, or higher 4 GB RAM 160 GB Partition Yes Administrator account McAfee Vulnerability Manager 7.5 Installation Guide 11

12 System Requirements and Architectures Hardware and software requirements Component Disk partition formats Network card Requirement NTFS Ethernet Single server software requirements Microsoft Windows 2008 R2 Microsoft Windows 2008 R2 Service Pack 1 and later The Foundstone Configuration Agent requires administrator rights to start and stop services. If the logged in user does not have administrator rights, McAfee Vulnerability Manager might not function properly. Microsoft SQL Server Microsoft SQL Server 2005 Service Pack 4 and later (32-bit and 64-bit) Microsoft SQL Server 2008 Service Pack 1 and later (32-bit and 64-bit) Microsoft SQL Server 2008 R2 Service Pack 1 and later (32-bit and 64-bit) Microsoft SQL Express 2008 R2 Service Pack 1 and later (64-bit) Also: All Microsoft SQL and.net hotfixes and patches. McAfee recommends using 750 MB for the SQL memory setting. SQL Browser (SQL Express 2008 R2) Additional software (covered by default Microsoft Windows and Microsoft SQL installations) IIS 7.5, including current IIS security patches MDAC 2.8 World Wide Web Publishing must be running SQL Client Tools Note: McAfee Vulnerability Manager does not support installing the database with.net 4.0. If you must use.net 4.0, install the database first. Note: If you change the network settings on the server running the scan engine, the system should be restarted or the scan components must be restarted. Multiple server requirements McAfee Vulnerability Manager consists of several components. Any McAfee Vulnerability Manager component requiring a minimum amount of system resources are listed below. If you are installing multiple McAfee Vulnerability Manager components on a single server, use the highest minimum system requirements as your guide. Operating system requirements for all McAfee Vulnerability Manager 7.5 servers Windows Server 2008 R2, without a service pack, or with Service Pack 1 or later. McAfee Vulnerability Manager only supports English operating systems. The Foundstone Configuration Agent requires administrator rights to start and stop services. If the logged in user does not have administrator rights, McAfee Vulnerability Manager might not function properly. Note: To ensure scan accuracy and device communication, McAfee recommends specifying a static IP address. Note: McAfee Vulnerability Manager components require an Internet Protocol version 4 (IPv4) address to properly communicate. Systems running product components must have an IPv4 address and can have an IPv6 address to facilitate scanning IPv6 targets. McAfee Vulnerability Manager 7.5 Installation Guide 12

13 System Requirements and Architectures Hardware and software requirements Enterprise manager system requirements Component Processor Memory Disk space Additional software Dedicated system Disk partition formats Network card Requirement Dual Xeon 2 GHz, Dual Core Xeon 2.33 GHz, or higher 4 GB RAM 80 GB Partition IIS 7.5 Current IIS security patches World Wide Web Publishing must be running Yes Administrator account NTFS Ethernet Database system requirements Component Processor Disk space Requirement Dual Xeon 2 GHz, Dual Core Xeon 2.33 GHz, or higher 160 GB Partition Tip: 250 GB of disk space is recommended for large networks. Memory Additional software 4 GB Microsoft SQL Server 2005 SP4 and later (32-bit and 64-bit) Microsoft SQL Server 2008 SP1 and later (32-bit and 64-bit) Microsoft SQL Server 2008 R2 SP1 and later (32-bit and 64-bit) Also: All SQL hotfixes and patches All.NET hotfixes and patches Note: Microsoft SQL Server Express 2008 R2 is not recommended for a distributed environment. Dedicated system Virtual memory Disk partition formats SQL server memory settings Yes 4 GB minimum NTFS 900 MB McAfee Vulnerability Manager 7.5 Installation Guide 13

14 System Requirements and Architectures Hardware and software requirements Component Network card Requirement Ethernet SQL server memory recommendations McAfee recommends using the following SQL memory settings: When the database is the only component on the system, set the Maximum SQL memory to 1.4 GB. When the database and the Report Server are both running on the same system, use 900 MB. When the database and the scan engine are both running on the same system, use 750 MB. Note: McAfee Vulnerability Manager does not support installing the database with.net 4.0. If you must use.net 4.0, install the database first. Scan engine system requirements Component Processor Memory Disk space Requirements Dual Xeon 2 GHz, Dual Core Xeon 2.33 GHz, or higher 4 GB RAM 80 GB Partition Additional software MDAC 2.8 Dedicated system Virtual memory Disk partition formats Required services Network card Recommended when running large scans 4 GB minimum NTFS NetBIOS over TCP/IP Ethernet Note: Microsoft Windows does not allow the hostname and user name to be the same. Do not use FS as the hostname for the system running the scan engine. Note: If you change the network settings on the server running the scan engine, the system should be restarted or the scan components must be restarted. Scan controller system requirements Component Memory Disk space Additional software Dedicated system Network card Requirements 2 GB RAM 80 GB Partition MDAC 2.8 SQL Client Tools No Ethernet Note: The scan controller provides communication between the scan engines and the database. McAfee Vulnerability Manager 7.5 Installation Guide 14

15 System Requirements and Architectures Hardware and software requirements Configuration manager system requirements Component Memory Disk space Requirements 1 GB RAM 80 GB Partition Additional software MDAC 2.8 Dedicated system Network card No Ethernet API server system requirements Component Memory Disk space Requirements 1 GB RAM 80 GB Partition Additional software MDAC 2.8 Dedicated system Network card No Ethernet Notification service system requirements Component Memory Disk space Requirements 1 GB RAM 80 GB Partition Additional software MDAC 2.8 Dedicated system Network card No Ethernet Note: To provide notifications through , this server must have access to the relay server on your network. Data synchronization service system requirements Component Memory Disk space Requirements 1 GB RAM 80 GB Partition Additional software MDAC 2.8 McAfee Vulnerability Manager 7.5 Installation Guide 15

16 System Requirements and Architectures Browser requirements Component Dedicated system Network card Requirements No Ethernet Report engine system requirements Component Memory Disk space Requirements 2 GB RAM 80 GB Partition Additional software MDAC 2.8 Dedicated system Network card Recommended for report-intensive environments Ethernet Microsoft Windows Server 2003 support McAfee Vulnerability Manager 7.5 allows the use of Microsoft Windows Server 2003 for the scan controller and scan engine only, with some limitations. No support for scanning Internet Protocol version 6 (IPv6) targets. No support for McAfee epolicy Orchestrator or McAfee Policy Auditor integration. No support for McAfee Network Security Manager (NSM) integration. For installation information, see Adding an extra scan engine (page 38). For upgrade information, see Microsoft Windows Server 2003 upgrade support (page 75). Browser requirements Depending on the network settings, authorized users can access McAfee Vulnerability Manager through the web browser from anywhere. If you are upgrading to McAfee Vulnerability Manager 7.5, users should clear their web browser cache to ensure updated pages display properly. Individual browser requirements Microsoft Internet Explorer 8.0 or 9.0 running on a Microsoft Windows operating system. The recommended minimum screen resolution is 1024 x 768. Note: Searching for vulnerabilities in large reports might take a long time to complete. Use Microsoft Internet Explorer 9.0 for the best results. McAfee recommendations Install the latest service packs for your browser and operating system. Disable third-party pop-up blockers, web filters, and other extensions because these products can interfere with the ability to display certain pages in the enterprise manager. Install the Trusted Site Certificate (page 62) for all users accessing the enterprise manager. Turn off Display intranet sites in compatibility View. McAfee Vulnerability Manager 7.5 Installation Guide 16

17 System Requirements and Architectures Network requirements Note: Large fonts are not supported in Internet Explorer. Disable Enhanced Security Configuration If you are using Microsoft Internet Explorer 9 and Microsoft Windows Server 2008 (or Windows Server 2008 R2) to access the enterprise manager, Enhanced Security Configuration should be disabled. 1 Select Start Administrative Tools Server Manager. 2 Under Security Information, click Configure IE ESC. 3 Under Administrators, select Off. Note: Don't disable the Enhanced Security Configuration for Users, unless nonadministrators use the Microsoft Windows Server 2008 (or Windows Server 2008 R2) system for accessing the portal. 4 Click OK. 5 Close the Server Manager window. Network requirements McAfee Vulnerability Manager components use the network ports and protocols in the following tables. If there is a firewall separating components, these ports and protocols must be opened in your firewall configuration before installing McAfee Vulnerability Manager 7.5. The network requirements diagrams use a distributed deployment architecture to display communication paths. If you use a different deployment architecture, be sure to note which system is running a McAfee Vulnerability Manager component, and use the port number and communication path specified in the communication path tables. The network requirements diagrams are separated into two groups: connecting McAfee Vulnerability Manager components and connecting to external components. External components include other databases, McAfee epo databases, LDAP or Active Directory servers, and external ticketing or issue management systems. Connecting McAfee Vulnerability Manager components Figure 1: Network requirements McAfee Vulnerability Manager 7.5 Installation Guide 17

18 System Requirements and Architectures Network requirements McAfee Vulnerability Manager component communication paths # Title Description System 1 Enterprise manager System 2 API service, scan controller, and scan engine System 3 Database* System 4 Report server System 5 Scan Engine Authenticated User 1 Assessment management search results Enterprise manager Scan controller API server Scan engine Data synchronization service Notification service Database Configuration manager Report engine Scan engine Users log on to the enterprise manager. Ports: 443 or 80 SOAP over HTTPS or HTTP 2 Command and control Port: 3800 SOAP over HTTPS or HTTP 3 API service Port: 1433 (SSL over) TCP/IP 4 Scan data Port: 1433 (SSL over) TCP/IP 5 Data synchronization service** Port: 1433 (SSL over) TCP/IP 6 Notification service*** Port: 1433 (SSL over) TCP/IP 7 Scan data Port: 1433 (SSL over) TCP/IP 8 Report data Port: 1433 (SSL over) TCP/IP 9 Scan data (scan engine to scan controller) Ports: 3803 REST over HTTPS or HTTP McAfee Vulnerability Manager 7.5 Installation Guide 18

19 System Requirements and Architectures Network requirements 10 Generating reports or changing report templates Ports: 3802 REST over HTTPS or HTTP 11 Generated reports Ports: 443 or 80 REST over HTTPS or HTTP 12 Web browser traffic Ports: 443 or 80 HTTPS or HTTP *Changing the location of the configuration manager requires a communication path between the configuration manager and the database, using Port: 1433, (SSL over) TCP/IP. **Changing the location of the data synchronization service changes the communication path(s) displayed in this diagram. ***Changing the location of the notification service changes the communication path(s) displayed in this diagram. Note: All McAfee Vulnerability Manager components have an FCM Agent installed. The communication between each FCM Agent and the configuration manager server is Port: 3801, (SSL over) TCP/IP. Connecting external components Figure 2: External component communications External component communication paths # Title Description System 2 API service, scan controller, and scan engine Scan controller API server Scan engine Data synchronization service Notification service A B External ticketing or issue management External SMTP server McAfee Vulnerability Manager 7.5 Installation Guide 19

20 System Requirements and Architectures Deployment architectures C D External LDAP / Active Directory (AD) External McAfee epo Database 1 Notification service* Port: 162 SNMP 2 Notification service* Port: 161 SNMP 3 Notification service* Port: 25 SMTP 4 Data synchronization service** 5 Data synchronization service** Port: 389 LDAP Port: 1433 (SSL over) TCP/IP *Changing the location of the notification service changes the communication path(s) displayed in this diagram. **Changing the location of the data synchronization service changes the communication path(s) displayed in this diagram. McAfee Vulnerability Manager 7.5 Installation Guide 20

21 System Requirements and Architectures Deployment architectures Deployment architectures When installing McAfee Vulnerability Manager 7.5 components on multiple servers, use these general guidelines to help determine the best setup for your network: Dual-server architecture (on page 21) Three-server architecture (on page 22) Distributed server architecture (see "More than three servers" on page 23) Dual-server architecture This architecture is appropriate for small to medium (class C and class B) networks. The scan controller, scan engine and the database are installed on the same server; the enterprise manager is installed on its own server. This allows fast, efficient communication between the scan controller, scan engine, and database while a dedicated server runs the enterprise manager interface for your users. Figure 3: Dual server architecture System 1: Web portal Web portal Report engine System 2: Database and scan engine Scan controller Scan engine API server Notification service Data synchronization service Database Configuration Manager McAfee Vulnerability Manager 7.5 Installation Guide 21

22 System Requirements and Architectures Deployment architectures Three-server architecture This architecture is designed for large, global enterprises, and is appropriate for scanning multiple class B and class A networks. In this configuration, all three components reside on individual servers. Figure 4: Three server architecture System 1: Web portal Web portal System 2: Scan engine Scan controller Scan engine API server Notification service Data synchronization service System 3: Database Database Report engine Configuration manager McAfee Vulnerability Manager 7.5 Installation Guide 22

23 System Requirements and Architectures Deployment architectures More than three servers Larger, more complicated environments need multiple scan engines. Each engine generates scan traffic on their local network segments, and sends the resulting scan data back over the WAN to the database. This dramatically reduces the amount of traffic on the WAN resulting from network scans. Multiple scan engines can be added to this architecture. Figure 5: Distributed server architecture System 1: Web portal Web portal System 2: API server Scan controller Scan engine API server Notification service Data synchronization service System 4: Report server Report engine System 3: Database Database Configuration manager System 5: Scan engine Scan engine McAfee Vulnerability Manager 7.5 Installation Guide 23

24 Installing on a Single Server McAfee Vulnerability Manager architecture Installing on a Single Server The goal of this chapter is to give you an outline of the steps needed to conduct your first vulnerability scan with the McAfee Vulnerability Manager Software. This chapter is not intended to provide all of the detailed information you might need, rather simply provides a brief overview of the process. Later chapters in this guide contain more detailed information, including installing McAfee Vulnerability Manager on more than one server. This chapter takes a layered approach to help you better understand the overall McAfee Vulnerability Manager solution and how the pieces fit together. This chapter provides the following information: An outline of the overall process necessary to conduct your first vulnerability scan A high-level overview of the McAfee Vulnerability Manager architecture How the pieces fit together A checklist to help you install and configure McAfee Vulnerability Manager to run on a single appliance A checklist to help you conduct your first vulnerability scan and produce a report Note: McAfee Vulnerability Manager does not support installation on a system with an underscore in the host name. Audience This chapter is designed for the new user installing McAfee Vulnerability Manager on a single server (also known as Standard or an All-in-One). If you need to install McAfee Vulnerability Manager on more than one server, review later chapters in this document for more information. Process overview There are several steps necessary to set up and configure McAfee Vulnerability Manager and begin scanning. This list highlights the general steps: 1 Configure Microsoft SQL 2005 or Install and configure McAfee Vulnerability Manager 7.5 on a single system (All-in-One) 3 Set up your first scan and review the report McAfee Vulnerability Manager architecture McAfee Vulnerability Manager consists of several components. The three major components of McAfee Vulnerability Manager are: Enterprise Manager (web user interface) Database using Microsoft SQL Server (Microsoft SQL Server 2005, 2008 R2, 2005 Express, 2008, or 2008 Express) Scan Engines (there can be several scan engines per McAfee Vulnerability Manager instance and the scan engines can be remote) McAfee Vulnerability Manager 7.5 Installation Guide 24

25 Installing on a Single Server Installing and configuring McAfee Vulnerability Manager on a single server Other McAfee Vulnerability Manager configuration applications and services include a scan controller, an API service, a reporting service, a notification service, configuration manager, an update service, and data synchronization. In large enterprises, scanning hundreds of thousands of assets, these components and services should be installed on three to five separate appliances. This process is described in later sections of this guide, and is not be the focus of this chapter. However, for most customers not scanning hundreds of thousands of assets, a simpler approach is adequate. Either a single server or two servers (database separate) provides sufficient capacity. This chapter takes you through the process of installing McAfee Vulnerability Manager on a single server. How the pieces fit together After the initial system configuration, all vulnerability management functions (scanning, reporting, and remediation) are driven through the web portal. As McAfee Vulnerability Manager scans targets, the data is stored in the SQL database and reports are generated by the report server. Reports can be delivered by or viewed through the web portal. When deploying remote scanning engines (or other distributed McAfee Vulnerability Manager components) on other servers, the secure communication link between the distributed components is managed by the configuration manager. The configuration manager is mainly for infrastructure management, not for every day vulnerability management. Installing and configuring McAfee Vulnerability Manager on a single server You can install and configure McAfee Vulnerability Manager on a single server that uses Microsoft SQL Server as its database. The SQL settings are similar for both Microsoft SQL 2005 and SQL 2008, but the setting locations are different in each installation wizard. The SQL Server settings for both versions are included in this guide. For Microsoft SQL Express 2008 settings, see Using Microsoft SQL 2008 Express (page 101). Configuring Microsoft SQL 2005 (15-30 minutes) McAfee Vulnerability Manager 7.5 uses Microsoft SQL Server as its database. Install the Microsoft SQL Server database as directed by the SQL Server documentation. For information about installing Microsoft SQL Server Express 2005 or 2008, see the Appendix in this guide. Before installing the SQL Server, make sure your systems meet the minimum system requirements (see "System Requirements and Architectures" on page 9). Note: If you are upgrading from SQL Server 2000 to SQL Server 2005, go to Upgrading to SQL Server 2005 (page 67). SQL server installation suggested settings The following table shows the page names and recommended settings for each step of the installation. These settings are based on a typical Microsoft SQL Server 2005 installation. McAfee Vulnerability Manager 7.5 Installation Guide 25

26 Installing on a Single Server Installing and configuring McAfee Vulnerability Manager on a single server Installation Page Components to Install Instance Name Setting Select SQL Server Database Services and the Workstation components, Books Online and development tools. Select Default instance. Note: It is possible to give the instance a name. You must type this instance name when installing other McAfee Vulnerability Manager components. See Changing the SQL Instance Name (page 46). Service Account Select Use the built-in System account, then select Local system from the list. Select SQL Server under Start services at the end of setup. Authentication Mode Select Mixed mode. This mode is required to create or upgrade the database. See Changing the Database Authentication Settings (on page 77) for information on how to change this setting later. Create a password for the SA account. The maximum password length is 128 characters. Important: Remember the SA account password. You can use the SA account to access the database for maintenance or to back up the database. Collation Settings Error and Usage Report Settings Accept the defaults. Accept the defaults (none selected). After the installation has completed, McAfee recommends that you restart the computer before using SQL Server. Then, make sure the system has the latest SQL server service pack. Configuring SQL Server 2008 (15-30 minutes) The following lists show the recommended and minimum Microsoft SQL Server 2008 and 2008 R2 features for using McAfee Vulnerability Manager. Note: If you are upgrading from Microsoft SQL Server 2000 to Microsoft SQL Server 2008, go to Upgrading Microsoft SQL Server 2000 (page 67). SQL server installation (recommended) Database Engine Services, including all sub-features Client Tools Connectivity Client Tools Backward Compatibility SQL Server Books Online Management Tools (complete) SQL server installation (minimum) Database Engine Services Client Tools Connectivity Client Tools Backward Compatibility McAfee Vulnerability Manager 7.5 Installation Guide 26

27 Installing on a Single Server Installing and configuring McAfee Vulnerability Manager on a single server After the installation finishes, McAfee recommends that you restart the computer to begin using SQL Server. Then, make sure you have the latest SQL server service pack. Installing McAfee Vulnerability Manager (30 minutes - 1 hour) 1 Run the McAfee Vulnerability Manager installation program. The Welcome to McAfee Vulnerability Manager screen appears. Click Next. The end user license agreement appears. 2 Read the end user license agreement. Select Accept, then click Next. The Select Installation Type screen appears. 3 Select Standard, then click Next. 4 Select the database server where you want to install the database. Note: For 64-bit operating systems, you must type in the database server name. You must have administrative access to the SQL database to install the database. You can select Windows authentication or SQL Server authentication. If you select SQL Server authentication, type the SQL database credentials. Click Next. 5 Review the system checklist. The installation program runs a system check to ensure that all dependencies (critical and noncritical) are met. If any of the dependency checks fails, you must resolve the issue before you can install McAfee Vulnerability Manager. To resolve a dependency check, you must exit the installation program, fix the issue, then rerun the installation program. If all system checks pass, click Next. The Database Connection Information screen appears. 6 Type a McAfee Vulnerability Manager user password for the database. Type and re-type a password for the McAfee Vulnerability Manager user. The host name or IP address of this server is already entered in the field. The McAfee Vulnerability Manager user is used for connecting other McAfee Vulnerability Manager components to the database. Click Next. The Global Administrator Password page appears. 7 Create a password for the McAfee Vulnerability Manager Global Administrator. The McAfee Vulnerability Manager Global Administrator can create organizations and manage workgroups (sub-organizations) through the web interface. Type and re-type a password for the Global Administrator. There is only one global administrator per McAfee Vulnerability Manager deployment. Click Next to continue. When logging on as the Global Administrator, the organization name is fsglobal and the user name is globaladmin. 8 Create a new organization and type an administrator password. McAfee Vulnerability Manager uses organizations and workgroups (sub-organizations) as a way of managing access to the McAfee Vulnerability Manager web interface. Type the name of your first organization. Then type and re-type a password for the Administrator. Click Next. The Installation Settings page appears. 9 Click Install to install McAfee Vulnerability Manager. Since all components are installed on one server, there is no need to change any settings on the Installation Settings page. 10 When the installation process is complete, click Finish. A message states that a system restart is required. 11 Click OK to restart the system. Note: When installing McAfee Vulnerability Manager on Windows 2008 R2, a FS user account is created and appears on the logon screen. The FS account is reserved for the McAfee Vulnerability Manager scan engine and should not be used or modified. The McAfee Vulnerability Manager single server system is configured and you can create your first vulnerability scan, run it, and review the results. McAfee Vulnerability Manager 7.5 Installation Guide 27

28 Installing on a Single Server Creating your first vulnerability scan and report Note: Any changes made to the server hosting the McAfee Vulnerability Manager web portal (e.g. system name or domain name) after installation requires a manual change to the shortcut on the desktop. Creating your first vulnerability scan and report Once your McAfee Vulnerability Manager is installed and configured on a single server, you can create a Full Vulnerability scan and view the report. This section describes the steps required to set up your first vulnerability scan, run the scan, then review the results. Suggestions and tips are included to help you understand the workflow for McAfee Vulnerability Manager scans and scan data. More detailed information is available in the McAfee Vulnerability Manager product guide. McAfee Vulnerability Manager scans begin by creating a scan configuration through the web interface. A full vulnerability scan assesses your network for vulnerabilities using all existing non-intrusive vulnerability checks. The vulnerability scan report shows you the comprehensive data collected by the scan that provides an executive overview of the scan results and detailed information for each system scanned. It is recommended for your first scan to use a small set of the IP addresses available on your network. Full vulnerability scans require more time than other McAfee Vulnerability Manager scans due to the amount of data being assessed during the scan. By providing a small set of systems to scan, you can see the benefits of McAfee Vulnerability Manager scanning and reports in a shorter period of time. You can create your own scan configuration or select a pre-configured scan template. In a scan configuration you assign IP addresses or ranges to be scanned, type the credentials for accessing systems during scanning, select which vulnerabilities to scan for, select formats for your reports, and set up a schedule for running the scan. Providing credentials in a scan configuration allows the scan engine credentialed access to the systems being scanned, and returns a more accurate report on which systems are vulnerable and which are not. You can create a credential set which is a list of user credentials that can be used during a scan. A credential set can be used in multiple scan configurations and saves you time when user credentials change. You can update one credential set and have it applied to multiple scan configurations rather than having to update each scan configuration. Building your first vulnerability scan Create a Full Vulnerability scan to find asset vulnerabilities on your network. 1 Log on to the enterprise manager as an organizational administrator. Double-click the McAfee Vulnerability Manager icon on the desktop to open the logon page. Use the organization name, organization administrator name and password you created. For the organization you created during installation, the user name is Administrator. The home page displays key information about the systems scanned within an organization or workgroup. This page is populated with data once you have completed your first scan. 2 Open the new scan window and select a McAfee Vulnerability Manager template. Select Scans New Scan, the Scan Details window appears. Select Use a McAfee Vulnerability Manager template and a list of available McAfee Vulnerability Manager templates appears. Select Full Vulnerability Scan and click Next. The window displays the scan configuration tabs. McAfee Vulnerability Manager 7.5 Installation Guide 28