GRAVITYZONE HERE. Deployment Guide VLE Environment




LEGAL NOTICE

All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from an authorized representative of Bitdefender. The inclusion of brief quotations in reviews may be possible only with the mention of the quoted source. The content cannot be modified in any way.

Warning and Disclaimer. This product and its documentation are protected by copyright. The information in this document is provided on an "as is" basis, without warranty. Although every precaution has been taken in the preparation of this document, the authors will not have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work.

Trademarks. Trademark names may appear in this document. All registered and unregistered trademarks in this document are the sole property of their respective owners, and are respectfully acknowledged.

Copyright 2013 Bitdefender

Table of Contents

1. Introduction
2. Deployment Prerequisites
3. Deploying GravityZone Cluster
   3.1. Cluster Architecture
   3.2. Configuring the GravityZone VA
   3.3. Creating the GravityZone Cluster
      3.3.1. Creating the Database Server Role
      3.3.2. Creating a Web Console Role
      3.3.3. Creating an Update Server Role
      3.3.4. Creating a Communication Server Role
      3.3.5. Configuring GravityZone Load Balancing
      3.3.6. Configuring the External MDM Address
4. Control Center Configuration
   4.1. Setup
   4.2. Integrations
      4.2.1. Active Directory Integration
      4.2.2. Virtualization Integrations
   4.3. Accounts
   4.4. Settings
   4.5. Update
   4.6. Certificates
   4.7. License
   4.8. Alerts and Notifications

1. Introduction

The purpose of this document is to assist Bitdefender customers with the GravityZone deployment in their IT infrastructure, which may present similarities to the scenario on which this document is based. This document does not replace the GravityZone Administrator's Guide or the GravityZone Quick Start Guide; it is a natural extension of those documents, providing further details and insights and focusing on the deployment and overall configuration processes. For a detailed overview of the GravityZone features, please review the Administrator's Guide.

This document contains a deployment example of a GravityZone cluster running in the most complex architecture, designed to be used by very large enterprise organizations. This example best demonstrates the solution's scalability, load-balancing and high-availability capabilities.

IMPORTANT: Bitdefender's Professional Services team is providing this document as-is as a courtesy to its potential or existing customers, and it is not to be regarded as a replacement for Professional Services assistance. Bitdefender is not offering support for this document, and the accuracy of the information presented in this document is solely the author's responsibility.

Terms and Acronyms

This document uses the following terms and acronyms:

- GravityZone Server Role - a software package used primarily to provide a single network service. The server roles available in the GravityZone architecture are: Database Server, Communication Server, Web Console, Update Server
- GravityZone Server Instance - a virtual machine running one or more GravityZone server roles
- GravityZone Cluster - a collection of multiple GravityZone instances pooled together for horizontal scalability purposes
- GZ - GravityZone
- MDM - Mobile Device Management
- EPS - Endpoint Security, the antimalware agent used by GravityZone to protect physical devices
- SVE - Security for Virtualized Environments, the module used by GravityZone to protect virtualized environments using a centralized scanning approach

2. Deployment Prerequisites

The following steps must be completed before moving forward to the product deployment:

- Register for a GravityZone trial on the Bitdefender Enterprise website. After you enroll in the GravityZone trial you will receive license keys for each GravityZone service.
- Download the GravityZone VA corresponding to your virtualized environment.
- Make sure you have available the administrative credentials for every environment you want to integrate GravityZone Control Center with: Active Directory, vCenter Server, XenServer.
- Reserve the necessary number of IP addresses to be used by this GravityZone deployment. Every virtual appliance that is part of the GravityZone product requires either static IP addresses or DHCP reservations for IP addresses.
- Create DNS entries for every machine that will be part of GravityZone.
- Check for hardware resource availability, based on the hardware requirements data presented in the GravityZone Administrator Guide.
- Create an email account in your organization's email server for GravityZone to use for sending out email notifications to its users.

3. Deploying GravityZone Cluster

3.1. Cluster Architecture

The current GravityZone cluster deployment model is presented as an example that may be used by a very large enterprise environment, allowing the reader to understand the GravityZone architecture and its horizontal scalability.

For deployments that focus on protecting fewer than 15.000 endpoints, GravityZone is deployed as a single instance with all GravityZone server roles installed on the same virtual machine.

For deployments that aim to protect up to 50.000 endpoints, GravityZone is deployed in a 3-instance cluster. The GravityZone cluster is built using 3 server instances, each instance containing one of the following roles: Database Server, Communication Server, Web Server + Update Server.

The present document focuses on the steps that need to be completed by an organization deploying GravityZone to protect more than 50.000 endpoints in an environment containing physical systems, virtual machines and mobile devices.

3.2. Configuring the GravityZone VA

The following configuration steps are common to every new GravityZone Virtual Appliance and are the prerequisite for every new instance added to the GravityZone cluster.

a. Import the GravityZone Virtual Appliance once for every GravityZone server instance that you want to create.
b. Edit the virtual machine settings and define CPU and RAM according to the role it has in the GravityZone deployment.
c. Upon the first boot of a new virtual machine, you are required to configure the password for the built-in bdadmin system administrator account.
d. Log in to the CLI menu using the bdadmin account password.
e. From the Appliance Options menu, configure the following options:

- Option 1 Configure Hostname and Domain Settings. Each GravityZone instance needs to be configured with a hostname that is resolved by the organization's DNS and can also be added into the organization's Active Directory.
- Option 2 Configure Network settings. The appliance can be configured to automatically receive the network settings from a DHCP server or can have the network settings configured manually. If the DHCP configuration is used, make sure the IP address is reserved and will not be changed upon renewal.
- Option 3 Configure Proxy Settings. Each GravityZone instance requires Internet connectivity during the initial configuration. If the Internet access is routed through a proxy server, configure its address as shown in the example below.
- Option 4 Configure Language. This setting controls the CLI language and can be configured to English, French, Spanish or German.

- Option 6 Configure Update Server. During the initial configuration, every new GravityZone machine requires Internet access for the Bitdefender repositories and update servers. If such access cannot be configured, you can configure a separate Bitdefender local update server in your organization's DMZ to mirror our repositories and update servers. Using that DMZ local update server, you can configure every GravityZone machine to access it and download updates from there.

3.3. Creating the GravityZone Cluster

For the current deployment scenario, the GravityZone server cluster is created using 6 server instances, covering the following roles:

- Database Server Role: 1 instance
- Web Console Role: 2 instances
- Communication Server Role: 2 instances
- Update Server Role: 1 instance

The GravityZone cluster provides load balancing and high-availability capabilities that can be configured for the two front-end server roles, Web Console and Communication Server. If the built-in load balancer software (HAproxy) is used, the GravityZone cluster will need another instance added to host this role. The load balancing configuration is further explained in section 3.3.5 Configuring GravityZone Load Balancing.

3.3.1. Creating the Database Server Role

The first role to be installed in a new GravityZone cluster is the Database Server role. To install this role, follow the next steps:

a. Create a new GravityZone instance and log in to the Appliance Options menu.
b. Choose option 5 Install/Modify Roles and then option 1 Add or Remove Roles.
c. Select the Database Server role by pressing space and then start the role installation.

After a new database server is created in a new GravityZone cluster, the other server roles will register with the Database Server role so that they can be added to the newly created cluster.

3.3.2. Creating a Web Console Role

To create a new Web Server role, follow the next steps:

a. Create a new GravityZone instance and log in to the Appliance Options menu.
b. Choose option 7 Configure Database address.
c. Go back to the Appliance Options menu and select option 5 Install/Modify Roles, then select the Web Console role by pressing space and start the role installation.

For the current deployment scenario, the recommended GravityZone cluster architecture contains two Web Console instances, so you will need to follow the above procedure twice.

3.3.3. Creating an Update Server Role

To create a new Update Server role, follow the next steps:

a. Create a new GravityZone instance and log in to the Appliance Options menu.
b. Choose option 7 Configure Database address.
c. Go back to the Appliance Options menu and select option 5 Install/Modify Roles, then select the Update Server role by pressing space and start the role installation.

3.3.4. Creating a Communication Server Role

To create a new Communication Server role, follow the next steps:

a. Create a new GravityZone instance and log in to the Appliance Options menu.
b. Choose option 7 Configure Database address.
c. Go back to the Appliance Options menu and select option 5 Install/Modify Roles, then select the Communication Server role by pressing space and start the role installation.

For the current deployment scenario, the recommended GravityZone cluster architecture contains two Communication Server instances, so you will need to follow the above procedure twice.

3.3.5. Configuring GravityZone Load Balancing

In the GravityZone cluster, the role balancer (server role) provides high availability and load balancing functionality for the two front-end server roles, Web Console and Communication Server. For configuring a role balancer server role, GravityZone provides a built-in load balancer configured by using HAproxy. Alternatively, if the customer already has a different load balancer in their environment, GravityZone can be instructed to use that appliance.

To configure the GravityZone built-in load balancer role, follow the next steps:

a. Create a new GravityZone instance and log in to the Appliance Options menu.
b. Choose option 7 Configure Database address.
c. Go back to the Appliance Options menu, select option 6 Configure Role Balancers and then option 2 Use the built-in balancers. On the next window select the Web Console Balancer and Communication Server Balancer options.

To configure GravityZone to use an existing (external) load balancer, you need to configure that load balancer to execute TCP load balancing for two ports on the public IP address or domain name assigned to it. On those ports the load balancer receives requests designated for the Web Console roles and Communication Server roles, forwarding them internally to those servers.

For example:

External Web Server address on LB:
- https://ws.domain.com:4444

Internal Web Server addresses (as configured on the respective GZ instances):
- ws1.domain.local:443
- ws2.domain.local:443

External Communication Server address on LB:
- https://cs.domain.com:8888

Internal Communication Server addresses (as configured on the respective GZ instances):
- ecs1.domain.local:8443
- ecs2.domain.local:8443

After the external load balancer is configured, follow the next steps:

1. Log in to the Database Server instance Appliance Options menu.
2. Select option 6 Configure Role Balancers and then option 1 Use external balancers.
3. Fill in the external Web Server and Communication Server addresses configured on the external load balancer.

Note: If at any point, due to scalability considerations and environment growth, you decide to add more Web Console instances or Communication Server roles, after you configure them as new instances in the GravityZone cluster, you need to add their addresses to the external load balancer configuration.
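The external load balancer example above, written out as a configuration for a separately managed HAProxy instance acting as the external balancer. This is an added example, not Bitdefender's built-in balancer configuration: the ports and host names are the ones from the example, while the section names, timeouts, health-check intervals and the `balance source` choice are assumptions.

```haproxy
# Added example: external TCP load balancing for the two GravityZone
# front-end roles. Host names and ports come from the example above;
# everything else (names, timeouts, check intervals) is an assumption.

global
    log /dev/log local0
    maxconn 4096

defaults
    # Plain TCP forwarding: TLS is not terminated here, so clients still
    # see the certificate installed on the GravityZone instances.
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# External Web Server address: ws.domain.com:4444
frontend gz_web_console
    bind *:4444
    default_backend gz_web_console_nodes

backend gz_web_console_nodes
    # In TCP mode the balancer cannot read cookies, so source-IP hashing
    # is used to keep one browser on one Web Console node (assumption).
    balance source
    default-server inter 5s fall 3 rise 2
    server ws1 ws1.domain.local:443 check
    server ws2 ws2.domain.local:443 check

# External Communication Server address: cs.domain.com:8888
frontend gz_communication_server
    bind *:8888
    default_backend gz_communication_server_nodes

backend gz_communication_server_nodes
    balance roundrobin
    default-server inter 5s fall 3 rise 2
    server ecs1 ecs1.domain.local:8443 check
    server ecs2 ecs2.domain.local:8443 check
```

Running `haproxy -c -f <file>` checks the file for errors before it is loaded. A Web Console or Communication Server instance added later needs one more `server` line in the matching backend.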

3.3.6. Configuring the External MDM Address

GravityZone contains the Security for Mobile Devices module, allowing the GravityZone administrator to manage the users' mobile devices. The management capabilities for mobile devices are handled exclusively over the Internet, and for that reason the GravityZone Communication Server has to be configured with an external network address from which it receives communication from the managed mobile devices. To facilitate this communication, the infrastructure administrators have to configure a NAT rule on the border firewall to correlate the external address with the internal communication server address. If the configured Communication Server load balancing address is already configured as an external address, that address can be used.

The External MDM Address is configured in the GravityZone cluster following the next steps:

1. Log in to the Database Server instance Appliance Options menu.
2. Select option 6 Configure Communication Server and then option 2 Configure MDM Server external address.
3. Fill in the external Web Server and Communication Server addresses configured on the external load balancer.

4. Control Center Configuration

Once you finish configuring the GravityZone cluster, you will need to set up the GravityZone Control Center. During the initial setup of Control Center, you are required to configure the root level account, allowing you to do all configurations related to:

- Integrations setup
- Email server connectivity and global proxy settings
- Updates management
- Security Certificates management
- Administrator accounts management
- Notification management

4.1. Setup

To start the GravityZone Control Center setup:

a. Access the Control Center web interface. Open a web browser and access the configured IP address/domain name and port of the Web Console role balancer address.
b. Create the root account. During the creation of the root level account, GravityZone will register with an existing MyBitdefender account and validate the license keys over the Internet.

- Log in with your MyBitdefender account. If you don't have one, click I don't have a MyBitdefender account and you will be redirected to this portal where you will be able to create an account.

- Enter the product license keys to activate each GravityZone service and click Next.
- Configure the root level account name, email address and password.

After the Root account has been created, GravityZone will automatically log in to the root level using the created user.

Note: There can only be one root user per GravityZone cluster; other accounts with the same level of privileges cannot be created.

4.2. Integrations

GravityZone Control Center integrates with different parts of your environment so as to simplify the deployment and management processes.

4.2.1. Active Directory Integration

The AD integration allows administrators to manage the physical environment and mobile devices. For physical device management, Control Center will replicate the Computers tree, including groups and OUs, populating the internal network inventory with the same structure and contents. With regard to mobile device management, Control Center will replicate from AD the groups and OUs containing domain user accounts, allowing the administrators to bind mobile devices to user accounts and manage them centrally.

To activate the AD integration, follow the next steps:

- Go to the Integration menu and click the Active Directory tab.
- Check the Synchronize with Active Directory box, then enter the domain name and the administrative account (domain administrator account or member of Domain Admins).
- Click Save to initiate the first synchronization between Control Center and AD. The sync time will depend on the number of AD inventory objects: as an estimation, for more than 10k inventory objects, the synchronization will take about one minute.

4.2.2. Virtualization Integrations

The Control Center integration with VMware vCenter Server and Citrix XenServer can be configured from the Virtualization integrations tab.

a. vCenter Server integration

The vCenter Server integration allows the administrator to manage the virtualized environment running on VMware vSphere. Control Center replicates both the Hosts and Clusters and VMs and Templates trees (including Resource Pools and VM folders), allowing the internal network inventory to display the exact structure and contents of the vCenter inventory.

To activate the vCenter Server integration, follow the next steps:

- Go to the Integration menu and click the Virtualization tab.
- Click the Add (+) button and select vCenter Server.
- On the Add vCenter Server configuration window, specify the name for this integration, the hostname or IP address of the target vCenter Server and the connection port.
  Note: Change the port only if you configured a different listening port for vSphere client connections. For more details review VMware KB article 2031843.
- Optionally, if you plan on using a vShield Endpoint integration to provide protection to your virtual machines, specify the hostname or IP address and port for vShield Manager. GravityZone SVE will then use a vShield Endpoint integration to protect the virtual machines of this vCenter server.
  Note: Change the port only if you configured a different listening port for REST API calls on vShield Manager. For more details please refer to the VMware vShield Manager Quick Start Guide.
- Enter the appropriate vCenter Server administrative credentials. If vCenter is integrated with AD, you can check the Use credentials provided for Active Directory synchronization box.

- Click Save and Control Center will synchronize with vCenter Server for the first time. If your environment contains multiple instances of vCenter Server, repeat this operation for every instance.

b. XenServer Integration

The XenServer integration allows the administrator to manage the virtualized environment running on Citrix XenServer. Control Center replicates both the VMs and Folders trees, allowing the internal network inventory to display the exact structure and contents of the XenServer or Resource Pool inventory. If Resource Pools are used, make sure the integration target for that pool is the XenServer pool master instance, to ensure a successful integration.

To activate the XenServer integration, follow the next steps:

- Go to the Integration menu and click the Virtualization tab.
- Click the Add (+) button and select XenServer.
- On the Add XenServer configuration window, specify the name for this integration, the hostname or IP address of the target XenServer and the connection port.
  Note: Change the port only if you configured a different listening port for XenServer communication. For more details review the Citrix XenServer Administrator Guide.
- Enter the appropriate XenServer administrative credentials. Once the AD credentials are validated by XenServer, you can check the Use credentials provided for Active Directory synchronization box.

- Click Save and Control Center will synchronize with XenServer for the first time. If your environment contains multiple instances of XenServer or resource pools, repeat this operation for every instance.

4.3. Accounts

GravityZone uses two main account types:

- Root account - this account allows the administrator to configure every option presented throughout Section 5 of the present document.
- User account - when logged in with the user account, the administrator is able to handle all the configuration-related tasks GravityZone can apply to the protected environment: deploy the endpoint protection, issue configuration policies and tasks, review dashboard events and generate reports.

From the Accounts menu, the root administrator can create, manage and delete User accounts. By default, Control Center does not have any administrator accounts created.

To create a new administrator account, follow the next steps:

- Go to the Accounts menu and click the Add (+) button.
- Select the user type. Control Center is integrated with AD and allows the root administrator to (re)create existing AD users and provide them login privileges in Control Center. When this user type is used, the email address and password are the same as the ones the user had in AD.
  Note: As you start to type the user name in the Username textbox, the existing user account will be suggested. If the account you are trying to create has been recently created and does not appear as a suggested option, click the Force Resync button, which will trigger an on-demand AD synchronization.
  Alternatively, the new user can be a Custom User, unrelated to AD. In this case a valid email address and a password must be provided.

- Select the Role, Timezone and Control Center language for the new user. In Control Center, a new user account can have an Administrator role (is allowed to use every feature of Control Center) or a Reporter role (is only allowed to view the Dashboard section and generate reports). The rights are related to their managed environment.
- Select the Service type for this new account to manage. You can assign permissions for a new user over Physical, Virtual Machines and Mobile devices, or just on one or two services. After you select the service, click the Target link and choose the groups to be managed by the user.
- Once ready, click the Save button to create the new user.

4.4. Settings

In the Settings menu you can configure the Control Center mail server connector and global proxy settings.

a. Mail Server connector

Control Center requires access to the organization's email server to be able to send email notifications and scheduled reports to its root and administrative accounts.

Important: The root account password recovery mechanism relies on the mail server integration. If GravityZone is not integrated with an email server, the password recovery mechanism will not work.

To configure the Mail Server connector, follow the next steps:

- Go to the Settings menu and click the Mail Server tab.
- Activate the Mail Server Settings option and configure the mail server hostname or IP address, connection port, encryption method for the connection, email account and credentials for that email account.
  Note: The email account credentials are only required if your email server requires authentication.
- Once ready, click the Save button.

b. Proxy Settings

GravityZone requires a permanent Internet connection to validate the license key and download product and signature definition updates. In case the Internet access is routed through a proxy server, the administrator needs to configure the correct proxy connection details in this section.

- Go to the Settings menu and then click the Proxy tab.
- Activate the Use Proxy Settings option and configure the proxy address and port. If required by your proxy server, add the username and password.

- Once ready, click the Save button.

c. Miscellaneous settings

- SVE Security Server image availability. Upon the initial GravityZone deployment, the SVE Security Server VM templates are not downloaded automatically. From this section, administrators can instruct GravityZone to automatically download the Security Server VM template upon request, whenever required during a deployment task. Alternatively, you can download the templates in advance by using the Update settings described in section 4.5b Product Update.
- Concurrent deployments. This setting controls the number of endpoint deployments that can run simultaneously. For instance, if this value is set to 20 and the administrator creates a deployment task for 100 targeted systems, GravityZone will process only 20 installations at a time. The default value for this setting is 10.

4.5. Update

In the Update menu you can configure the local Update Server and the global Product Update settings for all Update Server roles included in the GravityZone cluster.

a. Update Server

The GravityZone cluster is delivered with a local Bitdefender Update Server role. The global Update Server settings need to be changed only if the administrator prefers to have the update servers from the GravityZone cluster update from a different instance of Bitdefender Update Server that is already present in the environment.

- Go to the Update menu and click the Update Server tab.
- In this section you can configure a new Bitdefender local update server as the default download location for all the Update Server roles within the GravityZone cluster. In addition, you can set the update interval and the reporting proxies (virus reporting, crash submitter and license registration).

Note: Bitdefender recommends keeping the default settings in this section.

b. Product Update

In this section you can control the global product updates for the GravityZone cluster members and for the Security Servers and Components Updates:

- Go to the Update menu and click the Product Update tab.
- When there is a new update available for GravityZone, the Update Now button is enabled, allowing the administrator to trigger the GravityZone update for every server role deployed in the cluster. Every time there is a new update available for the GravityZone cluster or one of its components, Control Center will send the administrator an email notification, as configured in the Notification area, which is covered in section 4.8 Alerts and Notifications.
  Note: Depending on the Internet connection speed, the update might take up to 10 minutes to complete.

- The Components Update section allows administrators to download the required endpoint components:
  - Endpoint Security Client: the endpoint installer package used by Endpoint Security to protect and manage physical devices.
  - Bitdefender Tools: the endpoint installer package used by SVE to protect and manage virtual machines.
  - Security Server: the VM template of Security Server, the centralized scanning component of SVE offering remote scanning services to VMs protected by Bitdefender Tools. Security Server comes in 4 available templates depending on the environment it protects: VMware integrated with vShield Endpoint, VMware without vShield, XenServer and Hyper-V.

Note: Upon request, Bitdefender can deliver templates which can be used on any other virtualized environment (e.g. KVM, Oracle VM etc.). For more details please contact the Bitdefender Enterprise Support team.

To save bandwidth and resource consumption, GravityZone will not automatically download these packages. Depending on the specific needs of every protected environment, the product administrator can download only the components required for that environment.

Whenever Bitdefender releases a product update for one of its components, the available version for each product will be incremented and the administrator will have the option to select that installer package and choose to update it. This action will only update the installer package stored by GravityZone and used for new product deployments. Existing deployed products are updated automatically using the live update mechanism.

4.6. Certificates

This section allows the administrator to replace the self-signed certificates available by default on all Web Console and Communication Server instances with valid certificates issued for the organization. If the Security for Mobile Devices module is used to manage iOS mobile devices, this section allows the administrator to create and add an Apple MDM Push Notifications certificate as well as to add iOS MDM Identity and Profile Signing / iOS MDM Trust Chain certificates.

a. Control Center Security (Web Console roles) and Communication Server certificates

- Click the corresponding certificate link.
- Select the certificate type: with separate key or with embedded key.
- Select the certificate file and private key (if necessary). Click Add.
- Enter the password for the private key (if the key is encrypted).
- Save the settings.

b. Apple MDM Push Certificate

- To start the process, click Apple MDM Push

- Create a new certificate signing request signed by Bitdefender and download it from your browser. If you already have a certificate signing request, choose the second option and you will be prompted to allow Bitdefender to sign your existing certificate signing request. Click Next.
- Control Center redirects you to the Apple Push Certificates Portal. Using the existing certificate signing request, follow the steps on this portal and generate your own push notifications certificate. When the process is finished, click Next.
- Add the generated push notifications certificate and click Finish.
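
The certificate dialogs in section 4.6 ask whether the file carries a separate or an embedded key and whether that key is encrypted. The following is an added example, not part of the Bitdefender guide: a pre-upload check that reads a PEM file's block labels and reports those answers together with the number of certificates in the file. The function name and the sample data are assumptions made for illustration; the sample payloads are constructed placeholders, not real certificates or keys.

```python
import re

# One PEM block: BEGIN line, optional RFC 1421 headers plus base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def inspect_pem(text):
    """Report key placement, key encryption and certificate count of a PEM file."""
    certs = keys = 0
    encrypted = False
    other = []
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            keys += 1
            # PKCS#8 marks encryption in the label, traditional keys in a header.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                encrypted = True
        else:
            other.append(label)  # e.g. a CSR uploaded by mistake
    if keys > 1:
        raise ValueError("more than one private key in file")
    if certs == 0 and keys == 0:
        raise ValueError("no certificate or private key PEM block found")
    if certs and keys:
        kind = "embedded key"
    elif certs:
        kind = "separate key"   # the key must be supplied as its own file
    else:
        kind = "key only"
    return {"kind": kind, "certificates": certs,
            "password_needed": encrypted, "other_blocks": other}

def pem_block(label, body="Q09OU1RSVUNURUQ="):
    """Build a constructed PEM block with a placeholder payload (not real DER)."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed samples: a three-certificate chain with an encrypted PKCS#8 key,
# a traditional encrypted RSA key file, and a lone certificate.
CHAIN_WITH_KEY = pem_block("CERTIFICATE") * 3 + pem_block("ENCRYPTED PRIVATE KEY")
LEGACY_KEY = pem_block(
    "RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQ09OU1RSVUNURUQ=")
CERT_ONLY = pem_block("CERTIFICATE")

if __name__ == "__main__":
    for name in ("CHAIN_WITH_KEY", "LEGACY_KEY", "CERT_ONLY"):
        print(name, inspect_pem(globals()[name]))
```

The check only reads block labels and headers; it does not validate signatures or chain order.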

c. iOS MDM Identity and Profile Signing / iOS MDM Trust Chain

- Click the corresponding certificate link.
- Select the certificate type: with separate key or with embedded key (if necessary).
- Select the certificate file and private key (if necessary). Click Add.
- Enter the password for the private key (if the key is encrypted).
- Save the certificate.

Note: iOS MDM Identity and Profile Signing and Communication Server certificates need to be trusted by the iOS device in order for the iOS MDM Trust Chain Certificate to work. The device needs the whole path to the Root certificate (if it's a self-signed certificate originating within the company) or to an intermediate certificate issued by a major vendor so it can trust these certificates. Create a PEM file that includes all intermediate certificates up to the self-signed Root or company CA, depending on your PKI.

4.7. License

The License menu from Control Center allows the administrator to change, add or remove license keys for any module provided by GravityZone: Endpoint Security, SVE, Security for Mobile Devices. The existing entries are provided by the license keys used in the initial root account setup covered in section 4.1 Setup.

When keys need changing, you can simply type the new license key code in the Key textbox and click the Add (+) button. Control Center always remembers the last configured key for a module.

4.8. Alerts and Notifications

Every Control Center user can configure GravityZone to send out email notifications for events related to new updates available, detected malware outbreaks or licensing. To configure these alerts, follow the next steps:

- Access the Notifications Area as shown in the screenshot below.
- Click See all notifications and hit the Settings button.
- In the Notifications Settings window you can configure which type of notifications you want to receive by email and how long the notifications should be archived (zero means they will never be deleted). For the Malware Outbreak notification, you can set the percentage threshold of infected systems from the total of protected systems that will trigger this alert. The alert is triggered by default if 5% of your managed systems become infected.
- By default, the notifications are sent to the user account email address. However, other recipients can be defined in the Send also to textbox.