Agent Install Guide Lumension Endpoint Management and Security Suite 7.3
Notices

Version Information
Lumension Endpoint Management and Security Suite Agent Install Guide - Lumension Endpoint Management and Security Suite Version 7.3 - Published: May 2013
Document Number: 02_017_7.3_131261142

Copyright Information
Lumension
8660 East Hartford Drive, Suite 300
Scottsdale, AZ 85255
Phone: +1 888.725.7828
Fax: +1 480.970.6323
E-mail: info@lumension.com

Copyright 1999-2013; Lumension Security, Inc.; all rights reserved. Covered by one or more of U.S. Patent Nos. 6,990,660, 7,278,158, 7,487,495, 7,823,147, 7,870,606, and/or 7,894,514; other patents pending. This manual, as well as the software described in it, is furnished under license. No part of this manual may be reproduced, stored in a retrieval system, or transmitted in any form, electronic, mechanical, recording, or otherwise, except as permitted by such license.

LIMITATION OF LIABILITY/DISCLAIMER OF WARRANTY: LUMENSION SECURITY, INC. (LUMENSION) MAKES NO REPRESENTATIONS OR WARRANTIES WITH REGARD TO THE ACCURACY OR COMPLETENESS OF THE INFORMATION PROVIDED IN THIS MANUAL. LUMENSION RESERVES THE RIGHT TO MAKE CHANGES TO THE INFORMATION DESCRIBED IN THIS MANUAL AT ANY TIME WITHOUT NOTICE AND WITHOUT OBLIGATION TO NOTIFY ANY PERSON OF SUCH CHANGES. THE INFORMATION PROVIDED IN THIS MANUAL IS PROVIDED AS IS AND WITHOUT WARRANTY OF ANY KIND, INCLUDING WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE INFORMATION PROVIDED IN THIS MANUAL IS NOT GUARANTEED OR WARRANTED TO PRODUCE ANY PARTICULAR RESULT, AND THE ADVICE AND STRATEGIES CONTAINED MAY NOT BE SUITABLE FOR EVERY ORGANIZATION. NO WARRANTY MAY BE CREATED OR EXTENDED WITH RESPECT TO THIS MANUAL BY SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. LUMENSION SHALL NOT BE LIABLE TO ANY PERSON WHATSOEVER FOR ANY LOSS OF PROFIT OR DATA OR ANY OTHER DAMAGES ARISING FROM THE USE OF THIS MANUAL, INCLUDING BUT NOT LIMITED TO DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.
Trademark Information
Lumension, Lumension Endpoint Management and Security Suite, Lumension Endpoint Management Platform, Lumension Patch and Remediation, Lumension Enterprise Reporting, Lumension Security Configuration Management, Lumension Content Wizard, Lumension Risk Manager, Lumension AntiVirus, Lumension Wake on LAN, Lumension Power Management, Lumension Remote Management, Lumension Scan, Lumension Security Configuration Management, Lumension Application Control, Lumension Device Control, Lumension Endpoint Security, Lumension Intelligent Whitelisting, PatchLink, PatchLink Update, their associated logos, and all other Lumension trademarks and trade names used here are the property of Lumension Security, Inc. or its affiliates in the U.S. and other countries. RSA Secured is a registered trademark of RSA Security Inc. Apache is a trademark of the Apache Software Foundation. In addition, any other companies' names, trade names, trademarks, and products mentioned in this document may be either registered trademarks or trademarks of their respective owners.

Feedback
Your feedback lets us know if we are meeting your documentation needs. E-mail the Lumension Technical Publications department at techpubs@lumension.com to tell us what you like best, what you like least, and to report any inaccuracies.
Table of Contents

Preface: About This Document
  Typographical Conventions
  Contacting Lumension
Chapter 1: Agent Requirements
  Supported Endpoint Operating Systems
  Agent Supported Locales
  Agent Supported Languages
  Requirements
  Agent for Windows
  Agent for Linux, UNIX, and Mac
Chapter 2: Introduction and Installation Methods
  About the Lumension EMSS Agent
  Selecting an Agent Installation Method
  Additional Installation Methods
Chapter 3: Installing Agents by Agent Management Jobs
  About Agent Management Jobs
  Preparing for Agent Installation by Agent Management Jobs
  Port and ICMP Requirements for Agent Management Jobs
  Configuring the Lumension EMSS Server for Discovery Scanning
  Configuring Windows XP and Windows Server 2003 Endpoints for Agent Management Jobs
  Configuring Vista or Later Endpoints for Agent Management Jobs
  Installing Agents by Agent Management Job
  Editing Targets
Chapter 4: Installing Agents by Command Line
  Preparing for Agent Installation by Command Line
  Installing Java Runtime Environment
  Downloading the Installer
  Silently Installing the Agent by Command Line (Windows)
  Installing the Agent by Command Line (Linux, UNIX, or Mac)
  Silently Installing the Agent by Command Line (Linux, UNIX, or Mac)
Chapter 5: Installing Agents by Installer
  Preparing for Installation by Agent Installer
  Downloading the Installer
  Installing the Single Agent for Windows XP and Later
  Installing the Agent for Mac
Appendix A: Upgrading Agents
  Upgrading Agents Automatically
  Defining Installable Agent Versions
  Upgrading the Agent Automatically
  Upgrading Agents Locally
Appendix B: Uninstalling Agents
  Uninstalling Agents by Agent Management Job
  Uninstalling the Lumension EMSS Agent Locally on Windows
  Uninstalling the Agent Locally on Linux, UNIX, or Mac
Preface: About This Document

This Agent Install Guide is a resource written for all users of Lumension Endpoint Management and Security Suite 7.3. This document defines the concepts and procedures for installing, configuring, implementing, and using Lumension Endpoint Management and Security Suite 7.3.

Tip: Lumension documentation is updated on a regular basis. To acquire the latest version of this or any other published document, please refer to the Lumension Customer Portal (http://portal.lumension.com/).

Typographical Conventions
The following conventions are used throughout this documentation to help you identify various information types.

Table 1: Typographical Conventions
Convention | Usage
bold | Buttons, menu items, window and screen objects.
bold italics | Wizard names, window names, and page names.
italics | New terms, options, and variables.
MONOSPACE UPPERCASE | Keyboard keys.
BOLD UPPERCASE | SQL Commands.
monospace | File names, path names, programs, executables, command syntax, and property names.
Contacting Lumension

Arizona
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
United States of America
Phone: +1 888 725 7828
Phone: +1 480 970 1025
Fax: +1 480 970 6323

Ireland
Lumension Security Ireland Ltd.
Lyrr Building, Second Floor
Mervue Business & Technology Park
Mervue, Galway
Ireland
Phone: +353 91 44 8980
Fax: +353 91 76 6722

Luxembourg
Lumension Security SA
Atrium Business Park
Z.A Bourmicht
23, rue du Puits Romain
L-8070 Bertrange
Luxembourg
Phone: +352 265 364 11
Fax: +352 265 364 12

Lumension Support
phone:
- +1 480 970 1025 (USA)
- +1 877 713 8600 (USA - legacy Sanctuary products)
- +353 9142 2999 (EMEA)
- +44 800 012 1869 (UK)
- +61 (02) 8223 9810 (Australia)
- +852 3071 4690 (Hong Kong)
- +65 6622 1078 (Singapore)
submit a ticket: Registered users can open a support ticket via the customer portal (http://support.lumension.com/). Lumension customers without a support account should contact our support team (support@lumension.com) to have an account created.

Note: For additional contact information, please visit the Contact Lumension page at http://www.lumension.com/contact-us.aspx.
Chapter 1: Agent Requirements

In this chapter:
- Supported Endpoint Operating Systems
- Agent Supported Locales
- Agent Supported Languages
- Requirements

The agent is supported on a variety of operating systems and platforms. Before installing the agent on an endpoint, make sure the endpoint meets the recommended hardware and software requirements.

Supported Endpoint Operating Systems
The Lumension EMSS Agent and all available endpoint modules can be installed on multiple operating systems.

The following table lists the Windows platforms on which the Lumension EMSS Agent 7.3 is supported.

Table 2: Supported Windows Operating Systems
Operating System | Version | Edition | Data Width | Proc. Family | Software Prerequisites | Agent Version
Microsoft Windows 8 (1) | 6.2 | Professional, Enterprise (2) | 32/64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2012 (3) | 6.2 | Standard (2)(4), Datacenter (2)(4), Foundation, Essentials | 64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Storage Server 2012 | 6.2 | Standard, Workgroup | 64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows 7 | 6.1 | Professional, Enterprise, Ultimate | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2008 R2 | 6.1 | Standard, Enterprise, Web | 64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Vista (5) | 6.0 | Business, Enterprise, Ultimate | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2008 (6) | 6.0 | Web, Standard, Enterprise | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows 2003 SP1+ | 5.2 | Web, Standard, Enterprise, R2 | 32/64 bit | Intel | Microsoft .NET Framework 2.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows XP SP2+ (7) | 5.1 | Professional | 32/64 bit | Intel | Microsoft .NET Framework 2.0+ | Lumension EMSS 7.3 Agent

(1) The N editions of this family are supported. However, the RT edition of this family is not supported.
(2) The evaluation version of this edition is supported.
(3) The Hyper-V edition of this family is not supported.
(4) Server Core mode for this edition is supported.
(5) The Home edition of this family is not supported.
(6) The Datacenter and Core editions of this OS family are not supported.
(7) Home, Media Center, and Tablet PC editions are not supported.

Note: The Software Prerequisites column applies only to Patch and Remediation and Security Configuration Management endpoints. Agents without these modules do not require the software prerequisites. Microsoft .NET Framework 4.0 is installed on Windows 8 and Server 2012 by default.
The following table lists the Linux, UNIX, and Apple platforms on which the agent is supported. This version of the agent can only be installed in environments that have Patch and Remediation installed.

Table 3: Supported Linux, UNIX, and Apple Operating Systems
Operating System | Version | Edition | Data Width | Proc. Family | Software Prerequisites | Agent Version
Apple Mac OS X | 10.5, 10.4, 10.3 | All | 32/64 bit | PowerPC | Sun Java JRE 1.5.0+ | Patch 7.0 Agent
Apple Mac OS X | 10.8 (1), 10.7 (1), 10.6, 10.5, 10.4 | All | 32/64 bit | Intel | Sun Java JRE 1.5.0+ | Patch 7.0303 Agent
HP-UX | 11.31, 11.23, 11.11 | All | 64 bit | PA-RISC | Sun Java JRE 1.5.0+ | Patch 7.0 Agent
HP-UX | 11.31 | All | 64 bit | Itanium | Sun Java JRE 1.5.0+ | Patch 7.0303 Agent
IBM AIX | 7.1, 6.1 | All | 32/64 bit | PowerPC | Sun Java JRE 1.5.0+ | Patch 7.0303 Agent
Novell SUSE Linux | 11, 10 | Server, Desktop | 32/64 bit | Intel | Sun Java JRE 1.5.0+ or IcedTea/OpenJDK | Patch 7.0303 Agent
Red Hat Enterprise Linux | 6 (1), 5 | Server, Desktop | 32/64 bit | Intel | Sun Java JRE 1.5.0+ or IcedTea/OpenJDK | Patch 7.0303 Agent
Oracle Solaris | 11, 10 | All | 32/64 bit | SPARC/Intel | Sun Java JRE 1.5.0+ | Patch 7.0303 Agent
Oracle Linux | 6, 5 | Server | 32/64 bit | Intel | Sun Java JRE 1.5.0+ or IcedTea/OpenJDK | Patch 7.0303 Agent
CentOS Linux | 6, 5 | Server | 32/64 bit | Intel | Sun Java JRE 1.5.0+ or IcedTea/OpenJDK | Patch 7.0303 Agent

(1) This version of Apple Mac OS X is compatible with either Sun Java JRE 1.5.0+ or IcedTea/OpenJDK.

Agent Supported Locales
The Lumension Endpoint Management and Security Suite Agent is only supported on operating systems that use certain locales. Ensure the endpoint you are installing an agent on uses one of the listed locales.

- da-da: Danish (Denmark)
- en-au: English (Australia)
- en-bz: English (Belize)
- en-ca: English (Canada)
- en-in: English (India)
- en-ie: English (Ireland)
- en-jm: English (Jamaica)
- en-nz: English (New Zealand)
- en-ph: English (Philippines)
- en-sg: English (Singapore)
- en-za: English (South Africa)
- en-gb: English (United Kingdom)
- en-us: English (United States)
- es-es: Spanish (Spain)
- fi-fi: Finnish (Finland)
- fr-fr: French (France)
- de-de: German (Germany)
- it-it: Italian (Italy)
- ja-jp: Japanese (Japan)
- ko-kr: Korean (Korea)
- nl-nl: Dutch (Netherlands)
- no-no: Norwegian - Nynorsk (Norway)
- pt-br: Portuguese (Brazil)
- ru-ru: Russian (Russia)
- sv-se: Swedish (Sweden)
- zh-cn / zh-chs: Chinese (China [Simplified])
- zh-tw / zh-cht: Chinese (Taiwan [Traditional])
Agent Supported Languages
The Lumension Endpoint Management and Security Suite Agent is only supported in certain languages. Ensure the endpoint you are installing an agent on uses one of the listed languages.

Table 4: Agent Supported Languages
Description | Language Code | LCID string | Decimal | Hexadecimal
English - United States | en | en-us | 1033 | 0409
English - United Kingdom | en | en-gb | 0809 | 041d
English - South Africa | en | en-za | 7177 | 1c09
Chinese - China (Simplified) | zh | zh-cn / za-chs | 2052 | 0804
Chinese - Taiwan (Traditional) | zh | zh-tw / zh-cht | 1028 | 0404
Danish | da | da | 0406 | 1030
Dutch - Netherlands | nl | nl-nl | 1043 | 0413
Finnish - Finland | fi | fi | 1035 | 040b
French - France | fr | fr-fr | 1036 | 040c
German - Germany | de | de-de | 1031 | 0407
Italian - Italy | it | it-it | 1040 | 0410
Japanese | ja | ja | 1041 | 0411
Korean - Korea | ko | ko | 1042 | 0412
Norwegian - Nynorsk | no | no-no | 1044 | 0414
Portuguese - Brazil | pt | pt-br | 1046 | 0416
Russian | ru | ru | 1049 | 0419
Spanish - Spain (Modern Sort) | es | es-es | 3082 | 0c0a
Swedish - Sweden | sv | sv-se | 1053 | 041d
Requirements
Endpoints that host the agent must meet defined hardware and software requirements.

Note: You must disable any virus-scanning software prior to the installation of the Lumension Agent for Windows. Failure to do so may result in an unsuccessful agent installation.

Agent for Windows
The following minimum requirements must be met in order to install the agent on endpoints running the Microsoft Windows operating system.

- 500 MHz processor or higher.
- RAM requirements:
  - 256 MB RAM for Windows XP and Windows Server 2003.
  - 1 GB RAM for Windows Vista and later.
- 1 GB of free disk space.
- A single 10 Mbps network connection (with access to the Lumension Endpoint Management and Security Suite server).
- Port requirements:
  - Port 80 must be open for module download purposes.
  - Port 443 must be open for policy download and general communication.
  - Ephemeral ports must be open to listen for Notification Manager connection requests (Patch and Remediation only).
    - For pre-Windows Vista releases, open ports 1024-4999.
    - For Windows Vista and Windows releases after Windows Vista, open ports 49152-65535.
  Note: After the listener is established, you can discover the port number used for listening at the following location in the endpoint registry: HKLM\SOFTWARE\Patchlink.com\Gravitix\PDDMPort with a name of PDDMPort. Do not edit the registry entry. Irreversible damage might occur if you edit this registry key incorrectly. For added protection, Microsoft recommends backing up a Windows registry. Then, if a problem does occur, you may restore the Windows registry by using the backup.
- Windows Installer 2.0 or higher.
- One of the following: Microsoft Internet Explorer 8, Microsoft Internet Explorer 9, or Mozilla Firefox 17.x Extended Support Release (ESR) version.
  Note: Due to the accelerated release cycle of the Mozilla Firefox RapidRelease version, support for Mozilla Firefox RapidRelease cannot be guaranteed.
- Network connectivity to your Lumension Endpoint Management and Security Suite server.
The following table lists the platforms on which the agent is supported.

Table 5: Supported Windows Operating Systems
Operating System | Version | Edition | Data Width | Proc. Family | Software Prerequisites | Agent Version
Microsoft Windows 8 (1) | 6.2 | Professional, Enterprise (2) | 32/64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2012 (3) | 6.2 | Standard (2)(4), Datacenter (2)(4), Foundation, Essentials | 64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Storage Server 2012 | 6.2 | Standard, Workgroup | 64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows 7 | 6.1 | Professional, Enterprise, Ultimate | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2008 R2 | 6.1 | Standard, Enterprise, Web | 64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Vista (5) | 6.0 | Business, Enterprise, Ultimate | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2008 (6) | 6.0 | Web, Standard, Enterprise | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows 2003 SP1+ | 5.2 | Web, Standard, Enterprise, R2 | 32/64 bit | Intel | Microsoft .NET Framework 2.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows XP SP2+ (7) | 5.1 | Professional | 32/64 bit | Intel | Microsoft .NET Framework 2.0+ | Lumension EMSS 7.3 Agent

(1) The N editions of this family are supported. However, the RT edition of this family is not supported.
(2) The evaluation version of this edition is supported.
(3) The Hyper-V edition of this family is not supported.
(4) Server Core mode for this edition is supported.
(5) The Home edition of this family is not supported.
(6) The Datacenter and Core editions of this OS family are not supported.
(7) Home, Media Center, and Tablet PC editions are not supported.

Note: The Software Prerequisites column applies only to Patch and Remediation and Security Configuration Management endpoints. Agents without these modules do not require the software prerequisites. Microsoft .NET Framework 4.0 is installed on Windows 8 and Server 2012 by default.

Agent for Linux, UNIX, and Mac
The following minimum requirements must be met in order to install the agent on endpoints running the Linux, UNIX, or Mac operating systems.

- Presence of /tmp directory (/var/tmp directory on Solaris) for temporary file storage and processing.
- 105 MB of free disk space for the agent installation. It is recommended that there be 100 MB of free disk space in /tmp (/var/tmp for Solaris) and a separate 50 MB of free disk space in the agent installation directory.
- 500 MHz or greater processor.
- 256 MB RAM.
- 10 Mbps network connection (with access to the Lumension Endpoint Management and Security Suite server).
- Sufficient free disk space to download and install patches.
- Network connectivity to your Lumension Endpoint Management and Security Suite server.
- Lumension recommends opening ports 49152-65535 on Linux, UNIX, and Mac endpoints. The agent randomly opens one of these ports to listen for check now commands, which are server-sent requests that the agent check for tasks. Closing these ports delays agent tasks until the agents check in on their own.

Note: The install (and uninstall) must be done by the root user (superuser).
The following table lists the platforms on which the agent is supported.

Table 6: Supported Linux, UNIX, and Apple Operating Systems
Operating System | Version | Edition | Data Width | Proc. Family | Software Prerequisites | Agent Version
Apple Mac OS X | 10.5, 10.4, 10.3 | All | 32/64 bit | PowerPC | Sun Java JRE 1.5.0+ | Patch 7.0 Agent
Apple Mac OS X | 10.8 (1), 10.7 (1), 10.6, 10.5, 10.4 | All | 32/64 bit | Intel | Sun Java JRE 1.5.0+ | Patch 7.0303 Agent
HP-UX | 11.31, 11.23, 11.11 | All | 64 bit | PA-RISC | Sun Java JRE 1.5.0+ | Patch 7.0 Agent
HP-UX | 11.31 | All | 64 bit | Itanium | Sun Java JRE 1.5.0+ | Patch 7.0303 Agent
IBM AIX | 7.1, 6.1 | All | 32/64 bit | PowerPC | Sun Java JRE 1.5.0+ | Patch 7.0303 Agent
Novell SUSE Linux | 11, 10 | Server, Desktop | 32/64 bit | Intel | Sun Java JRE 1.5.0+ or IcedTea/OpenJDK | Patch 7.0303 Agent
Red Hat Enterprise Linux | 6 (1), 5 | Server, Desktop | 32/64 bit | Intel | Sun Java JRE 1.5.0+ or IcedTea/OpenJDK | Patch 7.0303 Agent
Oracle Solaris | 11, 10 | All | 32/64 bit | SPARC/Intel | Sun Java JRE 1.5.0+ | Patch 7.0303 Agent
Oracle Linux | 6, 5 | Server | 32/64 bit | Intel | Sun Java JRE 1.5.0+ or IcedTea/OpenJDK | Patch 7.0303 Agent
CentOS Linux | 6, 5 | Server | 32/64 bit | Intel | Sun Java JRE 1.5.0+ or IcedTea/OpenJDK | Patch 7.0303 Agent

(1) This version of Apple Mac OS X is compatible with either Sun Java JRE 1.5.0+ or IcedTea/OpenJDK.
Chapter 2: Introduction and Installation Methods

In this chapter:
- About the Lumension EMSS Agent
- Selecting an Agent Installation Method
- Additional Installation Methods

The Lumension EMSS agent is installed on network endpoints to manage their behavior through instructions from the Lumension Endpoint Management and Security Suite server. You can install the agent on your network endpoints using a variety of methods.

About the Lumension EMSS Agent
Lumension Endpoint Management and Security Suite uses a server/client relationship to manage network endpoints. Endpoints communicate with the Lumension Endpoint Management and Security Suite server using the Lumension EMSS Agent.

After installing the Lumension Endpoint Management and Security Suite server, you can begin installation of the Lumension EMSS Agent, which should be installed on any network endpoints you want to manage using the Lumension Endpoint Management and Security Suite Web console. The agent can be installed on network endpoints in a variety of ways, all of which are documented in this guide.

Following initial installation, the agent registers with the Lumension Endpoint Management and Security Suite server, and the two components begin communication.

The agent downloads the following data from the Lumension Endpoint Management and Security Suite server:
- Agent policies, which contain information about how the agent should behave.
- Agent packages, which contain files to modify the agent.

The agent uploads the following messages to the Lumension Endpoint Management and Security Suite server:
- Host endpoint operating system information.
- Heartbeats, which are notification messages the agent sends to the server. This message is used to continually notify the server that the agent is available within the network.

Additionally, if you are licensed for additional Lumension Endpoint Management and Security Suite modules, you can install these modules on the Lumension EMSS agent, which expands its functions.

For more information on modules and module installation, refer to Lumension Endpoint Management and Security Suite User Guide (http://portal.lumension.com).
Selecting an Agent Installation Method
You can install the Lumension EMSS Agent or Patch Agent on your network using a variety of methods. Because each company has a unique network environment, network administrators should carefully consider which method to use when installing the agent. The following list describes each installation method.

Table 7: Installation Methods

Agent Management Jobs
Agent Management Jobs are Lumension Endpoint Management and Security Suite's onboard method for agent installation across multiple network endpoints. These jobs search for endpoints in your network and then install the agent. You can complete Agent Management Jobs within the Lumension Endpoint Management and Security Suite Web console using an easy-to-complete Wizard. You can use this install method to install the agent on Windows operating systems. For additional information about this installation method, refer to Installing Agents by Agent Management Jobs.

Command Line
You can use the command prompt to call the Lumension Endpoint Management and Security Suite Agent and Patch Agent installer and define installation parameters. Using this method, you can install a single agent on a local or remote endpoint. You can use this install method to install the agent on the following operating systems:
- Windows
- Linux
- UNIX
- Mac
For additional information about this installation method, refer to Installing Agents by Command Line.

Install Wizard
The Lumension EMSS Agent and Patch Agent for Mac can be installed with a simple-to-use install wizard, which can be downloaded from the Lumension Endpoint Management and Security Suite console. After downloading the installer, complete the agent install wizard to complete agent installation. You can use this install method to install the agent on the following operating systems:
- Windows
- Mac
For additional information about this installation method, refer to Installing Agents by Installer.

Note: The supported operating systems listed in this topic are generalized for each operating system. Before installing the agent on an endpoint, ensure its operating system is supported by consulting Supported Endpoint Operating Systems.

Additional Installation Methods
Advanced network administrators with a high understanding of network administration may prefer to install the Lumension EMSS agent using other installation methods not documented in this guide. The following table lists alternative installation methods.

Table 8: Additional Installation Methods

Third Party Software
In some environments, customers may prefer to use third-party software, such as PsExec, to install the agent.

Golden Image
In networks making substantial use of golden images, which are compressed operating system archives that are entirely installed and configured according to an organization's specifications, network administrators may benefit from adding the Lumension EMSS Agent to their image.

Attention: These installation methods are not documented in this guide. For additional information on these installation methods, contact Lumension Support (support@lumension.com).
Chapter 3: Installing Agents by Agent Management Jobs

In this chapter:
- About Agent Management Jobs
- Preparing for Agent Installation by Agent Management Jobs
- Port and ICMP Requirements for Agent Management Jobs
- Configuring the Lumension EMSS Server for Discovery Scanning
- Configuring Windows XP and Windows Server 2003 Endpoints for Agent Management Jobs
- Configuring Vista or Later Endpoints for Agent Management Jobs
- Installing Agents by Agent Management Job

Lumension Endpoint Management and Security Suite includes an agent installation method that you can perform from the Lumension Endpoint Management and Security Suite Web console: Agent Management Jobs. After you complete a step-by-step wizard, these jobs discover Windows endpoints within your network and then install the agent.

About Agent Management Jobs
Agent Management jobs let you install Lumension Endpoint Management and Security Suite agents remotely on multiple Windows endpoints within your network. Use of agent management jobs eases the task of agent installation by letting network administrators install agents from within the Lumension Endpoint Management and Security Suite console.

These jobs are configured in the Agent Management Job Wizard, which is accessible from the Lumension Endpoint Management and Security Suite Web console. During job configuration, you must define the information the job uses to find endpoints in your network and then install agents on them.

The initial portion of an agent management job detects endpoints and their operating systems in your network using pings and endpoint scanning.

Agent management jobs then begin their next function: agent installation. Based on the operating system information found during scanning, agent management jobs determine which type of agent to install on applicable endpoints. To access the endpoint, the agent management job provides the endpoint with applicable credentials. These credentials are entered during job configuration. After the endpoint authenticates the credentials, the agent management job begins agent installation. Installation occurs silently in an endpoint's background; endpoint users are unaware of the installation.

Preparing for Agent Installation by Agent Management Jobs
To complete agent installation using agent management jobs, you must first configure your Lumension Endpoint Management and Security Suite server and target endpoints for agent management jobs.

To complete agent installation by agent management job, complete the following tasks:

1. Verify that your target endpoints are all supported Windows endpoints. You cannot complete agent management jobs on Linux, UNIX, or Mac endpoints.
2. Gather the credentials for target endpoints that have administrative access. Successful job outcome is contingent upon authenticated credentials.
3. Configure the Lumension Endpoint Management and Security Suite server for discovery scanning. For additional information, refer to Configuring the Lumension EMSS Server for Discovery Scanning.
4. Configure your target endpoints to accept agent management jobs. Target endpoints must be configured to allow agent management jobs access to the endpoint.
   - To configure Windows XP or Windows 2003 endpoints for agent management jobs, complete Configuring Windows XP and Windows Server 2003 Endpoints for Agent Management Jobs.
   - To configure Windows Vista and later endpoints for agent management jobs, complete Configuring Vista or Later Endpoints for Agent Management Jobs. While configuring Windows Vista or later endpoints, ensure network discovery and file sharing are turned on.
5. Complete the Agent Management Job. For additional information, refer to Installing Agents by Agent Management Job.

You can only use agent management jobs to install agents on Windows endpoints.
The following table lists each operating system you can install to using agent management jobs. For a more thorough list of OS requirements, refer to Agent Requirements.

Table 9: Agent Management Supported Operating Systems
Operating System | Version | Edition | Data Width | Proc. Family | Software Prerequisites | Agent Version
Microsoft Windows 8 (1) | 6.2 | Professional, Enterprise (2) | 32/64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2012 (3) | 6.2 | Standard (2)(4), Datacenter (2)(4), Foundation, Essentials | 64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Storage Server 2012 | 6.2 | Standard, Workgroup | 64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows 7 | 6.1 | Professional, Enterprise, Ultimate | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2008 R2 | 6.1 | Standard, Enterprise, Web | 64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Vista (5) | 6.0 | Business, Enterprise, Ultimate | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2008 (6) | 6.0 | Web, Standard, Enterprise | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows 2003 SP1+ | 5.2 | Web, Standard, Enterprise, R2 | 32/64 bit | Intel | Microsoft .NET Framework 2.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows XP SP2+ (7) | 5.1 | Professional | 32/64 bit | Intel | Microsoft .NET Framework 2.0+ | Lumension EMSS 7.3 Agent

Port and ICMP Requirements for Agent Management Jobs
In environments that use third-party firewalls to protect endpoints, you must first create firewall exceptions for successful completion of agent management jobs. These exceptions will also allow discovery scan jobs to return more detailed information about endpoints.
Within your firewall application, open the ports listed in the following table.

Table 10: Required Ports

Required Ports | Description
445/TCP, 139/UDP, 135/UDP, 137/UDP | Lumension EMSS uses these ports to access the endpoint during the installation process of the agent management job. Discovery scan jobs also use these ports to discover information about the endpoint. After the agent management job completes, you can reclose these ports.
443/TCP, 80/TCP | Following agent installation, the Lumension EMSS Agent uses these ports to register and communicate with the Lumension EMSS Server. After the agent management job completes, you should leave these ports open.

Additionally, both discovery scan jobs and agent management jobs require the endpoint to accept pings from the Lumension EMSS server. Therefore, you should also create an exception for inbound ICMP echo requests within your third-party firewall.

Configuring the Lumension EMSS Server for Discovery Scanning

The Lumension Endpoint Management and Security Suite server must be configured in the following manner so that you can run agent management jobs on your managed endpoints.

1. Click Start > Run.
2. Enter regedit in the Open field.
3. Click OK. The registry editor displays.
4. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Control\Lsa.
5. Verify that the value for the lmcompatibilitylevel registry key is set to 3.
   Note: Under most network conditions, a setting of 3 is sufficient. However, in some networks, this key may require a different value. To determine which value to use, refer to How to Enable NTLM 2 Authentication (http://support.microsoft.com/kb/239869).

Result: The Lumension Endpoint Management and Security Suite Server is configured for discovery scanning.

After Completing This Task: If you are configuring the Lumension Endpoint Management and Security Suite server for scanning in preparation for agent management jobs, continue to endpoint configuration. For additional information about endpoint configuration for agent management jobs, refer to one of the following topics:
   - Configuring Windows XP and Windows Server 2003 Endpoints for Agent Management Jobs on page 27
   - Configuring Vista or Later Endpoints for Agent Management Jobs on page 37

Configuring Windows XP and Windows Server 2003 Endpoints for Agent Management Jobs

Before you can remotely install agents on your Windows XP and Windows Server 2003 endpoints, you must first configure your endpoints for agent management jobs. Endpoint configuration for agent management includes starting the required services; enabling file and print sharing; creating firewall exceptions; configuring your NTLM settings; and enabling network shares. Complete these instructions from the Windows 2003 or Windows XP endpoint you want to configure for agent management.

Note: If your organization uses a third-party firewall:
   - Do not complete the steps in this procedure for creating Windows Firewall exceptions. Your third-party firewall makes them unnecessary.
   - You must create exceptions for Lumension EMSS within your third-party firewall. For additional information, refer to Port and ICMP Requirements for Agent Management Jobs on page 25.
First, ensure that the services necessary for successful agent management are started.

1. Select Start > Control Panel. Control Panel opens.
2. Double-click Administrative Tools. The Administrative Tools dialog opens.
   Figure 1: Administrative Tools Dialog
3. Double-click Services. The Services dialog opens.
   Figure 2: Services Dialog
4. Ensure the necessary services are started. The following list itemizes the services that must be started for job completion.
   Note: In environments that use a third-party firewall, ensure the Windows Firewall/Internet Connection Sharing service is instead disabled.
   - DCOM Server Process Launcher
   - Remote Procedure Call (RPC)
   - Server
   - Windows Firewall/Internet Connection Sharing (ICS)
   - Windows Management Instrumentation
   If all of the listed services required for your configuration purposes have a Server status of Started, continue to the next step. If any of the listed services for your configuration purposes are not started, complete the following substeps to start them.
   a) Right-click the applicable service and select Properties. The properties dialog for the service opens.
   b) Ensure the Startup type list is set to Automatic. If edits are necessary, click Apply after selecting Automatic from the list.
   c) Click Start. The service starts.
   d) Click OK. The properties dialog for the service closes.
   e) If necessary, repeat the substeps for each unstarted service.
5. Close the Services dialog and the Administrative Tools dialog.

Next, ensure Simple File Sharing is disabled on the endpoint. You must have this setting disabled so that the Lumension EMSS can access the necessary files during agent installation; Simple File Sharing can prevent this process.

6. Select Start > My Computer. The My Computer dialog opens.
7. From the dialog toolbar, select Tools > Folder Options. The Folder Options dialog opens.
8. Select the View tab. The View tab opens.
9. Ensure the Use simple file sharing (Recommended) check box is clear. You may have to scroll to find this setting.
10. Click OK.
11. Close the My Computer dialog.

Next, ensure File and Printer sharing is enabled. To install an agent on your endpoint, Lumension EMSS needs access to certain endpoint folders. Enabling File and Printer sharing grants this access.

12. Select Start > Control Panel. Control Panel opens.
13. Double-click Network Connections. The Network Connections dialog opens.
14. Right-click your local area connection and select Properties. The Local Area Connection Properties dialog opens.
    Figure 3: Local Area Connection Properties Dialog
15. Ensure the File and Printer Sharing for Microsoft Networks check box is selected.
16. Click OK. The Local Area Connection Properties dialog closes.
17. Close the Local Area Connections Status dialog and the Network Connections dialogs.
Next, ensure Windows Firewall is configured to allow exceptions for agent management jobs. A Windows Firewall that does not allow exceptions will block pings and other agent management processes. Ensure that firewall exceptions are in place for successful agent management. Create the firewall exceptions using the Local Group Policy Editor. Create exceptions for both the standard and domain profiles.

Note: In environments using a third-party firewall, do not complete the steps to create Windows Firewall exceptions. Instead, create exceptions in your third-party firewall. For additional information, refer to Port and ICMP Requirements for Agent Management Jobs on page 25.

18. Select Start > Run. The Run prompt opens.
19. Type gpedit.msc in the Open field and press ENTER. The Group Policy dialog opens.
    Figure 4: Group Policy Dialog

Next, ensure firewall exceptions are created for the domain profile. These settings allow the Lumension EMSS to access the endpoint through the firewall. While in this dialog, ensure the settings (and their subsettings) are configured for agent management jobs:
   - Windows Firewall: Do not allow exceptions
   - Windows Firewall: Allow remote administration exceptions
   - Windows Firewall: Allow file and printer sharing exceptions
   - Windows Firewall: Allow ICMP exceptions

Configure the following settings (and their subsettings) for agent management purposes:

20. Expand the local computer policy tree to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profiles. Ensure the Domain Profiles folder is selected.
21. Disable the Windows Firewall: Do not allow exceptions setting.
    a) From the main pane, right-click Windows Firewall: Do not allow exceptions and select Properties. The exception dialog opens.
    b) Ensure the Disabled option is selected.
    c) Click OK. The Windows Firewall: Do not allow exceptions setting is configured.
22. Configure the Windows Firewall: Allow remote administration exceptions setting.
    a) From the main pane, right-click Windows Firewall: Allow remote administration exceptions and select Properties. The setting dialog opens.
    b) Ensure the Enabled option is selected.
    c) [Optional] Define an IP range in the Allow unsolicited incoming messages from field. Lumension recommends defining this field using your Lumension EMSS Server IP address. To define a range, you may use the following syntax. This input is not validated.
          * (any IP address)
          10.3.2.0/24 (specific Class C subnet)
          localsubnet (for local subnetwork access only)
    d) Click OK. The Windows Firewall: Allow remote administration exceptions setting is configured for agent management.
23. Configure the Windows Firewall: Allow file and printer sharing exceptions setting.
    a) From the main pane, right-click Windows Firewall: Allow file and printer sharing exceptions and select Properties. The setting dialog opens.
    b) Ensure the Enabled option is selected.
    c) [Optional] Define an IP range in the Allow unsolicited incoming messages from field. Lumension recommends defining this field using your Lumension EMSS Server IP address. To define a range, you may use the following syntax. This input is not validated.
          * (any IP address)
          10.3.2.0/24 (specific Class C subnet)
          localsubnet (for local subnetwork access only)
    d) Click OK. The Windows Firewall: Allow file and printer sharing exceptions setting is configured for agent management.
24. Configure the Windows Firewall: Allow ICMP exception setting.
    a) From the main pane, right-click Windows Firewall: Allow ICMP exceptions setting and select Properties. The setting dialog opens.
    b) Ensure the Enabled option is selected.
    c) Ensure the Allow inbound echo request check box is selected.
    d) Ensure all other check boxes are cleared.
    e) Click OK. The Windows Firewall: Allow ICMP exceptions setting is configured.

After configuring firewall exceptions for the domain profile, you must also complete identical steps to configure firewall exceptions for your standard profile. Configure the following settings (and their subsettings) for agent management purposes:
   - Windows Firewall: Do not allow exceptions
   - Windows Firewall: Allow remote administration exception
   - Windows Firewall: Allow file and printer sharing exception
   - Windows Firewall: Allow ICMP exceptions

The following steps fully explain how to configure each setting.

25. Expand the local computer policy tree to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profiles. Ensure the Standard Profiles folder is selected.
26. Disable the Windows Firewall: Do not allow exceptions setting.
    a) From the main pane, right-click Windows Firewall: Do not allow exceptions and select Properties. The exception dialog opens.
    b) Ensure the Disabled option is selected.
    c) Click OK. The Windows Firewall: Do not allow exceptions setting is configured.
27. Configure the Windows Firewall: Allow remote administration exceptions setting.
    a) From the main pane, right-click Windows Firewall: Allow remote administration exceptions and select Properties. The setting dialog opens.
    b) Ensure the Enabled option is selected.
    c) [Optional] Define an IP range in the Allow unsolicited incoming messages from field. Lumension recommends defining this field using your Lumension EMSS Server IP address. To define a range, you may use the following syntax. This input is not validated.
          * (any IP address)
          10.3.2.0/24 (specific Class C subnet)
          localsubnet (for local subnetwork access only)
    d) Click OK. The Windows Firewall: Allow remote administration exceptions setting is configured for agent management.
28. Configure the Windows Firewall: Allow file and printer sharing exceptions setting.
    a) From the main pane, right-click Windows Firewall: Allow file and printer sharing exceptions and select Properties. The setting dialog opens.
    b) Ensure the Enabled option is selected.
    c) [Optional] Define an IP range in the Allow unsolicited incoming messages from field. Lumension recommends defining this field using your Lumension EMSS Server IP address. To define a range, you may use the following syntax. This input is not validated.
          * (any IP address)
          10.3.2.0/24 (specific Class C subnet)
          localsubnet (for local subnetwork access only)
    d) Click OK. The Windows Firewall: Allow file and printer sharing exceptions setting is configured for agent management.
29. Configure the Windows Firewall: Allow ICMP exception setting.
    a) From the main pane, right-click Windows Firewall: Allow ICMP exceptions setting and select Properties. The setting dialog opens.
    b) Ensure the Enabled option is selected.
    c) Ensure the Allow inbound echo request check box is selected.
    d) Ensure all other check boxes are cleared.
    e) Click OK. The Windows Firewall: Allow ICMP exceptions setting is configured.
30. Close the Group Policy dialog.
    Note: The creation of Windows Firewall exceptions opens the following ports, which are required for job completion:
    - 445/TCP
    - 139/UDP
    - 135/UDP
    - 137/UDP

Next, ensure your endpoint has an NTLM setting that is compatible with the Lumension EMSS server. You can define this setting for your endpoint within the Registry Editor.

31. Select Start > Run. The Run prompt opens.
32. In the Open field, type regedit and press ENTER. The Registry Editor opens.
    Figure 5: Registry Editor
33. In the tree panel, expand the registry to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Ensure the Lsa folder is selected. The Lsa folder keys open in the main panel.
34. In the main panel, double-click lmcompatibilitylevel. The Edit DWORD Value dialog for the lmcompatibilitylevel key opens.
35. Ensure that the Value data field is set to one of the following values:
    - 3
    - 5
    If the field is not set correctly, complete the following substeps.
    Note: Under most network conditions, a setting of 3 or 5 is sufficient. However, in some networks, this key may require a different value. To determine which value to use, refer to How to enable NTLM 2 authentication (http://support.microsoft.com/kb/239869).
    a) In the Value data field, type 3 or 5 (unless another value is required).
    b) Click OK.
36. Close the Registry Editor.

Next, complete configuration of your endpoint by ensuring that the C$ and ADMIN$ network shares are enabled. These shares are required for agent management job completion.

37. Select Start > Run. The Run prompt opens.
38. In the Open field, type cmd and press ENTER. The Command Prompt opens.
39. From the Command Prompt, type net share and press ENTER. The endpoint network shares are listed.
40. Ensure that the following shares are listed in the Share name column.
    - C$
    - ADMIN$
    If they are already listed, proceed to the next step. If these shares are not listed, complete the following substeps to enable them. If one of the necessary shares is enabled but not the other, only enable the share that needs to be enabled.
    a) From the Command Prompt, type the necessary command(s) to enable any required network shares.
       - To enable the C$ share, type NET SHARE C$=C and press ENTER.
       - To enable the ADMIN$ share, type NET SHARE ADMIN$ and press ENTER.
41. Close the Command Prompt. You have enabled the required share(s). All enabled shares remain active until the system reboots. The Command Prompt closes.
For Windows Server 2003 and Windows XP 64-bit endpoints, ensure WMI Windows Installer Provider is installed. This Management and Monitoring Tool is used to complete agent management uninstall jobs. The tool is not installed by default on these operating systems. Windows XP 32-bit endpoints come with this tool installed by default.

Note: These steps apply only to Windows Server 2003 and Windows XP 64-bit endpoints. You do not have to complete these steps for Windows XP 32-bit endpoints.

42. Select Start > Control Panel. Control Panel opens.
43. Double-click Add or Remove Programs. The Add or Remove Programs dialog opens.
44. Click Add/Remove Windows Components. The Windows Components Wizard opens.
45. Select Management and Monitoring Tools and ensure the check box is selected.
46. Click Details. The Management and Monitoring Tools dialog opens.
47. Ensure the WMI Windows Installer Provider check box is selected and click OK.
    Tip: If Management and Monitoring Tools and WMI Windows Installer Provider are already installed, you do not need to complete the remaining steps. Continue to the end of the procedure.
48. Click Next. Installation of WMI Windows Installer Provider begins.
49. When prompted, insert your Windows installation disc and continue the install. Repeat this step as needed. Installation continues.
50. Click Finish and restart the endpoint.

Result: The endpoint is configured for agent management.

Configuring Vista or Later Endpoints for Agent Management Jobs

Before you can remotely install agents on your Windows Vista or later endpoints, you must first configure your endpoints for agent management jobs. Endpoint configuration for agent management includes starting the
required services; editing your sharing and discovery settings; creating firewall exceptions; and enabling network shares.

Note: If your organization uses a third-party firewall:
   - Do not complete the steps in this procedure for creating Windows Firewall exceptions. Your third-party firewall makes them unnecessary.
   - You must create exceptions for Lumension EMSS within your third-party firewall. For additional information, refer to Port and ICMP Requirements for Agent Management Jobs on page 25.

You can perform these steps on endpoints with the following operating systems:
   - Windows Vista
   - Windows 7
   - Windows 8
   - Windows Server 2008
   - Windows Server 2012

First, ensure that the services necessary for successful agent management are started.

1. Open Control Panel.
   Windows Vista, Windows 7, or Windows Server 2008:
      Select Start > Control Panel.
   Windows 8 or Windows Server 2012:
      1. Press the Windows Logo key.
      2. Type Control Panel and press ENTER.
   Control Panel opens.
2. Ensure Control Panel is set to the Control Panel Home or Category view. If Control Panel is already in this view, proceed to the next step. If it is not set to this view, complete the step applicable to your operating system.
   Windows Vista or Windows Server 2008:
      Click Control Panel Home.
   Windows 7, Windows 8, or Windows Server 2012:
      From the View by list, select Category.
3. Open your system settings.
   Windows Vista or Windows Server 2008:
      Click System and Maintenance.
   Windows 7, Windows 8, or Windows Server 2012:
      Click System and Security.
   Control Panel opens to the system options.
4. Click Administrative Tools. The Administrative Tools dialog opens.
5. Double-click Services. The Services dialog opens.
   Figure 6: Services Dialog
6. Ensure the necessary services are started. The following list itemizes the services that must be started for job completion.
   Note: In environments that use a third-party firewall, ensure the Windows Firewall service is instead disabled.
   - DCOM Server Process Launcher
   - Remote Procedure Call (RPC)
   - Server
   - Windows Firewall
   - Windows Management Instrumentation
   If all of the listed services required for your configuration purposes have a Server status of Started, continue to the next step. If any of the listed services for your configuration purposes are not started, complete the following substeps to start them.
   a) Right-click the applicable service and select Properties. The properties dialog for the service opens.
   b) Ensure the Startup type list is set to Automatic. If edits are necessary, click Apply after selecting Automatic from the list.
   c) Click Start. The service starts.
   d) Click OK. The properties dialog for the service closes.
   e) If necessary, repeat the substeps for each unstarted service.
7. Close the Services dialog and the Administrative Tools dialog.
   Tip: Leave Control Panel open.

Next, ensure your Sharing and Discovery settings are configured to allow network discovery and file sharing. The discovery setting allows the endpoint to be seen by the Lumension EMSS server, while the file sharing setting allows the Lumension EMSS server access to install the agent during agent management.

8. From Control Panel, click Network and Internet. Control Panel opens to the Network and Internet options.
9. Click Network and Sharing Center. Control Panel opens to the Network and Sharing Center.
10. Ensure Network discovery is enabled. Enabling this setting makes the endpoint publicly known within the network. Lumension EMSS uses the information shared by this setting to return more detailed information about the endpoint during discovery scanning. Based on the endpoint operating system, complete the applicable substeps that follow.
    Windows Vista or Windows Server 2008:
       1. Click the arrow icon adjacent to Network discovery.
       2. Ensure the Turn on network discovery option is selected.
       3. If necessary, click Apply.
    Windows 7:
       1. Click Change advanced sharing settings.
       2. Expand one of the following sections:
          - Home or Work
          - Public
          - Domain
       3. Scroll to Network discovery.
       4. Ensure the Turn on network discovery option is selected.
       5. If necessary, click Save Changes.
       6. Repeat these substeps for each profile section.
    Windows 8 or Windows Server 2012:
       1. Click Change advanced sharing settings.
       2. Expand one of the following sections:
          - Private
          - Guest or Public
          - Domain
       3. Scroll to Network discovery.
       4. Ensure the Turn on network discovery option is selected.
       5. Ensure the Turn on automatic setup of network connected devices option is cleared.
       6. If necessary, click Save Changes.
       7. Repeat these substeps for each profile section.
11. Ensure File sharing is enabled. Based on the endpoint operating system, complete the applicable substeps that follow.
    Windows Vista and Windows Server 2008:
       1. Click the arrow icon adjacent to File Sharing.
       2. Ensure the Turn on file sharing option is selected.
       3. If necessary, click Apply.
    Windows 7:
       1. Ensure you have clicked Advanced sharing settings.
       2. Expand one of the following sections:
          - Home or Work
          - Public
          - Domain
       3. Scroll to File and printer sharing.
       4. Ensure the Turn on file and printer sharing option is selected.
       5. If necessary, click Save Changes.
       6. Repeat these substeps for each profile section.
    Windows 8 or Windows Server 2012:
       1. Click Change advanced sharing settings.
       2. Expand one of the following sections:
          - Private
          - Guest or Public
          - Domain
       3. Scroll to File and printer.
       4. Ensure the Turn on file and printer sharing option is selected.
       5. If necessary, click Save Changes.
       6. Repeat these substeps for each profile section.
12. Close Network and Sharing Center. Network and Sharing Center closes.

Next, ensure Windows Firewall is configured to allow exceptions for agent management jobs. A Windows Firewall that does not allow exceptions will block pings and other agent management processes. Ensure that firewall exceptions are in place for successful agent management.
Create the firewall exceptions using the Local Group Policy Editor. Create exceptions for both the standard and domain profiles.

Note: In environments using a third-party firewall, do not complete the steps to create Windows Firewall exceptions. Instead, create exceptions in your third-party firewall. For additional information, refer to Port and ICMP Requirements for Agent Management Jobs on page 25.

13. Open a run prompt.
    Windows Vista, Windows 7, and Windows Server 2008:
       1. Select the Start menu.
       2. Type run in the Search field and press ENTER.
    Windows 8 or Windows Server 2012:
       1. Press the Windows Logo key.
       2. Type run and press ENTER.
    The Run prompt opens.
14. Type gpedit.msc in the Open field and press ENTER. The Local Group Policy Editor opens.
    Note: In Windows Vista, this dialog is called the Group Policy Object Editor.
    Figure 7: Local Group Policy Editor

Next, ensure firewall exceptions are created for the domain profile. These settings allow the Lumension EMSS server to access the endpoint through the firewall.
Ensure the following settings (and their subsettings) are configured for agent management jobs:
   - Windows Firewall: Do not allow exceptions
   - Windows Firewall: Allow inbound file and printer sharing exception
   - Windows Firewall: Allow ICMP exceptions
   - Windows Firewall: Allow inbound remote administration exception

Configure the following settings (and their subsettings) for agent management purposes:

15. Expand the local computer policy tree to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profiles. Ensure the Domain Profiles folder is selected.
16. Disable the Windows Firewall: Do not allow exceptions setting.
    a) From the main pane, right-click Windows Firewall: Do not allow exceptions and select Edit (or Properties). The setting dialog opens.
    b) Ensure the Disabled option is selected.
    c) Click OK. The Windows Firewall: Do not allow exceptions setting is configured for agent management.
17. Configure the Windows Firewall: Allow inbound file and printer sharing exceptions setting.
    a) From the main pane, right-click Windows Firewall: Allow inbound file and printer sharing exceptions and select Edit (or Properties). The setting dialog opens.
    b) Ensure the Enabled option is selected.
    c) [Optional] Define an IP range in the Allow unsolicited incoming messages from field. Lumension recommends defining this field using your Lumension EMSS Server IP address. To define a range, you may use the following syntax. This input is not validated.
          * (any IP address)
          10.3.2.0/24 (specific Class C subnet)
          localsubnet (for local subnetwork access only)
    d) Click OK. The Windows Firewall: Allow inbound file and printer sharing exceptions setting is configured for agent management.
18. Configure the Windows Firewall: Allow ICMP exception setting.
    a) From the main pane, right-click Windows Firewall: Allow ICMP exceptions setting and select Edit (or Properties). The setting dialog opens.
    b) Ensure the Enabled option is selected.
    c) Within Options, ensure the Allow inbound echo request check box is selected.
    d) Within Options, ensure all other check boxes are cleared.
    e) Click OK. The Windows Firewall: Allow ICMP exceptions setting is configured for agent management.
19. Configure the Windows Firewall: Allow inbound remote administration exceptions setting.
    a) From the main pane, right-click Windows Firewall: Allow inbound remote administration exceptions and select Edit (or Properties). The setting dialog opens.
    b) Ensure the Enabled option is selected.
    c) [Optional] Define an IP range in the Allow unsolicited incoming messages from field. Lumension recommends defining this field using your Lumension EMSS Server IP address. To define a range, you may use the following syntax. This input is not validated.
          * (any IP address)
          10.3.2.0/24 (specific Class C subnet)
          localsubnet (for local subnetwork access only)
    d) Click OK. The Windows Firewall: Allow inbound remote administration exceptions setting is configured for agent management.

As with the domain profile Windows Firewall settings, you must enable or disable identical settings (and subsettings) within the standard profile. Configure the following settings (and their subsettings) for agent management jobs:
   - Windows Firewall: Do not allow exceptions
   - Windows Firewall: Allow inbound file and printer sharing exception
   - Windows Firewall: Allow ICMP exceptions
   - Windows Firewall: Allow inbound remote administration exception

The following steps fully explain how to configure each setting.

20. Expand the local computer policy tree to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profiles.
    Ensure the Standard Profiles folder is selected.
21. Disable the Windows Firewall: Do not allow exceptions setting.
    a) From the main pane, right-click Windows Firewall: Do not allow exceptions and select Edit (or Properties). The setting dialog opens.
    b) Ensure the Disabled option is selected.
    c) Click OK. The Windows Firewall: Do not allow exceptions setting is configured for agent management.
22. Configure the Windows Firewall: Allow inbound file and printer sharing exceptions setting.
    a) From the main pane, right-click Windows Firewall: Allow inbound file and printer sharing exceptions and select Edit (or Properties). The setting dialog opens.
    b) Ensure the Enabled option is selected.
    c) [Optional] Define an IP range in the Allow unsolicited incoming messages from field. Lumension recommends defining this field using your Lumension EMSS Server IP address. To define a range, you may use the following syntax. This input is not validated.
          * (any IP address)
          10.3.2.0/24 (specific Class C subnet)
          localsubnet (for local subnetwork access only)
    d) Click OK. The Windows Firewall: Allow inbound file and printer sharing exceptions setting is configured for agent management.
23. Configure the Windows Firewall: Allow ICMP exception setting.
    a) From the main pane, right-click Windows Firewall: Allow ICMP exceptions setting and select Edit (or Properties). The setting dialog opens.
    b) Ensure the Enabled option is selected.
    c) Within Options, ensure the Allow inbound echo request check box is selected.
    d) Within Options, ensure all other check boxes are cleared.
    e) Click OK. The Windows Firewall: Allow ICMP exceptions setting is configured for agent management.
24. Configure the Windows Firewall: Allow inbound remote administration exceptions setting.
    a) From the main pane, right-click Windows Firewall: Allow inbound remote administration exceptions and select Edit (or Properties). The setting dialog opens.
    b) Ensure the Enabled option is selected.
    c) [Optional] Define an IP range in the Allow unsolicited incoming messages from field. Lumension recommends defining this field using your Lumension EMSS Server IP address. To define a range, you may use the following syntax. This input is not validated.
          * (any IP address)
          10.3.2.0/24 (specific Class C subnet)
          localsubnet (for local subnetwork access only)
    d) Click OK. The Windows Firewall: Allow inbound remote administration exceptions setting is configured for agent management.
25. Close the Local Group Policy Editor (or the Group Policy Object Editor).
    Note: The creation of Windows Firewall exceptions opens the following ports, which are required for job completion:
    - 445/TCP
    - 139/UDP
    - 135/UDP
    - 137/UDP

Finally, complete configuration of your endpoint for agent management by verifying that the C$ and ADMIN$ network shares are enabled. These shares are required for agent management job completion.

26. Open the Command Prompt.
    Windows Vista, Windows 7, and Windows Server 2008:
       1. Select the Start menu.
       2. Type cmd in the Search field and press ENTER.
    Windows 8 or Windows Server 2012:
       1. Press the Windows Logo key.
       2. Type cmd and press ENTER.
27. From the Command Prompt, type net share and press ENTER.
   The endpoint network shares are listed.
28. Ensure that the following shares are listed in the Share name column.
      C$
      ADMIN$
   If they are already listed, proceed to the next step. If these shares are not listed, complete the following substeps to enable them. If one of the necessary shares is enabled but not the other, only enable the share that needs to be enabled.
   a) From the Command Prompt, type the necessary command(s) to enable any required network shares.
      To enable the C$ share, type NET SHARE C$=C: and press ENTER.
      To enable the ADMIN$ share, type NET SHARE ADMIN$ and press ENTER.
   You have enabled the required share(s). All enabled shares remain active until the system reboots.
29. Close the Command Prompt.
   The Command Prompt closes.
Result: The endpoint is configured for agent management jobs.
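Because the Allow unsolicited incoming messages from field is not validated, a scope value can be checked before it is typed into the policy. The following is an added example, not part of the Lumension guide; it assumes the field takes a comma-separated list of the forms shown in steps 22 and 24 plus single IP addresses, and the function name and the /24 breadth threshold are illustrative.

```python
import ipaddress

BROAD_PREFIX = 24  # assumption: anything wider than the guide's /24 example is flagged


def lint_scope(scope, server_ip, endpoint_net=None):
    """Check one 'Allow unsolicited incoming messages from' value.

    Returns (findings, server_allowed). endpoint_net is the endpoint's own
    subnet in CIDR form; it is only needed to evaluate 'localsubnet'.
    """
    server = ipaddress.ip_address(server_ip)
    local = ipaddress.ip_network(endpoint_net) if endpoint_net else None
    findings, allowed = [], False

    for raw in scope.split(","):
        entry = raw.strip()
        if not entry:
            findings.append("empty entry in scope list")
        elif entry == "*":
            # '*' opens the exception to every source, not only the server.
            findings.append("'*' admits any IP address, not just the EMSS server")
            allowed = True
        elif entry.lower() == "localsubnet":
            if local is None:
                findings.append("localsubnet: endpoint subnet unknown, coverage not checked")
            elif server in local:
                allowed = True
        else:
            try:
                # strict=True rejects subnets with host bits set (10.3.2.10/24).
                net = ipaddress.ip_network(entry, strict=True)
            except ValueError as exc:
                findings.append(f"{entry!r} is not a valid address or subnet ({exc})")
                continue
            if net.prefixlen < BROAD_PREFIX:
                findings.append(f"{net} is wider than /{BROAD_PREFIX}")
            if server in net:
                allowed = True

    if not allowed:
        findings.append(f"EMSS server {server} is not covered by this scope")
    return findings, allowed


if __name__ == "__main__":
    # Constructed sample values; 10.3.2.10 stands in for the EMSS server address.
    for value in ("10.3.2.10", "*", "10.3.2.10/24", "10.0.0.0/8, localsubnet"):
        print(value, "->", lint_scope(value, "10.3.2.10"))
```
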
Installing Agents by Agent Management Job
You can install agents upon network endpoints remotely by using agent management jobs. Installing agents remotely substantially eases an administrator's workload, since they do not have to install agents locally.
Prerequisites:
   Verify that the endpoints you are installing agents on are Windows endpoints. Linux, UNIX, and Mac endpoints cannot have agents installed using agent management jobs.
   Gather the built-in Administrator credentials for endpoints you are installing agents on. Successful job outcome is contingent upon authenticated credentials for this account.
   Configure your server to allow agent management. For additional information, refer to Configuring the Lumension EMSS Server for Discovery Scanning on page 26.
   Configure your targets to allow agent management. For additional information, refer to one of the following procedures:
      Configuring Windows XP and Windows Server 2003 Endpoints for Agent Management Jobs on page 27
      Configuring Vista or Later Endpoints for Agent Management Jobs on page 37
   While configuring Windows Vista or later endpoints, ensure network discovery and file sharing are turned on.
   Verify that your computer meets the minimum requirements for agent installation. See Agent for Windows on page 14 for more information.
Configuration of agent management jobs is similar to configuration of discovery scan jobs. Configuration occurs in the Install Agents Wizard.
1. Log in to Lumension Endpoint Management and Security Suite.
   For additional information, refer to Lumension Endpoint Management and Security Suite User Guide (http://portal.lumension.com).
2. Begin configuration of the Install Agent Wizard. Complete one of the following substep sets to begin configuration.
   Context: To open the Wizard without targets predefined:
   Steps: Select Discover > Assets and Install Agents.
   Context: To open the Wizard with targets predefined:
   Steps:
      1. Select Manage > Endpoints.
      2. Select the endpoints you want to install agents on.
      3. From the toolbar, select Manage Agents > Install Agents.
   The wizard opens to the Job Name and Scheduling page.
   Figure 8: Job Name and Scheduling Page
3. [Optional] Type a new name in the Scan job name field.
   Note: By default, new agent management jobs for installation are named New Agent Install Management Job, followed by the server's date and time.
4. Schedule the job. Use one of the following methods.
   Tip: During job scheduling, you can use the following shortcuts:
      Click the Calendar icon to select a Start date. Selecting a date automatically fills the Start date field.
      Click the Clock icon to select a Start time. Selecting a time automatically fills the Start time field.
   Method: To schedule an immediate job:
   Steps: Select the Immediate option.
   Method: To schedule a one-time job:
   Steps:
      1. Ensure the Once option is selected.
      2. Define a start date by typing a date in the Start date field. Type the date in a mm/dd/yyyy format.
      3. Define a start time by typing a time in the Start time field. Type the time in hh:mm format followed by AM or PM. This field supports both 12- and 24-hour time.
      Note: Scheduling a one-time job for a past date and time will launch the job immediately.
   Method: To schedule a recurring weekly job:
   Steps:
      1. Select the Weekly option.
      2. Define a start date by typing a date in the Start date field. Type the date in a mm/dd/yyyy format.
      3. Define a start time by typing a time in the Start time field. Type the time in hh:mm format followed by AM or PM. This field supports both 12- and 24-hour time.
      4. Define the day of the week the job runs by selecting a day from the Run every week on the following day list.
   Method: To schedule a recurring monthly job:
   Steps:
      1. Select the Monthly option.
      2. Define a start date by typing a date in the Start date field. Type the date in a mm/dd/yyyy format.
      3. Define a start time by typing a time in the Start time field. Type the time in hh:mm format followed by AM or PM. This field supports both 12- and 24-hour time.
      4. Define the day of the month the job runs by typing a day in the Run every month on the following day field.
      Note: One-time and recurring jobs scheduled for the last day of a 31-day month are automatically rescheduled for the last day of shorter months.
5. Click Next.
   The Targets page opens.
   Figure 9: Targets Page
6. Define targets (endpoints) for the job to locate. Use one or more of the following discovery methods.
   Method: To define targets using a single IP address:
   Steps:
      1. From the Scan for list, select Single IP Address.
      2. Type an IP address in the empty field. Wildcards are supported. For additional information refer to Defining Targets Using Wildcards on page 64.
      3. Edit the Timeout list. The Timeout list defines the number of seconds before a scan fails due to inactivity for a particular target. Under most network conditions, the Timeout field does not require editing.
      4. Edit the Number of retries list. The Number of retries list defines the number of times a scan retries on that target if the scan times out.
   Method: To define targets using an IP range:
   Steps:
      1. From the Scan for list, select IP Range.
      2. In the first empty field, type the beginning of IP range. Wildcards are supported. For additional information refer to Defining Targets Using Wildcards on page 64.
      3. In the second empty field, type the ending of the IP range.
      4. Edit the Timeout list. The Timeout list defines the number of seconds before a scan fails due to inactivity for that particular target. Under most network conditions, the Timeout field does not require editing.
      5. Edit the Number of retries list. The Number of retries list defines the number of times a scan retries on that target if the scan times out.
   Method: To define targets using a computer name:
   Steps:
      1. From the Scan for list, select Computer name.
      2. In the empty field, type an endpoint name in one of the following formats: endpointname or domain\endpointname.
   Method: To define targets using network neighborhood:
   Steps:
      1. From the Scan for list, select Network Neighborhood.
      2. From the second list, select the desired network neighborhood.
   Method: To define targets using active directory:
   Steps:
      1. From the Scan for list, select Active Directory.
      2. In the Fully-qualified domain name field, type the DNS domain name of the domain controller you want to scan. For example, if your domain controller DNS name is box.domain.company.local, you would type domain.company.local in this field.
      3. Optionally, in the Organizational Unit field, type the active directory organizational unit string from specific to broad, separating each string with front slashes (such as Techpubs/Engineering/Corporate). The omission of this field returns job results containing the full contents of all the active directory organizational units. View the following figure for an example of how to enter data using Active Directory.
      4. In the Domain controller field, type the domain controller IP address.
      5. In the Username field, type a user name that authenticates with the domain controller. Type the user name in one of the following formats: domainname\username or username.
      6. In the Password field, type the password associated with the user name.
   Method: To define targets using an imported file:
   Steps:
      1. From the Scan for list, select Import file.
      2. Click Browse.
      3. Browse to the file you want to use for target discovery. The following file types are supported: .txt and .csv.
      4. Click Open.
   Figure 10: Active Directory Input Example
7. Add targets to the wizard list. This list indicates whether defined targets are included in or excluded from the job. Use one of the following methods.
   Method: To include defined targets in the job:
   Steps: Click Add to Scan.
   Method: To exclude defined targets from the job:
   Steps: Click Exclude from Scan.
   Note: You must include at least one target for Next to become available. You can also delete targets from the list by selecting the applicable check boxes and clicking Remove.
8. [Optional] Define additional targets and add them to the list.
   For more information, see Editing Targets in the Lumension Endpoint Management and Security Suite User Guide (http://portal.lumension.com).
9. Click Next.
   The Scan Options page opens.
   Figure 11: Scan Options Page
10. Select or clear the desired Scan Options. The following table defines each Scan Option.
   Option: Verify With Ping
   Description: Jobs using this option send ping requests to all network endpoints targeted for discovery. Endpoints that respond to the request are flagged for scanning; unresponsive endpoints are skipped. Endpoints unresponsive to Verify With Ping are not scanned by other selected discovery options.
      Note: Anti-virus software and host firewalls may block Verify With Ping. If necessary, adjust antivirus and firewall configurations to permit ping requests.
   Option: ICMP Discovery
   Description: Jobs using this option request a series of echoes, information, and address masks from endpoints. Endpoint responses are then compared to a list of known ICMP fingerprints to identify endpoint operating systems.
      Note: ICMP Discovery is ineffective on endpoints configured to ignore ICMP requests. For best results identifying Windows operating systems, use this option in conjunction with Windows Version Discovery.
   Option: Port Scan Discovery
   Description: Jobs using this option perform a limited scan on endpoint FTP, Telnet, SSH, SMTP, and HTTP ports. Based on the application banners found in these ports, endpoint operating systems are generically identified.
      Note: For best results in identifying Windows operating systems, use this option in conjunction with Windows Version Discovery.
   Option: SNMP Discovery
   Description: Jobs using this option request system properties for SNMP devices (routers, printers, and so on) from the management information base. Following credential authentication, SNMP devices are identified.
      Note: Without authenticated credentials, SNMP devices ignore SNMP Discovery requests. In this event, one of two outcomes occurs: the SNMP device is misidentified as a UNIX endpoint or the SNMP device is not detected. Jobs with no SNMP credentials use the public credential by default.
   Option: Windows Version Discovery
   Description: Jobs using this option identify an endpoint's specific version of Windows following generic operating system identification during ICMP or Port Scan Discovery.
      Note: Correct operating system identification is contingent upon authenticated credentials. This option must be used in conjunction with either ICMP or Port Scan Discovery.
   Option: Resolve DNS Names
   Description: Jobs using this option acquire the endpoint DNS name through a local DNS server query. These names are displayed in job results for easy endpoint identification.
   Option: Resolve MAC Addresses
   Description: Jobs using this option acquire endpoint MAC addresses through endpoint queries. These addresses are displayed in job results for easy endpoint identification.
      Note: Monitor network inventory reports to prevent MAC address spoofing that may alter the Resolve MAC Addresses results.
   Option: Resolve NetBIOS Names
   Description: Jobs using this option acquire endpoint NetBIOS names through WINS NetBIOS mapping. These names are displayed in job results for easy endpoint identification.
      Note: Security-hardened networks running Windows 2003 or Windows XP may require enabling of NetBIOS over TCP/IP for Resolve NetBIOS Names to acquire NetBIOS names. Additionally, firewalls protecting endpoints using Windows XP Professional SP2 may require adjustment to permit NetBIOS communication.
11. Click Next.
   The Agent Options page opens.
12. Select the desired Agent Options. These options control which version of the agent is installed on Windows-based endpoints.
   a) Select an agent version from the Agent version list.
      Note: The agent versions available for selection are defined by the Agent Version Options, which you can edit from the Options page Agents tab within the Lumension Endpoint Management and Security Suite Web console.
   b) Select the modules you want to install with the agent. Select the check boxes associated with the modules you want to install.
   c) [Optional] Select the Overwrite existing agents check box. This option controls whether the agent management job skips targets that already have agents installed.
      Attention: Selecting this option will cause data loss when an endpoint's Lumension Endpoint Management and Security Suite Agent is overwritten.
   Note: Following initial agent installation, if the Patch and Remediation module is installed, the agent version will change if the applicable endpoint is subject to a conflicting agent version policy.
13. Click Next.
   Note: If a dialog opens that notifies you that an endpoint reboot is required following agent installation, click Continue to dismiss the dialog.
   The Credentials page opens.
   Figure 12: Credentials Page
14. Define Windows credentials for the target. Type the applicable information in the following fields.
   Note: When configuring an agent management job, you must define valid Windows credentials.
   Field: Username
   Description: A user name that authenticates with Windows-based endpoints. Type the user name in a local format (UserName) or a domain format (DOMAIN\UserName).
      Note: When configuring agent management jobs, Lumension recommends using the built-in Administrator account.
   Field: Password
   Description: The password associated with the Username.
   Field: Confirm password
   Description: The Password retyped.
15. Click Next.
   The Agent Settings page opens.
   Figure 13: Agent Settings Page
16. Define the Distribution options. The following table describes each list and its available values.
   List: Timeout (list)
   Description: Defines the number of minutes before the agent management job terminates due to a non-responsive agent installation or removal (0-30).
   List: Number of retries (list)
   Description: Defines the number of attempts an agent installation or removal will retry if the initial attempt fails (1-10).
   List: Number of simultaneous installs (list)
   Description: Defines the maximum number of agents that can be installed or removed simultaneously during the job (1-25). A value of 1 indicates that serial installs or removals should occur.
17. Define the Lumension Endpoint Management and Security Suite server that the agent will report to using the Server Identity field. Define the Server identity using one of the following formats. The wizard fills this field with the server computername by default.
      endpointname.domainname.com
      computername
      10.10.10.10
18. If the target endpoints will communicate with the Lumension EMSS server through a proxy server following initial agent installation, select the Use a proxy server check box and define the following fields.
   Note: In many network environments, although a proxy is used for Internet access, a proxy bypass is used for all access within the corporate network. Therefore, only enter proxy information if your agents will be required to use a proxy to access your Lumension Endpoint Management and Security Suite server.
   Field: Server address
   Description: The applicable proxy IP address.
   Field: Port
   Description: The applicable proxy port number used to communicate.
19. If the target endpoints will use a proxy for agent to server communication, and that proxy requires authentication, select the Authentication required check box and define the following fields.
   Field: Username
   Description: A user name that authenticates with the proxy.
   Field: Password
   Description: The password associated with the Username.
   Field: Confirm password
   Description: The Password retyped.
20. Click Finish.
Result: The Install Agents Wizard closes. Depending on how you configured the job, it moves to either the Scheduled tab or Active tab on the Job Results page. The job will run at the applicable time, installing agents on the defined targets, and moves to the Completed tab when finished.
Note: After the agent management job completes, install agent modules. For additional information, refer to Managing Endpoint Modules in Lumension Endpoint Management and Security Suite User Guide (http://portal.lumension.com).

Editing Targets
While configuring agent management jobs that install agents, you can edit items included in the Targets list.
Edit Target list items from the Targets page.
1. From the Targets list, select the check box associated with the item you want to edit.
2. Click Edit.
   The Edit Targets dialog opens.
   Figure 14: Edit Targets Dialog
3. Based on the type of discovery method, edit the item.
   Discovery Method: Single IP Address
   Steps:
      1. Type a new IP address in the field. Wildcards are supported. For additional information, refer to Defining Targets Within an Imported File on page 63.
      2. If necessary, edit the Timeout list. The Timeout list defines the number of seconds before a scan fails due to inactivity. Under most network conditions, the Timeout field does not require editing.
      3. If necessary, edit the Number of retries list. The Number of retries list defines the number of times a discover assets scan retries if the scan times out.
   Discovery Method: IP Range
   Steps:
      1. In the field, type the beginning of IP range. Wildcards are supported. For additional information, refer to Defining Targets Within an Imported File on page 63.
      2. In the field, type the ending of the IP range.
      3. If necessary, edit the Timeout list. The Timeout list defines the number of seconds before a scan fails due to inactivity. Under most network conditions, the Timeout field does not require editing.
      4. If necessary, edit the Number of retries list. The Number of retries list defines the number of times a discover assets scan retries if the scan times out.
   Discovery Method: Computer Name
   Steps: In the empty field, type a new endpoint name in one of the following formats: endpointname or domain\endpointname.
   Discovery Method: Network Neighborhood
   Steps: From the list, select the desired network neighborhood.
   Discovery Method: Active Directory
   Steps:
      1. In the Fully-qualified domain name field, type the DNS domain name of the domain controller you want to scan. For example, if your domain controller's DNS name was box.domain.company.local, you would type domain.company.local in this field.
      2. Optionally, in the Organizational Unit field, type the active directory organizational unit string from specific to broad, separating each string with front slashes (such as Techpubs/Engineering/Corporate). The omission of this field returns job results containing the full contents of all the active directory organizational units. View the following figure for an example of how to enter data using Active Directory.
      3. In the Domain controller field, type the domain controller's IP address.
      4. In the Username field, type a user name that will authenticate with the domain controller. Type the user name in one of the following formats: domainname\username or username.
      5. In the Password field, type the password associated with the user name.
   Figure 15: Active Directory Input Example
4. Include or exclude the target(s) from the scan.
      To include the target(s), click Include Targets.
      To exclude the target(s), click Exclude Targets.
Result: The Targets list reflects your changes.

Defining Targets Within an Imported File
Using imported files, you can define job targets using a combination of single IP addresses, wildcard IP addresses, IP ranges, DNS names, NetBIOS names, and so on.
To create a file containing targets, open a text editor that allows you to create .txt or .csv files (like Notepad). This topic also explains how to use wildcards for any job type.
The following table lists the methods you can use to define discovery methods within an importable file type, and then follows those methods with examples. Use one method per line.

Table 11: Basic Use
Discovery Method | Step | Example | Targets Defined
To define single IP addresses: | Type a single address. | 10.1.1.2 | 10.1.1.2
To define wildcard IP addresses: | Type a wildcard IP address using commas (,). | 10.1.1.2,9 | 10.1.1.2 and 10.1.1.9
To define wildcard IP addresses: | Type a wildcard IP address using dashes (-). | 10.1.1.2-5 | 10.1.1.2, 10.1.1.3, 10.1.1.4, and 10.1.1.5
To define wildcard IP addresses: | Type a wildcard IP address using asterisks (*). | 10.1.1.* | 10.1.1.0 through 10.1.1.255
To define wildcard IP addresses: | Type a wildcard IP address using Classless Inter-Domain Routing (CIDR). | 10.1.1.0/24 | 10.1.1.0 through 10.1.1.255
To define IP ranges: | Type two IP addresses separated by a greater-than sign (>). | 10.1.1.2 > 10.1.1.9 | 10.1.1.2 through 10.1.1.9
To define IP ranges: | Type two IP addresses separated by a dash (-). | 10.1.1.2-10.1.1.9 | 10.1.1.2 through 10.1.1.9
Note: Dashes and greater-than signs are interchangeable.
To define DNS names: | Type a DNS host name for an endpoint. | DNS.dom.com | The defined DNS name.
To define NetBIOS names: | Type a NetBIOS name for an endpoint. | NetBIOSname | The defined NetBIOS name.

Table 12: Advanced Use
Discovery Method | Steps | Examples | Targets Defined
To define wildcard IP addresses using dashes in various octets: | Type a wildcard IP address using dashes, placing the dashes where applicable. You can use dashes in any octet. | 10.2-4.5.9 | 10.2.5.9, 10.3.5.9, 10.4.5.9
To define wildcard IP addresses using dashes in various octets: | (same step) | 10.5.2-4.9 | 10.5.2.9, 10.5.3.9, 10.5.4.9
To define wildcard IP addresses using asterisks in various octets: | Type a wildcard IP address using asterisks, placing the asterisks where applicable. You can use asterisks in any octet. | *.6.65.92 | 1.6.65.92 through 255.6.65.92
To define wildcard IP addresses using asterisks in various octets: | (same step) | 10.25.*.* | 10.25.0.0 through 10.25.255.255
To define wildcard IP addresses using commas in various octets: | Type a wildcard IP address using commas, placing the commas where applicable. You can use commas in any octet. | 10.2.5,9,12.9 | 10.2.5.9, 10.2.9.9, 10.2.12.9
To define wildcard IP addresses using commas in various octets: | (same step) | 10,12,19.2.5.9 | 10.2.5.9, 12.2.5.9, 19.2.5.9
To define wildcard IP addresses using a combination of wildcard characters: | Type a wildcard IP address using dashes, commas, and asterisks. | 10-13.*.12.2,4,7 | 10, 11, 12, 13.0-255.12.2, 4, 7
To define wildcard IP addresses using a combination of wildcard characters: | (same step) | 10.2-4.5,23.* | 10.2, 3, 4.5, 23.0-255

Defining Targets Using Wildcards
When configuring a discovery scan job or agent management job, you can define scan targets using wildcard IP addresses.
Wildcards are characters that can be used to substitute for any other character or characters in a string. In other words, you can use wildcards to scan for numerous IP addresses instead of just one. Use wildcards to scan specific IP address ranges.
The following table lists examples of how to define targets using wildcards.

Table 13: Wildcard Examples
Discovery Method | Step | Example | Targets Defined
To define wildcard IP addresses: | Type a wildcard IP address using commas (,). | 10.1.1.2,9 | 10.1.1.2 and 10.1.1.9
To define wildcard IP addresses: | Type a wildcard IP address using dashes (-). | 10.1.1.2-5 | 10.1.1.2, 10.1.1.3, 10.1.1.4, and 10.1.1.5
To define wildcard IP addresses: | Type a wildcard IP address using asterisks (*). | 10.1.1.* | 10.1.1.0 through 10.1.1.255
To define wildcard IP addresses: | Type a wildcard IP address using Classless Inter-Domain Routing (CIDR). | 10.1.1.0/24 | 10.1.1.0 through 10.1.1.255
To define IP ranges: | Type two IP addresses separated by a greater-than sign (>). | 10.1.1.2 > 10.1.1.9 | 10.1.1.2 through 10.1.1.9
To define IP ranges: | Type two IP addresses separated by a dash (-). | 10.1.1.2-10.1.1.9 | 10.1.1.2 through 10.1.1.9
Note: Dashes and greater-than signs are interchangeable.
To define wildcard IP addresses using dashes in various octets: | Type a wildcard IP address using dashes, placing the dashes where applicable. You can use dashes in any octet. | 10.2-4.5.9 | 10.2.5.9, 10.3.5.9, 10.4.5.9
To define wildcard IP addresses using dashes in various octets: | (same step) | 10.5.2-4.9 | 10.5.2.9, 10.5.3.9, 10.5.4.9
To define wildcard IP addresses using asterisks in various octets: | Type a wildcard IP address using asterisks, placing the asterisks where applicable. You can use asterisks in any octet. | *.6.65.92 | 1.6.65.92 through 255.6.65.92
To define wildcard IP addresses using asterisks in various octets: | (same step) | 10.25.*.* | 10.25.0.0 through 10.25.255.255
To define wildcard IP addresses using commas in various octets: | Type a wildcard IP address using commas, placing the commas where applicable. You can use commas in any octet. | 10.2.5,9,12.9 | 10.2.5.9, 10.2.9.9, 10.2.12.9
To define wildcard IP addresses using commas in various octets: | (same step) | 10,12,19.2.5.9 | 10.2.5.9, 12.2.5.9, 19.2.5.9
To define wildcard IP addresses using a combination of wildcard characters: | Type a wildcard IP address using dashes, commas, and asterisks. | 10-13.*.12.2,4,7 | 10, 11, 12, 13.0-255.12.2, 4, 7
To define wildcard IP addresses using a combination of wildcard characters: | (same step) | 10.2-4.5,23.* | 10.2, 3, 4.5, 23.0-255
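The wildcard, range and CIDR forms from Tables 11 to 13, as an added example that is not Lumension's parser: it sizes each import-file line and flags lines that are invalid, unusually large, or that cover an address you want kept out of an install job. The function names, the protected list and the 1024-host threshold are assumptions made for illustration.

```python
import ipaddress
import math
import re
from itertools import product

QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
RANGE_RE = re.compile(rf"^({QUAD})\s*[>-]\s*({QUAD})$")   # 10.1.1.2 > 10.1.1.9
CIDR_RE = re.compile(rf"^{QUAD}/\d{{1,2}}$")               # 10.1.1.0/24
WILD_RE = re.compile(r"^[\d,*-]+(?:\.[\d,*-]+){3}$")       # 10.2-4.5,23.*


def octet_values(spec, position):
    """Expand one octet such as '2-4', '5,23' or '*' into a sorted list."""
    values = set()
    for part in spec.split(","):
        if part == "*":
            # Per the '*.6.65.92' row, '*' starts at 1 in the first octet only.
            values.update(range(1 if position == 0 else 0, 256))
        elif "-" in part:
            low, high = (int(n) for n in part.split("-", 1))
            if low > high:
                raise ValueError(f"descending octet range {part!r}")
            values.update(range(low, high + 1))
        else:
            values.add(int(part))
    if max(values) > 255:
        raise ValueError(f"octet above 255 in {spec!r}")
    return sorted(values)


def parse_target(line):
    """Classify one import-file line: address range, per-octet sets, or name."""
    text = line.strip()
    if (match := RANGE_RE.match(text)):
        first, last = (int(ipaddress.IPv4Address(a)) for a in match.groups())
        if first > last:
            raise ValueError(f"descending range {text!r}")
        return ("range", first, last)
    if CIDR_RE.match(text):
        net = ipaddress.IPv4Network(text, strict=False)
        return ("range", int(net.network_address), int(net.broadcast_address))
    if WILD_RE.match(text):
        return ("octets", [octet_values(s, i) for i, s in enumerate(text.split("."))])
    return ("name", text)  # DNS or NetBIOS name: kept as written


def target_size(line):
    """Number of addresses one line covers (a name counts as one target)."""
    kind, *data = parse_target(line)
    if kind == "range":
        return data[1] - data[0] + 1
    if kind == "octets":
        return math.prod(len(values) for values in data[0])
    return 1


def target_contains(line, ip):
    """True if the dotted-quad ip falls inside the line's address set."""
    kind, *data = parse_target(line)
    addr = ipaddress.IPv4Address(ip)
    if kind == "range":
        return data[0] <= int(addr) <= data[1]
    if kind == "octets":
        return all(b in vals for b, vals in zip(addr.packed, data[0]))
    return False  # names would need DNS/NetBIOS resolution


def expand(line, limit=4096):
    """List every address of a small target; refuse anything above limit."""
    if target_size(line) > limit:
        raise ValueError(f"{line.strip()!r} covers more than {limit} addresses")
    kind, *data = parse_target(line)
    if kind == "range":
        return [str(ipaddress.IPv4Address(n)) for n in range(data[0], data[1] + 1)]
    if kind == "octets":
        return [".".join(map(str, combo)) for combo in product(*data[0])]
    return [data[0]]


def review_import_file(text, protected=(), max_hosts=1024):
    """Preflight report: (line number, text, status, detail) per target line."""
    report = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            size = target_size(line)
            hits = [ip for ip in protected if target_contains(line, ip)]
        except ValueError as exc:
            report.append((number, line.strip(), "invalid", str(exc)))
            continue
        status = "review" if hits or size > max_hosts else "ok"
        report.append((number, line.strip(), status, {"hosts": size, "protected": hits}))
    return report


SAMPLE = "10.1.1.2,9\n10.1.1.2 > 10.1.1.9\n10.25.*.*\n10.2-4.5,23.*\n10.1.1.9-2\nDNS.dom.com\n"  # constructed
```

Calling review_import_file(SAMPLE, protected=["10.3.23.1"]) returns one row per line of the constructed file, so oversized or malformed targets are visible before the job is scheduled.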
Chapter 4 Installing Agents by Command Line
In this chapter:
   Preparing for Agent Installation by Command Line
   Installing Java Runtime Environment
   Downloading the Installer
   Silently Installing the Agent by Command Line (Windows)
   Installing the Agent by Command Line (Linux, UNIX, or Mac)
   Silently Installing the Agent by Command Line (Linux, UNIX, or Mac)
Network administrators comfortable using the command line can use this interface for agent installation. Command line can be used to install the agent on all supported operating systems.
On Linux and UNIX endpoints, command line is the only method that can be used to install the agent. Command line can also be used to install the agent on Mac endpoints.
Tip: If you want to install the agent on a Mac endpoint, but are unfamiliar with command line, you can use the Mac install wizard instead. For additional information, refer to Installing Agents by Installer on page 85.
Command line installation offers an advantage over other installation types: silent installation. When using silent installation, you can enter all the information necessary for installation before the installation begins; the installation itself runs unattended. You can run silent installations on Windows, Linux, UNIX, and Mac endpoints.

Preparing for Agent Installation by Command Line
Network administrators who prefer to work from the command line can use this interface to install the agent on network endpoints.
You can use command line to install the agent on an endpoint. Depending on the target endpoint's operating system, you may have the option of installing the agent silently.
To complete agent installation by command line for a single Windows endpoint, complete the following tasks in order. You may only complete silent installs when using Windows command line.
1. Download the agent installer. For additional information, refer to Downloading the Installer on page 71.
2. Complete the agent installation. For additional information, refer to Silently Installing the Agent by Command Line (Windows) on page 73.
To complete agent installation by command line for a single Linux, UNIX, or Mac endpoint, complete the following tasks in order:
1. If you are installing to a Linux endpoint, ensure the endpoint is running Java Runtime Environment 1.5 or later. For additional information, refer to Installing Java Runtime Environment on page 70.
2. Download the agent installer. For additional information, refer to Downloading the Installer on page 71.
3. Complete the agent installation. For additional information, refer to Installing the Agent by Command Line (Linux, UNIX, or Mac) on page 76.
You can also complete a Linux, UNIX, or Mac endpoint agent installation silently. To complete a silent installation, complete the following tasks in order:
1. If you are installing to a Linux endpoint, ensure the endpoint is running Java Runtime Environment 1.5 or later. For additional information, refer to Installing Java Runtime Environment on page 70.
2. Download the agent installer. For additional information, refer to Downloading the Installer on page 71.
3. Complete the agent installation. For additional information, refer to Silently Installing the Agent by Command Line (Linux, UNIX, or Mac) on page 80.
You can use this installation method to install the agent on all supported operating systems. The following table lists all endpoint operating systems on which you can perform this installation method. For a more thorough listing of system requirements, refer to Agent Requirements on page 9.

Table 14: Command Line Install Supported Operating Systems
Operating System | Version | Edition | Data Width | Proc. Family | Software Prerequisites | Agent Version
Microsoft Windows 8 (1) | 6.2 | Professional, Enterprise (2) | 32/64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2012 (3) | 6.2 | Standard (2)(4), Datacenter (2)(4), Foundation, Essentials | 64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Storage Server 2012 | 6.2 | Standard, Workgroup | 64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows 7 | 6.1 | Professional, Enterprise, Ultimate | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2008 R2 | 6.1 | Standard, Enterprise, Web | 64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Operating System | Version | Edition | Data Width | Proc. Family | Software Prerequisites | Agent Version
Microsoft Windows Vista (5) | 6.0 | Business, Enterprise, Ultimate | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2008 (6) | 6.0 | Web, Standard, Enterprise | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows 2003 SP1+ | 5.2 | Web, Standard, Enterprise, R2 | 32/64 bit | Intel | Microsoft .NET Framework 2.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows XP SP2+ (7) | 5.1 | Professional | 32/64 bit | Intel | Microsoft .NET Framework 2.0+ | Lumension EMSS 7.3 Agent
Apple Mac OS X | 10.5, 10.4, 10.3 | All | 32/64 bit | PowerPC | Sun Java JRE 1.5.0+ | Patch 7.0 Agent
Apple Mac OS X | 10.8 (1), 10.7 (1), 10.6, 10.5, 10.4 | All | 32/64 bit | Intel | Sun Java JRE 1.5.0+ | Patch 7.0303 Agent
HP-UX | 11.31, 11.23, 11.11 | All | 64 bit | PA-RISC | Sun Java JRE 1.5.0+ | Patch 7.0 Agent
HP-UX | 11.31 | All | 64 bit | Itanium | Sun Java JRE 1.5.0+ | Patch 7.0303 Agent
IBM AIX | 7.1, 6.1 | All | 32/64 bit | PowerPC | Sun Java JRE 1.5.0+ | Patch 7.0303 Agent
Novell SUSE Linux | 11, 10 | Server, Desktop | 32/64 bit | Intel | Sun Java JRE 1.5.0+ or IcedTea/OpenJDK | Patch 7.0303 Agent
Operating System | Version | Edition | Data Width | Proc. Family | Software Prerequisites | Agent Version
Red Hat Enterprise Linux | 6 (1), 5 | Server, Desktop | 32/64 bit | Intel | Sun Java JRE 1.5.0+ or IcedTea/OpenJDK | Patch 7.0303 Agent
Oracle Solaris | 11, 10 | All | 32/64 bit | SPARC/Intel | Sun Java JRE 1.5.0+ | Patch 7.0303 Agent
Oracle Linux | 6, 5 | Server | 32/64 bit | Intel | Sun Java JRE 1.5.0+ or IcedTea/OpenJDK | Patch 7.0303 Agent
CentOS Linux | 6, 5 | Server | 32/64 bit | Intel | Sun Java JRE 1.5.0+ or IcedTea/OpenJDK | Patch 7.0303 Agent

Installing Java Runtime Environment
Before you can install the Lumension Endpoint Management and Security Suite Agent on a Linux endpoint, you must first verify that the target endpoint is running Java Runtime Environment 1.5 or later.
Verify you are running Java Runtime Environment 1.5 or later from your target Linux endpoint.
1. Open Terminal.
2. Type java -version and press ENTER.
   Terminal displays output that lists the installed version of Java Runtime Environment.
3. Use the output to verify that the java version is 1.5.x_x or later.
      If your java version is 1.5.x_x or later, your target endpoint is ready for Lumension Endpoint Management and Security Suite Agent installation. Proceed to Installing the Agent by Command Line (Linux, UNIX, or Mac) on page 76 or Silently Installing the Agent by Command Line (Linux, UNIX, or Mac) on page 80.
      If your java version is earlier than 1.5.x_x, you must update Java Runtime Environment. Proceed to the next step.
4. Download the latest version of Java Runtime Environment.
   a) Open your Web browser and go to Java Web site (http://java.com/en/download/manual.jsp) for the latest version.
   b) Download the version of Java Runtime Environment most applicable to your target environment.
5. Install Java Runtime Environment.
   Note: In the <version> variable, type the version number of Java Runtime Environment you downloaded.
   a) In Terminal, type chmod a+x jre-6u<version>-linux-i586-rpm.bin and press ENTER.
      The endpoint's permissions are changed to allow Java Runtime Environment installation.
   b) Type ./jre-6u<version>-linux-i586-rpm.bin and press ENTER.
      The installation begins.
   c) Type rpm -iv jre-6u<version>-linux-i586.rpm and press ENTER.
      The installation runs.
6. Once more, type java -version and press ENTER.
   Terminal displays output that lists the installed version of Java Runtime Environment.
7. Once more, use the output to verify that the Java version is 1.5.x_x or later.
   If your Java version is 1.5.x_x or later, your target endpoint is ready for Lumension Endpoint Management and Security Suite Agent installation. Proceed to Installing the Agent by Command Line (Linux, UNIX, or Mac) on page 76 or Silently Installing the Agent by Command Line (Linux, UNIX, or Mac) on page 80.
   If your Java version is earlier than 1.5.x_x, you must update Java Runtime Environment. Proceed to the next step.
8. Create symbolic links that point to Java software.
   Note: In the <version> variable, type the version number of Java Runtime Environment you downloaded.
   a) Type ln -sf /usr/java/jre<version>/bin/java /etc/alternatives/java and press ENTER.
   b) Type ln -sf /etc/alternatives/java /usr/bin/java and press ENTER.

Result: The latest version of Java Runtime Environment is installed on your target endpoint.

After Completing This Task: Complete Installing the Agent by Command Line (Linux, UNIX, or Mac) on page 76 or Silently Installing the Agent by Command Line (Linux, UNIX, or Mac) on page 80.

Downloading the Installer

Download the agent installer from your Lumension Endpoint Management and Security Suite server by using the Web console.
To download the installer, log on to the target endpoint, and then download the installer.

Tip: For some operating systems, you have the option of downloading and installing the command line version of the agent installer or the graphical user interface version of the agent installer. The command line agent is installed and accessed after installation using the command prompt. The graphical user interface version of the agent is installed using an installation wizard and accessed after installation via the Control Panel (Windows) or System Preferences (Mac).

1. Log on to the target endpoint as the local administrator (or a member of the Local Administrators group).
2. Log in to your Lumension Endpoint Management and Security Suite. For additional information refer to the Lumension Endpoint Management and Security Suite User Guide (http://portal.lumension.com).
   The Lumension Endpoint Management and Security Suite Home page opens.
3. Select Tools > Download Agent Installer.
   The Download Agent Installers dialog opens.
   Figure 16: Download Agent Installers Dialog
4. Select your endpoint's operating system from the Operating System drop-down list.
5. Select the version of the agent that you want to install from the Agent Version drop-down list.
   Note: The agent versions available for selection are controlled by defining the Agent Versions option within Lumension Endpoint Management and Security Suite. For additional information, refer to Configuring the Agents Tab in the Lumension Endpoint Management and Security Suite User Guide (http://portal.lumension.com).
6. Click Download.
   A dialog opens, prompting you to define a download location.
   Tip: The Download Agent Installer dialog remains open during the installer download.
7. Using the dialog controls, define a download location and begin the download.
8. After the download completes, close the Download Agent Installers dialog by clicking Cancel.
   Tip: Leave the dialog open while installing the agent to have easy access to Lumension Endpoint Management and Security Suite server information used during the installation procedure.

Silently Installing the Agent by Command Line (Windows)

Prerequisites:
- Ensure that your computer meets the minimum requirements for agent installation. See Agent for Windows on page 14 for more information.
- Download the appropriate installer for your operating system. See Downloading the Installer on page 71 for more information.
- Ensure you are logged on using the built-in Administrator account.

After downloading the agent MSI, you can begin a silent install from Windows Command Prompt.

In addition to the Lumension Endpoint Management and Security Suite URL (or IP) and serial number, you can define a proxy for agent-to-server and Auto-Assign groups when performing a silent install using the Single Agent Windows MSI Installer:

1. Select Start > Run.
2. Type cmd and click OK.
   The Command Prompt opens.
3. Change directories to the root directory. Type cd\ and press ENTER.
   The directory is changed to the root directory.
4. Change directories to the location you downloaded LMAgent.msi. Type cd <Your\Download\Directory> and press ENTER.
   The directory changes to the directory where you downloaded the LMAgent.msi.
5. Begin the install by typing the install command followed by the parameters used to install the agent in your environment.
   Note: If you downloaded the 64-bit installer, replace LMAgent.msi with LMAgentx64.msi when typing the install command.

   To perform an install with a proxy, type the following syntax and then press ENTER:

   msiexec /i LMAgent.msi /qn SERVERIPADDRESS="<xxx.xxx.xxx.xxx>" PROXYADDRESS="<xxx.xxx.xxx.xxx>" PROXYPORT="<xx>" PROXYUSERNAME="<ProxyUser>" PROXYPASSWORD="<ProxyUserPassword>" MODULELIST="<Module>|<Module2>" GROUPLIST="<Group>|<Group2>"

   To perform an install without a proxy, type the following syntax and then press ENTER:

   msiexec /i LMAgent.msi /qn SERVERIPADDRESS="<xxx.xxx.xxx.xxx>" MODULELIST="<Module>|<Module2>" GROUPLIST="<Group>|<Group2>"

Note: When installing the Lumension EMSS Agent from command line, you can add a number of parameters to modify how the agent is installed on the endpoint. Read the following table for detailed instructions about how to use each parameter. Remember the following information when using these parameters:
- Parameters do not have to be entered in a specific order.
- The parameter name must be typed in capital letters.
- Words surrounded by angle brackets are variables relative to your environment. When defining these variables, omit the angle brackets and replace the variable with information relevant to your environment. For example, when defining the SERVERIPADDRESS parameter, you might type SERVERIPADDRESS="10.19.0.133"
- With the exception of password variables, variables are not case sensitive.

Table 15: Description of Installation Parameters

Parameter: SERVERIPADDRESS
Description: The IP address of your Lumension Endpoint Management and Security Suite.
Example: SERVERIPADDRESS="<xxx.xxx.xxx.xxx>"

Parameter: PROXYADDRESS
Description: The IP address for your proxy server.
Example: PROXYADDRESS="<xxx.xxx.xxx.xxx>"

Parameter: PROXYPORT
Description: The port your proxy server is using for communication.
Example: PROXYPORT="<xx>"

Parameter: PROXYUSERNAME
Description: Login user for an authenticated proxy.
Example: PROXYUSERNAME="<ProxyUserName>"

Parameter: PROXYPASSWORD
Description: Login password for an authenticated proxy.
Example: PROXYPASSWORD="<ProxyUserPassword>"
Parameter: GROUPLIST
Description: This parameter adds the target endpoint to existing Lumension Endpoint Management and Security Suite groups during agent installation. The following list includes information about using this parameter.
- You can only use this parameter to add endpoints to existing groups. This parameter cannot create new groups.
- When using this parameter, you can add the endpoint to two or more groups. To add the endpoint to multiple groups, type a pipe between two group names. Do not type spaces between the group names and the pipe(s).
  Example (single group): GROUPLIST="<Group>"
  Example (multiple groups): GROUPLIST="<Group>|<Group2>|<Group3>"
- When using this parameter, you can use either the group name or the distinguished name.
  - If two or more groups exist that share the same name, using the group name will add the endpoint to all groups using the name.
  - If two or more groups exist that share the same name, using the distinguished name will add the endpoint to a specific group.
  Example (distinguished name use): GROUPLIST="OU=<Group>,OU=Custom Groups,OU=My Groups"
- To view your group names and distinguished names, view the Groups page Group Membership view in the Lumension Endpoint Management and Security Suite Web console.

Parameter: MODULELIST
Description: This parameter installs additional Lumension Endpoint Management and Security Suite endpoint modules along with the Lumension EMSS Agent during installation. The following list includes information about using this parameter.
- You can only use this parameter to add endpoint modules you are licensed for.
- When using this parameter, you can add two or more modules. To add multiple modules, type a pipe between two module names. Do not type spaces between the module names and the pipe(s).
  Example: MODULELIST="<Module>|<Module2>|<Module3>"
- The following list includes the MODULELIST parameter for each Lumension Endpoint Management and Security Suite module:
  - VulnerabilityManagement (Patch and Remediation)
  - ApplicationControl (Application Control)
  - Antivirus (AntiVirus)
  - PowerMgmt (Power Management)
  - DeviceControl (Device Control)
Installing the Agent by Command Line (Linux, UNIX, or Mac)

Prerequisites:
- Ensure the Patch and Remediation module is installed on your Lumension Endpoint Management and Security Suite server.
- Verify that your computer meets the minimum requirements for agent installation. See Agent for Linux, UNIX, and Mac on page 16 for more information.
- Ensure Java Runtime Environment 1.5 or later is installed on the endpoint. See Installing Java Runtime Environment on page 70 for more information.
- Download the appropriate installer for your operating system. See Downloading the Installer on page 71 for more information.

Attention: This agent can only operate in environments that have the Patch and Remediation module installed.

After ensuring the endpoint meets the minimum system requirements, complete the following steps to install the command line agent.

1. In the /root directory, create the UnixPatchAgent directory.
   Tip: You can create this directory a variety of ways depending on your endpoint operating system.
   The /root/unixpatchagent directory is created.
2. From the downloaded location, select the UnixPatchAgent.tar file and extract its contents to /root/unixpatchagent.
   The following files are extracted to /root/unixpatchagent:
   - env.class
   - install
   - install.ncf
   - InstallArchive.jar
   - patchagent.properties
   - patchagent.tar
   - README.txt
   - support.tar
   Note: If a new directory is created during the extraction, move its contents to /root/unixpatchagent and delete the directory created during extraction.
3. Open Terminal.
   Note: How you open Terminal varies depending on your operating system.
4. Change the directory to /root/unixpatchagent/. Type cd /root/unixpatchagent and press ENTER.
   The directory changes to /root/unixpatchagent.
5. Type ./install to start the installation process.
   Installation begins.
6. At the Enter the Directory where the Agent should be installed [/usr/local] prompt, define the directory where you want to install the agent. Type the desired installation path or press ENTER to accept the default path of /usr/local.

   Installation Location Option | Step(s)
   To install the agent to the default path of /usr/local: | Press ENTER.
   To install the agent to a custom path: | 1. Type the custom path you want to install to in the following format: /customlocation. 2. Press ENTER.

   Note: When defining a custom path, type forward slashes between directories. For example, if you wanted to define the path for the theoretical Administrator directory nested within the usr directory, you would type /usr/administrator.
7. At the Enter your Lumension Endpoint Management and Security Suite address prompt, define the Lumension Endpoint Management and Security Suite Server for the agent.

   Server Definition Option | Step
   To define the server with an IP address: | Type http://xxx.xxx.xxx.xxx and press ENTER.
   To define the server with a server name: | Type http://serverurl and press ENTER.
   To define the server using SSL with an IP address: | Type https://xxx.xxx.xxx.xxx and press ENTER.
   To define the server using SSL with a server name: | Type https://serverurl and press ENTER.
8. At the Enter the product serial number that appears as xxxxxxxx-xxxxxxxx prompt, type your serial number in a xxxxxxxx-xxxxxxxx format and press ENTER.
   Tip: The serial number is displayed on the Lumension Endpoint Management and Security Suite Web console Home page and the Download Agent Installers dialog.
9. At the Do you have a Proxy [Y/N] prompt, define whether the agent will use a proxy during communication with the Lumension Endpoint Management and Security Suite server. Type y to configure a proxy, or press ENTER to continue without configuring a proxy server.
   Note: In many network environments, although a proxy is used for Internet access, a proxy bypass is used for all access within the corporate network. Therefore, only enter proxy information if your agents will be required to use a proxy to access your Lumension Endpoint Management and Security Suite server.

   Proxy Use Option | Step(s)
   To skip proxy definition: | Type n and press ENTER.
   To define a proxy: | See the following steps.

   To define a proxy:
   1. Type y and press ENTER.
   2. At the Enter your proxy address prompt, type the proxy IP address in one of the following formats and press ENTER:
      - http://xxx.xxx.xxx.xxx
      - http://serverurl
   3. At the Enter your proxy port [1-65535] prompt, type the port that will be used for communication with the proxy and press ENTER (1-65535).
   4. At the Proxy username [press return if your proxy does not require authorization] prompt, type a valid proxy username and press ENTER if the proxy requires authentication. If the proxy does not require authentication, forgo typing a username and press ENTER.
   5. At the Proxy password prompt, type the password associated with the user name you entered, if necessary.
10. At the Do you wish to add this agent to existing groups on Lumension Endpoint Management and Security Suite? [Y/N] prompt, define whether you want to add the endpoint to an existing Lumension Endpoint Management and Security Suite group.

   Group Addition Option | Step(s)
   To skip adding the endpoint to an existing group: | Type n and press ENTER.
   To add the endpoint to an existing group: | See the following steps.

   To add the endpoint to an existing group:
   1. Type y and press ENTER.
   2. At the Enter the group name separated by '|' (Eg. OU=group1|OU=group2|OU=group3) prompt, define the existing group or groups you want to add the endpoint to. You can define groups using either the group name or the distinguished name.
      Tip: You can view group names and distinguished names from the Groups page Group Membership view within the Lumension Endpoint Management and Security Suite Web console.
      - To add the endpoint to a single group, type <GroupName> and press ENTER.
      - To add the endpoint to two or more groups, type <GroupName>|<GroupName2> and press ENTER. Type additional pipes and group names when adding the endpoint to more than two groups.
      Note: If two or more groups share the same name, and you want to add the endpoint to all groups sharing the name, use the group name to define the target group. If two or more groups share the same name, and you want to add the endpoint to a specific group, use the distinguished name to define the target group. For example, type OU=<GroupName>,OU=Custom Groups,OU=My Groups
11. At the Do you wish to set the agent process nice value: prompt, define whether you want to define an agent process nice value. Type y to define a value or n to accept the default (0).

   Agent Process Nice Value Option | Step(s)
   To skip defining an agent process nice value: | Type n and press ENTER.
   To define an agent process nice value: | 1. Type y and press ENTER. 2. Type a nice value (-20 to 20) and press ENTER.

Result: The installation completes and the terminal link can be disconnected.

Note: Lumension recommends opening ports 49152-65535 on Linux, UNIX, and Mac endpoints. The agent randomly opens one of these ports to listen for check now commands, which are server-sent requests that the agent check for tasks. Closing these ports delays agent tasks until the agents check in themselves.

Silently Installing the Agent by Command Line (Linux, UNIX, or Mac)

Prerequisites:
- Ensure the Patch and Remediation module is installed on your Lumension Endpoint Management and Security Suite server.
- Verify that your computer meets the minimum requirements for agent installation. See Agent for Linux, UNIX, and Mac on page 16 for more information.
- Ensure Java Runtime Environment 1.5 or later is installed on the endpoint. See Installing Java Runtime Environment on page 70 for more information.
- Download the appropriate installer for your operating system. See Downloading the Installer on page 71 for more information.

Attention: This agent can only operate in environments that have the Patch and Remediation module installed.

In addition to the Lumension Endpoint Management and Security Suite URL (or IP) and serial number, you can define a proxy and auto-assign groups when performing a silent install using the single agent installer for Linux, UNIX, or Mac.

1. In the /root directory, create the UnixPatchAgent directory.
   Tip: You can create this directory a variety of ways depending on your endpoint operating system.
   The /root/unixpatchagent directory is created.
2. From the downloaded location, select the UnixPatchAgent.tar file and extract its contents to /root/unixpatchagent.
   The following files are extracted to /root/unixpatchagent:
   - env.class
   - install
   - install.ncf
   - InstallArchive.jar
   - patchagent.properties
   - patchagent.tar
   - README.txt
   - support.tar
   Note: If a new directory is created during the extraction, move its contents to /root/unixpatchagent and delete the directory created during extraction.
3. Open Terminal.
   Note: How you open Terminal varies depending on your operating system.
4. Change the directory to /root/unixpatchagent/. Type cd /root/unixpatchagent and press ENTER.
   The directory changes to /root/unixpatchagent.
5. Begin the install by typing the install command followed by the parameters needed to install the agent in your environment.

   To perform a silent install with a proxy, type the following syntax and press ENTER:

   ./install -silent -d /usr/local -p http://<myserver> -sno <xxxxxxxx>-<xxxxxxxx> -proxy http://<myproxy> -port <xx> -g "<GroupName>|<GroupName2>"

   To perform a silent install without a proxy, type the following syntax and press ENTER:

   ./install -silent -d /usr/local -p http://<myserver> -sno <xxxxxxxx>-<xxxxxxxx> -g "<GroupName>|<GroupName2>"

When installing the Patch Agent from command line, you can add a number of parameters to modify how the agent is installed on the endpoint. The following table lists all available command line parameters.
Read the following table for detailed instruction about how to use each parameter. Remember the following information when using these parameters:
- Parameters do not have to be entered in a specific order.
- Words surrounded by angle brackets are variables relative to your environment. When defining these parameters, omit the angle brackets and replace the variable with information relevant to your environment. For example, when defining the -p parameter, you might type -p "http://10.19.0.133"
- With the exception of password variables, variables are not case sensitive.

Table 16: Parameter Descriptions

Parameter: -silent
Description: Performs installation silently.
Example: -silent

Parameter: -d
Description: The install directory. Lumension recommends using /usr/local for most Linux endpoints.
Example: -d "install/directory"

Parameter: -p
Description: The URL (or IP) of your Lumension Endpoint Management and Security Suite.
Examples: -p "http://myserver"
          -p "http://xxx.xxx.xxx.xxx"

Parameter: -sno
Description: The serial number of your Lumension Endpoint Management and Security Suite.
Example: -sno "xxxxxxxx-xxxxxxxx"

Parameter: -proxy
Description: The URL (or IP) of your proxy.
Examples: -proxy "http://myserver"
          -proxy "http://xxx.xxx.xxx.xxx"

Parameter: -port
Description: The proxy port.
Example: -port "xx"
Parameter: -g
Description: This parameter adds the target endpoint to existing Lumension Endpoint Management and Security Suite groups during agent installation. The following list includes information about using this parameter.
- You can only use this parameter to add endpoints to existing groups. This parameter cannot create new groups.
- When using this parameter, you can add the endpoint to two or more groups. To add the endpoint to multiple groups, type a pipe between two group names. Do not type spaces between the group names and the pipe(s).
  Example (single group): -g "<Group>"
  Example (multiple groups): -g "<Group>|<Group2>|<Group3>"
- When using this parameter, you can use either the group name or the distinguished name.
  - If two or more groups exist that share the same name, using the group name will add the endpoint to all groups using the name.
  - If two or more groups exist that share the same name, using the distinguished name will add the endpoint to a specific group.
  Example (distinguished name use): -g "OU=<Group>,OU=Custom Groups,OU=My Groups"
- To view your group names and distinguished names, view the Groups page Group Membership view in the Lumension Endpoint Management and Security Suite Web console.

Result: The agent is installed.

Note: Lumension recommends opening ports 49152-65535 on Linux, UNIX, and Mac endpoints. The agent randomly opens one of these ports to listen for check now commands, which are server-sent requests that the agent check for tasks. Closing these ports delays agent tasks until the agents check in themselves.
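The checks behind the silent install above, as an added example that is not part of the Lumension guide: it parses java -version output for the 1.5 minimum named in the prerequisites and assembles the ./install -silent command with the group list pipe-joined inside quotes, because an unquoted | would be read by the shell as a pipeline. The function names, the example.test hosts, the sample serial number and the assumption that each half of the serial is 8 letters or digits are illustrative and do not come from the guide.

```shell
#!/bin/sh
# Added example, not Lumension code: pre-flight checks for ./install -silent.

# Succeed when TEXT (the output of `java -version 2>&1`) reports 1.5 or later.
# Handles the legacy "1.x.y_z" numbering and the later "N.y.z" numbering.
java_meets_minimum() {
    jv=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    jmajor=${jv%%[!0-9]*}            # digits before the first separator
    [ -n "$jmajor" ] || return 1     # no version string found
    [ "$jmajor" -gt 1 ] && return 0
    jrest=${jv#*.}                   # "6.0_45" from "1.6.0_45"
    jminor=${jrest%%[!0-9]*}
    [ "$jmajor" -eq 1 ] && [ -n "$jminor" ] && [ "$jminor" -ge 5 ]
}

# Reject characters that would break out of the double quotes used below.
plain() {
    case "$1" in *'"'*|*'$'*|*'`'*|*'\'*) return 1 ;; esac
}

# Join group names with "|" and no surrounding spaces, as Table 16 requires.
# A name may contain inner spaces (distinguished names do) but no pipe.
join_groups() {
    jg=""
    for g in "$@"; do
        case "$g" in ""|*"|"*|" "*|*" ") return 1 ;; esac
        jg="${jg:+$jg|}$g"
    done
    printf '%s' "$jg"
}

# Port must be a plain decimal number in the prompt's range 1-65535.
valid_port() {
    case "$1" in ""|*[!0-9]*|0*|??????*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# The guide accepts http:// and https:// (SSL) server and proxy addresses.
valid_url() {
    case "$1" in
        *" "*) return 1 ;;
        http://?*|https://?*) plain "$1" ;;
        *) return 1 ;;
    esac
}

# Assumption: each half of the xxxxxxxx-xxxxxxxx serial is 8 letters or digits.
valid_serial() {
    sl=${1%%-*} sr=${1#*-}
    case "$sl$sr" in *[!0-9A-Za-z]*) return 1 ;; esac
    [ "${#sl}" -eq 8 ] && [ "${#sr}" -eq 8 ] && [ "$1" = "$sl-$sr" ]
}

# build_silent_install DIR SERVER SERIAL PROXY PORT [GROUP...]
# Pass "" for PROXY and PORT when no proxy is used. Prints the command line,
# quoted as in the Table 16 examples, or fails without printing anything.
build_silent_install() {
    [ "$#" -ge 5 ] || return 1
    bdir=$1 bserver=$2 bserial=$3 bproxy=$4 bport=$5
    shift 5
    case "$bdir" in /*) plain "$bdir" || return 1 ;; *) return 1 ;; esac
    valid_url "$bserver" || return 1
    valid_serial "$bserial" || return 1
    bcmd="./install -silent -d \"$bdir\" -p \"$bserver\" -sno \"$bserial\""
    if [ -n "$bproxy" ]; then
        valid_url "$bproxy" && valid_port "$bport" || return 1
        bcmd="$bcmd -proxy \"$bproxy\" -port \"$bport\""
    fi
    if [ "$#" -gt 0 ]; then
        bgroups=$(join_groups "$@") && plain "$bgroups" || return 1
        bcmd="$bcmd -g \"$bgroups\""
    fi
    printf '%s\n' "$bcmd"
}

# Usage with constructed values: print the command only if the JRE is new enough.
if java_meets_minimum "$(java -version 2>&1)"; then
    build_silent_install /usr/local https://emss.example.test \
        1A2B3C4D-5E6F7A8B "" "" 'Servers' 'Linux'
else
    echo "Java Runtime Environment 1.5 or later not found" >&2
fi
```

Review the printed command before running it as root from /root/unixpatchagent; a failed check prints nothing, so an empty result means one of the inputs was rejected.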
Chapter 5 Installing Agents by Installer

In this chapter: Preparing for Installation by Agent Installer

Agents can be installed on single Windows and Mac endpoints very simply. You can log in to the Lumension Endpoint Management and Security Suite Web console, download the agent, and then run the agent installer.

This installation method is useful when installing a single agent on a network endpoint. Newer network administrators unfamiliar with the command prompt may prefer this agent installation method. The installer for Windows is a Windows Installer (.MSI) file, and the installer for Mac is a disc image (.dmg) file.

Preparing for Installation by Agent Installer

The simplest method to install the Lumension EMSS agent on an endpoint is through use of the agent's installer. Like most software, the Lumension EMSS Agent features an easy-to-use step-by-step installer that can be used to install the agent on a single endpoint.

To complete agent installation on a single endpoint using the installer, complete the following tasks:

1. From the endpoint you want to install an agent on, log in to the Lumension EMSS Web Console and download the agent installer. For additional information, refer to Downloading the Installer on page 71.
2. Open and complete the downloaded installer.
   - For additional information about completing the installer on Windows endpoints, refer to Installing the Single Agent for Windows XP and Later on page 89.
   - For additional information about completing the installer on Mac endpoints, refer to Installing the Agent for Mac on page 95.
You can use this installation method to install the agent on Windows and Mac endpoints. The following table lists all endpoint operating systems on which you can perform this installation method. For a more thorough listing of system requirements, refer to Agent Requirements on page 9.

Table 17: Installer Supported Operating Systems

Operating System | Version | Edition | Data Width | Proc. Family | Software Prerequisites | Agent Version
Microsoft Windows 8 | 6.2 | Windows 8 (1), Professional, Enterprise (2) | 32/64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2012 (3) | 6.2 | Standard (2)(4), Datacenter (2)(4), Foundation, Essentials | 64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Storage Server 2012 | 6.2 | Standard, Workgroup | 64 bit | Intel | Microsoft .NET Framework 4.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows 7 | 6.1 | Professional, Enterprise, Ultimate | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2008 R2 | 6.1 | Standard, Enterprise, Web | 64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Vista (5) | 6.0 | Business, Enterprise, Ultimate | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows Server 2008 (6) | 6.0 | Web, Standard, Enterprise | 32/64 bit | Intel | Microsoft .NET Framework 3.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows 2003 SP1+ | 5.2 | Web, Standard, Enterprise, R2 | 32/64 bit | Intel | Microsoft .NET Framework 2.0+ | Lumension EMSS 7.3 Agent
Microsoft Windows XP SP2+ (7) | 5.1 | Professional | 32/64 bit | Intel | Microsoft .NET Framework 2.0+ | Lumension EMSS 7.3 Agent
Apple Mac OS X | 10.5, 10.4, 10.3 | All | 32/64 bit | PowerPC | Sun Java JRE 1.5.0+ | Patch 7.0 Agent
Apple Mac OS X | 10.8 (1), 10.7 (1), 10.6, 10.5, 10.4 | All | 32/64 bit | Intel | Sun Java JRE 1.5.0+ | Patch 7.0303 Agent

Downloading the Installer

Download the agent installer from your Lumension Endpoint Management and Security Suite server by using the Web console.

To download the installer, log on to the target endpoint, and then download the installer.

Tip: For some operating systems, you have the option of downloading and installing the command line version of the agent installer or the graphical user interface version of the agent installer. The command line agent is installed and accessed after installation using the command prompt. The graphical user interface version of the agent is installed using an installation wizard and accessed after installation via the Control Panel (Windows) or System Preferences (Mac).

1. Log on to the target endpoint as the local administrator (or a member of the Local Administrators group).
2. Log in to your Lumension Endpoint Management and Security Suite. For additional information refer to the Lumension Endpoint Management and Security Suite User Guide (http://portal.lumension.com).
   The Lumension Endpoint Management and Security Suite Home page opens.
3. Select Tools > Download Agent Installer.
   The Download Agent Installers dialog opens.
   Figure 17: Download Agent Installers Dialog
4. Select your endpoint's operating system from the Operating System drop-down list.
5. Select the version of the agent that you want to install from the Agent Version drop-down list.
   Note: The agent versions available for selection are controlled by defining the Agent Versions option within Lumension Endpoint Management and Security Suite. For additional information, refer to Configuring the Agents Tab in the Lumension Endpoint Management and Security Suite User Guide (http://portal.lumension.com).
6. Click Download.
   A dialog opens, prompting you to define a download location.
   Tip: The Download Agent Installer dialog remains open during the installer download.
7. Using the dialog controls, define a download location and begin the download.
8. After the download completes, close the Download Agent Installers dialog by clicking Cancel.
   Tip: Leave the dialog open while installing the agent to have easy access to Lumension Endpoint Management and Security Suite server information used during the installation procedure.
Installing the Single Agent for Windows XP and Later

Endpoints running Windows XP or later communicate with the Lumension Endpoint Management and Security Suite server using the Lumension Endpoint Management and Security Suite Agent.

Prerequisites:
- Ensure that your computer meets the minimum requirements for agent installation. See Agent for Windows on page 14 for more information.
- Download the appropriate installer for your operating system. See Downloading the Installer on page 71 for more information.
- Ensure you are logged on with a user account that has administrative access rights.

The following steps apply to both the 64-bit and 32-bit agent installer.

Note: If you downloaded the 64-bit installer, x64 is appended to the file name for the installer.

1. From the downloaded location, double-click LMAgent.msi.
   The installer opens to the Welcome page.
   Figure 18: Welcome Page
2. Click Next.
   The License Agreement page opens.
   Figure 19: License Agreement Dialog
3. If you agree to the license terms, select the I accept the terms in the license agreement option and click Next.
   The Destination Folder page opens.
   Figure 20: Destination Folder Page
4. [Optional] Edit the agent installation location.
   a) Click Browse.
      The Change Current Destination Folder dialog opens.
      Figure 21: Change Current Destination Folder Dialog
   b) Define an installation location.
   c) Click OK.
      The Change Current Destination Folder dialog closes and the Destination Folder page reflects the new location.
5. Click Next.
   The Lumension EMSS Server Information page opens.
   Figure 22: Lumension EMSS Server Information Page
6. Type the appropriate IP address or URL in the Server identity field including the protocol.

   Server Definition Option | Step
   To define the server with an IP address: | Type http://xxx.xxx.xxx.xxx and press ENTER.
   To define the server with a server name: | Type http://serverurl and press ENTER.
   To define the server using SSL with an IP address: | Type https://xxx.xxx.xxx.xxx and press ENTER.
   To define the server using SSL with a server name: | Type https://serverurl and press ENTER.
7. [Optional] If the agent will communicate with the Lumension EMSS server through a proxy server, select the Use a proxy server check box and complete the following substeps.
   Note: In many network environments, although a proxy is used for Internet access, a proxy bypass is used for all access within the corporate network. Therefore, only enter proxy information if your agents will be required to use a proxy to access your Lumension Endpoint Management and Security Suite server.
   a) Click Next.
      The Proxy Information page opens.
      Figure 23: Proxy Information Page
   b) In the Proxy server address field, type the proxy URL.
   c) [Optional] In the Port number field, type the port number that the proxy uses for communication.
   d) [Optional] If the proxy server requires authentication, complete the following substeps.
      1. Select the Authentication is required check box.
      2. In the Username field, type the user name.
      3. In the Password field, type a new password for the proxy.
      4. In the Confirm Password field, type the proxy password again.
8. Click Next.
   The Installation Ready dialog opens.
   Figure 24: Installation Ready Dialog
9. Click Install to install the agent.
   Note: On Windows 8 endpoints, you may be prompted for an administrative password. If you are prompted, type an administrative password and press ENTER.
   The agent is installed and the Installation Complete dialog displays.
   Figure 25: Installation Complete Dialog
10. Click Finish to exit the wizard.
Result: The agent is installed.

Installing the Agent for Mac
Mac endpoints communicate with the Lumension Endpoint Management and Security Suite server using the Mac agent.
Prerequisites:
   Ensure the Patch and Remediation module is installed on your Lumension Endpoint Management and Security Suite server.
   Verify that your computer meets the minimum requirements for agent installation. See Agent for Linux, UNIX, and Mac on page 16 for more information.
   Download the appropriate installer for your operating system. See Downloading the Installer on page 71 for more information.
Attention: This agent can only operate in environments that have the Patch and Remediation module installed.
1. From the downloaded location, select the PatchAgentforMac.dmg to extract the Patch Agent for Mac Installer.
2. Open the installer.
3. Enter your system password.
   The Introduction page of the install wizard displays.
4. Click Next.
   The License Agreement page displays.
5. If you agree to the license terms, select the I Accept the terms of the License Agreement option and click Next.
   The Verify Sudo Password page opens.
6. Enter your system password in the Please Enter the Password field.
   This password is identical to the one entered earlier.
7. Click Next.
   The Choose Install Folder page opens.
8. [Optional] Edit the agent installation location.
   a) Click Choose.
      The Finder window opens.
   b) Edit the installation location.
   c) Select Open.
   Tip: Click Restore Default Folder to restore the default installation location at any time.
9. Select Next.
   The Server Information page displays.
10. Type the Lumension Endpoint Management and Security Suite server URL in the URL field. Type the URL in one of the following formats.
   Server Definition Option: Step
   To define the server with an IP address: Type http://xxx.xxx.xxx.xxx and press ENTER.
   To define the server with a server name: Type http://serverurl and press ENTER.
   To define the server using SSL with an IP address: Type https://xxx.xxx.xxx.xxx and press ENTER.
   To define the server using SSL with a server name: Type https://serverurl and press ENTER.
11. Type your serial number in the Serial Number field.
   Tip: The Lumension Endpoint Management and Security Suite serial number is available on the Lumension Endpoint Management and Security Suite Home page.
12. [Optional] If the agent will use a proxy server during communication with the Lumension EMSS server, select the Use a Proxy Server check box and complete the following substeps.
   Note: In many network environments, although a proxy is used for Internet access, a proxy bypass is used for all access within the corporate network. Therefore, only enter proxy information if your agents will be required to use a proxy to access your Lumension Endpoint Management and Security Suite server.
   a) Click Next.
      The Proxy Configuration page opens.
   b) In the Proxy URL field, type the proxy URL.
   c) [Optional] In the Proxy Port field, type the port number that the proxy uses for communication.
   d) [Optional] If your proxy requires authentication, complete the following substeps.
      1. Type a user name that authenticates with the proxy server in the Proxy User (if authenticated) field.
      2. Type the user name password in the Proxy Password (if authenticated) field.
      3. Retype the password in the Confirm Password field.
13. Click Next.
   The Additional Options page displays.
14. [Optional] In the Groups field, define the existing groups you want to add the endpoint to.
   To add the agent to specific device groups, enter the names of the groups in the Groups field. Values should be separated by a (|) symbol.
   Remember the following information when defining the groups you want to add the endpoint to:
   You can define groups using either the group name or the distinguished name.
   Tip: You can view group names and distinguished names from the Groups page Group Membership view with the Lumension Endpoint Management and Security Suite Web console.
   To add the endpoint to a single group, type <GroupName> and press ENTER.
   To add the endpoint to two or more groups, type <GroupName>|<GroupName2> and press ENTER. Type additional pipes and group names when adding the endpoint to more than two groups.
   Note: If two or more groups share the same name, and you want to add the endpoint to all groups sharing the name, use the group name to define the target group.
   If two or more groups share the same name, and you want to add the endpoint to a specific group, use the distinguished name to define the target group. For example, type OU=<GroupName>,OU=Custom Groups,OU=My Groups
15. [Optional] Set the operating system's prioritization value for the agent by typing a value in the Agent Nice Value field.
   A value of -20 in this field gives the agent the highest priority and 20 gives the lowest priority.
16. [Optional] To configure the agent so that it is detectable, yet cannot have packages deployed to it, select the Detect Only check box.
17. Click Next.
   The Pre-Installation Summary page displays.
18. Verify the agent pre-installation summary information is accurate.
19. Click Next to begin the installation.
   The Install Complete Success page displays when the installation process is finished.
20. Click Done to complete the installation and close the installer.
Appendix A Upgrading Agents
In this appendix:
   Upgrading Agents Automatically
   Upgrading Agents Locally
For users upgrading older Lumension Endpoint Management and Security Suite servers to the most recent version, there are several options for updating your Lumension Endpoint Management and Security Suite infrastructure.
You can upgrade your Windows endpoints either manually or automatically.
   For additional information on upgrading your Windows endpoint automatically, refer to Upgrading Agents Automatically on page 99.
   For additional information on upgrading Windows endpoints manually, refer to:
      Upgrading Agents Locally on page 101
      Installing Agents by Agent Management Job on page 49
Linux, UNIX, and Mac endpoints can be overwritten: the agent can be upgraded, but data cannot be retained. For additional information, refer to Upgrading Agents Locally on page 101.
Note: For Patch and Remediation users, Lumension recommends upgrading the agent for Linux, UNIX and Mac using a deployment.

Upgrading Agents Automatically
Administrators who have recently updated their server to the newest version of Lumension Endpoint Management and Security Suite can use the Lumension Endpoint Management and Security Suite Web console to upgrade their endpoints to the newest agent version.
Agents can be upgraded from the Endpoints page. Complete the following tasks to execute an automatic upgrade of existing network agents.
   Ensure that your agent options are configured so that the latest Lumension EMSS agent is available for installation. For additional information, refer to Defining Installable Agent Versions on page 100.
   Select the endpoints you want to upgrade and complete the agent upgrade. For additional information, refer to Upgrading the Agent Automatically on page 101.

Defining Installable Agent Versions
Before beginning your automatic agent installation, you must first ensure that the latest version of the Lumension EMSS agent is available for agent installation within the Lumension Endpoint Management and Security Suite Web console. You can only install the latest agent version on your network endpoints if this setting is properly defined.
Prerequisites: Ensure the most recent version of the agent is available for installation. For additional information, refer to Upgrading the Agent Automatically on page 101.
Define the Installable Agent Versions options from within the Lumension Endpoint Management and Security Suite Web console. The option is available from the Options page Agents tab. You can perform these instructions from any endpoint in your network.
1. Log in to the Lumension Endpoint Management and Security Suite Web console.
   For additional information, refer to the Lumension Endpoint Management and Security Suite User Guide (http://portal.lumension.com).
2. Select Tools > Options.
   The Options page opens.
3. Select the Agents tab.
   The Agents tab opens.
4. Ensure the Windows XP and newer agent version is set to Newest available.
   Note: When selecting an agent version, you can alternatively select Lumension EMSS <AgentVersion> +. This selection makes all agent versions released since the selected agent version available for installation.
5. Click Save.
Result: Your agent version selection is saved.
After Completing This Task: Complete the agent upgrade. For additional information, refer to Upgrading the Agent Automatically on page 101.
Upgrading the Agent Automatically
After you ensure Lumension Endpoint Management and Security Suite is configured to have the latest agent version available for installation, you can begin your agent upgrade.
Prerequisites: Complete Defining Installable Agent Versions on page 100.
Upgrade your agents from the Endpoints page of the Lumension Endpoint Management and Security Suite Web console.
1. Log in to the Lumension Endpoint Management and Security Suite Web console.
   For additional information, refer to the Lumension Endpoint Management and Security Suite User Guide (http://portal.lumension.com).
2. Select Manage > Endpoints.
   The Endpoints page opens to the All.
3. From the page list, select the endpoints that you want to upgrade to the latest agent version.
4. Click Agent Versions.
   The Manage Agent Versions dialog opens.
5. From the Select One list, select the most recent agent version and click Apply to All Agents.
   Tip: If you want to test the upgrade on a few endpoints before upgrading your entire network, select the latest agent versions for an endpoint's Agent Version list.
6. Click OK.
Result: The agent begins upgrading on all selected endpoints.

Upgrading Agents Locally
Upgrading the agent overwrites the version of the agent running on the endpoint with the most recent version of the agent.
Prerequisites: Ensure you are logged on to the target endpoint using an appropriate user account.
   If installing to a Windows XP, Windows Vista, Windows 7, Windows Server 2003, or Windows Server 2008 endpoint, ensure you are logged on using the built-in Administrator account.
   If installing to a Windows 8 or Windows Server 2012 endpoint, ensure you are logged on as an administrative user other than the local administrator account.
Perform these steps within Lumension Endpoint Management and Security Suite on your target endpoint.
Note: Overwriting an agent deletes all agent history.
1. Download the most recent version of the Lumension EMSS Agent for your target endpoint.
   For additional information, refer to Downloading the Installer on page 71.
2. Install the agent. For additional information, refer to one of the following topics:
   Installing the Single Agent for Windows XP and Later on page 89
   Silently Installing the Agent by Command Line (Windows) on page 73
   Installing the Agent for Mac on page 95
   Installing the Agent by Command Line (Linux, UNIX, or Mac) on page 76
   Silently Installing the Agent by Command Line (Linux, UNIX, or Mac) on page 80
Appendix B Uninstalling Agents
In this appendix:
   Uninstalling Agents by Agent Management Job
   Uninstalling the Lumension EMSS Agent Locally on Windows
   Uninstalling the Agent Locally on Linux, UNIX, or Mac
You can uninstall the Lumension Endpoint Management and Security Suite Agent using several methods. The methods available for uninstall vary based on operating system.
When uninstalling agents installed on Windows endpoints, you can remove the agent by agent management jobs or Windows Control Panel. For additional information, refer to the following topics:
   Uninstalling Agents by Agent Management Job on page 104
   Uninstalling the Lumension EMSS Agent Locally on Windows on page 114
Agent uninstalls on Linux, UNIX, or Mac endpoints can only be completed by command line. Because these operating systems differ slightly, their uninstall parameters differ slightly as well. For additional information on completing uninstalls on Linux, UNIX, or Mac endpoints, refer to Uninstalling the Agent Locally on Linux, UNIX, or Mac on page 115.
Uninstalling Agents by Agent Management Job
You can remotely uninstall agents from endpoints in your network using an agent management job. These jobs prevent administrators from having to uninstall agents locally.
Prerequisites:
   Verify that the endpoints you are installing agents on are Windows endpoints. Linux, UNIX, and Mac endpoints cannot have agents installed using agent management jobs.
   Gather the built-in Administrator credentials for endpoints you are installing agents on. Successful job outcome is contingent upon authenticated credentials for this account.
   Configure your server to allow agent management. For additional information, refer to Configuring the Lumension EMSS Server for Discovery Scanning on page 26.
   Configure your targets to allow agent management. For additional information, refer to one of the following procedures:
      Configuring Windows XP and Windows Server 2003 Endpoints for Agent Management Jobs on page 27
      Configuring Vista or Later Endpoints for Agent Management Jobs on page 37
   While configuring Windows Vista or later endpoints, ensure network discovery and file sharing are turned on.
Configuration of agent management is similar to a discovery scan job. Configuration occurs in the Uninstall Agents Wizard.
1. Begin configuration of the Uninstall Agent Wizard. Complete one of the following substep sets to begin configuration.
   Context: Steps
   To open the Wizard without targets predefined: Select Discover > Assets and Uninstall Agents.
   To open the Wizard with target predefined:
      1. Select Manage > Endpoints.
      2. Select the endpoints you want to uninstall agents from.
      3. From the toolbar, select Manage Agents > Uninstall Agents.
   The wizard opens to the Job Name and Scheduling page.
   Figure 26: Job Name and Scheduling Page
2. [Optional] Type a new name in the Scan job name field.
   Note: By default, new agent management jobs for uninstallation are named New Agent Uninstall Management Job, followed by the server's date and time, which is formatted according to your browser's locale setting.
3. Schedule the job. Use one of the following methods.
   Tip: During job scheduling, you can use the following shortcuts:
      Click the Calendar icon to select a Start date. Selecting a date automatically fills the Start date field.
      Click the Clock icon to select a Start time. Selecting a time automatically fills the Start time field.
   Method: Steps
   To schedule an immediate job: Select the Immediate option.
   To schedule a one-time job:
      1. Ensure the Once option is selected.
      2. Define a start date by typing a date in the Start date field. Type the date in a mm/dd/yyyy format.
      3. Define a start time by typing a time in the Start time field. Type the time in hh:mm format followed by AM or PM. This field supports both 12- and 24-hour time.
      Note: Scheduling a one-time job for a past date and time will launch the job immediately.
   To schedule a recurring weekly job:
      1. Select the Weekly option.
      2. Define a start date by typing a date in the Start date field. Type the date in a mm/dd/yyyy format.
      3. Define a start time by typing a time in the Start time field. Type the time in hh:mm format followed by AM or PM. This field supports both 12- and 24-hour time.
      4. Define the day of the week the job runs by selecting a day from the Run every week on the following day list.
   To schedule a recurring monthly job:
      1. Select the Monthly option.
      2. Define a start date by typing a date in the Start date field. Type the date in a mm/dd/yyyy format.
      3. Define a start time by typing a time in the Start time field. Type the time in hh:mm format followed by AM or PM. This field supports both 12- and 24-hour time.
      4. Define the day of the month the job runs by typing a day in the Run every month on the following day field.
   Note: One-time and recurring jobs scheduled for the last day of a 31-day month are automatically rescheduled for the last day of shorter months.
4. Click Next.
   The Targets page opens.
   Figure 27: Targets Page
5. Define targets (endpoints) for the job to locate. Use one or more of the following discovery methods.
   Method: Steps
   To define targets using a single IP address:
      1. From the Scan for list, select Single IP Address.
      2. Type an IP address in the empty field. Wildcards are supported. For additional information, refer to Defining Targets Using Wildcards on page 64.
      3. Edit the Timeout list. The Timeout list defines the number of seconds before a scan fails due to inactivity for a particular target. Under most network conditions, the Timeout field does not require editing.
      4. Edit the Number of retries list. The Number of retries list defines the number of times a scan retries on that target if the scan times out.
   To define targets using an IP range:
      1. From the Scan for list, select IP Range.
      2. In the first empty field, type the beginning of IP range. Wildcards are supported. For additional information, refer to Defining Targets Using Wildcards on page 64.
      3. In the second empty field, type the ending of the IP range.
      4. Edit the Timeout list. The Timeout list defines the number of seconds before a scan fails due to inactivity for that particular target. Under most network conditions, the Timeout field does not require editing.
      5. Edit the Number of retries list. The Number of retries list defines the number of times a scan retries on that target if the scan times out.
   To define targets using a computer name:
      1. From the Scan for list, select Computer name.
      2. In the empty field, type an endpoint name in one of the following formats: endpointname or domain\endpointname.
   To define targets using network neighborhood:
      1. From the Scan for list, select Network Neighborhood.
      2. From the second list, select the desired network neighborhood.
   To define targets using active directory:
      1. From the Scan for list, select Active Directory.
      2. In the Fully-qualified domain name field, type the DNS domain name of the domain controller you want to scan. For example, if your domain controller DNS name is box.domain.company.local, you would type domain.company.local in this field.
      3. Optionally, in the Organizational Unit field, type the active directory organizational unit string from specific to broad, separating each string with forward slashes (such as Techpubs/Engineering/Corporate). The omission of this field returns job results containing the full contents of all the active directory organizational units. View the following figure for an example of how to enter data using Active Directory.
      4. In the Domain controller field, type the domain controller IP address.
      5. In the Username field, type a user name that authenticates with the domain controller. Type the user name in one of the following formats: domainname\username or username.
      6. In the Password field, type the password associated with the user name.
   To define targets using an imported file:
      1. From the Scan for list, select Import file.
      2. Click Browse.
      3. Browse to the file you want to use for target discovery. The following file types are supported: .txt and .csv.
      4. Click Open.
   Figure 28: Active Directory Input Example
6. Add targets to the wizard list. This list indicates whether defined targets are included in or excluded from the job. Use one of the following methods.
   Method: Steps
   To include defined targets in the job: Click Add to Scan.
   To exclude defined targets from the job: Click Exclude from Scan.
   Note: You must include at least one target for Next to become available. You can also delete targets from the list by selecting the applicable check boxes and clicking Remove.
7. [Optional] Define additional targets and add them to the list.
   For more information, see Editing Targets in the Lumension Endpoint Management and Security Suite User Guide (http://portal.lumension.com).
8. Click Next.
   The Options page opens.
   Figure 29: Options Page
9. Select or clear the desired Scan Options. The following table defines each Scan Option.
   Option: Description
   Verify With Ping: Jobs using this option send ping requests to all network endpoints targeted for discovery. Endpoints that respond to the request are flagged for scanning; unresponsive endpoints are skipped. Endpoints unresponsive to Verify With Ping are not scanned by other selected discovery options.
      Note: Anti-virus software and host firewalls may block Verify With Ping. If necessary, adjust antivirus and firewall configurations to permit ping requests.
   ICMP Discovery: Jobs using this option request a series of echoes, information, and address masks from endpoints. Endpoint responses are then compared to a list of known ICMP fingerprints to identify endpoint operating systems.
      Note: ICMP Discovery is ineffective on endpoints configured to ignore ICMP requests. For best results identifying Windows operating systems, use this option in conjunction with Windows Version Discovery.
   Port Scan Discovery: Jobs using this option perform a limited scan on endpoint FTP, Telnet, SSH, SMTP, and HTTP ports. Based on the application banners found in these ports, endpoint operating systems are generically identified.
      Note: For best results in identifying Windows operating systems, use this option in conjunction with Windows Version Discovery.
   SNMP Discovery: Jobs using this option request system properties for SNMP devices (routers, printers, and so on) from the management information base. Following credential authentication, SNMP devices are identified.
      Note: Without authenticated credentials, SNMP devices ignore SNMP Discovery requests. In this event, one of two outcomes occur: the SNMP device is misidentified as a UNIX endpoint or the SNMP device is not detected. Jobs with no SNMP credentials use the public credential by default.
   Windows Version Discovery: Jobs using this option identify an endpoint's specific version of Windows following generic operating system identification during ICMP or Port Scan Discovery.
      Note: Correct operating system identification is contingent upon authenticated credentials. This option must be used in conjunction with either ICMP or Port Scan Discovery.
   Resolve DNS Names: Jobs using this option acquire the endpoint DNS name through a local DNS server query. These names are displayed in job results for easy endpoint identification.
   Resolve MAC Addresses: Jobs using this option acquire endpoint MAC addresses through endpoint queries. These addresses are displayed in job results for easy endpoint identification.
      Note: Monitor network inventory reports to prevent MAC address spoofing that may alter the Resolve MAC Addresses results.
   Resolve NetBIOS Names: Jobs using this option acquire endpoint NetBIOS names through WINS NetBIOS mapping. These names are displayed in job results for easy endpoint identification.
      Note: Security-hardened networks running Windows 2003 or Windows XP may require enabling of NetBIOS over TCP/IP for Resolve NetBIOS Names to acquire NetBIOS names. Additionally, firewalls protecting endpoints using Windows XP Professional SP2 may require adjustment to permit NetBIOS communication.
10. Click Next.
   The Credentials page opens.
   Figure 30: Credentials Page
11. Define Windows credentials for the target. Type the applicable information in the following fields.
   Note: When configuring an agent management job, you must define valid Windows credentials.
   Field: Description
   Username: A user name that authenticates with Windows-based endpoints. Type the user name in a local format (UserName) or a domain format (DOMAIN\UserName).
      Note: When configuring agent management jobs, Lumension recommends using the built-in Administrator account.
   Password: The password associated with the Username.
   Confirm password: The Password retyped.
12. Click Next.
   The Agent Settings page opens.
   Figure 31: Agent Settings Page
13. Define the Distribution options. The following table describes each list and its available values.
   List: Description
   Timeout (list): Defines the number of minutes before the agent management job terminates due to a non-responsive agent installation or removal (0-30).
   Number of retries (list): Defines the number of attempts an agent installation or removal will retry if the initial attempt fails (1-10).
   Number of simultaneous installs (list): Defines the maximum number of agents that can be installed or removed simultaneously during the job (1-25). A value of 1 indicates that serial installs or removals should occur.
14. Define the Reboot option. Select one of the following options:
   Suppress the reboot
   Force a reboot (does not prompt the user)
   Note: If the agent being uninstalled is installed on the Lumension Endpoint Management and Security Suite server, the reboot is automatically suppressed regardless of this setting.
15. Click Finish.
Result: The Uninstall Agents Wizard closes. Depending on how you configured the job, it moves to either the Scheduled tab or Active tab on the Job Results page. The job will run at the applicable time, uninstalling agents on the defined targets, and move to the Completed tab when finished.

Uninstalling the Lumension EMSS Agent Locally on Windows
You can uninstall Lumension EMSS Agents locally on managed endpoints through Control Panel.
Prerequisites:
   Ensure you are logged on using an appropriate user account.
      If installing to a Windows XP, Windows Vista, Windows 7, Windows Server 2003, or Windows Server 2008 endpoint, ensure you are logged on using the built-in Administrator account.
      If installing to a Windows 8 or Windows Server 2012 endpoint, ensure you are logged on as an administrative user other than the local administrator account.
   You must have either the endpoint or global uninstall password. For more information on agent policy sets, see The Policies View in the Lumension Endpoint Management and Security Suite User Guide (http://portal.lumension.com).
Uninstall the agent from the target endpoint.
1. Open Control Panel.
   Operating System: Steps
   Windows XP, Windows Vista, Windows 7, or Windows Server 2008: Select Start > Control Panel.
   Windows 8 or Windows Server 2012:
      1. Press the Windows Logo key.
      2. Type Control Panel and press ENTER.
   Control Panel opens.
2. Open Add or Remove Programs or Programs and Features based on your operating system.
   Operating System: Steps
   Windows XP, Windows Server 2003: Double-click Add or Remove Programs.
   Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2012: Click Programs and Features.
3. Begin the agent uninstall.
   Operating System: Steps
   Windows XP, Windows Server 2003: Select Lumension EMSS Agent. Click Remove.
   Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2012: Double-click Lumension EMSS Agent.
   Note: On Windows 8 endpoints, you may be prompted for an administrative password. If you are prompted, type an administrative password and press ENTER.
4. Type either the agent or global uninstall password for the endpoint in the Global or uninstall password field and click OK.
Result: The agent is uninstalled.

Uninstalling the Agent Locally on Linux, UNIX, or Mac
Perform the following procedure to uninstall the Linux agent locally.
1. Open Terminal.
   Note: How you open Terminal varies by operating system.
   Terminal opens.
2. Change directory to the agent installation directory. The following table lists the default installation directory for various operating systems.
   Operating System: Command
   Mac: /private/var/patchagent
   Linux: /usr/local/patchagent
   Solaris: /export/home/patchagent
   Note: If you installed the agent to a directory other than the default directory, navigate to that directory.
3. Type ./uninstall at the command prompt and press ENTER.
   The agent is uninstalled.
4. Change directory to the parent directory of the installation directory. Type the command for your operating system below and press ENTER.
   Operating System: Command
   Mac: cd /private/var/
   Linux: cd /usr/local/
   Solaris: cd /export/home/
   Note: If you installed the agent to a directory other than the default directory, navigate to the parent directory of the agent installation directory.
5. Type rm -rf patchagent and press ENTER.
Result: The agent installation directory is deleted.
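The local uninstall steps above can be wrapped in a guarded shell function so that the recursive delete only runs against a directory that really holds the agent's uninstall script, and only after that script succeeds. This is an added example, not Lumension's own script: the function names, return codes and the uname -s mapping (Darwin for Mac, SunOS for Solaris) are assumptions of the example, and the demo runs against a constructed temporary directory with a stub uninstall script.

```shell
#!/bin/sh
# Added example: the guide's local uninstall steps as a guarded function.
# Function names and return codes are this example's own.

# Map a `uname -s` value to the default agent directory from the guide's table.
# Assumption: Mac reports Darwin and Solaris reports SunOS.
default_agent_dir() {
    case "$1" in
        Darwin) echo "/private/var/patchagent" ;;
        Linux)  echo "/usr/local/patchagent" ;;
        SunOS)  echo "/export/home/patchagent" ;;
        *)      return 1 ;;
    esac
}

# uninstall_agent DIR
#   0 = uninstalled and directory deleted
#   2 = DIR is not an absolute path to an existing directory, or is /
#   3 = DIR has no executable ./uninstall, so it is not treated as an agent directory
#   4 = ./uninstall failed; the directory is left in place for inspection
#   5 = the directory could not be deleted
uninstall_agent() {
    ua_dir=$1
    case "$ua_dir" in
        /*) ;;                 # absolute path required
        *)  return 2 ;;        # empty or relative path
    esac
    # Resolve symlinks so the later rm acts on the real directory.
    ua_real=$(cd "$ua_dir" 2>/dev/null && pwd -P) || return 2
    [ "$ua_real" != "/" ] || return 2
    { [ -f "$ua_real/uninstall" ] && [ -x "$ua_real/uninstall" ]; } || return 3

    # Steps 2-3: change to the installation directory and run ./uninstall.
    ( cd "$ua_real" && ./uninstall ) || return 4

    # Steps 4-5: change to the parent directory and delete the agent directory.
    ua_parent=$(dirname "$ua_real")
    ua_name=$(basename "$ua_real")
    ( cd "$ua_parent" && rm -rf -- "$ua_name" ) || return 5
    [ ! -e "$ua_real" ] || return 5
    return 0
}

# Demo on a constructed tree (not a real agent install): a temporary root
# holding usr/local/patchagent with a stub uninstall script that exits 0.
demo() {
    d_root=$(mktemp -d) || return 1
    mkdir -p "$d_root/usr/local/patchagent"
    printf '#!/bin/sh\nexit 0\n' > "$d_root/usr/local/patchagent/uninstall"
    chmod +x "$d_root/usr/local/patchagent/uninstall"
    d_rc=0
    uninstall_agent "$d_root/usr/local/patchagent" || d_rc=$?
    echo "uninstall_agent returned $d_rc"
    rm -rf -- "$d_root"
    return "$d_rc"
}
demo

# On a managed endpoint with a default install location the call would be:
#   uninstall_agent "$(default_agent_dir "$(uname -s)")"
```

For an agent installed to a non-default directory, pass that directory's absolute path instead of the default.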