Endpoint Security January 16, 2008 Installation Guide Version NGX 7.0 GA © 2008 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications. Endpoint Security Installation Guide 4 Contents Preface About this Guide 7 Available Formats 7 Obtaining the Correct Version .7 Obtaining New Issues of this Guide .7 About the Endpoint Security Documentation Set . 8 Documentation for Administrators .8 Documentation for Endpoint Users 8 Feedback . 10 Chapter 1 Endpoint Security Overview Endpoint Security System Components . 12 System Requirements 12 Architecture 12 Endpoint Security Communications 14 The Endpoint Security Sync 14 Other Endpoint Security Communications 14 Endpoint Security Services .15 Chapter 2 Installation Overview Master Installer 18 Supported Installations . 18 Upgrading and Migration . 19 Gateway Integration 20 Chapter 3 Upgrading and Migration Introduction to Upgrading . 21 Supported Upgrades 21 Migration 22 Upgrade Workflow 22 Backing Up Data 23 SPLAT Upgrade Instructions 23 Clustered Upgrade Instructions 24 Chapter 4 Installing on a Dedicated Host Windows 26 Linux 27 Check Point SecurePlatform (Command Line Version) 28 Check Point SecurePlatform (GUI Version) 30 Chapter 5 Installing with SmartCenter on the Same Host Windows 33 Linux 35 Check Point SecurePlatform (Command line Version) . 36 Check Point SecurePlatform (GUI Version) 38 Installing Endpoint Security with an Existing SmartCenter 40 Connecting Endpoint Security and SmartCenter 40 Chapter 6 Installing with SmartCenter on Separate Hosts Workflow . 43 Installing SmartCenter in a Distributed Installation 44 Windows .44 Linux .45 Check Point SecurePlatform (Command Line Version) .46 Check Point SecurePlatform (GUI Version) .47 Connecting Endpoint Security and SmartCenter . 49 Chapter 7 Installing Endpoint Security and Provider-1 Provider-1 Overview 51 Workflow . 52 Installing Endpoint Security on the Same Host as Provider-1 53 Connecting Endpoint Security and Provider-1 54 Chapter 8 Endpoint Security Installation Wizard Reference Completing the Endpoint Security Installation Wizard 56 Completing the Installation . 57 Chapter 9 Check Point Configuration Tool Starting the Configuration Tool 59 Configuration Tool Options 60 Chapter 10 Remote Logging Connecting the Log Server and SmartCenter 63 Connecting the Log Server and Endpoint Security 64 Chapter 11 High Availability Overview of High Availability 65 Architecture . 66 Configuring High Availability . 67 Forcing Replication . 68 Changing an Active Server to a Standby Server 69 Changing a Standby Server to an Active Server 69 Endpoint Security Installation Guide 6 Preface In This Preface About this Guide page 7 About the Endpoint Security Documentation Set page 8 Feedback page 10 Endpoint Security Installation Guide 7 About this Guide The Endpoint Security Installation Guide provides detailed instructions for installing, configuring, and maintaining Endpoint Security. This document is intended for global administrators. Please make sure you have the most up-to-date version available for the version of Endpoint Security that you are using. Before using this document to install Endpoint Security, you should read and understand the information in the Endpoint Security Implementation Guide in order to familiarize yourself with the basic features and principles. Available Formats This guide is available as a PDF. This document is available from the Check Point CD. Updated editions of the document may be available on the Check Point Website after the release of Endpoint Security. The version of this document on the Check Point Website may be more up-to-date than the version on the CD. Obtaining the Correct Version Make sure that this document has the Version Number that corresponds to the version of your Endpoint Security. The Version Number is printed on the cover page of this document. Obtaining New Issues of this Guide New issues of this guide are occasionally available in PDF format from the Check Point Website. When using the PDF version of this document, make sure you have the most up-to-date issue available. The issue date is on the cover page of this document. When obtaining updated PDF editions from the Check Point Website, make sure they are for the same server version as your Endpoint Security. Do not attempt to administer Endpoint Security using documentation that is for another version. When obtaining the most up-to-date issue of the documentation, make sure that you are obtaining the issue that is for the appropriate server. Endpoint Security Installation Guide 8 About the Endpoint Security Documentation Set A comprehensive set of documentation is available for Endpoint Security, including the documentation for the Endpoint Security clients. This includes:  “Documentation for Administrators,” on page 8  “Documentation for Endpoint Users,” on page 8 Documentation for Administrators The following documentation is intended for use by Endpoint Security administrators. Documentation for Endpoint Users Although this documentation is written for endpoint users, Administrators should be familiar with it to help them to understand the Endpoint Security clients and how the policies they create impact the user experience. Table 1-1: Server Documentation for Administrators Title Description Endpoint Security Installation Guide Contains detailed instructions for installing, configuring, and maintaining Endpoint Security. This document is intended for global administrators. Endpoint Security Administrator Guide Provides background and task-oriented information about using Endpoint Security. It is available in both a Multi and Single Domain version. Endpoint Security Administrator Online Help Contains descriptions of user interface elements for each Endpoint Security Administrator Console page, with cross- references to the associated tasks in the Endpoint Security Administrator Guide. Endpoint Security System Requirements Contains information on client and server requirements and supported third party devices and applications. Endpoint Security Gateway Integration Guide Contains information on integrating your gateway device with Endpoint Security. Endpoint Security Client Management Guide Contains detailed information on the use of third party distribution methods and command line parameters. Endpoint Security Agent for Linux Installation and Configuration Guide Contains information on how to install and configure Endpoint Security Agent for Linux. Endpoint Security Installation Guide 9 Table 1-2: Client documentation for endpoint users Title Description User Guide for Endpoint Security Client Software Provides task-oriented information about the Endpoint Security clients (Agent and Flex) as well as information about the user interface. Introduction to Endpoint Security Flex Provides basic information to familiarize new users with Flex. This document is intended to be customized by an Administrator before distribution. See the Endpoint Security Implementation Guide for more information. Introduction to Endpoint Security Agent Provides basic information to familiarize new users with Endpoint Security Agent. This document is intended to be customized by an Administrator before distribution. See the Endpoint Security Implementation Guide for more information. Endpoint Security Installation Guide 10 Feedback Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com [...]...1 Chapter Endpoint Security Overview In This Chapter Endpoint Security System Components page 12 Endpoint Security Communications page 14 Endpoint Security Installation Guide 11 Endpoint Security System Components This section provides an overview of the Endpoint Security system components System Requirements For information about Endpoint Security system requirements, see the Endpoint Security System... Figure 1-1: Typical Endpoint Security Configuration A typical Endpoint Security configuration includes the following components: Endpoint Security Server-Allows you to centrally configure your Endpoint Security enterprise policies Endpoint Security Installation Guide Integrity Advanced Server Installation Guide 12 Endpoint Security Clients-Monitor your endpoints and enforce your security policies These... ports used by the Endpoint Security system When an Endpoint Security client is initialized it performs a sync with the Endpoint Security This allows the Endpoint Security client to get the security policy that is assigned to it Other communications take place either by the request of administrators or as determined by your security policies The Endpoint Security Sync 1 The Endpoint Security client requests... configurations, see the Endpoint Security Administrator Guide and the chapter of the Endpoint Security Gateway Integration Guide appropriate to your gateway device The Endpoint Security System Requirements document lists all supported gateways These documents are available on the Check Point Web site Endpoint Security Installation Guide Integrity Advanced Server Installation Guide 13 Endpoint Security Communications... following supported configurations: Endpoint Security Installation Guide 18 Endpoint Security alone You can install just Endpoint Security and the necessary supporting components (Endpoint Security installations always include Check Point SmartPortal and some Check Point SmartCenter components.) To install Endpoint Security alone, follow the instructions for installing Endpoint Security on its own host See... server and Endpoint Security clients It also provides secure communication with the Endpoint Security server for Administrators logging onto the Endpoint Security Administrator Console The Apache HTTP server also improves performance by serving your security data to Endpoint Security clients using a high speed cache Administrator Workstation-Administrators can use a workstation to access Endpoint Security. .. and Protocols The Endpoint Security server uses the ports and protocols listed below to communicate with Endpoint Security clients Make sure all these ports and protocols are available on the Endpoint Security server: 80 HTTP 443 HTTPS 6054 UDP 8009 AJP13 (Internal) 8010 AJP13 (Internal) Endpoint Security services and ports,” on page 16 represents the services that make up Endpoint Security and shows... 443 Some reports are viewed on SmartPortal via HTTPS on port 4433 by drilling down in the Endpoint Security Administrator console Endpoint Security Services Endpoint Security operations are implemented by separate Endpoint Security services The services are divided into two types: Client services allow an Endpoint Security client to get policies and configuration information, and to communicate session... Provider-1 You can install Endpoint Security with Provider-1 in the following configurations: Same Host You can install Endpoint Security with Provider-1 on the same server See “Installing Endpoint Security and Provider-1,” on page 50 Distributed You can install Endpoint Security and Provider-1 on different servers and then configure them to connect See “Installing Endpoint Security and Provider-1,”... prompted to specify the Endpoint Security configuration type, do one of the following: If you are installing Endpoint Security in standalone mode, choose Endpoint Security Only (by typing the corresponding number) and type N If you are installing Endpoint Security as part of a distributed installation (in which SmartCenter or Provider-1 runs on another host), choose Endpoint Security with Remote SmartCenter . Endpoint Security Documentation Set A comprehensive set of documentation is available for Endpoint Security, including the documentation for the Endpoint Security. down in the Endpoint Security Administrator console. Endpoint Security Services Endpoint Security operations are implemented by separate Endpoint Security