Juniper NETWORK AND SECURITY MANAGER 2010.4 - REV1, Installation Manual

Page 1: ...Juniper Networks Network and Security Manager Installation Guide Release 2010 4 Published 2010 11 17 Revision 1 Copyright 2010 Juniper Networks Inc...

Page 2: ...are copyright 1991 D L S Associates This product includes software developed by Maker Communications Inc copyright 1996 1997 Maker Communications Inc Juniper Networks Junos Steel Belted Radius NetScre...

Page 3: ...re physically contained on a single chassis c Product purchase documents paper or electronic user documentation and or the particular licenses purchased by Customer may specify limits to Customer s us...

Page 4: ...ATE WITHOUT ERROR OR INTERRUPTION OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK In no event shall Juniper s or its suppliers or licensors liability to Customer whether in contract tort inclu...

Page 5: ...ree years from the date of distribution Such request can be made in writing to Juniper Networks Inc 1194 N Mathilda Ave Sunnyvale CA 94089 ATTN General Counsel You may obtain a copy of the GPL at http...

Page 6: ...Copyright 2010 Juniper Networks Inc vi...

Page 7: ...vailability Configuration 9 Extended High Availability Configuration 9 Other Configuration Options 9 Local Remote Database Backup 10 NetScreen Statistical Report Server Interoperability 10 Device Serv...

Page 8: ...ce in Demo Mode 47 Next Steps 47 Chapter 4 Installing NSM in a Distributed Configuration 49 Suggested Distributed Configuration Installation Order 49 Defining System Parameters 50 Prerequisites 53 Ins...

Page 9: ...nstalling NSM in a Simple HA Configuration 95 Primary GUI Server and Device Server Installation 96 Secondary GUI Server and Device Server Installation Script 101 Installing the User Interface 107 Conf...

Page 10: ...entral Manager Appliance Offline Mode 162 Migrating Data to an NSM Regional Server Appliance 165 Data Migration from a Solaris Server to an NSM Regional Server Appliance 165 On the Solaris server 165...

Page 11: ...187 Downgrade Procedures 188 Removing the Management System 188 Uninstalling the User Interface 190 Part 2 Appendixes Appendix A Technical Overview of the NSM Architecture 193 About the Management Sy...

Page 12: ...ns 209 Performance Tuning Recommendations 209 Recommendations for Low End Configurations 209 Medium Size Configuration 3 to 8 IDP Profiling Devices 210 High End Configuration 9 to 20 IDP Profiling Dev...

Page 13: ...g the NSM Installation 46 Chapter 5 Installing NSM with High Availability 71 Figure 6 Simple HA Management System Configuration 72 Figure 7 HA Configuration Example 96 Figure 8 Configuring the HA GUI...

Page 14: ...Copyright 2010 Juniper Networks Inc xiv Network and Security Manager Installation Guide...

Page 15: ...meters 22 Chapter 4 Installing NSM in a Distributed Configuration 49 Table 11 Distributed Configuration System Parameters 50 Chapter 5 Installing NSM with High Availability 71 Table 12 HA Utilities 77...

Page 16: ...e 30 Storage Requirements for Device Server Managing Firewall VPN Devices 206 Table 31 Storage Requirements for Device Server Managing IDP w Profiler Devices 206 Table 32 CPU Requirements for Device S...

Page 17: ...uide is intended primarily for IT administrators who are responsible for installing upgrading and maintaining NSM Conventions The sample screens used throughout this guide are representations of the s...

Page 18: ...s Bold typeface like this user input Represents text that the user must type Bold typeface like this host1 show ip ospf Routing Process OSPF 2 with Router ID 5 5 0 250 Router is an area Border Router...

Page 19: ...s intended for IT administrators responsible for the installation or upgrade of NSM Network and Security Manager Installation Guide Describes how to use and configure key management features in the NS...

Page 20: ...e Access Devices Guide Provides details about configuring the device features for all supported EX Series platforms Network and Security Manager Configuring EX Series Switches Guide Provides details a...

Page 21: ...hnical bulletins for relevant hardware and software notifications https www juniper net alerts Join and participate in the Juniper Networks Community Forum http www juniper net company communities Ope...

Page 22: ...Copyright 2010 Juniper Networks Inc xxii Network and Security Manager Installation Guide...

Page 23: ...alling NSM in a Standalone Configuration on page 21 Installing NSM in a Distributed Configuration on page 49 Installing NSM with High Availability on page 71 Upgrading to NSM 2010 4 from an Earlier Ve...

Page 24: ...Copyright 2010 Juniper Networks Inc 2 Network and Security Manager Installation Guide...

Page 25: ...s on page 9 Next Steps on page 11 Installation Process Overview NSM is software that enables you to integrate and centralize management of your Juniper Networks environment You need to install two mai...

Page 26: ...aunches an InstallAnywhere wizard that you can run on any Windows or Linux based computer that meets minimum system requirements See Table 8 on page 7 for more information on the minimum required hard...

Page 27: ...nagement System Table 6 on page 5 describes the minimum requirements that must be met for the GUI Server and Device Server on the same server Table6 MinimumSystemRequirements ManagementSystemonSame Se...

Page 28: ...running the same operating system version For example you cannot run the GUI Server on a server running Linux and the Device Server on a server running Solaris Operating System Only Sun Microsystems...

Page 29: ...s a minimum of 4 GB RAM 384 Kbps DSL or LAN connection minimum bandwidth required to connect to the NSM management system Hardware Choosing Standalone Distributed or High Availability Configurations T...

Page 30: ...to scale to small medium and large enterprises as well as service provider deployments There are four main options for configuring NSM Standalone Configuration on page 8 Distributed Configuration on p...

Page 31: ...de process the installer script prompts you to specify whether or not you want the current server machine to participate in an HA cluster If you choose to do so the installer script prompts you to con...

Page 32: ...ces are preconfigured to perform local database backups See the NSMXpress and NSM3000 User Guide for details If you want to send copies of the file backups to a remote machine the installer script pro...

Page 33: ...ot already exist the installer creates the user for you In this case the installer prompts you to create a password for the user This password will not expire NOTE The NSM appliance settings for Postg...

Page 34: ...ice Server on the same server with HA simple high availability configuration or separate servers with HA extended high availability configuration This configuration option enables you to configure a p...

Page 35: ...er License Management Server LMS and then installed onto the NSM Server or NSM appliance LMS provides an interface to generate licenses based upon serial number authorization code and installation ID...

Page 36: ...rchase and generate a license key file 4 Enter the installation ID that was generated by the NSM Server The LMS system generates a license key file for the SKU recorded You can choose to download the...

Page 37: ...per Networks Customer Service Customer Service will validate your purchase and generate a license key 5 Select the Need High Availability Key check box The LMS systems prompts you to provide the NSM S...

Page 38: ...u purchased Juniper Networks provides an authorization code via e mail If you received a paper license certificate and are managing more than 25 devices call Juniper Networks Customer Service Customer...

Page 39: ...a license key 5 Select the Need High Availability Key check box The LMS systems prompts you to provide the NSM Secondary serial number and Secondary Installation ID The LMS system generates a license...

Page 40: ...the NSM License Information window From the menu bar select Tools NSM License Information to view this information Enforcing Licenses The maximum number of devices allowed for NSMXpress appliance ins...

Page 41: ...for an NSM appliance and software only installations License upgrades can be purchased at any time for any supported product After purchasing a license upgrade you receive a Right to Use RTU certifica...

Page 42: ...Copyright 2010 Juniper Networks Inc 20 Network and Security Manager Installation Guide...

Page 43: ...e NSM appliance uses a simplified installation procedure See the NSMXpress and NSM3000 User Guide for details This chapter contains the following sections Suggested Standalone Configuration Installati...

Page 44: ...er Interface Defining System Parameters During the installation process you are required to configure common system parameters such as the location of the directories where you want to store data for...

Page 45: ...process By default the GUI Server stores data in var netscreen GuiSvr xdb log GUI Server database log directory The IP address used by the running GUI Server The default is the IP address of the machi...

Page 46: ...rms the daily backup within an hour after 2 AM Hour of the Day to Start Local Database Backup Total number of database backup files that the GUI Server stores When the GUI Server reaches the maximum n...

Page 47: ...te have specific version requirements such as PostgreSQL Be sure to use the packages distributed in the system update 5 Configure shared memory size on your appropriate platform See Configuring Shared...

Page 48: ...m and the update script is put in that directory The script for Solaris is located in the same directory as the tar file The name of the update script for Solaris is update_solaris10 sh The script pro...

Page 49: ...ssh authorized_keys directory For example scp ssh id_rsa pub root IP addr management system root ssh authorized_keys 4 From the server running the management system copy ssh id_rsa pub to the remote m...

Page 50: ...locales are installed If you have all required locales proceed to Step 2 C POSIX en_CA en_CA ISO8859 1 en_CA UTF 8 en_US en_US ISO8859 1 en_US ISO8859 15 en_US ISO8859 15 euro en_US UTF 8 es es UTF 8...

Page 51: ...On Solaris run the following command sh nsm2010 4_servers_sol_sparc sh The installation begins automatically by performing a series of preinstallation checks The installer ensures that The OS version...

Page 52: ...errorLog If the failure happens in the early stages of the install the log might be in tmp The installer extracts the software payloads and prompts you to install NSM with the base license root h sh...

Page 53: ...to install the management server files Press Enter to accept the default usr netscreen directory or type the full path name to a directory and then press Enter The installer prompts whether you want t...

Page 54: ...er to accept the default location var netscreen GuiSvr xdb log NOTE You cannot store files in an existing directory location This feature safeguards against overwriting any existing data If you specif...

Page 55: ...uration file management actions and prompts for a password 16 Enter a password for the configuration file management CFM user Because the UNIX password can not be saved in plain text format the instal...

Page 56: ...econds you want NSM to wait while performing backups until the process times out e Designate a directory location for locally storing the NSM database backup Press Enter to accept the default location...

Page 57: ...erver you must reboot the server after installation Typical Output for a Standalone Installation An example of the output for a typical standalone installation is as follows root h sh nsm2010 4_server...

Page 58: ...rectory is var netscreen GuiSvr Because the user data including database data and policies can grow to be quite large it is sometimes desirable to place this data in another partition Please enter an...

Page 59: ...S Will server processes need to be restarted automatically in case of a failure y n y BACKUP SETUP DETAILS Will this machine require local database backups y n y Enter hour of day to start the databas...

Page 60: ...tgres DevSvr Db password set for nsm Start server s when finished Yes Are the above actions correct y n y PERFORMING INSTALLATION TASKS INSTALLING Device Server Looking for existing RPM package ok Rem...

Page 61: ...DE CC 91 B8 4F 42 77 42 You will need this for verification purposes when logging into the GUI Server Please make a note of it root C73 16 Starting Server Processes Manually If you did not specify th...

Page 62: ...f you are installing the UI on RHEL 5 first install the libXp package You can obtain libXp from RedHat We recommend that you exit all running applications before installing the UI To install the NSM U...

Page 63: ...nt click the button next to the appropriate statement and then click Next to continue NOTE If you choose to not accept the terms of the License Agreement then you are unable to proceed with the instal...

Page 64: ...ing on a Linux based computer then the installer saves the UI software files in install_user_homedir Network and Security Manager by default To specify a new or different folder location click Choose...

Page 65: ...to create the NSM product icons Or if you are installing on a Linux based computer select where you would like to create links to the NSM UI program Click Next to continue The Pre Installation Summary...

Page 66: ...ation is complete a screen indicating Install Complete appears NOTE If you do not select a default web browser then the UI is not able to launch the NSM online help If you still want to use the online...

Page 67: ...nt to run the program or launch it from a command line From the command line navigate to the subdirectory where you have installed the UI software files and then launch the UI application by running t...

Page 68: ...o Figure 5 on page 46 Figure 5 Validating the NSM Installation 3 Use the General tab to verify the following information Device Server Manager Port The default port is 7800 IDP Device Server Manager P...

Page 69: ...t system To run the UI in Demo mode 1 Run the NSM UI The Login window appears 2 Type any username in the Login field provided 3 Type any password in the Password field provided 4 Select DEMO MODE from...

Page 70: ...Copyright 2010 Juniper Networks Inc 48 Network and Security Manager Installation Guide...

Page 71: ...uration Installation Order on page 49 Defining System Parameters on page 50 Prerequisites on page 53 Installing the GUI Server on page 53 Installing the User Interface on page 62 Adding the Device Ser...

Page 72: ...he server that you are installing the GUI Server Defining System Parameters During the installation process you are required to configure common system parameters such as directory locations to store...

Page 73: ...all process By default the GUI Server stores data in var netscreen GuiSvr xdb log GUI Server database log directory The IP address and port used by the running GUI Server The default is the IP address...

Page 74: ...fter 2 AM Hour of the Day to Start Local Database Backup Total number of database backup files that the GUI Server stores When the GUI Server reaches the maximum number of backup files you configure i...

Page 75: ...needed software binaries and packages are present If any component is missing the installer displays a message identifying the missing component Checking for platform specific packages FAILED The Foll...

Page 76: ...sm2010 4_servers_linux_x86 sh PERFORMING PRE INSTALLATION TASKS Creating staging directory ok Running preinstallcheck Checking if platform is valid ok Checking for correct intended platform ok Checkin...

Page 77: ...e the full path name to a directory and then press Enter The installer prompts whether you want to enable FIPS support 7 If you require FIPS support enter y Otherwise press Enter to accept the default...

Page 78: ...he management IP address of the GUI Server c Type the IP address of the GUI Server This address should be the same as the server on which you are installing The installer sets the IP address and port...

Page 79: ...s to be restarted automatically on failure NOTE The CFM passwords for NSM and for UNIX must be identical although NSM does not check that they are the same 13 If you want the server processes to be re...

Page 80: ...ter y The installer will start the server processes with nsm user permissions If you do not want to start the server processes enter n NOTE When you restart your server the GUI Server and HA Server pr...

Page 81: ...ies are present ok Checking for platform specific binaries ok Checking for platform specific packages ok Checking in System File for PostgreSQL and XDB parameters ok Checking for PostgreSQL ok Checkin...

Page 82: ...word for the super user Enter password password will not display as you type Please enter again for verification Enter password password will not display as you type Enter the one time password for th...

Page 83: ...ailure Local database backups are enabled Start backups at 02 Daily backups will not be sent to a remote machine Number of database backups to keep 7 HA rsync command backup timeout 3600 Create databa...

Page 84: ...nstalling the User Interface Install the User Interface See Installing the User Interface on page 40 for more information on installing the User Interface UI Adding the Device Server in the User Inter...

Page 85: ...need this when you install the Device Server Installing the Device Server The installer guides you through all the steps required to configure the system parameters and then the installer runs to com...

Page 86: ...ocation var netscreen DevSvr The installer prompts you to enter parameters assigned by the UI to this Device Server b Type the Device Server ID The installer prompts you to type the one time password...

Page 87: ...and creates a new backup Press Enter to accept the default setting of seven backup files d Type a number specifying how many seconds you want the management system to wait while performing backups unt...

Page 88: ...tory ok Running preinstallcheck Checking if platform is valid ok Checking for correct intended platform ok Checking for CPU architecture ok Checking if all needed binaries are present ok Checking for...

Page 89: ...ovide the IP address of the running GUI Server Enter the IP address of the running GUI Server 10 157 48 108 HIGH AVAILABILITY HA SETUP DETAILS Will server processes need to be restarted automatically...

Page 90: ...TALLING Device Server Looking for existing RPM package ok Removing existing Device Server RPM ok Installing Device Server RPM ok Installing JRE ok Installing GCC ok Creating var directory ok Creating...

Page 91: ...ating Management System Status To validate the management system is started and running properly we recommend that you view the status of all the running server processes the HA server Device Server a...

Page 92: ...Copyright 2010 Juniper Networks Inc 70 Network and Security Manager Installation Guide...

Page 93: ...e 78 Suggested Extended HA Installation Order on page 78 Defining System Parameters on page 79 Prerequisites on page 84 Installing NSM 2010 4 on the Primary Server on page 86 Installing NSM 2010 4 on...

Page 94: ...scenario with access to a shared disk HA Requirements Consider the following system requirements if you are planning on installing the management system for high availability Both the primary and seco...

Page 95: ...g TCP port 7801 Upon failure the UI automatically attempts to connect to the secondary GUI Server This process is transparent to the Admin user Note however that the IP address of the secondary GUI Se...

Page 96: ...tandby Device Server to access log data also on the active Device Server you must connect both servers to an external shared disk NOTE Rsync uses a temporary SSH connection to the peer server to perfo...

Page 97: ...server then enters an ERROR mode and stays in that mode until you manually restart the HA Server NOTE You cannot start or stop the Device Server and GUI Server processes manually in an HA configuratio...

Page 98: ...you need to ensure sufficient redundancy within the shared disk machine for example RAID dual power supplies NOTE In a Simple HA installation using a shared disk ensure that the data directories of b...

Page 99: ...he HA Server is in error mode the script appends log messages from the HaSvr var errorLog highAvail 0 error log You can use this script view error messages output for the server that the script is run...

Page 100: ...d HA configuration for example with four servers the most important step is to ensure that the PKI information is shared correctly among the servers A failure to do this step correctly could cause the...

Page 101: ...ice Server 14 Allow the primary Device Server to failover to test that it can connect to the secondary GUI Server 15 Add your managed devices in the UI Check the device connection to both Device Serve...

Page 102: ...etscreen GuiSvr CAUTION Do not place your data directory in usr netscreen That path normally contains binary files and should not be used for data GUI Server data directory Directory location on the G...

Page 103: ...ry machine This in addition to the data network link already existing in the primary secondary HA Server IP address Heartbeat links between primary and secondary machine This is the password that is r...

Page 104: ...e of day in a 24 hour day 00 23 For example if you want the backup to begin at 4 00 AM type 04 if at 4 00 PM type 16 We recommend that you set this parameter to a time of day that effectively minimize...

Page 105: ...d Disk Parameters If you are using a shared disk partition the installer prompts you to configure additional information Table 15 on page 83 identifies the additional system parameters that you need t...

Page 106: ...files that each partition is listed on the appropriate mount point etc fstab on Linux etc vfstab on Solaris You also need to verify that all mounts are not set to restart automatically Verifying That...

Page 107: ...ry server manually and place it in ssh authorized_keys For example you would run the following command scp ssh id_rsa pub root IP addr NSM2 root ssh authorized_keys 4 From the secondary server you the...

Page 108: ...a directory on the server or download the installer from the Juniper Networks Customer Services Online Web site 2 Navigate to the directory where you saved the installer file We recommend that you sav...

Page 109: ...that the installer performed a task or check but it was unsuccessful See the install log for information about the failure This log is usually stored in usr netscreen DevSvr var errorLog If the failur...

Page 110: ...y file enter n You will enter the license file path later See Introduction on page 3 for information about obtaining license keys 6 To accept the default usr netscreen directory press Enter or enter t...

Page 111: ...cation var netscreen DevSvr NOTE You cannot store files in an existing directory location This feature safeguards against overwriting any existing data If you specify an existing directory the install...

Page 112: ...er with the GUI Server 13 If you are not installing NetScreen Statistical Report Server with NSM enter n If you are installing NetScreen Statistical Report Server with NSM enter y If you entered y the...

Page 113: ...that you are managing greater than 1000 devices For example the default heartbeat interval is 15 seconds This interval is appropriate for deployments of fewer than 1000 managed devices If you plan to...

Page 114: ...operation a Type a two digit number 00 through 23 specifying the hour of day that you want NSM to perform the daily backup operation For example if you want NSM to perform the daily backup operation...

Page 115: ...rompt NOTE If you are installing NSM for the first time on a Solaris server you must reboot the server after installation Viewing the Management System Installation Log The installer generates a log f...

Page 116: ...f you are experiencing problems with the HA Server run the following command for more detailed information usr netscreen HaSvr utils haStatus The haStatus utility provides additional information descr...

Page 117: ...rectory structure for all NSM software and data NOTE If you are installing NSM for the first time on a Solaris server you must reboot the server after installation Example Installing NSM in a Simple H...

Page 118: ...g for platform specific packages ok Checking in System File for PostgreSQL and XDB parameters ok Checking for PostgreSQL ok Checking if user is root ok Checking if user nsm exists ok Checking if iptab...

Page 119: ...ctory is var netscreen GuiSvr Because the user data including database data and policies can grow to be quite large it is sometimes desirable to place this data in another partition Please enter an al...

Page 120: ...ed for Heartbeat authentication Enter password password will not display as you type Please enter again for verification Enter password password will not display as you type Enter number of Heartbeat...

Page 121: ...e backups y n y Enter hour of day to start the database backup 00 midnight 02 2am 14 2pm 02 Will daily backups need to be sent to a remote machine y n n Enter number of database backups to keep 7 Ente...

Page 122: ...ckup Use rsync program at usr bin rsync Path for the ssh command usr bin ssh Local database backups are enabled Start backups at 02 Daily backups will not be sent to a remote machine Number of databas...

Page 123: ...rt Generation ok Removing staging directory ok NOTES Installation log is stored in usr netscreen DevSvr var errorLog netmgtInstallLog 20080902150909 This is the GUI Server fingerprint 17 3E 1F B9 69 2...

Page 124: ...on the primary server during the installation of this software to avoid data corruption DEVICE SERVER SETUP DETAILS Will the Device Server data directory be located on a shared disk partition y n n T...

Page 125: ...password will not display as you type Please enter again for verification Enter password password will not display as you type Will a Statistical Report Server be used with this GUI Server y n n CFM u...

Page 126: ...monitor this server s network connection Enter an IP address outside of the cluster 10 150 47 254 Enter the rsync replication timeout 3600 Enter HA directory var netscreen dbbackup The HA server s req...

Page 127: ...Use port 8443 for NBI Service Connect to GUI Server at 10 150 41 10 7801 Set password for super user CFM user cfmuser CFM Password set for cfmuser IP address for the primary HA Server 10 150 41 9 IP...

Page 128: ...tory ok Putting NSROOT into start scripts ok Filling in GUI Server config file s ok Setting permissions for GUI Server ok Running generateMPK utility ok Running fingerprintMPK utility ok Installation...

Page 129: ...the name of the Device Server 4 In the IP Address box enter the IP address of the Device Server 5 In the Password for GUI Server Connection box enter the password you specified for the super user acc...

Page 130: ...are done 5 Optional Click to activate the E mail Notification tab Configure the following parameters a Enter the IP Address of the SMTP Server b Enter the e mail address referenced in the e mail notif...

Page 131: ...ification tabs become available 3 Select the HA tab Configure the following parameters as shown in Figure 9 on page 109 a Enter the IP Address of the Secondary Server b Enter the Secondary Device Serv...

Page 132: ...HA Configuration If you are installing the management system in an extended configuration GUI Server and Device Server on separate server machines with HA enabled you will need to run the management...

Page 133: ...e server machines with the following parameters No shared disk No Statistical Report Server Only one heartbeat link between the primary secondary servers IP Address of the primary GUI Server is 10 150...

Page 134: ...ecture ok Checking if all needed binaries are present ok Checking for platform specific binaries ok Checking for platform specific packages ok Checking in System File for PostgreSQL and XDB parameters...

Page 135: ...ocation specified in the brackets Enter data directory location var netscreen GuiSvr The GUI Server stores all of the database logs under a single directory By default this directory is var netscreen...

Page 136: ...the primary and secondary machines The IP addresses entered here must be correct and match on both ends of the link for automatic failover to function correctly Enter the IP address for this machine...

Page 137: ...oceed with the following actions Install GUI Server Install High Availability Server Store base directory for management servers as usr netscreen This machine will have base license with maximum 25 de...

Page 138: ...generateMPK utility ok Running fingerprintMPK utility ok Installation of GUI Server complete INSTALLING HA Server Looking for existing RPM package ok Removing existing HA Server RPM ok Installing HA S...

Page 139: ...ace ok Noting OS name ok Stopping any running servers EXTRACTING PAYLOADS Extracting and decompressing payload ok Extracting license manager package ok GATHERING INFORMATION 1 Install Device Server on...

Page 140: ...word will not display as you type Enter the one time password for this Gui Server Enter password password will not display as you type Please enter again for verification Enter password password will...

Page 141: ...s outside the HA cluster is needed to monitor this server s network connection Enter an IP address outside of the cluster 10 150 47 254 Enter the rsync replication timeout 3600 Enter HA directory var...

Page 142: ...at link 10 150 42 10 IP address for the peer s primary heartbeat link 10 150 42 9 IP address for remote HA replications 10 150 41 9 Port for HA heartbeat communication 7802 Seconds between heartbeat m...

Page 143: ...3A 31 D4 84 You will need this for verification purposes when logging into the GUI Server Please make a note of it root C73 16 Primary Device Server Installation The following example shows the compl...

Page 144: ...ease enter an alternative location for this data if so desired or press ENTER for the location specified in the brackets Enter data directory location var netscreen DevSvr Enter the ID assigned by the...

Page 145: ...outside the HA cluster is needed to monitor this server s network connection Enter an IP address outside of the cluster 10 150 47 254 Enter the rsync replication timeout 3600 Enter HA directory var n...

Page 146: ...address for the secondary HA Server 10 150 41 8 Set shared password for heartbeat Number of Heartbeat links 1 IP address for this machine s primary heartbeat link 10 150 43 7 IP address for the peer...

Page 147: ...rt script ok PERFORMING POST INSTALLATION TASKS Running nacnCertGeneration ok Running idpCertGeneration ok Removing staging directory ok NOTES Installation log is stored in usr netscreen DevSvr var er...

Page 148: ...default this directory is var netscreen DevSvr Because the user data including logs and policies can grow to be quite large it is sometimes desirable to place this data in another partition Please en...

Page 149: ...t equal at least this value Using the defaults is recommended Enter a time interval seconds between heartbeat messages 15 Enter number of missing heartbeat messages before automatic switchover occurs...

Page 150: ...ster This server is the primary No Store Device Server data in var netscreen DevSvr Connect to GUI Server at 10 150 41 10 7801 IP address for the primary HA Server 10 150 41 7 IP address for the secon...

Page 151: ...Server RPM ok Creating var directory ok Putting NSROOT into start scripts ok Filling in HA Server config file s ok Setting permissions for HA Server ok Installation of HA Server complete SETTING START...

Page 152: ...Copyright 2010 Juniper Networks Inc 130 Network and Security Manager Installation Guide...

Page 153: ...n on page 150 Upgrading NSM with HA Enabled on page 151 Restoring Data if the Upgrade Fails on page 153 Next Steps on page 154 Upgrade Overview The following procedure summarizes the process for upgra...

Page 154: ...eter Directory location on the Device Server where device data is stored Because the data on the Device Server can grow to be large consider placing this data in another location If you decide to have...

Page 155: ...agement password Directory location where local database backup data is stored By default the GUI Server stores local database backup data at var netscreen dbbackup Localdatabasebackup directory Path...

Page 156: ...henticate with the GUI Server when attempting to connect Password for GUI Server Connection HA Configuration Parameters Table 19 on page 134 describes the system parameters that you need to identify i...

Page 157: ...matic switchover to the secondary machine occurs The default is 4 messages Missing heartbeats before switchover occurs Network IP Address used to monitor this server s network connection IP Address ou...

Page 158: ...rver stores seven backup files Number of Local Database Backup Files Stored Shared Disk Parameters Table 20 on page 136 identifies the additional system parameters that you need to identify to upgrade...

Page 159: ...cated a maximum amount of disk space for the data partition var netscreen directory See Hardware Recommendations on page 201 for more information about the disk space requirements appropriate for your...

Page 160: ...e shell archive script For example you can execute the shell archive script by running the following command platform sh For example on Linux es4 the update script is named rhes4_upd3 sh and located i...

Page 161: ...ity configuration directory For example cd usr netscreen HaSvr var 2 Open the High Availability configuration file haSvr cfg in any text editor 3 To modify the rsync timeout values configure the follo...

Page 162: ...Use the Solaris 10 installation DVD to load any missing locales The minimum supported Solaris 10 revision is 6 06 You can download the DVD from www sun com Mount the DVD in this example solaris and is...

Page 163: ...following message Device s running ScreenOS 4 0 x or earlier release were found in the managed network Using your currently installed version of NSM upgrade all such devices to ScreenOS 5 0 or later...

Page 164: ...platform is valid ok Checking for correct intended platform ok Checking if ScreenOS 4 0 x or earlier device in network ok Checking for CPU architecture ok Checking if all needed binaries are present o...

Page 165: ...prompt you will be prompted for configuration input The installer prompts whether you want to enable FIPS support 6 If you require FIPS support enter y Otherwise press Enter to accept the default val...

Page 166: ...ding time of day to take the backup how many backups to keep and whether to take a remote backup NOTE You must allow local backup if you want to specify remote backup Database server details including...

Page 167: ...ple upgrades a standalone installation using the base license and without reconfiguring server parameters root h sh nsm2010 4_servers_linux_x86 sh PERFORMING PRE INSTALLATION TASKS Creating staging di...

Page 168: ...er password password will not display as you type Please enter again for verification Enter password password will not display as you type Enter the same password again for CFM user Changing password...

Page 169: ...servers as usr netscreen This machine will have base license with maximum 25 devices This machine does not participate in an HA cluster CFM user cfmuser CFM Password set for cfmuser Servers will be re...

Page 170: ...abling HA Server start script ok PERFORMING POST INSTALLATION TASKS ok Loading GuiSvr XDB data from init files ok Migrating GuiSvr data ok ok Removing staging directory ok Starting GUI Server ok Start...

Page 171: ...3 and later releases of the UI client you can upgrade to the 2010 4 Release automatically For earlier releases you must manually download and install the new UI client Downloading and Installing the...

Page 172: ...er information 2 Click on the Device Server and click on the Edit icon or right click on the Device Server and select Edit to view all information available on the Device Server 3 Use the General tab...

Page 173: ...on the primary servers where you have currently installed the GUI and Device Servers Specify that you want to upgrade the servers 4 Configure the following HA parameters when prompted during the Gener...

Page 174: ...tended platform ok Checking for CPU architecture ok Checking if all needed binaries are present ok Checking for platform specific binaries ok Checking for platform specific packages ok Checking in Sys...

Page 175: ...the next scheduled remote database replication interval default is 1 hour If the primary server goes down before the next scheduled remote database replication the data on the secondary server will no...

Page 176: ...dy to begin managing your network Refer to the Network and Security Manager Administration Guide and Network and Security Manager Online Help for information describing how to plan and implement NSM f...

Page 177: ...rading to NSM 2010 4 on an NSM Regional Server appliance if the appliance is connected to the Internet NSM 2010 4 requires a license file if you are managing more than 25 devices You must have the lic...

Page 178: ...your operating system All the necessary software binaries are present You correctly logged in as root You have installed a version of NSM earlier than the current version you are installing The syste...

Page 179: ...ct type y and press Enter to proceed If settings are incorrect type n and press Enter to return to the original selection prompt The upgrade proceeds automatically The installer performs the following...

Page 180: ...g the following command which unzip This command gives you the location of the unzip utility If it is not available use the following command to install this utility yum install unzip 6 Navigate to th...

Page 181: ...rform a clean install of Central Manager 10 The installer next prompts you to configure additional options specific to your installation during the upgrade These options can include Configuring High A...

Page 182: ...r upgrade link to download the NSM Appliance upgrade software The downloaded file has the name nsm2010 4_servers_upgrade_rs zip 2 From the NSM Software Download page click the Offline Server upgrade l...

Page 183: ...heck and verified that the condition was satisfied FAILED indicates that the installer performed a task or check but it was not successful See the install log for information about the failure This lo...

Page 184: ...with the output of the installation commands for troubleshooting The installer indicates the name of the installation log file and the directory location where it is saved This file is saved by defaul...

Page 185: ...5 i386 rpm 7 Navigate to the directory where you saved the downloaded files which is typically the tmp subdirectory 8 Enter the following command to unzip and save two files nsm2010 4_servers_cm sh u...

Page 186: ...m a clean install of the Central Manager 11 The installer next prompts you to configure additional options specific to your installation during the upgrade These options can include Configuring High A...

Page 187: ...NSM to an NSMXpress or NSM3000 appliance It contains the following procedures Data Migration from a Solaris Server to an NSM Regional Server Appliance on page 165 Data Migration from a Linux Server to...

Page 188: ...esses with the following commands usr netscreen HaSvr bin haSvr sh stop usr netscreen GuiSvr bin guiSvr sh stop usr netscreen DevSvr bin devSvr sh stop 5 Run Importer using the following command usr n...

Page 189: ...d in devSvr cfg to match the one time password in the shadow_server table a Use the vi editor to edit the var netscreen DevSvr devSvr cfg file b Change the one time password to match the one time pass...

Page 190: ...ractical cd var netscreen tar cvf Devdb tar DevSvr 5 Transfer the Guidb tar and Devdb tar archive files to a place where they can be retrieved later On the NSMAppliance 1 Use the nsm_setup utility to...

Page 191: ...r and guiSvr from the devSvr cfg file so they can be renegotiated and established again Correct the one time client password in devSvr cfg 8 If the Linux server used a customized device server data di...

Page 192: ...ser to admin 1 Log in as an nsm user by entering the following command at the prompt admin NSMXpress sudo su nsm Password admin password 2 Change user privileges to admin by entering the following com...

Page 193: ...ge 178 Configuring High Availability Options on page 180 Relocating the Database on page 183 Installing a Trivial File Transfer Protocol Server on page 185 Modifying Timeout Values on the Device Serve...

Page 194: ...d Stops the management system process for two seconds and then restarts the process restart Starts the management system process start Stops the management system process stop Provides a status of the...

Page 195: ...Svr sh stop To stop the HA Server process manually enter the following command usr netscreen HaSvr bin haSvr sh stop NOTE To prevent the server from rebooting in a HA configuration that uses shared di...

Page 196: ...ess xdbUpdate usr netscreen GuiSvr var xdb server 0 1 __ ip IP Address Note that the 0 represents the GUI Server ID and the 1 represents the Device Server You can view these IDs using the Server Manag...

Page 197: ...isk space is restored If for any reason the Device Server is not able to restore 500 MB of disk space the Device Server automatically shuts down An error message appears in the console window indicati...

Page 198: ...r until you reclaim required minimum i nodes For your convenience a shell script is provided enabling you to reclaim i nodes This script is located in the utilities directory on the GUI Server usr net...

Page 199: ...Server configuration file called devSvr cfg 2 Edit the time value in thousandths of a second for the devSvrDirectiveHandler fastCli timeout parameter to change the way the Device Server controls conne...

Page 200: ...netscreen GuiSvr var or the path that you configured when you initially installed the GUI Server usr netscreen DevSvr var or the path that you configured when you initially installed the Device Serve...

Page 201: ...al location or disk 6 Start the HA Server GUI Server and then the Device Server NOTE Do not start the GUI Server and the Device Server manually if the HA Server will start them for you The HA Server s...

Page 202: ...high availability options on the management system by editing the High Availability configuration file haSvr cfg Enabling and Disabling High Availability Processes To enable high availability 1 Stop...

Page 203: ...ue for the highAvail backupTimeHour variable To change the number of backup files that the tool saves edit the value for the highAvail numofBackup variable To change the path to the rsync package edit...

Page 204: ...ckup data directory on your new management system server 3 Navigate to the HA Server utilities subdirectory usr netscreen HaSvr utils by default 4 Run the database restore shell archive script and spe...

Page 205: ...database and the Device Server log database 1 Verify that the system is working properly 2 Stop the server processes usr netscreen HaSvr bin haSvr sh stop If the HA Server is not configured to stop th...

Page 206: ...ents the GUI Server ID and the 1 represents the Device Server You can view these IDs using the Server Manager in the NSM UI Copy the Device Server log database to the new system 1 On the Device Server...

Page 207: ...correct d Save the file and exit Restart the server processes 1 Start the HA Server usr netscreen HaSvr bin haSvr sh start 2 If the HA Server is not configured to start the GUI Server and the Device...

Page 208: ...rver To configure and enable the TFTP server on Linux 1 Open the etc xinetd d tftp file in any text editor 2 Edit the parameter server_args so that the value is s usr netscreen DevSvr var cache 3 Edit...

Page 209: ...ce Server 1 Stop the Device Server and any HA Server If the HA Serer is configured to stop all NSM server processes when it stops enter this command usr netscreen HaSvr bin haSvr sh stop If the HA Ser...

Page 210: ...your previous version of NSM 4 Restore your backup database See Restoring the Database on page 182 for more information Removing the Management System To remove previous management system installation...

Page 211: ...athnames in class none usr netscreen DevSvr utils policy_compiler usr netscreen DevSvr utils nacnUpdateCAnml usr netscreen DevSvr utils nacnLoadPKCS12 usr netscreen DevSvr bin devSvrDataCollector usr...

Page 212: ...inux based computer you can either double click on the Uninstall_Network_and_Security Manager icon or you can launch the UI uninstaller from a command line sh Uninstall_Network_and_ Security_Manager T...

Page 213: ...T 2 Appendixes Technical Overview of the NSM Architecture on page 193 Hardware Recommendations on page 201 Profiler Performance Tuning Recommendations on page 209 191 Copyright 2010 Juniper Networks I...

Page 214: ...Copyright 2010 Juniper Networks Inc 192 Network and Security Manager Installation Guide...

Page 215: ...ecific network security environment It includes the following key components as shown in Figure 12 on page 193 Management system User interface UI Managed devices Figure 12 NSM Architecture This appen...

Page 216: ...ating the two server components you can improve system performance GUI Server The GUI Server receives and responds to requests and commands from the NSM UI It manages all the system resources and conf...

Page 217: ...ocation Refer to the Network and Security Manager Administration Guide or the Network and Security Manager Online Help included in the UI for more information about the NSM UI About Managed Devices Th...

Page 218: ...rt TCP 443 STRM devices connect to the PostgreSQL on this port to get profiler data TCP 5432 Devices running ScreenOS Software connect to the Device Server on this port TCP 7800 The GUI Server receive...

Page 219: ...nization the Device Server connects to the NTP server on this port UDP 123 The NSM Topology Discovery Manager uses SNMP to communicate with devices through this port UDP 161 The Device Server sends SN...

Page 220: ...able 24 on page 198 lists and describes the ports used specifically in communications between NSM and ScreenOS 5 0 devices Table 24 Management System Communications With Devices Running ScreenOS Descr...

Page 221: ...System Communications With DMI Compatible Devices Description Port Server Component Accepts incoming device connections Inbound TCP 7804 Device Server Communicates with the GUI server Outbound TCP 780...

Page 222: ...rom the GUI Server if you deploy your UI clients inside the management network If you must deploy UI clients outside the management network then you must allow TCP port 7808 access to the GUI Server i...

Page 223: ...ome general rules and formulas This appendix contains these sections Standalone or Distributed System for GUI Server and Device Server on page 201 Network Card Requirements on page 202 Memory Requirem...

Page 224: ...u add a device use the MIP Address for the devices to connect to the Device Server Memory Requirements This section details memory requirements on the GUI Server and Device Server GUI Server A higher...

Page 225: ...the Device Server is managing firewall VPN devices or Junos devices Table 27 Device Server RAM Requirements for Firewall VPN or Junos Devices Device Server RAM Required Number of Devices 4 GB Less th...

Page 226: ...Server GUI Server The GUI Server binaries and libraries require less than 100 MB Other key components that are disk space intensive are Audit Log Error Log Device configuration database Nightly backu...

Page 227: ...audit log details turned off the audit log uses only 100 408 bytes 5 1 KB 45 KB of disk space The GUI Server also requires 2 GB for the database transaction log Error Log The var netscreen GuiSvr err...

Page 228: ...25 000 000 300 GB 50 000 000 Table 31 on page 206 lists some examples for a Device Server managing just IDP stand alone devices running profiler based on a retention period of 30 days Table 31 Storag...

Page 229: ...ability on the Device Server A modern Intel or AMD CPU 2 4GHz or an UltraSparc III 1 2 GHz can handle sustained log rates of at least 20 000 logs per second Device Server Managing IDP Standalone Devic...

Page 230: ...nternal testing The Device Server must have at least enough space in var netscreen for 1 day of logs Make sure that the storage manager parameters in devSvr cfg are adjusted to cover one full day s wo...

Page 231: ...tivities Low End Configuration 1 or 2 profiling devices Medium Sized Configuration 3 through 8 profiling devices High End Configuration 9 through 20 profiling devices Recommendations for Low End Confi...

Page 232: ...n recommended settings Medium Size Configuration 3 to 8 IDP Profiling Devices Table 34 on page 210 describes recommendations for optimum performance when managing 3 to 8 profiling devices Table 34 Per...

Page 233: ...on page 211 describes recommendations for optimum performance when managing 9 to 20 profiling devices Table 35 Performance Turning Recommendations for High End Configurations Value Recommended Compone...

Page 234: ...erences From the UI use System Preferences Profiler Settings to configure settings on the Profiler to improve performance Table 36 on page 212 describes settings that you can configure to improve perf...

Page 235: ...e next section Table 37 on page 213 describes parameters in the postgresql conf file that affect Profiler performance Table 37 PostgreSQL Server Settings Default Value Description Parameter 1000 KB Se...

Page 236: ...set shmsys shminfo_shmmin 1 set shmsys shminfo_shmmni 256 set shmsys shminfo_shmseg 256 set semsys seminfo_semmap 256 set semsys seminfo_semmni 512 set semsys seminfo_semmns 512 set semsys seminfo_se...

Page 237: ...een two consecutive vacuums profilerMgr receiver minVacuumInterval NO If this setting is YES VACUUM FULL is performed during optimization otherwise skipped profilerMgr receiver performVacuumFull 3 hou...

Page 238: ...4 CPUs we recommend that you set this value as follows set_cachesize 0 1024000000 4 If you need more memory change the BDB config to increase the exiting limit Increase the parameters listed below in...

Page 239: ...PART 3 Index Index on page 219 217 Copyright 2010 Juniper Networks Inc...

Page 240: ...Copyright 2010 Juniper Networks Inc 218 Network and Security Manager Installation Guide...

Page 241: ...132 for GUI Server described 23 51 80 132 data migration 165 database backup options 10 replicating 181 restoring 182 defining system parameters 22 50 79 132 Demo Mode 47 Device Server adding 62 inst...

Page 242: ...ng 131 upgrading Central Manager 158 162 upgrading NSMXpress 155 160 memory requirements for UI 7 management system on same server 5 management system on separate servers 6 migration to NSMXpress 165...

Page 243: ...vers 6 system parameters 22 50 79 132 system update utility described 5 running 25 138 T technical support contacting JTAC xx TFTP server installing on Linux 186 installing on Solaris 186 timeout bulk...

Page 244: ...Copyright 2010 Juniper Networks Inc 222 Network and Security Manager Installation Guide...